00-dark - ZYTRAX


Module 2
Zone Files

Objectives

- Understand the idea of a zone and how it relates to a domain name
- Understand zone file structure
- Understand the major Resource Records (RRs) used to create zone files
- Understand IPv4 Reverse Mapping
- Understand which zone files are required
DNS – Zone Files

- Domain = Zone (strictly: a zone is the part of a domain that one set of authoritative servers serves; a delegated sub-domain is a separate zone)
- A zone file is a textual description of the Resource Records (RRs) that describe the domain, such as Name Servers, Mail Servers, services and hosts, plus directives
- Forward mapping translates a name into an IP address or another name
- Reverse mapping translates an IP address into a name
- The authoritative server for the domain (zone) loads the zone files
DNS Zone File

; IPv4 zone file for example.com
$TTL 2d ; default TTL for zone
$ORIGIN example.com. ; base domain-name
; Start of Authority record defining the key characteristics of the zone (domain)
@        IN  SOA   ns1.example.com. hostmaster.example.com. (
                   2003080800 ; se = serial number
                   12h        ; ref = refresh
                   15m        ; ret = update retry
                   3w         ; ex = expiry
                   2h         ; min = minimum
                   )
; name servers Resource Records for the domain
         IN  NS    ns1.example.com.
; the second name server is
; external to this zone (domain).
         IN  NS    ns2.example.net.
; mail server Resource Records for the zone (domain)
     3w  IN  MX    10 mail.example.com.
; the second mail server has lower priority and is
; external to the zone (domain)
         IN  MX    20 mail.example.net.
; domain hosts includes NS and MX records defined previously
; plus any others required
ns1      IN  A     192.168.254.2
mail     IN  A     192.168.254.4
joe      IN  A     192.168.254.6
www      IN  A     192.168.254.7
; aliases ftp (ftp server) to an external location
ftp      IN  CNAME ftp.example.net.
DNS - Forward Mapping: example.com

- SOA RR defines the apex of the zone and its general properties
- NS RRs define the name servers (DNS) which are authoritative
- MX RRs define the mail servers
- CNAME RRs define aliases
- A (IPv4) and AAAA (IPv6) define IP addresses
- TXT RRs are general text records (used for SPF, DKIM and similar)
RRs – Generic Format

name ttl class type parameters

- name or label identifies the record externally, for instance, www
- ttl (Time-to-Live) defines how long the RR may be cached, in seconds
- class = IN = Internet
- type of RR, for example, MX
- One or more type-specific parameters
- TTL and Class can be omitted (the TTL then comes from $TTL, the class defaults to IN)
Zone Directives

- All start with $
- $TTL time-in-seconds: default Time-to-Live for the zone in seconds
- $ORIGIN FQDN.: base domain (zone) name
- $INCLUDE file-name: include another file here
- Comments start with ;
$TTL Zone Directive

- The default Time-to-Live in seconds if there is no TTL value on the RR
- 172800 = 2 days
- Takes short forms in BIND: m, h, d, w
- 172800 = 2d or 48h
- $TTL 1d2h3m = 93780
- Must appear before any RR (first)
DNS - TTL

- Only used by caching name servers (resolvers)
- Slaves use the SOA timers (refresh, retry, expiry) instead
- Determines the time the RR can be held in a cache before being refreshed
- Value in seconds (think in hours)
- 0 = never cache (dangerous: every query goes to the authoritative servers)
- Determines DNS change propagation time: a change is only guaranteed to be seen everywhere once the old RR's TTL has run out in every cache

$ORIGIN Directive

- Defines a label (name) that will be used to complete all non-FQDN names
- Parameter must be an FQDN, i.e. it terminates with a dot: $ORIGIN example.com.
- Optional - defaults to the zone name from the name server's configuration
- Usage illustrated later

File layout rules

- Comments begin with ;  e.g.  ; IPv4 zone file for example.com
- Name @ = $ORIGIN
- Blank or TAB in the name field = the last name used (the SOA's @, i.e. $ORIGIN, at the top of the file)
- Parameters continued in parentheses ( )

@        IN  SOA   ns1.example.com. hostmaster.example.com. (
                   2003080800 ; se = serial number
                   12h        ; ref = refresh
                   15m        ; ret = update retry
                   3w         ; ex = expiry
                   2h         ; min = minimum
                   )
DNS – Substitution Rule

If any name (label) in a zone file is not an FQDN (does not end in a dot) the current value of $ORIGIN is appended to the end of the name (label). This applies to names on the right-hand side (NS, MX, CNAME, PTR and SOA targets) just as much as to owner names on the left.
DNS - SOA RR

SOA pmns mail sn refresh retry expiry min

- SOA defines the start of the zone and must be the first non-directive entry
- pmns = Primary Master Name Server: one of the authoritative name servers OR, if DDNS is used, the NS which will receive the updates
- Spec. name is MNAME
DNS - SOA RR

SOA pmns mail sn refresh retry expiry min

- mail = mailbox of the DNS administrator or tech contact
- Format is all dot separated: the @ of the mail address is written as a dot, so hostmaster.example.com (recommended) = hostmaster@example.com. A dot inside the local part must be escaped: john\.smith.example.com. = john.smith@example.com
- Can be very important: it is the contact the outside world uses when your zone misbehaves, so it should be a monitored mailbox
- Spec name is RNAME
DNS - SOA RR

SOA pmns mail sn refresh retry expiry min

- sn = serial number of zone contents
- Unsigned 32-bit number (maximum 4294967295, at most 10 digits)
- Usage typically YYYYMMDDSS: YYYY = year, MM = month, DD = day, SS = sequence number (00-99, so up to 100 changes per day)
- MUST increment every time zone contents change
- Slave reads the master's SOA and compares the serial number using serial-number arithmetic (RFC 1982): only a serial that is newer triggers a transfer, so a serial that goes backwards (or is not incremented) leaves the slaves stale
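The comparison a slave performs, plus a YYYYMMDDSS generator and the standard two-step fix for a serial that was set too high, as an added example (Python, not part of the ZYTRAX course). The serial values used are the slide's 2003080800 and constructed variants of it; the "too high" value 2030080800 is invented for the demonstration.

```python
"""SOA serial handling, added as an example (not ZYTRAX course code): RFC 1982
serial-number arithmetic, which is how a slave decides whether the master's
copy is newer, a YYYYMMDDSS generator, and the two-step recovery used when a
serial has been set too high by mistake."""
import datetime

MOD = 2 ** 32            # serials are unsigned 32-bit: 0 .. 4294967295
HALF = 2 ** 31


def serial_gt(a, b):
    """True when serial a is newer than b (RFC 1982): (a - b) mod 2^32 in 1..2^31-1.
    A difference of exactly 2^31 is undefined and is reported as not newer."""
    return 0 < (a - b) % MOD < HALF


def slave_should_transfer(slave_serial, master_serial):
    """At refresh time the slave fetches the master's SOA and only starts an
    AXFR/IXFR if the master's serial is newer. Equal or older means no transfer,
    which is why a forgotten increment silently leaves every slave stale."""
    return serial_gt(master_serial, slave_serial)


def next_serial(current, today=None):
    """Next YYYYMMDDSS serial. `today` is an int such as 20030808 (defaults to
    the real date). Edits on the same day count up ...00, ...01, ...02; more
    than 100 edits in a day spill into the next day's range, which is harmless
    because the value still only ever increases."""
    if today is None:
        today = int(datetime.date.today().strftime("%Y%m%d"))
    base = today * 100
    return current + 1 if current >= base else base


def rollback_steps(bad, wanted):
    """Recover from a serial set too high (e.g. 2030... instead of 2003...)
    without rebuilding every slave: first publish bad + 2^31 - 1, wait until
    all slaves have transferred it, then publish the wanted value. Both steps
    are 'newer' in RFC 1982 terms, so the slaves follow along."""
    step = (bad + HALF - 1) % MOD
    if not (serial_gt(step, bad) and serial_gt(wanted, step)):
        raise ValueError("wanted serial is not reachable in two steps")
    return [step, wanted]
```

The wrap-around in serial_gt is what makes the rollback work: 2003080900 is arithmetically smaller than 4177564447 but, being less than 2^31 below it modulo 2^32, counts as newer.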
DNS - SOA RR

SOA pmns mail sn refresh retry expiry min

- refresh = time after which the Slave will start to refresh the zone from the Master (AXFR, IXFR)
- retry = time between failed attempts to refresh the zone
- expiry = time after which the Slave will stop answering queries for the zone if the Master has not been reached
- min = time a negative answer (NXDOMAIN, no such name) may be cached (RFC 2308); BIND caps it at 3 hours by default (max-ncache-ttl)
DNS – SOA Example

@        IN  SOA   ns1.example.com. hostmaster.example.com. (
                   2003080800 ; se = serial number
                   12h        ; ref = refresh
                   15m        ; ret = update retry
                   3w         ; ex = expiry
                   2h         ; min = nxdomain ttl
                   )

DNS – SOA Example

$ORIGIN example.com.
@        IN  SOA   ns1 hostmaster (
                   2003080800 ; se = serial number
                   12h        ; ref = refresh
                   15m        ; ret = update retry
                   3w         ; ex = expiry
                   2h         ; min = nxdomain ttl
                   )
; ns1 and hostmaster have no trailing dot, so the substitution rule
; expands them to ns1.example.com. and hostmaster.example.com.
DNS - NS RR

NS name

- NS RRs list all name servers for the domain
- Defined at the zone apex for this zone
- Minimum of two
- In-zone servers will need A or AAAA RRs (glue)
- name = name of an internal or external name server that is authoritative for this domain
- NS RRs appear in the zone (authoritative) and in the parent (point of delegation – not authoritative); the two sets should match
DNS – NS RRs

; name servers Resource Records for the domain
         IN  NS    ns1.example.com.
; could have been
;        IN  NS    ns1
; the second name server is
; external to this zone (domain).
         IN  NS    ns2.example.net.

DNS – NS RRs

$ORIGIN example.com.
; name servers Resource Records for the domain
         IN  NS    ns1.example.com.
         IN  NS    ns1.example.com   ; missing dot
; looks for ns1.example.com.example.com.
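The layout rules, the $TTL short forms, the substitution rule and the missing-dot mistake above are mechanical enough to implement. The reader below is an added example (Python, not ZYTRAX course code): it applies $TTL and $ORIGIN, @, blank owner names, parenthesised continuation lines and ; comments, qualifies every name with the substitution rule, and flags right-hand names that look like a forgotten trailing dot. SAMPLE_ZONE is constructed for the example (it copies the course zone and adds one deliberately missing dot), and the TLD list that lint() uses is an assumed heuristic, not a rule from the slides.

```python
"""Reader for the zone-file layout rules above: $TTL and $ORIGIN directives,
'@', blank owner names, ( ) continuation lines, ; comments and the substitution
rule.  Added example, not ZYTRAX course code; SAMPLE_ZONE is constructed here
and contains one deliberately missing trailing dot."""
import re

SAMPLE_ZONE = """\
$TTL 2d                 ; default TTL for zone
$ORIGIN example.com.    ; base domain-name
@    IN  SOA ns1.example.com. hostmaster.example.com. (
             2003080800 ; serial
             12h        ; refresh
             15m        ; retry
             3w         ; expiry
             2h )       ; min
     IN  NS  ns1.example.com.
     IN  NS  ns2.example.net   ; missing dot -> ns2.example.net.example.com.
  3w IN  MX  10 mail.example.com.
www  IN  A   192.168.254.7
     IN  TXT "a ; inside quotes is not a comment"
"""
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_RE = re.compile(r"\d+|(?:\d+[smhdw])+", re.I)
CLASSES, TLDS = {"IN", "CH", "HS"}, {"com", "net", "org", "edu", "gov", "arpa"}
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}

def parse_ttl(text):
    """BIND TTL syntax: bare seconds or unit suffixes, e.g. '1d2h3m' -> 93780."""
    if not TTL_RE.fullmatch(text):
        raise ValueError(f"bad TTL {text!r}")
    if text.isdigit():
        return int(text)
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", text.lower()))

def qualify(name, origin):
    """Substitution rule: '@' means $ORIGIN; no trailing dot means append $ORIGIN."""
    if origin is None:
        raise ValueError("relative name used before $ORIGIN is known")
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def tokenize(line):
    """Split one physical line: ';' starts a comment unless inside quotes;
    '(' and ')' are dropped but counted so continuation lines can be joined."""
    tokens, cur, quoted, depth = [], "", False, 0
    for ch in line:
        if quoted or ch == '"':
            cur, quoted = cur + ch, not (quoted and ch == '"')
        elif ch == ";":
            break
        elif ch in "() \t":
            if cur:
                tokens.append(cur)
            cur = ""
            depth += {"(": 1, ")": -1}.get(ch, 0)
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens, depth

def parse_zone(text, origin=None):
    """Return [(owner, ttl, class, type, rdata)], names qualified, TTLs in seconds."""
    records, buf, depth, default_ttl, owner = [], [], 0, None, None
    for raw in text.splitlines():
        tokens, delta = tokenize(raw)
        if not buf:
            if not tokens:
                continue
            blank_owner = raw[:1] in (" ", "\t")   # blank name = previous owner
        buf, depth = buf + tokens, depth + delta
        if depth > 0:                              # still inside ( ... )
            continue
        tokens, buf = buf, []
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if not blank_owner:
            owner = qualify(tokens.pop(0), origin)
        if owner is None:
            raise ValueError("blank owner name before any RR")
        ttl, rclass = None, "IN"
        for _ in range(2):                         # TTL and class optional, either order
            if tokens[0].upper() in CLASSES:
                rclass = tokens.pop(0).upper()
            elif TTL_RE.fullmatch(tokens[0]):
                ttl = parse_ttl(tokens.pop(0))
        if ttl is None and default_ttl is None:
            raise ValueError("RR without TTL before any $TTL directive")
        rtype, rdata = tokens[0].upper(), tokens[1:]
        for i in NAME_FIELDS.get(rtype, []):
            rdata[i] = qualify(rdata[i], origin)
        if rtype == "SOA":
            rdata[2:] = [parse_ttl(t) for t in rdata[2:]]   # serial and four timers
        records.append((owner, default_ttl if ttl is None else ttl, rclass, rtype, rdata))
    return records

def lint(records, origin):
    """Forgotten-dot heuristic: the label just before the appended origin is a TLD."""
    return [(owner, rtype, f) for owner, _, _, rtype, rdata in records for f in rdata
            if isinstance(f, str) and f.endswith("." + origin)
            and f[: -len(origin) - 1].split(".")[-1] in TLDS]
```

Run parse_zone(SAMPLE_ZONE) and the second NS comes back as ns2.example.net.example.com., exactly the name a real server would try to contact; lint(records, "example.com.") reports it. The reader deliberately refuses an RR with no TTL before $TTL, matching the rule that $TTL must come first.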
DNS - MX RR

MX priority name

- MX RRs list all incoming mail servers for the domain
- Defined at the zone apex for this zone
- One or more
- priority = relative priority of the defined server (low is most important). Value = 0 – 65535
- name = name of an internal or external mail server for this domain; it must be a host name with A/AAAA RRs, not a CNAME
- In-zone servers will have A or AAAA RRs
DNS – MX RRs

; mail server Resource Records for the zone (domain)
     3w  IN  MX    10 mail.example.com.
; the second mail server has lower priority and is
; external to the zone (domain) - backup
         IN  MX    20 mail.example.net.

- 3w = explicit TTL for this RR (overrides $TTL)
- Priority 10 rather than 0 simply leaves room: a more important mail server (say priority 5) can be added later with only one change
DNS - A RR

A IPv4-address

- A RRs list all visible hosts for the zone (domain)
- Must include the in-zone NS and MX targets plus others
- IPv4-address = standard dotted quad address (an address, not a name)

DNS - AAAA RR

AAAA IPv6-address

- AAAA RRs list all visible IPv6 hosts for the zone (domain)
- Mixed with A RRs
- Both A and AAAA if dual stacked
- IPv6-address = standard colon separated address (an address, not a name)
DNS – A RRs

; domain hosts includes NS and MX records defined
; previously plus any others required
ns1      IN  A     192.168.254.2
mail     IN  A     192.168.254.4
joe      IN  A     192.168.254.6
www      IN  A     192.168.254.7
DNS - CNAME RR

CNAME canonical-name

- CNAME RRs map an alias name to a canonical (real) name, one that has A or AAAA RRs
- May point to a host name in-zone or out-of-zone
- canonical-name = real name of host
- CNAME costs an extra lookup step to reach the address
- A name that owns a CNAME may own no other RR (RFC 1034), so a CNAME cannot be used at the zone apex (which has the SOA and NS) and cannot be the target of an NS or MX
- Alternate is to use multiple A or AAAA RRs
DNS – CNAME RRs

; aliases ftp (ftp server) to an external location
ftp      IN  CNAME ftp.example.net.
; very common use of CNAME
mail     IN  A     192.168.2.3
www      IN  CNAME mail
; alternate – functionally identical
mail     IN  A     192.168.2.3
www      IN  A     192.168.2.3
DNS - TXT RRs

TXT text

- TXT RRs may be used to contain any text
- Externally visible
- Used to publish Sender Policy Framework (SPF) records (a dedicated SPF RR type was also defined, but RFC 7208 discontinued it; publish SPF in TXT)
- Used to publish DKIM public keys
- text = enclosed in quotes
DNS – TXT RRs

; uses of TXT
ftp      IN  CNAME ftp.example.net.
         IN  TXT   "Supports FTP and SFTP"
; NOTE: the pair above is invalid as written: a name that owns a CNAME may own
; no other RR, and BIND refuses to load the zone. Put the TXT on the canonical
; name (ftp.example.net.) instead.
mail     IN  A     192.168.0.18
mail     IN  TXT   "v=spf1 ip4:192.168.0.3/27 -all"
; SPF is looked up for the domain in the MAIL FROM (and HELO) identity, so
; the same record usually also belongs at the zone apex (@)
; DKIM TXT RR
mail._domainkey   IN  TXT  "v=DKIM1;t=s;p=blah....blah;"
; ADSP TXT RR (ADSP has since been declared Historic; DMARC replaced it)
_adsp._domainkey  IN  TXT  "dkim=discardable;"
DNS – Reverse Mapping

- Maps an IP address to a name
- Domain name hierarchy is right to left – www.example.com
- IP address hierarchy is left to right – 192.168.0.1

Solution

- Remove the last octet (the host part): 192.168.0
- Invert the remaining octets: 0.168.192
- Append in-addr.arpa: 0.168.192.in-addr.arpa
- Define .1 (and the other hosts) in that zone file with PTR RRs
DNS – Reverse Zone File

; simple reverse mapping zone file for example.com
$TTL 2d ; default TTL for zone
$ORIGIN 254.168.192.IN-ADDR.ARPA.
; Start of Authority record defining the key characteristics of the zone (domain)
@        IN  SOA   ns1.example.com. hostmaster.example.com. (
                   2003080800 ; sn = serial number
                   12h        ; refresh
                   15m        ; retry
                   3w         ; expiry
                   2h         ; min = minimum
                   )
; name servers Resource Records for the domain
         IN  NS    ns1.example.com.
; the second name server is
; external to this zone (domain).
         IN  NS    ns2.anotherdomain.com.
; PTR RR maps an IPv4 address to a host name
2        IN  PTR   ns1.example.com.
.....
4        IN  PTR   mail.example.com.
.....
6        IN  PTR   joe.example.com.
7        IN  PTR   www.example.com.
....
DNS - PTR RRs

name PTR name

- PTR RRs map a name (the reversed address under in-addr.arpa) to a name (the host)
- Both left and right hand expressions are names – the left side relies on $ORIGIN
- Right hand name must be an FQDN
- PTR is used for both IPv4 and IPv6
- Separate zone files for IPv4 and IPv6 because the reverse domain names differ
- Reverse map domain for IPv6 is ip6.arpa (one label per hex nibble, reversed)
- Generally only a single name per IP address: several PTRs at one address are legal but make reverse-lookup checks (e.g. by mail receivers) unpredictable
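The reverse-mapping steps above, applied to both in-addr.arpa and ip6.arpa, as an added example (Python, not ZYTRAX course code). It derives the reverse zone origin and PTR label for an address, cross-checks the hand-rolled algorithm against the standard library's reverse_pointer, warns about addresses that would get more than one PTR, and emits one reverse zone file per prefix from forward A/AAAA data. FORWARD is constructed from the course's example.com hosts plus an invented IPv6 address in the 2001:db8::/32 documentation prefix; the /24 (IPv4) and /64 (IPv6) zone sizes are assumptions of the example.

```python
"""Reverse-map names and PTR records from forward A/AAAA data, following the
steps above: drop the host part, reverse the remaining octets (nibbles for
IPv6), append in-addr.arpa / ip6.arpa, and emit one reverse zone per prefix.
Added example, not ZYTRAX course code; FORWARD is constructed here."""
import ipaddress
from collections import defaultdict

FORWARD = [                      # (host FQDN, address) as the A/AAAA RRs give them
    ("ns1.example.com.", "192.168.254.2"),
    ("mail.example.com.", "192.168.254.4"),
    ("joe.example.com.", "192.168.254.6"),
    ("www.example.com.", "192.168.254.7"),
    ("www.example.com.", "2001:db8:0:1::7"),   # invented, documentation prefix
]


def reverse_name(address):
    """Return (reverse zone origin, PTR label) for one address.
    IPv4 assumes a /24 zone: 192.168.254.7 -> ('254.168.192.in-addr.arpa.', '7').
    IPv6 assumes a /64 zone: the first 16 nibbles reversed form the zone, the
    last 16 reversed form the label (one label per hex digit)."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        octets = str(ip).split(".")
        return ".".join(reversed(octets[:3])) + ".in-addr.arpa.", octets[3]
    nibbles = ip.exploded.replace(":", "")          # 32 hex digits, zero padded
    zone = ".".join(reversed(nibbles[:16])) + ".ip6.arpa."
    return zone, ".".join(reversed(nibbles[16:]))


def matches_stdlib(address):
    """Cross-check: label + zone must equal the standard library's reverse_pointer."""
    zone, label = reverse_name(address)
    return f"{label}.{zone}" == ipaddress.ip_address(address).reverse_pointer + "."


def duplicate_ptrs(forward):
    """Addresses that would get more than one PTR. The slides recommend a single
    name per address, so each of these needs a decision on the canonical name."""
    seen = defaultdict(set)
    for host, address in forward:
        seen[address].add(host)
    return {a: sorted(h) for a, h in seen.items() if len(h) > 1}


def build_reverse_zones(forward, ns="ns1.example.com.",
                        hostmaster="hostmaster.example.com.", serial=2003080800):
    """Group PTRs by reverse zone and return {zone origin: zone file text}."""
    zones = defaultdict(list)
    for host, address in forward:
        zone, label = reverse_name(address)
        zones[zone].append((label, host))
    files = {}
    for zone, ptrs in zones.items():
        lines = ["$TTL 2d", f"$ORIGIN {zone}",
                 f"@  IN  SOA  {ns} {hostmaster} ( {serial} 12h 15m 3w 2h )",
                 f"   IN  NS   {ns}"]
        # sort numerically: '7' before '10' for IPv4, nibble by nibble for IPv6
        for label, host in sorted(ptrs, key=lambda p: [int(x, 16) for x in p[0].split(".")]):
            lines.append(f"{label}  IN  PTR  {host}")
        files[zone] = "\n".join(lines) + "\n"
    return files
```

Lower-case in-addr.arpa is used here; the course writes IN-ADDR.ARPA, and the two are the same name because DNS names are case-insensitive.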
DNS – PTR RR

$ORIGIN 254.168.192.IN-ADDR.ARPA.
...
; PTR RR maps an IPv4 address to a host name
2        IN  PTR   ns1.example.com.
.....
4        IN  PTR   mail.example.com.
.....
6        IN  PTR   joe.example.com.
7        IN  PTR   www.example.com.
; could be written as
7.254.168.192.IN-ADDR.ARPA.  IN  PTR  www.example.com.
...
; missing dot
1        IN  PTR   bill.example.com
; maps to bill.example.com.254.168.192.IN-ADDR.ARPA.
....
DNS – Reverse Mapping

- IPv4: optional in the protocol, but mail systems use it to do a reverse lookup of the sending host, so in practice it is essential for any host that sends mail
- IPv6: optional (originally mandatory)
- Always provide a reverse map for the local (loopback) IP address

Zone File – Best Practice

- Comment the file – record the changes made
- Always include $ORIGIN: it is optional and defaults to the name of the zone, but omitting it is bad practice – the file is then not self-documenting
- Use a consistent style: FQDN on right-hand names, or left-hand names, or both
Required Zone Files

- Depends on the name server's function
- Forward and reverse map for the localhost zone: forward domain = localhost, reverse map = 0.0.127.in-addr.arpa
- Hints file if a caching server – points to the root-servers
- Reverse map for any private IPs in use (192.168.x.x, 10.x.x.x, 172.16.x.x – 172.31.x.x), so that lookups for them are answered locally rather than leaking to the public reverse tree
Hints (Root) Zone file

;       last update:    Jan 29, 2004
;       related version of root zone:   2004012900
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
…
Local Host Forward Map

$TTL 86400 ; 24 hours could have been written as 24h or 1d
$ORIGIN localhost.
@   1D  IN  SOA  @ hostmaster (
                 2004022401 ; serial
                 12h        ; refresh
                 15m        ; retry
                 1w         ; expiry
                 3h         ; minimum
                 )
@   1D  IN  NS   @          ; localhost is the name server
    1D  IN  A    127.0.0.1  ; always returns the loop-back address
Alternate Format
$TTL 1d ;
$ORIGIN localhost.
localhost. IN SOA localhost. hostmaster.localhost. (
2002022401 ; serial
3H ; refresh
15M ; retry
1w ; expire
3h ; minimum
)
localhost. IN NS localhost. ; localhost is the name server
localhost. IN A 127.0.0.1 ; the loop-back address
Localhost Reverse Map

$TTL 86400 ; 24 hours
; could use $ORIGIN 0.0.127.IN-ADDR.ARPA.
@        IN  SOA   localhost. hostmaster.localhost. (
                   1997022700 ; Serial
                   3h         ; Refresh
                   15         ; Retry
                   1w         ; Expire
                   3h )       ; Minimum
         IN  NS    localhost.
1        IN  PTR   localhost.
Quick Quiz

- What RR defines a mail server?
- What is the first record in a zone file?
- What does the $ORIGIN directive do?
- How does the slave know to transfer the zone?
- What is a PTR RR used for?
- What value defines how long an RR can be cached?