SCREEN 1: Web interface to Network Solutions' whois. |
An edited version of this paper appeared with the title "How DNS Works: DNS resources and tools to help you get connected" in Windows 2000 Magazine, June 2000.
This article is targeted at the system or network administrator responsible for a company getting connected to the Internet, possibly for the first time. This article will discuss domain name registration and obtaining IP numbers, as well as provide some details about the Domain Name System (DNS) and associated tools. This article extends Mark Minasi's DNS introduction that appeared in the January issue.
Obtaining Names and AddressesThe DNS, of course, is the distributed database on the Internet that maps host names to IP addresses. In addition, the DNS provides information about a domain's mail and name servers. But before we jump ahead of ourselves, let's review how one obtains an IP network number (NET_ID) and a domain name.
Historically on the Internet, names and addresses were doled out by the Internet Assigned Number Authority (IANA, http://www.iana.org). In 1993, the National Science Foundation (NSF) awarded a 5-year contract to Network Solutions, Inc. (NSI, http://www.networksolutions.com) to operate the name registration service of the then-new Internet Network Information Center (InterNIC, http://www.internic.net). The InterNIC, at the time, became the place to go to get a domain name in the .com, .org, or .net name space, as well as a NET_ID. For all practical purposes, you owned your IP address and could "take it with you" if you changed ISPs. The process today has changed significantly in two vital aspects.
IP Addressing in the Modern EraFirst, let's deal with addresses themselves. In the western hemisphere and some parts of the African continent, the IP number authority is the American Registry of Internet Numbers (ARIN, http://www.arin.net); InterNIC has not assigned IP addresses since about 1997. To keep the size of Internet routing tables manageable, the unused address space several years ago was organized into Classless Interdomain Routing (CIDR) address blocks which are, in turn, assigned to ISPs or other regional number authorities, such as RIPE (http://www.ripe.net) in Europe and the Asia-Pacific NIC (APNIC, http://www.apnic.net). If you're in the U.S., you need to obtain an IP NET_ID address from ARIN when you connect to the Internet, usually in coordination with your ISP.
Because of the rapid exhaustion of addresses, it is very difficult today to get a full Class C address (although less than 50% of all possible Class C addresses have been allocated). ISPs and ARIN actually want to distribute as small an address block as possible and will assign NET_IDs with as few as 8 host addresses to a customer. They do this using variable-length subnet masks (VLSMs), a way of implementing classless addressing. A full description of VLSMs is beyond the scope of this article, the sidebar provides the motivation for using them and an example.
But how can a company with several hundred systems operate with just a small handful of IP addresses? The answer is Network Address Translation (NAT) and Request for Comments (RFC) 1918 private addresses. A company may have a large number of users but generally has only a few servers that require publicly visible IP addresses. One increasingly common solution is that organizations are using private IP addressing internally and public servers are also assigned a public IP address; NAT statically maps the server's public address to an internal private address. When a client system communicates with the Internet, the client is dynamically and temporarily assigned a public address. Port Address Translation (PAT), also called NAT overload, is employed if more clients need addresses than there are available public addresses. NAT and PAT address management occurs transparently at the router or NAT server, so users never see this.
If you'd like to know more about the current address assignments, visit John Crossley's IP Network Index (http://www.ipindex.net/), an index relating IP Class A, B, and C network numbers to network names.
Registering Domain Names in the Internet's Commercial EraThe second big change is with respect to domain name registration. The NSF's contract with NSI expired in April 1998. Unfortunately, it seems to have never occurred to anyone what to do after that date so NSI's contract has been extended several times, now through at least September 2000. In 1998, the Internet Corporation for Assigned Names and Numbers (ICANN, http://www.icann.org) was formed to create a fair yet efficient domain name registration arrangement. There are many factors behind the formation of ICANN and a good description of the history and evolution of ICANN can be found at the National Telecommunications and Information Administration (NTIA) Web site (http://www.ntia.doc.gov/ntiahome/domainname/). The bottom line is that while NSI remains the sole administrator of names in the .com, .org, and .net name space, there are now many companies that can register names in that space, such as America Online (http://www.aol.com), Melbourne IT (http://www.ina.com.au), and register.com (http://www.register.com). A list of all accredited name registrars can be found at the ICANN Web site at http://www.icann.org/registrars/accredited-list.html.
The Internals of the DNSThe DNS is a distributed data base containing host, mail server, name server, and other domain information. A primary name server and at least one secondary name server must be maintained for every Internet domain. When a client system on the Internet needs to find the IP address of a server (e.g., a reader of this article surfing to www.winntmag.com or sending e-mail to gkessler@symquest.com), the client sends a DNS query to its local name server. If the local name server doesn't have the necessary address information for the target server, the local name server sends a query to one of 13 well-known root name servers on the Internet to determine the target domain's name servers. The query is then forwarded to one of the target domain's name servers for final resolution.
