SlideShare ist ein Scribd-Unternehmen logo

Dns

julien pauli
julien pauli

DNS

Internet
1 von 68
Introduction to DNS Naming network items
Hi  Julien PAULI  Programming in PHP since early 2000s  PHP Internals hacker and trainer  PHP 5.5/5.6 Release Manager  Working at SensioLabs in Paris - Blackfire  Writing PHP tech articles and books  http://phpinternalsbook.com  http://blog.jpauli.tech  @julienpauli - github.com/jpauli - jpauli@php.net  Like working on OSS such as PHP :-)
TOC  History of Internet and networks  The need to name things  The need to create a synchronized decentralized system  Domain Name Server  A hierarchical system  Names and zones  Practicing DNS with BIND  Zones creations and delegation  Zones master and slave propagation
State Of The Art  Each machine on a network is assigned an IP address  IPV4 : 32 bits  IPV6 : 128 bits  Computers are fast at treating numbers  Human brains are crap at treating and memorizing numbers  But human brains are good at memorizing names (letters)  There is a need of a global system which goal would be association of human-memorizable mnemonics (names) and computer assigned address numbers
Usage of a centralized file  In 1970, ARPANET only handles hundreds of hosts  ARPANET == Internet ancestor  Among those, one machine were hosting a file : HOSTS.TXT , associating every network machine names with their addresses  HOSTS.TXT were then copied/synchronized in each local machine's /etc/hosts file, which is used as the local UNIX hosts db  When HOSTS.TXT were modified, admins sent emails to each machine to have their user download the new HOSTS.TXT and update their own /etc/hosts
Problems showing  ARPANET grows, more and more hosts  Having one single HOSTS.TXT file to both update and transfer to everyone starts to be a pain.  That becomes unmaintainable  ARPANET searches for a system to replace HOSTS.TXT drawbacks  In 1984, the DNS first RFC were written
DNS  A distributed name database  Name servers contain a segment of the whole name database  Clients, called resolvers, can query servers  Some caches are setup to improve overall performances
DNS Structure  DNS has been structured like UNIX Filesystem  A reversed tree where root node is on top root node domain subdomain
A domain name  A domain name is the equivalent of an absolute path  But it is read in the reverse way  And it uses a dot as a separator and not a slash Reading the FS Reading the DNS
DNS decentralization  Each subdomain may be managed by a different entity, this is called a delegation ICANN NSI BSD University Local FS Remote NFS
DNS overview  This system solves the HOSTS.TXT problems  No more duplicate entry  Each domain name is unique  And can be administrated by a unique entity  Each zone can contain  Host names  Sub domains  The system is  distributed  redundant  delegated (no centralization)
DNS tree  The namespace may reach 127 deepness levels  Each tree name can be up to 63 chars  Separator is dot " . "  Root node has the null name ""
DNS structure  A domain is simply a subtree of the namespace  Each subtree node is owned by its parent  Hence, pa.ca.us is child of ca.us and of us us domain pa.ca.us node ca.us domain Top Level Domain Level one domain Level two domain Root
Zone and domain  A zone contains records and delegation informations about a name  A domain contains the merge of all its zones informations
Zone delegation  Zone delegation allows a domain administrator to delegate any information about a zone to someone else  Each zone can be seen as an AS
DNS ? Competitors ?  If you connect to Internet  DNS is a must-have  If you got your own internet network, based on TCP/IP (network of networks)  DNS can be used  If you got your own local network  DNS is an option  Competitors exists, like WINS or NIS  If you need distributed management and face consistency issues, DNS could be your solution
Resource Records (RR)  RR are DNS data (what is stored is called a "resource record")  Divided in classes : we'll use the TCP/IP Internet class mainly (IN)  Classes are divided by types  https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml  Most commonly used types are :  A : an IPV4 Address  AAAA : an IPV6 address  NS : A name server  SOA : A Start Of Authority  PTR : A reverse-DNS entry  MX : A mail server entry  TXT : Some textual information  Location : Geo Data  SRV : Service discovery (http, ftp, ldap ... offered by a domain)
Resource Records (RR)  Nowadays, there exists many RR  Postcodes can be stored in DNS ;-)  User/pass can be stored in DNS (ldap alternative)  DNS is a database, it is possible to add new "fields" , infinitely  DNS is expansible, and is updated to follow the overall Internet mutations through time  Big companies may hide opportunities in DNS entries ;-)
DNS clients and servers  Clients are called resolvers  Servers  May be authoritative on a zone  May be non-authoritative on a zone  May also be themselves clients  Authoritative servers must be at least two per zone  We usually call both the "master" and the "slave", but they both are authoritative on a zone  The "master" can update the zone infos, whereas the slaves can only copy it from the master (or another slave) and can't edit it.
Resolving names  A resolver is silly, and needs a server  A server can resolve a name  Resolving a name, is searching for an answer  "What is the IPV4 of foo.bar ?"  "foo.bar is at 10.5.49.6"  Each server is only authoritative for the zone its been setup for  Each server only knows a small piece of names from the whole namespace
Root servers  Root servers know every server of the upper level  spreaded worldwide  critical hardware for the overall Internet life  AnyCast routed
Resolving from root servers  Root servers know every server of the upper level  Every upper server  knows the answer if no delegation is performed  (The answer can be an error, like "no such domain")  OR  knows the upper server of the upper name if the zone is delegated  So a server whether  Knows your answer  OR  Knows who can know it  ...this, recursively
DNS resolution example  let's resolve foo.bar.baz.com
Here is the DNS local server foo.bar.baz.com ?? foo.bar.baz ?? foo.bar ?? com zone server infos baz zone server infos foo.bar.baz.com?? Root server com server bar zone server infos foo ?? foo is at 1.2.3.4 baz server bar server 1 2 4 3 foo bar baz com . . . . 1.2.3.4
