Intro to DNS

The Domain Name System

Ben Scott

Oct 2007 (Rev B)

About this Presentation

• Some of this may be review
• Pacing can vary
• Questions are good
  • ... but I reserve the right to say, "We'll get to that"
• Credit to:
  • DNS and BIND, by Albitz and Liu, from O'Reilly
  • The ISC (Internet Software Consortitum) and its sponsors

Presentation Structure

1. Boring conceptual stuff
   • Concepts
   • Terminology
   • Nuts and bolts
2. DNS Query Mechanics
   • Tools: host and dig
   • The life and times of a DNS query
3. A working ISC BIND named configuration (time permitting)

Planting trees in a forest

• There are a lot of pieces
• Forward-references are necessary
• It will all eventually come together

What is DNS?

DNS stands for "Domain Name System".

Simply put, given a name, DNS allows you to lookup information about that name.

Given something.example.com, DNS might tell you:

• a network address
• a mail server
• operating system software
• any number of other things

Buzzword = Directory service

Scope

• DNS is a system. It includes:
  • structure
  • data types
  • file formats
  • network protocols
• DNS on the Internet
  • Additional structure, standards, and limits
  • DNS is not just for the Internet
  • This presentation, however, is not

Problems

IP networks use numerical addresses (e.g., 192.0.2.15)

• Not human-friendly
• No structure
• No semantics
• Network-dependent

DNS Gives Us

• Human-friendly names
  • www.example.com
• Structure
  • server.example.com is part of example.com
• Semantics
  • What server handles mail for example.com
• Network-independence
  • www.example.com can change network location

Features of DNS

• Open standard
• Distributed hierarchy
  • Scales very well
  • Fault-tolerant
• Extensible and flexible
  • Types of records
  • Classes of information
  • New classes can be defined
  • New record types can be defined

Names and Records

• Domain names
  • Unique in the namespace
  • The "query" part of a DNS protocol exchange
  • The "key" that is fed to a lookup function
  • Left Hand Side (LHS)
• Resource records (RRs)
  • Associated with a domain name
  • The "response" part of a DNS protocol exchange
  • Every record has a type
  • Multiple records per domain name allowed
  • Right Hand Side (RHS)

Labels and Names

• Domain names are made up of labels
• Labels are separated by dots (periods)
• Example:
  • www.example.com is a domain name
  • It consists of the labels:
    • com
    • example
    • www

Hierarchy - Root Domain

DNS is designed around a hierarchy, or tree structure.

The root domain

• At the top of the tree is the root domain
• The root domain has a null (empty) label
• Written as .

Hierarchy - Child Domains

Child domains

• Each additional label in a domain name is a child domain
• Also called subdomains

• com is a child of .
• example.com is a child of com
• something.example.com is a child of example.com

Name Qualification - Relative Names

Relative Domain Names

• foo.example.com is a subdomain of example.com
• foo is relative to example.com
• If you declare you are working in example.com, you can just say foo

Name Qualification - FQDNs

Fully Qualified Domain Names (FQDNs)

• Specify all the labels, all the way up to the root
• foo.example.com. would be the FQDN for our example
• Notice the trailing dot (.)

Top Level Domains - GTLDs

Global Top Level Domains (GTLDs)

• .com for companies
• .net for network infrastructure
• .org for organizations
• .edu for higher education institutions
• .gov for the US government
• .mil for the US military
• .int for international organizations
• New ones such as .biz and .info

Top Level Domains - ccTLDs

Country Code Top Level Domains (ccTLDs)

• ISO country codes
• .us for United States
• .au for Australia
• .jp for Japan
• .uk for United Kingdom (oops, ISO code is "GB")

Resource Records

Domain names have resource records (RRs) associated with them. Every RR has:

• Class
• Type
• Value
• Time To Live (TTL)

Resource Record Parameters

• Class
  • IN class = Internet
  • Others
• Type
  • The type of data the record describes
  • Short letter designations (A, SOA, etc.)
• Value
  • The actual answer you are looking for
  • Often called the Right Hand Side (RHS)
• Time To Live (TTL)

Some Common Record Types

• A (Address)
• NS (Name Server)
• MX (Mail Exchanger)
• PTR (Pointer)

Listing Resource Records

Full version

;Domain-Name 		TTL	Class	Type	Value

www.example.com.	600	IN	A	192.0.2.15

Listing Resource Records

Full version

;Domain-Name 		TTL	Class	Type	Value

www.example.com.	600	IN	A	192.0.2.15

Abbreviated Version

;Domain-Name 		Type	Value

www.example.com.	A	192.0.2.15

A file listing resource records is called a "zone file". (We'll talk about zones in a little bit.)

