DOCSLIB.ORG

Powerdns-Authoritative.Pdf

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Powerdns-Authoritative.Pdf PowerDNS Authoritative Server Documentation PowerDNS.COM BV Sep 24, 2021 CONTENTS 1 PowerDNS Authoritative Nameserver1 1.1 Getting Started............................................1 1.2 Getting Support...........................................1 1.2.1 My information is confidential, must I send it to the mailing list, discuss it on IRC, or post it in a GitHub ticket?..................................1 1.2.2 I have a question!......................................2 1.2.3 What details should I supply?................................2 1.2.4 I found a bug!........................................2 1.2.5 I found a security issue!...................................2 1.2.6 I have a good idea for a feature!..............................2 2 Installing PowerDNS 3 2.1 Binary Packages...........................................3 2.1.1 Debian-based Systems...................................3 2.1.2 Redhat-based Systems...................................3 2.1.3 FreeBSD..........................................3 2.1.4 Mac OS X..........................................4 2.2 After installation...........................................4 3 Upgrade Notes 5 3.1 4.4.x to 4.5.0 or master........................................5 3.1.1 Record type changes....................................5 3.1.2 Changed options......................................5 3.2 4.3.x to 4.4.0.............................................6 3.2.1 Latency calculation changes................................6 3.2.2 MySQL character set detection...............................6 3.2.3 Record type changes....................................7 3.2.4 PostgreSQL configuration escaping............................7 3.2.5 New LMDB schema....................................7 3.2.6 Removed features......................................7 3.3 4.3.1 to 4.3.2.............................................7 3.3.1 Latency calculation changes................................7 3.4 4.3.0 to 4.3.1.............................................8 3.5 4.2.x to 4.3.0.............................................8 3.5.1 NSEC(3) TTL changed...................................8 3.5.2 Lua Netmask class methods changed............................8 3.5.3 socket-dir changed...................................8 3.5.4 Systemd service and permissions..............................9 3.5.5 New settings........................................9 3.5.6 Deprecated settings.....................................9 3.5.7 Changed defaults......................................9 3.5.8 Schema changes.......................................9 3.5.9 Implicit 5->7 algorithm upgrades..............................9 3.5.10 IXFR-in corruption..................................... 10 i 3.6 4.2.X to 4.2.3............................................. 10 3.7 4.X.X to 4.2.2............................................ 10 3.7.1 IXFR-in corruption..................................... 10 3.8 4.1.X to 4.2.0............................................. 10 3.9 4.1.X to 4.1.14............................................ 10 3.10 4.1.0 to 4.1.1............................................. 11 3.11 4.0.X to 4.1.0............................................. 11 3.11.1 Changed options...................................... 11 3.11.2 Other changes........................................ 11 3.12 4.0.X to 4.0.2............................................. 12 3.12.1 Changed options...................................... 12 3.13 3.4.X to 4.0.0............................................. 12 3.13.1 Database changes...................................... 12 3.13.2 Changed options...................................... 12 3.13.3 API............................................. 13 3.13.4 Resource Record Changes................................. 13 4 DNS Modes of Operation 15 4.1 Native replication.......................................... 15 4.2 Primary operation.......................................... 15 4.3 Secondary operation......................................... 16 4.4 Master/Slave Setup Requirements.................................. 17 4.5 IXFR: incremental zone transfers.................................. 17 4.6 Autoprimary: automatic provisioning of secondaries........................ 17 4.7 Modifying a slave zone using a script................................ 18 5 Migrating to PowerDNS 21 5.1 Using AXFR to a Slave-Capable Backend.............................. 21 5.1.1 To A Generic SQL Backend................................ 21 5.1.2 To the BIND backend.................................... 21 5.2 From zonefiles to PowerDNS.................................... 22 5.2.1 Using the BIND backend.................................. 22 5.2.2 To a Generic SQL backend................................. 