Computer Networks: Domain Name System



Similar documents
Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

Related Chapters. Firewalls: CHAPTER 29, Firewalls

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

DNS and BIND. David White

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

Introduction to the Domain Name System

FAQ (Frequently Asked Questions)

Lecture 2 CS An example of a middleware service: DNS Domain Name System

NET0183 Networks and Communications

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

3. The Domain Name Service

DNS Domain Name System

Secure Domain Name System (DNS) Deployment Guide

THE DOMAIN NAME SYSTEM DNS

Domain Name System :49:44 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

Distributed Systems. 09. Naming. Paul Krzyzanowski. Rutgers University. Fall 2015

Monitoring the DNS. Gustavo Lozano Event Name XX XXXX 2015

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

Chapter 25 Domain Name System Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

CS 348: Computer Networks. - DNS; 22 nd Oct Instructor: Sridhar Iyer IIT Bombay

CS 355. Computer Networking. Wei Lu, Ph.D., P.Eng.

Understand Names Resolution

DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

Domain Name System (DNS) RFC 1034 RFC

Internetworking with TCP/IP Unit 10. Domain Name System

Domain Name System Richard T. B. Ma

Motivation. Domain Name System (DNS) Flat Namespace. Hierarchical Namespace

Basic DNS Course. Module 1. DNS Theory. Ron Aitchison ZYTRAX, Inc. Page 1 of 24

HTG XROADS NETWORKS. Network Appliance How To Guide: DNS Delegation. How To Guide

DNS Domain Name System

Secure Domain Name System (DNS) Deployment Guide

Internet-Praktikum I Lab 3: DNS

Naming and the DNS. Focus. How do we name hosts etc.? Application Presentation Topics. Session Domain Name System (DNS) /URLs

The Application Layer: DNS

Understanding DNS (the Domain Name System)

Use Domain Name System and IP Version 6

Remote DNS Cache Poisoning Attack Lab

The Domain Name System

Introduction to DNS CHAPTER 5. In This Chapter

Domain Name System. DNS is an example of a large scale client-server application. Copyright 2014 Jim Martin

Deploying DNSSEC: From End-Customer To Content

Domain Name System DNS

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .

The Domain Name System

Glossary of Technical Terms Related to IPv6

DNS security: poisoning, attacks and mitigation

HTG XROADS NETWORKS. Network Appliance How To Guide: EdgeDNS. How To Guide

INTERNET DOMAIN NAME SYSTEM

Securing DNS Infrastructure Using DNSSEC

Names vs. Addresses. Flat vs. Hierarchical Space. Domain Name System (DNS) Computer Networks. Lecture 5: Domain Name System

The Domain Name System from a security point of view

DNS + DHCP. Michael Tsai 2015/04/27

DNSSEC. Introduction. Domain Name System Security Extensions. AFNIC s Issue Papers. 1 - Organisation and operation of the DNS

DNSSEC: A Vision. Anil Sagar. Additional Director Indian Computer Emergency Response Team (CERT-In)

Domain Name System (DNS)

Chapter 23 The Domain Name System (DNS)

CS3250 Distributed Systems

Domain Name Service (DNS) Training Division, NIC New Delhi

OVERVIEW OF THE DNS AND GLOSSARY OF TERMS

DNS Basics. DNS Basics

Domain Name System (or Service) (DNS) Computer Networks Term B10

The Domain Name System (DNS)

Wireshark DNS. Introduction. nslookup

The Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends

Application Layer. CMPT Application Layer 1. Required Reading: Chapter 2 of the text book. Outline of Chapter 2

The Domain Name System (DNS)

Names & Addresses. Names & Addresses. Names vs. Addresses. Identity. Names vs. Addresses. CS 194: Distributed Systems: Naming

what s in a name? taking a deeper look at the domain name system mike boylan penn state mac admins conference

Introduction to Network Operating Systems

Windows 2008 Server. Domain Name System Administración SSII

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs

The Domain Name System

SAC 049 SSAC Report on DNS Zone Risk Assessment and Management

DNS: Domain Name System

Module 5: Planning a DNS Strategy

CS 43: Computer Networks Naming and DNS. Kevin Webb Swarthmore College September 17, 2015

Coordinación. The background image of the cover is desgned by GUIDE TO DNS SECURITY 2

DNS. Spring 2016 CS 438 Staff 1

Domain Name Servers. Domain Types WWW host names. Internet Names. COMP476 Networked Computer Systems. Domain Name Servers

DNS based Load Balancing with Fault Tolerance

How To Map Between Ip Address And Name On A Domain Name System (Dns)

DNS Risks, DNSSEC. Olaf M. Kolkman and Allison Mankin. and 8 Feb 2006 Stichting NLnet Labs

DNS at NLnet Labs. Matthijs Mekking

DNS Root NameServers

Domain Name System Security

DNS and BIND Primer. Pete Nesbitt linux1.ca. April 2012

The Graph Name System: pathnames and petnames in a rootless DNS

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. SEED Labs Local DNS Attack Lab 1

INFORMATION SECURITY REVIEW

EECS 489 Winter 2010 Midterm Exam

Transcription:

