gryffyn.io

A DNS Primer

Sat, 08 Oct 2022 00:00:00 +0000

Intro

It’s not DNS
There’s no way it’s DNS
It was DNS

SSBroski — Reddit

DNS is complicated. This series of blogposts will hopefully help untangle the Knot, and get you out of your BIND. This series begins with a short primer on DNS records and server types, and then will cover setting up an authoritative DNS server with PowerDNS, setting up a web frontend using PowerDNS-Admin, anycast mirroring, and DNSSEC.

DNS Records

www.example.com.      3600 IN A   10.20.30.40

This is an example of a DNS entry, known as an RRset (Resource Record set) in BIND-compatible format.

The first field, www.example.com., is the name or locator for the DNS entry. This example indicates that this line is to be returned when the server is queried for the domain name www.example.com. The trailing dot is due to the fact that domain names are treated as labels separated by dots. The last trailing dot indicates that this is a fully qualified domain name, and not relative to any origin or other name. This field can contain relative names, such as www, if an origin is set above it in the zonefile – such as $ORIGIN example.com..

The second field, 3600, is the TTL (Time To Live) interval of the record. It indicates how long the domain should be cached for before it is recursively resolved again.

The third field, IN, means Internet, as opposed to other networks in use at the time DNS was created. Some servers use this field for extra data – both coredns and PowerDNS use CH (Chaosnet) records for version information. But likely you’ll never see a record that’s not IN, or at the very least won’t have to fiddle with them.

The fourth field, A, is the type of query. There are a large number of query types in use in modern DNS servers, but the most common are A – an IPv4 address, AAAA – an IPv6 address, TXT – a text record, CNAME – a redirect to another domain, MX – defines mail server lookups, and NS – defines the nameservers used for the domain. Another query type, SOA, is not typically written by hand but created and updated by the DNS server. The SOA record, or Start of Authority, contains information about the zone itself. Examples of these query types can be found in the next section.

The final field is the record data, also called Rdata. The Rdata type and length depends on the record type, but is typically limited to 255 bytes.

SOA Record Format

The SOA record is composed of 7 fields. The first field contains the primary nameserver for the zone, terminated with a dot. The second field contains the contact email address, formatted with a dot instead of an at (@) sign.

The serial field, the third field in the SOA record, contains the serial number for the zone. There are multiple ways the serial can be formatted, including a UNIX timestamp of the latest change, or initially set to 1 and incrememnted by 1 on each change, however the format recommended by RFC 1912 is YYYYMMDDNN where NN indicates the revision number. This starts at 01 and is incremented on each change to the zone by the primary nameserver. For zone transfers to occur, the serial number should be formatted correct and be the same on both the primary nameserver and the secondary nameserver(s). When the primary nameserver is updated, it is larger than the secondary nameserver’s serial number, and when the secondary nameserver checks the SOA record on the primary afer the refresh timeout, it sees the serial has increased and initiates a zone transfer to update the zone on the secondary.

The next few fields set times for certain actions taken by the secondary nameserver(s). These times are typically in seconds, however newer versions of BIND and other DNS servers support using suffixes (such as s, m, d) to set times. The REFRESH time indicates in seconds how often the secondary namserver(s) query the SOA of the primary nameserver to check for changes. The RETRY field sets how long after an unsuccessful SOA query the secondary nameserver(s) may query the primary again. The EXPIRE field sets how long the secondaries should serve the zone after an unsuccessful query to the primary.

The MINIMUM field is a bit more confusing. This field, along with the SOA TTL value, determine the negative caching TTL for the zone. The authoritative nameserver uses the smaller of the two fields to determine the zone negative caching TTL. This field had historic uses which are no longer applicable.

BIND-compatible zonefiles

Zonefiles are a common standard for representing entire DNS zones as plaintext.

Below is an example zonefile for the domain example.com.

$ORIGIN example.com.

; the @ sign at the start of a record indicates the root of the zone.
@        3600 IN SOA  ns1.example.com. hostmaster.example.com. (
                      2022100901 ; serial
                      43200      ; refresh (12 hours)
                      7200       ; retry (2 hours)
                      1209600    ; expire (2 weeks)
                      300        ; minimum (1 hour)
                      )

; This zone defines its own nameserver A records.
; If using hosted DNS, these are unnecessary.
ns1      3600 IN A    10.20.30.40
ns2      3600 IN A    11.21.31.41

; Every zone is required to have NS records
; pointing to the authoritative DNS namservers
; for the zone.
@        3600 IN NS   ns1.example.com.
@        3600 IN NS   ns2.example.com.