Resolving a name  A recursive server will attempt to find the answer on its own. It follows server informations until it finds  A non-recursive server only gives answer to its zone information, and does not try to resolve anything by contacting anyone else
Recursive VS Iterative queries local server foo.bar.baz.com ?? foo.bar.baz ?? foo.bar ?? com zone server infos baz zone server infos foo.bar.baz.com?? Root server com server bar zone server infos foo ?? foo is at 1.2.3.4 baz server bar server foo bar baz com . . . . 1.2.3.4 IterativeRecursive
Resolver - server - recursion  A resolver always issues recursive queries, it has zero intelligence  A server usually issues non-recursive, aka iterative queries.  Iterative answers give a new server name  Recursive queries involve more work on the server DNS Server DNS Server DNS Server DNS Server Iterative Recursive Company A
Recursion in DNS  If a server receives a recursive query , it must answer it fully  If it does not have authority on the zone, it must then ask another server. If needed, it will ask from the root server  If a server receives a recursive query, it politely will issue iterative queries on its side, until forwarding DNS Server DNS Server DNS Server DNS Server Iterative Recursive Company A
DNS resolution DNS Server DNS Server DNS Server DNS Server Iterative Recursive Company A
DNS forward DNS Server DNS Server DNS Server DNS Server Iterative Recursive Company A DNS Server forwarding
Practice
Let's practice it :-)  A registrar is a company that interface with a registry  A registry is the one company that takes care of one TLD  Common TLD : com, net, org, fr, us, uk .. .. ...  Registry is the big-seller  Registrar is the detail-reseller  Registrar takes customers domain booking, and records them to the registry  It records the delegation servers for the new zone, there should be two of them
Find a registrar, and register  ghandi, ovh , godaddy, etc...  Buy your domain : foo.bar.  Here, the registrar will register (haha), your nameservers for the foo.bar. zone, against the TLD registry for .bar.  This registration can take time, but it is usually fast .bar zone.bar registry registrar Ans1 ns2 registrar B registrar C ns1/ns2 ns1/ns2 ns1/ns2
Domain Registration == delegation  TLD only delegates, TLD never registers hosts  You delegate foo into the bar. zone  That is you declare your servers (2 minimum) to the bar. zone  Each future resolution in bar., about foo.bar., will answer your servers : .bar. delegates to you foo.bar. management  Now you can register names : aka "baz.foo.bar."  Or you can delegate full zones, like *.wow.foo.bar." .bar zone.bar registry registrar Ans1 ns2 registrar B registrar C ns1/ns2ns1/ns2ns1/ns2
Done ! .bar zone.bar registry registrar Ans1 ns2 registrar B registrar C wow.foo.bar ? DNS server .bar zone wow.foo.bar ? ns1.foo.bar is here ns1 ns2 wow.foo.bar ? 10.5.88.3 .foo.bar zone 10.5.88.3
Tools and practice
DNS Tools  BIND is the defacto DNS server under Unix  https://www.isc.org  DIG is the defacto DNS debugger under Unix  nslookup is old, and nowadays unmaintained, use dig  libc is the defacto DNS resolver under Unix  <resolv.h> and the well known gethostbyname()/getaddrinfo()  It makes use of the /etc/resolv.conf file to find DNS servers to query  https://www.zonemaster.net - http://dnsviz.net  DNS brute force tools : dnsrecon / subbrute  DNS helpers : dnstop / dnswalk
A real example
A real example  I'm linked at home with other peers through private VPN  jp : me  uf : Ulysse  Instead of learning each other network's IP addresses, we managed to setup 2 delegations  jp.vpn : delegated to jp, slave uf  uf.vpn : delegated to uf , salves jp  The TLD .vpn is publicly unused (but the contrary wouldn't hurt much)
Setup uf jp Internet VPN
jp Internet VPN VPN srv.jp.vpn JP
JP example  I need a recursive server  Because I want to use it as my DNS server, for my home network  I need to have it safe from the Internet  I need to be authoritative on jp.vpn. , this is my zone  I thus need to declare a zone file in BIND  I need to sync, as a slave, zones from uf.vpn.  I will then be able to access my peers machines by resolving their names localy  I also need to allow transfer of my jp.vpn. zone to my peer, so that he will be able to query my hosts localy and serve as replicates
Put some BIND config options { directory "/var/cache/bind"; version "Guess"; recursion yes; allow-transfer { none; }; dnssec-validation auto; allow-query { "private"; }; notify yes; auth-nxdomain no; # conform to RFC1035 listen-on { any; }; }; zone "jp.vpn" { type master; allow-transfer { "private"; }; allow-query { "private"; }; file "/etc/bind/zones/db.vpn"; forwarders {}; }; zone "." { type hint; file "/etc/bind/db.root"; };
db.jp.vpn configuration $TTL 604800 $ORIGIN jp.vpn. @ IN SOA srv admin.srv ( 3 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL ; @ IN NS srv srv IN A 192.168.0.1 gaming IN A 192.168.0.4 nas IN A 192.168.0.2 mkt IN A 192.168.0.254 obs IN CNAME srv stat IN CNAME srv nd IN CNAME srv
BIND documentation ?  Every information about BIND and the DNS is here : http://www.zytrax.com/books/dns/
Zone configuration detailed  $TTL gives the default TTL of any entry that does not overwrite it (common use-case)  $ORIGIN is the delegated zone. Every '@' refers to it , every name not ended by a point "." will refer to $ORIGIN  A fully qualified name must end with a point  This is a pretty common mistake done in bind configuration $TTL 604800 $ORIGIN jp.vpn.
Zone configuration detailed  owner-name ttl class rr name-server email $TTL 604800 $ORIGIN jp.vpn. @ IN SOA srv admin.srv (
Zone configuration detailed  "jp.vpn. with TTL 604800 of class INternet has an SOA (Start Of Authority) delegated by srv.jp.ovpn. and managed by admin@srv.jp.vpn."  In email address of zone contact, '@' is replaced by a dot  That's the way of doing things !  A SOA resource record is mandatory ! You declare yourself as being authoritative on a dedicated zone $TTL 604800 $ORIGIN jp.vpn. @ IN SOA srv admin.srv (
Zone configuration detailed  It's serial number is 3 (used for slave sync)  slaves should try to refresh the zone every 604800s  If slaves fail to contact master, they should retry after 86400s  The zone expires after 2419200s , slaves should stop responding after this time if they did not refresh from master  If a negative answer is given its cache is 604800s $TTL 604800 $ORIGIN jp.vpn. @ IN SOA srv admin.srv (3 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL
