Cosc 4750 Domain Name Service (DNS) IP Addresses Machines on the Internet need an addressing scheme (or couldn’t receive packets!) Each machine has a.

Cosc 4750

Domain Name Service (DNS)

IP Addresses• Machines on the Internet need an addressing scheme (or

couldn’t receive packets!)• Each machine has a 32-bit address assigned by the

Internet Corporation for Assigned Names and Numbers (ICANN).

• In the U.S., American Registry for Internet Numbers (ARIN)• In Europe, Réseaux IP Européens (RIPE)• Addresses are written in dotted decimal notation:

• 128 . 2 . 218 . 2

10000000 00000010 11011010 00000010• Current max number of IP addresses = 232 ~ 4,000,000,000

Domain Names• IP addresses are inconvenient to remember

129.72.216.5 v. meru.cs.uwyo.edu (fully qualified)• Domain names are alphanumeric aliases for IP addresses.

They form a tree structure of FQDNs:

ROOT

.GOV .COM .MIL .NET .EDU .ORG .IT

UWYO PITT MITAMAZON MCKINSEY YAHOO

GSIA SDVC CS HEINZ

YEN MERU DOLLAR K2

207.237.113.94

129.72.216.5

208.216.182.15

129.72.216.12

DNS services

• Name to IP translations• Host aliasing

– asuwlink.uwyo.edu, also know as w3.uwyo.edu, ftp.uwyo.edu, etc.

• Mail server aliasing– In Cosc, all mail goes to one machine, even if sent to

different machines in the department

• Load Distribution– One DNS name points to different machines, the DNS

then uses round robins (or better algorithms) to give out IP numbers.

How it works

• At one point it was a single host for all machines– provided single point of failure– Traffic volumes could overwhelm it– Distant centralized database– Maintenance

• Would be a real problem now.

● Today, it functions in a hierarchy of name servers● Lots of local name servers

● Provides easy updates and quick response since local.● Local name servers have local name servers above them.● 10-15 root servers, right now

● root servers point to top level local servers, don’t hold any hosts names except root servers.

● Each name server has authoritative name servers (one level higher in the hierarchy usually) to kept rogue name servers from misdirecting people.

DNS Namespace● Two sorts of top-level domains (TLD)

● US: .edu, .net, .com, .gov, .mil, .arpa (rarely used)

● Rest of the world● two letter country codes: .us (USA), .au, .de, .fi, .dk,

.is, .md, .tv dozens of others.● New ones are being added, .biz and several

others.● .edu, .com, .net, .arpa are used outside us.

DNS names● several countries have sold their domain

● .md sold to a company, now used for doctors and residents of Maryland

● .tv now used for Television stations● Squatting

● purchase a name, but not using it. Then sell it to a company for a huge profit.

● used for nationally/internationally recognized names● Also used for people using similar names

● ie. www.whitehouse.com (Porn site), www.whitehouse.gov● Companies are now successfully suing and getting the names

changed.

BIND software

● two versions common. v4 and v9● 4 has been discontinued (v 4.9.X), but very

stable● 9 has many new features, but security issues

● the daemon that does the work is called named. ● Name servers, come in three types:● master, slave, cache/forwarding

Example name servers structure

ROOT

.GOV .COM .MIL .NET .EDU .ORG .IT

UWYO PITT MITAMAZON MCKINSEY YAHOO

GSIA SDVC CS HEINZ

BIGHORN MERU

Config files

Forward lookup files: meru.cs.uwyo.edu IN A 129.72.216.4<hostname> IN A <IP> Other partswww.cs.uwyo.edu IN CNAME hive.cs.uwyo.edu<alias hostname> IN canonical name <real hostname> www.cs.uwyo.edu IN MX 0 alameda.cs.uwyo.edu<alias hostname> IN mail <weight> <hostname to send the mail

to> 

IN NS pike.cs.uwyo.edu<no name> IN Name server <hostname> Also you can multiple names for CNAME, MX, A: named uses a round-robin method for

handing them outhive.cs.uwyo.edu IN A 129.72.216.51

IN A 129.72.216.50

Subdomains in DNS

• meru.cs.uwyo.edu IN A 129.72.216.4• pike.cs.uwyo.edu IN A 129.72.216.13• cs IN NS meru.cs.uwyo.edu• IN NS pike.cs.uwyo.edu

• These are uwyo.edu records, when it gets a request for cs.uwyo.edu, it then sends the name server to meru or pike.

Reverse Name files

• 129.72.216.4 IN PTR meru.cs.uwyo.edu.

• <IP number> IN PTR <name>

• NS records are also included in the reverse name files as well.

nslookup & dig

• nslookup meru.cs.uwyo.edu – provides the IP

• nslookup <return>– enter the shell programs

• >meru

• returns the ip number, 129.72.216.4

• >129.72.216.4– returns the name, meru

• >set type=MX

• >hive.cs.uwyo.edu– returns the mail server redirection, alameda

• dig provides same info, but stat’s number of requests, and query time

/etc/resolv.conf

• File on UNIX listing the name servers

nameserver 10.216.218.13

nameserver 10.216.218.12

nameserver 10.84.60.8

search cs.uwyo.edu uwyo.edu

(OR) domain cs.uwyo.edu

win2k

• changed the standard for DNS– microsoft: embrace, extend, exterminate or change two

things and call it microsoft’s– Win2k comes with it own version of DNS (needs

updated before using).