; Example A records. Starting a record with an
; unqualified domain name (such as the www below)
; are relative to the $ORIGIN.
; So www would become www.example.com.
www      3600 IN A    20.30.40.50
mail     3600 IN A    20.30.40.50

; MX records have two parts to the data --
; the first field indicates the priority for the server,
; and the second field is the address of the mail server.
@        3600 IN MX   10 mail.example.com.

; TXT record data should be contained in double quotes.
@        3600 IN TXT  "v=spf1 mx include:example.com ~all"

; Example AAAA (IPv6) record
@        3600 IN AAAA 2001:db8:dead:beef::1

Resolver Types

(in no particular order)

Stub

Stub resolvers are fairly simple. They are often found running on home routers, sometimes filtering out some requests and serving records for them, and then forwarding the rest of the traffic to a recursive resolver. These resolvers do not actual resolution of their own, past minor static hostname configuration or perhaps mDNS support. Instead they relay DNS lookups to another server or servers.

Recursive

Recursive resolvers walk the DNS tree to resolve queries. As an example, let’s say we’ve queried the IP address of the domain www.example.com. A recursive resolver will start with the 13 DNS root nameservers – a.root-servers.net through m.root-servers.net – and look up the domain in reverse order of the labels. It will query one of those 13 root nameservers for the authoritative resolver for com. It then queries that nameserver (or one of them) for the domain example.com. That domain’s authoritative nameserver(s) are then queried for the A record at www.example.com. The resolver then returns that IP address. Typically, recursive resolvers maintain caches to minimize the number of queries they must do on frequently-resolved domains. Resolvers also may negatively cache domains, where if a queried domain does not exist (returns NXDOMAIN), the resolver caches the NXDOMAIN result.

Recursive resolvers do not serve any records themselves, but instead query records from authoritative servers.

Below is a recursive query for the domain www.example.com. DNSSEC is disabled because it clogs up the view and I haven’t explained it yet.

$ dig +trace +nodnssec www.example.com.

; <<>> DiG 9.18.5 <<>> +trace +nodnssec www.example.com
;; global options: +cmd
.			82209	IN	NS	k.root-servers.net.
.			82209	IN	NS	a.root-servers.net.
.			82209	IN	NS	f.root-servers.net.
.			82209	IN	NS	b.root-servers.net.
.			82209	IN	NS	e.root-servers.net.
.			82209	IN	NS	m.root-servers.net.
.			82209	IN	NS	d.root-servers.net.
.			82209	IN	NS	g.root-servers.net.
.			82209	IN	NS	l.root-servers.net.
.			82209	IN	NS	j.root-servers.net.
.			82209	IN	NS	i.root-servers.net.
.			82209	IN	NS	h.root-servers.net.
.			82209	IN	NS	c.root-servers.net.
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.
com.			172800	IN	NS	a.gtld-servers.net.
com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
;; Received 871 bytes from 192.33.4.12#53(c.root-servers.net) in 16 ms

example.com.		172800	IN	NS	a.iana-servers.net.
example.com.		172800	IN	NS	b.iana-servers.net.
;; Received 92 bytes from 192.48.79.30#53(j.gtld-servers.net) in 34 ms

www.example.com.	86400	IN	A	93.184.216.34
example.com.		86400	IN	NS	a.iana-servers.net.
example.com.		86400	IN	NS	b.iana-servers.net.
;; Received 108 bytes from 199.43.133.53#53(b.iana-servers.net) in 20 ms

As explained previously, dig starts with the root nameservers, and works down the address www.example.com. until it finds the authoritative resolver for that fully-qualified domain name, and returns the result.

Authoritative

Authoritative resolvers, the type we’ll be setting up today, serve authoritative records for the domains they are configured to serve. They do not recurse queries, and will typically answer REFUSED if queried for any domain outside of the set of domains it serves.

Below is an example of querying the A record for example.com directly from one of the authoritative nameservers that host that record.

$ dig +nodnssec @a.iana-servers.net. example.com.

; <<>> DiG 9.18.7 <<>> +nodnssec @a.iana-servers.net. example.com.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50695
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com.			IN	A

;; ANSWER SECTION:
example.com.		86400	IN	A	93.184.216.34

;; Query time: 16 msec
;; SERVER: 199.43.135.53#53(a.iana-servers.net.) (UDP)
;; WHEN: Sun Oct 09 01:48:06 EDT 2022
;; MSG SIZE  rcvd: 56

To All the Little Tools I've Written

Mon, 14 Mar 2022 15:46:02 +0100

I have half a million little projects I’ve started (in nearly as many languages), written a bit of code for, and then promptly forgotten about. Rather than focus on the projects I haven’t done, I decided to take a bit of a look at the ones I have done. I was inspired to write this based on this blog post by Carl M. Johnson that I saw on lobste.rs.

A lot of these (nearly all in fact) I wrote as a small script to do a task on a group of files. I could have written some of these in Bash, all of them in Python, but Go compiles so quickly it’s basically usable as a scripting language. I have many other small scripts in Bash, Go, and Python, but nearly all of them were written for a very specific purpose. For this post I’ve only selected the tools that can be used by others fairly easily.

One of these, strangelove, I wrote for a larger project (my dissertation), but the rest of them were written for my own personal use. I just prettied them up a bit and switched the repos to public, in the hopes that if they benefited me they may benefit someone else.

strangelove

Description // strangelove is a bit of a WIP tool for inserting binary data into binary files, writing in-place at a specified offset.
Origin // I wanted to make a tool that would scan a binary, find the largest continguous block of zero-value bytes, print those offsets, and then also have the ability to insert data at that (maybe automatically selected?) offset or a user-specified one.
Status // WIP, this is one I’ll definitely keep working on.
Usage // It’s a bit niche, but I wrote it for a larger project I’m working on, and I use it there frequently.
Satisfaction // I completed the most important part of the program, which is the manual insertion of binary data. The hard stuff, I still haven’t done. Overall, fairly satisfied.

osiris

Description // osiris renames video files based on a provided regex/named capture group specification.
Origin // I had a whole lot of very unorganized files floating around which I needed to get into the same naming format.
Status // Complete-ish
Usage // Pretty frequent.
Satisfaction // I’m pretty happy with this. I know it’s a bit annoying to have to remember how the regex works, but I adore regex, and I haven’t found this tool hard to remember.

cbr2cbz

Description // cbr2cbz converts RAR-compressed comic book archives into ZIP-compressed comic book archives. If it detects a file is already a ZIP but named as if it were a RAR (a surprisingly common occurence), it can simply rename it instead of un- and re-compressing the file.
Origin // I had a lot of CBR files, and converting them to CBZ by hand was not very appealing. CBR files are not that widely supported due to RAR being a proprietary format.
Status // Complete
Usage // Not too frequent, but when I need it it’s nice to have.
Satisfaction // I’m quite happy with this tool. It does everything I need from it.

pdf2cbz

Description // pdf2cbz converts a PDF to a ZIP-compressed comic book archive (CBZ). It can crop the PDF pages before archiving them in the CBZ, drastically reducing file size on PDFs with a lot of blank space.
Origin // As is apparently the case with every tool I have, I had a few PDFs I wanted in CBZ format, and doing it by hand was really not appealing.
Status // WIP. JPEG export works, PNG export is a litle broken. See the README for details.
Usage // Not very frequently, but it’s a very nice tool to have.
Satisfaction // I would be happier with this if I figured out the PNG issue. I haven’t had much time to work on it, and JPEG is usually the correct choice anyways, so it may be a while before it’s completed.

exren

Description // exren takes in a format string and a file with EXIF data, and renames the file using the EXIF tags present in the image metadata and the format string
Origin // One day we’ll find a tool I haven’t made because I had a bunch of files of the wrong name/format and I didn’t want to convert them manually. But today is not that day.
Status // Complete-ish
Usage // I used this extensively to reformat my photo library, then I got busy and stopped taking pictures nearly as often, so unfortunately I haven’t used this tool in a while.
Satisfaction // I would like this tool if I found a better way to specify the EXIF tags. Right now it relies on a hardcoded list of tags, which isn’t ideal as far as format support goes. It currently works on Nikon RAW, JPEG, and PNG files, as that’s all I’ve tested it on.

