Difference between revisions of "DNS Servers"
m |
m (→SRV record) |
||
(3 intermediate revisions by 2 users not shown) | |||
Line 14: | Line 14: | ||
DNSSEC was enabled on all domains and trust is expanded to all sub servers. This is currently broken. | DNSSEC was enabled on all domains and trust is expanded to all sub servers. This is currently broken. | ||
− | Secondary DNS is very important | + | Secondary DNS is very important and is provided by several DNS servers. This is very important as if the database is hard down in SEA, the primary DNS will be offline. With the secondary servers online DNS will continue to work, and NMS requires DNS for the allstarlink.org zone. |
= regsvcs.allstarlink.org = | = regsvcs.allstarlink.org = | ||
Line 32: | Line 32: | ||
'''register.allstarlink.org''' is a CNAME to '''register.regscvs.allstarlink.org''' under this. The node list servers are under this as well as '''node[1-4].allstarllink.org''' CNAME '''nodes.regsvcs.allstarlink.org | '''register.allstarlink.org''' is a CNAME to '''register.regscvs.allstarlink.org''' under this. The node list servers are under this as well as '''node[1-4].allstarllink.org''' CNAME '''nodes.regsvcs.allstarlink.org | ||
''' | ''' | ||
− | |||
− | |||
− | |||
= DNS node lookup = | = DNS node lookup = | ||
Line 45: | Line 42: | ||
_iax._srv.<nodenumber>.allstarlink.org. will return for a node as follows: | _iax._srv.<nodenumber>.allstarlink.org. will return for a node as follows: | ||
− | + | _iax._udp.50000.nodes.allstarlink.org. 30 IN SRV 10 10 4569 50000.nodes.allstarlink.org. | |
− | where 4569 is the IAX port and then it will do | + | where 4569 is the IAX port and then it will do an A lookup on 50000.nodes.allstarlink.org. for the IP. |
A remote base will be returned like: | A remote base will be returned like: | ||
− | _iax._udp.50000.nodes.allstarlink.org. 30 IN SRV 10 10 4569 50000.remotebase.nodes.allstarlink.org. | + | _iax._udp.50000.nodes.allstarlink.org. 30 IN SRV 10 10 4569 50000.remotebase.nodes.allstarlink.org. |
== A record == | == A record == |
Latest revision as of 01:23, 14 December 2020
ASL utilizes DNS servers based on powerdns with a mysql backend.
These DNS servers support the following:
- AllStarlink.org DNS authoritative
- registration server redundancy
- DNS lookup for nodes information
Authoritative DNS servers
The authoritative DNS server runs on caustic-sea.allstarlink.org with the backend in the distributed database.
DNSSEC was enabled on all domains and trust is expanded to all sub servers. This is currently broken.
Secondary DNS is very important and is provided by several DNS servers. This is very important as if the database is hard down in SEA, the primary DNS will be offline. With the secondary servers online DNS will continue to work, and NMS requires DNS for the allstarlink.org zone.
regsvcs.allstarlink.org
This Zone is served by the registration servers, and is pulled directly from the database. There is no secondary on these zones, just the primary DNS servers on the registration servers.
The redundancy of registration is handled by a TTL of 120 seconds on all the records. We've added another field in the 'records' table 'UnixSeconds' which is NULL by default, but updated by the heartbeat health check scripts on the servers. If the heartbeat script detects the DB or connectivity down at a site, it will shut down that server and stop updating the DNS UnixSeconds.
On the DNS server we have modified the default query for a lookup to:
gmysql-basic-query=SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 AND (UnixSeconds is NULL OR UnixSeconds > (UNIX_TIMESTAMP() - 120)) and type=? and name=?
This will only return a record if UnixSeconds is Null or has been updated in the last 120 seconds.
If the node loses connectivity, it will be timed out of DNS due to this in 120 seconds. This is a "dead-man switch" function which will enable losing any one node in the cluster.
register.allstarlink.org is a CNAME to register.regscvs.allstarlink.org under this. The node list servers are under this as well as node[1-4].allstarllink.org CNAME nodes.regsvcs.allstarlink.org
DNS node lookup
nodes.allstarlink.org is delegated to a DNS running on the db servers. The users_Nodes table has a trigger which is run and creates entries/edits them on the records table in the 'allstar' database. This populates a SRV, TXT and A record for every node in the system when it's updated. The trigger has been optimized and has little to no preformance impact on the registration process.
Note that servers not in nodes list can appear in DNS, there is no ageing out of entries in DNS. It's up to the server to know it's registered.
SRV record
_iax._srv.<nodenumber>.allstarlink.org. will return for a node as follows:
_iax._udp.50000.nodes.allstarlink.org. 30 IN SRV 10 10 4569 50000.nodes.allstarlink.org.
where 4569 is the IAX port and then it will do an A lookup on 50000.nodes.allstarlink.org. for the IP.
A remote base will be returned like:
_iax._udp.50000.nodes.allstarlink.org. 30 IN SRV 10 10 4569 50000.remotebase.nodes.allstarlink.org.
A record
<nodenumber>.nodes.allstarlink.org. and <nodenumber>.remotebase.nodes.allstarlink.org. will return the IP address of the IAX server or the proxy IP if defined.
TXT Record
The TXT record is used for debugging purposes with a query below:
TXT <nodenumber>.nodes.allstarlink.org.
This will return:
"NN=50000" "RT=2019-02-28 18:41:29" "RB=0" "IP=44.98.248.144" "PIP=" "PT=4569" "RH=register-fnt" NN is node number RT is the last update registration time RB is 0 for node is not a remote base, RB is 1 if it is a remote base IP is the IP address of the node PIP is the proxy IP of the node if set PT is the port RH is the registration server the node last registered to.
Miscellaneous
Until very recently some of the ASL powerdns servers were configured (as a joke) to return Microsoft DNS 6.1.7600 (1DB04228) for their version.
If you are a research organization, registrar, ISP, or other individual or entity looking for servers vulnerable to CVE-2020-1350 --
please stop contacting us about how you think our DNS servers may be vulnerable to this CVE. They are not.