Farsight TXT Record

The Magic of SRV Records

Published on: Mar 28, 2016

Introduction

Some DNS record types are very common, including (but not limited to):

Record Type   Function
A             Maps domain name to IPv4 address
AAAA          Maps domain name to IPv6 address
CNAME         Maps one domain to another
NS            Defines a domain's name server
PTR           Maps an IP address to a domain name
MX            Defines a domain's mail exchanger
TXT           Returns some specified text content

Another DNS record type, one that’s less common and less well known, is the SRV record. SRV records are defined in RFC 2782 from February 2000, co-authored by Farsight’s very own Dr. Paul Vixie.

Overview / Review

SRV records are found at standardized names (_servicename._protocol.domain), and define both the port number and the domain name used by a service. For example, SRV records for some popular Google services look like:

_imaps._tcp.gmail.com. 86400 IN SRV 5 0 993 imap.gmail.com.

_submission._tcp.gmail.com. 86400 IN SRV 5 0 587 smtp.gmail.com.

_caldavs._tcp.gmail.com. 86400 IN SRV 5 0 443 calendar.google.com.

In this case, the port numbers are the “expected ones” for the respective services, but that may not always be true. SRV records allow sites to redefine services for delivery over an alternative port if that’s locally necessary or desirable.

There may be multiple SRV records for a given service at a given domain. In that case, the priority values associated with the SRV records will be used to determine which record gets tried first. The lowest numeric values have the highest priority and get tried first.

_jabber._tcp.gmail.com. 900 IN SRV 5 0 5269 xmpp-server.l.google.com.
_jabber._tcp.gmail.com. 900 IN SRV 20 0 5269 alt1.xmpp-server.l.google.com.
_jabber._tcp.gmail.com. 900 IN SRV 20 0 5269 alt2.xmpp-server.l.google.com.
_jabber._tcp.gmail.com. 900 IN SRV 20 0 5269 alt3.xmpp-server.l.google.com.
_jabber._tcp.gmail.com. 900 IN SRV 20 0 5269 alt4.xmpp-server.l.google.com.

SRV records also have the ability to use weights (see RFC 2782 at page 2 and at page 4). The original intent for the weight field is that if you had one machine that was three times as powerful as one of your other systems, you could reflect that in the SRV record weights, allowing those systems to be more efficiently utilized. In reality, as is often the case, all servers are interchangeable/equally powerful, and the weight field is just set to zero/isn’t really used.
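
The priority and weight rules above, as an added example (not code from the original article or from Farsight): it parses the _jabber._tcp.gmail.com records shown on this page and returns the order in which a client following the RFC 2782 selection algorithm would try them. It goes beyond the page's all-zero weights by also handling non-zero weights and the RFC's "." target; the function names parse_srv and connection_order are this example's own.

```python
import random

# The _jabber._tcp.gmail.com RRset shown on the page, one record per line.
JABBER_RRSET = """\
_jabber._tcp.gmail.com. 900 IN SRV 5 0 5269 xmpp-server.l.google.com.
_jabber._tcp.gmail.com. 900 IN SRV 20 0 5269 alt1.xmpp-server.l.google.com.
_jabber._tcp.gmail.com. 900 IN SRV 20 0 5269 alt2.xmpp-server.l.google.com.
_jabber._tcp.gmail.com. 900 IN SRV 20 0 5269 alt3.xmpp-server.l.google.com.
_jabber._tcp.gmail.com. 900 IN SRV 20 0 5269 alt4.xmpp-server.l.google.com.
"""


def parse_srv(line):
    """Parse one presentation-format SRV line into (priority, weight, port, target)."""
    fields = line.split()
    if len(fields) != 8 or fields[2] != "IN" or fields[3] != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    priority, weight, port = (int(f) for f in fields[4:7])
    if not all(0 <= n <= 65535 for n in (priority, weight, port)):
        raise ValueError(f"field out of 16-bit range: {line!r}")
    return priority, weight, port, fields[7]


def connection_order(rrset_text, rng=None):
    """Return [(target, port), ...] in the order an RFC 2782 client tries them."""
    rng = rng or random.Random()
    records = [parse_srv(ln) for ln in rrset_text.splitlines() if ln.strip()]
    # A lone record with target "." means the service is not offered at all.
    if len(records) == 1 and records[0][3] == ".":
        return []
    order = []
    for priority in sorted({r[0] for r in records}):  # lowest number first
        group = [r for r in records if r[0] == priority]
        rng.shuffle(group)                    # RFC: "any order" ...
        group.sort(key=lambda r: r[1] != 0)   # ... except weight 0 goes first
        while group:
            pick = rng.randint(0, sum(r[1] for r in group))
            running = 0
            for i, (_, weight, port, target) in enumerate(group):
                running += weight
                if running >= pick:           # first running sum >= pick wins
                    order.append((target, port))
                    del group[i]
                    break
    return order


if __name__ == "__main__":
    for target, port in connection_order(JABBER_RRSET):
        print(f"{target}:{port}")
```

With the records from the page, xmpp-server.l.google.com is always tried first (priority 5), and the four priority-20 alternates follow in random order because their weights are all zero.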

Got A SRV Record? That’s Really Just The First Step

It may be self-obvious, but mapping the domains mentioned in SRV records down to an actual IPv4 or actual IPv6 address will require additional processing. That is, after retrieving an SRV record, you need additional work to actually get an IP address. For example, _imaps._tcp.gmail.com uses an SRV record to point at imap.gmail.com, which we can then go on to resolve to:

imap.gmail.com. 79 IN CNAME gmail-imap.l.google.com.
gmail-imap.l.google.com. 254 IN A 173.194.203.109
gmail-imap.l.google.com. 254 IN A 173.194.203.108

imap.gmail.com. 252 IN CNAME gmail-imap.l.google.com.
gmail-imap.l.google.com. 127 IN AAAA 2607:f8b0:400e:c04::6d

Occasional Confusion When SRV Records End Up Getting Used

Because most people don’t even know that SRV records exist, it is common for there to be confusion if a site uses them.

If manually chasing SRV records with dig or similar tools, you need to explicitly ask to see the SRV records. For instance, if you discovered the name _xmpp-client._tcp.arin.net and attempted to resolve it, you’d see:

$ dig +short _xmpp-client._tcp.arin.net
[nothing]

You need to explicitly ask to be told about SRV records, instead:

$ dig +short _xmpp-client._tcp.arin.net SRV
5 0 5222 jabber.arin.net.

$ dig +short jabber.arin.net
192.149.252.4
$ dig +short jabber.arin.net AAAA
2001:500:4:13::4

DNSDB Robustness

SRV is at the core of Farsight’s robustness for uploads and site-to-site data transfer. The wrapsrv tool takes a simple TCP host connection and lets an administrator leverage SRV records to add opportunities to retry after failures. The wrapsrv tool is part of the sie-passivedns-sensor code.

Finding SRV Records in DNSDB

If you use DNSDB, many SRV records can be found. For example, if a user who has API access to DNSDB wanted to find Active Directory domain controllers, he could look for _ldap._tcp.pdc._msdcs.domain names with the command:

$ dnsdb_query.py -l 1000000 -r _ldap._tcp.pdc._msdcs.\*/SRV > active-directory.txt

That command returns over 5,000 known Active Directory domain controllers from over 2,000 unique effective top level domains. If all those AD domain controllers are in fact Internet accessible, that would be a potential source of concern since many Microsoft users believe that it is “not a good idea” to expose AD domain controllers on public networks unless it is absolutely necessary.

Joe St Sauver, Ph.D. is a Scientist with Farsight Security, Inc.