Lecture 9: Naming in IP - DNS

Transcription

1 DD2392/EP2120 p Lecture 9: Naming in IP - DNS The Domain Name System- DNS Olof Hagsand KTH CSC 1

2 Literature Forouzan Chapter 19 The book material is good but too high-level. You need more material to understand the subject (and the lab) Compression in Sec 19.7 can be skipped, Fig is not correct Lab 2/3: Domain Name System BIND 9 reference manual Intro Chapter 1 Zone files Chapter 3 RFC 1034 and RFC 1035 (Reference only) Liu and Albitz, DNS and BIND, O'Reilly (Reference) IANA Lots of web material 2

3 Name and address hierarchy in IP URL: Service: http Name: DNS Port: 80 Logical (IP) address: ARP Physical address: 00:11:11:9e:72:56 3

4 Why do we need names? In the underlying network and transport layers it is all about addresses. Interfaces, TCP, routing, etc. In IP, names are translated directly to addresses And then we deal with addresses only No names in the network Why don't we just stick with addresses? Names are better for humans fe80::216:d3ff:fecc:c00d Names add another abstraction layer One name can map to several logical addresses One logical address can map to several names Names can be used for other things than just addresses load balancing, mail direction, descriptions, finding services, 4

5 5

6 It started with a single file: HOSTS.TXT A single file maps between name and address Flat name space NCP had max 256 nodes TCP/IP has many more nodes,... In the mid-1980s it proved too difficult to distribute the HOSTS.TXT file. Something had to be done about names and name lookup structure Hierarchical name space The remnant of HOSTS.TXT is /etc/hosts: # Do not remove the following line, or various programs # that require network functionality will fail beethoven localhost.localdomain localhost ::1 localhost6.localdomain6 localhost6 6

7 Architecture DNS is based on a distributed database maybe largest and most distributed around It gives a general method to map structured names into records DNS uses both UDP and TCP DNS is an application layer protocol Structured data: Names Records: Addresses Text Info Names 7

8 Domain names Inverted tree with root at the top Name max 255 chars. Max 128 levels Each node max 63 characters Each node in the tree has a domain name A sequence of labels separated by dots Name consists of A-Z,a-z,0-9,'-' Other signs are constructed using International Domain Names rksmrgs-5wao1o.se The root label is null A full domain name always ends in a dot Fully Qualified Domain Name (FQDN) Most specific first IP (and file system) is least specific first The dots have nothing to do with dots in IPv4 addresses! Example xen.netlab.csc.kth.se cf

9 DNS tree. com edu se uk arpa kth co ac in-addr ip6 csc 192 netlab 71 xen 24 Generic domains Country domains 5 9

10 Top domains - TLDs Last label (except root) in a FQDN Generic domains (GTLD) aero, biz, com, edu, gov, mil, net, org,... Country Domains (cctld) fi, fr, dk, nu, cc, se, uk The rules of cctlds are very different depending on country Inverse domain addresses names 10

11 ARPA Inverse mapping ARPA - Address and Routing Parameter Area Domain (Used to be Advanced Research Projects Agency) Handles inverse mappings Mainly IPv4 addresses to names Also IPv6 addresses Telephone numbers (E164), etc. Structured data in DNS is most specific first Entry xen.netlab.csc.kth.se with address : in-addr.arpa Note: delegation can only be at nodes: only at /8, /16, /24, /32 See RFC2317 delegation for classless addresses IPv6: 2001:2040:3:a011:260:e0ff:fe43:c40a: a.0.4.c.3.4.e.f.f.f.0.e ip6.arpa 11

12 Organization International organization ICANN / IANA delegates to each TLD Some countries loose policies (eg.se) Other countries have stricter policies Swedish organization.se Björn Eriksen at KTHNOC managed the swedish top-domain until Internetstiftelsen (IIS) independently from the swedish government 12

13 Delegation Authority is delegated from the root downwards ICANN handles the root ICANN delegates SE to IIS IIS delegates KTH to the Royal Institute of Technology KTH delegates CSC to the school of computer science (KTH CSC) KTH CSC delegates netlab to us We delegate to you (when you lab) You can delegate at every point in the tree You dont have to delegate at every point Example: xen is not delegated from netlab Delegation is the primary way to distribute the DNS database 13

14 Zones Delegation requires administrative units ZONES Similar to autonomus systems in routing A zone is a domain minus everything that has been delegated The parent zone points to a nameserver of the delegated zone There should be more than one nameserver per zone The distribution of the DNS database is thus made by sequences of delegations from parent zone to child 14

