Detailed Explanation of DNS Deployment and Security (Part 1)

---

1. DNS

  The full name of DNS is Domain Name Service (Domain Name Service) , and its function isProvide domain name resolution service for clients。

2. Composition of Domain Names

1. Overview of Domain Name Composition

  For example, "www.sina.com.cn" is a domain name. Strictly speaking, "sina.com.cn" is called a domain name (unique in the world), and "www" is a host name .
  " Hostname.Domain Name " is called Fully Qualified Domain Name (FQDN-Full Quality Domain Name) . Speaking of this, some friends may wonder:Hostname and domain nameWhat's the difference? And isn't the domain name unique in the world? Why add a host name?

  The domain name "sina.com.cn" was bought by Sina Corporation. After buying it, the company wanted to provide users with the service of browsing news online, so it spent money to buy a server. The name of this server was "www.com.cn". ", and then bind the purchased domain name to provide services for users. That is to say, "www.sina.com.cn" actually points to a specific server of Sina Company, so it is also called " fully qualified domain name ", that is,Can be precisely limited to a certain server. Later, the company plans to develop mail sending and receiving business, and buys another server named "mail". The domain name will definitely not need to be purchased again, and the domain name already purchased will continue to provide services for users. At this time, the user visits "mail.sina. com.cn", in fact, it is to access the server that provides email services within Sina.

  Here we do a small experiment, use the nslookup command in the console to view the original IP address of the domain name, as shown in the following figure:

  Through the above experiments, we can see that: www.sina.com.cn and mail.sina.com.cn point to two different servers. So in layman's terms,The host name is the name of a server within the company,andThe domain name is the unique identification of the company externally. Take "sina.com.cn" as an example, generallyAdministrators name their hosts according to their functions. For example, the website is www, the blog is blog, and the forum is bbs, then the corresponding FQDNs are www.sina.com.cn, blog.sina.com.cn, bbs.sina.com.cn. Although there are multiple FQDNs, we only need to apply for one domain name, namely "sina.com.cn".

2. Domain Name Composition

  The domain name is composed of a tree structure, as shown in the following figure:

  The root domain name is a dot " . ", and the root domain name is called the top-level domain name, also called the first-level domain name, such as .com, .cn, .org, etc., which we cannot buy. Below the first-level domain name is the second-level domain name, such as baidu, qq, taobao, etc., and so on. As shown in the following example:

Such as: www.baidu.com.
. is the root domain name
. com is the top-level domain
baidu is the second-level domain name
www is the host name

  注意：www.baidu.com.，后面是有一个点“.”，这个点代表的就是根域名，但是我们一般不敲，是浏览器已经给我们敲了，这个点不能没有，代表世界顶尖的那个根服务器。这就代表我们正在访问全世界根下面的com结尾的下面的baidu下面的www那台主机。从世界定位到某个公司内部的某台主机。

FQDN=hostname.DNS suffix
FQDN (full domain name)

3. Listening port

  The port number of the DNS server is 53 , but it is very special, it has both TCP and UDP

TCP53
UDP53

4. Types of DNS resolution

  There are many types of DNS servers providing resolution services for clients

1. Classified according to query method:

1. Recursive query: between the client and the local DNS server
2. Iterative query: the resolution process between the local DNS server and other DNS servers such as the root

  The process of the client looking for resolution : If the client wants to visit Baidu now, enter www.baidu.com and press Enter, it will first look at the browser cache, if there is no Baidu resolution record in the cache, then look at the local host file, there is not yet , just seek the help of the local DNS server for resolution. The local DNS server here does not necessarily refer to the company, but the nearest server that provides DNS resolution services for itself. It may be in the company or in the local city. , or provincial capital cities, etc.
  DNS server resolution process : When the client sends a resolution request to the local DNS server , the local DNS server will check the IP information corresponding to all its domain names. Here comes the question: Will there be www.baidu.com domain name resolution information on this DNS server? Not necessarily, because there are hundreds of millions of domain name information in the world,It is impossible for one server to contain all domain name information. Assuming that there is no Baidu domain name information in the local DNS server, he will seek help from the root domain. As shown in the figure above, after receiving the request, the root domain will tell him the IP of the top-level domain name resolution server ending in .com, because The next level of the root domain is the top-level domain name. He must know what and where his next level is, and then the local DNS server will request the .com domain name server, and the .com domain name server will tell him the IP of the baidu.com domain name server address, and finally requesting the domain name server of baidu.com, the domain name server will give the real IP address of www.baidu.com resolved to the local DNS server, and the server will give the IP to the client, and at the same time he will give the IP address It is also stored in its own cache, so that other clients can directly provide it when parsing in the future.
  It can be seen from the above two processes that:Client and local DNS serverAll questions are answered , that is, the real IP corresponding to the domain name requested by the client will be given by the local DNS server. This relationship is also called recursive query ;Local DNS server and other serversThe question is not the answer , he needs to traverse the request step by step, this relationship is also called iterative query ;

Note: There are only 13 root servers in the world, one is the main root server in the United States, and the remaining 12 are auxiliary root servers, of which 9 are in the United States, 2 are in Europe (located in the UK and Sweden), and 1 is in Asia ( located in Japan).

