8/14/2019 Understanding DHCP and DNS (Cisco - 2003)
1/40
Copyright 2002, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
111 2003, Cisco Systems, Inc. All rights reserved.NMS-11017969_05_2003_c2
Understanding DHCP and DNS
Session NMS-1101
Agenda
- Introduction to Names and Addresses
- Managing Addresses with DHCP
  - Hierarchy and Topology
  - Assignment and Reliability
- Resolving Names with DNS
  - Protocol
  - Database
  - Reliable Operation
  - New Things
Address Review
- IPv4 address: 32 bits; decimal, 8-bit fields, period separation
  e.g. 128.9.0.33
  [Figure: 128.9.0.33 written as four 8-bit binary fields under the bit weights 128 64 32 16 8 4 2 1]
- IPv6 address: 128 bits; hexadecimal, 16-bit fields, colon separation
  e.g. 2001:0DB8:0000:0001:02A0:C9FF:FE61:1216
Address Hierarchy and Naming
- Addresses have a topological hierarchy
- Names have a logical hierarchy
- The two are not necessarily aligned with each other
  e.g. mylaptop.myenterprise.com is 192.168.1.1, yourlaptop.yourenterprise.com is 192.168.1.2
Subnet Mask
  Address  128.9.0.33
  Mask     255.255.255.0
- Mask separates the network (1) part from the host (0) part of the address
- Prefix (longest match) routing: contiguous 1 bits to the left
  [Figure: the address and the mask shown bit by bit; the mask is 24 one bits followed by 8 zero bits]
Subnets
- Each range of addresses for hosts defines a subnet, e.g. 128.9.0.0/24
  - 24 is the number of 1 bits in the mask, i.e. the bits in the network address
  - 32-24=8 is the number of bits in the host address
- Within the subnet, hosts communicate directly, using layer 2
- Special meaning for certain host addresses
  - All-ones: broadcast
  - All-zero: network
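The mask and prefix arithmetic of the last three slides, as an added example (not code from the Cisco session) written with plain bit operations so the network/host split is visible; it also rejects a mask whose 1 bits are not contiguous, which prefix routing requires. Inputs are the slides' own values.

```python
# Added example (not from the Cisco slides): subnet arithmetic done with plain
# bit operations so the mask/prefix relationship on the slide is visible.
# The values used below are the slide's own (128.9.0.33 with 255.255.255.0).

def dotted_to_int(dotted):
    """'128.9.0.33' -> 32-bit integer; rejects malformed fields."""
    fields = dotted.split(".")
    if len(fields) != 4:
        raise ValueError("IPv4 address needs 4 fields: %r" % dotted)
    value = 0
    for field in fields:
        n = int(field)
        if not 0 <= n <= 255:
            raise ValueError("field out of range: %r" % field)
        value = (value << 8) | n
    return value


def int_to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_length(mask):
    """Number of 1 bits in the mask.  Raises if the 1 bits are not contiguous
    from the left, which prefix (longest-match) routing requires."""
    m = dotted_to_int(mask)
    ones = bin(m).count("1")
    # a valid mask with n ones is exactly n ones followed by 32-n zeros
    if m != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError("mask bits are not contiguous: %s" % mask)
    return ones


def subnet_info(address, mask):
    """Split an address into its network and host parts using the mask."""
    a = dotted_to_int(address)
    m = dotted_to_int(mask)
    n = prefix_length(mask)
    network = a & m                            # all-zero host part
    broadcast = network | (~m & 0xFFFFFFFF)    # all-ones host part
    host_bits = 32 - n
    return {
        "subnet": "%s/%d" % (int_to_dotted(network), n),
        "network": int_to_dotted(network),
        "broadcast": int_to_dotted(broadcast),
        "host_bits": host_bits,
        "host_part": a & ~m & 0xFFFFFFFF,
        # every host address except the all-zero and all-ones ones
        "usable_hosts": max((1 << host_bits) - 2, 0),
    }


def same_subnet(addr_a, addr_b, mask):
    """True when both hosts share the network part, i.e. they can talk
    directly over layer 2 without going through a router."""
    m = dotted_to_int(mask)
    return dotted_to_int(addr_a) & m == dotted_to_int(addr_b) & m


if __name__ == "__main__":
    print(subnet_info("128.9.0.33", "255.255.255.0"))
    # hosts on the two links of the Address Selection slide
    print(same_subnet("192.168.1.1", "192.168.2.1", "255.255.255.0"))
```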
Address Selection
- A subnet is assigned to a physical network (link)
- Hosts on that network get a unique address from the subnet
- Consequences:
  - Host gets its initial address based on location
  - Host must change address after moving to a new network
  [Figure: two links, 192.168.1.0 with host 192.168.1.1 and 192.168.2.0 with host 192.168.2.1]
Special Addresses
  Multicast    IPv4: 224-239.d.d.d [RFC 2365]                  IPv6: FFxx:x:x:x:x:x:x:x
  Anycast      [RFC 1546] Unicast, but with multiple advertisers
  Site-local   IPv4: 10/8, 172.16/12, 192.168/16 [RFC 1918]    IPv6: FEC0:0:0::
  Link-local   IPv4: 169.254/16                                IPv6: FE80:0:0:0:
  Loopback     IPv4: 127.0.0.1                                 IPv6: 0:0:0:0:0:0:0:1 (::1)
Name Hierarchy
  [Figure: name tree from the root "." through top-level domains .com, .edu, .net, .se down to .uiuc, .unm, .umd, .cs, .ncsa, .chem]
- Independent of the address hierarchy
- Name length not limited by address size (63 bytes/label, 255 bytes/FQDN)
DHCP Basics
- Ideal administrator: the DHCP server acts as proxy for the network administrator
- Assignment is temporary: an address is assigned with a lease
- Addresses can be reassigned when no longer in use
- Backup for reliability
How DHCP Works: Obtaining an Address
- Server dynamically assigns an IP address on demand
- Administrator creates pools of addresses available for assignment to hosts
- Address is assigned with a lease time
  - Client can extend the lease time dynamically
  - Server can reassign the address after the lease expires
- DHCP delivers other configuration information in options
  [Figure: the DHCP client asks the DHCP server "Send My Configuration Information"; the server answers "Here is Your Configuration":
    IP Address: 192.204.18.7
    Subnet Mask: 255.255.255.0
    Default Routers: 192.204.18.1, 192.204.18.3
    DNS Servers: 192.204.18.8, 192.204.18.9
    Lease Time: 5 days]
How DHCP Works: Message Exchange
- DHCP client broadcasts a DISCOVER packet on the local subnet
- DHCP servers send an OFFER packet with lease information
- DHCP client selects a lease and broadcasts a REQUEST packet
- Selected DHCP server sends an ACK packet
  [Figure: Server 1, Client, Server 2. The client's DISCOVER (broadcast) reaches both servers; OFFER-1 and OFFER-2 come back (unicast); the client broadcasts REQUEST-2, seen by both servers; Server 2 answers with ACK (unicast)]
DHCP Relay: Centralized DHCP Service
  [Figure: DHCP client on physical network 161.44.18.0/24; router with DHCP relay, interface Ethernet 0 at 161.44.18.1, configured with "ip helper 161.44.54.7" and "ip helper 161.44.55.8"; the DHCP packet is forwarded, with GIADDR filled in, to the DHCP servers 161.44.54.7 and 161.44.55.8]
- DHCP client broadcasts a DISCOVER packet
- DHCP relay (ip helper address) on the router hears the DISCOVER packet and forwards (unicast) the packet to the DHCP server
- DHCP relay fills in the GIADDR field with the IP address of the receiving interface of the router
- DHCP relay can be configured to forward the packet to multiple DHCP servers; the client will choose the best server
- DHCP servers use the GIADDR field of the DHCP packet as an index into the list of address pools
DHCP Options for Applications
- Options are registered with IANA
- Service Location Protocol (SLP) [RFC 2610]
- Novell directory services [RFC 2241]
- Time, NIS, TCP and IP parameters [RFC 2131]
  [Figure: DHCP client, DHCP servers and NTP servers]
DHCP Reliability
- Multiple servers with split address pools
- Failover
  - Draft based on our (Cisco) design
  - Two servers can share address pools and continue to operate if one fails
DHCP Safe Failover Protocol
- All DHCP requests are sent to both servers
- Primary updates the backup with lease information
- Backup takes over when the primary fails
- Backup server uses a dedicated pool of addresses allocated by the primary, to prevent duplicate IP addresses
- Servers synchronize when the primary is up
- IETF Internet draft: draft-ietf-dhc-failover-12.txt
  [Figure: primary DHCP server with primary address pool 172.16.18.101-200; backup DHCP server with backup address pool 172.16.18.191-200]
How DHCP Works: DHCP Packet
  [Figure: packet layout in 32-bit rows]
  OP Code | Hardware Type | Hardware Length | HOPS
  Transaction ID (XID)
  Seconds | Flags
  Client IP Address (CIADDR)
  Your IP Address (YIADDR)
  Server IP Address (SIADDR)
  Gateway IP Address (GIADDR)
  Client Hardware Address (CHADDR), 16 bytes
  Server Name (SNAME), 64 bytes
  Filename, 128 bytes
  DHCP Options
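The packet layout above, the DISCOVER/OFFER exchange and the relay's GIADDR handling from the earlier slides, as one added example (not code from the session or from any Cisco product): a minimal encoder/decoder for the fixed fields, a relay step that fills GIADDR and counts a hop, and a server that picks its pool by GIADDR and answers with the option set from the "Obtaining an Address" slide. The addresses are the relay slide's; pool contents, MAC address and XID are constructed.

```python
# Added example (not code from the slides or from any Cisco product): a minimal
# DHCP encoder/decoder for the fixed fields shown above, the relay step from the
# DHCP Relay slide, and a server that indexes its address pools by GIADDR.
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"            # separates BOOTP header from DHCP options
BOOTREQUEST, BOOTREPLY = 1, 2                 # OP code: client -> server, server -> client
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5    # values of the message-type option
# option codes (RFC 2132): subnet mask, router, DNS, lease time, message type, server id
OPT_MASK, OPT_ROUTER, OPT_DNS, OPT_LEASE, OPT_MSGTYPE, OPT_SERVER_ID = 1, 3, 6, 51, 53, 54
OPT_PAD, OPT_END = 0, 255
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"         # 236 bytes: op ... file, as on the slide
FIELDS = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
          "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file")


def ip4(dotted):
    return socket.inet_aton(dotted)


def build_packet(op, xid, chaddr, options, yiaddr="0.0.0.0", siaddr="0.0.0.0",
                 giaddr="0.0.0.0", hops=0, flags=0x8000):
    """Serialise the fixed header (htype 1 = Ethernet, hlen 6) followed by the
    magic cookie and a list of (code, raw value) options."""
    header = struct.pack(HEADER, op, 1, 6, hops, xid, 0, flags, ip4("0.0.0.0"),
                         ip4(yiaddr), ip4(siaddr), ip4(giaddr), chaddr, b"", b"")
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_packet(data):
    """Inverse of build_packet: fixed fields by name plus {code: raw value} options."""
    pkt = dict(zip(FIELDS, struct.unpack(HEADER, data[:236])))
    for key in ("ciaddr", "yiaddr", "siaddr", "giaddr"):
        pkt[key] = socket.inet_ntoa(pkt[key])
    pkt["chaddr"] = pkt["chaddr"][:pkt["hlen"]]
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:                  # pad has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    pkt["options"] = opts
    return pkt


def relay_forward(data, receiving_interface_ip):
    """What 'ip helper-address' does on the router: fill GIADDR with the address
    of the interface the broadcast arrived on (only if it is still zero), count
    one hop, and hand the packet on to the configured server as unicast."""
    pkt = parse_packet(data)
    giaddr = receiving_interface_ip if pkt["giaddr"] == "0.0.0.0" else pkt["giaddr"]
    return data[:3] + bytes([pkt["hops"] + 1]) + data[4:24] + ip4(giaddr) + data[28:]


def server_offer(data, pools, server_ip):
    """Answer a DISCOVER with an OFFER.  GIADDR selects the pool, as the relay
    slide says; the OFFER carries the options from the 'Obtaining an Address' slide."""
    pkt = parse_packet(data)
    if pkt["options"].get(OPT_MSGTYPE) != bytes([DISCOVER]):
        return None
    pool = pools[pkt["giaddr"]]                 # KeyError: no pool for that subnet
    yiaddr = pool["free"].pop(0)                # addresses handed out in order
    opts = [(OPT_MSGTYPE, bytes([OFFER])),
            (OPT_SERVER_ID, ip4(server_ip)),
            (OPT_MASK, ip4(pool["mask"])),
            (OPT_ROUTER, b"".join(ip4(r) for r in pool["routers"])),
            (OPT_DNS, b"".join(ip4(d) for d in pool["dns"])),
            (OPT_LEASE, struct.pack("!I", pool["lease"]))]
    return build_packet(BOOTREPLY, pkt["xid"], pkt["chaddr"], opts, yiaddr=yiaddr,
                        siaddr=server_ip, giaddr=pkt["giaddr"], flags=pkt["flags"])


def demo():
    """Constructed walk-through with the relay slide's addresses: client on
    161.44.18.0/24, relay interface 161.44.18.1, server 161.44.54.7.  The pool
    contents, MAC address and XID are made up for the example."""
    pools = {"161.44.18.1": {"free": ["161.44.18.10", "161.44.18.11"],
                             "mask": "255.255.255.0", "routers": ["161.44.18.1"],
                             "dns": ["161.44.54.7", "161.44.55.8"], "lease": 5 * 86400}}
    mac = bytes.fromhex("0011223344ff")
    discover = build_packet(BOOTREQUEST, 0x3903F326, mac, [(OPT_MSGTYPE, bytes([DISCOVER]))])
    forwarded = relay_forward(discover, "161.44.18.1")   # router adds GIADDR, hops=1
    return parse_packet(server_offer(forwarded, pools, "161.44.54.7"))
```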
Summary
DHCP
Questions?
Domain Name Service
- DNS is a database, and the protocol to access it
- Distinctive features:
  - Designed for look-up queries
  - Replicated content
  - Distributed control (zones)
DNS Servers and Resolvers
- The application connects by name; the application gets the address from the resolver
- Most applications use addresses in the order provided by the resolver
  [Figure: inside the OS, the network application calls the DNS resolver; the resolver learns the address of the DNS server from the DHCP server and queries the DNS server]
TCP and UDP Ports
- Port 53 for both TCP and UDP
- UDP for queries if small enough
- TCP for zone transfer
- Server can use source port 53 when forwarding
Redirection and Recursion
- Redirection: "Take your question down the hall"
- Recursion: "I'll get back to you"
- The resolver sets recursion desired (RD); the server responds with recursion available (RA), through bits in the DNS header
DNS First Query
- Clients (stub resolvers) query the local DNS server for IP addresses (RD on)
- The local server queries (RD off) the root name server and follows referrals until it finds a server that has the answer
- Local servers send answers back to the clients and cache the answers
  [Figure: "Q. IP address for ringding.cs.umd.edu" goes from the client to the local DNS server, which asks the root name server (including .edu), then the .UMD name server, then the cs.umd.edu name server; "A. 128.8.126.2" comes back to the local server and then to the client]
DNS Subsequent Queries
- Clients (stub resolvers) query the local DNS server for IP addresses (RD on)
- After the first time, the answer is found in the cache
- Local servers send answers back to the clients and cache the answers
  [Figure: the same "Q. IP address for ringding.cs.umd.edu"; the local DNS server answers "A. 128.8.126.2" from its cache without contacting the root, .UMD or cs.umd.edu name servers]
Caching and Forwarders
- Caching is controlled by the Time to Live
- Negative caching (saving the information that a record doesn't exist) is required by RFC 2308
- The minimum TTL parameter in the SOA (or the TTL of the SOA RR itself if it is lower) determines the TTL for caching negative answers
- Sending a recursive query to a forwarder builds a cache for the site
Time to Live
- Changing host addresses
  - Reduce the TTL prior to the change
  - Then restore it to manage the load
- CNR dynamically updates the DNS TTL with 1/3 of the DHCP lease time
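The lookup of the First Query, Subsequent Queries and Caching slides, as an added example (not the session's code): a constructed delegation tree for ringding.cs.umd.edu, a local server that walks referrals from the root with RD off, and a cache that keeps positive answers for their TTL and negative answers for min(SOA minimum, SOA TTL) as RFC 2308 specifies. Server names, TTLs and SOA values are made up; the address is the slides'.

```python
# Added example, not from the slides: a constructed delegation tree for the
# ringding.cs.umd.edu lookup shown above, a local (recursive) server that walks
# referrals from the root with RD off, and a cache that holds positive answers
# for their TTL and negative answers for min(SOA minimum, SOA TTL) per RFC 2308.

# Each authoritative server: the child zones it delegates (and which server to
# refer to), its A records as (address, ttl), and (SOA minimum, SOA RR TTL).
# Server names, TTLs and SOA values are made up; the address is the slide's.
AUTH = {
    "root":   {"delegations": {"edu.": "edu-ns"}, "records": {}, "soa": (86400, 86400)},
    "edu-ns": {"delegations": {"umd.edu.": "umd-ns"}, "records": {}, "soa": (86400, 86400)},
    "umd-ns": {"delegations": {"cs.umd.edu.": "cs-ns"}, "records": {}, "soa": (86400, 86400)},
    "cs-ns":  {"delegations": {},
               "records": {"ringding.cs.umd.edu.": ("128.8.126.2", 7200)},
               "soa": (86400, 3600)},   # SOA TTL lower than minimum: it wins for negatives
}


def authoritative_answer(server, qname):
    """Reply of one authoritative server to a non-recursive (RD off) query:
    ('referral', next_server), ('answer', address, ttl) or ('nxdomain', neg_ttl)."""
    srv = AUTH[server]
    for child, child_server in srv["delegations"].items():
        if qname == child or qname.endswith("." + child):
            return ("referral", child_server)
    if qname in srv["records"]:
        address, ttl = srv["records"][qname]
        return ("answer", address, ttl)
    minimum, soa_ttl = srv["soa"]
    return ("nxdomain", min(minimum, soa_ttl))


class LocalServer:
    """The site's local DNS server: takes RD-on queries from stub resolvers,
    iterates from the root, and caches both positive and negative answers."""

    def __init__(self):
        self.cache = {}            # qname -> (address or None, absolute expiry)
        self.upstream_queries = 0  # how many authoritative servers were asked

    def resolve(self, qname, now):
        """Return (address or None, 'cache' | 'iterative') for the stub."""
        qname = qname.lower()
        if not qname.endswith("."):
            qname += "."
        hit = self.cache.get(qname)
        if hit is not None and hit[1] > now:
            return hit[0], "cache"
        server = "root"
        while True:                # follow referrals until a server answers
            self.upstream_queries += 1
            reply = authoritative_answer(server, qname)
            if reply[0] == "referral":
                server = reply[1]
                continue
            address = reply[1] if reply[0] == "answer" else None
            ttl = reply[2] if reply[0] == "answer" else reply[1]
            self.cache[qname] = (address, now + ttl)
            return address, "iterative"
```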
Terminology
- Label (name, owner)
- Resource Record (type)
- Value (encoded by type)
Record Format
  label [ttl] [class] RR-type value
  VAXA.ISI.EDU. IN A 10.2.0.27
  VAXA.ISI.EDU. IN A 128.9.0.33
  (Label, RR-Type, Value)
- Optional fields: we only care about class=IN (Internet); ttl will get attention later
Address Examples
- In the standardized format for zone description, an empty label is the same as the previous line
  VAXA.ISI.EDU. A 10.2.0.27
                A 128.9.0.33
  (Label, RR-Type, Value)
IP Version 6
- AAAA resource records defined in RFC 3152
  v6host.example.com. AAAA 4321:0:1:2:3:4:567:89ab
Address and Canonical Name
- A (address) resource record (RR): the value is a 32-bit IPv4 address
- CNAME: the value is the name of a new label
  - The value of a canonical name is not allowed to be the label of a CNAME record
Delegation Zone
  [Figure: name tree Edu > Umd > WWW, Lab, Chem, Faculty; the Umd subtree is a subordinate zone]
- Hierarchical name space
- Each node in the tree represents a domain/subdomain
- Some subdomains are defined as zones
- Each zone has a primary name server responsible for all lower nodes, but delegation is to all authoritative name servers
- Resource Records (RR) can, but don't have to, be defined for each node
Delegation Records
- Distributes database administration
- Name Server (NS) RR: refers, in both the parent and the child zone, to the authoritative name servers for the child (delegated) zone
- Zone Start of Authority (SOA) RR: contains administrative information for the delegated zone, in the delegated zone only
Delegation: NS and Glue
- NS Resource Record (RR)
- Glue entries in the parent zone when the name server is in the delegated zone
  SRI.COM. NS KL.SRI.COM.
  KL.SRI.COM. A 10.1.0.2
Delegation: SOA
  label [ttl] [class] SOA ( ... )
$ORIGIN ARPA.
@ IN SOA SRI-NIC.ARPA. HOSTMASTER.SRI-NIC.ARPA. (
        45      ;serial (sequential)
        3600    ;refresh (1 hour regular check)
        600     ;retry (10 minutes between check)
        3600000 ;expire (42 days until refresh)
        86400 ) ;minimum (a day)
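A reader for the record format of the last few slides (Record Format, Address Examples, NS and Glue, SOA), as an added example that is not the session's code: it handles ';' comments, the parenthesised multi-line SOA value, $ORIGIN and $TTL, '@' and relative names, the optional ttl and class fields in either order, and the empty-label rule (same owner as the previous line). The embedded zone text is the slides' own data.

```python
# Added example (not from the slides): a small master-file reader for the record
# format above.  It handles ';' comments, multi-line '( ... )' values as in the SOA
# example, $ORIGIN/$TTL, '@', relative names, the optional TTL and class fields in
# either order, and the empty-label rule (same owner as the previous line).
# Limitation: a ';' inside a quoted TXT string would be taken for a comment.
import re

CLASSES = {"IN", "CH", "HS"}
# value fields that hold domain names and therefore need qualifying
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SRV": (3,), "SOA": (0, 1)}


def qualify(name, origin):
    """'@' is the origin; a name without a trailing dot is relative to it."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin


def logical_lines(text):
    """Strip comments and join the physical lines inside parentheses.  Leading
    whitespace of the first physical line is kept: it marks an empty label."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw)
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            joined = " ".join(buf)
            buf = []
            if joined.strip():
                yield joined
    if depth != 0:
        raise ValueError("unbalanced parentheses in zone data")


def parse_zone(text, origin=".", default_ttl=None):
    """Return a list of (owner, ttl, class, type, [value tokens]) tuples."""
    records, last_owner = [],None
    for line in logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if line[0].isspace():                  # empty label: owner of previous line
            if last_owner is None:
                raise ValueError("empty owner with no previous record")
            owner = last_owner
        else:
            owner = qualify(tokens.pop(0), origin)
        ttl, rclass = default_ttl, "IN"
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            if tokens[0].isdigit():
                ttl = int(tokens.pop(0))
            else:
                rclass = tokens.pop(0).upper()
        rtype, values = tokens[0].upper(), tokens[1:]
        for i in NAME_FIELDS.get(rtype, ()):
            values[i] = qualify(values[i], origin)
        records.append((owner, ttl, rclass, rtype, values))
        last_owner = owner
    return records


# The slides' own records, concatenated into one master-file fragment.
SOA_EXAMPLE = """$ORIGIN ARPA.
@ IN SOA SRI-NIC.ARPA. HOSTMASTER.SRI-NIC.ARPA. (
        45      ;serial (sequential)
        3600    ;refresh (1 hour regular check)
        600     ;retry (10 minutes between check)
        3600000 ;expire (42 days until refresh)
        86400 ) ;minimum (a day)
VAXA.ISI.EDU. IN A 10.2.0.27
              A 128.9.0.33
"""
```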
Reverse DNS for IPv4 Addresses
- Another hierarchy, for in-addr.arpa.
- Reverse the order in the label, because names aggregate within suffixes rather than (address) prefixes
  27.0.2.10.IN-ADDR.ARPA. PTR VAXA.ISI.EDU.
  33.0.9.128.IN-ADDR.ARPA. PTR VAXA.ISI.EDU.
- ARPA: Addressing and Routing Parameters Area
Reverse DNS for IPv6 Addresses
- Reverse DNS for IPv6 is in IP6.ARPA
  v6host.example.com. AAAA 4321:0:1:2:3:4:567:89ab
  b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.IP6.ARPA. PTR v6host.example.com.
Reverse Requirement
- For every IP address, there should be a matching PTR record in the in-addr.arpa. domain.
- RFC 1912, Common DNS Operational and Configuration Errors
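The reverse-name construction of the two previous slides and the RFC 1912 requirement above, as an added example (not the session's code, standard library only): it builds in-addr.arpa and ip6.arpa names for the slides' own records, including the nibble expansion of a compressed IPv6 address, and reports addresses whose PTR is missing or points at a different name. The forward and reverse maps in the test are constructed.

```python
# Added example (not from the slides): build the reverse-lookup names for the
# records shown above and check the RFC 1912 requirement that every address
# has a PTR pointing back at its name.  Uses only the standard library.
import ipaddress


def reverse_name_v4(address):
    """'10.2.0.27' -> '27.0.2.10.in-addr.arpa.' (octets in reverse order)."""
    octets = str(ipaddress.IPv4Address(address)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def reverse_name_v6(address):
    """Expand to all 32 hex nibbles, then one label per nibble in reverse order
    under ip6.arpa; compressed forms like 4321:0:1:2:3:4:567:89ab are expanded."""
    nibbles = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_name(address):
    """Dispatch on the address family; raises ValueError for a malformed address."""
    addr = ipaddress.ip_address(address)
    return reverse_name_v6(str(addr)) if addr.version == 6 else reverse_name_v4(str(addr))


def ptr_record(address, hostname):
    """Master-file line for the PTR that maps the address back to hostname."""
    return "%s PTR %s" % (reverse_name(address), hostname)


def check_forward_reverse(forward, reverse):
    """forward: {hostname: address}; reverse: {reverse name: hostname} as published
    in in-addr.arpa/ip6.arpa.  Returns the addresses whose PTR is missing or
    points at a different name (the common errors RFC 1912 warns about).
    Names are compared case-insensitively, as DNS does."""
    published = {name.lower(): target for name, target in reverse.items()}
    bad = []
    for hostname, address in forward.items():
        target = published.get(reverse_name(address).lower())
        if target is None or target.lower() != hostname.lower():
            bad.append(address)
    return bad
```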
Reverse Complication
- Address field separations not on dotted-decimal boundaries
- Create CNAMEs in in-addr.arpa.
- Parent creates the labels:
  0/25.1.2.10.in-addr.arpa. IN NS ns.example.com.
  13.1.2.10.in-addr.arpa. IN CNAME 13.0/25.1.2.10.in-addr.arpa.
- Child creates the PTR:
  13.0/25.1.2.10.in-addr.arpa. IN PTR foo.example.com.
- Instead of a PTR, have a CNAME to a different label which is in a zone already delegated to the holder of the IP address
Records for Applications
- MX
- SRV
- NAPTR
MX
- Mail eXchange RR: where the mail for the host is to be sent
- Round-robin within equal preferences
- Mailers send only to lower preference numbers
  - po2 is only allowed to send to po1 in the example below
  Name          TTL  Class  MX  Preference  Target
  BAZ.FOO.COM.              MX  10          PO1.FOO.COM.
                            MX  20          PO2.FOO.COM.
                            MX  20          PO3.FOO.COM.
Wildcards
- Special treatment for * in the label
- Any name in the query matches, and the answer is synthesized
- Most often used in mail exchange
- Creates problems with DNSSEC
  FOO.COM.   MX 10 RELAY.CS.NET.
  *.FOO.COM. MX 20 RELAY.CS.NET.
SRV
- Generalizes the MX idea: find hosts offering a service in a domain
- Adds structure to the name
- Adds fields to the RR: specialize priority and weight (replacing preference)
- Target must not be an alias (CNAME)
- RFC 2782
SRV: Format of RR and Example
  _Service._Proto.Name.    SRV Priority Weight Port Target
  _ldap._tcp.example.com.  SRV 1        10     389  ldap1.example.com.
                           SRV 1        20     389  ldap2.example.com.
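The selection rules of the MX and SRV slides, as an added example (not the session's code): the delivery order a mailer derives from the MX set above (lowest preference first, equal preferences rotated, a listed mailer only sending to strictly lower numbers, so po2 gets only po1), the RFC 2782 priority/weight draw for the SRV set, and the check that no SRV target is a CNAME. The records are the slides' own; the rng parameter exists so the draw can be made deterministic.

```python
# Added example (not from the slides): the delivery order a mailer derives from
# the MX set above, and the RFC 2782 priority/weight selection for the SRV set.
# The records are the slides' own; the rng argument exists so results can be checked.
import random

MX_EXAMPLE = [(10, "PO1.FOO.COM."), (20, "PO2.FOO.COM."), (20, "PO3.FOO.COM.")]
SRV_EXAMPLE = [(1, 10, 389, "ldap1.example.com."), (1, 20, 389, "ldap2.example.com.")]


def mx_delivery_order(mx_records, self_name=None, rng=random):
    """Targets to try, lowest preference number first, equal preferences in
    rotated (round-robin) order.  A mailer that is itself in the list may only
    send to hosts with a strictly lower preference number; an empty result means
    it is the final destination and must deliver locally."""
    records = list(mx_records)
    if self_name is not None:
        own = [p for p, t in records if t.lower() == self_name.lower()]
        if own:
            records = [(p, t) for p, t in records if p < min(own)]
    groups = {}
    for pref, target in records:
        groups.setdefault(pref, []).append(target)
    ordered = []
    for pref in sorted(groups):
        group = groups[pref]
        start = rng.randrange(len(group))      # rotate the group, not shuffle it
        ordered.extend(group[start:] + group[:start])
    return ordered


def srv_selection_order(srv_records, rng=random):
    """RFC 2782 ordering: lowest priority first; within one priority a target is
    drawn with probability proportional to its weight, weight 0 only as a last
    resort.  Returns (priority, weight, port, target) tuples in the order to try."""
    by_priority = {}
    for priority, weight, port, target in srv_records:
        by_priority.setdefault(priority, []).append((weight, port, target))
    order = []
    for priority in sorted(by_priority):
        pending = sorted(by_priority[priority], key=lambda r: r[0] != 0)  # weight 0 first
        while pending:
            total = sum(w for w, _, _ in pending)
            pick = rng.randint(0, total)       # 0 <= pick <= total
            running = 0
            for i, (weight, port, target) in enumerate(pending):
                running += weight
                if running >= pick:
                    order.append((priority, weight, port, target))
                    del pending[i]
                    break
    return order


def srv_targets_that_are_aliases(srv_records, cname_owners):
    """The slide's rule: an SRV target must not be a CNAME.  cname_owners is the
    set of names that own a CNAME record; returns the offending targets."""
    aliases = {n.lower() for n in cname_owners}
    return [t for _, _, _, t in srv_records if t.lower() in aliases]
```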
NAPTR
- Naming Authority PoinTeR
- Universal resource identifier
- Regular expressions
- Replacement strings
- RFC 2915
- Used for example in ENUM; ENUM is the mapping from E.164 numbers to URIs
Secondary Servers
- Reliability depends on separation
  - Location: physical and subnet
  - Independent fate: separate power
  - Separate administration if possible
- RFC 2182, best current practice
Replication
- Transfer zone contents (AXFR)
- Transfer controlled by the serial number and refresh parameters in the SOA
- The secondary queries for the SOA and compares the serial number with what it already has. If the serial is higher, the client will request a zone transfer.
- This is repeated by the client as specified in Refresh in the SOA.
Replication Efficiency
- Notify (new protocol operation) enables the primary to inform the secondary when the zone has changed [RFC 1996]
  - In reality, it tells the client to set its Refresh timer to zero, so the client restarts a new Refresh cycle immediately
- Incremental transfer (IXFR) sends just the changes to the zone [RFC 1995]
Dynamic Update
- Atomic update of an RR-set
- Base specification: RFC 2136
- Secure version: RFC 3007
- Created so that DHCP servers and clients can update DNS
- http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html
Securing Queries
- TSIG: Transaction Signature, RFC 2845
- Secret-key hash of the transaction (HMAC-MD5) to the forwarder
- Pseudo RR, not cached or saved
- Only useful with local forwarders
Securing Zone Transfer
- TSIG is used
- Secondary servers have an administrative relationship that can support secret keys
- Don't need the overhead of public keys
TKEY
- Transaction KEY, not stored
- Use DNS to establish secret keys: an alternative to manual keys
- Modes include
  - Diffie-Hellman
  - GSS-API
  - Server or resolver assigned, encrypted (encrypted using the KEY RR)
- RFC 2930
SIG(0)
- Use DNS for the client to authenticate to the server
- Authenticates the transaction
- Public KEY in DNS
- Private key in the client
- RFC 2931
Securing Zone Contents
- DNS security
- KEY RR: distributes public keys for records
- SIG RR: authenticates (signs) one RR set
- NXT RR: next record, enables authentication of non-existence
- DS RR: delegation signer, ~key in the parent with which the child zone is signed
- RFC 2535, being revised
Deployment of DNS Security
- Experimental only now
- Trust depends on the entire path from the resolver
- Signing all the RRsets in large zones, like .com, is an unresolved problem
Split DNS
- External holds limited contents for the public
- Internal
  - Isolated clients query DNS servers configured as root
  - Internal (secondary) servers forward to an external caching server for other domains
Internal Root
  [Figure: queries from outside reach the DNS server for the zone; queries from inside go from the resolver to the internal forwarder and the internal root]
Internal Forwarding Server
  [Figure: resolver, internal forwarder, internal root, internal DNS server and external DNS server; the links are marked "With Recursion ON" and "With Recursion OFF"]
Load Sharing
- Resolvers use addresses in the order received, although the original concept was that they choose randomly
- A DNS server can rotate the order of the (multiple) addresses of a hostname to distribute the load
Source-Dependent Answers
- Return addresses in the order of closeness to the resolver
- Same subnet is close, but requires knowing the subnet mask
- Can look into the routing structure
- DNS support for content networking uses other metrics for which answer to give
Distributed Director
- The DD server is the authoritative name server for a zone with the same name as the web server
- When a query arrives, the DD server verifies with DRP agents which web server is closest to the client
- The DD server responds with the best IP address
- The DD server can also do HTTP redirects in HTTP mode
  [Figure: Distributed Director, web servers and users in Brussels, Paris, Los Angeles and San Jose, connected over the Internet]
DRP: Director Response Protocol
- Operates with routers in the field to determine:
  - Client to server network proximity
  - Client to server link latency (RTT)
- UDP-based
  [Figure: client, web servers, Distributed Director and DRP agents across the Internet]
Anycast
- Announce the same IP address from multiple servers
- Only works with UDP
- Two versions:
  - Anycast inside an AS (ok)
  - Anycast where the same AS is announced from multiple sources (dangerous due to security reasons)
  [Figure: a client reaching 130.237.222.71, which is announced from two places]
Boomerang
1. Content is distributed
2. Client queries the content router via the local DNS server
3. Content servers are told to respond to the DNS query
4. Responses are sent back
5. The first response arriving is the closest
6. Client connects to that IP address
  [Figure: origin web server, content router, local DNS server, and several server load balancers with content servers]
Summary
- Addresses can be allocated automatically
- DNS can support more than just name-to-address lookup
- For more details: Sessions NMS-1301 and NMS-1302
Other Network Management Sessions
- NMS-1001 Introduction to Network Management
- NMS-1011 Principles of Fault Management
- NMS-1021 Principles of Configuration Management
- NMS-1031 Introduction to Collecting Traffic Accounting Information
- NMS-1041 Introduction to Performance Management
- NMS-1201 Improving Network Availability
- NMS-2001 Network Troubleshooting Tools and Techniques
- NMS-2021 Large Scale Deployment of CiscoWorks
- NMS-2041 Performance Measurement with Cisco IOS
- NMS-2051 Securely Managing Your Network
- NMS-2102 Deploying and Troubleshooting NAT
- NMS-2201 Deploying Highly Available Enterprise Networks
- NMS-4031 Advanced NetFlow Accounting
- NMS-4041 Adv. Perform. Mgmt. with Cisco Service Assurance Agent
Recommended Reading
- IP Addressing Fundamentals, ISBN: 1587050676
- Available on-site at the Cisco Company Store
Please Complete Your Evaluation Form
Session NMS-1101
Reverse Delegation
- RFC 2317: 2.3/12 CNAME xxx.IN-ADDR.ARPA
- For delegation of
  - 192.0.2.0/25 to organization A
  - 192.0.2.128/26 to organization B
  - 192.0.2.192/26 to organization C
Reverse Delegation Problem
$ORIGIN 2.0.192.in-addr.arpa.
;
1 PTR host1.A.domain.
2 PTR host2.A.domain.
3 PTR host3.A.domain.
;
129 PTR host1.B.domain.
130 PTR host2.B.domain.
131 PTR host3.B.domain.
;
193 PTR host1.C.domain.
194 PTR host2.C.domain.
195 PTR host3.C.domain.
Reverse Delegation Solution
$ORIGIN 2.0.192.in-addr.arpa.
@ IN SOA my-ns.my.domain. hostmaster.my.domain. (...)
;...
; /25
0/25 NS ns.A.domain.
0/25 NS some.other.name.server.
;
1 CNAME 1.0/25.2.0.192.in-addr.arpa.
2 CNAME 2.0/25.2.0.192.in-addr.arpa.
3 CNAME 3.0/25.2.0.192.in-addr.arpa.
; /26
128/26 NS ns.B.domain.
128/26 NS some.other.name.server.too.
;
129 CNAME 129.128/26.2.0.192.in-addr.arpa.
130 CNAME 130.128/26.2.0.192.in-addr.arpa.
131 CNAME 131.128/26.2.0.192.in-addr.arpa.
Reverse Delegation Solution (Cont.)
; /26
192/26 NS ns.C.domain.
192/26 NS some.other.third.name.server.
;
193 CNAME 193.192/26.2.0.192.in-addr.arpa.
194 CNAME 194.192/26.2.0.192.in-addr.arpa.
195 CNAME 195.192/26.2.0.192.in-addr.arpa.
$ORIGIN 0/25.2.0.192.in-addr.arpa.
@ IN SOA ns.A.domain. hostmaster.A.domain. (...)
@ NS ns.A.domain.
@ NS some.other.name.server.
;
1 PTR host1.A.domain.
2 PTR host2.A.domain.
3 PTR host3.A.domain.
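The RFC 2317 construction of the Reverse Complication slide and of the Reverse Delegation Problem/Solution slides above, as an added example (not the session's code): it generates the parent-zone NS and CNAME records and the child-zone PTR records for any block smaller than a /24, and follows the CNAME chain the way a resolver answering a PTR query would. The block, name servers and host names in the test are the slides' own.

```python
# Added example (not from the slides): generate the RFC 2317 records that the
# Reverse Delegation Solution slides show by hand, for any sub-/24 block, and
# follow the CNAME chain the way a resolver answering a PTR query would.
import ipaddress


def classless_delegation(cidr, child_servers, ptr_hosts):
    """cidr: block to delegate, e.g. '192.0.2.128/26'; child_servers: name
    servers of the organisation receiving it; ptr_hosts: {address: hostname}
    the child publishes.  Returns (parent_zone_lines, child_zone_lines)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if not 25 <= net.prefixlen <= 32:
        raise ValueError("use an ordinary NS delegation for /24 and larger")
    o = str(net.network_address).split(".")
    parent_origin = "%s.%s.%s.in-addr.arpa." % (o[2], o[1], o[0])
    label = "%s/%d" % (o[3], net.prefixlen)         # e.g. 0/25, 128/26, 192/26
    child_origin = label + "." + parent_origin
    parent = ["$ORIGIN " + parent_origin, "; /%d" % net.prefixlen]
    parent += ["%s NS %s" % (label, ns) for ns in child_servers]
    for addr in net:                                # one CNAME per address
        host = str(addr).split(".")[3]
        parent.append("%s CNAME %s.%s" % (host, host, child_origin))
    child = ["$ORIGIN " + child_origin]
    child += ["@ NS %s" % ns for ns in child_servers]
    ordered = sorted(ptr_hosts.items(), key=lambda kv: ipaddress.IPv4Address(kv[0]))
    for address, name in ordered:
        if ipaddress.IPv4Address(address) not in net:
            raise ValueError("%s is not inside %s" % (address, cidr))
        child.append("%s PTR %s" % (address.split(".")[3], name))
    return parent, child


def lookup_ptr(parent, child, address):
    """Resolve a PTR the way the slides describe: the parent's CNAME for the
    last octet leads into the child zone, where the PTR lives.  None if the
    CNAME is missing, points somewhere else, or the child has no PTR."""
    host = address.split(".")[3]
    cname = next((l.split()[2] for l in parent if l.startswith(host + " CNAME ")), None)
    if cname is None:
        return None
    child_origin = child[0].split()[1]
    if cname != "%s.%s" % (host, child_origin):
        return None
    return next((l.split()[2] for l in child if l.startswith(host + " PTR ")), None)
```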