• BIND version 8 and 9 will accept microsoft’s implementation of DNS– needs to understand the _ and -– dynamic updates, but not with kerberos 5 (secure

updates)

Cosc 4750

NFS and NS

NFS

● NFS = Network File System● NFS is almost transparent to the users and is

“stateless”, meaning that no information is lost when an NFS server crashes

● Introduced by Sun in 1985● Used for sharing a “filesystem” from a

server to client machines

● Currently two versions in use● NFS version 2

● All UNIX O/S can use this version● NFS version 3

● Used by Sun, Sgi, HP-UX, and FreeBSD● used by most linux distro’s, but a little buggy.

● NFS version 4● still new, lot of problems with configurations.● Is supposed to be able to deal with firewalls.

● Filesytems and file ownership● The Server assumes that the client is using

the same UIDs and GIDs● The server and the client had better be using the

same set or there will be major security problem.

● Root access● An exported NFS filesystem can be set to block

incoming root (UID 0) requests.● Since root can su into another users account, root

can still gain access to the files.● the nobody account

● UID –2, or -65,534 [2’s complement of –2] are also blocked.

● File locking● NFS file locking has a tendency to be “flaky”.● Since so many machines can be using the same

file at the same time, it is a difficult process handled by lockd and statd.

● Disk quotas● handled by the server’s stated filesystem, but

the users on a remote system won’t know that unless rquotad is running on the server.

Security

● By default NFS provides no security● You can Sun’s public key system or

Kerberos for NFS● If you have a firewall, you can block port

2049 (UDP and TCP) ● unless you are using Sun’s WebNFS

Server-Side NFS

● It uses, nfsd, mountd, and portmap (since NFS relies on rpc)

● mountd and nfsd rely on a file, that tells them what filesystems are to be exported– /etc/exports (solaris: /etc/dfs/dfstab)

● To tell mountd and nfsd you changed the file, you must run: exportfs –a (solaris: shareall)

exports file

● The syntax is different between vendors● 1 line for each filesystem to be exported and

the following can (are) listed.– the filesystem– computers that have read/write priv’s– computers that have read only priv’s– computers that have root priv’s

● If a machine is listed by it’s name (NOT the IP number)● Then the machine name and IP number must be

listed in the /etc/hosts file. Otherwise, it will be denied access

● Some NFS servers allow a wildcard *● Fedora/Redhat linux does

Example

• Redhat version

• /home meru(rw,no_root_squash) *.cs.uwyo.edu(rw)

• /usr/local *.cs.uwyo.edu(rw)

• /var *.cs.uwyo.edu(ro)

• Standard NFS (Not used by many venders though)

• /meru3 rw,access=meru:alameda:k2,root=meru

Client-side NFS

● Uses the mountd daemon (can also use the nfsiod daemon as well).

• auto mounting on boot– uses the /etc/fstab (/etc/vfstab for Sun)

● manual mounting– uses the mount command– mount <machine>:<filesystem> <mount point>

● fstab file, used for both nfs and local drives● What it looks like:

● <machine>:<filesystem> <mount point> <flags> 0 0

● flags: (some of them)● rw Read/Write ro Read Only● bg background the mount of the filesystem● soft If nfs server fails, access fails with an error● hard if nfs server fails, access to blocked until server

returns● intr Allows users to interrupted blocked operations

Stat’s and debugging

● nfsstat –s ● shows stat’s and information about an nfs

server, rpc stat’s, timeouts, and many filesystem commands

● nfsstat -c● shows stat’s and information about an nfs

client, rpc stat’s, timeouts, and many filesystem commands

● Showmount● List all hosts that have mounted a nfs filesystem

● showmount –a● list all hosts and what they mounted

● showmount –d● list all the fileystems that have been mounted

● showmount –e● list all exported filesystems and who can mount them

● showmount [-a –e –d] <host>● Same as above, but for a remote host.

automatic mounting

● Besides mounting at boot time, an automouting daemon can be setup to mount the filesystem only when needed and removed when not used.

● Allows you to provide a list of replicated filesystems, for that case that a nfs server fails.

NIS

● NIS: the Network Information Service● originally called Sun Yellow Pages (yp),

but sued by the AT&T and changed the name.

● Allows you to share account information (passwd, shadow, group), as well as other system files, like hosts and services.

Advantages

● You can setup a user account on one machine and the information is distributed out to the other machines in the group.● The user can then login into any machine in

group● Combined with NFS, the user has the same file

space and account information on a variety of computers.

How it works.

● One computer acts as a master server● Other machines can act as slave server

● Client machines then ask for information from the server (master or slave).

● Example of a password file:

… normal password line

+seker::::::: User seker can have access

+ All NIS accounts have access

● All information about the user is gotten from the server password file

● So for user seker, it will ask the server which shell to use

● For security reasons, only UID over 100 are shared out in Fedora/Redhat. ● Can be configured to share all UIDs, except

root.

● ypserv is the server program ● yppasswd (maybe part of ypserv), used on

the server for new passwords● ypbind is the client program, which also

runs the server● ypasswd, used on the client machine instead

of passwd to change a users password.

● The reason that ypbind runs on server machines that all server machines are also client machines.

QA&