DNS Session 2: DNS cache operation and DNS debugging. Joe Abley AfNOG 2006 workshop

Similar documents
DNS Session 2: DNS cache operation and DNS debugging. How caching NS works (1) What if the answer is not in the cache? How caching NS works (2)

Domain Name System (DNS) Session 2: Resolver Operation and debugging. Joe Abley AfNOG Workshop, AIS 2017, Nairobi

DNS Session 1: Fundamentals. Based on Brian Candler's materials ISOC CCTLD workshop

Based on Brian Candler's materials ISOC CCTLD workshop

Configuration of Authoritative Nameservice

Domain Name System (DNS) Session-1: Fundamentals. Joe Abley AfNOG Workshop, AIS 2017, Nairobi

Oversimplified DNS. ... or, even a rocket scientist can understand DNS. Step 1 - Verify WHOIS information

Goal of this session

OPS535 Lab 5. Dynamic DNS. RFC 2136 Dynamic Updates in the Domain Name System (DNS UPDATE)

Domain Name System (DNS) Session-1: Fundamentals. Computers use IP addresses. Why do we need names? hosts.txt does not scale

Domain Name System (DNS) DNS Fundamentals. Computers use IP addresses. Why do we need names? hosts.txt does not scale. The old solution: HOSTS.

DNS Configuration Guide. Open Telekom Cloud

CIA Lab Assignment: Domain Name System (1)

Domain Name System - Advanced Computer Networks

Computer Center, CS, NCTU. Outline. Installation Basic Configuration

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Install and configure the DNS server. SEED Labs Local DNS Attack Lab 1

DNS. Introduction To. everything you never wanted to know about IP directory services

Linux Network Administration

Services: DNS domain name system

Welcome! Acknowledgements. Introduction to DNS. cctld DNS Workshop October 2004, Bangkok, Thailand

Preparation Test AAAA and EDNS0 support Share Your Results Results Reported Testing Period

BIND-USERS and Other Debugging Experiences. Mark Andrews Internet Systems Consortium

Managing Caching DNS Server

CSE 265: System & Network Administration

RHCE BOOT CAMP BIND. Wednesday, November 28, 12

CNAME-based Redirection Design Notes

Networking Applications

Secured Dynamic Updates

DNS & DHCP CONFIGURATION

Internet Engineering. DNS Message Format. Contents. Robert Elz.

Response Differences between NSD and other DNS Servers

IT Domain Name System Revisited

Internet Engineering Task Force (IETF) Request for Comments: 7706 Category: Informational ISSN: November 2015

The Domain Name System

DNS. David Malone. 19th October 2004

Domain Name System (DNS)

DNS. dr. C. P. J. Koymans. September 16, Informatics Institute University of Amsterdam. dr. C. P. J. Koymans (UvA) DNS September 16, / 46

Managing Zones. Staged and Synchronous Modes CHAPTER. See Also

Reverse DNS Overview

Testing IPv6 address records in the DNS root

page 1 Plain Old DNS WACREN, DNS/DNSSEC Regional Workshop Ouagadougou, October 2016

ENUM Dialing on Cisco Expressway

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

DNS. A Massively Distributed Database. Justin Scott December 12, 2018

Table of Contents DNS. Short history of DNS (1) DNS and BIND. Specification and implementation. A short history of DNS.

Domain Name Service. DNS Overview. October 2009 Computer Networking 1

Figure 1: DNS server properties and the DNS server icon

Managing DNS Firewall

Is Your Caching Resolver Polluting the Internet?

QNAME minimisation. Ralph Dolmans (NLnet Labs) March 2016 Stichting NLnet Labs

Sicurezza dei sistemi e delle reti

Cisco Expressway ENUM Dialing

Setting up DHCP, DNS and NFS on the CLTC Server

Running the Setup Web UI

Protocol Classification

The Domain Name System

ECE 650 Systems Programming & Engineering. Spring 2018

DNS / DNSSEC Workshop. bdnog November 2017, Dhaka, Bangladesh

ip dhcp-client network-discovery through ip nat sip-sbc

Is your DNS server up-to-date? Pieter Lexis Senior PowerDNS Engineer April 22 nd 2018

Advanced Caching DNS Server

Installing MyDNS And The MyDNSConfig Control Panel On Fedora 8

DNS Flag day. A tale of five cctlds. Hugo Salgado,.CL Sebastián Castro,.NZ DNS-OARC 29, Amsterdam

Packet Traces from a Simulated Signed Root

Running the Setup Web UI

Configuring DNS. Finding Feature Information

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Tasks (Part I): Setting Up a Local DNS Server. SEED Labs Local DNS Attack Lab 1

Remote DNS Cache Poisoning Attack Lab

Network Protocols. DNS Intel *slightly modified public version of another talk. TDC 375 Autumn 2009/10 John Kristoff DePaul University 1

Managing Authoritative DNS Server

Table of Contents DNS. Short history of DNS (1) DNS and BIND. Specification and implementation. A short history of DNS. Root servers.

