Domain Name System
History of DNS

Before DNS (ARPAnet)
- A single file, HOSTS.TXT, contained every host's information
- Maintained by SRI's Network Information Center (SRI-NIC) on one host
- Problems: not scalable (traffic and load concentrated on one host), name collisions, inconsistent copies

Domain Name System
- Decentralized administration
- Paul Mockapetris (USC / Information Sciences Institute): RFC 882 and 883 (1983) and RFC 973 (1986), replaced by RFC 1034 and 1035 (1987)
- RFC 1034, Concepts and facilities; updated by RFC 4033, 4034, 4035, 4343
- RFC 1035, Implementation and specification; updated by RFC 3658, 4033, 4034, 4035, 4343, 6604
- ARPA: Advanced Research Projects Agency (ARPAnet: its network); SRI: Stanford Research Institute, Menlo Park, California
- See also: RFC Sourcebook
DNS Introduction – DNS Specification
- The domain name system is a distributed database: each site maintains its own segment and publishes it over the network
- Client-server architecture: name servers provide the information, resolvers (clients) send the queries
- Tree-structured namespace: each subtree is a "domain", and a domain can be divided into "subdomains"
DNS Introduction – Domain and Subdomain
- The DNS namespace is a tree of domains (domains and subdomains)
- Each domain has a "domain name" that identifies its position in the database
- Example: nctu.edu.tw is a domain; cs.nctu.edu.tw is a subdomain of it
DNS Introduction – Delegation
- Administrative delegation: each domain can delegate responsibility for a subdomain to another organization
- ICANN: Internet Corporation for Assigned Names and Numbers
- NSI: Network Solutions, Incorporated
- https://archive.icann.org/en/nsi/
- https://en.wikipedia.org/wiki/Network_Solutions
DNS Introduction – Administered Zone
- A zone is an autonomously administered piece of the namespace
- Once a subdomain becomes its own zone, it is administered independently of its parent (the parent only keeps the NS records that delegate it)
DNS Introduction – Implementations of DNS
- JEEVES: written by Paul Mockapetris for DEC's TOPS-20 operating system
- BIND (Berkeley Internet Name Domain): written by Kevin Dunlap for 4.3BSD UNIX
The DNS Namespace (1)
- An inverted (rooted) tree; the root has the empty label, written "."
- Domain levels: top-level (first-level) domains are children of the root; second-level domains are children of a top-level domain
- Domain name limits: at most 63 characters per label (component) and at most 255 characters in a complete name
- Example TLD entry: .edu, education, operated by Educause (registry services via Verisign)
The DNS Namespace (2)
Kinds of top-level domains:
- infrastructure top-level domain (arpa)
- generic top-level domains (gTLD)
- restricted generic top-level domains (grTLD)
- sponsored top-level domains (sTLD)
- country-code top-level domains (ccTLD)
- internationalized country-code top-level domains (IDN ccTLD): ccTLDs in non-Latin scripts (e.g., Arabic, Cyrillic, Hebrew, Chinese)
- test top-level domains (tTLD)
- geographic top-level domains
- https://en.wikipedia.org/wiki/Top-level_domain
- https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains
The DNS Namespace (3)
gTLDs (generic top-level domains), including:
- com: commercial organizations, such as ibm.com
- edu: educational organizations, such as purdue.edu
- gov: (US) government organizations, such as nasa.gov
- mil: (US) military organizations, such as navy.mil
- net: network infrastructure providers, such as hinet.net, twnic.net
- org: non-commercial organizations, such as x11.org
- int: international organizations, such as nato.int
- https://zh.wikipedia.org/wiki/通用頂級域
- https://en.wikipedia.org/wiki/Generic_top-level_domain
- ICANN: Internet Corporation for Assigned Names and Numbers
The DNS Namespace (4)
New gTLDs approved by ICANN in 2000 (launched 2001-2002):
- aero: air-transport industry
- biz: business
- coop: cooperatives
- info: unrestricted use
- museum: museums
- name: individuals
- pro: professionals
- https://en.wikipedia.org/wiki/Top-level_domain
The DNS Namespace (5)
Sponsored top-level domains (sTLD) and their sponsors:
- .aero: SITA
- .asia: DotAsia Organisation
- .cat: Fundació puntCat
- .coop: DotCooperation LLC
- .int: IANA
- .jobs: Society for Human Resource Management
- .mobi: dotMobi
- .museum: Museum Domain Management Association
- .post: Universal Postal Union
- .tel: Telnic Ltd.
- .travel: Tralliance Corporation
- .xxx: ICM Registry
- https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains
The DNS Namespace (6)
- Outside the US, countries use ccTLDs (country-code TLDs, from ISO 3166): Taiwan tw, Japan jp
- A ccTLD may or may not follow the US-style second-level scheme
  - US-like scheme: edu.tw, com.tw, gov.tw
  - Other scheme: co.jp, ac.jp
- https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains
- https://en.wikipedia.org/wiki/Top-level_domain
- https://en.wikipedia.org/wiki/Generic_top-level_domain
The DNS Namespace (7)
Zone
- An autonomously administered piece of the namespace
- Two kinds of zone files:
  - Forward zone files: hostname-to-address mapping, e.g.
      bsd  IN  A  (address)
  - Reverse zone files: address-to-hostname mapping under in-addr.arpa (IPv4) or ip6.arpa (IPv6), e.g.
      …in-addr.arpa.  IN  PTR  bsd1.cs.nctu.edu.tw.
BIND
BIND, the Berkeley Internet Name Domain system; main versions:
- BIND 4: released in the 1980s, based on RFC 1034 and 1035
- BIND 8: released in 1997; improvements in efficiency, robustness and security
- BIND 9: released in 2000, a rewrite; enhancements include multiprocessor support, DNSSEC, IPv6 support
- BIND 10: announced as the next generation of BIND (modularity, customizability, clustering, integration with customer workflows, resilience, runtime control); https://www.isc.org/bind10/project (ISC stopped developing BIND 10 in 2014; BIND 9 remains the supported line)

delphij: hmm... bind 4 was a disaster, bind 8 lived too long, bind 9 is a rewrite, what about bind 10 XD
BIND – components
Three major components:
- named: the daemon that answers DNS queries
- Library routines: resolver routines that look up hosts by contacting the servers of the DNS distributed database, e.g. res_query, res_search, etc.
- Command-line interfaces to DNS, e.g. nslookup, dig, host
BIND – named (1)
Categories of name servers
- Based on the server's source of data
  - Authoritative: the official representative of a zone
    - Master (primary): loads zone data from disk
    - Slave (secondary): copies zone data from the master via zone transfer
  - Nonauthoritative: answers from cache
    - Caching: caches data from previous queries
- Based on the type of data saved
  - Stub: a slave that copies only the name server (NS and glue) data, not the host data
- Based on the type of answers handed out
  - Recursive: performs the whole query for you until it returns an answer or an error
  - Nonrecursive: refers you to the authoritative server
- Based on the query path
  - Forwarder: performs queries on behalf of many clients and keeps a large cache
BIND – named (2)
Recursive query process
- Example: vangogh.cs.berkeley.edu queries lair.cs.colorado.edu through its local name server ns.cs.colorado.edu, which has no cached data; the local server walks the tree (root, edu, colorado.edu, cs.colorado.edu) on the client's behalf and returns the final answer
BIND – named (3)
Nonrecursive referral
- Hierarchical referral to the longest known domain: the server answers with the name servers of the closest enclosing zone it has cached (with their addresses)
- Example: querying lair.cs.colorado.edu at a nonrecursive server; the referral depends on whether the cache holds the name servers of cs.colorado.edu, colorado.edu, edu, or only the root
- Most resolver libraries do not understand referrals; they expect the local name server to be recursive
BIND – named (4)
Caching
- Positive cache: answers to successful queries
- Negative cache (RFC 2308): remembers that
  - no host or domain matches the queried name (NXDOMAIN)
  - the name exists but has no data of the requested type (NODATA)
  - the server to ask is not responding
  - the server is unreachable because of a network problem
- A large share of DNS queries fail (the slide cites 60%); to reduce the load on the root servers, authoritative negative answers must be cached too (the negative TTL is the SOA "minimum" field)
BIND – named (5)
Root name servers
- Listed in BIND's root hint file named.root (/usr/local/etc/namedb/named.root); a current root zone copy (root.slave) can be transferred from F.ROOT-SERVERS.NET.
- The file holds an NS record for the root naming each of A.ROOT-SERVERS.NET. through M.ROOT-SERVERS.NET., plus their A and AAAA addresses. The AAAA records visible on the slide (two snapshots of the file):
    A.ROOT-SERVERS.NET.  2001:503:ba3e::2:30
    B.ROOT-SERVERS.NET.  2001:500:84::b
    C.ROOT-SERVERS.NET.  2001:500:2::c
    D.ROOT-SERVERS.NET.  2001:500:2d::d
    F.ROOT-SERVERS.NET.  2001:500:2f::f
    H.ROOT-SERVERS.NET.  2001:500:1::803f:235 (older file), 2001:500:1::53 (newer file)
    I.ROOT-SERVERS.NET.  2001:7fe::53
    J.ROOT-SERVERS.NET.  2001:503:c27::2:30
    K.ROOT-SERVERS.NET.  2001:7fd::1
    L.ROOT-SERVERS.NET.  2001:500:9f::42
    M.ROOT-SERVERS.NET.  2001:dc3::35
- The hint file is only used at startup to find one working root server; named then asks the root for the current NS set ("priming"), so an outdated hint file still works as long as at least one listed address is still valid
BIND – named (6)
How to arrange your DNS servers? (example diagram)
The DNS Database
- A set of text files maintained and stored on the domain's master name server
- Two types of entries:
  - Resource Records (RR): the real content of the DNS database
  - Parser commands: directives that modify or manage how the RR data is read
The DNS Database – Parser Commands
Commands must start in the first column and be on a line by themselves
- $ORIGIN domain-name: appended to names that are not fully qualified (no trailing dot)
- $INCLUDE file-name: splits a zone into logical pieces; also used to keep cryptographic keys in a file with restricted permissions
- $TTL default-ttl: default value for the time-to-live field of records
- $GENERATE start-stop/[step] lhs type rhs: generates a series of similar records; BIND 8 allowed only CNAME, PTR and NS, BIND 9 also accepts A, AAAA and DNAME
The DNS Database – Resource Record (1)
Basic format:
  [name] [ttl] [class] type data
- name: the entity that the RR describes
- ttl: time in seconds that this RR may stay valid in a cache
- class: network type; IN for Internet, CH for ChaosNet, HS for Hesiod
Special characters:
- ; comment
- @ the current origin (domain name)
- ( ) allow data to span lines
- * wildcard character (name field only)
The DNS Database – Resource Record (2)
Types of resource records (discussed below):
- Zone records, identifying domains and name servers: SOA, NS
- Basic records, mapping names to addresses and routing mail: A, PTR, MX
- Optional records, extra information about a host or domain: CNAME, TXT, LOC, SRV
The DNS Database – Resource Record (3)
The DNS Database – Resource Record (4)
SOA: Start Of Authority
- Defines a DNS zone of authority; each zone has exactly one SOA record
- Specifies the name of the zone, the technical contact and various timers
- Format:
    [zone] IN SOA [server-name] [administrator's mail] ( serial refresh retry expire minimum )
  - serial: version of the zone; it must increase on every change, otherwise slaves will not transfer the new data
  - refresh, retry, expire: how often a slave checks the master, how soon it retries after a failed check, and how long it keeps serving the zone when the master stays unreachable
  - minimum: in BIND 9 (RFC 2308) the negative-caching TTL; the default record TTL comes from $TTL
  - the mail address is written as a name: root.cs.nctu.edu.tw. means root@cs.nctu.edu.tw
- Reminder: ; starts a comment, @ is the current domain name, ( ) let data span lines, * is the wildcard
- Example:
    $TTL 3600
    $ORIGIN cs.nctu.edu.tw.
    @  IN  SOA  csns.cs.nctu.edu.tw.  root.cs.nctu.edu.tw. (
                 ; serial number
            1D   ; refresh time for slave servers
            30M  ; retry
            1W   ; expire
            2H ) ; minimum
The DNS Database – Resource Record (5)
NS: Name Server
- Identifies the authoritative servers for a zone; usually follows the SOA record
- Every authoritative name server should be listed both in the zone itself and in the parent zone's file (this is how delegation works), e.g. in both cs.nctu.edu.tw and nctu.edu.tw
- Example:
    $TTL 3600
    $ORIGIN cs.nctu.edu.tw.
    @  IN  SOA  csns.cs.nctu.edu.tw.  root.cs.nctu.edu.tw. (
                 ; serial number
            1D   ; refresh time for slave servers
            30M  ; retry
            1W   ; expire
            2H ) ; minimum
       IN  NS   dns.cs.nctu.edu.tw.
       IN  NS   dns2.cs.nctu.edu.tw.
The DNS Database – Resource Record (6)
A record: Address
- Maps a hostname to an IPv4 address (AAAA does the same for IPv6)
- Example:
    $ORIGIN cs.nctu.edu.tw.
    @     IN  NS  dns.cs.nctu.edu.tw.
          IN  NS  dns2.cs.nctu.edu.tw.
    dns   IN  A   (address)
    dns2  IN  A   (address)
    www   IN  A   (address)
The DNS Database – Resource Record (7)
PTR: Pointer
- Performs the reverse mapping from IP address to hostname
- Uses the special domain in-addr.arpa (ip6.arpa for IPv6), which builds a naming tree from the reversed address octets down to hostnames
- Example (reverse zone; the network part of the origin is omitted on the slide):
    $TTL 3600
    $ORIGIN <network>.in-addr.arpa.
    @  IN  SOA  cs.nctu.edu.tw.  root.cs.nctu.edu.tw. (
                 ; serial
            1D   ; refresh time for secondary servers
            30M  ; retry
            1W   ; expire
            2H ) ; minimum
       IN  NS   dns.cs.nctu.edu.tw.
       IN  NS   dns2.cs.nctu.edu.tw.
    $ORIGIN <network>.in-addr.arpa.
    (host octet)  IN  PTR  csmailgate.cs.nctu.edu.tw.
    (host octet)  IN  PTR  csns.cs.nctu.edu.tw.
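The following is an added example, not code from the slides: it builds the PTR owner names that the in-addr.arpa and ip6.arpa trees use (what dig -x queries), turns them into the relative names used under a reverse zone's $ORIGIN, and then checks that forward (A/AAAA) and reverse (PTR) data agree, which is the consistency problem that hand-maintained reverse zones usually suffer from. The sample records use documentation prefixes (192.0.2.0/24, 2001:db8::/32) and are constructed for the example; they are not the real cs.nctu.edu.tw data.

```python
import ipaddress

def reverse_name(address):
    """PTR owner name for an IPv4 or IPv6 address, i.e. what `dig -x` looks up.
    IPv4: octets reversed under in-addr.arpa.; IPv6: all 32 hex nibbles of the
    expanded address reversed, one label each, under ip6.arpa."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def relative_owner(address, origin):
    """Owner name relative to a reverse zone's $ORIGIN, e.g. '131' for
    192.0.2.131 in the zone 2.0.192.in-addr.arpa."""
    full = reverse_name(address)
    origin = origin if origin.endswith(".") else origin + "."
    if not full.endswith("." + origin):
        raise ValueError(f"{address} is not inside zone {origin}")
    return full[: -(len(origin) + 1)]

def check_fcrdns(forward, reverse):
    """Forward-confirmed reverse DNS check.  forward: hostname -> set of
    addresses (A/AAAA data); reverse: address -> PTR target.  Every address
    should have a PTR, and the PTR target should resolve back to that address.
    Returns a sorted list of human-readable problems (empty when consistent)."""
    problems, seen = [], set()
    for host, addrs in forward.items():
        for addr in addrs:
            seen.add(addr)
            ptr = reverse.get(addr)
            if ptr is None:
                problems.append(f"{addr}: no PTR record for {host}")
            elif addr not in forward.get(ptr, ()):
                problems.append(f"{addr}: PTR {ptr} does not resolve back to {addr}")
    for addr, ptr in reverse.items():
        if addr not in seen:
            problems.append(f"{addr}: PTR {ptr} but no forward record uses {addr}")
    return sorted(problems)

# Constructed sample data (documentation prefixes), including two typical
# mistakes: a stale PTR after a rename, and a PTR for an address nobody uses.
FORWARD = {
    "bsd1.cs.nctu.edu.tw.": {"192.0.2.131"},
    "bsd2.cs.nctu.edu.tw.": {"192.0.2.132", "2001:db8::132"},
    "www.cs.nctu.edu.tw.":  {"192.0.2.133"},
}
REVERSE = {
    "192.0.2.131":   "bsd1.cs.nctu.edu.tw.",
    "192.0.2.132":   "bsd2.cs.nctu.edu.tw.",
    "2001:db8::132": "bsd2.cs.nctu.edu.tw.",
    "192.0.2.133":   "bsd3.cs.nctu.edu.tw.",   # stale: host was renamed to www
    "192.0.2.134":   "bsd4.cs.nctu.edu.tw.",   # no forward record at all
}

if __name__ == "__main__":
    print(reverse_name("2001:db8::132"))
    for problem in check_fcrdns(FORWARD, REVERSE):
        print(problem)
```

Mail servers and many SSH/VPN gateways refuse or flag clients whose PTR does not resolve back to the connecting address, so running a check like check_fcrdns after every edit of the forward and reverse files catches the mismatch before it becomes a support ticket.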
The DNS Database – Resource Record (8)
MX: Mail exchanger
- Directs mail for a domain to a mail hub rather than to the recipient's own workstation; the lower the preference value, the more preferred the host
- Example:
    $TTL 3600
    $ORIGIN cs.nctu.edu.tw.
    @  IN  SOA  csns.cs.nctu.edu.tw.  root.cs.nctu.edu.tw. (
                 ; serial number
            1D   ; refresh time for slave servers
            30M  ; retry
            1W   ; expire
            2H ) ; minimum
       IN  NS   dns.cs.nctu.edu.tw.
       IN  NS   dns2.cs.nctu.edu.tw.
       IN  MX   5   csmx1.cs.nctu.edu.tw.
       IN  MX   5   csmx2.cs.nctu.edu.tw.
       IN  MX   10  csmx3.cs.nctu.edu.tw.
    csmx1  IN  A  (address)
    csmx2  IN  A  (address)
    csmx3  IN  A  (address)
The DNS Database – Resource Record (9)
CNAME: Canonical name
- Adds additional names (aliases) to a host
- CNAME chains can nest eight deep in BIND
- A name that owns a CNAME must not own any other record (RFC 1034), so the zone apex (which has SOA and NS) can never be a CNAME
- Example:
    www          IN  A      (address)
                 IN  A      (address)
    penghu-club  IN  CNAME  www
    King         IN  CNAME  www
    R            IN  A      (address)
    superman     IN  CNAME  r21601
The DNS Database – Resource Record (10)
TXT: Text
- Adds arbitrary text to a host's or domain's DNS records
- Example:
    $TTL 3600
    $ORIGIN cs.nctu.edu.tw.
    @  IN  SOA  csns.cs.nctu.edu.tw.  root.cs.nctu.edu.tw. (
                 ; serial number
            1D   ; refresh time for slave servers
            30M  ; retry
            1W   ; expire
            2H ) ; minimum
       IN  NS   dns.cs.nctu.edu.tw.
       IN  NS   dns2.cs.nctu.edu.tw.
       IN  TXT  "Department of Computer Science"
The DNS Database – Resource Record (11)
LOC: Location
- Describes the geographic location and physical size of a DNS object
- Format:
    name [ttl] IN LOC latitude longitude [altitude [size [hp [vp]]]]
  - latitude, longitude, altitude (above sea level)
  - size: diameter of the bounding sphere
  - hp: horizontal precision
  - vp: vertical precision
- Example (coordinates omitted on the slide):
    caida.org.  IN  LOC  (latitude) N  (longitude) W  107m 30m 18m 15m
The DNS Database – Resource Record (12)
SRV: Service
- Specifies the location of a service within a domain
- Format:
    _service._proto.name [ttl] IN SRV priority weight port target
  - lower priority is tried first; among equal priorities, weight sets the share of connections; a single record whose target is "." means the service is explicitly not offered
- Example (the numeric fields are omitted on the slide):
    ; don't allow finger
    _finger._tcp  SRV  (priority weight port)  .
    ; 1/4 of the connections to old, 3/4 to the new
    _ssh._tcp     SRV  (priority weight port)  old.cs.colorado.edu.
    _ssh._tcp     SRV  (priority weight port)  new.cs.colorado.edu.
    ; www server
    _http._tcp    SRV  (priority weight port)  (target)
                  SRV  (priority weight port)  new.cs.colorado.edu.
    ; block all other services
    *._tcp        SRV  (priority weight port)  .
    *._udp        SRV  (priority weight port)  .
[pschiu@bsd4 ~]$ dig SRV _http._tcp.update.freebsd.org

; <<>> DiG P3 <<>> SRV _http._tcp.update.freebsd.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2612
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 3, ADDITIONAL: 0
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;_http._tcp.update.freebsd.org. IN SRV

;; ANSWER SECTION:
_http._tcp.update.freebsd.org  IN SRV  update5.freebsd.org.
_http._tcp.update.freebsd.org  IN SRV  update3.freebsd.org.
_http._tcp.update.freebsd.org  IN SRV  update4.freebsd.org.
_http._tcp.update.freebsd.org  IN SRV  update6.freebsd.org.

;; AUTHORITY SECTION:
freebsd.org  IN NS  ns3.isc-sns.info.
freebsd.org  IN NS  ns2.isc-sns.com.
freebsd.org  IN NS  ns1.isc-sns.net.

;; Query time: 0 msec
;; SERVER: #53( )
;; WHEN: Thu Feb 23 00:33:14 CST 2017
;; MSG SIZE  rcvd: 1542

(The ad flag in the header means the resolver DNSSEC-validated this answer; the priority, weight and port columns of the SRV records are not preserved on the slide.)
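Added example, not from the slides or from any BIND source: a client-side SRV selection routine following RFC 2782 (lowest priority first, weighted random choice within a priority, target "." meaning "service not available"), fed with zone-file style records modelled on the ssh/http/finger lines above. The priority, weight and port numbers are assumptions chosen to reproduce the "1/4 to old, 3/4 to new" split described on the slide; the records are constructed, not the real freebsd.org data.

```python
import random
from collections import defaultdict

def parse_srv(line):
    """Parse one zone-file style SRV record:
       _service._proto.name [ttl] [class] SRV priority weight port target"""
    f = line.split()
    i = f.index("SRV")
    return {"owner": f[0], "priority": int(f[i + 1]), "weight": int(f[i + 2]),
            "port": int(f[i + 3]), "target": f[i + 4]}

def select_srv(records, rng=random):
    """Order one service's SRV RRset as RFC 2782 tells a client to: lowest
    priority first; within a priority choose by weighted random selection
    (weight-0 records placed first before summing).  A lone record with
    target "." means the service is decidedly not available -> []."""
    if len(records) == 1 and records[0]["target"] == ".":
        return []
    remaining = [r for r in records if r["target"] != "."]
    ordered = []
    while remaining:
        lowest = min(r["priority"] for r in remaining)
        bucket = sorted((r for r in remaining if r["priority"] == lowest),
                        key=lambda r: r["weight"] != 0)      # weight 0 first
        while bucket:
            total = sum(r["weight"] for r in bucket)
            # RFC 2782's text says 0..total inclusive, which slightly over-favours
            # the first record; 1..total gives shares exactly proportional to weight.
            pick = rng.randint(1, total) if total > 0 else 0
            running = 0
            for r in bucket:
                running += r["weight"]
                if running >= pick:
                    chosen = r
                    break
            ordered.append(chosen)
            bucket.remove(chosen)
            remaining.remove(chosen)
    return ordered

def first_choice_share(records, trials=4000, seed=1):
    """Fraction of connection attempts whose first choice is each target."""
    rng = random.Random(seed)
    counts = defaultdict(int)
    for _ in range(trials):
        counts[select_srv(records, rng)[0]["target"]] += 1
    return {target: n / trials for target, n in counts.items()}

# Constructed records modelled on the slide's example (numbers are assumptions)
ZONE_LINES = """
_ssh._tcp    300 IN SRV 0  1 22   old.cs.colorado.edu.
_ssh._tcp    300 IN SRV 0  3 22   new.cs.colorado.edu.
_http._tcp   300 IN SRV 0  0 80   www.cs.colorado.edu.
_http._tcp   300 IN SRV 10 0 8000 new.cs.colorado.edu.
_finger._tcp 300 IN SRV 0  0 0    .
"""
RRSETS = defaultdict(list)
for _line in ZONE_LINES.strip().splitlines():
    _rec = parse_srv(_line)
    RRSETS[_rec["owner"]].append(_rec)

if __name__ == "__main__":
    print([r["target"] for r in select_srv(RRSETS["_http._tcp"])])
    print(first_choice_share(RRSETS["_ssh._tcp"]))
```

Because the choice is made by the client, an SRV record only balances load among clients that implement this algorithm; it does not stop a client from connecting to the backup-priority host directly.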
The DNS Database – Resource Record (13)
Glue records: the link between zones
- The parent zone must contain NS records for each delegated zone, and A records (glue) for name servers whose names lie inside the delegated zone, since otherwise their addresses could not be found
- Example: the nctu.edu.tw zone file might contain
    cs       IN  NS  dns.cs.nctu.edu.tw.
             IN  NS  dns2.cs.nctu.edu.tw.
             IN  NS  dns3.cs.nctu.edu.tw.
    dns.cs   IN  A   (address)
    dns2.cs  IN  A   (address)
    dns3.cs  IN  A   (address)
    ee       IN  NS  ns.ee.nctu.edu.tw.
             IN  NS  dns.ee.nctu.edu.tw.
             IN  NS  reds.ee.nctu.edu.tw.
             IN  NS  InterNetNS2.nctu.edu.tw.
    ns.ee    IN  A   (address)
    dns.ee   IN  A   (address)
    reds.ee  IN  A   (address)
    InterNetNS2  IN  A  (address)
- Lame delegation: the parent delegates a subdomain to a server that does not actually serve it, either because the subdomain was delegated to you and you never configured it, or because the parent's NS/glue records were not updated when your servers changed
BIND Configuration
named in FreeBSD
Startup
- Edit /etc/rc.conf: named_enable="YES"
- Manual control: % rndc {stop | reload | flush …} (older BIND versions used the ndc command)
Configuration files (paths depend on your BIND version)
- /etc/namedb/named.conf: configuration file
- /etc/namedb/named.root: DNS root server hint file
- Zone data files
Checking the BIND version (the server can be asked for it with a CHAOS-class TXT query):
    % dig version.bind txt chaos
    version.bind.  CH  TXT  "9.3.3"

    knight:~ -lwhsu- dig version.bind txt chaos
    ;; ANSWER SECTION:
    version.bind.  CH  TXT  "There is no version."

    knight:~ -lwhsu- dig version.bind txt chaos
    version.bind.  CH  TXT  "9.3.5-P2"
The same query is the first thing an attacker runs to look for an exploitable release, which is why the second server above hides its version (see the version option of the options statement).
BIND Configuration – named.conf (1)
/etc/namedb/named.conf defines:
- the roles of this name server (master, slave, or stub) for each zone
- global options
- zone-specific options
named.conf is composed of the following statements: include, options, server, key, acl, zone, view, controls, logging, trusted-keys
BIND Configuration – named.conf (2)
Address match list
- A generalization of an IP address that can contain:
  - an IP address
  - an IP network with a CIDR prefix length, e.g. a /16
  - the ! character, which negates the element that follows it
  - the name of a previously defined ACL
  - a cryptographic authentication key (key-id), matching requests signed with that TSIG key
- Evaluated first-match: the first element that matches decides, so a negated element must come before the broader element it is meant to exclude
- Examples (the addresses are omitted on the slide):
    { !<address>; 1.2.3/24; };
    { <net>/16; <net>/24; <net>/24; <address>; };
    { 2001:288:4001::/48; };
BIND Configuration – named.conf include
The "include" statement
- Used to split a large configuration file
- Also used to keep cryptographic keys in a separate file with restricted permissions, e.g.
    include "/etc/namedb/rndc.key";
  where named.conf stays world-readable (-rw-r--r-- root wheel) but rndc.key is readable only by its owner and group (owner bind, group wheel, 92 bytes); an earlier version of the slide listed the wrong owner/group for rndc.key
- If the path is relative, it is resolved relative to the directory option (and inside the chroot, if named runs chrooted)
BIND Configuration – named.conf acl
The "acl" statement
- Defines a named class of addresses for access control; an acl must be defined before it is used
- Syntax:
    acl acl_name { address_match_list; };
- Predefined acl names: any, localnets, localhost, none
- Example (networks omitted on the slide):
    acl CSnets { <net>/24; <net>/24; <net>/24; };
    acl NCTUnets { <net>/16; <net>/24; 2001:288:4001::/48; };
    allow-transfer { localhost; CSnets; NCTUnets; };
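Added example, not part of the slides and not BIND's own code: a small evaluator for BIND address match lists with the first-match rule, ! negation, nested acl names and the predefined names, used to test an allow-transfer list like the one above before deploying it. The CSnets/NCTUnets networks are replaced by constructed documentation prefixes, "localnets" is fixed to one assumed LAN (BIND derives it and "localhost" from the server's interfaces), and the leading "!" element is an assumption added to show negation. Nested lists follow BIND's behaviour that a negative match inside a nested acl counts as "no match" for the outer list.

```python
import ipaddress

# Predefined ACLs. In BIND, "localhost" and "localnets" are derived from the
# server's own interfaces; here they are fixed values (an assumption of this example).
PREDEFINED = {
    "any":       ["0.0.0.0/0", "::/0"],
    "none":      [],
    "localhost": ["127.0.0.0/8", "::1"],
    "localnets": ["192.0.2.0/24"],
}

def acl_match(address, aml, acls=PREDEFINED):
    """First-match evaluation of a BIND address_match_list.
    Elements: an address, a CIDR prefix, or a previously defined acl name,
    any of them prefixed with '!' for negation.  Returns True for a positive
    match, False when a negated element matched, None when nothing matched."""
    ip = ipaddress.ip_address(address)
    for element in aml:
        negated = element.startswith("!")
        target = element[1:].strip() if negated else element
        if target in acls:
            # Nested list: counts as a match only if it matched positively.
            # A negative match inside a nested list is treated as "no match",
            # which is how BIND's acl.c handles indirect ACLs.
            hit = acl_match(str(ip), acls[target], acls) is True
        else:
            net = ipaddress.ip_network(target, strict=False)
            hit = ip.version == net.version and ip in net
        if hit:
            return not negated
    return None

def allowed(address, aml, acls=PREDEFINED):
    """Access-control interpretation (allow-query, allow-transfer, ...):
    only a positive match grants access; a negative match or no match denies."""
    return acl_match(address, aml, acls) is True

# The slide's acl statements with constructed documentation prefixes standing in
# for the real CS/NCTU networks, and its allow-transfer list with an extra
# leading "!" element (assumption) to show how negation interacts with first-match.
ACLS = dict(PREDEFINED)
ACLS["CSnets"]   = ["192.0.2.0/24", "198.51.100.0/24"]
ACLS["NCTUnets"] = ["203.0.113.0/24", "CSnets", "2001:db8:4001::/48"]
ALLOW_TRANSFER   = ["!192.0.2.66", "localhost", "CSnets", "NCTUnets"]

if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.66", "127.0.0.1", "2001:db8:4001::5", "198.18.0.1"):
        print(client, "transfer allowed" if allowed(client, ALLOW_TRANSFER, ACLS) else "denied")
```

The reason the order matters: writing { CSnets; !192.0.2.66; } would never deny 192.0.2.66, because the /24 in CSnets matches first; the negated element has to precede the network it carves an exception out of.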
BIND Configuration – named.conf key
The "key" statement
- Defines a shared secret (HMAC) key used to authenticate exchanges with a particular server; this is message authentication, not encryption
- Syntax:
    key "key-id" {
        algorithm string;
        secret "string";
    };
- Example:
    key "serv1-serv2" {
        algorithm hmac-md5;
        secret "ibkAlUA0XXAXDxWRTGeY+d4CGbOgOIr7n63eizJFHQo=";
    };
  (hmac-md5 is deprecated; new keys should use hmac-sha256)
- The key is used to sign DNS requests before sending them to the target and to validate the DNS responses received from it
BIND Configuration – named.conf options (1)
The "options" statement
- Specifies global options; some may be overridden later for a specific zone or server
- Syntax:
    options {
        option;
        …
    };
- There are about 50 options in BIND 9, for example:
  - version "There is no version.";  (replaces the real version number in answers to version.bind CHAOS queries)
  - directory "/etc/namedb/db";  (base directory for relative paths and the place to put zone data files)
- Answers seen in the wild:
    version.bind.  CH  TXT  "9.8.1-P1"
    version.bind.  CH  TXT  " P2"
    version.bind.  CH  TXT  "There is no version."
    version.bind.  CH  TXT  "JAL-DNS-Ver-1.8"
BIND Configuration – named.conf options (2)
- notify yes | no;  [yes]
  Whether to notify slave servers when the zone data changes
- also-notify { ip_addr; … };  [empty]
  Also notify these servers, which are not listed in the zone's NS records
- recursion yes | no;  [yes]
  Whether this is a recursive name server (authoritative-only servers should say no)
- allow-recursion { address_match_list; };  [all]
  Finer-grained control of who may make recursive queries
- check-names { master | slave | response } action;
  Checks hostname syntax: letters, digits and dashes only, at most 63 characters per label and 255 in total
  - ignore: no checking
  - warn: log bad names but continue
  - fail: log bad names and reject them
  - defaults: master fail, slave warn, response ignore
BIND Configuration – named.conf options (3)
- listen-on port ip_port { address_match_list; };  [53, all]
  Interfaces and port on which named listens for queries, e.g.
    listen-on port 5353 { <net>/24; };
- query-source address ip_addr port ip_port;  [random]
  Interface and source port used for outgoing queries; leave the port random, since a fixed source port makes cache poisoning (spoofed answers) far easier
- forwarders { ip_addr; … };  [empty]
  Often used on caching servers: queries that cannot be answered from cache are forwarded to these servers
- forward only | first;  [first]
  With "only", queries fail when the forwarders do not respond; with "first", named then tries to resolve them itself
- allow-query { address_match_list; };  [all]
  Who may send queries to this server
- allow-transfer { address_match_list; };  [all]
  Who may request a zone transfer; restrict this to your slaves, since a transfer hands out the whole zone
- blackhole { address_match_list; };  [empty]
  Addresses whose queries are ignored and which are never queried for answers
BIND Configuration – named.conf options (4)
- transfer-format one-answer | many-answers;  [many-answers]
  How records are packed when transferring a zone from master to slave: one record per message, or many records per message
- transfers-in num;  [10]
- transfers-out num;  [10]
  Limits on the number of concurrent inbound and outbound zone transfers
- transfers-per-ns num;  [2]
  Limit on concurrent inbound zone transfers from the same remote server
- transfer-source ip_addr;
  Address of the interface used for inbound transfers (the address the master sees, so it must match the master's allow-transfer list)
BIND Configuration – named.conf server
The "server" statement
- Tells named about the characteristics of a remote peer
- Syntax:
    server ip_addr {
        bogus no | yes;
        provide-ixfr yes | no;         (on the master)
        request-ixfr yes | no;         (on the slave)
        transfers num;
        transfer-format many-answers | one-answer;
        keys { key-id; key-id; };
    };
- ixfr: incremental zone transfer
- transfers: limit on concurrent inbound zone transfers from that server (a server-specific transfers-in)
- keys: every request sent to the remote server is signed with this key
BIND Configuration – named.conf zone (1)
The "zone" statement
- The heart of named.conf: tells named which zones it is authoritative for
- Its format varies with the role of named for that zone (master or slave)
- Basic syntax:
    zone "domain_name" {
        type master | slave | stub;
        file "path";
        masters { ip_addr; ip_addr; };
        allow-query { address_match_list; };     [all]
        allow-transfer { address_match_list; };  [all]
        allow-update { address_match_list; };    [empty]
    };
BIND Configuration – named.conf zone (2)
Master server zone configuration:
    zone "cs.nctu.edu.tw" IN {
        type master;
        file "named.hosts";
        allow-query { any; };
        allow-transfer { localhost; CS-DNS-Servers; };
        allow-update { none; };
    };
Slave server zone configuration (master address omitted on the slide):
    zone "cs.nctu.edu.tw" IN {
        type slave;
        file "cs.hosts";
        masters { <address>; };
        allow-query { any; };
        allow-transfer { localhost; CS-DNS-Servers; };
    };
BIND Configuration – named.conf zone (3)
Forward zone and reverse zone (the network part of the reverse zone name is omitted on the slide):
    zone "cs.nctu.edu.tw" IN {
        type master;
        file "named.hosts";
        allow-query { any; };
        allow-transfer { localhost; CS-DNS-Servers; };
        allow-update { none; };
    };
    zone "<network>.in-addr.arpa" IN {
        type master;
        file "named.235.rev";
        allow-query { any; };
        allow-transfer { localhost; CS-DNS-Servers; };
        allow-update { none; };
    };
BIND Configuration – named.conf zone (4)
Example
- named.hosts contains plenty of A and CNAME records:
    $ORIGIN cs.nctu.edu.tw.
    …
    bsd1    IN  A      (address)
    csbsd1  IN  CNAME  bsd1
    bsd2    IN  A      (address)
    bsd3    IN  A      (address)
    bsd4    IN  A      (address)
    bsd5    IN  A      (address)
- named.235.rev contains plenty of PTR records:
    $ORIGIN <network>.in-addr.arpa.
    …
    131  IN  PTR  bsd1.cs.nctu.edu.tw.
    132  IN  PTR  bsd2.cs.nctu.edu.tw.
    133  IN  PTR  bsd3.cs.nctu.edu.tw.
    134  IN  PTR  bsd4.cs.nctu.edu.tw.
    135  IN  PTR  bsd5.cs.nctu.edu.tw.
BIND Configuration – named.conf zone (5)
Setting up the root hint: a cache of where the DNS root servers are
    zone "." IN {
        type hint;
        file "named.root";
    };
Setting up a forward zone: queries for this zone are forwarded to specific name servers, bypassing the standard resolution path (forwarder addresses omitted on the slide)
    zone "nctu.edu.tw" IN {
        type forward;
        forward first;
        forwarders { <address>; <address>; };
    };
    zone "<network>.in-addr.arpa" IN {
        …
BIND Configuration – named.conf view (1)
The "view" statement
- Creates a different view of the DNS naming hierarchy for internal machines: the external view is restricted to a few well-known servers, while internal users get additional records
- Also called "split DNS"
- In-order processing: views are tried in order and the first whose match-clients list matches is used, so put the most restrictive view first
- All-or-nothing: if any view is used, every zone statement in named.conf must appear inside a view
BIND Configuration – named.conf view (2)
Syntax:
    view view-name {
        match-clients { address_match_list; };
        view_options;
        zone_statement;
    };
Example:
    view "internal" {
        match-clients { our_nets; };
        recursion yes;
        zone "cs.nctu.edu.tw" {
            type master;
            file "named-internal-cs";
        };
    };
    view "external" {
        match-clients { any; };
        recursion no;
        zone "cs.nctu.edu.tw" {
            type master;
            file "named-external-cs";
        };
    };
BIND Configuration – named.conf controls
The "controls" statement
- Specifies how named listens for control messages from rndc
- Syntax:
    controls {
        inet ip_addr allow { address_match_list; } keys { key-id; };
    };
- Example (the listening address is omitted on the slide):
    include "/etc/named/rndc.key";
    controls {
        inet <address> allow { <address>; } keys { rndc_key; };
    };
    key "rndc_key" {
        algorithm hmac-md5;
        secret "GKnELuie/G99NpOC2/AXwA==";
    };
- rndc SYNOPSIS:
    rndc [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
Updating zone files
On the master
- Edit the zone files and increase the serial number in the SOA record (for a single IP, both the forward and the reverse zone file)
- Run "rndc reload"
- If "notify" is on, the slaves are notified about the change; if it is off, they pick it up at the next refresh timeout or when "rndc reload" is run on the slave
Zone transfer
- Synchronizes DNS zone data between master and slave servers
- AXFR: all zone data is transferred at once (the only method before BIND 8.2)
- IXFR: incremental zone transfer, only the changes since the slave's serial
- Runs over TCP port 53; restrict it with allow-transfer (and TSIG), since a transfer hands out the entire zone to whoever asks
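Added example, not from the slides: the serial-number arithmetic behind "increase the serial number". A slave compares serials with RFC 1982 sequence arithmetic (modulo 2^32, with "newer" meaning less than 2^31 ahead), so a serial that does not increase is silently ignored, and a serial that was set too large (a typo in the YYYYMMDDnn date) has to be walked back in steps rather than simply lowered. The zone text is constructed to match the SOA layout used on these slides; bump_zone_serial assumes that layout, and the helper names are this example's own.

```python
import re
from datetime import date

MOD = 2 ** 32
HALF = 2 ** 31

def serial_gt(a, b):
    """RFC 1982 comparison: a is newer than b if it lies less than 2^31 ahead
    of b on the 32-bit circle.  A slave transfers only when the master's
    serial is newer than its own by this rule (equal or exactly 2^31 apart
    is not newer)."""
    a, b = a % MOD, b % MOD
    return (a > b and a - b < HALF) or (a < b and b - a > HALF)

def next_serial(old, today):
    """YYYYMMDDnn convention: the first change of the day restarts at today's
    date with nn=00, later changes the same day add one.  `today` is a
    datetime.date or a 'YYYYMMDD' string.  Never goes backwards: a serial
    already past today's base is simply incremented."""
    ymd = today if isinstance(today, str) else today.strftime("%Y%m%d")
    base = int(ymd) * 100
    return base if old < base else old + 1

# Matches 'SOA mname rname ( serial' as laid out on this page's slides
SOA_SERIAL = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(\s*)(\d+)")

def bump_zone_serial(zone_text, today):
    """Rewrite the serial of the first SOA record; returns (new text, new serial)."""
    m = SOA_SERIAL.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found")
    new = next_serial(int(m.group(2)), today)
    return zone_text[: m.start(2)] + str(new) + zone_text[m.end(2):], new

def repair_serial_steps(wrong, desired):
    """Serials to publish, in order, to get from a too-large serial back to
    the intended one without ever looking 'older' to the slaves: jump forward
    by 2^31-1 until `desired` is within the forward window, then publish it.
    Each step must be loaded and transferred to every slave before the next."""
    steps, current = [], wrong % MOD
    while not serial_gt(desired, current):
        current = (current + HALF - 1) % MOD
        steps.append(current)
        if len(steps) > 3:          # two steps always suffice; guard anyway
            raise RuntimeError("cannot reach desired serial")
    return steps + [desired]

# Constructed zone text in the layout used on the slides
ZONE = """\
$TTL 3600
$ORIGIN cs.nctu.edu.tw.
@  IN  SOA  csns.cs.nctu.edu.tw.  root.cs.nctu.edu.tw. (
        2017022301 ; serial number
        1D         ; refresh time for slave servers
        30M        ; retry
        1W         ; expire
        2H )       ; minimum
   IN  NS   dns.cs.nctu.edu.tw.
"""

if __name__ == "__main__":
    text, serial = bump_zone_serial(ZONE, date.today())
    print(serial)
    print(repair_serial_steps(2030010100, 2020010100))
```

The repair sequence is what you need when someone publishes 2030010100 instead of 2020010100: lowering the serial directly would make every slave keep the wrong data until it expires, while the two-step walk around the circle is accepted by RFC 1982 arithmetic at each step.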
Non-byte boundary (1)
In a normal reverse configuration:
- named.conf defines a zone statement for each reverse subnet zone
- the reverse zone file contains lots of PTR records
Example (the network part of the zone name and the host octets are omitted on the slide):
    zone "<network>.in-addr.arpa." {
        type master;
        file "named.rev.1";
        allow-query { any; };
        allow-update { none; };
        allow-transfer { localhost; };
    };

    $TTL 3600
    $ORIGIN <network>.in-addr.arpa.
    @  IN  SOA  lwhsu.csie.net.  lwhsu.lwhsu.csie.net. (
                  ; Serial
                  ; Refresh
                  ; Retry
            7D    ; Expire
            2H )  ; Minimum
       IN  NS   ns.lwhsu.csie.net.
    (host octet)  IN  PTR  ns.lwhsu.csie.net.
    (host octet)  IN  PTR  (name)
    (host octet)  IN  PTR  ftp.lwhsu.csie.net.
    …
(The slide's SOA wrote the master name without a trailing dot, which would make named append the origin to it; it is fixed above.)

(Lecture marker: covered up to here)
Non-byte boundary (2)
What if you want to delegate part of your /24 to another sub-domain?
Parent side:
- Remove the hosts of that range from the forward zone, e.g.
    pc1.lwhsu.csie.net.  IN  A  (address)
    pc2.lwhsu.csie.net.  IN  A  (address)
    …
- Remove their PTR records from the reverse zone, e.g.
    <host>.<network>.in-addr.arpa.  IN  PTR  pc1.lwhsu.csie.net.
    <host>.<network>.in-addr.arpa.  IN  PTR  pc2.lwhsu.csie.net.
- Add NS and glue records for the sub-domain's name servers:
  - in the zone file of "lwhsu.csie.net":
      sub1     IN  NS  ns.sub1.lwhsu.csie.net.
      ns.sub1  IN  A   (address)
  - in the zone file of "<network>.in-addr.arpa.":
      2  IN  NS  ns.sub1.lwhsu.csie.net.
Non-byte boundary (3)
What if you want to delegate to four sub-domains, one /26 each?
    192.168.3.0   ~ 192.168.3.63   ns.sub1.lwhsu.csie.net.
    192.168.3.64  ~ 192.168.3.127  ns.sub2.lwhsu.csie.net.
    192.168.3.128 ~ 192.168.3.191  ns.sub3.lwhsu.csie.net.
    192.168.3.192 ~ 192.168.3.255  ns.sub4.lwhsu.csie.net.
(the network is reconstructed from the file name named.rev.192.168.3.0-63 on the following slides)
The forward side is easy; in the zone file of lwhsu.csie.net:
    sub1     IN  NS  ns.sub1.lwhsu.csie.net.
    ns.sub1  IN  A   (address)
    sub2     IN  NS  ns.sub2.lwhsu.csie.net.
    ns.sub2  IN  A   (address)
    …
The reverse side is the problem: a /26 does not correspond to a label in the in-addr.arpa tree, so the parent cannot delegate it with a single NS record.
Non-byte boundary (4)
Reverse setting, Method 1: delegate every address individually
In the parent zone 3.168.192.in-addr.arpa, generate one NS record per address (the ranges are omitted on the slide; they are 0-63, 64-127, 128-191 and 192-255):
    $GENERATE 0-63     $.3.168.192.in-addr.arpa.  IN  NS  ns.sub1.lwhsu.csie.net.
    $GENERATE 64-127   $.3.168.192.in-addr.arpa.  IN  NS  ns.sub2.lwhsu.csie.net.
    $GENERATE 128-191  $.3.168.192.in-addr.arpa.  IN  NS  ns.sub3.lwhsu.csie.net.
    $GENERATE 192-255  $.3.168.192.in-addr.arpa.  IN  NS  ns.sub4.lwhsu.csie.net.
Each sub-domain server then has to carry one zone per address it was delegated, e.g.
    zone "<host>.3.168.192.in-addr.arpa." {
        type master;
        file "named.rev.<host>";
    };

    ; named.rev.<host>
    @  IN  SOA  sub1.lwhsu.csie.net.  root.sub1.lwhsu.csie.net.  ( 1 3h 1h 1w 1h )
       IN  NS   ns.sub1.lwhsu.csie.net.
       IN  PTR  (name)
Non-byte boundary (5)
Reverse setting, Method 2 (RFC 2317, classless in-addr.arpa delegation)
The parent zone keeps one zone for the whole /24 but points each address at a per-block sub-zone with a CNAME, and delegates the four block sub-zones with NS records:
    ; parent zone 3.168.192.in-addr.arpa.
    $ORIGIN 3.168.192.in-addr.arpa.
    $GENERATE 0-63     $  IN  CNAME  $.0-63.3.168.192.in-addr.arpa.
    0-63               IN  NS     ns.sub1.lwhsu.csie.net.
    $GENERATE 64-127   $  IN  CNAME  $.64-127.3.168.192.in-addr.arpa.
    64-127             IN  NS     ns.sub2.lwhsu.csie.net.
    $GENERATE 128-191  $  IN  CNAME  $.128-191.3.168.192.in-addr.arpa.
    128-191            IN  NS     ns.sub3.lwhsu.csie.net.
    $GENERATE 192-255  $  IN  CNAME  $.192-255.3.168.192.in-addr.arpa.
    192-255            IN  NS     ns.sub4.lwhsu.csie.net.
Each sub-domain server then serves a single zone for its block:
    zone "0-63.3.168.192.in-addr.arpa." {
        type master;
        file "named.rev.192.168.3.0-63";
    };

    ; named.rev.192.168.3.0-63
    @  IN  SOA  sub1.lwhsu.csie.net.  root.sub1.lwhsu.csie.net.  ( 1 3h 1h 1w 1h )
       IN  NS   ns.sub1.lwhsu.csie.net.
    (host octet)  IN  PTR  (name)
    (host octet)  IN  PTR  abc.sub1.lwhsu.csie.net.
    …
A PTR lookup for 192.168.3.5 now follows the CNAME 5.3.168.192.in-addr.arpa. to 5.0-63.3.168.192.in-addr.arpa., which ns.sub1 answers.
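Added example that is not part of the slides: a small expander for the $GENERATE directive introduced under parser commands above, and, built on it, a generator for the parent-side records of Method 2 so the 260 records for the four /26 delegations do not have to be typed or checked by hand. It handles the start-stop/step range, the plain "$" iterator and the "${offset,width,base}" form (the "\$" escape and the "n" nibble format are not implemented). The names and the 192.168.3.0/24 network are the ones reconstructed above; the function names are this example's own, not BIND's.

```python
import re

GENERATE_TYPES = {"A", "AAAA", "CNAME", "DNAME", "NS", "PTR"}   # what BIND 9's $GENERATE accepts
_ITER = re.compile(r"\$(?:\{(-?\d+)(?:,(\d+)(?:,([doxX]))?)?\})?")

def _substitute(template, i):
    """Replace '$' and '${offset,width,base}' with the iterator value,
    zero-padded to width, in base d/o/x/X."""
    def repl(m):
        value = i + int(m.group(1) or 0)
        text = format(value, m.group(3) or "d")
        return text.zfill(int(m.group(2) or 0))
    return _ITER.sub(repl, template)

def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def expand_generate(line, origin):
    """Expand '$GENERATE start-stop[/step] lhs [ttl] [class] type rhs' into
    (owner, ttl, class, type, rdata) tuples, as named does when loading the
    zone.  Owner names and name-valued rdata are qualified with origin."""
    tokens = line.split()
    if tokens[0] != "$GENERATE":
        raise ValueError("not a $GENERATE line")
    span, lhs, rest = tokens[1], tokens[2], tokens[3:]
    bounds, _, step = span.partition("/")
    start, stop = (int(x) for x in bounds.split("-"))
    step = int(step) if step else 1
    type_idx = next(k for k, t in enumerate(rest) if t.upper() in GENERATE_TYPES)
    ttl, rclass = None, "IN"
    for tok in rest[:type_idx]:                    # optional ttl and/or class
        if tok.upper() in ("IN", "CH", "HS"):
            rclass = tok.upper()
        else:
            ttl = tok
    rtype, rhs = rest[type_idx].upper(), " ".join(rest[type_idx + 1:])
    out = []
    for i in range(start, stop + 1, step):
        rdata = _substitute(rhs, i)
        if rtype in ("CNAME", "DNAME", "NS", "PTR"):
            rdata = _fqdn(rdata, origin)
        out.append((_fqdn(_substitute(lhs, i), origin), ttl, rclass, rtype, rdata))
    return out

def rfc2317_parent(origin, prefix_len, nameservers):
    """Parent-side records for splitting a /24 reverse zone into equal blocks of
    prefix_len (Method 2 above): one CNAME per address into the block's
    sub-zone '<first>-<last>.<origin>', plus an NS record delegating each
    block to the corresponding server in `nameservers`."""
    size = 2 ** (32 - prefix_len)
    records = []
    for k, first in enumerate(range(0, 256, size)):
        last = first + size - 1
        block = f"{first}-{last}"
        records += expand_generate(f"$GENERATE {first}-{last} $ IN CNAME $.{block}", origin)
        records.append((f"{block}.{origin}", None, "IN", "NS", nameservers[k]))
    return records

if __name__ == "__main__":
    servers = [f"ns.sub{n}.lwhsu.csie.net." for n in (1, 2, 3, 4)]
    for owner, ttl, rclass, rtype, rdata in rfc2317_parent("3.168.192.in-addr.arpa.", 26, servers):
        print(owner, ttl or "", rclass, rtype, rdata)
```

Printing the expansion is also the quickest way to review what a $GENERATE line will really load: an off-by-one in the range quietly delegates an address to the wrong sub-domain.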
BIND Security
Security – named.conf security configuration
Feature          Config. statement   Comment
allow-query      options, zone       Who can query
allow-transfer   options, zone       Who can request zone transfers
allow-update     zone                Who can make dynamic updates
blackhole        options             Which servers to ignore completely
bogus            server              Which servers should never be queried
Security – With TSIG (1)
TSIG (Transaction SIGnature)
- Developed by the IETF (RFC 2845, now replaced by RFC 8945)
- A symmetric-key scheme: both servers share a secret and use an HMAC to sign and validate DNS requests and responses between them (authentication and integrity, not encryption)
- Algorithms in BIND 9: HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (prefer HMAC-SHA256 or stronger; HMAC-MD5 is deprecated)
- Usage:
  - Prepare the shared key (dnssec-keygen in older BIND, tsig-keygen in current BIND)
  - Edit the "key" statement
  - Edit the "server" statement so that requests to that peer are signed with the key
  - Reference the key in the "zone" statement's address match lists: allow-query, allow-transfer, allow-update
- Note that TSIG only protects the hop between two servers that share the key; it is not DNSSEC and gives end clients no assurance
Security – With TSIG (2)
TSIG example (dns1 with dns2)
- Generate the key:
    % dnssec-keygen -a HMAC-MD5 -b 128 -n HOST cs
    Kcs.+157+<id>
    % cat Kcs.+157+<id>.key
    cs. IN KEY oQRab/QqXHVhkyXi9uu8hg==
    % cat Kcs.+157+<id>.private
    Private-key-format: v1.2
    Algorithm: 157 (HMAC_MD5)
    Key: oQRab/QqXHVhkyXi9uu8hg==
  (in current BIND: tsig-keygen -a hmac-sha256 dns1-dns2 prints a ready-made key statement)
- Put the key in /etc/named/dns1-dns2.key, readable only by named:
    key dns1-dns2 {
        algorithm hmac-md5;
        secret "oQRab/QqXHVhkyXi9uu8hg==";
    };
- Edit named.conf on both dns1 and dns2 (suppose dns1 and dns2 have the addresses omitted on the slide):
    on dns1:
    include "dns1-dns2.key";
    server <dns2 address> {
        keys { dns1-dns2; };
    };

    on dns2:
    include "dns1-dns2.key";
    server <dns1 address> {
        keys { dns1-dns2; };
    };
- Both servers' clocks must agree to within the TSIG fudge (300 seconds by default), or every signed message is rejected with BADTIME
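Added example, not from the slides or BIND: what the "key" and "server" statements above actually make the two servers do. It computes the TSIG MAC over a DNS message the way RFC 8945 specifies (request MAC for responses, then the message, then the TSIG variables: key name, class ANY, TTL 0, algorithm, 48-bit time signed, fudge, error, other data) and then runs the receiver's checks in the prescribed order: unknown key (BADKEY), bad MAC (BADSIG), clock outside the fudge window (BADTIME). The shared secret, the key name dns1-dns2 and the AXFR query for cs.nctu.edu.tw are constructed for the example; the message passed in is the DNS message before the TSIG RR is appended, which is what the MAC covers.

```python
import base64
import hashlib
import hmac
import struct

# TSIG algorithm names as they appear on the wire -> hashlib digest
ALGORITHMS = {
    "hmac-md5.sig-alg.reg.int.": "md5",
    "hmac-sha1.": "sha1",
    "hmac-sha256.": "sha256",
}

def encode_name(name):
    """DNS wire-format name, lower-cased (the canonical form used in the digest)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode() for l in labels) + b"\x00"

def build_query(qname, qtype, msg_id=0x1234):
    """Minimal DNS query: header plus one question (qtype 252 = AXFR)."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """The TSIG RR fields covered by the MAC (RFC 8945 section 4.3.3)."""
    return (encode_name(key_name)
            + struct.pack("!HI", 255, 0)                                   # CLASS ANY, TTL 0
            + encode_name(algorithm)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_mac(message, key_name, secret_b64, algorithm, time_signed, fudge, request_mac=b""):
    """MAC over [length + request MAC (responses only)] + message + TSIG variables."""
    data = b""
    if request_mac:
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += message + tsig_variables(key_name, algorithm, time_signed, fudge)
    return hmac.new(base64.b64decode(secret_b64), data, ALGORITHMS[algorithm]).digest()

def tsig_verify(message, key_name, keys, algorithm, time_signed, fudge, mac, now, request_mac=b""):
    """Receiver-side checks in RFC 8945 order.  keys: {key name: base64 secret}.
    Returns the TSIG error name the receiver would put in its response."""
    secret = keys.get(key_name.lower())
    if secret is None:
        return "BADKEY"
    expected = tsig_mac(message, key_name, secret, algorithm, time_signed, fudge, request_mac)
    if not hmac.compare_digest(expected, mac):           # constant-time compare
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"

# Constructed shared secret (32 bytes); in practice generate it with `tsig-keygen dns1-dns2`
SECRET = base64.b64encode(bytes(range(32))).decode()
KEYS = {"dns1-dns2.": SECRET}

if __name__ == "__main__":
    query = build_query("cs.nctu.edu.tw.", 252)
    now = 1487781194
    mac = tsig_mac(query, "dns1-dns2.", SECRET, "hmac-sha256.", now, 300)
    print(mac.hex())
    print(tsig_verify(query, "dns1-dns2.", KEYS, "hmac-sha256.", now, 300, mac, now + 10))
    print(tsig_verify(query, "dns1-dns2.", KEYS, "hmac-sha256.", now, 300, mac, now + 3600))
```

Two details worth noticing: the key name is part of the signed data, so a MAC made with dns1-dns2 cannot be replayed under another key name, and the time check is why the clocks of both servers have to stay within the fudge window.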
BIND Debugging and Logging
Logging (1)
Terms
- Channel: a place where messages can go, e.g. syslog, a file, or /dev/null
- Category: a class of messages that named can generate, e.g. answering queries or dynamic updates
- Module: the name of the source module that generated the message
- Facility: syslog facility name
- Severity: priority in syslog
Logging configuration
- Define the channels
- Specify where each message category should go
When a message is generated
- It is assigned a category, a module and a severity
- It is distributed to all channels associated with its category
Logging (2)
The "logging" statement
- A channel sub-statement contains either "file" or "syslog", not both
- size: e.g. 2048, 100k, 20m, 15g, unlimited, default
- facility: e.g. local0 ~ local7
- severity: critical, error, warning, notice, info, debug, dynamic
Syntax:
    logging {
        channel channel_name {
            file path [versions num|unlimited] [size sizenum];
            syslog facility;
            severity severity;
            print-category yes|no;
            print-severity yes|no;
            print-time yes|no;
        };
        …
        category category_name { channel_name; … };
    };
Logging (3)
Predefined channels
- default_syslog: sends severity info and higher to syslog with facility daemon
- default_debug: logs to the file "named.run" with severity dynamic
- default_stderr: sends messages to named's stderr, severity info
- null: discards all messages
Available categories
- default: categories with no explicit channel assignment
- general: unclassified messages
- queries/client: a short log message for every query the server receives
- dnssec: DNSSEC messages
- update: messages about dynamic updates
- xfer-in/xfer-out: zone transfers that the server is receiving/sending
- db/database: messages about database operations
- notify: messages about the "zone changed" notification protocol
- security: approved and unapproved requests (the category to watch for refused transfers and updates)
- resolver: recursive lookups performed for clients
Logging (4)
Example of a logging statement:
    logging {
        channel security-log {
            file "/var/named/security.log" versions 5 size 10m;
            severity info;
            print-severity yes;
            print-time yes;
        };
        channel query-log {
            file "/var/named/query.log" versions 20 size 50m;
        };
        category default  { default_syslog; default_debug; };
        category general  { default_syslog; };
        category security { security-log; };
        category client   { query-log; };
        category queries  { query-log; };
        category dnssec   { security-log; };
    };
Debug
named debug level
- From 0 (debugging off) to 11 (most verbose output)
    % named -d2       (start named at level 2)
    % rndc trace      (increase the debugging level by 1)
    % rndc trace 3    (set the debugging level to 3)
    % rndc notrace    (turn off debugging)
Debugging with the "logging" statement
- Define a channel whose severity uses the "debug" keyword with a level, e.g.
    severity debug 3;
- All debugging messages up to level 3 are then sent to that channel
Tools
Tools – nslookup
Non-interactive:
    % nslookup cs.nctu.edu.tw.
    % nslookup -type=mx cs.nctu.edu.tw.
    % nslookup -type=ns cs.nctu.edu.tw
Interactive:
    % nslookup
    > set all          (show current settings)
    > set type=any
    > set server host  (query this server, resolving it through the current server)
    > set lserver host (query this server, resolving it through the initial server)
    > set debug
    > set d2           (more detailed debugging)
Example (addresses omitted on the slide):
    csduty:~ -lwhsu- nslookup
    > set all
    Default server: <address>
    Address: <address>#53
    Default server: <address>
    Address: <address>#53
    Default server: <address>
    Address: <address>#53

    Set options:
      novc  nodebug  nod2
      search  recurse
      timeout = <n>  retry = <n>  port = 53
      querytype = A  class = IN
      srchlist = cs.nctu.edu.tw/csie.nctu.edu.tw
    >
Tools – dig
Usage:
    % dig cs.nctu.edu.tw
    % dig cs.nctu.edu.tw mx
    % dig @<server> cs.nctu.edu.tw mx   (ask a specific server)
    % dig -x <address>                  (reverse query)
Find out the root servers:
    % dig . ns
Tools – host
The host command:
    % host cs.nctu.edu.tw.
    % host -t mx cs.nctu.edu.tw.
    % host <address>          (reverse lookup)
    % host -v <name>          (verbose output)
Miscellaneous
SSHFP record
- RFC 4255: publish SSH host key fingerprints in DNS
- Client side: ssh_config option VerifyHostKeyDNS ask (or yes); FreeBSD port dns/sshfp generates the records
    knight:~ -lwhsu- dig anoncvs.tw.freebsd.org sshfp
    ;; ANSWER SECTION:
    anoncvs.tw.freebsd.org   IN  CNAME  freebsd.cs.nctu.edu.tw.
    freebsd.cs.nctu.edu.tw   IN  SSHFP  C6CF4EF655A6A5BE86CC9E039F FE9

    knight:~ -lwhsu- cvs -d … co ports
    The authenticity of host 'anoncvs.tw.freebsd.org (<address>)' can't be established.
    DSA key fingerprint is e8:3b:29:7b:ca:9f:ac:e9:45:cb:c8:17:ae:9b:eb:55.
    Matching host key fingerprint found in DNS.
    Are you sure you want to continue connecting (yes/no)?
- ssh still asks here because the answer was not DNSSEC-validated (no AD bit from the resolver): OpenSSH treats an SSHFP match as authoritative only for validated answers; without DNSSEC the record is no stronger than the unauthenticated DNS it came from
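Added example, not from the slides or OpenSSH: how an SSHFP record is derived from a host key and how the client-side decision above is made. The fingerprint is the SHA-1 (type 1, RFC 4255) or SHA-256 (type 2, RFC 6594) of the raw key blob, and the algorithm number comes from the key type (4 = Ed25519, RFC 7479), so the code reproduces what ssh-keygen -r prints. The Ed25519 host key is constructed inline (32 bytes of dummy key material) and the helper names are this example's own.

```python
import base64
import hashlib
import struct

# SSHFP code points: RFC 4255 (RSA, DSA), RFC 6594 (ECDSA, SHA-256), RFC 7479 (Ed25519)
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE = {1: "sha1", 2: "sha256"}

def sshfp_rdata(pubkey_line, fptypes=(1, 2)):
    """SSHFP rdata for an OpenSSH public-key line ('type base64 [comment]'),
    the data `ssh-keygen -r host` prints: [(algorithm, fptype, hex fingerprint)].
    The fingerprint is the hash of the raw key blob, i.e. the decoded base64."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack("!I", blob[:4])
    if blob[4:4 + n].decode() != keytype:       # the blob starts with its own type string
        raise ValueError("key type in text does not match the key blob")
    alg = SSHFP_ALGORITHM[keytype]
    return [(alg, t, hashlib.new(SSHFP_FPTYPE[t], blob).hexdigest()) for t in fptypes]

def parse_sshfp(rdata_text):
    """'4 2 7e1c…' as printed by dig (hex may be split into words) -> (alg, fptype, hex)."""
    alg, fptype, *hexparts = rdata_text.split()
    return int(alg), int(fptype), "".join(hexparts).lower()

def verify_host_key(pubkey_line, sshfp_rrset, dnssec_validated):
    """The decision VerifyHostKeyDNS makes for the host key offered at connect time:
    'trusted'  -> a record matches and the answer was DNSSEC-validated (AD bit)
    'ask'      -> a record matches but the answer was not validated (OpenSSH
                  prints 'Matching host key fingerprint found in DNS' and still asks)
    'mismatch' -> no record matches; do not connect"""
    computed = set(sshfp_rdata(pubkey_line))
    published = {(a, t, fp.lower()) for a, t, fp in sshfp_rrset}
    if computed & published:
        return "trusted" if dnssec_validated else "ask"
    return "mismatch"

# Constructed Ed25519 host key (not any real host's): blob = string "ssh-ed25519" + 32-byte key
_BLOB = struct.pack("!I", 11) + b"ssh-ed25519" + struct.pack("!I", 32) + bytes(range(32))
HOST_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " freebsd.cs.nctu.edu.tw"

if __name__ == "__main__":
    for alg, fptype, fp in sshfp_rdata(HOST_KEY_LINE):
        print(f"freebsd.cs.nctu.edu.tw. IN SSHFP {alg} {fptype} {fp.upper()}")
    rrset = [parse_sshfp(f"{a} {t} {fp}") for a, t, fp in sshfp_rdata(HOST_KEY_LINE)]
    print(verify_host_key(HOST_KEY_LINE, rrset, dnssec_validated=False))
```

The third argument is the whole point of the record: publish SSHFP only in a DNSSEC-signed zone and validate on the client, otherwise an attacker who can spoof the DNS answer can also supply a matching fingerprint for their own key.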
DNS accept filters
- accf_dns(9): buffers incoming DNS requests in the kernel until the whole first request is present, so named is only woken for complete requests
- Kernel configuration:
    options INET
    options ACCEPT_FILTER_DNS
  or load it as a module: kldload accf_dns
- Currently only on 8-CURRENT
Other references & tools
- BIND Administrator's Reference Manual: https://www.isc.org/software/bind/documentation
- BIND FAQ: https://www.isc.org/faq/bind
- DNS for Rocket Scientists
- Swiss army knife internet tool
- DNS Network Tools