Copyright 2013 1
DNS
2013-07-19, DNS Summer Days 2013
JPRS
@OrangeMorishita
DNS
: 1965 9 21 47 :
7
1
DNS
RFC 2181
DNS Summer Days 2012
DNS
2
RFC 1034/1035
DNS Summer Days 2012
DNS
DNS
1.
2. referral
3. DNS
4.
DNS
DNS
dig DNS
dig
1.
jp example.jp
jp kr com org net
example.jp example2.jp example3.jp
www
DNS
DNS Summer Days 2012
DNS
dig DNS +norec dig BIND 9.9.0 +noedns
additional section EDNS0 OPT
$ dig +norec +noedns www.example.jp a @a.dns.jp
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
example.jp. 86400 IN NS ns1.example.jp.
;; ADDITIONAL SECTION:
ns1.example.jp. 86400 IN A 192.0.2.1
answer section flags aa answer section answer section 0
$ dig +norec +noedns www.example.jp a @a.dns.jp
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
example.jp. 86400 IN NS ns1.example.jp.
;; ADDITIONAL SECTION:
ns1.example.jp. 86400 IN A 192.0.2.1
authority section NS additional section NS
IP A/AAAA
$ dig +norec +noedns www.example.jp a @a.dns.jp
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
example.jp. 86400 IN NS ns1.example.jp.
;; ADDITIONAL SECTION:
ns1.example.jp. 86400 IN A 192.0.2.1
A/AAAA
additional section
NS A/AAAA authority section
NS
$ dig +norec +noedns www.example.jp a @a.dns.jp
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
example.jp. 86400 IN NS ns1.example.net.
;; ADDITIONAL SECTION:
ns1.example.net. 86400 IN A 192.0.2.1
NS
$ dig +norec +noedns www.example.jp a @a.dns.jp
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
example.jp. 86400 IN NS ns1.example.net.
;; ADDITIONAL SECTION:
ns1.example.net. 86400 IN A 192.0.2.1
ns1.example.net 192.0.2.1 a.dns.jp
alternic.net
$ dig +norec +noedns www.example.jp a @a.dns.jp
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
example.jp. 86400 IN NS ns1.example.net.
;; ADDITIONAL SECTION:
ns1.example.net. 86400 IN A 192.0.2.1
flags aa
$ dig +norec +noedns www.example.jp a @a.dns.jp
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
example.jp. 86400 IN NS ns1.example.jp.
;; ADDITIONAL SECTION:
ns1.example.jp. 86400 IN A 192.0.2.1
NS in-bailiwick name
$ORIGIN jp.
@ 86400 IN SOA
example.jp. 86400 IN NS ns1.example.jp.
1
$ORIGIN jp.
@ 86400 IN SOA
example.co.jp. 86400 IN NS ns1.example.ne.jp.

$ORIGIN jp.
@ 86400 IN SOA
example.jp. 86400 IN NS ns1.example.ne.jp.
2
$ORIGIN .
@ 86400 IN SOA
jp. 86400 IN NS a.dns.jp.

$ORIGIN .
@ 86400 IN SOA
com. 86400 IN NS a.gtld-servers.net.
$ORIGIN jp.
@ 86400 IN SOA
1 example.jp. 86400 IN NS ns1.example.jp.
2 example.jp. 86400 IN NS a.ns1.example.jp.
3 example2.jp. 86400 IN NS ns1.example.com.
4 example3.jp. 86400 IN NS ns1.example.jp.
5 example.co.jp. 86400 IN NS ns1.example.co.jp.
6 example.ne.jp. 86400 IN NS ns1.example.ad.jp.
7 example4.jp. 86400 IN NS ns1.example.or.jp.
$ORIGIN jp.
@ 86400 IN SOA
1 example.jp. 86400 IN NS ns1.example.jp.
2 example.jp. 86400 IN NS a.ns1.example.jp.
3 example2.jp. 86400 IN NS ns1.example.com.
4 example3.jp. 86400 IN NS ns1.example.jp.
5 example.co.jp. 86400 IN NS ns1.example.co.jp.
6 example.ne.jp. 86400 IN NS ns1.example.ad.jp.
7 example4.jp. 86400 IN NS ns1.example.or.jp.
1 23 4
56 7
NSNS
DNS
NSNS DNS
DNS BIND 9 NSD
DNS
A/AAAA
www.iij.ad.jp www.iij-ii.co.jp www.iij4u.or.jp A JP DNS
$ dig +norec +noedns www.iij.ad.jp a @a.dns.jp
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 4
;; QUESTION SECTION:
;www.iij.ad.jp. IN A
;; AUTHORITY SECTION:
iij.ad.jp. 86400 IN NS dns0.iij.ad.jp.
iij.ad.jp. 86400 IN NS dns1.iij.ad.jp.
;; ADDITIONAL SECTION:
dns0.iij.ad.jp. 86400 IN A 210.138.174.16
dns0.iij.ad.jp. 86400 IN AAAA 2001:240:bb41:8002::1:16
dns1.iij.ad.jp. 86400 IN A 210.138.175.5
dns1.iij.ad.jp. 86400 IN AAAA 2001:240:bb4c:8000::1:5
www.iij.ad.jp
www.iij-ii.co.jp
$ dig +norec +noedns www.iij-ii.co.jp a @a.dns.jp
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;www.iij-ii.co.jp. IN A
;; AUTHORITY SECTION:
iij-ii.co.jp. 86400 IN NS dns-b.iij.ad.jp.
iij-ii.co.jp. 86400 IN NS dns-c.iij.ad.jp.
www.iij4u.or.jp iij.ad.jp
$ dig +norec +noedns www.iij4u.or.jp a @a.dns.jp
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 4
;; QUESTION SECTION:
;www.iij4u.or.jp. IN A
;; AUTHORITY SECTION:
iij4u.or.jp. 86400 IN NS dns0.iij.ad.jp.
iij4u.or.jp. 86400 IN NS dns1.iij.ad.jp.
;; ADDITIONAL SECTION:
dns0.iij.ad.jp. 86400 IN A 210.138.174.16
dns0.iij.ad.jp. 86400 IN AAAA 2001:240:bb41:8002::1:16
dns1.iij.ad.jp. 86400 IN A 210.138.175.5
dns1.iij.ad.jp. 86400 IN AAAA 2001:240:bb4c:8000::1:5
DNS
DNSNS
1/2
additional section NSA/AAAA
authority section
NS
pseudo-glue
2/2
NS
DNS DNS
2. referral
referral
referral
referral DNS referral example.jp ns1.example.jp
$ dig +norec +noedns www.example.jp a @a.dns.jp
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
example.jp. 86400 IN NS ns1.example.jp.
;; ADDITIONAL SECTION:
ns1.example.jp. 86400 IN A 192.0.2.1
DNS
JP DNS ns1.example.com
DNS-OARC 2009: Upward Referrals Considered Harmful
NANOG 45: Upward Referrals Considered Harmful (Peter Losher)
Upward referrals: Upward Referrals Considered Harmful
Upward referrals
BIND 9 recursion no;
referral BIND 8
Upward referrals
$ dig +norec +noedns www.example.jp a @ DNS
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; AUTHORITY SECTION:
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
Upward referrals
referral
RFC 1034
4.3.1. Queries and responses
The way that the name server answers the query depends upon whether it is operating in recursive mode or not:
  The simplest mode for the server is non-recursive, since it can answer queries using only local information: the response contains an error, the answer, or a referral to some other server closer to the answer.
referral
Upward referrals DNS
DNS . IN NS 47 Upward referrals 256
ISPrime
Upward Referrals Considered Harmful
Upward referrals
BIND 9: additional-from-cache no; allow-query-cache { none; };
BIND 9
named.root
REFUSED
$ dig +norec +noedns www.example.jp a @ DNS
;; >>HEADER
Upward referrals
NSD
SERVFAIL PowerDNS
send-root-referral=no yes BIND 8 lean BIND 9
djbdns
DNS BIND 9
NOTIFY BIND 9
NOTIFY
IPBIND 9
BIND 9 named.conf NOTIFY
DNS BIND 9DNS
DNS
NS RRSet SOA MNAME NS
NOTIFY
BIND 9 NOTIFY
allow-transfer named.conf IP
DNS
DNS
BIND 9 NOTIFY
zone "example.jp" {
    ....
    // also-notify explicit IP NOTIFY
    notify explicit;
    // NOTIFY IP
    also-notify { 192.0.2.53; 198.51.100.53; };
};

zone "example.jp" {
    ....
    // NOTIFY NOTIFY
    // notify no; NOTIFY
    notify no;
};
3. DNS
RFC 2181
Clarifications to the DNS Specification DNS
5.4.1. Ranking data source
trustworthiness
AA answer authority additional
CNAME
RFC 2181 5.4.1. Ranking data
(most)
answer section
authority section
answer section / answer section
additional information / authority section / additional information
(least)
additional section = additional information
the least
NS authority section
A/AAAA additional information
BIND 9 NSD
BIND 8 answer section
$ dig +norec +noedns ns1.example.jp a @a.dns.jp
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
example.jp. 86400 IN NS ns1.example.jp.
;; ADDITIONAL SECTION:
ns1.example.jp. 86400 IN A 192.0.2.1
DNS DNSNS
answer section
increase
DNS
NS/ NS/A NS/
NA/A NS/
NSNS
DNS
NS/ NS/A NS/A NS/
4.
2008
*1 1 2
DNS 3
*1 BIND (Kaminsky Bug)
1
Web
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;(random).example.jp. IN A
;; ANSWER SECTION:
(random).example.jp. 86400 IN A ( IP )
;; AUTHORITY SECTION:
(random).example.jp. 86400 IN NS www.example.jp.
;; ADDITIONAL SECTION:
www.example.jp. 86400 IN A 192.0.2.234 ( )
2
Web
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;(random).example.jp. IN A
;; ANSWER SECTION:
(random).example.jp. 86400 IN A ( IP )
;; AUTHORITY SECTION:
example.jp. 86400 IN NS www.example.jp.
;; ADDITIONAL SECTION:
www.example.jp. 86400 IN A 192.0.2.234 ( )
3
DNS p.298
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;(random).www.example.jp. IN A
;; ANSWER SECTION:
(random).www.example.jp. 86400 IN A ( IP )
;; AUTHORITY SECTION:
www.example.jp. 86400 IN NS www.example.jp.
;; ADDITIONAL SECTION:
www.example.jp. 86400 IN A 192.0.2.234 ( )
1 2 authority section
1: (random).example.jp NS
2: example.jp NS
1 2 3 /answer section
1/2: (random).example.jp A
3: (random).www.example.jp A
authority section 1/2: 3: www.example.jp NS
1/2 additional information
BIND 9
2786. [bug] Additional could be promoted to answer. [RT #20663]
3 authority section additional information
www.example.jp
answer section
authority section additional information
answer section
DNS
192.0.2.234 DNS
DNS DNS
answer section
5.4.1. Ranking data
(most)
answer section
authority section
answer section / answer section
additional information / authority section / additional information
(least)
3
1/2
3
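As an added example (not code from the slides), the RFC 2181 section 5.4.1 ranking together with an in-bailiwick filter, applied resolver-side to the pattern 2 response shown above, with a switch that reproduces the "additional promoted to answer" defect from the BIND changelog entry quoted earlier; the record layout, the rank numbers, the equal-rank policy, the random label and the addresses 192.0.2.10 and 203.0.113.7 are this example's assumptions.

```python
from collections import namedtuple

RR = namedtuple("RR", "name rtype rdata")
Response = namedtuple("Response", "aa answer authority additional")

# RFC 2181 5.4.1 ranking, condensed to data taken from a response (zone-file and
# zone-transfer data are out of scope). Higher is more trustworthy.
def rank(section, aa):
    if section == "answer":
        return 4 if aa else 2
    if section == "authority":
        return 3 if aa else 1
    return 1  # additional information: the least trustworthy group

def in_bailiwick(name, zone):
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def cache_response(cache, resp, zone, promote_additional=False):
    # Merge resp into cache {(name, type): (rdata, rank)}: out-of-bailiwick names
    # are dropped and a new RRSet replaces a cached one only if its rank is at
    # least as high (equal-rank policy assumed here). promote_additional=True
    # mimics BIND changelog entry 2786: additional data ranked as answer data.
    for section, rrs in (("answer", resp.answer), ("authority", resp.authority),
                         ("additional", resp.additional)):
        if promote_additional and section == "additional":
            section = "answer"
        r = rank(section, resp.aa)
        for rr in rrs:
            if not in_bailiwick(rr.name, zone):
                continue
            key = (rr.name.lower(), rr.rtype)
            if r >= cache.get(key, (None, 0))[1]:
                cache[key] = (rr.rdata, r)
    return cache

def answer_from_cache(cache, name, rtype):
    # Rank-1 data may be used as additional information but never as an answer.
    rdata, r = cache.get((name.lower(), rtype), (None, 0))
    return rdata if r > 1 else None

# Constructed: genuine www.example.jp address already cached from an
# authoritative answer (rank 4); 192.0.2.10 is a placeholder.
GOOD = {("www.example.jp.", "A"): ("192.0.2.10", 4)}
# Pattern 2 from the slides; the random label and the answer IP are constructed.
PATTERN2 = Response(aa=True,
    answer=(RR("xyz123.example.jp.", "A", "203.0.113.7"),),
    authority=(RR("example.jp.", "NS", "www.example.jp."),),
    additional=(RR("www.example.jp.", "A", "192.0.2.234"),))

def poisoned(promote_additional):
    # What the resolver answers for www.example.jp/A after taking in pattern 2.
    cache = cache_response(dict(GOOD), PATTERN2, "example.jp.", promote_additional)
    return answer_from_cache(cache, "www.example.jp.", "A")
```

With ranking applied, the additional-section A for www.example.jp never displaces the cached authoritative address; with the promotion defect it does.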
RFC 2181
RFC 2181
Q&A