Many ISPs provide primary and secondary DNS service; others only provide secondary DNS service and require that the customer host the primary name server. Examining the DNS file structure, then, will remove a lot of mystery from the name lookup process and provide some practical detail that you may need in the future.
DNS information is, classically, kept in simple text files called zone files, each comprising different types of information called resource records (RRs). The most common RRs are:
The list below shows a sample zone file for the fictitious example.com domain, mapping host names to IP addresses. In this example, the domain hosts Web, FTP, e-mail, and name servers, and the ISP (ispexample.net) hosts the secondary DNS and backup mail server. The IP address in this example is actually a private IP address; it is used here for sample purposes only:
example.com. IN SOA dns.example.com. dnsowner.example.com.
(19991005 ; serial # (date format)
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
86400) ; TTL (1 day)
example.com. IN NS dns.example.com.
IN NS ns1.ispexample.net.
example.com. IN MX 20 mail.example.com.
IN MX 40 mail.ispexample.com.
dns.example.com. IN A 192.168.210.2
mail.example.com. IN A 192.168.210.4
www.example.com. IN A 192.168.210.5
ftp.example.com. IN CNAME www.example.com.
|
So what do all of these records indicate?
The SOA record includes the name of the primary DNS server for this domain and the e-mail address associated with this domain's naming administrator; note that the e-mail address of the DNS administrator is listed with a "." in lieu of the "@" because the at-sign has special meaning in DNS files. This resource record also contains five other parameters: a serial number indicating the version of this information (this is how a secondary server knows that there is new information to download), a refresh value that tells the secondary name server(s) how often to check for updated information, a retry value that tells the secondary server(s) how often to reattempt connections to the primary, an expire value that tells the secondary server(s) when the information in their databases is so old as to be unreliable, and a time-to-live (TTL) value that tells a requester how long the information can safely be cached.
The NS records contain the name of the name servers for this domain; note that the first one listed is the primary because it is the one named in the SOA record.
The MX record contains the name of the e-mail server for this domain. The number before the address is the preference value and is most useful when the domain has two or more e-mail servers. When a remote user sends mail to user@example.com, the remote mail system looks up the MX record for the example.com domain. The remote mailer will then attempt to establish a Simple Mail Transfer Protocol (SMTP) connection with the mail server with the lowest preference value. In this way, an organization can specify multiple mail servers with the same preference level for load balancing and/or servers with different preference levels to provide a backup.
The A records contain the IP address to be associated with each of the listed host names that are in the example.com domain.
The CNAME record contains alias host names. In this example, the FTP and Web services are on the same server, but given two different names that map to the same IP address. There is a good reason to do this; namely, the FTP service, for example, may be moved to another system in the future and the scheme shown here ensures that external users never need to know.
There is another important zone file associated with each domain and that is the reverse lookup file, which maps an IP address to a host name. The zone file for the fictitious 192.168.210.0 address space (assuming that there is a single owner of this entire Class C address) might look like the following:
210.168.192.in-addr.arpa. IN SOA dns.example.com. dnsowner.example.com.
(19990930 ; serial # (date format)
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
86400) ; minimum TTL (1 day)
210.168.192.in-addr.arpa. IN NS dns.example.com.
IN NS ns1.ispexample.net.
2.210.168.192.in-addr.arpa. IN PTR dns.example.com.
4.210.168.192.in-addr.arpa. IN PTR mail.example.com.
5.210.168.192.in-addr.arpa. IN PTR www.example.com.
|
The only new resource records shown here are the PTR records, which associate an IP address with a host name.
DNS server software may be found by a variety of names depending on the operating system; Windows NT usually refers simply to DNS while UNIX will have named (name daemon) or BIND (Berkeley Internet Name Daemon); BIND is the most common. Although the different DNS software packages implement some things differently, it is useful to understand the RRs and file formats to see how the domain name information is laid out.
Products are available from Microsoft and a number of third-parties that allow you to provide a DNS service on a Windows NT Server. Some of the product below support dynamic DNS (DDNS), a capability to dynamically update the DNS entries in those environments where host IP addresses are assigned dynamically. All take advantage of NT's GUI interface:
Shadow IPmanager for Windows is the part of Network TeleSystems' remote management suite that manages DNS and dynamic DNS databases (http://www.networktelesystems.com/products/remotemgmt.html).
All DNS software, whether using the regular DNS text file format or a proprietary file format, use the same terminology to refer to DNS information. Furthermore, although individual sites may not be using Unix-based DNS software, you can bet that the major ISPs are and you will need the correct terminology when discussing the DNS with them.
Last but not least, DNS queries are carried in UDP datagrams on port 53. DNS zone transfers between primary and secondary name servers use TCP on port 53. If you run the primary DNS on your network and connect to an outside secondary DNS, be sure to configure your firewall so that zone transfers can only occur between the designated name servers.
Tools to Examine DNS and Domain InformationThe most basic tool with which to search a domain name or IP number database is whois. While whois is available on all Unix systems and some Windows systems, it is easiest to access the database via the Web. For example, NSI's Web interface to whois can be found at http://www.networksolutions.com/cgi-bin/whois/whois. The screen shot below shows a whois query for the winntmag.com domain; the response shows contact information for the domain, when this record was last updated, and the associated name servers (in preference order). You can use whois to lookup information based on domain names and contact names. This is also the best way to see if a particular domain name is already taken or not.
|
SCREEN 1: Web interface to Network Solutions' whois. |
There is also a very handy TCP/IP utility to examine the DNS database called nslookup. This program is a standard part of Windows NT (and Unix) systems, and there are versions of nslookup for Windows 9x as well. The nslookup utility can be used not only to examine the DNS, but is also a valuable test aid.
The listing below shows a sample nslookup session (bold entries indicate user input):
C:\>nslookup
Default Server: ns2.together.net
Address: 204.97.120.31
> help
Commands: (identifiers are shown in uppercase, [] means optional)
NAME - print info about the host/domain NAME using default server
NAME1 NAME2 - as above, but use NAME2 as server
help or ? - print info on common commands
set OPTION - set an option
all - print options, current server and host
[no]debug - print debugging information
[no]d2 - print exhaustive debugging information
[no]defname - append domain name to each query
[no]recurse - ask for recursive answer to query
[no]search - use domain search list
[no]vc - always use a virtual circuit
domain=NAME - set default domain name to NAME
srchlist=N1[/N2/.../N6] - set domain to N1 and search list to N1,N2, etc.
root=NAME - set root server to NAME
retry=X - set number of retries to X
timeout=X - set initial time-out interval to X seconds
querytype=X - set query type, e.g., A,ANY,CNAME,MX,NS,PTR,SOA
type=X - synonym for querytype
class=X - set query class to one of IN (Internet), CHAOS, HESIOD or ANY
server NAME - set default server to NAME, using current default server
lserver NAME - set default server to NAME, using initial server
finger [USER] - finger the optional NAME at the current default host
root - set current default server to the root
ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE)
-a - list canonical names and aliases
-d - list all records
-t TYPE - list records of the given type (e.g. A,CNAME,MX,NS,PTR etc.)
view FILE - sort an 'ls' output file and view it with pg
exit - exit the program
> www.winntmag.com
Server: ns2.together.net
Address: 204.97.120.31
Name: www.winntmag.com
Address: 204.56.55.202
> set type=MX
> winntmag.com
Server: ns2.together.net
Address: 204.97.120.31
winntmag.com MX preference = 30, mail exchanger = mail2.rockymtn.net
winntmag.com MX preference = 10, mail exchanger = mail.duke.com
winntmag.com MX preference = 20, mail exchanger = mail.rockymtn.net
winntmag.com nameserver = ns1.duke.com
winntmag.com nameserver = ns2.duke.com
mail2.rockymtn.net internet address = 166.93.8.2
mail.duke.com internet address = 204.56.55.3
mail.rockymtn.net internet address = 166.93.8.2
ns1.duke.com internet address = 204.56.55.1
ns2.duke.com internet address = 204.56.55.2
> set type=SOA
> winntmag.com
Server: ns2.together.net
Address: 204.97.120.31
winntmag.com
primary name server = ns1.duke.com
responsible mail addr = dnsadmin.duke.com
serial = 99021009
refresh = 3600 (1 hour)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
winntmag.com nameserver = ns1.duke.com
winntmag.com nameserver = ns2.duke.com
ns1.duke.com internet address = 204.56.55.1
ns2.duke.com internet address = 204.56.55.2
> exit
C:\>
|
The operations shown above are:
Sharp readers, by the way, will observe that the NS host information shown by nslookup (ns1.duke.com and ns2.duke.com) does not match that shown by the whois lookup (ns1.rockymtn.net and ns2.rockymtn.net). This is very unusual but merely indicates that the whois database has not been synchronized with the name server information advertised on the Internet. Given this discrepancy, the display from nslookup is more definitive than that displayed with whois.
