@krocz | * krocz changes topic to 'UMeet'2005, next talk: 21:00 GMT Sebastian Castro: "Operacion de un DNS" (Operation of a DNS) || #redes -> English translation || #qc -> questions and comments' |
---|---|
@alejandro | The presentation will be held with the slides available at http://www.requin.cl/Umeet2005-OperacionDNS.pdf |
@alejandro | Good evening everybody. |
@alejandro | We now have the last talk of this Umeet05. |
@alejandro | Thanks for coming and contributing to the project. |
@alejandro | Our next speaker is Sebastian Castro. |
@alejandro | He is a teacher at the University of Chile and a system administrator at NIC Chile. |
@alejandro | He has participated in several conferences and is a regular free software user. |
@alejandro | Now Sebastian Castro, |
@alejandro | It's your turn. |
@alejandro | Perfect, thanks for the introduction. |
@alejandro | With so much documentation, I'm not sure you are talking about me. |
@alejandro | I'm going to use the slides available at http://www.requin.cl/Umeet2005-OperationDNS.pdf |
@alejandro | The idea of the talk is to give a deep introduction to the DNS protocol |
@alejandro | from a technical point of view |
@alejandro | and then we will look at some operation and diagnostic elements |
@alejandro | I had serious trouble deciding on the topics for the talk |
@alejandro | so your questions are fundamental to improving this talk |
@alejandro | We are going to begin with some basic, beginner-level concepts. |
@alejandro | If someone knows enough about DNS, your opinion may be right. |
@alejandro | On slide 3 we can see the general definition of DNS |
@alejandro | it's a database, distributed (not in only one place) |
@alejandro | and the fundamental idea is delegation |
@alejandro | that is, in order to be distributed, it needs to be delegated |
@alejandro | there are slices of DNS information in various places and each one can be the responsibility of a different person |
@alejandro | in the system we have three parts: |
@alejandro | the clients, the part of the operating system that resolves names |
@alejandro | using functions like gethostbyname, gethostbyaddr and others |
@alejandro | the authoritative servers, publishing the DNS information |
@alejandro | and the caches, the intermediaries between resolvers and servers |
@alejandro | everything in the DNS protocol is based on messages and the idea of request/reply |
@alejandro | and the main transport used is UDP |
@alejandro | but it also requires TCP (the DNS protocol needs it) |
@alejandro | the port assigned by IANA is 53 |
@alejandro | and a curious thing, which some people don't know, is the use of TCP to send requests |
@alejandro | as we will see later, there is a bit named TC included in the reply |
@alejandro | to indicate, from the server we are asking, that the answer is over the 512-byte limit and you need to retry using TCP |
@alejandro | to get all the information |
@alejandro | for example, |
@alejandro | if you make a request to the hotmail or yahoo mail servers, you will see answers very close |
@alejandro | to this limit |
@alejandro | to make the query, use the command dig mx hotmail.com |
@alejandro | and look at the last two lines: |
@alejandro | ;; WHEN: Tue Dec 20 18:32:41 2005 ;; MSG SIZE rcvd: 511 |
@alejandro | Now, this limit is defined in RFC 1034, which describes the DNS protocol |
@alejandro | and with the existence of EDNS, you can make requests with answers larger than 512 bytes |
@alejandro | forcing the use of UDP |
@alejandro | but it's not widely used |
@alejandro | another useful element in DNS operation is knowing the message structure |
@alejandro | (look at it on slide 5) |
@alejandro | there is a header to indicate whether the message is a query or an answer |
@alejandro | the query section, the answer section, the authority section and the additional section |
@alejandro | the last three are related to RR sequences (we will look at that later) |
@alejandro | On slide 6 we can see the header structure. |
@alejandro | I recommend you look at it carefully, because you will better understand some error conditions and diagnostics later. |
@alejandro | Any questions? Larger than 512 bytes with UDP? |
@alejandro | with the introduction of DNSSEC, the answers will be larger than 512 bytes |
@alejandro | so nobody wants to use DNS over TCP because of the bandwidth and performance cost of establishing the session |
@alejandro | so I think the EDNS extension lets you define a UDP buffer larger than 512 bytes |
@alejandro | Now we will move to another DNS component, related to the information structure |
@alejandro | DNS is hierarchical, depending on the root element |
@alejandro | probably you know it |
@alejandro | the root's children are named TLDs (Top Level Domains) |
@alejandro | and there are three types: |
@alejandro | probably you only know two |
@alejandro | the ccTLDs (country code TLDs) and gTLDs (generic TLDs) |
@alejandro | but there also exist the sTLDs (sponsored TLDs) |
@alejandro | closed TLDs created by groups of organizations with a particular purpose |
@alejandro | for example, .aero, created by the airlines and other associated companies |
@alejandro | another important element is the root servers, or servers with authority for the "." label |
