Naming

What's in a name?

• IP (unlike other networking protocols) uses numbers only.
• Names provided for convenience.
• Names form a separate space of options from numbers.

Translating names:

• /etc/hosts (locally valid list of names)
• Network Information Service (/etc/hosts for a local network)
  • maintains and broadcasts several system tables.
  • UNIX-specific
  • works on almost all UNIX's.
  • distributes /etc/passwd in a frightfully insecure manner.
• NIS+ (/etc/hosts for an enterprise of hosts).
  • maintains and broadcasts several system tables.
  • UNIX-specific
  • barely works on Suns, and it was created for them.
• BIND (Berkeley Internet Name Domain: /etc/hosts for the internet)
  • just naming information
  • not UNIX-specific.

Berkeley Internet Name Domain (BIND):

• a.k.a. Domain Name Service (DNS)
• Hierarchical
• specific to task of translating names
• scalable

Hierarchy of names:

• root domain, root servers: top level of name service
• top level domains:
  • org: US non-profit
  • edu: US educational
  • gov: US government
  • com: US commercial (for-profit)
  • mil: US military organizations.
  • net: US network support organizations. (This has changed!)
  • info, biz, us: new toplevel domains
• geographical top level domains:
  • us: United States
  • fi: Finland
  • sg: Singapore
  • de: Germany. (Deutschland)
  • ch: Switzerland(!)
• Caveat: international abbreviations are in the language of the target country.

Hierarchical organization and delegation:

• hierarchy of servers.
• no machine gets to be a name server without being trusted.
• Top-level servers delegate subdomains to lower-level servers.

         edu
       /     \
   tufts.edu mit.edu
      |
   eecs.tufts.edu
  

• You can't just start up a nameserver and expect people to listen.
• Scope of a name server is the number of other servers that trust it to serve a particular domain.
• tualatin.eecs.tufts.edu: completely untrusted. Only works on the local wire within EECS.
• conmoto.eecs.tufts.edu: serves eecs.tufts.edu, trusted by ns1.tufts.edu serving tufts.edu.
• ns1.tufts.edu: serves tufts.edu, trusted by ns1.highwire.org.

Exploring names: nslookup and dig

• Way to explore names: look one up in the database.
• BIND only (you can look in /etc/hosts yourself).
• Old way: nslookup
• New way: dig

   tualatin{couch}55: dig conbrio.eecs.tufts.edu
   
   ; <<>> DiG 9.2.1 <<>> conbrio.eecs.tufts.edu
   ;; global options:  printcmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29696
   ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
   
   ;; QUESTION SECTION:
   ;conbrio.eecs.tufts.edu.                IN      A
   
   ;; ANSWER SECTION:
   conbrio.eecs.tufts.edu. 60      IN      A       130.64.23.39
   
   ;; AUTHORITY SECTION:
   eecs.tufts.edu.         60      IN      NS      ns2.tufts.edu.
   eecs.tufts.edu.         60      IN      NS      ns2.highwire.org.
   eecs.tufts.edu.         60      IN      NS      ns1.tufts.edu.
   eecs.tufts.edu.         60      IN      NS      ns1.highwire.org.
   
   ;; ADDITIONAL SECTION:
   ns1.tufts.edu.          83967   IN      A       130.64.1.8
   ns1.highwire.org.       2475    IN      A       171.66.121.100
   ns2.tufts.edu.          84364   IN      A       130.64.5.8
   ns2.highwire.org.       2475    IN      A       171.66.232.36
   
   ;; Query time: 1 msec
   ;; SERVER: 130.64.23.38#53(130.64.23.38)
   ;; WHEN: Mon Mar 15 13:43:49 2004
   ;; MSG SIZE  rcvd: 204
  

Kinds of maps

• Forward map: name to ip.
• Reverse map: ip to name.
• Exploring reverse maps

   tualatin{couch}56: dig -x 130.64.23.38
   
   ; <<>> DiG 9.2.1 <<>> -x 130.64.23.38
   ;; global options:  printcmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39953
   ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
   
   ;; QUESTION SECTION:
   ;38.23.64.130.in-addr.arpa.     IN      PTR
   
   ;; ANSWER SECTION:
   38.23.64.130.in-addr.arpa. 60   IN      PTR     conmoto.eecs.tufts.edu.
   
