F5 101 – Part 4: Application and Security Technologies
July 1, 2023

15. Domain Name Service (DNS) Part 1

Domain Name System, or DNS. This is an application that listens on port 53 on both TCP and UDP transport. The primary goal of this application is to convert names to IP addresses, because we as humans remember names better than a bunch of numbers. As an example, we have f5.com, which is converted to 104 219-1168. Now, a lot of people think that the operation of DNS is very simple: we send a request, for example for f5.com, and the DNS server just provides us the IP address instantly. Well, in some cases, yes, that is how simply DNS works, but it can be a little more complicated. This is the DNS architecture. We are going to provide you an example of how DNS works, not only on your local area network but also through the internet.

So we have here a client, and the client is attempting to connect to zurion.com. He enters this name, zurion.com, in his web browser. What happens is that the client sends a DNS query to its DNS server, which is also known as the local DNS or LDNS. Ideally, this local DNS already has a cache entry for zurion.com and will simply provide him the IP address. But what if there is no cache entry for zurion.com? What the local DNS does is send a DNS query to the root name server. And take note: if you are a DNS server, you look for the first object here, which is the dot, and this is the root. The name is read in reverse. It doesn't start with zurion, it doesn't start in the middle with .com; it starts from the very first label, which is the right-most one.

It is invisible, you don't see it, you don't type it in your web browser, but there is a dot here which is the root. That is why the local DNS sends the query first to the root name server, and the root name server replies: okay, the top-level domain .com is valid, and I will give you one or more IP addresses of the .com name servers. In this case it is 101 one. Now the local DNS sends the same query it sent to the root name server to the .com name server, and the .com name server checks the domain name zurion. Once it verifies that zurion is a valid name, it responds with the name server of zurion, which in this case is 1281-9926 214. Now the local DNS knows the name server of this organization.

So the local DNS now sends the same query to the name server, which may reside in the organization's data center. Now, the name server here can be intelligent: it can verify the client's location. Let's say this data center is the main data center, and the organization has more data centers globally, in every region: one in California, one in London, in Dubai, in Singapore. It looks at my source IP address and determines: hey, your IP address is in Asia, so I am going to provide you the IP address of our data center in Singapore. So it replies with an IP address, and the client is given the IP address 1281-992-2458.

Okay. Now, as soon as the local DNS receives this IP address, it is cached. The reason we want to cache it is that the next time someone requests this name, the local DNS replies immediately with this IP address. It doesn't need to redo the process of sending the query to the root name server and then to the .com name server, because the name and its IP address are already cached in the local DNS. Now the IP address is known. The next step is that the client sends the HTTP request to this IP address, and the web server provides the content to the client. The client has successfully accessed the web application.
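The resolution walk above (root, then the .com name server, then the organization's name server, with the answer cached at the local DNS so the next lookup skips the walk) as an added Python example. This is not code from the course or from F5; the server addresses, the zurion.com records and the 300-second TTL are constructed using documentation address ranges.

```python
from dataclasses import dataclass, field


@dataclass
class NameServer:
    """One name server: it knows only its own zone and the delegations directly below it."""
    zone: str                                          # "." for root, "com", "zurion.com"
    delegations: dict = field(default_factory=dict)    # child zone -> IP of that zone's name server
    records: dict = field(default_factory=dict)        # FQDN -> IPv4 address (A record)

    def query(self, name: str):
        if name in self.records:
            return "answer", self.records[name]
        # match the longest delegated child zone, i.e. read the name from its right-most label
        for child, ns_ip in sorted(self.delegations.items(), key=lambda kv: -len(kv[0])):
            if name == child or name.endswith("." + child):
                return "referral", ns_ip
        return "nxdomain", None


class LocalDNS:
    """The LDNS of the walkthrough: iterates root -> TLD -> authoritative and caches the answer."""

    def __init__(self, root_ip: str, servers: dict, ttl: int = 300):
        self.root_ip, self.servers, self.ttl = root_ip, servers, ttl
        self.cache = {}                                # name -> (ip, expiry time in seconds)

    def resolve(self, name: str, now: float = 0.0):
        """Return (ip or None, list of servers contacted); ["cache"] marks a cache hit."""
        name = name.rstrip(".").lower()
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0], ["cache"]
        trace, server = [], self.root_ip
        for _ in range(10):                            # bound the walk against delegation loops
            kind, value = self.servers[server].query(name)
            trace.append(server)
            if kind == "referral":
                server = value                         # follow the referral to the next server
            elif kind == "answer":
                self.cache[name] = (value, now + self.ttl)
                return value, trace
            else:
                return None, trace
        return None, trace


# Constructed delegation tree (documentation addresses, not real servers or records)
SERVERS = {
    "192.0.2.1": NameServer(".", delegations={"com": "192.0.2.10"}),
    "192.0.2.10": NameServer("com", delegations={"zurion.com": "198.51.100.53"}),
    "198.51.100.53": NameServer("zurion.com", records={"zurion.com": "203.0.113.80",
                                                     "www.zurion.com": "203.0.113.80"}),
}
```

A second call within the TTL returns `["cache"]` as its trace, and a call after the TTL has passed walks the three servers again.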

16. Domain Name Service (DNS) Part 2

As I mentioned on the previous slide, the local DNS sends the query first to the root name server. The root name server checks whether the top-level domain is valid. What are the top-level domains? The most popular is probably .com; other popular top-level domains are .net, .gov and many others. Now, we are using .com for these organizations, Google, Amazon and F5, and these are registered names. In the case of F5, with the domain f5 under the top-level domain .com, they own this domain and they can do whatever they want with it. When I say do whatever they want, I mean they can add what we call zones. They can configure one or more DNS servers with a database for their zones. You can see that there is a downloads.f5.com zone.

This is a dedicated zone for downloads, and there is another dedicated zone for DevCentral. A given DNS server has a copy of its own zone files and becomes the authoritative name server for those zones. Consider how critical the DNS application is, since we as humans always prefer names. In everyday browsing of the internet we connect to websites using fully qualified domain names, and again DNS converts them to IP addresses. But it is not only web browsers that use DNS; we also use DNS to integrate our PCs and devices. Sometimes we don't want to use an IP address; we would rather use a name. In this example we already use names to connect to our website. We can also use names to connect to a Network Time Protocol server.

This is an example of a server where, instead of entering an IP address in the NTP configuration, we use a name. We also have here a client PC, and it needs to be joined to an Active Directory domain, or AD domain. This requires a name to be entered, not an IP address. Imagine if your DNS server fails and goes down. You not only lose access to the internet by name, but these servers and endpoint devices will no longer be able to integrate with other servers, in this case AD, or Active Directory, and NTP. In short, some of our services will not work because the names we are trying to reach are not resolvable. A best practice for DNS is to always make it available through redundancy, and it is also recommended to protect these servers from different kinds of attacks.

17. Network Time Protocol (NTP)

Network Time Protocol, or NTP. This listens on port 123 on both UDP and TCP transport. NTP is a network protocol for time synchronization. The idea is that all of our computer systems, PCs, desktops, even printers, servers and other devices such as network firewalls and application delivery controllers, have their time synchronized. NTP is a client-server model, and it sends and receives timestamps, again using the UDP port and sometimes the TCP port. It allows a device to get the correct time from an internal or external time source; it can be local, or it can be through the internet. There are many public NTP servers available on the internet.

Now, why do we need to use NTP? That is a good question, because NTP can be just as critical as any other application. Correct time allows us to track many events in the network in the correct order. It is also used for troubleshooting and forensic investigation. Imagine you are going to investigate or troubleshoot log events from many different sources and devices: network devices such as routers, switches, firewalls and ADCs, and other endpoints as well, such as client PCs and servers. It is always good if the times and events are all in the right order, so you can do the troubleshooting and investigation more effectively.

NTP is also used to synchronize servers and other devices so that time is consistent for digital certificates. Imagine your digital certificate expiring not after a year, not after ten years, but now or the next day because of improper time synchronization; you may impact not just your network but many other applications as well. NTP is also used for device integration: for devices to integrate with each other, for example our F5 BIG-IP integrating with another server, the time has to be synchronized, or at least within five minutes of difference. But it is always preferred to enable NTP.

Another example is our F5 BIG-IP: if we enable clustering or high availability, it will not be successful if the time difference is too far apart. And lastly, NTP or time synchronization is required by law. You can configure NTP on most devices, if not all, such as hosts, servers and workstations, and network and security devices such as routers, switches and our F5 BIG-IP device. I don't know of any device or host operating system that doesn't support NTP; it is always available. So what we have here is a Windows 10 configuration where we enable clock synchronization and use an internet time server.

For Windows 10 this is already available: time.nist.gov. We also have a Linux server NTP configuration, and it is pointing to this NTP server, ubuntu.pool.ntp.org, and we have multiple NTP destinations: we have the first and we have the second. Some devices allow you to add either an IP address or a domain name for the NTP server; for F5 and for other devices such as routers, switches and other network appliances, you may add either an IP address or a domain name. But some hosts, such as Windows, only allow you to add a pre-configured NTP server, and those use names. Now, if you do this, make sure that your DNS settings point to the proper DNS server, and make sure your DNS server is working properly, because this is very critical.
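An added example, not from the course or from F5, of the NTP exchange this section describes: it builds the 48-byte NTPv4 client packet for UDP port 123, decodes a server reply, computes the clock offset from the four timestamps, and checks it against the five-minute integration tolerance mentioned above. The server reply, the network delays and the 400-second skew are constructed values so the exchange runs offline.

```python
import struct

NTP_PORT = 123                 # UDP port named in the text
NTP_DELTA = 2208988800         # seconds between the NTP epoch (1900) and the Unix epoch (1970)
MAX_SKEW = 5 * 60              # the "five minutes or less" integration tolerance mentioned above


def unix_to_ntp(t: float):
    """Split Unix time into the 32-bit seconds / 32-bit fraction pair NTP puts on the wire."""
    secs = int(t + NTP_DELTA)
    return secs, int((t + NTP_DELTA - secs) * (1 << 32))


def ntp_to_unix(secs: int, frac: int) -> float:
    return secs - NTP_DELTA + frac / (1 << 32)


def build_request(t1: float) -> bytes:
    """48-byte NTPv4 client packet: LI=0, VN=4, Mode=3 packed into the first byte (0x23)."""
    header = struct.pack("!BBBbIII", (4 << 3) | 3, 0, 6, -20, 0, 0, 0)   # flags .. reference id
    return header + b"\x00" * 24 + struct.pack("!II", *unix_to_ntp(t1))  # 3 zero stamps + transmit


def parse_response(pkt: bytes) -> dict:
    """Decode a server reply (mode 4) into stratum and the four timestamps as Unix time."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    if pkt[0] & 0x07 != 4:
        raise ValueError("not an NTP server reply")
    f = struct.unpack("!8I", pkt[16:48])
    ref, orig, recv, xmit = (ntp_to_unix(f[i], f[i + 1]) for i in range(0, 8, 2))
    return {"version": (pkt[0] >> 3) & 7, "stratum": pkt[1],
            "reference": ref, "originate": orig, "receive": recv, "transmit": xmit}


def clock_offset(resp: dict, t4: float) -> float:
    """RFC 5905 offset estimate: ((T2 - T1) + (T3 - T4)) / 2, T4 being the client's receive time."""
    return ((resp["receive"] - resp["originate"]) + (resp["transmit"] - t4)) / 2


def within_tolerance(offset: float) -> bool:
    return abs(offset) <= MAX_SKEW


def sample_reply(t1: float, server_skew: float) -> bytes:
    """Constructed stratum-2 reply from a server whose clock runs `server_skew` seconds ahead."""
    t2 = t1 + server_skew + 0.010      # request arrives after 10 ms of network delay
    t3 = t2 + 0.001                    # server answers 1 ms later
    header = struct.pack("!BBBbIII", (4 << 3) | 4, 2, 6, -20, 0, 0, 0)
    return header + b"".join(struct.pack("!II", *unix_to_ntp(t)) for t in (t2, t1, t2, t3))


def check_server(t1: float, server_skew: float):
    """Run the exchange offline and return (offset, acceptable for integration?)."""
    assert build_request(t1)[0] == 0x23
    resp = parse_response(sample_reply(t1, server_skew))
    offset = clock_offset(resp, t1 + 0.020)   # reply arrives 20 ms after the request went out
    return offset, within_tolerance(offset)
```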

18. Syslog

Syslog is a standard for message logging, and it listens on UDP port 514. It allows separation of the software that generates messages, the system that stores them, and the software that reports on and analyzes them. Messages can be viewed in real time on a console, and they can also be viewed in real time via a remote-access CLI such as SSH. Also take note that messages can be stored in a buffer or on disk, or they can be stored remotely on third-party devices or external software applications. Each message is labeled with a facility code indicating the type of software generating the message.

In BIG-IP we have different facility codes for different modules. LTM has its own facility code, as do ASM, GTM/DNS and many other modules. Each message is also assigned a severity level, which we are going to talk about more on the next slide. Now, syslog stores messages on every device. So, as you can imagine, each device in our topology, such as the routers and the BIG-IP device, has its own buffer or disk where by default it stores the messages. Imagine you want to troubleshoot, investigate or analyze something going on in your network: you have to log in to every single device, review the logging messages and analyze them.

It can be cumbersome and very difficult to manage. Wouldn't it be good if we could store all of the messages coming from many different devices in one place? In our example we only have four devices, but in a real environment we can have plenty, like 20, 50 or even hundreds. We want to store them centrally in a syslog server. The syslog server listens on port 514, and the clients forward their logging messages to the syslog server, so we can easily search the messages and identify what is happening in our data center and in our enterprise environment.

This is what we call the syslog client-server architecture, where we again use a syslog server that listens for log messages coming from different clients. In BIG-IP, as in other devices, this is very easy to configure: you go to the syslog configuration, specify the IP address of the syslog server and also the UDP port 514, which is the default port the syslog server listens on, and click OK. You can then verify that the syslog server is receiving the messages coming from the different clients. Logging levels: we have eight severity levels, and some of these are very useful. The first one, or the lowest one, is debug, and this is used most of the time for troubleshooting or advanced troubleshooting.

Take note: you only want to enable debug logging when you need to troubleshoot, because it can produce a great many messages. We also have notice and informational; these are messages you can usually ignore. Error and warning are messages you may want to review, because they can be very important. I would like to highlight critical, alert and emergency: all three report some kind of failure, and it is very important to review these messages because they may affect the performance of your device and possibly the performance of the entire network of your environment.
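An added example, not from the course or from F5, that decodes the syslog PRI header into the facility code and the eight severity levels described above, picks out the critical, alert and emergency messages from a batch of lines as a central syslog server on UDP 514 would receive them, and counts messages per device and severity. The hostnames, process names and message texts in the sample batch are constructed.

```python
import re

SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notice", "informational", "debug"]                        # levels 0..7
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              9: "cron", 10: "authpriv", 12: "ntp", **{16 + i: f"local{i}" for i in range(8)}}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(pri: int):
    """PRI = facility * 8 + severity: severity is the low 3 bits, facility the remaining bits."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES.get(pri >> 3, f"facility{pri >> 3}"), SEVERITIES[pri & 7]


def parse_line(line: str):
    """Parse a BSD-style line '<PRI>Mmm dd hh:mm:ss host tag: message'; None if no PRI header."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri, rest = int(m.group(1)), m.group(2)
    facility, severity = decode_pri(pri)
    timestamp, tail = rest[:15], rest[16:]            # the BSD timestamp is a fixed 15 characters
    host, _, message = tail.partition(" ")
    return {"facility": facility, "severity": severity, "level": pri & 7,
            "timestamp": timestamp, "host": host, "message": message}


def needs_review(lines, max_level: int = 2):
    """Keep emergency, alert and critical (levels 0-2): the three the text says report a failure."""
    records = (parse_line(line) for line in lines)
    return [r for r in records if r and r["level"] <= max_level]


def count_by_host(lines):
    """Per-device counts by severity, the kind of overview a central server makes possible."""
    counts = {}
    for r in filter(None, map(parse_line, lines)):
        per_host = counts.setdefault(r["host"], {})
        per_host[r["severity"]] = per_host.get(r["severity"], 0) + 1
    return counts


# Constructed sample batch from four devices (hosts, process names and messages are made up)
SAMPLE_LINES = [
    "<134>Jul  1 10:00:01 bigip1 monitor[1201]: pool member 10.0.0.5:80 status up",
    "<131>Jul  1 10:00:05 rtr1 bgpd[88]: neighbor 192.0.2.1 Down - notification received",
    "<130>Jul  1 10:00:07 bigip1 failover[77]: failover condition detected, going active",
    "<14>Jul  1 10:00:09 rtr2 sshd[300]: Accepted publickey for admin from 10.0.0.9",
    "<0>Jul  1 10:00:11 fw1 kernel: Kernel panic - not syncing",
    "<7>Jul  1 10:00:12 bigip1 tmm[1234]: debug: connection table walk complete",
    "not a syslog line at all",
]
```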

19. Simple Network Management Protocol (SNMP)

Simple Network Management Protocol, or SNMP. This is a protocol for collecting and organizing information about managed devices on IP networks. It listens on UDP port 161 and, for traps, on UDP port 162. It can also modify information to change device behavior, and it has two privilege levels: read-only and read-write access. It supports many different devices, which we call agents: routers, switches, firewalls, application delivery controllers. It can also receive information from servers and modems or cable modems. The key components of an SNMP architecture are the agent and the Network Management System, or NMS.

The agents are the devices or hosts. So these routers here and these BIG-IP devices are what we call agents, and the SNMP manager here is our network management system, or NMS. Now, there are two ways SNMP communicates. One is what we call traps, and traps are something we configure on our agents, on our devices. The best example of a trap is this: this router here has another interface, maybe connected to the web, and this is something critical that we need to monitor proactively. So I can set a trap, and it will report every time something goes wrong on this interface. Let's say this is E1; if this interface goes down, I report it to the SNMP manager.

I just send traffic, which is SNMP on UDP port 162. It is not only interfaces; it can be a tunnel, it can also be routing. For example, this router here is establishing BGP, a dynamic routing protocol, with other layer-3 devices. This is another router, and this is a BGP session. Now, this is something critical, something we need to be notified about if it goes wrong. If BGP loses its session with the neighbor device, I again send a trap to the SNMP manager, and the SNMP manager is notified: hey, your BGP session with your neighbor device just went down. It can create a ticket or take other actions. That is what we call an SNMP trap: the device reports to the SNMP manager.

We also have what we call the Get or Set request and response. This action is initiated by the SNMP manager, not the device, not the agent, but again the SNMP manager. It works like this: the SNMP manager continuously sends what we call Get requests, and this is to verify that the devices are still alive, still online. The devices frequently reply with a Get response: hey, we are still alive, we are good, there is nothing critical, nothing to worry about. But what happens if one device goes down? Again, the SNMP manager keeps sending Get requests and is not getting a Get response. Therefore the SNMP manager concludes: there is no Get response from this device, so I will assume the device is down, and this alert may be forwarded to another software or application, like a ticketing system.

SNMP has three major versions. The first is version 1, the initial implementation, which is not widely used anymore due to its poor security features. Then we have version 2c. This is a revision of version 1 and includes improvements in the areas of performance, security and communications. SNMP version 2c is still very commonly deployed in many environments, and I know a lot of organizations still use this version, whether they are small, medium or large enterprises. Now, in version 2c, and also in version 1, we use what we call community strings, which are like a user ID or password that allows access by the SNMP manager.

This allows the SNMP manager to read or write information on the agents. We also have SNMP version 3. Version 3 makes no changes to the protocol aside from the addition of cryptographic security. In short, version 3 is more secure because we don't only have authentication, we also have hashing and encryption. The security aspect is addressed by offering both authentication and data encryption, or privacy, and we implement the User-based Security Model, or USM. These are the communication mechanisms of the SNMP USM model. Here we have authentication and privacy both disabled; this is what we call noAuthNoPriv. So even with SNMP version 3, you have the ability to disable the security features.

We also have authentication but no privacy or encryption (authNoPriv). This is closer to the previous version: yes, it can be authenticated, but we don't set any encryption at all. Also take note that in SNMP version 3, the way we configure it under the User-based Security Model, or USM, is that we configure a group where we enable both hashing and encryption, then we create a user and associate this user with the group. That is how we enable the security features. And lastly, we also have communication with authentication and privacy, which we call authPriv. Take note: the authentication options for SNMP version 3 support three hashing algorithms: MD5, SHA and HMAC-SHA2.
