Academic year: 2021

Share "DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. ."

Copied!
9
0
0

Loading.... (view fulltext now)

Full text

(1)

Computer System Security and Management
SMD139
Lecture 5: Domain Name System
Peter A. Jonsson

DNS

Translation of hostnames to IP addresses

Hierarchical distributed database

DNS Hierarchy

Root name server
  .com name server
    Google.com name server
  .se name server
    LTU.se name server
  ...

The Root Name Servers

Keeps track of all top level domains


Top Level Domains

Two types:

ccTLDs (.fi, .se) - country code TLDs

gTLDs (.com, .org) - generic TLDs

http://www.icann.org/tlds

Centralizing DNS

Single point of failure

Not scalable

Traffic volume

Response time

Three Kinds of Queries

Recursive query

Iterative query - mandatory to support!

Reverse query - “what is the domain name for this MX query”

Recursive Example #1

Scenario: You want to know the IP of kerberos.kth.se


Recursive Example #2

NS queries TLD server for IP of kerberos.kth.se, gets a reply of the NS for kth.se

NS queries NS for kth.se for IP of host; the zone file defines a CNAME which shows kerberos is an alias for himinbjorg, and returns that and the A record (130.237.48.16)

Send this information back to the resolver, transaction complete

Iterative Example #1

Scenario: You want to know the IP of kerberos.kth.se

Resolver (you/your computer) asks local NS for kerberos.kth.se; let's assume it doesn't have it cached, so it has to keep digging

NS replies with referral to root servers

Iterative Example #2

Resolver queries root servers for kerberos.kth.se, gets TLD servers for .se in return

Resolver queries TLD for the host, gets NS for kth.se in return

Resolver queries kth.se which has the information, replies with both the CNAME and A record

Transaction done
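The two walks above (the local NS doing it in the recursive example, the resolver doing it in the iterative one) as an added, runnable model; this is example code written for this page, not the lecture's own material. The hierarchy is constructed (root delegates .se, .se delegates kth.se, kth.se holds the CNAME and A record from the slide); the server name ns.se-tld.example. is a placeholder.

```python
# Added example: a toy model of the iterative walk the slides describe. Data is
# constructed - each "server" is a dict of owner name -> list of (type, value).
ROOT = {"se.": [("NS", "ns.se-tld.example.")]}          # root knows the TLD servers
TLD_SE = {"kth.se.": [("NS", "ns.kth.se.")]}           # .se knows kth.se's name server
KTH = {                                                 # authoritative for kth.se
    "kerberos.kth.se.": [("CNAME", "himinbjorg.kth.se.")],
    "himinbjorg.kth.se.": [("A", "130.237.48.16")],
}
# Which server answers for which NS name (stands in for glue records).
SERVERS = {".": ROOT, "ns.se-tld.example.": TLD_SE, "ns.kth.se.": KTH}


def lookup(server, name, qtype):
    """Answer like a single server would: the data if it has the name, a referral
    (NS records of the closest zone it delegates) if not, otherwise NXDOMAIN."""
    if name in server:
        rrs = server[name]
        cname = [v for t, v in rrs if t == "CNAME"]
        if cname and qtype != "CNAME":
            # Alias: return the CNAME plus the target's records of the wanted type.
            target = [(t, v) for t, v in server.get(cname[0], []) if t == qtype]
            return "ANSWER", [("CNAME", cname[0])] + target
        return "ANSWER", [(t, v) for t, v in rrs if t == qtype]
    # Referral: longest delegated zone that is a suffix of the queried name.
    for zone, rrs in sorted(server.items(), key=lambda kv: -len(kv[0])):
        if name.endswith("." + zone) and any(t == "NS" for t, _ in rrs):
            return "REFERRAL", [v for t, v in rrs if t == "NS"]
    return "NXDOMAIN", []


def resolve_iteratively(name, qtype="A", max_hops=10):
    """Start at the root and follow referrals; returns (kind, data, trail)."""
    trail = []
    server_name = "."
    for _ in range(max_hops):
        kind, data = lookup(SERVERS[server_name], name, qtype)
        trail.append((server_name, kind))
        if kind == "REFERRAL":
            server_name = data[0]        # follow the first NS (real resolvers retry others)
            continue
        return kind, data, trail
    raise RuntimeError("referral loop for %s" % name)


class RecursiveServer:
    """The local NS of the recursive example: walks on the client's behalf and
    caches the result (TTLs left out to keep the model small)."""

    def __init__(self):
        self.cache = {}

    def query(self, name, qtype="A"):
        key = (name, qtype)
        if key in self.cache:
            return self.cache[key], True          # answered from cache, no walk
        kind, data, _ = resolve_iteratively(name, qtype)
        self.cache[key] = (kind, data)
        return (kind, data), False


if __name__ == "__main__":
    print(resolve_iteratively("kerberos.kth.se."))
    local_ns = RecursiveServer()
    print(local_ns.query("kerberos.kth.se."))    # walks: cached=False
    print(local_ns.query("kerberos.kth.se."))    # served from cache: cached=True
```

The trail returned by resolve_iteratively is the root → TLD → kth.se sequence from the slides; the second query through RecursiveServer never leaves the cache, which is the state the recursive example assumes away with "let's assume it doesn't have it cached".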

Registering Domains

Register with the proper authority for the TLD you want.


About Domain Names

Not case-sensitive

Each subdomain component limited to 63 characters

FQDN is limited to 255 characters

räksmörgås.se is a bad name
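An added check for the three rules on this slide, written for this page rather than taken from the lecture. It goes a step beyond the slide by converting non-ASCII labels to the "xn--" (IDNA/punycode) form that is what a name like räksmörgås.se actually becomes on the wire, which is the reason it is a bad name; the 255-character limit is the figure the slide quotes, and the normalisation is a simplified IDNA (NFKC plus lower-casing, not full nameprep).

```python
# Added example: hostname rules from the slide, applied to the wire-ready form.
import unicodedata

MAX_LABEL = 63
MAX_NAME = 255      # limit as quoted on the slide


def to_wire_name(name):
    """Lower-case (DNS is case-insensitive), NFKC-normalise, and punycode any
    non-ASCII label into its xn-- form. Simplified IDNA, enough to show the shape."""
    labels = []
    for label in unicodedata.normalize("NFKC", name.rstrip(".")).lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def check_hostname(name):
    """Return (True, wire_form) or (False, reason)."""
    wire = to_wire_name(name)
    if len(wire) > MAX_NAME:
        return False, "FQDN longer than %d characters" % MAX_NAME
    for label in wire.split("."):
        if not label:
            return False, "empty label"
        if len(label) > MAX_LABEL:
            return False, "label '%s' longer than %d characters" % (label, MAX_LABEL)
    return True, wire


def same_name(a, b):
    """Case-insensitive comparison the way a resolver does it."""
    return to_wire_name(a) == to_wire_name(b)


if __name__ == "__main__":
    for n in ["LTU.se.", "räksmörgås.se", "a" * 64 + ".se", "bad..name"]:
        print(n, "->", check_hostname(n))
    print(same_name("KTH.SE", "kth.se."))
```

Note that the user-visible name and the wire name differ for räksmörgås.se, so anything that compares, logs or filters on hostnames has to do so in the wire form to avoid treating the two spellings as different hosts.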

The Client Side

DNS clients

Configured via /etc/resolv.conf in most Unices

First line: “search csee.ltu.se ltu.se”

If you try to look up “krb1” and it can’t be found, it will first try to find “krb1.csee.ltu.se”, then “krb1.ltu.se”

Second/Third line: “nameserver <ip>”

Name Service Switch

Solaris and Linux provide /etc/nsswitch.conf, for specifying where to look for certain data

Example line: “hosts: files dns”
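The two client-side files from these slides, parsed by a small added example (written for this page, not part of the lecture). The file contents are constructed to match the slide's "search csee.ltu.se ltu.se" and "hosts: files dns"; the ndots rule (names with fewer than ndots dots, default 1, are tried through the search list first) is the glibc resolver's documented behaviour and goes slightly beyond what the slide states.

```python
# Added example: derive the lookup order a resolver takes from resolv.conf and
# nsswitch.conf. Both file contents below are constructed samples.
RESOLV_CONF = """\
# constructed sample
search csee.ltu.se ltu.se
nameserver 130.240.1.1
nameserver 130.240.1.2
"""

NSSWITCH_CONF = """\
# constructed sample
passwd: files
hosts:  files dns
"""


def _strip(line):
    return line.split("#", 1)[0].strip()


def parse_resolv_conf(text):
    cfg = {"search": [], "nameservers": [], "ndots": 1}
    for line in text.splitlines():
        line = _strip(line)
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            cfg["nameservers"].append(args[0])
        elif key in ("search", "domain"):
            cfg["search"] = args                  # last search/domain line wins
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    cfg["ndots"] = int(opt.split(":", 1)[1])
    return cfg


def candidate_names(name, cfg):
    """Names tried, in order. An absolute name (trailing dot) skips the search
    list; a name with at least ndots dots is tried as typed before expansion."""
    if name.endswith("."):
        return [name]
    expanded = ["%s.%s" % (name, d) for d in cfg["search"]]
    if name.count(".") >= cfg["ndots"]:
        return [name] + expanded
    return expanded + [name]


def hosts_sources(text):
    """Sources consulted for host lookups, in order, from the nsswitch hosts line."""
    for line in text.splitlines():
        line = _strip(line)
        if line.startswith("hosts:"):
            return line.split(":", 1)[1].split()
    return ["files", "dns"]        # assumption: common default when the line is absent


if __name__ == "__main__":
    cfg = parse_resolv_conf(RESOLV_CONF)
    print(cfg)
    print(candidate_names("krb1", cfg))          # search list first, then "krb1"
    print(candidate_names("www.kth.se", cfg))    # tried as typed first
    print(hosts_sources(NSSWITCH_CONF))          # ['files', 'dns']
```

The expansion order is the one the slide describes for "krb1". It also shows that every non-absolute lookup can generate extra queries to the search domains' servers, which is why scripts and configuration that mean a specific host should use the absolute name with a trailing dot.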


The Server Side

Managing DNS

Most common server: BIND, consists of:

The resolver library (used by gethostbyname() and relatives)

The name server, often called named

Make sure to watch out for security holes

Record types in DNS

SOA: Start of Authority

NS: Name Server definition

A: Host name to IP address mapping

CNAME: Canonical name, host alias

MX: Mail server definition

More Record Types

PTR: IP address to host name mapping

SRV: Service record


Reverse Records

Resides in in-addr.arpa domain

IP number is reversed: 1.1.240.130.in-addr.arpa is really 130.240.1.1

Reverse mapping is *NOT* optional!

Name Servers

If a name server has authority of a zone, it has all data for the zone in question

Two kinds of name servers - primary and secondary masters. Often referred to as master/slave

The slave pulls its data from the master

Name Servers #2

The pulling is called a “Zone transfer”

A single name server can be authoritative for several zones. It could also be master for one zone and slave for another

Guidelines and Rules

Always use FQDN for NS and MX records (Never CNAME, things will break)
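An added zone consistency check (example code for this page, not the lecture's) that covers two rules from the slides above: every address record must have a matching reverse (PTR) record in in-addr.arpa, and NS and MX records must name FQDNs that are not CNAMEs. The zone data is constructed; reverse_name goes beyond the slide in that the standard library's reverse_pointer also handles IPv6 (ip6.arpa).

```python
# Added example: lint constructed forward and reverse zone data against the
# "reverse mapping is not optional" and "never CNAME for NS/MX" rules.
import ipaddress

# Constructed records as (owner, type, value); names are absolute (trailing dot).
FORWARD_ZONE = [
    ("ltu.se.",       "NS",    "ns1.ltu.se."),
    ("ltu.se.",       "MX",    "10 mail.ltu.se."),
    ("ltu.se.",       "MX",    "20 mx.ltu.se."),     # breaks the rule: target is a CNAME
    ("ltu.se.",       "NS",    "ns2"),               # breaks the rule: not an FQDN
    ("ns1.ltu.se.",   "A",     "130.240.1.1"),
    ("mail.ltu.se.",  "A",     "130.240.1.2"),
    ("mx.ltu.se.",    "CNAME", "mail.ltu.se."),
    ("www.ltu.se.",   "A",     "130.240.1.3"),       # has no PTR in REVERSE_ZONE
]
REVERSE_ZONE = [
    ("1.1.240.130.in-addr.arpa.", "PTR", "ns1.ltu.se."),
    ("2.1.240.130.in-addr.arpa.", "PTR", "mail.ltu.se."),
]


def reverse_name(ip):
    """130.240.1.1 -> 1.1.240.130.in-addr.arpa. (IPv6 gives an ip6.arpa name)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_reverse(forward, reverse):
    """Address records whose PTR is missing or points at a different host:
    returns (owner, address, ptr_target_or_None)."""
    ptr = {owner: value for owner, t, value in reverse if t == "PTR"}
    problems = []
    for owner, t, value in forward:
        if t in ("A", "AAAA"):
            got = ptr.get(reverse_name(value))
            if got != owner:
                problems.append((owner, value, got))
    return problems


def check_ns_mx_targets(forward):
    """NS/MX records whose target is not an FQDN or is a CNAME."""
    cnames = {owner for owner, t, _ in forward if t == "CNAME"}
    problems = []
    for owner, t, value in forward:
        if t not in ("NS", "MX"):
            continue
        target = value.split()[-1]          # MX value is "<preference> <host>"
        if not target.endswith("."):
            problems.append((owner, t, target, "not an FQDN"))
        elif target in cnames:
            problems.append((owner, t, target, "target is a CNAME"))
    return problems


if __name__ == "__main__":
    print(reverse_name("130.240.1.1"))
    print(check_reverse(FORWARD_ZONE, REVERSE_ZONE))
    print(check_ns_mx_targets(FORWARD_ZONE))
```

Running this over real zone files before they are loaded catches exactly the cases the slide warns about (a mail exchanger that is an alias, an NS relative to the zone origin) instead of discovering them when mail or delegation breaks.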


Split DNS

Possibility to give different replies depending on who is asking

(How do you reproduce errors your customers are seeing with this?)

Troubleshooting DNS

dig is the command to use for querying DNS servers you want to troubleshoot

dig <recordtype> @<server> <name>

getent hosts <ip> might give a clue what your OS thinks is the right answer


Configuring primary master

// named.conf fragment (BIND): this server holds the master copy of both zones
zone "ahania.com" {
    type master;
    file "ahania.com.db";          // forward zone data
};

zone "10.168.192.in-addr.arpa" {
    type master;
    file "192.168.10.rev";         // reverse zone for 192.168.10.0/24
};

Configuring secondary master

// named.conf fragment (BIND): this server pulls both zones from 192.168.10.1
zone "verdana.com" {
    type slave;
    masters { 192.168.10.1; };     // keyword is "masters", even for a single address
    file "sec/verdana.com.db";     // local copy written after the zone transfer
};

zone "10.168.192.in-addr.arpa" {
    type slave;
    masters { 192.168.10.1; };
    file "sec/192.168.10.rev";
};

Security

Zone Transfers


Transaction Signatures

Provides secure server to server communication (zone transfer, notify, recursive queries)

Uses shared secrets and a hash function for authentication

Relatively light weight
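The shared-secret mechanism the two slides above describe (zone transfers protected by transaction signatures), reduced to its core in an added example written for this page, not taken from the lecture or from BIND: an HMAC over the message and the signing time that only holders of the key can produce or check. The key and the transfer request are constructed, the error names are the ones TSIG defines, and the real TSIG record layout (RFC 8945) is not reproduced.

```python
# Added example: shared-secret message authentication of the kind TSIG uses
# between a primary and its secondaries. All values below are constructed.
import hashlib
import hmac

# Constructed shared secret; in practice generate one (e.g. with tsig-keygen) and
# install it on the primary and the secondary only.
SHARED_KEY = hashlib.sha256(b"constructed demo key, not a real secret").digest()
FUDGE = 300          # seconds of clock difference tolerated (BIND's default)


def tsig_mac(message, key, signed_at):
    """HMAC-SHA256 over the message and its signing time. The message itself stays
    readable to anyone on the path (TSIG adds no confidentiality)."""
    return hmac.new(key, message + signed_at.to_bytes(6, "big"), hashlib.sha256).digest()


def verify_tsig(message, key, signed_at, mac, now):
    """Receiver side: reject stale signatures first, then check the MAC in
    constant time. Return (ok, status) using TSIG's own status names."""
    if abs(now - signed_at) > FUDGE:
        return False, "BADTIME"
    if not hmac.compare_digest(tsig_mac(message, key, signed_at), mac):
        return False, "BADSIG"
    return True, "NOERROR"


# Constructed stand-in for a zone transfer request (a real one is a DNS packet
# with an AXFR question section).
AXFR_REQUEST = b"AXFR ahania.com. from 192.168.10.2"


def demo():
    """Four cases a secondary/primary pair would see."""
    t = 1_600_000_000
    mac = tsig_mac(AXFR_REQUEST, SHARED_KEY, t)
    return {
        "genuine":   verify_tsig(AXFR_REQUEST, SHARED_KEY, t, mac, now=t + 5),
        "tampered":  verify_tsig(AXFR_REQUEST + b"x", SHARED_KEY, t, mac, now=t + 5),
        "wrong_key": verify_tsig(AXFR_REQUEST, b"some other key", t, mac, now=t + 5),
        "replayed":  verify_tsig(AXFR_REQUEST, SHARED_KEY, t, mac, now=t + 3600),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The "relatively light weight" remark on the slide is visible here: one hash-based MAC per message, no public-key operations, which is why TSIG is the usual choice for server-to-server traffic between parties that can share a key out of band.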

DNSSEC

All answers are signed

Designed to protect people from DNS cache poisoning

No confidentiality of data!

DNSSEC #2

Authenticates that data is truly from the domain owner, or not available

Possibility to store certificates, useful if using DNS as Public Key Infrastructure
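One piece of the DNSSEC chain of trust the slides describe, as an added example written for this page (not the lecture's material and not a DNSSEC library): a parent zone publishes a DS record that is a hash of the child's DNSKEY (RFC 4034 section 5.1.4), so a resolver that already trusts the parent's signed DS can tell whether a DNSKEY it receives really belongs to the domain owner. The key bytes are constructed; RRSIG signature checking needs public-key cryptography and is not shown.

```python
# Added example: DS <-> DNSKEY matching from the DNSSEC chain of trust.
import hashlib


def wire_name(name):
    """Canonical wire form of an owner name: length-prefixed lower-case labels
    ending in a zero byte (this is what the DS digest covers)."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if label:
            out.append(len(label))
            out.extend(label.encode("ascii"))
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """RFC 4034 appendix B: 16-bit tag a DS or RRSIG uses to name a DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """hash(owner name wire form | DNSKEY RDATA); type 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(wire_name(owner) + rdata).hexdigest().upper()


def publish_ds(owner, rdata, digest_type=2):
    """What the parent zone puts in its DS record for this child key."""
    return key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type)


def dnskey_matches_ds(owner, rdata, ds):
    """Resolver check: does this DNSKEY answer match the DS the parent signed?"""
    tag, alg, dtype, digest = ds
    return (key_tag(rdata) == tag
            and rdata[3] == alg
            and ds_digest(owner, rdata, dtype) == digest.upper())


# Constructed key: flags 257 (zone key + SEP bit, i.e. a KSK), protocol 3,
# algorithm 8 (RSA/SHA-256); the "public key" bytes are a dummy sequence.
KEY = dnskey_rdata(257, 3, 8, bytes(range(64)))
DS = publish_ds("kth.se.", KEY)

if __name__ == "__main__":
    print("DS for kth.se:", DS)
    print("genuine key accepted:", dnskey_matches_ds("KTH.SE", KEY, DS))
    forged = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))
    print("substituted key rejected:", dnskey_matches_ds("kth.se.", forged, DS))
```

This is the mechanism behind "authenticates that data is truly from the domain owner": a substituted key fails the DS comparison even though nothing in the exchange is secret, which also illustrates the slide's point that DNSSEC provides no confidentiality.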

Securing the named process

Keep track of security holes in the version you use, if necessary upgrade

Do not run named as root. Have a separate user that only runs named.
