Upload
magnus-lee
View
245
Download
8
Tags:
Embed Size (px)
Citation preview
1
DNS
Domain Name Systems
2
Domain Name System
DNS Overview DNS Zones
Forward Reverse Fowarding
DNS Delegation/Parenting Mail Exchangers
3
DNS Overview
http://en.wikipedia.org/wiki/Dns
4
Overview On the Internet, the Domain Name System
(DNS) associates various sorts of information with domain names
Serves as the "phone book" for the Internet Translates human-readable computer hostnames into
IP addresses Required bynetworking equipment to delivering
information Also stores other information
Such as the list of mail exchange servers that accept email for a given domain.
By providing a worldwide keyword-based redirection service, the Domain Name System is an essential component of the modern Internet
5
Uses
6
Uses
The most basic use of DNS is to translate hostnames to IP addresses. Very much like a phone book For example, what is the internet
address of en.wikipedia.org? The Domain Name System can be used to
tell you it is 66.230.200.100
7
Uses DNS also has other important uses
DNS makes it possible Assign Internet destinations to the human organization or
concern they represent Independent of the physical routing hierarchy represented
by the numerical IP address. Hyperlinks and Internet contact information can remain
the same Whatever the current IP routing arrangements may be Can take a human-readable form (such as "wikipedia.org")
Easier to remember than an IP address (such as 66.230.200.100).
People take advantage of this when they recite meaningful URLs and e-mail addresses
Do not need to care how the machine will actually locate them
8
Uses
The Domain Name System distributes the responsibility for assigning domain names and mapping them to IP networks allows an authoritative server for each
domain to keep track of its own changes avoids the need for a central registrar to
be continually consulted and updated
9
History
10
History Using a name as a more human-legible abstraction of a
machine's numerical address on the network predates even TCP/IP
All the way to the ARPAnet era Back then however, a different system was used, as DNS was
only invented in 1983, shortly after TCP/IP was deployed. With the older system, each computer on the network retrieved a
file called HOSTS.TXT from a computer at SRI (now SRI International).
The HOSTS.TXT file mapped numerical addresses to names. A hosts file still exists on most modern operating systems, either by
default or through configuration Allows users to specify an IP address (eg. 192.0.34.166) to use for a
hostname (eg. www.example.net) without checking DNS. Nowadays, the hosts file serves primarily for troubleshooting DNS errors
or for mapping local addresses to more organic names Systems based on a hosts file have inherent limitations
The obvious requirement that every time a given computer's address changed, every computer that seeks to communicate with it would need an update to its hosts file
On Windows: C:\WINDOWS\system32\drivers\etc>
11
History The growth of networking called for a
more scalable system Records a change in a host's address in
one place only Other hosts would learn about the
change dynamically through a notification system
Completes a globally accessible network of all hosts' names and their associated IP Addresses
12
History At the request of Jon Postel, Paul Mockapetris
invented the Domain Name System in 1983 and wrote the first implementation. The original specifications appear in RFC 882 and
883 In 1987, the publication of RFC 1034 and
RFC 1035 updated the DNS specification Made RFC 882 and RFC 883 obsolete.
Several more-recent RFCs have proposed various extensions to the core DNS protocols.
13
History In 1984, four Berkeley students1 wrote the
first UNIX implementation In 1985 Kevin Dunlap of DEC significantly re-
wrote the DNS implementation Renamed it BIND (Berkeley Internet Name Domain)
BIND was ported to the Windows NT platform in the early 1990s.
Due to BIND's long history of security issues and exploits, several alternative nameserver/resolver programs have been written and distributed in recent years.
1Douglas Terry, Mark Painter, David Riggle and Songnian Zhou
14
How DNS works
Theory
15
How DNS Works - Theory
Domain names Arranged in a tree
Cut into zones Each served by a
nameserver
16
How DNS Works - Theory The domain name space consists of a
tree of domain names. Each node or leaf in the tree has one or more
resource records, which hold information associated with the domain name.
The tree sub-divides into zones. A zone consists of a collection of connected
nodes authoritatively served by an authoritative DNS nameserver.
