5. Domain Name System

The Domain Name System is a distributed, hierarchical directory service.

Its official root is formed by the authoritative name servers that are responsible for the DNS root zone. These are generally known as root servers.

"hosts" file

Before a client asks a network service to resolve a name, it consults a local table, the "hosts" file. This file exists on all popular operating systems. Its content can be displayed as follows:

Debian GNU/Linux

$ cat /etc/hosts
127.0.0.1    localhost
127.0.1.1    debian.localdomain debian

# The following lines are desirable for IPv6 capable hosts
::1          localhost ip6-localhost ip6-loopback
ff02::1      ip6-allnodes
ff02::2      ip6-allrouters

Apple Macintosh OS X

$ cat /etc/hosts
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost

Microsoft Windows

PS C:\Users\user> type C:\Windows\System32\drivers\etc\hosts
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97    rhino.acme.com          # source server
#       38.25.63.10    x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#         127.0.0.1    localhost
#               ::1    localhost
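A small parser for the hosts-file format shown in the three listings above, as an added example that is not part of the original page. It lists the names that the file maps to a non-loopback address, that is, names for which DNS is never asked; the 203.0.113.10 line in the sample is constructed.

```python
import ipaddress

# Constructed sample: the Debian file shown above, one commented line from the
# Windows file, and one added override line (203.0.113.10 is a documentation address).
SAMPLE_HOSTS = """\
127.0.0.1    localhost
127.0.1.1    debian.localdomain debian

# The following lines are desirable for IPv6 capable hosts
::1          localhost ip6-localhost ip6-loopback
ff02::1      ip6-allnodes
ff02::2      ip6-allrouters
203.0.113.10 webmail.123-reg.co.uk   # constructed override
#      102.54.94.97    rhino.acme.com          # source server
"""

def parse_hosts(text):
    """Return (address, [names]) for every active line of a hosts file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first column is not an address
        if len(fields) > 1:
            entries.append((addr, [name.lower() for name in fields[1:]]))
    return entries

def overrides(entries):
    """Names answered locally with a non-loopback address (DNS is bypassed)."""
    broadcast = ipaddress.ip_address("255.255.255.255")   # macOS "broadcasthost"
    found = {}
    for addr, names in entries:
        if addr.is_loopback or addr.is_multicast or addr.is_unspecified or addr == broadcast:
            continue
        for name in names:
            found[name] = str(addr)
    return found

if __name__ == "__main__":
    for name, addr in overrides(parse_hosts(SAMPLE_HOSTS)).items():
        print(f"{name} is pinned to {addr} by the hosts file")
```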

DNS Cache

In the second step, if a local DNS cache is available on the client (this depends on the operating system and its version), the client consults that cache before it asks a network service. Where a local DNS cache is in place, the time for which successful queries are stored unfortunately varies.

Linux

In Linux Mint 18 "Sarah", DNS queries are directed to localhost (127.0.1.1) by default:

$ grep -F "nameserver" /etc/resolv.conf
nameserver 127.0.1.1

A service called "dnsmasq" will answer such DNS queries:

$ sudo ss -natup | grep -F "127.0.1.1:53"
udp UNCONN 0 0 127.0.1.1:53 *:* users:(("dnsmasq",pid=1036,fd=4))
tcp LISTEN 0 5 127.0.1.1:53 *:* users:(("dnsmasq",pid=1036,fd=5))

The NetworkManager service configures the network by default.
This means that the standard dnsmasq configuration files (e.g. /etc/dnsmasq.conf) are missing.
NetworkManager uses a plugin (nm-dns-dnsmasq) to start dnsmasq and set its configuration.
The Linux Mint project has customised how the plugin starts dnsmasq:

$ ps ax | grep -F "dnsmasq" | grep -v -F "grep"
1036 ? S 0:00 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.1.1 --cache-size=0 --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d

This means that the cache is disabled ("--cache-size=0").

Logging of DNS queries ("--log-queries") is not enabled either, neither here nor in any file in the configuration directory provided ("/etc/NetworkManager/dnsmasq.d").

Consequently, DNS queries and the answers to them are unfortunately not recorded.

Apple Macintosh OS X

$ sudo killall -INFO mDNSResponder
$ sudo sed -n -e '/mDNSResponder.*BEGIN STATE LOG/,/mDNSResponder.*END STATE LOG/p' /var/log/system.log
Oct 15 14:26:28 mbpwire.dvg.lan mDNSResponder[91]: ---- BEGIN STATE LOG ---- mDNSResponder mDNSResponder-576.30.4 (Jul 22 2015 00:26:56) OSXVers 14
Oct 15 14:26:28 mbpwire.dvg.lan mDNSResponder[91]: Timenow 0xE30DA78F (-485644401)
Oct 15 14:26:28 mbpwire.dvg.lan mDNSResponder[91]: ------------ Cache -------------
Oct 15 14:26:28 mbpwire.dvg.lan mDNSResponder[91]: Slt Q TTL if U Type rdlen
Oct 15 14:26:28 mbpwire.dvg.lan mDNSResponder[91]: 0 20 -U- Addr 4 e5153.a.akamaiedge.net. Addr 2.16.207.69
Oct 15 14:26:28 mbpwire.dvg.lan mDNSResponder[91]: 5 328 -U- CNAME 37 gspe35-ssl.ls-apple.com.akadns.net. CNAME gspe35-ssl.ls.apple.com.edgekey.net.
Oct 15 14:26:28 mbpwire.dvg.lan mDNSResponder[91]: 8 329 -U- CNAME 22 clients1.google.com. CNAME clients.l.google.com.
Oct 15 14:26:28 mbpwire.dvg.lan mDNSResponder[91]: 9 30720 -U- CNAME 37 1-courier.push.apple.com. CNAME 1.courier-push-apple.com.akadns.net.
Oct 15 14:26:28 mbpwire.dvg.lan mDNSResponder[91]: 25 4459 en0 + PTR 47 _sftp-ssh._tcp.local. PTR PHK\032Neumanns\032MacBook\032Pro._sftp-ssh._tcp.local.
Oct 15 14:26:28 mbpwire.dvg.lan mDNSResponder[91]: 40 * 28 -U- - PTR 0 lb._dns-sd._udp.dvg.lan. PTR
Oct 15 14:26:28 mbpwire.dvg.lan mDNSResponder[91]: 44 1958 -U- CNAME 31 ocsp.apple.com. CNAME ocsp.pki-apple.com.akadns.net.
Oct 15 14:26:28 mbpwire.dvg.lan mDNSResponder[91]: 48 751301 -U- TXT 9 sandbox.push.apple.com. TXT count=10
Oct 15 14:26:28 mbpwire.dvg.lan mDNSResponder[91]: 48 28 -U- Addr 4 crl.pki-apple.com.akadns.net. Addr 17.151.28.6
Oct 15 14:26:28 mbpwire.dvg.lan mDNSResponder[91]: 51 4428 -U- CNAME 33 sd.symcb.com. CNAME crl.ws.symantec.com.edgekey.net.
Oct 15 14:26:28 mbpwire.dvg.lan mDNSResponder[91]: 53 28 -U- CNAME 38 1.courier-push-apple.com.akadns.net. CNAME mu-courier.push-apple.com.akadns.net.
Oct 15 14:26:28 mbpwire.dvg.lan mDNSResponder[91]: 56 3853 -U- - Addr 0 internalcheck.apple.com. Addr
Oct 15 14:26:28 mbpwire.dvg.lan mDNSResponder[91]: 56 3853 -U- SOA 67 apple.com. SOA gridmaster-ib.apple.com. hostmaster.apple.com. 2010093780 900 900 2016000 86500
Oct 15 14:26:28 mbpwire.dvg.lan mDNSResponder[91]: 58 330 -U- Addr 4 appleid.apple.com.akadns.net. Addr 17.151.2.13

[...]
[... Lots of lines with import/export removed...]
[...]

Oct 15 14:26:28 mbpwire.dvg.lan mDNSResponder[91]: ---- END STATE LOG ---- mDNSResponder mDNSResponder-576.30.4 (Jul 22 2015 00:26:56) OSXVers 14

Microsoft Windows

PS C:\Users\user> ipconfig /displaydns

Windows-IP-Konfiguration

[...]

www.msn.com
----------------------------------------
Eintragsname . . . . . : www.msn.com
Eintragstyp . . . . . : 5
Gültigkeitsdauer . . . : 41
Datenlänge . . . . . . : 8
Abschnitt. . . . . . . : Antwort
CNAME-Eintrag . . . . : www-msn-com.a-0003.a-msedge.net


bedrock-prod-zlb.vips.scl3.mozilla.com
----------------------------------------
Eintragsname . . . . . : bedrock-prod-zlb.vips.scl3.mozilla.com
Eintragstyp . . . . . : 1
Gültigkeitsdauer . . . : 25
Datenlänge . . . . . . : 4
Abschnitt. . . . . . . : Antwort
(Host-)A-Eintrag . . : 63.245.215.20


bedrock-prod-zlb.vips.scl3.mozilla.com
----------------------------------------
Eintragsname . . . . . : bedrock-prod-zlb.vips.scl3.mozilla.com
Eintragstyp . . . . . : 28
Gültigkeitsdauer . . . : 13
Datenlänge . . . . . . : 16
Abschnitt. . . . . . . : Antwort
AAAA-Eintrag . . . . : 2620:101:8016:5::2:20

[...]
[... Lots of lines with import/export removed...]
[...]

Normally, the client will next ask a DNS cache in its own network or in the ISP's network (which can also return manipulated answers).
However, we will assume in the following that the client contacts the root servers directly.

DNS of the Internet

The client asks one of the root servers for the IP address of an internet domain (e.g. "webmail.123-reg.co.uk").

However, since the root servers only know which name servers are responsible for resolving the ".uk" (and ".co.uk") TLDs, the root server will refer the client to the relevant name server (in our example, this is "ns.webfusion.co.uk").

This delegation is controlled by what is called an NS resource record.

Linux/BSD/Unix

$ dig NS 123-reg.co.uk

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> NS 123-reg.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27033
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;123-reg.co.uk.        IN    NS

;; ANSWER SECTION:
123-reg.co.uk.    216  IN    NS    ns.webfusion.co.uk.
123-reg.co.uk.    216  IN    NS    ns2.webfusion.co.uk.

;; Query time: 0 msec
;; SERVER: 10.1.1.11#53(10.1.1.11)
;; WHEN: Tue Aug 23 15:23:53 CEST 2016
;; MSG SIZE rcvd: 76

Microsoft Windows

PS C:\WINDOWS\system32> nslookup -q=NS 123-reg.co.uk
Server: fritz.box
Address: 192.168.178.1

Non-authoritative answer:
123-reg.co.uk   nameserver = ns2.webfusion.co.uk
123-reg.co.uk   nameserver = ns.webfusion.co.uk

The Nominet UK name servers themselves do not know the answer either.
They also refer the client to the name server responsible for the internet domain (e.g. "123-reg"); in our example, this is "ns.webfusion.co.uk".

If further name servers are responsible for additional subdomains, this continues until the last name server finally knows the answer.

Depending on the record the client requested (A for IPv4, AAAA for IPv6, CNAME for an alias or MX for the email server), the last name server will return the requested answer.

Linux/BSD/Unix

$ dig MX 123-reg.co.uk

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> MX 123-reg.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1582
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;123-reg.co.uk.        IN    MX

;; ANSWER SECTION:
123-reg.co.uk.    216  IN    MX    5    edge01.webfusion.com.
123-reg.co.uk.    216  IN    MX    5    edge02.webfusion.com.

;; Query time: 0 msec
;; SERVER: 10.1.1.11#53(10.1.1.11)
;; WHEN: Tue Aug 23 15:23:53 CEST 2016
;; MSG SIZE rcvd: 90

Microsoft Windows

PS C:\WINDOWS\system32> nslookup -q=MX 123-reg.co.uk
Server:  fritz.box
Address:  192.168.178.1

Non-authoritative answer:
123-reg.co.uk   MX preference = 5, mail exchanger = edge01.webfusion.com
123-reg.co.uk   MX preference = 5, mail exchanger = edge02.webfusion.com

The SOA Resource Record contains the following information in the order shown below:

  • the primary name server for the zone
  • the name server Administrator's email address (Note that any dot must be replaced by the @ symbol.)
  • serial number (recommended by RFC 1912: date of last modification with a suffixed two-digit counter)
  • [...]
  • the expire time (86400 seconds = 24 hours)

Linux/BSD/Unix

$ dig SOA 123-reg.co.uk

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> SOA 123-reg.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10357
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;123-reg.co.uk.        IN    SOA

;; ANSWER SECTION:
123-reg.co.uk.    300  IN    SOA    ns.webfusion.co.uk.    hostmaster.123-reg.co.uk.    2014020702    86400    3600    1209600    300

;; Query time: 25 msec
;; SERVER: 10.1.1.11#53(10.1.1.11)
;; WHEN: Tue Aug 23 15:23:53 CEST 2016
;; MSG SIZE rcvd: 91

Microsoft Windows

PS C:\WINDOWS\system32> nslookup -q=SOA 123-reg.co.uk
Server:  fritz.box
Address:  192.168.178.1

Non-authoritative answer:
123-reg.co.uk
        primary name server = ns.webfusion.co.uk
        responsible mail addr = hostmaster.123-reg.co.uk
        serial  = 2014020702
        refresh = 86400 (1 day)
        retry   = 3600 (1 hour)
        expire  = 1209600 (14 days)
        default TTL = 300 (5 mins)
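The SOA fields from the dig answer above, decoded in order, as an added example that is not part of the original page. It assumes the RFC 1035 mailbox encoding, in which the first unescaped dot of the responsible-person field stands for "@", and the RFC 1912 YYYYMMDDnn serial convention mentioned in the list above; the function names are this example's own.

```python
import re
from datetime import date

# Answer line copied from the dig output above.
SOA_LINE = ("123-reg.co.uk.    300  IN    SOA    ns.webfusion.co.uk.    "
            "hostmaster.123-reg.co.uk.    2014020702    86400    3600    1209600    300")

def rname_to_mailbox(rname):
    """Split at the first unescaped dot; an escaped dot (\\.) belongs to the local part."""
    local, domain = re.split(r"(?<!\\)\.", rname.rstrip("."), maxsplit=1)
    return local.replace("\\.", ".") + "@" + domain

def serial_to_date(serial):
    """Decode a YYYYMMDDnn serial; return None if the serial does not follow it."""
    text = str(serial)
    if len(text) != 10:
        return None
    try:
        return date(int(text[:4]), int(text[4:6]), int(text[6:8])), int(text[8:])
    except ValueError:                      # e.g. month 13: a plain counter, not a date
        return None

def parse_soa(line):
    owner, ttl, _rclass, rtype, mname, rname, *numbers = line.split()
    if rtype != "SOA" or len(numbers) != 5:
        raise ValueError("not an SOA answer line")
    serial, refresh, retry, expire, minimum = map(int, numbers)
    return {
        "zone": owner, "ttl": int(ttl),
        "primary": mname,
        "mailbox": rname_to_mailbox(rname),
        "serial": serial, "serial_date": serial_to_date(serial),
        "refresh": refresh, "retry": retry, "expire": expire,
        "minimum": minimum,                 # labelled "default TTL" by nslookup above
    }

if __name__ == "__main__":
    for field, value in parse_soa(SOA_LINE).items():
        print(f"{field:12} {value}")
```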

eToolz


In the case of CNAME or MX Identifier Records, the result of the query can be yet another internet domain.

In the past, a domain's "www" subdomain regularly referred to an HTTPD (web server). Today, however, "www" is increasingly often omitted from an internet domain.

In a Linux/BSD/Unix shell, the answer can be displayed as follows (provided that the root servers can be contacted directly or the resolver/cache permits such a query):

$ dig @193.0.14.129 +recurse +trace webmail.123-reg.co.uk

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @193.0.14.129 +recurse +trace webmail.123-reg.co.uk
; (1 server found)
;; global options: +cmd
.            518400    IN    NS    k.root-servers.net.
.            518400    IN    NS    h.root-servers.net.
.            518400    IN    NS    b.root-servers.net.
.            518400    IN    NS    a.root-servers.net.
.            518400    IN    NS    i.root-servers.net.
.            518400    IN    NS    e.root-servers.net.
.            518400    IN    NS    m.root-servers.net.
.            518400    IN    NS    j.root-servers.net.
.            518400    IN    NS    c.root-servers.net.
.            518400    IN    NS    g.root-servers.net.
.            518400    IN    NS    l.root-servers.net.
.            518400    IN    NS    d.root-servers.net.
.            518400    IN    NS    f.root-servers.net.
.            518400    IN    RRSIG NS 8 0 518400 20160902050000 20160823040000 46551 . C2NM1S7/NzZQDbx9H1tWLl1VotgaC0+YG0LtkW6Gfy5l91WCLoK7RZJf l2joYyU4KnB/4/jRJhV4tbfvB4+GA7ppc0V/v00KLipbCB+i39RFP5WV y9nlBgyXbqy8AqzJKnPHBePme3m4q36RESbBxl3fENeoPPUWtO4/iSbx gsg=
;; Received 913 bytes from 193.0.14.129#53(193.0.14.129) in 13 ms

uk.            172800    IN    NS    nsc.nic.uk.
uk.            172800    IN    NS    nsa.nic.uk.
uk.            172800    IN    NS    dns1.nic.uk.
uk.            172800    IN    NS    dns4.nic.uk.
uk.            172800    IN    NS    nsb.nic.uk.
uk.            172800    IN    NS    dns3.nic.uk.
uk.            172800    IN    NS    dns2.nic.uk.
uk.            172800    IN    NS    nsd.nic.uk.
uk.            86400     IN    DS    43876 8 2 A107ED2AC1BD14D924173BC7E827A1153582072394F9272BA37E2353 BC659603
uk.            86400     IN    RRSIG    DS 8 1 86400 20160902050000 20160823040000 46551 . Pdt3HfuUQRsGlm1KgU0oAw02XqHj8L5fQAdWXZJ4rz5redsJsXl1aK8G dDl53HCycGWIDCb4TeRSUueISenN8OcUX3P9oaDBTUUC2X04SyK68ynS Lfv4yNl2KPCm/1RixJH6A61z8RWRYJ0cA158PTUGZnHwZCIiM1u/dQw9 tRQ=
;; Received 677 bytes from 199.7.91.13#53(d.root-servers.net) in 6 ms

123-reg.co.uk.        172800    IN    NS    ns.webfusion.co.uk.
123-reg.co.uk.        172800    IN    NS    ns2.webfusion.co.uk.
G9F1KIIHM8M9VHJK7LRVETBQCEOGJIQP.co.uk.    10800 IN NSEC3 1 1 0 - G9HKV8PHGJ1NMH94L9RMIQM0J64UCIPK NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
G9F1KIIHM8M9VHJK7LRVETBQCEOGJIQP.co.uk.    10800 IN RRSIG NSEC3 8 3 10800 20160924101840 20160820095942 33621 co.uk. K25xNki0DnD84sx4OC4XDfw/LNAtOy+bfMgHNK2NvwpxE7/kHSKLjnNy sY96DoJARVN85XsgiHYaQ3EvdwRseuGmufrjNnYFC27Gp0hKcJkhr22L uGpnKSB6LeHdwAvNy2oGRYGszsUSe1ooIPEagzNKBRDm50yZJeDH4Ub5 P1M=
UIC4RRJOUQLB6R2KTN7BC1AJB1OTCOLA.co.uk.    10800 IN NSEC3 1 1 0 - UIDESR2P0GQF6RM5T1O6EQO52969A0A1 NS DS RRSIG
UIC4RRJOUQLB6R2KTN7BC1AJB1OTCOLA.co.uk.    10800 IN RRSIG NSEC3 8 3 10800 20160927100645 20160823095823 33621 co.uk. NQG/3lcsBbDKzdmyM9pZeVt5UQFk1/L19IWPRnta6LWtWktNWHrs8vpW MJBGu+MGs4Qkx4mzy79cwgDRGTEbl83MhatpI4BKDhS9A0F8/fXBT0bl aZk9zIOI84EOR255ad0Zr8Te853jQs+PVycyT8kL8M+VuFmY6VrLdenG /Zg=
;; Received 650 bytes from 103.49.80.1#53(dns2.nic.uk) in 24 ms

webmail.123-reg.co.uk.    300    IN    A    94.136.40.161
;; Received 66 bytes from 212.67.202.1#53(ns.webfusion.co.uk) in 23 ms
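The referral chain in the trace above, extracted hop by hop, as an added example that is not part of the original page. Beyond listing the hops, it checks that every answer came from a server named in the previous referral; the function names are this example's own, and the sample is a trimmed copy of the output above.

```python
import re

# Trimmed copy of the trace above: two NS records per referral, DNSSEC records
# (RRSIG, DS, NSEC3) and blank lines left out.
TRACE = """\
.                      518400 IN NS k.root-servers.net.
.                      518400 IN NS d.root-servers.net.
;; Received 913 bytes from 193.0.14.129#53(193.0.14.129) in 13 ms
uk.                    172800 IN NS nsa.nic.uk.
uk.                    172800 IN NS dns2.nic.uk.
;; Received 677 bytes from 199.7.91.13#53(d.root-servers.net) in 6 ms
123-reg.co.uk.         172800 IN NS ns.webfusion.co.uk.
123-reg.co.uk.         172800 IN NS ns2.webfusion.co.uk.
;; Received 650 bytes from 103.49.80.1#53(dns2.nic.uk) in 24 ms
webmail.123-reg.co.uk. 300    IN A  94.136.40.161
;; Received 66 bytes from 212.67.202.1#53(ns.webfusion.co.uk) in 23 ms
"""

RECEIVED = re.compile(r";; Received \d+ bytes from ([^#\s]+)#\d+\(([^)]+)\)")

def parse_trace(text):
    """Split dig +trace output into hops: the answering server and its records."""
    hops, records = [], []
    for line in text.splitlines():
        match = RECEIVED.match(line)
        if match:
            hops.append({"ip": match.group(1), "server": match.group(2), "records": records})
            records = []
        elif line.strip() and not line.startswith(";"):
            owner, _ttl, _class, rtype, rdata = line.split(None, 4)
            records.append((owner, rtype, rdata))
    return hops

def referral_chain(hops):
    """Per hop: (answering server, zone or name, record type, named by previous referral?)."""
    chain, offered = [], None
    for hop in hops:
        # The first server is the one given on the command line, so it is accepted as is.
        named = offered is None or hop["server"].rstrip(".").lower() in offered
        ns = [(o, d) for o, t, d in hop["records"] if t == "NS"]
        if ns:   # referral: remember which servers we were told to ask next
            offered = {d.rstrip(".").lower() for _, d in ns}
            chain.append((hop["server"], ns[0][0], "NS", named))
        else:    # final answer from the authoritative server
            owner, rtype, _ = hop["records"][-1]
            chain.append((hop["server"], owner, rtype, named))
    return chain

if __name__ == "__main__":
    for server, name, rtype, named in referral_chain(parse_trace(TRACE)):
        print(f"{server:20} {rtype:2} {name:24} named by previous referral: {named}")
```

This compares the text of the trace only; it does not validate the DNSSEC signatures that appear in the full output.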
