Domain Name System, 蔡政道, Ver. 1030316

Classification of domain names
• Classification: distinguishing different attributes
  – Top Level Domain (TLD)
    • gTLDs: com/net/org/gov/edu/..., 13 in total
    • ccTLDs: tw/cn/jp/us, 243 in total
  – Second Level Domain: com.tw, org.tw, etc.
    • Current second-level domains under tw:
      – com.tw/net.tw/org.tw/edu.tw/gov.tw/mil.tw
      – idv.tw/game.tw/club.tw/ebiz.tw
• In June 2011 ICANN approved opening up TLD applications
  – By the end of 2013 (ROC year 102), Taipei City had already obtained .taipei

DNS tree structure (diagram): the Root has children tw, cn, com, net, gov, ...; under tw is the twnic zone with www, whois and cdns, plus host1 and biz; under arpa are in-addr (IPv4 reverse lookup, with the labels 211, 72, 210, 211 shown), ip6 (IPv6 reverse lookup) and e164. Legend: boxes are domain or machine names; arrows are the delegation relation between an upper and a lower level. Note: a DNS search proceeds from the top down.

• DNS requires sibling nodes (nodes with the same parent) to have different labels, which guarantees that every node's domain name in the tree is unique.

• Domain: a subtree of the domain name space
  – The domain name of a domain is the domain name of the domain's top node.
  – The hosts in one domain are logically related (geographically, organizationally, ...), but this has nothing to do with their IP addresses or with which network they are on.

• The domain name of a leaf of the tree represents a host and points to that host's information, such as its address and mail routing.
• An interior node of the tree can represent a host and can also point to the domain's information.
  – hp.com is HP's domain name and is at the same time a host on the network.

Domain & Zone
• A zone and a domain may share the same domain name but contain different nodes.
• A domain that has been delegated to manage itself has a name server; the region that server is responsible for is called a zone, and that region does not include the subdomains it has in turn delegated.
• A zone is bounded by delegation; it never includes delegated data.

Diagram (zone versus domain): under tw are edu, gov and mil; the edu domain (also the edu zone) contains tp; the tp domain contains fg, slhs and proxy, but the tp zone does not include the delegated fg zone or slhs zone; the slhs zone contains www, mail and ftp.

Query type: recursive
• The name server repeats the same basic process until it receives an answer.
(Diagram: the querier sends a request to the name server, which repeatedly queries other name servers and then returns the answer.)

Query type: iterative
• The server only has to return the best answer it already knows
• It tells the querier which name server to ask next
• Lighter load on the name server

Query for www.slhs.tp.edu.tw (diagram): the resolver asks its name server, which walks the tree: the root name server (.) refers it to the tw name server, the tw name server to the edu.tw name server, the edu.tw name server to the tp.edu.tw name server, and the tp.edu.tw name server to the slhs.tp.edu.tw name server. Siblings shown along the way: gov under tw; ntnu and ck under edu.tw.

• When a name server receives a recursive query and does not have the answer itself, it asks the "closest known" name server.
(Diagram: having received a query for www.tp.edu.tw, the server asks itself: do I know the name server responsible for www.tp.edu.tw? No. For tp.edu.tw? No. For tw? No. Then start from the root.)
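Slides 17 to 22 describe the walk a recursive server makes on a cache miss: start from the closest known servers, follow referrals down the tree, stop at an authoritative answer. The following Python example is added here and is not the slides' code. It simulates that walk over a constructed set of servers (the ids root, tw-ns and so on are labels, and the address 203.72.185.10 for www.slhs.tp.edu.tw is made up). It also shows the failure the later lame server slides are about: a delegated server that answers a query for its own zone with a referral no deeper than what the resolver already knew.

```python
"""Toy iterative resolution walk (added example with constructed data)."""

# Each constructed server knows the zone it is authoritative for ('soa'), the
# delegations it holds ('ns': zone -> server ids) and the A records it serves.
SERVERS = {
    "root":      {"soa": ".",               "ns": {"tw.": ["tw-ns"]},                "a": {}},
    "tw-ns":     {"soa": "tw.",             "ns": {"edu.tw.": ["edu-tw-ns"]},        "a": {}},
    "edu-tw-ns": {"soa": "edu.tw.",         "ns": {"tp.edu.tw.": ["tp-ns"]},         "a": {}},
    "tp-ns":     {"soa": "tp.edu.tw.",      "ns": {"slhs.tp.edu.tw.": ["slhs-ns"],
                                                   "lame.tp.edu.tw.": ["lame-ns"]},   "a": {}},
    "slhs-ns":   {"soa": "slhs.tp.edu.tw.", "ns": {}, "a": {"www.slhs.tp.edu.tw.": "203.72.185.10"}},
    # Delegated by tp-ns but never configured for the zone: it can only refer to the root.
    "lame-ns":   {"soa": None,              "ns": {".": ["root"]},                   "a": {}},
}

def in_zone(name: str, zone: str) -> bool:
    """True when the fully qualified name lies at or below zone (label-aligned)."""
    return zone == "." or name == zone or name.endswith("." + zone)

def label_depth(zone: str) -> int:
    return 0 if zone == "." else zone.count(".")

def query(server_id: str, qname: str):
    """One non-recursive query (dig +norec). Returns (aa, answer, referral_zone, referral_servers)."""
    srv = SERVERS[server_id]
    cuts = [z for z in srv["ns"] if in_zone(qname, z)]
    if srv["soa"] is not None and in_zone(qname, srv["soa"]):
        if cuts:                                       # below a delegation: refer downward
            cut = max(cuts, key=label_depth)
            return False, None, cut, srv["ns"][cut]
        return True, srv["a"].get(qname), None, None   # authoritative answer (None = NXDOMAIN)
    if cuts:                                           # not authoritative: best referral it has
        cut = max(cuts, key=label_depth)
        return False, None, cut, srv["ns"][cut]
    return False, None, None, None                     # nothing useful (REFUSED)

def closest_known(qname: str, cache: dict):
    """The 'closest known' servers of slide 22: the deepest cached delegation covering qname."""
    best = max((z for z in cache if in_zone(qname, z)), key=label_depth)
    return best, cache[best]

def resolve(qname: str, cache: dict = None, max_steps: int = 10):
    """Follow referrals from the closest known servers until an authoritative answer.
    Returns (answer, path, problem); problem is None on success."""
    if cache is None:
        cache = {".": ["root"]}
    known_zone, servers = closest_known(qname, cache)
    path = []
    for _ in range(max_steps):
        server = servers[0]
        aa, answer, cut, next_servers = query(server, qname)
        path.append((server, "aa" if aa else f"referral to {cut}"))
        if aa:
            return answer, path, None
        if cut is None:
            return None, path, f"{server} refused the query"
        # A referral must point deeper than what we already know; otherwise the
        # delegated server is not serving its zone (a lame delegation).
        if label_depth(cut) <= label_depth(known_zone):
            return None, path, f"lame server {server} for {known_zone}: referred to {cut}"
        cache[cut] = next_servers                      # learn the delegation for later queries
        known_zone, servers = cut, next_servers
    return None, path, "too many referrals"

if __name__ == "__main__":
    shared = {".": ["root"]}
    for name in ("www.slhs.tp.edu.tw.", "ftp.slhs.tp.edu.tw.", "www.lame.tp.edu.tw."):
        print(name, resolve(name, shared))
```

Resolving www.slhs.tp.edu.tw. visits root, tw-ns, edu-tw-ns, tp-ns and slhs-ns in that order; a second query under slhs.tp.edu.tw. with the same cache starts directly at slhs-ns, which is the behaviour slide 22 describes. The query under lame.tp.edu.tw. stops at lame-ns with a lame server report, the same symptom the BIND log lines on the later slides record.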

Principle of forward lookup
• Forward lookup of tp.edu.tw (diagram: walk down the tree from the root, whose children include com, edu, org, net, arpa, gov, ..., to edu and then to tp)

Principle of reverse lookup
• Reverse lookup of 3.185.72.203.in-addr.arpa (diagram: walk down from the root through arpa to in-addr, then 203, 72, 185 and finally 3; the tree also shows com, edu, net, tw, ... and ip6 beside in-addr)

Master & Slave Server
• Master: the server for a zone reads the data for the zone from files on its host
• Slave: the server for a zone gets the zone data from another name server that is authoritative for the zone

Cache Only
• Name servers that are not authoritative for any zones.

• A name server needs a configuration file: named.conf
• Zone data files:
  – Case-insensitive
  – Resource records must start in the first column of a line
  – Order is not a requirement

Windows Server 2008 DNS


(Slide 40: Windows Server 2008 DNS screenshot; recovered text: dns.slhs.tp.edu.tw. and tom@tp.edu.tw.)


DNS Amplification Attack


City Network Center DNS architecture (diagram): ns1 is the master; dns1, dns2 and dns3 are slaves that receive the zone from it by zone transfer.

(Slide 51: diagram showing dns1 and dns2.)

(Slide 52: diagram showing dns1, dns2, ns1 and ns2.)

Diagram (split DNS): the external DNS answers www.xxx.tp.edu.tw with 203.72.185.10, while the internal DNS answers the same name with 192.168.1.10; the PC at 192.168.1.123 therefore reaches the server at 192.168.1.10 (the diagram also shows 192.168.1.1).

Separate the internal and external clients that may recurse by making use of BIND 9 views:

    acl "Lan" { 192.168/24; 127.0.0.1; };
    acl "public" { !Lan; any; };
    options {
        directory "/var/named";
        allow-transfer { none; };
    };
    view "intranet" {
        match-clients { Lan; };
        recursion yes;
        zone "." { type hint; file "named.root"; };
        zone "xxx.tp.edu.tw" { type master; file "xxx-intranet.xxx.tp.edu.tw"; };
    };
    view "internet" {
        match-clients { !Lan; any; };
        recursion no;
        zone "." { type hint; file "named.root"; };
        zone "xxx.tp.edu.tw" { type master; file "xxx-internet.xxx.tp.edu.tw"; };
    };

In a BIND address match list a negated element can only deny, and an address that matches nothing is also denied, so a list consisting of !Lan alone would match no client at all; the trailing any; is what admits the non-Lan clients to the internet view.

Restricting who is served (allow-query)

    acl "SLHS-Campus" {
        203.72.185.0/24;
        203.72.186.0/24;
        203.72.187.0/24;
        203.72.188.0/24;
    };
    options {
        ...
        allow-query { SLHS-Campus; };
        ...
    };
    zone "slhs.tp.edu.tw" {
        type master;
        file "named.slhs";
        allow-query { any; };
    };

Since BIND 9.4 the allow-query default is localhost and localnets.

Restricting who is served (allow-recursion)

    acl "SLHS-Campus" {
        203.72.185.0/24;
        203.72.186.0/24;
        203.72.187.0/24;
        203.72.188.0/24;
    };
    options {
        ...
        allow-recursion { SLHS-Campus; };
        allow-query { any; };
        ...
    };
    zone "slhs.tp.edu.tw" {
        type master;
        file "named.slhs";
    };

allow-recursion defaults to any.
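The view, allow-query and allow-recursion slides all rely on how BIND evaluates an address match list: elements are tried in order, the first one that matches decides, a negated match denies, and an address that matches nothing is denied. The following Python example, added here and not part of the slides, models those rules so the effect of an ACL can be checked before it is deployed. It assumes (as BIND's parser does) that an abbreviated IPv4 prefix such as 192.168/24 has its missing octets read as zero, i.e. 192.168.0.0/24; the acl names and addresses are copied from the slides, the view lists are constructed. Two points it makes visible: a match-clients list consisting only of a negated element such as { !Lan; } selects no client, so the external view needs a trailing any;, and the PC at 192.168.1.123 in the split-DNS diagram is not covered by 192.168/24 as written, which is for the operator to resolve. One caveat on the defaults quoted on the slides: what BIND 9.4 restricted to localhost and localnets were allow-recursion and allow-query-cache; allow-query itself still defaults to any, so it should be set explicitly as the slides do.

```python
"""BIND address_match_list evaluation (added example, not the slides' configuration)."""
import ipaddress

def parse_prefix(text: str):
    """Turn one match-list element into an ip_network.
    Assumption: BIND zero-pads an abbreviated IPv4 prefix, so '192.168/24' is 192.168.0.0/24."""
    if "/" in text and ":" not in text:
        addr, plen = text.split("/")
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{addr}/{plen}", strict=False)
    return ipaddress.ip_network(text, strict=False)   # bare address -> /32 or /128

def matches(client: str, match_list: list, acls: dict) -> bool:
    """First matching element decides: plain element grants, '!'-negated element denies.
    'any' and 'none' are built-ins, other bare words are named acls, and a list that
    matches nothing denies. (localhost/localnets are not modelled here.)"""
    ip = ipaddress.ip_address(client)
    for element in match_list:
        negate = element.startswith("!")
        name = element.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in acls:
            hit = matches(client, acls[name], acls)
        else:
            hit = ip in parse_prefix(name)
        if hit:
            return not negate
    return False

# acl definitions as they appear on the slides.
ACLS = {
    "Lan": ["192.168/24", "127.0.0.1"],
    "SLHS-Campus": ["203.72.185.0/24", "203.72.186.0/24", "203.72.187.0/24", "203.72.188.0/24"],
}
# Constructed view lists: the external view with a negated element only, and with any; appended.
VIEWS_NEGATED_ONLY = [("intranet", ["Lan"]), ("internet", ["!Lan"])]
VIEWS_WITH_ANY = [("intranet", ["Lan"]), ("internet", ["!Lan", "any"])]

def select_view(client: str, views: list, acls: dict = ACLS):
    """BIND serves a query from the first view whose match-clients matches; None means
    no view matched and the query is refused."""
    for name, match_clients in views:
        if matches(client, match_clients, acls):
            return name
    return None

def recursion_allowed(client: str, acls: dict = ACLS) -> bool:
    """Effect of options { allow-recursion { SLHS-Campus; }; }."""
    return matches(client, ["SLHS-Campus"], acls)

if __name__ == "__main__":
    for c in ("127.0.0.1", "192.168.0.7", "192.168.1.123", "203.72.185.10", "8.8.8.8"):
        print(f"{c:15} negated-only: {select_view(c, VIEWS_NEGATED_ONLY)!s:9} "
              f"with any: {select_view(c, VIEWS_WITH_ANY)!s:9} recursion: {recursion_allowed(c)}")
```

The order pitfall from the BIND manual is also reproducible: in { 1.2.3/24; !1.2.3.13; } the negation never takes effect because the broader prefix matches first, whereas { !1.2.3.13; 1.2.3/24; } denies that one host as intended.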

Access control
• Restricting unauthorized zone transfer

    options {
        allow-transfer { 203.72.185.15; 140.122.65.221; };
        directory "/var/named";
        allow-query { SLHS-Campus; 203.72.185/24; };
    };

Access control
• Restricting unauthorized zone transfer

    zone "slhs.tp.edu.tw" {
        type slave;
        masters { 203.72.185.1; };
        file "slhs.zone";
        allow-transfer { none; };
    };

• Caching-only server: a name server that is not authoritative for any zones.

    options {
        directory "/var/named";
    };
    zone "." {
        type hint;
        file "named.ca";
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
    };

• Dynamic update

    zone "slhs.tp.edu.tw" in {
        type master;
        file "named.hosts";
        allow-update { none; };
    };

• Dynamic update

    zone "slhs.tp.edu.tw" in {
        type slave;
        masters { 203.72.185.1; };          // master as in the slave zone above
        file "slhs.zone";
        allow-update-forwarding { 203.72.185/24; };
    };

Only updates from IP addresses that match the address match list will be forwarded to the master. (The slide used allow-update here; on a slave zone the option that controls forwarding of updates to the master is allow-update-forwarding, and a slave zone also needs its masters statement.)

    dig [@server] domain [query-type] [query-class] [+query-option] [-dig-option]

@server: the name server to query
domain: the domain name to look up
query-type: A, MX, NS, SOA, ...
query-class: in, any
query-option: [no]debug, [no]recurse, [no]vc, ...
dig-option: -x

• 27-Feb-2014 09:01:25.256 info: lame server resolving 'taiwanledlight.com.tw' (in 'taiwanledlight.com.tw'?): 59.120.169.201#53

    dig @192.83.166.9 taiwanledlight.com.tw ns +norec
    ;; AUTHORITY SECTION:
    taiwanledlight.com.tw.   86400  IN  NS  ypns1.chyp.com.tw.
    taiwanledlight.com.tw.   86400  IN  NS  ypns2.chyp.com.tw.
    ;; ADDITIONAL SECTION:
    ypns1.chyp.com.tw.       86400  IN  A   59.120.169.201
    ypns2.chyp.com.tw.       86400  IN  A   59.120.169.200

    dig @59.120.169.200 taiwanledlight.com.tw ns +norec
    ;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ......
    ;; ANSWER SECTION:
    taiwanledlight.com.tw.   3600   IN  NS  ypns2.chyp.com.tw.
    ;; ADDITIONAL SECTION:
    ypns2.chyp.com.tw.       1500   IN  A   59.120.169.200

    dig @59.120.169.201 taiwanledlight.com.tw ns +norec
    ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 3
    ....
    ;; AUTHORITY SECTION:
    .                    3600  IN  NS  g.root-servers.net.
    .                    3600  IN  NS  h.root-servers.net.
    .                    3600  IN  NS  i.root-servers.net.
    .                    3600  IN  NS  j.root-servers.net.
    .                    3600  IN  NS  k.root-servers.net.
    .                    3600  IN  NS  l.root-servers.net.
    .                    3600  IN  NS  m.root-servers.net.
    .                    3600  IN  NS  a.root-servers.net.
    .                    3600  IN  NS  b.root-servers.net.
    .                    3600  IN  NS  c.root-servers.net.
    .                    3600  IN  NS  d.root-servers.net.
    .                    3600  IN  NS  e.root-servers.net.
    .                    3600  IN  NS  f.root-servers.net.
    ;; ADDITIONAL SECTION:
    g.root-servers.net.  3600  IN  A   192.112.36.4
    h.root-servers.net.  3600  IN  A   128.63.2.53
    i.root-servers.net.  3600  IN  A   192.36.148.17

The server that the parent delegates to (59.120.169.201, ypns1) answers without the aa flag and only refers back to the root: it is not configured for the zone, which is exactly what the lame server message reports.

06-Mar-2014 12:55:19.656 info: lame server resolving 'boenilaexl.lllh.tp.edu.tw' (in 'lllh.tp.edu.tw'?): 163.21.249.166#53

    dig @163.21.249.166 lssh.tp.edu.tw ns +norec
    ;; AUTHORITY SECTION:
    lllh.tp.edu.tw.       259200  IN  NS    dns.lllh.tp.edu.tw.
    ;; ADDITIONAL SECTION:
    dns.lllh.tp.edu.tw.   37178   IN  A     163.21.2xx.2
    dns.lllh.tp.edu.tw.   21507   IN  AAAA  2001:288:12xx::1

    dig @163.21.208.2 lllh.tp.edu.tw ns +norec
    ;; ANSWER SECTION:
    lllh.tp.edu.tw.       38400   IN  NS    dns.tp.edu.tw.
    lllh.tp.edu.tw.       38400   IN  NS    dns.lllh.tp.edu.tw.
    ;; ADDITIONAL SECTION:
    dns.lllh.tp.edu.tw.   38400   IN  A     163.21.2xx.2
    dns.lllh.tp.edu.tw.   38400   IN  AAAA  2001:288:12xx::1

The school's zone lists a second name server (dns.tp.edu.tw.) that the parent does not delegate to and that only holds the referral; a resolver that follows that NS record gets a non-authoritative answer and logs the lame server message.

Parent delegation inconsistent with the child's declaration

    dig @163.21.249.166 cccs.tp.edu.tw ns +norec
    ;; AUTHORITY SECTION:
    cccs.tp.edu.tw.              259200  IN  NS    tpws132.cccs.tp.edu.tw.
    ;; ADDITIONAL SECTION:
    tpws132.cccs.tp.edu.tw.      259200  IN  A     163.21.5x.5
    tpws132.cccs.tp.edu.tw.      259200  IN  AAAA  2001:288:12xx::1

    dig @163.21.5x.5 cccs.tp.edu.tw ns +norec
    ;; ANSWER SECTION:
    cccs.tp.edu.tw.              3600    IN  NS    tpjh2008.cccs.tp.edu.tw.
    ;; ADDITIONAL SECTION:
    tpjh2008.cccs.tp.edu.tw.     3600    IN  A     192.168.132.1
    tpjh2008.cccs.tp.edu.tw.     3600    IN  AAAA  2001:288:12xx:1::1
    tpjh2008.cccs.tp.edu.tw.     3600    IN  AAAA  2001:288:12xx:1:f82a:b58c:a649:afb1

    dig @163.21.249.166 dees.tp.edu.tw ns +norec
    ;; AUTHORITY SECTION:
    dees.tp.edu.tw.              259200  IN  NS    deesdns.dees.tp.edu.tw.
    ;; ADDITIONAL SECTION:
    deesdns.dees.tp.edu.tw.      259200  IN  A     163.21.2xx.6
    deesdns.dees.tp.edu.tw.      259200  IN  AAAA  2001:288:12xx::1

    dig @163.21.201.6 dees.tp.edu.tw ns +norec
    ;; ANSWER SECTION:
    dees.tp.edu.tw.              3600    IN  NS    dns.v6.dees.tp.edu.tw.
    ;; ADDITIONAL SECTION:
    dns.v6.dees.tp.edu.tw.       3600    IN  AAAA  2001:288:12xx::1

How to confirm that the parent's delegation and the school's declaration agree

    dig @163.21.249.166 slhs.tp.edu.tw ns +norec
    ;; AUTHORITY SECTION:
    slhs.tp.edu.tw.           259200  IN  NS    dns.slhs.tp.edu.tw.
    slhs.tp.edu.tw.           259200  IN  NS    netadm.slhs.tp.edu.tw.
    ;; ADDITIONAL SECTION:
    dns.slhs.tp.edu.tw.       57267   IN  A     203.72.185.1
    dns.slhs.tp.edu.tw.       21211   IN  AAAA  2001:288:1201::1
    netadm.slhs.tp.edu.tw.    6811    IN  A     203.72.185.15
    netadm.slhs.tp.edu.tw.    35605   IN  AAAA  2001:288:1201::15

    dig @203.72.185.1 slhs.tp.edu.tw ns +norec
    ;; ANSWER SECTION:
    slhs.tp.edu.tw.           86400   IN  NS    dns.slhs.tp.edu.tw.
    slhs.tp.edu.tw.           86400   IN  NS    netadm.slhs.tp.edu.tw.
    ;; ADDITIONAL SECTION:
    dns.slhs.tp.edu.tw.       86400   IN  A     203.72.185.1
    dns.slhs.tp.edu.tw.       86400   IN  AAAA  2001:288:1201::1
    netadm.slhs.tp.edu.tw.    86400   IN  A     203.72.185.15
    netadm.slhs.tp.edu.tw.    86400   IN  AAAA  2001:288:1201::15

How to confirm that the city network's delegation and the school's declaration agree

    dig @163.21.249.166 slhs.tp.edu.tw ns +norec
    ;; AUTHORITY SECTION:
    slhs.tp.edu.tw.           259200  IN  NS    dns.slhs.tp.edu.tw.
    slhs.tp.edu.tw.           259200  IN  NS    netadm.slhs.tp.edu.tw.
    ;; ADDITIONAL SECTION:
    dns.slhs.tp.edu.tw.       57267   IN  A     203.72.185.1
    dns.slhs.tp.edu.tw.       21211   IN  AAAA  2001:288:1201::1
    netadm.slhs.tp.edu.tw.    6811    IN  A     203.72.185.15
    netadm.slhs.tp.edu.tw.    35605   IN  AAAA  2001:288:1201::15

    dig @203.72.185.15 slhs.tp.edu.tw ns +norec
    ;; ANSWER SECTION:
    slhs.tp.edu.tw.           86400   IN  NS    dns.slhs.tp.edu.tw.
    slhs.tp.edu.tw.           86400   IN  NS    netadm.slhs.tp.edu.tw.
    ;; ADDITIONAL SECTION:
    dns.slhs.tp.edu.tw.       86400   IN  A     203.72.185.1
    dns.slhs.tp.edu.tw.       86400   IN  AAAA  2001:288:1201::1
    netadm.slhs.tp.edu.tw.    86400   IN  A     203.72.185.15
    netadm.slhs.tp.edu.tw.    86400   IN  AAAA  2001:288:1201::15

Test over both IPv4 and IPv6

    dig @2001:288:1201::1 slhs.tp.edu.tw ns +norec
    ;; ANSWER SECTION:
    slhs.tp.edu.tw.           86400   IN  NS    netadm.slhs.tp.edu.tw.
    slhs.tp.edu.tw.           86400   IN  NS    dns.slhs.tp.edu.tw.
    ;; ADDITIONAL SECTION:
    dns.slhs.tp.edu.tw.       86400   IN  A     203.72.185.1
    dns.slhs.tp.edu.tw.       86400   IN  AAAA  2001:288:1201::1
    netadm.slhs.tp.edu.tw.    86400   IN  A     203.72.185.15
    netadm.slhs.tp.edu.tw.    86400   IN  AAAA  2001:288:1201::15
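Slides 66 to 71 compare the parent's referral with the child's own NS answer by eye. The following Python example, added here and not part of the slide deck, automates that comparison on dig-style text: it parses the sections, reports a missing aa flag (a lame server), NS sets that differ, a name server with an RFC 1918 or other unroutable address, a name server with no A or no AAAA record, and glue that differs from the child's own records. The inputs are constructed outputs under .example using documentation address ranges, modelled on the patterns of slides 65, 67 and 69, not captures from the real tp.edu.tw servers; in practice the two texts come from dig @parent zone NS +norec and dig @child zone NS +norec, run over both IPv4 and IPv6 as slide 71 recommends.

```python
"""Delegation consistency check over dig-style output (added example, constructed data)."""
import ipaddress
import re

# Ranges a public name server must not live in: RFC 1918, loopback, link-local, IPv6 ULA.
# Documentation ranges are deliberately not listed so the constructed samples count as public.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def parse_dig(text: str) -> dict:
    """Header flags plus ANSWER/AUTHORITY/ADDITIONAL records as (owner, ttl, type, rdata)."""
    out = {"flags": set(), "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r";; flags: ([a-z ]*);", line)
        if m:
            out["flags"] = set(m.group(1).split())
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
            continue
        if not line or line.startswith(";") or section not in ("ANSWER", "AUTHORITY", "ADDITIONAL"):
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        out[section].append((owner.lower(), int(ttl), rtype, rdata.lower()))
    return out

def addresses(resp: dict) -> dict:
    """owner -> set of A/AAAA rdata from the ADDITIONAL section."""
    addrs = {}
    for owner, _ttl, rtype, rdata in resp["ADDITIONAL"]:
        if rtype in ("A", "AAAA"):
            addrs.setdefault(owner, set()).add(rdata)
    return addrs

def check_delegation(zone: str, parent_text: str, child_text: str) -> list:
    """Compare the parent's referral (AUTHORITY NS + glue) with the child's own NS RRset
    (ANSWER + ADDITIONAL). Returns findings; an empty list means the delegation is consistent."""
    parent, child = parse_dig(parent_text), parse_dig(child_text)
    findings = []
    if "aa" not in child["flags"]:
        findings.append(f"child server is not authoritative for {zone} (no aa flag): lame delegation")
    p_ns = {r[3] for r in parent["AUTHORITY"] if r[2] == "NS"}
    c_ns = {r[3] for r in child["ANSWER"] if r[2] == "NS"}
    if p_ns != c_ns:
        findings.append(f"NS mismatch: parent delegates to {sorted(p_ns)}, child declares {sorted(c_ns)}")
    p_addr, c_addr = addresses(parent), addresses(child)
    for host in sorted(c_ns):
        host_addrs = c_addr.get(host, set())
        for a in sorted(host_addrs):
            if any(ipaddress.ip_address(a) in net for net in UNROUTABLE):
                findings.append(f"{host} has unroutable address {a}: unreachable from the Internet")
        for v in sorted({4, 6} - {ipaddress.ip_address(a).version for a in host_addrs}):
            findings.append(f"{host} has no IPv{v} address in the child's response")
    for host in sorted(p_ns & c_ns):
        if p_addr.get(host) != c_addr.get(host):
            findings.append(f"glue for {host} at the parent differs from the child's records")
    return findings

# Constructed sample 1 (pattern of slide 69): parent referral and child answer agree.
PARENT_GOOD = """
;; AUTHORITY SECTION:
good.example.         259200 IN NS   dns.good.example.
;; ADDITIONAL SECTION:
dns.good.example.     57267  IN A    198.51.100.1
dns.good.example.     21211  IN AAAA 2001:db8:1201::1
"""
CHILD_GOOD = """
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; ANSWER SECTION:
good.example.         86400  IN NS   dns.good.example.
;; ADDITIONAL SECTION:
dns.good.example.     86400  IN A    198.51.100.1
dns.good.example.     86400  IN AAAA 2001:db8:1201::1
"""
# Constructed sample 2 (pattern of slide 67): child names another server, on an RFC 1918 address.
PARENT_BAD = """
;; AUTHORITY SECTION:
bad.example.          259200 IN NS   ns-old.bad.example.
;; ADDITIONAL SECTION:
ns-old.bad.example.   259200 IN A    198.51.100.5
ns-old.bad.example.   259200 IN AAAA 2001:db8:12::1
"""
CHILD_BAD = """
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; ANSWER SECTION:
bad.example.          3600   IN NS   ns-new.bad.example.
;; ADDITIONAL SECTION:
ns-new.bad.example.   3600   IN A    192.168.132.1
ns-new.bad.example.   3600   IN AAAA 2001:db8:12:1::1
"""
# Constructed sample 3 (pattern of slide 65): delegated server just refers to the root.
CHILD_LAME = """
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
.                     3600   IN NS   a.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net.   3600   IN A    198.41.0.4
"""
```

Running check_delegation on the three pairs gives no findings for the good zone, an NS mismatch plus an unroutable 192.168.132.1 for the bad zone, and a lame delegation plus an NS mismatch for the zone whose server answers with a root referral. In a scheduled job, the same function can be fed real dig output for every delegated school zone to catch the drift shown on slides 66 to 68 before resolvers start logging lame server messages.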