Note that a single nameserver can host several zones
17
How DNS Works - Theory
When a system administrator wants to let another administrator control a part of the domain name space within his or her zone of authority Can delegate control to the other administrator. Splits a part of the old zone off into a new zone
Comes under the authority of the second administrator's nameservers
The old zone becomes no longer authoritative for what goes under the authority of the new zone.
18
How DNS Works - Theory
A resolver looks up the information associated with nodes. A resolver knows how to communicate with
name servers by sending DNS requests, and heeding DNS responses.
Resolving usually entails iterating through several name servers to find the needed information.
Some resolvers function simplistically and can only communicate with a single name server. These simple resolvers rely on a recursing
name server to perform the work of finding information for them.
19
How DNS Works - TheoryParts of a domain name
A domain name usually consists of two or more parts (labels), separated by dots Example: wikipedia.org.
The rightmost label conveys the top-level domain The address en.wikipedia.org has the top-level domain
org
Each label to the left specifies a subdivision or subdomain of the domain above it.
Note that "subdomain" expresses relative dependence, not absolute dependence:
wikipedia.org comprises a subdomain of the org domain en.wikipedia.org comprises a subdomain of the domain wikipedia.org
20
How DNS Works - TheoryParts of a domain name
A domain name usually consists of two or more parts (labels), separated by dots In theory
this subdivision can go down to 127 levels deep each label can contain up to 63 characters the whole domain name does not exceed a total
length of 255 characters In practice
some domain registries have shorter limits than that.
21
How DNS works in theoryParts of a domain name
A hostname refers to a domain name that has one or more associated IP addresses
For example, the en.wikipedia.org and wikipedia.org domains are both hostnames, but the org domain is not
The Domain Name System consists of a hierarchical set of DNS servers
Each domain or subdomain has one or more authoritative DNS servers that publish information about that domain and the name servers of any domains "beneath" it.
The hierarchy of authoritative DNS servers matches the hierarchy of domains
At the top of the hierarchy stand the root nameservers: the servers to query when looking up (resolving) a top-level domain name (TLD)
22
How DNS works in theoryParts of a domain name
Iterative and recursive queries: Iterative query: the DNS server may
provide a partial answer to the query (or give an error)
DNS servers must support non-recursive queries. Recursive query: the DNS server will fully
answer the query (or give an error) DNS servers are not required to support
recursive queries and both the resolver (or another DNS acting recursively on behalf of another resolver) negotiate use of recursive service using bits in the query headers
23
How DNS works in theoryAddress resolution mechanism
A full host name may have several name segments e.g ahost.ofasubnet.ofabiggernet.inadomain.example
In practice full host names typically consist of three segments
ahost.inadomain.example www.inadomain.example
Software interprets the name segment by segment, right to left
Using an iterative search procedure At each step along the way, the program queries a
corresponding DNS server to provide a pointer to the next server which it should consult.
Example: A DNS recursor consults three nameservers to resolve the
address www.wikipedia.org.
(This description deliberately uses the fictional .example TLD in accordance with the DNS guidelines themselves.)
24
How DNS works in theoryAddress resolution mechanism
As originally envisaged, the process was as simple as:
The local system is pre-configured with the known addresses of the root servers in a file of root hints
Needed to be updated periodically by the local administrator from a reliable source to be kept up to date with the changes which occur over time
Query one of the root servers to find the server authoritative for the next level down
Query this second server for the address of a DNS server with detailed knowledge of the second-level domain
Repeat the previous step to progress down the name, until the final step which would return the final address sought
(This description deliberately uses the fictional .example TLD in accordance with the DNS guidelines themselves.)
25
How DNS works in theoryAddress resolution mechanism
The diagram illustrates this process for the real host www.wikipedia.org.
(This description deliberately uses the fictional .example TLD in accordance with the DNS guidelines themselves.)
26
How DNS works in theoryAddress resolution mechanism
A search done in this simple form has a major problem: a huge operating burden on the root servers
each and every search for an address would be started by querying one of them
Root nameservers are critical to the overall function of the system Such a heavy use would create an
insurmountable bottleneck for trillions of queries placed every day
In practice preemptive measures are taken
(This description deliberately uses the fictional .example TLD in accordance with the DNS guidelines themselves.)