  For a local DNS server, just remember where the root server is. As long as you don't know the domain name, you can access the root server, and then find the answer. For example, if we want to make our computer a DNS server, then download a DNS software from the Internet, thisAfter the software is installed, there must be 13 built-in root server IP addresses. When you can’t resolve it yourself, you will definitely ask the root server.
  Due to business needs, many companies need to set up a DNS server within their own company, allowing company employees to directly point to the internal DNS server to resolve Internet domain names. This server is called a local DNS server , so here comes the question: Do I need to find the root server for the server I set up myself? Of course it is necessary,Any server to do DNS resolution must find the root server, That is to say, if the company employees want to visit Baidu, when using the local DNS server for resolution, the server must ask for help from the root server, because the domain name file in the newly installed DNS server is blank, and the DNS server must Go abroad to visit the root server once, and it takes multiple iterative queries to find Baidu. Moreover, the DNS server we built locally is a lightweight server , so it is easy for him to be overloaded with frequent requests to external servers, so what should we do? Engineers can artificially add a forwarder
  to the local DNS server , and the forwarder points to our local public network DNS server . In this case, if the client visits Baidu and requests the local DNS server to resolve the domain name, the local DNS server will first check the cache. If you have resolved Baidu, there is a local cache. If not, then see if you are responsible for resolving baidu.com If the server of the domain name is not, at this time, the request is not sent to the root server, but directly sent to the public network DNS server pointed to by the forwarder. The working principle of the transponder is recursive query. I send the request to the DNS server of the public network, and you just need to give me the result. If you don’t have one, you request the root server yourself, and then iterate multiple times to get the final result and give it to me. Then I'm relieved.   so
After the company generally builds its own DNS server, it will let him forward the resolution request to the local public DNS server through the forwarder, which greatly relieves the load pressure on the local DNS server。

2. Classify according to query content:

1. Forward resolution : known domain name, resolve IP address
2. Reverse analysis : known IP address, resolve domain name

  Ordinary users basically use forward analysis, and firewalls use reverse analysis。

Five, DNS server construction process

1. Make sure the IP address of the server is fixed

We useWindows server2003 virtual machineAs the server to build DNS, firstCheck whether the IP is fixed,Proceed as follows:

1. Right-click [ My Network Places ], and click [ Properties ] in the pop-up list

2. Right-click [ Local Area Connection ], and click [ Properties ] in the pop-up list
   
3. Double-click [ Internet Protocol (TCP/IP) ]
   
4. You can see that it is a fixed IP address, if not, change it to a fixed IP
   

2. Install DNS software

The steps to install DNS software are as follows:

1. In [ My Computer ], double-click to open the CD-ROM drive
   

2. Select [ Install optional Windows components ]
   

3. Find [ Network Services ], and double-click to open it
   

4. Check [ Domain Name System (DNS) ], and then click [ OK ] to install
   

5. Before installing the DNS domain name service, we first enter the console with cmd and enter the command: netstat -an to view all currently open port services, as shown in the figure below. It was found that there is no port number 53 , because it has not been installed yet.
   

6. Then go back to the DNS service installation page just now. After checking, click OK, and then click Next to start the installation. During the installation process, a window as shown in the figure below will pop up, and it will pop up twice.
   

7. We need to change D to E, because the optical drive is installed on the E drive, after the change, click [ OK ], you need to change it twice, then confirm, the next step
   

8. After the installation is successful, click [ Finish ]
   

9. Click [ Start ] in the lower left corner of the mouse, click [ All Programs ], click [ Management Tools ], and you can see that [ DNS ] software is already in it
   

10. Then cmd to enter the black console, enter the command: netstat -an , press Enter to seePort 53 for TCP and UDPhave been opened to proveDNS service is enabledup
    

  So far, the DNS service on my computer has been downloaded, and my computer can access the Internet normally. The employee originally pointed to our city’s public network DNS server to resolve the domain name to go online, and then I told an employee that you don’t need to change your IP or subnet mask, and point the DNS to my IP manually, can he go online? ?

  The answer is that you can access the Internet . Let me explain the whole principle to you: I have not done anything now, but installed the DNS software on the computer, that is, turned on the DNS service. Now the employee sent me the request, saying that he wants to visit Baidu. I also talked about the server’s resolution process above. After receiving the request, first check whether there is Baidu’s domain name resolution cache locally? I just built it, so I definitely don’t have it. Secondly, it depends on whether my server is responsible for the resolution of this type of domain name. We have not specified which domain name to resolve for this computer, and have not done any configuration in this regard, so it is certain It is not responsible for this analysis. If there is none, then the server will look for a forwarder, and I have not set a forwarder for this server, so there is the last method - to find a root server. My server can access the Internet, that is, it has built-in IP information of 13 root servers, so I can go abroad to find the corresponding root server for iterative analysis. In the end, I can analyze Baidu and give it to customers machine.
  In fact, after we install the DNS software, our computer is a real DNS server, but this kind of server with only DNS software installed, we call it: DNS cache server . What does that mean? That is to say, my server itself is not responsible for any type of analysis. If you ask me what domain name, I will go to the root server to analyze it step by step, and finally get the resolved result and return it to the client. Once I ask too much After that, my local cache will be more and more, and the cache time can be set longer. After a period of time, I get all the domain names that everyone visits frequently. When employees visit me again, I don't need to go to the Internet to find the root server to ask, which can improve the speed of employees' access. Assuming that the public DNS server in the city where I live is paralyzed one day, I can still provide you with resolution services. so weAs long as the DNS service software is installed, it is actually a complete DNS server..
  In the next blog, I will talk about the subsequent configuration of this DNS server so that it can truly be responsible for a certain type of domain name resolution and verification, and then do some DNS hijacking and forwarder experiments . And the transponder must be able to do it, because as long as the company itself has a DNS server, it will definitely use the transponder.