Module 7

Advanced Zone Files

Objectives Understand failover strategies using

DNS Understand domain delegation Understand Glue Records Understand the SRV RR Understand the NAPTR RR

Load Balancing/Failover Basic Strategy

Multiple RRs Mail Servers – 2 strategies

MX natural failover/load balancing Multiple RRs

RRs delivered in round-robin order BIND provides alternate controls

Mail Servers – MX RRs

; mail server Resource Records for the zone (domain) 3w IN MX 10 mail.example.com.; the second mail server has lower priority and is; external to the zone (domain) - backup IN MX 20 mail.example.net.

3w = TTL

Priority 10 simply means you can add a more important mail server with only one change

Mail Servers – Multiple RRs

; zone file fragment IN MX 10 mail.example.com. IN MX 10 mail1.example.com. IN MX 10 mail2.example.com.....mail IN A 192.168.0.4mail1 IN A 192.168.0.5mail2 IN A 192.168.0.6OR; zone file fragment IN MX 10 mail.example.com.....mail IN A 192.168.0.4 IN A 192.168.0.5 IN A 192.168.0.6

Mail Servers No difference in two approaches All local mail servers must have

access to common mail filestore Backup servers (priority 20) are

configured to forward mail to real (priority 10) mail servers

MX RRs can be set to very high TTLs A or AAAA RRs may change

Mail Server Reverse Map

; reverse-map file fragment; for 0.168.192.IN-ADDR.ARPA....4 PTR mail.example.com.5 PTR mail.example.com.6 PTR mail.example.com.

Other Services Typically uses multiple A (AAAA) RRs

Multiple RRs called RRsets In case of web - browser will do IP failover in 2

– 3 minutes Dynamic updating of IP with short TTL will

failover in 30 minutes (MSIE) DNS load balances on IP address

Works for flat loads If transaction loads vary must use load-

balancer

Load Balance – Multiple RRs

; example.com zone file fragment....ftp IN A 192.168.0.4ftp IN A 192.168.0.5ftp IN A 192.168.0.6www IN A 192.168.0.7www IN A 192.168.0.8

; example.com zone file fragment....ftp IN A 192.168.0.4 IN A 192.168.0.5 IN A 192.168.0.6www IN A 192.168.0.7 IN A 192.168.0.8

Parent and Child domains Parent of any domain is the next

level in the hierarchy Parent contains NS RRs which are

not Authoritative Child contains NS RRs which are

Authoritative

Parent and Child domains

DNS Subdomain Delegation www.ramq.example.com Two methods Full delegation

Needs separate name servers Complete control to delegated authority Method used by domain system Multiple zone files

Virtual subdomain Does not need name servers Single zone file to maintain

Parent Zone File; IPv4 zone file for example.com$TTL 2d ; default TTL for zone$ORIGIN example.com. ; base domain-name; Start of Authority record defining the key characteristics of the zone (domain)@ IN SOA ns1.example.com. hostmaster.example.com. ( 2003080800 ; se = serial number 12h ; ref = refresh 15m ; ret = update retry 3w ; ex = expiry 2h ; min = minimum ); name servers Resource Records for the domain IN NS ns1.example.com.; the second name server is; external to this zone (domain). IN NS ns2.example.net.; mail server Resource Records for the zone (domain) 3w IN MX 10 mail.example.com.; the second mail server has lower priority and is; external to the zone (domain) IN MX 20 mail.example.net.; domain hosts includes NS and MX records defined previously; plus any others requiredns1 IN A 192.168.254.2mail IN A 192.168.254.4joe IN A 192.168.254.6www IN A 192.168.254.7; aliases ftp (ftp server) to an external locationftp IN CNAME ftp.example.net.

DNS Subdomain Delegation

;; subdomain definitions in the same zone file; $ORIGIN directive simplifies and clarifies definitions$ORIGIN ramq.example.com. ; all subsequent RRs use this ORIGIN; two name servers for the subdomain@ IN NS ns3.ramq.example.com.; the preceding record could have been written without the $ORIGIN as; ramq.example.com. IN NS ns3.ramq.example.com.; or @ IN NS ns3; the second name server points back to preceding ns1 IN NS ns1.example.com.; A records for name server ns3 required - the glue recordns3 IN A 10.10.0.24 ; glue record; the preceding record could have been written as; ns3.ramq.example.com. A 10.10.0.24 if it's less confusing

Child Zone File; zone file for subdomain us.example.com$TTL 2d ; zone default of 2 days$ORIGIN ramq.example.com. IN SOA ns3.ramq.example.com. hostmaster.ramq.example.com. ( 2003080800 ; serial number 2h ; refresh = 2 hours 15m ; update retry = 15 minutes 3w12h ; expiry = 3 weeks + 12 hours 2h20m ; minimum = 2 hours + 20 minutes ); subdomain name servers IN NS ns3.ramq.example.com. IN NS ns1.example.com. ; see following notes; subdomain mail server IN MX 10 mail.ramq.example.com.; A records for preceding name serversns3 IN A 10.10.0.24ns1.example.com. IN A 192.168.0.3 ; 'glue' record; A record for preceding mail servermail IN A 10.10.0.25; next record defines our ftp serverftp IN A 10.10.0.28

Full Subdomain Delegation One of the Parent name servers provides

NS services (slave) – common but not essential

Mail is also delegated – not essential could use mail.example.com

Needs one DNS server in this case (ns3.ramq.example.com)

Zone file controlled by delegated authority

Can delegate further

Virtual Subdomains

$ORIGIN ramq.example.com. IN MX 10 mail; preceding record could have been written as; ramq.example.com. IN MX 10 mail.ramq.example.com.; A record for subdomain mail servermail IN A 10.10.0.28; the preceding record could have been written as; mail.ramq.example.com. A 10.10.0.28 if it's less confusingftp IN A 10.10.0.29; the preceding record could have been written as; ftp.ramq.example.com. A 10.10.0.29 if it's less confusing....; other subdomain definitions as required$ORIGIN mderr.example.com.

