Computers use IP addresses. Why DNS Session 1: Fundamentals Old solution: hosts.txt do we need names? � Easier for people to remember � A centrally-maintained file, distributed to all hosts � Computers may be moved between networks, in on the Internet � This feature still exists which case their IP address will change � /etc/hosts [Unix] � C:\windows\hosts [Windows] Brian Candler ISOC CCTLD workshop 128.4.13.9 SPARKY 4.98.133.7 UCB-MAILHOST 200.10.194.33 FTPHOST hosts.txt doesn't scale The domain name system was born DNS is Hierarchical � Huge file � DNS is a Distributed Database for holding name to � Forms a tree structure � Needs frequent copying to ALL hosts IP address (and other) information . (root) � Consistency � Distributed: � Always out-of-date � Shares the administration � Name uniqueness � Shares the load uk org � Robustness and performance through: � Single point of administration � Replication co.uk isoc.org nsrc.org � Caching � A critical piece of Internet infrastructure tiscali.co.uk
Domain Names are (almost) DNS is Hierarchical (2) Using the DNS unlimited � Gives globally unique names � Max 255 characters total length � A Domain Name (like www.tiscali.co.uk) is the KEY to look up information � Administered in "zones" (parts of the tree) � Max 63 characters in each part � You can give away ("delegate") control of part of � The result is one or more RESOURCE RECORDS � RFC 1034, RFC 1035 � If a domain name is being used as a host name, the tree underneath you (RRs) � Example: you should abide by some restrictions � There are different RRs for different types of � RFC 952 (old!) � isoc.org on one set of nameservers information � a-z 0-9 and minus ( - ) only � isocws.isoc.org on a different set � You can ask for the specific type you want, or ask � No underscores ( _ ) � t1.isocws.isoc.org on another set for "any" RRs associated with the domain name Commonly seen RRs Simple example Possible results � A (address): map hostname to IP address � Query: www.tiscali.co.uk � Positive � PTR (pointer): map IP address to name � Query type: A � one or more RRs found � MX (mail exchanger): where to deliver mail for � Result: � Negative user@ domain � definitely no RRs match the query www.tiscali.co.uk. IN A 212.74.101.10 � Server fail � CNAME (canonical name): map alternative � cannot contact anyone who knows the answer hostname to real hostname � In this case just a single RR is found, but in � TXT (text): any descriptive text general, multiple RRs may be returned � NS (name server), SOA (start of authority): used � IN is the "class" for INTERNET use of the DNS for delegation and management of the DNS itself
How do you use an IP address as Any questions? DNS is a Client-Server application the key for a DNS query? � Convert the IP address to dotted-quad � (Of course - it runs across a network) � Reverse the four parts � Requests and responses are normally sent in UDP � Add ".in-addr.arpa" to the end (special domain packets, port 53 � Occasionally uses TCP, port 53 reserved for this purpose) � e.g. to find name for 212.74.101.10 � for very large requests, e.g. zone transfer from master ? to slave 10.101.74.212.in-addr.arpa. � PTR www.tiscali.co.uk. � Known as a "reverse DNS lookup" � because we are looking up the name for an IP address, rather than the IP address for a name There are three roles involved in Three roles in DNS Three roles in DNS DNS � RESOLVER � The SAME protocol is used for resolver ↔ cache � Takes request from application, formats it into UDP Application packet, sends to cache and cache ↔ authoritative NS communication � CACHING NAMESERVER e.g. web browser � It is possible to configure a single nameserver as � Returns the answer if already known both caching and authoritative � Otherwise searches for an authoritative server which � But if still performs only one role for each Caching Authoritative Resolver has the information Nameserver Nameserver incoming query � Caches the result for future queries � Common but NOT RECOMMENDED to � Also known as RECURSIVE nameserver � AUTHORITATIVE NAMESERVER configure in this way (see later) � Contains the actual information put into the DNS by the domain owner
