DNS

__TOC__
<br />
=DNSBasics=
 
; Why do we need DNS?<ref>www.zscaler.com</ref>
*UDP: For all general-purpose DNS requests such as nslookup, client requests, etc.
*TCP: For server-to-server communication such as zone transfer, as this process needs a reliable protocol.
 
;Zone transfer
It is the process of replicating a zone file to another name server, and is accomplished by copying the zone file information from the master server to the secondary server.
Zone transfers take place when names and IP address mappings change in a domain.
 
; Who decides it?
*UDP can be used to exchange small amounts of information, whereas TCP must be used to exchange information larger than 512 bytes.
*If a client doesn't get a response from DNS, it must retransmit the data using TCP after an interval of 3-5 seconds.
 
; When will firewall close a session opened for DNS?
*If DNS ALG is disabled, the session table may fill in a short time.
 
; DNS Flow
{{UC}}

== DNS Headers ==
 
<br />
{| class="wikitable" style="margin: 0 auto; text-align:center; width:80%;"
|+DNS Headers
|-
| colspan="16"| Identification || QR || colspan="4"| Opcode || <tt>AA</tt> || <tt>TC</tt> || <tt>RD</tt> || <tt>RA</tt> || <tt>Z</tt> || <tt>AD</tt> || <tt>CD</tt> || colspan="4"| RCode
|-
| colspan="16"| Total Questions || colspan="16"| Total Answers
|-
| colspan="16"| Total Authority Resource Records || colspan="16"| Total Additional Resource Records
|}
<br />
 
 
== Fields ==
 
;ID - Identifier (2 Bytes)
A 16-bit identification field generated by the device that creates the DNS query.
It is copied by the server into the response, so it can be used by that device to match that query to the corresponding reply received from a DNS server.
This is used in a manner similar to how the Identifier field is used in many of the ICMP message types.
 
;QR - Query/Response Flag (1/8 bytes or 1 bit)
Differentiates between queries and responses.
Set to 0 when the query is generated; changed to 1 when that query is changed to a response by a replying server.
 
;Opcode (1/2 byte or 4 bits)
Specifies the type of query.
Set by the creator of the message and copied unchanged into the response.

{| class="wikitable"
|+ Opcode values
! Value !! Name !! Description
|-
| 0 || Query || Standard query
|-
| 1 || IQuery || Inverse query (obsolete)
|-
| 2 || Status || Server status request
|-
| 3 || || Reserved
|-
| 4 || Notify || Used by the primary to tell secondaries that data for the zone has changed, prompting them to request a zone transfer
|-
| 5 || Update || Implements Dynamic DNS; allows resource records to be added, deleted or updated selectively
|}
 
;DNS Flags
 
* AA - Authoritative Answer Flag
This bit is set to 1 in a response to indicate that the server that created the response is authoritative for the zone in which the domain name specified in the Question section is located.
If it is 0, the response is non-authoritative.
 
* TC - Truncation Flag
When set to 1, indicates that the message was truncated because its length exceeded the maximum permitted for the transport mechanism used.
TCP doesn't have a length limit for messages, while UDP messages are limited to 512 bytes.
So this bit being set is usually an indication that the message was sent using UDP and was too long to fit.
The client may need to establish a TCP session to get the full message.
On the other hand, if the portion truncated was part of the Additional section, it may choose not to bother.
 
* RD - Recursion Desired
When set in a query, requests that the server receiving the query attempt to answer the query recursively, if the server supports recursive resolution.
The value of this bit is not changed in the response.
 
* RA - Recursion Available
Set to 1 or cleared to 0 in a response to indicate whether the server creating the response supports recursive queries.
This can then be noted by the device that sent the query for future use.
 
* Z - Zero
Reserved bits, set to zero. RFC 1035 defined three reserved bits here; two of them have since been assigned as AD (Authenticated Data) and CD (Checking Disabled) for DNSSEC, which is why the header table above shows Z, AD and CD as separate single bits.
 
;RCode - Response Code (1/2 byte or 4 bits)
Set to 0 in queries.
Changed by the replying server in the response to convey success or an error.

{| class="wikitable"
|+ RCode values
! Value !! Name !! Description
|-
| 0 || No Error || Success
|-
| 1 || Format Error ||
|-
| 2 || Server Failure ||
|-
| 3 || Name Error || The name specified in the query does not exist in the domain. This code can be used by the authoritative server for a zone (as it knows all objects and subdomains) or by a caching server that implements negative caching.
|-
| 4 || Not Implemented || Type of query not supported by the server.
|-
| 5 || Refused || The server refused to process the query, generally for policy reasons; operations such as zone transfer are restricted, and a server will honor a zone transfer only from certain devices.
|-
| 6 || YX Domain || A name exists when it should not.
|-
| 7 || YX RR Set || An RR set exists that should not.
|-
| 8 || NX RR Set || An RR set that should exist does not.
|-
| 9 || Not Auth || The server receiving the query is not authoritative for the zone specified.
|-
| 10 || Not Zone || The name specified in the message is not within the zone specified in the message.
|}
 
;QDCount:
Specifies the number of questions in the Question section of the message.
 
;ANCount:
Specifies the number of resource records in the Answer section of the message.
 
;NSCount:
Specifies the number of resource records in the Authority section of the message.
NS stands for Name Server
 
;ARCount:
Specifies the number of resource records in the Additional section of the message.
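As an added example (not code from the original page), a small Python parser and builder for the 12-byte header described above, plus the resolver-side check that a reply's ID and Opcode echo the outstanding query and that TC signals a TCP retry; the sample bytes are constructed, not captured.

```python
import struct

# Names for the RCODE values listed above (IANA registry names).
RCODE_NAMES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 4: "NotImp",
               5: "Refused", 6: "YXDomain", 7: "YXRRSet", 8: "NXRRSet", 9: "NotAuth", 10: "NotZone"}

def parse_dns_header(data: bytes) -> dict:
    """Unpack the 12-byte header: ID, the 16-bit flags word, then the four section counts."""
    if len(data) < 12:
        raise ValueError("DNS header is 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,          # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,    # 4 bits
        "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1, "z": (flags >> 6) & 1,
        "ad": (flags >> 5) & 1, "cd": (flags >> 4) & 1,
        "rcode": flags & 0xF,             # 4 bits
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def build_dns_header(ident, qr=0, opcode=0, aa=0, tc=0, rd=1, ra=0, ad=0, cd=0, rcode=0,
                     qd=1, an=0, ns=0, ar=0) -> bytes:
    """Pack the same fields back into wire format (Z is always sent as 0)."""
    flags = ((qr << 15) | (opcode << 11) | (aa << 10) | (tc << 9) | (rd << 8)
             | (ra << 7) | (ad << 5) | (cd << 4) | (rcode & 0xF))
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)

def response_matches_query(query: bytes, response: bytes) -> bool:
    """Resolver-side check: accept a reply only if QR is set and ID and Opcode echo our query."""
    q, r = parse_dns_header(query), parse_dns_header(response)
    return r["qr"] == 1 and r["id"] == q["id"] and r["opcode"] == q["opcode"]

def needs_tcp_retry(response: bytes) -> bool:
    """TC=1 means the UDP reply was cut at the 512-byte limit; re-ask over TCP."""
    return parse_dns_header(response)["tc"] == 1

# Constructed sample (not a capture): a response with ID 0x1234, QR=1, AA=1, RD=1, RA=1,
# RCODE=3 (Name Error), one question, no answers, one authority record. Flags word = 0x8583.
SAMPLE_RESPONSE = bytes.fromhex("1234 8583 0001 0000 0001 0000")

if __name__ == "__main__":
    h = parse_dns_header(SAMPLE_RESPONSE)
    print({k: h[k] for k in ("id", "qr", "aa", "rd", "ra", "tc")}, RCODE_NAMES[h["rcode"]])
```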
 
= Resource Records =
 
*RR is the unit of information entry in DNS zone files.
*RRs are the basic building blocks of host-name and IP information and are used to resolve all DNS queries.
*Resource records exist as many types to provide extended name-resolution services.
 
*Different types of RRs have different formats, as they contain different data.
*In general, however, many RRs share a common format, as the following address resource records example illustrates.
 
*Fields found in an A resource record:
 microsoft.com. 600 IN A 150.150.150.1

;microsoft.com.
:The owner of the record.
;600
:TTL in seconds.
;IN
:Class field; represents the protocol family, commonly IN for the Internet class.
;A
:Type of resource the RR represents.
;150.150.150.1
:Resource data (RDATA). This field is of variable type and provides information appropriate for the type of resource; in this case, a 32-bit IP address.
 
The following resource record types are commonly used in DNS:
*Start of authority (SOA)
*Name server (NS)
*Pointer record (PTR)
*Address (A)
*IPv6 Address (AAAA)
*Mail exchange (MX)
*Canonical name (CNAME)
*Windows Internet Naming Service (WINS)
*WINS Reverse Lookup (WINSR)
 
== SOA Record ==
 
Source: [https://www.cisco.com/c/en/us/support/docs/ip/domain-name-system-dns/12684-dns-resource.html cisco.com]

;SOA Record Data Fields
The fields appear in this order in a zone file:
 DOMAIN.NAME  IN  SOA  Hostname.Domain.Name  Mailbox.Domain.Name (
     Serial number
     Refresh
     Retry
     Expire
     TTL )
 
= DNS Record Types =

{| class="wikitable"
! Type !! Name !! Description
|-
| A || Address record || Returns a 32-bit IPv4 address.
|-
| AAAA || IPv6 address record ||
|-
| CNAME || Canonical name record || Alias of one name to another; the DNS lookup will continue by retrying the lookup with the new name.
|-
| LOC || Location record || Specifies a geographical location associated with a domain name.
|-
| MX || Mail exchange record || Maps a domain name to a list of message transfer agents for that domain.
|-
| NS || Name server record || Delegates a DNS zone to use the given authoritative name servers.
|-
| PTR || Pointer record || Pointer to a canonical name. Unlike a CNAME, DNS processing stops and just the name is returned. The most common use is for implementing reverse DNS lookups.
|-
| SOA || Start of [a zone of] authority record || Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, etc.
|-
| SRV || Service locator || Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX.
|-
| TXT || Text record || Originally for arbitrary human-readable text in a DNS record. Now more often carries machine-readable data, opportunistic encryption, Sender Policy Framework, etc.
|-
| * || All cached records || Returns all cached records of all types known to the name server. If the name server does not have any information on the name, the request will be forwarded on.
|-
| AXFR || Authoritative Zone Transfer || Transfers the entire zone file from the master name server to secondary name servers.
|-
| IXFR || Incremental Zone Transfer || Requests a zone transfer of the given zone, but only the differences from a previous serial number.
|}
<br />
 
= Authoritative Nameserver =
 
Authoritative Nameserver is a DNS Server that holds the actual DNS records (A, CNAME, PTR, etc) for a particular domain/address.
A recursive resolver would be a DNS server that queries an authoritative nameserver to resolve a domain/address.
If I have a DNS server in my network that holds an A record for foobar.com, my DNS server would be authoritative for the foobar.com domain.
If clients needed to access foobar.com, they could query my DNS server and they would get an authoritative response.
 
= Zone =
 
Source: [http://think-like-a-computer.com/2011/06/11/dns-zones-explained/ think-like-a-computer.com]
<br />
 
=== Zone Transfer ===
 
*DNS zone transfer (Also called AXFR) is a mechanism to replicate DNS databases across a set of DNS servers.
<br />
 
==Query Types<ref>www.mphasis.com</ref>==
 
* DNS client tells DNS server whether Query is Recursive or Iterative.
 
'''Recursive query:'''
 
'''Iterative query:'''
[[File:Iterative DNS.jpg|thumb|right| 1 & 8 are Recursive - rest are Iterative]]
* Returns the best answer server can give based on its cache or zone data.
* If it does not have an exact match, it returns a pointer to another DNS server.
<br />
 
==DNS Doctoring<ref>www.juniper.net</ref>==
{{format}}
* DNS doctoring enables an internal host on a LAN to receive the private IP of an internal server as the answer to a DNS query when using a DNS server that is outside the LAN, such as on the Internet.
<br />
 
= DNSSEC =
{{UC}}
<br />
 
;CNAME:
*A Canonical Name record (abbreviated as CNAME record) is a type of resource record in the Domain Name System (DNS) which maps one domain name (an alias) to another (the Canonical Name).

 NAME              TYPE   VALUE
 bar.example.com.  CNAME  foo.example.com.
 foo.example.com.  A      192.0.2.23

;Glue Record
* A glue record is a term for a record that's served by a DNS server that's not authoritative for the zone, to avoid a condition of impossible dependencies for a DNS zone.
* What glue records do is to allow the TLD's servers to send extra information in their response to the query for the example.com zone - to send the IP address that's configured for the name servers.
* It's not authoritative, but it's a pointer to the authoritative servers, allowing for the loop to be resolved.

=DHCP Misc =

;What are the ports used in DHCP?<ref name="bt">www.bt.com/in</ref>
 Client                                  Server
   68  ---------- Request -------------->  67
   68  <--------- Reply -----------------  67
All are UDP ports.

;What packets are exchanged in DHCP?<ref>www.convergys.com</ref> Which packets are unicast or broadcast in DHCP?<ref name="bt"/>
 
*Usually 4 messages are involved:
 
*D = Discover = Broadcast
*O = Offer = May be broadcast or unicast depending upon implementation
*R = Request = Broadcast
*A = Acknowledge = May be broadcast or unicast depending upon implementation
 
*A DHCP Server listens on port number UDP 67 and client uses source port UDP 68.
*The message from client is encapsulated in a UDP datagram, using the destination port number 67 and the source port number 68.
*This UDP datagram is encapsulated in an IP datagram.
*Now the question is how a client can send an IP datagram when it knows neither its own IP address nor the server’s IP address (the destination address).
*The client uses all 0s as the source address and all 1s as the destination address.
*The server responds with either a broadcast or a unicast message using UDP source port number 67 and destination port number 68.
*The response can be unicast because the server knows the IP address of the client.
*It also knows the physical address of the client, which means it does not need the services of ARP for logical to physical address mapping.
*However, some systems do not allow the bypassing of ARP, resulting in the use of the broadcast address.
<br />
 
==DHCP Relay Agent==
 
 PC ----- Switch ----------- Router ----- DHCP Server
                               |
                          Relay Agent
 |----------->|--------------->|------------>|
   Broadcast       Unicast         Unicast
 
* The DHCP request is broadcast because the client does not know the IP address of the server.
* A broadcast IP datagram cannot pass through any router.
* To solve the problem, there is a need for an intermediary.
* One of the hosts (or a router) can be used as a relay agent.
* The relay agent knows the unicast address of a DHCP server and listens for broadcast messages on port 67.
* It encapsulates the message in a unicast datagram and sends the request to the DHCP server.
* The packet is routed by any router and reaches the DHCP server.
* The DHCP server knows the message comes from a relay agent because one of the fields in the request message defines the IP address of the relay agent.
* The relay agent, after receiving the reply, sends it to the DHCP client.
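The relay and addressing rules above, as an added Python example that is not part of the original page: it builds a DHCPDISCOVER, stamps giaddr the way a relay agent does, and applies the server-side rule (RFC 2131) for choosing the reply's destination. The MAC, transaction ID and relay address are constructed sample values.

```python
import struct
import ipaddress

# Fixed part of a BOOTP/DHCP message (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128); options follow it.
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
HDR_LEN = struct.calcsize(HDR_FMT)          # 236 bytes
MAGIC_COOKIE = bytes.fromhex("63825363")
BOOTREQUEST = 1
SERVER_PORT, CLIENT_PORT = 67, 68            # both UDP
BROADCAST_FLAG = 0x8000                      # client that cannot take a unicast reply before ARP
ZERO4 = b"\x00" * 4

def build_discover(mac: bytes, xid: int, broadcast: bool = False) -> bytes:
    """Client DHCPDISCOVER: no IP known yet, so ciaddr/yiaddr/siaddr/giaddr are all 0.0.0.0
    (the IP layer carries it from 0.0.0.0 to 255.255.255.255, UDP 68 -> 67)."""
    flags = BROADCAST_FLAG if broadcast else 0
    fixed = struct.pack(HDR_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, flags, ZERO4, ZERO4, ZERO4, ZERO4,
                        mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return fixed + MAGIC_COOKIE + bytes([53, 1, 1, 255])   # option 53 = DISCOVER, then END

def parse_dhcp(msg: bytes) -> dict:
    f = struct.unpack(HDR_FMT, msg[:HDR_LEN])
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
            "ciaddr": ipaddress.IPv4Address(f[7]), "yiaddr": ipaddress.IPv4Address(f[8]),
            "giaddr": ipaddress.IPv4Address(f[10]), "chaddr": f[11][:f[2]]}

def relay_forward(msg: bytes, relay_ip: str) -> bytes:
    """Relay agent: set giaddr to its own address (only the first relay does), bump hops,
    and forward the result by unicast to the configured server."""
    giaddr = msg[24:28] if msg[24:28] != ZERO4 else ipaddress.IPv4Address(relay_ip).packed
    return msg[:3] + bytes([msg[3] + 1]) + msg[4:24] + giaddr + msg[28:]

def reply_destination(request: bytes, offered_ip: str):
    """Server rule: giaddr set -> unicast to the relay on 67; client already has an IP ->
    unicast to it; broadcast flag -> 255.255.255.255; otherwise unicast to the offered IP."""
    h = parse_dhcp(request)
    if int(h["giaddr"]):
        return str(h["giaddr"]), SERVER_PORT
    if int(h["ciaddr"]):
        return str(h["ciaddr"]), CLIENT_PORT
    if h["flags"] & BROADCAST_FLAG:
        return "255.255.255.255", CLIENT_PORT
    return offered_ip, CLIENT_PORT

# Constructed sample: client 00:11:22:33:44:55 behind a relay agent at 10.0.0.1 (not a capture).
SAMPLE_DISCOVER = build_discover(bytes.fromhex("001122334455"), 0xDEADBEEF)
SAMPLE_RELAYED = relay_forward(SAMPLE_DISCOVER, "10.0.0.1")
```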
<br />
 
;References