22 5.3 Migrating Data from one Backend to Another Backend....................... 23 5.3.1 Prerequisites........................................ 23 5.3.2 Moving from source to target................................ 23 6 Running and Operating 25 6.1 Guardian............................................... 25 6.2 Logging to syslog on systemd-based operating systems....................... 25 6.3 Logging to syslog.......................................... 25 6.4 Controlling A Running PowerDNS Server............................. 26 6.4.1 Control Socket....................................... 26 6.4.2 pdns_control ...................................... 26 6.4.3 Backend manipulation................................... 26 6.4.4 pdnsutil ......................................... 26 6.5 The SysV init script......................................... 26 6.6 Running in the foreground...................................... 27 7 Security of PowerDNS 29 7.1 PowerDNS Security Policy..................................... 29 7.1.1 HackerOne......................................... 29 7.1.2 Disclosure Policy...................................... 29 7.2 Securing the Process......................................... 30 7.2.1 Running as a less privileged identity............................ 30 7.2.2 Jailing the process in a chroot............................... 30 7.3 Security Considerations....................................... 30 7.4 Security Polling........................................... 30 7.4.1 Details............................................ 31 ii 8 Performance and Tuning 33 8.1 Performance related settings..................................... 33 8.2 Packet Cache............................................. 34 8.3 Query Cache............................................. 34 8.4 Caches & Memory Allocations & glibc............................... 34 8.5 Performance Monitoring....................................... 34 8.5.1 Counters........................................... 34 8.5.2 open-tcp-connections.................................... 36 8.5.3 Ring buffers......................................... 39 8.5.4 Sending metrics to Graphite/Metronome over Carbon................... 40 9 DNSSEC 41 9.1 A brief introduction to DNSSEC................................... 41 9.2 DNSSEC Profile and Support.................................... 42 9.2.1 Supported Algorithms................................... 42 9.3 DNSSEC Modes of Operation.................................... 43 9.3.1 Online Signing....................................... 43 9.3.2 Pre-signed records..................................... 45 9.3.3 Front-signing........................................ 45 9.3.4 Signed AXFR........................................ 45 9.3.5 BIND-mode operation................................... 45 9.3.6 Hybrid BIND-mode operation............................... 45 9.4 pdnsutil and DNSSEC...................................... 46 9.4.1 DNSSEC Defaults..................................... 46 9.5 Migrating (Signed) Zones to PowerDNS.............................. 46 9.5.1 From an existing PowerDNS installation.......................... 46 9.5.2 From existing non-DNSSEC, non-PowerDNS setups................... 47 9.5.3 From existing DNSSEC non-PowerDNS setups, pre-signed................ 47 9.5.4 From existing DNSSEC non-PowerDNS setups, live signing............... 47 9.5.5 Secure transfers....................................... 47 9.6 Operational instructions....................................... 48 9.6.1 Publishing a DS....................................... 48 9.6.2 Going insecure....................................... 48 9.6.3 Setting the NSEC modes and parameters.......................... 48 9.6.4 SOA-EDIT: ensure signature freshness on slaves..................... 49 9.6.5 Security........................................... 50 9.6.6 Performance......................................... 50 9.6.7 Some notes on TTL usage................................. 50 9.7 DNSSEC advice & precautions................................... 51 9.7.1 Packet sizes, fragments, TCP/IP service.......................... 51 9.8 PKCS#11 support.......................................... 51 9.8.1 Using PKCS#11 with SoftHSM.............................. 51 9.8.2 SoftHSM2 with forwarding................................. 52 9.8.3 Using CryptAS....................................... 53 9.9 Thanks to, acknowledgements.................................... 54 10 Per zone settings: Domain Metadata 57 10.1 ALLOW-AXFR-FROM....................................... 57 10.2 API-RECTIFY............................................ 58 10.3 AXFR-SOURCE........................................... 58 10.4 ALLOW-DNSUPDATE-FROM, TSIG-ALLOW-DNSUPDATE, FORWARD-DNSUPDATE, SOA-EDIT-DNSUPDATE, NOTIFY-DNSUPDATE........................ 58 10.5 ALSO-NOTIFY..........................................
