The basics. Karst Koymans. Tuesday, September 13, 2016

Transcription

1 .. DNS The basics Karst Koymans Informatics Institute University of Amsterdam (version 16.6, 2016/09/16 12:18:40) Tuesday, September 13, 2016 Karst Koymans (UvA) DNS Tuesday, September 13, / 68

2 .1 DNS: basic ideas and functionality.2 A short history of DNS.3 Basic concepts.4 Delegation.5 Root servers.6 Lookups Karst Koymans (UvA) DNS Tuesday, September 13, / 68

3 DNS: basic ideas and functionality Outline.1 DNS: basic ideas and functionality.2 A short history of DNS.3 Basic concepts.4 Delegation.5 Root servers.6 Lookups Karst Koymans (UvA) DNS Tuesday, September 13, / 68

4 DNS: basic ideas and functionality Specification versus implementations DNS (Domain Name System) Specification Concepts Theory BIND (Berkeley Internet Name Domain) Server implementation Software Practice Other implementations NSD/Unbound, PowerDNS, djbdns(tinydns),... Karst Koymans (UvA) DNS Tuesday, September 13, / 68

5 DNS: basic ideas and functionality Primary use case Finding IP addresses Starting with a domain name (human form) Translating to an IP address (machine form) What is the IP address of Client asks server Server responds with answer... case closed? Karst Koymans (UvA) DNS Tuesday, September 13, / 68

6 DNS: basic ideas and functionality Secondary use case routing Where to deliver for The domain os3.nl is an aggregate and might not have an IP address (in fact it has, but shouldn t) MX record is used to refer to smtp.os3.nl which has (and should have) an IP address What about for subdomains? What about other services? Karst Koymans (UvA) DNS Tuesday, September 13, / 68

7 DNS: basic ideas and functionality Important entities in DNS Source: Niels Sijm, CIA lecture Karst Koymans (UvA) DNS Tuesday, September 13, / 68

8 DNS: basic ideas and functionality First architectural option: centralized Define a protocol for HOSTS.TXT access One single DNS server: Simple: one place for all your questions! SPoF (Single Point of Failure) and bottleneck Multiple DNS servers: , , ,... Simple: multiple predefined places for all your questions! Easy to remember, easy to use, resilient to network failures. Scaling issues Easy for 10 hosts; impossible for 1,000,000,000 hosts Also the network traffic does not scale Administration of database becomes infeasible too Karst Koymans (UvA) DNS Tuesday, September 13, / 68

9 DNS: basic ideas and functionality Second architectural option: decentralized Use a hierarchy instead of one big flat master file Solves all of your scaling issues Need to tweak protocol to redirect questions Seems simple, introduces quite some challenges (and issues) How to split up the database? Use subdomain to split up database? Use the first letter of a domain name? Create a cryptographical hash and use first octet? Use /dev/random and remember the outcome?... Karst Koymans (UvA) DNS Tuesday, September 13, / 68

10 DNS: basic ideas and functionality Third architectural option: distributed Not a hierarchy but an unmanaged network Who owns what part of the database? Distributed Hash Table (DHT) works well in practice Works for P2P networks, BitCoins, CDNs and Skype... Authority problems Can you hijack a part of the database as in a DHT? What if a node goes down? How to duplicate information? How to redirect questions? How to keep information up-to-date? Karst Koymans (UvA) DNS Tuesday, September 13, / 68

11 DNS: basic ideas and functionality DNS s choice Decentralized and hierarchical architecture Subdomains creating new zones are delegation points Delegation of authority is done in-band Delegation information is put in the database itself which turned out problematic afterwards Karst Koymans (UvA) DNS Tuesday, September 13, / 68

12 DNS: basic ideas and functionality First way of resolving in a decentralized network Recursive (would put too much load on the root server) Source: Niels Sijm, CIA lecture Karst Koymans (UvA) DNS Tuesday, September 13, / 68

13 DNS: basic ideas and functionality Second way of resolving in a decentralized network Iterative (scales nicely) Source: Niels Sijm, CIA lecture Karst Koymans (UvA) DNS Tuesday, September 13, / 68

14 A short history of DNS Outline.1 DNS: basic ideas and functionality.2 A short history of DNS.3 Basic concepts.4 Delegation.5 Root servers.6 Lookups Karst Koymans (UvA) DNS Tuesday, September 13, / 68

15 A short history of DNS December 1973 HOSTS.TXT (RFC 606) November 1983 DNS invented (RFC 882) October 1984 TLDs defined (RFC 920) Karst Koymans (UvA) DNS Tuesday, September 13, / 68

