dns.workshop.hsgr

dns notes from a hsgr workshop

http://hackerspace.gr

  1. DNS Workshop • Evaggelos Balaskas • Serial: 2014011901
  2. disclaimer • This presentation is just supporting material based on a DNS workshop held at http://hackerspace.gr. • May have errors! Plz email me to correct them. • At the time you are reading this, the examples may have different values. • The domains used in this presentation are randomly selected. • Be aware of the serial on the first page!
  3. Before DNS, what? • /etc/hosts • C:\Windows\system32\drivers\etc\hosts • Postel - Mockapetris
  4. Now, what? • /etc/resolv.conf • nameserver 212.205.212.205
  5. Domain Name System • domain: hackerspace.gr. • resolution chain: root NS (.) → TLD NS (gr, run by ITE) → domain NS (dns1.papaki.gr) → @ (hackerspace.gr) A 185.4.135.249 • dig +trace hackerspace.gr. (notice the dot at the end)
  6. Root ns
  7. Root ns
  8. root ns • http://www.internic.net/domain/named.root • > dig.exe NS . @a.root-servers.net.
  9. Top Level Domains • http://www.iana.org/domains/root/db • Greek TLDs (as listed in the IANA root zone database):
      .gr       country-code   ICS-FORTH GR
      .δοκιμή   test           Internet Assigned Numbers Authority
  10. Top Level Domain: gr. (ITE)
      gr.  10748  IN  NS  gr-br.ics.forth.gr.
      gr.  10748  IN  NS  gr-m.ics.forth.gr.
      gr.  10748  IN  NS  estia.ics.forth.gr.
      gr.  10748  IN  NS  grdns.ics.forth.gr.
      gr.  10748  IN  NS  gr-at.ics.forth.gr.
      gr.  10748  IN  NS  gr-us.ics.forth.gr.
      gr.  10748  IN  NS  gr-ix.ics.forth.gr.
      gr.  10748  IN  NS  grdns-de.denic.de.
  11. Check gr domains • http://www.gr • dig +trace NS hackerspace.gr • dig +trace NS ebalaskas.gr • dig +trace NS goethe.gr • Check the differences! • dig +trace www.hackerspace.gr. • dig +trace A hackerspace.gr.
  12. Check domains • > dig A www.ert.gr +short • > dig NS nerit.gr +short [de nada!] ITE does not serve nerit.gr, but ... (see next slide)
  13. servers • Authoritative NS vs DNS resolvers (caching/recursive): the authoritative NS serves zone files, the resolver keeps answers in RAM (memory) • ns1.otenet.gr, ns2.otenet.gr (serve zone files – don’t ask ITE) • dns1.otenet.gr, dns2.otenet.gr (ask root NS – ask ITE – ask NS) • All OTE customers MUST use 212.205.212.205 (dns1 & dns2)
  14. Public DNS – caching servers • Google Public DNS (they record your dns queries): 8.8.8.8, 8.8.4.4 • opennicproject: 85.126.4.170 (T, AT), 151.236.10.135 (AT) (the above IPs are just an example, see http://www.opennicproject.org/) • opendns: 208.67.222.222 (resolver1.opendns.com), 208.67.220.220 (resolver2.opendns.com)
  15. RR – resource records • SOA - Start of Authority Record • NS - Name Server Record • MX - Mail Exchanger Record • A - IPv4 Address Record • CNAME - Host Alias Record • SRV - Services Record • TXT - Text Record • PTR - Pointer Record
  16. Start Of Authority
      > dig soa ebalaskas.gr +short
      ns14.ebalaskas.gr. ebalaskas.ebalaskas.gr. 2012052408 172800 3600 1209600 86400
      • domain: ebalaskas.gr • TTL: 86400 • Master NS: ns14.ebalaskas.gr. • Mail: ebalaskas.ebalaskas.gr. • Serial Number: 2012052408 • Refresh: 172800 (when the slave will try to refresh the zone from the master) • Retry: 1h (if the slave fails to contact the master) • Expiry: 2w (the slave removes the zone from memory) • Minimum: 24h (how long a Non eXistent DOMAIN answer is kept in memory)
  17. Serial number • Integer number • Must always be greater than the previous value • We change the serial on every DNS change • It is the way to notify the slave NS that a change has occurred • We use the reverse date format + AA (the change counter for that day) • eg. 2013/06/20-01 -> 2013062001
  18. NOTIFY • The master NS sends notifies (UDP packets) to all slave NS (the NS RRs in the zone file) • Slave NS compare their SERIAL with the master’s SERIAL • If the master’s serial is greater than the slave’s serial, then pull the zone (zone transfer)
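A worked example for slides 16-18, added here and not part of the workshop material: it parses the SOA answer shown on slide 16 (embedded as a constructed sample), bumps a date-based serial the way slide 17 describes, and applies the NOTIFY comparison of slide 18 using RFC 1982 serial arithmetic so it still holds if a serial ever wraps around 2^32.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample: the `dig soa ebalaskas.gr +short` answer from slide 16.
SAMPLE_SOA = ("ns14.ebalaskas.gr. ebalaskas.ebalaskas.gr. "
              "2012052408 172800 3600 1209600 86400")

@dataclass
class Soa:
    mname: str     # master (primary) name server
    rname: str     # responsible mailbox; the first dot stands for '@'
    serial: int
    refresh: int   # seconds between slave refresh attempts
    retry: int     # seconds before a failed refresh is retried
    expire: int    # seconds after which an unrefreshed slave drops the zone
    minimum: int   # negative-caching TTL (NXDOMAIN answers)

def parse_soa(rdata: str) -> Soa:
    """Split the seven SOA fields; the last five are unsigned 32-bit ints."""
    parts = rdata.split()
    if len(parts) != 7:
        raise ValueError(f"SOA rdata needs 7 fields, got {len(parts)}")
    nums = [int(p) for p in parts[2:]]
    if any(not 0 <= n < 2**32 for n in nums):
        raise ValueError("SOA numeric field outside the 32-bit range")
    return Soa(parts[0], parts[1], *nums)

def rname_to_email(rname: str) -> str:
    """'ebalaskas.ebalaskas.gr.' -> 'ebalaskas@ebalaskas.gr'."""
    local, _, domain = rname.rstrip(".").partition(".")
    return f"{local}@{domain}"

def next_serial(previous: int, today_ymd=None) -> int:
    """YYYYMMDDNN serial as on slide 17: the first change of a day is 01.
    Always returns a value above `previous`, even if the zone was already
    changed several times today or someone set a serial in the future."""
    if today_ymd is None:
        today_ymd = int(date.today().strftime("%Y%m%d"))
    candidate = max(today_ymd * 100 + 1, previous + 1)
    if candidate >= 2**32:
        raise ValueError("serial would overflow 32 bits")
    return candidate

def slave_should_transfer(master_serial: int, slave_serial: int) -> bool:
    """NOTIFY rule of slide 18 ("master's serial greater than slave's"),
    using RFC 1982 serial arithmetic so it still works across a wrap."""
    diff = (master_serial - slave_serial) % 2**32
    return 0 < diff < 2**31
```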
  19. TTL Time to Live How many seconds a DNS server (caching/resolver) should: • remember a record • wait before asking the master NS again for it • or keep records from a zone in memory (if expired). • TTL is the reason we (sometimes) need to flush!
  20. dns flushing A simple method to remove a specific entry or an entire zone from the memory/cache of a resolver name server. Useful when you don’t want to wait until the TTL expires.
  21. ttl (notice the TTL counting down between the two queries)
      > dig CNAME www.otenet.gr +nocomments +noqr +nocmd +nostats +noauthority +noadditional
      www.otenet.gr. 86074 IN CNAME otenet.gr.
      > dig CNAME www.otenet.gr +nocomments +noqr +nocmd +nostats +noauthority +noadditional
      www.otenet.gr. 86072 IN CNAME otenet.gr.
  22. ORIGIN • With origin we refer to the domain, or the zone file. • @ is the representative character • Origin can ONLY be an A record
      eg. yellowpagesbusiness.gr
      @    IN  A      195.170.6.20
      www  IN  CNAME  xo.gr.
  23. MX
      > dig MX gmail.com +short
      5 gmail-smtp-in.l.google.com.
      10 alt1.gmail-smtp-in.l.google.com.
      20 alt2.gmail-smtp-in.l.google.com.
      30 alt3.gmail-smtp-in.l.google.com.
      40 alt4.gmail-smtp-in.l.google.com.
      MX defines the mail servers that receive emails for a domain/email address.
  24. A - CNAME • hostname IN A 1.2.3.4 eg. ebalaskas.gr IN A 158.255.214.14 • hostname IN CNAME fqdn eg. www IN CNAME ebalaskas.gr. • A fqdn must always finish with a dot (.) or else it is a reference to another record inside the dns zone
  25. Round-robin DNS An example of DNS round robin (a poor man’s balancing mechanism): eg. example.com
      www  IN  A  1.2.3.4  (sometimes here!)
      www  IN  A  2.3.4.5  (sometimes there!)
  26. CDN: Web hosting • eg. webhosting on akamai or cloudflare • They serve a different www (IP) according to the cheapest network route (cost efficient) – looks like geolocation!!! • They don’t serve A records! only CNAMEs to www • CDN stands for content delivery network
  27. Check a domain eg cdn webhosting: www.plaisio.gr
      • GREECE > dig www.plaisio.gr +short
      plaisio.gr.edgesuite.net.
      a944.g.akamai.net.
      212.205.126.41
      212.205.126.34
      • GERMANY > dig www.plaisio.gr +short
      plaisio.gr.edgesuite.net.
      a944.g.akamai.net.
      87.245.215.73
      87.245.215.23
  28. TXT • txt RR are simply TEXT fields. • max length: 4000 characters • Syntax: hostname TTL IN TXT "TEXT TEXT TEXT" • So the customers must send us the text inside double quotes (plz don’t fax)
  29. TXT • is the only resource record that can expand to more than one line • syntax:
      joe IN TXT ("Located in a black hole" " somewhere over the rainbow")
      Be careful when using custom parsers
  30. Some examples:
      DZC IN TXT "eoMi3Yk"
      @ 3600 IN TXT "MS=ms70870252"
      @ IN TXT "v=spf1 a mx ip4:195.170.6.0/24 -all"
      turbo-smtp._domainkey IN TXT "k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDT3MWLni6so1q9eQggRYBCLHFjohZkCnYHH8gZNDBm6zRrodRVpWpJQW7x3cWWiuBhS1X0IfBB80l5tqFa+yc+mVgnk8tkUzOHFbPQPp4fi7egTpMtsQW/ZMrxw73SItNvPr72qvJTYZNPxarMx+ULjEWybcfEdXHPY8jslGcpCwIDAQAB"
  31. SPF • Sender Policy Framework • Mostly Microsoft • defines the mail servers that can send email for the domain they serve • The DNS check is done by the receiver mail server (see last page for reference)
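An added example (not the workshop's own code) for the TXT and SPF slides above: it concatenates the quoted strings of a multi-string TXT record as a resolver does, and evaluates the `ip4` and `all` terms of the slide 30 SPF record offline; `a` and `mx` need live DNS, so the function reports them as needing a lookup instead of guessing. The sample records are copied from the slides.

```python
import ipaddress
import re

# Constructed inputs, taken from the records shown on slides 29 and 30.
MULTI_STRING_TXT = 'joe IN TXT ("Located in a black hole" " somewhere over the rainbow")'
SPF_TXT = '@ IN TXT "v=spf1 a mx ip4:195.170.6.0/24 -all"'
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def txt_strings(rr: str) -> str:
    """Return the TXT RDATA as one string: every "..." piece is concatenated
    with no separator, which is how a resolver hands it to the application
    (the leading space inside the second string on slide 29 is deliberate)."""
    pieces = re.findall(r'"((?:[^"\\]|\\.)*)"', rr)
    if not pieces:
        raise ValueError("no quoted string in TXT record")
    return "".join(p.replace('\\"', '"') for p in pieces)

def spf_check_ip(record: str, ip: str) -> str:
    """Evaluate an SPF record for a sending IP, offline.
    ip4/ip6/all are evaluated here; a, mx, include, exists and ptr need DNS,
    so if no offline term matched before `all` the result is
    'needs-lookup:<mechanisms>' rather than a guess."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    addr = ipaddress.ip_address(ip)
    deferred = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower().split("/")[0]
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return RESULT[qualifier]
        elif name == "all":
            if deferred:
                return "needs-lookup:" + ",".join(deferred)
            return RESULT[qualifier]
        elif name in ("a", "mx", "include", "exists", "ptr"):
            deferred.append(name)
        # modifiers such as redirect=/exp= and unknown terms are ignored here
    return "needs-lookup:" + ",".join(deferred) if deferred else "neutral"
```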
  32. DKIM • The TXT RR holds the public key of the receiver mail server. • If defined, the sender mail server can encrypt the communication between the two mail servers. • We can’t convert a customer request from FAX. Plz ask for a text file from the customer. Pretty PLZ!
  33. SRV • Service Resource Record • Defines a service for a domain and the server that serves this service • Syntax: _service._protocol IN SRV PRI WEIGHT PORT target • Mostly for xmpp communications, SIP (voip communications), web service, mail service, ntp service etc (see last page for reference)
  34. some examples:
      _http._tcp          IN  SRV  10  5  80    www.tickethour.gr.
      _autodiscover._tcp  IN  SRV  10  0  443   mail.yellowpages.gr.
      _ntp._udp           IN  SRV  10  0  123   creta.logifer.gr.
      _xmpp-server._tcp   IN  SRV  5   0  5269  xmpp-server.l.google.com.
      _sip._tcp           IN  SRV  10  0  5061  sip.logifer.gr.
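Added example, not from the slides: it parses SRV lines in the zone-file syntax shown above and orders the targets the way a client is supposed to (RFC 2782: lowest priority first, weighted random choice within one priority). The sip2.example.gr. and backup.example.gr. records are constructed to exercise the weighting; the others are the slide's.

```python
import random
import re
from collections import namedtuple

# Zone-file SRV line: name [TTL] IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<name>_[^\s.]+\._(?:tcp|udp)(?:\.\S+)?)\s+(?:\d+\s+)?IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$", re.I)
Srv = namedtuple("Srv", "name priority weight port target")

def parse_srv(line: str) -> Srv:
    m = SRV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SRV record: {line!r}")
    prio, weight, port = (int(m[k]) for k in ("prio", "weight", "port"))
    if max(prio, weight, port) > 0xFFFF:
        raise ValueError("SRV priority/weight/port are 16-bit fields")
    return Srv(m["name"].lower(), prio, weight, port, m["target"])

# Constructed zone: records from the slide plus two extra _sip._tcp entries
# (sip2.example.gr., backup.example.gr.) to show weight and priority at work.
SAMPLE_ZONE = """
_xmpp-server._tcp IN SRV 5 0 5269 xmpp-server.l.google.com.
_sip._tcp IN SRV 10 0 5061 sip.logifer.gr.
_sip._tcp IN SRV 10 30 5061 sip2.example.gr.
_sip._tcp IN SRV 20 0 5061 backup.example.gr.
"""

def order_targets(records, rolls=None):
    """(target, port) in the order a client should try them (RFC 2782):
    ascending priority, then a weighted random pick inside each priority.
    `rolls` may supply the random numbers (0..total) for reproducibility."""
    roll = (lambda hi: next(rolls)) if rolls is not None else (lambda hi: random.randint(0, hi))
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # weight-0 entries first: they win only when the roll is exactly 0
        pool = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight > 0)
        while pool:
            x, running = roll(sum(r.weight for r in pool)), 0
            for r in pool:
                running += r.weight
                if running >= x:
                    ordered.append((r.target, r.port))
                    pool.remove(r)
                    break
    return ordered

def srv_lookup(zone_text: str, name: str, rolls=None):
    recs = [parse_srv(ln) for ln in zone_text.strip().splitlines()]
    return order_targets([r for r in recs if r.name == name.lower()], rolls)
```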
  35. PTR • dig +trace -x 185.4.135.249
      A.IN-ADDR-SERVERS.ARPA (operated by ARIN)
      B.IN-ADDR-SERVERS.ARPA (operated by ICANN)
      C.IN-ADDR-SERVERS.ARPA (operated by AfriNIC)
      D.IN-ADDR-SERVERS.ARPA (operated by LACNIC)
      E.IN-ADDR-SERVERS.ARPA (operated by APNIC)
      F.IN-ADDR-SERVERS.ARPA (operated by RIPE NCC)
  36. reverse zone
      > dig 135.4.185.in-addr.arpa. +trace
      135.4.185.in-addr.arpa. 172800 IN NS dns2.papaki.gr.
      135.4.185.in-addr.arpa. 172800 IN NS dns1.papaki.gr.
      https://apps.db.ripe.net/search/query.html?searchtext=135.4.185.in-addr.arpa
  37. subdomains • www.cs.teiath.gr.
      HOST    DOMAIN
      www.cs  teiath.gr (not a subdomain)
      www     cs.teiath.gr (subdomain, let’s check it)
      > dig A www.cs.teiath.gr +short
      195.130.109.88
      > dig NS cs.teiath.gr +short
      athena.teiath.gr.
      hermes.teiath.gr.
  38. DNS Ports • UDP port 53 (stateless) • TCP port 53 (stateful) • default UDP, switches to TCP when the message is >512 bytes
  39. Zone transfer • Transfers the zone from the authoritative name server to the slave name servers. • That makes DNS a distributed service • Authoritative name servers MUST open their firewall for UDP and TCP on port 53
  40. Useful links • http://www.zytrax.com/books/dns/ • http://www.internic.net/domain/named.root • http://www.iana.org/domains/root/db • http://www.kloth.net/services/dig.php • http://www.iana.org/ • http://www.ripe.net/ • http://www.openspf.org/ • http://www.gr-ix.gr/services/statistics/
