pqr57: / > dig SOA us.company.com
; <<>> DiG 9.6.1-P3 <<>> SOA us.company.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1763
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;us.company.com. IN SOA
;; ANSWER SECTION:
us.company.com. 10800 IN SOA ns.company.com. hostmaster.company.com. 2014031222 21600 3600 1209600 900
;; AUTHORITY SECTION:
us.company.com. 10800 IN NS deeyenyes4.us.company.com.
us.company.com. 10800 IN NS deeyenyes3.us.company.com.
us.company.com. 10800 IN NS deeyenyes1.us.company.com.
us.company.com. 10800 IN NS deeyenyes2.us.company.com.
;; ADDITIONAL SECTION:
deeyenyes3.us.company.com. 10800 IN A 134.10.170.73
deeyenyes2.us.company.com. 10800 IN A 170.32.239.82
deeyenyes1.us.company.com. 10800 IN A 132.31.209.91
deeyenyes4.us.company.com. 10800 IN A 152.185.12.172
;; Query time: 5 msec
;; SERVER: 132.31.209.91#53(132.31.209.91)
;; WHEN: Wed Mar 12 23:04:44 2014
;; MSG SIZE rcvd: 221
pqr57.us.company.com: / > dig www.google.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.0.2.el6 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32709
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 245 IN A 74.125.28.147
www.google.com. 245 IN A 74.125.28.106
www.google.com. 245 IN A 74.125.28.104
www.google.com. 245 IN A 74.125.28.105
www.google.com. 245 IN A 74.125.28.103
www.google.com. 245 IN A 74.125.28.99
;; AUTHORITY SECTION:
google.com. 24 IN NS ns3.google.com.
google.com. 24 IN NS ns4.google.com.
google.com. 24 IN NS ns2.google.com.
google.com. 24 IN NS ns1.google.com.
;; ADDITIONAL SECTION:
ns3.google.com. 19 IN A 216.239.36.10
ns1.google.com. 19 IN A 216.239.32.10
ns4.google.com. 19 IN A 216.239.38.10
ns2.google.com. 19 IN A 216.239.34.10
;; Query time: 2 msec
;; SERVER: 120.95.239.92#53(130.35.249.52)
;; WHEN: Thu Mar 13 00:01:41 2014
;; MSG SIZE rcvd: 264
pqr57.us.company.com: / > dig www.cnn.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.0.2.el6 <<>> www.cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22468
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 7, ADDITIONAL: 8
;; QUESTION SECTION:
;www.cnn.com. IN A
;; ANSWER SECTION:
www.cnn.com. 391 IN CNAME www.cnn.com.vgtf.net.
www.cnn.com.vgtf.net. 45 IN CNAME cnn-56m.gslb.vgtf.net.
cnn-56m.gslb.vgtf.net. 195 IN A 157.166.249.10
cnn-56m.gslb.vgtf.net. 195 IN A 157.166.249.11
cnn-56m.gslb.vgtf.net. 195 IN A 157.166.248.11
cnn-56m.gslb.vgtf.net. 195 IN A 157.166.248.10
;; AUTHORITY SECTION:
gslb.vgtf.net. 571 IN NS ns1.p42.dynect.net.
gslb.vgtf.net. 571 IN NS ns5.timewarner.net.
gslb.vgtf.net. 571 IN NS ns3.p42.dynect.net.
gslb.vgtf.net. 571 IN NS ns1.timewarner.net.
gslb.vgtf.net. 571 IN NS ns3.timewarner.net.
gslb.vgtf.net. 571 IN NS ns4.p42.dynect.net.
gslb.vgtf.net. 571 IN NS ns2.p42.dynect.net.
;; ADDITIONAL SECTION:
ns2.p42.dynect.net. 455 IN A 204.13.250.42
ns3.p42.dynect.net. 533 IN A 208.78.71.42
ns3.p42.dynect.net. 233 IN AAAA 2001:500:94:1::42
ns1.timewarner.net. 533 IN A 204.74.108.238
ns3.timewarner.net. 533 IN A 199.7.68.238
ns4.p42.dynect.net. 533 IN A 204.13.251.42
ns1.p42.dynect.net. 533 IN A 208.78.70.42
ns5.timewarner.net. 533 IN A 204.74.109.238
;; Query time: 3 msec
;; SERVER: 133.32.219.82#53(133.32.219.82)
;; WHEN: Thu Mar 13 00:02:59 2014
;; MSG SIZE rcvd: 442
Zones
Domains are designated along organizational boundaries. A single organization can be separated into smaller administrative subdomains. Each subdomain gets its own zone. All of the zones collectively form the entire domain.
DNS configuration files and their descriptions
/etc/sysconfig/named — Set up different configuration and data file directories through this file
/etc/named.conf — The main DNS configuration file. Incorporates data from other files with the include directive
/etc/named-caching-nameserver.conf — A template DNS configuration file for a caching DNS server
/etc/named.rfc1912.zones — Adds appropriate zones for localhost names and addresses
/var/named/chroot/etc/rndc.key — The authentication key required to support requests to the DNS server
/var/named/my.internal.zone.db — The zone file for the local network
/var/named/slaves/my.slave.internal.zone.db — The zone file for a slave DNS server
/var/named/slaves/my.ddns.internal.zone.db — The zone file for a dynamic DNS server
/var/named/localdomain.zone — The zone file for the localhost’s domain
/var/named/localhost.zone — The zone file for the localhost computer
/var/named/named.broadcast — A broadcast record for the localhost
/var/named/named.ca — A list of root DNS servers on the Internet
/var/named/named.local — A reverse zone record for the localhost
/var/named/named.ip6.local — An IPv6 version of named.local
/var/named/named.zero — Defaults to the broadcast record for the localhost
/var/named/data/named.stats.txt — Statistics from your DNS server, only available after DNS is active
Resource records
Each site maintains one or more pieces of the distributed database that makes up the worldwide DNS system. Your piece of the database consists of text files that contain records for each of your hosts; these are known as resource records. Each record is a single line consisting of a name (usually a hostname), a record type, and some data values.
pqr520 IN A 10.145.73.21
IN MX 10 mailserver.company.com
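A small zone-file reader, added here as an example and not part of the original post, that applies the two rules the fragment above relies on: a record with a blank owner inherits the owner of the previous record, and any name without a trailing dot has the zone origin appended (which is why the MX target below ends up under us.company.com). The $ORIGIN of us.company.com. and the default TTL are assumptions; the fragment is the page's two records, indented as a zone file would have them.

```python
# Constructed input: the two records from the page, with the second one
# indented the way a zone file writes a record that reuses the previous owner.
FRAGMENT = """\
pqr520 IN A 10.145.73.21
       IN MX 10 mailserver.company.com
"""
ORIGIN = "us.company.com."   # assumed $ORIGIN; the page does not state one
CLASSES = {"IN", "CH", "HS"}

def absolute(name, origin):
    """Append the origin to relative names; '@' means the origin itself."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin, default_ttl=3600):
    """Return (owner, ttl, type, rdata) tuples for each record in a zone fragment."""
    records, owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]            # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if raw[0].isspace():                    # blank owner: reuse the previous one
            if owner is None:
                raise ValueError("record with no owner before any named record")
        else:
            owner = absolute(fields.pop(0), origin)
        ttl = default_ttl
        if fields and fields[0].isdigit():      # optional TTL
            ttl = int(fields.pop(0))
        if fields and fields[0].upper() in CLASSES:   # optional class
            fields.pop(0)
        rtype, rdata = fields[0].upper(), fields[1:]
        # Domain names inside rdata are relative to the origin too: a missing
        # trailing dot on an MX or NS target is the classic zone-file mistake.
        if rtype == "MX":
            rdata = [rdata[0], absolute(rdata[1], origin)]
        elif rtype in ("CNAME", "NS", "PTR"):
            rdata = [absolute(rdata[0], origin)]
        records.append((owner, ttl, rtype, " ".join(rdata)))
    return records

if __name__ == "__main__":
    for rec in parse_zone(FRAGMENT, ORIGIN):
        print(rec)
```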
Name servers
A name server performs several chores:
- It answers queries about your site’s hostnames and IP addresses
- It asks about both local and remote hosts on behalf of your users
- It caches the answers to queries so that it can answer faster next time
- It transfers data between your name servers to keep them synchronized
Recursive and nonrecursive servers
Name servers are either recursive or nonrecursive. If a nonrecursive server has the answer to a query cached from a previous transaction or is authoritative for the domain to which the query pertains, it provides an appropriate response. Otherwise, instead of returning a real answer, it returns a referral to the authoritative servers of another domain that are more likely to answer. A client of a nonrecursive server must be prepared to accept and act on referrals.
Although nonrecursive servers may seem lazy, they usually have a good reason not to take on extra work. Authoritative-only servers (e.g., root servers and top-level domain servers) are all nonrecursive, but since they may process tens of thousands of queries per second, we can excuse them for cutting corners.
A recursive server returns only real answers and error messages.
For security reasons, an organization’s externally accessible name servers should always be nonrecursive. Recursive name servers that are visible to the world may be vulnerable to cache poisoning attacks.
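Added example (not from the original post): a parser for the dig header line that tells the three behaviours described above apart, fed with the flags lines from this page's sessions plus one constructed referral. It also reports an authoritative server that advertises `ra` (recursion available), the combination the text says externally reachable servers should not have; the first session above is exactly such a server.

```python
import re
from dataclasses import dataclass

# Header lines copied from the dig sessions on this page, plus one constructed
# referral: a nonrecursive server that is not authoritative answers with no
# ANSWER records and only AUTHORITY (NS) records pointing elsewhere.
SAMPLES = {
    "us.company.com SOA": "flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4",
    "www.google.com A": "flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 4",
    "constructed referral": "flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4",
}

FLAGS_RE = re.compile(
    r"flags:\s*(?P<flags>[a-z ]*);\s*QUERY:\s*\d+,\s*ANSWER:\s*(?P<an>\d+),"
    r"\s*AUTHORITY:\s*(?P<ns>\d+),\s*ADDITIONAL:\s*\d+"
)

@dataclass(frozen=True)
class DigHeader:
    flags: frozenset      # e.g. {"qr", "aa", "rd", "ra"}
    answer: int           # record count in the ANSWER section
    authority: int        # record count in the AUTHORITY section

def parse_header(line: str) -> DigHeader:
    m = FLAGS_RE.search(line)
    if not m:
        raise ValueError("not a dig flags line: " + line)
    return DigHeader(frozenset(m["flags"].split()), int(m["an"]), int(m["ns"]))

def classify(h: DigHeader) -> str:
    """Which of the three response kinds from the text this header represents."""
    if "aa" in h.flags:
        return "authoritative"          # the server owns the zone
    if h.answer == 0 and h.authority > 0:
        return "referral"               # nonrecursive server pointing at better servers
    if "ra" in h.flags:
        return "recursive"              # a resolver answered from cache or by recursing
    return "unknown"

def recursion_exposed(h: DigHeader) -> bool:
    """True when an authoritative server also offers recursion to its clients."""
    return "aa" in h.flags and "ra" in h.flags

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        h = parse_header(line)
        print(f"{label:22} {classify(h):14} recursion offered by authoritative server: {recursion_exposed(h)}")
```

Run it against the header of your own external servers: any line that prints "authoritative" together with True is a server to reconfigure.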
The SOA record
An SOA (Start of Authority) record marks the beginning of a zone, a group of resource records located at the same place within the DNS namespace. The data for a DNS domain usually includes at least two zones: one for translating hostnames to IP addresses, called the forward zone, and others that map IP addresses back to hostnames, called reverse zones.
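As an added example (not the post's own code), the SOA answer from the dig session at the top of the page decoded into its named fields, with the serial read as the YYYYMMDDnn convention it appears to follow (it matches the session date of 12 March 2014) and the timers checked against the ordering and the two-week minimum expire that RFC 1912 section 2.2 recommends.

```python
from dataclasses import dataclass
from datetime import datetime

# The SOA answer line exactly as dig printed it on this page.
SOA_LINE = ("us.company.com. 10800 IN SOA ns.company.com. hostmaster.company.com. "
            "2014031222 21600 3600 1209600 900")

@dataclass
class SOA:
    zone: str
    mname: str        # primary master name server
    rname: str        # responsible mailbox; the first label is the local part
    serial: int       # must increase on every change so slaves notice it
    refresh: int      # seconds a slave waits before checking the master
    retry: int        # seconds between retries after a failed refresh
    expire: int       # seconds after which a slave stops serving stale data
    minimum: int      # negative-caching TTL (RFC 2308 semantics)

def parse_soa(line: str) -> SOA:
    """Parse a presentation-format SOA line: name TTL class SOA mname rname + 5 numbers."""
    f = line.split()
    if len(f) != 11 or f[3] != "SOA":
        raise ValueError("not an SOA presentation line")
    return SOA(f[0], f[4], f[5], *map(int, f[6:11]))

def rname_to_email(rname: str) -> str:
    """hostmaster.company.com. -> hostmaster@company.com"""
    local, _, domain = rname.rstrip(".").partition(".")
    return f"{local}@{domain}"

def serial_date(serial: int):
    """Decode a YYYYMMDDnn serial to (date, revision); None if it is not of that form."""
    s = str(serial)
    if len(s) != 10:
        return None
    try:
        return datetime.strptime(s[:8], "%Y%m%d").date(), int(s[8:])
    except ValueError:
        return None

def timer_problems(soa: SOA) -> list:
    """Sanity checks in the spirit of RFC 1912 section 2.2: retry < refresh < expire."""
    problems = []
    if soa.retry >= soa.refresh:
        problems.append("retry should be smaller than refresh")
    if soa.expire <= soa.refresh:
        problems.append("expire must exceed refresh")
    if soa.expire < 14 * 86400:
        problems.append("expire below two weeks risks slaves dropping the zone during an outage")
    return problems
```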
NS records
NS (Name Server) records identify the servers that are authoritative for a zone (that is, all the master and slave servers) and delegate subdomains to other organizations. NS records are usually placed directly after the zone’s SOA record.
A record
A records are the heart of the DNS database. They provide the mapping from hostnames to IP addresses that was formerly specified in the /etc/hosts file on local machines. A host usually has one A record for each of its network interfaces.
PTR records
PTR (Pointer) records map from IP addresses back to hostnames. Reverse mapping records live under the in-addr.arpa domain and are named with the bytes of the IP address in reverse order.
MX records
The mail system uses MX records to route mail more efficiently. An MX record pre-empts the destination specified by the sender of a message, in most cases directing the message to a hub at the recipient’s site.