- Why do we need DNS?
- People prefer to use names instead of numeric addresses.
- So we need a system that can map a name to an address or an address to a name.
- When the Internet was small, IP-to-hostname mapping was done with a hosts file that was periodically updated.
- Today it is impossible to store and update all of these mappings in one file, as distributing it would create a huge amount of traffic on the Internet.
- Packet Capture
- Which protocol does DNS use?
- UDP: for all general-purpose DNS requests, like nslookup, clients' requests, etc.
- TCP: for server-to-server communication like zone transfers, as this process needs a reliable protocol.
- Zone transfer
It is the process of replicating a zone file to another name server, and is accomplished by copying the zone file information from the master server to the secondary server. Zone transfers take place when names and IP address mappings change in a domain.
- Who decides it?
- UDP can be used to exchange small messages, whereas TCP must be used to exchange messages larger than 512 bytes.
- If a client doesn't get a response from DNS, it must retransmit the query using TCP after an interval of 3-5 seconds.
- When will the firewall close a session opened for DNS?
- UDP sessions have a timeout of 1 minute.
- DNS queries may fill the session table up to its limit.
- Therefore the DNS ALG is used to close the DNS session as soon as the reply message is seen.
- If DNS ALG is disabled, the session table may fill in a short time.
- DNS zone is any distinct, contiguous portion of domain name space for which administrative responsibility has been delegated to a single manager.
- The domain name space of the Internet is organized into a hierarchical layout of subdomains below the DNS root domain.
- Don’t associate a zone with a domain.
- A DNS zone can contain multiple domains or just one domain, the important thing to remember is that it is used for delegating control of portions of the namespace.
- Different zones can also be on the same server.
- Think of a zone as a database or part of it.
- Suppose a company is massive and has offices all over the world.
- You create a subdomain for each country on the same DNS server.
- Now you further split each country up into cities.
- Can you imagine how many subdomains, DNS A records, etc. must be stored on this one server?
- This DNS server would contain every record of the whole worldwide organisation and would most likely be overwhelmed.
- So all these domains are stored in one zone on one server.
- The problem is that it is too much for one server and too much for the admin team to manage this entire "zone".
- Delegating DNS Zones
- Now we create a new zone on each country's DNS server.
- The root server is configured to push all queries for the country subdomain to this server.
The key differences here are that:
- The main DNS server does not contain any records at all for the country or city subdomains.
- It only contains a pointer that redirects queries there.
- This means the entire DNS namespace can be split throughout an organisation.
- By splitting the entire namespace like this it removes unnecessary bandwidth and queries.
- If the whole namespace existed in the US then the UK would have to query the US servers for UK queries.
- Moving the UK subdomain into a zone on a UK server keeps the queries local.
- Once a zone is created you can set permissions on it and delegate control of it out to different staff.
- If we wanted 3 domains to be administered by 3 different teams they would need to be in different zones.
- DNS zone transfer (Also called AXFR) is a mechanism to replicate DNS databases across a set of DNS servers.
- Zone transfers may be performed using two methods: full (AXFR) and incremental (IXFR).
- A zone transfer uses the Transmission Control Protocol (TCP) for transport, and takes the form of a client–server transaction.
- The client requesting a zone transfer may be a slave server or secondary server, requesting data from a master server, called a primary server.
- The portion of the database that is replicated is a zone.
- The DNS client tells the DNS server whether the query is recursive or iterative.
Recursive query
- This means that the resolver expects the server to supply the final answer.
- The server replies with an address or an error message.
- The server cannot refer the client to a different DNS server.
- Generally made by a DNS client to a DNS server, or by a server that is configured to pass unresolved name queries to another DNS server (a forwarder).
Iterative query
- Returns the best answer the server can give based on its cache or zone data.
- If it does not have an exact match, it returns a pointer (referral) to another DNS server.
- The client can then query the DNS server to which it was referred.
- This continues until it locates a DNS server authoritative for the query, or until an error or timeout occurs.
Reverse DNS query
- rDNS is the determination of the domain name associated with an IP address.
- Uses the pointer DNS record type (PTR record).
- Uses a reverse IN-ADDR entry in the special domain in-addr.arpa.
- Suppose an address (A) record for mail.example.com points to the IP address 192.0.2.5.
- In the pointer records of the reverse database, this IP address is stored as the domain name 188.8.131.52.in-addr.arpa, pointing back to its designated host name mail.example.com.
- Original uses of rDNS: network troubleshooting via tools such as traceroute and ping, the "Received:" trace header field for SMTP e-mail, web sites tracking users (especially on Internet forums), etc.
- One e-mail anti-spam technique: checking the domain names in the rDNS to see if they are likely from dialup users, dynamically assigned addresses, or other inexpensive Internet services.
- System logging or monitoring tools often record entries by IP address; rDNS turns them into more human-usable data.
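As an added example (not part of the original page), the following Python builds the reverse (in-addr.arpa / ip6.arpa) owner name for an address, derives a PTR zone from forward records, and performs the forward-confirmed rDNS check used by the anti-spam technique above. The zone data is constructed for the example and is not taken from any real zone.

```python
import ipaddress

def reverse_name(ip):
    """Build the PTR owner name (in-addr.arpa / ip6.arpa) for an IP address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        # IPv4: the four octets in reverse order under in-addr.arpa
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    # IPv6: every hex nibble of the expanded address, reversed, under ip6.arpa
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def reverse_zone(a_records):
    """Derive PTR records (owner name -> host) from forward records (host -> ip)."""
    return {reverse_name(ip): host for host, ip in a_records.items()}

def forward_confirmed(ip, a_records, ptr_records):
    """Forward-confirmed rDNS: the host named by the PTR must have an A/AAAA record
    that points back at ip. Returns that host name, or None."""
    host = ptr_records.get(reverse_name(ip))
    if host is None or host not in a_records:
        return None
    back = ipaddress.ip_address(a_records[host])
    return host if back == ipaddress.ip_address(ip) else None

# Constructed sample data, not taken from any real zone.
A_RECORDS = {
    "mail.example.com.": "192.0.2.5",
    "www.example.com.": "192.0.2.80",
    "v6.example.com.": "2001:db8::1",
}
PTR_RECORDS = reverse_zone(A_RECORDS)
# A PTR published for an address we do not own, claiming to be our mail host:
# it fails the forward-confirmed check because no A record points back at it.
PTR_RECORDS[reverse_name("203.0.113.9")] = "mail.example.com."
```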
- DNS doctoring enables an internal host on a LAN to receive the private IP of an internal server as the answer to a DNS query when using a DNS server that is outside the LAN, such as on the Internet.
- A static NAT translation must also exist to translate the public IP to the private IP.
- Without DNS doctoring, the external DNS server replies with the public IP address of the host on the internal LAN.
- The problem occurs when the client and the host that the client tries to reach are both on the same or different private networks behind NAT, but the DNS server used by the client is on another, public network.
- Without DNS doctoring or another solution enabled in this situation, if the client sends a DNS request for the IP address of the web server, it is unable to access that web server.
- This is because the client receives an A record that contains the mapped public address of the web server.
- When the client tries to access this IP address, the security appliance drops the packets because it does not allow packet redirection on the same interface.
- Configure static NAT for the server first; if the DNS ALG is enabled, public-to-private and private-to-public static address translation can then occur for A records in DNS replies.
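To make the DNS ALG behaviour concrete, here is an added example (not the appliance's code) that models the rewrite: it walks the answer section of a raw DNS reply and, for every A record whose rdata matches a public address in a constructed static NAT table, substitutes the private address in place. The reply itself is constructed with a small builder; compression-pointer names and the 12-byte header layout follow the DNS wire format.

```python
import struct

STATIC_NAT = {"198.51.100.10": "10.0.0.10"}   # constructed static NAT: public -> private

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:                       # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:             # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def doctor_reply(msg, nat=STATIC_NAT):
    """Rewrite A-record rdata in the answer section from public to private per static NAT."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                                  # fixed 12-byte header
    for _ in range(qdcount):                  # skip QNAME, then QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10                             # TYPE, CLASS, TTL, RDLENGTH
        if rtype == 1 and rdlen == 4:         # A record: translate if a static NAT exists
            private = nat.get(".".join(str(b) for b in msg[off:off + 4]))
            if private:
                out[off:off + 4] = bytes(int(o) for o in private.split("."))
        off += rdlen
    return bytes(out)

def build_reply(qname, ip, txid=0x1234):
    """Constructed minimal DNS response: one question and one A answer."""
    name = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # standard response, RD+RA
    question = name + struct.pack("!HH", 1, 1)                   # QTYPE=A, QCLASS=IN
    answer = (b"\xc0\x0c"                                        # name pointer to QNAME
              + struct.pack("!HHIH", 1, 1, 300, 4)
              + bytes(int(o) for o in ip.split(".")))
    return header + question + answer

def first_a_answer(msg):
    """IPv4 address carried by the first answer record (checking helper)."""
    qdcount = struct.unpack_from("!H", msg, 4)[0]
    off = 12
    for _ in range(qdcount): off = _skip_name(msg, off) + 4
    off = _skip_name(msg, off) + 10
    return ".".join(str(b) for b in msg[off:off + 4])
```

A reply for an address with no static NAT entry passes through unchanged, which is the same behaviour the text describes for hosts that are not translated.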
DNS Record Types
| Type | Name | Description |
|---|---|---|
| A | Address record | Returns a 32-bit IPv4 address. |
| AAAA | IPv6 address record | Returns an IPv6 address. |
| CNAME | Canonical name record | Alias of one name to another; the DNS lookup continues by retrying the lookup with the new name. |
| LOC | Location record | Specifies a geographical location associated with a domain name. |
| MX | Mail exchange record | Maps a domain name to a list of message transfer agents for that domain. |
| NS | Name server record | Delegates a DNS zone to the given authoritative name servers. |
| PTR | Pointer record | Pointer to a canonical name. Unlike a CNAME, DNS processing stops and just the name is returned. The most common use is implementing reverse DNS lookups. |
| SOA | Start of [a zone of] authority record | Specifies authoritative information about a DNS zone, including the primary name server, the e-mail of the domain administrator, the domain serial number, etc. |
| SRV | Service locator | Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX. |
| TXT | Text record | Originally for arbitrary human-readable text in a DNS record. Now more often carries machine-readable data (opportunistic encryption, Sender Policy Framework, etc.). |
| * | All cached records | Returns all cached records of all types known to the name server. If the name server has no information on the name, the request is forwarded on. |
| AXFR | Authoritative zone transfer | Transfers the entire zone file from the master name server to secondary name servers. |
| IXFR | Incremental zone transfer | Requests a zone transfer of the given zone, but only the differences from a previous serial number. |
An authoritative nameserver is a nameserver (DNS server) that holds the actual DNS records (A, CNAME, PTR, etc.) for a particular domain/address. A recursive resolver is a DNS server that queries an authoritative nameserver to resolve a domain/address. If I have a DNS server in my network that holds an A record for foobar.com, my DNS server is authoritative for the foobar.com domain. If clients need to access foobar.com, they can query my DNS server and they will get an authoritative response.
- A Canonical Name record (abbreviated as CNAME record) is a type of resource record in the Domain Name System (DNS) which maps one domain name (an alias) to another (the Canonical Name).
| NAME | TYPE | VALUE |
|---|---|---|
| bar.example.com. | CNAME | foo.example.com. |
| foo.example.com. | A | 192.0.2.23 |
- Glue Record
- A glue record is a record served by a DNS server that is not authoritative for the zone, to avoid a circular dependency that would make the zone impossible to reach.
- What glue records do is allow the TLD's servers to send extra information in their response to the query for the example.com zone: the IP addresses configured for its name servers.
- It's not authoritative, but it's a pointer to the authoritative servers, allowing for the loop to be resolved.
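The following added example (not code from the original page) models the iterative query walk described earlier and the role of glue records in one small simulation: a resolver starts at a constructed root, follows referrals to the TLD and then to the zone's own server, and detects the circular dependency that arises when the TLD's referral to ns1.example.com. carries no glue. All server addresses and zone data are constructed for the example.

```python
ROOT = "198.51.100.1"   # constructed address of the root server in this model
# Constructed model: server address -> {"ns": child zone -> (NS name, glue or None), "rr": own A records}
SERVERS = {
    ROOT: {"ns": {"com.": ("a.gtld-servers.net.", "198.51.100.2")}, "rr": {}},
    "198.51.100.2": {"ns": {"example.com.": ("ns1.example.com.", "203.0.113.53")}, "rr": {}},
    "203.0.113.53": {"ns": {}, "rr": {"www.example.com.": "203.0.113.80",
                                      "ns1.example.com.": "203.0.113.53"}},
}

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def ask(server, name, servers):
    """One iterative query: an answer from zone data, otherwise the best referral."""
    zone = servers[server]
    if name in zone["rr"]:
        return ("answer", zone["rr"][name])
    for child, (ns, glue) in sorted(zone["ns"].items(), key=lambda kv: -len(kv[0])):
        if in_zone(name, child):             # longest matching delegation wins
            return ("referral", child, ns, glue)
    return ("nxdomain",)

def resolve(name, servers=SERVERS):
    """Iterative resolver: start at the root and follow referrals to an answer."""
    server = ROOT
    while True:
        reply = ask(server, name, servers)
        if reply[0] == "answer":
            return reply[1]
        if reply[0] == "nxdomain":
            raise LookupError(name)
        _, child, ns, glue = reply
        if glue:                             # glue: go straight to the child's server
            server = glue
        elif in_zone(ns, child):             # NS inside the zone it serves: needs glue
            raise RuntimeError(f"circular dependency: {ns} is inside {child} and no glue was given")
        else:                                # NS in another zone: resolve its address first
            server = resolve(ns, servers)

def without_glue(servers, child):
    """Copy of the model with the glue for one delegation stripped."""
    return {srv: {"ns": {c: (ns, None if c == child else g) for c, (ns, g) in z["ns"].items()},
                  "rr": z["rr"]} for srv, z in servers.items()}

def try_resolve(name, servers=SERVERS):
    """Return ("ok", ip) or ("error", message) so a caller can inspect failures."""
    try:
        return ("ok", resolve(name, servers))
    except (LookupError, RuntimeError) as e:
        return ("error", str(e))
```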