27
How DNS works in theoryCircular dependencies and glue records
Name servers in delegations appear listed by name, rather than by IP address. This means that a resolving name server must
issue another DNS request to find out the IP address of the server to which it has been referred
Since this can introduce a circular dependency if the nameserver referred to is under the domain that it is authoritative of, it is occasionally necessary for the nameserver providing the delegation to also provide the IP address of the next nameserver
This record is called a glue record
28
How DNS works in theoryCircular dependencies and glue records
For example, assume that the sub-domain en.wikipedia.org contains further sub-domains (such as something.en.wikipedia.org) and that the authoritative nameserver for these is at ns1.en.wikipedia.org
A computer trying to resolve something.en.wikipedia.org will thus first have to resolve ns1.en.wikipedia.org
Since ns1 is also under the en.wikipedia.org subdomain, resolving ns1.en.wikipedia.org requires resolving ns1.en.wikipedia.org which is exactly the circular dependency mentioned above
The dependency is broken by the glue record in the nameserver of wikipedia.org that provides the IP address of ns1.en.wikipedia.org directly to the requestor, enabling it to bootstrap the process by figuring out where ns1.en.wikipedia.org is located
29
How DNS Works
In Practice
30
How DNS Works In Practice
When an application tries to find the IP address of a domain name It doesn't necessarily follow all of the
steps outlined in the Theory section Uses caching
31
How DNS works In practice
Caching and time to live Huge volume of requests generated by a
system like DNS Need to provide a mechanism to reduce the
load on individual DNS servers DNS resolution process allows for caching for a
given period of time after a successful answer Caching: the local recording and subsequent
consultation of the results of a DNS query How long a resolver caches a DNS response is
determined by a value called the time to live (TTL) The TTL is set by the administrator of the DNS
server handing out the response The period of validity may vary from just seconds to
days or even weeks or years
32
How DNS Works In Practice- Caching time
As a consequence of the distributed and caching architecture, changes to DNS do not always take effect immediately and globally
This is best explained with an example: An administrator has set a TTL of 6 hours for the host
www.wikipedia.org Then changes the IP address to which www.wikipedia.org
resolves at 12:01pm Administrator must consider that a person who cached a
response with the old IP address at 12:00pm will not consult the DNS server again until 6:00pm.
The period between 12:01pm and 6:00pm in this example is called caching time
The period of time that begins when you make a change to a DNS record and ends after the maximum amount of time specified by the TTL expires
This essentially leads to an important logistical consideration when making changes to DNS: not everyone is necessarily seeing the same thing you're seeing.
RFC 1537 helps to convey basic rules for how to set the TTL.
33
How DNS Works In Practice- Caching time
Note that the term "propagation", although very widely used in this context, does not describe the effects of caching well Specifically, it implies that
[1] when you make a DNS change, it somehow spreads to all other DNS servers (instead, other DNS servers check in with yours as needed)
[2] that you do not have control over the amount of time the record is cached
you control the TTL values for all DNS records in your domain
except your NS records and any authoritative DNS servers that use your domain name
34
How DNS Works In Practice- Caching time
Some resolvers may override TTL values Protocol supports caching
up to 68 years no caching at all
Negative caching (the non-existence of records) is determined by name servers authoritative for a zone which MUST include the SOA record (Start Of Authority) when reporting no data of the requested type exists.
The MINIMUM field of the SOA record and the TTL of the SOA itself is used to establish the TTL for the negative answer
35
How DNS Works In Practice- Caching time
Many people incorrectly refer to a mysterious 48 hour or 72 hour propagation time when you make a DNS change.
