Network Services: DHCP, DNS, and NTP for University Computer Science

Slides from University about Network Services. The PDF, suitable for university students in Computer Science, details network services like DHCP, DNS, and NTP, explaining DNS terminology and hierarchy through schematic tables.

68 Pages

Network Services
DOMAIN 1.0
MODULE 5

Network Services Topics

  • DHCP
  • DNS
  • NTP
  • Corporate and Datacenter Network Architecture
  • Cloud Concepts and Connectivity Options

Dynamic Host Configuration Protocol (DHCP)

  • An automated way to assign IP addresses to hosts on a network
  • Based on the earlier BOOTP protocol
  • Client issues a Layer 2 broadcast to request an IP address from any listening DHCP server
  • Server has a pre-configured pool of available IP addresses
  • Server "leases" an address for a limited time to the client
  • Communications are in clear text with no authentication
  • Server port = UDP 67
  • Client port = UDP 68

DHCP DORA Process

  • Layer 2 broadcast
  • Lease can be limited time or indefinite
  • Lease will include:
      • IP address
      • Subnet mask
  • Lease can include options:
      • Default gateway
      • DNS server(s)
      • DNS domain name
      • Other options

[Diagram: the DHCP client and the DHCP server exchange DISCOVER, OFFER, REQUEST and ACK.]

DHCP Scope Configuration

  • A DHCP scope is a set of configurations for a particular network segment
  • The scope is defined by its range of IP addresses and subnet mask
  • Contains the pool of addresses that can be leased to clients
  • After a scope is created, any of its settings can be modified except for the subnet mask

[Screenshot: New Scope Wizard, IP Address Range page. Start IP address: 192.168.0.10; end IP address: 192.168.0.100; length: 24; subnet mask: 255.255.255.0. The subnet mask defines how many bits of an IP address are used for the network/subnet IDs and how many for the host ID; it can be specified by length or as an IP address.]

Scope Options and Settings

  • Scope options are additional information for the clients:
      • Address of the default gateway
      • Domain name to be used (a favorite technique of ISPs)
      • Address of the WINS server (deprecated Microsoft LAN name resolution server)
      • NetBIOS node type (deprecated)
  • Scopes also have other configuration options such as lease time, reservations, and exclusions
  • A DHCP server will have one scope for each network segment/subnet it services

[Screenshot: DHCP console, server lon-dc01.lab1.int, IPv4, Scope [192.168.1.0] LAN, Scope Options. Options shown (vendor Standard, policy name None): 003 Router = 192.168.1.1; 006 DNS Servers = 192.168.1.150; 015 DNS Domain Name = lab1.int.]
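Because DHCP replies are unauthenticated clear text, a monitoring host can decode each OFFER and compare its server identifier (option 54) and DNS servers (option 6) with the sanctioned scope settings. The following is an added example, not part of the original slides: the function names, the leased address 192.168.1.60 and the constructed sample packet are assumptions, and the caller supplies the sets of sanctioned servers.

```python
import ipaddress

MAGIC = bytes([99, 130, 83, 99])  # cookie that opens the options field (RFC 2131)
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def ips(raw):
    """Decode packed IPv4 addresses; a bad length raises ValueError."""
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]

DECODE = {  # option code -> (field name, decoder); 3, 6 and 15 are the scope options
    3: ("routers", ips),
    6: ("dns", ips),
    15: ("domain", lambda v: v.decode("ascii", "replace")),
    53: ("type", lambda v: TYPES.get(v[0], "OTHER")),
    54: ("server", lambda v: ips(v)[0]),
}

def parse_dhcp(pkt):
    """Return leased address, client MAC and the decoded options of one message."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    msg = {"yiaddr": ips(pkt[16:20])[0], "mac": pkt[28:34].hex(":"), "dns": []}
    i = 240
    while i < len(pkt) and pkt[i] != 255:      # 255 = End
        if pkt[i] == 0:                        # 0 = Pad, has no length byte
            i += 1
            continue
        if i + 2 > len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        code, val = pkt[i], pkt[i + 2:i + 2 + pkt[i + 1]]
        if code in DECODE and val:
            msg[DECODE[code][0]] = DECODE[code][1](val)
        i += 2 + len(val)
    return msg

def audit_offer(msg, dhcp_servers, dns_servers):
    """List the ways an OFFER deviates from the sanctioned server and DNS settings."""
    out = [] if msg.get("server") in dhcp_servers else [f"DHCP server {msg.get('server')}"]
    return out + [f"DNS server {d}" for d in msg["dns"] if d not in dns_servers]

def sample_offer(server, dns):
    """Constructed OFFER for testing (addresses are assumptions, not captured traffic)."""
    pack = lambda a: ipaddress.IPv4Address(a).packed
    opt = lambda code, val: bytes([code, len(val)]) + val
    hdr = bytearray([2, 1, 6]) + bytearray(233)   # BOOTREPLY, Ethernet, 6-byte MAC
    hdr[16:20], hdr[28:34] = pack("192.168.1.60"), bytes.fromhex("000c29e7617f")
    opts = (opt(53, b"\x02") + opt(54, pack(server)) + opt(3, pack("192.168.1.1"))
            + opt(6, pack(dns)) + opt(15, b"lab1.int"))
    return bytes(hdr) + MAGIC + opts + b"\xff"
```

An empty list from `audit_offer` means the offer matches the sanctioned settings; each entry names a DHCP or DNS server that is not on the allow-list.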

DHCP Lease Time Management

  • The length of time (in days or hours) that a client may use the IP address
  • The client is responsible for enforcing the lease and attempting to renew the lease before the lease time is up
  • If a client does not renew its lease, the DHCP server marks the address as potentially unused
  • Eventually the IP address is returned to the pool for another client to use

[Screenshot: Scope [192.168.0.0] Subnet01Scope Properties, General tab. Scope name: Subnet01Scope; start IP address: 192.168.0.55; end IP address: 192.168.0.90; subnet mask: 255.255.255.0 (length 24); lease duration for DHCP clients: limited to a number of days, hours and minutes, or unlimited; description: The first scope for first subnet.]

Exclusion Ranges in DHCP

  • IP addresses in a subnet range that are set aside for static configuration
  • Ensures that these addresses are not accidentally leased out to clients
  • Exclusions often include the first 10, 20, or even more IP addresses in a subnet
  • Excluded addresses are statically assigned to the router, switches, servers, printers, and clients that cannot use DHCP

[Screenshot: DHCP console, server Server2012.test.com, IPv4, Scope [192.168.0.0] Sale Managers, Address Pool. Address range for distribution: 192.168.0.50 to 192.168.0.200. Add Exclusion dialog: start IP address 192.168.0.100, end IP address 192.168.0.120; to exclude a single address, type an address in Start IP address only.]

MAC Reservations in DHCP

  • An IP address that is assigned to a specific MAC address
  • If a client has that MAC address, the server leases it that particular IP address
  • When the host broadcasts a discover message, the DHCP server checks to see if its MAC address matches any of the reservations
  • This ensures that the same MAC always gets the same IP address
  • Useful if you need to ensure that servers always have the same IP address, but that other DHCP configuration options might be updated

[Screenshot: New Reservation dialog. Reservation name: work.printer; IP address: 192.168.100.77; MAC address: 00:0c:29:e7:61:7f; description: printer; supported types: Both, DHCP, BOOTP.]

DHCP Renewal Process

  • When 50% of the lease time has expired, the client attempts to contact the DHCP server to request a renewal
  • If the server does not respond, the client tries again at 87.5% of the lease time
  • If the server still does not respond, the client issues a DHCP DISCOVER broadcast in hopes of finding any DHCP server that will respond
  • When the lease expires, the client either self-assigns an APIPA address or sets its address to 0.0.0.0

DHCP Relay Agent/IP Helper

  • A hardware device or software program that can pass DHCP or BOOTP messages between DHCP clients and servers
      • Cisco IP helpers use UDP to carry the DHCP messages
  • Necessary if the DHCP server is on a different subnet from its clients
      • Routers do not pass broadcasts
  • RFC 1542-compliant routers can be configured as DHCP relay agents

[Diagram: DHCP relay example with the labels 192.168.10.100, 192.168.10.101, FF-FF-FF-FF-FF-FF, 192.168.10.1 and 10.4.3.1.]

Domain Name System (DNS)

  • Maps IP addresses to "friendly" host names
  • Exists for human convenience
  • Uses a hierarchical naming scheme
      • Places all organizations in that hierarchy (namespace)
  • Allows IP addresses to change
  • DNS servers exist at different levels of the namespace
      • Database management is distributed
      • Organizations can manage their own records
  • Uses UDP and TCP port 53
      • UDP for queries
      • TCP for zone transfers (replication) between servers

DNS Records and Security

  • Transmissions are in clear text
  • Records are stored as plain text files on DNS servers
  • Types of records: A, AAAA, CNAME, MX, PTR, NS, SOA, SRV, TXT, and others
  • DNSSEC: accompanying digital signature used to verify authenticity of a record

DNS Terminology

DNS Namespace and Zones

Term: Description

  • DNS namespace: The entire DNS tree structure, from root to the last subdomain
  • Zone: A specific portion of the DNS namespace that is managed by a specific organization or administrator. Can be comprised of a single node, or related parent and child nodes
  • Zone file: A plain text file that contains all records for that zone. A part of the DNS database
  • Zone transfer: Replication of a zone file from one DNS server to another
  • Start of Authority (SOA): The original DNS server that was used to create the zone. Record TTL and zone transfer intervals are defined on this server

DNS Server Types

Term: Description

  • Authoritative DNS server: Any DNS server with a copy of the zone file
  • Master (primary) DNS server: A DNS server with a writable copy of the zone file
  • Slave (secondary) DNS server: A DNS server with a read-only copy of the zone file
  • Caching DNS server: A DNS server that performs lookups for clients. It does not have a copy of the zone, and thus must query other DNS servers. It caches a copy of the record for the record's time to live

DNS Hierarchy Elements

  • The DNS hierarchy is comprised of the following elements:
      • Root Level, Top Level Domains, Second Level Domains, Sub-domain, and Hosts
  • The DNS root zone is the highest level in the DNS hierarchy tree
      • It answers the requests for records in the root zone
      • Provides a list of authoritative name servers for the appropriate TLD (top-level domain)
      • They are the first step in resolving a domain name
  • The next level in the DNS hierarchy is Top Level Domains (there are many)
      • They follow an organizational hierarchy and a geographic hierarchy

DNS Hierarchy Levels

  • The next level in the DNS hierarchy is the Second Level Domains
      • This includes the main part of the domain name
  • The sub-domain is the next level in the DNS hierarchy
      • The sub-domain can be defined as the domain that is a part of the main domain
      • The only domain that is not also a sub-domain is the root domain

DNS Hierarchy Example

[Diagram: DNS hierarchy example.
  • Root ".": pointers to TLD NS servers
  • Top Level Domains: .org, .edu, .uk, .com, .net
  • Domains: ituonline, google, comptia
      • A 50.57.255.51 www.ituonline.com
      • MX 192.168.45.67 mail.ituonline.com
  • Sub-domains: europe and americas under comptia
      • Delegation: "I'm delegating you to manage europe.comptia.org database"
      • americas.comptia.org records are in the parent comptia.org database]

DNS Resolution Process

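[Diagram: resolving www.company.com.
  • DNS Client to Local DNS Server: "I need the IP address for www.company.com."
  • Local DNS Server to DNS Client: "Please hold while I retrieve the information for you."
  • Local DNS Server to Root (".") DNS Server: "www.company.com?"
  • Root (".") DNS Server: "Ask the .com server - here's its address."
  • Local DNS Server to .com DNS Server: "www.company.com?"
  • .com DNS Server: "Ask the company.com server - here's its address."
  • Local DNS Server to company.com DNS Server: "www.company.com?"
  • company.com DNS Server: "Yes I have it. Here it is."
  • company.com records: 192.168.1.52 mail.company.com, 192.168.1.68 www.company.com]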

DNS Resolution Continuation

[Diagram, continued from the previous slide: the same Root ("."), .com, company.com and Local DNS servers and the DNS client. The record is handed back with "Here you go." and acknowledged with "Thanks." company.com records: 192.168.1.52 mail.company.com, 192.168.1.68 www.company.com.]

Forward vs. Reverse DNS Lookup

  • Forward lookup = you know the name but you need the IP
  • Reverse lookup = you know the IP but you need the name
      • Commonly used as a security mechanism to verify host authenticity
  • Nslookup is a useful command line tool to query a DNS server
      • It uses reverse lookups
      • You won't be able to use it to query a DNS server that does not have a reverse lookup zone configured
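A reverse lookup only helps verify a host when the name it returns is resolved forward again and maps back to the same address (forward-confirmed reverse DNS), because whoever runs the reverse zone for an address can publish any name in its PTR record. The following is an added example, not part of the original slides: the function names are hypothetical, the forward records are the ones from the resolution diagram, and the PTR records and the address 192.168.1.99 are constructed.

```python
import ipaddress
import socket

def system_ptr(ip):
    """Reverse lookup through the OS resolver: names the PTR data gives for ip."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:                      # herror/gaierror: no PTR or resolver failure
        return []
    return [name, *aliases]

def system_addrs(name):
    """Forward lookup through the OS resolver: addresses the name resolves to."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def same_ip(a, b):
    """Compare two address strings numerically; unparsable input never matches."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:                   # e.g. a scoped IPv6 literal
        return False

def verify_host(ip, domain, ptr=system_ptr, addrs=system_addrs):
    """Return the confirmed host name, or None if reverse and forward data disagree."""
    for name in ptr(ip):
        host = name.rstrip(".").lower()
        in_domain = host == domain or host.endswith("." + domain)
        if in_domain and any(same_ip(ip, a) for a in addrs(host)):
            return host
    return None

# Constructed records: forward data as in the diagram, PTR data is an assumption.
FORWARD = {"www.company.com": ["192.168.1.68"], "mail.company.com": ["192.168.1.52"]}
REVERSE = {"192.168.1.68": ["www.company.com."],
           "192.168.1.99": ["mail.company.com."]}   # PTR claims a name it does not own

def check(ip):
    """Run verify_host against the constructed tables instead of live DNS."""
    return verify_host(ip, "company.com", lambda i: REVERSE.get(i, []),
                       lambda n: FORWARD.get(n, []))
```

Called without the `ptr` and `addrs` arguments, `verify_host` uses the operating system's resolver instead of the constructed tables.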
