The Domain Name System (DNS)

Transcription

1 D 1 The Domain Name System (D) Prof. Jean-Yves Le Boudec Prof. ndrzej Duda IC, EPFL CH-1015 Ecubens o o Domain Name System: D Objective of D support user friendy naming of resources: computers, printers, maiboxes, hide IP address changes distribute naming authority distribute the database used primariy for system names and emai Names and addresses domain name : high eve identifier; eg. rcsuns ssc.epf.ch IP address : ow eve identifier reated to routing, physica topoogy eve 2 addresses : ow eve identifiers MC address: seria number of communication interface TM address: combination of MC and route reated address emai address : high eve address used for emai eg. gwen.nedeeg@ssc.epf.ch emai addresses are mapped to domain names: gwen.nedeeg@ssc.epf.ch -> gwen\.nedeeg.ssc.epf.ch 2

2 D tenet disun3 1 rcsuns appication program name resover D Exampe IP dest addr protoco UDP source port 1267 dest port 53 stisun1 D message header query, question (QNME disun3.epf.ch. QTYPE) D query 2 3 D answer name server IP dest addr protoco UDP source port 53 dest port 1267 D message header response, question (QNME disun3.epf.ch. QTYPE) answer (disun3.epf.ch. TTL TYPE ) 3 resov.conf nameserver nameserver domain epf.ch RR type IPv4 addr IPv6 addr Resource Records (RRs) keyed by domain names zone data (authoritative data) disun3.epf.ch in-inr.epf.ch cached data (non-authoritative data) ezinfo.ethz.ch Domain Name Tree 4 generic domains root top eve domains country domains arpa int com edu gov mi net org firm store web arts rec info nom ch us za in-addr IP6 128 ibm 178 zurich 156 www in-addr.arpa 2nd eve domains ethz epf ee rcsuns ssc tik gwen\.nedeeg jachen\.carigiet rcsuns.epf.ch every node on the tree represents one or a set of resources every node on the tree has a abe (rcsuns) and a domain name (rcsuns.epf.ch) domain name sequence of abes, 64 bytes per abe exampes: rcsuns.epf.ch, ezinfo.ethz.ch, ee.ethz.ch names have the same syntax for subdomains or individua resources

3 D Name uthority 5 o hierarchica name authority o zones: top eve: Internic any organization can appy to become authority for a subdomain exampes: SWITCH for ch. and i. EPFL for epf.ch. any authority can create subdomains and deegate recursivey uniateray definition: zone a connected subset of nodes property: a zone has one singe node cosest to the root (top node, used to name the zone)) definition: zone Z1 is a subzone (or chid) of zone Z0 iff the top node of Z1 is connected to a node in Z0; name authority matches zone boundaries: names and subzones, can be created and deeted by the authority responsibe for a zone; exampes: zurich.ibm.com is a subzone of ibm.com zone zurich.ibm.com. has authority deegation from ibm.com. Fuy Quaified Domain Names 6 compete domain name fuy quaified domain name (FQDN) ends with a period (. ) traiing period usuay hidden by the user interface software incompete names are competed by oca resover add period: -> or add oca domain suffix: rcsuns -> rcsuns.epf.ch.

4 D The D distributed database 7 o D offers one distributed word-wide database distributed according to the zone concept: every zone has a master fie describing a records under the zone s authority name servers hod their part of the database for one zone, at east two name servers have the zone information, copied from master fie exampe: stisun1.epf.ch, stisun2.epf.ch; dns1.ethz.ch, dns2.ethz.ch zone information hed by the name server is caed authoritative data one name server may hod zone data for one or more zones zone data contains pointers to name servers hoding authoritative data for subzones a name servers know IP addresses of root servers (name servers for the top eve zones) Query Processing and Cached Data 8 o query processing resover associated with an appication sends a query to a name server name server responds with answer or with pointer to another server exampe: question from a node at EPFL; response is a pointer to a name server responsibe for zone ibm.com. o query processing can be iterative recursive: server responds with fina answer server acts as an intermediate resover recursive operation ony if requested in query and server accepts it root servers never support recursive operation o name servers usuay cache some information for nodes outside their zones recenty obtained informationis cached when acting recursivey every record has a TTL fied (ex: 1 day) used for cache management cached data is not authoritative

