Understanding DHCP and DNS (Cisco - 2003)

8/14/2019 Understanding DHCP and DNS (Cisco - 2003)

1/40

Copyright 2002, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr

111 2003, Cisco Systems, Inc. All rights reserved.NMS-11017969_05_2003_c2


Understanding DHCP and DNS

Session NMS-1101


2/40



Agenda

Introduction to Names and Addresses

Managing Addresses with DHCP

Hierarchy and Topology

Assignment and Reliability

Resolving Names with DNS

Protocol

DatabaseReliable Operation

New Things


128 64 32 16 8 4 2 1

0 00 01 100 00 10 000100 000000 0 0 0 0 0001

128 9 0 33

128 64 32 16 8 4 2 1128 64 32 16 8 4 2 1128 64 32 16 8 4 2 1

Address Review

IPv4 address 32 bits

Decimal, 8-bit fields, period separation

128.9.0.33 IPv6 address 128 bits

Hexadecimal, 16-bit fields, colon separation

2001:0DB8:0000:0001:02A0:C9FF:FE61:1216


3/40



Address Hierarchy and Naming

Addresseshave a topological hierarchy

Nameshave a logical hierarchy

not necessarily aligned with each other

mylaptop.myenterprise.com 192.168.1.1

yourlaptop.yourenterprise.com192.168.1.2


Address 128.9.0.33

Mask 255.255.255.0

Subnet Mask

Mask separates network (1)from host (0) part of the address

Prefix (longest match) routingcontiguous 1 bits to the left

0 00 01 100 00 10 000100 000000 0 0 0 0 0001

1 01 11 011 11 00 000111 111111 1 1 1 1 0111


4/40



Subnets

Each range of addresses for hosts

defines a subnet e.g. 128.9.0.0/24

24 is the number of 1 in mask, bits in network address

32-24=8 is the number of bits in host address

Within the subnet, hosts communicate directly,

using layer 2

Special meaning for certain host addresses

All-onesbroadcast

All-zeronetwork


Address Selection

A subnet is assigned to aphysical network (link)

Hosts on that network getunique address from thesubnet

Consequences:

Host gets initial addressbased on location

Host must change addressafter moving to new network

192.168.1.0192.168.1.0

192.168.2.0192.168.2.0

192.168.2.1192.168.2.1

192.168.1.1192.168.1.1


5/40



Special Addresses

MulticastIPv4224-239.d.d.d [RFC 2365]IPv6FFxx:x:x:x:x:x:x:x

Anycast [RFC 1546]Unicast, but with multiple advertisers

Site-localIPv410/8, 172.16/12, 192.168/16 [RFC 1918]IPv6FEC0:0:0::

Link-localIPv4: 169.254/16

IPv6: FE80:0:0:0: Loopback

IPv4: 127.0.0.1IPv6: 0:0:0:0:0:0:0:1 (::1)


.

.com

.edu

.net

.se

.uiuc

.unm

.umd.cs

.ncsa

.chem

Name Hierarchy

Independent of address hierarchy

Names length not limited by address size(63 bytes/label, 255 bytes/FQDN)


6/40



Agenda



Protocol



Protocol

Database

Reliable Operation

New Things


DHCP Basics

Ideal administratorDHCP server actsas proxy for network administrator

Assignment is temporaryaddress isassigned with a lease

Addresses can be reassigned when no

longer in use Backup for reliability


7/40



How DHCP Works:Obtaining an Address

Server dynamically assignsIP address on demand

Administrator creates poolsof addresses available forassignment to hosts

Address is assigned withlease time

Client can extend lease

time dynamically

Server can reassignaddress after leaseexpires

DHCP delivers otherconfiguration

information in options

Here is Your Configuration:

IP Address: 192.204.18.7Subnet Mask: 255.255.255.0Default Routers: 192.204.18.1, 192.204.18.3DNS Servers: 192.204.18.8, 192.204.18.9Lease Time: 5 days

Here is Your Configuration:IP Address: 192.204.18.7Subnet Mask: 255.255.255.0Default Routers: 192.204.18.1, 192.204.18.3DNS Servers: 192.204.18.8, 192.204.18.9Lease Time: 5 days

DHCPServer

DHCPClient

Send MyConfiguration

Information


(Broadcast)

Server 1 Client Server 2

OFFER-1

DISCOVER

(Broadc

ast)DISCOV

ER

REQUEST-2REQUES

T-2

OFFER-

2

ACK

(Unicast

)

