Name resolution, service discovery
Name resolution
hosts file
DNS
Authoritative and non-authoritative; iteration and recursion
Duplication and minimizing load
Resource record; zones
A
NS, SOA, and delegation
CNAME
TXT
MX
AAAA
HINFO
PTR
DNSSEC records
Zone transfers
NXDOMAIN (negative responses, negative caching)
Domain name transfers
"Public DNS"
The first few are also known as
- 'simple-to-remember things to ping to test connectivity without name resolution'
- 'easy for helpdesk to read out over the phone if they suspect DNS issues'
- 4.2.2.2 (Level 3), also 4.2.2.1 and 4.2.2.3
- 8.8.8.8 (Google), also 8.8.4.4
- 1.1.1.1 (Cloudflare), also 1.0.0.1
Note that plain DNS to these is unauthenticated UDP/TCP on port 53: anyone on the path can read or alter the answers, and the operator sees your full query stream. That is the motivation for the encrypted transports below.
UltraDNS
OpenDNS
"Private DNS"
DNS over HTTPS, DNS over TLS, DNSCrypt
DNS over HTTPS (DoH) is RFC 8484 (a Proposed Standard). It carries unmodified DNS wire-format messages (media type application/dns-message) inside HTTPS requests, with HTTP/2 as the recommended transport, either as a POST body or base64url-encoded in a GET parameter.
It started out, and is still most visible, as a browser feature (Firefox, Chrome), which means the browser's lookups can bypass whatever resolver the OS is configured with.
OS-level support has since appeared in places (Windows 11 has DoH settings, for example); where it hasn't, a lightweight local proxy or stub resolver that speaks DoH upstream is the usual way to get it system-wide.
Oblivious DNS over HTTPS (ODoH, RFC 9230) is a flavour that adds a relay between client and resolver, so that the resolver does not see the client's address and the relay does not see the query.
https://en.wikipedia.org/wiki/DNS_over_HTTPS#Oblivious_DNS-over-HTTPS
DNS over TLS (DoT) is the more established standard (RFC 7858): the same DNS messages over a TLS connection, by convention on TCP port 853. It is also used between resolvers and authoritative servers in some setups.
Android (as "Private DNS", since Android 9) and iOS contain support; Android's default ("Automatic") uses it opportunistically when the configured resolver offers it, iOS needs a configuration profile or app (verify). Windows, Linux and OSX can also be made to use it with varying amounts of effort (systemd-resolved has a DNSOverTLS= setting, for instance).
Either way, note what these do and do not protect: the hop to the resolver is encrypted and, with a validated certificate, authenticated, but the resolver still sees the query in the clear, and neither replaces DNSSEC for verifying the answer itself. DoT's dedicated port is easy for a network to spot and block, while DoH blends into other HTTPS traffic, which is why it is both liked for censorship resistance and disliked by people doing network monitoring.
https://en.wikipedia.org/wiki/DNS_over_TLS
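As an added example (not part of the original page, and not any resolver's own code), here is the "DNS messages as they are, over HTTPS" point in Python: build an RFC 1035 wire-format query, wrap it in the RFC 8484 GET and POST forms, and parse the answer section of a response. The endpoint URL is a placeholder assumption, the response that gets parsed is constructed inline rather than captured from a server, and only the POST helper needs a network. The GET URL produced for www.example.com reproduces the encoding RFC 8484 itself shows for that query.

```python
import base64
import socket
import struct
import urllib.request

# Assumption: placeholder name; replace with your resolver's real DoH endpoint.
DOH_URL = "https://doh.example/dns-query"

QTYPE = {"A": 1, "TXT": 16, "AAAA": 28}


def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str = "A") -> bytes:
    """RFC 1035 query: ID 0 (RFC 8484 recommends it so GET URLs cache well), RD set, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def doh_get_url(base_url: str, wire: bytes) -> str:
    """RFC 8484 GET form: the message goes base64url-encoded, without padding, in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (base_url, b64)


def doh_post(base_url: str, wire: bytes, timeout: float = 5.0) -> bytes:
    """RFC 8484 POST form. Needs a network, so the offline demo below does not call it."""
    req = urllib.request.Request(
        base_url, data=wire, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        if resp.headers.get("Content-Type") != "application/dns-message":
            raise ValueError("unexpected content type from resolver")
        return resp.read()


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; returns (name, offset just past it in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                              # guard against pointer loops in hostile responses
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_answers(msg: bytes):
    """Return (rcode, [(name, type, ttl, value), ...]) from the answer section of a response."""
    _ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    offset = 12
    for _ in range(qdcount):                           # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28 and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return flags & 0x0F, answers


def constructed_response() -> bytes:
    """Constructed sample response (not a capture): example.com A 192.0.2.1 (TEST-NET-1), TTL 300."""
    question = build_query("example.com")[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set; one answer
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    wire = build_query("www.example.com")
    print(doh_get_url(DOH_URL, wire))
    print(parse_answers(constructed_response()))
```

The response parser is the part worth getting right: a resolver you do not control can send compression pointers that loop, so the hop counter is not optional, and the Content-Type check in doh_post is what stops an intercepting proxy's HTML error page from being parsed as a DNS message.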
Unsorted
Internet TLDs
infrastructure top-level domain
- .arpa
Originally meant as a transition from ARPANET host naming to DNS (later backronymed to "Address and Routing Parameter Area", RFC 3172).
Has stuck around because it was used to implement reverse DNS lookup (in-addr.arpa for IPv4, ip6.arpa for IPv6), and has found similar infrastructure uses since (e164.arpa for ENUM telephone-number mapping, for instance).
testing top-level domains (tTLD)
- .test
- .example
- .invalid
- .localhost
...all reserved (RFC 2606, reaffirmed in RFC 6761) so that they will never be delegated in the DNS root zone. .invalid is guaranteed never to resolve, which makes it the right choice for placeholder names that must not accidentally hit a real domain; .test is for test setups and .example for documentation.
country code top-level domains (ccTLD)
Strongly correlated with ISO 3166-1 alpha-2 codes; see also Language codes, country codes
- ...though a few ISO codes are unused as TLDs
- ...and a few TLDs are not in that list, e.g. .uk (ISO has GB), .eu, .ac (arguably GeoTLDs instead)
There were quickly between 200 and 300 of these in use.
generic top-level domains (gTLD)
The original set of top level domains (RFC 920, 1984, with the first delegations in 1985(verify)) was roughly
- .com - intended for commercial things, but not effectively restricted
- .net - originally for network infrastructure, since unrestricted
- .edu - US education (mostly)
- .gov - US government (mostly)
- .mil - US military (mostly)
- .int - organisations established by international treaty (added in 1988)
- .org - was meant as 'doesn't fit into the above' organisations, now unrestricted and still has some correlation to less-commercial organisations
and the ccTLDs followed from 1985 on(verify)
All of these became managed by ICANN once it existed(verify)
ICANN (founded 1998) has introduced
- 2000: .aero, .biz, .coop, .info, .museum, .name, .pro
- 2004: .asia, .cat, .jobs, .mobi, .tel, .travel (.post and .xxx came from the same round but were delegated years later)
...so up to then there were about two dozen gTLDs (alongside the ccTLDs, the infrastructure TLD and the reserved testing names(verify))
- in 2008 ICANN approved the New gTLD Program; applications opened in 2012 and the first delegations came in 2013. This is basically the start of hundreds of extra TLDs, some of which can be categorized as below
Geographic gTLD (GeoTLD)
"....invoking an association with a geographical, geopolitical, ethnic, linguistic or cultural community"
Initially (2007?(verify)) only
- .cat (Catalan language and culture)
- .asia
- .eu (European Union)
There have since been thousands of proposals (2000+ in 2012), things like:
- .london
- .paris
- .berlin
- .nyc
- .amsterdam
- .wien (Vienna)
- .toronto (Toronto)
- .αθήνα (Athens)
- .bcn (Barcelona)
- .lat (Latin America)
- .saarland
- .kiwi (New Zealand)
- .quebec
- .corsica
- .africa
- .scot (Scotland, Scots community)
- .cym (Wales, Cymru)
- .cymru (Wales, Cymru)
- .wales (Wales)
- .vlaanderen (Flanders)
- .bzh (Breton community)
- .eus (Basque language)
- .gal (Galician language)
- .上海 (Shanghai)
...which seem to be examined and approved on an ongoing basis(verify).
Apparently 50 of them are current?(verify)
https://en.wikipedia.org/wiki/GeoTLD
restricted generic top-level domains (grTLD)
Domains you can only get after you prove eligibility.
This includes
- .name - personal name
- .pro - certified professionals
sponsored top-level domains (sTLD)
Sponsored by specific organizations, restricted by said agencies.
Older ones considered sponsored:
- .edu - US education (mostly)
- .gov - US government (mostly)
- .mil - US military (mostly)
- .int -
Newer ones include:
- .aero
- .asia
- .cat
- .coop
- .jobs
- .museum
- .post
- .tel
- .travel
- .xxx
https://en.wikipedia.org/wiki/Sponsored_top-level_domain
Internationalized country code top-level domains (IDN ccTLD)
Internationalized domain names (IDN) allow non-ASCII labels. The DNS itself still carries ASCII: each such label is turned into an ASCII label of the form xn--<punycode> by IDNA (see also punycode), and applications are expected to convert in both directions.
This is mostly used for ccTLDs in the relevant language's own script,
and there are currently around 50 in use.
One consequence for security is that a label can look like another one while being a different string (a Cyrillic а in place of a Latin a, for instance), the so-called homograph attack; browsers mitigate this by displaying the xn-- form for labels that mix scripts.
https://en.wikipedia.org/wiki/Internationalized_country_code_top-level_domain
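As an added example (not from the original page), the IDNA conversion and the mixed-script check that browsers do, in Python using only the standard library's idna codec (which implements IDNA2003; IDNA2008 needs the third-party idna package, which is not used here). The homograph name below is constructed: a Cyrillic а (U+0430) followed by Latin "pple". The script detection is a deliberately simple heuristic that keys off Unicode character names, which is enough to catch that case but is not the full Unicode Security Mechanisms (UTS #39) treatment.

```python
import unicodedata


def to_ascii(name: str) -> str:
    """IDNA ToASCII via Python's built-in 'idna' codec: non-ASCII labels become xn--<punycode>."""
    return name.encode("idna").decode("ascii")


def to_unicode(name: str) -> str:
    """Decode any xn-- labels back to Unicode; plain ASCII labels and already-Unicode labels pass through."""
    return name.encode("idna").decode("idna")


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one label, read off the Unicode character names (LATIN, CYRILLIC, CJK...).

    Digits and hyphens are not letters and are ignored, since they are legitimately script-neutral.
    """
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def mixed_script_labels(name: str) -> list:
    """Labels that mix scripts, the classic homograph pattern (one Cyrillic letter inside a Latin word).

    Accepts either form of the name; returns [(label, sorted list of scripts), ...].
    """
    flagged = []
    for label in to_unicode(name).split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            flagged.append((label, sorted(scripts)))
    return flagged


if __name__ == "__main__":
    # Constructed inputs: a German name, the Cyrillic-а lookalike of "apple", and its xn-- form.
    for n in ("münchen.example", "\u0430pple.com", "xn--pple-43d.com"):
        print(n, "->", to_ascii(n), "| mixed-script labels:", mixed_script_labels(n))
```

Anywhere a hostname is shown to a human or compared against an allowlist, run it through to_ascii() first and compare the xn-- form; comparing the Unicode form invites exactly the lookalike confusion the check is meant to catch.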
See also
- http://www.dns.net/dnsrd/rfc/ ("DNS related RFCs")
NSS
Originally, account and host information came from /etc/passwd, /etc/group, /etc/shadow and /etc/hosts, which you could parse yourself, though usually went through the libc interfaces (getpwnam() and friends).
(note that hosts.allow and hosts.deny are not part of NSS but of TCP Wrappers, and apply only to programs linked against it (verify))
Then NIS and DNS and such came about,
and it became a more pressing need to have a single interface unify lookup of accounts, groups, passwords, and hostnames.
This is basically what the Name Service Switch (NSS) subsystem is. It's part of glibc and backs calls like getaddrinfo(), gethostbyname(), getpwnam() and getgrnam().
NSS allows dynamically hooking sources into hostname resolution and user/group/password lookup. Since you can have multiple sources, it also lets you configure which are used, in what order, and what to do with each one's result.
A sensible question is "So what about PAM? It deals with similar stuff."
PAM is primarily the logic of how to apply such sources of information (when and how to authenticate, what to allow, etc.), but not itself the thing that accesses them.
So in most ways it's a policy layer on top of NSS and other things: NSS answers "what is this user's uid / this host's address", PAM answers "may this user log in, and how do we check that".
So yes, there is a subset of things you can get done in either NSS or PAM. Which you'd choose depends a bit on what your program is. If you're part of the OS (login, sshd, sudo) you would use PAM because it ends up being more flexible; if you're just a random application that wants to look up a username or hostname you would use NSS, because it's easier to hook into than PAM.
There are some funny specific cases, particularly hostname lookup.
- Some command line tools (dig, host, nslookup) query a nameserver directly and bypass NSS entirely, so /etc/hosts, mDNS and the like are not consulted. Great for debugging DNS, misleading when the question is "what does this application see".
- "I want hostname lookup the same way the OS does" basically means using getaddrinfo()/gethostbyname() (or, from the shell, getent hosts or getent ahosts), which is backed by NSS, so whatever /etc/nsswitch.conf configures
That NSS configuration is at /etc/nsswitch.conf and the relevant line is usually at least (the order can vary):
hosts: files dns myhostname
On workstations it may be something like:
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
Where
- order is fallback style: each source is tried in turn, and by default the walk stops at the first success and continues on notfound, unavail or tryagain
- a [STATUS=action] after a source overrides that default for the source before it; [NOTFOUND=return] means "if this source says the name does not exist, stop here and report that, don't ask the rest"
- files refers to files like /etc/hosts,
- dns is basically whatever's configured in /etc/resolv.conf
- mdns4_minimal is nss-mdns, i.e. some form of mDNS
- 4 means IPv4 only, which avoids timeout-based delays when you don't use IPv6; _minimal means it only handles names ending in .local (and reports unavail for anything else, so the lookup falls through to dns)
- combined with [NOTFOUND=return], a .local name that nobody on the LAN answers for is reported as non-existent instead of being leaked to the unicast DNS resolver, which is both faster and better for privacy
- myhostname is nss-myhostname (from systemd), which resolves the machine's own hostname (and localhost) without depending on /etc/hosts being right
- it is added last in a "well in case everything fails at least our own name resolves" sense
- there are a few more sources, like nis, nisplus, hesiod, winbind, wins, resolve (systemd-resolved)
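To make the walk order and the [NOTFOUND=return] action concrete, here is an added simulation in Python (not glibc's code, and not from the original page): it parses a hosts: line, walks the sources with the default actions from nsswitch.conf(5), and records whether a lookup ever reaches the unicast DNS backend. The backends are constructed stand-ins (dictionaries with RFC 5737 test addresses, an assumed hostname "workstation") whose status codes mimic the real modules: nss-mdns's _minimal variant returns unavail for names outside .local and notfound for unanswered .local names.

```python
import re

# Default action per lookup status (nsswitch.conf(5)): only success stops the walk by default.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}


def parse_hosts_line(line: str):
    """Parse 'hosts: src [STATUS=action] src ...' into [(source, {(negated, status): action})]."""
    _db, _sep, rest = line.partition(":")
    entries = []
    for tok in rest.split():
        m = re.fullmatch(r"\[(!?)(\w+)=(\w+)\]", tok)
        if m:
            if not entries:
                raise ValueError("action without a preceding source: %s" % tok)
            neg, status, action = m.groups()
            entries[-1][1][(neg == "!", status.lower())] = action.lower()
        else:
            entries.append((tok, {}))
    return entries


def action_for(overrides: dict, status: str) -> str:
    """Explicit [STATUS=action] wins, then a negated [!OTHER=action], then the default."""
    if (False, status) in overrides:
        return overrides[(False, status)]
    for (neg, other), action in overrides.items():
        if neg and other != status:
            return action
    return DEFAULT_ACTIONS[status]


def resolve(name: str, entries, sources):
    """Walk the sources in order; returns (result or None, trace of (source, status, action))."""
    trace = []
    for src, overrides in entries:
        status, result = sources[src](name)
        action = action_for(overrides, status)
        trace.append((src, status, action))
        if action == "return":
            return result, trace
    return None, trace


# Constructed backends standing in for the real NSS modules (addresses from RFC 5737 TEST-NET-1).
FILES = {"localhost": "127.0.0.1", "printer.lan": "192.0.2.10"}      # /etc/hosts
MDNS = {"printer.local": "192.0.2.10"}                                 # what the LAN answers over multicast
DNS = {"printer.lan": "192.0.2.10", "www.example": "192.0.2.20"}       # the unicast resolver
DNS_QUERIES = []                                                       # every name that left the host


def files(name):
    return ("success", FILES[name]) if name in FILES else ("notfound", None)


def mdns4_minimal(name):
    # nss-mdns "_minimal": names outside .local are UNAVAIL (so the walk continues to dns);
    # a .local name that nobody answers is NOTFOUND, which [NOTFOUND=return] turns into a stop.
    if not name.endswith(".local"):
        return ("unavail", None)
    return ("success", MDNS[name]) if name in MDNS else ("notfound", None)


def dns(name):
    DNS_QUERIES.append(name)
    return ("success", DNS[name]) if name in DNS else ("notfound", None)


def myhostname(name):
    # nss-myhostname: the machine's own name always resolves (assumed hostname "workstation")
    return ("success", "127.0.0.2") if name == "workstation" else ("notfound", None)


SOURCES = {"files": files, "mdns4_minimal": mdns4_minimal, "dns": dns, "myhostname": myhostname}
WORKSTATION = parse_hosts_line("hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname")
SERVER = parse_hosts_line("hosts: files dns myhostname")


def leaks_to_dns(name: str, entries) -> bool:
    """True if resolving `name` with this hosts: line sends a query to the unicast resolver."""
    before = len(DNS_QUERIES)
    resolve(name, entries, SOURCES)
    return len(DNS_QUERIES) > before


if __name__ == "__main__":
    for n in ("printer.local", "nothere.local", "www.example", "workstation"):
        print(n, resolve(n, WORKSTATION, SOURCES))
    print("nothere.local leaks on workstation line:", leaks_to_dns("nothere.local", WORKSTATION))
    print("nothere.local leaks on server line:     ", leaks_to_dns("nothere.local", SERVER))
```

The two hosts: lines differ only for unanswered .local names: with the workstation line they stop at mdns4_minimal, with the server line they go out to the resolver. Real glibc also has a merge action and per-source tryagain handling that this simulation leaves out.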
local DNS (mDNS, LLMNR)
Multicast DNS is the concept of having a functional subset of DNS on your LAN via link-local multicast (for mDNS: 224.0.0.251 / ff02::fb, UDP port 5353, names under .local).
Basically exists in two forms:
- Apple's mDNS (RFC 6762, moderately common)
- Microsoft's LLMNR [1] (RFC 4795, UDP port 5355, less common)
The two are similar, and apparently the only reason they aren't the same thing is some popcorn-worthy drama - mDNS is essentially the standard, and MS continues to do their own thing.
Both are unauthenticated by design: any host on the segment can answer any query, so a machine that falls through to mDNS/LLMNR for a mistyped or non-existent name can be handed an attacker's address (the LLMNR/NBT-NS poisoning that tools like Responder automate, typically to capture NTLM authentication). The practical advice is to disable LLMNR via group policy where it isn't needed, and to keep mDNS from being consulted for names outside .local (which is what the mdns4_minimal setup above does).
mDNS notes
So how do you resolve .local?
- OSX does this pretty natively
- Linux does lookups typically through avahi, so requires that to be installed, and hooked into nss.
- Windows long chose not to support mDNS because of the LLMNR split; since ~Win10 there is built-in mDNS resolution, though only part of it (verify).
- There's Bonjour for Windows, though newer versions are mostly distributed bundled with iTunes and a few other Apple products [2].
- Also note
- some apps have their own mDNS built in
- devices (like printers) may have it to ease finding them for initial setup
https://serverfault.com/questions/118237/how-to-use-zeroconf
https://en.wikipedia.org/wiki/.local
https://serverfault.com/questions/118652/how-to-use-bonjour
On zeroconf and service discovery
Zeroconf refers vaguely/broadly to things that allow both automated network configuration and discovery of services available on that same network.
A little more precisely:
- assignment of addresses for devices,
- resolution of hostnames,
- location of network services.
Since the assign-address part was covered by DHCP long before (and, where there is no DHCP, by link-local addressing: 169.254/16 and fe80::/10),
zeroconf in practice mostly refers to the latter two, often:
- Multicast DNS for name resolution, often either
- mDNS (all platforms)
- LLMNR (mostly for windows)
- plus some means of service discovery, for example
- Apple's DNS-SD (DNS based Service Discovery)
- Microsoft's SSDP (Simple Service Discovery Protocol), part of UPnP [3]
Implementations:
- Bonjour (probably the most common Zeroconf setup) (previously 'Rendezvous')
- from Apple
- is mDNS and DNS-SD
- available for Mac, Linux, other POSIX, and Windows
- XLLMNRD
- is LLMNR on linux
- systemd-resolved
- supports both LLMNR and mDNS, as resolver and as responder, configurable per link (distribution defaults vary; resolvectl status shows what is active)
- also acts as a local caching stub resolver (the 127.0.0.53 listener that ends up in /etc/resolv.conf)
- Howl (old, not developed anymore [6])
- UPnP allows network device setup [7]
- (its lack of authentication makes it a security problem: anything on the LAN can, for instance, ask an IGD router to open a port, which is why it is routinely disabled on WAN-facing gear)
- Windows CE 5.0 has an LLMNR-based implementation
- Windows 10 seems to have an mDNS for printers
- apparently for proper mDNS, you should disable that and install Bonjour(verify)
Related:
- SLP (Service Location Protocol) [8]
- seemingly aimed at printers, also used for some other shared services(verify)
- systems that already use LDAP will probably use that instead of SLP
- WS-Discovery [9]
- multicast
- Jini [10]
- Device/service coordination
- Salutation [11]
- Device/service coordination
- Other device configurers:
- Bluetooth's SDP (Service Discovery Protocol) [12]