DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific


DNS/DNSSEC Workshop, in collaboration with APNIC and HKIRC, Hong Kong, 22-24 January 2018. Champika Wijayatunga, Regional Security Engagement Manager, Asia Pacific.

Agenda
1. Introduction to DNS: DNS features; domains, delegations and zones; DNS servers; resolution process; caching; zone files; forward DNS vs reverse DNS
2. DNS Security
3. DNSSEC Overview

History
1983: DNS designed/invented by Paul Mockapetris (RFC 882 & 883)
1984: Berkeley Internet Name Domain (BIND) server developed; original seven generic TLDs (.com, .edu, .gov, .int, .mil, .net and .org)
1985: First country codes assigned (.us, .uk and .il)
1986: .au, .de, .fi, .fr, .jp, .kr, .nl and .se
1987: RFC 1034 (considered the first full DNS specification)
... Country-code TLDs continue to be added.
2000: Seven new TLDs added (.aero, .coop, .museum, .biz, .info, .name and .pro)
2012: New round of applications for gTLDs opened by ICANN

What is DNS?
A distributed database primarily used to obtain the IP address, a number, e.g. 192.0.32.7 (IPv4) or 2620:0:2d0:200::7 (IPv6), that is associated with a user-friendly name (www.icann.org).
  User -> DNS Server.  Query: What is www.icann.org?
  DNS Server -> User.  Answer: 192.0.32.7 or 2620:0:2d0:200::7

DNS Tree
Root (.)
  Top level: org, net, com, ... (generic TLDs); au, ..., sg (country-code TLDs)
  Second level: icann, isoc, ripe, apnic, example (names in generic TLDs); com, example (names in country-code TLDs)
  Below that: www, ssac
FQDN = Fully Qualified Domain Name, e.g. www.icann.org.

DNS Features

What are the Key Features of DNS?
- Hierarchical
- Globally distributed
- Dynamic
- Scalable
- Reliable
- Consistent

DNS Resolution, Servers, and Caching

Root Server Operation

What do the Root-Server Operators do?
- Copy a very small database, the content of which is currently decided by PTI (formerly IANA)
- Put that database in the servers called Root Servers
- Make the data available to all Internet users
- Their work stems from a common agreement about the technical basis:
  - Everyone on the Internet should have equal access to the data
  - The entire root system should be as stable and responsive as possible

What do the Root-Server Operators not do?
- Interfere with the content of the database (e.g. they run the printing presses, but don't write the book)
- Make policy decisions: who runs TLDs, or which domains are in them; what systems TLDs use, or how they are connected to the Internet

Who are the Root Server operators?
- Not "one group": 12 distinct operators
- Operational and technical cooperation
- Participate in RSSAC as an advisory body to ICANN
- High level of trust among operators
- Show up at many technical meetings, including IETF, ICANN, RIR meetings, NOG meetings, APRICOT, etc.

How Secure are the Root Servers?
- Physically protected
- Tested operational procedures
- Experienced, professional, trusted staff
- Defense against the major operational threat, i.e. DDoS: Anycast
  - Setting up identical copies of existing servers: same IP address, exactly the same data
  - Standard Internet routing will bring the queries to the nearest server
  - Provides better service to more users

Avoiding Common Misconceptions
- Not all Internet traffic goes through a root server
- Not every DNS query is handled by a root server
- Root servers are not managed by volunteers as a hobby; they are professionally managed and well funded
- No single organization (neither commercial nor governmental) controls the entire system
- The "A" server is not special
- Root Server Operators don't administrate the zone content; they publish the IANA-approved data

Root Server Operation @ICANN
+ ICANN is the L-Root operator
+ L-Root nodes keep Internet traffic local and resolve queries faster
+ Make it easier to isolate attacks
+ Reduce congestion on international bandwidth
+ Redundancy and load balancing with multiple instances

L-Root presence

L-Root presence
+ Geographical diversity via Anycast
+ Around 160 dedicated servers
+ Presence on every continent
+ On a normal basis 15 ~ 25 kqps, that is approximately 2 billion DNS queries a day
+ Interested in hosting an L-Root instance? Contact your ICANN Global Stakeholder Engagement Representative

Types of DNS Servers
- Authoritative servers: root servers, primary, secondary
- Recursive servers (also called recursive resolvers or caching servers)

DNS Resolution Process

Caching
Recursive (caching) servers not only find answers but also store them locally for the TTL period of time (TTL = Time To Live).

Domains, Delegations and Zones

Domains
The tree below the root: org, net, com, ..., au, sg; under org: icann, isoc, ripe, apnic; under au: com, then example.
A domain is a subtree of that tree: the org domain, the icann.org domain (containing www and learn), the au domain (containing com and example).

Delegations Administrators can create subdomains to group hosts According to geography, organizational affiliation etc. The authority of such subdomain(s) can be delegated to another party The parent domain retains links to the delegated subdomain The parent domain remembers to whom the subdomain is delegated 23

Zones
The same tree, divided into zones: the org zone, the icann.org zone (containing www), and a separately administered learn.icann.org zone.

Zone Files

Zone Data
- DNS zone data are hosted at an authoritative name server
- DNS zones contain resource records that describe name servers, IP addresses, hosts, services, cryptographic keys, signatures, etc.

Resource Records (RR)
A resource record consists of a resource mapping: Label, TTL, Class, Type, RData. Example:

  www   3600   IN   A   192.168.0.1

Most common types of RR: A, AAAA, NS, SOA, MX, CNAME

Field   Function
Label   Name; substitution for the FQDN
TTL     Timing parameter, an expiration limit
Class   IN for Internet, CH for Chaos
Type    RR type (A, AAAA, MX, PTR, ...) for different purposes
RDATA   Anything after the Type identifier; the payload of the record

Zone Files

$TTL 86400        ; 24 hours; could have been written as 24h or 1d
$ORIGIN example.test.
@    IN  SOA    ns1.example.test. hostmaster.example.test. (
                2017092701   ; serial number
                3H           ; refresh
                15           ; retry
                1w           ; expire
                3h )         ; nxdomain TTL
     IN  NS     ns1.example.test.              ; in the domain
     IN  NS     ns2.anotherexample.net.        ; external to domain
     IN  MX 10  mail.someotherexample.com.     ; external mail provider
ns1  IN  A      192.168.0.1                    ; name server definition
www  IN  A      192.168.0.2                    ; web server definition
ftp  IN  CNAME  www.example.test.              ; ftp server definition
host IN  A      192.168.0.3                    ; host definition
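To make the record fields and the zone-file syntax above concrete, here is a small zone-file parser added for this page (example code, not from the slides or any ICANN/APNIC tool). It handles the $ORIGIN and $TTL directives, the @ and relative owner names, BIND time units such as 3H and 1w, comments, the parenthesised multi-line SOA, and a blank owner meaning "same as the previous record"; the sample zone is constructed in the shape of the slide's example.test zone.

```python
import re
# Constructed sample zone, shaped like the workshop's example.test zone file.
ZONE_TEXT = """\
$TTL 86400 ; 24 hours
$ORIGIN example.test.
@   IN SOA ns1.example.test. hostmaster.example.test. (
        2017092701 3H 15M 1w 3h )  ; serial refresh retry expire neg-TTL
    IN NS ns1.example.test.
    IN NS ns2.anotherexample.net.   ; external to the domain
ns1 IN A 192.168.0.1
www 300 IN A 192.168.0.2            ; explicit TTL overrides $TTL
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
CLASSES = {"IN", "CH", "HS"}

def parse_ttl(text):
    """Convert a BIND-style TTL such as '3H', '1w' or '86400' to seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", text.lower())
    if not m:
        raise ValueError("bad TTL: " + text)
    return int(m.group(1)) * UNITS.get(m.group(2), 1)

def absolute(name, origin):
    """Expand '@' and relative owner names against the current $ORIGIN."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (owner, ttl, class, type, rdata) tuples in zone-file order."""
    origin, default_ttl, last_owner, records = None, None, None, []
    body = "\n".join(re.sub(r";.*", "", ln) for ln in text.splitlines())
    # Fold a parenthesised group (the multi-line SOA) onto one logical line.
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)
    for line in body.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1]
        elif toks[0] == "$TTL":
            default_ttl = parse_ttl(toks[1])
        else:
            # A line starting with whitespace reuses the previous owner name.
            if not line[0].isspace():
                last_owner = absolute(toks.pop(0), origin)
            ttl = parse_ttl(toks.pop(0)) if re.fullmatch(r"\d+[smhdw]?", toks[0], re.I) else default_ttl
            rclass = toks.pop(0) if toks[0] in CLASSES else "IN"
            records.append((last_owner, ttl, rclass, toks[0], " ".join(toks[1:])))
    return records
```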

Delegating a Zone
Delegation is done by adding NS records. Ex: if example.com wants to delegate training.example.com to another party:

training.example.test.   NS   ns1.training.example.test.
training.example.test.   NS   ns2.training.example.test.

Now how can we get to ns1 and ns2? We must add a Glue Record.

Glue Record
- Glue is non-authoritative data
- Don't include glue for servers that are not in the sub zone
- Only the name servers inside the delegated zone need glue records:

training.example.test.       NS   ns1.training.example.test.
training.example.test.       NS   ns2.training.example.test.
training.example.test.       NS   ns1.another_example.net.
training.example.test.       NS   ns2.another_example.net.
ns1.training.example.test.   A    192.0.2.1      ; glue record
ns2.training.example.test.   A    192.0.2.2      ; glue record

Delegating a Child Zone from a Parent Zone
On ns.example.test (parent zone example.test):
1. Add NS records and glue
2. Make sure there is no other data from the training.example.test. zone in the zone file
On ns.training.example.test (child zone training.example.test):
1. Set up a minimum of two servers
2. Create the zone file with NS records
3. Add all training.example.test data
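The parent-side rules from the glue and delegation slides (glue only for name servers inside the child zone, at least two NS records, and no other child data left in the parent file) can be checked mechanically. This is an added example, not code from the slides: given the parent's records as (owner, type, rdata) tuples, it reports in-child name servers that lack glue, address records for names outside the parent zone (which are not glue and do not belong there), a delegation with fewer than two NS records, and child-zone data that leaked into the parent; the record set is constructed and deliberately contains mistakes.

```python
# Constructed parent-zone records for example.test as (owner, type, rdata)
# tuples; the delegation of training.example.test contains two mistakes.
PARENT_ZONE = "example.test."
CHILD_ZONE = "training.example.test."
PARENT_RECORDS = [
    ("example.test.", "NS", "ns.example.test."),
    ("ns.example.test.", "A", "192.0.2.53"),
    ("training.example.test.", "NS", "ns1.training.example.test."),
    ("training.example.test.", "NS", "ns2.training.example.test."),
    ("training.example.test.", "NS", "ns1.another-example.net."),
    ("ns1.training.example.test.", "A", "192.0.2.1"),
    # ns2.training.example.test. has no glue: in-child servers need it.
    ("ns1.another-example.net.", "A", "198.51.100.9"),  # not in either zone
    ("www.training.example.test.", "A", "192.0.2.80"),  # child data in parent
]

def in_zone(name, zone):
    """True when name is the zone apex or lies below it."""
    return name == zone or name.endswith("." + zone)

def check_delegation(records, parent, child):
    """Return the problems a parent operator should fix before delegating."""
    ns_names = {r[2] for r in records if r[0] == child and r[1] == "NS"}
    glue = {r[0] for r in records if r[1] in ("A", "AAAA")}
    problems = []
    if len(ns_names) < 2:
        problems.append(f"{child} has fewer than two NS records")
    for ns in sorted(ns_names):
        if in_zone(ns, child) and ns not in glue:
            problems.append(f"missing glue for in-child name server {ns}")
    for owner, rtype, _ in records:
        is_addr = rtype in ("A", "AAAA")
        if owner == child and rtype == "NS":
            continue  # the delegation NS set itself belongs in the parent
        if in_zone(owner, child):
            if not (is_addr and owner in ns_names):  # only glue may stay
                problems.append(f"{rtype} {owner} belongs in the child zone")
        elif is_addr and not in_zone(owner, parent):
            problems.append(f"{owner} is outside {parent}: its address is not glue")
    return problems

if __name__ == "__main__":
    for p in check_delegation(PARENT_RECORDS, PARENT_ZONE, CHILD_ZONE):
        print("PROBLEM:", p)
```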

Propagation of DNS Data
Registry DB (database of domain names and registrants)
  -> Primary Server (authoritative server)
  -> zone updates, at the refresh time -> Secondary Servers (authoritative servers)
  -> at TTL expiry -> Caching Server

Engage with ICANN. Thank you and questions.
Visit us at icann.org. Email: champika.wijayatunga@icann.org