(Unicas

t)

(Broadc

ast)

(Unicast)

(Broadcast)

How DHCP Works: Message Exchange DHCP client

broadcastsDISCOVER packeton local subnet

DHCP servers sendOFFER packet withlease information

DHCP client selects

lease and broadcastsREQUEST packet

Selected DHCP serversends ACK packet


8/40



DHCP Server161.44.54.7

DHCP Server161.44.55.8

DHCPClient

DHCPPacket

DHCPPacket

GIADDR

Physical Network161.44.18.0/24

Physical Network161.44.18.0/24

161.44.18.1161.44.18.1

Router with DHCP RelayInterface Ethernet 0

ip helper 161.44.54.7ip helper 161.44.55.8

DHCP Relay: Centralized DHCP Service

DHCP clients broadcastsa DISCOVER packet

DHCP relay (ip helper address)on the router hears theDISCOVER packet and forwards(unicast) the packet to theDHCP server

DHCP relay fills in theGIADDR field with IPaddress of the receivinginterface of router

DHCP relay can be configuredto forward the packet to multiple

DHCP servers; client will choosethe best server

DHCP servers use GIADDRfield of DHCP packet as an indexin to the list of address pools


DHCP Options for Applications

Options are registeredwith IANA

Service LocationProtocol (SLP)[RFC 2610]

Novell directoryservices [RFC 2241]

Time, NIS,TCP and IPparameters[RFC 2131]

DHCPServer

DHCPServer

NTPServer

NTPServer

DHCPClient


9/40



Agenda



Protocol



Protocol

Database

Reliable Operation

New Things


DHCP Reliability

Multiple servers with split address pools

Failover

Draft based on our (Cisco) design

Two servers can share address pools and

continue to operate if one fails


10/40



DHCP Safe Failover Protocol

All DHCP requests aresent to both servers

Primary updates backupwith lease information

Backup takes over

when primary fails

Backup serveruses dedicated poolof addresses allocatedby the primary toprevent duplicate IP address

Servers synchronizewhen primary is up

IETF Internet draftdraft-ietf-dhc-failover-12.txt

Primary Address Pool

172.16.18.101-200

Primary Address Pool

172.16.18.101-200

Primary DHCPServer

Backup DHCPServer

Backup Address Pool

172.16.18.191-200

Backup Address Pool

172.16.18.191-200


Transaction ID (XID)Transaction ID (XID)

OP CodeOP CodeHardware

Type

HardwareType

HardwareLength

HardwareLength

HOPSHOPS

Your IP Address (YIADDR)Your IP Address (YIADDR)

SecondsSeconds

Client IP Address (CIADDR)Client IP Address (CIADDR)

Server IP Address (SIADDR)Server IP Address (SIADDR)

Gateway IP Address (GIADDR)Gateway IP Address (GIADDR)

FlagsFlags

Server Name (SNAME)64 bytesServer Name (SNAME)64 bytes

Filename128 bytesFilename128 bytes

DHCP OptionsDHCP Options

Client Hardware Address (CHADDR)16 bytesClient Hardware Address (CHADDR)16 bytes

How DHCP Works: DHCP Packet


11/40



Summary

DHCP

Questions?


Agenda


Managing Addresses with DHCPProtocol


Resolving Names with DNSProtocol


New Things


12/40



Domain Name Service

DNS is a database

And the protocol to access it

Distinctive features:

Design for look-up queries

Replicated content

Distributed control (zones)


DNS Servers and Resolvers

Application connects by name, the applicationgets the address from the resolver

Most applications use addresses in the orderprovided by the resolver

Internal OSInternal OS

Network ApplicationNetwork Application

DNS ResolverDNS Resolver

Address of

DNS Server

Address of

DNS ServerDHCP

Server

DHCP

Server

DNS

Server

DNS

Server


13/40



TCP and UDP Ports

Port 53 for both TCP and UDP

UDP for queries if small enough

TCP for zone transfer

Server can use source port of 53when forwarding


Redirection and Recursion

Redirection:Take your question down the hall

Recursion:Ill get back to you

Resolver sets recursion desired (RD),

server responds with recursion available(RA) through bits in the DNS header


14/40



A. 128.8.126.2A. 128.8.126.2

Root Name ServerIncluding .edu

.UMDName Server

cs.umd.eduName Server

LocalDNS

Server ringding.cs.umd.edu

DNS First Query

Clients (stub resolvers)query local DNS serverfor IP addresses (RD on)