Zone configuration detailed  @ replaces the $ORIGIN  jp.vpn. is managed by the srv.jp.vpn. name server  srv.jp.vpn. is at 192.168.0.1  obs.jp.vpn. is an alias of srv.jp.vpn. and will have IP 192.168.0. ... ... @ IN NS srv srv IN A 192.168.0.1 obs IN CNAME srv
Slave zones zone "uf.vpn" { type slave; allow-query { "private"; }; masters { 10.1.2.1; }; forwarders {}; };
Let's dig it dig foo.jp.vpn @192.168.0.1 ; <<>> DiG 9.10.3-P4-Ubuntu <<>> foo.jp.vpn @192.168.0.1 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64753 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;foo.jp.vpn. IN A ;; AUTHORITY SECTION: jp.vpn. 604800 IN SOA srv.jp.vpn. admin.srv.jp.vpn. 3 604800 86400 2419200 604800 ;; Query time: 11 msec ;; SERVER: 192.168.0.1#53(192.168.0.1) ;; WHEN: Thu Oct 05 16:38:12 CEST 2017 ;; MSG SIZE rcvd: 86
DIG flags and answer details  qr : always here, means "answer"  aa : authoritative answer  rd : recursivity demanded  ra : recursive answer  status : NXDOMAIN == "no such domain" == "foo.jp.vpn doesn't exist" dig foo.jp.vpn @192.168.0.1 ; <<>> DiG 9.10.3-P4-Ubuntu <<>> foo.jp.vpn @192.168.0.1 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64753 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
Authoritative ? dig foo.jp.vpn @192.168.0.1 ; <<>> DiG 9.10.3-P4-Ubuntu <<>> foo.jp.vpn @192.168.0.1 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64753 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 dig dl.free.fr @192.168.0.1 ; <<>> DiG 9.10.3-P4-Ubuntu <<>> dl.free.fr @192.168.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32392 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 3
Recursive ?  By asking an iterative query on a non-authority server, this one will NOT recursively resolve.  It will answer what it can : the next NS found dig dl.free.fr @192.168.0.1 +norecurse ; <<>> DiG 9.10.3-P4-Ubuntu <<>> dl.free.fr @192.168.0.1 +norecurse ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24422 ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3 ;; AUTHORITY SECTION: free.fr. 85526 IN NS freens2-g20.free.fr. free.fr. 85526 IN NS freens1-g20.free.fr.
Recursive ?  Now recursive : we got our answer dig dl.free.fr @192.168.0.1 ; <<>> DiG 9.10.3-P4-Ubuntu <<>> dl.free.fr @192.168.0.1 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24422 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3 ;; AUTHORITY SECTION: free.fr. 85526 IN NS freens2-g20.free.fr. free.fr. 85526 IN NS freens1-g20.free.fr. ;; ANSWER SECTION: dl.free.fr. 85763 IN A 212.27.63.45 dl.free.fr. 85763 IN A 212.27.63.32
Let's ask for a trace  Let's trace all the resolution process dig dl.free.fr @192.168.0.1 +trace . 261197 IN NS g.root-servers.net. . 261197 IN NS e.root-servers.net. ;; Received 525 bytes from 192.168.0.1#53(192.168.0.1) in 40 ms fr. 172800 IN NS e.ext.nic.fr. fr. 172800 IN NS d.nic.fr. ;; Received 730 bytes from 192.112.36.4#53(g.root-servers.net) in 36 ms free.fr. 172800 IN NS freens2-g20.free.fr. free.fr. 172800 IN NS freens1-g20.free.fr. ;; Received 614 bytes from 192.5.4.2#53(d.ext.nic.fr) in 51 ms dl.free.fr. 86400 IN A 212.27.63.35 dl.free.fr. 86400 IN A 212.27.63.32
DNS caches  Each zone answer is cached.  The first DNS query for dl.free.fr will go to the root  Root gives .fr server address  The server then now memorize .fr server address and will reuse it for any further .fr resolution  Thus, the root server will NOT be queried again for any .fr further query  etc .... , recursively
DNS resolution caching  As a tree, the DNS resolution mechanism can cache the closest branch information and reuse it  Example : you ask for baz.foo.bar.com  If you asked before for hello.wow.bar.com  Your DNS server will start resolution from the bar.com NS zone  If you asked before for wow.foo.bar.com  Your DNS server will start resolution from foo.bar.com NS zone  If you asked before for hello.com  Your DNS server will start resolution from com NS zone
Dumping / flushing cache  Generating and dumping the cache  Flushing cache > rndc dumpdb -cache > cat /var/cache/bind/named_dump.db > rndc flush && rndc reload
Multiple records and perfs  Often, DNS is used as a basic Round Robin load balancer dig dl.free.fr @192.168.0.1 ; <<>> DiG 9.10.3-P4-Ubuntu <<>> dl.free.fr @192.168.0.1 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24422 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3 ;; ANSWER SECTION: dl.free.fr. 85763 IN A 212.27.63.45 dl.free.fr. 85763 IN A 212.27.63.32
Multiple records and perfs  For iterative resolution, measures are performed by the server to ask the best responsive server among the full list dig dl.free.fr @192.168.0.1 +trace . 513067 IN NS i.root-servers.net. . 513067 IN NS m.root-servers.net. . 513067 IN NS h.root-servers.net. . 513067 IN NS a.root-servers.net. . 513067 IN NS b.root-servers.net. . 513067 IN NS f.root-servers.net. . 513067 IN NS c.root-servers.net. . 513067 IN NS d.root-servers.net. . 513067 IN NS g.root-servers.net. . 513067 IN NS j.root-servers.net. . 513067 IN NS l.root-servers.net. . 513067 IN NS k.root-servers.net.
Conclusions
Then ?  DNS is not very hard as soon as you understand its structure, and why it's been designed  Take however care about security  DNS has not been designed when security issues were in minds  Thus, vanilla DNS is pretty unsecure  No validation of hosts, of answers, no limits, no encryption, etc...  DNSSEC tries to answer some problems (also DNS over TLS)  Some other tools as well (BIND RPZ)  Don't jump into DNS without clearly knowing security risks  Do not open a recursive server to the world, it will be used as an attack vector in worldwide DNS attacks
Then ?  Try to start by setting up your own recursive server  Read bind doc ! http://www.zytrax.com/books/dns/  Trust it more than any server you used to use before  Your ISP server can lie, and can record any query you pass  Privacy of your information ?  Using your own recursive server is like keeping your day-to-day surf for yourself  Say bye bye to 8.8.8.8, 1.1.1.1 or 9.9.9.9 : DIY  Internet is decentralized, don't centralize it if you can prevent that
And after ?  After you can experiment managing your own zone and delegations  You buy a domain, and you fully manage it  Instead of letting it done by your registrar
Ha , and to sum things up  https://www.youtube.com/watch?v=oN7ripK5uGM
Thank you for listening !