DNS Concepts. Acknowledgements July 2005, Thimphu, Bhutan. In conjunction with SANOG VI. Bill Manning Ed Lewis Joe Abley Olaf M.

Open Resolvers in COM/NET Resolution!! Duane Wessels, Aziz Mohaisen! DNS-OARC 2014 Spring Workshop! Warsaw, Poland!

6.033 Computer System Engineering

DNS DNS DNS Summer Days 2013 Copyright

Maintained and stored on the domain s master name server Two types of entries. Used to store the information of The real part of DNS database

Strange Things Found in an Open Resolver Survey

Overview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly

DNS and BIND Rock Eagle Computing Conference October 27, 2000 CL 10/25/00

DNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration. Chapter 5 Introduction to DNS in Windows Server 2008

APNIC elearning: DNS Concepts

Authoritative-only server & TSIG

Network Working Group Request for Comments: 1536 Category: Informational ISI P. Danzig S. Miller USC October 1993

IT341 Introduction to System Administration Project V Implementing DNS

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

22/06/ :37 DNS COMPLIANCE. Fred Baker Internet Systems Consortium

DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO

Domain Name System.

CSc 450/550 Computer Networks Domain Name System

Much is done on the Server, it20:

Lesson 9: Configuring DNS Records. MOAC : Administering Windows Server 2012

Remote DNS Cache Poisoning Attack Lab

You Should Delete Dns Delegations In The Parent Zone

Application Session (Hands-on) Athanassios Liakopoulos (GRNET) version 1.01

How to Configure DNS Zones

DNS Mark Kosters Carlos Martínez ARIN - LACNIC

CSC 574 Computer and Network Security. DNS Security

ECE 435 Network Engineering Lecture 7

IPv6 Support in the DNS. Athanassios Liakopoulos 6DEPLOY IPv6 Training, Skopje, June 2011

Transcription:

DNS Session 2: DNS cache operation and DNS debugging Joe Abley AfNOG 2006 workshop

How caching NS works (1) If we've dealt with this query before recently, answer is already in the cache easy! Resolver Query Response Caching NS

What if the answer is not in the cache? DNS is a distributed database: parts of the tree (called "zones") are held in different servers They are called "authoritative" for their particular part of the tree It is the job of a caching nameserver to locate the right authoritative nameserver and get back the result It may have to ask other nameservers first to locate the one it needs

How caching NS works (2) Resolver 1 Query Response 5 Caching NS 2 4 3 Auth NS Auth NS Auth NS

How does it know which authoritative nameserver to ask? It follows the hierarchical tree structure e.g. to query "www.tiscali.co.uk". (root) 1. Ask here uk 2. Ask here co.uk 3. Ask here tiscali.co.uk 4. Ask here

Intermediate nameservers return "NS" resource records "I don't have the answer, but try these other nameservers instead" Called a REFERRAL Moves you down the tree by one or more levels

Eventually this process will either: Find an authoritative nameserver which knows the answer (positive or negative) Not find any working nameserver: SERVFAIL End up at a faulty nameserver either cannot answer and no further delegation, or wrong answer! Note: the caching nameserver may happen also to be an authoritative nameserver for a particular query. In that case it will answer immediately without asking anywhere else. We will see later why it's a better idea to have separate machines for caching and authoritative nameservers

How does this process start? Every caching nameserver is seeded with a list of root servers zone "." { type hint; file "named.root"; } /etc/namedb/named.conf /etc/namedb/named.root. 3600000 NS A.ROOT-SERVERS.NET. A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4. 3600000 NS B.ROOT-SERVERS.NET. B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107. 3600000 NS C.ROOT-SERVERS.NET. C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 ;... etc

Where did named.root come from? ftp://ftp.internic.net/domain/named.cache Worth checking every 6 months or so for updates