Launch Week

Tue, 01 Feb 2022 02:28:56 +0000

I’ll be the first to admit, I’m not exactly skilled at keeping a regular blog. Or a regular journal. Or a regular anything, really.

However, I’ve just overhauled this site’s code (which was much needed), and I’ll at least try to post things.

Wish me luck, I guess.

Quotes

Thu, 24 Dec 2020 00:00:00 +0000

Disavowal, says the silence.

Maggie Nelson — Bluets

But I am not interested in longing to live in a world in which I already live.

Maggie Nelson — Bluets

I think my art getting better has made my art much worse.

AC Stuart — Twitter

Born free but still, they hate
Born me, no I can’t change

Tim McIlrath — Make It Stop (September's Children)

If life transcends death, then I will seek for you there. If not, then there too.

James S.A. Corey — Caliban's War

Once is never. Twice is always.

James S.A. Corey — Cibola Burn

Against all evidence, I keep thinking the assholes are outliers.

James S.A. Corey — Babylon's Ashes

No, let us not conquer the heavens. It is enough to have the power to do so. War engenders war, and victory defeat. God, conquered, will become Satan; Satan, conquering, will become God. May the fates spare me this terrible lot!‎

Anatole France — The Revolt of the Angels

I believe that life is a game, that life is a cruel joke, and that life is what happens when you’re alive and that you might as well lie back and enjoy it.

Neil Gaiman — American Gods

There’s none so blind as those who will not listen.

Neil Gaiman — American Gods

ᴛᴀᴋᴇ ᴛʜᴇ ᴜɴɪᴠᴇʀsᴇ ᴀɴᴅ ɢʀɪɴᴅ ɪᴛ ᴅᴏᴡɴ ᴛᴏ ᴛʜᴇ ꜰɪɴᴇsᴛ ᴘᴏᴡᴅᴇʀ ᴀɴᴅ sɪᴇᴠᴇ ɪᴛ ᴛʜʀᴏᴜɢʜ ᴛʜᴇ ꜰɪɴᴇsᴛ sɪᴇᴠᴇ ᴀɴᴅ ᴛʜᴇɴ sʜᴏᴡ ᴍᴇ ᴏɴᴇ ᴀᴛᴏᴍ ᴏꜰ ᴊᴜsᴛɪᴄᴇ, ᴏɴᴇ ᴍᴏʟᴇᴄᴜʟᴇ ᴏꜰ ᴍᴇʀᴄʏ. ᴀɴᴅ ʏᴇᴛ — Death waved a hand. ᴀɴᴅ ʏᴇᴛ ʏᴏᴜ ᴀᴄᴛ ᴀs ɪꜰ ᴛʜᴇʀᴇ ɪs sᴏᴍᴇ ɪᴅᴇᴀʟ ᴏʀᴅᴇʀ ɪɴ ᴛʜᴇ ᴡᴏʀʟᴅ, ᴀs ɪꜰ ᴛʜᴇʀᴇ ɪs sᴏᴍᴇ…sᴏᴍᴇ ʀɪɢʜᴛɴᴇss ɪɴ ᴛʜᴇ ᴜɴɪᴠᴇʀsᴇ ʙʏ ᴡʜɪᴄʜ ɪᴛ ᴍᴀʏ ʙᴇ ᴊᴜᴅɢᴇᴅ.
Yes, but people have got to believe that, or what’s the point—
ᴍʏ ᴘᴏɪɴᴛ ᴇxᴀᴄᴛʟʏ.

Terry Pratchett — Hogfather

All dwarfs have beards and wear up to twelve layers of clothing. Gender is more or less optional.

Terry Pratchett — Guards, Guards!

It is perfectly true, as philosophers say, that life must be understood backwards. But they forget the other proposition, that it must be lived forwards.

Søren Kierkegaard — Journalen JJ:167

“Hear, hear!” I said. “‘Less than perfect.’ What I’ve been aiming for all my life.”

Robert A. Heinlein — The Moon is a Harsh Mistress

About

Mon, 01 Jan 0001 00:00:00 +0000

i do terrible things to computers and sometimes i undo them

dict2229 Privacy Policy

Mon, 01 Jan 0001 00:00:00 +0000

Collection of Personal Information

The app does not collect, transmit, share, or sell any information, personal or otherwise.