How does the resolver find a How do you choose which cache(s) ROLE 1: THE RESOLVER caching nameserver? to configure? � A piece of software which formats a DNS request � It has to be explicitly configured (statically, or via � Must have PERMISSION to use it � e.g. cache at your ISP, or your own into a UDP packet, sends it to a cache, and DHCP etc) � Prefer a nearby cache � Must be configured with the IP ADDRESS of a decodes the answer � Usually a shared library (e.g. libresolv.so � Minimises round-trip time and packet loss cache (why not name?) � Can reduce traffic on your external link, since often the � Good idea to configure more than one cache, in under Unix) because so many applications need it cache can answer without contacting other servers � EVERY host needs a resolver - e.g. every case the first one fails � Prefer a reliable cache Windows workstation has one � Perhaps you can run one better than your ISP? Resolver can be configured with Example: Unix resolver Testing DNS default domain(s) configuration � /etc/resolv.conf � If "foo.bar" fails, then retry query as � Just put "www.yahoo.com" in a web browser? � Why is this not a good test? "foo.bar.mydomain.com" search tiscali.co.uk � Can save typing but adds confusion nameserver 212.74.112.66 � May generate extra unnecessary traffic nameserver 212.74.112.67 � Usually best avoided � That's all you need to configure a resolver
# dig www.gouv.bj. a ; <<>> DiG 9.3.0 <<>> www.gouv.bj a ;; global options: printcmd Testing DNS with "dig" The trailing dot ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2462 dig tiscali.co.uk. ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 4 ;; QUESTION SECTION: ;www.gouv.bj IN A � "dig" is a program which just makes DNS queries � Prevents any default domain being appended ;; ANSWER SECTION: � Get into the habit of using it always when testing and displays the results www.gouv.bj. 86400 IN CNAME waib.gouv.bj. waib.gouv.bj. 86400 IN A 81.91.232.2 � Better for debugging than "nslookup" and "host" DNS ;; AUTHORITY SECTION: � but only on domain names, not IP addresses or E-mail because it shows the raw information in full gouv.bj. 86400 IN NS rip.psg.com. gouv.bj. 86400 IN NS ben02.gouv.bj. addresses gouv.bj. 86400 IN NS nakayo.leland.bj. dig tiscali.co.uk. gouv.bj. 86400 IN NS ns1.intnet.bj. - defaults to query type "A" ;; ADDITIONAL SECTION: dig tiscali.co.uk. mx ben02.gouv.bj. 86400 IN A 81.91.232.1 nakayo.leland.bj. 18205 IN A 81.91.225.1 - specified query type ns1.intnet.bj. 18205 IN A 81.91.225.18 dig @212.74.112.66 tiscali.co.uk. mx rip.psg.com. 160785 IN A 147.28.0.39 - send to specific cache ;; Query time: 200 msec (overrides /etc/resolv.conf) ;; SERVER: 212.74.112.67#53(212.74.112.67) ;; WHEN: Tue Dec 28 19:50:01 2004 ;; MSG SIZE rcvd: 237 Interpreting the results: header Interpreting the results Practical Exercise � STATUS � Answer section (RRs requested) � Configure Unix resolver � Issue DNS queries using "dig" � NOERROR: 0 or more RRs returned � Each record has a Time To Live (TTL) � NXDOMAIN: non-existent domain � Says how long the cache will keep it � Use tcpdump to show queries being sent to cache � SERVFAIL: cache could not locate answer � Authority section � FLAGS � Which nameservers are authoritative for this domain � Additional section � AA: Authoritative answer (not from cache) � You can ignore the others � More RRs (typically IP addresses for authoritative NS) � QR: Query or Response (1 = Response) � Total query time � RD: Recursion Desired � Check which server gave the response! � RA: Recursion Available � ANSWER: number of RRs in answer � If you made a typing error, the query may go to a default server
Recommend
More recommend