16 A short history of DNS RFC 920, October 1984 Section Initial Set of Top Level Domains (gtlds) gtld stands for gemeric Top Level Domain.ARPA ( temporary ) Categories.GOV.EDU.COM.MIL.ORG Countries: At first, later to become cctlds Multiorganizations: At first (now obsolete) Karst Koymans (UvA) DNS Tuesday, September 13, / 68

17 A short history of DNS RFC 920, definition of country code. Countries. The English two letter code identifying a country according to the ISO Standard for Codes for the Representation of. Names of Countries : ISO alpha-2. Karst Koymans (UvA) DNS Tuesday, September 13, / 68

18 A short history of DNS RFC 920, definition of multiorganization. Multiorganizations. A multiorganization may be a top level domain if it is large, and is composed of other organizations; particularly if the multiorganization can not be easily classified into. one of the categories and is international in scope. Karst Koymans (UvA) DNS Tuesday, September 13, / 68

19 A short history of DNS January 1985 SRI runs DNS service Stanford Research Institute is a not for profit organisation SRI-NIC, in cooperation with IANA.NET added to top level domains ( forgotten in RFC 920) Karst Koymans (UvA) DNS Tuesday, September 13, / 68

20 A short history of DNS July 1985 cctlds established.us (February 15, 1985).UK,.GB (July 24, 1985).AU (March 5, 1986).NL (April 25, 1986).JP (August 5, 1986) Karst Koymans (UvA) DNS Tuesday, September 13, / 68

21 A short history of DNS November 1987 DNS Specification STD 13 (IETF standard), RFC 1034, RFC 1035 November 1988.INT domain established May 1991 DISA (Defense Information Systems Agency) transfers the DDN (Defense Data Network) NIC contract from SRI International to Government Systems Inc. (GSI) Karst Koymans (UvA) DNS Tuesday, September 13, / 68

22 A short history of DNS April 1993 InterNIC starts, initiated by NSF and operated by NSI (Network Solutions Inc.) and AT&T June 1994 Commercial use becomes dominant September 1995 Charging for domain name registration starts Karst Koymans (UvA) DNS Tuesday, September 13, / 68

23 A short history of DNS Start planning for competition. On July 1, 1997, as part of the Administration s Framework for Global Electronic Commerce, the President directed the Secretary of Commerce to privatize the management of the domain name system (DNS) in a manner that increases competition and facilitates international participation in its. management. Source: MoU (Memorandum of Understanding; November 1998) 1 1 Also see RFC 2860 (June 2000) Karst Koymans (UvA) DNS Tuesday, September 13, / 68

24 A short history of DNS 1998 November 1998 Start of ICANN Internet Corporation for Assigned Numbers and Names Responsibilities IP address assignment, via ASO Address Supporting Organization Internet domain names, via GNSO and ccnso Generic Names Supporting Organization Country Code Names Supporting Organization Protocol parameters and port numbers, supported by IANA Internet Assigned Numbers Authority Karst Koymans (UvA) DNS Tuesday, September 13, / 68

25 A short history of DNS More TLDs http: //newgtlds.icann.org/en/program-status/delegated-strings IDNs (Internationalized Domain Names) Many more gtlds, including grtlds (generic-restricted;.name,.pro,.biz) stlds (sponsored Top Level Domains) Highly political Karst Koymans (UvA) DNS Tuesday, September 13, / 68

26 A short history of DNS 2012 now Unlimited TLDs (New gtld Program) GeoTLDs introduced DotBrand introduced gtlds and IDNs now have categories Commerce, Culture, Education, Food & Drink, Government, Health, Industry, Lifestyle, Media, Professional, Real Estate, Sport, Technology Even more political Karst Koymans (UvA) DNS Tuesday, September 13, / 68

27 Basic concepts Outline.1 DNS: basic ideas and functionality.2 A short history of DNS.3 Basic concepts.4 Delegation.5 Root servers.6 Lookups Karst Koymans (UvA) DNS Tuesday, September 13, / 68

28 Basic concepts DNS concepts Domain Name Space (Domain Name Tree) Resource Records (the data itself) Name Servers (server side) Resolvers (client side) Karst Koymans (UvA) DNS Tuesday, September 13, / 68

29 Basic concepts Domain names Nodes (internal and leaf) have a label (sequence of octets) root label is empty: (not or ) non-root labels must be non-empty labels are 0-63 octets long (only the root label has length 0) A domain name is a sequence of labels 2 specifying the labels on the path to the root and thus ending in the (empty) root label A domain is a domain name together with all domain names below it 2 in text representation separated by. (dot) with maximum length 254 Karst Koymans (UvA) DNS Tuesday, September 13, / 68