Local server queries (RDoff) the root name serverand follows referrals untilit finds a server that hasthe answer

Local servers sendanswers back to theclients and cachethe answers

Q. IP Addressfor ringding.cs.umd.edu



DNS Subsequent Queries Clients (stub resolvers)

query local DNS serverfor IP addresses (RD on)

After the first time, theanswer is found in thecache

Local servers sendanswers back to the

clients and cache theanswers A. 128.8.126.2A. 128.8.126.2

LocalDNS

Server ringding.cs.umd.edu



Root Name ServerIncluding .edu

.UMDName Server

cs.umd.eduName Server


15/40



Caching and Forwarders

Caching is controlled by the Time to Live

Negative caching (saving informationthat record doesnt exist) is required byRFC 2308

The minimum TTL parameter in the SOA(or the ttl of the SOA RR itself if it is lower)determines the TTL for caching negative

answers Sending a recursive query to a forwarder

builds a cache for the site


Time to Live

Changing host addresses

Reduce TTL prior to change

Then restore to manage the load

CNR dynamically updates DNS TTLwith 1/3 DHCP lease time


16/40



Agenda



Protocol



Protocol


New Things


Terminology

Label (name, owner)

Resource Record (type)

Value (encoded by type)


17/40



Record Format

[] []

VAXA.ISI.EDU. IN A 10.2.0.27

VAXA.ISI.EDU. IN A 128.9.0.33

Label RR-Type Value

Optional Fields:We Only Care About Class=IN (Internet)ttl Will Get Attention Later


Address Examples

Label RR-Type Value

In Standardized Format for ZoneDescription, Empty Label Is the Same

as Previous Line

VAXA.ISI.EDU. A 10.2.0.27

A 128.9.0.33


18/40



IP Version 6

AAAA resource records defined in RFC3152

v6host.example.com. AAAA 4321:0:1:2:3:4:567:89ab


Address and Canonical Name

A (address) resource record (RR)

The value is a 32 bit IPv4 address

CNAME

The value is the name of a new label

The value of a canonical name is not allowedto be the label of an CNAME record


19/40



EduEdu

WWW

UmdUmd

Lab

Chem

Faculty

Delegation Zone

Hierarchical name space

Each node in treerepresentsdomain/subdomain

Some subdomains aredefined as zones

Each zone has a primaryname server responsiblefor all lower nodes, butdelegation is to all

authoritative name servers

Resource Records (RR)can, but dont have to, bedefined for each node

Subordinate Zone


Delegation Records

Distributes database administration

Name Server (NS) RR

Refer in parent and child zone to authoritativename servers for child (delegated) zone

Zone Start of Authority (SOA) RR

Contain administrative information fordelegated zone, in delegated zone only


20/40



SRI.COM. NS KL.SRI.COM.

KL.SRI.COM. A 10.1.0.2

NS

Delegation: NS and Glue

NS Resource Record (RR)

Glue entries in parent zone when nameserver is in delegated zone


Delegation: SOA

[] [] SOA (

)

$ORIGIN ARPA.

@ IN SOA SRI-NIC.ARPA. HOSTMASTER.SRI-NIC.ARPA. (

45 ;serial (sequential)3600 ;refresh (1 hour regular check)

600 ;retry (10 minutes between check)

3600000 ;expire (42 days until refresh)

86400 ) ;minimum (a day)


21/40



Reverse DNS for IPv4 Addresses

Another hierarchy for in-addr.arpa.

Reverse the order in the label becausenames aggregate within suffixesrather than (address) prefixes

27.0.2.10.IN-ADDR.ARPA. PTR VAXA.ISI.EDU.

33.0.9.128.IN-ADDR.ARPA. PTR VAXA.ISI.EDU.

ARPA: Addressing and Routing Parameters Area


Reverse DNS for IPv6 addresses

Reverse DNS for IPv6 in IP6.ARPA

v6host.example.com. AAAA 4321:0:1:2:3:4:567:89ab

b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2

.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.IP6.ARPA.

PTR v6host.example.com.


22/40



For every IP address, there shouldbe a matching PTR record in thein-addr.arpa. domain.

Reverse Requirement

RFC 1912,Common DNS Operational and Configuration Errors


Reverse Complication

Address field separations not on dotteddecimal boundaries

Create CNAMEs in in-addr.arpa.

Parent creates labels:

0/25.1.2.10.in-addr.arpa. IN NS ns.example.com.