Load more

Recommended publications
  • Ispconfig 3 Manual]
    [ISPConfig 3 Manual] ISPConfig 3 Manual Version 1.0 for ISPConfig 3.0.3 Author: Falko Timme <[email protected]> Last edited 09/30/2010 1 The ISPConfig 3 manual is protected by copyright. No part of the manual may be reproduced, adapted, translated, or made available to a third party in any form by any process (electronic or otherwise) without the written specific consent of projektfarm GmbH. You may keep backup copies of the manual in digital or printed form for your personal use. All rights reserved. This copy was issued to: Thomas CARTER - [email protected] - Date: 2010-11-20 [ISPConfig 3 Manual] ISPConfig 3 is an open source hosting control panel for Linux and is capable of managing multiple servers from one control panel. ISPConfig 3 is licensed under BSD license. Managed Services and Features • Manage one or more servers from one control panel (multiserver management) • Different permission levels (administrators, resellers and clients) + email user level provided by a roundcube plugin for ISPConfig • Httpd (virtual hosts, domain- and IP-based) • FTP, SFTP, SCP • WebDAV • DNS (A, AAAA, ALIAS, CNAME, HINFO, MX, NS, PTR, RP, SRV, TXT records) • POP3, IMAP • Email autoresponder • Server-based mail filtering • Advanced email spamfilter and antivirus filter • MySQL client-databases • Webalizer and/or AWStats statistics • Harddisk quota • Mail quota • Traffic limits and statistics • IP addresses 2 The ISPConfig 3 manual is protected by copyright. No part of the manual may be reproduced, adapted, translated, or made available to a third party in any form by any process (electronic or otherwise) without the written specific consent of projektfarm GmbH.
    [Show full text]
  • To the Members of the Senate Judiciary Committee: We, The
    To the members of the Senate Judiciary Committee: We, the undersigned, have played various parts in building a network called the Internet. We wrote and debugged the software; we defined the standards and protocols that talk over that network. Many of us invented parts of it. We're just a little proud of the social and economic benefits that our project, the Internet, has brought with it. We are writing to oppose the Committee's proposed new Internet censorship and copyright bill. If enacted, this legislation will risk fragmenting the Internet's global domain name system (DNS ), create an environment of tremendous fear and uncertainty for technological innovation, and seriously harm the credibility of the United States in its role as a steward of key Internet infrastructure. In exchange for this, the bill will introduce censorship that will simultaneously be circumvented by deliberate infringers while hampering innocent parties' ability to communicate. All censorship schemes impact speech beyond the category they were intended to restrict, but this bill will be particularly egregious in that regard because it causes entire domains to vanish from the Web, not just infringing pages or files. Worse, an incredible range of useful, law-abiding sites can be blacklisted under this bill. These problems will be enough to ensure that alternative name-lookup infrastructures will come into widespread use, outside the control of US service providers but easily used by American citizens. Errors and divergences will appear between these new services and the current global DNS, and contradictory addresses will confuse browsers and frustrate the people using them.