@alejandro | they let you resolve any name and there are only 13 because of some protocol restrictions |
@alejandro | for the people asking why Chile is .CL instead of .CH, ISO decided it; ISO is the one that defined the specification with the country codes |
@alejandro | (CH is the country code of Switzerland, because the original name is "Comunidad Helvetica") |
@alejandro | on slide 8, everything depends on a node |
@alejandro | a zone describes the node content |
@alejandro | that is, the CL domain is the CL node in the tree, plus every node depending on this node |
@alejandro | damage: what are the requirements for a country to have its own TLD? Is there an organization? Who makes the transaction? |
@alejandro | ICANN is the coordinating organization that assigns the country TLDs |
@alejandro | so it assigns the working rules for first level domains |
@alejandro | historically, only a few TLDs were created with a country origin |
@alejandro | for example, there exists .pa, assigned to Palestine |
@alejandro | when it was recognized as a state |
@alejandro | when that happened, ICANN received the request for the creation of the TLD .pa, to be part of the organizations assigned in the Palestinian state |
@alejandro | so they had to validate the relationship |
@alejandro | now some Chileans ask why the University of Chile administers .CL? |
@alejandro | why doesn't another organization do it? |
@alejandro | this question has its answer in history |
@alejandro | because the University of Chile was the first organization to connect to the Internet using UUCP |
@alejandro | and the objective of the connection was having mail, |
@alejandro | the United States said: |
@alejandro | for you to have a mail address, you need to have someone administering the country code |
@alejandro | do you want to have the administration? |
@alejandro | and they answered all right. |
@alejandro | Digit-Teck: What are the ICANN requirements for having a first level domain? |
@alejandro | sorry, I don't know |
@alejandro | but not every organization can choose a domain in the first level |
@alejandro | depending on the TLD type, it follows different paths |
@alejandro | if you are a ccTLD, there needs to exist a state or nation recognized by the United Nations |
@alejandro | then receive the country code from ISO |
@alejandro | and then demonstrate that whoever asks for it is related to the domain |
@alejandro | for a gTLD, it needs some years of discussion in some committees (and then it needs approval from the Commerce Department of the United States government) |
@alejandro | if it's an sTLD, there are instructions so that organizations can request their TLD |
@alejandro | you can look in: http://www.icann.org/topics/gtld-strategy -area.html |
@alejandro | and in : http://www.icann.org/tlds/stld-apps-19mar04/ |
@alejandro | for the correct instructions |
@alejandro | on slide 10 we can see another component of the DNS protocol, the RR |
@alejandro | all information in DNS is described using these records |
@alejandro | so you need to understand their structure |
@alejandro | Every RR has a label or name, a class, a type, a TTL and data |
@alejandro | the data depends on the type |
@alejandro | probably you know some records, like SOA, NS, MX, A, PTR, CNAME, TXT |
@alejandro | on slide 10, perhaps you haven't heard about the HS or CH classes |
@alejandro | created by MIT people for experimental reasons |
@alejandro | the CH class is used in some DNS implementations to get information |
@alejandro | like dig version.bind CHAOS TXT @ns.nic.cl +short |
@alejandro | which answers "BIND 9, NIC Chile" |
@alejandro | another question: How can I get a .int domain? |
@alejandro | There are only a few .int domains and they are usually assigned with care to internationally known organizations such as the United Nations, WIPO and others. |
@alejandro | domain delegation under this hierarchy is closed |
@alejandro | on slide 11, I propose a review of the SOA record |
@alejandro | this record is special and is present in every zone |
@alejandro | and defines operating parameters for a domain |
@alejandro | correct domain operation uses these values |
@alejandro | there is also a section with recommended numbers later |
@alejandro | we will discuss the right parameters later |
@alejandro | slide 12 shows what a correct query to the DNS looks like |
@alejandro | it's included for academic reasons |
@alejandro | I'm doing my thesis on DNS, I have to educate people |
@alejandro | slide 13 is more interesting because it shows the elements that differentiate an answer from a request in a DNS query |
@alejandro | like how to interpret the reply flags |
@alejandro | perhaps you want to know what each error code means |
@alejandro | slide 14 defines three actors in the DNS system |
@alejandro | we don't need to talk more about clients and resolvers |
@alejandro | the cache servers are very important, they mediate between clients and authoritative servers |
@alejandro | they save a copy (for performance reasons) |
@alejandro | and finally the authoritative servers, which publish the original information |
@alejandro | there are three types: the primary, the original copy of the zone |
