Difference between revisions of "DNS Servers"

From "PTTLink Wiki"
Jump to navigation Jump to search
(Created page with "Category: Infrastructure ASL utilizes DNS servers based on powerdns with a mysql backend. These DNS servers support the following: * AllStarlink.org DNS authoritative...")
 
 
(7 intermediate revisions by 2 users not shown)
Line 10: Line 10:
 
= Authoritative DNS servers =   
 
= Authoritative DNS servers =   
  
The authoritative DNS servers run on karl-tpa.allstarlink.org and smithers-fnt.allstarlink.org with the backend in the distributed database. These servers may be administered via 'pdnsutil' on the cli or via the gui at http://karl-tpa.allstarlink.org:9191 or http://smithers-fnt.allstarlink.org:9191  over the VPN or via the bastion hosts. 
+
The authoritative DNS server runs on caustic-sea.allstarlink.org with the backend in the distributed database.
  
DNSSEC is enabled on all domains and trust is expanded to all sub servers.
+
DNSSEC was enabled on all domains and trust is expanded to all sub servers.  This is currently broken.
  
Secondary DNS is very important as provided by ns[1-4].keekles.org and ns6.gandi.net.  This is very important as if the database is hard down in FNT and TPA, the primary DNS will be offline.  With the secondary servers online DNS will continue to work, and NMS requires DNS for the allstarlink.org zone.
+
Secondary DNS is very important and is provided by several DNS servers.  This is very important as if the database is hard down in SEA, the primary DNS will be offline.  With the secondary servers online DNS will continue to work, and NMS requires DNS for the allstarlink.org zone.
  
 
= regsvcs.allstarlink.org =  
 
= regsvcs.allstarlink.org =  
  
This Zone is served by the registration servers, and is pulled directly from the database.  There is no secondary on these zones, just the three primary servers on the registration servers.
+
This Zone is served by the registration servers, and is pulled directly from the database.  There is no secondary on these zones, just the primary DNS servers on the registration servers.
  
 
The redundancy of registration is handled by a TTL of 120 seconds on all the records.  We've added another field in the 'records' table 'UnixSeconds' which is NULL by default, but updated by the heartbeat health check scripts on the servers.  If the heartbeat script detects the DB or connectivity down at a site, it will shut down that server and stop updating the DNS UnixSeconds.   
 
The redundancy of registration is handled by a TTL of 120 seconds on all the records.  We've added another field in the 'records' table 'UnixSeconds' which is NULL by default, but updated by the heartbeat health check scripts on the servers.  If the heartbeat script detects the DB or connectivity down at a site, it will shut down that server and stop updating the DNS UnixSeconds.   
Line 24: Line 24:
 
On the DNS server we have modified the default query for a lookup to:  
 
On the DNS server we have modified the default query for a lookup to:  
  
  gmysql-basic-query=SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 AND (UnixSeconds is NULL OR UnixSeconds > (UNIX_TIMESTAMP() - 120)) and type=? and name=?
+
gmysql-basic-query=SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 AND (UnixSeconds is NULL OR UnixSeconds > (UNIX_TIMESTAMP() - 120)) and type=? and name=?
  
 
This will only return a record if UnixSeconds is Null or has been updated in the last 120 seconds.   
 
This will only return a record if UnixSeconds is Null or has been updated in the last 120 seconds.   
Line 30: Line 30:
 
If the node loses connectivity, it will be timed out of DNS due to this in 120 seconds.  This is a "dead-man switch" function which will enable losing any one node in the cluster.
 
If the node loses connectivity, it will be timed out of DNS due to this in 120 seconds.  This is a "dead-man switch" function which will enable losing any one node in the cluster.
  
register.allstarlink.org is a CNAME to register.regscvs.allstarlink.org under this.  The node list servers are under this as well as node[1-4].allstarllink.org  CNAME nodes.regsvcs.allstarlink.org
+
'''register.allstarlink.org''' is a CNAME to '''register.regscvs.allstarlink.org''' under this.  The node list servers are under this as well as '''node[1-4].allstarllink.org''' CNAME '''nodes.regsvcs.allstarlink.org
 
+
'''
== recovery of a down server ==
 
 
 
Need to fill this out, right now it's a manual verification, db edit and reset.
 
  
 
= DNS node lookup =  
 
= DNS node lookup =  
Line 45: Line 42:
 
_iax._srv.<nodenumber>.allstarlink.org. will return for a node as follows:
 
_iax._srv.<nodenumber>.allstarlink.org. will return for a node as follows:
  
  _iax._udp.50000.nodes.allstarlink.org. 30 IN SRV 10 10 4569 50000.nodes.allstarlink.org.
+
_iax._udp.50000.nodes.allstarlink.org. 30 IN SRV 10 10 4569 50000.nodes.allstarlink.org.
  
where 4569 is the IAX port and then it will do a A lookup on 50000.nodes.allstarlink.org. for the IP.
+
where 4569 is the IAX port and then it will do an A lookup on 50000.nodes.allstarlink.org. for the IP.
  
