The Magic of SRV Records
Introduction
Some DNS record types are very common, including (but not limited to):
Record Type Function A Maps domain name to IPv4 address AAAA Maps domain name to IPv6 address CNAME Maps one domain to another NS Defines a domain's name server PTR Maps an IP address to a domain name MX Defines a domain's mail exchanger TXT Returns some specified text content
Another DNS record type, one that’s less-common/less-well-known is the SRV record. SRV records are defined in RFC 2782 from February 2000, co-authored by Farsight’s very own Dr. Paul Vixie.
Overview / Review
SRV records are found at standardized names (_servicename._protocol.domain
),
and define both the port number and the domain name used by a service. For
example, SRV records for some popular Google services look like:
_imaps._tcp.gmail.com. 86400 IN SRV 5 0 993 imap.gmail.com. _submission._tcp.gmail.com. 86400 IN SRV 5 0 587 smtp.gmail.com. _caldavs._tcp.gmail.com. 86400 IN SRV 5 0 443 calendar.google.com.
In this case, the port numbers are the “expected ones” for the respective services, but that may not always be true. SRV records allow sites to redefine services for delivery over an alternative port if that’s locally necessary or desirable.
There may be multiple SRV records for a given service at a given domain. In that case, the priority values associated with the SRV record will be used to determine which record gets tried first. Lowest numeric values have the highest priority/get tried first.
_jabber._tcp.gmail.com. 900 IN SRV 5 0 5269 xmpp-server.l.google.com. _jabber._tcp.gmail.com. 900 IN SRV 20 0 5269 alt1.xmpp-server.l.google.com. _jabber._tcp.gmail.com. 900 IN SRV 20 0 5269 alt2.xmpp-server.l.google.com. _jabber._tcp.gmail.com. 900 IN SRV 20 0 5269 alt3.xmpp-server.l.google.com. _jabber._tcp.gmail.com. 900 IN SRV 20 0 5269 alt4.xmpp-server.l.google.com.
SRV records also have the ability to use weights (see RFC2782 at page 2 and at page 4). The original intent for the weight field is that if you had one machine that was three times as powerful as one of your other systems, you could reflect that in the SRV record weights, allowing those systems to be more efficiently utilized. In reality, as is often the case, all servers are interchangeable/equally powerful, and the weight field is just set to zero/isn’t really used.
Got A SRV Record? That’s Really Just The First Step
It may be self-obvious, but mapping the domains mentioned in SRV records down
to an actual IPv4 or actual IPv6 address will require additional processing.
That is, after retrieving an SRV record, you need additional work to actually
get an IP address. For example, _imaps._tcp.gmail.com
uses a SRV record to
point at imap.gmail.com
, which we can then go on to resolve to:
imap.gmail.com. 79 IN CNAME gmail-imap.l.google.com. gmail-imap.l.google.com. 254 IN A 173.194.203.109 gmail-imap.l.google.com. 254 IN A 173.194.203.108 imap.gmail.com. 252 IN CNAME gmail-imap.l.google.com. gmail-imap.l.google.com. 127 IN AAAA 2607:f8b0:400e:c04::6d
Occasional Confusion When SRV Records End Up Getting Used
Because most people don’t even know that SRV records exist, it is common for there to be confusion if a site uses them.
If manually chasing SRV records with dig
or similar tools, you need to
explicitly ask to see the SRV records. For instance, if you discovered the
name _xmpp-client._tcp.arin.net
and attempted to resolve it, you’d see:
$ dig +short _xmpp-client._tcp.arin.net [nothing]
You need to explicitly ask to be told about SRV records, instead:
$ dig +short _xmpp-client._tcp.arin.net SRV 5 0 5222 jabber.arin.net. $ dig +short jabber.arin.net 192.149.252.4 $ dig +short jabber.arin.net AAAA 2001:500:4:13::4
DNSDB Robustness
SRV is at the core of Farsight’s robustness for uploads and site to site data
transfer. The tool wrapsrv
allows
anyone to take a simple TCP host connection and enables an administrator to
leverage SRV records to add opportunities to retry after failures. The
wrapsrv
tool is part of the sie-passivedns-sensor
code.
Finding SRV Records in DNSDB
If you use DNSDB, many SRV records can be found. For example, if a user who
has API access to DNSDB wanted to find Active Directory domain controllers, he
could look for _ldap._tcp.pdc._msdcs.domain
names with the command:
$ dnsdb_query.py -l 1000000 -r _ldap._tcp.pdc._msdcs.\*/SRV > active-directory.txt
That command returns over 5,000 known Active Directory domain controllers from over 2,000 unique effective top level domains. If all those AD domain controllers are in fact Internet accessible, that would be a potential source of concern since many Microsoft users believe that it is “not a good idea” to expose AD domain controllers on public networks unless it is absolutely necessary.
Joe St Sauver, Ph.D. is a Scientist with Farsight Security, Inc.