dns.workshop.hsgr

  1. DNS Workshop. Evaggelos Balaskas. Serial: 2014011901
  2. Disclaimer
     • This presentation is supporting material for a DNS workshop held at http://hackerspace.gr.
     • It may contain errors! Please email me so I can correct them.
     • By the time you read this, the examples may return different values.
     • The domains used in this presentation were picked at random.
     • Note the serial on the first page!
  3. Before DNS, what?
     • /etc/hosts
     • C:\Windows\system32\drivers\etc\hosts
     • Postel, Mockapetris (the people behind the original DNS RFCs)
  4. Now, what?
     • /etc/resolv.conf
     • nameserver 212.205.212.205
  5. Domain Name System
     • domain: hackerspace.gr.
     • Resolution chain: root NS -> TLD NS (gr., run by ITE) -> authoritative NS (dns1.papaki.gr) -> 185.4.135.249
     • Name tree: . -> gr -> hackerspace; the apex (@) resolves to 185.4.135.249
     • dig +trace hackerspace.gr. (notice the dot at the end: it makes the name fully qualified)
  6. Root NS (diagram slide)
  7. Root NS (diagram slide)
  8. Root NS
     • http://www.internic.net/domain/named.root (the root hints file)
     • > dig.exe NS . @a.root-servers.net.
  9. Top Level Domains
     • http://www.iana.org/domains/root/db
     • Greek TLDs in the root database:
       .gr       country-code   ICS-FORTH GR
       .δοκιμή   test           Internet Assigned Numbers Authority
  10. Top Level Domain: gr. (ITE)
      gr.  10748  IN  NS  gr-br.ics.forth.gr.
      gr.  10748  IN  NS  gr-m.ics.forth.gr.
      gr.  10748  IN  NS  estia.ics.forth.gr.
      gr.  10748  IN  NS  grdns.ics.forth.gr.
      gr.  10748  IN  NS  gr-at.ics.forth.gr.
      gr.  10748  IN  NS  gr-us.ics.forth.gr.
      gr.  10748  IN  NS  gr-ix.ics.forth.gr.
      gr.  10748  IN  NS  grdns-de.denic.de.
  11. Check gr domains
      • http://www.gr
      • dig +trace NS hackerspace.gr
      • dig +trace NS ebalaskas.gr
      • dig +trace NS goethe.gr
      • Check the differences!
      • dig +trace www.hackerspace.gr.
      • dig +trace A hackerspace.gr.
  12. Check domains
      • > dig A www.ert.gr +short
      • > dig NS nerit.gr +short [de nada!]
      • ITE does not serve nerit.gr, but ... (see next slide)
  13. Servers
      Authoritative NS (serve zone files; they never ask ITE):
      • ns1.otenet.gr
      • ns2.otenet.gr
      DNS resolvers (caching/recursive; answers live in RAM; they ask the root NS, then ITE, then the authoritative NS):
      • dns1.otenet.gr
      • dns2.otenet.gr
      • All OTE customers MUST use 212.205.212.205 (dns1 & dns2)
  14. Public DNS: caching servers
      • Google Public DNS (they log your DNS queries)
        ● 8.8.8.8
        ● 8.8.4.4
      • OpenNIC project
        ● 85.126.4.170 (T, AT)
        ● 151.236.10.135 (AT)
        (the IPs above are just an example; see http://www.opennicproject.org/)
      • OpenDNS
        ● 208.67.222.222 (resolver1.opendns.com)
        ● 208.67.220.220 (resolver2.opendns.com)
  15. RR: resource records
      • SOA - Start of Authority Record
      • NS - Name Server Record
      • MX - Mail Exchanger Record
      • A - IPv4 Address Record
      • CNAME - Host Alias Record
      • SRV - Services Record
      • TXT - Text Record
      • PTR - Pointer Record
  16. Start Of Authority
      > dig soa ebalaskas.gr +short
      ns14.ebalaskas.gr. ebalaskas.ebalaskas.gr. 2012052408 172800 3600 1209600 86400
      • domain: ebalaskas.gr
      • Master NS (MNAME): ns14.ebalaskas.gr.
      • Mail (RNAME): ebalaskas.ebalaskas.gr. (the first dot stands for @, so ebalaskas@ebalaskas.gr)
      • Serial number: 2012052408
      • Refresh: 172800 (48h; how often a slave asks the master whether the zone has changed)
      • Retry: 3600 (1h; how long a slave waits before trying again after failing to contact the master)
      • Expire: 1209600 (2w; if the master stays unreachable this long, the slave stops serving the zone)
      • Minimum: 86400 (24h; historically the default TTL of the zone, since RFC 2308 the negative-caching TTL: how long a resolver may remember an NXDOMAIN or "no such record" answer)
  17. Serial number
      • A 32-bit unsigned integer
      • Must always be greater than the previous value (serial arithmetic, RFC 1982: the counter may wrap around 2^32)
      • Change the serial on every change to the zone
      • It is how the slave NS find out that a change has occurred (they compare serials)
      • Convention: the date as YYYYMMDD plus a two-digit change counter
      • e.g. 2013/06/20, change 01 -> 2013062001
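The two slides above describe the SOA fields and the serial convention. The block below is an added example (not part of the deck): it parses the `dig soa +short` line shown on slide 16, prints the timers in human units, compares serials the way a slave does under RFC 1982 (so the comparison survives a 32-bit wrap), and computes the next YYYYMMDDnn serial while never letting it go backwards. The only inputs are the SOA line from the slide and dates chosen for the demo.

```python
# Added example (not from the deck): SOA field parsing and serial arithmetic.
from datetime import date

SERIAL_MOD = 1 << 32          # serials are unsigned 32-bit (RFC 1035)
SERIAL_HALF = 1 << 31         # RFC 1982 comparison window


def parse_soa_short(text):
    """Parse the 'dig SOA <zone> +short' line into named fields.

    Input is the single line dig prints: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM.
    """
    parts = text.split()
    if len(parts) != 7:
        raise ValueError("expected 7 SOA fields, got %d" % len(parts))
    mname, rname = parts[0], parts[1]
    serial, refresh, retry, expire, minimum = (int(p) for p in parts[2:])
    # RNAME encodes the mailbox with the first dot standing for '@'
    mailbox = rname.rstrip(".").replace(".", "@", 1)
    return {
        "mname": mname, "rname": rname, "mailbox": mailbox,
        "serial": serial, "refresh": refresh, "retry": retry,
        "expire": expire, "minimum": minimum,
    }


def fmt_secs(seconds):
    """86400 -> '1d', 3600 -> '1h', 1209600 -> '2w' (display only)."""
    for unit, size in (("w", 604800), ("d", 86400), ("h", 3600), ("m", 60)):
        if seconds >= size and seconds % size == 0:
            return "%d%s" % (seconds // size, unit)
    return "%ds" % seconds


def serial_gt(a, b):
    """RFC 1982: is serial a 'greater than' b, allowing 32-bit wrap-around?

    A secondary only transfers the zone when the primary's serial is
    greater in this sense; a plain a > b breaks once the counter wraps.
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    if a == b:
        return False
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def next_serial(current, today):
    """Next serial using the YYYYMMDDnn convention from the slides.

    Starts at 01 on a new day and continues the counter on the same day.
    If the stored serial is already ahead of today (a typo in the year, or
    the 100th change of the day) it just adds one: a serial that goes
    backwards would make the slaves ignore the update.
    """
    base = int(today.strftime("%Y%m%d")) * 100
    if current < base:
        return base + 1
    return current + 1


if __name__ == "__main__":
    soa = parse_soa_short(
        "ns14.ebalaskas.gr. ebalaskas.ebalaskas.gr. 2012052408 172800 3600 1209600 86400"
    )
    for field in ("refresh", "retry", "expire", "minimum"):
        print(field, fmt_secs(soa[field]))
    print("next serial:", next_serial(soa["serial"], date(2013, 6, 20)))
```

A slave decides with `serial_gt(master_serial, own_serial)`; note that after a typo such as 2103062001 you cannot simply "fix" the serial downwards, which is why `next_serial` only ever increments.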
  18. NOTIFY
      • The master NS sends NOTIFY messages (UDP) to all slave NS (the NS records in the zone file)
      • Each slave compares its SOA serial with the master's SOA serial
      • If the master's serial is greater than the slave's, the slave pulls the zone (zone transfer, AXFR/IXFR)
  19. TTL (Time To Live)
      How many seconds a resolver (caching/recursive server) may:
      • remember a record
      • before it has to ask the authoritative NS for it again
      • an expired record is dropped from memory and fetched fresh on the next query
      • TTL is the reason we sometimes need to flush!
  20. DNS flushing
      A simple way to remove a specific entry or an entire zone from the memory/cache of a resolving name server. Useful when you don't want to wait until the TTL expires.
  21. TTL
      > dig CNAME www.otenet.gr +nocomments +noqr +nocmd +nostats +noauthority +noadditional
      www.otenet.gr.  86074  IN  CNAME  otenet.gr.
      > dig CNAME www.otenet.gr +nocomments +noqr +nocmd +nostats +noauthority +noadditional
      www.otenet.gr.  86072  IN  CNAME  otenet.gr.
      (both answers come from the resolver's cache: the TTL counts down between the two queries, it is not the value from the zone file)
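Slides 16 and 19 to 21 describe what a resolver cache does with TTLs: the remaining TTL counts down, expired entries are re-fetched, negative answers are kept for the SOA MINIMUM, and flushing drops entries early. The following block is an added example (not from the deck) that implements exactly that in a tiny cache; the clock is injectable, so the demo reproduces the 86074/86072 countdown from slide 21 without sleeping. The record names and TTLs are the ones from the slides, everything else is constructed.

```python
# Added example (not from the deck): a minimal resolver cache showing TTL countdown,
# negative caching from the SOA MINIMUM (RFC 2308), and flushing.
import time


def _key(name, rtype):
    """Names are case-insensitive; normalise to lower-case with a trailing dot."""
    name = name.lower()
    if not name.endswith("."):
        name += "."
    return name, rtype.upper()


class ResolverCache:
    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so tests can fake the passage of time
        self._entries = {}           # (name, type) -> (rdata list, absolute expiry)

    def put(self, name, rtype, rdata, ttl):
        """Store a positive answer; the TTL is the one the authoritative server sent."""
        self._entries[_key(name, rtype)] = (list(rdata), self._clock() + ttl)

    def put_negative(self, name, rtype, soa_minimum, soa_ttl):
        """Cache an NXDOMAIN/NODATA answer. The negative TTL is the smaller of the
        SOA MINIMUM field and the TTL of the SOA record itself (RFC 2308)."""
        ttl = min(soa_minimum, soa_ttl)
        self._entries[_key(name, rtype)] = ([], self._clock() + ttl)

    def get(self, name, rtype):
        """Return (rdata, remaining ttl) like a cached dig answer, or None on a miss.
        An empty rdata list is a cached negative answer."""
        key = _key(name, rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        rdata, expires = entry
        remaining = int(expires - self._clock())
        if remaining <= 0:
            del self._entries[key]    # expired: the next lookup goes back to the authority
            return None
        return rdata, remaining

    def flush(self, name=None):
        """Drop one name (all record types) or, with no argument, the whole cache."""
        if name is None:
            self._entries.clear()
            return
        target = _key(name, "ANY")[0]
        for key in [k for k in self._entries if k[0] == target]:
            del self._entries[key]


class FakeClock:
    """Constructed clock for the demo: call advance() instead of sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Reproduce slide 21: the same CNAME queried twice shows 86074, then 86072."""
    clock = FakeClock()
    cache = ResolverCache(clock)
    cache.put("www.otenet.gr", "CNAME", ["otenet.gr."], 86400)   # zone TTL: 1 day
    clock.advance(326)
    first = cache.get("WWW.otenet.gr.", "cname")[1]
    clock.advance(2)
    second = cache.get("www.otenet.gr.", "CNAME")[1]
    cache.flush("www.otenet.gr.")                                # what "dns flushing" does
    after_flush = cache.get("www.otenet.gr.", "CNAME")
    return first, second, after_flush


if __name__ == "__main__":
    print(demo())
```

The negative-cache path is the one that bites after a zone change: a name that did not exist when someone first tried it stays NXDOMAIN in the resolver for up to SOA MINIMUM seconds, no matter how low the new record's TTL is.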
  22. ORIGIN
      • The origin is the domain the zone file describes.
      • @ is the character that stands for the origin.
      • The origin (zone apex) can NOT be a CNAME: it already carries the SOA and NS records, so its address must be an A record. Only names below it, such as www, may be CNAMEs.
      e.g. yellowpagesbusiness.gr
      @    IN  A      195.170.6.20
      www  IN  CNAME  xo.gr.
  23. MX
      > dig MX gmail.com +short
      5  gmail-smtp-in.l.google.com.
      10 alt1.gmail-smtp-in.l.google.com.
      20 alt2.gmail-smtp-in.l.google.com.
      30 alt3.gmail-smtp-in.l.google.com.
      40 alt4.gmail-smtp-in.l.google.com.
      MX defines the mail servers that receive email for a domain/email address; the lowest preference value is tried first.
  24. A, CNAME
      • hostname IN A 1.2.3.4, e.g.
        ebalaskas.gr IN A 158.255.214.14
      • hostname IN CNAME fqdn, e.g.
        www IN CNAME ebalaskas.gr.
      • An FQDN must always end with a dot (.); without it the name is relative to the zone origin (www IN CNAME ebalaskas.gr would point at www.ebalaskas.gr.ebalaskas.gr.)
  25. Round-robin DNS
      An example of DNS round robin (a poor man's load balancing):
      e.g. example.com
      www  IN  A  1.2.3.4   (sometimes here!)
      www  IN  A  2.3.4.5   (sometimes there!)
  26. CDN: web hosting
      • e.g. web hosting on Akamai or CloudFlare
      • They answer with a different IP for www depending on where the query comes from (the cheapest network route), which looks like geolocation!!!
      • The customer's zone has no A record for www, only a CNAME into the CDN; the CDN serves the A records itself
      • CDN stands for content delivery network
  27. Check a domain, e.g. CDN web hosting: www.plaisio.gr
      GREECE
      > dig www.plaisio.gr +short
      plaisio.gr.edgesuite.net.
      a944.g.akamai.net.
      212.205.126.41
      212.205.126.34
      GERMANY
      > dig www.plaisio.gr +short
      plaisio.gr.edgesuite.net.
      a944.g.akamai.net.
      87.245.215.73
      87.245.215.23
  28. TXT
      • TXT RRs are simply text fields.
      • Max length: each quoted string holds at most 255 bytes; longer values are written as several quoted strings (the record's data as a whole may not exceed 65535 bytes).
      • Syntax: hostname TTL IN TXT "TEXT TEXT TEXT"
      • So the customers must send us the text inside double quotes (please, no fax)
  29. TXT
      • A TXT value may consist of several quoted strings, which readers concatenate; parentheses let the record span more than one line in the zone file:
        joe IN TXT ("Located in a black hole" " somewhere over the rainbow")
      • Be careful when using custom parsers (they must cope with multiple strings, escaped quotes and parentheses)
  30. Some examples:
      DZC  IN  TXT  "eoMi3Yk"
      @  3600  IN  TXT  "MS=ms70870252"
      @  IN  TXT  "v=spf1 a mx ip4:195.170.6.0/24 -all"
      turbo-smtp._domainkey  IN  TXT  "k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDT3MWLni6so1q9eQggRYBCLHFjohZkCnYHH8gZNDBm6zRrodRVpWpJQW7x3cWWiuBhS1X0IfBB80l5tqFa+yc+mVgnk8tkUzOHFbPQPp4fi7egTpMtsQW/ZMrxw73SItNvPr72qvJTYZNPxarMx+ULjEWybcfEdXHPY8jslGcpCwIDAQAB"
  31. SPF
      • Sender Policy Framework
      • Published as a TXT record at the domain apex; checked by most large mail providers
      • Defines the mail servers that are allowed to send email on behalf of the domain
      • The DNS check is done by the receiving mail server, against the domain of the envelope sender (see the last page for a reference)
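Slides 28 to 31 cover TXT records (the 255-byte string limit, multiple quoted strings, SPF). The block below is an added example, not code from the deck: it encodes and decodes TXT RDATA so the 255-byte split is visible on the wire, renders a zone-file line with the split applied, and evaluates the `v=spf1 a mx ip4:195.170.6.0/24 -all` record from slide 30 for a sender address. Since it runs offline, the `a`/`mx` mechanisms take a constructed `lookup` dictionary in place of real DNS, and `include`/`exists`/`ptr` (which need recursive lookups) are skipped; those are the assumptions of the example.

```python
# Added example (not from the deck): TXT wire encoding (255-byte character-strings)
# and a small SPF evaluator for the ip4/ip6/a/mx/all mechanisms.
import ipaddress
import re

MAX_CHARACTER_STRING = 255   # one length byte, so a single TXT string holds at most 255 octets
MAX_RDATA = 65535


def txt_rdata(text):
    """Encode text as TXT RDATA: a run of <len><bytes> strings, each <= 255 octets."""
    data = text.encode("utf-8")
    out = bytearray()
    for i in range(0, len(data), MAX_CHARACTER_STRING):
        chunk = data[i:i + MAX_CHARACTER_STRING]
        out.append(len(chunk))
        out += chunk
    if len(out) > MAX_RDATA:
        raise ValueError("TXT RDATA exceeds 65535 octets")
    return bytes(out)


def txt_strings(rdata):
    """Split TXT RDATA back into its character-strings (as bytes)."""
    strings, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        chunk = rdata[i + 1:i + 1 + n]
        if len(chunk) != n:
            raise ValueError("truncated character-string at offset %d" % i)
        strings.append(bytes(chunk))
        i += 1 + n
    return strings


def txt_text(rdata):
    """What an SPF/DKIM verifier sees: the strings joined with no separator (RFC 7208 3.3)."""
    return b"".join(txt_strings(rdata)).decode("utf-8")


def zone_presentation(owner, text, ttl=None):
    """Render a zone-file line; values over 255 bytes become several quoted strings.
    ASCII only here: non-ASCII bytes would need \\DDD escapes in a real zone file."""
    parts = ['"%s"' % s.decode("ascii").replace('"', '\\"') for s in txt_strings(txt_rdata(text))]
    ttl_field = "%d " % ttl if ttl is not None else ""
    if len(parts) == 1:
        return "%s %sIN TXT %s" % (owner, ttl_field, parts[0])
    return "%s %sIN TXT ( %s )" % (owner, ttl_field, " ".join(parts))


SPF_TERM = re.compile(r"^([+\-~?]?)(all|a|mx|ip4|ip6|include|exists|ptr)([:/].*)?$", re.I)
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) triples.
    Modifiers such as redirect= and exp= come back with qualifier 'modifier'."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in fields[1:]:
        m = SPF_TERM.match(term)
        if m:
            qual, mech, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
            terms.append((qual, mech, arg[1:] if arg and arg[0] == ":" else arg))
        elif "=" in term:
            name, _, value = term.partition("=")
            terms.append(("modifier", name.lower(), value))
        else:
            raise ValueError("unknown SPF term %r" % term)
    return terms


def spf_check(record, sender_ip, lookup=None):
    """Evaluate the record for sender_ip, first matching mechanism wins.
    `lookup` is a constructed stand-in for DNS: {'a': [addresses of the domain],
    'mx': [addresses of its MX hosts]}. include/exists/ptr are skipped here."""
    ip = ipaddress.ip_address(sender_ip)
    lookup = lookup or {}
    for qual, mech, arg in parse_spf(record):
        if qual == "modifier":
            continue
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # a v4 address is never inside a v6 network and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx"):
            matched = ip in {ipaddress.ip_address(h) for h in lookup.get(mech, [])}
        else:
            continue
        if matched:
            return RESULT[qual]
    return "neutral"   # nothing matched and no 'all' term: RFC 7208 default


DECK_SPF = "v=spf1 a mx ip4:195.170.6.0/24 -all"   # the record from slide 30

if __name__ == "__main__":
    print(zone_presentation("@", DECK_SPF))
    print(spf_check(DECK_SPF, "195.170.6.20"), spf_check(DECK_SPF, "8.8.8.8"))
```

The wire-level functions are what matters when a DKIM key like the one on slide 30 grows past 255 characters (2048-bit keys do): the value has to be split into several quoted strings, and a verifier must join them before parsing `p=`.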
  32. DKIM
      • The TXT record (selector._domainkey.domain) holds the public key of the *sending* domain.
      • The sending mail server signs outgoing messages with the matching private key; the receiving server fetches the public key from DNS and verifies the signature. It authenticates the message, it does not encrypt the connection between the two servers.
      • We can't convert a customer request from FAX. Please ask the customer for a text file. Pretty please!
  33. SRV
      • Service Resource Record
      • Defines a service for a domain and the server(s) that provide it
      • Syntax: _service._protocol TTL IN SRV priority weight port target
        (lower priority is tried first; weight spreads load among targets of equal priority; the target must be a hostname with an A/AAAA record, not a CNAME)
      • Mostly used for XMPP and SIP (VoIP); also for web, mail (e.g. Autodiscover), NTP, etc. (see the last page for a reference)
  34. Some examples:
      _http._tcp          IN  SRV  10  5  80    www.tickethour.gr.
      _autodiscover._tcp  IN  SRV  10  0  443   mail.yellowpages.gr.
      _ntp._udp           IN  SRV  10  0  123   creta.logifer.gr.
      _xmpp-server._tcp   IN  SRV  5   0  5269  xmpp-server.l.google.com.
      _sip._tcp           IN  SRV  10  0  5061  sip.logifer.gr.
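Slides 33 and 34 give the SRV syntax and some records, but not what a client does with priority and weight. The block below is an added example (not from the deck) that parses lines in the slide's zone-file form and orders the targets as RFC 2782 prescribes: ascending priority, and within one priority a weighted random choice. The random source is injectable so the ordering can be checked deterministically; the sample records other than those copied from slide 34 are constructed.

```python
# Added example (not from the deck): parsing SRV lines and ordering targets the way
# a client should (RFC 2782): lowest priority first, weighted random within a priority.
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")


def srv_owner(service, proto, domain):
    """Build the name a client queries, e.g. _sip._tcp.logifer.gr."""
    if not domain.endswith("."):
        domain += "."
    return "_%s._%s.%s" % (service, proto, domain)


def parse_srv(line):
    """Parse a zone-file SRV line: owner [ttl] [class] SRV priority weight port target."""
    fields = line.split()
    try:
        i = fields.index("SRV")
    except ValueError:
        raise ValueError("no SRV type field in %r" % line)
    if len(fields) != i + 5:
        raise ValueError("expected 'priority weight port target' after SRV")
    priority, weight, port = (int(f) for f in fields[i + 1:i + 4])
    target = fields[i + 4]
    if not target.endswith("."):
        raise ValueError("target must be a fully qualified name with a trailing dot")
    return fields[0], SRV(priority, weight, port, target)


def order_targets(records, rng=random.random):
    """Return records in the order a client should try them.

    Priorities are visited ascending. Within one priority each record is picked
    with probability proportional to its weight; a weight-0 record is therefore
    only chosen once every weighted record of that priority has been used.
    rng() must return a float in [0, 1); it is injectable for deterministic tests.
    """
    ordered = []
    for priority in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == priority]
        while group:
            total = sum(r.weight for r in group)
            pick = group[0]                      # all weights 0: no preference
            if total > 0:
                threshold = rng() * total
                running = 0
                for r in group:
                    running += r.weight
                    if threshold < running:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


# Constructed sample set: two weighted SIP servers plus a backup at a worse priority
# and a primary at priority 0.
SAMPLE = [
    SRV(10, 60, 5060, "a.example."),
    SRV(10, 40, 5060, "b.example."),
    SRV(20, 0, 5060, "c.example."),
    SRV(0, 0, 5060, "d.example."),
]

if __name__ == "__main__":
    print(srv_owner("sip", "tcp", "logifer.gr"))
    print(parse_srv("_sip._tcp IN SRV 10 0 5061 sip.logifer.gr."))
    print([r.target for r in order_targets(SAMPLE)])
```

Clients that ignore weight (or sort by port, which happens) defeat the operator's intent; when debugging "all my XMPP traffic hits one server", compare the order a client actually tries against `order_targets`.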
  35. PTR
      • dig +trace -x 185.4.135.249
      • The in-addr.arpa. zone is served by:
        A.IN-ADDR-SERVERS.ARPA  (operated by ARIN)
        B.IN-ADDR-SERVERS.ARPA  (operated by ICANN)
        C.IN-ADDR-SERVERS.ARPA  (operated by AfriNIC)
        D.IN-ADDR-SERVERS.ARPA  (operated by LACNIC)
        E.IN-ADDR-SERVERS.ARPA  (operated by APNIC)
        F.IN-ADDR-SERVERS.ARPA  (operated by RIPE NCC)
  36. Reverse zone
      > dig 135.4.185.in-addr.arpa. +trace
      135.4.185.in-addr.arpa.  172800  IN  NS  dns2.papaki.gr.
      135.4.185.in-addr.arpa.  172800  IN  NS  dns1.papaki.gr.
      https://apps.db.ripe.net/search/query.html?searchtext=135.4.185.in-addr.arpa
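Slides 35 and 36 show `dig -x` and the 135.4.185.in-addr.arpa. zone. The block below is an added example (not from the deck) that derives those names: the PTR owner name for an IPv4 or IPv6 address, the reverse zone delegated for a prefix, and the `$ORIGIN`-relative PTR lines for a zone. It refuses the cases that need something else (non-octet-aligned IPv4 prefixes, which are handled with the RFC 2317 CNAME trick, and non-nibble-aligned IPv6 prefixes). The hostnames in the sample dictionary are constructed, apart from hackerspace.gr. at 185.4.135.249, which slide 5 gives.

```python
# Added example (not from the deck): building reverse names and reverse-zone records.
import ipaddress


def reverse_name(ip):
    """Owner name of the PTR record for an address (what 'dig -x' queries)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone(prefix):
    """Name of the reverse zone delegated for a prefix, e.g. 185.4.135.0/24 ->
    135.4.185.in-addr.arpa. IPv4 needs octet-aligned prefixes (/8, /16, /24);
    IPv6 needs nibble-aligned ones (multiples of 4)."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("classless IPv4 reverse delegation (RFC 2317) not handled here")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are delegated on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_records(prefix, hosts):
    """Zone-file lines for the reverse zone of `prefix`, relative to its $ORIGIN.
    `hosts` maps address -> canonical hostname (with trailing dot)."""
    net = ipaddress.ip_network(prefix, strict=False)
    zone = reverse_zone(prefix)
    lines = []
    for addr, hostname in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            raise ValueError("%s is outside %s" % (addr, net))
        if not hostname.endswith("."):
            raise ValueError("PTR target %r must be fully qualified" % hostname)
        full = reverse_name(addr)
        relative = full[: -len(zone) - 1]   # strip ".<zone>" to get the $ORIGIN-relative owner
        lines.append("%s IN PTR %s" % (relative, hostname))
    return lines


# Constructed sample for the /24 from slide 36 (only the .249 entry comes from the deck).
SAMPLE_HOSTS = {
    "185.4.135.249": "hackerspace.gr.",
    "185.4.135.1": "gw.example.",
}

if __name__ == "__main__":
    print(reverse_name("185.4.135.249"))
    print(reverse_zone("185.4.135.0/24"))
    print("\n".join(ptr_records("185.4.135.0/24", SAMPLE_HOSTS)))
```

A practical check that this helps with: a PTR is only trusted by mail servers if the forward name it points to resolves back to the same address, so `ptr_records` insists on a fully qualified target rather than a relative name that would silently become something.in-addr.arpa.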
  37. Subdomains
      • www.cs.teiath.gr.
      • Reading 1: HOST www.cs, DOMAIN teiath.gr (not a subdomain)
      • Reading 2: HOST www, DOMAIN cs.teiath.gr (a subdomain; let's check it)
      • > dig A www.cs.teiath.gr +short
        195.130.109.88
      • > dig NS cs.teiath.gr +short
        athena.teiath.gr.
        hermes.teiath.gr.
      • cs.teiath.gr has its own NS records, so it is a delegated subdomain
  38. DNS ports
      • UDP port 53 (connectionless)
      • TCP port 53 (connection-oriented)
      • Queries go over UDP by default; when an answer does not fit in 512 bytes the server sets the TC (truncated) bit and the client repeats the query over TCP. (With EDNS0 a client can advertise a larger UDP buffer, so the limit is often higher in practice.)
  39. Zone transfer
      • Transfers the zone from the authoritative (master) name server to the slave name servers (AXFR: the whole zone; IXFR: only the changes), always over TCP.
      • That is what makes DNS a distributed service.
      • Authoritative name servers MUST open their firewall for both UDP and TCP on port 53.
      • Restrict transfers to the slaves' addresses (e.g. allow-transfer in BIND): an open AXFR hands the entire zone, every hostname in it, to anyone who asks.
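Slides 38 and 39 state the UDP/TCP rule and that zone transfers ride on TCP. The block below is an added example (not from the deck) of what that looks like on the wire: it builds a real DNS query, parses the header flags, and talks to a constructed in-process "server" that answers an A query with 40 records (640 bytes of answer), so the UDP reply comes back with TC set and the client retries over TCP with the 2-byte length prefix. The same fake server refuses AXFR over UDP, which is the behaviour to expect from a correctly configured authority. The server, the 10.0.0.x addresses and the query ID are all constructed for the demo.

```python
# Added example (not from the deck): DNS wire format at the level the slides discuss:
# a query over UDP, the TC bit when the answer exceeds 512 bytes, the retry over TCP
# with its 2-byte length prefix, and AXFR being TCP-only. The server is constructed.
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28, "SRV": 33, "AXFR": 252}
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
RCODE_REFUSED = 5
UDP_MAX = 512                 # classic limit without EDNS0 (RFC 1035)


def encode_name(name):
    """hackerspace.gr. -> b'\\x0bhackerspace\\x02gr\\x00' (labels are at most 63 octets)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            if len(label) > 63:
                raise ValueError("label too long: %r" % label)
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def header(qid, flags, qd=0, an=0, ns=0, ar=0):
    return struct.pack("!HHHHHH", qid, flags, qd, an, ns, ar)


def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an}


def build_query(name, qtype, qid=0x1234):
    """Standard recursion-desired query with one question, class IN."""
    return header(qid, FLAG_RD, qd=1) + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def tcp_frame(msg):
    """Over TCP every DNS message is preceded by its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data):
    (n,) = struct.unpack("!H", data[:2])
    return data[2:2 + n]


def a_record(ttl, ipv4):
    """Answer RR using a compression pointer (0xC00C) back to the question name."""
    rdata = bytes(int(o) for o in ipv4.split("."))
    return b"\xc0\x0c" + struct.pack("!HHIH", QTYPE["A"], 1, ttl, len(rdata)) + rdata


def fake_server(wire, transport):
    """Constructed authoritative server: every A/AXFR question gets 40 A records (640 bytes),
    so the UDP reply does not fit in 512 bytes and comes back truncated."""
    if transport == "tcp":
        wire = tcp_unframe(wire)
    req = parse_header(wire)
    question = wire[12:]
    (qtype,) = struct.unpack("!H", question[-4:-2])
    if qtype == QTYPE["AXFR"] and transport == "udp":
        return header(req["id"], FLAG_QR | FLAG_RD | RCODE_REFUSED, qd=1) + question
    answers = b"".join(a_record(300, "10.0.0.%d" % i) for i in range(1, 41))
    full = header(req["id"], FLAG_QR | FLAG_RD | FLAG_RA, qd=1, an=40) + question + answers
    if transport == "tcp":
        return tcp_frame(full)
    if len(full) > UDP_MAX:
        return header(req["id"], FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC, qd=1) + question
    return full


def lookup(name, qtype, send=fake_server):
    """Client side: UDP first; if the reply has TC set, repeat the same query over TCP.
    Returns (transport used, answer count, reply size in bytes)."""
    query = build_query(name, qtype)
    reply = send(query, "udp")
    transport = "udp"
    if parse_header(reply)["id"] != parse_header(query)["id"]:
        raise ValueError("reply ID does not match the query (stale or spoofed reply)")
    if parse_header(reply)["tc"]:
        reply = tcp_unframe(send(tcp_frame(query), "tcp"))
        transport = "tcp"
    return transport, parse_header(reply)["ancount"], len(reply)


def axfr(zone, send=fake_server):
    """Zone transfers go straight over TCP; the fake server refuses them over UDP."""
    query = build_query(zone, "AXFR")
    reply = tcp_unframe(send(tcp_frame(query), "tcp"))
    return parse_header(reply)["ancount"]


if __name__ == "__main__":
    print(lookup("hackerspace.gr.", "A"))
    print("AXFR over UDP rcode:", parse_header(fake_server(build_query("hackerspace.gr.", "AXFR"), "udp"))["rcode"])
    print("AXFR over TCP records:", axfr("hackerspace.gr."))
```

Two things the firewall rule on slide 39 implies follow directly from this: blocking TCP/53 "because DNS is UDP" breaks every answer large enough to be truncated (big TXT sets, DNSSEC) as well as every zone transfer, and a real server additionally checks the source address of an AXFR before answering, which the fake one does not.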
  40. Useful links
      • http://www.zytrax.com/books/dns/
      • http://www.internic.net/domain/named.root
      • http://www.iana.org/domains/root/db
      • http://www.kloth.net/services/dig.php
      • http://www.iana.org/
      • http://www.ripe.net/
      • http://www.openspf.org/
      • http://www.gr-ix.gr/services/statistics/