5 D Exampe: Query Processing 1 2,4 3 rcsuns resover 1 2 stisun1 3 name server 4 6 query, RDyes question query, RDno question answer question answer autority ibm.com. watson.ibm.com. ns.austin.ibm.com. ns.amaden.ibm.com. additiona watson.ibm.com ns.austin.ibm.com ns.amaden.ibm.com root name server watson ibm.com. 9 5,6 answer question answer Repication 10 o zone data is repicated in severa servers responsibe for the zone primary server hods master fie on disk secondary servers po primary servers (ex: every 3 hours) using the SERIL fied in zone data copying is caed zone transfer; uses TCP (queries usuay use UDP) changes in zone data by system manager: update master fie signa primary name server to reoad; new vaue of SERIL fied automaticay created secondary servers wi discover the change automaticay zone data in secondary servers is authoritative exampe: in which name servers can these RRs appear as zone or cache data: disun3.epf.ch

6 D Resource Record Types and Message Formats TYPE CNME SO PTR HINFO MINFO MX TXT vaue and meaning 1 Ipv4 address 2 an authoritative name server 5 the canonica name for an aias 6 marks the start of a zone of authority 12 a domain name pointer 13 host information 14 maibox or mai ist information 15 mai exchange 16 text strings 28 IPv6 address Header Question the question for the name server nswer RRs answering the question uthority RRs pointing toward an authority dditiona RRs hoding additiona information 11 Exampes of Records 12 o MX records: used by emai appication exampe: possibe use :? di.epf.ch. MX 10 dimai.epf.ch. di.epf.ch. MX 20 disunmm2.epf.ch. o PTR records: inverse mapping IP addr -> domain name exampe: in-addr.arpa PTR in-inr in-addr.arpa PTR in-inr e.a.4.0 PTR rcpc3 used for verifying names zone date shoud contain PTR records for a systems in the zone o other records: ISDN number, TM address (proposed)

7 D Exampes: Queries/ nswers 1 2 $ nsookup Server: stisun1.epf.ch ddress: Non-authoritative answer: Name: ddress: $ nsookup -querytype zurich.ibm.com Server: watson.ibm.com ddress: zurich.ibm.com nameserver ns1.zurich.ibm.ch zurich.ibm.com nameserver watson.ibm.com ns1.zurich.ibm.ch internet address watson.ibm.com internet address $ nsookup -querytypeptr Server: stisun1.epf.ch ddress: in-addr.arpa name uetiberg.zurich.ibm.ch in-addr.arpa nameserver ns1.zurich.ibm.ch in-addr.arpa nameserver scsnms.switch.ch in-addr.arpa nameserver swidir.switch.ch ns1.zurich.ibm.ch internet address scsnms.switch.ch internet address scsnms.switch.ch internet address swidir.switch.ch internet address Exampe of Zone Data (ch.) SO SO scsnms.switch.ch, scsnms.switch.ch, ch-zonecontact.switch.ch ch-zonecontact.switch.ch (seria (seria refresh refresh ;(12 ;(12 hours) hours) retry retry ;(2 ;(2 hours) hours) expire expire ;(30 ;(30 days) days) minimum ch minimum tt tt ); ); (4 (4 days) days) scsnms.switch.ch scsnms.switch.ch swidir.switch.ch swidir.switch.ch epf ethz switch dxmon.cern.ch dxmon.cern.ch ns.eu.net ns.eu.net Ns Ns ns.uu.net ns.uu.net exercice: princeton.edu princeton.edu epf.ch. where are the servers epf.ch. stisun1.epf.ch stisun1.epf.ch stisun2.epf.ch stisun2.epf.ch responsibe for that zone? ethz.ch. ethz.ch. dns1.ethz.ch dns1.ethz.ch what are the data indicating bernina.ethz.ch bernina.ethz.ch switch.ch authority deegation? switch.ch scsnms.switch.ch scsnms.switch.ch swidir.switch.ch swidir.switch.ch what records are authoritative? stisun1.epf.ch. stisun1.epf.ch what woud change if ch. and stisun2.epf.ch. switch.ch. were in the stisun2.epf.ch same zone? bernina.ethz.ch. bernina.ethz.ch what is the answer to a query scsnms.switch.ch. scsnms.ethz.ch scsnms.switch.ch scsnms.switch.ch. scsnms.switch.ch

