Linux - DNS
DNS
basic
DNS
- a fundamental application layer protocol
- resolves domain names to IP addresses.
- Protocol:
- UDP 53 for queries
- TCP 53 for zone transfers
- steps
- a DNS server maintains a database of local FQDNs and their corresponding IP addresses.
- the user enters an FQDN into the web browser;
- the browser cannot immediately send a packet destined for www.ciscopress.com.
- the computer needs to take the FQDN and resolve it into the corresponding IP address
- (and insert that destination IP address in an IP packet.)
FQDN:
- fully-qualified domain name
- ICANN: accredits domain name registrars.
uniform resource locator (URL):
- a string that indicates both the address (weibo.com) and the method for accessing that address (https://).
- web address form: https:// + FQDN
- not only indicates the FQDN of your web address
- also specifies that you want to access this location using the HTTP protocol
DNS cache
- Linux doesn't have a DNS cache by default; NSCD (name service caching daemon) can provide one.
basic
DNS is made up of servers all over the world.
- Each server holds and manages the records for its own little corner of the globe, its namespace.
- Each of these records gives directions to or for a specific type of resource.
- Some records provide IP addresses for individual systems within your network, whereas others provide addresses for your e-mail servers.
- Some provide pointers to other DNS servers, which are designed to help people find what they’re looking for.
Domain names
- Domain names are arranged in a hierarchy
- read by examining a domain name from right to left.
- Big huge servers might handle a namespace as big as the top-level domain “.com”
- another server further down the line holds all the records for “mheducation.com.”
- each server only has to worry about the name records for its own portion of the namespace
- and to know how to contact the server “above” it in the chain for the top-level namespace the client is asking about.
- Lower-level domains can point upward to higher-level DNS servers to resolve non-local FQDNs
- example: www.example.com
- root domain: the top-level domain (TLD) com
- subdomains: example.com is a subdomain of com; www.example.com is a subdomain of example.com.
The entire system looks like an inverted tree, so a request for a particular resource can easily be routed correctly to the appropriate server.
- domain names form a rooted tree
- each node corresponds to a domain.
- the children of a node correspond to its subdomains.
- The root is the empty domain name and the children of the root are associated with top-level domains.
- Example
- the server for anyname.com in the third level holds and manages all the records for that namespace; anyone looking for a resource (such as their website) could ask that server for an address.
DNS variant
dynamic DNS (DDNS)
- A potential challenge when setting up DNS records: point to the IP address of a device, which might change its IP address.
- example
- cable modem or DSL modem in your home
- device might obtain its IP address from your service provider via DHCP Servers
- add the IP address of your cable modem or DSL modem to a DNS record (to allow users on the Internet to access one or more devices inside your network),
- But that record could be incorrect if your device obtains a new IP address from your service provider.
- To overcome such a challenge, turn to dynamic DNS (DDNS)
- A DDNS provider provides software that runs on a PC
- it monitors the IP address of the device referenced in the DNS record (cable modem or DSL modem)
- If the software detects a change in the monitored IP address, that change is reported to your service provider, which is also providing DNS service.
Extension Mechanisms for DNS (EDNS)
- another DNS variant is Extension Mechanisms for DNS (EDNS).
- The original specification for DNS had size limitations:
- prevented the addition of certain features (like security features)
- EDNS supports these additional features, while maintaining backwards compatibility with the original DNS implementation.
- EDNS sends optional pseudo-resource-records between devices supporting EDNS, rather than using new flags in the DNS header, which would negate backwards compatibility.
- These records support 16 new DNS flags.
- If a legacy DNS server were to receive one of these optional records, the record would simply be ignored.
- (backwards compatibility is maintained, while new features can be added for newer DNS servers)
DNS Packet Structure [53]
- Name lookups generally use UDP
- zone transfers use TCP.
- DNS queries and replies are transmitted in a single UDP packet; TCP is used as a substitute for requests or replies exceeding 512 bytes.
The only downside to this DNS system:
- the record types held within your DNS system can tell a hacker all about your network layout.
- Example
- which server in the network holds and manages all the DNS records?
- where the e-mail servers are?
- where all the public-facing websites actually reside?
- All this can be determined by examining the DNS record types.
The standard UDP packet for DNS:
- a header, a query part, and an answer part.
- The header:
- a 16-bit query/transaction identifier
- identifies the query and response.
- The query part:
- a sequence of “questions” (usually just one)
- each consisting of the domain name queried and the type of record requested.
- The query ID is selected by the client sending the query and is replicated in the response from the server.
- The answer part:
- a sequence of DNS records, each with the following fields:
- NAME field: variable length, contains a full domain name.
- TYPE field: 2 bytes, the type of DNS record.
DNS record types:
- A / host record:
- maps a host name to an IPv4 address
- the most commonly used record in a DNS server.
- A DNS client queries DNS with the name using a forward lookup request, and DNS responds with the IPv4 address from this record.
- AAAA:
- maps a host name to an IPv6 address
- similar to an A record except for IPv6.
- PTR / pointer record:
- maps an IP address to a host name.
- the opposite of an A record.
- used for reverse DNS lookups
- the DNS client queries the IP, and the DNS server responds with the name.
- PTR records are optional, so these reverse lookups do not always work.
- You don't need PTR records for every entry in your DNS namespace,
- but they are usually associated with e-mail server records.
- NS / name server records:
- provide information about name servers
- "I don't know the records for this domain, but you can ask that server"
- Define the name servers within your namespace
- Name servers are the ones that respond to requests for name resolution.
- used to delegate a subdomain to other DNS service providers.
- MX records (mail exchange/exchanger):
- record the mail server for this domain
- provide information about email resolution
- identify your e-mail server within your domain
- map a domain name to an e-mail (or message transfer agent) server.
- redirect mail to a mail server
- An MX record is linked to the A / AAAA record of a mail server.
- The MX record preference is used when more than one MX record is entered for any single domain name that is using more than one mail server. In this case the preference number indicates the order in which the mail servers should be used. This enables the use of primary and backup mail servers.
- The lower preference number is the higher priority.
- Two MX records with the same priority will share the workload (typically used in large ISP mail server installations).
- The server with the higher preference number will be contacted only if the servers with lower preference number are unavailable (this is typically used for backup mail servers).
- CNAME / Canonical Name records:
- map one domain name to another domain name
- Provide a domain name alias within your zone.
- An alias record that associates a domain name with another domain name.
- an alias of an existing record, thus allowing a single system to have multiple names associated with a single IP address.
- Example:
- a server named Server1 in the domain getcertifiedgetahead.com might have an alias of FileServer1 in the same domain.
- An FTP service and a web service running on the same IP address: CNAME records could be used to list both within DNS for you.
- TXT:
- used to record miscellaneous information
- A text record that contains human-readable information
- SRV / service record:
- Defines the hostname and port number of servers providing specific services, Like a Directory Services server.
- A server resource record that is used to identify a server that uses a service.
- SRV records are commonly used in directory management for Microsoft systems.
- CAA
- A Certification Authority Authorization (CAA) record
- allows a domain name holder to specify one or more certification authorities (CAs) authorized to issue certificates for that domain.
- SOA / start of authority record:
- provides authoritative information about a DNS zone
- includes info about the DNS zone and some of its settings.
- The SOA record provides loads of information: it identifies and contains the hostname of the primary server in the DNS namespace (zone), which is responsible for all DNS records within the namespace, and the basic properties of the domain.
- When the primary's SOA serial is higher than the secondary's, the secondary name server requests a zone transfer from the primary name server.
- the amount of time name servers should retain records in cache.
- Example: Rutgers.edu. SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400)
- the values in parentheses are: Serial number, Refresh time, Retry time, Expire time, TTL
- The record contains the following info (default values from Microsoft DNS server settings):
- Source host:
- Host name of the primary DNS server for the zone
- (there should be an associated NS record for this as well).
- Contact e-mail:
- E-mail address of the person responsible for the zone file.
- Serial number:
- Revision number of the zone file. This number increments each time the zone file changes and is used by a secondary server to know when to update its copy (if the primary's serial number is higher than that of the secondary, it's time to update!).
- Refresh time
- The amount of time a secondary DNS server will wait before asking for updates. The default value is 3,600 seconds (1 hour).
- Retry time
- The amount of time a secondary server will wait to retry if the zone transfer fails. The default value is 600 seconds.
- Expire time:
- The maximum amount of time a secondary server will spend trying to complete a zone transfer. The default value is 86,400 seconds (1 day).
- TTL:
- The minimum “time to live” for all records in the zone. If not updated by a zone transfer, the records will perish. The default value is 3,600 seconds (1 hour).
- Example
- the TTL (Time to Live) settings for DNS records.
- DNS clients use the TTL setting to determine how long to cache DNS results.
- TTL times are in seconds and lower times cause clients to renew the records more often.
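As an added example (my code, not taken from the notes' sources), the following Python helper parses the one-line SOA record shown above into its seven fields and applies the serial-number comparison a secondary uses to decide whether to request a zone transfer. The record text is the example from these notes; the comparison uses RFC 1982 serial arithmetic (32-bit, wrapping), which a plain integer comparison gets wrong once a serial wraps past 2^32-1.

```python
from dataclasses import dataclass


@dataclass
class SOA:
    """Fields of an SOA record, in the order they appear in a zone file."""
    owner: str
    mname: str      # source host: primary name server for the zone
    rname: str      # contact e-mail, with the first '.' standing in for '@'
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int    # the "TTL" value in the notes above


def parse_soa(line: str) -> SOA:
    """Parse a one-line SOA record such as the Rutgers.edu example in the notes.
    Parentheses are optional; fields may be separated by any whitespace."""
    tokens = line.replace("(", " ").replace(")", " ").split()
    i = tokens.index("SOA")
    owner = tokens[i - 1] if i > 0 else ""
    numbers = [int(t) for t in tokens[i + 3:i + 8]]
    if len(numbers) != 5:
        raise ValueError("SOA needs serial, refresh, retry, expire and minimum TTL")
    return SOA(owner, tokens[i + 1], tokens[i + 2], *numbers)


SERIAL_BITS = 32
HALF = 1 << (SERIAL_BITS - 1)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial-number arithmetic: is serial a newer than serial b?
    Works across a wrap of the 32-bit counter, unlike plain a > b."""
    a &= (1 << SERIAL_BITS) - 1
    b &= (1 << SERIAL_BITS) - 1
    return (b < a and a - b < HALF) or (b > a and b - a > HALF)


def needs_transfer(primary_serial: int, secondary_serial: int) -> bool:
    """A secondary requests a zone transfer only when the primary's serial is newer."""
    return serial_gt(primary_serial, secondary_serial)


def contact_email(soa: SOA) -> str:
    """Zone-file RNAME 'ipad.college.edu' denotes the mailbox ipad@college.edu."""
    local, _, domain = soa.rname.rstrip(".").partition(".")
    return f"{local}@{domain}"


if __name__ == "__main__":
    record = parse_soa("Rutgers.edu. SOA NS1.Rutgers.edu ipad.college.edu "
                       "(200302028 3600 3600 604800 2400)")
    print(record, contact_email(record))
    print(needs_transfer(record.serial, record.serial - 1))   # True: primary is newer
    print(needs_transfer(5, 4294967290))                      # True: serial has wrapped
```

The wrap case is the one worth remembering: after a serial reaches 4294967295 and continues at 0, a secondary that compares serials with ordinary integer comparison would never transfer again.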
- The 2-byte CLASS field: the broad category that the record applies to, such as IN for Internet domains.
- The 4-byte TTL field: how long a record will remain valid, in seconds.
- The 2-byte RDLENGTH field: the length of the data segment, in bytes.
- The variable-length RDATA segment: the actual record data.
- example: the RDATA segment of an A record is a 32-bit IP address.
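To make the packet layout above concrete (header with the 16-bit ID, the question, and each answer's NAME, TYPE, CLASS, TTL, RDLENGTH and RDATA), here is an added example in Python; it is my code, not from the notes or any DNS library. The sample response is constructed inline (IDs, names and the 192.0.2.1 address are made up), not captured traffic. The parser follows name-compression pointers and rejects two malformed cases a resolver has to handle: an RDLENGTH that runs past the end of the packet, and a compression pointer that loops back on itself.

```python
import struct
import ipaddress

# RR type codes for the record types covered in these notes
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
              16: "TXT", 28: "AAAA", 33: "SRV", 257: "CAA"}


def read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) domain NAME starting at offset.
    Returns (name, offset just past the name as it sits in the packet).
    Compression pointers (top two bits 11) are followed; a pointer cycle or a
    pointer past the end of the packet is rejected instead of looping forever."""
    labels, seen, jumped, end = [], set(), False, offset
    while True:
        if offset in seen or offset >= len(msg):
            raise ValueError("malformed name (pointer loop or truncation)")
        seen.add(offset)
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # 2-byte pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:                                # root label terminates the name
            if not jumped:
                end = offset
            return ".".join(labels) + ".", end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_message(msg: bytes) -> dict:
    """Parse the header, question section and answer records of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append({"name": name, "type": TYPE_NAMES.get(qtype, qtype), "class": qclass})
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlength]
        if len(rdata) != rdlength:                     # RDLENGTH must not run past the packet
            raise ValueError("RDLENGTH exceeds packet")
        if rtype == 1 and rdlength == 4:               # A: 32-bit IPv4 address
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlength == 16:           # AAAA: 128-bit IPv6 address
            value = str(ipaddress.IPv6Address(rdata))
        elif rtype in (2, 5, 12):                      # NS / CNAME / PTR: a (compressible) name
            value, _ = read_name(msg, off)
        else:
            value = rdata.hex()
        off += rdlength
        answers.append({"name": name, "type": TYPE_NAMES.get(rtype, rtype),
                        "class": rclass, "ttl": ttl, "rdata": value})
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "questions": questions, "answers": answers}


def is_malformed(msg: bytes) -> bool:
    """True when the parser rejects the message (loop, truncation, bad RDLENGTH)."""
    try:
        parse_message(msg)
        return False
    except (ValueError, struct.error):
        return True


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus the root label."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


# Constructed sample response (not captured traffic): ID 0x1A2B, flags QR|RD|RA,
# question "www.example.com. A", answer 1 = CNAME -> web.example.com (TTL 300),
# answer 2 = A 192.0.2.1 (TTL 60). NAME fields use compression pointers:
# 0xC00C -> question name at offset 12, 0xC010 -> "example.com" at offset 16,
# 0xC02D -> the CNAME target written at offset 45.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 2, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 6) + b"\x03web\xc0\x10"
    + b"\xc0\x2d" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
)

# Constructed malformed message: the question NAME is a pointer to itself.
LOOPING_MESSAGE = struct.pack("!HHHHHH", 1, 0, 1, 0, 0, 0) + b"\xc0\x0c" + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    print(parse_message(SAMPLE_RESPONSE))
```

The 16-bit ID is what a client matches against its outstanding query, and the compression pointers are why a parser must track which offsets it has already visited: a packet whose pointer chain never reaches a zero length byte would otherwise spin forever.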
SOA
- These records are maintained and managed by the authoritative server for your namespace (SOA)
- it shares them with your other DNS servers (name servers) so your clients can perform lookups and name resolutions.
- zone transfer: the process of replicating all these records.
- Considering the importance of the records kept here,
- be careful about which IP addresses are actually allowed to perform a zone transfer (it amounts to publishing a network map on your website)
- Because of this, most administrators restrict the ability to even ask for a zone transfer to a small list of name servers inside their network.
- Additionally, some admins don’t even configure DNS at all and simply use IP addresses for their critical hosts.
- DNS propagation time: time to let world wide NS know a new domain name.
- Load balancing: more ip for one domain name.
- Intranet name server (domain controller): IP addresses that cannot be seen from outside the intranet.
- Root domain: .ad, .root
- Internal servers may hold sensitive information.
NOTE
- for DNS, there are two real servers in play within your system.
- Name resolvers: simply answer requests.
- Authoritative servers: hold the records for a namespace, given from an administrative source, and answer accordingly.
IP address management
IP address management started with a little group, the Internet Assigned Numbers Authority (IANA), which finally gave way to the Internet Corporation for Assigned Names and Numbers (ICANN).
- ICANN manages IP address allocation and a host of other goodies.
- after organizations get their IP addresses (ranges), they simultaneously need to ensure the rest of the world can find them in DNS.
- This is done through one of any number of domain name registrars worldwide.
Along with those registrar businesses, five regional Internet registries (RIRs) provide overall management of the public IP address space:
- American Registry for Internet Numbers (ARIN) Canada, many Caribbean and North Atlantic islands, and the United States.
- Asia-Pacific Network Information Center (APNIC) Asia and the Pacific.
- Réseaux IP Européens (RIPE) NCC Europe, Middle East, and parts of Central Asia/Northern Africa. If you’re wondering, the name is in French.
- Latin America and Caribbean Network Information Center (LACNIC) Latin America and the Caribbean.
- African Network Information Center (AfriNIC) Africa.
Domain Name Registration
There are 2 primary types of top-level domains:
- Generic top-level domains: .com, .net, .edu, and .org
- Country-code top-level domains: .au (Australia), .de (Germany), .it (Italy), and .pt (Portugal), with use restricted to entities within a specific country
domain-name registrars: organizations that
- register and assign domain names
- are accredited by the Internet Corporation for Assigned Names and Numbers (ICANN), the same group responsible for allocating IP address space, or by a country-code top-level domain that has been granted authority to designate registrars.
- Web site owners can contact a domain-name registrar to reserve or register a domain name on their behalf.
- The registration process itself is pretty simple.
- simply involves providing some contact information.
- it can be a source of valuable information for an attacker.
- example,
- common system utilities such as whois can be used to retrieve the contact information of the owner of a particular domain, which might then be used to initiate a social engineering attack.
- To avoid disclosing personal details
- use anonymous domain registration services that do not publish contact information for their customers.
- Unfortunately, this use of anonymity can sometimes be abused.
- Because of the revenue potential of memorable domain names, cybersquatting / domain squatting has become commonplace.
- a person registers a domain name in anticipation of that domain being desirable or important to another organization,
- with the intent of selling the domain to that organization to gain significant profit.
- Some cybersquatters go so far as to post negative remarks or accusations about the target organization on this page to further encourage the target to purchase the domain in defense of its reputation.
- Such practices are now illegal under U.S. law, but it is often difficult to determine the line between malicious intent and coincidental luck in choosing marketable domain names.
Domain hierarchy
Due to the large number of Internet users, the Internet namespace is based on a hierarchical tree structure.
- Any host or router connected to the Internet has a unique domain name in the DNS hierarchy.
- A domain is a manageable division in the name space.
- Each domain has a label.
- Domain labels are separated with periods (.).
- Domains can be divided into subdomains and subdomains can be divided into lower-level subdomains.
- This creates top-level domains, primary domains, and subdomains.
The hierarchical nature of domain names is reflected in the way the Internet infrastructure supporting the DNS system works.
Name servers
- To resolve a domain name to its corresponding IP address,
- the DNS hierarchy is used to query a distributed system of DNS servers, the name servers.
- Every domain has at least 1 name server.
- a subdomain (exo.com) maps to the name server for that zone; www. (www.exo.com) names a host PC.
- DNS servers refer to other DNS servers by name, not by IP:
- sometimes they must bootstrap by providing an IP along with a name, called a glue record
Root name servers
- At the top of the name-server hierarchy
- responsible for top-level domains (TLD): .com, .it, .net, and .org
- If the local DNS server fails to resolve the requested domain name
- the local DNS server forwards the request to the root name server.
- The root name server returns the IP address of the TLD name server to the local DNS server.
TLD name servers
- managed by government and commercial organizations.
- example: the .com TLD is managed by VeriSign, a company incorporated in the U.S.; the .it TLD is managed by the Italian National Research Council, an Italian government organization.
- TLD name servers store records for the authoritative name servers of their respective subdomains.
- the root name servers store the root zone database of records, indicating the authoritative name server of each top-level domain.
- (This important database is maintained by ICANN.)
A TLD name server manages registered second-level domains, such as www.example.com.
- The .com TLD domain server returns the IP address of the authoritative DNS server where the second-level domain example.com is stored.
Authoritative name servers (ANSs)
- ANSs must be installed as NS records in the parent's zone.
- the authoritative name servers are also organized in a hierarchy (information about the root domain at the top).
- Address (A) record: IP address associated with a host name
- Mail exchange (MX) record: mail server of a domain
- Name server (NS) record: authoritative server for a domain
- An authoritative name server is the authority within a particular DNS zone and is responsible for maintaining the association between domain names and IP addresses within the zone.
- Alibaba Cloud DNS serves as an authoritative name server.
Local DNS resolver or local DNS server
- A local DNS server responds to a recursive request from the client and forwards the request to other DNS servers that may have the result until the resolution is complete.
- select a local DNS server
- from DNS servers assigned by ISPs
- or from public DNS servers such as Google Public DNS and 114DNS.
DNS resolution
The results of DNS queries are usually cached in the local DNS server.
- If the local DNS server finds requested results in its cache, the local DNS server returns the resolution results to the requester and the following steps are skipped.
- The following eight steps are required for DNS resolution if the local DNS server cannot find the requested results in its cache.
8 steps of DNS resolution
- The user enters example.com in a Web browser.
- The local DNS server starts the recursive query: it sends an iterative query to the root name server.
- The root name server returns the IP address of the .com TLD domain server to the local DNS server.
- The local DNS server sends the query to the .com TLD domain server.
- The .com TLD domain server returns the IP address of the example.com authoritative name server to the local DNS server.
- The local DNS server sends the query to the example.com authoritative name server.
- The example.com authoritative name server returns the requested IP address to the local DNS server.
- The local DNS server returns the requested IP address to the Web browser.
After the IP address associated with example.com is returned
- The browser sends an HTTP request to the IP address.
- The Web server at the IP address returns the Web page to be rendered in the browser.
Dynamic Resolution
- Many large providers have more than one authoritative name server for a domain
- Problem:
- to locate the instance of domain geographically closest to user
- Proposed solution:
- include first 3 octets of requester’s IP in recursive requests to allow better service
- Content distribution networks / CDN already do adaptive DNS routing
DNS Queries
- a client machine wishes to resolve a domain name www.example.com to an IP address
- it contacts a designated name server assigned to the machine.
- This designated name server can be
- a name server of the corporate network to which the client machine belongs,
- or a name server of the ISP / Internet service provider.
- The designated name server handles the resolution of the domain name and returns the result to the client machine, as follows.
- First, the designated name server issues a DNS query to a root name server.
- The root server responds with the address of the authoritative name server for the next level of the hierarchy,
- the name server responsible for the .com top-level domain name.
- On querying this next-level server, it responds with the address of the name server responsible for the next subdomain, example.com.
- Requests and responses continue until a name server responds with the IP address of the requested domain.
- This final name server is therefore the authoritative responder for the requested domain name, www.example.com.
recursive query
- a query, in which the DNS server that received your query will perform all the necessary operations to return an accurate query result.
- If the DNS server cannot find the requested result in its cache, the server forwards the request to other servers and returns the query result.
iterative query
- In an iterative query, the DNS server does not return the query result by itself but returns the IP address of another DNS server.
- You must send the DNS request to this DNS server.
- This process repeats until the query result is returned.
DNS Caching
- with billions of machines connected to the Internet, DNS places an incredible burden on high-level name servers (like the root name servers)
- There would be too much network traffic if a path in the DNS tree were traversed for each query
- The root zone would be rapidly overloaded.
- DNS queries are typically issued over UDP on port 53, with a 16-bit request identifier in the payload
- To overcome the massive amounts of traffic directed at root name servers (reduce DNS traffic, resolve domain names more efficiently):
DNS cache
- DNS servers cache results for a specified amount of time.
- Specified by the ANS reply's time-to-live field
- DNS cache: a table of recently received DNS records.
- Operating systems and browsers, as well as clients and lower-level DNS servers, maintain resolvers and DNS caches to resolve queries.
- Associated privacy issues (see below).
- Caching changes how DNS resolution works.
- Instead of directly querying each time a root name server,
- the designated name server first checks its cache, returns the requested IP if a record is found.
- If not, the designated name server queries the root name server and resolves the domain name as described above, caching the result as it is returned to the client.
- time-to-live (TTL): determines how long a DNS response record remains in a DNS cache.
- This value is specified in the DNS response.
- administrators can configure local settings that override the provided TTL values.
- Once a cached record has expired
- the query process resorts back to asking a higher-level name server for a response.
- Some operating systems maintain a local DNS cache on the machine.
- If a valid record is found, this record is used, no DNS queries are issued.
- The details of DNS caching depend on the chosen operating system and application.
- Windows features its own DNS cache,
- view it in Windows with the command ipconfig /displaydns
- many Linux distributions do not,
- opting to query predetermined name servers for each resolution instead.
- In general, web browsers are responsible for extracting domain name and passing it to the OS’s networking component (handles the sending of a corresponding DNS request).
- The reply will then be received by the OS and passed back to the browser.
- if the OS has its own DNS cache, it stores the DNS reply information in the cache before passing it back to the application.
- DNS caches maintained by OS have privacy implications for users.
- Even if the user deletes the browsing history and cookies, the DNS cache will preserve evidence of recently visited sites, which could be unveiled by forensic investigation.
- several cross-platform browsers, including Firefox, support their own DNS caches.
- Internet Explorer does not implement this feature because Windows has its own cache.
Delegation by name opens the possibility of infinite loops.
- Example:
- the .com name server replied that the authoritative name server for the example.com domain is ns1.example.com.
- DNS responses that delegate to other name servers identify these name servers by name, rather than by IP address
- so an additional DNS request is required to resolve the IP address of ns1.example.com.
- However, because the name server is both a subdomain of example.com and its authoritative name server, there is a circular dependency that cannot be resolved:
- to resolve example.com, ns1.example.com must be resolved first
- but in order to resolve ns1.example.com, example.com must first be resolved.
To break these loops
- responses include glue records that provide enough information to prevent these dependencies.
- example
- the .com name server would include a glue record resolving ns1.example.com to its IP address, giving the client enough information to continue.
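An added example (my code, not from the notes or any resolver implementation) that ties together the 8-step resolution, recursive versus iterative querying, TTL caching and the glue-record case above. It simulates a three-level hierarchy (root, .com, example.com) with constructed zone data; every server name and address is made up from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges. The resolver walks the hierarchy iteratively on a cache miss, caches the answer for its TTL, and is shown to fail with a delegation loop when the glue record is removed from the .com zone.

```python
import time

# Constructed toy hierarchy (assumption: servers, names and addresses are made up).
# Each zone maps (owner, type) -> (ttl, value).
ROOT_ZONE = {
    ("com.", "NS"): (172800, "a.gtld-servers.net."),
    ("a.gtld-servers.net.", "A"): (172800, "192.0.2.1"),      # glue for the .com server
}
COM_ZONE = {
    ("example.com.", "NS"): (172800, "ns1.example.com."),
    ("ns1.example.com.", "A"): (172800, "192.0.2.53"),         # glue: ns1 lives inside example.com
}
EXAMPLE_ZONE = {
    ("www.example.com.", "A"): (300, "192.0.2.80"),
}
SERVERS = {"198.51.100.1": ROOT_ZONE, "192.0.2.1": COM_ZONE, "192.0.2.53": EXAMPLE_ZONE}
ROOT_HINT = "198.51.100.1"

# Same hierarchy with the glue record dropped from .com: the referral to
# ns1.example.com can then only be followed by first resolving ns1.example.com.
COM_ZONE_NO_GLUE = {k: v for k, v in COM_ZONE.items() if k[1] != "A"}
SERVERS_NO_GLUE = {**SERVERS, "192.0.2.1": COM_ZONE_NO_GLUE}


def ask(zone: dict, qname: str, qtype: str) -> tuple:
    """One iterative query against one server: an answer, a referral to the
    closest enclosing delegation (with glue if the zone has it), or nxdomain."""
    if (qname, qtype) in zone:
        return ("answer",) + zone[(qname, qtype)]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if (parent, "NS") in zone:
            ns_name = zone[(parent, "NS")][1]
            glue = zone.get((ns_name, "A"))
            return ("referral", ns_name, glue[1] if glue else None)
    return ("nxdomain",)


class Resolver:
    """A recursive resolver that walks the hierarchy iteratively and caches answers by TTL."""

    def __init__(self, servers: dict, root_hint: str, clock=time.time):
        self.servers, self.root_hint, self.clock = servers, root_hint, clock
        self.cache = {}       # (name, type) -> (expires_at, value)
        self.queries = []     # (server_ip, qname) log, so the walk can be inspected

    def cached(self, qname: str, qtype: str):
        hit = self.cache.get((qname, qtype))
        if hit and hit[0] > self.clock():
            return hit[1]
        self.cache.pop((qname, qtype), None)          # expired: go back up the hierarchy
        return None

    def resolve(self, qname: str, qtype: str = "A", depth: int = 0) -> str:
        if depth > 8:                                 # a referral that needs itself: no glue, no exit
            raise RuntimeError(f"delegation loop while resolving {qname}")
        value = self.cached(qname, qtype)
        if value is not None:
            return value
        server = self.root_hint
        while True:
            self.queries.append((server, qname))
            reply = ask(self.servers[server], qname, qtype)
            if reply[0] == "answer":
                _, ttl, value = reply
                self.cache[(qname, qtype)] = (self.clock() + ttl, value)
                return value
            if reply[0] == "nxdomain":
                raise LookupError(qname)
            _, ns_name, glue = reply                  # the referral names the next server by name
            server = glue or self.resolve(ns_name, "A", depth + 1)


def demo_walk_and_cache() -> tuple:
    """Full walk, then a cache hit, then a re-walk after the 300 s TTL has elapsed."""
    now = [1000.0]
    r = Resolver(SERVERS, ROOT_HINT, clock=lambda: now[0])
    ip = r.resolve("www.example.com.")               # root -> .com -> example.com
    after_first = len(r.queries)                     # 3 queries
    r.resolve("www.example.com.")                    # answered from cache, no queries
    now[0] += 301                                    # the cached record has expired
    r.resolve("www.example.com.")                    # walks the hierarchy again
    return ip, after_first, len(r.queries)


def missing_glue_loops() -> bool:
    """Without glue the resolver cannot break the circular dependency."""
    try:
        Resolver(SERVERS_NO_GLUE, ROOT_HINT, clock=lambda: 0.0).resolve("www.example.com.")
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(demo_walk_and_cache())   # ('192.0.2.80', 3, 6)
    print(missing_glue_loops())    # True
```

The simulation caches only final answers; a production resolver also caches NS and glue records, which is what keeps the root and TLD servers out of most walks. The depth limit plays the role a real resolver's work limit plays: without it, a delegation whose name server sits inside the delegated zone and carries no glue recurses forever.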
Command-Line Tools
- Network Security II
- S+ 7th ch4. Identity and Access Management
experiment with DNS resolution with the help of several command-line tools.
- On Windows, nslookup can be used at a command prompt to issue DNS requests.
- On Linux, users may use either nslookup or dig.
Tracert
- Windows: tracert
- Linux: traceroute
- display the entire path to a given address.
- ping tells you if a given address is reachable
- tracert or traceroute tells you how to get there.
- Common tracert flags
- -h : Maximum hops. By default it is 30, but you can change it.
- -w : Time out.
- -6 : Force using IPv6.
- -4 : Force using IPv4.
arp (Address Resolution Protocol)
- maps IP addresses to MAC addresses.
- this one will only work with at least one flag,
- Common arp flags
- -d : Removes a listing from the arp cache. You won’t use this very often.
- -a : Displays all of the current arp entries for all interfaces. This is the most common flag.
- -g : Displays all of the current arp entries for all interfaces. Same as -a.
- -N : Lists arp cache for a specified interface.
ipconfig/ip/ifconfig
- ipconfig in Windows
- ifconfig in Linux
- one of the more basic network commands.
- Provide information about network interfaces.
- Common ipconfig flags
- /all : Show all information for all network interfaces.
- /release : Release any dynamically assigned IP addresses.
- /renew : Renew the dynamically assigned IP address.
nslookup/dig
- The nslookup command is a bit different than the other commands.
- It will start by verifying that the machine can connect to the DNS server.
- Then, however, it also opens a command prompt wherein you can enter DNS-related commands.
- From the prompt, you can attempt a zone transfer:
- run: nslookup.exe
- ls -d domain_name
- zone transfer: get the DNS server to send you all of its zone information.
- A properly configured DNS server will refuse.
- To verify whether or not your DNS server is secure.
Fuzzer
- used to determine whether an app remains vulnerable to SQL injection attacks.
Ali cloud DNS
- a secure, fast, stable, and scalable authoritative Domain Name System (DNS) service.
- helps enterprises and developers translate human-readable domain names into machine-readable IP addresses and routes user queries to corresponding websites or application servers.
Architecture
- Alibaba Cloud DNS is composed of the control layer and resolution data layer.
- Control layer: a visualized management platform for domain name resolution, allowing you to add, delete, modify, and query DNS records.
- Resolution data layer: synchronizes the resolution configurations at the control layer in real time to DNS servers deployed around the globe.
Benefits
Stable
- high stability, high availability
- 100% compliance with the service-level agreement (SLA).
Secure
- protect the domain names against DNS flood attacks with a maximum of 500 thousand DNS queries per second.
Fast
- leverages the global anycast network
- ensure that DNS servers respond to user queries based on geographical location.
- provides low-latency query performance and the capability for DNS record changes to take effect within seconds.
Global nodes
- Note: Zhangjiakou, Beijing, Shijiazhuang, Qingdao, Wuhan, Shanghai, Hangzhou, Shenzhen, Hong Kong (China), Tokyo, Singapore, Malaysia, US East, US West, Dubai, Australia, India, Germany, Indonesia, and London
Scalable
- provides scalable APIs and supports SDKs in Java, Python, PHP, .NET, and Go.
Features
DNS records
- supports the following types of DNS records: A, CNAME, MX, TXT, SRV, AAAA, NS, and CAA.
Intelligent DNS resolution
- performs intelligent DNS resolution based on the geographic locations of requesters.
Subdomain management
- provides DNS hosting and domain name resolution services for subdomains
- such as second-level domains and third-level domains.
Time to live (TTL)
- the period of time that a DNS record remains in the cache memory of a DNS server.
- Alibaba Cloud DNS allows you to modify the value of TTL.
- Valid values of TTL are 1 second, 60 seconds, and 600 seconds.
- If you set the TTL of a DNS record to 1 second, changes to the DNS record will require 1 second to take effect around the globe.
IPv6
- supports IPv4/IPv6 dual stack.
- If you use IPv6, when the local DNS server sends a DNS request to Alibaba Cloud DNS, Alibaba Cloud DNS returns both the IPv6 and IPv4 addresses to the local DNS server.
- The local DNS server returns the IPv6 address to the user side.
Weight setting
- supports weighted round-robin.
- You can set weights for IP addresses to balance DNS traffic.
- Alibaba Cloud DNS responds to queries based on pre-set weights.
Query volume
- provides you with the statistics of DNS queries for domain names and subdomain names.
- You can download DNS query reports.
DNS attack defense
- use the DNS attack defense feature provided by Alibaba Cloud DNS to defend against DNS flood attacks.
Secondary DNS
- can use Alibaba Cloud DNS as a secondary DNS server.
- Alibaba Cloud DNS automatically updates the changes to DNS records in your primary DNS server.
API
- provides scalable APIs and supports SDKs in Java, Python, PHP, .NET, and Go.
Global Traffic Manager
- a DNS-based service
- allows you to balance concurrent traffic across multiple nodes and access the nearest node where your application is running.
- health checks
- Based on health checks, Global Traffic Manager isolates faulty applications or switches them to healthy nodes for disaster recovery.
- Disaster recovery plan
- can create a disaster recovery plan in Global Traffic Manager to test disaster recovery capabilities and switch traffic when failures occur.
Testing tool
- provides a DNS testing tool to help you test whether DNS records are valid on local DNS servers, authoritative name servers, and public DNS servers.
Amazon Route 53
- a Tier 0 service
- it is designed and maintained with the highest level of availability in mind.
- a highly available and scalable cloud Domain Name System (DNS) web service.
- Route 53 is where to configure and manage web domain for website /application that host on AWS
- one of the AWS services with a 100% availability SLA.
- Primarily uses UDP 53 (TCP 53 is used for large or truncated responses). The DNS servers respond to queries on port 53.
- provides a worldwide distributed DNS service.
- Route 53 is located alongside all edge locations.
- Route 53 Resolver endpoints (see ROUTE 53 RESOLVER below) let on-premises resolvers query private hosted zones and let VPC resolvers forward queries to on-premises DNS.
- Without Resolver endpoints, private hosted zones are reachable only from the VPCs they are associated with.
- available and cost-effective way to route users to internet applications
- translating names into the IP addresses that computers use to connect to each other.
Feature: Route 53 can perform any combination of these functions
- offers Domain Name Registration
- purchase and manage domain names (like example.com)
- use the AWS Management Console or API to register new domain names.
- default quota of 20 registered domains per account, which can be increased by requesting a quota increase.
- When you register a domain with Route 53
- Route 53 will automatically configure DNS settings for the domains.
- it becomes the authoritative DNS server for that domain
- creates a public hosted zone.
- cannot automatically register EC2 instances with private hosted zones (would need to be scripted).
- authoritative DNS
- To make Route 53 the authoritative DNS for an existing domain without transferring the domain
- create a Route 53 public hosted zone and change the DNS Name Servers on the existing provider to the Route 53 Name Servers.
- Changes to Name Servers may not take effect for up to 48 hours due to the DNS record Time To Live (TTL) values.
- transfer domains
- can transfer domains into Route 53 only if the Top Level Domain (TLD) is supported.
- can transfer a domain from Route 53 to another registrar by unlocking it and obtaining the authorization code from Route 53.
- can transfer a domain to another AWS account; this does not migrate the hosted zone by default (optional).
- It is possible to have the domain registered in one AWS account and the hosted zone in another AWS account.
- DNS resolution.
- can be used to route Internet traffic for domains that registered by another domain registrar (any domain).
- effectively connects user requests to
- infrastructure running in AWS (EC2 instances, ELB load balancers, or S3 buckets…)
- infrastructure that is outside of AWS.
- Health checking of resources.
- verify Internet connected resources are reachable, available and functional.
- check the instance health by connecting to it.
- A health check can monitor an HTTP or HTTPS page every 30 seconds (standard interval) or every 10 seconds (fast interval).
- Health checks can be pointed at:
- A / multiple Endpoints.
- Status of other health checks.
- Status of a CloudWatch alarm.
- Private DNS
- lets you have authoritative DNS within the VPCs without exposing the DNS records
- (including the name of the resource and its IP address(es)) to the Internet.
- reliable:
- distribute loads across Regions
- it has redundant locations
- backed with 100% SLA
- fast
- utilizes worldwide anycast
- a network addressing and routing methodology in which a single destination address has multiple routing paths
- changes are quickly propagated
- Easy use:
- accessible via the AWS console or programmatic APIs.
- Domain name management
- Cost-effective:
- Inexpensive
- pay-as-you-go model.
- Integrated with AWS:
- ELB-Alias Queries
- set up latency-based routing
- customers will be directed to the fastest server based on latency.
- Flexible:
- use geolocation routing
- helpful for businesses where data has to stay in the country of origin.
- For example, a customer whose DNS query appears to come from Germany is answered with a German endpoint; geolocation is decided from the apparent origin of the query, so it is not a guarantee about the network path the traffic itself takes.
- Weighted round robin, WRR
- Self-aliasing
- fully compliant with IPv6.
- use Amazon Route 53 to configure DNS health checks so you that can route traffic to healthy endpoints or independently monitor the health of the application and its endpoints.
- Amazon Route 53 traffic flow helps you manage traffic globally through several routing types, which can be combined with DNS failover to enable various low-latency, fault-tolerant architectures.
- use Amazon Route 53 traffic flow’s simple visual editor to manage how the users are routed to the application’s endpoints—whether in a single AWS Region or distributed around the globe.
ROUTING POLICIES
- determine how Route 53 responds to queries.
The following summarizes the key function of each type of routing policy:
- Simple routing (round robin)
- a single record within a hosted zone that contains one or more values.
- for a single resource that performs a given function for the domain
- used for a single-resource environment, or to spread load across a few servers by listing several values in one record
- such as a web server that serves content for the example.com website
- Route 53 responds to DNS queries based only on the values in the resource record set
- like the IP address in an A record
- An A record is associated with one or more IP addresses.
- When queried, a simple routing policy record returns all the values in a randomized order.
- Uses round robin.
- Does not support health checks.
- Weighted round robin routing (WRR)
- Weighted routing policies are based on the weight of each record relative to the total weight of all weighted records with the same name and type.
- each record is returned with probability weight / (sum of all weights); packet size and packet count play no role.
- specify a weight per IP address (per record)
- create records that have the same name and type, give each a unique Set ID, and assign each record a relative weight.
- a numerical value that favours one IP over another.
- Weights can be any integer between 0 and 255.
- To stop sending traffic to a resource: change the weight of the record to 0; if every record has weight 0, Route 53 responds as if they all had equal weight.
- route traffic to multiple resources in proportions that you specify.
- assign weights to resource record sets to specify the desired frequency with which different responses are served.
- Example:
- A/B testing or canary releases of a new application version
- send a small portion of traffic to a server where you made a software change and verify that everything is working properly before shifting more traffic to it.
- have two record sets that are associated with one DNS name: one with weight 3 and one with weight 1.
- 75 percent of the time, Amazon Route 53 will return the record set with weight 3
- 25 percent of the time, Amazon Route 53 will return the record set with weight 1.
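The selection rule just described, as an added example that is not code from AWS or from the original page: a small Python model of how Route 53 picks among weighted records (weight divided by the sum of weights, with the all-zero case treated as equal weights), plus the ChangeBatch document you would hand to `aws route53 change-resource-record-sets --change-batch file://batch.json`. The record name, IP addresses and set identifiers are constructed.

```python
import json
import random
from fractions import Fraction

# Constructed sample: two weighted A records for the same name, weights 3 and 1
# (75% / 25%), mirroring the example above. Values are documentation IPs.
WEIGHTED_RECORDS = [
    {"SetIdentifier": "stable", "Weight": 3, "Value": "192.0.2.10"},
    {"SetIdentifier": "canary", "Weight": 1, "Value": "192.0.2.20"},
]


def selection_probabilities(records):
    """Return {SetIdentifier: probability} following the Route 53 rule:
    each record is answered with probability weight / sum(weights); when
    every weight is 0 Route 53 answers as if all weights were equal."""
    weights = [r["Weight"] for r in records]
    if any(not isinstance(w, int) or w < 0 or w > 255 for w in weights):
        raise ValueError("Route 53 weights must be integers between 0 and 255")
    total = sum(weights)
    if total == 0:
        return {r["SetIdentifier"]: Fraction(1, len(records)) for r in records}
    return {r["SetIdentifier"]: Fraction(r["Weight"], total) for r in records}


def pick_record(records, rng=random):
    """Simulate one DNS answer: choose a record according to its probability."""
    probs = selection_probabilities(records)
    weights = [float(probs[r["SetIdentifier"]]) for r in records]
    return rng.choices(records, weights=weights, k=1)[0]


def weighted_change_batch(name, records, ttl=60, record_type="A"):
    """Build the ChangeBatch document for change-resource-record-sets.
    The hosted zone ID is passed separately on the command line; each weighted
    record needs its own SetIdentifier and a Weight alongside the usual fields."""
    return {
        "Comment": f"weighted routing for {name}",
        "Changes": [
            {
                "Action": "UPSERT",
                "ResourceRecordSet": {
                    "Name": name,
                    "Type": record_type,
                    "SetIdentifier": r["SetIdentifier"],
                    "Weight": r["Weight"],
                    "TTL": ttl,
                    "ResourceRecords": [{"Value": r["Value"]}],
                },
            }
            for r in records
        ],
    }


if __name__ == "__main__":
    print({k: str(v) for k, v in selection_probabilities(WEIGHTED_RECORDS).items()})
    print(json.dumps(weighted_change_batch("www.example.com.", WEIGHTED_RECORDS), indent=2))
```

Keep the TTL short while a canary is running; a resolver that cached the canary answer keeps sending users there until the TTL expires, even after the weight is set to 0.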
- Latency routing (LBR)
- For every record that you created that uses latency-based routing, you specify the region.
- resources in multiple AWS Regions
- route traffic to the Region that provides the best latency.
- Fastest connection to the application.
- Provides the fastest experience based on actual performance measurements of the different AWS Regions where the app is running.
- Improves the application's performance for a global audience by routing customers to the AWS endpoint (for example, EC2 instances, Elastic IP addresses, or load balancers) in the Region with the lowest measured latency.
- create latency records for resources in multiple EC2 locations.
- Route 53 consults a latency database each time a request occurs to a given latency-based host in DNS from the resolver server.
- Geolocation routing
- choose the resources that serve the route traffic based on
- the location of the users.
- Or the origin of the DNS queries.
- Can be used to spread load across regions in a predictable way (each user location always goes to the same endpoint); it is not a way to balance load evenly.
- If you have multiple records for overlapping regions, Route 53 will route to the smallest geographic region.
- can create a default record for IP addresses that do not map to a geographic location.
- If a requestor’s IP can’t be placed to a geographic location or no record exists for that location, they will receive a defaulted version of a website (if a default record is placed).
- can localize the content:
- present different content to users in different geographic regions.
- present website in the language of the users.
- Caters to different users in different countries and different languages.
- Contains users within a particular geography and offers them a customized version of the workload based on their specific needs.
- Can also protect distribution rights.
- restrict the distribution of content to only the locations where have distribution rights.
- balancing the load across endpoints in a predictable, easy-to-manage way,
- so that each user location is consistently routed to the same endpoint.
- Most specific match wins: a state (US subdivision) record over a country record over a continent record over the default record.
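The most-specific-match rule above, as an added example that is not code from AWS or from this page: a Python resolver over constructed geolocation records (the GeoLocation dict shape mirrors the Route 53 API fields ContinentCode, CountryCode and SubdivisionCode, with CountryCode "*" for the default record). It also shows the two edge cases the text mentions: an unmappable client IP, and a location with no matching record and no default.

```python
# Constructed sample geolocation records for one name (not from AWS docs).
GEO_RECORDS = [
    {"SetIdentifier": "europe", "GeoLocation": {"ContinentCode": "EU"}, "Value": "198.51.100.10"},
    {"SetIdentifier": "germany", "GeoLocation": {"CountryCode": "DE"}, "Value": "198.51.100.20"},
    {"SetIdentifier": "california",
     "GeoLocation": {"CountryCode": "US", "SubdivisionCode": "CA"}, "Value": "198.51.100.30"},
    {"SetIdentifier": "default", "GeoLocation": {"CountryCode": "*"}, "Value": "198.51.100.99"},
]


def specificity(geo):
    """Rank a GeoLocation: subdivision (3) > country (2) > continent (1) > default (0)."""
    if geo.get("SubdivisionCode"):
        return 3
    if geo.get("CountryCode") and geo["CountryCode"] != "*":
        return 2
    if geo.get("ContinentCode"):
        return 1
    return 0


def matches(geo, client):
    """True if the record's GeoLocation covers the client's (possibly unknown) location."""
    level = specificity(geo)
    if level == 0:
        return True  # the default record matches everyone, including unmappable IPs
    if level == 3:
        return (client.get("CountryCode") == geo["CountryCode"]
                and client.get("SubdivisionCode") == geo["SubdivisionCode"])
    if level == 2:
        return client.get("CountryCode") == geo["CountryCode"]
    return client.get("ContinentCode") == geo["ContinentCode"]


def resolve_geolocation(records, client):
    """Pick the record Route 53 would answer with: the most specific match wins.
    client is a dict with any of ContinentCode / CountryCode / SubdivisionCode;
    an empty dict models an IP that cannot be mapped to a location.
    Returns None when nothing matches and there is no default record, which is
    the 'no answer' case the notes above describe."""
    candidates = [r for r in records if matches(r["GeoLocation"], client)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: specificity(r["GeoLocation"]))


if __name__ == "__main__":
    for client in ({"ContinentCode": "EU", "CountryCode": "DE"},
                   {"ContinentCode": "EU", "CountryCode": "FR"},
                   {"ContinentCode": "NA", "CountryCode": "US", "SubdivisionCode": "NY"},
                   {}):
        hit = resolve_geolocation(GEO_RECORDS, client)
        print(client, "->", hit["SetIdentifier"] if hit else None)
```

Always create the default record: without it, every query from an unmappable address (many corporate and VPN egress ranges) gets no answer at all rather than a fallback.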
- Geoproximity routing (requires Traffic Flow):
- route traffic based on the physical distance between users and the resources; only available through Route 53 Traffic Flow
- and, optionally, shift traffic from resources in one location to resources in another.
- can route more or less traffic to each resource by specifying a positive or negative bias.
- In AWS, When create a traffic flow policy, you can specify either an AWS Region, or the latitude and longitude for each endpoint
- Failover routing (DNS failover)
- Failover routing allows you to create 2 records with the same name.
- Use when you want to configure active-passive failover.
- Associated with a health check.
- track the health status of the resources and take action when an error occurs.
- Routes only when the resource is healthy.
- help detect an outage of the website and redirect the users to alternate locations where the application is operating properly.
- health-checking agents monitor each location or endpoint of the application to determine its availability.
- Creating health checks to monitor the health and performance of the web applications, web servers, and other resources.
- Each health check that you create can monitor one of the following
- the health of a specified resource, such as a web server;
- the status of other health checks;
- the status of an Amazon CloudWatch alarm.
- Can be used with ELB.
- You can take advantage of this feature to
- increase the availability of the customer-facing application.
- Configuring backup and failover scenarios for the own applications.
- Enabling highly available multi-Region architectures on AWS.
- configure backup and failover scenarios for the applications with Route 53
- The process of configuring these Route 53 settings is minimal
- improve health checks by combining multiple health checks into a calculated health check and by tuning the request interval and failure threshold.
- string matching: the health check looks for a particular string in the page body, within the first 5,120 bytes of content.
- could use string matching to confirm whether the DB instance is working by matching on a string that the page would contain only if it successfully connects to the DB.
- When the record is an Alias record, set Evaluate Target Health to "Yes" instead of attaching a separate health check, so Route 53 uses the health of the alias target (for example the ELB's registered instances).
- Failover to the static backup site would then be triggered in the following situations:
- the web server goes down,
- the DB instance goes down,
- if the web server hangs,
- or if the web server returns invalid content
- example of how DNS failover works in a typical architecture for a multi-tiered web app
- Route 53 passes traffic to an ELB load balancer, which then passes the traffic to a fleet of EC2 instances that use Auto Scaling.
- do the following tasks with Route 53 to ensure high availability
- create two records for www (Alias A records for the ELB and the S3 website) with a routing policy of Failover Routing.
- The first record is the "Primary", points to the ELB load balancer for the web application.
- The second record is the "Secondary", points to the static Amazon S3 website (for an S3 website alias the bucket name must match the record name).
- If something happened to the primary, traffic would automatically be redirected to the static website that's hosted in the S3 bucket.
- Failover to a secondary IP address works the same way with non-alias records.
- Use Route 53 health checks to make sure the primary is up.
- If the primary is up, all traffic defaults to the web application stack.
- Multivalue answer routing
- configure Amazon Route53 to return multiple values (like IP addresses for the web servers) in response to DNS queries.
- route traffic approximately randomly to multiple resources, like web servers:
- create one multivalue answer record for each resource
- associate an Amazon Route 53 health check with each record
- configure Route 53 to return multiple health-checkable IP addresses so can use DNS to improve availability and load balancing.
- Use when you want Route53 to respond to DNS queries with up to 8 healthy records that selected at random.
- can specify multiple values for almost any record,
- enables to check the health of each resource so that Route53 returns only values for healthy resources.
- not a substitute for a load balancer
- but the ability to return multiple health-checkable IP addresses is a way to use DNS to improve availability and load balancing.
- Example
- manage an HTTP web service with a dozen web servers that each have their own IP address.
- No one web server could handle all of the traffic,
- create a dozen multivalue answer records; Amazon Route 53 responds with up to eight healthy records in response to each DNS query.
- Amazon Route 53 gives different answers to different DNS resolvers.
- If a web server becomes unavailable after a resolver caches a response, client software can try another IP address in the response.
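The health-check, failover and multivalue behaviour described in the two sections above, as one added example that is not code from AWS or from this page. It models the 5,120-byte string-match limit, active-passive failover (primary while healthy, otherwise secondary) and multivalue answers of up to eight healthy records. The fallback when no record is healthy, answering as if all were healthy, is the general Route 53 rule for health-checked records. The server list, health check IDs and page bodies are constructed.

```python
import random

BODY_SEARCH_LIMIT = 5120  # Route 53 inspects only the first 5,120 bytes of the body


def http_health_check(status_code, body, search_string=None):
    """Model a Route 53 HTTP/HTTPS health check: healthy on a 2xx or 3xx status.
    With string matching, the search string must also appear within the first
    5,120 bytes of the body; anything past that limit is never inspected."""
    if not 200 <= status_code < 400:
        return False
    if search_string is None:
        return True
    return search_string.encode() in body[:BODY_SEARCH_LIMIT]


def healthy_subset(records, health):
    """Records whose health check passed; records without a health check count as
    healthy. If no record is healthy, Route 53 answers as if all were healthy."""
    healthy = [r for r in records if health.get(r.get("HealthCheckId"), True)]
    return healthy or list(records)


def failover_answer(primary, secondary, health):
    """Active-passive failover: the primary while it is healthy, else the secondary
    (and the primary again if neither is healthy, per the all-unhealthy rule)."""
    return healthy_subset([primary, secondary], health)[0]


def multivalue_answer(records, health, limit=8, rng=random):
    """Multivalue answer routing: up to 8 healthy records, chosen at random per query,
    so different resolvers get different subsets."""
    pool = healthy_subset(records, health)
    return rng.sample(pool, min(limit, len(pool)))


# Constructed sample: a dozen web servers, each with its own health check ID.
WEB_SERVERS = [
    {"SetIdentifier": f"web-{i}", "Value": f"203.0.113.{i}", "HealthCheckId": f"hc-{i}"}
    for i in range(1, 13)
]
# Constructed failover pair; the values are placeholders for the ELB and S3 targets.
PRIMARY = {"SetIdentifier": "primary", "Value": "elb-placeholder", "HealthCheckId": "hc-elb"}
SECONDARY = {"SetIdentifier": "secondary", "Value": "s3-website-placeholder", "HealthCheckId": None}


if __name__ == "__main__":
    # The DB marker sits past the 5,120-byte window, so the check fails and we fail over.
    page = b"<html>" + b"x" * BODY_SEARCH_LIMIT + b"db: connected</html>"
    health = {"hc-elb": http_health_check(200, page, "db: connected")}
    print("failover ->", failover_answer(PRIMARY, SECONDARY, health)["SetIdentifier"])
    health = {"hc-3": False, "hc-7": False}
    print("multivalue ->", [r["Value"] for r in multivalue_answer(WEB_SERVERS, health)])
```

Put the string you match on near the top of the health page; a status page that prints a long header before its "db: connected" marker will be reported unhealthy even when the database is fine.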
Multi-Region deployment.
- two deployments
- one in the us-west-2 Region on the west coast of the United States,
- one in the Asia Pacific Southeast Region.
- Both deployments serve https://amgogreen.com behind their own load balancer.
- Latency-based routing directs the user to the closest deployment of https://amgogreen.com.
- offers a better user experience.
- If the west coast site went down, all traffic would automatically be redirected to the Asia Pacific Southeast deployment (given health checks on the latency records).
Benefits include:
- Latency-based routing to the Region
- Load balancing (ELB) across Availability Zones within the Region
HOSTED ZONES
- a collection of records for a specified domain.
- analogous to a traditional DNS zone file; it represents a collection of records that can be managed together.
- control management access to a Route 53 hosted zone by using IAM.
- 2 types of zones:
- maintain both a private and a public hosted zone with the same domain name for split-view DNS with Route 53.
- Allows for a private (internal) version of a website while using the same domain name as the public website.
- Public host zone
- determines how traffic is routed on the Internet.
- The host (www) portion is not included in a public zone’s naming convention.
- Private hosted zone for VPC
- determines how traffic is routed within VPC (resources are not accessible outside the VPC)
- allows these VPCs to see a version of a website specified by the private zone’s A record.
- Route 53 automatically creates the Name Server (NS) and Start of Authority (SOA) records for the hosted zones.
- Amazon Route 53 creates a set of 4 unique name servers (a delegation set) within each hosted zone.
- You can create multiple hosted zones with the same name and different records.
- NS servers are specified by Fully Qualified Domain Name (FQDN)
- can get the IP addresses from the command line (e.g. dig or nslookup).
- For private hosted zones you can see a list of VPCs in each region and must select one.
- For private hosted zones you must set the following VPC settings to “true”:
- Enable DnsHostname.
- Enable DnsSupport.
- The VPC's DHCP options set must hand out the Amazon-provided DNS server (AmazonProvidedDNS, the default); a custom options set that points instances at other resolvers bypasses the private hosted zone.
- Endpoints can be IP addresses or domain names.
RECORDS
- Amazon Route 53 currently supports the following DNS record types:
- A (address record).
- AAAA (IPv6 address record).
- CNAME (canonical name record).
- CAA (certification authority authorization).
- MX (mail exchange record).
- NAPTR (name authority pointer record).
- NS (name server record).
- PTR (pointer record).
- SOA (start of authority record).
- SPF (sender policy framework; deprecated by RFC 7208, publish SPF policies in TXT records instead).
- SRV (service locator).
- TXT (text record).
- Alias (Amazon Route 53-specific virtual record).
- Alias records are used to map resource record sets in the hosted zone to ELB load balancers, CloudFront distributions, Elastic Beanstalk environments, or S3 buckets that are configured as websites.
- can use Alias records to map custom domain names (such as api.example.com) both to API Gateway custom regional APIs and edge-optimized APIs and to Amazon VPC interface endpoints.
- The Alias is pointed to the DNS name of the service.
- You cannot set the TTL for Alias records for ELB, S3, or Elastic Beanstalk environment (is service’s default).
- Alias records work like a CNAME record in that you can map one DNS name (e.g. example.com) to another ‘target’ DNS name (e.g. elb1234.elb.amazonaws.com).
- can be used for resolving apex / naked domain names (e.g. example.com rather than sub.example.com).
- CNAME record can’t be used for resolving apex / naked domain names.
- Generally use an Alias record where possible. Key differences between Alias and CNAME records:
- Alias records can be created at the zone apex; CNAME records cannot.
- Alias records use the target's TTL; CNAME records carry their own TTL.
- Alias queries to AWS resources (ELB, CloudFront, Elastic Beanstalk, S3 websites) are free; CNAME queries are billed.
- Alias records can use Evaluate Target Health; CNAME records need a separate health check.
- Route 53 supports wildcard entries for all record types, except NS records.
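The record rules collected above (no CNAME at the apex, alias instead of CNAME for AWS targets, no TTL on alias records, no wildcard NS), as an added pre-flight check that is not code from AWS or from this page. It validates a ResourceRecordSet dict in the shape the Route 53 API expects before you submit a change batch. The zone name and the alias hosted zone ID are constructed placeholders; in practice the alias HostedZoneId is the target service's zone ID, not your own.

```python
ZONE_NAME = "example.com."  # constructed hosted zone name (FQDN with trailing dot)


def alias_record(name, dns_name, alias_hosted_zone_id, record_type="A", evaluate_target_health=True):
    """Build a Route 53 alias ResourceRecordSet: AliasTarget replaces TTL and ResourceRecords."""
    return {
        "Name": name,
        "Type": record_type,
        "AliasTarget": {
            "HostedZoneId": alias_hosted_zone_id,  # zone ID of the target (ELB, CloudFront, S3 ...)
            "DNSName": dns_name,
            "EvaluateTargetHealth": evaluate_target_health,
        },
    }


def validate_record_set(rrset, zone_name):
    """Return a list of problems with a ResourceRecordSet; an empty list means it is safe
    to include in a change batch for the given hosted zone."""
    problems = []
    name, rtype = rrset["Name"], rrset["Type"]
    is_alias = "AliasTarget" in rrset

    if not name.endswith("."):
        problems.append("record name should be fully qualified (trailing dot)")
    if not (name == zone_name or name.endswith("." + zone_name)):
        problems.append(f"{name} is outside hosted zone {zone_name}")
    if rtype == "CNAME" and name == zone_name:
        problems.append("CNAME is not allowed at the zone apex; use an alias record")
    if rtype == "NS" and name.startswith("*."):
        problems.append("wildcard NS records are not supported")

    if is_alias:
        if "TTL" in rrset or "ResourceRecords" in rrset:
            problems.append("alias records take no TTL or ResourceRecords; the target's TTL is used")
        if not rrset["AliasTarget"].get("HostedZoneId"):
            problems.append("alias records need the target's HostedZoneId")
    elif "TTL" not in rrset or not rrset.get("ResourceRecords"):
        problems.append("non-alias records need a TTL and at least one value")
    return problems


if __name__ == "__main__":
    apex_cname = {"Name": ZONE_NAME, "Type": "CNAME", "TTL": 300,
                  "ResourceRecords": [{"Value": "elb1234.elb.amazonaws.com."}]}
    print(validate_record_set(apex_cname, ZONE_NAME))
    # "Z0EXAMPLE" stands in for the ELB's hosted zone ID (constructed placeholder)
    print(validate_record_set(alias_record(ZONE_NAME, "elb1234.elb.amazonaws.com.", "Z0EXAMPLE"), ZONE_NAME))
```

Run the check over every record in a change batch before calling the API; the API rejects the whole batch when any one record is invalid, so catching the apex CNAME locally saves a round trip.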
TRAFFIC FLOW
- Route 53 Traffic Flow provides Global Traffic Management (GTM) services.
- Traffic flow policies allow to
- create routing configurations for resources using routing types such as failover and geolocation.
- Create policies that route traffic based on specific constraints, including latency, endpoint health, load, geo-proximity and geography.
- includes a versioning feature that allows to maintain history of changes of routing policies, easy roll back to previous policy version using the console or API.
- Scenarios include:
- Add a simple backup page in Amazon S3 for a website.
- Building sophisticated routing policies that consider an end user’s geographic location, proximity to an AWS region, and the health of each of the endpoints.
ROUTE 53 RESOLVER
- a set of features that enable bi-directional DNS querying between on-premises networks and AWS over private connections.
- for enabling DNS resolution for hybrid clouds.
- Inbound query capability is provided by Route 53 Resolver Endpoints,
- allowing DNS queries that originate on-premises to resolve AWS hosted domains.
- Connectivity needs to be established between the on-premises DNS infrastructure and AWS through a Direct Connect (DX) or a Virtual Private Network (VPN).
- Endpoints are configured by assigning an IP address (an ENI) in each subnet in which you want a resolver interface.
- Conditional forwarding rules:
- Outbound DNS queries are enabled through the use of Conditional Forwarding Rules.
- Domains hosted within the on-premises DNS infrastructure can be configured as forwarding rules in Route 53 Resolver.
- Rules will trigger when a query is made to one of those domains
- and will attempt to forward DNS requests to the DNS servers configured along with the rules.
- Like the inbound queries, this requires a private connection over DX or VPN.
CHARGES
- You pay per hosted zone per month (no partial months).
- A hosted zone deleted within 12 hours of creation is not charged (queries are still charged).
- Additional charges for:
- Queries.
- Traffic Flow.
- Health Checks.
- charged with different prices for AWS vs non-AWS endpoints.
- Route 53 Resolver ENIs + queries.
- Domain names.
- Alias records are free of charge when the records are mapped to one of the following:
- Elastic Load Balancers.
- Amazon CloudFront distributions.
- AWS Elastic Beanstalk environments.
- Amazon S3 buckets that are configured as website endpoints.
- You do not pay for the records that you add to the hosted zones.
- Latency-based routing queries are more expensive.
- Geo DNS and geo-proximity also have higher prices.