Empfohlen

DNS - Domain Name System
DNS - Domain Name SystemDNS - Domain Name System
DNS - Domain Name SystemPeter R. Egli
 
Intro to DNS
Intro to DNSIntro to DNS
Intro to DNSThousandEyes
 
Domain Name System
Domain Name SystemDomain Name System
Domain Name SystemABDUL GAFOOR K V
 
Domain Name System DNS
Domain Name System DNSDomain Name System DNS
Domain Name System DNSAkshay Tiwari
 
Lesson 6: Dynamic Host Configuration Protocol A
Lesson 6: Dynamic Host Configuration Protocol ALesson 6: Dynamic Host Configuration Protocol A
Lesson 6: Dynamic Host Configuration Protocol AMahmmoud Mahdi
 
DNS Record
DNS RecordDNS Record
DNS Recordkangting21
 
Dhcp ppt
Dhcp pptDhcp ppt
Dhcp pptHema Dhariwal
 
DNS server configuration
DNS server configurationDNS server configuration
DNS server configurationSanguine_Eva
 

Empfohlen

DNS - Domain Name System
DNS - Domain Name SystemDNS - Domain Name System
DNS - Domain Name SystemPeter R. Egli
 
Intro to DNS
Intro to DNSIntro to DNS
Intro to DNSThousandEyes
 
Domain Name System
Domain Name SystemDomain Name System
Domain Name SystemABDUL GAFOOR K V
 
Domain Name System DNS
Domain Name System DNSDomain Name System DNS
Domain Name System DNSAkshay Tiwari
 
Lesson 6: Dynamic Host Configuration Protocol A
Lesson 6: Dynamic Host Configuration Protocol ALesson 6: Dynamic Host Configuration Protocol A
Lesson 6: Dynamic Host Configuration Protocol AMahmmoud Mahdi
 
DNS Record
DNS RecordDNS Record
DNS Recordkangting21
 
Dhcp ppt
Dhcp pptDhcp ppt
Dhcp pptHema Dhariwal
 
DNS server configuration
DNS server configurationDNS server configuration
DNS server configurationSanguine_Eva
 
Linux and DNS Server
Linux and DNS ServerLinux and DNS Server
Linux and DNS ServerPrabhakar Thota
 
DNS Presentation
DNS PresentationDNS Presentation
DNS PresentationShubham Srivastava
 
Dns server
Dns serverDns server
Dns serverSubrata Kumer Paul
 
Presentation on dns
Presentation on dnsPresentation on dns
Presentation on dnsAnand Grewal
 
Dns
DnsDns
DnsSanoj Kumar
 
Presentation on Domain Name System
Presentation on Domain Name SystemPresentation on Domain Name System
Presentation on Domain Name SystemChinmay Joshi
 
Domain name system (dns)
Domain name system (dns)Domain name system (dns)
Domain name system (dns)Atikur Rahman
 
DNS (Domain Name System)
DNS (Domain Name System)DNS (Domain Name System)
DNS (Domain Name System)Shashidhara Vyakaranal
 
DNS(Domain Name System)
DNS(Domain Name System)DNS(Domain Name System)
DNS(Domain Name System)Vishal Mittal
 
7 understanding DNS
7 understanding DNS7 understanding DNS
7 understanding DNSHameda Hurmat
 
Dns presentation
Dns presentationDns presentation
Dns presentationAnurag Pandey
 
Domain Name System
Domain Name SystemDomain Name System
Domain Name SystemGurkamal Rakhra
 
Dns(Domain name system)
Dns(Domain name system)Dns(Domain name system)
Dns(Domain name system)Fâhém Ähmêd
 
Dns name resolution process
Dns name resolution processDns name resolution process
Dns name resolution processkannanragothaman
 
DHCP (dynamic host configuration protocol)
DHCP (dynamic host configuration protocol)DHCP (dynamic host configuration protocol)
DHCP (dynamic host configuration protocol)Netwax Lab
 
Chapter 29 Domain Name System.ppt
Chapter 29 Domain Name System.pptChapter 29 Domain Name System.ppt
Chapter 29 Domain Name System.pptwebhostingguy
 
The History of DNS
The History of DNSThe History of DNS
The History of DNSMichael McLean
 
Domain name system
Domain name systemDomain name system
Domain name systemDiwaker Pant
 
DHCP Protocol
DHCP ProtocolDHCP Protocol
DHCP ProtocolMohammed Hisham
 
Domain Name System (DNS)
Domain Name System (DNS)Domain Name System (DNS)
Domain Name System (DNS)Venkatesh Jambulingam
 
Domain Name Server
Domain Name ServerDomain Name Server
Domain Name Servervipulvaid
 
Dns
DnsDns
DnsMd Shihab
 

Weitere ähnliche Inhalte

Was ist angesagt?

Presentation on dns
Presentation on dnsPresentation on dns
Presentation on dnsAnand Grewal
 
Presentation on Domain Name System
Presentation on Domain Name SystemPresentation on Domain Name System
Presentation on Domain Name SystemChinmay Joshi
 
Domain name system (dns)
Domain name system (dns)Domain name system (dns)
Domain name system (dns)Atikur Rahman
 
DNS(Domain Name System)
DNS(Domain Name System)DNS(Domain Name System)
DNS(Domain Name System)Vishal Mittal
 
Dns name resolution process
Dns name resolution processDns name resolution process
Dns name resolution processkannanragothaman
 
DHCP (dynamic host configuration protocol)
DHCP (dynamic host configuration protocol)DHCP (dynamic host configuration protocol)
DHCP (dynamic host configuration protocol)Netwax Lab
 
Chapter 29 Domain Name System.ppt
Chapter 29 Domain Name System.pptChapter 29 Domain Name System.ppt
Chapter 29 Domain Name System.pptwebhostingguy
 
Domain name system
Domain name systemDomain name system
Domain name systemDiwaker Pant
 

Was ist angesagt? (20)

Linux and DNS Server
Linux and DNS ServerLinux and DNS Server
Linux and DNS Server
 
DNS Presentation
DNS PresentationDNS Presentation
DNS Presentation
 
Dns server
Dns serverDns server
Dns server
 
Presentation on dns
Presentation on dnsPresentation on dns
Presentation on dns
 
Dns
DnsDns
Dns
 
Presentation on Domain Name System
Presentation on Domain Name SystemPresentation on Domain Name System
Presentation on Domain Name System
 
Domain name system (dns)
Domain name system (dns)Domain name system (dns)
Domain name system (dns)
 
DNS (Domain Name System)
DNS (Domain Name System)DNS (Domain Name System)
DNS (Domain Name System)
 
DNS(Domain Name System)
DNS(Domain Name System)DNS(Domain Name System)
DNS(Domain Name System)
 
7 understanding DNS
7 understanding DNS7 understanding DNS
7 understanding DNS
 
Dns presentation
Dns presentationDns presentation
Dns presentation
 
Domain Name System
Domain Name SystemDomain Name System
Domain Name System
 
Dns(Domain name system)
Dns(Domain name system)Dns(Domain name system)
Dns(Domain name system)
 
Dns name resolution process
Dns name resolution processDns name resolution process
Dns name resolution process
 
DHCP (dynamic host configuration protocol)
DHCP (dynamic host configuration protocol)DHCP (dynamic host configuration protocol)
DHCP (dynamic host configuration protocol)
 
Chapter 29 Domain Name System.ppt
Chapter 29 Domain Name System.pptChapter 29 Domain Name System.ppt
Chapter 29 Domain Name System.ppt
 
The History of DNS
The History of DNSThe History of DNS
The History of DNS
 
Domain name system
Domain name systemDomain name system
Domain name system
 
DHCP Protocol
DHCP ProtocolDHCP Protocol
DHCP Protocol
 
Domain Name System (DNS)
Domain Name System (DNS)Domain Name System (DNS)
Domain Name System (DNS)
 