    [Show full text]
  • Domain Name Server Comparison
    DomainNameServerComparison: BIND8vs.BIND9vs.djbdnsvs.??? BradKnowles SeniorConsultantforSnow,BV [email protected] http://www.shub-internet.org/brad/papers/dnscomparison/ Entirecontentscopyright©2003byBradKnowles,allrightsreserved Overview • Meta Information • TLD Survey Results • Software – Installation – Features – Performance • Conclusions 2003-01-28 Copyright©2003byBradKnowles 2 MetaInformation • Hardware Used • Software Used • Methodology 2003-01-28 Copyright©2003byBradKnowles 3 HardwareUsed • TLD Survey – OS: BSD/OS 4.2 – CPU: Pentium III – RAM: 512MB real, 1.0GB virtual 2003-01-28 Copyright©2003byBradKnowles 4 HardwareUsed • Performance Testing – Compaq Armada 4131T Laptop • OS: FreeBSD 4.6.2-RELEASE • CPU: Pentium 133 • RAM: 48MB real, 384MB virtual • NICs: Asanté FriendlyNET AL1011 “Prism2” 802.11b WiFi PC Card & Linksys EtherFast 10/100 PC Card (PCM100) • HD: 10GB IBM Travelstar 20GN – 4200 RPM – 12ms avg. seek 2003-01-28 Copyright©2003byBradKnowles 5 HardwareUsed: PerformanceTesting Image copyright © 2001 Sunset Computer Services, Inc. All Rights Reserved. 2003-01-28 Copyright©2003byBradKnowles 6 SoftwareUsed • ISC – BIND 8.3.3-REL – BIND 9.2.2rc1 • djbdns 1.05 – daemontools 0.76 – ucpsi-tcp 0.88 – tinydns-bent 1.1 • nsd 1.02b1 • Nominum – ANS (Authoritative Name Server) 2.0.1-1eval – CNS (Caching Name Server) 1.1.0b1 • PowerDNS 2.9.4 2003-01-28 Copyright©2003byBradKnowles 7 SomeSoftwareConsidered • QuickDNS (authoritative) – See <http://www.menandmice.com/2000/2600_isp_dns_solution.html> • Aimed at small-to-medium size businesses,
    [Show full text]
  • Sirdom. Sistema Para La Gestión Del Servicio De Resolución De Nombres De Dominios
    Revista de investigación Editada por Área de Innovación y Desarrollo, S.L. Envío: 27-01-2013 Aceptación: 30-01-2013 Publicación: 19-02-2013 SIRDOM. SISTEMA PARA LA GESTIÓN DEL SERVICIO DE RESOLUCIÓN DE NOMBRES DE DOMINIOS SIRDOM. MANAGEMENT SYSTEM FOR THE RESOLUTION NAMES DOMAINS SERVICE. Yoedusvany Hernández Mendoza1 Yordanis Arencibia López2 Yankier Crespo González3 1. Máster, Ingeniero Informático. Profesor del Departamento de Redes, UNICA. 2. Máster, Ingeniero Informático. Profesor del Departamento de Redes, UNICA. 3. Máster, Ingeniero Informático. Profesor del Departamento de Redes, UNICA. RESUMEN Este artículo presenta un estudio del comportamiento del servicio DNS, su funcionamiento, herramientas y por último se propone un sistema informático que permite configurar y gestionar dicho servicio a través de una serie de prestaciones y facilidades que las aplicaciones actuales no posibilitan. Este sistema permitirá gestionar el servicio de resolución de nombres de dominio sobre BIND en su versión 9. ABSTRACT This paper presents a study of the behavior of DNS, its operating principle, tools and finally proposes a computer system to configure and manage this service through a number of benefits and facilities that do not allow current applications. This system will manage the service of domain name resolution on BIND version 9. PALABRAS CLAVE Bind, DNS, dominio, resolución, sistema. KEYWORDS Bind, DNS, domain, resolution, system. SIRDOM. SISTEMA PARA LA GESTIÓN DEL SERVICIO DE RESOLUCIÓN DE NOMBRES DE DOMINIOS DE NOMBRES DE RESOLUCIÓN DE SERVICIO DEL GESTIÓN LA PARA SISTEMA SIRDOM. 2 INTRODUCCIÓN Las diferentes instituciones y organizaciones, siendo los centros educacionales unos de los principales, han tenido que cambiar sus esquemas tradicionales para adaptarse a la actual era de la información.