30 Basic concepts Where to put your slashes To slash or not to slash Compare domain names to pathnames in a filesystem Labels (filenames) separated by / (slash) Absolute versus relative pathnames Karst Koymans (UvA) DNS Tuesday, September 13, / 68

31 Basic concepts Where to put your dots To dot or not to dot Absolute domain (FQDN) mail.serv.os3.nl. Relative domain mail mail.serv machine.cs can (or is it could?) give problems Why? Karst Koymans (UvA) DNS Tuesday, September 13, / 68

32 Basic concepts Resource Records (RRs) owner (domain name) ttl (time to live (in cache)) class (IN, CH, HS,... ) Only IN is actively used CH is used with Chaosnet, an early LAN protocol HS implements the Hesiod lookup service type (A, AAAA, CNAME, DNAME, MX, NS, PTR, SOA, SRV,... ) resource data (depends on type) Karst Koymans (UvA) DNS Tuesday, September 13, / 68

33 Basic concepts Textual representation of Resource Records Differs between implementations Most well-known is BIND syntax owner [ttl] [class] type data ttl and class are optional and default to $TTL and IN Karst Koymans (UvA) DNS Tuesday, September 13, / 68

34 Basic concepts A record An A record (address record) translates a domain name to an IPv4 address mail.serv.os3.nl Multihomed hosts have several A records Routers may have multiple A records Example (assuming the $ORIGIN 3 is os3.nl.) mail.serv A BIND variable, but this idea is widely used Karst Koymans (UvA) DNS Tuesday, September 13, / 68

35 Basic concepts Example of multiple A records (os3.nl) router.studlab.os3.nl. A router.studlab.os3.nl. A router.studlab.os3.nl. A router.studlab.os3.nl. A router.studlab.os3.nl. A router.studlab.os3.nl. A router.studlab.os3.nl. A router.studlab.os3.nl. A in-addr.arpa. PTR router.studlab.os3.nl. Source: The domain name system ( T191940Z) Karst Koymans (UvA) DNS Tuesday, September 13, / 68

36 Basic concepts Example of multiple A records (phil.uu.nl) router.phil.uu.nl. CNAME frege.phil.uu.nl. frege.phil.uu.nl. A frege.phil.uu.nl. A frege.phil.uu.nl. A frege.phil.uu.nl. A frege.phil.uu.nl. A frege.phil.uu.nl. A frege.phil.uu.nl. A frege.phil.uu.nl. A frege.phil.uu.nl. A frege.phil.uu.nl. A in-addr.arpa. PTR frege.shrapnel.phil.uu.nl. Source: The domain name system (historic data) Karst Koymans (UvA) DNS Tuesday, September 13, / 68

37 Basic concepts AAAA record AAAA records are sometimes called quad-a records A quad-a record translates a domain name to an IPv6 address mail.serv.os3.nl. 2001:610:158:960::25 Many hosts have multiple AAAA records It is quite normal in IPv6 to belong to multiple subnets Example (assuming the $ORIGIN is os3.nl.) mail.serv AAAA 2001:610:158:960::25 Karst Koymans (UvA) DNS Tuesday, September 13, / 68

38 Basic concepts CNAME record A CNAME (canonical name) record defines an alias www-prd.cms.uva.nl. cms-prd- CNAME www-prd.cms.uva.nl. www-prd.cms.uva.nl. CNAME cms-prd- No other RRs are allowed Does not work for subdomains DNAME record proposed for that (see next slide) Example (assuming the $ORIGIN is os3.nl.) www CNAME info4u 4 4 This is now historic and has been replaced by a direct A record. Karst Koymans (UvA) DNS Tuesday, September 13, / 68

39 Basic concepts DNAME record A DNAME is used for non-terminal DNS Name Redirection Allows other RR types at the same owner except CNAME DNAME RRset not allowed to contain more than one element Synthesizes CNAME records for clients Wildcarded DNAME records should not be used Also called Delegation Name because of its use instead of NS records in certain cases (see RFC 6672, section 6.3) Example (assuming the $ORIGIN is nl.) ruu DNAME uu Karst Koymans (UvA) DNS Tuesday, September 13, / 68

40 Basic concepts MX record MX (Mail exchanger) record defines for a domain the mail servers for that domain and the order of their preference where lower precedence is more preferred MX must not point to a CNAME (or below a DNAME) Example (assuming the $ORIGIN is MX 0 MX 10 backup.somewhere.nl. Karst Koymans (UvA) DNS Tuesday, September 13, / 68