Ähnlich wie Dns

Domain Name Server
Domain Name ServerDomain Name Server
Domain Name Servervipulvaid
 
DNS for Developers - NDC Oslo 2016
DNS for Developers - NDC Oslo 2016DNS for Developers - NDC Oslo 2016
DNS for Developers - NDC Oslo 2016Maarten Balliauw
 
Lesson 5: Configuring Name Resolution
Lesson 5: Configuring Name ResolutionLesson 5: Configuring Name Resolution
Lesson 5: Configuring Name ResolutionMahmmoud Mahdi
 

Ähnlich wie Dns (20)

Domain Name Server
Domain Name ServerDomain Name Server
Domain Name Server
 
Dns
DnsDns
Dns
 
Linux basics andng hosti
Linux basics andng hostiLinux basics andng hosti
Linux basics andng hosti
 
Domainnamesystem
DomainnamesystemDomainnamesystem
Domainnamesystem
 
Dns
DnsDns
Dns
 
DHCP
DHCPDHCP
DHCP
 
Dns
DnsDns
Dns
 
Dns And Snmp
Dns And SnmpDns And Snmp
Dns And Snmp
 
Session_2.ppt
Session_2.pptSession_2.ppt
Session_2.ppt
 
Dns1111111111
Dns1111111111Dns1111111111
Dns1111111111
 
Domain Name System(ppt)
Domain Name System(ppt)Domain Name System(ppt)
Domain Name System(ppt)
 
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILDNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
 
DNS(In_Linux).pptx
DNS(In_Linux).pptxDNS(In_Linux).pptx
DNS(In_Linux).pptx
 
Domain Name Service
Domain Name ServiceDomain Name Service
Domain Name Service
 
DNS for Developers - NDC Oslo 2016
DNS for Developers - NDC Oslo 2016DNS for Developers - NDC Oslo 2016
DNS for Developers - NDC Oslo 2016
 
Lesson 5: Configuring Name Resolution
Lesson 5: Configuring Name ResolutionLesson 5: Configuring Name Resolution
Lesson 5: Configuring Name Resolution
 
The Application Layer
The Application LayerThe Application Layer
The Application Layer
 
Ch20 system administration
Ch20 system administration Ch20 system administration
Ch20 system administration
 
D.N.S
D.N.SD.N.S
D.N.S
 
Dns2
Dns2Dns2
Dns2
 

Mehr von julien pauli

Doctrine with Symfony - SymfonyCon 2019
Doctrine with Symfony - SymfonyCon 2019Doctrine with Symfony - SymfonyCon 2019
Doctrine with Symfony - SymfonyCon 2019julien pauli
 
PHP 7 OPCache extension review
PHP 7 OPCache extension reviewPHP 7 OPCache extension review
PHP 7 OPCache extension reviewjulien pauli
 
PHP Internals and Virtual Machine
PHP Internals and Virtual MachinePHP Internals and Virtual Machine
PHP Internals and Virtual Machinejulien pauli
 
Basics of Cryptography - Stream ciphers and PRNG
Basics of Cryptography - Stream ciphers and PRNGBasics of Cryptography - Stream ciphers and PRNG
Basics of Cryptography - Stream ciphers and PRNGjulien pauli
 
Mastering your home network - Do It Yourself
Mastering your home network - Do It YourselfMastering your home network - Do It Yourself
Mastering your home network - Do It Yourselfjulien pauli
 
SymfonyCon 2017 php7 performances
SymfonyCon 2017 php7 performancesSymfonyCon 2017 php7 performances
SymfonyCon 2017 php7 performancesjulien pauli
 
Php and threads ZTS
Php and threads ZTSPhp and threads ZTS
Php and threads ZTSjulien pauli
 
Symfony live 2017_php7_performances
Symfony live 2017_php7_performancesSymfony live 2017_php7_performances
Symfony live 2017_php7_performancesjulien pauli
 
Php7 extensions workshop
Php7 extensions workshopPhp7 extensions workshop
Php7 extensions workshopjulien pauli
 
Profiling php5 to php7
Profiling php5 to php7Profiling php5 to php7
Profiling php5 to php7julien pauli
 
PHP 7 performances from PHP 5
PHP 7 performances from PHP 5PHP 7 performances from PHP 5
PHP 7 performances from PHP 5julien pauli
 
Mysqlnd, an unknown powerful PHP extension
Mysqlnd, an unknown powerful PHP extensionMysqlnd, an unknown powerful PHP extension
Mysqlnd, an unknown powerful PHP extensionjulien pauli
 
Php extensions workshop
Php extensions workshopPhp extensions workshop
Php extensions workshopjulien pauli
 
Understanding PHP objects
Understanding PHP objectsUnderstanding PHP objects
Understanding PHP objectsjulien pauli
 
PHP Tips for certification - OdW13
PHP Tips for certification - OdW13PHP Tips for certification - OdW13
PHP Tips for certification - OdW13julien pauli
 

Mehr von julien pauli (20)

Doctrine with Symfony - SymfonyCon 2019
Doctrine with Symfony - SymfonyCon 2019Doctrine with Symfony - SymfonyCon 2019
Doctrine with Symfony - SymfonyCon 2019
 
Php engine
Php enginePhp engine
Php engine
 
PHP 7 OPCache extension review
PHP 7 OPCache extension reviewPHP 7 OPCache extension review
PHP 7 OPCache extension review
 
PHP Internals and Virtual Machine
PHP Internals and Virtual MachinePHP Internals and Virtual Machine
PHP Internals and Virtual Machine
 
Basics of Cryptography - Stream ciphers and PRNG
Basics of Cryptography - Stream ciphers and PRNGBasics of Cryptography - Stream ciphers and PRNG
Basics of Cryptography - Stream ciphers and PRNG
 
Mastering your home network - Do It Yourself
Mastering your home network - Do It YourselfMastering your home network - Do It Yourself
Mastering your home network - Do It Yourself
 
SymfonyCon 2017 php7 performances
SymfonyCon 2017 php7 performancesSymfonyCon 2017 php7 performances
SymfonyCon 2017 php7 performances
 
Php and threads ZTS
Php and threads ZTSPhp and threads ZTS
Php and threads ZTS
 
Tcpip
TcpipTcpip
Tcpip
 
Symfony live 2017_php7_performances
Symfony live 2017_php7_performancesSymfony live 2017_php7_performances
Symfony live 2017_php7_performances
 
PHP 7 new engine
PHP 7 new enginePHP 7 new engine
PHP 7 new engine
 
Php7 extensions workshop
Php7 extensions workshopPhp7 extensions workshop
Php7 extensions workshop
 
Profiling php5 to php7
Profiling php5 to php7Profiling php5 to php7
Profiling php5 to php7
 
PHP 7 performances from PHP 5
PHP 7 performances from PHP 5PHP 7 performances from PHP 5
PHP 7 performances from PHP 5
 