Demonstration dig +trace www.tiscali.co.uk. Instead of sending the query to the cache, "dig +trace" traverses the tree from the root and displays the responses it gets dig +trace is a bind 9 feature useful as a demo but not for debugging

Distributed systems have many points of failure! So each zone has two or more authoritative nameservers for resilience They are all equivalent and can be tried in any order Trying stops as soon as one gives an answer Also helps share the load The root servers are very busy There are currently 13 of them (each of which is a large cluster)

Caching reduces the load on auth nameservers Especially important at the higher levels: root servers, GTLD servers (.com,.net...) and cctlds All intermediate information is cached as well as the final answer so NS records from REFERRALS are cached too

Example 1: www.tiscali.co.uk (on an empty cache) www.tiscali.co.uk (A) referral to 'uk' nameservers www.tiscali.co.uk (A) referral to 'tiscali.co.uk' nameservers www.tiscali.co.uk (A) Answer: 212.74.101.10 root server uk server tiscali.co.uk server

Example 2: smtp.tiscali.co.uk (after previous example) Previous referrals retained in cache smtp.tiscali.co.uk (A) Answer: 212.74.114.61 tiscali.co.uk server

Caches can be a problem if data becomes stale If caches hold data for too long, they may give out the wrong answers if the authoritative data changes If caches hold data for too little time, it means increased work for the authoritative servers

The owner of an auth server controls how their data is cached Each resource record has a "Time To Live" (TTL) which says how long it can be kept in cache The SOA record says how long a negative answer can be cached (i.e. the non existence of a resource record) Note: the cache owner has no control but they wouldn't want it anyway

A compromise policy Set a fairly long TTL 1 or 2 days When you know you are about to make a change, reduce the TTL down to 10 minutes Wait 1 or 2 days BEFORE making the change After the change, put the TTL back up again

Any questions??

What sort of problems might occur when resolving names in DNS? Remember that following referrals is in general a multi step process Remember the caching

(1) One authoritative server is down or unreachable Not a problem: timeout and try the next authoritative server Remember that there are multiple authoritative servers for a zone, so the referral returns multiple NS records

(2) *ALL* authoritative servers are down or unreachable! This is bad; query cannot complete Make sure all nameservers not on the same subnet (switch/router failure) Make sure all nameservers not in the same building (power failure) Make sure all nameservers not even on the same Internet backbone (failure of upstream link) For more detail read RFC 2182

(3) Referral to a nameserver which is not authoritative for this zone Bad error. Called "Lame Delegation" Query cannot proceed server can give neither the right answer nor the right delegation Typical error: NS record for a zone points to a caching nameserver which has not been set up as authoritative for that zone Or: syntax error in zone file means that nameserver software ignores it

(4) Inconsistencies between authoritative servers If auth servers don't have the same information then you will get different information depending on which one you picked (random) Because of caching, these problems can be very hard to debug. Problem is intermittent.

(5) Inconsistencies in delegations NS records in the delegation do not match NS records in the zone file (we will write zone files later) Problem: if the two sets aren't the same, then which is right? Leads to unpredictable behaviour Caches could use one set or the other, or the union of both

(6) Mixing caching and authoritative nameservers Consider when caching nameserver contains an old zone file, but customer has transferred their DNS somewhere else Caching nameserver responds immediately with the old information, even though NS records point at a different ISP's authoritative nameservers which hold the right information! This is a very strong reason for having separate machines for authoritative and caching NS Another reason is that an authoritative only NS has a fixed memory usage

(7) Inappropriate choice of parameters e.g. TTL set either far too short or far too long

These problems are not the fault of the caching server! They all originate from bad configuration of the AUTHORITATIVE name servers Many of these mistakes are easy to make but difficult to debug, especially because of caching Running a caching server is easy; running authoritative nameservice properly requires great attention to detail

How to debug these problems? We must bypass caching We must try *all* N servers for a zone (a caching nameserver stops after one) We must bypass recursion to test all the intermediate referrals "dig +norec" is your friend dig +norec @1.2.3.4 foo.bar. a Server to query Domain Query type

How to interpret responses (1) Look for "status: NOERROR" "flags... aa" means this is an authoritative answer (i.e. not cached) "ANSWER SECTION" gives the answer If you get back just NS records: it's a referral ;; ANSWER SECTION foo.bar. 3600 IN A 1.2.3.4 Domain name TTL Answer

