2. DOMAIN NAME SYSTEM
• What is DNS?
  • Internet Directory Service
  • A client-server application that maps host names into their corresponding IP addresses
  • Mapping host names into their corresponding IP addresses is called name resolution (also name translation, name mapping or address resolution)
• Why do we use names instead of IP numbers?
  • IP addresses are difficult to remember
  • IP addresses can change
• Problem: the network only understands numeric addresses
• Solution:
  • Use alphanumeric names to refer to hosts
  • Add a distributed, hierarchical protocol (called DNS) to map between alphanumeric host names and IP addresses
3. HISTORY
• Using a name as a more human-legible abstraction of a machine's numerical address on the network predates even TCP/IP
  • It goes all the way back to the ARPAnet era
• Back then, however, a different system was used, as DNS was only invented in 1983, shortly after TCP/IP was deployed.
• With the older system, each computer on the network retrieved a file called HOSTS.TXT from a computer at SRI (now SRI International).
  • The HOSTS.TXT file mapped numerical addresses to names.
• A hosts file still exists on most modern operating systems, either by default or through configuration
  • It allows users to specify an IP address (e.g. 192.0.34.166) to use for a hostname (e.g. www.example.net) without checking DNS.
  • Nowadays, the hosts file serves primarily for troubleshooting DNS errors or for mapping local addresses to more organic names
• Systems based on a hosts file have inherent limitations
  • The obvious one: every time a given computer's address changed, every computer that seeks to communicate with it would need an update to its hosts file
• On Windows the hosts file lives in C:\WINDOWS\system32\drivers\etc
4. NAME SPACE
• IP addresses are unique → host names must be unique
• How to manage this large number of names? Where?
• Centralized? → inefficient & unreliable. Why?
  • Heavy traffic because of requests from all over the world
  • A failure makes the data unavailable
  • Hard to maintain
• Thus, the DNS record database is distributed.
5. NAME SPACE
• Solution:
  • Each name is made of several parts (hierarchical)
  • Each part is called a label
• Names are defined on a tree structure with the root at the top
  • This is called a hierarchical name space
  • Each node has a label
• DNS requires that the children of a node (nodes that branch from the same node) have different labels, to guarantee uniqueness
  • This allows the control of name assignment to be decentralized
• A central authority, IANA, assigns the part of the name that defines the nature of the organization (com, net, org, IN, …) and its name (IEEE, Intel, Microsoft, Google, …)
6. THE DNS NAME SPACE
• The Internet is divided into more than 200 top-level domains
• Domain: a subtree of the domain name space, consisting of a group of hosts that are under the administrative control of a single entity such as a company or a government agency.
• Each domain is subdivided into subdomains
• The leaves represent domains that have no subdomains
• A leaf domain may contain a single host, or represent a company with thousands of hosts
Figure: a portion of the Internet domain name space, showing the top-level domains.
7. DOMAIN
• A domain is a subtree of the domain name space
• The root node has an empty label
• A domain is divided into sub-domains
• The domain name is the domain name of the node at the top of the subtree
Figure: a domain divided into sub-domains.
8. HIERARCHY OF NAME SERVERS
• Where is the information contained in the domain name space stored?
• DNS is a distributed database system
  • It uses a large number of computers called name servers
  • They are organized in a hierarchical way and distributed all over the world
  • No single host has all the exact mappings for all the hosts in the Internet
Figure: hierarchy of name servers; each server knows about all the names below it.
9. DNS QUERY
• DNS works on the well-known port 53 to serve requests and uses either the UDP or the TCP protocol
• DNS Message
  • Each message has the same generic format with 5 sections.

  Section     Meaning/Use
  Section 1   Message header
  Section 2   The DNS question being asked
  Section 3   The Resource Record(s) which answer the question
  Section 4   The Resource Record(s) which point to the domain authority
  Section 5   The Resource Record(s) which may hold additional information
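The five-section layout above, as an added example that is not part of the slides: the code builds a query (header plus question) for mail.google.com, turns it into a response with one A record in section 3, and parses both. It follows the RFC 1035 wire format; the transaction ID, the address 173.194.115.22 (from the later slides) and the TTL are constructed sample values. The name decoder follows compression pointers and refuses pointer loops, which is where naive parsers fail on hostile input.

```python
"""Build and parse the 12-byte DNS header, the question section and one answer RR.
Added example (not from the slides); layout per RFC 1035 section 4."""
import struct

QTYPE_A, QCLASS_IN = 1, 1

def encode_name(name: str) -> bytes:
    """Encode 'mail.google.com' as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname: str, qtype: int = QTYPE_A, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Section 1 (header) + section 2 (question); sections 3-5 are empty in a query."""
    flags = 0x0100 if rd else 0                        # QR=0, OPCODE=0, RD is bit 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QD=1, AN=NS=AR=0
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)

def parse_header(msg: bytes) -> dict:
    """Decode the fixed header: id, flag bits of interest and the four section counts."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "rcode": flags & 0x000F, "questions": qd, "answers": an,
            "authority": ns, "additional": ar}

def decode_name(msg: bytes, offset: int):
    """Decode a name at `offset`, following compression pointers (0xC0xx). Returns the
    name and the offset just past the name as it appears at the original position."""
    labels, jumps, end = [], 0, None
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past the end of the message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if end is None:
                end = offset + 2                       # the name occupies 2 bytes here
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumps += 1
            if jumps > 16:                             # hostile input: pointer loop
                raise ValueError("too many compression pointers")
            continue
        offset += 1
        if length == 0:
            break
        if offset + length > len(msg):
            raise ValueError("label runs past the end of the message")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_question(msg: bytes) -> dict:
    """Section 2 starts right after the header: QNAME, QTYPE, QCLASS."""
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"qname": qname, "qtype": qtype, "qclass": qclass}

def build_answer(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Turn a query into a response with one A record in section 3; the RR's owner name
    is a compression pointer back to the question name at offset 12."""
    txid, flags, qd, _, ns, ar = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, flags | 0x8000, qd, 1, ns, ar)   # QR=1, AN=1
    rdata = bytes(int(o) for o in ipv4.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + rr

def parse_first_answer(msg: bytes) -> dict:
    """Decode the first RR of section 3 (assumes a single question, as in the slides)."""
    _, off = decode_name(msg, 12)
    off += 4                                           # skip QTYPE and QCLASS
    owner, off = decode_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    rdata = msg[off + 10:off + 10 + rdlen]
    addr = ".".join(str(b) for b in rdata) if rtype == QTYPE_A else rdata
    return {"owner": owner, "type": rtype, "ttl": ttl, "address": addr}

if __name__ == "__main__":
    q = build_query("mail.google.com")
    print(parse_header(q), parse_question(q))
    print(parse_first_answer(build_answer(q, "173.194.115.22")))
```

The same header parser works on real traffic captured with tcpdump or on a socket read, because nothing here depends on the constructed values; the pointer-loop guard is the check to keep when extending it to parse full responses.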
10. DNS RECORD TYPES
• DNS internal types
  • Authority: NS, SOA (list the names of the name servers and the Start Of Authority of the zone)
  • DNSSEC: DS, DNSKEY, RRSIG, NSEC (used for DNSSEC)
  • Meta types: OPT, TSIG, TKEY, SIG(0) (not stored in DNS zones; they transfer information between DNS nodes)
  • Indirect: CNAME, DNAME (indirect types cause the resolver to change the direction of its search; the server must have special processing code)
• Terminal RRs:
  • Address records: A, AAAA
  • Informational: TXT, HINFO, KEY, SSHFP, … (carry information to applications)
• Non-terminal RRs: MX, SRV, PTR, KX, A6, NAPTR, AFSDB
  • Contain domain names that may lead to further queries.
11. DNS RECORD TYPES
The "A" record
• The "Address" record
• One or more A records normally define a host
• Contains an IPv4 address (the address computers use to uniquely identify each other on the Internet)
• E.g. the record:
    www    IN    A    127.0.0.1
  in the example.com domain defines the host uniquely identifiable as "www.example.com" to be reachable at the IPv4 address 127.0.0.1
The "CNAME" record
• A CNAME defines an alias
• The alias is then resolved; if another CNAME is encountered, the process continues until an A record is found
• E.g. the record:
    mail    CNAME    ghs.google.com.
  in the charusat.ac.in domain defines the name uniquely identifiable as "mail.charusat.ac.in" to be an alias of "ghs.google.com"
12. DNS RECORD TYPES
The "MX" record
• An MX record defines the mail servers for a particular domain
• Mail exchange records hold the names of the hosts able to deliver mail for the domain, and their priorities.
• E.g. the record:
    example.com.    MX    10    mail
  in the example.com domain defines the host mail to be the priority 10 mail server for the "example.com" domain
The "NS" record
• An NS record defines the authoritative name servers for the domain.
• The "Name Server" records also define the name servers of child domains
• E.g. the record:
    internal    NS    ns1.example.com.
  in the example.com domain defines the host "ns1.example.com" to be a name server for the "internal.example.com" sub-domain
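The record kinds on slides 11 and 12 (A, CNAME, MX, NS), as an added example rather than the slides' own material: a small parser for zone lines in the `owner [IN] TYPE rdata` shape shown above, plus the CNAME-following step the slide describes. The zone text is constructed (192.0.2.0/24 is the documentation range) and deliberately contains a CNAME loop, so the resolver shows how to stop instead of following aliases forever; `$ORIGIN` expansion and the absence of a TTL column are assumptions of this toy, not general zone-file rules.

```python
"""Parse A/CNAME/MX/NS zone records and follow CNAME aliases to an address.
Added example, not from the slides; the zone text is constructed."""

ZONE_TEXT = """
$ORIGIN example.com.
www       IN  A      192.0.2.10
web       IN  CNAME  www
portal    IN  CNAME  web
loop1     IN  CNAME  loop2       ; deliberately broken: loop1 -> loop2 -> loop1
loop2     IN  CNAME  loop1
@         IN  MX     10 mail
@         IN  MX     20 mail2.example.net.
mail      IN  A      192.0.2.25
internal  IN  NS     ns1.example.com.
"""

def fqdn(name: str, origin: str) -> str:
    """Expand a relative owner or target against $ORIGIN; '@' means the origin itself."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text: str) -> dict:
    """Return {(owner, TYPE): [rdata fields, ...]}. Assumes 'owner [IN] TYPE rdata' lines
    with no TTL column, which is all the slide examples use."""
    origin, records = ".", {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        parts = line.split()
        owner = fqdn(parts[0], origin)
        if parts[1].upper() == "IN":                   # the class column is optional
            parts.pop(1)
        rtype, rdata = parts[1].upper(), parts[2:]
        if rtype in ("CNAME", "NS"):
            rdata = [fqdn(rdata[0], origin)]           # targets may be relative names
        elif rtype == "MX":
            rdata = [rdata[0], fqdn(rdata[1], origin)]
        records.setdefault((owner, rtype), []).append(rdata)
    return records

def resolve_a(records: dict, name: str, max_hops: int = 8) -> dict:
    """Follow CNAMEs until an A record, as the CNAME slide describes; a loop or an
    over-long chain raises instead of spinning forever."""
    chain = []
    while name not in chain and len(chain) < max_hops:
        chain.append(name)
        if (name, "A") in records:
            addrs = [r[0] for r in records[(name, "A")]]
            return {"name": name, "addresses": addrs, "chain": chain}
        cname = records.get((name, "CNAME"))
        if not cname:                                  # dangling alias or no such name
            return {"name": name, "addresses": [], "chain": chain}
        name = cname[0][0]
    raise ValueError("CNAME loop or chain too long: " + " -> ".join(chain + [name]))

def mail_servers(records: dict, domain: str) -> list:
    """MX hosts for a domain, lowest preference value (highest priority) first."""
    return sorted((int(pref), host) for pref, host in records.get((domain, "MX"), []))

if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    print(resolve_a(zone, "portal.example.com."))
    print(mail_servers(zone, "example.com."))
    print(zone[("internal.example.com.", "NS")])
```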
13. LEGAL USERS OF DOMAINS
• Registrant
  • Depending on the various naming conventions of the registries, legal users are commonly known as "registrants" or as "domain holders"
• ICANN holds a complete list of domain registries in the world
• For most of the more than 240 country code top-level domains (ccTLDs), the domain registries hold the authoritative WHOIS (registrant, name servers, expiry dates, etc.).
• However, some domain registries, such as those for .COM, .ORG, .INFO, etc., use a registry-registrar model
• Since about 2001, most gTLD registries (.ORG, .BIZ, .INFO) have adopted a so-called "thick" registry approach, i.e. keeping the authoritative WHOIS with the various registries instead of the registrars
14. RECURSIVE AND ITERATIVE QUERIES
• There are two types of queries:
  • Recursive queries
  • Iterative (non-recursive) queries
• The type of query is determined by a bit in the DNS query header
• Recursive query: when the name server of a host cannot resolve a query itself, the server issues further queries on the host's behalf until it can answer
• Iterative query: when the name server of a host cannot resolve a query, it sends the resolver a referral to another server
15. LOOKUP METHODS
Recursive query:
• The server goes out and searches for more info (recursive)
• It only returns the final answer or "not found"
Iterative query:
• The server responds with as much as it knows (iterative)
• "I don't know this name, but ask this server"
Workload impact on choice?
• The local server typically does recursive
• Root/distant servers do iterative
Figure: the requesting host (mail.google.com) sends a recursive query to its local DNS server (dns.google.com), which in turn sends iterated queries to the root name server, an intermediate name server and the authoritative name server; the figure numbers the messages 1-8.
16. DNS QUERY
• QNAME: mail.Google.com
• QCLASS: IN
• QTYPE: A
Figure: the stub resolver asks the recursive resolver for mail.Google.com A; the recursive resolver asks the root server (referral: ask the com NS), then the com server (referral: ask the google.com NS), then the google.com server, which answers mail.Google.com A 173.194.115.22; the recursive resolver returns that answer to the stub resolver.
17. 1- RECURSIVE RESOLUTION – EXAMPLE (CONTINUED)
In the previous example, the mapping is done as follows:
The host contacts the local name server to query for the IP address of host mail.Google.com
1. If the local name server does not have the answer in its cache or in its database, it contacts the root name server to query for the IP address of host mail.Google.com
2. If the root name server does not have the answer in its cache or in its database, it contacts the name server responsible for the .com domain (DNS.com) to query for the IP address of host mail.Google.com
3. If (DNS.com) does not have the answer in its cache or in its database, it contacts (DNS.Google.com), which has the IP address of host (mail.Google.com)
4. (DNS.Google.com) returns the answer to (DNS.com)
5. (DNS.com) returns the answer to the root name server
6. The root name server returns the answer to the local DNS server.
7. The local DNS server returns the answer to the host.
18. 2- ITERATIVE RESOLUTION – EXAMPLE (CONTINUED)
1- The host contacts the local name server to query for the IP address of host mail.Google.com
2- If the local name server does not have the answer in its cache or in its database, it replies to the host with the IP address of the root name server
3- The host contacts the root name server to query for the IP address of host mail.Google.com
4- If the root name server does not have the answer in its cache or in its database, it replies to the host with the IP address of the name server for the (.com) domain, which is (DNS.com)
5- The host contacts the name server (DNS.com) to query for the IP address of host mail.Google.com
6- If (DNS.com) does not have the answer in its cache or in its database, it replies to the host with the IP address of the name server DNS.Google.com, which is the local name server for the domain Google.com
7- The host contacts the name server (DNS.Google.com) to query for the IP address of host mail.Google.com
8- Since name server DNS.Google.com is the local name server for the Google.com domain, it replies to the host with the IP address of host mail.Google.com
19. HOW DNS WORKS
• A network host is configured with an initial cache (so-called hints) of the known addresses of the root name servers. Such a hint file is updated periodically by an administrator from a reliable source.
• A DNS zone is loaded on its authoritative servers,
  • which keep in sync using the information in the SOA RR, via AXFR, IXFR or other means.
• DNS caches only store data for a "short" time
  • defined by the TTL.
• DNS recursive resolvers start at the "longest match" on the query name that they have cached when looking for data, and follow delegations until an answer or a negative answer is received.
• DNS transactions are fast if servers are reachable.
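The two resolution walks of slides 14-18 and the caching behaviour of slide 19, as one added simulation that is not part of the slides: a constructed tree of name servers (root, the .com server the slides call DNS.com, and DNS.Google.com) answers with an address, a referral, or "no such name"; `iterative_resolve` lets the asker follow referrals, `recursive_resolve` lets each server do it on the asker's behalf, and `CachingResolver` plays the host's local server with root hints and a TTL cache. The server objects, the 16-hop bound and the address 173.194.115.22 are constructed sample values.

```python
"""Simulate recursive vs iterative resolution over a constructed name-server tree
(root -> com -> google.com), plus a local caching resolver that honours a TTL.
Added example, not from the slides."""
from dataclasses import dataclass, field

@dataclass
class NameServer:
    """An authoritative server: its zone, the A records it holds, and its delegations."""
    zone: str                                          # "" stands for the root zone
    records: dict = field(default_factory=dict)        # host name -> IPv4 string
    delegations: dict = field(default_factory=dict)    # child zone -> NameServer

    def query(self, qname: str):
        """Return ('answer', ip), ('referral', child_server) or ('nxdomain', None)."""
        if qname in self.records:
            return "answer", self.records[qname]
        best = None                                    # longest-matching delegation wins
        for child, server in self.delegations.items():
            if qname == child or qname.endswith("." + child):
                if best is None or len(child) > len(best[0]):
                    best = (child, server)
        return ("referral", best[1]) if best else ("nxdomain", None)

def build_tree() -> NameServer:
    """The slides' servers: root, DNS.com for .com, DNS.Google.com for google.com."""
    google = NameServer("google.com", records={"mail.google.com": "173.194.115.22"})
    com = NameServer("com", delegations={"google.com": google})
    return NameServer("", delegations={"com": com})

def iterative_resolve(start: NameServer, qname: str, trace: list):
    """Iterative mode: each server answers with as much as it knows ("ask this server");
    the asker follows the referrals itself."""
    server, hops = start, 0
    while hops < 16:                                   # bound the walk: no endless referral loops
        trace.append(f"ask {server.zone or 'root'}: {qname}?")
        kind, payload = server.query(qname)
        if kind != "referral":
            return kind, payload
        trace.append(f"  {server.zone or 'root'} refers to {payload.zone}")
        server, hops = payload, hops + 1
    return "servfail", None

def recursive_resolve(server: NameServer, qname: str, trace: list, depth: int = 0):
    """Recursive mode: a server that cannot answer asks the next server on the asker's
    behalf and returns only the final answer or 'not found'."""
    if depth > 16:
        return "servfail", None
    trace.append(f"{'  ' * depth}{server.zone or 'root'} resolving {qname}")
    kind, payload = server.query(qname)
    if kind == "referral":
        kind, payload = recursive_resolve(payload, qname, trace, depth + 1)
    trace.append(f"{'  ' * depth}{server.zone or 'root'} returns {kind}")
    return kind, payload

class CachingResolver:
    """The host's local server: starts from the root hint, resolves iteratively, and
    caches positive answers for `ttl` seconds (the slide's 'short time defined by TTL')."""
    def __init__(self, root_hint: NameServer, ttl: int = 300):
        self.root, self.ttl, self.cache = root_hint, ttl, {}

    def lookup(self, qname: str, now: float):
        """Return (kind, ip, from_cache); an expired entry is looked up again."""
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return "answer", hit[0], True
        kind, ip = iterative_resolve(self.root, qname, [])
        if kind == "answer":
            self.cache[qname] = (ip, now + self.ttl)
        return kind, ip, False

if __name__ == "__main__":
    root = build_tree()
    steps = []
    print(iterative_resolve(root, "mail.google.com", steps), *steps, sep="\n")
    steps = []
    print(recursive_resolve(root, "mail.google.com", steps), *steps, sep="\n")
```

Compare the two traces: in the iterative run every "ask" line comes from the host, which is the workload point slide 15 makes; in the recursive run the nesting shows each server waiting on the one below it.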
20. SECURITY ISSUES
• Some domain names can spoof other, similar-looking domain names.
  • For example, "paypal.com" and "paypa1.com" are different names, yet users may be unable to tell the difference when the user's typeface (font) does not clearly differentiate the letter l and the digit 1.
• DNS responses are traditionally not cryptographically signed, leading to many attack possibilities:
  • Cache poisoning
  • Denial of Service (DoS)
  • Masquerading
  • Client flooding
  • Information leakage
  • Compromise of the DNS server's authoritative data
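A defender's check for the look-alike problem the slide opens with (paypal.com vs paypa1.com), as an added example that is not part of the slides: each candidate domain's registrable label is reduced to a confusable-insensitive "skeleton" and compared against a protected brand list, so newly observed names that imitate a brand can be flagged for review. The brand list, the small confusable table (digit/letter pairs plus a few Cyrillic look-alikes) and the sample domains are constructed; a production version would use the full Unicode confusables data and a public-suffix list instead of the single-label-TLD assumption here.

```python
"""Flag domain names visually confusable with a protected brand list.
Added example, not from the slides; tables and sample names are constructed."""
import unicodedata

# Single characters that ordinary fonts render much alike (the slide's 1 vs l, etc.),
# plus a few Cyrillic letters whose glyphs match Latin ones.
SINGLE = {"1": "l", "0": "o", "5": "s", "3": "e", "|": "l", "!": "i",
          "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
          "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i"}
CONFUSABLES = str.maketrans(SINGLE)
# Character pairs that read as one letter.
MULTI = [("rn", "m"), ("vv", "w"), ("cl", "d")]

def skeleton(label: str) -> str:
    """Reduce a label to a confusable-insensitive form (in the spirit of UTS #39 skeletons)."""
    s = label.lower().translate(CONFUSABLES)
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    for seq, rep in MULTI:
        s = s.replace(seq, rep)
    return s

def registrable_label(domain: str) -> str:
    """Second-level label ('paypa1' from 'www.paypa1.com'); single-label TLDs assumed."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_of(domain: str, brands):
    """Return the brand a domain imitates, or None for the genuine brand or an unrelated name."""
    label = registrable_label(domain)
    if label in brands:
        return None                                    # the real thing, not an imitation
    sk = skeleton(label)
    return next((b for b in brands if skeleton(b) == sk), None)

def scan(domains, brands) -> dict:
    """Map each suspicious domain to the brand it resembles; clean names are omitted."""
    hits = {}
    for d in domains:
        b = lookalike_of(d, brands)
        if b:
            hits[d] = b
    return hits

if __name__ == "__main__":
    brands = {"paypal", "google", "microsoft"}
    observed = ["paypal.com", "paypa1.com", "g00gle.com", "rnicrosoft.net", "example.com"]
    print(scan(observed, brands))
```

Feed it the names seen in outbound DNS logs or in newly registered domain feeds; the output is a review queue, not a verdict, since some skeleton collisions are legitimate.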
21. DNSSEC
• DNSSEC works by digitally signing records for DNS lookup using public-key cryptography. The correct DNSKEY record is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone, which is the trusted third party.
• DNSSEC modifies DNS to add support for cryptographically signed responses
• There are various extensions to support securing zone transfer information as well
• From the results of a DNS lookup, a security-aware DNS resolver can determine whether the authoritative name server for the domain being queried supports DNSSEC, whether the answer it receives is secure, and whether there is some sort of error. The lookup procedure is different for recursive name servers, such as those of many ISPs, and for stub resolvers, such as those included by default in mainstream operating systems.
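The chain of trust described above, walked in code as an added example that is not part of the slides: the resolver holds a trust anchor (a DS digest of the root DNSKEY), checks that each zone's DNSKEY hashes to the DS its parent published and signed, and finally checks the RRSIG over the leaf A record. The DS digest (SHA-256 over the owner name in wire form plus the DNSKEY RDATA) and the key-tag arithmetic follow RFC 4034; the zones, keys and the address 192.0.2.1 are constructed, and the signatures are a keyed-hash stand-in for RSA/ECDSA so the block runs with the standard library only (the verifier holding the signing key is therefore a property of the toy, not of DNSSEC).

```python
"""Walk a DNSSEC chain of trust over constructed zones (root -> com -> example.com).
Added example, not from the slides. DS digest and key tag follow RFC 4034; signatures
are a keyed-hash stand-in for real public-key signatures (see comments)."""
import copy
import hashlib
import hmac

CHAIN = [".", "com.", "example.com."]

def name_to_wire(name: str) -> bytes:
    """Canonical owner name: lowercase, length-prefixed labels, ending in the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes) | protocol (1 byte, always 3) | algorithm (1) | key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag; DS and RRSIG records use it to pick the right DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2 (SHA-256) over owner-name-in-wire-form || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

# Stand-in signature scheme (toy): the key bytes carried in the DNSKEY are used on both
# sides. Real DNSSEC uses RSA/ECDSA/EdDSA, where the zone keeps the private half and the
# DNSKEY publishes only the public half; the chain-walking logic below is unchanged.
def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)

def signed_data(rtype: str, owner: str, rdata: bytes) -> bytes:
    """What an RRSIG covers in this toy: the type, the canonical owner name and the RDATA."""
    return rtype.encode("ascii") + name_to_wire(owner) + rdata

def build_zones() -> dict:
    """Constructed zones: each publishes a KSK-style DNSKEY (flags 257, algorithm 13);
    parents publish and sign a DS for each child; the leaf zone signs one A record."""
    zones = {z: {"dnskey": dnskey_rdata(257, 13, f"toy-key-{z}".encode()),
                 "ds": {}, "rrsets": {}} for z in CHAIN}
    for parent, child in zip(CHAIN, CHAIN[1:]):
        ds = ds_digest(child, zones[child]["dnskey"])
        key = zones[parent]["dnskey"][4:]
        zones[parent]["ds"][child] = (ds, sign(key, signed_data("DS", child, ds)))
    a = bytes([192, 0, 2, 1])                          # 192.0.2.1, documentation prefix
    leaf = zones["example.com."]
    leaf["rrsets"][("www.example.com.", "A")] = (
        a, sign(leaf["dnskey"][4:], signed_data("A", "www.example.com.", a)))
    return zones

def trust_anchor(zones: dict) -> bytes:
    """The resolver's configured DS for the root (the slide's 'verified public keys')."""
    return ds_digest(".", zones["."]["dnskey"])

def verify_chain(zones: dict, anchor: bytes, owner: str, rtype: str):
    """Return the validated RDATA, or None if any link fails: each DNSKEY must hash to the
    DS vouched for above it, and each DS and the final RRSIG must verify."""
    expected_ds = anchor
    for parent, child in zip(CHAIN, CHAIN[1:] + [None]):
        zone = zones[parent]
        if ds_digest(parent, zone["dnskey"]) != expected_ds:
            return None                                # DNSKEY not vouched for by parent/anchor
        key = zone["dnskey"][4:]
        if child is None:
            break
        ds, sig = zone["ds"][child]
        if not verify(key, signed_data("DS", child, ds), sig):
            return None                                # altered or forged delegation
        expected_ds = ds
    rdata, sig = zones[CHAIN[-1]]["rrsets"][(owner, rtype)]
    return rdata if verify(key, signed_data(rtype, owner, rdata), sig) else None

def tampered(zones: dict) -> dict:
    """Copy of the zones in which the leaf A record was altered in transit (a poisoned
    answer); its RRSIG no longer matches, so validation must fail."""
    t = copy.deepcopy(zones)
    _, sig = t["example.com."]["rrsets"][("www.example.com.", "A")]
    t["example.com."]["rrsets"][("www.example.com.", "A")] = (bytes([198, 51, 100, 7]), sig)
    return t

if __name__ == "__main__":
    zones = build_zones()
    anchor = trust_anchor(zones)
    print("genuine :", verify_chain(zones, anchor, "www.example.com.", "A"))
    print("tampered:", verify_chain(tampered(zones), anchor, "www.example.com.", "A"))
    print("key tag of example.com DNSKEY:", key_tag(zones["example.com."]["dnskey"]))
```

The decision a validating resolver makes is the return value: RDATA means "secure", None means "bogus", and the slide's third state (an unsigned zone, "insecure") would be represented by a parent that publishes no DS for the child, which this toy does not model.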