PHP7 is coming
PHP7 is comingPHP7 is coming
PHP7 is coming
 
Mysqlnd, an unknown powerful PHP extension
Mysqlnd, an unknown powerful PHP extensionMysqlnd, an unknown powerful PHP extension
Mysqlnd, an unknown powerful PHP extension
 
Php extensions workshop
Php extensions workshopPhp extensions workshop
Php extensions workshop
 
Understanding PHP objects
Understanding PHP objectsUnderstanding PHP objects
Understanding PHP objects
 
PHP Tips for certification - OdW13
PHP Tips for certification - OdW13PHP Tips for certification - OdW13
PHP Tips for certification - OdW13
 
PHP5.5 is Here
PHP5.5 is HerePHP5.5 is Here
PHP5.5 is Here
 

Kürzlich hochgeladen

How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 

Kürzlich hochgeladen (20)

How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 

Dns

  • 2. Hi  Julien PAULI  Programming in PHP since early 2000s  PHP Internals hacker and trainer  PHP 5.5/5.6 Release Manager  Working at SensioLabs in Paris - Blackfire  Writing PHP tech articles and books  http://phpinternalsbook.com  http://blog.jpauli.tech  @julienpauli - github.com/jpauli - jpauli@php.net  Like working on OSS such as PHP :-)
  • 3. TOC  History of Internet and networks  The need to name things  The need to create a synchronized decentralized system  Domain Name Server  A hierarchical system  Names and zones  Practicing DNS with BIND  Zones creations and delegation  Zones master and slave propagation
  • 4. State Of The Art  Each machine on a network is assigned an IP address  IPV4 : 32 bits  IPV6 : 128 bits  Computers are fast at treating numbers  Human brains are crap at treating and memorizing numbers  But human brains are good at memorizing names (letters)  There is a need of a global system which goal would be association of human-memorizable mnemonics (names) and computer assigned address numbers
  • 5. Usage of a centralized file  In 1970, ARPANET only handles hundreds of hosts  ARPANET == Internet ancestor  Among those, one machine were hosting a file : HOSTS.TXT , associating every network machine names with their addresses  HOSTS.TXT were then copied/synchronized in each local machine's /etc/hosts file, which is used as the local UNIX hosts db  When HOSTS.TXT were modified, admins sent emails to each machine to have their user download the new HOSTS.TXT and update their own /etc/hosts
  • 6. Problems showing  ARPANET grows, more and more hosts  Having one single HOSTS.TXT file to both update and transfer to everyone starts to be a pain.  That becomes unmaintainable  ARPANET searches for a system to replace HOSTS.TXT drawbacks  In 1984, the DNS first RFC were written
  • 7. DNS  A distributed name database  Name servers contain a segment of the whole name database  Clients, called resolvers, can query servers  Some caches are setup to improve overall performances
  • 8. DNS Structure  DNS has been structured like UNIX Filesystem  A reversed tree where root node is on top root node domain subdomain
  • 9. A domain name  A domain name is the equivalent of an absolute path  But it is read in the reverse way  And it uses a dot as a separator and not a slash Reading the FS Reading the DNS
  • 10. DNS decentralization  Each subdomain may be managed by a different entity, this is called a delegation ICANN NSI BSD University Local FS Remote NFS
  • 11. DNS overview  This system solves the HOSTS.TXT problems  No more duplicate entry  Each domain name is unique  And can be administrated by a unique entity  Each zone can contain  Host names  Sub domains  The system is  distributed  redundant  delegated (no centralization)
  • 12. DNS tree  The namespace may reach 127 deepness levels  Each tree name can be up to 63 chars  Separator is dot " . "  Root node has the null name ""
  • 13. DNS structure  A domain is simply a subtree of the namespace  Each subtree node is owned by its parent  Hence, pa.ca.us is child of ca.us and of us us domain pa.ca.us node ca.us domain Top Level Domain Level one domain Level two domain Root
  • 14. Zone and domain  A zone contains records and delegation informations about a name  A domain contains the merge of all its zones informations
  • 15. Zone delegation  Zone delegation allows a domain administrator to delegate any information about a zone to someone else  Each zone can be seen as an AS
  • 16. DNS ? Competitors ?  If you connect to Internet  DNS is a must-have  If you got your own internet network, based on TCP/IP (network of networks)  DNS can be used  If you got your own local network  DNS is an option  Competitors exists, like WINS or NIS  If you need distributed management and face consistency issues, DNS could be your solution
  • 17. Resource Records (RR)  RR are DNS data (what is stored is called a "resource record")  Divided in classes : we'll use the TCP/IP Internet class mainly (IN)  Classes are divided by types  https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml  Most commonly used types are :  A : an IPV4 Address  AAAA : an IPV6 address  NS : A name server  SOA : A Start Of Authority  PTR : A reverse-DNS entry  MX : A mail server entry  TXT : Some textual information  Location : Geo Data  SRV : Service discovery (http, ftp, ldap ... offered by a domain)
  • 18. Resource Records (RR)  Nowadays, there exists many RR  Postcodes can be stored in DNS ;-)  User/pass can be stored in DNS (ldap alternative)  DNS is a database, it is possible to add new "fields" , infinitely  DNS is expansible, and is updated to follow the overall Internet mutations through time  Big companies may hide opportunities in DNS entries ;-)
  • 19. DNS clients and servers  Clients are called resolvers  Servers  May be authoritative on a zone  May be non-authoritative on a zone  May also be themselves clients  Authoritative servers must be at least two per zone  We usually call both the "master" and the "slave", but they both are authoritative on a zone  The "master" can update the zone infos, whereas the slaves can only copy it from the master (or another slave) and can't edit it.
  • 20. Resolving names  A resolver is silly, and needs a server  A server can resolve a name  Resolving a name, is searching for an answer  "What is the IPV4 of foo.bar ?"  "foo.bar is at 10.5.49.6"  Each server is only authoritative for the zone its been setup for  Each server only knows a small piece of names from the whole namespace
  • 21. Root servers  Root servers know every server of the upper level  spreaded worldwide  critical hardware for the overall Internet life  AnyCast routed
