A network community is an organism, working through the orchestrated cooperation of many parts. We need to understand its operation carefully in order to make it work well. The choices we make about the system can make it easy or difficult to understand, efficient or inefficient. This is the challenge of community planning.
Within a local area network, a top-down approach is useful for understanding host interrelationships. We therefore begin at the local network level, i.e. at the level of the collective society of machines.
In most daily situations, one starts with a network already in place, i.e. we do not have to build one from scratch. For an administrator, it is important to know what hardware one has to work with and where everything is to be found; how it is organized (or not) and so on.
Principle 9 (Resource map). A resource map of a site aids the predictability of the system by allowing an administrator to learn about the parts of the system, understand interrelationships and prepare a contingency plan for expected problems with the specific elements.
Here is a checklist:
• How does the network physically fit together? (What is its topology?)
• How many different subnets does the network have?
• What are their network addresses?
• Find the router addresses (and the default routes) on each segment.
• What is the netmask?
• What hardware is there in the network? (Hosts, printers etc.)
• Which function does each host/machine have on the network?
Some hardware can be efficiently identified and queried using SNMP technology. Most newer network hardware supports some kind of querying using SNMP protocols (see section 6.4.1). This is a form of network communication which talks directly to the device and extracts its hardware profile. Without SNMP, identifying hardware automatically is problematic. One author has proposed using the Unix log service syslogd to track hardware configurations [250]. An overview of network services can sometimes be obtained using port-scanning software, such as nmap, though this should be agreed in advance to avoid misunderstandings. Many network intrusion attempts begin with port scans; these can make security conscious administrators nervous.
Of course, when automated methods fail, one can always resort to a visual inspection. In any event, an organization needs some kind of inventory list for the purpose of insurance or theft, if not merely for good housekeeping. A rough overview of all this information needs to be assembled in system administrators’ minds, in order to understand the challenge ahead.
Having thought about the network in its entirety, we can drop down a level and begin to think about individual host machines. We need to know hosts both from the viewpoint of hardware and software.
• What kind of machines are on the network? What are their names and addresses and where are they? Do they have disks? How big? How much memory do they have? If they are PCs, which screen cards do they have?
• How many CPUs do the hosts have?
• What operating systems are running on the network? MS-DOS, Novell, Windows or Unix? (If so which Unix? GNU/Linux, Solaris, HPUX?)
• What kind of network cables are used?
• Where are hubs/repeaters/the router or other network control boxes located? Who is responsible for maintaining them?
• What is the hierarchy of responsibility?
There is also information about the local environment:
• What is the local timezone?
• What broadcast address convention is used? 255 or the older 0?
• Find the key servers on these networks.
– Where are the network disks located? Which machine are they attached to?
– Which name service is in use (DNS, NIS or NIS plus)?
– Where is the inevitable WWW/HTTP service? Who is running pirate servers?
Finding and recording this information is an important learning process, and the information gathered will prove invaluable for the task ahead. Of course, the information will change as time goes by. Networks are not static; they grow and evolve with time, so we must remain vigilant in pursuit of the moving target.
3.8.1 Network naming orientation
Familiarizing oneself with an organization’s network involves analyzing the network’s hosts and all of their interrelationships. It is especially important to know who is responsible for maintaining different parts of the network. It might be us or it might be someone else. We need to know whom to contact when something is going wrong over which we have no control ourselves. The most obvious way to view an organization is by its logical structure. This is usually reflected in the names of different machines and domains. Whom do we call if the Internet connection is broken? What service contracts exist on hardware, what upgrade possibilities are there on software? What system is in use for making backups? How does one obtain a backup should the need arise? In short, it is essential to know where to begin in solving any problem which might arise, and whom to call if the responsibility for a problem lies with someone else.
The Internet is permeated by a naming scheme which, naturally, is used to describe organizational groupings of Internet addresses. We can learn a lot by inspecting the name data for an organization. Indeed, many organizations now see this as a potential security hazard and conceal their naming strategies from outsiders. The Domain Name Service (DNS) is the Internet’s primary naming service. It not only allows us to name hosts, but also whole organizations, placing many different IP addresses under a common umbrella. The DNS is thus a hierarchical organization of machine names and addresses. Organizations are represented by domains, and a domain is maintained either by or on behalf of each organization. Global domains are divided into countries, or groupings like .com and .org, and sub-domains are set up within larger domains, so that a useful name can be associated with the function of the organization. To analyze our own network, we begin by asking: who runs the DNS domain above ours?
For our organizational enquiry, we need an overview of the hosts which make up our organization. A host list can be obtained from the DNS using nslookup/dig or Nslookup etc. (unless that privilege has been revoked by the DNS administrator, see section 9.5.3). If there are Unix systems on the network, one can learn a lot without physical effort by logging onto each machine and using the uname command to find out what OS is being used:
sunshine% uname -a
SunOS nexus 5.9 Generic_112233-04 sun4u sparc
gnu% uname -a
Linux gnu 2.4.10-4GB #1 Fri Sep 28 17:20:21 GMT 2001 i686 unknown
This tells us that host nexus is a SunOS kernel version 5.9 (colloquially known as Solaris 2.9) system with a sun4u series processor, and that host gnu is a GNU/Linux system with kernel version 2.4.10. If the uname command doesn’t exist, then the operating system is an old dinosaur from BSD 4.3 days and we have to find out what it is by different means. Try the commands arch and mach.
Knowing the operating system of a host is not sufficient. We also need to know what kind of resources the host has to offer the network, so that we can later plan the distribution of services. Thus we need to dig deeper:
• How much memory does a host have? (Most systems print this when they boot. Sometimes the information can be coaxed out of the system in other ways.) What disks and other devices are in use?
• Use locate, find, which and whereis to find important directories and software. How is the software laid out?
• What software directories exist? /usr/local/bin, /local/bin?
• Do the Unix systems have a C compiler installed? This is often needed for installing software.
Finding out information about other operating systems, such as Windows, which we cannot log onto is a tedious process. It must be performed by manual inspection, but the results are important nonetheless.
3.8.2 Using nslookup and dig
The nslookup program is for querying the Domain Name Service (DNS). On Unix it has now been officially deprecated and replaced by a new program, dig or host, in the source implementations of the BIND software. On Windows one has Nslookup. It is still in widespread use, however, in both Unix and Windows milieux. Moreover, IPv6 lookup does not work in all implementations of nslookup. The name service provides a mapping or relationship between Internet numbers and Internet names, and contains useful information about domains: both our own and others. The first thing we need to know is the domain name. This is the suffix part of the Internet name for the network. For instance, suppose our domain is called example.org. Hosts in this domain have names like hostname.example.org.
If you don’t know your DNS domain name, it can probably be found by looking at the file /etc/resolv.conf on Unix hosts. For instance:
gnu% more /etc/resolv.conf
domain example.org
nameserver 192.0.2.10
nameserver 192.0.2.17
nameserver 192.0.2.244
Also most Unix systems have a command called domainname. This prints the name of the local Network Information Service (NIS) domain which is not the same thing as the DNS domain name (though, in practice, many sites would use the same name for both). Do not confuse the output of this command with the DNS domain name.
Once you know the domain name, you can find out the hosts which are registered in your domain by running the name service lookup program nslookup, or dig.
gnu% nslookup
Default Server: mother.example.org
Address: 192.0.2.10
nslookup always prints the name and the address of the server from which it obtains its information. Then you get a new prompt > for typing commands. Typing help provides a list of the commands which nslookup understands.
Hostname/IP lookup
Type the name of a host or Internet (IP) address and nslookup returns the equivalent translation. For example:
host% nslookup
Default Server: mother.example.org
Address: 192.0.2.10
> www.gnu.org
Server: mother.example.org
Address: 192.0.2.10
Name: www.gnu.org
Address: 206.126.32.23
> 192.0.2.238
Server: mother.example.org
Address: 192.0.2.10
Name: dax.example.org
Address: 192.0.2.238
In this example we look up the Internet address of the host called www.gnu.org and the name of the host which has Internet address 192.0.2.238. In both cases the default server is the name server mother.example.org which has Internet address 192.0.2.10.
Note that the default server is the first server listed in the file /etc/resolv.conf which answers queries when nslookup is started. Using dig, we write the following to find IPv4 A records:
host% dig -t a www.gnu.org
; <<>> DiG 9.2.1 <<>> -t a www.gnu.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33680
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5
;; QUESTION SECTION:
;www.gnu.org. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
gnu.org. 86388 IN NS nic.cent.net.
gnu.org. 86388 IN NS ns1.gnu.org.
gnu.org. 86388 IN NS ns2.gnu.org.
gnu.org. 86388 IN NS ns2.cent.net.
gnu.org. 86388 IN NS ns3.gnu.org.
;; ADDITIONAL SECTION:
nic.cent.net. 101919 IN A 140.186.1.4
ns1.gnu.org. 118216 IN A 199.232.76.162
ns2.gnu.org. 118216 IN A 195.68.21.199
ns2.cent.net. 101919 IN A 140.186.1.14
ns3.gnu.org. 118216 IN A 209.115.72.62
;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 6 13:21:28 2002
;; MSG SIZE rcvd: 223
The ‘-t’ argument specifies the type of record to be looked up when using the hostname as an argument. Thus, to look up IPv6 ‘AAAA’ records, we write
host% dig -t aaaa daneel.iu.hio.no
; <<>> DiG 9.2.1 <<>> -t aaaa daneel.iu.hio.no
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61573
;; QUESTION SECTION:
;daneel.iu.hio.no. IN AAAA
;; ANSWER SECTION:
daneel.iu.hio.no. 14400 IN AAAA 2001:700:700:3:290:27ff:fea2:477b
;; AUTHORITY SECTION:
iu.hio.no. 14400 IN NS cube.iu.hio.no.
iu.hio.no. 14400 IN NS nexus.iu.hio.no.
;; ADDITIONAL SECTION:
dns.hio.no. 5582 IN A 158.36.161.3
dns.hio.no. 86038 IN AAAA 2001:700:700:1::3
cube.iu.hio.no. 14400 IN A 128.39.74.16
cube.iu.hio.no. 14400 IN AAAA 2001:700:700:4:290:27ff:fe93:6723
nexus.iu.hio.no. 14400 IN A 128.39.89.10
quetzalcoatal.iu.hio.no. 14400 IN A 128.39.89.26
;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 6 13:23:09 2002
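The dig answers above are sectioned text that is easy to read but tedious to copy into a resource map by hand. The following added example (not code from the book) parses such output into resource records and pairs each nameserver from the AUTHORITY section with its glue address from ADDITIONAL; the sample text is constructed from the gnu.org answer above.

```python
# Added example (not from the book): parse dig's sectioned output into
# resource records, then pair each NS in AUTHORITY with its glue address.
import re
from collections import defaultdict

# Constructed sample, modelled on the 'dig -t a www.gnu.org' output above.
SAMPLE_DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33680
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.gnu.org.                   IN      A
;; ANSWER SECTION:
www.gnu.org.            300     IN      A       206.126.32.23
;; AUTHORITY SECTION:
gnu.org.                86388   IN      NS      nic.cent.net.
gnu.org.                86388   IN      NS      ns1.gnu.org.
;; ADDITIONAL SECTION:
nic.cent.net.           101919  IN      A       140.186.1.4
ns1.gnu.org.            118216  IN      A       199.232.76.162
;; Query time: 5 msec
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")

def parse_dig(text):
    """Return {section: [(name, ttl, class, type, rdata), ...]}."""
    records = defaultdict(list)
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line.rstrip())
        if m:
            section = m.group(1)
        elif section == "QUESTION" and line.startswith(";"):
            name, rclass, rtype = line[1:].split()  # question has no TTL
            records[section].append((name, None, rclass, rtype, ""))
        elif line.strip() and not line.startswith(";") and section:
            # Other ';' lines are the banner, header flags and timing footer.
            name, ttl, rclass, rtype, rdata = line.split(None, 4)
            records[section].append((name, int(ttl), rclass, rtype, rdata))
    return dict(records)

def nameservers_with_glue(records):
    """Map each NS target in AUTHORITY to its A/AAAA glue from ADDITIONAL."""
    glue = defaultdict(list)
    for name, _, _, rtype, rdata in records.get("ADDITIONAL", []):
        if rtype in ("A", "AAAA"):
            glue[name].append(rdata)
    return {rdata: glue.get(rdata, [])
            for _, _, _, rtype, rdata in records.get("AUTHORITY", [])
            if rtype == "NS"}
```

A nameserver that appears in AUTHORITY with an empty glue list is one whose address must be resolved separately before it can be recorded.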
Similarly, IPv4 reverse lookup is performed with:
dig -x 192.0.1.3
As to what works with IPv6 – this is a study in confusion. To date the only method that seems to work on newer versions of BIND is
host -n 2001:700:700:4:290:27ff:fe93:6723
There has been disagreement about the name of the reverse lookup domain for IPv6. As of January 2003, it has finally been decided that it will be called ip6.arpa, but some resolvers still try to look up ip6.int. This can cause all manner of confusion (see section 9.5.9). Try this:
host$ host -n 2001:700:700:3:0:0:0:1
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.0.0.7.0.0.0.7.0.1.0.0.2.ip6.int domain name pointer ip6-gw.p52.hio.no.
host$ host -t PTR 1....3.0.0.0.0.0.7.0.0.0.7.0.1.0.0.2.ip6.arpa
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.0.0.7.0.0.0.7.0.1.0.0.2.ip6.arpa domain name pointer ip6-gw.p52.hio.no.
host$ host -t PTR 1....3.0.0.0.0.0.7.0.0.0.7.0.1.0.0.2.ip6.int
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.0.0.7.0.0.0.7.0.1.0.0.2.ip6.int domain name pointer ip6-gw.p52.hio.no.
Note that these horrendous lines are too wide for the page of the book and have been abbreviated here; in the reverse ‘nibble’ format one must type out all of the ‘.0.0’s between the 1 and the 3 above.
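Because the reverse names are so easy to mistype, the following added example (not code from the book) builds the PTR owner name that dig -x and host -n query, for IPv4 under in-addr.arpa and for IPv6 under ip6.arpa or the older ip6.int, expanding the ‘::’ and dropped leading zeros so that every nibble is written out; it uses only Python’s standard ipaddress module.

```python
# Added example (not from the book): build reverse-lookup names for the
# IPv4 and IPv6 addresses used with 'dig -x' and 'host -n' above.
import ipaddress

def reverse_name(address, ipv6_suffix="ip6.arpa"):
    """Return the PTR owner name for an IPv4 or IPv6 address.

    IPv4: the four octets reversed under in-addr.arpa.
    IPv6: all 32 hex nibbles of the fully expanded address, reversed and
    dot-separated, under ip6.arpa (or ip6.int, which some resolvers
    still try, if that suffix is requested).
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        octets = str(ip).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    # 'exploded' gives eight zero-padded groups, so '::' compression and
    # dropped leading zeros are restored before the nibbles are reversed.
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + ipv6_suffix

def matches_stdlib(address):
    """Cross-check against ipaddress' own reverse_pointer (ip6.arpa form)."""
    return reverse_name(address) == ipaddress.ip_address(address).reverse_pointer
```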
Special information
The domain name service identifies certain special hosts which perform services like the name service itself and mail-handlers (called mail exchangers). These servers are identified by special records so that people outside of a given domain can find out about them. After all, the mail service in one domain needs to know how to send mail to a neighboring domain. It also needs to know how to find out the names and addresses of hosts for which it does not keep information personally.
We can use nslookup to extract this information by setting the ‘query type’ of a request. For instance, to find out about the mail exchangers in a domain we write
> set q=mx
> domain name
For example
> set q=mx
> otherdomain.org
Server: mother.example.org
Address: 192.0.2.10
Non-authoritative answer:
otherdomain.org preference = 0, mail exchanger = mercury.otherdomain.org
Authoritative answers can be found from:
otherdomain.org nameserver = mercury.otherdomain.org
otherdomain.org nameserver = delilah.otherdomain.org
mercury.otherdomain.org internet address = 158.36.85.10
delilah.otherdomain.org internet address = 129.241.1.99
Or
dig -t mx otherdomain.org
Here we see that the only mail server for otherdomain.org is mercury.otherdomain.org.
Another example is to obtain information about the nameservers in a domain. This allows us to find out information about hosts which is not contained in our local database. To get this, we set the query type to ns.
> set q=ns
> otherdomain.org
Server: mother.example.org
Address: 192.0.2.10
Non-authoritative answer:
otherdomain.org nameserver = delilah.otherdomain.org
otherdomain.org nameserver = mercury.otherdomain.org
Authoritative answers can be found from:
delilah.otherdomain.org internet address = 192.0.2.78
mercury.otherdomain.org internet address = 192.0.2.80
>
Here we see that there are two authoritative nameservers for this domain, called delilah.otherdomain.org and mercury.otherdomain.org.
Finally, other lookup criteria are provided. For instance, if we set the query type to ‘any’, we get a summary of all this information.
Listing hosts belonging to a domain
To list every registered Internet address and hostname for a given domain one can use the ls command inside nslookup. For instance
> ls example.org
[mother.example.org]
example.org. server = mother.example.org
example.org. server = mercury.otherdomain.org
pc59 192.0.2.59
pc59 192.0.2.59
pc196 192.0.2.196
etc...
In the listing, the nameservers are shown first and then the host names with their corresponding IP addresses. Newer nameservers can restrict access to prevent others from obtaining this list all in one go, since it is now considered a potential security hazard.
If we try to look up hosts in a domain for which the default nameserver has no information, we get an error message. For example, suppose we try to list the names of the hosts in the domain over ours:
> ls otherdomain.org [mother.example.org]
*** Can’t list domain otherdomain.org: Query refused
>
This does not mean that it is not possible to get information about other domains, only that we cannot find out information about other domains from the local server. See section 3.8.1.
Changing to a different server
If we know the name of a server which contains authoritative information for a domain, we can tell nslookup to use that server instead. That way it might be possible to list the hosts in a remote domain and find out detailed information about it. At the very least, it is possible to find out about key records, like nameservers and mail exchangers (MX). To change the server we simply type
> server new-server
Once this is done we use ls to list the names.
> server ns.college.edu
Default Server: ns.college.edu
Address: 192.0.2.10
> ls college.edu
(listing ..)
Another advantage of using the server which is directly responsible for the DNS data is that we obtain extra information about the domain, namely a contact address for the person responsible for administering the domain. For example:
> server ns.college.edu
Default Server: ns.college.edu
> college.edu
Server: ns.college.edu
Address: 192.0.2.10
college.edu preference = 0, mail exchanger = ns.college.edu
college.edu nameserver = ns.college.edu
college.edu
origin = ns.college.edu
mail addr = postmaster.ns.college.edu
serial = 1996120503
refresh = 3600 (1 hour)
retry = 900 (15 mins)
expire = 604800 (7 days)
minimum ttl = 86400 (1 day)
college.edu nameserver = ns.college.edu
ns.college.edu internet address = 192.0.2.10
This is probably more information than we are interested in, but it does tell us that we can address queries and problems concerning this domain to postmaster@ns.college.edu. (Note that DNS does not use the @ symbol for ‘at’ in these data.)
3.8.3 Contacting other domain administrators
Sometimes we need to contact other domains, perhaps because we believe there is a problem with their system, or perhaps because an unpleasant user from another domain is being a nuisance and we want to ask the administrators there to put that person through a long and painful death. We now know how to obtain one contact address using nslookup. Another good bet is to mail the one address which every domain should have: postmaster@domain. Various unofficial