
Chapter 16 – The Domain Name System (DNS)

Presented by Shari Holstege

Tuesday, June 18, 2002


What does DNS provide?

• A hierarchical namespace for hosts and IP addresses

• A host table implemented as a distributed database

• A “resolver” – library routines that query this database

• Improved routing for e-mail

• A mechanism for finding services on a network

• A protocol for exchanging naming information


BIND

• Berkeley Internet Name Domain System

• An implementation of DNS for UNIX

• Maintained by the Internet Software Consortium

• Has been ported to Windows NT


DNS Namespace

• There are two types of top-level domains (TLDs):

– Generic Top-Level Domains (gTLDs) such as com, org, and net describe organizational and political structure and are used primarily within the United States

– Country codes (ccTLDs) are used outside the United States


Naming Tree

• The forward-mapping branch maps hostnames to IP addresses and uses forward zone files.

• The reverse-mapping branch maps IP addresses back to hostnames and uses reverse zone files.


Domain Names

• Domain names are case insensitive.

• An Internet host’s fully qualified name is formed by appending its domain name to its hostname.

• Within the DNS system, fully qualified names are terminated by a dot, but this dot is generally hidden from ordinary users. Names without dots terminating them are relative addresses.


Components of BIND

• A daemon called named that answers queries

• Library routines that resolve host queries by contacting the servers of the DNS distributed database

• Command-line interfaces to DNS: nslookup, dig, and host


named

• It answers queries about hostnames and IP addresses

• If it does not know the answer to a query, it asks other servers and caches the response

• It performs “zone transfers” to copy data among the servers of a domain


Authoritative and Caching-only Servers

• Each zone has one master name server that keeps the official copy of the zone’s data on disk.

• A slave server gets its data from the master server through a “zone transfer” operation.

• A stub server is a slave that loads only the NS records from the master.

• A caching-only name server loads the addresses of the servers for the root domain from a startup file and accumulates the rest of its data by caching answers to the queries it resolves.


Recursive and Nonrecursive Servers

• If a nonrecursive server has the answer to a query cached from a previous transaction or is authoritative for the domain to which the query pertains, it provides the appropriate response. Otherwise, instead of returning the real answer, it returns a referral to the authoritative servers of another domain that are more likely to know the answer.

• A recursive server returns only real answers or error messages. It follows referrals itself, relieving the client of the responsibility.


Negative Caching

• Perhaps 60% of DNS queries are for non-existent data

• Negative caching saves answers of the following types:

– No host or domain matches the name queried

– The type of data requested does not exist for this host

– The server to ask is not responding

– The server is unreachable because of network problems


Resolver Configuration

• Each host on the network has a file called /etc/resolv.conf that lists the DNS servers the host should query.

• Format:

    search domainname . . .
    nameserver ipaddress

• Example:

    search cs.colorado.edu colorado.edu ee.colorado.edu
    nameserver 128.138.243.151 ; ns
    nameserver 128.138.204.4 ; piper
    nameserver 128.138.240.1 ; anchor
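As an added example (not from the slides), the following Python reads a resolv.conf like the one above: it parses the search list and nameservers, then shows how a relative name such as anchor is expanded against the search list while a dot-terminated name is taken as fully qualified. The comment handling and the final bare-name lookup are assumptions about resolver behaviour, not something the slide states.

```python
import re

# Constructed resolv.conf reproducing the slide's example; ";" starts a comment.
RESOLV_CONF = """\
search cs.colorado.edu colorado.edu ee.colorado.edu
nameserver 128.138.243.151 ; ns
nameserver 128.138.204.4 ; piper
nameserver 128.138.240.1 ; anchor
"""


def parse_resolv_conf(text):
    """Return (search_list, nameservers) from resolv.conf text."""
    search, nameservers = [], []
    for raw in text.splitlines():
        line = re.split(r"[;#]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "search":
            search = fields[1:]  # a later search line replaces an earlier one
        elif fields[0] == "nameserver":
            nameservers.append(fields[1])
    return search, nameservers


def candidate_names(name, search):
    """Names a stub resolver would try, in order, for a user-supplied name.

    A name ending in '.' is fully qualified and is tried exactly as given.
    A relative name gets each search domain appended in turn.  Assumption
    (not on the slide): the bare name is tried last, as a top-level name.
    """
    if name.endswith("."):
        return [name]
    return [f"{name}.{domain}." for domain in search] + [name + "."]
```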


Hardware Requirements

• BIND is a memory hog.

• IPv6 and DNSSEC in BIND 9 are CPU-intensive.

• To determine if a server has enough memory, let it run for a while and watch the size of the named process. It will take a week or two to converge on a stable size at which old cache records are expiring at about the same rate as new ones are being inserted.


Configuration Files

• The complete configuration for named consists of the config file, the hints file, and, for master servers, the zone data files that contain address mappings for each host.

• The configuration file specifies the role (master, slave, or stub) of this host relative to each zone and the way in which it should get its copy of the resource records that make up the local part of the database.


Statement Types in named.conf

• include – Interpolates a file (e.g., trusted keys readable only by named)

• options – Sets global name server configuration options and defaults

• server – Specifies per-server options

• key – Defines authentication information

• acl – Defines access control lists

• zone – Defines a zone of resource records


Statement Types in named.conf

• trusted-keys – Uses preconfigured keys

• controls – Defines channels used to control the name server with ndc

• logging – Specifies logging categories and their destinations

• view – Defines a view of the namespace (BIND 9 only)


DNS Database

• A set of text files maintained by the system administrator on the domain’s master name server

• Contain two types of entries:

– parser commands

– resource records (RRs)


Zone Records

• SOA – Start of Authority – Defines a DNS zone of authority

• NS – Name Server – Identifies zone servers, delegates subdomains


Basic Records

• A – IPv4 Address – Name-to-address translation

• AAAA – Original IPv6 address – Now obsolete – DO NOT USE

• A6 – IPv6 Address – Name-to-IPv6-address translation (V9 only)

• PTR – Pointer – Address-to-name translation

• DNAME – Redirection – Redirection for reverse IPv6 lookups (V9 only)

• MX – Mail Exchanger – Controls e-mail routing


Security Records

• KEY – Public Key – Public key for DNS name

• NXT – Next – Used with DNSSEC for negative answers

• SIG – Signature – Signed, authenticated zone


Optional Records

• CNAME – Canonical Name – Nicknames or aliases for a host

• LOC – Location – Geographic location and extent

• RP – Responsible Person – Specifies per-host contact info

• SRV – Services – Gives locations of well-known services

• TXT – Text – Comments or untyped information


Commands in Zone Files

• $ORIGIN domain-name – Sets the origin for relative filenames

• $INCLUDE filename – The specified file is read into the database at the point of the directive

• $TTL default-ttl – Sets a default value for the time-to-live field of the records that follow it

• $GENERATE lots-of-args – Provides a simple way to generate a series of similar records


Updating Zone Files

• When you make a change to a domain (such as adding or deleting a host):

– The data files on the master server must be updated

– You must increment the serial number in the SOA record for the zone

– Run ndc reload to signal named to pick up the changes
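An added Python example (not from the slides and not BIND's own code) of the first two steps, run on a constructed zone file for the assumed zone example.com.: it parses the zone while honouring the $ORIGIN and $TTL commands from the previous slide, then increments the SOA serial in place. It assumes single-line records plus one parenthesised SOA and ignores per-record TTLs; ndc reload remains a separate operational step.

```python
import re

# Constructed zone file for the assumed zone example.com. (not from the slides).
ZONE = """\
$TTL 3600
$ORIGIN example.com.
@       IN SOA ns.example.com. hostmaster.example.com. (
            2002061801 ; serial
            10800 3600 604800 3600 )
@       IN NS   ns
ns      IN A    192.0.2.1
www     IN A    192.0.2.2
"""

def qualify(name, origin):
    """'@' means the origin; a name without a trailing dot gets $ORIGIN appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (owner, ttl, type, rdata) tuples; folds a '( ... )' record onto one line."""
    origin, default_ttl, records = ".", None, []
    stripped = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    joined = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), stripped)
    for line in joined.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
        elif fields[0] == "$TTL":
            default_ttl = int(fields[1])
        else:
            owner, rest = qualify(fields[0], origin), fields[1:]
            if rest[0] == "IN":  # optional class; per-record TTLs are not handled here
                rest.pop(0)
            rtype, rdata = rest[0], rest[1:]
            if rtype in ("NS", "CNAME"):  # rdata is a name that may itself be relative
                rdata[-1] = qualify(rdata[-1], origin)
            records.append((owner, default_ttl, rtype, rdata))
    return records

def bump_serial(text):
    """Increment the SOA serial (the slide's second step); returns (new_text, new_serial)."""
    m = re.search(r"(SOA\s+\S+\s+\S+\s*\(?\s*)(\d+)", text)
    if not m:
        raise ValueError("no SOA serial found")
    serial = int(m.group(2)) + 1
    return text[:m.start(2)] + str(serial) + text[m.end(2):], serial
```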


Security Features in named.conf

• allow-query (options, zone) – Who can query a zone or server

• allow-transfer (options, zone) – Who can request zone transfers

• allow-update (zone) – Who can make dynamic updates

• blackhole (options) – Which servers to ignore completely

• bogus (server) – Which servers should never be queried

• acl (various) – Access control lists
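An added Python check (not from the slides and not BIND's own parser) of how these directives combine: values set in options are the defaults, a zone may override them, and every zone whose effective allow-transfer or allow-update ends up as any is reported. The named.conf text, the acl name and the zone names are constructed; the parser assumes balanced braces and no comments.

```python
import re
# Constructed named.conf (not from the slides): transfers are open in options, one zone locks them down.
NAMED_CONF = """\
acl "slaves" { 192.0.2.2; 192.0.2.3; };
options {
    allow-transfer { any; };
};
zone "open.example." {
    allow-update { any; };
};
zone "locked.example." {
    allow-transfer { slaves; };
    allow-update { none; };
};
"""

OPEN_TO_ANY = "open to any host"

def statements(text):
    """Yield (header, body) per top-level 'header { body };'; assumes balanced braces, no comments."""
    depth, start = 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                header = text[text.rfind(";", 0, start) + 1:start].strip()
                yield header, text[start + 1:i]

def acl_value(body, directive):
    """Return the address-match list given for a directive, or None if it is absent."""
    m = re.search(rf"{directive}\s*\{{([^}}]*)\}}", body)
    return [item.strip() for item in m.group(1).split(";") if item.strip()] if m else None

def audit(text):
    """Return (zone, directive, problem) findings; options-level values are the zone defaults."""
    defaults, findings = {}, []
    for header, body in statements(text):
        if header == "options":
            defaults = {d: acl_value(body, d) for d in ("allow-transfer", "allow-update")}
        elif header.startswith("zone"):
            zone = header.split()[1].strip('"')
            for d in ("allow-transfer", "allow-update"):
                value = acl_value(body, d) or defaults.get(d)  # zone overrides options
                if value == ["any"]:
                    findings.append((zone, d, OPEN_TO_ANY))
    return findings
```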


Transaction Signatures (TSIG)

• Developed by the IETF while DNSSEC was being specified

• Use a symmetric encryption scheme

• Use a shared-secret key that must be exchanged manually for every pair of servers that needs to communicate

• Not scalable to large networks


DNSSEC

• A set of DNS extensions that authenticate the origin of zone data and verify its integrity

• Uses public key cryptography

• Provides:

– Key distribution by means of KEY resource records stored in the zone files

– Origin verification for servers and data

– Verification of the integrity of zone data


Testing and Debugging

• named provides highly configurable logging. It is possible to select the severity and type of messages logged.

• nslookup queries the DNS database

• dig is similar to nslookup, but has more sensible defaults, provides more information, and has a nicer user interface

• host is similar to dig but less verbose