@alejandro | the secondary, which gets a copy of the zone from the primary |
@alejandro | and the stealth, servers having a copy of the zone but not part of the domain delegation |
@alejandro | so they are not in the NS list of the domain |
@alejandro | the secondary synchronizes with the primary using zone transfers |
@alejandro | the zone transfer is given by the frequency of zone updates |
@alejandro | every secondary, before transferring, checks the SOA record of the zone and verifies whether the serial number is higher than the one stored |
@alejandro | if it's higher, it schedules a zone transfer (on a non-busy server, it starts quickly; on a busy one it can take some time) |
@alejandro | what is the objective of having a stealth DNS? |
@alejandro | mainly performance |
@alejandro | for example, for the CL domain, we could want every ISP to have a copy of the CL zone, but without receiving the domain delegation |
@alejandro | we can give access to a zone copy so they can query these names locally |
@alejandro | instead of making the query in another network |
@alejandro | in a BIND-based cache, we can redirect every query for a given zone to a preferred server, using forwarders |
@alejandro | related to caching, there are two important elements |
@alejandro | the first one everybody knows |
@alejandro | a cache server stores every query for some seconds |
@alejandro | these seconds are the TTL associated with the record |
@alejandro | and another idea, less widespread, concerns negative caching |
@alejandro | storing queries for names that do not exist |
@alejandro | for example, if I make a request for the domain "nonexists.cl" at NIC, the server returns the return code NXDOMAIN and the SOA record of the CL zone |
@alejandro | if a cache asks for it, it will return the return code and the SOA record |
@alejandro | storing, for the TTL seconds of the SOA record, that this record doesn't exist |
@alejandro | after reviewing the DNS concepts, we move on to the operational recommendations |
@alejandro | I'm sure the slides won't be enough, so please ask your questions |
@alejandro | to start, what DNS software exists? |
@alejandro | BIND is widely known |
@alejandro | but you can also use NSD or PowerDNS (the best known) |
@alejandro | in the proprietary world, we have ATLAS and UltraDNS |
@alejandro | we use BIND 8, BIND 9 and NSD |
@alejandro | the TLD servers use these |
@alejandro | and I'm not going to talk about TinyDNS or DJBDNS |
@alejandro | at the end of the talk, I'm going to leave a better version of the slides |
@alejandro | I changed the format and it's hard to read |
@alejandro | on slide 19 |
@alejandro | we can see an important configuration element |
@alejandro | related to the choice of SOA parameters |
@alejandro | written in the RFC 1912 recommendation |
@alejandro | and related to the DNS Reporter service |
@alejandro | now, in discussion with other operators and looking at other documents |
@alejandro | this RFC is considered old |
@alejandro | (around 1999) |
@alejandro | domains with strange letters are named IDN (International Domain Names) |
@alejandro | and the technology that makes it possible is named IDNA (IDN for Applications) |
@alejandro | the applications convert the domain with extended characters |
@alejandro | into a label allowed by the protocol |
@alejandro | using ACE |
@alejandro | well, I need to focus on the talk, we don't have more time |
@alejandro | the recommendations in the talk are: |
@alejandro | 1) Be sure the zone is correct before loading it |
@alejandro | (slide 20) |
@alejandro | 2) Choose the secondaries well (slide 22) |
@alejandro | not depending on the same place, link or network |
@alejandro | there are some TLDs that need to be in different autonomous systems |
@alejandro | 3) Prefer diversification of software / platform / hardware |
@alejandro | and operating systems: we are using Linux, FreeBSD, HP/UX on our .CL servers |
@alejandro | if you want to protect your domain, make it management |
@alejandro | s/it/IT |
@alejandro | Security: Use ACLs |
@alejandro | (slide 25 talks about protecting BIND) |
@alejandro | using TSIG |
@alejandro | validate the zone transfers, so you can restrict access to a zone not by IP but by cryptographic keys. |
@alejandro | slides 26 and 27 |
@alejandro | are related to the TLDs that need servers in different networks and ASNs, like the German and French ones |
@alejandro | and another useful element: notify |
@alejandro | it reduces the time between a change happening on the primary and the secondaries having a copy |
@alejandro | with the IXFR feature, which lets you transfer only the zone differences |
@alejandro | not the full zone |
@alejandro | we use IXFR for the CL zone and we reduced the convergence time by more than 90% |
@alejandro | and problem diagnosis (slide 30) |
@alejandro | the last three slides are about explaining DIG and understanding its output. |
@alejandro | on slide 32, it's important to know the meaning of the flags, the bits that indicate the kind of answer. |
@alejandro | thanks everybody |
@alejandro | probably I would need a full day to talk about everything related to DNS |
@alejandro | * alejandro (alejandro@78.Red-80-35-162.staticIP.rima-tde.net) Quit (Quit: Leaving) |