Domain Name System (DNS)
Chuan-Ming Liu
CSIE, NTUT
Spring ’04, TAIWAN
Contents
NAME SPACE
DOMAIN NAME SPACE
DISTRIBUTION OF NAME SPACE
DNS IN THE INTERNET
RESOLUTION
DNS MESSAGES
TYPES OF RECORDS
COMPRESSION
EXAMPLES
Domain Name System (DNS)
A system that maps a name to an address.
A host file was used when the Internet was small.
As the Internet grew, the host file became too large to store.
Two solutions for the huge amount of information in a host file:
  Store the entire host file on a single computer
  Divide the information into smaller parts and store each part on a different computer
Domain Name System
Provides the service of querying the IP address that corresponds to a domain name, or the domain name that corresponds to an IP address.
A distributed database system: the database is divided into several sub-databases, and each sub-database is maintained independently.
Uses a client-server architecture.
Uses a tree data structure.
Achieves consistency, efficiency, and stability through replication and caching.
The largest database system in the world.
Name Space
Each host on the Internet has a unique IP address for the TCP/IP protocol.
A unique name is assigned to each host, instead of numbers, for people to remember.
The name space maps each address to a unique name. It can be:
  Flat
  Hierarchical (this is what we use today)
Domain Name Space
A hierarchical name space.
Uses an inverted-tree structure where
  the root is at the top,
  the tree has 128 levels (0 to 127),
  each level defines a hierarchical level,
  each node has a label of at most 63 characters.
Figure: Domain Name Space
Label
The root label is a null string (empty string).
Children of a node have different labels.
Domain Name
Each node in the tree represents a domain name.
A full domain name is a sequence of labels separated by dots (.).
Domain names are read from the node up to the root.
The last label is the label of the root (null).
Figure: Domain names and labels
Representations of Domain Name
Fully Qualified Domain Name (FQDN)
  contains the full name of a host
  is terminated by a null string (the root)
  is also called an absolute domain name
  Example: csie.ntut.edu.tw.
Partially Qualified Domain Name (PQDN)
  is not terminated by a null string
  is used when the name to be resolved belongs to the same site
  the missing part (suffix) can be supplied by the resolver
Figure: FQDN and PQDN
Domain
A subtree of the domain name space.
A domain may itself be divided into domains (subdomains).
Figure: Domains
Distribution of Name Space
The domain name space has to be stored somewhere.
Using one computer to store the whole name space is
  inefficient: a heavy load on the server
  unreliable: any failure makes the data inaccessible
Hierarchy of Name Servers
Distribute the information among many computers instead of one.
Divide the space into many domains.
Each domain can be divided further into subdomains.
Each domain has a computer, the DNS server, to take care of it.
The hierarchy of servers is the same as that of names.
Figure: Hierarchy of name servers
Zone
What a server is responsible for, or has authority over, is called a zone.
If the domain is not divided into subdomains, the "domain" and the "zone" refer to the same thing for a DNS server. The server keeps a database called a zone file, holding all the information for every node under the domain.
In general, the domain and the zone may refer to different things.
Figure: Zones and Domains (delegation)
Delegation
A server divides part of its domain and delegates responsibility for it to lower-level servers.
The zone of a server is made of the information that is not delegated, plus references to the delegated information.
Root Server
A root server in DNS is a server whose domain covers the whole tree.
There are 13 replicated root servers in the world.
Primary and Secondary Servers
Two types of servers in DNS:
Primary (master) server: stores a file about the zone for which it is an authority.
Secondary (slave) server: transfers the complete information about the zone from another server and stores the file on its local disk.
The slave server neither creates nor updates the zone file; updating is done by the master.
Primary and Secondary Servers
A primary server loads all information from the disk file; the secondary server loads all information from the primary server.
When the secondary downloads information from the primary, it is called a zone transfer.
DNS in the Internet
The domain name space is divided into three different sections:
Generic domains: gov, net, org, edu, biz, …
Country domains: tw, jp, kr, uk, …
Inverse domain: maps an address to a name. The type of query for inverse mapping is called an inverse or pointer (PTR) query.
Figure: DNS in the Internet
Figure: Generic Domains
Figure 18-9: Country Domains
Figure: Inverse Domain
Resolution
A host that needs to map an address to a name or a name to an address calls a DNS client called a resolver.
The resolver sends the request to the closest DNS server.
If the server has the information, it returns it; otherwise it
  refers the resolver to other servers (iterative resolution), or
  asks other servers to provide the information (recursive resolution).
Figure: Recursive resolution
Figure: Iterative resolution
Caching
When a server asks another server for a mapping and receives the response, it caches this information in its memory before sending it to the client.
To inform the client that the response comes from the cache, the server marks the response as unauthoritative.
Caching speeds up resolution.
A TTL is used to delete old information.
DNS Messages
Two types of message share the same format:
  Query
  Response
Both messages have the same header format.
Figure: DNS messages
Figure: Query and Response Messages
Figure: Header format
Flags Fields
QR: Query/Response
OpCode: 0 standard, 1 inverse, 2 server status
AA: Authoritative
TC: Truncated
RD: Recursion Desired
RA: Recursion Available
rCode: Status of the error
Types of Records
Question Records (QR): used in the question section of the query and response messages.
Resource Records (RR): used in the answer, authoritative, and additional sections of the response message.
Figure: Question Record Format
Figure: Query Name Format (example: admin.atc.fhda.edu.)
Resource Record
Each domain name (node on the tree) is associated with a record called the resource record.
The server database consists of resource records.
Figure: Resource Record Format
Resource Data
Variable-length.
Contains the answer, authoritative, or additional information sections.
The format and contents of this field depend on the value of the type field and can be one of the following:
  Number
  Domain name
  Offset pointer
  Character string
Figure: Format of an Offset Pointer
Example 1
A resolver sends a query message to a local server to find the IP address for the host "chal.fhda.edu.".
Figure: Query Message
Figure: Response Message
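Example 1 carried through in code, covering the query name format, the question record, the resource record format and the offset pointer from the preceding slides. This is an added example, not the lecture's code: the query is built exactly as the slide describes, and `sample_response` is a constructed reply whose answer owner name is a compression pointer (0xC00C) back to the question name at offset 12; the address 192.0.2.10 and the TTL are made up. The name decoder only follows pointers that point backwards and gives up after 16 hops, so a message crafted to loop the parser is rejected rather than parsed forever, and a reply whose ID does not match the query is refused.

```python
import struct

A, IN = 1, 1
PTR_FLAG = 0xC0   # top two bits of a length byte set: the next 14 bits are an offset pointer


def _field(msg, pos, fmt):
    """Unpack fixed-size fields at pos, refusing to read past the end of the message."""
    size = struct.calcsize(fmt)
    if pos + size > len(msg):
        raise ValueError("message truncated")
    return struct.unpack(fmt, msg[pos:pos + size]), pos + size


def encode_name(name):
    """'chal.fhda.edu.' -> 4 c h a l 4 f h d a 3 e d u 0 (length-prefixed labels, root last)."""
    out = bytearray()
    if name.rstrip("."):
        for label in name.rstrip(".").split("."):
            if not 1 <= len(label) <= 63:
                raise ValueError(f"bad label {label!r}")
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def decode_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset just past it in the stream).

    A pointer must reference an earlier byte and at most 16 pointers are followed,
    so a crafted message cannot send the parser round in a loop."""
    labels, pos, end, hops = [], offset, None, 0
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & PTR_FLAG == PTR_FLAG:
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end is None:
                end = pos + 2          # the stream continues after the 2-byte pointer
            hops += 1
            if target >= pos or hops > 16:
                raise ValueError("invalid compression pointer")
            pos = target
            continue
        if length & PTR_FLAG:
            raise ValueError("reserved label type")
        pos += 1
        if length == 0:
            break
        if pos + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", pos if end is None else end


def build_query(ident, qname, qtype=A):
    """Header with RD set and one question record (QNAME, QTYPE, QCLASS)."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, IN)


def parse_response(msg, expected_id=None):
    """Parse header, question and answer sections; A-record rdata is rendered dotted-quad."""
    (ident, flags, qd, an, _ns, _ar), pos = _field(msg, 0, "!HHHHHH")
    if expected_id is not None and ident != expected_id:
        raise ValueError("response ID does not match the query")   # drop stray or forged replies
    questions, answers = [], []
    for _ in range(qd):
        name, pos = decode_name(msg, pos)
        (qtype, qclass), pos = _field(msg, pos, "!HH")
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, pos = decode_name(msg, pos)
        (rtype, rclass, ttl, rdlen), pos = _field(msg, pos, "!HHIH")
        if pos + rdlen > len(msg):
            raise ValueError("truncated rdata")
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata})
    return {"id": ident, "aa": bool(flags & 0x0400), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def sample_response(ident=0x1333):
    """Constructed reply to the Example 1 query: one A record whose owner name is the
    pointer 0xC00C back to the question name at offset 12; the address is made up."""
    header = struct.pack("!HHHHHH", ident, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = encode_name("chal.fhda.edu.") + struct.pack("!HH", A, IN)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A, IN, 12000, 4) + bytes([192, 0, 2, 10])
    return header + question + answer
```

Only the question and answer sections are parsed here; the authoritative and additional sections use the same resource record layout and would be read with the same loop.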
Example 2
An FTP server has received a packet from an FTP client with IP address 153.2.7.9. The FTP server wants to verify that the FTP client is an authorized client.
Figure: Inverse Query Message
Figure: Inverse Response Message
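The check in Example 2 (an inverse query for 153.2.7.9 and what to do with its answer) as an added Python example that is not part of the slides. It goes one step beyond the slide in two ways: it also builds ip6.arpa names for IPv6 addresses, and it shows why the PTR answer alone should not be trusted for authorization, since the reverse zone for the client's address is run by whoever holds that address block. The `PTR_RECORDS` and `A_RECORDS` tables are constructed stand-ins for the two lookups and the host names in them are made up.

```python
import ipaddress


def reverse_name(address):
    """Query name for a PTR lookup: octets reversed under in-addr.arpa for IPv4,
    nibbles reversed under ip6.arpa for IPv6 (ipaddress computes both)."""
    return ipaddress.ip_address(address).reverse_pointer + "."


# Constructed sample answers standing in for what the PTR and A queries would return.
PTR_RECORDS = {
    "9.7.2.153.in-addr.arpa.": "client.example.net.",
    "4.100.51.198.in-addr.arpa.": "client.example.net.",   # reverse zone claiming a name it does not own
}
A_RECORDS = {"client.example.net.": ["153.2.7.9"]}


def forward_confirmed(address, ptr_records=PTR_RECORDS, a_records=A_RECORDS):
    """Inverse query, then forward confirmation.

    Returns (name, confirmed): name is the PTR answer (None if there is none) and
    confirmed is True only if that name's own address records include the address
    we started from, so the owner of the name agrees with the reverse mapping."""
    name = ptr_records.get(reverse_name(address))
    if name is None:
        return None, False
    confirmed = str(ipaddress.ip_address(address)) in a_records.get(name.lower(), [])
    return name, confirmed
```

For the slide's scenario the FTP server would accept the client only when `confirmed` is True; a PTR answer whose forward lookup does not come back to 153.2.7.9 tells it nothing about who the client is.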
DNS can use the services of UDP or TCP, using the well-known port 53.
Complementary
The following slides are provided by TWNIC, http://www.twnic.org.tw/
Courtesy of TWNIC
Overall DNS architecture
The tree structure expresses domain names and host names as delegation relationships between an upper level and the level below it. Note: a DNS lookup proceeds from the top down.
Figure: the DNS tree. Root; top-level domains tw, cn, com, net, biz, arpa, …; under tw: com, net, gov, …; the twnic zones with the hosts www, whois, cdns and host1; under arpa: in-addr (IPv4 reverse lookup, shown with the 211.72 and 211.210 subtrees), ip6 (IPv6 reverse lookup) and e164.
Overall DNS architecture: domains
A domain is a namespace.
Everything under .com is called the com domain.
Everything under ripe.net is called the ripe.net domain; it is also part of the net domain.
ripe.net can then be said to be a zone (subdomain) of net.
Figure: the net domain and the com domain, with the ripe.net domain inside net; nodes net, com, ripe, www, edu, isi, tislabs, disi, ws1, ws2, ftp, sun, moon, google; the arrows mark delegation relationships.
Domain and Zone
Figure: edu, org and com; under edu: wisc, nwu, purdue. The edu domain versus the edu zone: the wisc.edu zone and the purdue.edu zone are handed down by delegation.
How it works: a query, illustrated
A client asks for www.twnic.net.tw. The server proceeds as follows:
  Does the name belong to the server's own domain? If so, answer.
  Is there cached data? If so, answer.
  If neither, ask the root ".".
The DNS data and host data obtained on the way are cached for use on later queries until they expire.
Figure: root -> .tw -> net.tw -> twnic.net.tw.
  Ask the root: where is tw? Reply: the address(es) of tw.
  Ask tw: where is net.tw? Reply: the address of net.tw.
  Ask net.tw: where is twnic.net.tw? Reply: the address of its DNS server.
  Ask twnic.net.tw: where exactly is www.twnic.net.tw? Reply: 210.17.9.228.
Return the result to the client.
DNS resolution process
Let us go through the steps of DNS resolution one at a time. The client pc001.abc.com.tw runs: ping www.twnic.net.tw.
DNS resolution process
The PC asks its configured DNS server, 168.95.1.1, for the IP of www.twnic.net.tw ("What is the IP of www.twnic.net.tw?").
DNS resolution process
168.95.1.1 asks root server M (m.root-servers.net) for the IP address of www.twnic.net.tw.
DNS resolution process
Root server M replies with where the .TW DNS servers are: "Here is the list of .TW DNS servers; ask one of them."
DNS resolution process
168.95.1.1 asks the .TW name server c.dns.tw for the IP address of www.twnic.net.tw.
DNS resolution process
c.dns.tw replies with where the net.tw DNS servers are: "Here is the list of NET.TW DNS servers; ask one of them."
DNS resolution process
168.95.1.1 asks the name server b.twnic.net.tw (from the list c.dns.tw returned) for the IP address of www.twnic.net.tw.
DNS resolution process
b.twnic.net.tw replies with where the twnic.net.tw DNS servers are: "Here is the list of .TWNIC.NET.TW DNS servers; ask one of them."
DNS resolution process
168.95.1.1 asks ns.twnic.net for the IP address of www.twnic.net.tw.
DNS resolution process
ns.twnic.net replies with the IP of www.twnic.net.tw: "The IP of www.twnic.net.tw is 111.222.123.221."
DNS resolution process
168.95.1.1 replies to pc001.abc.com.tw: the IP of www.twnic.net.tw is 111.222.123.221.
DNS resolution process (caching)
After the previous lookup, 168.95.1.1 knows the following records:
  the DNS servers of TW and their IPs
  the DNS servers of NET.TW and their IPs
  the DNS servers of TWNIC.NET.TW and their IPs
  the IP of WWW.TWNIC.NET.TW
Let us look at the next resolution: pc001.abc.com.tw runs ping ftp.twnic.net.tw.
DNS resolution process (caching)
The PC asks its configured DNS server 168.95.1.1 for the IP of ftp.twnic.net.tw.
DNS resolution process (caching)
168.95.1.1 already has the NS record for twnic.net.tw, so it goes straight to that server and asks for the IP of ftp.twnic.net.tw.
DNS resolution process (caching)
ns.twnic.net replies: the IP of ftp.twnic.net.tw is 128.41.241.155.
DNS resolution process (caching)
168.95.1.1 replies to pc001.abc.com.tw: the IP of ftp.twnic.net.tw is 128.41.241.155.
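The walk that 168.95.1.1 performs in the slides above, and the cache that lets the second lookup skip straight to ns.twnic.net, simulated in Python. This is an added example, not TWNIC's or the lecture's code. The server names and the two final addresses are taken from the slides; the referral data is constructed from them, and the addresses of the name servers themselves are made-up documentation-range values because the slides do not show them. Beyond the slides, the resolver refuses a referral that does not move it down the tree towards the queried name, which is the check that stops a misbehaving server from sending it in circles or speaking for a zone it does not hold.

```python
# Constructed model of the walkthrough: root hint plus what each authoritative
# server answers, either a referral (child zone -> NS set with glue) or an A record.
ROOT_HINTS = {"m.root-servers.net.": "198.51.100.13"}           # address made up
SERVERS = {
    "m.root-servers.net.": {"referrals": {"tw.": {"c.dns.tw.": "198.51.100.2"}}},
    "c.dns.tw.": {"referrals": {"net.tw.": {"b.twnic.net.tw.": "198.51.100.3"}}},
    "b.twnic.net.tw.": {"referrals": {"twnic.net.tw.": {"ns.twnic.net.": "198.51.100.4"}}},
    "ns.twnic.net.": {"answers": {"www.twnic.net.tw.": "111.222.123.221",
                                  "ftp.twnic.net.tw.": "128.41.241.155"}},
}


def in_zone(name, zone):
    """True if name lies at or below zone (the root zone contains everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def ask(server, qname):
    """Simulate one iterative query to an authoritative server."""
    data = SERVERS[server]
    if qname in data.get("answers", {}):
        return {"answer": data["answers"][qname]}
    for zone, nsset in data.get("referrals", {}).items():
        if in_zone(qname, zone):
            return {"referral": (zone, nsset)}
    return {"error": "name error"}


class IterativeResolver:
    """Behaves like 168.95.1.1 in the slides: follows referrals from the root and
    caches every NS set and answer it learns, so later lookups start lower down."""

    def __init__(self):
        self.ns_cache = {".": dict(ROOT_HINTS)}   # zone -> {ns name: address}
        self.answer_cache = {}
        self.trace = []                           # servers contacted by the last resolve()

    def closest_zone(self, qname):
        """Deepest zone of qname for which an NS set is cached."""
        labels = qname.rstrip(".").split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:]) + "."
            if zone in self.ns_cache:
                return zone
        return "."

    def resolve(self, qname):
        self.trace = []
        if qname in self.answer_cache:
            self.trace.append("cache")
            return self.answer_cache[qname]
        zone = self.closest_zone(qname)
        for _ in range(16):                                 # hop limit: no endless referral chase
            server = next(iter(self.ns_cache[zone]))        # slides: NS choice is random; take the first
            self.trace.append(server)
            reply = ask(server, qname)
            if "answer" in reply:
                self.answer_cache[qname] = reply["answer"]
                return reply["answer"]
            if "referral" not in reply:
                raise LookupError(reply["error"])
            child, nsset = reply["referral"]
            # Only accept a referral that moves downwards towards qname; anything
            # else is a loop or a server claiming a zone it has no authority over.
            if not in_zone(qname, child) or len(child) <= len(zone) or not in_zone(child, zone):
                raise ValueError(f"bogus referral to {child} from {server}")
            self.ns_cache[child] = nsset
            zone = child
        raise RuntimeError("too many referrals")
```

The model leaves out TTLs: a real cache (slide 32) keeps each NS set and answer only until its TTL runs out, after which the walk starts again from the deepest zone still cached.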
Resource Record (RR)
Forward lookup: what is a resource record (RR)?
  Name (FQDN)
  Cache time (TTL, Time to Live)
  Network class
  Data type
  Answer (rdata)
TTL is the length of time for which this record may be cached by other DNS servers.
IN means Internet.
There are many data types.
FQDN TTL class type rdata
www.xxx.com.tw. 3600 IN A 10.10.10.2
Forward lookup: resource record example
xxx.com.tw. 38400 IN SOA ns1.xxx.com.tw. abelyang.twnic.net.tw. (
        2001061501 ; Serial
        43200      ; Refresh 12 hours
        14400      ; Retry 4 hours
        345600     ; Expire 4 days
        7200       ; Negative cache 2 hours
        )
xxx.com.tw. 86400 IN NS ns1.xxx.com.tw.
xxx.com.tw. 86400 IN NS ns2.xxx.com.tw.
ns1.xxx.com.tw. 86400 IN A 211.72.211.1
ns2.xxx.com.tw. 86400 IN A 211.72.211.2 ; the rest is omitted
Forward lookup: SOA RR
There are many different RR types.
The SOA (Start Of Authority) record is used by DNS itself.
SOA provides the basic data of this zone and its update timing parameters.
xxx.com.tw. 1D IN SOA ns1.xxx.com.tw. abelyang.twnic.net.tw. (
        2001061501 ; serial: used during AXFR to judge whether the master's data has changed
        43200      ; refresh: the slave asks the master for an AXFR every this interval
        14400      ; retry: if the update fails, the AXFR is retried every this interval
        345600     ; expire: if the slave's data is older than this, it gives up the zone
        172800     ; min ttl: within this time (refresh + N x retry being less than it) an AXFR
                   ; is done to keep the data correct and in sync; past this time the slave no
                   ; longer sends AXFR requests to the master and DNS must be restarted
        )
In the owner field, @ can stand for the domain name; the SOA RDATA gives the master host name and the domain administrator's email, in which the original @ is written as a dot.
Zone File: SOA notes
In a zone file the @ symbol stands for the name of the current zone, so the @ in the email must be replaced with a dot.
If the original email contains a dot, it must be written as \.
The usual recommended TTL is half a day (38400) or a day (86400); if your DNS data is very stable it can be set higher.
The time parameters in the SOA serve to keep the zone file data of master and slave in sync.
Every time you change anything in the zone file, be sure to increase the serial number so that the AXFR can proceed.
Recommended values for the timers can be found in RFC 1912.
Forward lookup: NS/A RR
NS (NameServer) records are used in the DNS search.
Every zone file, just as it has an SOA, must have NS RRs, placed after the SOA. If the RDATA of an NS record lies within the same zone, it must be accompanied by an A (Address) RR giving its IP address.
xxx.com.tw. IN NS ns1.xxx.com.tw.
xxx.com.tw. IN NS ns2.xxx.com.tw.
ns1.xxx.com.tw. IN A 211.72.211.1
ns2.xxx.com.tw. IN A 211.72.211.2
Forward lookup: NS/A RR
NS records state which hosts manage this domain name (the authoritative hosts); they must agree with the delegation at the parent (e.g. TWNIC).
The RDATA of an NS record must be an FQDN; it may not be an IP address and may not point to a CNAME record (RFC requirement).
Which NS record is used is chosen at random, not by taking the first one.
An A record states what the IP of a given FQDN is.
xxx.com.tw. IN NS ns1.xxx.com.tw.
xxx.com.tw. IN NS ns2.xxx.com.tw. ; addresses of ns1 and ns2 omitted
Forward lookup: CNAME RR
CNAME is used for host aliases; for example, a lookup of FTP yields the address of WWW.
CNAME is often used by organisations that have only a few IPs.
It is recommended to use A records instead of CNAME, to avoid problems with NS, MX and the like.
www.xxx.com.tw. 3600 IN A 211.72.211.80
ftp.xxx.com.tw. 3600 IN CNAME www.xxx.com.tw.
Forward lookup: the whole picture
xxx.com.tw. 86400 IN SOA ns1.xxx.com.tw. root.xxx.com.tw. (
        2002021301 ; serial
        1D         ; refresh
        1H         ; retry
        1W         ; expiry
        2D         ; min ttl
        )
xxx.com.tw. 86400 IN NS ns1.xxx.com.tw.
xxx.com.tw. 86400 IN NS ns2.xxx.com.tw.
xxx.com.tw. 86400 IN NS dns.hinet.net.
ns1.xxx.com.tw. 86400 IN A 211.72.211.1
ns2.xxx.com.tw. 86400 IN A 211.72.211.2
www.xxx.com.tw. 86400 IN A 211.72.211.80
ftp.xxx.com.tw. 86400 IN CNAME www.xxx.com.tw.
xxx.com.tw. 86400 IN MX 10 mail.xxx.com.tw.
xxx.com.tw. 86400 IN MX 20 imap.xxx.com.tw.
mail.xxx.com.tw. 86400 IN A 211.72.211.25
imap.xxx.com.tw. 86400 IN A 211.72.211.143
wk1.dept1.xxx.com.tw. 86400 IN A 211.72.211.101
wk2.dept1.xxx.com.tw. 86400 IN A 211.72.211.102
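A small zone file parser and the sanity checks the SOA, NS/A and CNAME slides above call for, as an added Python example that is neither TWNIC's nor the lecture's code. The `ZONE` text is the slide's zone reproduced as constructed test input; the parser handles `;` comments, the parenthesised SOA, `@`, and the 1D/1H/1W time units. The checks are the rules the slides state: exactly one SOA at the apex, a serial that grew since the last load, NS records at the apex, NS/MX targets that are names rather than IP addresses or CNAMEs, and an A record (glue) for every in-zone NS target.

```python
import re

ORIGIN = "xxx.com.tw."

# The slide's zone file, reproduced here as constructed input (case normalised).
ZONE = """
xxx.com.tw.            86400 IN SOA ns1.xxx.com.tw. root.xxx.com.tw. (
                                   2002021301 ; serial
                                   1D         ; refresh
                                   1H         ; retry
                                   1W         ; expiry
                                   2D         ; min ttl
                                   )
xxx.com.tw.            86400 IN NS    ns1.xxx.com.tw.
xxx.com.tw.            86400 IN NS    ns2.xxx.com.tw.
xxx.com.tw.            86400 IN NS    dns.hinet.net.
ns1.xxx.com.tw.        86400 IN A     211.72.211.1
ns2.xxx.com.tw.        86400 IN A     211.72.211.2
www.xxx.com.tw.        86400 IN A     211.72.211.80
ftp.xxx.com.tw.        86400 IN CNAME www.xxx.com.tw.
xxx.com.tw.            86400 IN MX 10 mail.xxx.com.tw.
xxx.com.tw.            86400 IN MX 20 imap.xxx.com.tw.
mail.xxx.com.tw.       86400 IN A     211.72.211.25
imap.xxx.com.tw.       86400 IN A     211.72.211.143
wk1.dept1.xxx.com.tw.  86400 IN A     211.72.211.101
wk2.dept1.xxx.com.tw.  86400 IN A     211.72.211.102
"""

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_ttl(tok):
    """'86400' -> 86400, '1D' -> 86400, '1W' -> 604800; None if tok is not a TTL."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", tok.lower())
    return int(m.group(1)) * UNITS[m.group(2)] if m else None


def logical_lines(text):
    """Drop ';' comments and join records continued inside ( ... ), as the SOA is."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            toks = " ".join(buf).split()
            buf = []
            if toks:
                yield toks
    if depth:
        raise ValueError("unbalanced parentheses in zone file")


def parse_zone(text, origin=ORIGIN):
    """Each record -> dict(name, ttl, type, rdata); '@' and relative names expand to origin."""
    records = []
    for toks in logical_lines(text):
        name = origin if toks[0] == "@" else toks[0].lower()
        if not name.endswith("."):
            name = f"{name}.{origin}"
        toks = toks[1:]
        ttl = parse_ttl(toks[0])
        if ttl is not None:
            toks = toks[1:]
        if toks[0].upper() == "IN":
            toks = toks[1:]
        records.append({"name": name, "ttl": ttl, "type": toks[0].upper(), "rdata": toks[1:]})
    return records


def check_zone(records, origin=ORIGIN, previous_serial=None):
    """Return a list of problems; an empty list means the zone passes the slides' rules."""
    problems = []
    soa = [r for r in records if r["type"] == "SOA"]
    if len(soa) != 1 or soa[0]["name"] != origin:
        problems.append("expected exactly one SOA record at the zone apex")
    else:
        serial = int(soa[0]["rdata"][2])
        if previous_serial is not None and serial <= previous_serial:
            problems.append(f"serial {serial} not increased past {previous_serial}; slaves will not transfer")
    cnames = {r["name"] for r in records if r["type"] == "CNAME"}
    have_a = {r["name"] for r in records if r["type"] == "A"}
    apex_ns = [r for r in records if r["type"] == "NS" and r["name"] == origin]
    if not apex_ns:
        problems.append("no NS records at the zone apex")
    for r in apex_ns + [r for r in records if r["type"] == "MX"]:
        target = r["rdata"][-1].lower()
        if re.fullmatch(r"\d+(\.\d+){3}\.?", target):
            problems.append(f"{r['type']} target {target} is an IP address, not a name")
        elif target in cnames:
            problems.append(f"{r['type']} at {r['name']} points at CNAME {target}")
        elif (target == origin or target.endswith("." + origin)) and target not in have_a:
            problems.append(f"in-zone {r['type']} target {target} has no A record (missing glue)")
    for r in records:   # a name that is a CNAME may carry no other data
        if r["name"] in cnames and r["type"] != "CNAME":
            problems.append(f"{r['name']} has a CNAME and other data ({r['type']})")
    return problems
```

The serial check needs the serial from the previous load of the file (`previous_serial`), which is the value a secondary compares against before deciding whether to transfer; passing it in is how a reload script catches the forgotten increment the slides warn about.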