A (Address) Records

• Associate an IP address with a domain name
• Multiple addresses may be associated with a domain name
• "Address" does not have to mean "computer"
• www.example.com.     A     192.0.2.15

Syntax Trick - Comments

Comments can be used to document zone files. They are ignored by the software, and do not appear in DNS.

; put a comment here
foo.example.com.   A   192.0.2.58 ; or here

Note that ISC BIND named's configuration file (named.conf) uses different syntax for everything, and comments in particular.

Syntax Trick - Line spanning

very.very.very.very.very.very.very.very.long.example.com.   A   192.0.2.28

Ahh! The record fell off the edge of the screen!

Syntax Trick - Line spanning

very.very.very.very.very.very.very.very.long.example.com.   A   192.0.2.28

Ahh! The record fell off the edge of the screen!

Easy fix:

very.very.very.very.very.very.very.very.long.example.com. (
	A
	192.0.2.28
)

Syntax Trick - Repeating LHS

You can save yourself some typing in your zone files.

Lots of records for the example.com domain ...

example.com.   NS   fred.example.com.
example.com.   NS   barney.example.com.
example.com.   NS   blue.friend.us.
example.com.   MX   10 huey.example.com.
example.com.   A    192.0.2.42

Syntax Trick - Repeating LHS

You can save yourself some typing in your zone files.

Lots of records for the example.com domain ...

example.com.   NS   fred.example.com.
example.com.   NS   barney.example.com.
example.com.   NS   blue.friend.us.
example.com.   MX   10 huey.example.com.
example.com.   A    192.0.2.42

... so let's just list that once

example.com.   NS   fred.example.com.
               NS   barney.example.com.
               NS   blue.friend.us.
               MX   10 huey.example.com.
               A    192.0.2.42

Syntax Trick - Repeating RHS

You can save typing on the RHS, too.

In a domain, everything tends to be about that domain...

example.com.   NS   fred.example.com.
               NS   barney.example.com.
               NS   blue.friend.us.
               MX   10 huey.example.com.
               MX   20 dewey.example.com.

Syntax Trick - Repeating RHS

You can save typing on the RHS, too.

In a domain, everything tends to be about that domain...

example.com.   NS   fred.example.com.
               NS   barney.example.com.
               NS   blue.friend.us.
               MX   10 huey.example.com.
               MX   20 dewey.example.com.

... so you can use relative names

example.com.   NS   fred
               NS   barney
               NS   blue.friend.us.
               MX   10 huey
               MX   20 dewey
               A    192.0.2.42

Name Servers

• DNS protocol is query/response (client/server)
• DNS name servers respond to queries
• Multiple nameservers allowed
  • All such nameservers are peers
  • Clients accept first answer they can get

Distributed Authority

The root servers:

• Authoritative for the root domain
• Named as
  • a.root-servers.net
  • b.root-servers.net
  • ...
  • m.root-servers.net
• Delegate authority for subdomains

Delegation

A nameserver can say, in effect, "This server is responsible for that subdomain". This is called delegation, and is done with the NS record.

In the com. zone:

• example.com.   NS   blue.friend.us.
• For information about example.com., ask the nameserver blue.friend.us.

• Always done with domain names (not IP addresses).
• Note that the authoritative server is not in the delegated domain...

Glue

What if we delegate to a nameserver with a domain name in the child domain? Catch-22?

example.com.         NS    fred.example.com.

Glue

What if we delegate to a nameserver with a domain name in the child domain? Catch-22?

example.com.         NS    fred.example.com.
fred.example.com.    A     192.0.2.5    ; glue record

Note that glue records are not authorative. They only serve to help others find the authorative nameservers for a domain.

Glue is the only time you can list a LHS domain name outside your zone of authority. (What's a zone?)

Zones

A "zone" (zone of authority) is a contiguous part of the namespace for which a given set of nameservers is authoritative.

In other words: A zone is a section of DNS that a nameserver controls.

• Delegating authority creates a new zone of authority.
• The zone begins at the domain name which has been delegated.
• A zone ends where an NS record delegates authority to another nameserver (which then begins its own zone).
• Zones always begin/end at label level boundaries, but may contain multiple levels of labels.

Zones (diagram)

DNS delegation and zones diagram

SOA Records

A new zone is designated with an SOA (Start Of Authority) record.

