The Domain Name System a naming infrastructure for the Internet. Credits for some of this content: Hannes Lubich, Stefan Frei

Transcription

1 The Domain Name System a naming infrastructure for the Internet Credits for some of this content: Hannes Lubich, Stefan Frei November 2013

2 Outline Terminology Application scenario Domain Name System

3 What s in a name? What do names do? identify objects help locate objects define membership in a group specify a role Name space defines set and possibly structure of possible names Directory Service Defines and implements name to value bindings - The OSI Directory (X.500) LDAP, Light-weight Directory Access Protocol - The Domain Name System (DNS) - Name servers in many architectures

4 Design space Names versus addresses Location transparent versus location-dependent Flat versus hierarchical Global versus local Absolute versus relative Unique versus ambiguous

5 Naming and addressing in the Internet: e- mail as an example sender receiver SMTP server DNS server Address query client Mail-exchangequery Internet SMTP client POP DNS server SMTP: Simple Mail Transfer Protocol POP: Post Office Protocol SMTP server POP server

6 Goals of the Domain Name System Connection end-point is a pair (port, IP address) IP addresses are unique, but not very user friendly. DNS defines the implementation of a distributed system for mapping names onto addresses (main application of DNS). DNS allows user friendly naming of objects in the Internet, and can be used to "hide" address changes. DNS also allows different types of entries, supporting different applications DNS name space and implementation allows the hierarchical distribution of the naming authority. DNS defines the syntax and the rules for delegation of the naming authority

7 The Domain Name System is.. Commonly known.. A global, distributed, robust system for name to IP address resolution. Provides core functionality for the operation of the Internet. Less well known.. DNS helps cybercriminals to setup services that are hard to hunt/shut down. DNS helps building hidden channels (tunneling) Is a freely available distributed storage system. It can also be used to stream audio and video.

8 The DNS Name Space Hierarchical: An arbitrarily nested tree. Allows for delegation of the naming authority (to sub-tree) The naming structure is a logical view, and may not correspond to the actual network topology or organisation. The nesting can be arbitrarily deep, e.g. or host.university.country host.laboratory.department.university.country Formally, names don t carry semantics

9 The DNS Name Space Hierarchy root Top Level Dom edu com gov mil org net uk fr 2 nd Level Dom princeton mit cisco yahoo nasa nsf arpa navy acm ieee cs ee physics ux01 ux04 root Names - Relative: ux01.cs (relative to princeton.edu.) - Absolute or fully qualified: ux04.cs.princeton.edu.

10 Internet Domain Names "top level" domain names COM EDU GOV MIL NET ORG ARPA INT Commercial organisations Educational organisations Governmental organisations Military organisations Large network providers Other, mostly non-commercial organisations Original Internet "top level" Domain, now used for reverse lookups International organisations subdomains cc 2-Letter Country Code,. according to ISO 3166 (e.g. "CH" for Switzerland) biz, name, museum, aero, eu, info, new TLD tik.ee.ethz.ch second level domain top level domain

11 Names may refer to different types of objects Objects in DNS may be of different type, e.g. user names, IP addresses, mailboxes etc. Can t tell the type from the name could be a mail domain (it isn t) An entry "dns1.ethz.ch" can denominate a single host, while an entry ee.ethz.ch" can denominate a whole subdomain. Such differences can not be derived from the name. no semantics!

12 Mapping the name space to zones Zone: sub-tree of the name space which is managed as a unit, e.g. *.ethz.ch The DNS is implemented by a set of distributed, cooperating domain name servers. A name server holds the data associated to one or more zones root.edu.com.gov ucb dec nsf....ch ethz

13 Administration of the name space and operation of the DNS A primary name server is responsible for one or more zones, primary name servers are loaded from a (text/structured) database One or more secondary name servers increase availability. Secondary name servers are loaded from the primary (via zone transfer) Secondary name servers are compulsory for operators of a zone Root servers bind the top level of the DNS together; each name server must know the addresses of the root servers.

