Networking
DNS
© Janice Regan, 2006-2013
DNS
The primary use of DNS is to answer queries requesting the IP address that corresponds to a given host name.
Operation of a DNS server
A DNS name server is initialized with some combination of: the addresses of the root servers (the root hints), the addresses of other servers it forwards queries to, and the zone data files for any zones it is authoritative for.
As queries are made, the information received in the responses is added to a cache.
Entries generally have a long (hours to days) lifetime.
The lifetime (TTL) travels with each record: it is set by the administrator of the zone the record belongs to, and that administrator can raise or lower it later. A caching server honours the TTL it receives (it may cap it locally, but must not extend it).
A shorter lifetime keeps cached information up to date but increases the query load on the authoritative servers.
When further queries are made, the cache is checked before any query is transmitted.
Caching
Each time a DNS query is made by the DNS server, the information in the response is cached
This cached information can be used to improve the efficiency of later queries to the DNS server
See the example at the end of the notes for this lecture
DNS
There are two approaches to answering a query
Iterative: the name server receiving the query responds with either the IP address of the host or a referral: the NS records (and usually the addresses) of the servers for the closest enclosing zone it holds a delegation for, one level further down the tree toward the authoritative server. The querier then asks that server itself.
Recursive: the name server takes on the whole job on the querier's behalf and responds with either the IP address of the host or an error such as "no such name".
Submitting a query from a host
A host Drab, in the domain cs.sfu.ca, requests the IP address for ftp.isc.org
Drab expects to receive the IP address of ftp.isc.org without making additional queries.
Drab actually requests the DNS A record (address record) for ftp.isc.org
If the name is resolved, Drab receives the A record for ftp.isc.org, usually together with a number of other DNS records (the NS records for isc.org and the addresses of those name servers, in the authority and additional sections).
Submitting a query from a host
When a host Drab, in the domain cs.sfu.ca, queries for the IP address of ftp.isc.org
The resolver on Drab (the stub resolver in the C library, or a tool such as dig) sends a recursive query (recursion desired) that requires the local DNS server (seymour) to
Make an additional query or queries.
Analyze the reply or replies to those queries.
Supply the resulting IP address, and any other related information discovered while finding that address, to Drab.
Query from the local DNS server
The DNS server must then determine the desired IP address. It will do one of the following
Find the address record for ftp.isc.org in its cache
Execute a series of iterative DNS queries for the address record of ftp.isc.org
It may receive DNS records other than the address record for ftp.isc.org while doing this
Execute a recursive DNS query for the address of ftp.isc.org (forwarding the work to another server)
Step 1: check the cache
The local DNS server will first check its own cache
We are asking for the A record for the host ftp.isc.org. If that record is not in the cache
Look for an NS record for the domain of the name in the cache (for ftp.isc.org. that domain is isc.org.)
If there is no such NS record, look for an NS record for the next higher domain (in this case org.)
If there is no such NS record, check the next higher domain, and so on up to the root
The local DNS server will then send a query to either
The address of the name server from the first (longest) matching NS record found in the cache
One of the root servers (if no other NS record was found; the root server addresses come from the configured root hints, not from the cache)
A series of iterative queries
For simplicity, the first example considers the case where none of the NS records for any part of the host's domain name is already in the cache of the local name server
The first query will therefore be made to one of the root DNS servers
A series of iterative queries (1)
The local DNS server sends a query for the A record of ftp.isc.org to one of the DNS servers for the root domain
The root server is not authoritative for ftp.isc.org, so it sends back a referral: the NS records of the authoritative servers for the org. domain, usually with their A records (glue) in the additional section.
If the glue A records are missing, an additional query for the A record of one of the org. name servers has to be made before the next step.
A series of iterative queries (2)
The local DNS server's resolving software processes the returned data and adds the NS and A records for the DNS server(s) for the org. domain to its cache
The org. domain has been delegated by the root servers to the org. registry's servers, so the root could not match any longer suffix of ftp.isc.org; the referral to org. is the closest match it can give.
A series of iterative queries (3)
The local DNS server formulates a query to one of the DNS servers for the org. domain
The query is again for the A record of the host ftp.isc.org
A series of iterative queries (4)
The DNS server for the domain org. is not authoritative for isc.org either; it sends back a referral with the name and IP address (plus other information) of one or more authoritative servers for the isc.org domain.
The isc.org domain has been delegated by the org. servers to ISC, so org. cannot match any longer suffix of the name than isc.org.
A series of iterative queries (5)
The local DNS server's resolver processes the returned data and adds the NS and A records for the isc.org name server(s) to the cache
It then sends a request for the A record of the host ftp.isc.org to one of the DNS servers for the domain isc.org
A series of iterative queries (6)
The DNS server for the domain isc.org is authoritative for the name and sends back an answer (the A record) with the IP address and name of ftp.isc.org.
The local DNS server's resolver processes the returned data,
adds an entry for ftp.isc.org to the cache (for the TTL carried in the record)
formulates a reply to the original request from host Drab
The reply carries the answer; the NS and A records of the isc.org servers learned in the last step typically appear in its authority and additional sections (compare the dig output later in these notes)
DNS Query (diagram)
Iterative query
Drab -> Seymour: recursive query
Seymour -> root DNS server: query; reply: referred to .org
Seymour -> DNS server for .org: query; reply: referred to isc.org
Seymour -> DNS server for isc.org: query; reply: IP address of ftp.isc.org
Seymour -> Drab: recursive reply
all queries/replies are for the address of ftp.isc.org
Recursive Requests
In the example above the resolver on the host made a recursive request, and the DNS server made only iterative requests.
DNS servers can also make recursive requests. However, busy DNS servers, and in particular authoritative servers, are usually configured to accept only iterative requests: that way they do not have to chase referrals and process the returning results on someone else's behalf, which reduces the load on the busy server. The iterative approach is therefore the one normally used between DNS servers.
A server that does answer recursive queries should accept them only from its own clients (in BIND, the allow-recursion option). A server that recurses for anyone on the Internet (an open resolver) can be aimed at other people's networks using spoofed source addresses, because a small query produces a much larger reply.
Recursive queries (diagram)
Querying host -> DNS server: recursive query
DNS server -> root DNS server (.): recursive query
Root DNS server -> DNS server for .gov.: queries .gov.
DNS server for .gov. -> DNS server for nasa.gov.: queries nasa.gov.
DNS server for nasa.gov. -> DNS server for .gov.: IP address of jpl.nasa.gov.
DNS server for .gov. replies to .; the root DNS server replies to the DNS server
DNS server -> querying host: recursive reply
All queries/replies are for the address of jpl.nasa.gov.
Using the Cache: subsequent queries
A later query for ftp.isc.org will find the IP address in the local DNS server's cache (as long as its TTL has not expired). The DNS server sends back the result without making further queries.
A later query for ftp2.isc.org will find the entry for the isc.org DNS servers in the cache of the local DNS server. A single query to an isc.org DNS server provides the needed information.
A later query for qu.openoffice.org will find the entry for the .org DNS servers in the cache of the local DNS server. Two queries, to the .org and the openoffice.org DNS servers respectively, provide the required information. There is no need to contact a root server.
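The cache check of step 1, the chain of referrals in the iterative steps above, and the three follow-up queries on this slide, modelled in Python as an added example (not code from these notes). The zones, server names and addresses are constructed placeholders (RFC 5737 documentation ranges and a .test name), not the real org. or isc.org infrastructure; the TTLs (one day for NS records, one hour for A records) and the integer clock are assumptions.

```python
"""Model of a caching DNS server doing iterative lookups (added example, not from the notes).
The zones, server names and addresses below are constructed placeholders (RFC 5737
documentation ranges), not the real org. or isc.org infrastructure."""
from __future__ import annotations
from dataclasses import dataclass, field

NS_TTL = 86400      # assumed: one day for delegation (NS) records
A_TTL = 3600        # assumed: one hour for address records

@dataclass
class Zone:
    """What one authoritative server knows: its own A records and its delegations."""
    addresses: dict = field(default_factory=dict)     # host name -> IPv4 address
    delegations: dict = field(default_factory=dict)   # child zone -> (ns name, ns address)

ZONES = {   # constructed hierarchy: root -> org. -> isc.org. / openoffice.org.
    ".": Zone(delegations={"org.": ("ns.org.test.", "192.0.2.1")}),
    "org.": Zone(delegations={"isc.org.": ("ns.isc.org.", "198.51.100.1"),
                              "openoffice.org.": ("ns.openoffice.org.", "198.51.100.2")}),
    "isc.org.": Zone(addresses={"ftp.isc.org.": "203.0.113.10", "ftp2.isc.org.": "203.0.113.11"}),
    "openoffice.org.": Zone(addresses={"qu.openoffice.org.": "203.0.113.20"}),
}

def suffixes(name: str) -> list[str]:
    """Enclosing domains of a fully qualified name, longest first, ending at the root."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]

def authoritative_answer(zone: str, qname: str):
    """Iterative (non-recursive) behaviour of the server for `zone`: an answer, a referral
    to the closest enclosing delegation it holds, or NXDOMAIN.  It never chases the name."""
    z = ZONES[zone]
    if qname in z.addresses:
        return "answer", z.addresses[qname]
    for child in suffixes(qname):
        if child in z.delegations:
            return "referral", (child,) + z.delegations[child]
    return "nxdomain", None

class CachingServer:
    """The local recursive server (seymour in the notes)."""
    def __init__(self):
        self.a_cache = {}    # name -> (address, expiry)
        self.ns_cache = {}   # zone -> ((ns name, ns address), expiry)

    def _fresh(self, cache, key, now):
        entry = cache.get(key)
        if entry is None or entry[1] <= now:
            cache.pop(key, None)            # expired entries are dropped, never served
            return None
        return entry[0]

    def resolve(self, qname: str, now: int):
        """Answer a recursive query. Returns (address or None, list of zones queried)."""
        queried = []
        addr = self._fresh(self.a_cache, qname, now)
        if addr is not None:
            return addr, queried               # step 1: answer straight from the cache
        # Closest enclosing zone with a cached NS record; the root hints are configured,
        # so "." is always available as the fallback starting point.
        zone = next((s for s in suffixes(qname) if self._fresh(self.ns_cache, s, now)), ".")
        while True:
            queried.append(zone)
            kind, data = authoritative_answer(zone, qname)
            if kind == "answer":
                self.a_cache[qname] = (data, now + A_TTL)
                return data, queried
            if kind == "nxdomain":
                return None, queried
            child, ns_name, ns_addr = data     # referral: remember the delegation, go down
            self.ns_cache[child] = ((ns_name, ns_addr), now + NS_TTL)
            zone = child

if __name__ == "__main__":
    server = CachingServer()
    for t, name in ((0, "ftp.isc.org."), (10, "ftp.isc.org."), (20, "ftp2.isc.org."),
                    (30, "qu.openoffice.org."), (4000, "ftp.isc.org.")):
        addr, asked = server.resolve(name, now=t)
        print(f"t={t:>5} {name:<20} -> {addr}  queried: {asked}")
```

Running it reproduces the three patterns on this slide: the first lookup walks root, org., isc.org.; ftp2.isc.org needs only the isc.org server; qu.openoffice.org needs org. and openoffice.org. Once the A record's TTL has run out the server goes back to the isc.org server but not to the root, because the NS records live longer. Expired entries are discarded rather than served, which is what keeps a stale (or planted) answer from outliving its TTL.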
Making direct queries
Use dig or host (or nslookup)
nslookup has been superseded by dig and host on Linux (the BIND 9 version of nslookup warned that it might be removed from future releases), so it is best to become familiar with dig and host
Please become familiar with using dig and host. You should understand usage both for basic lookup of an IP address or name and for obtaining more complete information
Other DNS queries generated
A number of applications can generate DNS requests. These include telnet, email applications and any client application that identifies the server by name rather than IP address
Any client or server that calls gethostbyname() or gethostbyaddr() (or their modern replacements getaddrinfo() and getnameinfo()) will use the DNS name resolver to determine the IP address of the host, or the name for an address
Domain Server Message
Messages exchanged between clients and servers
Comer 2000: fig 24.5
Contents of message fields
The identification field contains an identifier assigned by the program generating the query. It is used to match a response to its query (a predictable identifier makes it easier for an attacker to forge a response, so resolvers choose it at random)
See next slide. Opcode (query type) 2 is now used for a server status request; the recursion desired bit is used in a request and the recursion available bit in a response. Response code (RCODE) 5 means the server refused to perform the requested operation (for example because its security settings do not allow recursion or zone transfers for the requester)
The counts give the number of records in the corresponding section. But what does each of the records contain?
The Parameter Field
Comer 2000: fig 24.6
Authoritative Responses
An authoritative response is an answer that comes from a DNS server responsible for the zone containing the domain name being queried (the AA bit is set in the header).
The local DNS server caches the results from each external query
If an additional query for the same address is made soon after the first, the result is found in the cache of the DNS server. No contact is made with the authoritative server.
The received response is then not from the authoritative server and may be labelled a non-authoritative answer
Example using nslookup
jregan3: nslookup jpl.nasa.gov.
Server: 199.60.1.1
Address: 199.60.1.1#53
Name: jpl.nasa.gov
Address: 137.78.160.180
jregan4: nslookup jpl.nasa.gov.
Server: 199.60.1.1
Address: 199.60.1.1#53
Non-authoritative answer:
Name: jpl.nasa.gov
Address: 137.78.160.180
Question section record
Query class, usually IN (1) to indicate the Internet, or 255 (ANY) to indicate any class
Query type: there are many types, see RFC 1035 for a complete list. Query types are a superset of the types used for resource records, such as
A an address, NS an authoritative name server, SOA start of authority, MX mail exchange, CNAME canonical name
Query type also includes additional types that appear only in questions, like AXFR to transfer all data for a zone
Comer 2000: fig 24.7
Query / resource domain name
"Domain names in messages are of variable length and are expressed in terms of a sequence of labels.
Each label is one segment of the domain name (the characters between two dots)
Each label is represented as a one octet length field followed by that number of octets of name.
Since every domain name ends with the null label of the root, a domain name is terminated by a length byte of zero.
The high order two bits of every length octet must be zero, and the remaining six bits of the length field limit the label to 63 octets or less" From RFC 1035
Compressed name format: a length octet whose high order two bits are 11 is instead a 14 bit pointer to an earlier occurrence of the remaining labels in the same message, so a common tail such as isc.org. need only be spelled out once. A parser must check that each pointer points backwards and bound the number of pointers it follows, otherwise a crafted message can send it into a loop or outside the buffer
Records in other sections
Comer 2000: fig 23.8
Records in other sections
Answer, Authority, Additional
The resource domain name has the same format as the query domain name discussed above
Type contains a code indicating the type of resource record; a complete list is given in RFC 1035. The type determines the amount and format of data in the resource data area (see Query Type for examples)
Class (same definition as in the question, except that 255 is not used in a resource record)
TTL (time to live): the time interval in seconds for which the resource record may be cached. 0 means use only for the current transaction.
Resource data length: number of octets of resource data that follow
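A parser for the message format described on the last few slides (the header fields, the question section, the label and compression encoding of names, and the resource records of the answer, authority and additional sections), written in Python as an added example; it is not code from these notes or from Comer. The sample response is constructed by hand to mirror the dig output later in the notes (id 33180, flags qr rd ra, ftp.isc.org A 204.152.184.110, one isc.org NS record) and was not captured from the network; the second sample is a deliberately malformed message whose name pointer loops.

```python
"""Parse DNS messages in the RFC 1035 wire format (added example, not from the notes).
SAMPLE_RESPONSE is constructed by hand to mirror the notes' dig output (not a network
capture); LOOPING_NAME is a constructed malformed message."""
import ipaddress
import struct

def encode_name(name):
    """Length-prefixed labels terminated by the zero-length root label."""
    out = b""
    for label in (name.rstrip(".").split(".") if name not in ("", ".") else []):
        if not 1 <= len(label) <= 63:
            raise ValueError("label must be 1..63 octets")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, offset, max_hops=16):
    """Decode a possibly compressed name; return (name, offset after it).
    A length octet with top bits 11 is a 14-bit pointer to a *prior* occurrence of the
    remaining labels: it must point backwards and at most max_hops are followed, so a
    crafted message cannot loop the parser or walk it outside the buffer."""
    labels, resume, pos, hops = [], None, offset, 0
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                         # compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target >= pos:
                raise ValueError("forward or self-referencing pointer")
            resume = pos + 2 if resume is None else resume  # caller resumes after 1st pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            pos = target
            continue
        if length & 0xC0:                                  # 01/10 prefixes are reserved
            raise ValueError("reserved label type")
        pos += 1
        if length == 0:                                    # root label ends the name
            break
        if pos + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", (pos if resume is None else resume)

def parse_header(msg):
    """The 12-octet header: identifier, flag bits, RCODE and the four section counts."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-octet header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return dict(id=ident, qr=bool(flags & 0x8000), opcode=(flags >> 11) & 0xF,
                aa=bool(flags & 0x0400), tc=bool(flags & 0x0200), rd=bool(flags & 0x0100),
                ra=bool(flags & 0x0080), rcode=flags & 0xF, qdcount=qd, ancount=an,
                nscount=ns, arcount=ar)

def _parse_rdata(msg, rtype, start, length):
    """Decode A/AAAA and the name-carrying types NS/CNAME/PTR; anything else as hex."""
    if rtype == 1 and length == 4:
        return str(ipaddress.IPv4Address(msg[start:start + 4]))
    if rtype == 28 and length == 16:
        return str(ipaddress.IPv6Address(msg[start:start + 16]))
    if rtype in (2, 5, 12):
        name, end = decode_name(msg, start)
        if end != start + length:
            raise ValueError("rdata length does not match the name it holds")
        return name
    return msg[start:start + length].hex()

def _parse_records(msg, offset, count):
    records = []
    for _ in range(count):                      # name, type, class, TTL, rdlength, rdata
        name, offset = decode_name(msg, offset)
        if offset + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if offset + rdlength > len(msg):
            raise ValueError("rdata runs past end of message")
        records.append((name, rtype, rclass, ttl, _parse_rdata(msg, rtype, offset, rdlength)))
        offset += rdlength
    return records, offset

def parse_message(msg):
    """Whole message as a dict: header, questions and the three record sections."""
    hdr, offset, questions = parse_header(msg), 12, []
    for _ in range(hdr["qdcount"]):
        name, offset = decode_name(msg, offset)
        if offset + 4 > len(msg):
            raise ValueError("truncated question")
        questions.append((name,) + struct.unpack("!HH", msg[offset:offset + 4]))
        offset += 4
    answer, offset = _parse_records(msg, offset, hdr["ancount"])
    authority, offset = _parse_records(msg, offset, hdr["nscount"])
    additional, _ = _parse_records(msg, offset, hdr["arcount"])
    return dict(header=hdr, questions=questions, answer=answer, authority=authority,
                additional=additional)

# Question starts at offset 12, so 0xC00C points back to "ftp.isc.org." and 0xC010 to
# its "isc.org." suffix at offset 16.  Flags 0x8180 = qr rd ra, as in the dig output.
SAMPLE_RESPONSE = (
    struct.pack("!6H", 33180, 0x8180, 1, 1, 1, 0)          # 1 question, 1 answer, 1 authority
    + encode_name("ftp.isc.org.") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 2898, 4) + bytes([204, 152, 184, 110])
    + b"\xc0\x10" + struct.pack("!HHIH", 2, 1, 2898, 9) + b"\x06ns-ext\xc0\x10"
)
# Label "a" at offset 12 followed by a pointer back to 12: a naive decoder never returns.
LOOPING_NAME = struct.pack("!6H", 1, 0, 1, 0, 0, 0) + b"\x01a\xc0\x0c" + struct.pack("!HH", 1, 1)
```

The part worth studying is decode_name: every length octet is a label, a pointer, or invalid, and a pointer is accepted only if it goes backwards and only a bounded number of times. Note that backwards-only is not enough on its own: LOOPING_NAME points backwards and still loops, because the label at offset 12 runs straight back into the pointer at 14. Without the hop limit a message of a few dozen bytes keeps the decoder spinning, and without the bounds checks it reads past the end of the buffer, which is the classic DNS parser failure mode.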
Example using dig: 1
jregan15: dig ftp.isc.org
; <<>> DiG 9.2.1 <<>> ftp.isc.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33180
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
;; QUESTION SECTION:
;ftp.isc.org. IN A
;; ANSWER SECTION:
ftp.isc.org. 2898 IN A 204.152.184.110
;; AUTHORITY SECTION:
isc.org. 2898 IN NS ns-ext.lga1.isc.org.
isc.org. 2898 IN NS ns-ext.nrt1.isc.org.
isc.org. 2898 IN NS ns-ext.sth1.isc.org.
isc.org. 2898 IN NS ns-ext.isc.org.
;; ADDITIONAL SECTION:
ns-ext.lga1.isc.org. 75012 IN A 192.228.91.19
ns-ext.nrt1.isc.org. 75012 IN A 192.228.90.19
ns-ext.sth1.isc.org. 75012 IN A 192.228.89.19
ns-ext.isc.org. 29497 IN A 204.152.184.64
ns-ext.isc.org. 155246 IN AAAA 2001:4f8:0:2::13
;; Query time: 1 msec
;; SERVER: 199.60.1.1#53(199.60.1.1)
;; WHEN: Fri Nov 5 06:21:09 2004
;; MSG SIZE rcvd: 236
Knowing where to look
Dig and other applications that need to look up DNS information must know where to go to find or ask for the information
The list of locations to look (on a Linux system) is found in /etc/resolv.conf. The name servers will be queried in the order given
/etc/resolv.conf will look something like
search cs.sfu.ca css.sfu.ca ensc.sfu.ca math.sfu.ca
nameserver 199.60.1.1
nameserver 142.58.103.1
nameserver 142.58.103.2
resolv.conf: search
search followed by a series of domain names (a default is generated from the host's own domain name; in resolver versions 4.9 and later you can also set the list yourself)
If a query for the address of draconis is made, draconis is not fully qualified (it has fewer dots than the ndots threshold, which defaults to 1), so the resolver does not try it as-is first
Instead it appends the first domain name in the search list (usually the domain of the host making the request) and queries for draconis.cs.sfu.ca. That request will normally produce a result
If it does not, the resolver makes requests for draconis with each of the remaining domain names in the search list (in the order given), stopping if and when one of those requests produces a match; only after the whole list fails is the bare name draconis. tried
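The order in which the search list is applied, as an added example in Python (not code from these notes). It is a simplified model of the glibc/BIND stub resolver rules, with the ndots threshold as an explicit parameter; the search list is the one from the resolv.conf on the previous slide, and the list of candidate names is what the resolver would query, in order, until one succeeds.

```python
"""Order in which a stub resolver tries a name against the search list (added example).
Simplified model of the glibc/BIND rules: ndots (default 1) is how many dots a name
needs before it is tried as given before the search list is applied."""
from __future__ import annotations

SEARCH = ["cs.sfu.ca", "css.sfu.ca", "ensc.sfu.ca", "math.sfu.ca"]   # from the notes' resolv.conf

def candidate_names(name: str, search: list[str], ndots: int = 1) -> list[str]:
    """Return the fully qualified names a resolver would query, in order."""
    if name.endswith("."):
        return [name]                                # already absolute: tried as-is only
    absolute = name + "."
    expanded = [f"{name}.{domain.rstrip('.')}." for domain in search]
    if name.count(".") >= ndots:
        return [absolute] + expanded                 # looks qualified: as-is first
    return expanded + [absolute]                     # bare host: search list first

if __name__ == "__main__":
    for n in ("draconis", "ftp.isc.org", "ftp.isc.org."):
        print(n, "->", candidate_names(n, SEARCH))
```

Two things follow from the order. A bare name like draconis is sent to every search domain before it is ever tried on its own, so a typo in an internal host name turns into a query to each of the listed domains. A dotted name like ftp.isc.org is tried as-is first but, if that fails, is still appended to each search domain, so external names you mistype can end up looked up under your own domains; a trailing dot (ftp.isc.org.) is the way to stop the expansion entirely.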
Other content: resolv.conf
nameserver followed by the IP address of a DNS server
Up to three nameservers can be specified. If the first cannot be contacted the second will be tried. If the first two are unavailable the third will be tried
options followed by a list of options (the keyword is options, not option)
Can turn on debugging output
options debug
Can set the maximum number of attempts to make before a name server is assumed to be unavailable
options attempts:4
Numerous other options are available (for example ndots:n, which sets how many dots a name needs before it is tried as given before the search list is applied)
Database / authoritative servers
When an authoritative master or slave DNS server is initialized it loads a configuration file that associates zone names with the data files containing the DNS resource records for those zones
For Linux systems that file is usually /etc/named.conf, the configuration for the DNS daemon named. This file will be present only on hosts running DNS servers