EuroPython 2014: For Lack of a Better Name(server): DNS Explained

Transcript

1. For Lack of a Better Name(server): DNS Explained Lynn Root

   | @roguelynn

2. $ whoami • Backend Engineer at Spotify • Founder/leader of

   the PyLadies of San Francisco • Board Member of the Python Software Foundation
3. None
4. None
5. None

6. tl;dr • What it is and why you care about

   DNS • What to do with it • Awesomeness I learned along the way

7. rogue.ly/dns

8. why DNS? • Visit productive websites like reddit.com • Receive

   critical emails from Groupon and Gilt • Deploy your One-of-a-Kind ToDo™ list application • Allow for your corporate meme generator to not be accessible by non-employees

9. The Phonebook

10. Domain Name System • Distributed storage system for Resource Records

    • Stores records in its cache or local zone file • Record: label, class, type, and data

11. >>> from scapy.all import *! >>>! >>> a=sniff(filter="udp and port

    53", count=10)! >>> a! <Sniffed: TCP:0 UDP:10 ICMP:0 Other:0>! >>>! >>> a.show()! 0000 Ether / IP / UDP / DNS Qry "www.google.com." ! 0001 Ether / IP / UDP / DNS Qry "reddit.com." ! 0002 Ether / IP / UDP / DNS Ans "74.125.239.144" ! 0003 Ether / IP / UDP / DNS Ans "96.17.109.11" ! 0004 Ether / IP / UDP / DNS Qry "roguelynn-spy.herokuapp.com." ! 0005 Ether / IP / UDP / DNS Ans "us-east-1-a.route.herokuapp.com." ! 0006 Ether / IP / UDP / DNS Qry "roguelynn.com." ! 0007 Ether / IP / UDP / DNS Ans "81.28.232.189" ! 0008 Ether / IP / UDP / DNS Qry "www.roguelynn.com." ! 0009 Ether / IP / UDP / DNS Ans "roguelynn.com."

12. example.com vs example.com.

13. ../static vs /Users/lynnroot/Dev/site/static

14. $ cat /etc/resolv.conf $ curl example.com DNS Query: example.com.example.net $

    curl example.com. DNS Query: example.com search example.net

15. # router's DNS! $ host 75.75.75.75! 75.75.75.75.in-addr.arpa domain name !

    pointer cdns01.comcast.net.

16. # router's DNS! $ whois 75.75.75.75! # snip! Comcast Cable

    Communications Holdings, Inc CCCH-3-34 (NET-75-64-0-0-1) 75.64.0.0 - 75.75.191.255! ! Comcast Cable Communications Holdings, Inc COMCAST-47 (NET-75-75-72-0-1) 75.75.72.0 - 75.75.79.255

17. $ dig +trace python.org! ; <<>> DiG 9.8.3-P1 <<>> +trace

    python.org! ;; global options: +cmd! .! ! ! 88784! IN! NS! i.root-servers.net.! .! ! ! 88784! IN! NS! h.root-servers.net.! .! ! ! 88784! IN! NS! j.root-servers.net.! .! ! ! 88784! IN! NS! e.root-servers.net.! .! ! ! 88784! IN! NS! g.root-servers.net.! ;; Received 496 bytes from 192.168.1.1#53(192.168.1.1) in 221 ms! ! org.!! ! 172800! IN! NS! b0.org.afilias-nst.org.! org.!! ! 172800! IN! NS! d0.org.afilias-nst.org.! org.!! ! 172800! IN! NS! b2.org.afilias-nst.org.! ;; Received 430 bytes from 202.12.27.33#53(202.12.27.33) in 469 ms! ! python.org.! ! 86400! IN! NS! ns1.p11.dynect.net.! python.org.! ! 86400! IN! NS! ns3.p11.dynect.net.! python.org.! ! 86400! IN! NS! ns2.p11.dynect.net.! python.org.! ! 86400! IN! NS! ns4.p11.dynect.net.! ;; Received 114 bytes from 199.19.53.1#53(199.19.53.1) in 141 ms! ! python.org.! ! 43200! IN! A! 140.211.10.69! python.org.! ! 86400! IN! NS! ns4.p11.dynect.net.! python.org.! ! 86400! IN! NS! ns2.p11.dynect.net.! python.org.! ! 86400! IN! NS! ns3.p11.dynect.net.! python.org.! ! 86400! IN! NS! ns1.p11.dynect.net.! ;; Received 130 bytes from 208.78.71.11#53(208.78.71.11) in 13 ms

18. local! DNS Try one of these:! i.root-servers.net j.root-servers.net h.root-servers.net root

    net com org python python python www blog hg

19. local! DNS Try one of these:! a.org.afilias-nst.org b.org.afilias-nst.org d.org.afilias-nst.org root

    net com org python python python www blog hg

20. local! DNS Try one of these:! ns1.p11.dynect.net ns2.p11.dynect.net ns3.py11.dynect.net root

    net com org python python python www blog hg

21. local! DNS I know!! It’s at 140.211.10.69 root net com

    org python python python www blog hg

22. local! DNS CNAME for! virt-7yvsjn.psf.osuosl.org. root net com org python

    python python www blog hg

23. $ dig +nocmd +noqr +nostats python.org -t ANY! ! ;;

    QUESTION SECTION:! ;python.org.! ! ! IN! ANY! ! ;; ANSWER SECTION:! python.org.! ! 36202! IN! A!140.211.10.69! python.org.! ! 25683! IN! NS! ns3.p11.dynect.net.! python.org.! ! 25683! IN! NS! ns4.p11.dynect.net.! python.org.! ! 25683! IN! NS! ns1.p11.dynect.net.! python.org.! ! 25683! IN! NS! ns2.p11.dynect.net.! ! ;; AUTHORITY SECTION:! python.org.! ! 25683! IN! NS! ns1.p11.dynect.net.! python.org.! ! 25683! IN! NS! ns2.p11.dynect.net.! python.org.! ! 25683! IN! NS! ns3.p11.dynect.net.! python.org.! ! 25683! IN! NS! ns4.p11.dynect.net.! ! ;; ADDITIONAL SECTION:! ns1.p11.dynect.net.!16710! IN! A!208.78.70.11! ns2.p11.dynect.net.!16710! IN! A!204.13.250.11! ns3.p11.dynect.net.!16710! IN! A!208.78.71.11! ns4.p11.dynect.net.!16710! IN! A!204.13.251.11!

24. $ dig +nocmd +noqr +nostats pyladies.com -t ANY! ! ;;

    QUESTION SECTION:! ;pyladies.com.!! ! IN! ANY! ! ;; ANSWER SECTION:! pyladies.com.! ! 130!IN! MX! 10 ASPMX.L.GOOGLE.com.! pyladies.com.! ! 130!IN! SOA!ns1qsy.name.com. ! ! ! support.name.com. 1 10800 3600 604800 300! pyladies.com.! ! 1!! IN! A!81.28.232.189! pyladies.com.! ! 130!IN! NS! ns2fkr.name.com.! pyladies.com.! ! 130!IN! NS! ns3jkl.name.com.! pyladies.com.! ! 130!IN! NS! ns4kpx.name.com.! pyladies.com.! ! 130!IN! NS! ns1qsy.name.com.! ! ;; AUTHORITY SECTION:! pyladies.com.! ! 130!IN! NS! ns3jkl.name.com.! pyladies.com.! ! 130!IN! NS! ns4kpx.name.com.! pyladies.com.! ! 130!IN! NS! ns1qsy.name.com.! pyladies.com.! ! 130!IN! NS! ns2fkr.name.com.

25. caching

26. Caching • Query: • Local Cache • “Closer” name server

    • Authoritative name server • Response now cached
27. None

28. Nerdy things I learned

29. Interesting ways to interact with DNS

30. dnsmap

31. $ dnsmap pyladies.com! dnsmap 0.30 - DNS Network Mapper by

    pagvac (gnucitizen.org)! ! [+] searching (sub)domains for pyladies.com using built-in wordlist! [+] using maximum random delay of 10 millisecond(s) between requests! ! dc.pyladies.com! IP address #1: 81.28.232.189! ! sf.pyladies.com! IP address #1: 81.28.232.189! ! tw.pyladies.com! IP address #1: 23.23.245.47! ! www.pyladies.com! IP address #1: 81.28.232.189

32. local cache

33. $ sudo killall -INFO mDNSResponder

34. $ tail -n 500 /var/log/system.log! ! SOA 60 spotify.net. SOA

    ns2.spotify.net. dns-! ! ! ! ! ! admin.spotify.com. 2014040507 60 25 3628800 900! AAAA 0 isa.spotify.net. AAAA! SOA 60 spotify.net. SOA ns2.spotify.net. dns-! ! ! ! admin.spotify.com. 2014040507 60 25 3628800 900! Addr 0 isa.spotify.net. Addr! SOA 60 spotify.net. SOA

35. ###[ Ethernet ]###! dst = 04:a1:51:90:af:d4! src = 14:10:9f:e1:54:9b! type

    = 0x800! ###[ IP ]###! ttl = 255! proto = udp! chksum = 0x12ee! src = 192.168.1.7! dst = 192.168.1.1! ###[ UDP ]###! sport = 54929! dport = domain! ###[ DNS ]###! id = 11102! opcode = QUERY! rcode = ok! qdcount = 1! ancount = 0! nscount = 0! arcount = 0! \qd \! |###[ DNS Question Record ]###! | qname = 'zr.spotify.net.'! | qtype = A! | qclass = IN!

36. Twisted DNS

37. from twisted.internet import reactor! from twisted.names import client, dns, server!

    ! def main():! """! Run the server.! """! factory = server.DNSServerFactory(! clients=[client.Resolver(resolv=‘/etc/resolv.conf')]! )! ! protocol = dns.DNSDatagramProtocol(controller=factory)! ! reactor.listenUDP(10053, protocol)! reactor.listenTCP(10053, factory)! ! reactor.run()! ! if __name__ == '__main__':! raise SystemExit(main())

38. ###[ Ethernet ]###! dst = 04:a1:51:90:af:d4! src = 14:10:9f:e1:54:9b! type

    = 0x800! ###[ IP ]###! ttl = 64! proto = udp! chksum = 0x4a0c! src = 192.168.1.7! dst = 192.168.1.1! \options \! ###[ UDP ]###! sport = 33408! dport = domain! ###[ DNS ]###! opcode = QUERY! rcode = ok! \qd \! |###[ DNS Question Record ]###! | qname = 'python.org.'! | qtype = A! | qclass = IN

39. ###[ Ethernet ]###! dst = 14:10:9f:e1:54:9b! src = 04:a1:51:90:af:d4! type

    = 0x800! ###[ IP ]###! ttl = 64! proto = udp! chksum = 0xb74c! src = 192.168.1.1! dst = 192.168.1.7! ###[ UDP ]###! sport = domain! dport = 54438! ###[ DNS ]###! qr = 1L! opcode = QUERY! \qd \! |###[ DNS Question Record ]###! | qname = 'python.org.'! | qtype = A! | qclass = IN! \an \! |###[ DNS Resource Record ]###! | rrname = 'python.org.'! | type = A! | rclass = IN! | ttl = 39777! | rdlen = 4! | rdata = '140.211.10.69'

40. dnsmap finding your local DNS cache running your own Python

    DNS Interact with DNS

41. Interesting ways to use DNS

42. Anycast

43. DANE

44. Service Discovery

45. $ dig +short ! _spotify-client._tcp.spotify.com SRV! ! 10 12 4070

    AP1.spotify.com.! 10 12 4070 AP2.spotify.com.! 10 12 4070 AP3.spotify.com.! 10 12 4070 AP4.spotify.com.

46. … search user storage playlist browse Web API Access Point

    Clients

47. DHT ring

48. key: bd Spotify Song ID: spotify:track:foobar some hash function

49. 14 B C D E F 3f 68 9e c1

    37 A key: bd Spotify Song ID: spotify:track:foobar some hash function

50. tracks.4301.lon-tracks-a1.lon.spotify.net 14 B C D E F 3f 68 9e

    c1 37 A

51. Anycast DANE Service Discovery DHT ring Use DNS

52. tl;dr: DNS is hard

53. rogue.ly/dns @roguelynn fin