2. disclaimer
• This presentation is just supporting material based on a DNS workshop held at http://hackerspace.gr.
• May have errors! Plz email me to correct them.
• At the time you are reading this, the examples may have different values.
• The domains used in this presentation are
randomly selected.
• Be aware of the serial in the first page!
10. Top Level Domains
• http://www.iana.org/domains/root/db
• Greek TLDs (as listed in the IANA root zone database):
.gr – country-code – ICS-FORTH GR
.δοκιμή – test – Internet Assigned Numbers Authority
11. Top Level Domain: gr. (ITE)
• gr. 10748 IN NS gr-br.ics.forth.gr.
• gr. 10748 IN NS gr-m.ics.forth.gr.
• gr. 10748 IN NS estia.ics.forth.gr.
• gr. 10748 IN NS grdns.ics.forth.gr.
• gr. 10748 IN NS gr-at.ics.forth.gr.
• gr. 10748 IN NS gr-us.ics.forth.gr.
• gr. 10748 IN NS gr-ix.ics.forth.gr.
• gr. 10748 IN NS grdns-de.denic.de.
13. Check domains
• > dig A www.ert.gr +short
• > dig NS nerit.gr +short
[de nada!]
ITE does not serve nerit.gr but ... (see next slide)
15. servers
• NS Vs DNS
• Auth Vs Resolvers (caching/recursive)
• Zone files Vs RAM (memory)
• ns1.otenet.gr, ns2.otenet.gr (serve zone files – don’t ask ITE)
• dns1.otenet.gr, dns2.otenet.gr (ask root NS – ask ITE – ask NS)
• All OTE customers MUST use 212.205.212.205 - dns1 & dns2
16. Public DNS – caching servers
• Google Public DNS (they record your dns queries)
● 8.8.8.8
● 8.8.4.4
• opennicproject
● 85.126.4.170 (T, AT)
● 151.236.10.135 (AT)
(the above IPs are just an example, click here: http://www.opennicproject.org/)
• opendns
● 208.67.222.222 (resolver1.opendns.com)
● 208.67.220.220 (resolver2.opendns.com)
17. RR – resource records
• SOA - Start of Authority Record
• NS - Name Server Record
• MX - Mail Exchanger Record
• A - IPv4 Address Record
• CNAME - Host Alias Record
• SRV - Services Record
• TXT - Text Record
• PTR - Pointer Record
18. Start Of Authority
> dig soa ebalaskas.gr +short
ns14.ebalaskas.gr. ebalaskas.ebalaskas.gr. 2012052408 172800 3600 1209600 86400
• domain: ebalaskas.gr
• TTL: 86400
• Master NS: ns14.ebalaskas.gr.
• Mail: ebalaskas.ebalaskas.gr.
• Serial Number: 2012052408
• Refresh: 172800 (when the slave will try to refresh the zone from the master)
• Retry: 1h (if the slave fails to contact the master)
• Expiry: 2w (the slave removes the zone from memory)
• Minimum: 24h (how long a Non eXistent DOMAIN answer is kept in memory)
19. Serial number
• Integer number
• Must always be greater than the previous value
• We change the serial on every DNS change
• It is the way to notify the slave NS that a change has occurred
• We use the reverse date format + a two-digit change counter (AA)
• eg. 2013/06/20-01 -> 2013062001
20. NOTIFY
• Master NS sends notifies (UDP packets) to all slave NS (the NS RRs in the zone file)
• Slave NS compare their SERIAL with the master’s SERIAL
• If the master’s serial is greater than the slave’s serial, then pull the zone (zone transfer)
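Added example (my code, not part of the workshop slides): parse the `dig soa +short` line from the SOA slide, derive the next serial in the slide's reverse-date + counter convention, and apply the slave's NOTIFY decision. `SOA_SHORT` is a copy of the slide's answer; the function names are mine, and the serial comparison uses RFC 1982 serial arithmetic so a 32-bit wrap-around is still handled.

```python
from datetime import date

# Copy of the slide's `dig soa ebalaskas.gr +short` answer, joined onto one line
SOA_SHORT = ("ns14.ebalaskas.gr. ebalaskas.ebalaskas.gr. 2012052408 "
             "172800 3600 1209600 86400")

FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")


def parse_soa(short):
    """Split dig's +short SOA line into a dict; the five numeric fields become ints."""
    parts = short.split()
    if len(parts) != 7:
        raise ValueError("expected 7 SOA fields, got %d" % len(parts))
    rec = dict(zip(FIELDS, parts))
    for key in FIELDS[2:]:
        rec[key] = int(rec[key])
    return rec


def next_serial(current, today=None):
    """Next serial in the slide's YYYYMMDDnn convention, always greater than `current`.
    `today` is an int like 20130620 (defaults to the real date)."""
    today = today or int(date.today().strftime("%Y%m%d"))
    stamp = today * 100                 # e.g. 2013062000
    if current < stamp:
        return stamp + 1                # first change of the day -> ...01
    # Same day (bump the two-digit counter) or a serial already ahead of today's
    # date: +1 keeps it strictly greater, which is all the slaves care about.
    return current + 1


def slave_should_transfer(master_serial, slave_serial):
    """What a slave decides on NOTIFY: transfer only if the master's serial is
    'greater' in RFC 1982 serial arithmetic (32-bit, wrap-around safe)."""
    diff = (master_serial - slave_serial) % 2 ** 32
    return 0 < diff < 2 ** 31


if __name__ == "__main__":
    soa = parse_soa(SOA_SHORT)
    print("serial", soa["serial"], "refresh", soa["refresh"], "minimum", soa["minimum"])
    print("next serial on 2013-06-20:", next_serial(soa["serial"], 20130620))
```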
21. TTL Time to Live
How many seconds a DNS server (caching/resolver) should:
• remember a record
• wait before asking the master NS again for it
• or keep records from a zone in memory (if expired).
• TTL is the reason we (sometimes) need to flush!
22. dns flushing
A simple method to remove a specific entry or an entire zone from the memory/cache of a resolver name server.
Useful when you don’t want to wait till the TTL expires.
24. ORIGIN
• With origin we refer to the domain that the zone file describes.
• @ is the representative character
• Origin can ONLY be an A record
eg. yellowpagesbusiness.gr
@ IN A 195.170.6.20
www IN CNAME xo.gr.
25. MX
> dig MX gmail.com +short
5 gmail-smtp-in.l.google.com.
10 alt1.gmail-smtp-in.l.google.com.
20 alt2.gmail-smtp-in.l.google.com.
30 alt3.gmail-smtp-in.l.google.com.
40 alt4.gmail-smtp-in.l.google.com.
mx defines the mail servers that receive emails for a domain/email address.
26. A - CNAME
• hostname IN A 1.2.3.4
eg. ebalaskas.gr IN A 158.255.214.14
• hostname IN CNAME fqdn
eg. www IN CNAME ebalaskas.gr.
• A fqdn must always finish with a dot (.), or else it is a reference to another record inside the dns zone
27. Round-robin DNS
An example of DNS round robin (a poor man’s balancing mechanism):
eg. example.com
www IN A 1.2.3.4 (sometimes here!)
www IN A 2.3.4.5 (sometimes there!)
28. CDN: Web hosting
• eg. webhosting on akamai or cloudflare
• They serve a different www (IP) according to the cheapest network route – looks like geolocation!!!
• They don’t serve A records! only CNAMEs to www
• CDN stands for content delivery network
30. TXT
• txt RR are simply TEXT fields.
• max length: 4000 characters
Syntax:
hostname TTL IN TXT “TEXT TEXT TEXT”
So the customers must send us the text inside double quotes (plz don’t fax)
31. TXT
• TXT is the only resource record that can expand to more than one line
syntax:
joe IN TXT ("Located in a black hole"
" somewhere over the rainbow")
Be careful when using custom parsers
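Added example (my code, not from the slides): a small parser for the TXT syntax above that handles the parenthesised multi-line form, the quoted-string requirement, and the 255-byte limit of each character-string on the wire. The two zone snippets are constructed from the slides; function and constant names are mine.

```python
import re

# Constructed zone snippets in the syntax shown on the slides
MULTI_LINE = '''joe IN TXT ("Located in a black hole"
                " somewhere over the rainbow")'''
SPF_LINE = '@ IN TXT "v=spf1 a mx ip4:195.170.6.0/24 -all"'

# A token is a quoted string (with \" and \\ escapes), a parenthesis, or a bare word
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\(|\))|(\S+)')


def parse_txt(record):
    """Parse one TXT record. Returns (owner, [character-strings]).
    Line breaks are only allowed inside ( ... ); each string must fit 255 bytes."""
    owner, strings, depth, saw_txt, prev_end = None, [], 0, False, 0
    for m in TOKEN.finditer(record):
        if depth == 0 and "\n" in record[prev_end:m.start()]:
            raise ValueError("line break outside parentheses ends the record")
        prev_end = m.end()
        quoted, paren, word = m.groups()
        if paren == "(":
            depth += 1
        elif paren == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')'")
        elif quoted is not None:
            if not saw_txt:
                raise ValueError("quoted string before the TXT type")
            text = re.sub(r"\\(.)", r"\1", quoted)      # undo \" and \\ escapes
            if len(text.encode()) > 255:
                raise ValueError("character-string longer than 255 bytes")
            strings.append(text)
        elif owner is None:
            owner = word                                 # first bare word is the owner
        elif word.upper() == "TXT":
            saw_txt = True                               # class/TTL words before it are skipped
        elif saw_txt:
            raise ValueError("unquoted text in TXT data: %r" % word)  # must be in double quotes
    if depth != 0 or not saw_txt:
        raise ValueError("unbalanced parentheses or missing TXT type")
    return owner, strings


if __name__ == "__main__":
    owner, parts = parse_txt(MULTI_LINE)
    print(owner, "->", "".join(parts))
```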
32. Some examples:
• DZC IN TXT "eoMi3Yk"
• @ 3600 IN TXT "MS=ms70870252"
• @ IN TXT "v=spf1 a mx ip4:195.170.6.0/24 -all"
• turbo-smtp._domainkey IN TXT
"k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg
QDT3MWLni6so1q9eQggRYBCLHFjohZkCnYHH8gZNDBm6zR
rodRVpWpJQW7x3cWWiuBhS1X0IfBB80l5tqFa+yc+mVgnk8t
kUzOHFbPQPp4fi7egTpMtsQW/ZMrxw73SItNvPr72qvJTYZNP
xarMx+ULjEWybcfEdXHPY8jslGcpCwIDAQAB"
33. SPF
• Sender Policy Framework
• Mostly Microsoft
• defines the mail servers that can send email for the domain they serve
• The DNS check is done by the receiving mail server
(see last page for reference)
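Added example (my code, not from the slides): the receiver-side SPF check, evaluated against the `v=spf1 a mx ip4:195.170.6.0/24 -all` record from the examples slide. Since this has to run offline, `FAKE_DNS` is a constructed stand-in for the resolver answers (the domain name and the non-195.170.6.0/24 addresses are documentation placeholders), and only the mechanisms on that record plus `ip6` are implemented, not `include`/`redirect`.

```python
import ipaddress

# Constructed stand-in for DNS answers. The SPF string is the one shown on the
# examples slide; the other addresses are RFC 5737 documentation ranges.
FAKE_DNS = {
    ("example.gr", "TXT"): ["v=spf1 a mx ip4:195.170.6.0/24 -all"],
    ("example.gr", "A"): ["192.0.2.10"],
    ("example.gr", "MX"): ["mail.example.gr"],
    ("mail.example.gr", "A"): ["198.51.100.10"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, dns=FAKE_DNS):
    """Resolver stand-in: return the records of `rtype` for `name` (empty if none)."""
    return dns.get((name, rtype), [])


def check_spf(domain, sender_ip, dns=FAKE_DNS):
    """Receiver-side check: does `sender_ip` match the SPF policy `domain` publishes?
    Handles the mechanisms on the slide (a, mx, ip4, all) plus ip6."""
    ip = ipaddress.ip_address(sender_ip)
    records = [t for t in lookup(domain, "TXT", dns) if t.startswith("v=spf1")]
    if len(records) != 1:
        return "none" if not records else "permerror"   # zero or multiple SPF records
    for term in records[0].split()[1:]:
        qual = "+"                                       # default qualifier is '+'
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(arg or domain, "A", dns)
        elif mech == "mx":
            hosts = lookup(arg or domain, "MX", dns)
            matched = any(str(ip) in lookup(h, "A", dns) for h in hosts)
        else:
            return "permerror"                           # include/redirect/exists/ptr not handled
        if matched:
            return QUALIFIERS[qual]                      # first matching mechanism wins
    return "neutral"                                     # nothing matched and no 'all'


if __name__ == "__main__":
    for ip in ("195.170.6.77", "198.51.100.10", "203.0.113.5"):
        print(ip, "->", check_spf("example.gr", ip))
```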
34. DKIM
• In the TXT RR is the public key of the receiver mail server.
• If defined, the sender mail server can encrypt the communication between the two mail servers.
• We can’t convert a customer request from FAX. Plz ask for a text file from the customer. Pretty PLZ!
35. SRV
• Service Resource Record
• Defines a service for a domain and the server that serves this service
• Syntax:
_service._protocol IN SRV PRI WEIGHT PORT record
• Mostly for:
● xmpp communications
● SIP (voip communications)
● web service
● mail service
● ntp service
● etc
(see last page for reference)
36. some examples:
• _http._tcp IN SRV 10 5 80 www.tickethour.gr.
• _autodiscover._tcp IN SRV 10 0 443 mail.yellowpages.gr.
• _ntp._udp IN SRV 10 0 123 creta.logifer.gr.
• _xmpp-server._tcp IN SRV 5 0 5269 xmpp-server.l.google.com.
• _sip._tcp IN SRV 10 0 5061 sip.logifer.gr.
37. PTR
• dig +trace -x 185.4.135.249
• A.IN-ADDR-SERVERS.ARPA (operated by ARIN)
• B.IN-ADDR-SERVERS.ARPA (operated by ICANN)
• C.IN-ADDR-SERVERS.ARPA (operated by AfriNIC)
• D.IN-ADDR-SERVERS.ARPA (operated by LACNIC)
• E.IN-ADDR-SERVERS.ARPA (operated by APNIC)
• F.IN-ADDR-SERVERS.ARPA (operated by RIPE NCC)
38. reverse zone
> dig 135.4.185.in-addr.arpa. +trace
135.4.185.in-addr.arpa. 172800 IN NS dns2.papaki.gr.
135.4.185.in-addr.arpa. 172800 IN NS dns1.papaki.gr.
https://apps.db.ripe.net/search/query.html?searchtext=135.4.185.in-addr.arpa
40. DNS Ports
UDP port 53 (stateless)
TCP port 53 (stateful)
UDP by default; switches to TCP when the message is larger than 512 bytes
41. Zone transfer
• Transfers the zone from the authoritative name server to the slave name servers.
• That makes DNS a distributed service.
• Authoritative name servers MUST open their firewall for both UDP and TCP on port 53.