DNS/ProxyDNS/Proxy

Babu Ram DawadiBabu Ram Dawadi

Introduction - DNSIntroduction - DNS

Domain Name ServerDomain Name Server– programs that store information about the domain name space – largest distributed database on the planet

Linux uses BIND to perform DNS functions Linux uses BIND to perform DNS functions – named

• It's a daemon that runs the server side of DNS

– resolver library• translate a friendly name to an IP address.

• uses the resolv.conf file

• Resolvers is a program that translating a users request located in end host, for example sending a queries to domains name servers

– dig • tools for testing your DNS server

Introduction – DNS Introduction – DNS (cont)(cont)

DNS is a distributed data base. DNS is a distributed data base.

Domain Name System database has three levels.Domain Name System database has three levels.– First group of servers

• Root servers

• Indicate by “.” (dot)

– Second group of servers• Top Level Domains or (TLDs).

• divided the Internet domain name space organizationally into seven domains: com, edu, gov, mil, net, org, int,

– Third group of servers• Client DNS server or also called Resolver in your domain

DNS – How it works?DNS – How it works?

DNS – How it works (mechanism)DNS – How it works (mechanism)

`

DNS server

Root name servers

“ . ”

Top Level Domain Servers (TLD)(org, com, net)

ns1.google.com.Google.com DNS server

www.google.com.

IP address of www.google.com

Issues a DNS query to ask for the IP address of www.google.com

issue a query to a root name server

it returns the IP addresses

of the TLD

Issue a query and sent to th

e "top level domain servers"

Reply with ns1.google.com and its IP

address

Issue an another query and sent to the ns1.google.com

Return the IP address of www.google.com

Return the IP address of

www.google.com

9

1

23

4 5

6

7

8

How does DNS answer QueriesHow does DNS answer Queries

If Bind package is installed, then Bind will come into play.If Bind package is installed, then Bind will come into play.

Named in the DNS will answer the queries from the Resolvers.Named in the DNS will answer the queries from the Resolvers.– By reading its configuration file, named.conf

named.conf named.conf contains the information in the contains the information in the zonezone files that can files that can supply named the answers of queries.supply named the answers of queries.

How does DNS answer Queries How does DNS answer Queries (cont)(cont)

named

named..conf

pri.zonereverse

zonelocalzone

Domain Name ServerDomain Name Server

InternetQueryQuery

Network CloudNetwork Cloud

ReplyReply

DNS-The Primary Zone File DNS-The Primary Zone File (cont)(cont)

@@ ININ SOASOA ns.example.org. root.localhost.ns.example.org. root.localhost. ( ( 20060121032006012103; serial; serial 2880028800; refresh, seconds; refresh, seconds 72007200; retry, seconds; retry, seconds 60480604800; expire, seconds0; expire, seconds 8640086400 ); minimum, ); minimum,

secondssecondsNameName

ClassClass

TypeType

Name-Server Email-AddressName-Server Email-Address

Serial-noSerial-no

RefreshRefresh

RetryRetry

ExpiryExpiry

Minimum-TTLMinimum-TTL

Class Class ININ = INternet = INternet

Proxy ServerProxy Server

Introduction - Proxy ServerIntroduction - Proxy Server

A proxy server is a server sit between the client site and the real server.A proxy server is a server sit between the client site and the real server.

When users request for a data from web browser which was configured to use When users request for a data from web browser which was configured to use proxy serverproxy server

– Traffic goes from web browser to a proxy server– On behalf of user, proxy will do the job for requesting the data from internet.– Proxy will transmit back the information to user

Internet

Web SiteWeb Site

Proxy ServerProxy ServerUserUser

Introduction – Why using Proxy?Introduction – Why using Proxy?

Advantages of using proxy serversAdvantages of using proxy servers– Improve performance– Ensure security

Improve performanceImprove performance– Faster operation, because using cache service.

Ensure securityEnsure security– Rules and policies regulation can be added into proxy configuration makes

proxy server can serve the users by filtering their requests.– It make the network easier to be controlled because only traffic that

passes the filtering requirements will be served or reply

Proxy -Improving PerformanceProxy -Improving Performance

Proxy server can be configured as Proxy server can be configured as Cache ServerCache Server

The proxy server store the information that has been used by The proxy server store the information that has been used by many internet users many internet users

If a user intend to request the same information, he gets the If a user intend to request the same information, he gets the information immediately because the data has been previously information immediately because the data has been previously stored.stored.

