4.3 Explain the role of DHCP and DNS within the network

Remember that a computer understands addresses in numeric format (like 8.8.8.8) and a human understands text (like google.com).  We use the DNS (Domain Name Service) to convert the human-readable address into a computer-readable address.

When I try to visit google.com, my computer calls up the nearest DNS and asks it to provide information about google.com.  google.com is known as a domain name.  A DNS will contain a set of records about each domain name, which are provided by the owner.  What kind of information can it provide?

  • A or AAAA.  The A (Address Mapping) record tells us the IPv4 address of the server that is hosting the website.  The AAAA record tells us the IPv6 address.

  • TXT (SPF, DKIM).  The TXT (Text) record holds free-form text.  Two common uses of TXT records are:
    • SPF or Sender Policy Framework.  Think of an e-mail like a letter.  It has a “to” address and a “from” address.  I could send a fake letter with a fake “from” address because nobody can verify that the “from” address is correct.  An e-mail is the same.  A spammer could spoof the “from” address and make it look like somebody legitimate sent the e-mail.  How can we stop this?

      The sender must use an e-mail server to send the e-mail.  This server has a unique IP address.  If the legitimate sender has control over his domain name and server, he can create a TXT entry called the SPF record and put the IP address of his e-mail server in there.

      When a recipient receives a message, he looks up the SPF record belonging to the sender’s domain and checks the IP address it lists.  If it matches the IP address of the server that actually sent the message, then he knows that the e-mail is legitimate.
    • DKIM or DomainKeys Identified Mail is another way to identify an e-mail’s legitimate sender.  A user of DKIM creates a key pair via public key cryptography.  It’s essentially a signature that can’t be forged – it has two parts, a private key that only the sender knows, and a public key that recipients can use to verify his identity.  The legitimate sender publishes the public key in a DKIM TXT record.  He uses the private key to digitally sign every e-mail he sends.  When a recipient receives an e-mail, he verifies that the signature matches the public key in the record.

  • SRV.  The SRV (Service) record tells us the location of servers that provide specific services.  The server location includes an IP address or domain name and a port number.  The domain name in an SRV record must itself have an A record or else the server won’t be located.

  • MX.  The MX (Mail Exchanger) record tells us the IP address or domain name of the mail server that receives e-mail on behalf of the domain.  If my e-mail is hazim@hsmservices.ca and I host my own e-mail, then the record may point to my own server.  If my e-mail is hosted by Gmail, my MX record may point to gmail.com. 

    When you send an e-mail, your e-mail program (or SMTP server) will query the MX records for each recipient’s address so that it knows where to send the message.

    The domain name in an MX record must have its own A record, or else the mail server won’t be located.

  • CNAME or Canonical Name.  A CNAME record points one domain name to another (an alias).  The name it points to must itself have an A record.

    For example, foo.example.com can point to bar.example.com.  bar.example.com must have an A record or else it won’t be located.

    When a computer receives a CNAME reply, it must then look for the corresponding A record.

  • NS or Name Server.  The NS record tells us which DNS server is authoritative for the domain.  The owner of a domain name maintains DNS records for his name on an authoritative name server.  The authoritative name server has the most accurate records.

    Since the internet is distributed, DNS servers operated by other users might copy the records from the authoritative name server and respond to queries.  When you access a website, your computer won’t necessarily query the authoritative name server for that site.  It may query a local nameserver operated by your organization or ISP.

  • PTR or Pointer Record.  A Pointer is like a CNAME in that its answer is a name, but the computer does not look further for an A record.

    For example, the PTR record for the name 4.3.2.1.in-addr.arpa returns the domain name that owns the IP address 1.2.3.4.  This is the reverse lookup described further below.
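An added example (not from the original notes) of the SPF check described above: a small Python evaluator that reads a constructed SPF TXT record and decides whether a sending server’s IP address is one the domain owner authorized.  The zone data, domains and addresses are made up for the demonstration, and only the ip4, ip6 and all mechanisms are handled (no include or mx).

```python
import ipaddress

# Constructed TXT records standing in for real DNS lookups (not real domains' records).
TXT_RECORDS = {
    "example.com": ["v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"],
    "nospf.example": ["some unrelated text"],
}

def lookup_spf(domain):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    for txt in TXT_RECORDS.get(domain, []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None

def check_spf(sender_ip, mail_from_domain):
    """Evaluate the connecting server's IP against the MAIL FROM domain's SPF record.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record published)."""
    record = lookup_spf(mail_from_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:          # skip the leading v=spf1
        qual = "+"                            # an unqualified mechanism means pass
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        if term == "all":                     # catch-all: usually -all (fail) or ~all
            return qualifiers[qual]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if ip.version == net.version and ip in net:
                return qualifiers[qual]       # the sending server is listed
    return "neutral"                          # record ended without an all mechanism
```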

A name can have multiple entries of the same record type for load balancing, and we can give each entry a different priority (MX records, for example, carry a priority value).  For example, we might have multiple servers that handle our e-mail or website hosting.

An internal DNS is one that is operated by an organization for use on its internal network.  A network might have devices that are accessible internally such as servers, switches, and printers.  Each device is assigned a unique hostname on the network.  The internal DNS server provides users with DNS records corresponding to these internal devices.  A user may need to access both internal devices and external hosts.  Therefore, the user may need to program his computer to query both an internal DNS server and an external DNS server.  The external DNS provides information about hosts that are available to the public (on the internet).  It is possible for an internal DNS to also be an external DNS.

An organization may choose to host its DNS with a third party.  Examples of third-party DNS include Amazon (AWS) Route 53 and CloudFlare.  A third-party DNS is scalable and can answer queries from many users at the same time.  In addition, a third-party DNS is centrally located so that updates to the DNS propagate across the internet quickly.

The hierarchy of a DNS starts at the authoritative server, which is maintained by the owner of the domain name.  Below the authoritative server are servers operated by national internet service providers.  They aggregate DNS records from the different authoritative servers.  Below them are servers operated by local ISPs.  Below them are servers operated by organizations for local networks.

When we query a DNS server, we might start at the local level.  If the local server doesn’t have an answer, we check at the next level.  If it doesn’t have an answer, we continue working our way to the top until we reach the authoritative server.

A Reverse DNS lookup is when we have an IP address and want to know which domain name it belongs to.  An IP address may belong to multiple domain names.  The PTR record is used for the Reverse DNS lookup.

We can obtain the domain name corresponding to an IP address by querying a name under the in-addr.arpa domain.  If we want to know the domain name for the IP address 1.2.3.4, we would query the name:

4.3.2.1.in-addr.arpa

Notice that we wrote the octets of the IP address in reverse order and prepended them to the in-addr.arpa domain name.
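An added example, not part of the original notes, that walks through the record lookups described above over a constructed zone: chasing a CNAME to its A record, ordering MX entries by priority, an SRV target that has no A record and so cannot be located, a CNAME loop guard, and the in-addr.arpa name built for a reverse lookup.  All names and addresses are made up.

```python
# Constructed zone data for the walkthrough (not real DNS records).
ZONE = {
    ("foo.example.com", "CNAME"): ["bar.example.com"],
    ("bar.example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): [(20, "mx2.example.com"), (10, "mx1.example.com")],
    ("mx1.example.com", "A"): ["192.0.2.25"],
    ("mx2.example.com", "A"): ["192.0.2.26"],
    # SRV target with no A record: the service cannot be located
    ("_sip._tcp.example.com", "SRV"): [(0, 5, 5060, "sip.example.com")],
    ("4.3.2.1.in-addr.arpa", "PTR"): ["host.example.com"],
    # a misconfigured CNAME loop, to show why a resolver needs a depth guard
    ("loop1.example.com", "CNAME"): ["loop2.example.com"],
    ("loop2.example.com", "CNAME"): ["loop1.example.com"],
}

def resolve_a(name, depth=0):
    """Return IPv4 addresses for a name, following CNAMEs until an A record is found."""
    if depth > 8:
        raise RuntimeError("CNAME chain too long (loop?)")
    if (name, "A") in ZONE:
        return list(ZONE[(name, "A")])
    if (name, "CNAME") in ZONE:
        # a CNAME answer means we must now look up the target's A record
        return resolve_a(ZONE[(name, "CNAME")][0], depth + 1)
    return []   # no A record: the host cannot be located

def mail_servers(domain):
    """Return (priority, host, addresses) per MX entry, lowest (preferred) priority first."""
    return [(prio, host, resolve_a(host))
            for prio, host in sorted(ZONE.get((domain, "MX"), []))]

def srv_targets(service):
    """Return (priority, port, host, addresses) per SRV entry; empty addresses mean unreachable."""
    return [(prio, port, host, resolve_a(host))
            for prio, weight, port, host in ZONE.get((service, "SRV"), [])]

def reverse_name(ip):
    """Build the in-addr.arpa name queried for a reverse (PTR) lookup of an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def reverse_lookup(ip):
    """PTR lookup: the answer is a name, and it is not chased to an A record."""
    return list(ZONE.get((reverse_name(ip), "PTR"), []))
```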

Each DNS record has a TTL or Time To Live.  This is a number that tells the non-authoritative DNS servers the length of time (in seconds) until a record expires.  For example, if a TTL is 3600, then the DNS record expires after one hour.  If my local DNS server obtains authoritative DNS records from google.com’s DNS, and the TTL is one hour, then it should check again for updated records after one hour.

If we make the TTL long, then any changes will take a long time to propagate across the entire internet.  If we make the TTL short, then changes will propagate quickly, but our DNS server will receive more queries. 

I covered DHCP earlier but let’s look at a few more details.  Remember that when a computer joins a network, and doesn’t have a static IP address, it gets one through DHCP.

If I want a specific device to obtain the same IP address each time, I create a MAC Reservation.  I must know the device’s MAC address.  If I don’t know the MAC address, I can check my switch or DHCP server.  I program my DHCP server with the device’s MAC address and the corresponding IP address.  When the device joins the network and requests a DHCP address, the server checks if its MAC address is on the list.  If so, it offers it the corresponding IP address.

A pool is a group of IP addresses that can be assigned to devices requesting addresses over DHCP.  An administrator should make the range wide enough to accommodate all the devices that would request addresses, taking the lease time into consideration.  An IP Exclusion is a list of IP addresses that should not be assigned via DHCP.

The Lease Time is the length of time that an IP address is assigned to a device.  A common lease time is seven days.  Once the lease time expires, the device must obtain a new IP address.  Once a DHCP address is assigned, the server reserves that address for the entire length of the lease time, even if the device disconnects from the network.  If the device rejoins the network during the lease time, it will be assigned the same address.  A device can give up its DHCP address during the lease time by sending the server a Release message, but in practice devices rarely do so. 

When we have a network with many guests (such as a guest Wi-Fi), we should make the lease time short.  Otherwise, we will have many thousands of leased IP addresses for devices that are no longer connected.  Think about the Wi-Fi at an airport.  You might connect for a few hours and then get on your plane.  If the lease time was seven days, the airport’s network would continue to reserve your IP address for seven days, which would be six days and 22 hours longer than necessary.
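An added example (not the original author’s) of the DHCP behaviour described above: a toy allocator with a pool, an exclusion list, MAC reservations, a lease time and a Release.  Time is passed in as a number of seconds so that lease expiry, and the guest-network problem of addresses staying reserved after devices leave, can be simulated.  All addresses and MACs are constructed.

```python
import ipaddress

class DhcpServer:
    """Toy DHCP allocator: pool, exclusions, MAC reservations, lease time, release.
    `now` is supplied by the caller in seconds so lease expiry can be simulated."""

    def __init__(self, pool_start, pool_end, exclusions=(), reservations=None,
                 lease_time=7 * 86400):      # seven days, the common lease time
        first = int(ipaddress.IPv4Address(pool_start))
        last = int(ipaddress.IPv4Address(pool_end))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.exclusions = set(exclusions)               # never handed out
        self.reservations = dict(reservations or {})    # MAC -> fixed IP
        self.lease_time = lease_time
        self.leases = {}                                # MAC -> (ip, expires_at)

    def _in_use(self, now):
        """Addresses still reserved by unexpired leases, even if the device has left."""
        return {ip for ip, expires in self.leases.values() if expires > now}

    def request(self, mac, now):
        """Handle a client's address request; return the offered IP, or None if exhausted."""
        if mac in self.reservations:
            ip = self.reservations[mac]                 # MAC reservation wins
        elif mac in self.leases and self.leases[mac][1] > now:
            ip = self.leases[mac][0]                    # rejoined during lease: same address
        else:
            busy = self._in_use(now) | self.exclusions | set(self.reservations.values())
            free = [ip for ip in self.pool if ip not in busy]
            if not free:
                return None                             # pool exhausted: no offer
            ip = free[0]
        self.leases[mac] = (ip, now + self.lease_time)  # (re)start the lease
        return ip

    def release(self, mac):
        """DHCP Release: the client gives its address back before the lease expires."""
        self.leases.pop(mac, None)

    def active_leases(self, now):
        """Addresses still tied up by leases; grows large on a guest network with long leases."""
        return len(self._in_use(now))
```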

The DHCP Scope Options provide additional settings such as the default gateway and DNS servers.  When a client device receives a DHCP address, the DHCP server also tells it about the default gateway and DNS servers on the network.

The DHCP server is usually part of the router or is somewhere on the local network (subnet).  When a client joins the network and requests an address via DHCP, its request will not travel past the router.  Remember that a DHCP message is a broadcast message and that routers do not forward broadcast messages. 

What if I have a large distributed network with multiple routers but I only have one central DHCP server?  I use a tool called a DHCP Relay.  The DHCP Relay lives in the router.  It listens for DHCP messages and forwards them to an external DHCP server.  It also receives DHCP reply messages from the external server and forwards them to requesting devices on the internal network.  On a Cisco router, this is known as an IP Helper Address.

We can configure the IP Helper address on a Cisco router by entering the applicable interface’s configuration and typing ip helper-address <IP address>.