  • 22. Resolving from root servers  Root servers know every server of the upper level  Every upper server  knows the answer if no delegation is performed  (The answer can be an error, like "no such domain")  OR  knows the upper server of the upper name if the zone is delegated  So a server whether  Knows your answer  OR  Knows who can know it  ...this, recursively
  • 23. DNS resolution example  let's resolve foo.bar.baz.com
  • 24. Here is the DNS local server foo.bar.baz.com ?? foo.bar.baz ?? foo.bar ?? com zone server infos baz zone server infos foo.bar.baz.com?? Root server com server bar zone server infos foo ?? foo is at 1.2.3.4 baz server bar server 1 2 4 3 foo bar baz com . . . . 1.2.3.4
  • 25. Resolving a name  A recursive server will attempt to find the answer on its own. It follows server informations until it finds  A non-recursive server only gives answer to its zone information, and does not try to resolve anything by contacting anyone else
  • 26. Recursive VS Iterative queries local server foo.bar.baz.com ?? foo.bar.baz ?? foo.bar ?? com zone server infos baz zone server infos foo.bar.baz.com?? Root server com server bar zone server infos foo ?? foo is at 1.2.3.4 baz server bar server foo bar baz com . . . . 1.2.3.4 IterativeRecursive
  • 27. Resolver - server - recursion  A resolver always issues recursive queries, it has zero intelligence  A server usually issues non-recursive, aka iterative queries.  Iterative answers give a new server name  Recursive queries involve more work on the server DNS Server DNS Server DNS Server DNS Server Iterative Recursive Company A
  • 28. Recursion in DNS  If a server receives a recursive query , it must answer it fully  If it does not have authority on the zone, it must then ask another server. If needed, it will ask from the root server  If a server receives a recursive query, it politely will issue iterative queries on its side, until forwarding DNS Server DNS Server DNS Server DNS Server Iterative Recursive Company A
  • 32. Let's practice it :-)  A registrar is a company that interface with a registry  A registry is the one company that takes care of one TLD  Common TLD : com, net, org, fr, us, uk .. .. ...  Registry is the big-seller  Registrar is the detail-reseller  Registrar takes customers domain booking, and records them to the registry  It records the delegation servers for the new zone, there should be two of them
  • 33. Find a registrar, and register  ghandi, ovh , godaddy, etc...  Buy your domain : foo.bar.  Here, the registrar will register (haha), your nameservers for the foo.bar. zone, against the TLD registry for .bar.  This registration can take time, but it is usually fast .bar zone.bar registry registrar Ans1 ns2 registrar B registrar C ns1/ns2 ns1/ns2 ns1/ns2
  • 34. Domain Registration == delegation  TLD only delegates, TLD never registers hosts  You delegate foo into the bar. zone  That is you declare your servers (2 minimum) to the bar. zone  Each future resolution in bar., about foo.bar., will answer your servers : .bar. delegates to you foo.bar. management  Now you can register names : aka "baz.foo.bar."  Or you can delegate full zones, like *.wow.foo.bar." .bar zone.bar registry registrar Ans1 ns2 registrar B registrar C ns1/ns2ns1/ns2ns1/ns2
  • 35. Done ! .bar zone.bar registry registrar Ans1 ns2 registrar B registrar C wow.foo.bar ? DNS server .bar zone wow.foo.bar ? ns1.foo.bar is here ns1 ns2 wow.foo.bar ? 10.5.88.3 .foo.bar zone 10.5.88.3
  • 37. DNS Tools  BIND is the defacto DNS server under Unix  https://www.isc.org  DIG is the defacto DNS debugger under Unix  nslookup is old, and nowadays unmaintained, use dig  libc is the defacto DNS resolver under Unix  <resolv.h> and the well known gethostbyname()/getaddrinfo()  It makes use of the /etc/resolv.conf file to find DNS servers to query  https://www.zonemaster.net - http://dnsviz.net  DNS brute force tools : dnsrecon / subbrute  DNS helpers : dnstop / dnswalk
  • 39. A real example  I'm linked at home with other peers through private VPN  jp : me  uf : Ulysse  Instead of learning each other network's IP addresses, we managed to setup 2 delegations  jp.vpn : delegated to jp, slave uf  uf.vpn : delegated to uf , salves jp  The TLD .vpn is publicly unused (but the contrary wouldn't hurt much)
  • 42. JP example  I need a recursive server  Because I want to use it as my DNS server, for my home network  I need to have it safe from the Internet  I need to be authoritative on jp.vpn. , this is my zone  I thus need to declare a zone file in BIND  I need to sync, as a slave, zones from uf.vpn.  I will then be able to access my peers machines by resolving their names localy  I also need to allow transfer of my jp.vpn. zone to my peer, so that he will be able to query my hosts localy and serve as replicates
  • 43. Put some BIND config options { directory "/var/cache/bind"; version "Guess"; recursion yes; allow-transfer { none; }; dnssec-validation auto; allow-query { "private"; }; notify yes; auth-nxdomain no; # conform to RFC1035 listen-on { any; }; }; zone "jp.vpn" { type master; allow-transfer { "private"; }; allow-query { "private"; }; file "/etc/bind/zones/db.vpn"; forwarders {}; }; zone "." { type hint; file "/etc/bind/db.root"; };
  • 44. db.jp.vpn configuration $TTL 604800 $ORIGIN jp.vpn. @ IN SOA srv admin.srv ( 3 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL ; @ IN NS srv srv IN A 192.168.0.1 gaming IN A 192.168.0.4 nas IN A 192.168.0.2 mkt IN A 192.168.0.254 obs IN CNAME srv stat IN CNAME srv nd IN CNAME srv
  • 45. BIND documentation ?  Every information about BIND and the DNS is here : http://www.zytrax.com/books/dns/
  • 46. Zone configuration detailed  $TTL gives the default TTL of any entry that does not overwrite it (common use-case)  $ORIGIN is the delegated zone. Every '@' refers to it , every name not ended by a point "." will refer to $ORIGIN  A fully qualified name must end with a point  This is a pretty common mistake done in bind configuration $TTL 604800 $ORIGIN jp.vpn.
  • 47. Zone configuration detailed  owner-name ttl class rr name-server email $TTL 604800 $ORIGIN jp.vpn. @ IN SOA srv admin.srv (
  • 48. Zone configuration detailed  "jp.vpn. with TTL 604800 of class INternet has an SOA (Start Of Authority) delegated by srv.jp.ovpn. and managed by admin@srv.jp.vpn."  In email address of zone contact, '@' is replaced by a dot  That's the way of doing things !  A SOA resource record is mandatory ! You declare yourself as being authoritative on a dedicated zone $TTL 604800 $ORIGIN jp.vpn. @ IN SOA srv admin.srv (
  • 49. Zone configuration detailed  It's serial number is 3 (used for slave sync)  slaves should try to refresh the zone every 604800s  If slaves fail to contact master, they should retry after 86400s  The zone expires after 2419200s , slaves should stop responding after this time if they did not refresh from master  If a negative answer is given its cache is 604800s $TTL 604800 $ORIGIN jp.vpn. @ IN SOA srv admin.srv (3 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL
  • 50. Zone configuration detailed  @ replaces the $ORIGIN  jp.vpn. is managed by the srv.jp.vpn. name server  srv.jp.vpn. is at 192.168.0.1  obs.jp.vpn. is an alias of srv.jp.vpn. and will have IP 192.168.0. ... ... @ IN NS srv srv IN A 192.168.0.1 obs IN CNAME srv
  • 51. Slave zones zone "uf.vpn" { type slave; allow-query { "private"; }; masters { 10.1.2.1; }; forwarders {}; };
  • 52. Let's dig it dig foo.jp.vpn @192.168.0.1 ; <<>> DiG 9.10.3-P4-Ubuntu <<>> foo.jp.vpn @192.168.0.1 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64753 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;foo.jp.vpn. IN A ;; AUTHORITY SECTION: jp.vpn. 604800 IN SOA srv.jp.vpn. admin.srv.jp.vpn. 3 604800 86400 2419200 604800 ;; Query time: 11 msec ;; SERVER: 192.168.0.1#53(192.168.0.1) ;; WHEN: Thu Oct 05 16:38:12 CEST 2017 ;; MSG SIZE rcvd: 86
  • 53. DIG flags and answer details  qr : always here, means "answer"  aa : authoritative answer  rd : recursivity demanded  ra : recursive answer  status : NXDOMAIN == "no such domain" == "foo.jp.vpn doesn't exist" dig foo.jp.vpn @192.168.0.1 ; <<>> DiG 9.10.3-P4-Ubuntu <<>> foo.jp.vpn @192.168.0.1 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64753 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
  • 54. Authoritative ? dig foo.jp.vpn @192.168.0.1 ; <<>> DiG 9.10.3-P4-Ubuntu <<>> foo.jp.vpn @192.168.0.1 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64753 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 dig dl.free.fr @192.168.0.1 ; <<>> DiG 9.10.3-P4-Ubuntu <<>> dl.free.fr @192.168.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32392 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 3
  • 55. Recursive ?  By asking an iterative query on a non-authority server, this one will NOT recursively resolve.  It will answer what it can : the next NS found dig dl.free.fr @192.168.0.1 +norecurse ; <<>> DiG 9.10.3-P4-Ubuntu <<>> dl.free.fr @192.168.0.1 +norecurse ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24422 ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3 ;; AUTHORITY SECTION: free.fr. 85526 IN NS freens2-g20.free.fr. free.fr. 85526 IN NS freens1-g20.free.fr.
  • 56. Recursive ?  Now recursive : we got our answer dig dl.free.fr @192.168.0.1 ; <<>> DiG 9.10.3-P4-Ubuntu <<>> dl.free.fr @192.168.0.1 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24422 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3 ;; AUTHORITY SECTION: free.fr. 85526 IN NS freens2-g20.free.fr. free.fr. 85526 IN NS freens1-g20.free.fr. ;; ANSWER SECTION: dl.free.fr. 85763 IN A 212.27.63.45 dl.free.fr. 85763 IN A 212.27.63.32
  • 57. Let's ask for a trace  Let's trace all the resolution process dig dl.free.fr @192.168.0.1 +trace . 261197 IN NS g.root-servers.net. . 261197 IN NS e.root-servers.net. ;; Received 525 bytes from 192.168.0.1#53(192.168.0.1) in 40 ms fr. 172800 IN NS e.ext.nic.fr. fr. 172800 IN NS d.nic.fr. ;; Received 730 bytes from 192.112.36.4#53(g.root-servers.net) in 36 ms free.fr. 172800 IN NS freens2-g20.free.fr. free.fr. 172800 IN NS freens1-g20.free.fr. ;; Received 614 bytes from 192.5.4.2#53(d.ext.nic.fr) in 51 ms dl.free.fr. 86400 IN A 212.27.63.35 dl.free.fr. 86400 IN A 212.27.63.32
  • 58. DNS caches  Each zone answer is cached.  The first DNS query for dl.free.fr will go to the root  Root gives .fr server address  The server then now memorize .fr server address and will reuse it for any further .fr resolution  Thus, the root server will NOT be queried again for any .fr further query  etc .... , recursively
  • 59. DNS resolution caching  As a tree, the DNS resolution mechanism can cache the closest branch information and reuse it  Example : you ask for baz.foo.bar.com  If you asked before for hello.wow.bar.com  Your DNS server will start resolution from the bar.com NS zone  If you asked before for wow.foo.bar.com  Your DNS server will start resolution from foo.bar.com NS zone  If you asked before for hello.com  Your DNS server will start resolution from com NS zone
  • 60. Dumping / flushing cache  Generating and dumping the cache  Flushing cache > rndc dumpdb -cache > cat /var/cache/bind/named_dump.db > rndc flush && rndc reload
  • 61. Multiple records and perfs  Often, DNS is used as a basic Round Robin load balancer dig dl.free.fr @192.168.0.1 ; <<>> DiG 9.10.3-P4-Ubuntu <<>> dl.free.fr @192.168.0.1 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24422 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3 ;; ANSWER SECTION: dl.free.fr. 85763 IN A 212.27.63.45 dl.free.fr. 85763 IN A 212.27.63.32
  • 62. Multiple records and perfs  For iterative resolution, measures are performed by the server to ask the best responsive server among the full list dig dl.free.fr @192.168.0.1 +trace . 513067 IN NS i.root-servers.net. . 513067 IN NS m.root-servers.net. . 513067 IN NS h.root-servers.net. . 513067 IN NS a.root-servers.net. . 513067 IN NS b.root-servers.net. . 513067 IN NS f.root-servers.net. . 513067 IN NS c.root-servers.net. . 513067 IN NS d.root-servers.net. . 513067 IN NS g.root-servers.net. . 513067 IN NS j.root-servers.net. . 513067 IN NS l.root-servers.net. . 513067 IN NS k.root-servers.net.
  • 64. Then ?  DNS is not very hard as soon as you understand its structure, and why it's been designed  Take however care about security  DNS has not been designed when security issues were in minds  Thus, vanilla DNS is pretty unsecure  No validation of hosts, of answers, no limits, no encryption, etc...  DNSSEC tries to answer some problems (also DNS over TLS)  Some other tools as well (BIND RPZ)  Don't jump into DNS without clearly knowing security risks  Do not open a recursive server to the world, it will be used as an attack vector in worldwide DNS attacks
  • 65. Then ?  Try to start by setting up your own recursive server  Read bind doc ! http://www.zytrax.com/books/dns/  Trust it more than any server you used to use before  Your ISP server can lie, and can record any query you pass  Privacy of your information ?  Using your own recursive server is like keeping your day-to-day surf for yourself  Say bye bye to 8.8.8.8, 1.1.1.1 or 9.9.9.9 : DIY  Internet is decentralized, don't centralize it if you can prevent that
  • 66. And after ?  After you can experiment managing your own zone and delegations  You buy a domain, and you fully manage it  Instead of letting it done by your registrar
  • 67. Ha , and to sum things up  https://www.youtube.com/watch?v=oN7ripK5uGM
  • 68. Thank you for listening !