What is DNS

The Domain Name System (DNS) is an Internet service. It is essentially a distributed database that maps domain names to IP addresses; with it, we can reach hosts on the Internet by a convenient domain name instead of an IP address.

DNS has the following features:

  • Distributed storage and management
  • The protocol runs over both TCP and UDP, normally on port 53
  • Each label (level) of a domain name is at most 63 characters long
  • A complete domain name is at most 253 characters long

So, when do you use TCP and when do you use UDP?

In the early days, the maximum size of a DNS UDP packet was 512 bytes, so when a response exceeded 512 bytes (too many records returned) DNS fell back to TCP for the transfer. Later the DNS protocol extended its UDP usage: when a client sends a query, it can announce that it accepts UDP packets larger than 512 bytes, and in that case DNS keeps using UDP.

Hierarchical database structure

DNS is structured like a Linux file system: an upside-down tree. The following uses the domain name of Webmaster’s Home (chinaz.com) as an example:

At the top is the root domain, then the top-level domain com, then chinaz (Webmaster’s Home), and so on. A domain name is read from the bottom up: s.tool.chinaz.com. is a full domain name, and so is www.chinaz.com.

This tree structure is designed to prevent name collisions. Such a tree could of course be stored on a single machine, but in the real world there are a huge number of complete domain names, and large numbers are added and deleted every day, so the storage load on a single machine would be no small challenge. Centralized management is also inflexible: imagine the hassle of applying to a central database every time you add or delete a domain name. So real-world DNS uses distributed storage.

The root DNS server only manages the top-level domains and delegates the administration of each top-level domain to that domain’s registry, so when you want to apply for a second-level domain name under com, you go to the com registry. For example, if you apply for the chinaz.com domain name above, everything below chinaz.com belongs to you. To manage the subdomains of chinaz.com yourself, you can set up your own Nameserver and have the .com registry delegate the management of chinaz.com to it. The structure with a self-built nameserver is shown below:

In general, don’t build your own if you can avoid it, because maintaining a highly available DNS is not easy. As far as I know, there are two situations where you need to build your own Nameserver:

  1. Internal DNS. An internal Nameserver lets internal servers reach each other by domain name
  2. The company is not satisfied with the performance of the nameserver provided by the domain name vendor. The registrar does run its own Nameserver, but it is not a professional service and cannot meet the enterprise’s needs for performance and stability. The enterprise then builds its own high-performance Nameserver, for example adding intelligent resolution so that users in different regions get the nearest IP address, in order to improve the quality of service

To summarize the distributed management of DNS: when a domain is delegated to a Nameserver, the management of that domain is handed to that nameserver. This design relieves the storage pressure on the one hand and makes domain name management more flexible on the other (the structure is similar to the Linux file system, where you can mount any subdirectory on another disk and then mount subdirectories below it elsewhere again).

Top-level domain names

Top-level domains such as com are tightly controlled by ICANN and cannot be created freely. There are two types of top-level domains:

  • Generic top-level domain (gTLD)
  • Country-code top-level domain (ccTLD)

Common generic top-level domains are .com, .org, .edu and so on; common country top-level domains are .cn for China and .us for the United States. When applying for a public domain name, a company should choose a gTLD if its product is multinational. If there is no international business, go by your preferences (you can compare the service and stability of each top-level domain before choosing). Here are a few of the hottest top-level domains; see Wikipedia for the full list.

me

The .me top-level domain is actually a country domain, the country domain of the Republic of Montenegro, but it is open for personal registration, so many individual bloggers use it for their blog domain.

io

Many open source projects use .io as their top-level domain; it is also a country domain. Because io matches the computer abbreviation for input/output, and also looks like binary 10, it gives a geeky feeling. Compared with .com, there are many more names still available under .io, so there is more choice.

DNS Resolution Process

Having covered the basic concepts of DNS, let’s talk about the DNS resolution process. When the Internet is accessed through a browser or an application, DNS resolution happens first. The standard glibc provides the libresolv.so.2 dynamic library that applications use to resolve (look up) domain names. The configuration file /etc/nsswitch.conf controls the host name lookup behaviour:

hosts:      files dns myhostname

This determines the lookup order: by default the hosts file is searched first, and DNS is queried only if no match is found. The default resolution flow is as follows:

On the client’s side, the resolution request is sent to the local DNS server configured in /etc/resolv.conf, and how it is resolved from there depends on that server’s configuration. Let’s look at the server-side flow:

Let’s analyze the resolution process:

  1. The client sends a request to the local DNS server (the recursive resolution server) to resolve the domain name tool.chinaz.com
  2. The local DNS server checks whether tool.chinaz.com is in its cache. If so, it returns the cached result to the client; if not, it continues with the next step
  3. The local DNS server asks the root DNS server for the Nameserver address of the com top-level domain
  4. Having obtained the address of the com Nameserver, it asks that Nameserver for the Nameserver address of the chinaz domain
  5. It then asks chinaz’s Nameserver for the address of tool, obtaining the IP address of tool.chinaz.com, which the local DNS server caches so that the next query can be answered quickly
  6. The local DNS server returns the result to the client

Recursive resolution server vs authoritative domain name server

Two types of DNS server appear in the resolution process. The recursive resolution server, which the client contacts directly, is also the busiest one in the whole process: its queries proceed step by step from the root DNS server down to the target domain name.

The recursive resolution server obtains the address of the next target by querying each level of authoritative DNS in turn, until it reaches the authoritative DNS server for the target domain name.

To put it simply: recursive resolution servers are responsible for resolving domain names, and authoritative DNS servers are responsible for storing domain name records.

Recursive resolution servers are generally provided by the ISP. There are also some well-known public recursive resolvers, such as Google’s 8.8.8.8 and Unicom’s 114, and BAT (Baidu, Alibaba, Tencent) have launched public recursive resolvers too. The best performance, however, should come from the one your ISP provides, although it may come with DNS hijacking problems.

The cache

Because the whole resolution process is so involved, DNS uses caching to keep the service robust. Once the recursive Nameserver has resolved tool.chinaz.com and receives a query for tool.chinaz.com again, it does not repeat the recursive process but returns the cached result of the previous resolution. The cache is also tiered: the next time it gets a query for www.chinaz.com, since the recursive server already knows chinaz.com’s authoritative Nameserver, all it needs to do is send one request to chinaz.com’s nameserver to look up www.
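The six resolution steps and the tiered cache described above, simulated offline. This is an added example, not code from the original post: the three "authoritative servers" are in-memory tables, and every name except the page's chinaz.com examples and every address (RFC 5737 documentation range) is made up.

```python
# Constructed in-memory "authoritative servers": address -> records (owner, type, rdata).
# Apart from the page's chinaz.com names, every name and address here is made up
# (192.0.2.0/24 is the RFC 5737 documentation range).
ZONES = {
    "192.0.2.1": [                                   # root server: knows only TLD delegations
        ("com.", "NS", "ns.com."), ("ns.com.", "A", "192.0.2.2")],
    "192.0.2.2": [                                   # com registry server
        ("chinaz.com.", "NS", "ns1.chinaz.com."), ("ns1.chinaz.com.", "A", "192.0.2.3")],
    "192.0.2.3": [                                   # chinaz.com authoritative server
        ("tool.chinaz.com.", "A", "192.0.2.10"), ("www.chinaz.com.", "A", "192.0.2.11")],
}

def ask(server, qname, qtype):
    """One simulated UDP query: the server answers, refers us down (NS + glue), or knows nothing."""
    records = ZONES[server]
    answer = [r for r in records if r[0] == qname and r[1] == qtype]
    if answer:
        return "answer", answer
    delegation = None                                # longest NS owner that encloses qname
    for owner, rtype, rdata in records:
        if rtype == "NS" and qname.endswith("." + owner):
            if delegation is None or len(owner) > len(delegation[0]):
                delegation = (owner, rtype, rdata)
    if delegation is None:
        return "nxdomain", []
    glue = [r for r in records if r[0] == delegation[2] and r[1] == "A"]
    return "referral", [delegation] + glue

class RecursiveResolver:
    """The local DNS server: walks the delegation chain and caches answers and delegations."""
    def __init__(self, root_server):
        self.answers = {}                            # (qname, qtype) -> list of rdata
        self.nameservers = {".": root_server}        # zone -> address of its nameserver
        self.queries_sent = 0

    def closest_known(self, qname):
        """tool.chinaz.com. -> chinaz.com. -> com. -> . : first zone whose server we know."""
        labels = qname.rstrip(".").split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:]) + "."
            if zone in self.nameservers:
                return self.nameservers[zone]
        return self.nameservers["."]

    def resolve(self, qname, qtype="A"):
        if (qname, qtype) in self.answers:           # step 2: serve from cache
            return self.answers[(qname, qtype)]
        server = self.closest_known(qname)           # tiered cache: skip levels already known
        for _ in range(8):                           # bound on delegation depth
            self.queries_sent += 1
            kind, rrs = ask(server, qname, qtype)
            if kind != "referral":                   # final answer (or nothing): cache and return
                self.answers[(qname, qtype)] = result = [r[2] for r in rrs]
                return result
            child_zone, _, ns_name = rrs[0]          # referral: remember the delegation, follow it
            server = next(r[2] for r in rrs[1:] if r[0] == ns_name)   # glue (assumed present)
            self.nameservers[child_zone] = server
        raise RuntimeError("delegation chain too deep")
```

Resolving tool.chinaz.com. costs three queries (root, com, chinaz.com), a repeat costs none, and www.chinaz.com. afterwards costs one because the chinaz.com delegation is already cached.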

How does the recursive resolution server know the address of the root DNS server? The root server addresses are fixed. At present there are 13 root DNS servers in the world, and these 13 records are stored permanently in the recursive DNS server:

Why are there only 13 root DNS servers? Shouldn’t there be as many as possible for load balancing? As mentioned earlier, the DNS protocol uses UDP queries, and the maximum UDP size with guaranteed delivery is 512 bytes. To let the data for all root servers fit in one 512-byte UDP packet, the number of root servers is limited to 13, and each server is named with a single letter of the alphabet.

Intelligent resolution

If a domain name has multiple IP addresses, the IP address nearest to the querying client is returned. Because bandwidth between different carriers in China is low, it is a disaster for a Telecom user to be sent to a Unicom IP address, and intelligent DNS resolution solves this problem.

Intelligent resolution relies on the EDNS protocol, a DNS extension drafted by Google. The change is relatively simple: the originating client’s IP address is added to the DNS packet, so the Nameserver can return the server IP address closest to the client based on that address.

The best-known domestic provider supporting EDNS is DNSPod, a popular domain name resolution provider in China; many companies use DNSPod to speed up their domain names. It has been acquired by Tencent (the “goose factory”).

Domain name registrar

When we want to register a domain name, we need to go to a domain name registrar. For example, to register hello.com I need to find a com registrar to register the hello name. There is more than one registrar for com, and these registrars are themselves accredited by ICANN. See How to Apply to become a .com domain registrar.

So what does a domain registrar have to do with an authoritative DNS server? For example, if you register a second-level domain name at GoDaddy, you do not need to set up a nameserver: you can manage your domain name records directly in GoDaddy’s control panel. The reason is that the authoritative nameserver for your new domain name is provided by the registrar by default. Of course, you can also switch it, for example changing the authoritative domain name server from GoDaddy to DNSPod. On the one hand this speeds up domestic resolution, and on the other hand you get the intelligent resolution function DNSPod provides.

Use BIND to set up the DNS server

There are many articles online explaining how to build a local Nameserver. Here we look at the BIND configuration files.

BIND’s configuration consists of two parts: the main BIND configuration file and the zone configuration files.

Bind configuration file

The BIND configuration file is located at /etc/named.conf. It holds BIND’s own configuration, such as zone file paths, logging, security, master/slave configuration, and so on.

The main thing is to add the zone configuration and specify the zone file for it; the recursion option (recursion no) controls whether the server also performs recursive resolution for clients.

Zone configuration file

The zone configuration file is specified in the BIND configuration file. Here is a simple zone configuration:

The zone configuration is the core configuration of a Nameserver. It specifies the DNS resource records, such as SOA, A, CNAME, AAAA, etc. The roles of SOA and CNAME are discussed below.

The SOA record

The SOA record marks the authoritative resolution server for this domain name. The difference between authoritative resolution servers and recursive resolution servers is described above. When a recursive resolution server has no cached record for your domain name, it goes back to the source and requests the SOA record of that domain name, also called the authoritative resolution record.

CNAME

The concept of a CNAME is much like an alias, and so is its processing logic: when a server is resolving a name and finds that the name is a CNAME, it queries the A record of the CNAME target instead. In general, anywhere a CNAME can be used could be replaced by an A record, so why invent CNAME? It is a quick way to have multiple domain names point at the same IP address, so that when the IP behind the lowest CNAME target changes, the CNAMEs above it need not change at all. It is just like hard-coded values in our code: we pull them out into a variable so that when the value changes, we only have to change one thing.

You can use the named-checkconf and named-checkzone commands to check your configuration files for problems, then start the service:

$> service named start
Redirecting to /bin/systemctl restart  named.service

We use netstat -ntlp to check that the service has started:

Port 53 is listening, so let’s test it by running dig on www.hello.com with 127.0.0.1 as the recursive resolution server:

We see that the dig result is 1.2.3.4, as set in our configuration file: DNS has completed its mission and obtained an IP address for the domain name. The IP used here for demonstration is obviously fake, though :)

DNS is used to implement load balancing

If multiple A records are added for a domain name, they are returned in round-robin (polling) order during resolution, so traffic is split evenly across the A records.

www IN A 1.2.3.4
www IN A 1.2.3.5

In the configuration above we added two A records for the www name, which is called multi-homed hosts. The effect is this: when we ask the Nameserver to resolve www.hello.com, the returned IP address alternates between the two addresses. (Some intelligent DNS servers instead return the IP address closest to the client, based on the client’s own IP address; search for intelligent DNS solutions for how “closest” is determined.)

In fact, the nameserver returns all of the IP addresses on every resolution request; with the configuration above it returns both 1.2.3.4 and 1.2.3.5 to the client. So how does RR work? The nameserver simply returns the addresses in a different order each time, and the client uses the first IP address in the response to send its request.
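The round-robin behaviour just described, plus the "no health check" limitation from the comparison below, as an added example that is not part of the original post. It parses zone lines in the page's form (the addresses are the page's made-up ones) and models clients that always use the first address returned.

```python
from collections import Counter

# Constructed zone lines in the same form as the page's example (made-up addresses).
ZONE_LINES = """\
www IN A 1.2.3.4
www IN A 1.2.3.5
"""

def parse_zone(text, origin="hello.com."):
    """Turn 'name IN TYPE rdata' lines into an RRset map {(fqdn, type): [rdata, ...]}."""
    rrsets = {}
    for line in text.strip().splitlines():
        name, _cls, rtype, rdata = line.split()
        fqdn = name if name.endswith(".") else f"{name}.{origin}"
        rrsets.setdefault((fqdn.lower(), rtype), []).append(rdata)
    return rrsets

class RoundRobinNameserver:
    """Returns the whole RRset on every query, rotated by one position each time,
    which is the round-robin (RR) behaviour the page describes."""
    def __init__(self, rrsets):
        self.rrsets = rrsets
        self.offset = {}                     # (fqdn, type) -> next rotation offset

    def query(self, fqdn, rtype="A"):
        key = (fqdn.lower(), rtype)
        rrs = self.rrsets.get(key, [])
        if not rrs:
            return []
        k = self.offset.get(key, 0)
        self.offset[key] = (k + 1) % len(rrs)
        return rrs[k:] + rrs[:k]

def simulate_clients(ns, fqdn, n, dead=()):
    """n clients each query once and connect to the FIRST address returned.
    `dead` models back-ends that are down: DNS does no health check, so those
    clients are still sent there and fail."""
    hits, failures = Counter(), 0
    for _ in range(n):
        first = ns.query(fqdn)[0]
        hits[first] += 1
        if first in dead:
            failures += 1
    return hits, failures
```

With one of the two addresses down, exactly half of the clients still get sent to it, which is the gap a health-checking load balancer closes.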

DNS load balancing vs LVS professional load balancing

Compared with LVS, load balancing at the DNS layer has the following features:

  1. The implementation is very simple
  2. By default, only RR scheduling is available
  3. DNS does no health checking of the back-end services
  4. Recovery from a failure takes a long time (caches sit between the DNS servers)
  5. The number of real servers (RS) that can be added is limited (by the size of the DNS response packet)

In real scenarios, choose the load balancing strategy according to your requirements.

Subdomain authorization

After we applied for the second-level domain hello.com under .com, one day the company needed to split into two business divisions, A and B, and assigned them the third-level domains a.hello.com and b.hello.com. The domain structure is shown below:

After a period of development, departments A and B have so many internal services that they frequently need domain names for new products. They now want to build their own Nameservers and need the upper level to hand the management of their domains over to them. Their expected structure is as follows:

Notice the difference between the two stages. In the first stage, when department A wants a subdomain under a.hello.com it has to apply to the head office, because the whole a.hello.com domain is managed there. In the second stage, department A sets up its own nameserver, and the parent company transfers the management of the a.hello.com domain to that Nameserver. This transfer of management is called subdomain authorization (delegation).

Subdomain authorization consists of two operations:

  1. Department A sets up its own nameserver and, in its zone configuration file, declares that nameserver as the authoritative resolution server for a.hello.com
  2. The parent company adds an NS record to its own nameserver, delegating the a.hello.com domain to department A’s nameserver

The first step is to specify the SOA record in the zone configuration file, as described in the BIND section:

@ IN SOA ns.a.hello.com. admin.a.hello.com. (......)

Step 2: add an NS record (with a glue A record) on the nameserver of the hello.com domain:

a.hello.com.    IN NS ns.a.hello.com.
ns.a.hello.com. IN A  xx.xx.xx.xx   ; nameserver IP address

In this way, when xx.a.hello.com is resolved, hello.com’s nameserver finds the NS record in its configuration, and the resolver continues by querying department A’s nameserver.
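A consistency check for the two-sided delegation above, added here as an example and not part of the original post. The parent and child zone contents are constructed (the addresses are from the RFC 5737 documentation range); the check catches the failure modes a resolver would trip over when following the NS record: missing glue, stale glue after an IP change, a child without an SOA, and mismatched NS sets.

```python
# Constructed records for the parent zone (hello.com, run by the head office) and the
# child zone (a.hello.com, run by department A). Addresses are made up (RFC 5737 range).
PARENT_ZONE = {
    ("a.hello.com.", "NS"): ["ns.a.hello.com."],
    ("ns.a.hello.com.", "A"): ["192.0.2.53"],            # glue record
}
CHILD_ZONE = {
    ("a.hello.com.", "SOA"): ["ns.a.hello.com. admin.a.hello.com. 1 3600 600 86400 300"],
    ("a.hello.com.", "NS"): ["ns.a.hello.com."],
    ("ns.a.hello.com.", "A"): ["192.0.2.53"],
    ("www.a.hello.com.", "A"): ["192.0.2.80"],
}

def check_delegation(parent, child, zone):
    """Return the problems found in the parent -> child delegation of `zone`
    (empty list = the two sides agree, so resolvers can follow the NS record)."""
    problems = []
    parent_ns = set(parent.get((zone, "NS"), []))
    child_ns = set(child.get((zone, "NS"), []))
    soa = child.get((zone, "SOA"))
    if not parent_ns:
        problems.append(f"parent has no NS record for {zone}")
    if not soa:
        problems.append(f"child zone has no SOA record for {zone}")
    elif soa[0].split()[0] not in parent_ns:              # MNAME should be a delegated server
        problems.append(f"SOA MNAME {soa[0].split()[0]} is not in the parent's NS set")
    if parent_ns and child_ns and parent_ns != child_ns:
        problems.append(f"NS set differs: parent {sorted(parent_ns)} vs child {sorted(child_ns)}")
    for ns in sorted(parent_ns):
        if not ns.endswith("." + zone):
            continue                                      # out-of-zone name: no glue needed
        glue = parent.get((ns, "A"), [])
        if not glue:                                      # resolver could never reach the child
            problems.append(f"missing glue A record for {ns}")
        elif glue != child.get((ns, "A"), []):            # stale glue after an IP change
            problems.append(f"glue for {ns} is {glue} but the child says {child.get((ns, 'A'), [])}")
    return problems
```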

DNS debugging tool

The DNS debugging tools commonly used by ops are host, nslookup and dig.

All three commands belong to the bind-utils package, the BIND toolset, and in that order they become more powerful and more complex to use. There are plenty of tutorials on them in the man pages and online, so here is just a quick look at the dig output:

dig has many parameters and functions; see man dig for the details.

Other

DNS amplification attack

A DNS amplification attack is a DoS attack: it floods the target with traffic to saturate its bandwidth, so that the target can no longer serve normal users and goes down.

In an ordinary flood attack, the attacking machines open a large number of request-response exchanges with the target, but that needs a large number of attacking machines: a server’s bandwidth is much larger than a home connection’s, so if we used our own home machines, our bandwidth would be exhausted long before the target’s.

DNS recursive resolution is special here: a query of a few bytes can be exchanged for a reply of several hundred or even several thousand bytes (traffic amplification), and most servers do not defend themselves against DNS servers. If an attacker can spoof the source IP of the DNS query packets, the DNS server sends its massive responses to the target machine, and a DoS attack results.

However, common DNS servers filter such requests, so finding an abusable DNS server is itself a problem for the attacker. This is only a brief introduction; those interested can Google the details 🙂
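A detection view of the pattern described above, added as an example that is not part of the original post: a recursive server being abused sees many small queries, all answered with large responses, apparently from one "client" (the spoofed victim address). The log format and the log lines are constructed for this example; the addresses are from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Constructed query-log lines (made-up format): one line per query answered by a
# recursive server, with request and response sizes in bytes. Addresses are from
# the RFC 5737 documentation ranges.
LOG_LINES = """\
t=1 client=198.51.100.10 qname=www.chinaz.com. qtype=A qlen=33 rlen=49
t=1 client=203.0.113.7 qname=big.example.test. qtype=ANY qlen=40 rlen=3100
t=1 client=203.0.113.7 qname=big.example.test. qtype=ANY qlen=40 rlen=3100
t=2 client=203.0.113.7 qname=big.example.test. qtype=ANY qlen=40 rlen=3100
t=2 client=198.51.100.11 qname=tool.chinaz.com. qtype=A qlen=34 rlen=50
t=2 client=203.0.113.7 qname=big.example.test. qtype=ANY qlen=40 rlen=3100
"""
LINE_RE = re.compile(r"client=(\S+) qname=(\S+) qtype=(\S+) qlen=(\d+) rlen=(\d+)")

def summarize(log_text):
    """Per source address: query count, bytes received, bytes sent back and the
    amplification factor (bytes sent back / bytes received)."""
    stats = defaultdict(lambda: {"queries": 0, "bytes_in": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                                  # skip malformed lines
        client, _qname, _qtype, qlen, rlen = m.groups()
        s = stats[client]
        s["queries"] += 1
        s["bytes_in"] += int(qlen)
        s["bytes_out"] += int(rlen)
    for s in stats.values():
        s["amplification"] = round(s["bytes_out"] / s["bytes_in"], 1)
    return dict(stats)

def suspects(stats, min_queries=3, min_amplification=20.0):
    """Source addresses that repeatedly got back far more than they sent. Because the
    source can be spoofed, such a 'client' is more likely the victim than the attacker,
    so the fitting response is rate limiting or refusing recursion for it."""
    return sorted(c for c, s in stats.items()
                  if s["queries"] >= min_queries and s["amplification"] >= min_amplification)
```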

Easy-to-use public recursive DNS servers

See: Which public DNS is the strongest

Extension

How to build a home DNS with a Raspberry Pi