dns.workshop.hsgr
42
DNS Workshop Evaggelos Balaskas Serial: 2014011901
-
Upload
evaggelos-balaskas -
Category
Technology
-
view
2.023 -
download
0
description
dns notes from a hsgr workshop http://hackerspace.gr
Transcript of dns.workshop.hsgr
DNS WorkshopDNS Workshop
Evaggelos BalaskasSerial: 2014011901
disclaimer
• This presentation is just a supported material based on a dns workshop made on http://hackerspace.gr.
• May have errors! Plz email me to correct them.
• At the time you are reading this, the examples my have different values.
• The domains used in this presentation are randomly selected.
• Be aware of the serial in the first page!
Before DNS, What?
• /etc/hosts
• C:\Windows\system32\drivers\etc\hosts .
• Postel - Mockapetris
• /etc/resolv.conf● Nameserver 212.205.212.205
Now, What?
Domain Name System
• domain: hackerspace.gr.
• root NS .• TLD gr• ITE NS hackerspace• dns1.papaki.gr @• @ 185.4.135.249
• dig +trace hackerspace.gr. (notice the dot in the end)
Root ns
Root ns
root ns
• http://www.internic.net/domain/named.root
• > dig.exe NS . @a.root-servers.net.
Top Level Domains
• http://www.iana.org/domains/root/db
• Greek TLDs
.gr country-code ICS-FORTH GR
.δοκιμή test Internet Assigned Numbers Authority
Top Level Domain: gr. (ITE)
• gr. 10748 IN NS gr-br.ics.forth.gr. • gr. 10748 IN NS gr-m.ics.forth.gr. • gr. 10748 IN NS estia.ics.forth.gr. • gr. 10748 IN NS grdns.ics.forth.gr. • gr. 10748 IN NS gr-at.ics.forth.gr. • gr. 10748 IN NS gr-us.ics.forth.gr. • gr. 10748 IN NS gr-ix.ics.forth.gr. • gr. 10748 IN NS grdns-de.denic.de.
Check gr domains
• http://www.gr• dig +trace NS hackerspace.gr• dig +trace NS ebalaskas.gr• dig +trace NS goethe.gr
• Check the differences !
• dig +trace www.hackerspace.gr.• dig +trace A hackerspace.gr.
Check domains
• > dig A www.ert.gr +short
• > dig NS nerit.gr +short[de nada!]
ITE does not serve nerit.gr but ...(see next slide)
servers
• NS Vs DNS• Auth Vs Resolvers (caching/recursive)• Zone files Vs RAM (memory)
• ns1.otenet.gr (serve zone files – don’t ask ITE)• ns2.otenet.gr (serve zone files – don’t ask ITE)
• dns1.otenet.gr (ask root NS – ask ITE – ask NS)● dns2.otenet.gr (ask root NS – ask ITE – ask NS)
● All OTE customers MUST use ● 212.205.212.205 - dns1 & dns2
Public DNS – caching servers• Google Public DNS (they record your dns queries)
● 8.8.8.8● 8.8.4.4
• opennicproject● 85.126.4.170 (T, AT)● 151.236.10.135 (AT)
( the above IPs are just an example, click here: http://www.opennicproject.org/ )
• opendns● 208.67.222.222 (resolver1.opendns.com)● 208.67.220.220 (resolver2.opendns.com)
RR – resource records
• SOA - Start of Authority Record• NS - Name Server Record• MX - Mail Exchanger Record• A - IPv4 Address Record• CNAME - Host Alias Record• SRV - Services Record• TXT - Text Record
• PTR - Pointer Record
Start Of Authority> dig soa ebalaskas.gr +shortns14.ebalaskas.gr. ebalaskas.ebalaskas.gr. 2012052408 172800 3600 1209600 86400
• domain: ebalaskas.gr• TTL: 86400• Master NS: ns14.ebalaskas.gr.• Mail: ebalaskas.ebalaskas.gr.• Serial Number: 2012052408• Refresh: 172800 (when the slave will try to refresh the zone from the master)
• Retry: 1h (if the slave fails to contact the master)• Expiry: 2w (slave remove the zone from memory)• Minumum: 24h (slave remove the zone from memory if Non eXistent DOMAIN)
Serial number
• Integer number• Must always be greater than the previous value
• We change the serial on every DNS change
• Is the way to notify the slave NS that a change has occurred
• We use the reverse date format + AA of the change
• eg. 2013/06/20-01 -> 2013062001
NOTIFY• Master NS sends notifies (UDP packages) to all slaves NS
(NS RR in the zone file)
• Slaves NS check their SERIAL with master’s SERIAL
• If master’s serial greater than slave’s serial then pull the zone (zone transfer)
TTL Time to Live
How many seconds a DNS (caching/resolver) should: • remember a record• should ask again the master NS for something
• or keep records from a zone (if expired) in memory.
• TTL is the reason we (sometimes) need to flush!
dns flushing
A simple method to remove a specific entry or an entire zone from the memory/cache of a resolver name server.
Useful when you dont want to wait till the TTL expire.
ttl
> dig CNAME www.otenet.gr +nocomments +noqr +nocmd +nostats +noauthority +noadditional
www.otenet.gr. 86074 IN CNAME otenet.gr.
> dig CNAME www.otenet.gr +nocomments +noqr +nocmd +nostats +noauthority +noadditional
www.otenet.gr. 86072 IN CNAME otenet.gr.
ORIGIN
• With origin we refer to the domain, or the zone file.
• @ is the representative character• Origin can ONLY be A record
eg. yellowpagesbusiness.gr@ IN A 195.170.6.20www IN CNAME xo.gr.
