shenchris & siriuskoan
- DNS
- How It Works
- Record Types
- Mail
- MUA / MTA / MDA / MRA
- Protocols
- How It Works
- DKIM
- SPF
- SRS
- DMARC
- LDAP
- How It Works
- `ldapsearch`
- IP Address - A numerical label assigned to every device connected to the Internet, similar to the street address of a house.
- Domain Name - A human-readable name that maps to a numeric IP address and is used to reach a website.
- DNS - Like a phone book, it maps domain names to IP addresses: `www.hs.ntnu.edu.tw` -> `203.68.92.132`, just like 師大附中 (the school) -> No. 143, Section 3, Xinyi Road, Da'an District, Taipei City (its street address).
- Master - The main server, the one that actually performs name resolution and reads the zone data from disk.
- Slave - It fetches a copy of the zone data from the master server periodically.
- `nslookup` and `dig` are useful tools for checking DNS records.
DNS is hierarchical and decentralized, which avoids a single point of failure.
- Root Nameserver - The first stop in a recursive resolver's query. It directs the recursive resolver to a TLD nameserver based on the extension of the domain (`.com`, `.org`, ...).
- TLD - Stands for Top Level Domain. There are many TLDs, and each has its own TLD nameserver, which maintains information for the domain names that share that common extension.
- Authoritative Nameserver - The last stop in the query. It returns the IP address or alias for the requested domain name back to the DNS recursor.
- Resolver (DNS Recursor) - The agent between a client and the DNS nameservers.
A resolver can look a name up in two ways: an iterative query or a recursive query.
- Iterative Query - The resolver asks the root nameserver for the target domain name, and the root nameserver tells it which server to ask next (the TLD nameserver). The resolver then asks the TLD nameserver, which again refers it to the next server. The steps repeat until the resolver asks the authoritative nameserver and gets the final result.
- Recursive Query - The resolver asks the root nameserver for the target domain name, and the root nameserver itself asks the next server (the TLD nameserver). The steps repeat until the query reaches the authoritative nameserver and gets the final result; the answer is then passed back along the same chain to the resolver.
There are many types of DNS records, and each has its own usage.
- `A` record - It contains the IPv4 address of the domain name. For example, `203.68.92.132` is an `A` record of `www.hs.ntnu.edu.tw`.
- `AAAA` record - It contains the IPv6 address of the domain name.
- `NS` record - It names the zone's authoritative nameserver. For example, `dns.hs.edu.tw` is an `NS` record of `hs.ntnu.edu.tw`.
- `MX` record - It names the mail server. For example, `cs.nctu.edu.tw` has `MX` records `csmx[2,3].cs.nctu.edu.tw`, so email to `@cs.nctu.edu.tw` will be sent to `csmx[2,3].cs.nctu.edu.tw`.
- `CNAME` record - It is an alias referring to the value of the specified record. For example, if `bar.example.com` has a `CNAME` record `foo.example.com`, then requests for `bar.example.com` are actually sent to `foo.example.com`.
- `SOA` record - It holds information about a domain or zone: the admin's email, serial number (date), TTL, etc.
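The resolution walk (iterative vs. recursive) and the `A`/`CNAME` records described above, as an added example that is not from these slides: a toy resolver over a constructed, collapsed set of nameservers (root -> `.tw` TLD -> `dns.hs.edu.tw`; the alias `web.hs.ntnu.edu.tw` and the server names are assumptions, only the `A` record value comes from the slides).

```python
SERVERS = {  # constructed nameservers, collapsed to root -> TLD -> authoritative; only the A record is from the slides
    "root": {"referral": {"tw": "tld-tw"}, "answers": {}},
    "tld-tw": {"referral": {"hs.ntnu.edu.tw": "dns.hs.edu.tw"}, "answers": {}},
    "dns.hs.edu.tw": {"referral": {}, "answers": {
        ("www.hs.ntnu.edu.tw", "A"): ["203.68.92.132"],
        ("web.hs.ntnu.edu.tw", "CNAME"): ["www.hs.ntnu.edu.tw"],   # constructed alias
    }},
}

def suffixes(name):  # a.b.c -> [a.b.c, b.c, c], longest first
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def query(server, name, rtype):
    """Ask one server: ('answer', values), ('cname', target), ('referral', next_server) or ('nxdomain', None)."""
    zone = SERVERS[server]
    if (name, rtype) in zone["answers"]:
        return "answer", zone["answers"][(name, rtype)]
    if rtype != "CNAME" and (name, "CNAME") in zone["answers"]:
        return "cname", zone["answers"][(name, "CNAME")][0]
    for suffix in suffixes(name):  # longest matching delegation wins
        if suffix in zone["referral"]:
            return "referral", zone["referral"][suffix]
    return "nxdomain", None

def resolve_iterative(name, rtype, max_hops=10):
    """Iterative: the resolver itself walks root -> TLD -> authoritative. Returns (values, servers asked)."""
    server, path = "root", []
    for _ in range(max_hops):
        path.append(server)
        kind, data = query(server, name, rtype)
        if kind == "answer":
            return data, path
        if kind == "cname":  # alias: look the canonical name up from the root again
            values, more = resolve_iterative(data, rtype, max_hops)
            return values, path + more
        if kind != "referral":
            return [], path
        server = data
    return [], path

def resolve_recursive(name, rtype, server="root"):
    """Recursive: each server asks the next one on the resolver's behalf and hands the answer back."""
    kind, data = query(server, name, rtype)
    if kind == "answer":
        return data
    if kind == "cname":
        return resolve_recursive(data, rtype)
    return resolve_recursive(name, rtype, data) if kind == "referral" else []
```

The `path` returned by `resolve_iterative` shows which servers the resolver had to contact itself; in the recursive variant the resolver only ever talks to the root.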
siriuskoan
In a mail system, there are three important protocols.
- `SMTP` - It is used to send and receive mail between mail servers.
- `IMAP` - It is used to let users get their mail from anywhere.
- `POP3` - It is used to let users get their mail from anywhere.

The difference between `IMAP` and `POP3` is that the former still stores the mail on the server after users read it, while the latter removes it after it has been read.
They can all be encrypted and become `SMTPS`, `IMAPS` and `POP3S`.
`MUA`, `MTA`, `MDA` and `MRA` play important roles in a mail system.
- `MUA` - Mail User Agent. Software that sits between users and the mail server; users write and send email with it. For example, `Outlook`, `Thunderbird` and webmail are all MUAs.
- `MTA` - Mail Transfer Agent. The so-called "mail server". It receives emails from, and sends (relays) them to, other mail servers, and hands users their own emails. For example, `Postfix` and the built-in `sendmail` are MTAs.
- `MDA` - Mail Delivery Agent. It decides what to do with incoming emails: deliver them to the INBOX, send them on to another MTA, etc. For example, `Procmail`.
- `MRA` - Mail Retrieval Agent. It fetches email from a remote server and lets users access their mailboxes. For example, `Dovecot`.
A mail server can send (relay) mail to other mail servers when it finds that it cannot handle it itself.
However, if a mail server relays all mail to other mail servers, bad guys can use it to overwhelm other mail servers.
Such a server is considered an open relay and will be blacklisted.
To prevent this, every mail server should be configured correctly with which domains it should relay for.
An email is just a text file, and after a user logs in to the mail server, he or she can send mail with any sender address.
Therefore, it is easy to send a spoofed mail to anyone.
However, this must not be allowed to happen, so there are several mechanisms to solve this problem.
SPF stands for Sender Policy Framework. Under this mechanism every domain has one DNS record that lists which IP addresses its mail servers have.
By doing so, if a bad guy uses his or her own mail server to send mail as someone in another domain, the mail will not pass the SPF test and is thus classified as unsafe mail or spam.
However, if the mail is intercepted and the content is changed by a bad guy, SPF is useless.
SPF is good, but if a mail server wants to forward the mail, the SPF test will fail since the sender domain and the forwarder domain are not the same.
SRS, standing for Sender Rewriting Scheme, is used to solve this problem.
It rewrites the sender so that the mail passes the SPF test. After passing the SPF test, the destination server converts it back to the original sender and shows that to recipients.
To prevent the modification problem mentioned above, DKIM was proposed.
DKIM stands for DomainKeys Identified Mail. The mail server hashes some of the headers (which ones it specifies) together with the content, encrypts the hash with its key, and adds the result to a header.
In this way, if the mail is intercepted and modified by others, DKIM can detect it and mark the mail unsafe.
However, the sender shown in the MUA is `header.from`, while SPF and DKIM check `smtp.MailFrom`.
Therefore, if a bad guy sets up a mail server and sets `header.from` to a fake one (for example, `gmail.com`) and `smtp.MailFrom` to the real sending domain, neither SPF nor DKIM can detect this.
DMARC stands for Domain-based Message Authentication, Reporting and Conformance.
It checks whether `header.from` and `smtp.MailFrom` are the same; this check is called "alignment".
Besides that, it also checks whether SPF and DKIM passed. If the checks fail, the action (policy) the admin specifies is performed.
It also sends reports about authentication results to the domain admin.
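The alignment check above, as an added example that is not from these slides: a small DMARC evaluator over a constructed `_dmarc` TXT record (the domains `bank.example`, `mailer.example` and `forwarder.example` are made up). It follows the DMARC rule that one aligned, passing identifier (SPF on `smtp.MailFrom` or DKIM on the signature's `d=` domain) is enough, and it simplifies the organizational domain to the last two labels.

```python
# Constructed _dmarc TXT records standing in for DNS lookups (not real data).
DMARC_TXT = {
    "_dmarc.bank.example": "v=DMARC1; p=reject; adkim=r; aspf=s; rua=mailto:dmarc@bank.example",
}

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; ...' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def domain_of(address):
    """Domain part of an address such as 'alice@bank.example'."""
    return address.rsplit("@", 1)[-1].lower()

def org_domain(domain):
    # Simplification: the last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(header_from, smtp_mail_from, spf_pass, dkim_d, dkim_pass):
    """Return 'pass', or the p= action the receiver should apply ('none', 'quarantine', 'reject')."""
    from_domain = domain_of(header_from)
    record = DMARC_TXT.get("_dmarc." + from_domain)
    if record is None:
        return "none"  # the header.from domain publishes no DMARC policy
    tags = parse_dmarc(record)
    # SPF is tied to smtp.MailFrom, DKIM to the d= domain of the signature; each must align with header.from.
    spf_ok = spf_pass and aligned(domain_of(smtp_mail_from), from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and dkim_d is not None and aligned(dkim_d.lower(), from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned, passing identifier is enough
        return "pass"
    return tags.get("p", "none")
```

The spoof case from the slides (fake `header.from`, the attacker's own domain in `smtp.MailFrom`) passes SPF and DKIM on their own but fails alignment, so the published `p=reject` applies; a forwarded mail fails SPF alignment yet still passes through the original DKIM signature.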
siriuskoan
Suppose that you are a system admin, and the system you are responsible for is large.
There are 10 mail servers, 1 DNS master server, 2 DNS slave servers, 10 web servers including a load balancer, and 1 NFS server in this system.
You and your team have to manage this system, so everyone should be able to log in to every server, which means all of them need accounts on all these servers.
That is, everyone has to be given an account whenever a new server is set up. With so many servers, this is unendurable.
LDAP, standing for Lightweight Directory Access Protocol, is a good system to solve this problem.
LDAP stores all user data on one server, and other servers can fetch user data from it to do authentication or to find users' home directories (served by NFS).
LDAP is for Linux, and AD (Active Directory) is for Windows.
LDAP is hierarchical as well.
It has a DIT (Directory Information Tree), which contains `dc`, `ou`, `cn`, `o`, `c`, etc.
- `dc` - Domain Component (`edu`, `tw`, `com`, ...)
- `ou` - Organizational Unit (`People`, `Group`, ...)
- `cn` - Common Name (username)
- `o` - Organization name
- `c` - Country name
- `dn` - Distinguished Name; it identifies one and only one node.
- `rdn` - Relative Distinguished Name

For example, my DN in CNMC may be `cn=siriuskoan,ou=People,dc=sirius,dc=cnmc,dc=tw` and the RDN is `cn=siriuskoan`.
A node stores many things, like real name, phone number, email, home directory, `objectClass`, etc.
`objectClass` is an entry template, just like a database schema. It defines what an entry should contain.
Some common `objectClass` values:
- `Person`
- `PosixAccount`

For example, `Person` requires an entry to contain `sn` (surname) and `cn` (common name), and allows it to contain a password, phone number, etc.
LDIF stands for LDAP Data Interchange Format.
It is the standard text file format for storing LDAP configuration information and directory content.
For example, here are two LDAP entries (each `person` entry carries the `cn` and `sn` it must have, and both sit under `ou=People`).

```ldif
# siriuskoan, People, cnmc.tw
dn: cn=siriuskoan,ou=People,dc=cnmc,dc=tw
objectClass: person
cn: siriuskoan
sn: koan

# shenchris, People, cnmc.tw
dn: cn=shenchris,ou=People,dc=cnmc,dc=tw
objectClass: person
cn: shenchris
sn: shen
```
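The LDIF format, the DN/RDN split and the `Person` requirement (`cn` and `sn`) described above, as an added example that is not from these slides: a small LDIF parser plus a checker that flags an entry placed under the wrong `ou` or missing a required attribute. The LDIF text is constructed in the slides' style, with the second entry deliberately broken; the required-attribute table and the expected base `ou=People,dc=cnmc,dc=tw` are assumptions.

```python
# Constructed LDIF in the slides' style; the second entry deliberately carries two mistakes.
LDIF = """\
# siriuskoan, People, cnmc.tw
dn: cn=siriuskoan,ou=People,dc=cnmc,dc=tw
objectClass: person
cn: siriuskoan
sn: koan

# shenchris, People, cnmc.tw
dn: cn=shenchris,ou=Person,dc=cnmc,dc=tw
objectClass: person
sn: shen
"""

# Required ('MUST') attributes per objectClass, taken from the slides' description of Person (assumption).
MUST = {"person": {"cn", "sn"}}

def parse_ldif(text):
    """Split LDIF into entries: a list of dicts, lowercase attribute -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):        # comment lines
            continue
        if not line.strip():            # a blank line separates entries
            if current:
                entries.append(current)
            current = {}
            continue
        attr, value = line.split(":", 1)
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def rdn(dn):
    """Relative Distinguished Name: the leftmost component of the DN."""
    return dn.split(",", 1)[0]

def check_entry(entry, base="ou=People,dc=cnmc,dc=tw"):
    """Return the problems found (an empty list means the entry is fine)."""
    dn = entry.get("dn", [""])[0]
    problems = []
    if dn.split(",", 1)[-1] != base:    # parent DN must be the expected container
        problems.append(f"{rdn(dn)}: not placed under {base}")
    present = set(entry) - {"dn", "objectclass"}
    for oc in entry.get("objectclass", []):
        missing = MUST.get(oc.lower(), set()) - present
        if missing:
            problems.append(f"{rdn(dn)}: objectClass {oc} requires {sorted(missing)}")
    return problems
```

Running `check_entry` over each parsed entry reports the `ou=Person` typo and the missing `cn` on the second entry, which is the kind of mistake a directory server would reject at `ldapadd` time.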
We can use the `ldapsearch` command to search LDAP entries.
For example, to find the user `siriuskoan` on `cnmc.tw`:

```shell
$ ldapsearch -x -h cnmc.tw -b "dc=cnmc,dc=tw" "(cn=siriuskoan)"
```

Or to find the entries whose `objectClass` is `person`:

```shell
$ ldapsearch -x -h cnmc.tw -b "dc=cnmc,dc=tw" "(objectClass=person)"
```

Or to list all entries:

```shell
$ ldapsearch -x -h cnmc.tw -b "dc=cnmc,dc=tw" "(objectClass=*)"
```