IT Domain Name System Revisited

Similar documents
DNS Configuration Guide. Open Telekom Cloud

Sicurezza dei sistemi e delle reti

Remote DNS Cache Poisoning Attack Lab

Date: 17-Feb :38

DNS Session 2: DNS cache operation and DNS debugging. Joe Abley AfNOG 2006 workshop

CIA Lab Assignment: Domain Name System (1)

DNS Session 2: DNS cache operation and DNS debugging. How caching NS works (1) What if the answer is not in the cache? How caching NS works (2)

Configuration of Authoritative Nameservice

Remote DNS Cache Poisoning Attack Lab

LAB-5: NAT64/DNS64. Lab Environment. Configure the IPv6 only client: Open the GNS3 project file: The lab topology has:

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Install and configure the DNS server. SEED Labs Local DNS Attack Lab 1

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Tasks (Part I): Setting Up a Local DNS Server. SEED Labs Local DNS Attack Lab 1

Computer Center, CS, NCTU. Outline. Installation Basic Configuration

OPS535 Lab 5. Dynamic DNS. RFC 2136 Dynamic Updates in the Domain Name System (DNS UPDATE)

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration. Chapter 5 Introduction to DNS in Windows Server 2008

Domain Name System (DNS) Session 2: Resolver Operation and debugging. Joe Abley AfNOG Workshop, AIS 2017, Nairobi

Much is done on the Server, it20:

Managing Caching DNS Server

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

Chapter 14. Configuring Linux Network Services Part 1 DHCP and DNS service

Lab 6 Implementing DNSSEC

IT341 Introduction to System Administration Project V Implementing DNS

BIND 9 Administrator Reference Manual

BIND 9 Administrator Reference Manual. BIND Version P3

Secured Dynamic Updates

Agha Mohammad Haidari General ICT Manager in Ministry of Communication & IT Cell#

RHCE BOOT CAMP BIND. Wednesday, November 28, 12

Network Protocols. DNS Intel *slightly modified public version of another talk. TDC 375 Autumn 2009/10 John Kristoff DePaul University 1

Authoritative-only server & TSIG

Configuring CWMP Service

Advanced Caching DNS Server

DNS / DNSSEC Workshop. bdnog November 2017, Dhaka, Bangladesh

Application Session (Hands-on) Athanassios Liakopoulos (GRNET) version 1.01

DNS & DHCP CONFIGURATION

BIG-IP DNS Services: Implementations. Version 12.1

Overview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly

DNS Pharming Attack Lab

Web Portal User Manual for

agility_dns_docs_17 Documentation

Managing DNS Firewall

Domain Name System - Advanced Computer Networks

How to Add Domains and DNS Records

Based on Brian Candler's materials ISOC CCTLD workshop

DNSSEC for Humans and BIND 10. Paul Vixie Internet Systems Consortium June 9, 2011

Development of the Domain Name System

How to Configure the DNS Server

DNS Session 1: Fundamentals. Based on Brian Candler's materials ISOC CCTLD workshop

SOFTWARE USER MANUAL (SUM): TRAINING, PROCEDURAL, AND DEVELOPMENT DOCUMENTATION

Maintained and stored on the domain s master name server Two types of entries. Used to store the information of The real part of DNS database

DNS. Introduction To. everything you never wanted to know about IP directory services

BIG-IP DNS Services: Implementations. Version 12.0

Configuring Answers and Answer Groups

Configuring Answers and Answer Groups

You can specify IPv4 and IPv6 addresses while performing various tasks in this feature. The resource

BIND-USERS and Other Debugging Experiences. Mark Andrews Internet Systems Consortium

Running the Setup Web UI

ip dhcp-client network-discovery through ip nat sip-sbc

How the web works - 2. How the web works - 2. Names and Numbers. Transmission Control Protocol / Internet Protocol

Internet Engineering Task Force (IETF) Request for Comments: 7706 Category: Informational ISSN: November 2015

Django IPRestrict Documentation

DEPLOY A DNS SERVER IN A SECURE WAY

What's so hard about DNSSEC? Paul Ebersman May 2016 RIPE72 Copenhagen

Prepared by Shiba Ratna Tamrakar

Running the Setup Web UI

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

Cisco Expressway Cluster Creation and Maintenance

DNS Concepts. Acknowledgements July 2005, Thimphu, Bhutan. In conjunction with SANOG VI. Bill Manning Ed Lewis Joe Abley Olaf M.

Wireshark Lab: DNS Please note that this exercise is designed for Windows machines. Change the commands accordingly if you are using Linux.

