© 2009 IBM Corporation
IBM Collaboration Solutions
What You Need to Know:
Domain Name System (DNS)
Wes Morgan
WW ICS SWAT
wes_morgan@us.ibm.com
© 2012 IBM Corporation
November 8, 2016
Directory Assistance for TCP/IP Networks
● Humans don't “do” numerical addresses
● We like names
● More to the point, we like organized names
● DNS organizes hosts into domains, which it calls zones
● DNS can also organize/advertise services
● Zones may host other zones (aka “subdomains”)
● There is only ONE authoritative source for each zone
● DNS establishes a hierarchy of zones under a “root” zone
Doing a “DNS lookup” simply means that we travel up, down,
and/or across the hierarchy until we find the information we
need
DNS Zones and Individual Hosts
[Diagram: the zone hierarchy from the root zone through the Top-Level Domains (TLDs) .com, .org, .jp, .edu and .us, the .ny.us, .ca.us and .ky.us zones, the .bg.ky.us, .lou.ky.us and lex.ky.us zones, down to the individual hosts flamtap, ruff, longroll and booga; flamtap.lex.ky.us is labelled as a Fully Qualified Domain Name (FQDN)]
It's All About Resources...
● EVERYTHING in DNS is a resource
● DNS provides resource records (RRs) in response to queries
● So, a big part of “configuring DNS” is setting up RRs
correctly
● As DNS has grown, so has the number of RRs supported
● We'll only touch upon the RRs we most frequently
encounter:
● SOA – Start of Authority
● NS – Name Server
● A – Address (IPv4)
● AAAA – Address (IPv6)
● CNAME – Canonical Name
● MX – Mail eXchanger
● SRV – Service
● PTR – Pointer
SOA – Respect My Authority!
● Remember, there can be only one authority for each zone
● However, customers may have separate internal/external
zones with the same name (aka “split horizon” DNS) with
different authoritative name servers AND DIFFERENT DATA!
● The Start of Authority (SOA) record includes
● The authoritative server for the zone (aka “origin” or “primary
name server”)
● The email address of the responsible party (written with a dot in place of the @)
● Other information used by secondary DNS servers in the
zone
SOA Examples
[Screenshots: SOA records for ibm.com (external) and ibm.com (internal)]
NS Records – Nameservers
● NS records simply list all nameservers for a given zone
● This does NOT mean that all of them are up and running!
● Clients may send queries to any listed nameserver
A & AAAA Records – Give Me An IP Address!
● Almost all DNS queries lead to an actual Address (A/AAAA)
record
● A records provide an IPv4 address, while AAAA records provide an IPv6 address
A & AAAA Records – There Might Be More Than One!
● Multiple Address records may be provided for a single name
● Usually indicates a clustered server environment
● Address records are not prioritized; multiple Address records are
returned in rotating order (aka “round-robin”)
● Clients will attempt to reach addresses in the order provided
[Screenshot: two consecutive queries for the same name; note the different order of the Address records in the two responses]
CNAME – What's the REAL Name?
● End users like easy-to-remember names, but admins have to deal
with real system names
● Canonical Name (CNAME) records specify the “real name” of
the system queried
● In other words, they let us create aliases
● CNAME records can reference other CNAMEs (i.e. an alias
pointing to another alias)
● You may see this in queries whose responses change
according to geography (e.g. cloud resources)
CNAME – Chained Example
● Multiple levels of CNAMEs usually indicate dynamic DNS
● May indicate geographic DNS
● Often seen with Akamai and other content delivery networks
● When you see this, have affected users do queries too!
● They may be sent to different destinations!
MX Records – Where Can I Deliver Email to You?
● Mail eXchanger (MX) records list the email server(s) for the zone
● Multiple systems can be designated as mail exchangers
● MX records are prioritized (usually in increments of 10)
● Clients will try to use the highest-priority (lowest-numbered)
host first
SPF – Who Can Deliver Mail for Me?
● Sender Policy Framework (SPF) uses TeXT records (TXT) to
specify what hosts can deliver mail on behalf of a given domain
● SPF is used in mail security – if the SPF check fails, the delivery attempt is rejected
● Example of leveraging DNS for application-layer information
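How a receiving mail server turns that TXT record into a verdict, as an added example that is not part of the deck: the zone names, TXT data and sending addresses below are constructed, the lookup table stands in for real DNS so it runs offline, and only the ip4/ip6/include/all mechanisms are handled.

```python
import ipaddress

# Constructed TXT data for hypothetical zones (not real DNS records).
TXT = {
    "example.test": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all"],
    "_spf.mailer.test": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_record(domain):
    """Return the domain's single SPF TXT record, or None if absent/ambiguous."""
    recs = [t for t in TXT.get(domain, []) if t.startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None

def check_spf(domain, sender_ip, depth=0):
    """Evaluate domain's SPF policy for sender_ip. Returns pass, fail,
    softfail, neutral, none or permerror. Handles ip4, ip6, include and
    all; the a/mx/ptr mechanisms and macros are left out for brevity."""
    if depth > 10:                    # RFC 7208 caps include recursion
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:   # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mechanism == "include":
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            matched = False           # unsupported mechanism: no match
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                  # no mechanism matched
```

Note that a `~all` (softfail) policy, as in the included record, does not by itself reject the message; the receiver decides what to do with each verdict.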
SRV Records – Services of All Sorts
● Service (SRV) records announce specific services via DNS
● General format is _service._protocol.dnsdomainname
● Heavily used in Active Directory environments
_ldap._tcp.<DNSdomainName> – LDAP server for the DNS domain
_ldap._tcp.pdc._msdcs.<DNSdomainName> – Primary DC
_kerberos._tcp.dc._msdcs.<DNSdomainName> – Kerberos DC
● Also seen in SIP and XMPP environments
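An SRV record carries more than a name: priority, weight, port and target. This added example (not from the deck) goes a step beyond the slide and orders a constructed `_ldap._tcp` record set for a hypothetical AD domain the way an RFC 2782 client tries them.

```python
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed SRV set for _ldap._tcp.corp.test (a hypothetical AD domain).
LDAP_SRV = [
    SRV(0, 100, 389, "dc1.corp.test."),
    SRV(0, 100, 389, "dc2.corp.test."),
    SRV(0, 0, 389, "dc3.corp.test."),          # weight 0: picked only as a last resort
    SRV(10, 50, 389, "dc-backup.corp.test."),  # higher number = lower priority
]

def order_srv(records, rng=None):
    """Order SRV records the way a client should try them (RFC 2782):
    ascending priority first; within one priority, repeated weighted
    random draws, with weight-0 entries placed first so they are
    selected only when the draw is 0."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)   # weight 0 sorts first
        while group:
            draw = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for r in group:
                running += r.weight
                if running >= draw:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered
```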
PTR Records – I Have the Number, I Want the NAME!
● Pointer (PTR) records associate numbers back to names
● Commonly called “reverse DNS”
● Reverses the IP address & uses a pseudo-domain of “in-addr.arpa”
● Many mail security systems require valid reverse DNS before
accepting email from a given host
● Not generally required, but can be useful
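The reverse-name construction and the check mail systems actually apply (forward-confirmed reverse DNS), as an added example that is not part of the deck; it also covers the ip6.arpa form for IPv6, which the slide does not mention. All hosts, addresses and records below are constructed, and the dictionaries stand in for real lookups.

```python
import ipaddress

def reverse_name(ip_text):
    """Build the PTR query name by hand: IPv4 octets reversed under
    in-addr.arpa, IPv6 nibbles (of the fully expanded address) reversed
    under ip6.arpa."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

# Constructed forward and reverse data for a hypothetical mail host
# (keys are built with reverse_name so the ip6.arpa name is not hand-typed).
PTR = {
    reverse_name("192.0.2.25"): ["mail.example.test."],
    reverse_name("192.0.2.26"): ["mail.example.test."],  # PTR set, but no A points back
    reverse_name("2001:db8::25"): ["mail6.example.test."],
}
A_AAAA = {
    "mail.example.test.": ["192.0.2.25"],
    "mail6.example.test.": ["2001:db8::25"],
}

def fcrdns(ip_text):
    """Forward-confirmed reverse DNS, the check many mail filters apply:
    the PTR target must itself have an A/AAAA record that resolves back
    to the connecting address. Returns (ok, hostname_or_None)."""
    ip = ipaddress.ip_address(ip_text)
    for host in PTR.get(reverse_name(ip_text), []):
        forward = [ipaddress.ip_address(a) for a in A_AAAA.get(host, [])]
        if ip in forward:
            return True, host
    return False, None
```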
So, What Actually Happens When I Send a Query to DNS?
● Most DNS servers are recursive
● They will follow the trail until they have your answer
● Your client doesn't do the legwork
● Almost all DNS servers cache responses
● Cache lifetime (aka time-to-live or TTL) of each RR is set by its
authoritative server (in seconds)
● So, you give a command like “ping -c 2 www.facebook.com” and it
executes against an IP address, like so:
[Screenshot: ping output resolving www.facebook.com to 157.240.2.35]
...but how did DNS get me from 'www.facebook.com' to 157.240.2.35?
Behind the Scenes on the DNS Server
● Assuming that no cached information was available, the DNS
server took your query for 'www.facebook.com' and started
working backwards
● It went to the root zone nameservers and asked for .com NS
● It went to a .com name server and asked about facebook.com NS
● It went to a .facebook.com name server and asked about
www.facebook.com
● It got a CNAME RR in response, so it had to ask a .facebook.com
nameserver about the canonical name
● It had valid cached info for .com and .facebook.com, so it didn't
have to repeat those queries
● It finally received an A record, which it returned to your client
If you want to see what this process looks like for any FQDN,
check out http://simpledns.com/lookup-dg.aspx
(It's a good thing that we have caching servers and TTLs, huh?)
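The walk above, and the CNAME chains from the earlier slides, as an added toy simulation that is not part of the deck: a constructed root → com → example.com delegation (hypothetical names and addresses), referrals followed down from the root, a two-level CNAME chain chased to its A record, and every RR and referral cached for its TTL so a repeat query never leaves the cache.

```python
import time

# Constructed zone data for a hypothetical delegation chain (not real DNS):
# each server knows only its own zone. Records are (type, ttl_seconds, rdata).
ZONES = {
    ".": {"com.": [("NS", 172800, "a.gtld.test.")]},
    "com.": {"example.com.": [("NS", 172800, "ns1.example.com.")]},
    "example.com.": {
        "www.example.com.": [("CNAME", 300, "edge.cdn.example.com.")],
        "edge.cdn.example.com.": [("CNAME", 60, "node7.cdn.example.com.")],
        "node7.cdn.example.com.": [("A", 30, "192.0.2.10")],
    },
}
class Resolver:
    """Toy iterative resolver: follows referrals from the root, chases
    CNAME chains, and caches every RR (and each referral) for its TTL."""
    def __init__(self, zones=ZONES, clock=time.time):
        self.zones, self.clock = zones, clock
        self.cache = {}   # (name, type) -> (expires_at, rdata)
        self.trace = []   # zones whose servers were actually queried
    def _cached(self, name, rtype):
        expires, rdata = self.cache.get((name, rtype), (0, None))
        return rdata if expires > self.clock() else None   # honour the TTL
    def _parents(self, name):   # enclosing domains, most specific first
        labels = name.split(".")
        return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    def _ask(self, zone, name):
        """Answer from this zone, or a referral to a delegated child zone."""
        self.trace.append(zone)
        data = self.zones[zone]
        if name in data:
            return "answer", data[name]
        for child in self._parents(name):
            if child in data and data[child][0][0] == "NS":
                _, ttl, ns = data[child][0]
                self.cache[(child, "NS")] = (self.clock() + ttl, ns)
                return "referral", child
        return "nxdomain", None
    def resolve(self, name, rtype="A", hops=0):
        if hops > 8:   # guard against CNAME loops
            raise RuntimeError("CNAME chain too long at " + name)
        hit = self._cached(name, rtype)
        if hit:
            return hit
        alias = self._cached(name, "CNAME")
        if alias:
            return self.resolve(alias, rtype, hops + 1)
        # Start at the deepest zone whose NS is still cached, else at the root.
        zone = next((z for z in self._parents(name) if self._cached(z, "NS")), ".")
        kind, payload = self._ask(zone, name)
        while kind == "referral":
            kind, payload = self._ask(payload, name)
        if kind != "answer":
            return None
        for rr_type, ttl, rdata in payload:
            self.cache[(name, rr_type)] = (self.clock() + ttl, rdata)
            if rr_type == rtype:
                return rdata
            if rr_type == "CNAME":
                return self.resolve(rdata, rtype, hops + 1)
```

`Resolver().trace` after one lookup lists which zones' servers were asked; running the same lookup twice shows the second answered entirely from cache until the 30-second A record expires.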
A Food-for-Thought Exercise
Easing the Burden – Forwarding DNS Servers
● Going all the way to the root zone for every query would be
prohibitively slow/costly and consume significant resources
● Use of forwarding servers spreads the work
● Forwarding DNS servers are NOT recursive; they pass queries
for which they have no answers cached to the “next server up”
● As queries and responses are sent up and down the line, each
server caches the responses (according to its TTL)
● Clients do not know if forwarding servers are used
● Responses might reflect the perspective of the server the query was forwarded to!
● Most ISPs offer forwarding DNS services, but don't require
customers to use them
[Diagram: forwarding servers dns.ap.company1.com, dns.na.company1.com and dns.eu.company1.com passing queries toward the Internet]
Troubleshooting Connectivity? ALWAYS Check DNS!
● If DNS is wrong, NOTHING will work!
● Do NOT trust, use, or recommend “hosts files”
● “Hosts files” supplant DNS – DNS won't be queried if the
“hosts file” has a matching entry
● Many customer issues are caused by outdated hosts file entries
● Don't use IP addresses in configurations – use FQDNs!
● FQDNs in configuration + working DNS survive
server/address changes
● Use of VPN may change DNS servers!
● Presence of round-robin DNS = no load balancers in use
● Single A record for FQDN of a cluster = load balancer in use
● Different answers internal/external may indicate split horizon
DNS or (with cloud) content delivery networks (e.g. Akamai)
● Other names might be yielding different answers, too!
● Different answers within an enterprise may indicate Global
Load Balancing (GLB) in use
● Using tcpdump/Wireshark? DNS query/response is udp/53,
server/server (zone transfer) is tcp/53
DNS Tools
● nslookup – built-in tool for Windows, Macintosh, AIX, Linux
● Uses system's DNS server as default
● Use “server A.B.C.D” to send queries to specific DNS server
● Use “set type=<RR type>” to query specific records
● Use “set type=ANY” to see all records associated with name
● dig – part of the BIND reference implementation of DNS
● Open-source package from Internet Systems Consortium
● BIND is (by FAR) the most widely used DNS server
● Built-in for Macintosh and many Linux distributions
● https://www.isc.org/downloads/bind/ for Windows binaries
and Linux source code
● Windows: install “Tools Only” unless you want to run your
own DNS server
● Allows quick command-line queries, e.g. “dig ns google.com”
● Allows “any” keyword to see all records, e.g. “dig any ibm.com”
Closing Exercise – What Do You See?
Questions & Answers