15 DNS zones and delegations com edu se uk arpa. zones kth csc netlab delegations xen 15

16 Master and slaves One or several nameservers are authoritive for a zone They are responsible for their part of the namespace A nameserver need not be dedicated to a single zone A server may handle several zones (or none) One server is master (primary server) Other servers are slaves (secondary servers) A single server can be master for some domains and slave for others Slaves are for redundancy Changes are made by administrator on the master by editing the zone file Changes are distributed to slaves: Zone transfer over TCP Zone file Master Zone transfer Slave 1 Slave n 16

17 Zone transfers AXFR Full zone transfer Master modifies serial number on every change Slaves query master periodically If changed, slave requests full zone transfer Master sends the complete zone information IXFR Incremental zone transfer Master sends delta between slave's and master's zone data Master must keep record of incremental changes DNS Notify (Zone change notification) RFC 1996 Master sends notifications to slaves when changed Slave can then make zone transfer query And master perform zone transfer Database backends One can also keep all authoritative nameservers updated using an out-of-band mechanism Outside the DNS protocol 17

18 Dynamic DNS Traditionally, a DNS zone is managed by editing a file This is what you will do in the lab But many records may change often, For example, if DHCP is used Then you need a dynamic mechanism: DDNS (RFC 2136) You can communicate with the master using messages You can add or delete individual or sets of records Slaves are kept consistent using zone transfer mechanism Client Update Request Master Zone transfer Slave 1 Slave n 18

19 DNS data records Data records are written in a zone file as follows: name TTL Class Type Rdata TTL How long entries are valid (for cache) Often skipped, default TTL used Class IN (Internet class) Type Resource record type Rdata Type specific data 19

20 DNS resource record types Type Description A IPv4 address AAAA IPv6 address PTR Pointer: Address to name MX To where mail should be sent SOA Data about the zone CNAME Canonical name. Name of host that should be used HINFO Host information TXT General free text SRV Service 20

21 SOA and the start of a zone file The SOA record defines a zone. Always first record in a zone file Default caching Default nameserver Mail to administrator (@ -->.) $TTL IN SOA toystory.movie.edu. al.movie.edu. ( ; Serial 8H ; Refresh after 8 hours 1h ; Retry after 1 hour 1w ; Expire after 1 week 60 ) ; negative caching TTL 1 min Zone: Expanded to zone name (movie.edu) Class Type Zone transfer settings Alternative: 1,2,.. Example from DNS and BIND, ed 5 21

22 A - AAAA A - IPv4 address AAAA - IPv6 address Blank means repeat violin IN A guitar IN A harp IN A IN A piano IN A IN AAAA 2001:db80:1:2:3:4:567:891b One name can map to several addresses Eg multi-homed hosts Double-stack Ipv4, IPv6 Several names can map to same address 22

23 CNAME - Canonical name Aliases - Several names to same address If CNAME is used, name cannot be re-used for other record piano IN CNAME guitar guitar IN A flute IN CNAME oboe oboe IN A IN A What address does flute resolve to? 23

24 NS - Nameserver There must be at least one nameserver per zone There must also be A records somewhere kth.se IN NS nic.lth.se. kth.se IN NS b.ns.kth.se. kth.se IN NS ns2.chalmers.se. kth.se IN NS a.ns.kth.se. You cannot see which is primary and which is secondary It should not matter for a resolving server A parent zone must include NS records for child zones! This is how delegation works But there may be more NS records than visible in parent Example A records associated with the NS entries above: a.ns.kth.se IN A a.ns.kth.se IN AAAA 2001:6b0:1::246 b.ns.kth.se IN A nic.lth.se IN A ns2.chalmers.se IN A ns2.chalmers.se IN AAAA 2001:6b0:2:20::1 24

25 MX - Mail exchanger MX is used for mail routing Where to send mail to a node or zone A preference value (lower is better) Example # dig kth.se MX kth.se. 7 IN MX 10 mx.kth.se. kth.se. 7 IN MX 20 mx2.kth.se. Mails to kth.se. are sent to mx.kth.se If mx is unaccessible, then try mx2. But the kth domain is actually declared as follows (do you see the difference?): # dig kth.se MX kth.se. 7 IN MX 10 mx.kth.se. mx.kth.se IN A mx.kth.se IN A mx.kth.se IN A mx.kth.se IN AAAA 2001:6b0:1:1300:20e:7fff:fef0:f8bb mx.kth.se IN AAAA 2001:6b0:1:1300:20e:7fff:fe26:4fe1 25

