DNS for Developers - ConFoo Montreal


We browse the Internet. We host our applications on a server or a cloud that is hooked up with a nice domain name. That’s all there is to know about DNS, right? This talk is a refresher about how DNS works. How we can use it and how it can affect availability of our applications. How we can use it as a means of configuring our application components. How this old geezer protocol is a resilient, distributed system that is used by every Internet user in the world. How we can use it for things that it wasn’t built for. Come join me on this journey through the innards of the web!

1. DNS for Developers
   Maarten Balliauw, @maartenballiauw

2. “Can we add a CNAME to the DNS?” (Manager)

3. “Sure, why?” (Me)

4. “foo.bar.com should redirect to http://bar.com/foo.aspx” (Manager)

5. Who am I?
   Maarten Balliauw, Antwerp, Belgium
   Developer Advocate, JetBrains; Founder, MyGet; AZUG
   Focus on web: ASP.NET MVC, Azure, SignalR, ...
   Former MVP Azure & ASPInsider; big passion: Azure
   http://blog.maartenballiauw.be, @maartenballiauw

6. Agenda
   The 101 stuff: how the Internet works (the DNS part), DNS zones, security
   DNS in application architecture: failover, load balancing, CDN; configuration and service discovery
   DNS for fun and profit

7. How the Internet works (the DNS part)

8. “Let’s Google!”

9. “Let’s Google!”
   We need an IP address for www.google.com
   Use the Domain Name System (“phone book”)
   Map www.google.com to 172.217.0.164 / 2a00:1450:4009:80f::2004
   After which the browser will do its HTTP magic

10. “Let’s Google!”
    Check the operating system (hosts file, ...)
    Check the DNS cache
    Ask the home router
    Check the DNS cache at the ISP; not in the cache? Iterate!

11. “Let’s Google!”
    Ask the root servers where .com. lives
    Ask the .com. authoritative server where google.com. lives
    Ask the google.com. authoritative server for the IP address of www.google.com.

12. Digging into the DNS (DEMO)

13. DNS: 2 types of servers
    Authoritative: “owns the domain” (answers from its own zone data, no recursion needed)
    Cache (recursor): “resolves the domain for you” (walks the hierarchy on your behalf and caches what it learns)
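What the iteration above looks like on the wire, as an added example that is not part of the talk: a query builder and a response parser for the DNS message format (RFC 1035), exercised on a constructed referral shaped like the .com servers' answer for www.google.com. The transaction ID, the RFC 5737 address 192.0.2.53 and the packet bytes are made up for the example; only the standard library is used, so it runs offline.

```python
import random
import struct


def encode_name(name):
    """Encode 'www.google.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("each label must be 1-63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=None, rd=True):
    """Build a DNS query packet. RD=1 asks a recursor to resolve for us;
    RD=0 is what an iterative resolver sends to root/TLD/authoritative servers."""
    txid = random.getrandbits(16) if txid is None else txid
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # qclass IN


def decode_name(msg, off):
    """Decode the name at msg[off], following RFC 1035 compression pointers.
    Returns (fqdn, offset of the byte after the name as it sits in the packet)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 11xxxxxx: pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if jumped else off


def parse_response(msg):
    """Parse the header, skip the question, decode answer/authority/additional."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                       # qtype + qclass
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in zip(sections, (an, ns, ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rdlen == 4:              # A record: dotted quad
                value = ".".join(str(b) for b in msg[off:off + 4])
            elif rtype in (2, 5, 12):                  # NS, CNAME, PTR: rdata is a name
                value, _ = decode_name(msg, off)
            else:
                value = msg[off:off + rdlen].hex()
            off += rdlen
            sections[section].append((owner, rtype, ttl, value))
    return {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0xF, **sections}


# Constructed referral, shaped like what a .com server returns for "www.google.com A"
# when asked with RD=0: empty answer, an NS record in authority and glue in additional.
# 192.0.2.53 is an RFC 5737 documentation address, not Google's real nameserver.
REFERRAL = (
    struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 1, 1)
    + encode_name("www.google.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x10" + struct.pack("!HHIH", 2, 1, 172800, 6) + b"\x03ns1\xc0\x10"   # google.com. NS ns1.google.com.
    + b"\xc0\x2c" + struct.pack("!HHIH", 1, 1, 172800, 4) + bytes([192, 0, 2, 53])  # ns1.google.com. A 192.0.2.53
)

if __name__ == "__main__":
    print(build_query("www.google.com", txid=0x1234, rd=False).hex())
    print(parse_response(REFERRAL))
```

Sending build_query(name, rd=False) over UDP port 53 to a server from the root hints and feeding the reply to parse_response is one step of the loop that dig +trace performs: a referral has an empty answer section and carries the delegation in authority plus glue in additional, which is exactly the input the next iteration needs.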
14. DNS
    Designed in 1983 by Paul Mockapetris (USC Information Sciences Institute), RFC 882/883
    Converts hostnames to IP addresses
    Stores mail delivery information for a domain
    Stores other information for a domain (TXT records)

15. How do I get a domain name?
    TLDs are managed by separate organisations: Verisign (.com), Canadian Internet Registration Authority (CIRA) (.ca), DNS Belgium (.be), EURid (.eu), …
    Rules! Who can register a name? Ownership change procedures, disputes, technical rules
    Domain registration is usually done through a registrar, e.g. DNSimple - http://bit.ly/dns4developers

16. Hierarchical system
    .
    ├── com
    │   └── google
    │       ├── www
    │       └── mail
    ├── org
    │   └── example
    │       ├── www
    │       └── staff
    │           └── www
    ├── ca
    │   └── confoo
    └── …

17. Root servers
    13 root server identities, a.root-servers.net to m.root-servers.net, coordinated through ICANN/IANA: http://root-servers.org/
    Why only 13? Classic DNS over UDP limits a packet to 512 bytes; a response listing more than 13 root NS names plus their addresses would not fit
    There are far more physical servers: every identity is anycast from many locations

18. gTLD, ccTLD, iTLD, … servers
    Delegation from the root servers to the gTLD, ccTLD, iTLD, … servers
    List managed by IANA: http://www.iana.org/domains/root/db
    “Where does .tld live?” .ca - https://www.iana.org/domains/root/db/ca.html → “any.ca-servers.ca”

19. Root servers are a convention!
    Every recursive resolver ships with the root hints, but they can be replaced
    E.g. www.opennicproject.org: has its own TLDs as well (.bit, .free, .null, .oss, …); not widely used (?) as it is an alternate realm
    E.g. www.orsn.org (Open Root Server Network): mirrors the ICANN root servers to reduce over-dependence on the USA; “independent mode” in case the political situation requires it

20. Caches, caches everywhere!
    “Let’s change the IP address for our webserver in the DNS”
    Caches in recursive resolvers (e.g. at ISPs): https://www.whatsmydns.net/
    Caches in the OS: ipconfig /flushdns
    Caches in applications (e.g. in the browser): restart the browser
    Lower the TTL beforehand, at least one old TTL before the change, to make updating smoother
21. DNS zones

22. DNS zone
    “A Domain Name System (DNS) zone file is a text file that describes a DNS zone. A DNS zone is a subset, often a single domain, of the hierarchical domain name structure of the DNS. The zone file contains mappings between domain names and IP addresses and other resources, organized in the form of text representations of resource records (RR). A zone file may be either a DNS master file, authoritatively describing a zone, or it may be used to list the contents of a DNS cache.” [1]

23. DNS zone

    $ORIGIN example.com.     ; designates the start of this zone file in the namespace
    $TTL 1h                  ; default expiration time of all resource records
    example.com.  IN  SOA   ns.example.com. username.example.com. ( 2007120710 1d 2h 4w 1h )
    example.com.  IN  NS    ns                    ; ns.example.com is a nameserver for example.com
    example.com.  IN  NS    ns.somewhere.example. ; another nameserver
    example.com.  IN  MX    10 mail.example.com.  ; mail.example.com is the mailserver for example.com
    @             IN  MX    20 mail2.example.com. ; equivalent to above line, "@" represents zone origin
    @             IN  MX    50 mail3              ; equivalent to above line, but using a relative host name
    example.com.  IN  A     192.0.2.1             ; IPv4 address for example.com
                  IN  AAAA  2001:db8:10::1        ; IPv6 address for example.com
    ns            IN  A     192.0.2.2             ; IPv4 address for ns.example.com
    www           IN  CNAME example.com.          ; www.example.com is an alias for example.com
    mail          IN  A     192.0.2.3             ; IPv4 address for mail.example.com
    mail2         IN  A     192.0.2.4             ; IPv4 address for mail2.example.com
    mail3         IN  A     192.0.2.5             ; IPv4 address for mail3.example.com
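To make the zone-file rules above concrete, an added example (not the author's code) of a small zone-file parser that handles $ORIGIN, $TTL, the @ shorthand, relative names, an omitted owner, ; comments and parenthesised continuations, run over the slide's zone. The fallback TTL of 3600 when a zone has no $TTL line is an assumption of this example; real servers take it from the SOA.

```python
import re

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT", "SRV", "PTR"}


def parse_ttl(text):
    """'1h' -> 3600, '4w' -> 2419200, '1d2h' -> 93600, '300' -> 300."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", text.lower()))


def fqdn(name, origin):
    """Zone-file name rules: '@' is the origin; a name without a trailing dot is relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text):
    """Strip ';' comments and join '( ... )' continuations. Yields (owner_omitted, tokens)."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
            yield buf[0][:1].isspace(), tokens       # leading whitespace = owner omitted
            buf, depth = [], 0


def parse_zone(text, origin="", default_ttl=3600):
    """Return [(owner, ttl, type, rdata)] with every name fully qualified and every TTL in seconds."""
    records, last_owner = [], origin
    for owner_omitted, tokens in logical_lines(text):
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        owner = last_owner if owner_omitted else fqdn(tokens.pop(0), origin)
        ttl = default_ttl
        if re.fullmatch(r"\d+[smhdw]?", tokens[0], re.I):   # optional per-record TTL
            ttl = parse_ttl(tokens.pop(0))
        if tokens[0].upper() == "IN":                        # optional class
            tokens.pop(0)
        rtype, rdata = tokens.pop(0).upper(), tokens
        if rtype not in TYPES:
            raise ValueError(f"unsupported record type {rtype!r} for {owner}")
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [fqdn(rdata[0], origin)]
        elif rtype == "MX":                                   # preference target
            rdata = [int(rdata[0]), fqdn(rdata[1], origin)]
        elif rtype == "SOA":                                  # mname rname serial refresh retry expire minimum
            rdata = [fqdn(rdata[0], origin), fqdn(rdata[1], origin)] + [parse_ttl(x) for x in rdata[2:7]]
        elif rtype == "SRV":                                  # priority weight port target
            rdata = [int(rdata[0]), int(rdata[1]), int(rdata[2]), fqdn(rdata[3], origin)]
        records.append((owner, ttl, rtype, rdata))
        last_owner = owner
    return records


def lookup(records, name, rtype):
    """All rdata for a name and type, in zone order. A CNAME is returned as data, not followed."""
    return [r[3] for r in records if r[0].lower() == name.lower() and r[2] == rtype]


# The zone from the slide, used here as constructed sample input.
EXAMPLE_ZONE = """\
$ORIGIN example.com.     ; designates the start of this zone file in the namespace
$TTL 1h                  ; default expiration time of all resource records
example.com.  IN  SOA   ns.example.com. username.example.com. (
                        2007120710 1d 2h 4w 1h )
example.com.  IN  NS    ns                    ; ns.example.com is a nameserver for example.com
example.com.  IN  NS    ns.somewhere.example. ; another nameserver
example.com.  IN  MX    10 mail.example.com.
@             IN  MX    20 mail2.example.com. ; "@" represents the zone origin
@             IN  MX    50 mail3              ; relative host name
example.com.  IN  A     192.0.2.1
              IN  AAAA  2001:db8:10::1        ; blank owner: same owner as the previous record
ns            IN  A     192.0.2.2
www           IN  CNAME example.com.
mail          IN  A     192.0.2.3
mail2         IN  A     192.0.2.4
mail3         IN  A     192.0.2.5
"""

if __name__ == "__main__":
    for record in parse_zone(EXAMPLE_ZONE):
        print(record)
```

Note what lookup returns for www.example.com: the CNAME target as data. A resolver restarts the query with that name; a browser is never told to change its URL, which is the whole point of slide 25's “NOT A REDIRECT”.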
24. DNS zone
    Contains records describing a domain: value + TTL
    At the minimum: a Start of Authority (SOA) record, “which server holds the authoritative data for the name I want to look up”
    Name of the authoritative master name server
    Email address of someone responsible for management of the name server
    Timing parameters: serial number, secondary refresh interval, secondary retry time, secondary expiration time, and the minimum (negative-caching) TTL

25. DNS zone: typical other records
    NS – which are my nameservers? (or subdomain delegation)
    A – IPv4 address
    AAAA – IPv6 address
    CNAME – alias for another name (NOT A REDIRECT)
    MX – mail exchangers for the domain, with priorities
    TXT – textual value, often used to validate domain ownership, publish spam rules (SPF), …
    SRV – describes a service: priority, weight, port and target host

26. PTR
    “Reverse DNS”, used by e.g. diagnostic tools like ping and traceroute
    Email anti-spam uses this as well (check whether the EHLO name matches the reverse record of the sending IP)

27. Zone transfer
    Usually more than one nameserver for a zone: 1 primary, other secondaries
    No need to maintain zones on every secondary!
    Zone transfer: the primary knows the secondaries’ IPs (we don’t want to transfer to just anyone)
    The secondary knows the zone name and queries the primary over TCP (53) to replicate the data (AXFR for a full copy, IXFR for incremental changes)
    Uses the SOA serial to check the zone version & decide on an update
    Restrict transfers by IP and/or TSIG signature: a primary that answers AXFR for anyone hands the complete zone, every hostname included, to whoever asks
28. Security

29. DNS cache poisoning
    Consider this DNS zone…

    $ORIGIN evil.com.
    $TTL 1h
    evil.com.        IN  SOA  ns.evil.com. username.example.com. ( 2007120710 1d 2h 4w 1h )
    evil.com.        IN  NS   ns1.google.com.
    ns1.google.com.  IN  A    123.123.123.123

    Consider this web page…

    <!-- ... -->
    <img src="http://www.evil.com/image.gif"/>
    <!-- ... -->

    Browser & OS cache ns1.google.com as 123.123.123.123.

30. DNS cache poisoning (DEMO)

31. DNSSEC (Domain Name System Security Extensions)
    Set of extensions to DNS
    Origin verification: is the record really coming from the proper name server?
    Adds signing support (and delegation): top-down the chain (root servers have DNSSEC, gTLD servers have DNSSEC, …)
    Why did that demo work? A custom resolver without DNSSEC validation, so the trust chain is broken
    The demo also relies on the resolver accepting out-of-zone data: a standards-following resolver discards the ns1.google.com A record above because it lies outside evil.com’s bailiwick (RFC 2181 §5.4.1) and asks google.com’s own servers instead
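The bailiwick check that keeps the zone above out of a cache, as an added example that is not from the talk. The responses are constructed (203.0.113.x are RFC 5737 documentation addresses); the logic is the RFC 2181 §5.4.1 rule that data learned from a server is only trusted for names at or below the zone that server is authoritative for.

```python
def in_bailiwick(name, zone):
    """True when `name` is `zone` itself or lies below it (compared as FQDNs, case-insensitively)."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)


def filter_response(server_zone, response):
    """Keep only records a resolver may learn from a server authoritative for `server_zone`.
    `response` maps section name -> list of (owner, type, rdata). Returns (kept, dropped)."""
    kept, dropped = {"answer": [], "authority": [], "additional": []}, []
    for section, records in response.items():
        for owner, rtype, rdata in records:
            if in_bailiwick(owner, server_zone):
                kept[section].append((owner, rtype, rdata))
            else:
                # The delegation itself (evil.com. NS ns1.google.com.) is fine: its owner is in zone.
                # The glue for ns1.google.com is not: the resolver must look that up via google.com.
                dropped.append((section, owner, rtype, rdata))
    return kept, dropped


# Constructed: what ns.evil.com answers for www.evil.com, carrying the slide's poisoned glue.
POISON_ATTEMPT = {
    "answer": [("www.evil.com.", "A", "203.0.113.10")],
    "authority": [("evil.com.", "NS", "ns1.google.com.")],
    "additional": [("ns1.google.com.", "A", "123.123.123.123")],
}

# Constructed: the same shape with legitimate in-zone glue, which must survive the filter.
LEGITIMATE = {
    "answer": [("www.evil.com.", "A", "203.0.113.10")],
    "authority": [("evil.com.", "NS", "ns.evil.com.")],
    "additional": [("ns.evil.com.", "A", "203.0.113.53")],
}

if __name__ == "__main__":
    kept, dropped = filter_response("evil.com", POISON_ATTEMPT)
    print("kept:", kept)
    print("dropped:", dropped)
```

The check is deliberately on the owner name, not on the rdata: a zone is allowed to delegate to nameservers outside itself, it just does not get to tell the resolver what their addresses are.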
32. DNS Amplification for DDoS
    DNS recursion is awesome! (and often on by default)
    Lots of DNS servers out there have recursion enabled for everyone: lots of open resolvers
    Saturate a victim’s network connection by using open DNS resolvers
    UDP traffic has no source IP verification: spoof the source address to the victim’s, and the much larger responses land there

33. DNS Amplification for DDoS

    Attacker --(small queries, source spoofed to Victim)--> Open DNS resolver --(large responses)--> Victim
                                                            Open DNS resolver
                                                            Open DNS resolver

34. DNS Amplification for DDoS
    Make sure to disable recursion, or limit it to known, trusted networks
    Use a DDoS filtering service: Akamai, CloudFlare, Verisign, ...
    Use an SPI firewall to verify packet origin
    A stateful firewall at the victim cannot tell a spoofed packet from a real one; the spoofing itself is stopped by BCP 38 ingress filtering at the networks the attacker sends from, and authoritative servers limit their contribution with response rate limiting
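An added example (not from the talk) of the defence a practitioner wants on an authoritative server next to “disable recursion”: response rate limiting, run over a constructed query log in which twenty ANY queries carry a spoofed victim source. The budget, the slip ratio, the /24 grouping, the packet sizes and all addresses are assumptions of the example; the shape follows the RRL scheme implemented in BIND and Knot.

```python
import collections
import ipaddress


def amplification_factor(query_len, response_len):
    """Bytes the victim receives per byte the attacker sends (DNS payload only)."""
    return response_len / query_len


class ResponseRateLimiter:
    """Budget of responses per (client /24, qname, second). Over budget, every `slip`-th
    response is sent truncated (TC=1): a genuine client retries over TCP, which a spoofed
    source can never complete; the remaining over-budget responses are dropped."""

    def __init__(self, per_second=5, slip=2):
        self.per_second, self.slip = per_second, slip
        self.seen = collections.Counter()
        self.over = collections.Counter()

    def decide(self, ts, src_ip, qname):
        net = ipaddress.ip_network(f"{src_ip}/24", strict=False)  # IPv4 clients assumed here
        key = (int(ts), net, qname.lower().rstrip("."))
        self.seen[key] += 1
        if self.seen[key] <= self.per_second:
            return "answer"
        self.over[key] += 1
        return "truncate" if self.over[key] % self.slip == 0 else "drop"


def run_rrl(log, limiter=None):
    """Feed (timestamp, source_ip, qname, qtype) tuples through the limiter; count the outcomes."""
    limiter = limiter or ResponseRateLimiter()
    outcome = collections.Counter()
    for ts, src, qname, _qtype in log:
        outcome[limiter.decide(ts, src, qname)] += 1
    return outcome


# Constructed query log: 20 ANY queries within 0.4 s whose source is spoofed to the
# victim 198.51.100.7, then one ordinary query from an unrelated client.
QUERY_LOG = [(1000.0 + i * 0.02, "198.51.100.7", "example.com", "ANY") for i in range(20)]
QUERY_LOG.append((1000.5, "192.0.2.44", "example.com", "A"))

# Constructed sizes: "example.com ANY" is 12 header + 13 name + 4 bytes of question,
# a fat ANY response with DNSSEC material is assumed to be 2900 bytes.
QUERY_LEN, ANY_RESPONSE_LEN = 12 + 13 + 4, 2900

if __name__ == "__main__":
    print("amplification x%.0f" % amplification_factor(QUERY_LEN, ANY_RESPONSE_LEN))
    print(run_rrl(QUERY_LOG))
```

With a budget of five per second the victim receives five full responses instead of twenty, and the truncated ones are tiny; the legitimate client from another network is unaffected because it has its own budget.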
35. DNS in application architecture

36. DNS failover / load balancing
    Simple “round-robin”:

    www.example.local.  IN  A  192.168.0.1
    www.example.local.  IN  A  192.168.0.2
    www.example.local.  IN  A  192.168.0.3

    Most DNS servers rotate the list, so a different IP comes first in each answer
    Issues: what if one of the addresses is unreachable? What if the order is cached at the ISP?

37. DNS failover / load balancing
    Intelligent DNS server, e.g. Azure Traffic Manager / Amazon Route 53
    Scenarios: round-robin, failover, performance
    What if one of the addresses is unreachable? → monitoring of endpoints
    What if the order is cached at the ISP? → low TTL (still gaps)

38. Azure Traffic Manager (DEMO)
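Added example, not the author's code: a client that does its own round-robin and failover over the three A records above, which closes both gaps the slide lists whenever you control the client side. The resolver and the network are faked (the second address refuses connections) so the example runs offline; the 30-second quarantine is an assumed value.

```python
import collections
import random
import time


class FailoverClient:
    """Client-side round-robin with failover over the A records DNS hands back.
    `resolve(host)` returns the address list, `connect(ip)` returns a connection or raises
    OSError. An address that failed is tried last until `quarantine` seconds have passed."""

    def __init__(self, resolve, connect, quarantine=30.0, clock=time.monotonic):
        self.resolve, self.connect = resolve, connect
        self.quarantine, self.clock = quarantine, clock
        self.retry_after = {}                      # ip -> clock time at which it may be retried

    def open(self, host):
        ips = list(self.resolve(host))
        if not ips:
            raise LookupError(f"no addresses for {host}")
        random.shuffle(ips)                        # don't rely on server rotation: a cache freezes the order
        now = self.clock()
        healthy = [ip for ip in ips if self.retry_after.get(ip, 0.0) <= now]
        quarantined = [ip for ip in ips if ip not in healthy]
        failures = []
        for ip in healthy + quarantined:           # quarantined ones only as a last resort
            try:
                return ip, self.connect(ip)
            except OSError as exc:
                self.retry_after[ip] = now + self.quarantine
                failures.append((ip, str(exc)))
        raise ConnectionError(f"all addresses for {host} failed: {failures}")


# Constructed stand-ins for the slide's zone and for the network: the second address is down.
ATTEMPTS = collections.Counter()


def fake_resolve(host):
    return ["192.168.0.1", "192.168.0.2", "192.168.0.3"]


def fake_connect(ip):
    ATTEMPTS[ip] += 1
    if ip == "192.168.0.2":
        raise OSError("connection refused")
    return f"socket->{ip}"


def demo(n=20):
    """Open n connections inside one quarantine window; returns the addresses actually used."""
    client = FailoverClient(fake_resolve, fake_connect, quarantine=30.0, clock=lambda: 0.0)
    return [client.open("www.example.local")[0] for _ in range(n)]


if __name__ == "__main__":
    print(demo())
    print(dict(ATTEMPTS))
```

The dead address is hit at most once per quarantine window, and never surfaces to the caller; a low TTL is still worth setting so the list itself refreshes when the zone changes.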
39. Content Delivery Network (CDN)
    Serve origin content from an edge location close to the user
    www.cdnreviews.com

40. Content Delivery Network (CDN)
    Serve origin content from an edge location close to the user
    Intelligent DNS approach: look up the location of the querying IP address (the recursive resolver’s, unless EDNS Client Subnet passes the client’s along) and return a DNS record closer to the user; try nslookup myget-2e16.kxcdn.com
    IP Anycast: advertise the same IP for the edge server in different networks; no logic needed in DNS; the DNS root servers use this as well
41. Configuration in DNS
    Typical application configuration: key/value pairs, hierarchy → store as DNS records (TXT?)
    Typically multiple environments: one special DNS server per environment, one master to which we can recurse (e.g. shared settings)

42. Configuration in DNS (DEMO)

43. Configuration in DNS
    Alternative: store just the hostnames per environment; api.app.local → a different IP per environment
    Downsides to configuration in DNS: still need to maintain “the phone book” when changes occur; not very flexible with dynamic resources...; caches, CACHES!
    Plain DNS is neither confidential nor authenticated, so keep secrets out of TXT records and treat what you read back as untrusted input
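Added example, not from the talk: the environment-then-shared lookup the slides describe, together with the wire-format detail that bites when configuration goes into TXT records. A TXT value is a sequence of character-strings of at most 255 bytes each, so anything longer must be split on write and joined on read (the convention SPF, DKIM and DMARC use). The record names, the config.local base and the values are constructed.

```python
def encode_txt(value):
    """Wire form of a TXT record: one or more <length><bytes> strings of at most 255 bytes."""
    data = value.encode("utf-8")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)] or [b""]
    return b"".join(bytes([len(c)]) + c for c in chunks)


def decode_txt(rdata):
    """Join the character-strings back into the single value they encode."""
    off, parts = 0, []
    while off < len(rdata):
        n = rdata[off]
        parts.append(rdata[off + 1:off + 1 + n])
        off += 1 + n
    return b"".join(parts).decode("utf-8")


class ConfigResolver:
    """Look up <key>.<env>.<base> first and fall back to <key>.<base>, the shared settings."""

    def __init__(self, records, base="config.local."):
        self.records, self.base = records, base      # records: fqdn -> TXT rdata bytes

    def get(self, key, env):
        for name in (f"{key}.{env}.{self.base}", f"{key}.{self.base}"):
            if name in self.records:
                return decode_txt(self.records[name])
        raise KeyError(f"{key} is configured neither for {env} nor as a shared setting")


# Constructed zone content; the hostnames are placeholders, the feature list is well over 255 bytes.
LONG_VALUE = ",".join(f"feature{i}=on" for i in range(60))
RECORDS = {
    "db.host.prod.config.local.": encode_txt("db-prod.example.internal"),
    "db.host.config.local.": encode_txt("db-dev.example.internal"),
    "features.config.local.": encode_txt(LONG_VALUE),
}

if __name__ == "__main__":
    cfg = ConfigResolver(RECORDS)
    print(cfg.get("db.host", "prod"), cfg.get("db.host", "staging"))
    print(len(LONG_VALUE), "bytes in", RECORDS["features.config.local."].count(b"") and
          len(RECORDS["features.config.local."]) - len(LONG_VALUE), "character-strings")
```

Many libraries hand you the character-strings as a list rather than joining them; if you concatenate with spaces or take only the first element, values longer than 255 bytes silently break.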
44. Service discovery
    “Detect services on various devices on a network of computers with minimal configuration.”
    UPnP, Service Location Protocol (SLP), Zero Configuration Networking (Zeroconf)
    Simple way to find and list services without maintaining a directory: every service announces itself

45. Service discovery
    Multicast DNS (mDNS): 224.0.0.251 (IPv6: ff02::fb), UDP port 5353; every machine on the network listens
    DNS Service Discovery (DNS-SD): works with mDNS and with unicast DNS
      SRV (name + type, port, hostname), PTR (pointer), A (service IP), TXT (additional information)
    You are probably already using this today! Printers, Apple Bonjour, Office 365, …

    46ce01.local.                A    192.168.1.101
    46ce01._printer._tcp.local.  SRV  0 0 515 46ce01.local.
    _printer._tcp.local.         PTR  46ce01._printer._tcp.local.

46. Service Discovery with mDNS and DNS-SD (DEMO)
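The PTR → SRV → TXT → A walk a DNS-SD browser performs over the records above, as an added example over a constructed mDNS cache (not code from the talk). The second printer and its records are invented; the TXT key/value rules are those of RFC 6763 §6.

```python
def parse_sd_txt(strings):
    """RFC 6763 §6: each string is key[=value]; keys are case-insensitive, a key without
    '=' is a boolean flag, and only the first occurrence of a key counts."""
    attrs = {}
    for s in strings:
        if not s:
            continue
        key, sep, value = s.partition("=")
        attrs.setdefault(key.lower(), value if sep else True)
    return attrs


def browse(service, records):
    """Walk PTR -> SRV -> A/AAAA and TXT; returns one dict per service instance.
    `records` maps an owner name to a list of (type, rdata) tuples as collected from mDNS."""
    found = []
    for rtype, instance in records.get(service, []):
        if rtype != "PTR":
            continue
        rrs = records.get(instance, [])
        srv = next((rd for t, rd in rrs if t == "SRV"), None)
        if srv is None:
            continue                               # PTR without SRV: nothing to connect to
        priority, weight, port, target = srv
        txt = next((rd for t, rd in rrs if t == "TXT"), [])
        addresses = [rd for t, rd in records.get(target, []) if t in ("A", "AAAA")]
        found.append({
            "instance": instance[:-(len(service) + 1)],   # strip "._printer._tcp.local."
            "host": target, "port": port, "addresses": addresses,
            "priority": priority, "weight": weight, "txt": parse_sd_txt(txt),
        })
    found.sort(key=lambda i: (i["priority"], -i["weight"]))  # SRV selection order
    return found


# Constructed mDNS cache: the printer from the slide plus an invented second one.
MDNS_CACHE = {
    "_printer._tcp.local.": [("PTR", "46ce01._printer._tcp.local."),
                             ("PTR", "Lobby Printer._printer._tcp.local.")],
    "46ce01._printer._tcp.local.": [("SRV", (0, 0, 515, "46ce01.local.")),
                                    ("TXT", ["txtvers=1", "rp=lp", "pdl=application/postscript"])],
    "46ce01.local.": [("A", "192.168.1.101")],
    "Lobby Printer._printer._tcp.local.": [("SRV", (10, 0, 9100, "lobby-prn.local.")),
                                           ("TXT", ["rp=raw", "Color"])],
    "lobby-prn.local.": [("A", "192.168.1.102"), ("AAAA", "fe80::1")],
}

if __name__ == "__main__":
    for printer in browse("_printer._tcp.local.", MDNS_CACHE):
        print(printer)
```

Everything in that cache arrived unauthenticated over multicast from whoever is on the LAN, so an application should treat the TXT attributes as hints and the host/port as something to verify (TLS, pairing) before trusting it.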
47. Abusing DNS for fun and profit

48. Public hotspots
    Connect to wifi; captive portal
    Usually intercepts HTTP(S) only
    Usually allows DNS lookups

49. Public hotspots

50. HTTP over DNS
    Custom client and server
    Server: identify the client; fetch upstream data and make it available as DNS records
    Client: expose itself as a local proxy; make DNS lookups with the custom server
    Things to be aware of…: UDP packet size, maximum length of records, maximum # of records; encrypt the transport

51. HTTP over DNS
    Local browser → HoD client → HoD server → Target HTTP server
    The browser uses the local HoD client as proxy; the HoD server makes the upstream request and translates it into DNS response(s)

52. HTTP over DNS on the Internet
    Local browser → HoD client → ISP nameserver → HoD server → Target HTTP server
    (the ISP nameserver recurses to the HoD server because it is the authoritative server for the tunnel domain)

53. HTTP over DNS (DEMO)

54. IP over DNS
    Same idea as HTTP over DNS: tunnel traffic; http://code.kryo.se/iodine/
    More elaborate protocol: user identification, auto-optimize UDP packet size, compression
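Added example, not the author's HoD code and not iodine: the client-side chunking and server-side reassembly that every DNS tunnel needs (63-byte labels, 253-byte names, sequence numbers, base32 because DNS names are case-insensitive), plus the detection heuristic a defender would run over query logs. The tunnel domain t.example.com, the session id, the payload, the thresholds and the normal-looking queries are all constructed.

```python
import base64
import collections
import hashlib
import math

MAX_LABEL, MAX_NAME = 63, 253


def encode_chunks(session, payload, domain):
    """Client side: split `payload` into query names <seq>.<session>.<base32 labels...>.<domain>
    that respect the 63-byte label and 253-byte name limits. Sequence numbers are 4 digits."""
    overhead = len(f"0000.{session}.") + 1 + len(domain)
    labels_per_name = max(1, (MAX_NAME - overhead) // (MAX_LABEL + 1))
    raw_per_name = labels_per_name * MAX_LABEL * 5 // 8      # base32 packs 5 bytes into 8 chars
    names = []
    for seq, i in enumerate(range(0, len(payload), raw_per_name)):
        b32 = base64.b32encode(payload[i:i + raw_per_name]).decode().rstrip("=").lower()
        labels = [b32[j:j + MAX_LABEL] for j in range(0, len(b32), MAX_LABEL)]
        names.append(f"{seq:04d}.{session}.{'.'.join(labels)}.{domain}")
    return names


def decode_chunk(name, domain):
    """Server side: turn a query name back into (seq, session, bytes), or None if it is not ours."""
    parts, dom = name.rstrip(".").split("."), domain.split(".")
    if len(parts) < len(dom) + 3 or parts[-len(dom):] != dom:
        return None
    data = "".join(parts[2:-len(dom)]).upper()
    data += "=" * (-len(data) % 8)                          # restore base32 padding
    return int(parts[0]), parts[1], base64.b32decode(data)


def reassemble(names, domain):
    """Reorder received chunks per session; UDP, and resolvers, deliver them in any order."""
    sessions = collections.defaultdict(dict)
    for name in names:
        decoded = decode_chunk(name, domain)
        if decoded:
            seq, session, data = decoded
            sessions[session][seq] = data
    return {s: b"".join(chunks[k] for k in sorted(chunks)) for s, chunks in sessions.items()}


def entropy(text):
    """Shannon entropy in bits per character."""
    counts, n = collections.Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_tunnel(qname, zone_labels=2, min_len=60, min_entropy=3.5):
    """Detection heuristic over a query log: a long, high-entropy subdomain under a zone.
    zone_labels is how many trailing labels make up the zone (2 for example.com)."""
    sub = "".join(qname.rstrip(".").split(".")[:-zone_labels])
    return len(sub) >= min_len and entropy(sub) >= min_entropy


# Constructed traffic: 768 pseudo-random bytes tunnelled under t.example.com, and ordinary lookups.
TUNNEL_DOMAIN = "t.example.com"
PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(24))
TUNNEL_QUERIES = encode_chunks("a1", PAYLOAD, TUNNEL_DOMAIN)
NORMAL_QUERIES = ["www.example.com.", "mail.example.com.", "staff.www.example.org."]

if __name__ == "__main__":
    print(len(TUNNEL_QUERIES), "queries, first:", TUNNEL_QUERIES[0])
    print("round trip ok:", reassemble(TUNNEL_QUERIES, TUNNEL_DOMAIN)["a1"] == PAYLOAD)
    print("flagged:", sum(looks_like_tunnel(q, zone_labels=3) for q in TUNNEL_QUERIES),
          "of", len(TUNNEL_QUERIES), "; normal flagged:", any(map(looks_like_tunnel, NORMAL_QUERIES)))
```

Upstream (client to server) rides in query names, which is why the server side above only decodes; downstream rides in the response rdata, where TXT or NULL records carry far more than a name can. The same two signals the heuristic uses, unusual subdomain length and entropy, are what most DNS monitoring products score, together with query volume per client toward one zone.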
55. Conclusion

56. Conclusion
    DNS is a hierarchical system; built in 1983, flexible and widely used
    Record types; DNSSEC
    Application architecture: failover, load balancing, CDN; configuration and service discovery
    Fun

57. Thank you! http://blog.maartenballiauw.be, @maartenballiauw
