Date posted: 28-Jan-2018 | Category: Internet | Uploaded by: wes-morgan
© 2009 IBM Corporation
IBM Collaboration Solutions
What You Need to Know: Domain Name System (DNS)
Wes Morgan, WW ICS, [email protected]
© 2012 IBM Corporation
November 8, 2016
Directory Assistance for TCP/IP Networks
● Humans don't “do” numerical addresses
● We like names
● More to the point, we like organized names
● DNS organizes hosts into domains, which it calls zones
● DNS can also organize/advertise services
● Zones may host other zones (aka “subdomains”)
● There is only ONE authoritative source for each zone
● DNS establishes a hierarchy of zones under a “root” zone
Doing a “DNS lookup” simply means that we travel up, down, and/or across the hierarchy until we find the information we need
DNS Zones and Individual Hosts
(Diagram: the root zone delegates the top-level domains (TLDs) such as .com, .org, .jp, .edu and .us; the .us zone delegates .ny.us, .ca.us and .ky.us; the .ky.us zone delegates .bg.ky.us, .lou.ky.us and lex.ky.us; the lex.ky.us zone holds individual hosts such as flamtap, ruff, longroll and booga, so the fully qualified domain name (FQDN) of the first is flamtap.lex.ky.us.)
It's All About Resources...
● EVERYTHING in DNS is a resource
● DNS provides resource records (RRs) in response to queries
● So, a big part of “configuring DNS” is setting up RRs correctly
● As DNS has grown, so has the number of RRs supported
● We'll only touch upon the RRs we most frequently encounter:
  ● SOA – Start of Authority
  ● NS – Name Server
  ● A – Address (IPv4)
  ● AAAA – Address (IPv6)
  ● CNAME – Canonical Name
  ● MX – Mail eXchanger
  ● SRV – Service
  ● PTR – Pointer
SOA – Respect My Authority!
● Remember, there can be only one authority for each zone
● However, customers may have separate internal/external zones with the same name (aka “split horizon” DNS) with different authoritative name servers AND DIFFERENT DATA!
● The Start of Authority (SOA) record includes:
  ● The authoritative server for the zone (aka “origin” or “primary name server”)
  ● The email address of the responsible party (without @)
  ● Other information used by secondary DNS servers in the zone
NS Records – Nameservers
● NS records simply list all nameservers for a given zone
● This does NOT mean that all of them are up and running!
● Clients may send queries to any listed nameserver
A & AAAA Records – Give Me An IP Address!
● Almost all DNS queries lead to an actual Address (A/AAAA) record
● A records provide IPv4 addresses, while AAAA records provide IPv6 addresses
A & AAAA Records – There Might Be More Than One!
● Multiple Address records may be provided for a single name
  ● Usually indicates a clustered server environment
● Address records are not prioritized; multiple Address records are returned in rotating order (aka “round-robin”)
● Clients will attempt to reach addresses in the order provided
(Screenshot: two successive queries for the same name; note the different order of the address responses between the two queries.)
CNAME – What's the REAL Name?
● End users like easy-to-remember names, but admins have to deal with real system names
● Canonical Name (CNAME) records specify the “real name” of the system queried
  ● In other words, it lets us create aliases
● CNAME records can reference other CNAMEs (i.e. an alias pointing to another alias)
  ● You may see this in queries whose responses change according to geography (e.g. cloud resources)
CNAME – Chained Example
● Multiple levels of CNAMEs usually indicate dynamic DNS
  ● May indicate geographic DNS
● Often seen with Akamai and other content delivery networks
● When you see this, have affected users do queries too!
  ● They may be sent to different destinations!
MX Records – Where Can I Deliver Email to You?
● Mail eXchanger (MX) records list the email server(s) for the zone
● Multiple systems can be designated as mail exchangers
● MX records are prioritized (usually in increments of 10)
● Clients will try to use the highest-priority (lowest-numbered) host first
SPF – Who Can Deliver Mail for Me?
● Sender Policy Framework (SPF) uses TeXT (TXT) records to specify which hosts can deliver mail on behalf of a given domain
● SPF is used in mail security – if SPF fails, the delivery attempt is rejected
● Example of leveraging DNS for application-layer information
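As an added illustration (not from the slides), here is how a receiving mail server evaluates the ip4, ip6, a and all mechanisms of a v=spf1 TXT record against the connecting address. The TXT record, hostnames and addresses are constructed, and the include/mx/exists mechanisms are left out.

```python
import ipaddress

# Constructed records: the domain's SPF TXT record and the A record its "a:"
# mechanism refers to. Addresses are documentation ranges, not real mail hosts.
TXT = {"example.com.": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 a:mail.example.com ~all"}
A_RECORDS = {"mail.example.com.": ["198.51.100.7"]}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(sender_ip, domain, txt=TXT, a_records=A_RECORDS):
    """Evaluate a v=spf1 record for the connecting address. Mechanisms are tested
    left to right and the first match decides; a record with no matching mechanism
    and no "all" is neutral. Only ip4, ip6, a and all are handled here."""
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                              # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                            # an unqualified mechanism means pass
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            return RESULT[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return RESULT[qualifier]
        elif mechanism == "a":
            host = (argument or domain.rstrip(".")) + "."   # "a" alone means the domain itself
            if str(ip) in a_records.get(host, []):
                return RESULT[qualifier]
    return "neutral"
```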
SRV Records – Services of All Sorts
● Service (SRV) records announce specific services via DNS
● General format is _service._protocol.dnsdomainname
● Heavily used in Active Directory environments:
  ● _ldap._tcp.<DNSdomainName> – LDAP server for DNS domain
  ● _ldap._tcp.pdc._msdcs.<DNSdomainName> – Primary DC
  ● _kerberos._tcp.dc._msdcs.<DNSdomainName> – Kerberos DC
● Also seen in SIP and XMPP environments
PTR Records – I Have the Number, I Want the NAME!
● Pointer (PTR) records associate numbers back to names
  ● Commonly called “reverse DNS”
● Reverses the IP address & uses a pseudo-domain of “in-addr.arpa”
● Many mail security systems require valid reverse DNS before accepting email from a given host
● Not generally required, but can be useful
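As an added example (not from the slides): building the in-addr.arpa name for an IPv4 address and, going beyond the slide's IPv4 description, the ip6.arpa name for IPv6, then applying the forward-confirmed reverse DNS check that mail gateways use. All hostnames, addresses and records are constructed.

```python
import ipaddress

def reverse_name(ip):
    """Owner name for a PTR lookup: octets reversed under in-addr.arpa for IPv4,
    nibbles reversed under ip6.arpa for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = format(int(addr), "032x")          # full 128-bit hex, no :: compression
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

# Constructed forward (A) and reverse (PTR) data using documentation address ranges.
# The second PTR claims a name whose A record points elsewhere: it must not pass.
FORWARD = {"mail.example.com.": ["192.0.2.25"], "relay.example.net.": ["198.51.100.7"]}
REVERSE = {
    "25.2.0.192.in-addr.arpa.": "mail.example.com.",
    "7.100.51.198.in-addr.arpa.": "mail.example.com.",
}

def forward_confirmed(ip, forward=FORWARD, reverse=REVERSE):
    """The check a mail gateway applies before accepting mail from a host: the PTR
    name must itself resolve back to the connecting IP. Returns the name or None."""
    name = reverse.get(reverse_name(ip))
    if name is None:
        return None                                 # no reverse DNS at all
    return name if ip in forward.get(name, []) else None
```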
So, What Actually Happens When I Send a Query to DNS?
● Most DNS servers are recursive
  ● They will follow the trail until they have your answer
  ● Your client doesn't do the legwork
● Almost all DNS servers cache responses
  ● Cache lifetime (aka time-to-live or TTL) of each RR is set by its authoritative server (in seconds)
● So, you give a command like “ping -c 2 www.facebook.com” and it executes against an IP address, like so:
...but how did DNS get me from 'www.facebook.com' to 157.240.2.35?
Behind the Scenes on the DNS Server
● Assuming that no cached information was available, the DNS server took your query for 'www.facebook.com' and started working backwards
  ● It went to the root zone nameservers and asked for .com NS
  ● It went to a .com name server and asked about facebook.com NS
  ● It went to a .facebook.com name server and asked about www.facebook.com
  ● It got a CNAME RR in response, so it had to ask a .facebook.com nameserver about the canonical name
  ● It had valid cached info for .com and .facebook.com, so it didn't have to repeat those queries
  ● It finally received an A record, which it returned to your client
If you want to see what this process looks like for any FQDN, check out http://simpledns.com/lookup-dg.aspx
(It's a good thing that we have caching servers and TTLs, huh?)
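The walk described above, as an added simulation that is not part of the original deck: a tiny iterative resolver over constructed root, .com and facebook.com data that follows referrals, chases the CNAME, caches each answer and delegation by its TTL, and records which queries were actually sent so the savings on a second lookup are visible. Only the final address 157.240.2.35 comes from the slide; the server names, CNAME target and TTLs are made up.

```python
# Constructed stand-ins for the root, .com and facebook.com servers: owner name ->
# [(rrtype, rdata, ttl)]. Only the final address comes from the slide.
SERVERS = {
    ".": {"com.": [("NS", "a.gtld-servers.net.", 172800)]},
    "com.": {"facebook.com.": [("NS", "a.ns.facebook.com.", 172800)]},
    "facebook.com.": {
        "www.facebook.com.": [("CNAME", "star-mini.c10r.facebook.com.", 3600)],
        "star-mini.c10r.facebook.com.": [("A", "157.240.2.35", 60)],
    },
}

def parent_zones(qname):
    """Zones enclosing qname, deepest first: www.facebook.com. -> facebook.com., com."""
    labels = qname.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]

def ask(zone, qname):
    """Answer if the server for `zone` holds qname, else refer to its delegation."""
    records = SERVERS[zone]
    if qname in records:
        return "answer", records[qname]
    child = next((z for z in parent_zones(qname) if z in records), None)
    return ("referral", child) if child else ("answer", [])   # [] = no such name

def resolve(qname, cache, now, trail):
    """Resolve qname to A records, chasing CNAMEs. cache: name -> (rrs, expiry);
    trail: every (zone, qname) query actually sent, so cache savings are visible."""
    for _ in range(8):                           # bound the CNAME chain
        hit = cache.get(qname)
        if hit and hit[1] > now:
            rrs = hit[0]                         # answer still within its TTL
        else:
            fresh = [z for z in parent_zones(qname) if z in cache and cache[z][1] > now]
            zone = fresh[0] if fresh else "."    # deepest cached delegation, else root
            while True:
                trail.append((zone, qname))
                kind, data = ask(zone, qname)
                if kind == "answer":
                    rrs = data
                    if rrs:
                        cache[qname] = (rrs, now + min(t for _, _, t in rrs))
                    break
                cache[data] = (SERVERS[zone][data], now + SERVERS[zone][data][0][2])
                zone = data                      # follow the referral downward
        if rrs and rrs[0][0] == "CNAME":
            qname = rrs[0][1]
            continue
        return [r for rt, r, _ in rrs if rt == "A"]
    return []
```

On a cold cache the trail shows four queries (root, .com, facebook.com twice); 30 seconds later everything is served from cache, and after the 60-second A record expires only the final facebook.com query is repeated.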
Easing the Burden – Forwarding DNS Servers
● Going all the way to the root zone for every query would be prohibitively slow/costly and consume significant resources
● Use of forwarding servers spreads the work
● Forwarding DNS servers are NOT recursive; they pass queries for which they have no answers cached to the “next server up”
● As queries and responses are sent up and down the line, each server caches the responses (according to its TTL)
● Clients do not know if forwarding servers are used
  ● Responses might be from the forwarded server's perspective!
● Most ISPs offer forwarding DNS services, but don't require customers to use them
(Diagram: regional forwarding servers dns.ap.company1.com, dns.na.company1.com and dns.eu.company1.com pass unanswered queries up toward the Internet.)
Troubleshooting Connectivity? ALWAYS Check DNS!
● If DNS is wrong, NOTHING will work!
● Do NOT trust, use, or recommend “hosts files”
  ● “Hosts files” supplant DNS – DNS won't be queried if the “hosts file” has a matching entry
  ● Many customer issues caused by outdated hosts file entries
● Don't use IP addresses in configurations – use FQDNs!
  ● FQDNs in configuration + working DNS survives server/address changes
● Use of VPN may change DNS servers!
● Presence of round-robin DNS = no load balancers in use
● Single A record for FQDN of a cluster = load balancer in use
● Different answers internal/external may indicate split horizon DNS or (with cloud) content delivery networks (e.g. Akamai)
  ● Other names might be yielding different answers, too!
● Different answers within an enterprise may indicate Global Load Balancing (GLB) in use
● Using tcpdump/Wireshark? DNS query/response is udp/53, server/server (zone transfer) is tcp/53
DNS Tools
● nslookup – built-in tool for Windows, Macintosh, AIX, Linux
  ● Uses system's DNS server as default
  ● Use “server A.B.C.D” to send queries to a specific DNS server
  ● Use “set type=<RR type>” to query specific records
  ● Use “set type=ANY” to see all records associated with a name
● dig – part of the BIND reference implementation of DNS
  ● Open-source package from Internet Systems Consortium
  ● BIND is (by FAR) the most widely used DNS server
  ● Built-in for Macintosh and many Linux distributions
  ● https://www.isc.org/downloads/bind/ for Windows binaries and Linux source code
  ● Windows: install “Tools Only” unless you want to run your own DNS server
  ● Allows quick command-line queries, e.g. “dig ns google.com”
  ● Allows “any” keyword to see all records, e.g. “dig any ibm.com”