14 Domain name resolution Name resolution logically starts at the root of the name tree, and then works downwards. Name resolution is initiated by a DNS client (DNS stub resolver) which is usually part of the operating system The DNS resolver is configured with the address of at least one DNS server, typically a DNS resolver Queries: Issued by the DNS client to a DNS resolver Issued by the DNS resolver to single DNS servers

15 DNS Hierarchy Top Level Domains (TLD) Root Servers Root Name Servers, controlled by IANA (and US Department of Commerce) Domain name Registrations gtld Generic TLD cctld Country TLD TLD Name Servers, managed special organizations (selected by IANA) Authoritative Name Server Authoritative Name Server, managed by private entities

16 DNS Recursive Resolution A 1 Root Server stub resolver Question Answer Query: A 2001:67c:10ec:4380:: Caching Forwarder Recursive Resolver Hint: ask.ch name server A Hint: ask ethz.ch name server A TLD Server ETH Server :67c:10ec:4380::

17 DNS Root Servers Root Servers.. only know who you need to ask next. are strategically placed DNS server. Resolvers use hard-coded IP lookup tables for root servers. How many root servers? 13 nominal root servers {a-m}.root-servers.net - DNS limitation because all have to fit within a single UDP/IP packet (DNS response) Hundreds of physical root servers at over 130 physical locations in many different countries.

18 List of root servers /netinfo/root-servers.txt Sep 97 The following hosts are functioning as root domain name servers for the Internet: HOSTNAME NET ADDRESSES SERVER PROGRAM A.ROOT-SERVERS.NET BIND (UNIX) B.ROOT-SERVERS.NET BIND (UNIX) C.ROOT-SERVERS.NET BIND (UNIX) D.ROOT-SERVERS.NET BIND (UNIX) E.ROOT-SERVERS.NET BIND (UNIX) F.ROOT-SERVERS.NET BIND (UNIX) G.ROOT-SERVERS.NET BIND (UNIX) H.ROOT-SERVERS.NET BIND (UNIX) I.ROOT-SERVERS.NET BIND (UNIX) J.ROOT-SERVERS.NET BIND (UNIX) K.ROOT-SERVERS.NET BIND (UNIX) L.ROOT-SERVERS.NET BIND (UNIX) M.ROOT-SERVERS.NET BIND (UNIX) Up-to-date information see

19 DNS Root Server Security Major operational threat is DDoS Defense Anycast, overprovisioning Anycast Setting up identical copies of existing servers (same data) Standard Internet routing will bring the queries to the nearest server (e.g. 42 servers behind the f-root)

20 DNS Root Server Locations Source:

21 Locality of reference Since many queries are for local entities, locality of reference may be used to increase performance (bottom up queries). Resolver often directs query to local name server. DNS servers maintain a cache of recently used names. Answers taken from a cache are non-authoritative. Answers from a primary oder secondary server are authoritative.

22 Format of DNS messages Identical formats are used for queries and responses: Identification Number of Questions Number of Authority Question Section Answer Section Authority Section Additional Information Section Parameter Number of Answers Number of Additional Inform.

23 DNS Root Server Query Request from: a.root-servers.net note: TTL: sec = 48 h 1 Name: A.ROOT-SERVERS.NET, Address: #53 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1940 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 11 ;; QUESTION SECTION: ; IN A ;; AUTHORITY SECTION: ch IN NS DOMREG.NIC.ch. ch IN NS MERAPI.SWITCH.ch. ch IN NS RIP.PSG.COM. ch IN NS TULKU.NIC.AR. ch IN NS CCTLD.TIX.ch. ch IN NS SEC3.APNIC.NET. ch IN NS DNS.PRINCETON.EDU. ch IN NS CH1.DNSNODE.NET. Source: host vv a.root-servers.net

24 DNS Top Level Domain Server Role Point DNS resolvers to the Authoritative Domain Server. Two classes: Generic gtld, Country Code cctld. History Until mid 2000, root servers also handled requests for gtlds. Responsibility removed from Root Servers, creation of the TLD Servers (after a number of DoS attacks).