    [Show full text]
  • Domain Name System 1 Domain Name System
    Domain Name System 1 Domain Name System The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. A Domain Name Service translates queries for domain names (which are easier to understand and utilize when accessing the internet) into IP addresses for the purpose of locating computer services and devices worldwide. An often-used analogy to explain the Domain Name System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames into IP addresses. For example, the domain name www.example.com translates to the addresses 192.0.43.10 (IPv4) and 2620:0:2d0:200::10 (IPv6). The Domain Name System makes it possible to assign domain names to groups of Internet resources and users in a meaningful way, independent of each entity's physical location. Because of this, World Wide Web (WWW) hyperlinks and Internet contact information can remain consistent and constant even if the current Internet routing arrangements change or the participant uses a mobile device. Internet domain names are easier to remember than IP addresses such as 208.77.188.166 (IPv4) or 2001:db8:1f70::999:de8:7648:6e8 (IPv6). Users take advantage of this when they recite meaningful Uniform Resource Locators (URLs) and e-mail addresses without having to know how the computer actually locates them. The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses by designating authoritative name servers for each domain.
    [Show full text]
  • Linux Networking Cookbook.Pdf
    Linux Networking Cookbook ™ Carla Schroder Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo Linux Networking Cookbook™ by Carla Schroder Copyright © 2008 O’Reilly Media, Inc. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or [email protected]. Editor: Mike Loukides Indexer: John Bickelhaupt Production Editor: Sumita Mukherji Cover Designer: Karen Montgomery Copyeditor: Derek Di Matteo Interior Designer: David Futato Proofreader: Sumita Mukherji Illustrator: Jessamyn Read Printing History: November 2007: First Edition. Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. The Cookbook series designations, Linux Networking Cookbook, the image of a female blacksmith, and related trade dress are trademarks of O’Reilly Media, Inc. Java™ is a trademark of Sun Microsystems, Inc. .NET is a registered trademark of Microsoft Corporation. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
    [Show full text]
  • Rssac026v2: RSSAC Lexicon
    RSSAC026v2: RSSAC Lexicon An Advisory from the ICANN Root Server System Advisory Committee (RSSAC) 12 March 2020 RSSAC Lexicon Preface This is an Advisory to the Internet Corporation for Assigned Names and Numbers (ICANN) Board of Directors and the Internet community more broadly from the ICANN Root Server System Advisory Committee (RSSAC). In this Advisory, the RSSAC defines terms related to root server operations for the ICANN Community. The RSSAC seeks to advise the ICANN community and Board on matters relating to the operation, administration, security and integrity of the Internet’s Root Server System. This includes communicating on matters relating to the operation of the Root Servers and their multiple instances with the technical and ICANN community, gathering and articulating requirements to offer to those engaged in technical revisions of the protocols and best common practices related to the operational of DNS servers, engaging in ongoing threat assessment and risk analysis of the Root Server System and recommend any necessary audit activity to assess the current status of root servers and root zone. The RSSAC has no authority to regulate, enforce, or adjudicate. Those functions belong to others, and the advice offered here should be evaluated on its merits. The RSSAC has relied on the RSSAC Caucus, a group of DNS experts who have an interest in the Root Server System to perform research and produce this publication. A list of the contributors to this Advisory, references to RSSAC Caucus members’ statement of interest, and RSSAC members’ objections to the findings or recommendations in this Report are at the end of this document.
    [Show full text]
  • Linux Server Security, 2Nd Edition Expertly Conveys to Administrators
    Linux Server Security, 2nd Edition By Michael D. Bauer Publisher: O'Reilly Pub Date: January 2005 ISBN: 0-596-00670-5 Pages: 542 Table of • Contents • Index • Reviews • Examples Linux Server Security, 2nd Edition expertly conveys to administrators and Reader developers the tricks of the trade that can help them avoid serious • Reviews security breaches. It covers both background theory and practical step-by- • Errata step instructions for protecting a server that runs Linux. Packed with • Academic examples, this must-have book lets the good guys stay one step ahead of potential adversaries. Linux Server Security, 2nd Edition By Michael D. Bauer Publisher: O'Reilly Pub Date: January 2005 ISBN: 0-596-00670-5 Pages: 542 Table of • Contents • Index • Reviews • Examples Reader • Reviews • Errata • Academic Copyright dedication Dedication Preface What This Book Is About The Paranoid Penguin Connection The Second Edition Audience What This Book Doesn't Cover Assumptions This Book Makes Organization of This Book Conventions Used in This Book Safari® Enabled How to Contact Us Using Code Examples Acknowledgments Chapter 1. Threat Modeling and Risk Management Section 1.1. Components of Risk Section 1.2. Simple Risk Analysis: ALEs Section 1.3. An Alternative: Attack Trees Section 1.4. Defenses Section 1.5. Conclusion Section 1.6. Resources Chapter 2. Designing Perimeter Networks Section 2.1. Some Terminology Section 2.2. Types of Firewall and DMZ Architectures Section 2.3. Deciding What Should Reside on the DMZ Section 2.4. Allocating Resources in the DMZ Section 2.5. The Firewall Chapter 3. Hardening Linux and Using iptables Section 3.1.