When one changes the NS records for one's domain or the IP addresses for hostnames of authoritative DNS servers using one's domain (if any), there can be a lengthy period of time before all DNS servers use the new information
Those records are handled by the zone parent DNS servers Typically cache those records for 48 hours
However, those DNS changes will be immediately available for any DNS servers that do not have them cached
And any DNS changes on your domain other than the NS records and authoritative DNS server names can be nearly instantaneous, if you choose for them to be (by lowering the TTL once or twice ahead of time, and waiting until the old TTL expires before making the change)
36
How DNS Works In Practice- In the Real World
DNS resolving from program to OS-resolver to ISP-resolver to greater system.
Users generally do not communicate directly with a DNS resolver Instead DNS-resolution takes place
transparently in client-applications such as web-browsers, mail-clients, and other Internet applications
When an application makes a request which necessitates a DNS lookup
Such programs send a resolution request to the local DNS resolver in the local operating system
Which in turn handles the communications required
37
How DNS Works In Practice- In the Real World
The DNS resolver will almost invariably have a cache containing recent lookups
If the cache can provide the answer to the request, the resolver will return the value in the cache to the program that made the request
If the cache does not contain the answer, the resolver will send the request to one or more designated DNS servers
In the case of most home users, the Internet Service Provider to which the machine connects will usually supply this DNS server:
Such a user will either have configured that server's address manually or allowed DHCP to set it
System administrators have configured systems to use their own DNS servers
Their DNS resolvers point to separately maintained nameservers of the organization
In any event, the name server thus queried will follow the process outlined above
Until it either successfully finds a result or does not It then returns its results to the DNS resolver Assuming it has found a result, the resolver duly caches that
result for future use Hands the result back to the software which initiated the request
38
How DNS Works In Practice- Broken Resolvers
Broken resolvers An additional level of complexity emerges when resolvers
violate the rules of the DNS protocol Some people have suggested that a number of large ISPs
have configured their DNS servers to violate rules (presumably to allow them to run on less-expensive hardware than a fully-compliant resolver), such as by disobeying TTLs, or by indicating that a domain name does not exist just because one of its name servers does not respond
As a final level of complexity, some applications (such as web-browsers) also have their own DNS cache, in order to reduce the use of the DNS resolver library itself.
This practice can add extra difficulty when debugging DNS issues, as it obscures the freshness of data, and/or what data comes from which cache.
These caches typically use very short caching times — of the order of one minute
Internet Explorer offers a notable exception: recent versions cache DNS records for half an hour
39
How DNS Works In Practice- Other Applications
The system outlined above provides a somewhat simplified scenario.
The Domain Name System includes several other functions:
Hostnames and IP addresses do not necessarily match on a one-to-one basis.
Many hostnames may correspond to a single IP address: combined with virtual hosting
this allows a single machine to serve many web sites Alternatively a single hostname may correspond to many IP
addresses: Facilitates fault tolerance and load distribution Allows a site to move physical location seamlessly
Many uses of DNS besides translating names to IP addresses
E.g. Mail transfer agents use DNS to find out where to deliver e-mail for a particular address
The domain to mail exchanger mapping provided by MX records accommodates another layer of fault tolerance and load distribution on top of the name to IP address mapping
40
How DNS Works In Practice- Other Applications Sender Policy Framework and DomainKeys
Instead of creating their own record types Designed to take advantage of another DNS record type, the TXT record
To provide resilience in the event of computer failure, multiple DNS servers are usually provided for coverage of each domain, and at the top level, thirteen very powerful root servers exist, with additional "copies" of several of them distributed worldwide via Anycast
DNS primarily uses UDP on port 53 to serve requests. Almost all DNS queries consist of a single UDP request
from the client followed by a single UDP reply from the server
TCP comes into play only when the response data size exceeds 512 bytes, or for such tasks as zone transfer
Some operating systems such as HP-UX are known to have resolver implementations that use TCP for all queries, even when UDP would suffice
41
DNS Extensions
Extensions to DNS EDNS is an extension of the DNS
protocol Enhances the transport of DNS data in
UDP packages Adds support for expanding the space of
request and response codes Described in RFC 2671
42
Types of DNS records Important categories of data stored in DNS include the following:
An A record or address record maps a hostname to a 32-bit IPv4 address.
An AAAA record or IPv6 address record maps a hostname to a 128-bit IPv6 address.
A CNAME record or canonical name record is an alias of one name to another
The A record to which the alias points can be either local or remote - on a foreign name server.
This is useful when running multiple services (like an FTP and a webserver) from a single IP address.
Each service can then have its own entry in DNS (like ftp.example.com. and www.example.com.)
An MX record or mail exchange record maps a domain name to a list of mail exchange servers for that domain.
A PTR record or pointer record maps an IPv4 address to the canonical name for that host.
Setting up a PTR record for a hostname in the in-addr.arpa. domain that corresponds to an IP address implements reverse DNS lookup for that address.
For example (at the time of writing), www.icann.net has the IP address 192.0.34.164, but a PTR record maps 164.34.0.192.in-addr.arpa to its canonical name, referrals.icann.org.
An NS record or name server record maps a domain name to a list of DNS servers authoritative for that domain.
Delegations depend on NS records.
43
Types of DNS records Important categories of data stored in DNS include the following:
(cont.) An SOA record or start of authority record specifies the DNS server
providing authoritative information about an Internet domain, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone.
An SRV record is a generalized service location record. A TXT Record allows an administrator to insert arbitrary text into a DNS
record. For example, this record is used to implement the Sender Policy Framework and
DomainKeys specifications. NAPTR records ("Naming Authority Pointer") are a newer type of DNS record
that support regular expression based rewriting. Other types of records simply provide information (for example, a
LOC record gives the physical location of a host), or experimental data (for example, a WKS record gives a list of servers offering some well known service such as HTTP or POP3 for a domain).
When sent over the internet, all records use the common format specified in RFC 1035 shown below.
RR (Resource Record) Fields FieldDescriptionLength (Octets)NAMEName of the node to which this record pertains.(variable)TYPEType of RR.
For example, MX is type 15.2CLASSClass code.2TTLSigned time in seconds that RR stays valid.4RDLENGTHLength of RDATA field.2RDATAAdditional RR-specific data.(variable)For a complete list of DNS Record types consult IANA DNS Parameters.
44
DNS Records – Complete List
http://www.iana.org/assignments/dns-parameters
45
Example DNS Record for logicbbs.org
First three lines describe valid name servers for logicbbs.org.
Following two entries indicate that the mail exchanger for logicbbs.org has a priority of 10 and messages should be directed to mail.logicbbs.org.
Priority values indicate where to send e-mail if a server is unavailable; the lower the priority value, the higher the priority of that server.
Mail servers send e-mail to the server with the lowest priority value, and then work their way up the values listed as necessary.
The last two lines indicate that logicbbs.org (the second-level domain) points to 69.17.158.109.
The www and mail subdomains (www.logicbbs.org, mail.logicbbs.org) also point to 69.17.158.109.
The DNS record is the reason why some internet addresses do not need the www prefix, while others do.
If that particular domain has a www A record that differs from the basic A record, then anydomain.com may be different from www.anydomain.com, and the former may not work.
Other sites, like logicbbs.org, have both the top-level domain and the www subdomain pointing to the same IP address, which reduces confusion and ambiguity
IN NS ns.planix.com IN NS ns1.mydyndns.orgIN NS ns2.mydyndns.org
IN MX 10 mailIN A 69.17.158.109
www IN A 69.17.158.109mail IN A 69.17.158.109
46
Internationalized Domain Names While domain names technically have no restrictions on
the characters they use and can include non-ASCII characters, the same is not true for host names
Host names are the names most people see and use for things like e-mail and web browsing.
Host names are restricted to a small subset of the ASCII character set that includes
the Roman alphabet in upper and lower case the digits 0 through 9 the dot the hyphen
This prevented the native representation of names and words of many languages
ICANN has approved the Punycode-based IDNA system, which maps Unicode strings into the valid DNS character set, as a workaround to this issue
Some registries have adopted IDNA
47
Security issues DNS was not originally designed with security in mind, and thus has a
number of security issues. DNS responses are traditionally not cryptographically signed, leading to
many attack possibilities; DNSSEC modifies DNS to add support for cryptographically signed responses There are various extensions to support securing zone transfer information as well
Even with encryption it still doesn't prevent the possibility that a DNS server could become infected with a virus (or for that matter a disgruntled employee) that would cause IP addresses of that server to be redirected to a malicious address with a long TTL.