25 Domain Registration Domain registration entry for domain ethz.ch Domain name: ethz.ch Holder of domain name: ETHZ KOMID Sektionsleiter/in ID-Kommunikation, RZ Clausiusstrasse 59 CH-8006 ZA¼rich Switzerland Contractual Language: English Name servers: dns1.ethz.ch [ ] dns3.ethz.ch [ ] scsnms.switch.ch [ ] scsnms.switch.ch [ ] scsnms.switch.ch [2001:620::1] Source: whois ethz.ch

26 TLD Server Query Request from: domreg.nic.ch, TTL: sec = 12 h Note the Additional Section 2 Name: domreg.nic.ch, Address: #53 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 538 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 5 ;; QUESTION SECTION: ; IN A ;; AUTHORITY SECTION: ethz.ch IN NS dns3.ethz.ch. ethz.ch IN NS scsnms.switch.ch. ethz.ch IN NS dns1.ethz.ch. ;; ADDITIONAL SECTION: dns1.ethz.ch IN A dns3.ethz.ch IN A scsnms.switch.ch IN A Source: host vv domreg.nic.ch

27 Authoritative Domain Servers Role Manage a zone. Provide lookup information or delegate to DNS servers of sub-zones. DNS Servers Controlled by private entities. Resolution of IP addresses and other resource records. Primary and secondary DNS servers for a zone.

28 Authoritative Server Query Request from: dns1.ethz.ch, TTL: sec = 24 h. IP: Name: dns1.ethz.ch, Address: #53 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 785 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5 ;; QUESTION SECTION: ; IN A ;; ANSWER SECTION: IN CNAME www-css.ethz.ch. www-css.ethz.ch IN A ;; AUTHORITY SECTION: ethz.ch IN NS scsnms.switch.ch. ethz.ch IN NS dns1.ethz.ch. ethz.ch IN NS dns3.ethz.ch. Source: host vv dns1.ethz.ch

29 Recursive DNS Resolver Problem It is inefficient for every computer to carry out its own DNS lookup procedure every time. We want increase speed and decrease network traffic. Recursive Resolvers Software application to access name servers. Usually transparent. Functionality Querying of name servers. Interpretation of results. Returning gathered information to client.

30 Caching Temporarily store information found out. Reducing lookup overhead. Balance between consistency and efficiency. Controlled by TTL: time to live. Local cache (win): ipconfig /displaydns

31 DNS Server Roles DNS Server Roles Comparison of core functionality between an Authoritative DNS server and a Caching DNS server Availability Types of query that it should answer Records that it should attempt to resolve Authoritative Server Should be able to respond to lookup queries from any computer on the Internet Non-recursive queries Should only respond with data it is authoritative about DNS Cache/Resolver Should only respond to lookup queries that originate from a local network Recursive queries Should attempt to resolve any legitimate request ETH: and Must not be configured in a client! ETH: and To be configured in a client

32 Inverse queries ( pointer queries ) Inverse query: given an IP address, provide the corresponding domain name (if it exists). E.g. used for plausibility tests of addresses rlogin bases its authorization on a list of accepted domain names Problem: the DNS name resolution infrastructure is organized according to the structure of the name space a search for a specific IP address may have to be conducted on all name servers! Solution: A special second level domain in-addr.arpa. contains a hierarchy which is organized along the assignment structure of IP addresses. in-addr.arpa. is an index for a search for a specific address.

33 Name space for inverse queries root arpa edu com ch net top level in-addr second level in-addr.arpa

34 Object types and resource record contents A Host Address 32-bit IP address AAAA IPv6 Host Address 128-bit IPv6 address CNAME Canonical Name Canonical Domain Name for an alias HINFO CPU and OS Name of CPU and operating system MINFO Mailbox Information Information about a mailbox or mail list MX Mail Exchanger 16-bit preference and name of host that acts as mail exchanger for the domain NS Name Server Name of authoritative server for domain PTR Pointer Domain name (like a symbolic link) SOA Start of Authority Multiple fields that specify which parts of the naming hierarchy a server implements TXT Arbitrary Text Uninterpretedstring of ASCII text SRV Service information Server host name and port

35 SRV records _Service._Proto.Name TTL Class SRV Priority Weight Port Target Used to convey information about services Service: the symbolic name of the desired service. Protocol: this is usually either TCP or UDP. Domain name: the domain for which this record is valid. TTL: standard DNS time to live field. Class: standard DNS class field (this is always IN). Priority: the priority of the target host. Weight: A relative weight for records with the same priority. Port: the TCP or UDP port on which the service is to be found. Target: the hostname of the machine providing the service Example: _sip._tcp.example.com IN SRV sipserver.example.com.

