
DNS & mail 1997/12/17

DNS Structure and Management

Contents
- Domain and zone
- Server types
- Server configuration
- Record details
- Mail address supplementation (search lists)
- Wildcard MX
- CIDR and reverse lookup
- Frequent configuration errors

DNS (Domain Name System)

- A wide-area distributed database
- Maps host names to IP addresses (and IP addresses back to host names)
- Each organization administers its own part of the name space
  - long ago a single organization administered everything, using /etc/hosts

Domain Tree

- root (.) at the top
- (sub)domain
  - the subtree whose tip is a given node
  - includes everything below that node (lower rank)
  - top-level domain, 2nd- (3rd-) level domain
  - administered by the NIC for that level

  (figure) root . -> jp, uk, ..., com, org
           jp -> ac, ad, co, or, ...           : the jp domain
           ad.jp -> wide, nic, ..., janog      : the ad.jp domain
           ac.jp -> kyoto-u, ...

Decentralization and Search

- Administration is split at the link between an upper node and a lower node
  - a node holds the links to the nodes below it
    - delegation
- Links are one-way (from top to bottom)
  - to go up, a search goes back to the root and traces down again
  - every server knows the root

Zone and Domain

- Administration does not have to be split at every node
- Zone
  - a group of adjacent nodes administered together
  - does not necessarily coincide with a domain
    - several sub-domains can be defined inside one zone
  - the unit of data administration
    - distribution is by zone (by region)
    - one name server serves a whole zone
  - in the end a zone still corresponds to a domain, minus whatever has been delegated out of it

Zone and Root / Delegation

  (figure) the root delegates the jp zone and the net zone
           the jp zone delegates the co.jp zone and the ad.jp zone (both served by the same NS)
           co.jp delegates x.co.jp; ad.jp delegates nic.ad.jp and the wide.ad.jp zone
           the wide.ad.jp zone holds the nodes sub1, sub2, kyoto, tokyo and their hosts,
           and delegates v6 to the separate v6.wide.ad.jp zone

InternetWeek'97

Server Types

- By service: supplies data (and also searches) / searches only
- By how the data (zone) is administered: edited here (primary) / copied from another server (secondary)
- By authority: authoritative / non-authoritative
- By clients served: the outside world / the organization's own hosts

Administration of Supplied Data (Zone)

- Primary (master) server
  - the database file is edited here
- Secondary (slave) server
  - backup for the primary's service
  - copies the data from the primary server
    - can also copy from another secondary (copy chain)
    - several servers can be listed as the copy source
  - placed where primary and secondary will not fail at the same time

Administration of Supplied Data (Zone) (cont'd)

- Queries arrive at primary and secondary alike
  - clients make no distinction between them
- The distinction is made per zone, not per server
  - one server administers several zones
    - primary for zone A
    - secondary for zone B

Authority Regarding Data Supply

- Authoritative server
  - supplies the zone's data to the Internet
  - has a link (delegation of authority) from the upper zone
- Non-authoritative server
  - keeps a cache close at hand
  - supplies data to nearby clients
  - has no link (delegation of authority) from the upper zone

Server Authority and Zones

  (figure) the upper zone (ad) delegates wide.ad.jp to ns1 (primary/master) and ns2 (secondary/slave).
           ns1 and ns2 are the authoritative servers for the wide.ad.jp zone and receive the
           queries from outside the organization. ns3 is non-authoritative: it is listed in the
           organization's resolv.conf and receives the queries from inside, but holds no copy
           of the zone and has no delegation.

Dedicated to Searching

- Cache server
  - temporarily stores the data it has searched for
    - from the second query on it responds with a non-authoritative answer
  - neither primary nor secondary, for any zone
  - (all servers cache, whatever else they do)
- Reference: negative cache
  - also remembers that a requested record did not exist


Search Procedure

  (figure) searching for www.wide.ad.jp:
    1. the client asks the cache server, which starts from its root cache
    2. the cache server asks a root server (root zone)
    3. the root server refers it to the jp zone (ns.nic.ad.jp)
    4. the jp server refers it to the ad.jp zone (ns.nic.ad.jp)
    5. the ad.jp server refers it to the wide.ad.jp zone (ns.wide.ad.jp)
    6. ns.wide.ad.jp answers, and the cache server passes the answer to the client
- Nothing can be resolved unless a root server is reachable
  - depends on the stability of international lines
  - a domestic root server is necessary (m.root-servers.net)
  - a local, non-authoritative secondary copy of the jp zone also helps

Name Server Group: DNS Servers

- Berkeley Internet Name Domain (BIND)
  - bind 4.9.7
  - bind 8.1.2
    - the newer the version, the better: security, performance, reliability, new functions
  - http://www.isc.org/bind.html
- Windows NT name server, etc.
  - reliability is OK (?)

Server Configuration

- /etc/named.boot (bind 4)
- /etc/named.conf (bind 8)
  - format conversion with named-bootconf.pl
    - from named.boot to named.conf
    - shipped with bind 8
- In BIND files, ';' begins a comment

File sample of named.boot (bind 4)

    ; default directory
    directory /etc/namedb
    ; data needed at start-up (root server information)
    cache . root.cache
    ; localhost information
    primary localhost localhost
    primary 0.0.127.in-addr.arpa 127.rev
    ; zone supplied as primary
    primary wide.ad.jp wide
    primary 136.178.203.in-addr.arpa 203.178.136.rev
    ; zone supplied as secondary
    secondary v6.wide.ad.jp 203.178.136.188 sec/v6

sample of named.conf (bind 8)

    options {
        directory "/etc/namedb";
    };
    zone "." {
        type hint;
        file "root.cache";
    };
    zone "localhost" {
        type master;
        file "localhost";
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "127.rev";
    };
    zone "wide.ad.jp" {
        type master;
        file "wide";
    };
    zone "136.178.203.in-addr.arpa" {
        type master;
        file "203.178.136.rev";
    };
    zone "v6.wide.ad.jp" {
        type slave;
        file "sec/v6";
        masters { 203.178.136.188; };
    };

root cache

- Root server information
  - as long as the server knows the root servers, everything is searchable
  - ftp://ftp.rs.internic.net/domain/named.root
- The 13th root server began operation in Japan (1997/8)
  - m.root-servers.net
- Inside a firewall
  - prepare a root server for internal use
  - combine with forwarders


sample of root.cache

    ; formerly NS.INTERNIC.NET
    .                        3600000  IN  NS   A.ROOT-SERVERS.NET.
    A.ROOT-SERVERS.NET.      3600000      A    198.41.0.4
    ;
    ; formerly NS1.ISI.EDU
    .                        3600000      NS   B.ROOT-SERVERS.NET.
    B.ROOT-SERVERS.NET.      3600000      A    128.9.0.107
    :
    :
    ; housed in Japan, operated by WIDE
    .                        3600000      NS   M.ROOT-SERVERS.NET.
    M.ROOT-SERVERS.NET.      3600000      A    202.12.27.33

forwarders

- Queries for outside addresses coming from inside the organization
  - forward the query to an outside name server
    - i.e. the DNS counterpart of a SOCKS relay on the firewall
  - specified together with slave:
        forwarders 12.34.56.79    ; a server reachable both internally and externally
        slave                     ; or "options forward-only" (4.9.3 or later)
- Efficient use of the cache
  - data is concentrated at the specified server
  - curbs traffic
    - when bandwidth is short, etc.

sample of localhost

    ; $ORIGIN localhost.
    @       IN SOA  ns.wide.ad.jp. postmaster.wide.ad.jp. (
                    1         ; Serial number
                    172800    ; Refresh every 2 days
                    3600      ; Retry every hour
                    1728000   ; Expire after 20 days
                    172800 )  ; Minimum 2 days
    ;
            IN NS   localhost.
    ;
            IN A    127.0.0.1

sample of 127.rev

    ; $ORIGIN 0.0.127.in-addr.arpa.
    @       IN SOA  ns.wide.ad.jp. postmaster.wide.ad.jp. (
                    1         ; Serial number
                    172800    ; Refresh every 2 days
                    3600      ; Retry every hour
                    1728000   ; Expire after 20 days
                    172800 )  ; Minimum 2 days
    ;
            IN NS   localhost.
    ;
    0       IN PTR  loopback-net.   ; network name
            IN A    255.0.0.0       ; netmask
    1       IN PTR  localhost.

sample of wide

    ; $ORIGIN wide.ad.jp.
    @       IN SOA  ns.wide.ad.jp. two.wide.ad.jp. (
                    1998112301   ; Serial
                    3600         ; Refresh
                    900          ; Retry
                    3600000      ; Expire
                    3600         ; Minimum
                    )
            IN NS   ns
            IN NS   ns.tokyo
            IN MX   10 sh.wide.ad.jp.
            IN MX   20 jp-gate.wide.ad.jp.
    ns      IN A    203.178.136.63
    ns.tokyo IN A   203.178.136.61

sample of wide (cont'd)

    sh      IN A    203.178.137.73
    jp-gate IN A    203.178.137.75
            IN A    203.178.136.81

    www     IN CNAME endo
    endo    IN A    203.178.137.71
            IN MX   10 endo

    localhost IN CNAME localhost.

    v6      IN NS   ns1.v6
            IN NS   ns2.v6
    ns1.v6  IN A    163.221.11.21
    ns2.v6  IN A    203.178.136.188


sample of 203.178.136.rev

    ; $ORIGIN 136.178.203.in-addr.arpa.
    @       IN SOA  ns.wide.ad.jp. two.wide.ad.jp. (
                    1998100401   ; Serial
                    3600         ; Refresh
                    900          ; Retry
                    3600000      ; Expire
                    3600         ; Minimum
                    )
            IN NS   ns.wide.ad.jp.
            IN NS   ns.tokyo.wide.ad.jp.
    63      IN PTR  ns.wide.ad.jp.
    61      IN PTR  ns.tokyo.wide.ad.jp.
    188     IN PTR  ns2.v6.wide.ad.jp.

Base Format of Record Definition

    key [ttl] IN r-id value1 value2 ...

  left side: key [ttl] IN r-id; right side: value1 value2 ...

- ttl (Time To Live) - optional
  - how long the record may be cached
- IN (class ID) - Internet
- r-id (resource ID)
  - record type (SOA, NS, A, MX, ...)
- value
  - record value (format differs according to r-id)

Basics of Record Definition

- A series of definitions for the same key
  - the key may be omitted on the following lines
- $ORIGIN <domain>
  - designates the default domain name appended to relative names
  - the initial default comes from the zone name in named.{boot,conf}
- $INCLUDE <filename> [<domain>]
  - file insertion
- A host name in FQDN form ends with a '.'
  - motonori.wide.ad.jp.

SOA (Start Of Authority) RR

    @   IN SOA <Pri-NS name> <administrator mail address> (
            1        ; Serial
            172800   ; Refresh (2d)
            3600     ; Retry
            1728000  ; Expire (20d)
            172800   ; Minimum TTL (2d)
            )

- The '@' of the administrator's mail address is written as '.'
  (postmaster@wide.ad.jp becomes postmaster.wide.ad.jp.)

SOA Parameters

- Serial
  - lets the secondary judge whether the primary's data has been updated
- Refresh (seconds)
  - interval at which the secondary checks the serial
- Retry (seconds)
  - interval between checks after a Refresh check has failed

SOA Parameters (cont'd)

- Expire (seconds)
  - how long checks may keep failing before the secondary stops serving the zone
  - if nslookup is done after service has stopped:
        *** ns.provider.ad.jp can't find x.co.jp.: Server failed
- Minimum TTL (time to live) (seconds)
  - default cache time for all records defined in the zone
    (affects every NS that caches them)


Serial

- For secondary synchronization with the primary
  - when the content is revised, the serial must increase
- A 32-bit unsigned integer
- Beware of the confusion caused by '.' (better to avoid it)
  - 1.01 = 100001 (the '.' is read as "000")
- Using the date, e.g. 1997122501, is distinctive
  - 100 updates/day is OK until the year 4294
- There is no maximum (the value wraps around): RFC1912(I)
  - it is possible to return to 1
  - increase by at most 2147483647 (0x7fffffff) per step, in two steps

Data Reload

- After updating the data, send SIGHUP to named
      # ndc reload
- With bind 8 or later, an update request (NOTIFY) is sent to the secondaries if the serial has increased
  - the secondary also needs to be bind 8 or later
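Serial arithmetic and the serial pitfalls above, as an added example in Python (not part of the original slides). serial_gt() is RFC 1982 serial comparison, bind4_serial() implements the dotted-serial reading exactly as the slide describes it ('.' read as "000"), date_serial() builds YYYYMMDDnn serials, and rollback_plan() produces the two-step rollback of RFC 1912. All serial values used are constructed.

```python
# Added example: DNS serial-number arithmetic (RFC 1982) and the pitfalls the
# slides list.  Not code from the slides; all serial values are constructed.

SERIAL_MOD = 1 << 32           # serials are 32-bit unsigned
SERIAL_HALF = 1 << 31          # half the serial space


def serial_gt(a, b):
    """True if serial a is newer than serial b under RFC 1982 arithmetic.
    A secondary only transfers the zone when serial_gt(primary, secondary)."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return a != b and (a - b) % SERIAL_MOD < SERIAL_HALF


def bind4_serial(text):
    """Dotted serial as the slide describes old BIND reading it: the '.' counts
    as '000', so '1.01' becomes 100001, not 1.01 and not 1001."""
    return int(text.replace(".", "000"))


def date_serial(today, current):
    """Next YYYYMMDDnn serial: nn restarts at 01 on a new day, else nn + 1.
    today is an int like 19971225; at most 99 updates per day this way."""
    base = today * 100
    if current < base:
        return base + 1
    if current >= base + 99:
        raise ValueError("more than 99 updates on %d" % today)
    return current + 1


def rollback_plan(current, target):
    """Serials to load, in order, to move from current to a *smaller* target
    (e.g. from a date serial back to 1) while every secondary still sees each
    step as an increase: add at most 2**31 - 1 per reload (RFC 1912 3.1)."""
    steps = []
    s = current
    while not serial_gt(target, s):
        s = (s + SERIAL_HALF - 1) % SERIAL_MOD
        steps.append(s)
    steps.append(target)
    return steps
```

Each value in rollback_plan() must be loaded and transferred to every secondary before the next one is loaded; loading the target directly would make serial_gt(target, current) false and the secondaries would keep the old data until Expire.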

Secondary Manual Update

- FORCED_RELOAD function
  - the serial is checked when SIGHUP is received
- Erase the backup file and restart named
  - the transfer is done with named-xfer
      # mv mydomain.zone mydomain.zone.bak
      # ndc restart

NS (Name Server) RR

- The primary and secondary NS are listed
  - the listing in the upper zone is what matters
    - listed there: authoritative server
    - not listed there: non-authoritative server
- The A RR of the listed NS is given as well
  - glue record (not needed for reverse zones)

    $ORIGIN ad.jp.
    wide    IN NS  ns.wide.ad.jp.   ; delegation from the ad.jp zone
    ns.wide IN A   203.178.136.63   ; <- glue record

lame NS

- A server believed to be authoritative was queried, but returned a non-authoritative answer
  - the zone was delegated to it
  - but it is neither the primary nor a secondary for that zone
- If the real authoritative NS cannot be reached, the data is assumed not to exist even though it does
  - mail does not get delivered

A (Address) RR

- Maps a host name to an IP address

    $ORIGIN wide.ad.jp.
    sh      IN A    203.178.137.73


Characters Allowed in a "Host Name"

- Letters (A-Z, a-z)
- Digits (0-9)
- Hyphen (-)
- Characters that require caution
  - underscore (_)
    - RFC1035(S), RFC1123(S) do not allow it
    - the new (4.9.4 and later) bind resolver rejects host names containing _ (res_hnok)
      - mail is not delivered

MX (Mail eXchanger) RR

- MX RR
  - maps the domain part of a mail address to the host that receives the mail

    $ORIGIN wide.ad.jp.
    @       IN MX 10 sh.wide.ad.jp.

- Make sure the target ends with '.'
- MX takes priority over A (for mail delivery)
- When you want the host's own A record to be used, list that host as the first MX

MX Preferences

- A cost value assigned to each MX RR
- Smallest cost
  - primary MX / primary mail server
  - first MX / first mail server
- Next smallest cost
  - secondary MX / secondary mail server
- Anything above the smallest cost
  - lower MX (meaning lower priority)

Right Side of an MX RR and CNAME

- A name that is the left side of a CNAME should not be written on the right side of an MX RR
- If a lower MX cannot recognize its own name on the right side of the MX RRs, there is a problem
  - the mail loops between the exchangers
  - with precautions it can be made to work, but ...
  - named issues a warning

Wildcard MX

    *.x.co.jp.      IN MX 10 mail.x.co.jp.

- When there is a firewall (no direct communication)
  - outside: records should not be visible to the outside
    - but mail addresses naming internal hosts should still work
  - inside: one record should represent the outside world
    - a wildcard MX is defined at the zone root, and mail is gathered at the gateway
- Matches nohost.x.co.jp and also host.nosubdom.x.co.jp
  - unnecessary mail transfers

Wildcard MX (cont'd)

- If a specific record exists, the wildcard is not referenced

    ns.x.co.jp.     IN A     12.34.56.78
    *.x.co.jp.      IN MX 10 mail.x.co.jp.
    ns.x.co.jp.     IN MX 10 mail.x.co.jp.    ; needed

  - the same applies to existing sub-domains


Adverse Effects of Wildcard MX

- Mail is sent even to non-existent addresses
  - the sender cannot tell that the address does not exist
- Search-list completion produces non-existent addresses
  - user@mail.x.co.jp.x.co.jp
  - to avoid this, set ResolverOptions=+HasWildcardMX in sendmail.cf
- The proper MX RR for the destination cannot be found
  - always add '.' at the end of the destination host name
- Use wildcard MX only when absolutely necessary

CNAME (Canonical NAME) RR

- Assigns an alias to a host

    $ORIGIN wide.ad.jp.
    archie  IN CNAME sun3.tokyo.wide.ad.jp.

  - mind the '.' at the end
  - CNAME chains should be avoided
  - no other record type should be assigned to the same key
  - multiple CNAMEs should not be assigned to the same key
- Do not use a name assigned by CNAME on the right side of NS or MX

CNAME Chains

- The right side of a CNAME RR is the left side of another CNAME RR

    alias1  IN CNAME alias2
    alias2  IN CNAME real-name

- RFC1034(S)
  - chained definitions are not recommended (should not)
  - implementations should still be able to follow them (should)
    - sendmail follows up to 10 (MAXCNAMEDEPTH)
    - named follows up to 8 (MAXCNAMES)

Mail Address and CNAME

- An alias in the envelope should be rewritten to the real name (RFC1123(S))
- Many (old) sendmails also rewrite headers to the real name
  - it becomes confusing which address the mail arrived at
  - depends on the settings in sendmail.cf
- If you do not want rewriting, use MX or A instead of CNAME
  - the IETF is moving towards not rewriting by CNAME
  - DontExpandCnames option (sendmail 8.7 and later)

DNS Search Procedure for Mail Delivery

1. Resolve CNAME
   - follow the chain until there is no CNAME
     - there is a limit (to prevent endless looping)
2. Search for MX
   - if there are several, sort by preference
   - if the preference is the same, select at random
   <- when an MX is found, its A is also returned as Additional Information (DNS spec)
3. Search for A
   - when no MX could be obtained
   - for each MX whose A was not included in the Additional Information

DNS Search Procedure for Mail Delivery (cont'd)

- If only an A is defined, two searches are necessary (MX, then A)
  - an MX should therefore be defined for the host as well
    - curbs query traffic
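The three-step lookup above, together with the wildcard MX rules from the earlier slides (any record at the exact name, or an existing sub-domain in between, suppresses the wildcard), as an added Python example that is not code from the slides. The x.co.jp zone, its hosts and the 192.0.2.x addresses are constructed for the example; equal preferences are kept in a fixed order here instead of being chosen at random.

```python
# Added example: the mail lookup order (CNAME -> MX -> A) over a constructed
# zone, with RFC 1034 wildcard semantics.  Not code from the slides.

MAXCNAMEDEPTH = 10   # sendmail's limit, as cited on the slides

# Constructed zone for x.co.jp (names and 192.0.2.x addresses are assumed).
ZONE = [
    ("x.co.jp.",       "MX",    (10, "mail.x.co.jp.")),
    ("x.co.jp.",       "MX",    (20, "mail2.x.co.jp.")),
    ("mail.x.co.jp.",  "A",     "192.0.2.10"),
    ("mail2.x.co.jp.", "A",     "192.0.2.11"),
    ("*.x.co.jp.",     "MX",    (10, "mail.x.co.jp.")),
    ("ns.x.co.jp.",    "A",     "192.0.2.1"),    # exact record: wildcard no longer applies
    ("www.x.co.jp.",   "CNAME", "web.x.co.jp."),
    ("web.x.co.jp.",   "A",     "192.0.2.80"),   # A only, no MX
    ("a1.x.co.jp.",    "CNAME", "a2.x.co.jp."),
    ("a2.x.co.jp.",    "CNAME", "a1.x.co.jp."),  # CNAME loop
]


def node_exists(zone, name):
    """A node exists if it owns records or has anything below it."""
    return any(n == name or n.endswith("." + name) for n, _, _ in zone)


def lookup(zone, name, rtype):
    """Records of rtype at name.  If the name does not exist at all, use the
    wildcard under the closest existing ancestor (RFC 1034 4.3.3); any data
    at the exact name, or an existing sub-domain in between, suppresses it."""
    if node_exists(zone, name):
        return [rd for n, t, rd in zone if n == name and t == rtype]
    parent = name
    while "." in parent.rstrip("."):
        parent = parent.split(".", 1)[1]
        if node_exists(zone, parent):
            wild = "*." + parent
            return [rd for n, t, rd in zone if n == wild and t == rtype]
    return []


def resolve_cname(zone, name):
    """Step 1: follow CNAMEs to the canonical name, bounded like sendmail."""
    for _ in range(MAXCNAMEDEPTH + 1):
        targets = lookup(zone, name, "CNAME")
        if not targets:
            return name
        name = targets[0]
    raise ValueError("CNAME chain too long or looping at %s" % name)


def mail_hosts(zone, domain):
    """Steps 1-3: CNAME, then MX sorted by preference, then A as fallback.
    Returns (canonical_name, [(preference, host, address_or_None), ...])
    in delivery order.  Equal preferences are kept in a fixed order here;
    a real MTA picks among them at random."""
    canonical = resolve_cname(zone, domain)
    mxs = lookup(zone, canonical, "MX")
    if not mxs:
        # No MX at all: deliver straight to the host's own A record.
        return canonical, [(0, canonical, a) for a in lookup(zone, canonical, "A")]
    ordered = []
    for pref, host in sorted(mxs):
        addrs = lookup(zone, host, "A")
        ordered.append((pref, host, addrs[0] if addrs else None))
    return canonical, ordered
```

Note what happens to ns.x.co.jp: because an A record exists at that exact name, the wildcard MX does not apply, and mail for user@ns.x.co.jp is delivered straight to 192.0.2.1 instead of the gateway, which is why the earlier slide marks the explicit MX for ns as needed.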


MX Record for the Host Itself

- In case of failure
  - a secondary MX cannot be designated with A records alone
  - extra A records giving the addresses of other hosts (virtual host)
    - weak as a failure countermeasure; they only provide load sharing
- Making the DNS search efficient
  - define an MX even if only that host receives its mail
    - the DNS search completes in one query

Mail Address Supplementation

- MX RR and A RR are used
  - beware of the wildcard MX problem
- See /etc/resolv.conf
      domain sub.x.co.jp
  - has the same effect as
      search sub.x.co.jp x.co.jp co.jp
    - the domain is walked up 3 levels (MAXDFLSRCH)
    - the shortest suffix kept is 2 levels (LOCALDOMAINPARTS)
    - this does not fit the JP domain structure (co.jp is a category, not an organization)
  - RFC1535(I) bans this implicit search
    - the new bind resolver does not perform it

Mail Address Supplementation (cont'd)

      search sub1.x.co.jp sub2.x.co.jp x.co.jp
- Users can set their own list with the LOCALDOMAIN environment variable
  - at most 6 domains (MAXDNSRCH)
- Sequence of the search
      nic.ad.jp
      nic.ad.jp.sub.x.co.jp
      nic.ad.jp.x.co.jp
      nic.ad.jp.co.jp
  - before RFC1535(I), nic.ad.jp itself was searched last

PTR (domain name PoinTeR) RR

- Maps an IP address to a host name
  - so-called reverse lookup

    $ORIGIN 137.178.203.in-addr.arpa.
    73      IN PTR  sh.wide.ad.jp.

- Service restrictions based on PTR lookup
  - access denied to hosts whose address has no PTR record
  - confirmation of the domain name
- The liar problem
  - a one-way check (address to host name only) can be fooled, because whoever controls the reverse zone chooses the name
  - check with a double reference (look up the returned name and compare the address)
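The search-list behaviour above, as an added Python example (not from the slides): it derives the implicit pre-RFC 1535 list from a domain line, applies the LOCALDOMAIN override and the MAXDNSRCH limit, and returns the order in which a resolver sends the queries for nic.ad.jp before and after RFC 1535. The resolv.conf contents in the test are constructed, and the precedence between search and domain is simplified to "search wins".

```python
# Added example: resolver search-list handling as described on the slides.
# Not code from the slides; resolv.conf contents used with it are constructed.

MAXDNSRCH = 6          # maximum entries in a 'search' list
MAXDFLSRCH = 3         # implicit suffixes derived from a 'domain' line
LOCALDOMAINPARTS = 2   # stop deriving when this many labels remain


def implicit_search_list(domain):
    """Pre-RFC 1535 resolvers turned 'domain sub.x.co.jp' into the list
    ['sub.x.co.jp', 'x.co.jp', 'co.jp'] by walking up the name."""
    labels = domain.strip(".").split(".")
    out = []
    while len(labels) >= LOCALDOMAINPARTS and len(out) < MAXDFLSRCH:
        out.append(".".join(labels))
        labels = labels[1:]
    return out


def effective_search(resolv_conf, environ, rfc1535=True):
    """Search list the resolver ends up with.  LOCALDOMAIN in the user's
    environment overrides resolv.conf; 'search' is taken over 'domain'
    (simplified: the real resolver uses whichever line came last);
    a bare 'domain' is expanded only by pre-RFC 1535 resolvers."""
    if environ.get("LOCALDOMAIN"):
        return environ["LOCALDOMAIN"].split()[:MAXDNSRCH]
    search, domain = [], None
    for line in resolv_conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "search":
            search = parts[1:]
        elif parts[0] == "domain":
            domain = parts[1]
    if search:
        return search[:MAXDNSRCH]
    if domain:
        return [domain] if rfc1535 else implicit_search_list(domain)
    return []


def query_sequence(name, search, rfc1535=True):
    """Names actually sent to the DNS, in order.  An absolute name (trailing
    '.') is never qualified.  Old resolvers tried every qualified form first
    and the name itself last; RFC 1535 resolvers try a dotted name as-is first."""
    if name.endswith("."):
        return [name]
    qualified = [name + "." + d for d in search[:MAXDNSRCH]]
    if rfc1535 and "." in name:
        return [name] + qualified
    return qualified + [name]
```

The old order is the security problem RFC 1535 describes: with domain sub.x.co.jp the query for nic.ad.jp.co.jp goes to the co.jp servers first, so anyone who can answer for nic.ad.jp.co.jp captures traffic meant for nic.ad.jp. Writing the destination with a trailing dot avoids the search list entirely.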

Confirmation of Reverse Lookup with nslookup

- When the host IP address is 1.2.3.4
      % nslookup -q=ptr 4.3.2.1.in-addr.arpa.
- With the new nslookup (4.8.3 and later) the following form is also possible
      % nslookup 1.2.3.4

Network Name Definition

- RFC1101: DNS Encoding of Network Names and Other Types
- Referenced by netstat -i, -r etc.

    0.0.54.130.in-addr.arpa.  IN PTR  kuins.kyoto-u.ac.jp.
                              IN A    255.255.0.0
    kuins.kyoto-u.ac.jp.      IN PTR  0.0.54.130.in-addr.arpa.

    0.0.0.224.in-addr.arpa.   IN PTR  BASE-ADDRESS.MCAST.NET.
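The double reference from the PTR slide (look up the PTR, then confirm that the returned name's A record points back to the same address), as an added Python example rather than the slides' own code. The PTR and A tables are constructed stand-ins for the queries nslookup would make; 192.0.2.66 is the constructed "liar" whose reverse record claims ns.wide.ad.jp.

```python
# Added example: the "double reference" (forward-confirmed reverse lookup).
# Not code from the slides; the PTR and A tables are constructed stand-ins
# for real DNS queries, and 192.0.2.66 is the constructed "liar".

PTR = {
    "203.178.137.73": ["sh.wide.ad.jp."],   # honest: forward record matches
    "192.0.2.66":     ["ns.wide.ad.jp."],   # liar: claims a trusted name
    "192.0.2.67":     [],                    # no reverse record at all
}
A = {
    "sh.wide.ad.jp.": ["203.178.137.73"],
    "ns.wide.ad.jp.": ["203.178.136.63"],
}


def reverse_name(ip):
    """1.2.3.4 -> 4.3.2.1.in-addr.arpa. (the name nslookup -q=ptr asks for)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def double_reference(ip, ptr=PTR, a=A):
    """Look up the PTR, then confirm the name's A record maps back to ip.
    Returns ("verified", name), ("mismatch", claimed_name) or ("no-ptr", None)."""
    names = ptr.get(ip, [])
    if not names:
        return "no-ptr", None
    for name in names:
        if ip in a.get(name, []):
            return "verified", name
    return "mismatch", names[0]


def allow_from(ip, trusted_suffix, ptr=PTR, a=A):
    """Access decision of the kind the slides mention: only a verified name
    under trusted_suffix is accepted; a PTR alone is never trusted."""
    verdict, name = double_reference(ip, ptr, a)
    return verdict == "verified" and name.endswith("." + trusted_suffix)
```

The owner of the reverse zone for 192.0.2.0/24 can put any name into a PTR; only the owner of wide.ad.jp can make ns.wide.ad.jp resolve to 192.0.2.66, so the second lookup is what actually ties the name to the address.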


Other Records

- HINFO, TXT, WKS
  - HINFO always needs 2 parameters!
- NULL, MB, MG, MR, MINFO (experimental)
  - RFC1035(S)
- AFSDB, ISDN, RP, RT, X25
  - RFC1183(E)
- PX
  - RFC1664(E)

localhost / 127.in-addr.arpa Zone

- Every name server should have them configured
  - querying the root servers for them is wasteful

    $ORIGIN my.domain.jp.
    localhost   IN CNAME localhost.

- Prevents inconsistencies in the double reference
  - so that 127.0.0.1 does not come back as localhost.my.domain.jp

CIDR and Reverse Lookup

- Allocation of classless addresses
  - 192.0.2.0/25 - organization A
  - 192.0.2.128/26 - organization B
- Problem with the administrative unit of reverse zones
  - does not fit delegation in octet (8-bit) units
- Solution
  - spread out with CNAME
    - RFC2317(BCP): Classless IN-ADDR.ARPA delegation
  - spread out with NS

Classless IN-ADDR.ARPA Delegation (cont'd)

- Delegation from the upper zone

    $ORIGIN 2.0.192.in-addr.arpa.
    ; <<0-127>> /25
    0/25    IN NS    ns.A.domain.jp.
    1       IN CNAME 1.0/25.2.0.192.in-addr.arpa.
    2       IN CNAME 2.0/25.2.0.192.in-addr.arpa.
    :
    126     IN CNAME 126.0/25.2.0.192.in-addr.arpa.

Classless IN-ADDR.ARPA Delegation (cont'd)

- Definition in the delegated zone

    $ORIGIN 0/25.2.0.192.in-addr.arpa.
    @       IN SOA  ...
            IN NS   ns.A.domain.jp.
    1       IN PTR  host1.A.domain.jp.
    2       IN PTR  host2.A.domain.jp.
    :
    126     IN PTR  host126.A.domain.jp.

Classless IN-ADDR.ARPA Delegation (cont'd)

- In other words...
      1.2.0.192.in-addr.arpa.
        | CNAME
        v
      1.0/25.2.0.192.in-addr.arpa.
        | PTR
        v
      host1.A.domain.jp.
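Generating the RFC 2317 records above for any block smaller than a /24, as an added Python example (not from the slides): it produces the parent-zone NS and CNAME lines and the two-step resolution chain for one address. ns.A.domain.jp. and 192.0.2.0/25 are the slides' own values; the generalization to other prefix lengths and the "label/prefixlen" naming of the sub-zone are this example's.

```python
# Added example: generating RFC 2317 classless in-addr.arpa records.
# Not code from the slides; ns.A.domain.jp. and 192.0.2.0/25 are the slides'
# example values, the generalization to any /25../31 block is this example's.
import ipaddress


def arpa_name(ip):
    """192.0.2.1 -> 1.2.0.192.in-addr.arpa."""
    return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."


def classless_names(prefix):
    """(parent /24 zone origin, delegated label such as '0/25', sub-zone origin)."""
    net = ipaddress.ip_network(prefix)
    if not 25 <= net.prefixlen <= 31:
        raise ValueError("RFC 2317 delegation is for blocks smaller than a /24")
    octets = str(net.network_address).split(".")
    parent = ".".join(reversed(octets[:3])) + ".in-addr.arpa."
    label = "%s/%d" % (octets[3], net.prefixlen)
    return parent, label, label + "." + parent


def parent_zone_records(prefix, ns):
    """Lines for the /24 parent zone: the NS delegation of the sub-block and
    one CNAME per usable address pointing into the delegated sub-zone."""
    parent, label, subzone = classless_names(prefix)
    lines = ["$ORIGIN " + parent, "%s IN NS %s" % (label, ns)]
    for addr in ipaddress.ip_network(prefix).hosts():
        last = str(addr).split(".")[3]
        lines.append("%s IN CNAME %s.%s" % (last, last, subzone))
    return lines


def reverse_chain(ip, prefix):
    """The two-step lookup: <ip>.in-addr.arpa -> CNAME -> name in the sub-zone,
    where the PTR finally lives."""
    net = ipaddress.ip_network(prefix)
    if ipaddress.ip_address(ip) not in net:
        raise ValueError("%s is not in %s" % (ip, prefix))
    parent, label, subzone = classless_names(prefix)
    last = ip.split(".")[3]
    return arpa_name(ip), "%s.%s" % (last, subzone)
```

Only the parent-zone lines are the /24 holder's work; the delegated sub-zone (the SOA, NS and PTR records under 0/25.2.0.192.in-addr.arpa.) is written by organization A exactly as on the slide above.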


Old Glue Records Won't Go Away?

- Happens when an address has been reassigned
- Before bind 4.8.3?
- server A: primary of x.co.jp
- server B: primary of sub.x.co.jp
  - they are secondary for each other
- The address of an NS (server C) for x.co.jp is revised
- The old glue record for server C does not go away
  - even after it is erased on server A ...
  - it is revived by the zone transfer from server B
  -> it must be erased from the secondary copy as well

Errors Reported by the Server

- bad referral
  - NS exists but no SOA
- NS points to a CNAME
- MX points to a CNAME
- dangling CNAME pointer
  - the CNAME points to nothing
- Lame server on 'x.co.jp'
  - supposed to be an authoritative server, but a non-authoritative answer came back
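An offline check for the zone-file errors listed on this slide, plus the CNAME rules and the underscore host-name rule from the earlier CNAME and host-name slides, as an added Python example that is not the server's own code. The x.co.jp zone is constructed so that each check fires once; res_hnok() follows the rule the slides give for BIND's check (letters, digits, hyphen), not BIND's source, and the dangling-CNAME check is limited to in-zone targets because nothing outside the zone can be verified offline.

```python
# Added example: an offline lint for the zone errors named on the slides.
# Not the server's code; the x.co.jp zone below is constructed so that each
# check fires once.  res_hnok() follows the rule the slides give for BIND's
# check (letters, digits, hyphen), not BIND's source.
import re

LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")

# Constructed zone: (owner, type, rdata as it would appear in the file).
BAD_ZONE = [
    ("x.co.jp.",         "SOA",   "ns.x.co.jp. hostmaster.x.co.jp. 1997121701 3600 900 3600000 3600"),
    ("x.co.jp.",         "NS",    "ns.x.co.jp."),
    ("x.co.jp.",         "MX",    "10 mail.x.co.jp."),
    ("ns.x.co.jp.",      "A",     "192.0.2.1"),
    ("mail.x.co.jp.",    "CNAME", "mx1.x.co.jp."),     # MX above points to a CNAME
    ("mx1.x.co.jp.",     "A",     "192.0.2.25"),
    ("old.x.co.jp.",     "CNAME", "gone.x.co.jp."),    # dangling CNAME pointer
    ("www.x.co.jp.",     "CNAME", "web.x.co.jp."),
    ("www.x.co.jp.",     "A",     "192.0.2.80"),       # CNAME and other data
    ("web.x.co.jp.",     "A",     "192.0.2.80"),
    ("my_host.x.co.jp.", "A",     "192.0.2.99"),       # underscore: res_hnok rejects
]


def res_hnok(name):
    """Host-name check in the spirit of BIND's res_hnok(): each label is
    letters, digits and hyphen, with no hyphen at either end; '_' fails."""
    return all(LABEL.match(label) for label in name.rstrip(".").split("."))


def lint_zone(zone, apex):
    """Return (problem, owner) pairs for the errors the slides list."""
    by_name = {}
    for owner, rtype, rdata in zone:
        by_name.setdefault(owner, []).append((rtype, rdata))

    def is_cname(name):
        return any(t == "CNAME" for t, _ in by_name.get(name, []))

    problems = []
    for owner, rrs in by_name.items():
        cnames = [rd for t, rd in rrs if t == "CNAME"]
        if len(cnames) > 1:
            problems.append(("multiple CNAMEs", owner))
        if cnames and len(rrs) > len(cnames):
            problems.append(("CNAME and other data", owner))
        if cnames and cnames[0].endswith("." + apex) and cnames[0] not in by_name:
            problems.append(("dangling CNAME pointer", owner))   # in-zone target only
        for rtype, rdata in rrs:
            if rtype in ("NS", "MX"):
                target = rdata.split()[-1]
                if is_cname(target):
                    problems.append(("%s points to a CNAME" % rtype, owner))
                if not res_hnok(target):
                    problems.append(("bad host name in %s target" % rtype, owner))
            if rtype == "A" and not res_hnok(owner):
                problems.append(("bad host name", owner))
    return problems
```

Running this before ndc reload catches the file-level mistakes; a lame delegation or a decreasing serial can only be seen by querying the upper zone and the secondaries, which is what the server-side messages on these slides report.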

Errors Reported by the Server (cont'd)

- Response from unexpected source
  - a response from a different interface address?
  - an attack?
- zone "xxx" (class 1) SOA serial# (nn) is < ours (mm)
  - the SOA serial decreased!

RFC1912(I): Common DNS Operational and Configuration Errors

Future of DNS

- Dynamic Update
  - record-by-record data update
- Incremental Zone Transfer (IXFR)
  - curbs traffic and speeds up updates
- Security Extensions
  - SIG RR, NXT RR