26 PTR - POINTER Appears in arpa zones Maps address to names in-addr.arpa. IN PTR xen.netlab.csc.kth.se a.0.4.c.3.4.e.f.f.f.0.e ip6.arpa \ IN PTR xen.netlab.csc.kth.se 26

27 DNS Messages Query and Response messages Either TCP or UDP Except AXBR which is always TCP (why?) Header Question section Header Question section Answer section Authority section Additional section Forouzan Section 19.6 and

28 Header fields Query identification - for matching query and response Flags QR - Query / Response OpCode AA - Authoritative answer TC - Truncated RD - recursion desired RA - recursion available rcode - Response error status Number of question records Number of answer records Number of authoritative records Number of additional records 28

29 Resolving process Iterative query Resolving server Query Referral to se root nameserver. Query Referral to kth se nameserver se Query xen.netlab.csc.kth.se Query Referral to csc kth nameserver kth Client Stub-Resolver Response: Recursive query Query Referral to netlab Query Response: Forouzan fig is not the way it is done csc nameserver netlab nameserver csc netlab xen 29

30 Name-address resolution: stub-resolver When a client requests a NAME -> ADDRESS resolution, it invokes a stub-resolver in the client getaddrinfo() (old: gethostbyname) getnameinfo() (old: gethostbyaddr) The application may specify AF_INET, AF_INET6, or AF_UNSPEC. If unspec, the resolver requests both A and AAAA. The stub-resolver is typically linked into the client program Configured using /etc/resolv.conf /etc/resolv.conf can be generated by DHCP Typically configured to look in /etc/hosts first, then DNS The stub resolver formulates one (or several) query, sends it to a resolving server (local nameserver), waits for a reply and presents the result to the application 30

31 Resolving server and Nameservers A local nameserver that acts on behalf of a client stub resolver It asks the nameservers to get the reply How does it know where to start? Root servers are pre-configured in a hint file:. IN NS A.ROOT-SERVERS.NET. IN NS B.ROOT-SERVERS.NET. IN NS C.ROOT-SERVERS.NET. IN NS D.ROOT-SERVERS.NET A.ROOT-SERVERS.NET. IN A B.ROOT-SERVERS.NET. IN A C.ROOT-SERVERS.NET. IN A D.ROOT-SERVERS.NET. IN A There are 13 root nameservers (you can fit 13 ns in 536 bytes which is the guaranteed non-fragmentable UDP msg) A resolving server uses iterative calls to nameservers to get the authorattive results. Note that a single DNS server is usually both a resolving server and name server!! 31

32 Caching A resolving nameserver caches the results. Decrements the TTL obtained from the authorative nameserver Later queries will use the cached results But they will have lower TTL Queries may result in caching of other results than the queried data Eg Authorative nameserver posts Lowers burden on root servers High TTL --> stable and less communication Low TTL --> More dynamic: data can change faster Client Client Response TTL = 8000 Response TTL = 5753 Caching Nameserver Query Response TTL = 8000 Authorative (Master/Slave) 32

33 Glue records and delegation When you delegate a query from a parent zone to a child zone child IN NS ns.child But how does the resolving server know the IP address of ns.child? The mother zone must include an A record of the child NS: child IN NS ns.child ns.child IN A glue record But parent is not authorative of the child's result records But necessary for delegation to work The A record is called a glue record 33

34 Tools dig Preferred tool. dig <post> <type> (+trace) Read the man page! host simpler tool nslookup traditionally used but dig is better 34

35 Using dig > dig xen.netlab.csc.kth.se A ; <<>> DiG P2 <<>> xen.netlab.csc.kth.se A ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3 ;; QUESTION SECTION: ;xen.netlab.csc.kth.se. IN A ;; ANSWER SECTION: xen.netlab.csc.kth.se. 60 IN A ;; AUTHORITY SECTION: xen.netlab.csc.kth.se. 60 IN NS ns2.nada.kth.se. xen.netlab.csc.kth.se. 60 IN NS ns1.nada.kth.se. xen.netlab.csc.kth.se. 60 IN NS ns.xen.netlab.csc.kth.se. ;; ADDITIONAL SECTION: ns2.nada.kth.se IN A ns1.nada.kth.se IN A ns.xen.netlab.csc.kth.se. 60 IN A ;; Query time: 232 msec ;; SERVER: #53( ) ;; WHEN: Sun Feb 8 19:32: ;; MSG SIZE rcvd:

36 Using dig +trace > dig xen.netlab.csc.kth.se A +trace ; <<>> DiG P2 <<>> xen.netlab.csc.kth.se A +trace ;; global options: printcmd IN NS F.ROOT-SERVERS.NET IN NS M.ROOT-SERVERS.NET IN NS I.ROOT-SERVERS.NET. ;; Received 500 bytes from #53( ) in 2 ms se IN NS C.NS.se. se IN NS A.NS.se.... se IN NS G.NS.se. ;; Received 446 bytes from #53(G.ROOT-SERVERS.NET) in 320 ms kth.se IN NS a.ns.kth.se. kth.se IN NS nic.lth.se. kth.se IN NS b.ns.kth.se. ;; Received 144 bytes from #53(E.NS.se) in 145 ms netlab.csc.kth.se IN NS ns2.nada.kth.se. netlab.csc.kth.se IN NS ns.netlab.csc.kth.se. netlab.csc.kth.se IN NS ns1.nada.kth.se. ;; Received 145 bytes from #53(b.ns.kth.se) in 170 ms xen.netlab.csc.kth.se. 60 IN A xen.netlab.csc.kth.se. 60 IN NS ns2.nada.kth.se. xen.netlab.csc.kth.se. 60 IN NS ns1.nada.kth.se. xen.netlab.csc.kth.se. 60 IN NS ns.xen.netlab.csc.kth.se. ;; Received 161 bytes from #53(ns2.nada.kth.se) in 237 ms 36

37 DNS Security DNS is an open protocol It is also very tolerant to failures But there are many ways to attack DNS, or use DNS in attacks DNSSEC is currently being deployed for this purpose Not covered in this course Application-layer security (eg SSL/HTTPS) ensures authenticity of the information on the application layer Some common attacks: DNS cache poisoning Contaminate DNS cache with wrong A entries Resolves will be re-directed to other IP address Using DNS in DDOS attacks Send many queries for '.' and spoofed source address Will result in large UDP replies DOS of DNS servers Make many recursive lookups 37

38 DNS Lab Create zone files (11, 12, 21,... f1, f2) under experiment.xen.netlab.csc.kth.se Edit files and test with dig In groups of two There are a lot about syntax in zone files and how to use dig You must make preparation questions in advance! experiment.xen.netlab.csc.kth.se. experiment.xen.netlab.csc.kth.se. x x experiment.xen.netlab.csc.kth.se. sub x y sub y x sub 38

39 DNS Lab: what should you do? Delegate experiment.xen.netlab.csc.kth.se. x Sub-zone experiment.xen.netlab.csc.kth.se. x sub Delegate sub-zone experiment.xen.netlab.csc.kth.se. x y sub y x sub 39

40 DNS Lab: what should you do? PTR records. Must be done with IPv6 since you do not have /24:s Secondary nameservers a1.experiment.xen.netlab.csc.kth.se. a2.experiment.xen.netlab.csc.kth.se. Verify your domain on 40

41 Recitation material (answers after lecture) 41

42 Resolving server vs advertizing nameserver Suppose you have a combined resolving server and advertising nameserver (most are). You therefore have a zone for which you are authorative, and a number of clients that you serve. a)when should the server accept recursive queries and when should it accept iterative queries? Motivate your answer. b)how can you protect against external recursive queries? c)can this affect which nameservers you register in your parent zone? If so how? 42

43 Forwarders In certain situations, a set of resolving nameservers can use a forwarder to increase the cache-effectiveness. The resolving nameservers then forward their requests (recursive query) for external queries to the forwarder instead of iterative quering the advertizing nameservers. In what networking situations would a forwarder make sense? 43

44 DNS cache poisoning DNS cache poisoning is an attack where the DNS cache is contaminated with illegal entries. a)what can the effects be of a DNS poisoning attack? b)how is it detectable by an end user? c)there are several ways to cause a cache poisoning. Here is a zone file of a DNS server that has been taken over by an attacker. How can this cause a DNS cache poisoning? rouge.com IN SOA... NS ns1.google.com ns1.google.com A d)what effects may this have? What scope: who may be affected? 44

45 Blocking traffic with DNS Suppose you wish to block traffic from web-cites x,com Easiest is to add an entry in your hosts file: localhost x.com Can you also do this on an organisational level? How would you do it? Are there any loopholes? Are there ethical aspects? 45

46 IPv6 Suppose you wish to communicate with host piano in a remote domain. The nameserver entries of piano are shown below: piano IN A IN AAAA 2001:db80:1:2:3:4:567:891b How do you think your host (application/stub resolver) selects between the two addresses? Note that this differs between different operating systems and applications. 46