This could have far reaching impact to potentially millions of internet users if busy DNS servers cache the bad IP data.
This would require manual purging of all affected DNS caches as required by the long TTL (up to 68 years).
Some domain names can spoof other, similar-looking domain names. For example, "paypal.com" and "paypa1.com" are different names, yet
users may be unable to tell the difference when the user's typeface (font) does not clearly differentiate the letter l and the number 1.
This problem is much more serious in systems that support internationalized domain names, since many characters that are different, from the point of view of ISO 10646, appear identical on typical computer screens.
48
Legal users of domains Registrant
Most of the NICs in the world receive an annual fee from a legal user in order for the legal user to utilize the domain name (i.e. a sort of a leasing agreement exists, subject to the registry's terms and conditions)
Depending on the various naming convention of the registries, legal users become commonly known as "registrants" or as "domain holders"
ICANN holds a complete list of domain registries in the world One can find the legal user of a domain name by looking in the WHOIS database held by
most domain registries For most of the more than 240 country code top-level domains (ccTLDs), the
domain registries hold the authoritative WHOIS (Registrant, name servers, expiry dates, etc.).
For instance, DENIC, Germany NIC, holds the authoritative WHOIS to a .DE domain name However, some domain registries, such as for .COM, .ORG, .INFO, etc., use a
registry-registrar model There are hundreds of Domain Name Registrars that actually perform the domain name
registration with the end user (see lists at ICANN or VeriSign) By using this method of distribution, the registry only has to manage the relationship
with the registrar, and the registrar maintains the relationship with the end users, or 'registrants'
For .COM, .NET domain names, the domain registries, VeriSign holds a basic WHOIS (registrar and name servers, etc.)
One can find the detailed WHOIS (registrant, name servers, expiry dates, etc.) at the registrars
Since about 2001, most gTLD registries (.ORG, .BIZ, .INFO) have adopted a so-called "thick" registry approach, i.e. keeping the authoritative WHOIS with the various registries instead of the registrars
49
Legal users of domains
Administrative contact A registrant usually designates an administrative contact to manage the domain
name The administrative contact usually has the most immediate power over a domain Management functions delegated to the administrative contacts may include:
the obligation to conform to the requirements of the domain registry in order to retain the right to use a domain name
authorization to update the physical address, e-mail address and telephone number etc. in WHOIS Technical contact
A technical contact manages the name servers of a domain name. The many functions of a technical contact include:
making sure the configurations of the domain name conforms to the requirements of the domain registry
updating the domain zone providing the 24×7 functionality of the name servers
allows accessibility of the domain name Billing contact
The party whom a NIC invoices Name servers
Namely the authoritative name servers that host the domain name zone of a domain name
50
Politics Many investigators have voiced criticism of the methods currently
used to control ownership of domains Critics commonly claim abuse by monopolies or near-monopolies, such as
VeriSign, Inc Particularly noteworthy was the VeriSign Site Finder system which
redirected all unregistered .com and .net domains to a VeriSign webpage Despite widespread criticism, VeriSign only reluctantly removed it after the
Internet Corporation for Assigned Names and Numbers (ICANN) threatened to revoke its contract to administer the root name servers
There is also significant disquiet regarding the United States' political influence over ICANN
This was a significant issue in the attempt to create a .xxx top-level domain and sparked greater interest in alternative DNS roots that would be beyond the control of any single country
Truth in Domain Names Act Main article: Anticybersquatting Consumer Protection Act In the United States, the "Truth in Domain Names Act" (actually the
"Anticybersquatting Consumer Protection Act"), in combination with the PROTECT Act, forbids the use of a misleading domain name with the intention of attracting people into viewing a visual depiction of sexually explicit conduct on the Internet
51
Other Internet Resources
See also Dynamic DNS Alternative DNS root Comparison of DNS server software
52
DNS Zones
Forward
53
DNS Zones
Reversehttp://en.wikipedia.org/wiki/Reverse_DNS_lookup
54
DNS Reverse Lookup Overview
Typically, the Domain Name System is used to determine what IP address is associated with a given domain name.