    [Show full text]
  • DNS) Deployment Guide
    Archived NIST Technical Series Publication The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below). Archived Publication Series/Number: NIST Special Publication 800-81 Revision 1 Title: Secure Domain Name System (DNS) Deployment Guide Publication Date(s): April 2010 Withdrawal Date: September 2013 Withdrawal Note: SP 800-81 Revision 1 is superseded in its entirety by the publication of SP 800-81-2 (September 2013). Superseding Publication(s) The attached publication has been superseded by the following publication(s): Series/Number: NIST Special Publication 800-81-2 Title: Secure Domain Name System (DNS) Deployment Guide Author(s): Ramaswamy Chandramouli, Scott Rose Publication Date(s): September 2013 URL/DOI: http://dx.doi.org/10.6028/NIST.SP.800-81-2 Additional Information (if applicable) Contact: Computer Security Division (Information Technology Lab) Latest revision of the SP 800-81-2 (as of August 7, 2015) attached publication: Related information: http://csrc.nist.gov/ Withdrawal N/A announcement (link): Date updated: ƵŐƵƐƚϳ, 2015 Special Publication 800-81r1 Sponsored by the Department of Homeland Security Secure Domain Name System (DNS) Deployment Guide Recommendations of the National Institute of Standards and Technology Ramaswamy Chandramouli Scott Rose i NIST Special Publication 800-81r1 Secure Domain Name System (DNS) Deployment Guide Sponsored by the Department of Homeland Security Recommendations of the National Institute of Standards and Technology Ramaswamy Chandramouli Scott Rose C O M P U T E R S E C U R I T Y Computer Security Division/Advanced Network Technologies Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899 April 2010 U.S.
    [Show full text]
  • Powerdns Offerings ­ Version Current As of November 2012 ● Remotely Pollable Statistics for Real Time Graphing ● High Performance ● SNMP Statistics Bridge (Read Only)
    Products, Features & Services PowerDNS PowerDNS, founded in the late 1990s, is a premier supplier of DNS software, services and support. Deployed throughout the world with some of the most demanding users of DNS, we pride ourselves on quality software and the very best support available. PowerDNS customers include leading telecommunications service providers, large scale integrators, content distribution networks, cable networks / multi service operators and Fortune 500 software companies. In various important markets, like Scandinavia, Germany and The Netherlands, PowerDNS is the number one supplier of nameserver software. PowerDNS is based in The Netherlands, Europe and is privately held. Products Authoritative Server The PowerDNS Authoritative Server is the only solution that enables authoritative DNS service from all major databases, including but not limited to MySQL, PostgreSQL, SQLite3, Oracle, Sybase, Microsoft SQL Server, LDAP and plain text files. DNS answers can also be fully scripted using a variety of (scripting) languages like for example Lua, Java, Perl, Python, Ruby, C and C++. Such scripting can be used for dynamic redirection, (spam)filtering or real time intervention. In addition, the PowerDNS Authoritative Server is the leading DNSSEC implementation, hosting the majority of all DNSSEC domains worldwide. The Authoritative Server hosts at least 30% of all domain names in Europe, and around 90% of all DNSSEC domains in Europe. Recursor The PowerDNS Recursor is a high­end, high­performance resolving name server which powers the DNS resolution of at least a hundred million subscribers. Utilizing multiple processors and supporting the same powerful scripting ability of the Authoritative Server, the Recursor delivers top performance while retaining the flexibility modern DNS deployments require.