Internet Load Balancing Guide. Peplink Balance Series. Peplink Balance. Internet Load Balancing Solution Guide

Services: DNS domain name system

CS519: Computer Networks. Lecture 6: Apr 5, 2004 Naming and DNS

How to Configure Route 53 for F-Series Firewalls in AWS

Experience with 8 bit label in JP Zone

Split DNS. Finding Feature Information

Configure High Availability and Scalability

Managing Zones. Staged and Synchronous Modes CHAPTER. See Also

Split DNS. Finding Feature Information

DNS. Karst Koymans & Niels Sijm. Friday, September 14, Informatics Institute University of Amsterdam

BIND 9.11 Update. August 31, ISC

DNS Firewall with Response Policy Zone. Suman Kumar Saha bdcert Amber IT Limited

Installing MyDNS And The MyDNSConfig Control Panel On Fedora 8

SA3 E7 Advanced Linux System Administration III Internet Network Services and Security

Updates: 2535 November 2003 Category: Standards Track

DNS CACHE POISONING LAB

DNS and HTTP. A High-Level Overview of how the Internet works

Advanced SUSE Linux Enterprise Server Administration (Course 3038) Chapter 3 Configure Network Services

Novell Internet Security Management with BorderManager 3.5: Enterprise Edition.

Improving DNS Security and Resiliency. Carlos Vicente Network Startup Resource Center

DNS. Some advanced topics. Karst Koymans. Informatics Institute University of Amsterdam. (version 17.2, 2017/09/25 12:41:57)

Enabling and Configuring DNS Traffic Control in NIOS 7.x

APNIC elearning: DNS Concepts

Chapter 19. Domain Name System (DNS)

Page 1 of 7 SUMMARY MORE INFORMATION. Windows 2000 DNS Event Messages 1616 Through Microsoft resource record (RR) problems.

DNS / DNSSEC Workshop. bdnog May 2017, Bogra, Bangladesh

agility17dns Release latest Jun 15, 2017

Migration to IPv6 using DNS64/NAT64. Stephan Lagerholm

Lesson 9: Configuring DNS Records. MOAC : Administering Windows Server 2012

Realms and Identity Policies

Mul$media Networking. #9 CDN Solu$ons Semester Ganjil 2012 PTIIK Universitas Brawijaya

IDN Deployment Test Results

Transcription:

IT 3100 - Domain Name System Revisited Curtis Larsen DSU-CIT Fall 2013 Curtis Larsen (DSU-CIT) IT 3100 - Domain Name System Revisited Fall 2013 1 / 14

Outline 1 Domain Name System - Revisited Load Balancing DNS Wildcard Named Configuration Checks Advanced Named Commands Named Access Control Lists Other DNS Thoughts Curtis Larsen (DSU-CIT) IT 3100 - Domain Name System Revisited Fall 2013 2 / 14

Load Balancing Domain Name System - Revisited Load Balancing High traffic sites may produce too much traffic for one server to handle. This situation can apply to many services, but HTTP is an obvious one. In this case, it is easy to bring up extra servers with the same content. Clients need not be made aware, if the same FQDN points to multiple IP addresses. This can be accomplished with multiple A records for one name. DNS servers rotate the IPs when they return them. This rotation causes roughly even distribution of load. Curtis Larsen (DSU-CIT) IT 3100 - Domain Name System Revisited Fall 2013 3 / 14

Load Balancing Example Load Balancing Zone file entries: abe IN A 144.38.214.10 abe IN A 144.38.214.11 abe IN A 144.38.214.12 Query 1: $ dig @144.38.214.2 abe.dsutux.us A egrep ^abe abe.dsutux.us. 3600 IN A 144.38.214.10 abe.dsutux.us. 3600 IN A 144.38.214.11 abe.dsutux.us. 3600 IN A 144.38.214.12 Query 2: $ dig @144.38.214.2 abe.dsutux.us A egrep ^abe abe.dsutux.us. 3600 IN A 144.38.214.12 abe.dsutux.us. 3600 IN A 144.38.214.10 abe.dsutux.us. 3600 IN A 144.38.214.11 Curtis Larsen (DSU-CIT) IT 3100 - Domain Name System Revisited Fall 2013 4 / 14

DNS Wildcard Domain Name System - Revisited DNS Wildcard Some sites want all host names to be specified, or give negative hit. Some sites want to wildcard so unspecified names are all handled by a single record. For example, this is appropriate for sites with a large number of virtual hosts on the same web server. Curtis Larsen (DSU-CIT) IT 3100 - Domain Name System Revisited Fall 2013 5 / 14

DNS Wildcard Example DNS Wildcard Zone file entries: * IN A 144.38.214.13 IN MX 10 mail Queries: $ dig @144.38.214.2 bob.dsutux.us A grep ^bob bob.dsutux.us. 3600 IN A 144.38.214.13 $ dig @144.38.214.2 barney.dsutux.us A grep ^barney barney.dsutux.us. 3600 IN A 144.38.214.13 $ dig @144.38.214.2 fred.dsutux.us MX grep ^fred fred.dsutux.us. 3600 IN MX 10 mail.dsutux.us. Curtis Larsen (DSU-CIT) IT 3100 - Domain Name System Revisited Fall 2013 6 / 14