MX
> dig MX gmail.com +short
5 gmail-smtp-in.l.google.com.10 alt1.gmail-smtp-in.l.google.com.20 alt2.gmail-smtp-in.l.google.com.30 alt3.gmail-smtp-in.l.google.com.40 alt4.gmail-smtp-in.l.google.com.
mx defines the mail servers that recieving emails for a domain/email address.
A - CNAME
• hostname IN A 1.2.3.4eg.
• ebalaskas.gr IN A 158.255.214.14
• hostname IN CNAME fqdneg.
• www IN CNAME ebalaskas.gr.
• A fqdn must always finish with a dot (.) or else is a reference to another record inside the dns zone
Round-robin DNS
An example of DNS round robin (a poor man’s balancing mechanism):
eg. example.comwww IN A 1.2.3.4 (sometimes here!)www IN A 2.3.4.5 (sometimes there!)
CDN: Web hosting
• eg. webhosting on akamai or cloudflare• They serve a different www (IP) according to the most network route wise (cost efficient) – looks like geolocation!!!
• They don’t serve A records! only CNAMEs to www
• CDN stands for content delivery network
Check a domaineg cdn webhosting: www.plaisio.gr
• GREECE> dig www.plaisio.gr +shortplaisio.gr.edgesuite.net.a944.g.akamai.net.212.205.126.41212.205.126.34
• GERMANY>dig www.plaisio.gr +shortplaisio.gr.edgesuite.net.a944.g.akamai.net.87.245.215.7387.245.215.23
TXT
• txt RR are simply TEXT fields.• max length: 4000characters
Syntax:hostname TTL IN TXT “TEXT TEXT TEXT”
So the customers must send us the text inside double quotes (plz don’t fax)
TXT
• is the only resource record that can expand to more than one line
syntax:joe IN TXT ("Located in a black hole" " somewhere over the rainbow")
Be carefuly when using custom parsers
Some examples:
• DZC IN TXT "eoMi3Yk“
• @ 3600 IN TXT "MS=ms70870252"
• @ IN TXT "v=spf1 a mx ip4:195.170.6.0/24 -all"
• turbo-smtp._domainkey IN TXT "k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDT3MWLni6so1q9eQggRYBCLHFjohZkCnYHH8gZNDBm6zRrodRVpWpJQW7x3cWWiuBhS1X0IfBB80l5tqFa+yc+mVgnk8tkUzOHFbPQPp4fi7egTpMtsQW/ZMrxw73SItNvPr72qvJTYZNPxarMx+ULjEWybcfEdXHPY8jslGcpCwIDAQAB"
SPF• Sender Policy Framework• Mostly Microsoft
• define the mail servers that can send an email for the domain they serve
• The DNS check comes from the receiver mail server
(see last page for reference)
DKIM• In the TXT RR is the public key of the receiver mail server.
• If defined, the sender mail server can encrypt the communication between the two mail servers.
• We cant convert a customer request from FAX. Plz ask text file from the customer. Pretty PLZ!
SRV
• Service Resource Record• Define a service for a domain and the server that serve this
service
• Syntax:• _service._protocol IN SRV PRI WEIGHT PORT record
• Mostly for xmpp communications,• SIP (voip communications)• web service• mail service• ntp service• etc
(see last page for reference)
some examples:
• _http._tcp IN SRV 10 5 80 www.tickethour.gr.
• _autodiscover._tcp IN SRV 10 0 443 mail.yellowpages.gr.
• _ntp._udp IN SRV 10 0 123 creta.logifer.gr.
• _xmpp-server._tcp IN SRV 5 0 5269 xmpp-server.l.google.com.
• _sip._tcp IN SRV 10 0 5061 sip.logifer.gr.
PTR
• dig +trace -x 185.4.135.249
• A.IN-ADDR-SERVERS.ARPA (operated by ARIN)• B.IN-ADDR-SERVERS.ARPA (operated by ICANN)• C.IN-ADDR-SERVERS.ARPA (operated by AfriNIC)• D.IN-ADDR-SERVERS.ARPA (operated by LACNIC)• E.IN-ADDR-SERVERS.ARPA (operated by APNIC)• F.IN-ADDR-SERVERS.ARPA (operated by RIPE NCC)
reverse zone
> dig 135.4.185.in-addr.arpa. +trace
135.4.185.in-addr.arpa.172800 IN NSdns2.papaki.gr.135.4.185.in-addr.arpa.172800 IN NSdns1.papaki.gr.
https://apps.db.ripe.net/search/query.html?searchtext=135.4.185.in-addr.arpa
subdomains• www.cs.teiath.gr.
• HOST DOMAIN• www.cs teiath.gr (not subdomain)• www cs.teiath.gr (subdomain, lets check it)
• > dig A www.cs.teiath.gr +short• 195.130.109.88
• > dig NS cs.teiath.gr +short• athena.teiath.gr.• hermes.teiath.gr.
DNS Ports
UDP port 53 (stateless)TCP port 53 (statefull)
default udp, transform to tcp when >512bytes
Zone transfer
• Transfer zone from authoritave name server to slave name servers.
• That makes dns a distribute service
• Authoritave name servers MUST open their firewall for UDP and TCP protocols on UDP/TCP port 53
Useful links• http://www.zytrax.com/books/dns/• http://www.internic.net/domain/named.root• http://www.iana.org/domains/root/db• http://www.kloth.net/services/dig.php• http://www.iana.org/• http://www.ripe.net/• http://www.openspf.org/● http://www.gr-ix.gr/services/statistics/