• Designates an SOA nameserver
• Gives a contact email address
• Specifies DNS protocol parameters

Example SOA Record

example.com.   SOA   fred.example.com.   jsmith.example.com. (
   12345   ; serial number
   1h      ; refresh - how often peer NSs check for updates
   10m     ; retry - if refresh fails, how often to try again
   1w      ; expiration - how long before peer NSs stop giving out old data
   1d      ; TTL - how long other NSs cache our answers
   )

MX (Mail Exchanger) Records

example.com.   MX   10   huey.example.com.
               MX   20   dewey.example.com.
               MX   20   louie.example.com.

Deliver anything@example.com to huey first. If huey is down, try dewey and/or louie.

Alias (CNAME) Records

CNAME = Canonical Name

www.example.com.    CNAME    donald.example.com.

CNAME is an alias for the LHS domain, not the RHS value. So you cannot do this:

example.com.     MX       10 huey.example.com.
example.com.     CNAME    www.example.net.

A complete example

example.com.   SOA   (
     fred.example.com.
     jsmith.example.com.
     12345 1h 10m 1w 1d )
; nameservers
         NS      fred
         NS      blue.friend.us.
fred     A       192.0.2.5
; mail exchangers
         MX      10 huey
         MX      20 green.friend.us.
huey     A       192.0.2.7
; web server
www      CNAME   donald
donald   A       192.0.2.6
; subdomain for overseas division
asia          NS     ghost.asia
asia          NS     shell.asia
ghost.asia    A      192.0.2.215 ; glue
shell.asia    A      192.0.2.216 ; glue

DNS Query Mechanics

What actually happens to process DNS queries

Tools

• host - Human-friendly (when things are working)
• dig - Technical details (scriping; investigation)
• nslookup - Original; deprecated

The Life and Times of a DNS Query

What actually happens when you type

http://www.example.com/files/mswinsrc.tgz

into your web browser?

Establish Domain Name

http://www.example.com/files/mswinsrc.tgz is not a domain name. The browser parses the URL. It will extract www.example.com as the domain name. It then asks the question, "What is the address of www.example.com?"

The Resolver

• Answering a DNS question is called "name resolution"
• The program code which does this is called the "resolver"
• So the web browser passes www.example.com to the resolver

The Resolver on Linux

• Stub resolver
  • Part of the standard system library (libresolv)
  • Simply constructs a DNS query and sends it to a configured nameserver
  • Hands off the problem to other software - recursive query
• The nameserver is responsible for finding the answer
  • Resolving name server, AKA full service resolver
  • Does all the work to find the answer - multiple iterations - iterative query
  • Could be on the local computer, LAN server, or at the ISP
  • Examples: ISC BIND named; DJB's dnscache

Resolver Configuration

File /etc/resolv.conf configures the resolver. In our example:

nameserver 192.0.2.205
search asia.example.com example.com

The resolver is responsible for turning an unqualified name like whatever into a FQDN like whatever.example.com.

Back to our query

So, our resolver builds a query which asks for the A records associated with www.example.com. It sends that query to the configured resolving nameserver at 192.0.2.205.

Let us call our resolving nameserver SPIRIT.

Iterative Resolution

• SPIRIT receives the query
  • It finds it is not authoritative for the domain of the query
  • It contacts a root nameserver and asks for the answer

Iterative Resolution

• The root nameserver replies with a delegation
  • NS records for servers authoritative for com
  • a.gtld-servers.net through m.gtld-servers.net
  • A records (glue) for all those servers

Iterative Resolution

• SPIRIT sends the query to one of those nameservers
  • The GTLD nameserver replies with a delegation
  • NS records for servers authoritative for example.com
  • fred.example.com and blue.friend.us
  • A record (glue) for fred.example.com
  • No glue for blue.friend.us

Iterative Resolution

• SPIRIT sends the query to one of those nameservers
  • Those nameservers are authoritative
  • They respond with an answer
  • www.example.com is a CNAME for donald.example.com.

Iterative Resolution

• SPIRIT now has an answer -- a CNAME (alias)
  • But it was asked for a A records (addresses)
  • So now it has to lookup donald.example.com.

Cached Answers

• Fortunately, SPIRIT remembers the authoritative servers for example.com
  • It asks one of them for the A records for donald.example.com
  • It receives an answer with an A record of 192.0.2.6
• SPIRIT now knows the answer
  • SPIRIT sends the answer back to the client's stub resolver
• The stub resolver passes the address back to the web browser
  • The web browser opens a connection to 192.0.2.6
• The TTL (Time To Live) controls how long records are cached by SPIRIT

End of slides