   ;; AUTHORITY SECTION:
   23.64.130.in-addr.arpa. 60      IN      NS      ns2.tufts.edu.
   23.64.130.in-addr.arpa. 60      IN      NS      ns2.highwire.org.
   23.64.130.in-addr.arpa. 60      IN      NS      ns1.tufts.edu.
   23.64.130.in-addr.arpa. 60      IN      NS      ns1.highwire.org.
   
   ;; ADDITIONAL SECTION:
   ns1.tufts.edu.          83839   IN      A       130.64.1.8
   ns1.highwire.org.       2347    IN      A       171.66.121.100
   ns2.tufts.edu.          84236   IN      A       130.64.5.8
   ns2.highwire.org.       2347    IN      A       171.66.232.36
   
   ;; Query time: 1 msec
   ;; SERVER: 130.64.23.38#53(130.64.23.38)
   ;; WHEN: Mon Mar 15 13:45:57 2004
   ;; MSG SIZE  rcvd: 227
  

• Painful: exploring reverse maps via nslookup:

   tualatin{couch}63: nslookup
   Note:  nslookup is deprecated and may be removed from future releases.
   Consider using the `dig' or `host' programs instead.  Run nslookup with
   the `-sil[ent]' option to prevent this message from appearing.
   > set type=ptr
   > 38.23.64.130.in-addr.arpa.
   Server:         130.64.23.38
   Address:        130.64.23.38#53
   
   38.23.64.130.in-addr.arpa       name = conmoto.eecs.tufts.edu.
   > 
  

  • set type=PTR: use address-to-name rather than name-to-address mapping.
  • 38.23.64.130: address in reverse.
  • .in-addr.arpa.: magical suffix of address-to-name mapping
    • in-addr: internet addresses.
    • arpa: in arpanet (the predecessor of the internet).

Name resolution is complex and has several parts:

• a BIND server that runs on specific hosts.
• a runtime library libresolv.a of programs that translates names of particular servers, on demand.
• a configuration file /etc/resolv.conf that determines how the library works
• a debugging program /sbin/nslookup (/usr/sbin/nslookup) that allows one to test the infrastructure (also see /sbin/dig)
• a name service control file /etc/nsswitch.conf that determines which sources of names are locally valid.

Bind parts:

• /usr/lib/libresolv.a: the name resolution library.
  • compiled into (or dynamically linked into) all programs using names.
  • queries nameservers as described in /etc/resolv.conf
  • /usr/lib/libresolv.a or -lresolv
• /etc/resolv.conf: configuration file.
  • tells which servers to use for DNS queries.
  • sets defaults.
• /usr/sbin/named: name service daemon.
  • configured by /etc/named.conf or equivalent.
  • responds to queries by translating names to numbers and vice-versa.
• /etc/nsswitch.conf
  • tells whether to use files, NIS, NIS+, or DNS to resolve name queries.

resolve.conf: control the resolver.

• /etc/resolv.conf (on andante):

   domain eecs.tufts.edu
   search eecs.tufts.edu tufts.edu
   nameserver 130.64.23.38       # conmoto.eecs.tufts.edu
   nameserver 130.64.5.5         # tufts.edu
  

• no names (we don't know how to translate them yet).
• a list of suffixes to append in searching for a name.
  • fully qualified name (FQN) doesn't use this(ends with .).

     telnet allegro.eecs.tufts.edu.
    

  • short (unqualified) name tries each suffix(no ending .).

     telnet allegro
    

  • if there's not . at the end of a name, tries allegro.eecs.tufts.edu. followed by allegro.tufts.edu.

