Speaker Russell Coker
Time 2009-05-04 19:00
Conference LUV

hierarchical system

Only need A and NS records. MX is not needed.

SOA record also required. Not an optional type.

PTR records? Under dispute - optional or not optional depending on what RFC you refer to. Without it ISPs will block email. Certain major ISPs will do so. PTR records required because they are the right thing to do.

RFC1035 defines how DNS system works. Obsoletes some of the older standards. Covers everything.

Many thousands of DNS root servers. Only 13 IPv4 and 6 IPv6 addresses defined. Designed so list of all root servers will fit in one DNS UDP packet. Anycast is used.

Use TCP instead of UDP by default, make harder to forge responses, but increase resources required. Normally UDP is used by default, and if response won’t fit it UDP packet TCP is used instead. TCP used for zone transfers.

dnstrace - trace DNS queries to source.

Some people believe zone transfers should be restricted. I consider this as security by obscurity, so anybody can obtain any information on the zone. Zone shouldn’t contain private data.

Testing DNS data.

  • dig
  • dlint - download and compare zones.
  • dnswalk
  • nslookup - available everywhere; regarded as obsolete. Only program on windows.
  • host
  • fpdns - guess what software server runs.
  • dns_browse/dns_tree - dns_browse package - X based GUI program supplied - doesn’t work for me.
  • ldnsutils - primary used for dnssec.

DNS for other applications:

  • dec - hesoid - DNS for authentication data.
  • phone number to IP address mapping in VOIP.
  • address book data in DNS.
  • spam status database.
  • IP over DNS.


  • Xelerance developed a tool to configure dnssec.
  • Getting dnssec-configure working in Debian is tricky.
  • .gov domain uses key type not supported in Debian Lenny.
  • No dnssec on .au domain.

tunnels over DNS:

  • iodine: tunnel IP over DNS.
  • dns2tcp - more effecient - TCP only.
  • some OS can’t cope with entries that time out immediately and will still cache then. As such hotels/airports/etc can’t give fake answers because these computers will continue using fake DNS entries after user pays for service. Microsoft only drops entries when DNS server is changed.