Named Configuration Checks Named Configuration Checks /var/log/syslog shows errors when named is restarted. named.conf* and all zone files (db.*) can have syntax errors. Want to check for syntax errors before restarting named? named-checkconf or named-checkconf -z named-checkzone Curtis Larsen (DSU-CIT) IT 3100 - Domain Name System Revisited Fall 2013 7 / 14

Named Configuration Checks Named Configuration Checks Examples Configuration file error: $ named-checkconf /etc/bind/named.conf.options:32: unknown option foo /etc/bind/named.conf.options:33: unexpected token near } No configuration file error: $ named-checkconf $ Test loading of zone files (no errors): $ named-checkconf -z zone dsutux.us/in: loaded serial 2013102901 zone games.horgoth.com/in: loaded serial 2013100801 zone 0-31.214.38.144.in-addr.arpa/IN: loaded serial 201310 zone localhost/in: loaded serial 2 zone 127.in-addr.arpa/IN: loaded serial 1 zone 0.in-addr.arpa/IN: loaded serial 1 zone 255.in-addr.arpa/IN: loaded serial 1 Curtis Larsen (DSU-CIT) IT 3100 - Domain Name System Revisited Fall 2013 8 / 14

Named Configuration Checks Named Configuration Checks Examples Zone file no error: $ named-checkzone dsutux.us /etc/bind/db.dsutux.us zone dsutux.us/in: getaddrinfo(ns1.ubuntu.dsutux.us) faile zone dsutux.us/in: getaddrinfo(ns2.ubuntu.dsutux.us) faile zone dsutux.us/in: loaded serial 2013102901 OK Zone file error: $ named-checkzone dsutux.us /etc/bind/db.dsutux.us /etc/bind/db.dsutux.us:103: unknown RR type bad zone dsutux.us/in: loading from master file /etc/bind/db.d zone dsutux.us/in: not loaded due to errors. Curtis Larsen (DSU-CIT) IT 3100 - Domain Name System Revisited Fall 2013 9 / 14

Named Configuration Checks Named Configuration Checks Examples Test loading of all zone files with error: $ named-checkconf -z /etc/bind/db.dsutux.us:103: unknown RR type bad zone dsutux.us/in: loading from master file /etc/bind/db.d zone dsutux.us/in: not loaded due to errors. _default/dsutux.us/in: unknown class/type zone games.horgoth.com/in: loaded serial 2013100801 zone 0-31.214.38.144.in-addr.arpa/IN: loaded serial 201310 zone localhost/in: loaded serial 2 zone 127.in-addr.arpa/IN: loaded serial 1 zone 0.in-addr.arpa/IN: loaded serial 1 zone 255.in-addr.arpa/IN: loaded serial 1 Curtis Larsen (DSU-CIT) IT 3100 - Domain Name System Revisited Fall 2013 10 / 14

Named Commands Advanced Named Commands sudo rndc commands: reload # reload all configuration files reload zone # reload one zone stats # write stats to /var/cache/bind/named.stats dumpdb # write cache to /var/cache/bind/named dump.db flush # empty cache -h # see full list of commands Curtis Larsen (DSU-CIT) IT 3100 - Domain Name System Revisited Fall 2013 11 / 14

Named ACL Domain Name System - Revisited Named Access Control Lists In the named.conf* files, you can define and use access control lists. Allows for write once, use many configuration. Fix/update in one place. Already have any, none, localhost, and localnets. Curtis Larsen (DSU-CIT) IT 3100 - Domain Name System Revisited Fall 2013 12 / 14

Named ACL Example Named Access Control Lists Configure caching lookup clients in named.conf.options: acl my_lan { 144.38.214.0/27; };... allow-query { my_lan; localhost; }; allow-recursion { my_lan; localhost; };... Configure slave IPs in named.conf.local: acl my_slaves { 144.38.214.3; };... allow-transfer { my_slaves; localhost; };... Curtis Larsen (DSU-CIT) IT 3100 - Domain Name System Revisited Fall 2013 13 / 14

Other DNS Thoughts Other DNS Thoughts Bind9 can simultaneously serve as a caching lookup and authoritative server. Would there be times when it would be advantageous to separate the functionality into separate servers? Behind a single public IP, NAT configuration, multiple machines are running. How could you make the public internet see the single IP for translation, but the internal machines see the local network address for machines? Views. Curtis Larsen (DSU-CIT) IT 3100 - Domain Name System Revisited Fall 2013 14 / 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback