DNS/DNSSEC Workshop
In Collaboration with APNIC and HKIRC – Hong Kong

Champika Wijayatunga, Regional Security Engagement Manager – Asia Pacific
22-24 January 2018



Agenda

1. Introduction to DNS
   • DNS Features
   • Domains, Delegations and Zones
   • DNS Servers
   • Resolution Process
   • Caching
   • Zone Files
   • Forward DNS vs Reverse DNS
2. DNS Security
3. DNSSEC Overview


History

1983 DNS was designed/invented by Paul Mockapetris (RFC 882 & 883)

1984 Berkeley Internet Name Domain (BIND) Server developed
     Original seven generic TLDs (.com, .edu, .gov, .int, .mil, .net, and .org)

1985 First country codes assigned: .us, .uk, and .il

1986 .au, .de, .fi, .fr, .jp, .kr, .nl and .se

1987 RFC 1034 (considered the first full DNS specification)

.... Country Code TLDs continue to be added ....

2000 Seven new TLDs added (.aero, .coop, .museum, .biz, .info, .name, and .pro)

2012 New round of applications for gTLDs opened by ICANN


What is DNS?

A distributed database primarily used to obtain the IP address, a number, e.g., 192.0.32.7 (IPv4) or 2620:0:2d0:200::7 (IPv6), that is associated with a user-friendly name (www.icann.org).

User → DNS Server    Query: What is www.icann.org?
DNS Server → User    Answer: 192.0.32.7 or 2620:0:2d0:200::7


DNS Tree

(Figure: the DNS name tree.) The Root “.” sits at the top. Below it are the top-level domains, both generic (org, net, com, ...) and country-code (au, ..., sg). Below those are second-level names (icann and isoc under org; ripe and apnic under net; example under com, au and sg), and below those the hosts (such as www and ssac under icann.org).

Example: www.icann.org. → Root “.”, top level org, second level icann, host www

FQDN = Fully Qualified Domain Name


DNS Features


What are the Key Features of DNS?

• Hierarchical
• Globally Distributed
• Reliable
• Consistent
• Dynamic
• Scalable


DNS Resolution, Servers, and Caching


Root Server Operation



What do the Root-Server Operators do?

• Copy a very small database, the content of which is currently decided by PTI (formerly IANA)
• Put that database in the servers called ‘Root Servers’
• Make the data available to all Internet users
• Work stems from a common agreement about the technical basis
  – Everyone on the Internet should have equal access to the data
  – The entire root system should be as stable and responsive as possible


What do the Root-Server Operators not do?

• Interfere with the content of the database
  – E.g. they run the printing presses, but don't write the book
• Make policy decisions
  – Who runs TLDs, or which domains are in them
  – What systems TLDs use, or how they are connected to the Internet


Who are the Root Server operators?

• Not "one group", 12 distinct operators
• Operational and technical cooperation
• Participate in RSSAC as advisory body to ICANN
• High level of trust among operators
  – Show up at many technical meetings, including IETF, ICANN, RIR meetings, NOG meetings, APRICOT etc.


How Secure are the Root Servers?

• Physically protected
• Tested operational procedures
• Experienced, professional, trusted staff
• Defense against the major operational threat, i.e. DDoS
  – Anycast
    • Setting up identical copies of existing servers
    • Same IP address
    • Exactly the same data
    • Standard Internet routing will bring the queries to the nearest server
    • Provides better service to more users


Avoiding Common Misconceptions

• Not all internet traffic goes through a root server
• Not every DNS query is handled by a root server
• Root servers are not managed by volunteers as a hobby
  – Professionally managed and well funded
• No single organization (neither commercial nor governmental) controls the entire system
• The "A" server is not special
• Root Server Operators don't administrate the zone content
  – They publish the IANA-approved data


Root Server Operation @ICANN

+ ICANN is the L-Root Operator

+ L-Root nodes keep Internet traffic local and resolve queries faster

+ Make it easier to isolate attacks

+ Reduce congestion on international bandwidth

+ Redundancy and load balancing with multiple instances


L-Root presence

+ Geographical diversity via Anycast

+ Around 160 dedicated servers

+ Presence on every continent

+ On a normal basis 15 ~ 25 kqps

+ That is approximately 2 billion DNS queries a day

+ Interested in hosting an L-Root?

+ Contact your ICANN Global Stakeholder Engagement Representative


Types of DNS Servers

• Authoritative Servers
  – Root Servers
  – Primary
  – Secondary
• Recursive Servers
  – Or Recursive Resolvers
  – Or Caching Servers


DNS Resolution Process


Caching

Recursive or Caching Servers not only find answers but also store answers locally for the “TTL” period of time.

TTL = Time To Live
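As an added illustration of this slide (not part of the workshop material), a small model of a caching server: it resolves a name once, keeps the answer for the TTL it was given, serves later queries from the cache with the remaining TTL, and goes back out only once the TTL has expired. The authoritative data is a constructed table standing in for a real recursion.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the answers a real recursion would fetch from the
# authoritative servers: (name, type) -> (rdata, TTL in seconds). Not from the slides.
AUTHORITATIVE = {
    ("www.icann.org.", "A"): ("192.0.32.7", 3600),
    ("www.example.test.", "A"): ("192.168.0.2", 60),
}

@dataclass
class CachingResolver:
    """Model of a caching (recursive) server: finds answers, then keeps them for the TTL."""
    clock: Callable[[], float]                   # injected so tests can move time forward
    upstream_queries: int = 0                    # how often we had to go out and resolve
    cache: Dict[Tuple[str, str], Tuple[str, float]] = field(default_factory=dict)

    def resolve(self, name: str, rtype: str) -> Optional[Tuple[str, int]]:
        """Return (rdata, remaining TTL), answering from cache while the TTL lasts."""
        key = (name.lower(), rtype.upper())      # DNS names are case-insensitive
        now = self.clock()
        hit = self.cache.get(key)
        if hit is not None and hit[1] > now:
            # Cache hit: the TTL handed out is what is *left*, not the original value,
            # so a downstream cache cannot keep the answer past the authoritative TTL.
            return hit[0], int(hit[1] - now)
        self.cache.pop(key, None)                # expired entry is discarded
        self.upstream_queries += 1
        answer = AUTHORITATIVE.get(key)
        if answer is None:
            return None
        rdata, ttl = answer
        self.cache[key] = (rdata, now + ttl)     # remember until now + TTL
        return rdata, ttl
```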


Domain, Delegations and Zones


Domains

(Figure: the same name tree as before, with domains marked.) A domain is a whole subtree: the au domain is everything under au, the org domain everything under org, and the icann.org domain everything under icann.org (for example www and learn).


Delegations

• Administrators can create subdomains to group hosts
  – According to geography, organizational affiliation etc.
• The authority of such subdomain(s) can be delegated to another party
• The parent domain retains links to the delegated subdomain
  – The parent domain “remembers” to whom the subdomain is delegated


Zones

(Figure: the same tree, now with zones marked.) Alongside the au, org and icann.org domains of the previous slide, the figure marks three zones: the org zone, the icann.org zone and the learn.icann.org zone. Each zone holds only its own data, whereas the icann.org domain spans every name below icann.org.


Zone Files


Zone Data

• DNS zone data are hosted at an authoritative name server
• DNS zones contain resource records that describe
  – Name servers
  – IP addresses
  – Hosts, Services
  – Cryptographic keys
  – Signatures etc.


Resource Records (RR)

• Consists of resource mappings

  Label  TTL   Class  Type  RData
  www    3600  IN     A     192.168.0.1

• Most common types of RR
  o A
  o AAAA
  o NS
  o SOA
  o MX
  o CNAME

Resource Record | Function
Label           | Name substitution for FQDN
TTL             | Timing parameter, an expiration limit
Class           | IN for Internet, CH for Chaos
Type            | RR Type (A, AAAA, MX, PTR) for different purposes
RDATA           | Anything after the Type identifier; payload of the record


Zone Files

$TTL 86400 ; 24 hours could have been written as 24h or 1d
$ORIGIN example.test.
@ IN SOA ns1.example.test. hostmaster.example.test. (
        2017092701 ; serial number
        3H         ; refresh
        15         ; retry
        1w         ; expire
        3h         ; nxdomain TTL
        )
     IN NS    ns1.example.test.            ; in the domain
     IN NS    ns2.anotherexample.net.      ; external to domain
     IN MX 10 mail.someotherexample.com.   ; external mail provider
ns1  IN A     192.168.0.1                  ; name server definition
www  IN A     192.168.0.2                  ; web server definition
ftp  IN CNAME www.example.test.            ; ftp server definition
host IN A     192.168.0.3                  ; host definition
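As an added example (not from the workshop material), a parser for the zone file format and the resource record layout shown on the last two slides: it handles $TTL and $ORIGIN, the @ label, owner names inherited from the previous record, comments, the parenthesised multi-line SOA and the time-unit shorthands (3H, 1w, 24h) the slide mentions. The zone text is a constructed copy of the slide's example.

```python
# Constructed copy of the slide's example zone (not the original file), SOA over two lines.
ZONE_TEXT = """\
$TTL 86400 ; 24 hours could have been written as 24h or 1d
$ORIGIN example.test.
@ IN SOA ns1.example.test. hostmaster.example.test. (
      2017092701 3H 15 1w 3h ) ; serial refresh retry expire nxdomain-TTL
  IN NS ns1.example.test.       ; in the domain
  IN NS ns2.anotherexample.net. ; external to domain
ns1 IN A 192.168.0.1
ftp IN CNAME www.example.test.
"""
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "MX": (1,), "SOA": (0, 1)}  # rdata slots holding names
RR_TYPES = {"A", "AAAA", "NS", "SOA", "MX", "CNAME", "PTR"}

def to_seconds(value):                  # '3H' -> 10800, '1w' -> 604800, bare '15' -> 15
    unit = value[-1].lower()
    return int(value[:-1]) * UNITS[unit] if unit in UNITS else int(value)

def qualify(name, origin):              # '@' and relative names expand against $ORIGIN
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (owner, ttl, class, type, rdata) tuples with every name fully qualified."""
    origin, default_ttl, owner, records, buf, depth = ".", None, None, [], [], 0
    for raw in text.splitlines():
        buf.append(raw.split(";", 1)[0])                             # strip the comment
        depth += buf[-1].count("(") - buf[-1].count(")")
        if depth:
            continue                                                 # still inside ( ... )
        indented = buf[0][:1].isspace()                              # blank owner => inherit
        fields, buf = " ".join(buf).replace("(", " ").replace(")", " ").split(), []
        if fields[:1] == ["$ORIGIN"]:
            origin = fields[1]
        elif fields[:1] == ["$TTL"]:
            default_ttl = to_seconds(fields[1])
        elif fields:                                                 # a resource record
            if not indented:
                owner = qualify(fields.pop(0), origin)
            ttl, rclass = default_ttl, "IN"
            while fields[0].upper() not in RR_TYPES:                 # optional TTL / class
                tok = fields.pop(0).upper()
                rclass, ttl = (tok, ttl) if tok in ("IN", "CH") else (rclass, to_seconds(tok))
            rtype = fields.pop(0).upper()
            rdata = [qualify(f, origin) if i in NAME_FIELDS.get(rtype, ()) else f
                     for i, f in enumerate(fields)]
            if rtype == "SOA":                                       # refresh/retry/expire/minimum
                rdata[3:7] = [to_seconds(v) for v in rdata[3:7]]
            records.append((owner, ttl, rclass, rtype, rdata))
    return records
```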


Delegating a Zone

• Delegation is done by adding NS records
  – Ex: if example.com wants to delegate training.example.com to another party,

    training.example.test. NS ns1.training.example.test.
    training.example.test. NS ns2.training.example.test.

• Now how can we get to ns1 and ns2?
  – We must add a Glue Record


Glue Record

• Glue is ‘non-authoritative’ data
• Don’t include glue for servers that are not in the sub zones

Only this record needs glue:

    training.example.test. NS ns1.training.example.test.
    training.example.test. NS ns2.training.example.test.

    Glue Record:
    ns1.training.example.test. A 192.0.2.1
    ns2.training.example.test. A 192.0.2.2

These records need no glue (the servers are not in the sub zone):

    training.example.test. NS ns1.another_example.net.
    training.example.test. NS ns2.another_example.net.


Delegating a Child Zone from a Parent Zone

example.test (Parent Zone), served by ns.example.test:
1. Add NS records and glue
2. Make sure there is no other data from the training.example.test. zone in the zone file

training.example.test (Child Zone), served by ns.training.example.test:
1. Set up a minimum of two servers
2. Create zone file with NS records
3. Add all training.example.test data
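To check the parent-zone steps above mechanically, an added example (not from the workshop): given the parent zone's records, it verifies that the child has at least two NS records, that every name server inside the child has glue, that no glue is present for servers outside the zone, and that no other child-zone data has leaked into the parent file. The zone data, including the planted mistakes, is constructed.

```python
# Constructed parent-zone data for example.test. (not from the slides): names are fully
# qualified and lower-case, as they would be after $ORIGIN expansion.
PARENT, CHILD = "example.test.", "training.example.test."
PARENT_RECORDS = [
    (PARENT, "SOA", "ns1.example.test. hostmaster.example.test. 2017092701 10800 15 604800 10800"),
    (PARENT, "NS", "ns1.example.test."),
    ("ns1.example.test.", "A", "192.168.0.1"),
    (CHILD, "NS", "ns1.training.example.test."),        # the delegation: two NS records ...
    (CHILD, "NS", "ns2.training.example.test."),
    ("ns1.training.example.test.", "A", "192.0.2.1"),   # ... but glue for only one of them
    ("www.training.example.test.", "A", "192.0.2.10"),  # child data left behind in the parent
    ("ns1.another_example.net.", "A", "192.0.2.53"),    # glue for a server outside the zone
]

def is_subdomain(name, zone):
    """True when `name` is `zone` itself or lies below it."""
    return name == zone or name.endswith("." + zone)

def check_delegation(parent, child, records):
    """Return (finding, name) pairs for the delegation of `child` inside `parent`.

    Allowed at or below the cut: NS records at the child apex and A/AAAA glue for the
    NS targets that live inside the child. Everything else there, and any owner outside
    the parent zone, is reported. Glue that is needed but absent is reported as well.
    """
    findings = []
    ns_targets = {rdata for owner, rtype, rdata in records if owner == child and rtype == "NS"}
    if len(ns_targets) < 2:
        findings.append(("too-few-ns", child))           # slide: set up a minimum of two servers
    needs_glue = {t for t in ns_targets if is_subdomain(t, child)}
    glued = set()
    for owner, rtype, rdata in records:
        if not is_subdomain(owner, parent):
            findings.append(("out-of-zone", owner))      # non-authoritative data, not ours to publish
        elif owner == child and rtype == "NS":
            continue                                     # the delegation itself
        elif rtype in ("A", "AAAA") and owner in needs_glue:
            glued.add(owner)                             # legitimate glue
        elif is_subdomain(owner, child):
            findings.append(("child-data", owner))       # belongs in the child zone file only
    findings.extend(("missing-glue", t) for t in sorted(needs_glue - glued))
    return findings

if __name__ == "__main__":
    for kind, name in check_delegation(PARENT, CHILD, PARENT_RECORDS):
        print(f"{kind:13} {name}")
```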


Propagation of DNS Data

(Figure: how DNS data propagates.) The Registry DB (database of domain names and registrants) feeds Zone Updates into the Primary Server (authoritative server). Each Secondary Server (authoritative server) picks the zone up from the primary after its Refresh Time. Caching Servers re-query the authoritative servers after the TTL Expiry of the answers they hold.


Visit us at icann.org


Engage with ICANN – Thank You and Questions

Email: [email protected]