8 D Exampe of Zone Data (epf.ch.) epf ch ethz switch exercice: where are the servers responsibe for that zone? what are the data indicating authority deegation? what records are authoritative? what is the answer to a query rcwww.epf.ch SO SO stisun1.epf.ch stisun1.epf.ch () () epf.ch. epf.ch. stisun1.epf.ch. stisun1.epf.ch. stisun2.epf.ch stisun2.epf.ch stisun1.epf.ch. stisun1.epf.ch stisun2.epf.ch. stisun2.epf.ch rcsuns.epf.ch rcsuns.epf.ch rcwww.epf.ch rcwww.epf.ch CNME CNME rcsuns.epf.ch rcsuns.epf.ch rcftp.epf.ch rcftp.epf.ch CNME CNME rcsuns.epf.ch rcsuns.epf.ch ssc.epf.ch ssc.epf.ch MX MX sicmai.epf.ch sicmai.epf.ch *.di.epf.ch *.di.epf.ch MX MX sicmai.epf.ch sicmai.epf.ch in-addr.arpa in-addr.arpa PTR PTR rcsuns.epf.ch rcsuns.epf.ch (other (other records records ) ) 15 Name Server gorithm (1) RFC 1034 says: 1. Set or cear the vaue of recursion avaiabe in the response depending on whether the name server is wiing to provide recursive service. If recursive service is avaiabe and requested via the RD bit in the query, go to step 5, otherwise step Search the avaiabe zones for the zone which is the nearest ancestor to QNME. If such a zone is found, go to step 3, otherwise step Start matching down, abe by abe, in the zone. The matching process can terminate severa ways: a. If the whoe of QNME is matched, we have found the node. If the data at the node is a CNME, and QTYPE doesn't match CNME, copy the CNME RR into the answer section of the response, change QNME to the canonica name in the CNME RR, and go back to step 1. Otherwise, copy a RRs which match QTYPE into the answer section and go to step 6. b. If a match woud take us out of the authoritative data, we have a referra. This happens when we encounter a node with RRs marking cuts aong the bottom of a zone. Copy the RRs for the subzone into the authority section of the repy. Put whatever addresses are avaiabe into the additiona section, using gue RRs if the addresses are not avaiabe from authoritative data or the cache. Go to step 4. 16

9 D Name Server gorithm (2) c. If at some abe, a match is impossibe (i.e., the corresponding abe does not exist), ook to see if a the "*" abe exists. If the "*" abe does not exist, check whether the name we are ooking for is the origina QNME in the query or a name we have foowed due to a CNME. If the name is origina, set an authoritative name error in the response and exit. Otherwise just exit. If the "*" abe does exist, match RRs at that node against QTYPE. If any match, copy them into the answer section, but set the owner of the RR to be QNME, and not the node with the "*" abe. Go to step Start matching down in the cache. If QNME is found in the cache, copy a RRs attached to it that match QTYPE into the answer section. If there was no deegation from authoritative data, ook for the best one from the cache, and put it in the authority section. Go to step Using the oca resover or a copy of its agorithm (see resover section of this memo) to answer the query. Store the resuts, incuding any intermediate CNMEs, in the answer section of the response. 6. Using oca data ony, attempt to add other RRs which may be usefu to the additiona section of the query. Exit. Name Resoution 18 o ppication requests name resoution on oca host resover sends query to name server /etc/resov.conf on many systems points to the name server if no pointer, then oca host activates its own name server resover usuay requests recursive query response is processed unti an answer is found name server acting recursivey pays the roe of a resover for that query host resovers usuay do not cache responses (stub resovers), but name servers do (fu resovers)

10 D D Components Overview 19 stisun1 query query Foreign Name Server User Program resp. Fu Resover response rcsuns Stub Resover disun3 Stub Resover recursive query response recursive query response Master Fie cache addition reference Name Server Shared Database reference refresh query maintenance query/response response stisun2 Foreign Resover Other Name Server for same zone(s) References : D 20 o Hasa, chapter 13.2 o RFCs: 1032, 1033, 1034, 1035, 1591 o nsookup, host, resover, named

11 D NetBIOS 21 o Windows uses NetBIOS for transactions and distributed fie system o NetBIOS is a programming interface (as Sockets is) which uses NetBIOS names instead of (IP address, port number) exampe: ICRE, IC118PC29 o name resoution was done originay by LN broadcast o in modern instaations, done by NetBIOS name server WI D: Concusion 22 o high eve names goba word-wide decoupe names used by humans from IP addresses names not reated to routing decoupe ogica names from machine names o distributed database with simpe database mechanisms oose consistency in records strict hierarchica database with zone concept high survivabiity thanks to repication within one zone caching to improve performance o D has become a key component of the Internet survivabiity and security are key issues