Chapter 10
It is improbable that an ordinary client would use a port other than port 53, since it is not aware that ports 7053 and 8053 exist.

A DNS proxy runs on the firewall on the standard name server port 53. The DNS proxy identifies the source of each query and, based on its origin, either refuses the query or hands it over to the name server on port 7053 or to the name server on port 8053. If the queries come from:

• An Internet client, they are handed over to the Internet name server (port 7053 in the figure).
• An intranet client, there are two cases. Firstly, any request for a translation in the company.com domain is handed over to the intranet name server (port 8053). Secondly, any request for a translation in a different Internet domain is left to the DNS proxy, which decides:
  o If we want Internet names to be translated on the intranet, the request is handed over to the Internet name server (port 7053).
  o If we do not want other Internet domains to be translated on the intranet, the proxy gives a negative response. What is interesting here is that if we do not have other (for example, secondary) name servers, we do not even need the intranet root name server: the negative response is issued directly by the DNS proxy.
• An application running on the firewall (such as a proxy), a request for the company.com domain is handed over to the intranet name server (port 8053), and a request for any other domain is handed over to the Internet name server (port 7053).
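The proxy's routing decision described above, written out as an added Python example that is not part of the book: the ports 7053 and 8053 and the company.com domain come from the chapter, while the intranet address ranges, the firewall's own address and all function names are assumptions.

```python
import ipaddress

# Ports and the internal domain are taken from the chapter.
INTERNET_NS_PORT = 7053      # name server holding the Internet view
INTRANET_NS_PORT = 8053      # name server holding the company.com (intranet) view
INTERNAL_DOMAIN = "company.com"

# Assumed address plan: which sources count as "intranet" and which as the firewall itself.
INTRANET_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
FIREWALL_ADDRS = {ipaddress.ip_address("127.0.0.1")}   # proxies running on the firewall


def _normalize(qname):
    """Lower-case and strip the trailing dot so 'Mail.Company.COM.' matches company.com."""
    return qname.rstrip(".").lower()


def in_internal_domain(qname):
    """True for company.com and its subdomains, but not for e.g. notcompany.com."""
    name = _normalize(qname)
    return name == INTERNAL_DOMAIN or name.endswith("." + INTERNAL_DOMAIN)


def classify_source(src_ip):
    """Where the query came from: 'firewall', 'intranet' or 'internet'."""
    ip = ipaddress.ip_address(src_ip)
    if ip in FIREWALL_ADDRS:
        return "firewall"
    if any(ip in net for net in INTRANET_NETS):
        return "intranet"
    return "internet"


def route_query(src_ip, qname, resolve_internet_for_intranet=True):
    """Return ('forward', port) or ('negative', None), following the chapter's rules."""
    source = classify_source(src_ip)
    if source == "internet":
        # Internet clients are always served by the Internet name server.
        return ("forward", INTERNET_NS_PORT)
    if in_internal_domain(qname):
        # Intranet clients and firewall applications get company.com from the intranet server.
        return ("forward", INTRANET_NS_PORT)
    if source == "firewall" or resolve_internet_for_intranet:
        return ("forward", INTERNET_NS_PORT)
    # Policy says intranet clients may not resolve other Internet domains:
    # the proxy answers negatively itself, no root server needed.
    return ("negative", None)
```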
10.4 End Remarks
In this book, we learned about DNS principles, resolver configuration, and the configuration of various name servers. You must have realized that domain registration and delegation are altogether quite easy. However, in spite of its comprehensibility, the DNS is often a source of problems for ordinary computer users.

The correct diagnosis of computer problems is similar to a correct medical diagnosis. In both cases, it is important not only to reach the correct diagnosis, but also to do so in the minimum time. We can suspect mistakes in a DNS configuration if a user complains either that his or her computer does not communicate at all or, more often, that the communication seems slow from time to time even though the network infrastructure is fast.

In such cases, if a user asks you for help, you should sit down in front of the user's computer, run the command prompt (never mind whether it is a UNIX or a Windows machine), and find out the following:
1. … IP address of the DNS server of your Internet Service Provider). If the TCP/IP protocol stack is installed, the best method to do this is to type the ipconfig command (in Windows) or ifconfig (in UNIX).
2. Test the connection to the default gateway with the command ping <IP address of default gateway>. If the default gateway is accessible, simply type the ping command along with the IP address of the DNS server. If the default gateway or the DNS server does not respond, it is not a DNS problem but a problem of the network infrastructure.
3. If the DNS server is placed outside your local network, you should also verify the quality of the network connection with the help of the ping command, now with the parameter -t (in Windows only). Let the command run for a while, stop it, and look at its statistics. If more than 10% of the packets are lost, the problem is again in the network infrastructure.
4. Now you can focus on the DNS, because the problem is probably there. Checking this is very simple: type the ping command, not with the IP address of the DNS server, but with its name. The response must be as fast as when you use the IP address. If it is not, check the resolver configuration.
5. Now you can check whether the DNS translation of the name of some remote server in the Internet to its IP address works. Be aware that well-known Internet servers are usually configured not to respond to the ping command; you must use the tracert command (traceroute in UNIX) instead.
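Steps 2 to 5 above automated on a UNIX host, as an added Python example that is not from the book: the gateway, the DNS server's address and name, and a well-known remote host are passed in (the book obtains the first two with ifconfig or ipconfig); the 10% loss rule is the book's, while the one-second slack for the name-versus-address comparison and all function names are assumptions.

```python
import re
import subprocess
import time

LOSS_RE = re.compile(r"([\d.]+)% packet loss")                       # ping statistics line
TRACE_RE = re.compile(r"traceroute to \S+ \((\d+\.\d+\.\d+\.\d+)\)")  # traceroute header line


def packet_loss_pct(ping_output):
    """Loss percentage from ping's statistics line, or None when there are no statistics."""
    m = LOSS_RE.search(ping_output)
    return float(m.group(1)) if m else None


def infrastructure_verdict(ping_output, max_loss=10.0):
    """Book's rule (step 3): more than 10% loss means the network, not DNS, is the problem."""
    loss = packet_loss_pct(ping_output)
    if loss is None:
        return "unreachable"
    return "infrastructure" if loss > max_loss else "ok"


def resolver_verdict(seconds_by_ip, seconds_by_name, slack=1.0):
    """Step 4: a reply for the server's name must come back about as fast as for its address."""
    return "resolver" if seconds_by_name - seconds_by_ip > slack else "ok"


def translated_address(traceroute_output):
    """Step 5: the address traceroute resolved the name to, or None if it could not."""
    m = TRACE_RE.search(traceroute_output)
    return m.group(1) if m else None


def timed_ping(target, count):
    start = time.monotonic()   # assumes a ping that accepts -c (Linux/BSD)
    out = subprocess.run(["ping", "-c", str(count), target], capture_output=True, text=True)
    return time.monotonic() - start, out.stdout


def diagnose(gateway, dns_ip, dns_name, remote_name):
    if infrastructure_verdict(timed_ping(gateway, 3)[1]) != "ok":          # step 2
        return "infrastructure: default gateway does not answer"
    verdict = infrastructure_verdict(timed_ping(dns_ip, 20)[1])            # step 3
    if verdict != "ok":
        return "infrastructure: DNS server " + verdict
    t_ip, _ = timed_ping(dns_ip, 1)                                        # step 4
    t_name, _ = timed_ping(dns_name, 1)
    if resolver_verdict(t_ip, t_name) != "ok":
        return "resolver: lookup of the name is slow, check the resolver configuration"
    tr = subprocess.run(["traceroute", "-m", "1", remote_name], capture_output=True, text=True)
    addr = translated_address(tr.stdout + tr.stderr)                        # step 5
    return "ok, %s -> %s" % (remote_name, addr) if addr else "dns: cannot translate " + remote_name
```

Call diagnose() with the values found in step 1, for example diagnose("192.0.2.1", "192.0.2.53", "ns.example.net", "www.example.com"); the constructed addresses are from the documentation ranges.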
If you have passed all the previous steps successfully, verify whether the response is faster when using the IP address than when using the DNS name. If both responses are equally fast, the problem is neither in the network infrastructure nor in DNS; it is then not on the client side but on the server (application) side (for example, the DNS configuration of the application server is wrong). You probably think that the problems described above are too shallow for you, but you should realize that DNS problems can be found at different levels:
• Ordinary users: Their computers either run or not, and they are usually ignorant about DNS.
• Local administrators: They configure users' computers and should understand the basic DNS principles.
• Local name server administrators (local hostmasters): They must understand the DNS configuration and principles in detail.
• ISP hostmasters: They must know not only about DNS configuration, but also about communication with the Internet registries.
• Internet Registry hostmasters: Detailed DNS knowledge is essential, but in this case it is more a matter of policy than of DNS administration.
Dear reader, we do not know which level you belong to, but we wish you good luck and success in your work, and we hope that this publication was useful to you.
Appendix A
Country Codes and RIRs
The information included in this appendix comes from http://www.ripe.net/. TLDs for individual countries are assigned in accordance with ISO 3166 (http://www.iso.org/iso/en/prods-services/iso3166ma/02iso-3166-code-lists/index.html). However, if you look at the following table of assigned ccTLDs and compare it with ISO 3166, you will find that a significantly greater number of ccTLDs are delegated. For example, the United Kingdom has a number of domains assigned for its territories (GB, GI, JE, FK, and so on).
(Only the following rows of the ccTLD table survive in this copy.)

Country                                        ccTLD  RIR
BARBADOS                                       BB     ARIN
CONGO, THE DEMOCRATIC REPUBLIC OF THE          CD     AfriNIC
GREENLAND                                      GL     RIPE NCC
KOREA, DEMOCRATIC PEOPLE'S REPUBLIC OF         KP     APNIC
MACEDONIA, THE FORMER YUGOSLAV REPUBLIC OF     MK     RIPE NCC
NETHERLANDS                                    NL     RIPE NCC
SOUTH GEORGIA AND THE SOUTH SANDWICH ISLANDS   GS     LACNIC
TRINIDAD AND TOBAGO                            TT     LACNIC
UNITED STATES MINOR OUTLYING ISLANDS           UM     ARIN
European TLD managers have created a common body called the Council of European National Top-Level Domain Registries (CENTR). For more detailed information, see http://www.centr.org/.