In the top of DNS tree there are 13 root servers. Why 13? Because, UDP packets, which is used for DNS, have a header size that can only accomodate 13 entries.
Root servers are called using A, B, C.........M. And some roots are also replicated.
Bangladesh has a replica of F-root.
Underneath root there are top level domains.
Open recursive name servers finds answers for any query coming from anyone. But, the case should be, it should only find answers for his clients. Due to this open recursiveness, there are many DDoS attacks. Reverse DNS is used for security purposes. Many secured servers will not comply to your request if you do not resolve to a reverse DNS query.
In IPv4 for mapping we use 'A' records in zone files, such as
www. A 10.23.2.1
mail. A 10.23.3.1
In IPv6 we use 'quad A' records, such as
www. AAAA 2001:AA::1
A records and quad A records can be mixed in the same zone file.
If zone files have wrong entries about name servers, it is called lame delegation.
For reverse zone records, there is a top level domain named 'arpa', and under that 'in-addr' for inverse address. And then, underneath that we have /8, /16, /24 and then /32 quads in hierarchical order. So while reading we need to read from the bottom, such as, 2.23.10.in-addr.arpa
The catch is, the DNS system is arranged at the classful boundary, but if we have a CIDR addressign like /21 then how can we resolve that? Then we need to go to the nearest classful boundary that we own. For a /21 address, we need to create reverse zone files for all the block of /24 that we own, i.e., all the 8 /24 blocks that are in our /21 domain. And this kind of records are called pointer records or 'ptr' because they point to actual names. So, at the beginning of the reverse zone file, we put the origin of our site which includes everything upto the network part. For example: origin 2.23.10.in-addr.arpa, and then we start putting the seperate machine addresses in different lines. And the lines contain only the machine addresses. For example:
1 PTR www.sumanta.com
2 PTR mail.sumanta.com
Remember, if we dont put any dot after the digits in the left column, DNS assumes that it is not a fully qualified domain name and it appends the origin after it. But if we put dot after it, then the DNS assumes it as a FQDN and doesn't put the origin after it.
Glue records are the records in my name server where I put the name server entries of my own subdomains. For example, if I am sumanta.com and my customer is computing.sumanta.com, then I should have a record in my zone file pointing to the ns server of computing.sumanta.com
Reverse for CIDR addresses:
For CIDR address such as 202.159.0/26 where you cannot keep zone files for any classful boundaries which is lower than the actual classless boundary we use a different trick. They use something like a range. In DNS conf file, the ns server is defined as:
0-63 NS ns.computing.sumanta.com
and in reverse zone files we have records like
$origin 0-63.0.159.202.in-addr.arpa
1 PTR www.computing.sumanta.com
Now, as we didn't put any dot after the left column digit, so the DNS engine will derive the address as 1.0-63.0.159.202.in-addr.arpa, but that is not what we want, we dont want the 0-63 part in the address. That's why we use another trick called CNAME. CNAME is used for synonyms. If we put something like
1.0-63 CNAME 1
then the erroneous 1.0-63 part will be replaced by only 1, which is correct.
IPv6
For IPv6 the hierarchy is root->arpa->ip6->ip6 address divided at every hex boundary
So, at the reverse zone file, we have to write something like 1.0.0.0.0.0E.F.0.0.A.2.2.so on.ip6.arpa PTR www.sumanta.com
But fortunately, we can use the $origin and write all the common part only once and then just write the last part at the PTR records.
Use "DIG" for checking the configuration of the DNS servers.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment