DNS In General

DNS Server

All DNS servers fall into one of four categories:

  1. Recursive Resolvers
  2. Root Nameservers
  3. TLD Nameservers
  4. Authoritative Nameservers

A recursive resolver (also known as a DNS recursor) is almost always the first stop in a DNS query. The recursive resolver acts as a middleman between a client and a DNS nameserver.

https://www.cloudflare.com/learning/dns/dns-server-types/

cc @ https://www.cloudflare.com/learning/dns/dns-server-types/

DNS primarily uses UDP on port number 53 to serve requests. DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server. When the length of the answer exceeds 512 bytes and both client and server support EDNS, larger UDP packets are used. Otherwise, the query is sent again using the TCP. TCP is also used for tasks such as zone transfers. Some resolver implementations use TCP for all queries.

DNS Messages

The DNS protocol uses two types of DNS messages, queries and replies, and they both have the same format. Each message consists of,

Type Of Record

  1. A record - The record that holds the IP address of a domain.
  2. CNAME record - Forwards one domain or subdomain to another domain, does NOT provide an IP address.
  3. TXT record - Lets an admin store text notes in the record.
  4. NS record - Stores the name server for a DNS entry.
  5. SOA record - Stores admin information about a domain. The “start of authority” record can store important info about the domain such as the email address of the administrator, when the domain was last updated, and how long the server should wait between refreshes.
  6. SRV record - Specifies a port for specific services. Ex. [@_sip._tcp.example.com.] [SRV] [8080 example2.com] [TTL], _sip indicates the type of service, _tcp indicates the protocol, and 8080 indicates the port.
  7. PTR record - Provides a domain name in reverse-lookups, which return the domain associated with a given IP address.

Resource Record

Field Description Length (octets)
NAME Name of the node to which this record pertains. @ is a placeholder used to represent “the current domain” without any www or sub-domain name. Variable
TYPE Type of RR in numeric form (e.g., 15 for MX RRs) 2
CLASS Class code, basically IN 2
TTL Count of seconds that the RR stays valid (The maximum is 231−1, which is about 68 years) 4
RDLENGTH Length of RDATA field (specified in octets) 2
RDATA Additional RR-specific data Variable, as per RDLENGTH

Label

aaaaaa.bbbbbb.cccccc
--^--  --^--  --^--
label  label  label

A label may contain zero to 63 characters. The null label, of length zero, is reserved for the root zone.

DNS Setting In Linux (Ubuntu)

/etc/resolv.conf

Dnsmasq

Comes with the stock Ubuntu 16.04.

To find the dnsmasq config,

ps -ef | grep dnsmasq

#/usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.1.1 --cache-size=0 --conf-file=/dev/null --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d

To see NetworkManager managed DHCP and DNS info,

nmcli d show enp0
              ^
       *your major NIC*

Detailed info of dnsmasq,

man dnsmasq

Ways To Override DNS Conf

dhcp.conf

If use DHCP to get the dynamic IP.

#/etc/dhcp/dhcp.conf
supersede domain-name-servers 1.1.1.1,8.8.8.8,8.8.4.4;

resolv.conf

#/etc/resolv.conf
nameserver 1.1.1.1

dnsmasq.d

echo 'server=1.1.1.1' > /etc/NetworkManager/dnsmasq.d/use-cloudflare-dns
systemctl restart NetworkManager

Reverse lookup

For example, assuming the IPv4 address 208.80.152.2 is assigned to Wikimedia, it is represented as a DNS name in reverse order: 2.152.80.208.in-addr.arpa. When the DNS resolver gets a pointer (PTR) request, it begins by querying the root servers, which point to the servers of American Registry for Internet Numbers (ARIN) for the 208.in-addr.arpa zone. ARIN's servers delegate 152.80.208.in-addr.arpa to Wikimedia to which the resolver sends another query for 2.152.80.208.in-addr.arpa, which results in an authoritative response.

DDNS

Clients can notify their respective DNS server of the updated IP address they had received from a DHCP server or through self-configuration.

If we use a single, combined DNS+DHCP solution which can maintain the consistency between both tables by itself, there's no need to enable DDNS.

Else, we need to either,

  1. enable DDNS for clients notifying DNS server with the new IP address allocated by DHCP server, or,
  2. let DHCP server to notify DNS server the new assignments directly

DNS In Docker

For containers NOT using default bridge network, Dockerd will config DNS in the container as,

  1. There's an embedded DNS server handling all DNS queries from containers (also for inter-container name resolving)

  2. If no config flag, docker use filtered host's /etc/hosts and /etc/resolv.conf. Fliter will eliminate localhost unreachables, like nameserver 127.0.1.1. Since 127.0.0.0/8 of host can't be accessed within containers except for --network=host. If empty after filtered, 8.8.8.8 is added by default

  3. Both /etc/hosts and /etc/resolv.conf inside the container are managed by Dockerd. So, to change the config, use docker run --[flags] instead of editing the files inside the container or using mount.

  4. Flag --dns. The IP address of a DNS server.

    • For multiple DNS servers, use multiple flags
    • container:/etc/resolv.conf will always be 127.0.0.11 which will not be effected by this flag
    • Instead, input value of --dns is keeped and used by the embedded DNS server to forward the DNS query if embedded DNS server is unable to resolve a name resolution request from the containers
    • If you need access to the host's localhost resolver (like dnsmasq), modify DNS service on the host to listen on a non-localhost address which is reachable within the container. (^stackoverflow)
  5. Flag --dns-search. A DNS search domain to search non-fully-qualified hostnames

    • For multiple DNS search prefixes, use multiple flags
  6. Flag --hostname. The hostname a container uses for itself. Defaults to the container's ID if not specified

DNS In K8s

https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/

CoreDNS

https://coredns.io/manual/toc/

Be aware that CoreDNS does NOT have a native recursive resolver. ^

Service Discovery

DNS can be use for service discovery by,

  1. Using SRV records in DNS as database and,
  2. Service actively send DDNS request to DNS to update the SRV record.

However, DNS-SD also have cons:

Build Your Own Dns Server

Be aware if the DNS has looped dependencies.

Ref.

  1. https://docs.docker.com/v17.09/engine/userguide/networking/configure-dns/
  2. https://en.wikipedia.org/wiki/Domain_Name_System
  3. https://ns1.com/resources/dns-protocol
  4. https://linux.die.net/man/5/resolv.conf
  5. https://www.cloudflare.com/learning/dns/dns-server-types/
  6. https://tools.ietf.org/html/rfc1035
  7. https://en.wikipedia.org/wiki/Dynamic_DNS
  8. https://www.haproxy.com/blog/dns-service-discovery-haproxy/
  9. https://en.wikipedia.org/wiki/Multicast_DNS
  10. https://www.linux.com/tutorials/advanced-dnsmasq-tips-and-tricks/