DNS Basics - PowerPoint PPT Presentation

Provided by: nwo3
Transcript and Presenter's Notes


1
DNS Basics Configuration
  • Understanding DNS, Configuration and Management

2
Overview
  • Understanding Name Resolution
  • Basic Configuration
  • Caching Forwarding Services
  • Logging
  • Authoritative Servers and Zones
  • Monitoring and Debugging
  • Real World Considerations
  • Providing reliable service to many clients
  • Inside vs. Outside Servers
  • Windows 2000 in your network

3
Terminology
4
Understanding Name Resolution
  • Client (stub resolver) asks its configured DNS
    server a question (recursive query)
  • DNS Server
    • Checks cache for answer
    • Goes and looks for the answer
      • Starts at a root server
      • Queries each server in the delegation chain
        until the answer is found
      • These queries are non-recursive (iterative)
    • Answers are stored in cache, including
      delegations
  • Server learns about the world as it runs
    • Subsequent queries for the same TLD do not start
      at the root servers
    • e.g. the server learns the TLD servers for .org
      during the search for nwoca.org, so it does not
      need to query the roots when looking for sparcc.org.

5
Simple Resolution Case
6
Managing the NAMED service
  • REPLY/ENABLE=NETWORK
    - Necessary to see NAMED OPCOM errors
  • MULTINET NETCONTROL DOMAIN RESTART
    - Complete restart (reloads NAMED.CONF)
  • MULTINET NETCONTROL DOMAIN RELOAD
    - Reloads zone files; slaves check the master
      for a new zone
  • MULTINET NETCONTROL DOMAIN STOP
  • MULTINET NETCONTROL DOMAIN START
    - Stops and starts the server
    - The NAMED service also starts/restarts with the
      MULTINET master server (@MULTINET:START_MULTINET)

7
Basic Configuration: BIND 8
  • NAMED.CONF: config (boot) file
  • Same on all BIND platforms
  • See http://www2.oecn.k12.oh.us/www/binddoc/
  • Defines
  • Options
  • Forwarding
  • Security
  • Dynamic updates
  • DNS Notification (of master zone updates to
    slaves)
  • Logging
  • Authoritative zones (master and slave zones)

8
Caching/Forwarding Servers
  • All name servers must do caching
  • Caching-Only servers
  • Answers queries for clients (other servers or
    stub-resolvers)
  • But are not authoritative for any zones
  • Use forwarders
  • To build a central cache on one or more machines
  • Forward building/district-level servers to the
    DAS-level servers
  • Use forward only for servers that cannot query
    roots
  • Because blocked in firewall
  • Because they must get answers from an inside server

9
Sample Options: Forward-Only Server
options {
    directory "zones";
    notify no;
    forwarders { 156.63.148.6; };
    forward only;
};
10
BIND 8 Logging
  • Important to know what the server is doing,
    especially when having trouble
  • BIND 8 logging
  • Very chatty but flexible
  • Allows fine control over type and severity of
    messages logged
  • Allows control of where messages are logged

11
Logging Basics
  • Channels
  • Determines
  • Where messages are logged (OPCOM, text file,
    syslog)
  • Severity of messages (critical, fatal, warning,
    notice, info)
  • What is printed (category, severity, date/time)
  • Category
  • Categories of messages
  • panic, config, queries, security, and many more
  • default category applies channel to any
    categories not specifically assigned a channel
  • Each category can be assigned to one or more
    channels

12
Sample Logging - Channels
logging {
    channel opcom_notice {
        syslog daemon;
        severity notice;
        print-category yes;
        print-severity yes;
    };
    channel opcom_info {
        syslog daemon;
        severity info;
        print-category yes;
        print-severity yes;
    };
    channel named_log {
        file "zones:named.log" versions 5 size 100K;
        severity info;
        print-category yes;
        print-severity yes;
    };
    channel query_log {
        file "zones:query.log" versions 5 size 100K;
        severity notice;
    };
    /* category statements follow on the next slide */
};
13
Sample Logging - Categories
logging {
    /* channel definitions: see the previous slide */
    category default { opcom_info; };
    category config { opcom_info; named_log; };
    category notify { opcom_info; named_log; };
    category os { opcom_info; named_log; };
    category panic { opcom_info; named_log; };
    category parser { opcom_info; named_log; };
    category statistics { opcom_notice; named_log; };
    category xfer-in { opcom_info; named_log; };
    category xfer-out { opcom_info; named_log; };
    category queries { query_log; };
    category load { opcom_notice; };
    category lame-servers { null; };
};
14
Monitoring and Debugging
  • Use log files
  • Watch for errors (memory, crashes)
  • Watch statistics
  • Test with NSLOOKUP or DIG
  • Confirm performance
  • Play name server to trace delegations
  • Compare inside and outside answers
  • DIG shows when entry will expire from cache

15
Sample DIG output
$ multinet dig nwoca.org.

; <<>> DiG 8.3 <<>> NWOCA.ORG.
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;      NWOCA.ORG, type = A, class = IN

;; ANSWER SECTION:
NWOCA.ORG.              20m36s IN A     156.63.148.12

;; AUTHORITY SECTION:
NWOCA.ORG.              9h10m24s IN NS  ns1.esu.k12.oh.us.
NWOCA.ORG.              9h10m24s IN NS  ns4.esu.k12.oh.us.

;; ADDITIONAL SECTION:
ns1.esu.k12.oh.us.      5h15m31s IN A   156.63.1.26
ns4.esu.k12.oh.us.      1h6m18s IN A    198.234.34.82

;; Total query time: 7 msec
;; FROM: nwoca.org to SERVER: default -- 127.0.0.1
;; WHEN: Sun May  5 19:20:58 2002
16
Play the Name Server Game: Chase the Delegation
$ MULTINET NSLOOKUP
> set norecurse
> root
Default Server:  A.ROOT-SERVERS.NET
Address:  198.41.0.4
> nwoca.org.
Server:  A.ROOT-SERVERS.NET
Address:  198.41.0.4
Name:    nwoca.org
Served by:
- A.GTLD-SERVERS.NET (192.5.6.30)
          org
> lserver a.gtld-servers.net
Default Server:  a.gtld-servers.net
Address:  192.5.6.30
> nwoca.org.
Server:  a.gtld-servers.net
Address:  192.5.6.30
Name:    nwoca.org
Served by:
- NS1.ESU.K12.OH.US ()
          nwoca.org
- NS4.ESU.K12.OH.US ()
          nwoca.org
> lserver ns1.esu.k12.oh.us
Default Server:  ns1.esu.k12.oh.us
Address:  156.63.1.26
> nwoca.org.
Server:  ns1.esu.k12.oh.us
Address:  156.63.1.26
Name:    nwoca.org
Address:  156.63.148.12
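As an added example (not from the slides), the Python model below ties the resolution walk of slide 4 to the delegation chase just shown: a caching server starts from root hints, follows referrals, remembers each delegation it learns, and so never returns to the root for a second name under .org. The delegation tree, the gTLD/sparcc.org server names and the sparcc.org address are constructed for this example; only the nwoca.org servers and address come from the page.

```python
# Added example (not from the slides): a toy model of the iterative walk a
# recursive server makes, with a cache of learned delegations, to show why a
# second lookup under .org never returns to the root servers.
# The delegation tree, server names and sparcc.org data are constructed here.
ZONES = {  # zone -> the server authoritative for it and what it hands out
    ".":           {"ns": "a.root-servers.net", "children": ["org."]},
    "org.":        {"ns": "a.gtld-servers.net", "children": ["nwoca.org.", "sparcc.org."]},
    "nwoca.org.":  {"ns": "ns1.esu.k12.oh.us", "a": {"nwoca.org.": "156.63.148.12"}},
    "sparcc.org.": {"ns": "ns.sparcc.example", "a": {"sparcc.org.": "192.0.2.10"}},  # constructed
}

def suffixes(name):
    """All enclosing zone names of `name`, longest first, ending with the root."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]

def ask(zone, name):
    """A non-recursive query to the server for `zone`: final answer, referral, or nothing."""
    z = ZONES[zone]
    if name in z.get("a", {}):
        return "answer", z["a"][name]
    for child in z.get("children", []):
        if child in suffixes(name):
            return "referral", child          # "go ask the servers for this sub-zone"
    return "nxdomain", None

class CachingServer:
    def __init__(self):
        self.delegations = {".": ZONES["."]["ns"]}   # root hints are all it knows at start
        self.answers = {}
        self.queries = []                            # every server asked, in order

    def resolve(self, name):
        if name in self.answers:                     # cache hit: no query at all
            return self.answers[name]
        zone = next(z for z in suffixes(name) if z in self.delegations)  # closest known delegation
        while True:
            self.queries.append(self.delegations[zone])
            kind, data = ask(zone, name)
            if kind != "referral":
                if kind == "answer":
                    self.answers[name] = data
                return data
            self.delegations[data] = ZONES[data]["ns"]  # cache the delegation (NS + glue)
            zone = data

def root_queries(server):
    """How many times the server had to go back to the root."""
    return server.queries.count(ZONES["."]["ns"])
```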

17
Authoritative Servers
  • Servers with zone configured as Master/Slave
  • Will answer queries authoritatively for such
    zones
  • Never queries another server for zone
  • Has no relationship with outside world
  • Any server can declare itself authoritative for a
    zone
  • E.g. inside servers declare themselves
    authoritative
  • Master
  • Primary server where the zone file is maintained
  • May notify slaves of changes (DNS NOTIFY)
  • Slave
  • Secondary server. Zone is copied automatically
    from the master
  • Schedule determined by SOA record or DNS NOTIFY

18
Sample Zone Configuration
On Master Server:
zone "hicksville.k12.oh.us" in {
    type master;
    file "dns.hicksville_k12_oh_us_zone";
};
On Slave Server:
zone "hicksville.k12.oh.us" in {
    type slave;
    masters { 156.63.148.9; };
    file "hicksville_k12_oh_us.DNS";
};
19
Zone Files
  • Contains resource records (RRs) for zone
  • Zone != Domain
  • Zone: administrative point for a domain and its
    sub-domains, starting at a given domain (dot)
  • A domain exists at every dot, but many may be
    within a single zone file
  • All zones begin with a single SOA (Start Of
    Authority)
  • Defines administrative contact, serial number
    and zone transfer schedule

20
Inverse Zones
  • Translate IP addresses to names
  • IP addresses are not a natural fit for DNS
  • DNS is more significant on the right
  • IP is more significant on the left
  • So, in DNS, IP addresses are specified in reverse
    order
  • 156.64.148.12 12.64.148.156
  • All inverse zones are under .in-addr.arpa
  • in-addr.arpa is a special TLD: IPs are
    delegated from a different authority than domains
  • Inverse zones can only be on dot (byte)
    boundaries, no netmasks
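The reversal rule and the byte-boundary caveat from this slide, as an added Python example (not from the presentation): it builds PTR owner names and inverse zone names, refuses a network that does not sit on an octet boundary, and emits the relative PTR lines for a small host map. The host map is constructed; the only real address is the page's 156.63.148.12.

```python
# Added example (not from the slides): in-addr.arpa names the way the slide
# describes them (octets reversed, most significant on the right), and a check
# that an inverse zone falls on an octet boundary. The host map is constructed.
import ipaddress

def ptr_name(ip):
    """Owner name of the PTR record for one IPv4 address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def inverse_zone(network):
    """Name of the inverse zone covering `network`. Classic (BIND 8) inverse zones
    exist only at /8, /16 and /24; anything else needs a different scheme (RFC 2317)."""
    net = ipaddress.IPv4Network(network)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{network}: inverse zones must be on octet boundaries")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa."

def ptr_records(network, hosts):
    """Zone-file lines for the inverse zone of `network`, relative to that zone.
    `hosts` maps IP address -> canonical host name (constructed sample data)."""
    zone = inverse_zone(network)
    lines = []
    for ip, host in sorted(hosts.items(), key=lambda kv: ipaddress.IPv4Address(kv[0])):
        full = ptr_name(ip)
        if not full.endswith("." + zone):
            raise ValueError(f"{ip} is outside {network}")
        label = full[: -len(zone) - 1]          # the part of the name inside the zone
        lines.append(f"{label:<8}IN PTR {host}")
    return lines
```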

21
Basics of RRs
  • SOA: Start of Authority
  • A: official host name to IP address
  • Each IP should have exactly one A RR
  • But one name may have multiple IPs
  • CNAME: canonical name (name to name)
  • CNAMEs point to an A RR, not another CNAME
  • MX: list of mail servers and preferences
  • PTR: address to name (inverse zone only)
  • General rules
  • Right side of an RR is always an IP address or an A
    RR (hostname), never a CNAME
  • A RR should match the host name of the system, as
    configured in the IP stack
  • In the real world these rules get broken; most name
    servers tolerate violations

22
Sample Zone File
; HICKSVILLE.K12.OH.US Zone
$TTL 1d                 ; Default TTL (time other servers can cache records)
@          IN SOA ns1.esu.k12.oh.us. hostmaster.esu.k12.oh.us. (
                        20020505    ; Serial number
                        24h         ; refresh
                        6h          ; retry
                        2w          ; expire
                        1h )        ; TTL for negative responses
           IN MX 10 nwoca.org.
           IN MX 20 nwoca0.nwoca.org.
           IN NS ns1.esu.k12.oh.us.
           IN NS ns4.esu.k12.oh.us.
           IN NS ns1.oar.net.
webserver  IN A     156.63.149.26
           IN MX 10 nwoca.org.
           IN MX 20 nwoca0.nwoca.org.
www        IN CNAME webserver
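To make the RR rules from the "Basics of RRs" slide checkable, here is an added Python example (not from the slides or OECN's tooling) that reads a simplified zone in the format above and flags violations: a CNAME pointing at another CNAME, an MX or NS whose target is a CNAME, and an IP with more than one A record. The zone text is constructed from the sample, with two bad records (www2 and mail) added on purpose.

```python
# Added example (not from the slides): a minimal zone-file reader plus checks for
# the RR rules on the "Basics of RRs" slide. The zone text is constructed from
# the sample zone, with two deliberately bad records (www2, mail) appended.
ZONE = """\
$TTL 1d
@          IN SOA ns1.esu.k12.oh.us. hostmaster.esu.k12.oh.us. (
                20020505 24h 6h 2w 1h )
           IN MX 10 nwoca.org.
           IN NS ns1.esu.k12.oh.us.
webserver  IN A  156.63.149.26
           IN MX 10 nwoca.org.
www        IN CNAME webserver
www2       IN CNAME www
mail       IN MX 10 www
"""

def parse_zone(text):
    """(owner, type, rdata-fields) triples; a leading-blank line inherits the owner."""
    records, owner, skipping = [], None, False
    for line in text.splitlines():
        if skipping:                                  # inside the SOA's ( ... ) block
            skipping = ")" not in line
            continue
        if not line.strip() or line.startswith("$"):  # blank line or $TTL directive
            continue
        fields = line.split()
        if line[0] not in " \t":
            owner, fields = fields[0], fields[1:]
        records.append((owner, fields[1], fields[2:]))   # fields[0] is the class, IN
        skipping = "(" in line and ")" not in line
    return records

def check_zone(records):
    """Apply the slide's rules and return a list of violations (empty when clean)."""
    types = {}
    for owner, rtype, _ in records:
        types.setdefault(owner, set()).add(rtype)
    problems, a_owner = [], {}
    for owner, rtype, rdata in records:
        target = rdata[-1]                    # the name or address on the right-hand side
        if rtype == "CNAME" and "CNAME" in types.get(target, ()):
            problems.append(f"{owner}: CNAME points at another CNAME ({target})")
        elif rtype in ("MX", "NS") and "CNAME" in types.get(target, ()):
            problems.append(f"{owner}: {rtype} target {target} is a CNAME")
        elif rtype == "A":
            if target in a_owner:
                problems.append(f"{target}: A record for both {a_owner[target]} and {owner}")
            a_owner[target] = owner
    return problems
```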
23
Zone files and Transfers
  • Slave server will
  • Check for a new zone every refresh period
  • If the serial number on the master is > the slave's,
    the zone is transferred
  • If the master is not available, will try again every
    retry period
  • If the master is still not available after expire,
    the zone is disabled
  • Important: the serial number must be updated when
    RRs change, or the slave will never update

24
TTL (Time To Live)
  • Each record has a TTL
  • Defaults to the $TTL directive
  • Determines how long a server is permitted to
    cache a given record
  • Time to propagate to the world:
    SOA Refresh + TTL
  • If planning changes to a zone, lower Refresh and
    TTL at least (Refresh + TTL) before the change
  • Trade-off between performance and convenience
  • Frequently changing zones should have lower
    refresh/TTL
  • Individual records may have a lower TTL if needed
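The refresh/retry/expire decision of the previous slide and the Refresh + TTL propagation rule of this one, as an added Python example (not from the presentation). It uses the sample zone's SOA timers (24h refresh, 6h retry, 2w expire) and its $TTL 1d; the function names and the change-planning helper are this example's own.

```python
# Added example (not from the slides): the slave's refresh/retry/expire decision
# and the worst-case propagation time (Refresh + TTL) for a change, using the SOA
# timers from the sample zone (24h refresh, 6h retry, 2w expire) and its $TTL 1d.
SOA = {"refresh": 24 * 3600, "retry": 6 * 3600, "expire": 14 * 86400}
DEFAULT_TTL = 86400

def slave_action(master_serial, slave_serial, master_reachable, since_last_good):
    """What a slave does when its refresh (or retry) timer fires.
    master_serial is None when the master could not be reached;
    since_last_good is seconds since the zone was last verified against the master."""
    if not master_reachable:
        if since_last_good >= SOA["expire"]:
            return "disable zone"                       # expire reached: stop serving it
        return f"retry in {SOA['retry']}s"
    if master_serial > slave_serial:
        return "transfer zone"                          # newer serial on master: AXFR
    # Equal serial: the slave assumes nothing changed, even if RRs were edited on
    # the master without bumping the serial (the slide's "slave will never update").
    return f"up to date, next check in {SOA['refresh']}s"

def worst_case_propagation(refresh=SOA["refresh"], ttl=DEFAULT_TTL):
    """Seconds until the whole world can see a change made on the master: a slave may
    only notice at its next refresh, and a cache that fetched the old record from that
    slave just before then keeps it for a full TTL."""
    return refresh + ttl

def plan_change(change_at, refresh=SOA["refresh"], ttl=DEFAULT_TTL, low_refresh=3600, low_ttl=300):
    """When to lower refresh/TTL ahead of a planned change (at least Refresh + TTL
    before it) and how long the change itself then takes to propagate. Times are
    seconds on whatever clock `change_at` uses; the lowered values are illustrative."""
    return {"lower_timers_by": change_at - worst_case_propagation(refresh, ttl),
            "change_propagates_in": worst_case_propagation(low_refresh, low_ttl)}
```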

25
Delegation
  • Authoritative server delegates sub-domain to
    another server
  • TLDs delegate to second level servers
  • Any authoritative server can delegate a subdomain
  • To itself, to create a separate zone file
  • To another server authoritative for the
    sub-domain
  • Lame delegation
  • Occurs when a server delegates to
    non-authoritative server
  • Can happen if school registers their domain,
    without telling the administrator of the name
    servers

26
Sample Delegation
; HICKSVILLE.K12.OH.US Zone
$TTL 1d                 ; Default TTL (time other servers can cache records)
@          IN SOA ns1.esu.k12.oh.us. hostmaster.esu.k12.oh.us. (
                        20020505    ; Serial number
                        24h         ; refresh
                        6h          ; retry
                        2w          ; expire
                        1h )        ; TTL for negative responses
           IN MX 10 nwoca.org.
           IN MX 20 nwoca0.nwoca.org.
           IN NS ns1.esu.k12.oh.us.
           IN NS ns4.esu.k12.oh.us.
           IN NS ns1.oar.net.
high-school IN NS ns1.web-wizards.com.
            IN NS ns2.web-wizards.com.
27
Providing Reliable Service
  • Provide multiple servers for clients
  • Several servers must be able to query roots
  • Not one forwarded to another, or off-site
  • Spread the Load
  • Use multiple servers to spread client load
  • Use district servers forwarded to DAS servers
  • Encourage/force DHCP so that clients can be
    reconfigured
  • DNS intensive applications (SMTP, HTTP Proxy)
  • Should have service on same box (caching-only
    minimum)
  • Should not have to wait on other box for DNS
  • Even if forwarded to inside DNS
  • Dedicated DNS cache will fill with appropriate
    record types (MXs for SMTP, A for HTTP)

28
Inside DNS servers
  • Inside Server
  • Answers you want inside clients to get
  • Defines inside addresses for inside domains
  • You can have outside addresses in an inside
    zone
  • Authoritative for inside domains, queries root
    delegations for all others
  • If using Inside DNS
  • Must have at least two authoritative servers
    (master + slaves)
  • Do NOT have single authoritative server with
    multiple forwarders
  • All other servers must be forward only to these
    servers
  • Only inside servers should be permitted to query
    outside servers
  • Block all other servers and stub-resolvers at
    firewall

29
Outside (Global) Name Servers
  • For hosting domain
  • Answers you want outside clients to receive
  • Cannot be on the same box as the inside server (?)
  • Must never respond with private network IPs
  • Must have at least two authoritative servers
  • Master (Primary)
  • Slave (Secondary)
  • OECN will host most domains as secondary

30
Windows 2000
  • DCs should be authoritative for their domain
  • Where DNS domain equals ADS Domain
  • At least two DCs configured with DNS
  • Using ADS Integration
  • Forward to DAS name servers
  • Do not use recursion if DAS uses inside servers
  • All client machines must use DCs for DNS
  • Provides name resolution for domain
  • Auto registers client with DCs and DNS
  • Must not use DAS servers for DNS (unless DAS is
    auto-registering)

31
Windows 2000 and Trusts
  • For domains to trust, must solve name resolution
    problem
  • WINS still works
  • One DNS solution
  • Configure the trusting domains' DCs as secondaries
    for each other
  • Not ADS-integrated, just DNS secondaries
  • DCs will replicate each other's domains and find
    each other
  • Other DNS solution
  • Second the ADS domains on the DAS inside DNS servers
  • All servers forwarded to DAS will find each other
  • Note: other solutions (perhaps better) may be
    available, but outside the presenter's experience.

32
W2K Conflicts with global DNS
  • Understand collisions with the global domain
  • Consider hicksville.k12.oh.us in global DNS
  • If the school uses lan.hicksville.k12.oh.us for its
    ADS domain
  • DCs will be authoritative for lan.hicksville.k12.oh.us
  • But not hicksville.k12.oh.us; this is handled by
    DAS or outside servers
  • Better isolates the ADS domain from outside
  • If the school uses hicksville.k12.oh.us for ADS,
    then
  • They must provide their own inside DNS for
    www.hicksville.k12.oh.us
  • This must be seconded or duplicated in DAS's
    inside DNS
  • Potential unhealthy conflicts with the global domain
    (someone creates a workstation named www)

33
Name service for NWOCA clients
  • NWOCA West
  • Dedicated name server (ns.nwoca.org)
  • Second server nwoca.org, forwarded to
    ns.nwoca.org
  • Most web/mail servers forward to ns.nwoca.org
  • NWOCA East
  • Two dedicated name servers
  • Forwarded to ns.nwoca.org
  • NWOCA inside DNS
  • W2K Domain Controllers provide limited inside
    service
  • Used by NWOCA staff clients (DHCP) for Windows
    resolution
  • School Districts
  • If no local NS, clients configured to East/West
    servers, as appropriate
  • With a local NS, it is slaved/forwarded to the
    East/West servers
  • With W2K, ADS DCs are slaved/forwarded to NWOCA's
    DCs

34
NWOCA Name Service
35
OECN Name Servers
  • OECN authoritative servers
  • dns.esu.k12.oh.us
  • Master server where zones are maintained
  • No delegations directly to this system
  • ns1.esu.k12.oh.us and ns4.esu.k12.oh.us
  • Slaves to dns.esu.k12.oh.us
  • Outside world is delegated here, though they are
    both slaves to the real master name server
  • Do not answer recursive queries
  • ns1.oar.net
  • Authoritative for k12.oh.us
  • Seconds most of the k12.oh.us domains for OECN
  • Not under our control (cannot be manually
    reloaded); Refresh 24h
  • Notes
  • Provides a separate server for testing zones before
    errors escape into the world
  • If errors escape into the world, it takes (Refresh
    + TTL) time to correct

36
OECN Delegations