Computer Networks: Domain Name System Domain Name System The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses DNS www.example.com 208.77.188.166 http://www.example.com My Example Blog Spot http://208.77.188.166 My Example Blog Spot Vacation Savings Vacation Savings

Domain Name System DNS provides a distributed database over the internet that stores various resource records, including: Address (A) record: IP address associated with a host name Mail exchange(mx) record: mail server of a domain Name server (NS) record: authoritative server for a domain Example DNS entries from http://www.maradns.org/tutorial/recordtypes.html Name Servers Domain names: Two or more labels, separated by dots (e.g., cs166.net) Rightmost label is the top-level domain (TLD) Hierarchy of authoritative name servers Information about root domain Information about its subdomains (A records) or references to other name servers (NS records) The authoritative name server hierarchy matches the domain hierarchy: root servers point to DNS servers for TLDs, etc. Root servers, and servers for TLDs change infrequently DNS servers refer to other DNS servers by name, not by IP: sometimes must bootstrap by providing an IP along with a name, called a glue record

com DNS Tree edu... google.com A google.com 66.249.91.104 microsoft.com Amicrosoft.com 207.46.232.182... stanford.edu brown.edu... A stanford.edu 171.67.216.18 A brown.edu 128.148.128.180 cs.brown.edu A cs.brown.edu 128.148.32.110 resource records Namespace Management ICANN: Internet Corporation for Assigned Names and Numbers ICANN has the overall responsibility for managing DNS. It controls the root domain, delegating control over each top-level domain to a domain name registry Along with a small set of general TLDs, every country has its own TLD -- (ctlds) controlled by the government. ICANN is the governing body for all general TLDs Until 1999 all.com,.net and.org registries were handled by Network Solutions Incorporated. After November, 1999, ICANN and NSI had to allow for a shared registration system and there are currently over 500 registrars in the market Also since 1999, ICANN has created additional gtlds including some which are sponsored by consortiums or groups of companies.

Top Level Domains Started in 1984 Originally supposed to be named by function.com for commercial websites,.mil for military Eventually agreed upon unrestricted TLDs for.com,.net,.org,.info In 1994 started allowing country TLDs such as.it,.us Tried to move back to hierarchy of purpose in 2000 with creation of.aero,.museum, etc. Name Resolution Zone: collection of connected nodes with the same authoritative DNS server Resolution method when not in : ISP DNS Server Where is www.example.com? Try com nameserver root name server Client Where is www.example.com? Where is www.example.com? com name server Try example.com nameserver 208.77.188.166 Where is www.example.com? 208.77.188.166 example.com name server

Recursive Name Resolution Server B Server A referral Local Machine Iterative Name Resolution. (root) 1.com Local Name Server 2 3 google.com

Authoritative Name Servers Control distributed among authoritative name servers (ANSs) Responsible for specific domains Can designate other ANS for subdomains ANS can be master or slave Master contains original zone table Slaves are replicas, automatically updating Makes DNS fault tolerant, automatically distributes load ANS must be installed as a NS in parents' zone Dynamic Resolution Many large providers have more than one authoritative name server for a domain Problem: need to locate the instance of domain geographically closest to user Proposed solution: include first 3 octets of requester's IP in recursive requests to allow better service Content distribution networks already do adaptive DNS routing

DNS Caching There would be too much network traffic if a path in the DNS tree would be traversed for each Root zone would be rapidly overloaded DNS servers results for a specified amount of time Specified by ANS reply's time-to-live field Operating systems and browsers also maintain resolvers and DNS s View in Windows with command ipconfig /displaydns Associated privacy issues DNS queries are typically issued over UDP on port 53 16-bit request identifier in payload DNS Caching Step 1: yourdomain.org Local Machine Local NS Authoritative Name Server Step 2: receive reply and at local NS and host Local Machine Local NS Authoritative Name Server

DNS Caching (con'd) Step 3: use d results rather than ing the ANS Local Machine 1 Local NS Local Machine 2 Step 4: Evict entries upon ttl expiration Pharming: DNS Hijacking Changing IP associated with a server maliciously: Normal DNS 208.77.188.166 Pharming attack 74.208.31.63 www.example.com www.example.com http://www.example.com My Premium Blog Spot http://www.example.com My Premium Blog Spot userid: password: userid: password: Phishing: the different web sites look the same.

DNS Cache Poisoning Basic idea: give DNS servers false records and get it d DNS uses a 16-bit request identifier to pair queries with s Cache may be poisoned when a name server: Disregards identifiers Has predictable ids Accepts unsolicited DNS records DNS Cache Poisoning Prevention Use random identifiers for queries Always check identifiers Port randomization for DNS requests Deploy DNSSEC Challenging because it is still being deployed and requires reciprocity

Guarantees: DNSSEC Authenticity of DNS origin Integrity of reply Authenticity of denial of existence Accomplishes this by signing DNS replies at each step of the way Uses public-key cryptography to sign responses Typically use trust anchors, entries in the OS to bootstrap the process DNS Signing

DNSSEC Deployment As the internet becomes regarded as critical infrastructure there is a push to secure DNS NIST is in the process of deploying it on root servers now May add considerable load to dns servers with packet sizes considerably larger than 512 byte size of UDP packets There are political concerns with the US controlling the root level of DNS

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information