13.1.2.10 IN CNAME 13.0/25.1.2.10.in-addr.arpa.

Child create PTR:

13.0/25.1.2.10.in-addr.arpa. IN PTR foo.example.com.

Instead of PTR have CNAME to different labelwhich is in a zone already delegated to holderof IP-address


23/40



Records for Applications

MX

SRV

NAPTR


MX

Mail eXchange RR

Where the mail for the host is to be sent

Round-robin within equal preferences

Mailers send only to lower preference numbers

po2 is only allowed to send to po1 in example below

Name TTL Class MX Preference Target

BAZ.FOO.COM. MX 10 PO1.FOO.COM.

MX 20 PO2.FOO.COM.

MX 20 PO3.FOO.COM.


24/40



Wildcards

Special treatment for * in the label

Any name in the query matches,and the answer is synthesized

Most often used in mail exchange

Create problems with DNSSEC

FOO.COM. MX 10 RELAY.CS.NET.*.FOO.COM. MX 20 RELAY.CS.NET.


SRV

Generalize the MX idea

Find hosts offering service in a domain

Add structure to the name

Add fields to the RRspecializepriority and weight (replace preference)

Target must not be an alias (CNAME)

RFC 2782


25/40



SRV

Format of RR and Example

_Service._Proto.Name. SRV Priority Weight Port Target

_ldap._tcp.example.com. SRV 1 10 389 ldap1.example.com.

SRV 1 20 389 ldap2.example.com.


NAPTR

Naming Authority PoinTeR

Universal resource identifier

Regular expressions

Replacement strings

RFC 2915

Used for example in ENUM

ENUM is mapping from E.164 number to URIs


26/40



Agenda



Protocol



Protocol


New Things


Secondary Servers

Reliability depends on separation

Locationphysical and subnet

Independent fateseparate power

Separate administration if possible

RFC 2182best current practice


27/40



Replication

Transfer zone contents (AXFR)

Transfer controlled by serial numberand refresh parameters in SOA

Secondary query for SOA and compare serialnumber with what it already has. If serial ishigher, client will request a zone transfer.

This is repeated by client as specified inRefresh in SOA.


Replication Efficiency

Notify (new protocol operation) enablesprimary to inform secondary when zonehas changed [RFC 1996]

In reality, it informs client to set Refresh timerto zero, so client will restart new Refresh cycleimmediately

Incremental transfer (IXFR) sends justchanges to the zone [RFC 1995]


28/40



Agenda



Protocol



Protocol


New Things


Dynamic Update

Atomic update of RR-set

Base specificationRFC 2136

Secure versionRFC 3007

Created so that DHCP serversand clients can update DNS

http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html


29/40



Securing Queries

TSIG

Transaction SignatureRFC 2845

Secret-key hash of the transaction(HMAC-MD5) to the forwarder

Pseudo RR, not cached or saved

Only useful with local forwarders


Securing Zone Transfer

TSIG is used

Secondary servers have an administrativerelationship that can support secret keys

Dont need the overhead of public keys


30/40



TKEY

Transaction KEYnot stored

Use DNS to establish secret keysalternative to manual keys

Modes include

Diffie-Hellman

GSS-API

Server or Resolver assigned encrypted(encrypted using KEY RR)

RFC 2930


SIG(0)

Use DNS for client to authenticateto server

Authenticates the transaction

Public KEY in DNS

Private key in client RFC 2931


31/40



Securing Zone Contents

DNS security

Key RRdistributes publickeys for records

SIG RRauthenticates (signs) one RR set

NXT RRnext record enablesauthentication of non-existence

DS RRdelegation signer~key in parentwith which the child zone is signed

RFC 2535being revised


Deployment of DNS Security

Experimental only now

Trust depends on the entire pathfrom the resolver

Signing all the RRsets in large zones,

like .com, is an unresolved problem


32/40



Split DNS

External holds limited contents for public

Internal

Isolated clients query DNS serversconfigured as root

Internal (secondary) servers forward to

external caching server for other domains


Internal Root

DNS Server For Zone

Resolver

Query From

Outside

Query From

OutsideQuery From

Inside

Query From

Inside

InternalForwarder

Internal

Root


33/40



Internal Forwarding Server

External DNS Server

Internal DNS Server

Resolver

InternalForwarder

Internal

RootWith Recursion ONWith Recursion OFF


Load Sharing

Resolvers use addresses in the orderreceived, although the original conceptwas that they choose randomly

