Page 1

DNS server & Client, part one of two

• Objectives
– to learn how to set up DNS servers

• Contents
– The history of DNS

– An Introduction to DNS system

– Forward and Reverse name lookup

– Zonefiles

– Cache, Primary & Secondary DNS

– Stub and Delegation DNS

– DNS security

– Installing caching-only DNS

– Installing primary DNS

– Microsoft dnsmgmt console

Page 2

DNS History

• HOSTS.TXT file
– Through the 1970s ARPAnet was a community of some 200 to 300 computers
– A single file contained the name-to-address mapping for all computers connected to ARPAnet
– SRI-NIC maintained the single file
– All computers needed to download the file once a week, then twice a week
– The hosts.txt file is still used locally on all computers, for important servers only.

• Finally, maintaining the hosts.txt file broke down. The load of distributing the file and the inconsistency of a constantly changing hosts.txt file forced another solution: a distributed solution.

• In 1984 the DNS was born, described in RFC 882/883. Today's DNS RFCs are 1034 and 1035.

Page 3

What is DNS good for?

• IP addresses are hard to remember

• To build the logical-name-based infrastructure
– Logical name to IP address
– IP address to logical name

• Form logical name spheres, so-called domains
– Logical name spheres are essential for practical e-mail delivery
– Form the Windows Active Directory domain tree

• Announce server resource locations
– Tell others where the mail servers for domains sit
– Tell others where the nameservers for domains sit
– Tell others where the domain controllers sit
– And many other resource records

Page 4

DNS structure

[Figure: DNS tree (simplified)]

Page 5

Server 2003 static host file

• In C:\Windows\System32\Drivers\Etc\hosts
– Is important for the nameserver at startup, to find itself and other important servers. You can manage with only localhost, but it is practical to have one or two important servers here.

• The hosts file has higher priority than DNS
– Beware of differences between the hosts file and DNS!
– More than 40 names in the hosts file is not practical
– It can be replicated in small isolated communities

127.0.0.1     localhost
192.168.0.1   router router.my-site.com
192.168.0.42  ns ns.my-site.com
192.168.0.2   mail mail.my-site.com

Page 6

NETBIOS names

• Windows classic networking
– Used to locate resources in Windows domains and workgroups: printers, shared folders, computers, RPC

• Based on broadcast

• Limited to 15 characters

• Stored in C:\Windows\System32\Drivers\Etc\lmhosts
– Can be shared

• WINS server for NetBIOS name resolution
– WINS is now replaced with DNS
– Works almost like DNS

• Problem with routers

Page 7

DNS name resolution

• Name resolution with DNS is a client-server activity. These are the steps in name resolution (simplified):

1. The client application searches for www.my-site.com (forward name resolution question)

2. The client first looks in its local name cache; if the name is there, it tries to make contact

3. The client looks in its hosts file; if the name is there, it updates the local cache and tries to make contact

4. The client looks in the registry for the default DNS server and sends a query to its IP address

5. The name server tries to recognize my-site.com in its local zone files; if it is found, an answer is sent to the client. If not (the first answer found will be sent to the client):

5a. The nameserver looks in its name resolution cache; if the name is there, an answer is sent to the client

5b. The nameserver consults the root name servers, trying to find who has www.my-site.com

5c. The nameserver sends recursive questions, if allowed, to many other nameservers

5d. The nameserver updates its name resolution cache.
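The client-side order above (cache, then hosts file, then the configured DNS server) and the earlier warning that the hosts file outranks DNS, as an added Python example that is not part of the original slides: it parses a constructed hosts file, simulates the lookup order with a TTL-bounded cache, and reports the names where hosts and DNS disagree. The hosts entries and the DNS_TABLE answers are constructed sample data, not a real server.

```python
"""Simulated client lookup order: local cache -> hosts file -> configured DNS.
Added example with constructed data; not the slide deck's own code."""
import time
from dataclasses import dataclass, field

# Constructed hosts file with the same entries as the slide's example.
HOSTS_TEXT = """\
# constructed sample hosts file
127.0.0.1    localhost
192.168.0.1  router router.my-site.com
192.168.0.42 ns ns.my-site.com
192.168.0.2  mail mail.my-site.com
"""

# Constructed stand-in for the answers of the configured DNS server.
# mail.my-site.com deliberately differs from the hosts file.
DNS_TABLE = {
    "www.my-site.com": "192.168.0.10",
    "ns.my-site.com": "192.168.0.42",
    "mail.my-site.com": "192.168.0.3",
}


def parse_hosts(text):
    """Parse hosts-file syntax: '<ip> <name> [alias ...]'; '#' starts a comment."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            # Names are case-insensitive; in this simulation the first entry wins.
            mapping.setdefault(name.lower(), ip)
    return mapping


@dataclass
class Client:
    """Resolver stub following steps 2-4 of the slide, with a TTL-bounded cache."""
    hosts: dict
    dns: dict
    ttl: float = 300.0
    cache: dict = field(default_factory=dict)   # name -> (ip, expiry time)
    trace: list = field(default_factory=list)   # (name, source) per lookup

    def resolve(self, name, now=None):
        now = time.time() if now is None else now
        name = name.lower().rstrip(".")
        # Step 2: local name cache
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            self.trace.append((name, "cache"))
            return hit[0]
        # Step 3: hosts file; it outranks DNS, so a stale entry here wins silently
        if name in self.hosts:
            self.cache[name] = (self.hosts[name], now + self.ttl)
            self.trace.append((name, "hosts"))
            return self.hosts[name]
        # Step 4: query the configured DNS server
        ip = self.dns.get(name)
        if ip is None:
            self.trace.append((name, "nxdomain"))
            return None
        self.cache[name] = (ip, now + self.ttl)
        self.trace.append((name, "dns"))
        return ip


def hosts_dns_conflicts(hosts, dns):
    """Names present in both places but mapped to different addresses:
    the 'differences between hosts file and DNS' the slide warns about."""
    return {n: (hosts[n], dns[n]) for n in hosts if n in dns and hosts[n] != dns[n]}


if __name__ == "__main__":
    client = Client(parse_hosts(HOSTS_TEXT), DNS_TABLE)
    for n in ("mail.my-site.com", "www.my-site.com", "www.my-site.com"):
        print(n, "->", client.resolve(n), "via", client.trace[-1][1])
    print("conflicts:", hosts_dns_conflicts(client.hosts, DNS_TABLE))
```

Running it shows mail.my-site.com answered from the hosts file even though DNS says something else, the second www lookup served from the cache, and the conflict report naming the mail entry; that report is the check to run whenever a hosts file is distributed to more than a handful of machines.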

Page 8

The local resolver

Resolving a FQDN, forward lookup (I have a name and want the IP address):

Page 9

Querying a DNS server

Recursion

Page 10

DNS Alternate query responses

• When querying a nameserver, different replies can come:

• An authoritative answer
– Indicates the answer was obtained from a server with direct authority for the queried name.

• A positive answer
– The query matches the DNS domain name and record type specified in the query message (for example, to find the mail server of a domain).

• A referral answer
– A referral answer contains additional data

• A negative answer
– Indicates one of two possible results:

A) An authoritative server reported that the queried name does not exist in the DNS namespace.

B) An authoritative server reported that the queried name exists, but no records of the specified type exist for that name.
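Added Python example, not from the slides, that simulates the server side of steps 5a-5d on the earlier slide and produces the reply types listed above: an iterative walk from a root server through referrals (with glue addresses as the "additional data") down to the authoritative server, which returns an authoritative answer, a negative answer of kind A (name does not exist) or of kind B (name exists, no record of that type); results are cached. Every server address, name and record here is constructed (198.51.100.0/24 is a documentation range), and the `.example` TLD server is hypothetical.

```python
"""Simulated iterative resolution with referral, authoritative and negative answers.
Added example with constructed servers and records; not the slide deck's own code."""

# Constructed authoritative data, keyed by (fictional, documentation-range) server IP:
# {server_ip: {zone: {owner: {rtype: [rdata, ...]}}}}.  All names are absolute.
ROOT_IP = "198.51.100.1"
SERVERS = {
    "198.51.100.1": {".": {                          # root: delegates com.
        "com.": {"NS": ["a.gtld.example."]},
        "a.gtld.example.": {"A": ["198.51.100.2"]},    # glue for the referral
    }},
    "198.51.100.2": {"com.": {                       # com. TLD: delegates my-site.com.
        "my-site.com.": {"NS": ["ns.my-site.com."]},
        "ns.my-site.com.": {"A": ["192.168.0.42"]},     # glue
    }},
    "192.168.0.42": {"my-site.com.": {               # authoritative for the zone
        "my-site.com.": {"NS": ["ns.my-site.com."], "MX": ["10 mail.my-site.com."]},
        "www.my-site.com.": {"A": ["192.168.0.10"]},
        "mail.my-site.com.": {"A": ["192.168.0.2"]},
        "ns.my-site.com.": {"A": ["192.168.0.42"]},
    }},
}


def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def ask(server_ip, qname, qtype):
    """One query to one server; the reply 'kind' mirrors the slide's answer types."""
    zones = SERVERS[server_ip]
    zone = max((z for z in zones if in_zone(qname, z)), key=len, default=None)
    if zone is None:
        return {"kind": "refused"}
    rrs = zones[zone]
    # A delegation below the apex that covers qname -> referral plus glue (additional data)
    for owner, types in rrs.items():
        if owner != zone and "NS" in types and in_zone(qname, owner):
            glue = {ns: rrs.get(ns, {}).get("A", []) for ns in types["NS"]}
            return {"kind": "referral", "zone": owner, "ns": types["NS"], "glue": glue}
    if qname not in rrs:
        return {"kind": "nxdomain"}           # negative answer A: name does not exist
    if qtype not in rrs[qname]:
        return {"kind": "nodata"}             # negative answer B: name exists, no such type
    return {"kind": "authoritative", "rrs": list(rrs[qname][qtype])}


def resolve(qname, qtype, cache=None, depth=0):
    """Steps 5a-5d: check cache, start at the root, follow referrals, cache the result."""
    cache = {} if cache is None else cache
    qname = qname.lower()
    if not qname.endswith("."):
        qname += "."
    key = (qname, qtype)
    if key in cache:
        return cache[key], ["cache"]
    if depth > 4:                               # bound the glue-chasing recursion
        return {"kind": "servfail"}, []
    trace, server = [], ROOT_IP
    for _ in range(8):                          # bound the referral chain
        reply = ask(server, qname, qtype)
        trace.append((server, reply["kind"]))
        if reply["kind"] != "referral":
            cache[key] = reply
            return reply, trace
        server = None
        for ns in reply["ns"]:
            # Use the glue if the referral carried it, otherwise resolve the NS name ourselves
            addrs = reply["glue"].get(ns) or resolve(ns, "A", cache, depth + 1)[0].get("rrs", [])
            if addrs:
                server = addrs[0]
                break
        if server is None:
            break
    return {"kind": "servfail"}, trace


if __name__ == "__main__":
    for name, rtype in (("www.my-site.com", "A"), ("my-site.com", "A"), ("nope.my-site.com", "A")):
        reply, trace = resolve(name, rtype)
        print(name, rtype, reply["kind"], reply.get("rrs"), trace)
```

The trace for www.my-site.com is two referrals followed by one authoritative answer, which is the path a caching-only server walks on a cold cache; the two negative cases show why "name not found" and "no record of that type" must be told apart when reading resolver logs.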

Page 11

DNS server types

• Primary
– Is authoritative for all locally stored domain info (zone files)
– Can alter domain info (zone files)
– Also known as Master DNS
– Must have hostname ns
– Replicates out zone files to the secondary

• Secondary
– Receives replicated zone files from the primary
– Cannot alter domain info

• Caching only / Root HINT
– Does not keep any zone files
– Just stores resolved names in RAM (100 bytes per resolved name)

• Forwarder
– Just forwards all queries to another DNS server

• Stub ZONE DNS
– Limited forwarder, forwards only specific queries for selected domains

Page 12

Zone and Domain

Page 13

Zonefiles

• Each zone needs two zone files:
– Forward name resolution: my.site.com.

This file contains the main resource records:

NS Nameservers of the zone

MX Mail servers of the zone

A Host address for a client or server in the zone

IN A Internet address (class IN)

CNAME Alias name

– Reverse name resolution: 0.168.192.in-addr.arpa.

PTR Reverse record

• Resource Records (RR) tell us what is inside this zone

• Domain name of the zone: it is practical to name the file after the domain
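Added Python example, not the slides' own code: a small zone-file parser for the record types listed above (SOA, NS, MX, A, CNAME, PTR), run over a constructed forward zone for my-site.com. and its constructed reverse zone 0.168.192.in-addr.arpa., followed by the consistency checks an administrator wants before loading the files: SOA and NS present at the apex, in-zone nameservers have A (glue) records, MX targets are real hosts rather than CNAMEs, and every A record has a matching PTR. In the sample data www deliberately has no PTR so the checker has something to report.

```python
"""Zone-file parser plus pre-load consistency checks.
Added example over constructed zones; not the slide deck's own code."""
from collections import defaultdict

FORWARD_ZONE = """\
; constructed forward zone file for my-site.com.
$TTL 3600
$ORIGIN my-site.com.
@       IN SOA ns.my-site.com. hostmaster.my-site.com. (
                2024010101 ; serial
                7200 900 1209600 3600 )
@       IN NS   ns
@       IN MX   10 mail
ns      IN A    192.168.0.42
mail    IN A    192.168.0.2
www     IN A    192.168.0.10
ftp     IN CNAME www
"""

REVERSE_ZONE = """\
; constructed reverse zone file for 192.168.0.0/24 (www has no PTR on purpose)
$TTL 3600
$ORIGIN 0.168.192.in-addr.arpa.
@       IN SOA ns.my-site.com. hostmaster.my-site.com. 2024010101 7200 900 1209600 3600
@       IN NS  ns.my-site.com.
42      IN PTR ns.my-site.com.
2       IN PTR mail.my-site.com.
"""

# Which rdata fields of each type are domain names that must be made absolute
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}


def _logical_lines(text):
    """Drop ';' comments and join records continued inside parentheses."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=None):
    """Return {owner: {rtype: [rdata string, ...]}} with every name made absolute."""
    records = defaultdict(lambda: defaultdict(list))
    owner = None
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):          # $TTL and other directives: ignored here
            continue
        if not line[0].isspace():               # explicit owner; blank owner repeats the last
            owner = _fqdn(tokens.pop(0), origin)
        if tokens[0].isdigit():                 # optional TTL
            tokens.pop(0)
        if tokens[0].upper() == "IN":           # optional class
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        for i in NAME_FIELDS.get(rtype, []):
            rdata[i] = _fqdn(rdata[i], origin)
        records[owner][rtype].append(" ".join(rdata))
    return {o: dict(t) for o, t in records.items()}


def check_zones(fwd, rev, origin):
    """Checks worth running before loading the files: apex SOA/NS, glue, MX targets, PTRs."""
    problems = []
    apex = fwd.get(origin, {})
    for rtype in ("SOA", "NS"):
        if rtype not in apex:
            problems.append(f"no {rtype} record at apex {origin}")
    for ns in apex.get("NS", []):
        if ns.endswith(origin) and "A" not in fwd.get(ns, {}):
            problems.append(f"in-zone nameserver {ns} has no A record")
    for mx in apex.get("MX", []):
        target = mx.split()[1]
        if "CNAME" in fwd.get(target, {}):
            problems.append(f"MX target {target} is a CNAME")
        elif "A" not in fwd.get(target, {}):
            problems.append(f"MX target {target} has no A record")
    ptr_by_ip = {}                              # 42.0.168.192.in-addr.arpa. -> 192.168.0.42
    for owner, types in rev.items():
        for target in types.get("PTR", []):
            ptr_by_ip[".".join(reversed(owner.split(".")[:4]))] = target
    for owner, types in fwd.items():
        for ip in types.get("A", []):
            if ptr_by_ip.get(ip) != owner:
                problems.append(f"A {owner} -> {ip} has no matching PTR")
    return problems


if __name__ == "__main__":
    fwd, rev = parse_zone(FORWARD_ZONE), parse_zone(REVERSE_ZONE)
    print(*check_zones(fwd, rev, "my-site.com."), sep="\n")
```

The parser handles the two layouts that usually trip hand-written tools, a parenthesised multi-line SOA and relative names under `$ORIGIN`; the PTR check matters for the mail server in particular, because the "some services use reverse lookup to prevent spoofing" point later in the deck means a missing or mismatched PTR gets mail rejected.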

Page 14

Nameservers need to be two!

• In order to keep a stable name service:
– Have one PRIMARY nameserver at a central administration point.
– Set up at least one SECONDARY nameserver close to the customers.

The secondary will not only offload the primary for name resolution, it will also secure name resolution for you.

Two nameservers are essential if you run public domain hosting services; you will in fact not be allowed to do "pointing" without at least two nameservers.

You also need an RP, responsible person, one who receives e-mail for your zones. If this e-mail is not working, you will not get NIC acceptance.

Page 15

Replicating zonefiles

• Whenever one zone file at the PRIMARY is modified, or if a zone/domain is added/removed: server PUSH

• To keep the infrastructure intact with zone files, the SECONDARY uses the SOA header
– SOA means start of authority and is first in the zone file.
– Time To Live
– Serial number

• Securing the infrastructure
– Allowing only selected nameservers to access and replicate zone files
– This is configured inside the Windows dnsmgmt console, per zone file or globally

Page 16

Zonefile update process

Incremental zone transfer (IXFR) or full transfer (AXFR) of the zone
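Added Python example, not Microsoft's or the slides' code, simulating the update process on this and the previous slide: the secondary polls the primary's SOA serial (compared with RFC 1982 serial arithmetic so a wrapped serial is still seen as newer), asks for an IXFR when it already holds a version of the zone, receives a full AXFR when the primary's change history does not reach back to the secondary's serial, and the primary refuses transfers from addresses outside its allow-list, which is the "allow only selected nameservers to replicate" restriction of the previous slide. Names, addresses and serial values are constructed.

```python
"""Simulated SOA-driven zone refresh: IXFR when possible, AXFR otherwise, and a transfer
allow-list on the primary.  Added example with constructed data; not Microsoft's or the
slide deck's code."""

SERIAL_MOD = 1 << 32


def serial_gt(a, b):
    """RFC 1982 serial arithmetic: True when serial a is newer than b, wrap-around included."""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    half = SERIAL_MOD // 2
    return (a < b and b - a > half) or (a > b and a - b < half)


class Primary:
    """Master server: edits bump the SOA serial and are kept as deltas for IXFR."""

    def __init__(self, records, serial, allow_transfer):
        self.records = dict(records)          # name -> rdata (one record per name, simplified)
        self.serial = serial
        self.allow_transfer = set(allow_transfer)   # secondaries permitted to replicate
        self.history = []                     # (old_serial, new_serial, deleted, added)

    def update(self, deleted, added):
        old = self.serial
        for name in deleted:
            del self.records[name]
        self.records.update(added)
        self.serial = (self.serial + 1) % SERIAL_MOD
        self.history.append((old, self.serial, dict(deleted), dict(added)))

    def xfr(self, client_ip, kind, have_serial=None):
        """Answer a zone-transfer request: REFUSED, full AXFR, or an IXFR delta chain."""
        if client_ip not in self.allow_transfer:
            return "REFUSED", None
        if kind == "AXFR":
            return "AXFR", dict(self.records)
        by_old = {h[0]: h for h in self.history}
        chain, cur = [], have_serial
        while cur != self.serial:
            step = by_old.get(cur)
            if step is None:                  # history does not reach back that far
                return "AXFR", dict(self.records)
            chain.append(step)
            cur = step[1]
        return "IXFR", chain


class Secondary:
    """Slave server: polls the SOA serial and pulls only when the primary is newer."""

    def __init__(self, ip):
        self.ip, self.records, self.serial = ip, {}, None

    def refresh(self, primary):
        if self.serial is not None and not serial_gt(primary.serial, self.serial):
            return "up to date"
        kind = "AXFR" if self.serial is None else "IXFR"
        result, payload = primary.xfr(self.ip, kind, self.serial)
        if result == "REFUSED":
            return "refused"
        if result == "AXFR":
            self.records = payload
        else:
            for _, _, deleted, added in payload:
                for name in deleted:
                    self.records.pop(name, None)
                self.records.update(added)
        self.serial = primary.serial
        return result


if __name__ == "__main__":
    primary = Primary({"www": "A 192.168.0.10"}, 2024010101, allow_transfer={"192.168.0.43"})
    secondary, rogue = Secondary("192.168.0.43"), Secondary("203.0.113.9")
    print(secondary.refresh(primary), secondary.refresh(primary))
    primary.update({}, {"mail": "A 192.168.0.2"})
    print(secondary.refresh(primary), secondary.records)
    print(rogue.refresh(primary), rogue.records)
```

The refused transfer is the behaviour to verify after restricting zone transfers in dnsmgmt: a host outside the list must get nothing back, not a copy of the zone, and the primary's log of refused AXFR requests is worth watching since an unexpected client asking for the whole zone is usually reconnaissance.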

Page 17

Reverse lookup

The client query is for PTR records, found in the file "20.1.168.192.in-addr.arpa."

Most services do not use reverse lookup; however, some do, to prevent spoofing of domain names and hostnames.

Page 18

Understanding stub zones

The STUB zone can speed up name resolution because it bypasses the root nameservers and goes directly to the selected zone's nameservers.

A stub zone consists of:
• The start of authority (SOA) resource record, the name server (NS) resource records, and the glue A resource records for the delegated zone.

• The IP address of one or more master servers that can be used to update the stub zone.

Stub zones are often used to improve name resolution.

It can take up to 4 hours for a name to be registered worldwide.

Page 19

Dynamic update

Dynamic update allows DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records.

Dynamic updates can be sent for any of the following reasons or events:

• An IP address is added, removed, or modified in the TCP/IP properties configuration for any one of the installed network connections.

• An IP address lease changes or renews with the DHCP server for any one of the installed network connections; for example, when the computer is started or when the ipconfig /renew command is used.

• The ipconfig /registerdns command is used to manually force a refresh of the client name registration in DNS.

• At startup time, when the computer is turned on.

• A member server is promoted to a domain controller.

Page 20

Host Header LOOKUPS

• Commonly known as virtual web server
– Practically, you bind a hostname to a specific directory in IIS

• Practical to use if you don't have enough IP addresses

• Does not work with SSL: the host header is encrypted when it arrives at IIS.

• DNS resource record CNAME to share the same IP address among several virtual web servers in subdomains.

• Use resource record IN A in zone files

Page 21

Install a DNS server, Server installation

To install a DNS server (don't install any DNS yet):

A. Install one Win2k3 SE with default and typical settings. This is the PRIMARY nameserver; its hostname is "ns"
B. Open Control Panel
C. Select the System icon
D. Select Computer Name
E. Click on Change
F. Verify Computer name: ns
G. Click on More…
H. Enter Primary DNS suffix of this computer: "my-site.com", or whatever this nameserver's domain is
I. Click on OK to accept everything
J. Go back to Control Panel and click on Network Connections
K. Click on Properties and select TCP/IP
L. Click on Properties again
M. The PRIMARY nameserver must not receive a DHCP IP address; enter its IP address, subnet mask and default gateway
N. At Preferred DNS server: 127.0.0.1; remove Alternate!
O. Go to Advanced, WINS and disable NetBIOS over TCP/IP!
P. Accept everything

Page 22

Install a DNS server, DNS installation

1. Open Windows Components Wizard.

2. In Components, select the Networking Services check box, and then click Details.

3. In Subcomponents of Networking Services, select the Domain Name System (DNS) check box, click OK, and then click Next.

4. If prompted, in Copy files from, type the full path to the distribution files, and then click OK.

Required files are copied to your hard disk.

You now have a CACHING ONLY DNS

Page 23

Configure a new DNS server

To configure a new DNS server, you can use:
• the Windows interface (preferred method)
• a command line

Using the Windows interface:

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

• Open DNS.
• If needed, add and connect to the applicable server in the console.
• In the console tree, click the applicable DNS server.
• Where? DNS/Applicable DNS server
• On the Action menu, click Configure a DNS Server.
• Follow the instructions in the Configure a DNS Server Wizard.

Page 24

Summary

• A DNS server is used to resolve names and IP addresses

• Configuration sits in /etc/named.conf

• Zone files are in /var/named/

• Zone transfer from primary to secondary

• Stub zones speed up name resolution

• Caching-only nameserver is the default setting

• You have two files for each zone

• Hosts can share the same IP with CNAME or in zones

• Stop the DNS server with the dnsmgmt MMC GUI

• Reload the DNS server with the dnsmgmt MMC GUI

• You can restrict queries and apply policies to them

• It takes time for names to update globally

• The DNS server has 127.0.0.1 as its default nameserver

• The primary DNS must have the name ns