36 nslookup - UI for DNS #pragma ident "@(#)nslookup.help /09/12 SMI" Commands: (identifiers are shown in uppercase, [] means optional) NAME - print info about the host/domain NAME using default server NAME1 NAME2 - as above, but use NAME2 as server help or? - print info on common commands; see nslookup(1) for details set OPTION - set an option all - print options, current server and host [no]debug - print debugging information [no]d2 - print exhaustive debugging information [no]defname - append domain name to each query [no]recurse - ask for recursive answer to query [no]vc - always use a virtual circuit domain=name - set default domain name to NAME srchlist=n1[/n2/.../n6] - set domain to N1 and search list to N1,N2, etc. root=name - set root server to NAME retry=x - set number of retries to X timeout=x - set initial time-out interval to X seconds querytype=x - set query type, e.g., A,ANY,CNAME,HINFO,MX,PX,NS,PTR,SOA,TXT,WKS port=x - set port number to send query on type=x - synonym for querytype class=x - set query class to one of IN (Internet), CHAOS, HESIOD or ANY server NAME - set default server to NAME, using current default server lserver NAME - set default server to NAME, using initial server finger [USER] - finger the optional USER at the current default host root - set current default server to the root ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE) -a - list canonical names and aliases -h - list HINFO (CPU type and operating system) -s - list well-known services -d - list all records -t TYPE - list records of the given type (e.g., A,CNAME,MX, etc.) view FILE - sort an 'ls' output file and view it with more exit - exit the program, ^D also exits

37 Some DNS queries using nslookup > set querytype=a > Server: dns2.ethz.ch Address: Name: w3.ethz.ch Address: Aliases: > set querytype=mx > ethz.ch Server: dns2.ethz.ch Address: ethz.ch preference = 10, mail exchanger = bernina.ethz.ch ethz.ch nameserver = dns1.ethz.ch ethz.ch nameserver = dns2.ethz.ch ethz.ch nameserver = dns3.ethz.ch bernina.ethz.ch internet address = bernina.ethz.ch internet address = dns1.ethz.ch internet address = ( ) > Server: dns2.ethz.ch Address: canonical name = w3.ethz.ch ethz.ch origin = baloo.ethz.ch mail addr = brunner@kom.id.ethz.ch serial = refresh = (8 hours) retry = 7200 (2 hours) expire = (7 days) minimum ttl = (1 day) > ee.ethz.ch Server: dns2.ethz.ch Address: ee.ethz.ch preference = 10, mail exchanger = ee00.ethz.ch ee.ethz.ch preference = 20, mail exchanger = bernina.ethz.ch ethz.ch nameserver = dns1.ethz.ch ethz.ch nameserver = dns2.ethz.ch ethz.ch nameserver = dns3.ethz.ch ee00.ethz.ch internet address = bernina.ethz.ch internet address = ( ) > tik.ee.ethz.ch Server: dns2.ethz.ch Address: tik.ee.ethz.ch preference = 20, mail exchanger = bernina.ethz.ch tik.ee.ethz.ch preference = 10, mail exchanger = tik2.ethz.ch ethz.ch nameserver = dns1.ethz.ch ethz.ch nameserver = dns2.ethz.ch ethz.ch nameserver = dns3.ethz.ch bernina.ethz.ch internet address = tik2.ethz.ch internet address = ( ) > set querytype=ptr > Server: dns2.ethz.ch Address: in-addr.arpa name = eth-net.ethz.ch in-addr.arpa nameserver = bernina.ethz.ch in-addr.arpa nameserver = dns1.ethz.ch bernina.ethz.ch internet address = dns1.ethz.ch internet address =

38 Comments The DNS is a central, crucial element of the Internet infrastructure Target of attacks: DDoS on root servers, cache poisoning, etc. Unauthenticated requests and responses allow spoofing Rather static, long TTL implies long cache residence Not suitable for dynamic mappings on a large scale (no architectural support for dynamically assigned IP addresses) Not suitable for user-related data (change management, access authorization not present) Transition towards a more secure DNS is in progress: DNSSEC, see also

39 Literature RFC 1035: Mockapetris, P.V., "Domain names - implementation and specification", November 1987 RFC 1034: Mockapetris, P.V., "Domain names - concepts and facilities", November 1987 RFC 920: Postel, J.B.; Reynolds, J.K., "Domain requirements", October 1984 X.500: a recommendation for directory services, book chapter in Plattner et. al., X.400 Message Handling, Addison Wesley, 1991, ISBN X "man" nslookup, dig, resolver, resolve.conf, named