D. J. Bernstein
Internet publication
djbdns

Case study: a firewalled office network

This is a small network, with nine computers: forcewall, stoneport, muncher, gggg, twog, thoth, crystal, fireball, and silverton. The network is firewalled: forcewall is set up to stop most packets from reaching the other computers.

Finding addresses of Internet hosts

The computers find addresses of Internet hosts through an external DNS cache running on forcewall:
                       +---------+         cnn.com?          +-----------+
                       |         |        --------->         |192.5.5.241|
                       |         | <------------------------ |root       |
                       |         |      &com:192.5.6.30      |DNS server |
                       |         |                           +-----------+
+-------+   cnn.com?   |         |         cnn.com?          +----------+
|gggg   |  --------->  |forcewall|        --------->         |192.5.6.30|
|browser| <----------- |DNS cache| <------------------------ |.com      |
+-------+  +cnn.com:   |         |  &cnn.com:149.174.213.151 |DNS server|
           64.236.24.4 |         |                           +----------+
                       |         |         cnn.com?          +---------------+
                       |         |        --------->         |149.174.213.151|
                       |         | <------------------------ |.cnn.com       |
                       +---------+    +cnn.com:64.236.24.4   |DNS server     |
                                                             +---------------+
Each computer has the DNS cache IP address listed in /etc/resolv.conf:
     nameserver 131.193.178.159
On forcewall, the DNS cache was set up with
     dnscache-conf Gdnscache Gdnslog /etc/dnscache 131.193.178.159
     ln -s /etc/dnscache /service

Publishing addresses of Internet hosts

stoneport and muncher are .yp.to DNS servers. They publish the addresses of yp.to hosts:
+----------+         cr.yp.to?           +--------+
|stoneport |        <----------          |DNS     |
|DNS server| --------------------------> |caches  |
+----------+  +cr.yp.to:131.193.178.160  |around  |
                                         |the     |
+----------+         cr.yp.to?           |Internet|
|muncher   |        <----------          |        |
|DNS server| --------------------------> |        |
+----------+  +cr.yp.to:131.193.178.160  +--------+

The DNS server on stoneport was set up with

     tinydns-conf Gtinydns Gdnslog /etc/tinydns 131.193.178.160
     ln -s /etc/tinydns /service
and the DNS server on muncher was set up with
     tinydns-conf Gtinydns Gdnslog /etc/tinydns 131.193.178.181
     ln -s /etc/tinydns /service

Changes to the DNS data are made in /service/tinydns/root/data on stoneport. Running make in the /service/tinydns/root directory then creates data.cdb, the source of information for tinydns. Changes are also copied to muncher.

The commands

     cd /service/tinydns/root
     ./add-ns yp.to 131.193.178.181
     ./add-ns yp.to 131.193.178.160
     ./add-alias cr.yp.to 131.193.178.160
     ./add-mx cr.yp.to 131.193.178.160
     ./add-mx list.cr.yp.to 131.193.178.160
created a data file containing
     .yp.to:131.193.178.181:a
     .yp.to:131.193.178.160:b
     +cr.yp.to:131.193.178.160
     @cr.yp.to:131.193.178.160:a
     @list.cr.yp.to:131.193.178.160:a
Translation of the same data into English:
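The data lines above, together with the cnn.com diagram earlier on this page, worked through as an added Python example. This is not djbdns code: tinydns-data is what actually compiles a data file into data.cdb, and dnscache is what actually chases referrals. The script expands the line types used on this page (`.`, `&`, `+`, `@`) into the NS, A, SOA and MX records they stand for, states each record in English, and then resolves cnn.com by following referrals from a root server, using a table constructed from the diagram of what each server would answer. Assumptions of this example: an omitted x field defaults to `a`; the ttl, timestamp and location fields are ignored; the PTR record an `=` line also produces is left out; the `=` and `+` lines are otherwise treated alike; all function and variable names are the example's own.

```python
# Added example: expand tinydns data lines into DNS records and walk the
# referral chain from the diagram. Not djbdns code; the default of "a" for
# an omitted x field is this script's assumption, and the SERVERS table is
# constructed from the cnn.com diagram on the page.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    rtype: str      # "NS", "A", "MX" or "SOA"
    name: str       # owner name, without trailing dot
    value: str      # NS/MX/SOA target host name, or dotted IP for A
    dist: int = 0   # MX distance (preference); 0 for other types


def parse_line(line: str) -> List[Record]:
    """Expand one tinydns data line into the records it stands for.

    Handled: .fqdn:ip:x (NS + glue A + SOA), &fqdn:ip:x (NS + glue A),
    +fqdn:ip and =fqdn:ip (A only; the PTR of an = line is skipped),
    @fqdn:ip:x:dist (MX + glue A). ttl/timestamp/location fields are ignored.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    kind, fields = line[0], line[1:].split(":")
    fqdn = fields[0]
    ip = fields[1] if len(fields) > 1 else ""
    x = fields[2] if len(fields) > 2 and fields[2] else "a"  # assumption: omitted x -> "a"
    recs: List[Record] = []
    if kind in (".", "&"):
        host = x if "." in x else f"{x}.ns.{fqdn}"  # x with a dot is a full host name
        recs.append(Record("NS", fqdn, host))
        if ip:
            recs.append(Record("A", host, ip))
        if kind == ".":
            recs.append(Record("SOA", fqdn, host))
    elif kind in ("+", "="):
        recs.append(Record("A", fqdn, ip))
    elif kind == "@":
        host = x if "." in x else f"{x}.mx.{fqdn}"
        dist = int(fields[3]) if len(fields) > 3 and fields[3] else 0
        recs.append(Record("MX", fqdn, host, dist))
        if ip:
            recs.append(Record("A", host, ip))
    else:
        raise ValueError(f"unsupported tinydns line type {kind!r}: {line}")
    return recs


def to_english(rec: Record) -> str:
    """State what one record means."""
    if rec.rtype == "NS":
        return f"{rec.name} has a name server {rec.value}"
    if rec.rtype == "A":
        return f"{rec.value} is the IP address of {rec.name}"
    if rec.rtype == "SOA":
        return f"{rec.value} is the primary name server for {rec.name}"
    return f"{rec.name} has a mail exchanger {rec.value} at distance {rec.dist}"


def describe(data: str) -> List[str]:
    """English sentences for every record in a tinydns data file."""
    return [to_english(r) for line in data.splitlines() for r in parse_line(line)]


# The stoneport data file shown on this page.
STONEPORT_DATA = """\
.yp.to:131.193.178.181:a
.yp.to:131.193.178.160:b
+cr.yp.to:131.193.178.160
@cr.yp.to:131.193.178.160:a
@list.cr.yp.to:131.193.178.160:a
"""

# Constructed from the diagram: what each authoritative server would serve,
# written as tinydns lines ("&com:192.5.6.30" is the root's referral, etc.).
SERVERS: Dict[str, str] = {
    "192.5.5.241": "&com:192.5.6.30:a",           # root server
    "192.5.6.30": "&cnn.com:149.174.213.151:a",   # .com server
    "149.174.213.151": "+cnn.com:64.236.24.4",    # cnn.com server
}


def resolve(name: str, root_ip: str = "192.5.5.241",
            max_hops: int = 8) -> Tuple[Optional[str], List[str]]:
    """Look up an address the way the cache on forcewall does: ask a root
    server, follow each referral to the delegated server's glue address, and
    stop at an A answer. Returns (address or None, servers asked in order).
    max_hops bounds the walk so a delegation loop cannot run the cache forever."""
    server, asked = root_ip, []
    for _ in range(max_hops):
        asked.append(server)
        recs = [r for line in SERVERS.get(server, "").splitlines()
                for r in parse_line(line)]
        answers = [r.value for r in recs if r.rtype == "A" and r.name == name]
        if answers:
            return answers[0], asked
        # Follow the most specific delegation that covers the queried name.
        covering = [r for r in recs if r.rtype == "NS"
                    and (name == r.name or name.endswith("." + r.name))]
        if not covering:
            return None, asked          # this server knows nothing useful
        best = max(covering, key=lambda r: len(r.name))
        glue = [r.value for r in recs if r.rtype == "A" and r.name == best.value]
        if not glue:
            return None, asked          # referral without glue: cannot follow offline
        server = glue[0]
    return None, asked                  # hop limit reached


if __name__ == "__main__":
    for sentence in describe(STONEPORT_DATA):
        print(sentence)
    print(resolve("cnn.com"))
```

Running it prints the eleven records behind the five data lines and the referral path 192.5.5.241, 192.5.6.30, 149.174.213.151 ending in 64.236.24.4, which is exactly the three exchanges drawn in the diagram. The hop limit and the glue check are the two places where a real cache protects itself: without them a self-referencing delegation or a referral with no address would keep the resolver chasing.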