 
A remote base will be returned like:
 
A remote base will be returned like:
  
_iax._udp.50000.nodes.allstarlink.org. 30 IN SRV 10 10 4569 50000.remotebase.nodes.allstarlink.org.
+
_iax._udp.50000.nodes.allstarlink.org. 30 IN SRV 10 10 4569 50000.remotebase.nodes.allstarlink.org.
  
 
== A record ==
 
== A record ==
Line 72: Line 69:
 
  PT is the port
 
  PT is the port
 
  RH is the registration server the node last registered to.
 
  RH is the registration server the node last registered to.
 +
 +
== Miscellaneous ==
 +
 +
Until very recently some of the ASL powerdns servers were configured (as a joke) to return '''Microsoft DNS 6.1.7600 (1DB04228)''' for their version.
 +
 +
If you are a research organization, registrar, ISP, or other individual or entity looking for servers vulnerable to CVE-2020-1350 --
 +
 +
'''''please stop contacting us about how you think our DNS servers may be vulnerable to this CVE.'''''  They are not.

Latest revision as of 01:23, 14 December 2020


ASL utilizes DNS servers based on powerdns with a mysql backend.

These DNS servers support the following:

  • AllStarlink.org DNS authoritative
  • registration server redundancy
  • DNS lookup for nodes information

Authoritative DNS servers

The authoritative DNS server runs on caustic-sea.allstarlink.org with the backend in the distributed database.

DNSSEC was enabled on all domains and trust is expanded to all sub servers. This is currently broken.

Secondary DNS is very important and is provided by several DNS servers. This is very important as if the database is hard down in SEA, the primary DNS will be offline. With the secondary servers online DNS will continue to work, and NMS requires DNS for the allstarlink.org zone.

regsvcs.allstarlink.org

This Zone is served by the registration servers, and is pulled directly from the database. There is no secondary on these zones, just the primary DNS servers on the registration servers.

The redundancy of registration is handled by a TTL of 120 seconds on all the records. We've added another field in the 'records' table 'UnixSeconds' which is NULL by default, but updated by the heartbeat health check scripts on the servers. If the heartbeat script detects the DB or connectivity down at a site, it will shut down that server and stop updating the DNS UnixSeconds.

On the DNS server we have modified the default query for a lookup to:

gmysql-basic-query=SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 AND (UnixSeconds is NULL OR UnixSeconds > (UNIX_TIMESTAMP() - 120)) and type=? and name=?

This will only return a record if UnixSeconds is Null or has been updated in the last 120 seconds.

If the node loses connectivity, it will be timed out of DNS due to this in 120 seconds. This is a "dead-man switch" function which will enable losing any one node in the cluster.

register.allstarlink.org is a CNAME to register.regscvs.allstarlink.org under this. The node list servers are under this as well as node[1-4].allstarllink.org CNAME nodes.regsvcs.allstarlink.org

DNS node lookup

nodes.allstarlink.org is delegated to a DNS running on the db servers. The users_Nodes table has a trigger which is run and creates entries/edits them on the records table in the 'allstar' database. This populates a SRV, TXT and A record for every node in the system when it's updated. The trigger has been optimized and has little to no preformance impact on the registration process.

Note that servers not in nodes list can appear in DNS, there is no ageing out of entries in DNS. It's up to the server to know it's registered.

SRV record

_iax._srv.<nodenumber>.allstarlink.org. will return for a node as follows:

_iax._udp.50000.nodes.allstarlink.org. 30 IN SRV 10 10 4569 50000.nodes.allstarlink.org.

where 4569 is the IAX port and then it will do an A lookup on 50000.nodes.allstarlink.org. for the IP.

A remote base will be returned like:

_iax._udp.50000.nodes.allstarlink.org. 30 IN SRV 10 10 4569 50000.remotebase.nodes.allstarlink.org.

A record

<nodenumber>.nodes.allstarlink.org. and <nodenumber>.remotebase.nodes.allstarlink.org. will return the IP address of the IAX server or the proxy IP if defined.

TXT Record

The TXT record is used for debugging purposes with a query below:

TXT <nodenumber>.nodes.allstarlink.org.

This will return:

"NN=50000" "RT=2019-02-28 18:41:29" "RB=0" "IP=44.98.248.144" "PIP=" "PT=4569" "RH=register-fnt"
NN is node number
RT is the last update registration time
RB is 0 for node is not a remote base, RB is 1 if it is a remote base
IP is the IP address of the node
PIP is the proxy IP of the node if set
PT is the port
RH is the registration server the node last registered to.

Miscellaneous

Until very recently some of the ASL powerdns servers were configured (as a joke) to return Microsoft DNS 6.1.7600 (1DB04228) for their version.

If you are a research organization, registrar, ISP, or other individual or entity looking for servers vulnerable to CVE-2020-1350 --

please stop contacting us about how you think our DNS servers may be vulnerable to this CVE. They are not.