How to interpret responses (2) "status: NXDOMAIN" OK, negative (the domain does not exist). You should get back an SOA "status: NOERROR" with zero RRs OK, negative (domain exists but no RRs of the type requested). Should get back an SOA Other status may indicate an error Look also for Connection Refused (DNS server is not running or doesn't accept queries from your IP address) or Timeout (no answer)

How to debug a domain using "dig +norec" (1) 1. Start at any root server: [a m].rootservers.net. dig +norec @a.root-servers.net. www.tiscali.co.uk. a Remember the trailing dots! 1. For a referral, note the NS records returned 2. Repeat the query for *all* NS records 3. Go back to step 2, until you have got the final answers to the query

How to debug a domain using "dig +norec" (2) 1. Check all the results from a group of authoritative nameservers are consistent with each other 2. Check all the final answers have "flags: aa" 3. Note that the NS records point to names, not IP addresses. So now check every NS record seen maps to the correct IP address using the same process!!

How to debug a domain using "dig +norec" (3) Tedious, requires patience and accuracy, but it pays off Learn this first before playing with more automated tools Such as: http://www.squish.net/dnscheck/ http://www.zonecheck.fr/ These tools all have limitations, none is perfect

Practical Worked examples

Easy! Building your own caching nameserver Standard software is "bind" (Berkeley Internet Name Daemon) from ISC: www.isc.org Most Unixes have it, and already configured as a cache FreeBSD: in the base system Red Hat: "bind" and "caching nameserver" RPM packages Question: what sort of hardware would you choose when building a DNS cache?

Improving the configuration Limit client access to your own IP addresses only No reason for other people on the Internet to be using your cache resources Make cache authoritative for queries which should not go to the Internet localhost A 127.0.0.1 1.0.0.127.in addr.arpa PTR localhost RFC 1918 addresses (10/8, 172.16/12, 192.168/16) Gives quicker response and saves sending unnecessary queries to the Internet

Access control acl mynetwork { 127.0.0.1; 192.188.58.64/26; }; options { directory "/etc/namedb"; recursion yes; # this is the default allow-query { mynetwork; }; # note: use 'allow-recursion' instead if your # nameserver is both caching and authoritative }; zone "." { type hint; file "named.root"; }; /etc/namedb/named.conf

localhost > 127.0.0.1 zone "localhost" { type master; file "master/localhost"; allow-update { none; }; }; /etc/namedb/named.conf /etc/namedb/master/localhost @ SOA localhost. root.localhost. ( 2004022800 ; serial 8h ; refresh 1h ; retry 4w ; expire 1h ) ; negative TTL NS localhost. A 127.0.0.1

127.0.0.1 > localhost /etc/namedb/named.conf zone "0.0.127.in-addr.arpa" { type master; file "master/localhost.rev"; allow-update { none; }; }; /etc/namedb/master/localhost.rev @ SOA localhost. root.localhost. ( 2004022800 ; serial 8h ; refresh 1h ; retry 4w ; expire 1h ) ; negative TTL NS localhost. 1 PTR localhost. ; Don't forget the trailing dots!

RFC1918 reverse lookups /etc/namedb/named.conf zone "168.192.in-addr.arpa" { type master; file "master/null.zone"; }; zone "10.in-addr.arpa" { type master; file "master/null.zone"; }; # repeat for 16.172.in-addr.arpa #... to 31.172.in-addr.arpa /etc/namedb/master/null.zone @ SOA localhost. root.localhost. ( 2004022800 ; serial 8h ; refresh 1h ; retry 4w ; expire 1h ) ; negative TTL NS localhost.

FreeBSD caching nameserver named_enable="yes" # in /etc/rc.conf For improved security, by default named is run inside a "chroot jail" under /var/named accesses to /foo are actually to /var/named/foo There is a symlink from /etc/namedb to /var/namedb/etc/namedb to make life easier

Managing a caching nameserver /etc/rc.d/named start rndc status rndc reload After config changes; causes less disruption than restarting the daemon rndc dumpdb dumps current cache contents to /var/named/var/dump/named_dump.db rndc flush Destroys the cache contents; don't do on a live system!

Absolutely critical! tail /var/log/messages after any nameserver changes and reload/restart A syntax error may result in a nameserver which is running, but not in the way you wanted bind is very fussy about syntax Beware } and ; Within a zone file, comments start with semicolon (;) NOT hash (#)

Practical Build a caching nameserver Examine its operation

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback