DNS (Domain Name Service)

整理 DNS 概念筆記。

基本概念

名詞

DNS 全名有三種意思，分別是 Domain Name System、Domain Name Service、Domain Name Server，所以文章或者口語在溝通時，是哪一種要看前後文以及場景。
Zone Apex / Root Domain / Naked Domain: 網域名稱的根節點. 像是 www.google.com 的 root domain 就是 google.com
TLD: Top level domain, 就是第一層的名稱，像是 .com, .org, .gov, .edu, .net … 等
TTL: Time to live
Delegation: 網域代理, 有些網站翻譯成 “授權”. 就是子網域名稱 (sub domain) 交由另一台機器管理.
DKIM: DomainKeys Identified Mail

DNS 屬性

A: IPv4 位址, e.g. 192.168.1.1
AAAA: IPv6 位址, e.g. 2001:0db8:85a3:0:0:8a2e:0370:7334
CNAME: 全名 Canonical Name, 也可叫 domain name aliases. 就是 A Record 指定名稱的另一個別名。CNAME 不可以指向 IP 或者 MX record.
MX: 全名是 Mail Exchange, 指向郵件主機的位址, 位址必須是 A or AAAA record, 不可以是 CNAME. 網域 mail rely 的位址, 一般就是 SMTP.
NS: 指向 DNS Server 位址. 格式與網域名稱相同，是用來設定網域名稱的名稱服務主機。NS 與 SOA 是 Hosted Zone 基本 Record。Route 53 自動產生四筆 NS Record，把上層 NS 指向這四台。
PTR: IP 與 NS 的反解
SOA: 全名叫 start of authority, 提供基本的網域名稱資訊，有七個欄位:
- 第一欄：主要的 name server 名稱，像是 dns.example.com
- 第二個欄位：管理者資訊, 因為不可以使用 @, 所以大多都會用 . 取代。很容易誤解的欄位。
- 剩下的五個欄位以十進制數字表示，分別序列編號、更新時間、重試時間、有效時間與 TTL。
SPF: 全名 Sender Policy Framework (SPF), 不過 AWS Route53 文件建議使用 TXT 取代此 record.
- 深入的格式與介紹參考 Sender Policy Framework
- DNS 設定 spf 記錄 - Sender Policy Framework
SRV: 以四個以空白隔開的值。前三個十進制數字表示優先權、權重與通訊埠。第四個值為網域名稱。
TXT: 用來放至描述、說明等訊息。但是後來被拿來當作設定檔使用，像是前面提到的 SPF 格式、DKIM …等

參考文件：

DNS 限制

Domain Name 長度限制為 253
階層的上限：This tree of subdivisions may have up to 127 levels. see Domain Name System, Network Administration: Domains and Domain Names
- 但是 RFC 沒有明確規範
- 下圖是測試範例

相關工具

nslookup

一般 NS/IP 查詢: nslookup www.google.com
查詢 record by type: set type=${type}

~$ nslookup
> set type=mx
> gmail.com
Server:		8.8.8.8
Address:	8.8.8.8#53
Non-authoritative answer:
gmail.com	mail exchanger = 5 gmail-smtp-in.l.google.com.
gmail.com	mail exchanger = 10 alt1.gmail-smtp-in.l.google.com.
gmail.com	mail exchanger = 40 alt4.gmail-smtp-in.l.google.com.
gmail.com	mail exchanger = 30 alt3.gmail-smtp-in.l.google.com.
gmail.com	mail exchanger = 20 alt2.gmail-smtp-in.l.google.com.

> set type=soa
> google.com
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
google.com
	origin = ns1.google.com
	mail addr = dns-admin.google.com
	serial = 117708571
	refresh = 900
	retry = 900
	expire = 1800
	minimum = 60

使用 debug mode: set d2, 可以清楚地看到 DNS 查詢每一個 SendRequest / Response packet 的內容。

可以用來找尋未知 Record TTL, 通常是要做 DNS 切換時需要.

以下例子是使用 windows 的版本，分別會查詢 ipv4, ipv6 的資訊。如果網域中有字尾 domain, 那麼就會先查字尾 domain 的 DNS.

C:\Users\rickhwang>nslookup
Default Server:    dc1.gtcafe.corp
Address:    10.1.0.5

> set d2
> www.google.com

------------
SendRequest(), len 32
        HEADER:
                opcode = QUERY, id = 12, rcode = NOERROR
                header flags:    query, want recursion
                questions = 1,    answers = 0,    authority records = 0,    additional = 0

        QUESTIONS:
                www.google.com, type = A, class = IN

------------
------------
Got answer (48 bytes):
        HEADER:
                opcode = QUERY, id = 12, rcode = NOERROR
                header flags:    response, want recursion, recursion avail.
                questions = 1,    answers = 1,    authority records = 0,    additional = 0

        QUESTIONS:
                www.google.com, type = A, class = IN
        ANSWERS:
        ->    www.google.com
                type = A, class = IN, dlen = 4
                internet address = 216.58.200.196
                ttl = 70 (1 min 10 secs)

------------
Non-authoritative answer:
------------
SendRequest(), len 32
        HEADER:
                opcode = QUERY, id = 13, rcode = NOERROR
                header flags:    query, want recursion
                questions = 1,    answers = 0,    authority records = 0,    additional = 0

        QUESTIONS:
                www.google.com, type = AAAA, class = IN

------------
------------
Got answer (60 bytes):
        HEADER:
                opcode = QUERY, id = 13, rcode = NOERROR
                header flags:    response, want recursion, recursion avail.
                questions = 1,    answers = 1,    authority records = 0,    additional = 0

        QUESTIONS:
                www.google.com, type = AAAA, class = IN
        ANSWERS:
        ->    www.google.com
                type = AAAA, class = IN, dlen = 16
                AAAA IPv6 address = 2404:6800:4004:800::2004
                ttl = 174 (2 mins 54 secs)

------------
Name:        www.google.com
Addresses:    2404:6800:4004:800::2004
                    216.58.200.196

不曉得為什麼，unix 版的 debug 資訊都沒有 format 過，只是把 function stack 印出來，不管是 OS X or Linux 都是如此.

~$ nslookup
> set d2
> www.google.com
addlookup()
make_empty_lookup()
looking up www.google.com
start_lookup()
setup_lookup(0x7f91e9821208)
resetting lookup counter.
cloning server list
clone_server_list()
make_server(10.11.1.5)
make_server(8.8.8.8)
using root origin
recursive query
add_question()
starting to render the message
done rendering
create query 0x10d7fade8 linked to lookup 0x7f91e9821208
create query 0x10d800008 linked to lookup 0x7f91e9821208
do_lookup()
send_udp(0x10d7fade8)
bringup_timer()
have local timeout of 1
working on lookup 0x7f91e9821208, query 0x10d7fade8
sockcount=1
recving with lookup=0x7f91e9821208, query=0x10d7fade8, sock=0x10d801000
recvcount=1
sending a request
lock_lookup /Library/Caches/com.apple.xbs/Sources/bind9/bind9-45.101/bind9/bin/dig/dighost.c:2332
success
send_done()
sendcount=0
check_if_done()
list empty
unlock_lookup /Library/Caches/com.apple.xbs/Sources/bind9/bind9-45.101/bind9/bin/dig/dighost.c:2361
recv_done()
lock_lookup /Library/Caches/com.apple.xbs/Sources/bind9/bind9-45.101/bind9/bin/dig/dighost.c:3057
success
recvcount=0
lookup=0x7f91e9821208, query=0x10d7fade8
before parse starts
after parse
printmessage()
Server:		10.11.1.5
Address:	10.11.1.5#53

Non-authoritative answer:
printsection()
Name:	www.google.com
Address: 216.58.197.164
still pending.
cancel_lookup()
check_if_done()
list empty
clear_query(0x10d800008)
clear_query(0x10d7fade8)
sockcount=0
check_next_lookup(0x7f91e9821208)
try_clear_lookup(0x7f91e9821208)
destroy
freeing server 0x7f91e9804608 belonging to 0x7f91e9821208
freeing server 0x7f91e9822808 belonging to 0x7f91e9821208
start_lookup()
check_if_done()
list empty
shutting down
dighost_shutdown()
unlock_lookup /Library/Caches/com.apple.xbs/Sources/bind9/bind9-45.101/bind9/bin/dig/dighost.c:3534
>

dig

# look up by type
~ $dig gmail.com -t mx

; <<>> DiG 9.8.3-P1 <<>> gmail.com -t mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61679
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;gmail.com.			IN	MX

;; ANSWER SECTION:
gmail.com.		3599	IN	MX	5 gmail-smtp-in.l.google.com.
gmail.com.		3599	IN	MX	40 alt4.gmail-smtp-in.l.google.com.
gmail.com.		3599	IN	MX	30 alt3.gmail-smtp-in.l.google.com.
gmail.com.		3599	IN	MX	20 alt2.gmail-smtp-in.l.google.com.
gmail.com.		3599	IN	MX	10 alt1.gmail-smtp-in.l.google.com.

;; Query time: 23 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Mar 21 22:22:40 2016
;; MSG SIZE    rcvd: 150

其他工具

whois: 查詢 DNS 註冊資訊
tracert (windows)
tractroute (unix)
https://www.internet.nl: 測試 DNSSec, IPv6, HTTPS

清理 DNS Cache

## Chrome
chrome://net-internals/#dns

## macOS
sudo killall -HUP mDNSResponder && echo macOS DNS Cache Reset

## Windows
ipconfig /flushdns

DNS (Domain Name Service)

基本概念

名詞

DNS 屬性

DNS 限制

相關工具

nslookup

dig

其他工具

清理 DNS Cache

延伸閱讀 (站內)

參考資料

相關資料

Comments

About

著作

演講

Facebook

AWS Certifications