Improving performanceImproving performance– Decrease the usage of network resources because make less contact to

the original Internet site using network resources

Proxy -Improving Performance Proxy -Improving Performance (cont)(cont)

InternetUser AUser A Proxy ServerProxy Server

Web SiteWeb Site

Check from the cache first

Existed or not?Request:ww.google.com

Not in the cache.Contact to the original server

Information return

Return:ww.google.com

Request:ww.google.com

Check from the cache.

Yes Existed!

Return:ww.google.com

Immediately

Internet

Web SiteWeb Site

User BUser B Proxy ServerProxy Server

CachedCached

CachedCached

Not contact to the original

server

Proxy -Ensure securityProxy -Ensure security

Proxy server can be configured to add some limitations on user Proxy server can be configured to add some limitations on user access.access.

It can be configured to bypass some restrictions as well.It can be configured to bypass some restrictions as well.

Policies can be defined into proxy configuration in order to put Policies can be defined into proxy configuration in order to put some restrictions on internet or webpage access. some restrictions on internet or webpage access.

Network administrator can blocks access to the users from certain Network administrator can blocks access to the users from certain network or even a country. network or even a country.

Limit the sites that can be surfed by users through proxies.Limit the sites that can be surfed by users through proxies.– Banned pornography or unsecured websites.

Proxy -Ensure security Proxy -Ensure security (cont)(cont)

Internet

Web SiteWeb Site

UsersUsers Proxy ServerProxy Server

Request from users

Allow?Checking the

rules

YES!

Internet

Web SiteWeb Site

UsersUsers Proxy ServerProxy Server

Request from users

Allow?Checking the

rules

Users are not allow to access

Internet

You are not allow to access

Internet

Types of ProxyTypes of Proxy

There are many different types of Proxy Servers . It depends on There are many different types of Proxy Servers . It depends on the purpose of network administrator to setup a proxy servers. the purpose of network administrator to setup a proxy servers. Mainly, proxy servers can be categorized into 3 types:Mainly, proxy servers can be categorized into 3 types:

– Forward Proxy

– Reverse Proxy

– Proxy Chaining

Forward ProxyForward Proxy

Forward Proxy is the most common Proxy ServerForward Proxy is the most common Proxy Server– Generally used to accept or reject request from users based on the

policies that defined.– If request is valid, the proxy server will forward the request to the original

server in Internet for retrieving the requested information.– Request may also be replied from local cache rather than passing through

Internet and it will help to reduce the network traffic.

InternetWeb SiteWeb Site

UsersUsers Proxy ServerProxy Server

CachedCached

The reverse proxy is generally used to pass the request from the The reverse proxy is generally used to pass the request from the Internet to local network.Internet to local network.

It can prevent the users connect to the local server and accessing It can prevent the users connect to the local server and accessing sensitive data directly or freely.sensitive data directly or freely.

Whenever there is a request, the proxy server will check the Whenever there is a request, the proxy server will check the request first, if it fulfilled the rules, then the request will send to request first, if it fulfilled the rules, then the request will send to server, otherwise the request will be blocked. server, otherwise the request will be blocked.

Proxy server may also reply the request using cache information.Proxy server may also reply the request using cache information.

Reverse ProxyReverse Proxy

InternetWeb SiteWeb Site UsersUsers

Proxy ServerProxy Server

CachedCached

Proxy ChainingProxy Chaining

Private LANPrivate LAN

Proxy Server 1Proxy Server 1

CachedCached

Proxy Server 2Proxy Server 2

CachedCached Web SiteWeb Site

InternetInternet

Proxy Chaining Proxy Chaining (cont)(cont)

Proxy chain involved 2 or more proxy server in a network in order Proxy chain involved 2 or more proxy server in a network in order to enhance the performance and the security control of a network.to enhance the performance and the security control of a network.

Proxy chaining allows requests from different protocols to be Proxy chaining allows requests from different protocols to be fulfilled different requirements.fulfilled different requirements.

According to previous slide, there are 2 proxy servers, Proxy According to previous slide, there are 2 proxy servers, Proxy server 1 can be configured to forward every request to upstream server 1 can be configured to forward every request to upstream proxy – Proxy server 2, or if the cache features is enabled, it can proxy – Proxy server 2, or if the cache features is enabled, it can reply the request immediately if information was already cached.reply the request immediately if information was already cached.

How does Squid Proxy works?How does Squid Proxy works?

