Lecture slides: LPI202 - Chapter 03: Advanced Linux Network Administration: DNS (47 slides)
Advanced Linux Network Administration: DNS
Chapter 03

Objectives
- Introduce the Domain Name System
- Basic BIND 8 configuration
- Create and maintain DNS zones
- Securing a DNS server

Introduction
Computers (hosts, routers) connected to the Internet have two forms of names:
- IP address: a 32-bit identifier (IPv4; an IPv6 address is 128 bits) used for addressing hosts and routing data to them, e.g. 192.168.0.101
- Hostname: an ASCII string used by applications, e.g. cs.unt.edu

Purpose
- The DNS is an Internet-wide service that provides mappings between IP addresses and hostnames. It is most often used to translate a hostname into an IP address.
- The DNS is a distributed database implemented in a hierarchy of name servers.
- It is also an application-layer protocol that lets hosts and name servers communicate to provide the translation service.

Network
- The DNS protocol uses port 53. Ordinary queries run over UDP; TCP is used for zone transfers and for queries whose response does not fit in a UDP datagram (the server sets the TC bit and the client retries over TCP). Firewall rules that only open UDP/53 therefore break zone transfers and large responses.
- Domain names form a hierarchy so that names are unique yet easy to remember.
- Hosts and routers use name servers to resolve names (address/name translation).
- Name resolution is an essential Internet function implemented as an application-layer protocol.
- Name servers are often UNIX machines running the Berkeley Internet Name Domain (BIND) software.

Name Hierarchy
- Top Level Domains
- Root Name Servers

Important Applications
- Host aliasing: a host can have one or more alias names (e.g. ibm.com and www.ibm.com), one of which is the canonical hostname (e.g. relay1.west-coast.ibm.com).
- Aliasing by service: a company can use the same host name for its web server, mail server, FTP server, etc., even though these are different computers with different IP addresses.
- Load distribution: a set of IP addresses can be associated with a canonical hostname. DNS returns the whole set, varying the order of the addresses between responses.

Specification
- RFC 1034, Domain names - concepts and facilities: an introduction to the Domain Name System, to domain-style names, their use for Internet mail and host address support, and the protocols and servers used to implement domain name facilities.
- RFC 1035, Domain names - implementation and specification: describes the details of the domain system and protocol.

Configuration Goals
- Names are not required to contain network identifiers, routes, addresses, etc.
- The database is maintained in a distributed manner, with local caching to improve performance.
- Access to information is more critical than speed or consistency.

Functions of DNS
- Operation of DNS
- Name resolution process
- Event flow in DNS
- Further DNS functions

DNS Functions: Name Space
DNS uses a hierarchical name space: a single, multi-level structure into which all names in the system fit. The name space is organised starting from a single root, into which "containers" (called domains) are placed.

DNS Functions: Name Registration (including administration and authorities)
DNS uses a hierarchical arrangement of authorities that complements the hierarchical name space. A centralised authority determines the overall shape and structure of the name space and handles registration of names at the highest level; authority for names below that is delegated down the tree.

DNS Functions: Name Resolution
This is the most important part of the DNS design: it must handle a very large number of name resolution requests every day. The name resolution process is implemented with two software elements that play the roles of client and server: name servers and name resolvers.
- Name servers: receive requests for name resolution and respond either with the requested data from their own database or with the name of another name server that will lead to the requested information (a referral).
- Name resolvers: the usual clients in the name resolution process. When a user refers to a name in a networking application, the name is passed to the resolver, which issues a request to a name server.
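The server/resolver roles just described, as an added example that is not part of the original slides: a toy model in which each name server answers from its own data or refers the client to a closer delegation, and a resolver walks the referrals from the root hints, caching what it learns. The hierarchy (a root server, an org. server, ns1.tldp.org.), the server names and the 203.0.113.80 address are constructed for the example.

```python
"""Toy model of DNS resolution: authoritative name servers answer with
data or a referral, and a resolver walks the referrals from the root.
Added example with constructed data; the server names and the
203.0.113.0/24 (documentation range) address are assumptions."""
from typing import Dict, List, Tuple

Records = Dict[Tuple[str, str], List[str]]   # (owner, type) -> rdata list

# Constructed authoritative data, keyed by the name of the server that
# holds it. Owner names are fully qualified (trailing dot).
ZONES: Dict[str, Records] = {
    "a.root-servers.net.": {                 # root: delegates org.
        ("org.", "NS"): ["a0.org-servers.net."],
    },
    "a0.org-servers.net.": {                 # org.: delegates tldp.org.
        ("tldp.org.", "NS"): ["ns1.tldp.org."],
    },
    "ns1.tldp.org.": {                       # authoritative for tldp.org.
        ("tldp.org.", "NS"): ["ns1.tldp.org."],
        ("www.tldp.org.", "A"): ["203.0.113.80"],
    },
}


def name_server(server: str, qname: str, qtype: str) -> Tuple[str, List[str]]:
    """Answer from the server's own data; otherwise refer the client to the
    closest delegation the server knows about; if the server is itself
    authoritative for the enclosing zone, the name does not exist."""
    data = ZONES[server]
    if (qname, qtype) in data:
        return "answer", data[(qname, qtype)]
    labels = qname.split(".")
    for i in range(1, len(labels)):          # walk up: tldp.org., org., ...
        zone = ".".join(labels[i:])
        if (zone, "NS") in data:
            if server in data[(zone, "NS")]:
                return "nxdomain", []        # we are authoritative: no such name
            return "referral", data[(zone, "NS")]
    return "nxdomain", []


class Resolver:
    """Recursive resolver: iterates over referrals starting at the root
    hints and caches positive answers so repeats cost no upstream query."""
    ROOT_HINTS = ["a.root-servers.net."]

    def __init__(self) -> None:
        self.cache: Records = {}
        self.queries_sent = 0

    def resolve(self, qname: str, qtype: str = "A") -> List[str]:
        if (qname, qtype) in self.cache:     # cache hit: no network traffic
            return self.cache[(qname, qtype)]
        server = self.ROOT_HINTS[0]
        for _ in range(16):                  # bound the chain: a bad delegation must not loop forever
            self.queries_sent += 1
            kind, rdata = name_server(server, qname, qtype)
            if kind == "answer":
                self.cache[(qname, qtype)] = rdata
                return rdata
            if kind == "nxdomain":
                return []
            server = rdata[0]                # follow the referral
        raise RuntimeError("referral chain too long for " + qname)


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.tldp.org."), r.queries_sent)   # ['203.0.113.80'] 3
    print(r.resolve("www.tldp.org."), r.queries_sent)   # cache hit, still 3
```

The first lookup costs three queries (root, org., ns1.tldp.org.); the second is served from the cache. Resolver.resolve is exactly what a recursive name server does on behalf of its clients, which is why the allow-recursion option later in the chapter matters: a server that does this work for anyone on the Internet is an open resolver that can be abused for amplification attacks.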
Name Resolution
Name resolution is the most important part of DNS, as discussed before. DNS uses a very capable client/server resolution method backed by a distributed database of name information.

Domain Name Servers
These servers may be either dedicated devices or software processes running on machines that also perform other tasks. They store and manage information about domains and respond to resolution requests from clients.

Resolution Techniques
Basic DNS name resolution techniques:
- Iterative resolution: the server answers with the best data it has, typically a referral to the name servers of a closer zone, and the client follows the chain itself.
- Recursive resolution: the server follows the whole chain on the client's behalf and returns the final answer.
- Caching (locality of reference): answers are kept for their TTL, so repeated queries for the same names are served locally.

Operation of DNS
- Event flow in DNS
- Message formats
- Problems
- Performance issues
- Extensions
- Security issues

Message Format
- DNS messages are basically QUERY and RESPONSE; both use the same layout.
- The other message types are STATUS, NOTIFY and UPDATE.
- Typical message format: a 12-byte header followed by the Question, Answer, Authority and Additional sections.
- Fields in the DNS header: ID; the flags word (QR, Opcode, AA, TC, RD, RA, RCODE); and the four section counts QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
- Fields in the DNS question section: QNAME, QTYPE, QCLASS.

Problems With DNS
- No support for IPv6 addresses in the original specification.
- Excess traffic for updating slave resource records: slaves polled the master on the SOA refresh timer and pulled the whole zone.
- No security procedures for DNS: data is neither authenticated nor integrity-protected, so responses can be forged and caches poisoned.

Extensions In DNS
- Support for IPv6 (RFC 1886): a new resource record type, AAAA; a new reverse-resolution hierarchy, similar to IN-ADDR.ARPA, for IPv6 reverse lookups (IP6.INT in RFC 1886, later IP6.ARPA in RFC 3596, which supersedes it); changes to query types and the resolution procedure.
- Facilitating inbound NAT using DNS: integrate DNS and NAT so they work together (RFC 2694).
- DNS NOTIFY (RFC 1996): the master tells its slaves that a zone has changed instead of waiting for the refresh timer.
- Incremental transfers, IXFR (RFC 1995): transfer only the records that changed.

Security In DNS
DNSSEC provides:
a) origin authentication of DNS data;
b) data integrity;
c) authenticated denial of existence.
A resource record format is defined to associate keys with DNS names. This permits the DNS to be used as a public key distribution mechanism in support of DNS security itself and other protocols. The record includes an algorithm identifier, the actual public key parameter(s), and a variety of flags, including those indicating the type of entity the key is associated with and/or asserting that there is no key associated with that entity.

Using dig and host
Non-recursive query:

    dig +norecursive +nostats www.tldp.org @127.0.0.1

    ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;www.tldp.org.            IN      A

    ;; AUTHORITY SECTION:
    .       3600000   IN      NS      A.ROOT-SERVERS.NET.
    .       3600000   IN      NS      B.ROOT-SERVERS.NET.
    .       3600000   IN      NS      C.ROOT-SERVERS.NET.
    .       3600000   IN      NS      D.ROOT-SERVERS.NET.
    .       3600000   IN      NS      E.ROOT-SERVERS.NET.
    .       3600000   IN      NS      F.ROOT-SERVERS.NET.
    .       3600000   IN      NS      G.ROOT-SERVERS.NET.

Reading the output: +norecursive clears the RD bit, so the server does not chase the name for us but returns the best referral it holds, here its root hints; hence ANSWER: 0 and seven NS records for "." in the authority section. qr marks a response; ra means the server offers recursion to this client (127.0.0.1). A server that sets ra for arbitrary Internet clients is an open resolver.

- Search NS records for a domain: dig <domain> NS (or host -t NS <domain>)
- Search MX records for a domain: dig <domain> MX (or host -t MX <domain>)

Basic BIND 8 Configuration
The configuration file for a BIND 8 server is /etc/named.conf. (BIND 8 is long out of support; the statements shown here keep the same syntax in BIND 9.)

Example 1: /etc/named.conf

    options {
        directory "/var/named";
        datasize 100M;
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
    };

The Logging Statement

The Options Statement
The global options for the server are set at the beginning of named.conf. The syntax is:

    options {
        option1;
        option2;
        ...
    };

- version: the version string the server reports via the ndc command or via a query for the name version.bind in class CHAOS. The manpage says the default is the real version number of this server, but some operators prefer the string "(surely you must be joking)". Example: version "(surely you must be joking)"; Masking the version denies an attacker an easy fingerprint.
- directory: the working directory of the server. Example: directory "/var/named";
- recursion (default yes): the server performs recursive queries when needed.
- forward (only or first): the default, first, makes the server query the forwarders before attempting to answer a query itself; only makes the server always ask the forwarders for an answer.
  The forward option must be used together with forwarders.
- forwarders (list): the servers to be used for forwarding; the default is an empty list. Example: forwarders { 10.0.0.1; 10.0.0.10; };
- allow-query (list): hosts or networks that may query the server.
- allow-recursion (list): hosts that may submit recursive queries. Left unrestricted, any host can use the server as a recursive resolver.
- allow-transfer (list): hosts (usually the slaves) that are allowed to do zone transfers. BIND 8 allows transfers from any host unless this is restricted here or in the zone statement.

The Zone Statement
The syntax for a zone entry in named.conf is as follows:

    zone "domain_name" {
        type zone_type;
        file "zone_file";
        local_options;
    };

Example master zone entry, allowing zone transfers only to a slave server at 10.1.2.3:

    zone "seafront.bar" {
        type master;
        file "seafront.zone";
        allow-transfer { 10.1.2.3; };
    };

The Access Control Lists (acl) Statement
Rather than repeating IP addresses, it is possible to group lists of IP addresses or networks and assign a name to the grouping. Example acl:

    acl internal_net { 10.0.0.0/8; };

There are built-in ACLs as follows:
- any: all hosts
- none: no host
- localhost: all IP addresses of the local interfaces
- localnets: the networks attached to the local interfaces

Create and Maintain Zone Files
The format of the zone files is defined in RFC 1035 and contains resource records (RR) for the administered domain or sub-domain. The types of resource records are:
- Start Of Authority (SOA)
- Records defining the name servers for this domain (NS)
- Records defining the mail servers for this domain (MX)
- Authoritative information for hosts on the domain (A)
- Authoritative PTR records (reverse mapping)

Start Of Authority (SOA)

    root-name TTL IN SOA name-server email-address (
        serial
        refresh
        retry
        expire
        minimum )

The root-name is often replaced with an "@" symbol, which resolves to the name of the zone specified in named.conf. The "@" in email-address is replaced with "." (hostmaster@seafront.bar becomes hostmaster.seafront.bar.). The serial must increase on every change, or slaves will not pick the change up; since BIND 8.2 (RFC 2308) the last field is the negative-caching TTL rather than a default TTL for the zone.

NS records
Records defining the name servers for this domain:

    domain-name IN NS name-server

Examples:

    IN NS ns
    @ IN NS ns

The slide's third example, vnuhcm.edu.vn. IN NS 203.162.44.34, is not valid: the data field of an NS record must be a hostname, not an IP address. Point the NS record at a name (for example ns.vnuhcm.edu.vn.) and give that name its own A record with the address.

NOTICE
1. If the owner name at the start of the line is missing, the owner of the previous record is reused; at the top of the file that is @, the zone name.
2. The fully qualified name of the name server is ns.seafront.bar. A host name that doesn't end with a dot automatically has the zone name (@) appended to it, so here ns becomes ns.seafront.bar. Forgetting the trailing dot on an already fully qualified name produces names like ns.seafront.bar.seafront.bar.

A and MX records
MX records define the mail servers for this domain:

    domain-name IN MX PRI mail-server

The PRI entry is a priority number. If several mail servers are defined for a domain, the servers with the lowest priority number are used first. Example:

    vnuhcm.edu.vn. IN MX 10 mx1.foo.bar.

The mail-server must be a hostname that has its own A record (not an IP address and not a CNAME).

A records carry the authoritative address information for hosts on the domain:

    host-name IN A IP-address

Securing a DNS Server
- Server authentication: the dnssec-keygen tool is used to generate a host key. The same key is configured on master and slave and used to sign the transactions between them (TSIG), so that NOTIFY messages, zone transfers and dynamic updates are accepted only from the expected peer.
  - Master configuration
  - Slave configuration
  - Troubleshooting
- Data integrity and authenticity (DNSSEC):
  - New resource records carrying keys and signatures (KEY, SIG and NXT in the original specification; DNSKEY, RRSIG and NSEC in the current one)
  - Signing the zone's records

Summary
- Domain Name System
- Basic BIND 8 configuration
- Create and maintain DNS zones
- Securing a DNS server
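The message layout described under Message Format, and the flags seen in the dig output, as an added example that is not part of the original slides: a builder for a query and a parser for the RFC 1035 header, question section and resource records, including name compression pointers. The response bytes are constructed to look like the referral dig printed (qr and ra set, RD clear, no answers, root NS records in the authority section); the transaction ID and the two root server names used are assumptions.

```python
"""Build and parse DNS messages as laid out in RFC 1035: the 12-byte
header, the question section, and resource records in the answer,
authority and additional sections. Added example; the transaction ID and
the constructed referral response below are assumptions."""
import struct
from typing import Dict, List, Tuple

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "AAAA": 28}
NAME_RDATA = {2, 5, 12}                      # types whose RDATA is a domain name


def encode_name(name: str) -> bytes:
    """'www.tldp.org.' -> b'\\x03www\\x04tldp\\x03org\\x00' (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(qname: str, qtype: str = "A", txid: int = 0x1234, rd: bool = True) -> bytes:
    flags = 0x0100 if rd else 0              # RD = bit 8; dig +norecursive clears it
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a name at off, following 0xC0 compression pointers; return the
    name and the offset just past it in the original byte stream."""
    labels: List[str] = []
    end, jumped, hops = off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # pointer: 2 bytes, top bits 11
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped, hops = True, hops + 1
            if hops > 32:                    # a malicious message can loop pointers
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_header(msg: bytes) -> Dict[str, int]:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
            "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
            "ra": flags >> 7 & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def parse_message(msg: bytes):
    """Return (header, questions, rrs); rrs are (section, owner, type, ttl, rdata)."""
    hdr = parse_header(msg)
    off, questions, rrs = 12, [], []
    for _ in range(hdr["qdcount"]):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        questions.append((name, qtype, qclass))
        off += 4
    for section, count in (("answer", hdr["ancount"]), ("authority", hdr["nscount"]),
                           ("additional", hdr["arcount"])):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = decode_name(msg, off)[0] if rtype in NAME_RDATA else msg[off:off + rdlen]
            rrs.append((section, name, rtype, ttl, rdata))
            off += rdlen
    return hdr, questions, rrs


def constructed_referral() -> bytes:
    """Constructed response shaped like the dig output above: flags qr ra,
    RD clear, ANSWER 0, root NS records in the AUTHORITY section. The
    second record's owner is a compression pointer back to the first."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 0, 2, 0)    # QR | RA
    question = encode_name("www.tldp.org.") + struct.pack("!HH", 1, 1)
    owner_off = len(header) + len(question)                        # where "." sits
    rr = b""
    for i, ns in enumerate(["a.root-servers.net.", "b.root-servers.net."]):
        owner = b"\x00" if i == 0 else struct.pack("!H", 0xC000 | owner_off)
        rdata = encode_name(ns)
        rr += owner + struct.pack("!HHIH", 2, 1, 3600000, len(rdata)) + rdata
    return header + question + rr


def offers_recursion(response: bytes) -> bool:
    """RA set in a response means the server advertises recursion to this
    client; confirm by sending a query with RD set for a name the server
    is not authoritative for and checking that an answer comes back."""
    return bool(parse_header(response)["ra"])
```

The pointer-hop limit in decode_name is the kind of check a real parser needs: a crafted message whose pointers form a cycle would otherwise spin forever. parse_header is also all that is needed to read the qr/rd/ra flags dig prints when probing a server for open recursion.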
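The three exposures the options, zone and security slides touch on (recursion open to everyone, zone transfers open to everyone, and the real version string on display) are easy to check for mechanically. The following is an added example, not part of the original slides or of BIND: a small named.conf auditor, run over a weak configuration (the chapter's example plus a master zone with no allow-transfer) and a hardened one. The ACL name internal_net, the slave address 10.1.2.3 and the zone seafront.bar are taken from the slides; the parser is deliberately minimal and assumes the named.conf subset shown.

```python
"""Audit a BIND named.conf for the three exposures discussed in this
chapter: open recursion, unrestricted zone transfers and version
disclosure. Added example; the two configurations below are constructed
(the weak one extends the chapter's named.conf with a master zone)."""
import re
from typing import Dict, List, Optional

WEAK_CONF = """
options { directory "/var/named"; datasize 100M; };
zone "." IN { type hint; file "named.ca"; };
zone "seafront.bar" IN { type master; file "seafront.zone"; };
"""

HARDENED_CONF = """
acl internal_net { 10.0.0.0/8; 127.0.0.1; };    // who may use us as a resolver
options {
    directory "/var/named";
    version "(surely you must be joking)";       // no fingerprint via version.bind
    allow-recursion { internal_net; };           // not an open resolver
    allow-transfer { none; };                    // zones opt in individually
};
zone "." IN { type hint; file "named.ca"; };
zone "seafront.bar" IN {
    type master; file "seafront.zone";
    allow-transfer { 10.1.2.3; };                // only our slave
};
"""


def strip_comments(text: str) -> str:
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def block_body(text: str, header: str) -> Optional[str]:
    """Body of the first `header {...}` block, matching nested braces."""
    m = re.search(header + r"\s*\{", text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]


def statements(body: str) -> Dict[str, str]:
    """`name value;` pairs in a block body; list values keep their braces."""
    pat = r'([\w-]+)\s+(\{[^}]*\}|"[^"]*"|[^;{]+)\s*;'
    return {m.group(1): m.group(2).strip() for m in re.finditer(pat, body)}


def acl_members(value: Optional[str]) -> List[str]:
    return re.findall(r"[^\s{};]+", value or "")


def audit(conf: str) -> List[str]:
    conf = strip_comments(conf)
    opts = statements(block_body(conf, "options") or "")
    findings = []
    # recursion is on by default; without a restrictive allow-recursion
    # (or at least allow-query) every host may use the server recursively
    if opts.get("recursion", "yes") == "yes":
        allowed = acl_members(opts.get("allow-recursion")) or acl_members(opts.get("allow-query"))
        if not allowed or "any" in allowed:
            findings.append("open recursion: restrict allow-recursion or set recursion no")
    # BIND 8 permits AXFR from any host unless allow-transfer restricts it
    # globally or in the zone statement
    global_axfr = acl_members(opts.get("allow-transfer"))
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        zname = m.group(1)
        zone = statements(block_body(conf[m.start():], r'zone\s+"[^"]+"[^{]*') or "")
        if zone.get("type") != "master":
            continue
        axfr = acl_members(zone.get("allow-transfer")) or global_axfr
        if not axfr or "any" in axfr:
            findings.append(f"zone {zname}: zone transfer allowed from any host")
    # the default version string tells an attacker exactly which bugs apply
    if "version" not in opts:
        findings.append("version disclosure: set version to a fixed string")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no findings"])
```

The weak configuration yields three findings; the hardened one none. Note that the hardened file sets allow-transfer { none; } globally and re-enables it per zone for the one slave, which is the safer default since a forgotten zone then fails closed.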
Attached file: lpi202_c3_dns_471.ppt