DNS server can rotate the order of the(multiple) addresses of a hostname to

distribute the load


34/40



Source-Dependent Answers

Return addresses in the order ofcloseness to the resolver

Same subnet is close, but requiresknowing the subnet mask

Can look into the routing structure

DNS support for content networking usesother metrics for which answer to give


Distributed Director

DD Server is authoritativenameserver for zone withname as webserver

When query arrives, DDserver verify with DRPagents which webserveris closest to client

DD server respond with

best IP-address

DD server can also doHTTP redirects inHTTP mode

DistributedDirector

Brussels

Web Server

InternetParis

User

Los Angeles

User

San JoseWeb Server


35/40



DRPDirector Response Protocol

Operates with routersin the field todetermine:

Client to servernetwork proximity

Client to server linklatency (RTT)

UDP-based

Client

Web

Server Distributed Director

DRP Agents

Web

Server

Internet


Anycast

Announce the same IP-address from multipleservers

Only works with UDP

Two versions:

Anycast inside anAS (ok)

Anycast where the same

AS is announced frommultiple sources(dangerous due tosecurity reasons) Client

130.237.222.71130.237.222.71


36/40



Boomerang

1. Content is distributed

2. Client query content router via local DNS Server

3. Content servers are told to respond to DNS query

4. Responses are sent back

5. First response arriving is closest

6. Client connect to that IP-address

Origin WebServer

Origin WebServer

ContentRouter

ContentRouter

Server LoadBalancer and

Content Servers


Content Servers

Local DNSServer

Local DNSServer


Content Servers


Content Servers


Content Servers


Content Servers

Server Load

Balancer andContent Servers

Server Load

Balancer andContent Servers


Summary

Addresses can be allocated automatically

DNS can support more than just name toaddress lookup

For more details: Sessions NMS-1301 and

NMS-1302


37/40



NMS-1001 Introduction to Network Management

NMS-1011 Principles of Fault Management

NMS-1021 Principles of Configuration Management

NMS-1031 Introduction to Collecting Traffic Accounting Information

NMS-1041 Introduction to Performance Management

NMS-1201 Improving Network Availability

NMS-2001 Network Troubleshooting Tools and Techniques

NMS-2021 Large Scale Deployment of CiscoWorks

NMS-2041 Performance Measurement with Cisco IOS

NMS-2051 Securely Managing Your Network

NMS-2102 Deploying and Troubleshooting NAT

NMS-2201 Deploying Highly Available Enterprise Networks

NMS-4031 Advanced NetFlow Accounting

NMS-4041 Adv. Perform. Mgmt. with Cisco Service Assurance Agent

Other Network Management Sessions


Recommended Reading

IP AddressingFundamentalsISBN: 1587050676

Available on-site at the Cisco Company Store


38/40



Please Complete YourEvaluation Form

Session NMS-1101

767676 2003, Cisco Systems, Inc. All rights reserved.NMS-11017969_05_2003_c2 767676 2003, Cisco Systems, Inc. All rights reserved.Session NumberPresentation_ID


39/40



Reverse Delegation

RFC 23172.3/12 CNAME xxx.IN-ADDR.ARPA

For delegation of

192.0.2.0/25 to organization A

192.0.2.128/26 to organization B

192.0.2.192/26 to organization C


Reverse Delegation Problem

$ORIGIN 2.0.192.in-addr.arpa.

;

1 PTR host1.A.domain.



;

129 PTR host1.B.domain.



;

193 PTR host1.C.domain.194 PTR host2.C.domain.

195 PTR host3.C.domain.


40/40


Reverse Delegation Solution

$ORIGIN 2.0.192.in-addr.arpa.

@ IN SOA my-ns.my.domain.

hostmaster.my.domain. (...)

;...

; /25

0/25 NS ns.A.domain.

0/25 NS some.other.name.server.

;

1 CNAME 1.0/25.2.0.192.in-addr.arpa.



; /26

128/26 NS ns.B.domain.

128/26 NS some.other.name.server.too.;





Reverse Delegation Solution (Cont.)

; /26

192/26 NS ns.C.domain.

192/26 NS some.other.third.name.server.

;




$ORIGIN 0/25.2.0.192.in-addr.arpa.

@ IN SOA ns.A.domain. hostmaster.A.domain. (...)

@ NS ns.A.domain.

@ NS some.other.name.server.

;




Documents

Understanding DHCP and DNS (Cisco - 2003)