41 Basic concepts NS record NS (Name Server) record defines a cut (zone) Must list at least two name servers Makes DNS decentralized Delegates responsibility or authority NS record must not point to a CNAME (or below a DNAME) Example (assuming the $ORIGIN is NS NS NS ns1.zurich.surf.net. Karst Koymans (UvA) DNS Tuesday, September 13, / 68

42 Basic concepts PTR record A PTR (pointer) record literally points to a(n arbitrary) point in the DNS tree Mostly used for reverse lookup mail.serv.os3.nl. Lookup works via in-addr.arpa in-addr.arpa. (why not in-addr.arpa.?) Wasn t.arpa supposed to be temporary? Example (assuming the $ORIGIN is os3.nl.) in-addr.arpa. PTR mail.serv Karst Koymans (UvA) DNS Tuesday, September 13, / 68

43 Basic concepts SOA record An SOA (Start Of Authority) record administrates important zone parameters hostname of the (non-hidden) master server ns1.os3.nl. address (in dot form 5 ) of the person responsible hostmaster@os3.nl hostmaster.os3.nl. numerical parameters 5 Using an escaped dot if necessary: First\.Last.example.com. Karst Koymans (UvA) DNS Tuesday, September 13, / 68

44 Basic concepts Numerical SOA parameters ((former) recommended values) Parameter values (except Serial) are given in seconds Serial ( YYYYMMDDnn is a common convention) Refresh (86400 = 1 day) Retry (7200 = 2 hours) Expire ( = 1000 hours 40 days) Minimum ( = 2 days, historic... ) Properties of the SOA record as a whole The SOA record itself can have a low TTL Even 0 (don t cache) according to RFC 1035 Karst Koymans (UvA) DNS Tuesday, September 13, / 68

45 Basic concepts Numerical SOA params (OS3 example during IP migration) These values are quite low Serial ( ) Refresh (3600 = 1 hour) Retry (1800 = 30 minutes) Expire (21600 = 6 hours) Minimum (3600 = 1 hour, but... ) Karst Koymans (UvA) DNS Tuesday, September 13, / 68

46 Basic concepts SOA example (with modern, normal values) cwi.nl. SOA ns1.cwi.nl. hostmaster.cwi.nl. ( ;serial (version) ;refresh period (8 hours) 7200 ;retry interval (2 hours) ;expire time (1 week) ;"minimum" (12 hours) ) Karst Koymans (UvA) DNS Tuesday, September 13, / 68

47 Basic concepts Minimum Different interpretations Minimal TTL allowed (never used this way) Default TTL, if TTL not specified (BIND 8) TTL for caching negative replies (BIND 9) BIND 9 uses global $TTL for the default TTL Karst Koymans (UvA) DNS Tuesday, September 13, / 68

48 Basic concepts SRV record A SRV (service) record specifies the location of the services that a domain supports The format for the information about a certain Domainname uses Service. Proto.Domainname as the owner domain name Priority Weight Port Target as its resource data It is a typical generator of so-called empty non-terminals Like Proto.Domainname in the above case Example sip. tcp.example.com. SRV sip.example.com. Karst Koymans (UvA) DNS Tuesday, September 13, / 68

49 Basic concepts Resource Record sets (RRsets) An RRset is a grouping of a set of RRs with the same owner, class and type All RRs in an RRset must have the same TTL DNSSEC signs complete RRsets with RRSIG RRs Which might make the RRSIG RR an exception to the TTL rule :) But in fact the DNSSEC specification tells us they do not form a resource record set at all (RFC 4035, section 2.2) Karst Koymans (UvA) DNS Tuesday, September 13, / 68

50 Delegation Outline.1 DNS: basic ideas and functionality.2 A short history of DNS.3 Basic concepts.4 Delegation.5 Root servers.6 Lookups Karst Koymans (UvA) DNS Tuesday, September 13, / 68

51 Delegation Name servers and zones Zones are created by cuts (delegations) Cuts are defined by NS records inside parent zone non-authoritative by definition best interpreted as the edge leading to the child zone Glue A records sometimes needed When name servers for the delegation are in bailiwick Or in the more general case when name servers have circular dependencies and create bailiwick loops Karst Koymans (UvA) DNS Tuesday, September 13, / 68

52 Delegation Bootstrap issues Hint file for root server s A and AAAA RRs Glue for child zones Glue NS records Stub server automates this Glue A records (only for servers inside the child zone) Glue data is not authoritative unless the parent is also a (slave) server for the child zone Non-authoritative data should be replaced by authoritative data as soon as the latter becomes available Karst Koymans (UvA) DNS Tuesday, September 13, / 68

