by Nikolai Hristov (6-09-2012)



DNS is the part of the Internet's "foundation" that is visible to the user. Computers communicate using IP addresses, but every user-level communication on the Internet starts with a DNS query. To check mail at gmail.com (for example), the user types "www.gmail.com" into the browser's address field. Since computers work with IP addresses, the operating system turns to the DNS server configured in advance to find out which IP address "www.gmail.com" corresponds to, then establishes the connection and delivers the www.gmail.com start page to the user.

DNS servers come in two kinds: authoritative servers, which answer queries for a given zone, and cache servers, which answer all user queries by performing the translation from domain name to IP address.

Resolvers are the client-side component responsible for the initial DNS queries. They come in two kinds:

stub resolver - a client component that cannot by itself carry out all the queries needed to find the desired information. Stub resolvers depend on recursive DNS cache resolvers; they cannot perform recursive DNS queries themselves. The query is of the form "which IP does www.gmail.com correspond to?", and the stub expects the configured DNS cache server to do everything necessary to find the IP address.

recursive DNS cache resolver - called DNS cache servers for short. They perform recursive queries, taking care of all the additional queries needed to reach the desired result. Example:

web browser -> www.gmail.com
stub resolver -> what is the IP of www.gmail.com? -> dns cache server (the configured DNS server)
dns cache server -> recursive query
dns cache server -> which authoritative DNS servers are responsible for gmail.com?
(the same as)

# host -t ns gmail.com
gmail.com name server ns2.google.com.
gmail.com name server ns1.google.com.
gmail.com name server ns3.google.com.
gmail.com name server ns4.google.com.

dns cache server -> ok, what is the IP of one of these servers, so that I can ask it about www.gmail.com?

(the same as)

# host ns3.google.com.
ns3.google.com has address 216.239.36.10

dns cache server -> I ask 216.239.36.10 which IP www.gmail.com corresponds to

(the same as)
# host www.gmail.com 216.239.36.10
Using domain server:
Name: 216.239.36.10
Address: 216.239.36.10#53
Aliases:

www.gmail.com is an alias for mail.google.com.
mail.google.com is an alias for googlemail.l.google.com.
googlemail.l.google.com has address 209.85.148.17
googlemail.l.google.com has address 209.85.148.19
googlemail.l.google.com has address 209.85.148.18
googlemail.l.google.com has address 209.85.148.83
googlemail.l.google.com has IPv6 address 2a00:1450:4001:c01::11

dns cache server -> www.gmail.com is an alias for googlemail.l.google.com, which has several IP addresses.

dns cache server -> answer to the stub resolver: www.gmail.com -> 209.85.148.17, 209.85.148.18, 209.85.148.19, 209.85.148.83
dns cache server -> the answer is "cached".

Client-side DNS configuration.

The typical configuration of a user PC whose operating system is set up for Internet access includes a DNS server setting.
On UNIX-like operating systems this is configured in the file /etc/resolv.conf (example from NetBSD):

# cat /etc/resolv.conf
# Created by dhclient from vr0
nameserver 10.1.42.1


On Windows it is found under Control Panel -> Network -> Local Area Connection -> Properties -> TCP/IP Settings. The current DNS settings can also be seen with the command: ipconfig /all

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : horizon9.org
Description . . . . . . . . . . . : Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller
Physical Address. . . . . . . . . : 00-1A-4D-9A-BF-00
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.1.42.137 (Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 22 yuli 2012 g. 08:43:33 ch.
Lease Expires . . . . . . . . . . : 24 yuli 2012 g. 08:43:37 ch.
Default Gateway . . . . . . . . . : 10.1.42.1
DHCP Server . . . . . . . . . . . : 10.1.42.1
DNS Servers . . . . . . . . . . . : 10.1.42.1
Primary WINS Server . . . . . . . : 10.1.42.1
NetBIOS over Tcpip. . . . . . . . : Enabled


In the example above the configured DNS cache server is 10.1.42.1.
Operating systems also have a local file in which DNS names can be statically mapped to given IP addresses. The file is called "hosts" and is located as follows:

On UNIX-like operating systems it is:

# cat /etc/hosts
# $NetBSD: hosts,v 1.7 2004/08/29 13:26:17 chs Exp $
#
# Host Database
# This file should contain the addresses and aliases
# for local hosts that share this file.
# It is used only for "ifconfig" and other operations
# before the nameserver is started.
#
::1 localhost localhost.
127.0.0.1 localhost localhost.
10.1.42.1 sativa-amd64 www.horizon9.org
#
# RFC 1918 specifies that these networks are "internal".
# 10.0.0.0 10.255.255.255
# 172.16.0.0 172.31.255.255
# 192.168.0.0 192.168.255.255

UNIX also has a mechanism for specifying the order of DNS lookups. This is done in the file /etc/nsswitch.conf

# cat /etc/nsswitch.conf
# $NetBSD: nsswitch.conf,v 1.5 1999/10/24 12:36:52 lukem Exp $
#
# nsswitch.conf(5) -
# name service switch configuration file
#
# These are the defaults in libc
#
group: compat
group_compat: nis
hosts: files dns
netgroup: files [notfound=return] nis
networks: files
passwd: compat
passwd_compat: nis
shells: files

# List of supported sources for each database
#
# group: compat, dns, files, nis
# group_compat: dns, nis
# hosts: dns, files, nis
# netgroup: files, nis
# networks: dns, files, nis
# passwd: compat, dns, files, nis
# passwd_compat: dns, nis
# shells: dns, files, nis


As this configuration shows, the order is:
1. look in the file /etc/hosts
2. if there is no entry there, ask the configured DNS server

The comments contain an example (hosts: dns, files, nis) in which the DNS server is asked first; if it has no such record, the /etc/hosts file is consulted, and if there is no entry there either, a query is sent to the configured NIS server.
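The following is an added example, not code from the article or from any libc: a small model of how the name service switch walks the sources on the `hosts:` line and stops at the first one that has an answer. The nsswitch.conf and hosts file contents are constructed samples in the same layout as the NetBSD files above, and the `dns` source is a hypothetical in-memory table standing in for the configured cache server.

```python
# Added example (not from the article): resolve a name in nsswitch order.
# The two files below are constructed samples; FAKE_DNS is a hypothetical
# stand-in for whatever the configured DNS cache server would answer.
import ipaddress

NSSWITCH_CONF = """\
# name service switch configuration file
group:   compat
hosts:   files dns
passwd:  compat
"""

HOSTS_FILE = """\
# Host Database
::1        localhost localhost.
127.0.0.1  localhost localhost.
10.1.42.1  sativa-amd64 www.horizon9.org
"""

# Deliberately disagrees with /etc/hosts for www.horizon9.org, so the
# effect of the source order is visible.
FAKE_DNS = {
    "www.horizon9.org": ["192.0.2.10"],
    "www.gmail.com": ["209.85.148.17", "209.85.148.18"],
}


def parse_nsswitch_hosts(text):
    """Return the sources on the ``hosts:`` line, e.g. ['files', 'dns']."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        database, _, sources = line.partition(":")
        if database.strip() == "hosts":
            # Action specifiers such as [notfound=return] are not sources.
            return [tok for tok in sources.split() if not tok.startswith("[")]
    return ["files", "dns"]                         # libc default if absent


def parse_hosts_file(text):
    """Map every hostname and alias in a hosts file to its addresses."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                                # malformed line: skipped
        for name in fields[1:]:
            addrs = table.setdefault(name.lower().rstrip("."), [])
            if addr not in addrs:
                addrs.append(addr)
    return table


def lookup(name, nsswitch_text=NSSWITCH_CONF, hosts_text=HOSTS_FILE, dns=FAKE_DNS):
    """Try each source in nsswitch order; return (source, addresses) of the
    first one that knows the name, or (None, []) if none does."""
    key = name.lower().rstrip(".")
    sources = {
        "files": lambda: parse_hosts_file(hosts_text).get(key, []),
        "dns": lambda: dns.get(key, []),
    }
    for src in parse_nsswitch_hosts(nsswitch_text):
        answers = sources.get(src, lambda: [])()    # nis etc.: nothing here
        if answers:
            return src, answers
    return None, []
```

With `hosts: files dns`, the entry in /etc/hosts wins and the cache server is never asked; swapping the line to `hosts: dns files nis` reverses that, which is why integrity monitoring of the hosts file (and of nsswitch.conf) is worthwhile on any host whose resolution you rely on.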

On Windows I am not sure whether the lookup order can be changed, but the mechanism is as follows:

1. The hosts file is checked for an entry. It is located in C:\Windows\System32\drivers\etc.

C:\Windows\System32\drivers\etc>type hosts
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost


2. The local DNS cache service (DNS Client, if it is running) is asked. In this case it is a stub resolver, because it cannot perform recursive queries on its own. It maintains a local "cache".

C:\Windows\System32\drivers\etc>net start
These Windows services are started:

Base Filtering Engine
COM+ Event System
Computer Browser
Cryptographic Services
DCOM Server Process Launcher
Desktop Window Manager Session Manager
DHCP Client
Diagnostic Policy Service
Diagnostic Service Host
Distributed Link Tracking Client
DNS Client
ESET Service
Function Discovery Resource Publication
Group Policy Client
Human Interface Device Access
......
......
[ cut ]

As can be seen, the local DNS cache service is already started. The contents of the local cache can be viewed with the command: C:\Windows\System32\drivers\etc>ipconfig /displaydns

3. If the record is neither in the "hosts" file nor in the local DNS Client service (or the service is not running), a query is sent to the DNS server configured in the TCP/IP settings.

DNS cache server

A DNS cache is a server that sends queries to authoritative DNS servers on the client's behalf, answers the client, and keeps ("caches") the answers it has already received for a certain period. In principle a client computer should never query authoritative DNS servers directly.

Every DNS cache server installation includes a file listing the names and IP addresses of the top-level DNS servers, called the DNS root hints. In BIND this is named.root, in djbdns it is /service/dnscache/root/servers/@, and on Windows Server it is C:\WINDOWS\system32\dns\cache.dns. The contents of such a file are:

A.ROOT-SERVERS.NET 198.41.0.4
B.ROOT-SERVERS.NET 192.228.79.201
C.ROOT-SERVERS.NET 192.33.4.12
D.ROOT-SERVERS.NET 128.8.10.90
E.ROOT-SERVERS.NET 192.203.230.10
F.ROOT-SERVERS.NET 192.5.5.241
G.ROOT-SERVERS.NET 192.112.36.4
H.ROOT-SERVERS.NET 128.63.2.53
I.ROOT-SERVERS.NET 192.36.148.17
J.ROOT-SERVERS.NET 192.58.128.30
K.ROOT-SERVERS.NET 193.0.14.129
L.ROOT-SERVERS.NET 199.7.83.42
M.ROOT-SERVERS.NET 202.12.27.33


The DNS cache server needs this file so that it has somewhere to "start" the recursive queries for a given domain.

As an example I will use the configuration of my home network:
10.1.42.130 - client PC with 10.1.42.1 configured as its DNS server
10.1.42.1 - recursive DNS cache server (here dnscache from the djbdns package)

(user) 10.1.42.130 -> which IP does www.google.bg correspond to? -> 10.1.42.1
(user) 10.1.42.130 - 10.1.42.1 answers:

answer: www.google.bg 86400 CNAME www-cctld.l.google.com
answer: www-cctld.l.google.com 300 A 173.194.35.152
answer: www-cctld.l.google.com 300 A 173.194.35.159
answer: www-cctld.l.google.com 300 A 173.194.35.151


www.google.bg is actually a reference (CNAME) to the name www-cctld.l.google.com, which has three IP addresses assigned. The CNAME record has a TTL (time to live) of 86400 seconds, while each of the IP addresses has a TTL of 300 seconds.

Here are the operations the DNS cache server performs in order to deliver the answer to the client.

If the record is already in the local cache and its TTL (time to live) has not yet expired, the client receives the cached record. If the record is missing, or its TTL has expired, i.e. the record is stale, the DNS cache server does the following:

* The DNS cache server picks one of the IP addresses from the root hints file at random (or round robin), for example 193.0.14.129 (k.root-servers.net), and asks it for the SOA (Start of Authority) record.

(dns cache) 10.1.42.1 -> whom should I ask about the google.bg zone? -> 193.0.14.129 (k.root-servers.net)
(dns cache) 10.1.42.1 - I don't know about google.bg, but I know who is responsible for .bg, ask these DNS servers - 193.0.14.129 (k.root-servers.net)

# dnsq soa .bg 193.0.14.129
6 bg:
347 bytes, 1+0+6+9 records, response, noerror
query: 6 bg
authority: bg 172800 NS bg.cctld.authdns.ripe.net
authority: bg 172800 NS ns.register.bg
authority: bg 172800 NS ns2.register.bg
authority: bg 172800 NS ns3.register.bg
authority: bg 172800 NS ns4.register.bg
authority: bg 172800 NS ns-ext.isc.org
additional: bg.cctld.authdns.ripe.net 172800 A 193.0.9.61
additional: ns.register.bg 172800 A 192.92.129.99
additional: ns2.register.bg 172800 A 193.68.3.232
additional: ns3.register.bg 172800 A 94.155.14.10
additional: ns4.register.bg 172800 A 194.0.32.1
additional: ns-ext.isc.org 172800 A 204.152.184.64
additional: bg.cctld.authdns.ripe.net 172800 AAAA 2001:67c:e0:0:0:0:0:61
additional: ns4.register.bg 172800 AAAA 2001:678:3c:0:0:0:0:1
additional: ns-ext.isc.org 172800 AAAA 2001:4f8:0:2:0:0:0:13

Note: the additional records are GLUE records, which will be explained in the second part of this article.

* Let us ask again who the SOA for .bg is, this time using one of those servers:

# dnsq soa .bg ns.register.bg
6 bg:
214 bytes, 1+1+6+0 records, response, authoritative, noerror
query: 6 bg
answer: bg 345600 SOA ns.register.bg hostmaster.register.bg 2012090506 3600 1800 2592000 86400
authority: bg 345600 NS ns.register.bg
authority: bg 345600 NS bg.cctld.authdns.ripe.net
authority: bg 345600 NS ns4.register.bg
authority: bg 345600 NS ns2.register.bg
authority: bg 345600 NS ns-ext.isc.org
authority: bg 345600 NS ns3.register.bg

* The next step for the DNS cache server is to ask one of these servers, for example 192.92.129.99 (ns.register.bg), about google.bg


(dns cache) 10.1.42.1 -> whom should I ask about the google.bg zone? ---> 192.92.129.99 (ns.register.bg)
(dns cache) 10.1.42.1 - for google.bg ask one of [ns1,ns2,ns3,ns4].google.com - 192.92.129.99 (ns.register.bg)

# dnsq ns google.bg ns.register.bg
6 google.bg:
109 bytes, 1+0+4+0 records, response, noerror
query: 6 google.bg
authority: google.bg 345600 NS ns3.google.com
authority: google.bg 345600 NS ns2.google.com
authority: google.bg 345600 NS ns1.google.com
authority: google.bg 345600 NS ns4.google.com

* In this case the Start of Authority (SOA) servers are not in the same domain (.bg) but in the .com domain, so the next step is to send an SOA query again, this time for .com.

# dnsq soa .com k.root-servers.net
6 com:
509 bytes, 1+0+13+15 records, response, noerror
query: 6 com
authority: com 172800 NS a.gtld-servers.net
authority: com 172800 NS b.gtld-servers.net
authority: com 172800 NS c.gtld-servers.net
authority: com 172800 NS d.gtld-servers.net
authority: com 172800 NS e.gtld-servers.net
authority: com 172800 NS f.gtld-servers.net
authority: com 172800 NS g.gtld-servers.net
authority: com 172800 NS h.gtld-servers.net
authority: com 172800 NS i.gtld-servers.net
authority: com 172800 NS j.gtld-servers.net
authority: com 172800 NS k.gtld-servers.net
authority: com 172800 NS l.gtld-servers.net
authority: com 172800 NS m.gtld-servers.net
additional: a.gtld-servers.net 172800 A 192.5.6.30
additional: b.gtld-servers.net 172800 A 192.33.14.30
additional: c.gtld-servers.net 172800 A 192.26.92.30
additional: d.gtld-servers.net 172800 A 192.31.80.30
additional: e.gtld-servers.net 172800 A 192.12.94.30
additional: f.gtld-servers.net 172800 A 192.35.51.30
additional: g.gtld-servers.net 172800 A 192.42.93.30
additional: h.gtld-servers.net 172800 A 192.54.112.30
additional: i.gtld-servers.net 172800 A 192.43.172.30
additional: j.gtld-servers.net 172800 A 192.48.79.30
additional: k.gtld-servers.net 172800 A 192.52.178.30
additional: l.gtld-servers.net 172800 A 192.41.162.30
additional: m.gtld-servers.net 172800 A 192.55.83.30
additional: a.gtld-servers.net 172800 AAAA 2001:503:a83e:0:0:0:2:30
additional: b.gtld-servers.net 172800 AAAA 2001:503:231d:0:0:0:2:30

* We ask one of these servers: who is responsible for google.com?

# dnsq soa google.com f.gtld-servers.net
6 google.com:
164 bytes, 1+0+4+4 records, response, noerror
query: 6 google.com
authority: google.com 172800 NS ns2.google.com
authority: google.com 172800 NS ns1.google.com
authority: google.com 172800 NS ns3.google.com
authority: google.com 172800 NS ns4.google.com
additional: ns2.google.com 172800 A 216.239.34.10
additional: ns1.google.com 172800 A 216.239.32.10
additional: ns3.google.com 172800 A 216.239.36.10
additional: ns4.google.com 172800 A 216.239.38.10


* Here there are already glue records for [ns1,ns2,ns3,ns4].google.com. We ask ns1.google.com for the SOA again.

# dnsq soa google.bg ns1.google.com
6 google.bg:
219 bytes, 1+1+4+4 records, response, authoritative, weird rd, noerror
query: 6 google.bg
answer: google.bg 86400 SOA ns1.google.com dns-admin.google.com 2012032600 21600 3600 1209600 300
authority: google.bg 345600 NS ns4.google.com
authority: google.bg 345600 NS ns1.google.com
authority: google.bg 345600 NS ns2.google.com
authority: google.bg 345600 NS ns3.google.com
additional: ns4.google.com 345600 A 216.239.38.10
additional: ns1.google.com 345600 A 216.239.32.10
additional: ns2.google.com 345600 A 216.239.34.10
additional: ns3.google.com 345600 A 216.239.36.10

From this answer we now know for certain where the authoritative information for the domain google.bg is. The SOA record of a domain names the so-called "master DNS", while all the others are considered slaves. The SOA record also carries other information about the domain, such as a contact e-mail (dns-admin@google.com), a serial number, TTLs, etc., which we will look at in part two of this article.

* Since we now know for certain whom to ask about google.bg, we send the query: which DNS servers are responsible for google.bg?


# dnsq ns google.bg ns1.google.com
2 google.bg:
173 bytes, 1+4+0+4 records, response, authoritative, weird rd, noerror
query: 2 google.bg
answer: google.bg 345600 NS ns4.google.com
answer: google.bg 345600 NS ns1.google.com
answer: google.bg 345600 NS ns3.google.com
answer: google.bg 345600 NS ns2.google.com
additional: ns4.google.com 345600 A 216.239.38.10
additional: ns1.google.com 345600 A 216.239.32.10
additional: ns3.google.com 345600 A 216.239.36.10
additional: ns2.google.com 345600 A 216.239.34.10


* We ask one of them for the A record of www.google.bg.

(dns cache) 10.1.42.1 -> which IP does www.google.bg correspond to? -> 216.239.34.10 (ns2.google.com)
(dns cache) 10.1.42.1 - answer - 216.239.34.10 (ns2.google.com)

# dnsq a www.google.bg 216.239.34.10
1 www.google.bg:
115 bytes, 1+4+0+0 records, response, authoritative, weird rd, noerror
query: 1 www.google.bg
answer: www.google.bg 86400 CNAME www-cctld.l.google.com
answer: www-cctld.l.google.com 300 A 173.194.35.159
answer: www-cctld.l.google.com 300 A 173.194.35.152
answer: www-cctld.l.google.com 300 A 173.194.35.151

* The result is "cached" and an answer is returned to the client:

(dns cache) 10.1.42.1 -> www.google.bg has three IP addresses: 173.194.35.159, 173.194.35.151, 173.194.35.152 -> 10.1.42.130

All of these referrals, until an authoritative answer is reached, are called delegation.
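To show the whole walk above as one mechanism, here is an added example, not code from the article or from djbdns: a toy recursive cache server that starts at the root hints, follows NS referrals (using glue when a referral carries it, resolving the name server's address first when it does not), chases the CNAME, and caches every record set until its TTL expires. The server data is constructed from the referrals shown above, trimmed to one name server per zone, and the clock is a plain attribute so that TTL expiry can be simulated without waiting. The query counter exists only so the reader can see how much the cache saves.

```python
# Added example, not code from the article or from djbdns.  SERVERS is a
# constructed, trimmed copy of the delegation chain shown above.
ROOT_HINTS = ["193.0.14.129"]                       # k.root-servers.net

# Per server IP: "records" it answers for; "glue" it adds when referring onward.
SERVERS = {
    "193.0.14.129": {                               # root: knows the TLDs
        "records": {("bg", "NS"): [(172800, "ns.register.bg")],
                    ("com", "NS"): [(172800, "f.gtld-servers.net")]},
        "glue": {"ns.register.bg": [(172800, "192.92.129.99")],
                 "f.gtld-servers.net": [(172800, "192.35.51.30")]}},
    "192.92.129.99": {                              # ns.register.bg: .bg zone
        "records": {("google.bg", "NS"): [(345600, "ns1.google.com")]},
        "glue": {}},                                # NS is out of zone: no glue
    "192.35.51.30": {                               # f.gtld-servers.net: .com zone
        "records": {("google.com", "NS"): [(172800, "ns1.google.com")]},
        "glue": {"ns1.google.com": [(172800, "216.239.32.10")]}},
    "216.239.32.10": {                              # ns1.google.com: authoritative
        "records": {("ns1.google.com", "A"): [(345600, "216.239.32.10")],
                    ("www.google.bg", "CNAME"): [(86400, "www-cctld.l.google.com")],
                    ("www-cctld.l.google.com", "A"): [(300, "173.194.35.159"),
                                                      (300, "173.194.35.152")]},
        "glue": {}},
}

def enclosing_zones(name):
    """www.google.bg -> [www.google.bg, google.bg, bg] (closest zone first)."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def query_server(ip, name, rtype):
    """One non-recursive query, like dnsq sends. Returns (kind, owner, records, glue)."""
    srv, recs = SERVERS[ip], SERVERS[ip]["records"]
    if (name, rtype) in recs:
        return "answer", name, recs[(name, rtype)], {}
    if (name, "CNAME") in recs:
        return "cname", name, recs[(name, "CNAME")], {}
    for zone in enclosing_zones(name):              # closest delegation it knows
        if (zone, "NS") in recs:
            ns_recs = recs[(zone, "NS")]
            glue = {ns: srv["glue"][ns] for _, ns in ns_recs if ns in srv["glue"]}
            return "referral", zone, ns_recs, glue
    return "nxdomain", name, [], {}

class CacheResolver:
    """Toy dnscache playing the role of 10.1.42.1 in the article."""
    def __init__(self):
        self.now = 0            # simulated clock, seconds
        self.cache = {}         # (name, type) -> (expires_at, [rdata, ...])
        self.queries = 0        # upstream queries sent; caching exists to keep this low

    def cached(self, name, rtype):
        entry = self.cache.get((name, rtype))
        return entry[1] if entry and entry[0] > self.now else None

    def store(self, name, rtype, records):
        ttl = min(t for t, _ in records)            # record set lives as long as its shortest TTL
        self.cache[(name, rtype)] = (self.now + ttl, [rd for _, rd in records])

    def starting_servers(self, name):
        """Nearest cached delegation (a warm cache skips the root), else the root hints."""
        for zone in enclosing_zones(name):
            addrs = [a for ns in (self.cached(zone, "NS") or []) for a in (self.cached(ns, "A") or [])]
            if addrs:
                return addrs
        return list(ROOT_HINTS)

    def resolve(self, name, rtype="A", depth=0):
        if depth > 8:
            raise RuntimeError("too many indirections resolving " + name)
        hit = self.cached(name, rtype)
        if hit is not None:
            return hit
        cname = self.cached(name, "CNAME")
        if cname:                                   # alias still fresh: re-fetch only the target
            return self.resolve(cname[0], rtype, depth + 1)
        servers, hops = self.starting_servers(name), 0
        while servers and hops < 16:                # hard stop against referral loops
            hops, self.queries = hops + 1, self.queries + 1
            kind, owner, records, glue = query_server(servers[0], name, rtype)
            if kind == "answer":
                self.store(name, rtype, records)
                return [rd for _, rd in records]
            if kind == "cname":
                self.store(name, "CNAME", records)
                return self.resolve(records[0][1], rtype, depth + 1)
            if kind != "referral":
                return []                           # NXDOMAIN (negative caching omitted)
            self.store(owner, "NS", records)        # remember the delegation itself
            for ns, addrs in glue.items():
                self.store(ns, "A", addrs)
            servers = [a for _, ns in records       # no glue? resolve the NS name first
                       for a in (self.cached(ns, "A") or self.resolve(ns, "A", depth + 1))]
        return []

def demo():
    """Cold lookup, then warm lookups 100 s and 400 s later: (ips, q_cold, q_warm, q_expired)."""
    r = CacheResolver()
    ips, cold = r.resolve("www.google.bg"), r.queries
    r.now = 100                                     # CNAME (86400 s) and A (300 s) both fresh
    r.resolve("www.google.bg")
    warm = r.queries
    r.now = 400                                     # A records expired, CNAME still valid
    r.resolve("www.google.bg")
    return ips, cold, warm, r.queries
```

The cold lookup costs seven upstream queries because ns.register.bg hands out no glue for ns1.google.com, so the resolver has to walk root -> .com -> google.com just to learn that server's address before it can continue with google.bg. A second lookup 100 seconds later costs nothing, and one at 400 seconds costs a single query: the 300 s A records are stale but the CNAME and the google.com delegation are still cached, so the resolver goes straight to ns1.google.com.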

Forwarders

In short, these are DNS cache servers that do not perform recursive queries themselves but simply "cache" the answers. Recursive queries are carried out by another server, which is configured separately.

10.1.42.130 (client) -> 10.1.42.1 (cache only server) -> 212.73.138.38 (sns.neterra.bg)

In this case the client's queries are forwarded by the 10.1.42.1 server to a third, external DNS cache, which performs the recursive queries and returns the answer to 10.1.42.1, which "caches" the information and then answers the client. This configuration is convenient for filtering certain domains. For example, we want to block www.vbox7.com for our employees; the easiest way is to configure the DNS forwarder to answer queries for vbox7.com with the IP address of a host serving a web page that says "access denied!". All other queries are forwarded to the real DNS cache server, which performs the recursive queries.
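An added example, not code from the article or from djbdns, of the forwarder described above: a cache-only server that answers a few policy names locally with the block-page address and hands everything else to the upstream recursive server, caching what comes back. The upstream (212.73.138.38 in the article) is replaced by a constructed in-memory table, and the block-page address 10.1.42.250 is made up for the example.

```python
# Added example, not from the article: cache-only forwarder with a local
# block list.  FakeUpstream and BLOCK_PAGE_IP are constructed stand-ins.
import time

BLOCK_PAGE_IP = "10.1.42.250"          # hypothetical host showing "access denied"
BLOCKED_ZONES = ("vbox7.com",)         # the name itself and every name under it


class FakeUpstream:
    """Stand-in for the external DNS cache that does the real recursion."""

    def __init__(self, table):
        self.table = table             # constructed: name -> (ttl, [ips])
        self.calls = 0                 # how often the forwarder really went upstream

    def __call__(self, name):
        self.calls += 1
        return self.table.get(name, (300, []))


class Forwarder:
    """Cache-only server: answers policy names locally, forwards the rest."""

    def __init__(self, upstream, clock=time.monotonic):
        self.upstream = upstream       # callable(name) -> (ttl, [ips])
        self.clock = clock
        self.cache = {}                # name -> (expires_at, [ips])
        self.log = []                  # (decision, name): what you would ship to a SIEM

    @staticmethod
    def normalize(name):
        return name.lower().rstrip(".")

    def is_blocked(self, name):
        return any(name == z or name.endswith("." + z) for z in BLOCKED_ZONES)

    def resolve(self, name):
        name = self.normalize(name)
        if self.is_blocked(name):      # policy answer: the query never leaves the LAN
            self.log.append(("blocked", name))
            return [BLOCK_PAGE_IP]
        entry = self.cache.get(name)
        if entry and entry[0] > self.clock():
            self.log.append(("cache", name))
            return entry[1]
        ttl, ips = self.upstream(name) # delegate the recursion, then remember the answer
        if ips:
            self.cache[name] = (self.clock() + ttl, ips)
        self.log.append(("forwarded", name))
        return ips
```

Note that this only steers name resolution: a client configured with another resolver, or one that has the real address cached, walks around it, so in practice the forwarder is paired with egress filtering of port 53 to anything but 10.1.42.1. The `blocked` log entries are also a cheap detection source, since they show which hosts keep asking for the filtered names.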

That, in broad outline, is how DNS works from the client's point of view. In the next article we will look at authoritative DNS servers, their installation and configuration.

(The examples use the dnsq program from the djbdns package, which allows sending non-recursive queries. The syntax is: dnsq [a,mx,ns,soa...] domain.com dnscache/authority-server)

To be continued...

Another link to the article, with better formatting: http://geroyblog.blogspot.com/2012/07/dns-1-resolvers-cache.html

