DNS/Proxy
Babu Ram Dawadi

Introduction - DNS
Domain Name Server – programs that store information about the domain name space; the largest distributed database on the planet
Linux uses BIND to perform DNS functions
– named
• a daemon that runs the server side of DNS
– resolver library
• translates a friendly name to an IP address
• uses the resolv.conf file
• a resolver is a program on the end host that translates a user's request, for example by sending queries to domain name servers
– dig
• a tool for testing your DNS server
Introduction – DNS (cont)
DNS is a distributed data base.
The Domain Name System database has three levels.
– First group of servers
• Root servers
• Indicated by “.” (dot)
– Second group of servers
• Top Level Domains (TLDs)
• Divide the Internet domain name space organizationally into seven domains: com, edu, gov, mil, net, org, int
– Third group of servers
• Client DNS server, also called the Resolver in your domain
DNS – How it works?
DNS – How it works (mechanism)
[Figure: the client's DNS server, the root name servers (“.”), the Top Level Domain servers (org, com, net) and Google.com's DNS server ns1.google.com, resolving www.google.com]
1. The client issues a DNS query to ask for the IP address of www.google.com
2. The DNS server issues a query to a root name server
3. The root returns the IP addresses of the TLD servers
4. The DNS server issues a query to the "top level domain servers"
5. The TLD server replies with ns1.google.com and its IP address
6. The DNS server issues another query to ns1.google.com
7. ns1.google.com returns the IP address of www.google.com
8. The DNS server returns the IP address of www.google.com to the client
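The referral chain in the figure, as an added example that is not part of the slides: a small iterative resolver run against constructed in-memory root, TLD and google.com servers (names and 192.0.2.x addresses are made up for the example), with a hop limit so a server that keeps referring elsewhere cannot make the resolver loop.

```python
from dataclasses import dataclass, field

@dataclass
class Server:
    """A name server that either answers for names it holds or refers to a child zone."""
    name: str
    addresses: dict = field(default_factory=dict)    # name -> IP (authoritative data)
    delegations: dict = field(default_factory=dict)  # zone -> (child NS name, its IP)

    def query(self, qname):
        if qname in self.addresses:
            return "answer", self.addresses[qname]
        # refer to the delegation whose zone is the longest suffix of the name
        zones = [z for z in self.delegations if qname.endswith(z)]
        if not zones:
            return "nxdomain", None
        return "referral", self.delegations[max(zones, key=len)]

# Constructed servers and addresses (documentation range, not real glue records).
ROOT = Server(".", delegations={"com.": ("a.gtld-servers.net.", "192.0.2.1")})
TLD_COM = Server("a.gtld-servers.net.", delegations={"google.com.": ("ns1.google.com.", "192.0.2.2")})
NS1_GOOGLE = Server("ns1.google.com.", addresses={"www.google.com.": "192.0.2.3"})
BY_IP = {"192.0.2.1": TLD_COM, "192.0.2.2": NS1_GOOGLE}

def resolve(qname, max_hops=8):
    """Follow referrals from the root, as the DNS server in the figure does.
    Returns (ip or None, trace of (server, reply kind)); hops are bounded so a
    server that keeps referring elsewhere cannot make the resolver loop forever."""
    trace, server = [], ROOT
    for _ in range(max_hops):
        kind, data = server.query(qname)
        trace.append((server.name, kind))
        if kind == "answer":
            return data, trace
        if kind == "nxdomain":
            return None, trace
        _ns_name, ns_ip = data             # the referral's glue says where to ask next
        server = BY_IP[ns_ip]
    return None, trace + [("resolver", "too many referrals")]

if __name__ == "__main__":
    ip, trace = resolve("www.google.com.")
    for step, (who, what) in enumerate(trace, 1):
        print(f"{step}. {who} -> {what}")
    print("www.google.com. =", ip)
```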
How does DNS answer Queries
If the BIND package is installed, then BIND will come into play.
named in the DNS will answer the queries from the resolvers
– by reading its configuration file, named.conf
named.conf contains the information in the zone files that can supply named with the answers to queries.
How does DNS answer Queries (cont)
[Figure: the Domain Name Server runs named, which reads named.conf and the zone files (primary zone, reverse zone, local zone); queries arrive from the Internet / network cloud and named sends back the reply]
DNS - The Primary Zone File (cont)
@   IN   SOA   ns.example.org. root.localhost. (
        2006012103 ; serial
        28800      ; refresh, seconds
        7200       ; retry, seconds
        604800     ; expire, seconds
        86400 )    ; minimum, seconds
Fields of the record above, in order: Name, Class, Type, Name-Server, Email-Address, Serial-no, Refresh, Retry, Expiry, Minimum-TTL
Class IN = INternet
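An added example (not from the slides): a parser for the SOA record above, plus the sanity checks an administrator would run on its serial and timers before loading the zone into named. The serial-format and timer-ordering rules applied here are common operational conventions, not something the slide states.

```python
import re

# The slide's SOA record, copied here so the example runs offline.
SOA_TEXT = """\
@ IN SOA ns.example.org. root.localhost. (
    2006012103 ; serial
    28800      ; refresh, seconds
    7200       ; retry, seconds
    604800     ; expire, seconds
    86400 )    ; minimum, seconds
"""
FIELDS = ("serial", "refresh", "retry", "expire", "minimum")

def parse_soa(text):
    """Return a dict of the SOA fields; ';' comments and the ( ) continuation are stripped."""
    tokens = []
    for line in text.splitlines():
        line = line.split(";", 1)[0]                       # drop the comment
        tokens += line.replace("(", " ").replace(")", " ").split()
    if len(tokens) < 10 or tokens[1] != "IN" or tokens[2] != "SOA":
        raise ValueError("not an IN SOA record")
    rec = {"name": tokens[0], "mname": tokens[3], "rname": tokens[4]}
    rec.update(zip(FIELDS, map(int, tokens[5:10])))
    # RNAME encodes the mailbox: the first label is the local part, the rest the domain
    local, _, domain = rec["rname"].rstrip(".").partition(".")
    rec["email"] = f"{local}@{domain}"
    return rec

def check_soa(rec):
    """Warnings a reviewer would raise; an empty list means the record looks sane."""
    warnings = []
    if not re.fullmatch(r"(19|20)\d{6}\d{2}", str(rec["serial"])):
        warnings.append("serial does not follow the YYYYMMDDnn convention")
    if rec["retry"] >= rec["refresh"]:
        warnings.append("retry should be shorter than refresh")
    if rec["expire"] <= rec["refresh"] + rec["retry"]:
        warnings.append("expire too short: secondaries would drop the zone after one failed refresh")
    if "@" in rec["rname"]:
        warnings.append("RNAME must use '.' rather than '@' in the mailbox")
    return warnings
```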
Proxy Server
Introduction - Proxy Server
A proxy server is a server that sits between the client side and the real server.
When a user requests data from a web browser which was configured to use a proxy server
– Traffic goes from the web browser to the proxy server
– On behalf of the user, the proxy does the job of requesting the data from the Internet
– The proxy transmits the information back to the user
[Figure: User – Proxy Server – Internet – Web Site]
Introduction – Why using Proxy?
Advantages of using proxy servers
– Improve performance
– Ensure security
Improve performance
– Faster operation, because of the cache service
Ensure security
– Rules and policies can be added to the proxy configuration, so the proxy server can serve users by filtering their requests
– It makes the network easier to control, because only traffic that passes the filtering requirements will be served or replied to
Proxy - Improving Performance
The proxy server can be configured as a Cache Server.
The proxy server stores the information that has been used by many Internet users.
If a user requests the same information, he gets it immediately because the data has been previously stored.
Improving performance
– Decreases the usage of network resources, because the proxy makes less contact with the original Internet site
Proxy - Improving Performance (cont)
[Figure: User A – Proxy Server – Internet – Web Site, then User B – Proxy Server (cached) – Internet – Web Site]
User A requests www.google.com: the proxy checks the cache first (does it exist or not?); it is not in the cache, so the proxy contacts the original server, the information is returned and cached, and www.google.com is returned to User A.
User B requests www.google.com: the proxy checks the cache; yes, it exists! www.google.com is returned immediately, with no contact to the original server.
Proxy - Ensure security
The proxy server can be configured to add some limitations on user access.
It can be configured to bypass some restrictions as well.
Policies can be defined in the proxy configuration in order to put some restrictions on Internet or webpage access.
The network administrator can block access for users from a certain network or even a country.
Limit the sites that can be surfed by users through proxies.
– Ban pornography or unsecured websites
Proxy - Ensure security (cont)
[Figure: Users – Proxy Server – Internet – Web Site, shown for two cases]
Case 1: request from users; the proxy checks the rules: allow? YES! The request goes on to the Internet / Web Site.
Case 2: request from users; the proxy checks the rules: users are not allowed to access the Internet, and the user sees "You are not allowed to access Internet".
Types of Proxy
There are many different types of proxy servers. It depends on the purpose of the network administrator in setting up a proxy server. Mainly, proxy servers can be categorized into 3 types:
– Forward Proxy
– Reverse Proxy
– Proxy Chaining
Forward Proxy
Forward Proxy is the most common Proxy Server
– Generally used to accept or reject requests from users based on the policies that are defined
– If the request is valid, the proxy server forwards the request to the original server in the Internet to retrieve the requested information
– The request may also be answered from the local cache rather than passing through the Internet, which helps to reduce the network traffic
[Figure: Users – Proxy Server (cached) – Internet – Web Site]
Reverse Proxy
The reverse proxy is generally used to pass requests from the Internet to the local network.
It can prevent users from connecting to the local server and accessing sensitive data directly or freely.
Whenever there is a request, the proxy server checks the request first; if it fulfils the rules, the request is sent to the server, otherwise the request is blocked.
The proxy server may also answer the request using cached information.
[Figure: Internet Users – Proxy Server (cached) – Web Site]
Proxy Chaining
[Figure: Private LAN – Proxy Server 1 (cached) – Proxy Server 2 (cached) – Internet – Web Site]
Proxy Chaining (cont)
A proxy chain involves 2 or more proxy servers in a network in order to enhance the performance and the security control of the network.
Proxy chaining allows requests from different protocols to fulfil different requirements.
According to the previous slide, there are 2 proxy servers. Proxy server 1 can be configured to forward every request to the upstream proxy, Proxy server 2, or, if the cache feature is enabled, it can answer the request immediately if the information was already cached.
How does Squid Proxy work?
Cache Hit
[Figure: Private LAN – Proxy Server 1 (cached) – Proxy Server 2 (cached) – Internet – Web Site]
Labels in the figure: URL request, Cache Hit!!, HTTP response
How does Squid Proxy work? (cont)
Cache Miss – case 1
[Figure: same layout]
Labels in the figure: URL request, Cache Miss!!, ICP request, Cache Hit!!, ICP reply, HTTP response
How does Squid Proxy work? (cont)
Cache Miss – Case 2
[Figure: same layout]
Labels in the figure: URL request, Cache Miss!!, ICP request, Cache Miss!!, Time out!!, ICP request, HTTP request, HTTP reply, ICP reply, HTTP response
Proxy Server – Squid Configuration
cache_peer sfc-cache.ai3.net parent 8080 3130
acl all src 0.0.0.0/0 ::/0
acl manager proto cache_object
acl localsite src 172.16.51.0/24 2001:d30:1214::/48
acl localhost src 127.0.0.1/32 ::1/128
acl to_localhost dst 127.0.0.0/8 ::/126
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
Proxy Server – Squid Configuration (cont)
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
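An added example (not from the slides and not Squid's own code): a small model of how Squid evaluates the http_access lines above, so the effect of the Safe_ports and SSL_ports rules can be checked offline against constructed requests. The request fields and source addresses are made up; the ACL definitions are the slide's.

```python
import ipaddress

def _src_in(r, *nets):
    ip = ipaddress.ip_address(r["src"])
    return any(ip in ipaddress.ip_network(n) for n in nets)

def _port_in(r, *specs):
    for spec in specs:                      # "80" or a range such as "1025-65535"
        lo, _, hi = spec.partition("-")
        if int(lo) <= r["port"] <= int(hi or lo):
            return True
    return False

# The slide's ACLs; repeated "acl Safe_ports port ..." lines merge into one list.
ACLS = {
    "manager":    lambda r: r["proto"] == "cache_object",
    "localhost":  lambda r: _src_in(r, "127.0.0.1/32", "::1/128"),
    "localsite":  lambda r: _src_in(r, "172.16.51.0/24", "2001:d30:1214::/48"),
    "SSL_ports":  lambda r: _port_in(r, "443"),
    "Safe_ports": lambda r: _port_in(r, "80", "21", "443", "70", "210",
                                     "1025-65535", "280", "488", "591", "777"),
    "CONNECT":    lambda r: r["method"] == "CONNECT",
}
# The slide's http_access lines, in order; "!" negates an ACL as in squid.conf.
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
]

def http_access(req, rules=HTTP_ACCESS):
    """The first line whose ACLs all match decides. If no line matches, Squid
    applies the opposite of the last line's action (last line here is deny)."""
    for action, acls in rules:
        if all(ACLS[a.lstrip("!")](req) != a.startswith("!") for a in acls):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

def request(method="GET", port=80, src="172.16.51.10", proto="http"):
    """Constructed request: only the fields the ACLs above look at."""
    return {"method": method, "port": port, "src": src, "proto": proto}
```

With only these four lines a request that matches none of them is allowed from any source, which is why a complete squid.conf follows them with an explicit allow for the local network (for example `http_access allow localsite`) and a final `http_access deny all`.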
DNS Forwarder
Domain Name Server
– DNS forwarder only
– The DNS will forward all queries to the parent DNS server using IPv6 traffic
– It can be done by modifying the current Caching-Only Name Server configuration
• /var/named/chroot/etc/named.conf
options {
    forwarders { 2001:d30:102:1000::1001; 2001:d30:101:1::11; };
    forward only;
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    allow-query { 172.16.51.0/24; localhost; 2001:d30:1214::/64; ::1/128; fe80::/10; };
    allow-recursion { 172.16.51.0/24; localhost; 2001:d30:1214::/64; ::1/128; fe80::/10; };
    allow-transfer { none; };
    listen-on-v6 { any; };
};
Adding these two lines (forwarders and forward only) tells the DNS server that it must forward all queries to the parent DNS server.
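An added example (not from the slides): a checker that pulls the address lists out of the named.conf options block above and flags the settings that would turn a forward-only server into an open resolver or leave it unable to answer. The config text is a copy of the slide's; the checks are operational conventions, not BIND's own.

```python
import re

# The options block from the slide (copied here so the example runs offline).
NAMED_CONF = """\
options {
    forwarders { 2001:d30:102:1000::1001; 2001:d30:101:1::11; };
    forward only;
    directory "/var/named";
    allow-query { 172.16.51.0/24; localhost; 2001:d30:1214::/64; ::1/128; fe80::/10; };
    allow-recursion { 172.16.51.0/24; localhost; 2001:d30:1214::/64; ::1/128; fe80::/10; };
    allow-transfer { none; };
    listen-on-v6 { any; };
};
"""

def address_lists(conf):
    """Map every 'name { a; b; };' statement to its entries, with // and # comments removed."""
    conf = re.sub(r"(//|#)[^\n]*", "", conf)
    return {m.group(1): [e.strip() for e in m.group(2).split(";") if e.strip()]
            for m in re.finditer(r"([\w-]+)\s*\{([^{}]*)\}\s*;", conf)}

def audit(conf):
    """Findings a reviewer would raise; an empty list means the forwarder looks safe."""
    lists, findings = address_lists(conf), []
    forward_only = re.search(r"\bforward\s+only\s*;", conf) is not None
    if not lists.get("forwarders"):
        findings.append("no forwarders configured")
    elif not forward_only:
        findings.append("forwarders set without 'forward only': named still recurses itself")
    if "allow-recursion" not in lists:
        findings.append("allow-recursion not set explicitly")
    elif "any" in lists["allow-recursion"]:
        findings.append("allow-recursion includes 'any': open resolver, usable for amplification")
    if lists.get("allow-transfer") != ["none"]:
        findings.append("allow-transfer should be 'none' on a caching/forwarding server")
    return findings
```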
Thank you