Virtual Subdomain Requires no new name servers Functionally identical to full delegation Zone file controlled by main zone

administrators Shows delegation of mail – not essential –

could use mail.example.com Further delegation possible under control

of main zone administrators

GLUE Records Widely and erroneously used term Glue is a A (AAAA) RR pointing to a

authoritative name server for the child zone

Glue is essential At the parent For in-zone name servers

All others are technically normal A (AAAA) RRs

Glue – Why Essential? Client needs A RR to get to host Client needs a name server to get to

host record Client needs A RR of name server to

get name server Not required if out-of-zone – normal

lookup for out-of-zone will get an in-zone name server glue record!

DNS – SRV RR

SRV provides a means to find a host that offers a service within domain

srvce = symbolic name of service (standardized by IANA) _ftp

prot = protocol name _tcp name = domain (zone name) can be

omitted (substitution)

srvce.prot.name ttl class rr pri weight port target

DNS – SRV RR

pri = relative priority – lower is more important like the MX RR (0 – 65535)

weight = when pri is the same defines the frequency of delivery of the SRV (0 – 65535)

port = the port number of the service (only time that DNS deals with ports and allows for non-standard ports)

srvce.prot.name ttl class rr pri weight port target

DNS – SRV RR

target = name of the host that provides the service

srvce.prot.name ttl class rr pri weight port target

SRV RR

$ORIGIN example.com.…..; left hand name is _http._tcp.example.com = query target_http._tcp SRV 10 1 80 slow.example.com. SRV 10 3 80 fast.example.com.; if neither slow or fast available, switch to; an external backup web server but use port 8100 not port 80 SRV 20 0 8100 backup.example.net.slow A 192.168.254.3fast A 192.168.254.4

SRV RR Extensive use made by modern

services such as: SIP (voip) LDAP Windows AD (kerberos and others)

Web browsers rarely use SRV

NAPTR RRs

NAPTR (Naming Authority Pointer Record) is a general purpose RR for Dynamic Delegation Discover System (DDDS). Sister or SRV. Application unique format.

order = low is highest like MX pref = if order is same pref (lower is

highest) is used to find best RR

NAPTR order pref flag params regexp replace

NAPTR RRs

flag = Optional. Enclosed in quotes. Unique to application

params = Optional. Enclosed in quotes. Unique to application.

regexp = regular expression applied to Application User String (AUS)

NAPTR order pref flag params regexp replace

NAPTR RRs

replace = Replaces the Application User String (AUS). Dot if not used.

NAPTR order pref flag params regexp replace

ENUM Use of NAPTR ENUM is a service which allows a

telephone number to be converted into one or more methods to reach a human

Domain name is .e164.arpa Assume we want to contact +44-111-555-

1212 (AUS = +441115551212) First Well Known Rule (ENUM specific)

creates 2.1.2.1.5.5.5.1.1.1.4.4.E164.ARPA – DNS lookup

ENUM Use of NAPTR

ENUM Use of NAPTR

; zone file fragment for 5.5.5.1.1.1.4.4.E164.ARPA$TTL 2d ; zone TTL default = 2 days or 172800 seconds$ORIGIN 5.5.5.1.1.1.4.4.E164.ARPA.....2.1.2.1 NAPTR ( 10 ;order 100 ; preference "U" ; flag "E2U+sip" ;svc "!^\\+44111555(.+)$!sip:7\\1@sip.example.com!" ;ere .) ; replace NAPTR 10 101 "u" "E2U+pres" "!^.*$!mailto:sheila@example.com!" .

ENUM Result First NAPTR RR gives

sip:71212@sip.example.com "!^\\+44111555(.+)$!sip:7\\1@sip.example.com!"

If this fails second NAPTR gives mailto:sheila@example.com "!^.*$!mailto:sheila@example.com!"

Regular Expression Quick Key! = delimiter, () group, $ = EoL, \1 = backref (group), ^ = SoL+ = 1 or more times, * = 0 or more times\ escaped for DNS only (\\1), on-wire escape char removed (\1)

Quick Quiz Normal strategy for load balancing? MX failover/load balancing strategies? Does virtual subdomain delegation

require name servers? What is the parent of ramq.example.com Are NS RRs in the parent authoritative Are GLUE records necessary for out-of-

zone name servers? What do SRV records do?

Zone File Exercise Zone files for domain delegation Full delegation

Parent is gov.lc Child is nic.gov.lc Mail will go to the parent domain Two NS servers ns1.nic.gov.lc,

ns2.nic.gov.lc