53 Delegation Name server types Master (primary) Slave (secondary) Stub (limited secondary) Stealth (secondary that is not listed) Lame (listed but not operating as secondary) Caching-only (never authoritative) Forward-only (using forwarders) Karst Koymans (UvA) DNS Tuesday, September 13, / 68

54 Root servers Outline.1 DNS: basic ideas and functionality.2 A short history of DNS.3 Basic concepts.4 Delegation.5 Root servers.6 Lookups Karst Koymans (UvA) DNS Tuesday, September 13, / 68

55 Root servers DNS structure Hierarchical tree its root is unnamed (unlabeled) in fact the root uses the empty label: Top Level Domains (TLDs) generic TLDs (gtlds) country code TLDs (cctlds)... TLDs Decentralized database Karst Koymans (UvA) DNS Tuesday, September 13, / 68

56 Root servers Root servers Status in 2001, according to ICANN official Michael Roberts 13 root servers Most of them located in the US (10) Nowadays there is a complete infrastructure with both global and local servers Karst Koymans (UvA) DNS Tuesday, September 13, / 68

57 Root servers Root servers map Source: ICANN Karst Koymans (UvA) DNS Tuesday, September 13, / 68

58 Root servers Root server list (part 1) Name Org Where Globals Locals A Verisign Los Angeles, CA, US 8 0 B USC-ISI Marina del Rey, CA, US 0 1 C Cogent Communications Herndon, VA, US 8 0 D University of Maryland College Park, MD, US 1 0 E NASA (Ames) Mountain View, CA, US 1 11 F ISC (Internet Software Consortium) Palo Alto, CA, US 5 51 G US DOD NIC Columbus, OH, US 6 0 Source: (retrieved ) Karst Koymans (UvA) DNS Tuesday, September 13, / 68

59 Root servers Root server list (part 2) Name Org Where Globals Locals H US Army Research Lab (ARL) Aberdeen, MD, US 2 0 I Netnod (NORDUnet) Stockholm, SE 0 43 J Verisign Dulles, VA, US 63 5 K RIPE NCC London, UK 5 12 L ICANN Los Angeles, CA, US M WIDE Tokyo, JP 5 1 Source: (retrieved ) Karst Koymans (UvA) DNS Tuesday, September 13, / 68

60 Root servers Anycast Overloading of an IP address Route to nearest instance (BGP metric) Global or local significance Live data for k root can be found at Research exercise: Find two documented ways for finding out which specific server from the anycasted set of servers answers your query. Karst Koymans (UvA) DNS Tuesday, September 13, / 68

61 Root servers k root server presence (2006 snapshot) Source: (RIPE NCC) Karst Koymans (UvA) DNS Tuesday, September 13, / 68

62 Root servers Anycasted root servers map (snapshot ) Source: (retrieved ) Karst Koymans (UvA) DNS Tuesday, September 13, / 68

63 Lookups Outline.1 DNS: basic ideas and functionality.2 A short history of DNS.3 Basic concepts.4 Delegation.5 Root servers.6 Lookups Karst Koymans (UvA) DNS Tuesday, September 13, / 68

64 Lookups Recursive and iterative queries Recursive queries In this case the server follows referrals itself on behalf of its clients often doesn t have authoritative data at all (almost) should build up a cache Iterative queries In this case the server either answers with authoritative data or passes referrals back to clients often has only authoritative data and no cache Karst Koymans (UvA) DNS Tuesday, September 13, / 68

65 Lookups Resolvers Stub resolver Library doing domain name lookup Uses /etc/resolv.conf Contacts a recursive (allowing recursion) name server Does not follow referrals itself Resolving nameserver Runs name server software Recursive (sets RA, allowing recursive queries as server) Caching (remembers outcome of iterative queries made as client) Karst Koymans (UvA) DNS Tuesday, September 13, / 68

66 Lookups Caching Necessary for performance Negative caching adds more functionality See RFC 2308 Lots of subtleties Karst Koymans (UvA) DNS Tuesday, September 13, / 68

67 Lookups IETF WG dprive (DNS PRIVate Exchange) Usually a client sends the complete query name in a DNS request Query minimisation DNS Query Name Minimisation to Improve Privacy (RFC 7816) Only send the relevant suffix to find the needed NS delegations Patented by Verisign?!? dns-query/index.xhtml Karst Koymans (UvA) DNS Tuesday, September 13, / 68

68 Lookups Common mistakes See RFC 1912 and also RFCs 2181 and 4697 Using CNAMEs in MX and NS records Forgetting the final. Lame delegation Lack of human coordination New efforts on its way (CSYNC RRs), see Child-to-Parent Synchronization in DNS (RFC 7477) Karst Koymans (UvA) DNS Tuesday, September 13, / 68