    [Show full text]
  • DNS / DNSSEC Workshop
    1/22/18 DNS / DNSSEC Workshop Hong Kong 22-24 January 2018 Issue Date: Revision: Overview • DNS Overview • BIND DNS Configuration • Recursive and Forward DNS • Reverse DNS • Troubleshooting • DNS Security Overview • DNS Transactions • DNS Security Extensions (DNSSec) • DNSSec Key Management and Automation 2 1 1/22/18 Overview • DNS Overview • BIND DNS Configuration • Recursive and Forward DNS • Reverse DNS • Troubleshooting • DNS Security Overview • DNS Transactions • DNS Security Extensions (DNSSec) • DNSSec Key Management and Automation 3 Domain Name System • A lookup mechanism for translating objects into otHer objects – Mapping names to numbers and vice versa • A globally distributed, loosely coHerent, scalable, reliable, dynamic database • Comprised of tHree components – A “name space” – Servers making tHat name space available – Resolvers (clients) query tHe servers about tHe name space • A critical piece of tHe Internet infrastructure 4 2 1/22/18 IP Addresses vs Domain Names The Internet DNS www.apnic.net202.112.0.46 2001:0400:: 2001:0C00:8888::My Computer www.apnic.net2001:0400:: 5 Old Solution: hosts.txt • A centrally-maintained file, distributed to all Hosts on tHe Internet • Issues witH Having just one file – Becomes Huge after some time – Needs frequent copying to ALL Hosts – Consistency // hosts.txt – Always out-of-date SERVER1 128.4.13.9 WEBMAIL 4.98.133.7 – Name uniqueness FTPHOST 200.10.194.33 – Single point of administration THis feature still exists: [Unix] /etc/Hosts [Windows] c:\windows\Hosts 6 3 1/22/18 DNS Features • Global distribution – SHares tHe load and administration • Loose CoHerency – GeograpHically distributed, but still coHerent • Scalability – can add DNS servers witHout affecting tHe entire DNS • Reliability • Dynamicity – Modify and update data dynamically 7 DNS Features • DNS is a client-server application • Requests and responses are normally sent in UDP packets, port 53 • Occasionally uses TCP, port 53 – for very large requests, e.g.
    [Show full text]
  • DNS Introduction
    DNS Introduction www.what-is-my-ip-address.com (C) Herbert Haas 2005/03/11 1 “Except for Great Britain. According to ISO 3166 and Internet tradition, Great Britain's top-level domain name should be gb. Instead, most organizations in Great Britain and Northern Ireland (i.e., the United Kingdom) use the top-level domain name uk. They drive on the wrong side of the road, too.” DNS and BIND book Footnote to the ISO 3166 two-letter country code TLDs 2 DNS Tree Growth 162,128,493 by 2002/7 (C) Herbert Haas 2005/03/11 3 The ISC about the new DNS survey method: The new survey works by querying the domain system for the name assigned to every possible IP address. However, this would take too long if we had to send a query for each of the potential 4.3 billion (2^32) IP addresses that can exist. Instead, we start with a list of all network numbers that have been delegated within the IN-ADDR.ARPA domain. The IN-ADDR.ARPA domain is a special part of the domain name space used to convert IP addresses into names. For each IN- ADDR.ARPA network number delegation, we query for further subdelegations at each network octet boundary below that point. This process takes about two days and when it ends we have a list of all 3-octet network number delegations that exist and the names of the authoritative domain servers that handle those queries. This process reduces the number of queries we need to do from 4.3 billion to the number of possible hosts per delegation (254) times the number of delegations found.
    [Show full text]