So, to reverse-resolve a known IP address is to look up what the associated domain name is belonging to that IP address.
A reverse lookup is often referred to as reverse resolving, or more specifically reverse DNS lookup, and is accomplished using a "reverse IN-ADDR entry" in the form of a PTR record
55
DNS Reverse Lookup IPv4 Reverse DNS
Reverse DNS lookups for IPv4 addresses use a reverse IN-ADDR entry in the special domain in-addr.arpa.
An IPv4 address is represented in the in-addr.arpa domain by a sequence of bytes in reverse order, represented as decimal numbers, separated by dots with the suffix .in-addr.arpa.
For example the reverse lookup domain name corresponding to the
IPv4 address 10.12.13.140 is 140.13.12.10.in-addr.arpa. A host name for 1.2.3.4 can be obtained by issuing a DNS
query for the PTR record for that special address 4.3.2.1.in-addr.arpa.
56
DNS Reverse Lookup Classless Reverse DNS
Historically, IP addresses were allocated in blocks of 256
Each block fell upon an octet boundary Configuration of the PTR records easy
Dot separators delimited each block
IP addresses are now allocated in very much smaller blocks
Traditional way of configuring a nameserver to perform reverse DNS cannot work
A means of overcoming this problem was devised and published as RFC 2317
Uses a CNAME entry which corresponds to each block
57
Multiple PTR records While most rDNS entries only have one PTR record, it
is perfectly legal to have many different PTR records Although it is perfectly legal having multiple PTR
records for the same IP address it is generally not recommended, unless you have a specific need
For example, if a webserver supports many virtual hosts Can be one PTR record for each host Some versions of name server software will automatically add a PTR record
for each host Multiple PTR records can cause a couple of problems
Including triggering bugs in programs that only expect there to ever be a single PTR record
In the case of a large webserver, having hundreds of PTR records can cause the DNS packets to be much larger than normal
58
Records other than PTR records While uncommon compared with PTR
records, it is also legal to put other types of records in the reverse DNS tree.
In particular, encryption keys can be placed there
for, example, IPsec (RFC 4025) SSH (RFC 4255) IKE (RFC 4322)
Less standardized usages include comments placed in TXT records and LOC records
to identify the location of the IP address
59
DNS
Forward-vs-
ReverseLookups
60
Forward DNS lookup Forward DNS lookup is using an
Internet domain name to find an IP address.
Reverse DNS lookup Reverse DNS lookup is using an
Internet IP address to find a domain name.
http://searchsmb.techtarget.com/sDefinition/0,,sid44_gci213968,00.html
61
Lookups When you enter an address for a Web site at your
browser The address is transmitted to a nearby router The router does a forward DNS lookup in a routing table to
locate the IP address Forward DNS lookup is the more common lookup
Most users think in terms of domain names rather than IP addresses
Occasionally you may see a Web page with a URL in which the domain name part is expressed as an IP address (sometimes called a dot address) and want to be able to see its domain name.
An Internet facility that lets you do either forward or reverse DNS lookup yourself is called nslookup
Comes with some operating systems Can download the program and install it in your computer
62
DNS Zones
Forwarding
63
DNS Forwarding In large, well organized, academic or ISP networks you will
sometimes find that the network people have set up a forwarder hierarchy of DNS servers
Helps lighten the internal network load and the load on the outside servers
It's not easy to know if you're inside such a network or not By using the DNS server of your network provider as a
”forwarder”' you can make the responses to queries faster and less of a load on your network
Your nameserver forwards queries to your ISP nameserver Each time this happens you will dip into the big cache of
your ISPs nameserver Thus speeding your queries up, your nameserver does not
have to do all the work itself If you use a modem this can be quite a win
http://tldp.org/HOWTO/DNS-HOWTO-4.html
64
DNS
Delegation/Parenting
65
Mail Exchangers
Covered in previous section: How DNS Works In
Practice- Other Applications