     telnet allegro.eecs.tufts.edu
    

    tries to translate all of allegro.eecs.tufts.edu., allegro.eecs.tufts.edu.eecs.tufts.edu. and allegro.eecs.tufts.edu.tufts.edu(!). First match wins.
• /etc/nsswitch.conf: determines whether DNS is used or not

  contents of names/nsswitch.conf...
  #
  # /etc/nsswitch.conf
  #
  # An example Name Service Switch config file. This file should be
  # sorted with the most-used services at the beginning.
  #
  # The entry '[NOTFOUND=return]' means that the search for an
  # entry should stop if the search in the previous entry turned
  # up nothing. Note that if the search failed due to some other reason
  # (like no NIS server responding) then the search continues with the
  # next entry.
  #
  # Legal entries are:
  #
  #	nisplus or nis+		Use NIS+ (NIS version 3)
  #	nis or yp		Use NIS (NIS version 2), also called YP
  #	dns			Use DNS (Domain Name Service)
  #	files			Use the local files
  #	db			Use the local database (.db) files
  #	compat			Use NIS on compat mode
  #	hesiod			Use Hesiod for user lookups
  #	[NOTFOUND=return]	Stop searching if not found so far
  #
  
  # To use db, put the "db" in front of "files" for entries you want to be
  # looked up first in the databases
  #
  # Example:
  #passwd:    db files nisplus nis
  #shadow:    db files nisplus nis
  #group:     db files nisplus nis
  
  passwd:     files ldap
  shadow:     files ldap
  group:      files ldap
  
  #hosts:     db files nisplus nis dns
  hosts:      files dns
  
  # Example - obey only what nisplus tells us...
  #services:   nisplus [NOTFOUND=return] files
  #networks:   nisplus [NOTFOUND=return] files
  #protocols:  nisplus [NOTFOUND=return] files
  #rpc:        nisplus [NOTFOUND=return] files
  #ethers:     nisplus [NOTFOUND=return] files
  #netmasks:   nisplus [NOTFOUND=return] files     
  
  bootparams: nisplus [NOTFOUND=return] files
  
  ethers:     files
  netmasks:   files
  networks:   files
  protocols:  files ldap
  rpc:        files
  services:   files ldap
  
  netgroup:   files ldap
  
  publickey:  nisplus
  
  automount:  files ldap
  aliases:    files nisplus
  
  ...end of names/nsswitch.conf
  

named: the name service daemon

• UNIX process.
• daemon: a process that runs all the time in the background.
• responds to requests on udp port 42
• returns either information or a pointer to a server with more information.
• different kinds of named service:
  • primary: authoritative source for a domain.
  • secondary: a backup source slaved to a primary.
  • cacheing-only: only queries remote servers and remembers the answer.

named control files (for our class):

• named.conf: instructions about what information to serve.

  contents of names/named.conf...
  // generated by named-bootconf.pl
  
  options {
  	directory "/var/named";
  };
  
  controls {
  	inet 127.0.0.1 allow { localhost; } keys { rndckey; };
  };
  
  zone "." IN {
  	type hint;
  	file "named.ca";
  };
  
  zone "localhost" IN {
  	type master;
  	file "localhost.zone";
  	allow-update { none; };
  };
  
  zone "0.0.127.in-addr.arpa" IN {
          type master;
          file "pz/127.0.0";
  	allow-update { none; }; 
  };
  
  zone "eecs.tufts.edu" {         // name to address 
          type master;                  // standalone 
          notify no;                    // don't do zone transfers  
  	allow-update { none; }; 
          file "pz/eecs.tufts.edu";     // where to get zone info  
  };
  
  zone "118.10.10.in-addr.arpa" { //address to name  
          type master;                  // standalone  
          notify no;                    // don't do zone transfers 
  	allow-update { none; };       
          file "pz/118.10.10";          // where to get zone info 
  };
  include "/etc/rndc.key";
  ...end of names/named.conf
  

• named.ca: "cache" of all the root servers on the Internet:

  contents of names/named.ca...
  ;       This file holds the information on root name servers needed to
  ;       initialize cache of Internet domain name servers
  ;       (e.g. reference this file in the "cache  .  <file>"
  ;       configuration file of BIND domain name servers).
  ;
  ;       This file is made available by InterNIC 
  ;       under anonymous FTP as
  ;           file                /domain/named.cache
  ;           on server           FTP.INTERNIC.NET
  ;
  ;       last update:    Nov 5, 2002
  ;       related version of root zone:   2002110501
  ;
  ;
  ; formerly NS.INTERNIC.NET
  ;
  .                        3600000  IN  NS    A.ROOT-SERVERS.NET.
  A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
  ;
  ; formerly NS1.ISI.EDU
  ;
  .                        3600000      NS    B.ROOT-SERVERS.NET.
  B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
  ;
  ; formerly C.PSI.NET
  ;
  .                        3600000      NS    C.ROOT-SERVERS.NET.
  C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
  ;
  ; formerly TERP.UMD.EDU
  ;
  .                        3600000      NS    D.ROOT-SERVERS.NET.
  D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
  ;
  ; formerly NS.NASA.GOV
  ;
  .                        3600000      NS    E.ROOT-SERVERS.NET.
  E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
  ;
  ; formerly NS.ISC.ORG
  ;
  .                        3600000      NS    F.ROOT-SERVERS.NET.
  F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
  ;
  ; formerly NS.NIC.DDN.MIL
  ;
  .                        3600000      NS    G.ROOT-SERVERS.NET.
  G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
  ;
  ; formerly AOS.ARL.ARMY.MIL
  ;
  .                        3600000      NS    H.ROOT-SERVERS.NET.
  H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
  ;
  ; formerly NIC.NORDU.NET
  ;
  .                        3600000      NS    I.ROOT-SERVERS.NET.
  I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
  ;
  ; operated by VeriSign, Inc. 
  ;
  .                        3600000      NS    J.ROOT-SERVERS.NET.
  J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
  ;
  ; housed in LINX, operated by RIPE NCC
  ;
  .                        3600000      NS    K.ROOT-SERVERS.NET.
  K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129 
  ;
  ; operated by IANA
  ;
  .                        3600000      NS    L.ROOT-SERVERS.NET.
  L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
  ;
  ; housed in Japan, operated by WIDE
  ;
  .                        3600000      NS    M.ROOT-SERVERS.NET.
  M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
  ; End of File
  ...end of names/named.ca
  

• eecs.tufts.edu: zone file for name to address

  contents of names/eecs.tufts.edu...
  ;
  ; Zone file for comp150net.eecs.tufts.edu
  ;
  ; The full zone file
  ;
  $TTL 3D
  @       IN      SOA     ns.eecs.tufts.edu. hostmaster.eecs.tufts.edu. (
                          200403102       ; serial, todays date + todays serial #
                          8H              ; refresh, seconds
                          2H              ; retry, seconds
                          4W              ; expire, seconds
                          1D )            ; minimum, seconds
  ;
                  NS      ns              ; Inet Address of name server
  ;
  hostmaster 	CNAME	tualatin
  ns 		CNAME	tualatin
  localhost       A       127.0.0.1
  tualatin	A	10.10.118.1
  host01		A	10.10.118.129
  host02		A	10.10.118.130
  ...
  host28		A	10.10.118.156
  host29		A	10.10.118.157
  
  couch		A	10.10.118.33
  ningwu		A	10.10.118.35
  bgrubi01	A	10.10.118.36 
  asidrane	A	10.10.118.37
  ipapas		A	10.10.118.165
  dcasaz01	A	10.10.118.166
  jmeattle	A	10.10.118.167
  ...
  cbradley	A	10.10.118.225
  pjoshi01	A	10.10.118.226
  tthomas		A	10.10.118.227
  ...end of names/eecs.tufts.edu
  

• 118.10.10: zone file for reverse map (address to name).

  contents of names/118.10.10...
  $TTL 3D
  @       IN      SOA     ns.eecs.tufts.edu. hostmaster.eecs.tufts.edu. (
                          200403102 ; Serial, todays date + todays serial
                          8H      ; Refresh
                          2H      ; Retry
                          4W      ; Expire
                          1D)     ; Minimum TTL
                  NS      ns.eecs.tufts.edu.
  
  1               PTR     ns
  
  33		PTR	couch
  35		PTR	ningwu
  36		PTR	bgrubi01
  37		PTR	asidrane
  
  129		PTR	host01
  130		PTR	host02
  131		PTR	host03
  132		PTR	host04
  ...
  156		PTR	host28
  157		PTR	host29
    
  165		PTR	ipapas
  166		PTR	dcasaz01
  167		PTR	jmeattle
  ...
  226		PTR	pjoshi01
  227		PTR	tthomas
  ...end of names/118.10.10
  

Name data:

• Structured into several kinds of records.
• Each record has a key and a value.

Name service records:

• SOA: start of authority
• NS: name server
• A: name to address
• PTR: address to name
• MX: mail exchanger
• CNAME: canonical name (alias)
• HINFO: host information.
• WKS: well known service.

Example: forward (zone) map eecs-tufts.zone

• preamble (Start-of-authority record) describes this map:

   @   IN      SOA     NS1.Tufts.EDU.  jco.EECS.Tufts.EDU. (
                         2001030203 ; Serial number of this file,
                                 ; MUST be incremented upon ANY change.
                                 ; Format is YYYYMMDDXX where XX is 00-...
                         7200    ; Secondaries Refresh every 2 hours.
                         1800    ; Retry failed refresh every 30 min.
                         604800  ; Secondaries Expire data after 1 week
                                 ; isolation from primary.
                         86400 ) ; TTL's default to 1 day.
   ; here we list all our backup servers; they're 
   ; `authorized' to serve as authoritative for our domain 
         IN      NS      Ns1.Tufts.EDU.
         IN      NS      Ns2.Tufts.EDU.
         IN      NS      Ns1.Highwire.ORG.
         IN      NS      Ns2.Highwire.ORG.
  

  • A record starts with a name and translates it to a value.
  • IN: internet naming.
  • SOA: start of authority record.
  • NS: name server record.
  • The @ name is magic. It stands for the domain we're trying to define (eecs.tufts.edu).
• Address record:

   Yogi    IN     A       130.64.23.171
  

  • Yogi: the name we're translating.
  • IN A: define the address of the record.
  • 130.64.23.171: number corresponding to name.
• Canonical name: defines logical alias.

   Smtp    IN     CNAME   Allegro.EECS.Tufts.EDU.
  

  • Smtp: name of alias (implicitly append eecs.tufts.edu!)
  • IN CNAME: define Internet canonical name.
  • Allegro.EECS.Tufts.EDU: translation of that name.
• Mail exchanger record: what mail server do we send email to?

   @       IN      MX     10      Allegro.EECS.Tufts.EDU.
  

  • @: for eecs.tufts.edu
  • IN MX: define an Internet mail exchanger.
  • 10: priority 10 (lowest wins).
  • Allegro.EECS.Tufts.EDU: the server for mail in this domain.
• Host information record: what kind of host is this?

   Yogi   IN   HINFO   Pentium-II   Redhat-6.2
  

  • Yogi: host to define.
  • IN HINFO: define host information.
  • Pentium-II: hardware.
  • Redhat-6.2: software.

Maintaining name service:

• updating tables.
  • edit files.
  • update serial numbers (otherwise, other name servers won't update their tables to contain your new information).
• restarting the daemons.

   kill -HUP $PID
  

  where $PID is the process identifier of named. This tells the process to re-read its tables. It does not kill the process.

Summary

• dig and nslookup spy on names.
• /etc/resolv.conf determines name sources.
• /etc/nsswitch.conf determines whether DNS is enabled.

Naming caveats

• naming service serves not only name to IP, but also other identifying info.
  • Mail exchangers.
  • Authority for domain.
  • Machine type.
  • Geographical location.
• Marvelous hack: Realtime blackhole list (anti-spam)

Network Debugging

• Three levels of networking.
  • MAC/ARP
  • IP/RIP
  • DNS (domain name service)
• You never know which has failed.
• Start from the top down or bottom up (depending upon circumstances).
• Move up or down as appropriate.

Debugging ARP

• operative commands
  • ping <address>
  • arp -a
• procedure: bottom up
  • Are we connected?
  • Can we ping a host connected to the same hub?
  • Can we ping a host connected to the same switch?

Debugging Routes

• operative commands:
  • traceroute <address>
  • netstat -rn
• Procedure: bottom up
  • Can we ping our gateway?
  • Can we ping another interface on our gateway?
  • Can we ping the next hop after our gateway?
  • Can we traceroute to the desired host?

Debugging names

• operative commands:
  • /usr/sbin/nslookup
  • /local/bin/dig
• Procedure: bottom-up
  • Does our own nameserver know the appropriate IP address?
  • Do our secondary servers know the appropriate address?
  • Do the root servers know the appropriate address?