Cache HitCache Hit

Private LANPrivate LAN

Proxy Server 1Proxy Server 1

Proxy Server 2Proxy Server 2 CachedCached Web SiteWeb Site

InternetInternet

CachedCached

URLRequest

Cache Hit!!HTTPResponse

How does Squid Proxy works? How does Squid Proxy works? (cont)(cont)

Cache Miss – case 1Cache Miss – case 1

Private LANPrivate LAN

Proxy Server 1Proxy Server 1

Proxy Server 2Proxy Server 2 CachedCached Web SiteWeb Site

InternetInternet

CachedCached

URLRequest

Cache Miss!!HTTPResponse

ICPRequest

Cache Hit!!

ICPReply

How does Squid Proxy works? How does Squid Proxy works? (cont)(cont)

Cache Miss – Case 2Cache Miss – Case 2

Private LANPrivate LAN

Proxy Server 1Proxy Server 1

Proxy Server 2Proxy Server 2 CachedCached Web SiteWeb Site

InternetInternet

CachedCached

URLRequest

Cache Miss!!ICP

Request

Cache Miss!!

Time out!!

ICPRequest

HTTPRequest

HTTPReply

ICPReply

HTTPResponse

Proxy Server – Squid ConfigurationProxy Server – Squid Configuration

cache_peer sfc-cache.ai3.net parent 8080 3130cache_peer sfc-cache.ai3.net parent 8080 3130

acl all src 0.0.0.0/0 ::/0acl all src 0.0.0.0/0 ::/0

acl manager proto cache_objectacl manager proto cache_objectacl localsite src 172.16.51.0/24 2001:d30:1214::/48 acl localsite src 172.16.51.0/24 2001:d30:1214::/48 acl localhost src 127.0.0.1/32 ::1/128 acl localhost src 127.0.0.1/32 ::1/128 acl to_localhost dst 127.0.0.0/8 ::/126acl to_localhost dst 127.0.0.0/8 ::/126

acl SSL_ports port 443acl SSL_ports port 443acl Safe_ports port 80 # httpacl Safe_ports port 80 # httpacl Safe_ports port 21 # ftpacl Safe_ports port 21 # ftpacl Safe_ports port 443 # httpsacl Safe_ports port 443 # httpsacl Safe_ports port 70 # gopheracl Safe_ports port 70 # gopheracl Safe_ports port 210 # waisacl Safe_ports port 210 # waisacl Safe_ports port 1025-65535 # unregistered portsacl Safe_ports port 1025-65535 # unregistered portsacl Safe_ports port 280 # http-mgmtacl Safe_ports port 280 # http-mgmtacl Safe_ports port 488 # gss-httpacl Safe_ports port 488 # gss-httpacl Safe_ports port 591 # filemakeracl Safe_ports port 591 # filemakeracl Safe_ports port 777 # multiling httpacl Safe_ports port 777 # multiling http

Proxy Server – Squid ConfigurationProxy Server – Squid Configuration

acl CONNECT method CONNECTacl CONNECT method CONNECT

http_access allow manager localhosthttp_access allow manager localhost

http_access deny managerhttp_access deny manager

# Deny requests to unknown ports# Deny requests to unknown ports

http_access deny !Safe_portshttp_access deny !Safe_ports

# Deny CONNECT to other than SSL ports# Deny CONNECT to other than SSL ports

http_access deny CONNECT !SSL_portshttp_access deny CONNECT !SSL_ports

DNS ForwarderDNS Forwarder

Domain Name ServerDomain Name Server– DNS forwards Only– DNS will forward all the query to the parent DNS server using IPv6 traffic– It can be done by modifying the current Cached Only Name Server

Configuration• /var/named/chroot/etc/named.conf

options {options {forwarders {2001:d30:102:1000::1001; 2001:d30:101:1::11;};forwarders {2001:d30:102:1000::1001; 2001:d30:101:1::11;};forward only;forward only;directory "/var/named";directory "/var/named";dump-file "/var/named/data/cache_dump.db";dump-file "/var/named/data/cache_dump.db";statistics-file "/var/named/data/named_stats.txt";statistics-file "/var/named/data/named_stats.txt";allow-query { 172.16.51.0/24; localhost; 2001:d30:1214::/64; ::1/128; fe80::/10;};allow-query { 172.16.51.0/24; localhost; 2001:d30:1214::/64; ::1/128; fe80::/10;};allow-recursion { 172.16.51.0/24; localhost; 2001:d30:1214::/64; ::1/128; allow-recursion { 172.16.51.0/24; localhost; 2001:d30:1214::/64; ::1/128;

fe80::/10;};fe80::/10;};allow-transfer { none;};allow-transfer { none;};listen-on-v6 { any; };listen-on-v6 { any; };};};

Adding these two lines.Tell DNS must forward all the query to parent

DNS server

Thank youThank you