Tag Archive : dns


How DNS Works?

December 9, 2015 | Article | No Comments

Computers only recognize numbers, and all data is stored as numeric symbols. Humans, however, more easily remember information in the form of names: instead of an IP address such as 167.205.1.34, people remember a name such as itb.ac.id. DNS was created to bridge these two systems.

DNS is a service that translates names in human-readable form into the numbers (IP addresses) that computers use.

DNS is a distributed database whose purpose is the identification and naming of nodes on the Internet. The term distributed refers to the fact that a DNS server stores only the hostnames of the computers or nodes under its own authority. It does not store information about nodes in domains that do not belong to its authority.

For example:

Let's say there is a DNS server for the domain xathrya.id. This server stores the names on its network. The network can include subdomains that are accessible from outside, for instance mail.xathrya.web.id, wiki.xathrya.web.id, labs.xathrya.web.id, etc. A DNS server can also store information about nodes inside the network, naming resources such as switches, routers, etc. These resources are private to the network and cannot be seen from outside.

Hierarchy and Tree

As a distributed system, there are many DNS servers, each with authority over its own domain. They are independent and autonomous. However, every DNS server is interconnected with the others, forming one large network. They exchange information, since no single DNS server knows every node in the world.

The DNS servers of the world form a large tree in which each node is placed hierarchically. When a DNS server does not have a name within its authority, it asks another DNS server that might know it. At the root of the tree is a node referred to as the root DNS.

Searching Operation

When a computer inside a network wants to visit a page / domain (for example https://blog.xathrya.id), it must contact the nearest DNS server. This operation is known as resolving the domain name.

A DNS server must be assigned on each machine. If a machine connects to a network with DHCP, it can acquire the address of the DNS server automatically. We can also set the DNS server manually, depending on our operating system.

When a machine asks a DNS server for a name, there are two possibilities. The first is that the server knows the address of the requested name, because the name / domain is under its authority. In this case the DNS server replies directly, giving the IP address or other information for that name.

But when the DNS server cannot resolve the name itself, it begins a search operation, described below:

  1. The local DNS asks the root DNS for the address of the DNS server that has authority over the .id domain.
  2. The root DNS answers the local DNS with the DNS server that has authority over the .id domain. Let's call this server idDNS. Now we have the information of idDNS and have resolved the partial name .id.
  3. The local DNS asks idDNS for the DNS server that has authority over the xathrya.id domain. Let's call this server xathryaDNS. Now we have the information of xathryaDNS and have resolved the partial name xathrya.id.
  4. The local DNS has successfully obtained the address of xathrya.id; it then answers the client and gives it the IP address of xathrya.id.

When a DNS server learns a new name, it can cache that name for some period of time. The caching mechanism will be discussed in another article.

What if our domain name has more levels than that? Suppose we need to resolve the domain xathrya.web.id; then the steps would be:

  1. The local DNS asks the root DNS for the address of the DNS server that has authority over the .id domain.
  2. The root DNS answers the local DNS with the DNS server that has authority over the .id domain. Let's call this server idDNS. Now we have the information of idDNS and have resolved the partial name .id.
  3. The local DNS asks idDNS for the DNS server that has authority over the web.id domain. Let's call this server webidDNS. Now we have the information of webidDNS and have resolved the partial name .web.id.
  4. The local DNS asks webidDNS for the DNS server that has authority over the xathrya.web.id domain. Let's call this server xathryaDNS. Now we have the information of xathryaDNS and have resolved the partial name xathrya.web.id.
  5. The local DNS has successfully obtained the address of xathrya.web.id; it then answers the client and gives it the IP address of xathrya.web.id.

As we can see, a deeper name needs more steps to resolve.

DNS Cache vs Authoritative

December 9, 2015 | Article | No Comments

A DNS server has two main functions. It can act as a resolver / cache, and it can also act as an authoritative server.

An authoritative DNS server is a DNS server that manages, or has authority over, the DNS of its domain. It answers any query for any domain under its authority. For example, the DNS server for xathrya.id is responsible only for translating domain names under xathrya.id, such as mail.xathrya.id, labs.xathrya.id, etc. It will not, and cannot, answer for other domains outside its authority.

A single physical DNS server can have authority over two or more domains. For example, the domain celestial-links.net is under the same authority as the server that manages xathrya.id.

The other function a DNS server has is cache / resolver. The DNS server relays a query to the other DNS server that has authority over the requested domain name. When that DNS server has given the answer, this DNS server caches the answer as well as relaying it to the client.

An authoritative DNS server tends to be non-recursive when giving answers (since it already has the answer), while a cache server performs a recursive operation when a query comes in. Recursion occurs when the DNS server tries to resolve a domain name (see the How DNS Works article) from the root DNS down to the authoritative DNS.
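As an added example (not code from the original articles), the following Python simulation walks the step-by-step lookup described in How DNS Works over a constructed delegation tree and shows the two roles described here: each authoritative server answers only for its own zone and refuses everything else, while the local cache DNS does the recursive walk from the root and remembers the result. The server names follow the article; the zone data and addresses are made up.

```python
# Constructed delegation tree (not real DNS data). Each authoritative server
# knows only its own zone: names it holds ("A") and zones it delegates ("NS").
ZONES = {
    "root": {"id.": ("NS", "idDNS")},
    "idDNS": {"web.id.": ("NS", "webidDNS"), "xathrya.id.": ("NS", "xathryaDNS")},
    "webidDNS": {"xathrya.web.id.": ("NS", "xathryaDNS")},
    "xathryaDNS": {
        "xathrya.id.": ("A", "203.0.113.10"),
        "xathrya.web.id.": ("A", "203.0.113.20"),
        "mail.xathrya.id.": ("A", "203.0.113.25"),
    },
}


def authoritative_answer(server, qname):
    """Answer as an authoritative server: return the record if the name is held,
    refer downwards if a longer suffix is delegated, otherwise refuse. It never
    goes looking for names outside its own authority."""
    zone = ZONES[server]
    if qname in zone:
        return zone[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):  # longest delegated suffix first
        suffix = ".".join(labels[i:])
        if suffix in zone and zone[suffix][0] == "NS":
            return zone[suffix]
    return ("REFUSED", None)


class CachingResolver:
    """The local cache DNS: walks the tree from the root and remembers answers."""

    def __init__(self, max_hops=8):
        self.cache = {}
        self.max_hops = max_hops  # guards against a looping delegation

    def resolve(self, qname):
        """Return (ip, servers_asked); a cache hit asks no server at all."""
        if qname in self.cache:
            return self.cache[qname], []
        server, asked = "root", []
        while len(asked) < self.max_hops:
            asked.append(server)
            rtype, value = authoritative_answer(server, qname)
            if rtype == "A":
                self.cache[qname] = value
                return value, asked
            if rtype != "NS":
                break  # refused: no server on the path holds this name
            server = value
        return None, asked
```

Resolving xathrya.web.id. asks root, idDNS, webidDNS and xathryaDNS in turn, matching the five-step walk in the article; asking again is served from the cache without contacting any server.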

When designing a DNS server, one should separate the authoritative function and the cache function onto different DNS servers. Most people use a single server for both functions. This design is not bad, but it should be avoided.

There are at least two reasons for splitting the task of a DNS server into two different servers, an authoritative DNS server and a cache DNS server. Mainly they concern security and performance.

First reason: performance. A DNS server should be scalable and perform well. It is about identities on the Internet, and DNS is a vital component: when a DNS server goes down, some nodes / machines can no longer be reached. Therefore a DNS server should perform well and be able to handle as many clients resolving names as possible. With separation, each DNS server can focus on one function, acting only as an authoritative DNS server or only as a cache DNS server, and thus throughput will be as high as possible.

Second reason: security. When a hacker has successfully taken control of a DNS server, they have only one of the DNS functions, not both. There is no guarantee that all of our DNS servers will never be taken down, but at least a hacker cannot take both at once.

Another consideration when designing a DNS server is its position on the network.

The authoritative DNS server should be located inside the DMZ network (the perimeter, or the area of the network that is publicly known and accessible from the public network). An authoritative DNS server answers queries, so it should be able to answer requests directly. If an authoritative DNS server is behind a proxy or NAT, the response time would increase.

On the other side, the cache DNS server should be located on the local network and not exposed to the public network. Each network should have a cache DNS server, which performs the queries for clients inside the network.

Installing BIND as DNS Server on FreeBSD 8.3

December 9, 2015 | Article | No Comments

BIND is by far the most popular Domain Name System (DNS) server used worldwide. It provides a robust and stable platform on top of which organizations can build distributed computing systems, with the knowledge that those systems are fully compliant with published DNS standards.

One reason BIND became popular is that it is developed by the Internet Systems Consortium, a nonprofit corporation dedicated to supporting the infrastructure of the universal connected self-organizing Internet.

In this article we will discuss the installation and simple configuration of BIND on FreeBSD. Here I use:

  1. FreeBSD amd64 8.3

Although I use FreeBSD amd64 8.3, this method is general, so we can apply it to other FreeBSD platforms and versions. Having a registered domain name is not necessary for this article, but it is strongly recommended.

Installation

Make sure you have become the superuser by using su. Installing BIND is as easy as any other ports installation.

cd /usr/ports/dns/bind99
make config
make install clean

At this point, a standard installation of BIND has been completed on our system. Before using BIND, we need to do a little adjustment and configuration.

Add NO_BIND=YES to make.conf. This tells the make command not to build the base version of BIND if we rebuild FreeBSD from source. This way we prevent the system from downgrading BIND to the older base version.

echo 'NO_BIND=YES' >> /etc/make.conf

Next, we also want BIND to start automatically at boot time. Here we modify rc.conf:

echo 'named_enable="YES"' >> /etc/rc.conf

Now start BIND if you have not started it yet.

/etc/rc.d/named start

Resources

  1. RFC 1034 – Domain Names: Concepts and Facilities (http://tools.ietf.org/html/rfc1034)
  2. RFC 1035 – Domain Names: Implementation and Specification (http://tools.ietf.org/html/rfc1035)