ConclusionIn the not-too-recent past, Internet connections, IP addresses, and domain naming were the responsibility of the Unix system administrator. As Windows NT continues to represent a growing percentage of servers on the Internet, however, these issues are increasingly of importance to system administrators who traditionally concentrated on the LAN. The DNS is one of the most important aspects of a site's Internet connection; if not done correctly, your public hosts may be unreachable and your users may not be able to reach hosts on the rest of the Internet. If you really want to know the nitty-gritty behind the DNS, the industry-standard text is DNS and Bind, 3rd. ed. by P. Albitz, C. Liu, and M. Loukides (Ed.) from O'Reilly & Associates. For NT-specific information, see DNS on Windows NT by Albitz, M. Larson, and Liu (also O'Reilly & Associates).
SIDEBAR: Subnetting and variable length subnet masks
IP addresses are 32 bits in length and, historically, have been classified based upon the length of the network identifier (NET_ID) portion of the address. In particular, Class A, B, and C addresses have an 8-, 16-, and 24-bit NET_ID, respectively. For routing purposes, an IP device such as a host or router has to be able to separate the network portion of an address from the host identifier (HOST_ID) portion of the address. This task is accomplished with a subnet mask.
Subnet masks are usually specified as a string of 1s that indicate the number of bits of the address that form the NET_ID. Class A addresses, for example, have an implicit 8-bit subnet mask, denoted 255.0.0.0. Class B and Class C addresses use the subnet masks 255.255.0.0 and 255.255.255.0, respectively. Subnet masks can also be used to further segment the HOST_ID; some sites, for example, will use the HOST_ID portion of the address to create a subnetwork identifier and smaller host identifier.
Over the last several years, IP address exhaustion has become a problem on the Internet. Address exhaustion has not occurred merely because of all the new networks getting connected but because "classful" IP addresses are inefficiently assigned; a site requiring 500 addresses, for example, would historically have been allocated an entire Class B block of over 65,000 addresses.
To deal with this problem, the Internet address administrators have adopted variable-length subnet masks (VLSMs), allowing NET_IDs of most lengths between 8 and 30 bits (you typically won't see subnet masks with a length of 9, 15, 17, 23, or 25 bits, though, because they look like single-bit subnets which are not allowed; that is another story and a longer article!). With VLSMs, the network address space can be much more efficiently assigned and a great deal of flexibility is built into the system. Without going into considerably more detail, perhaps an example will suffice.
The Class A address 24.0.0.0 has been assigned to the U.S. Cable Networks, a consortium of U.S. cable TV companies. As a Class A address, it is often denoted 24.0.0.0/8 (the "/8" is a shorthand notation for the subnet mask 255.0.0.0).
The "24 block" address is shared by a number of cable TV company ISPs. For example, the NET_ID block 24.48.0.0 is assigned to Adelphia Cable Communications (their ISP service was formerly known as Hyperion). This is the equivalent of a Class B address, denoted 24.48.0.0/16.
Adelphia's ISP customers, in turn, are assigned IP addresses out of the 24.48.0.0 space and, using VLSM, are usually assigned something smaller than a Class C address space. For example:
Because sub-Class C addresses have become so common today, it is a good idea to understand how subnet masking works. Table 1 shows the possible subnet masks that can be used with a Class C address.
| Number of Bits in Mask | Subnet Mask | Number of Host Addresses | Notes... |
|---|---|---|---|
| 24 | 255.255.255.0 | 256 (254 usable) | Standard full Class C |
| 25 | 255.255.255.128 | -- | Single-bit subnet masks becoming common although not preferred |
| 26 | 255.255.255.192 | 64 (62 usable) | Common |
| 27 | 255.255.255.224 | 32 (30 usable) | Common |
| 28 | 255.255.255.240 | 16 (14 usable) | Becoming more common |
| 29 | 255.255.255.248 | 8 (6 usable) | Becoming common |
| 30 | 255.255.255.252 | 4 (2 usable) | Typically used on point-to-point link between ISP and customer |
| 31 | 255.255.255.254 | -- | Invalid; results in single-bit HOST_ID |
| 32 | 255.255.255.255 | -- | Invalid; no room for HOST_ID |
Assigning sub-Class C addresses preserves address space, but VLSMs have another important benefit in that they enable Classless Interdomain Routing (CIDR). CIDR was introduced several years ago in an attempt to reduce the size of Internet routing tables. In the current environment, customers are assigned an IP address from a block of addresses assigned to their ISP, rather than being assigned an IP address sequentially (as in the "old" days!). In the example above, consider that all packets being sent to Adelphia or any of Adelphia's customers can just be routed to the 24.48.0.0/16 network; those hundreds or thousands of networks can be referenced in a single line in a routing table. Once the packet gets to Adelphia, their routers have to know how to deliver it to the correct destination network, but that detail is transparent to the rest of the Internet.
About the Author: Gary C. Kessler is a senior network security analyst at SymQuest Group (www.symquest.com), a network integration consulting company in South Burlington, VT. His e-mail addresses is kumquat@sover.net.