THE DOMAIN NAME SYSTEM DNS



Similar documents
Motivation. Domain Name System (DNS) Flat Namespace. Hierarchical Namespace

DNS : Domain Name System

Forouzan: Chapter 17. Domain Name System (DNS)

Domain Name System (DNS)

19 Domain Name System (DNS)

The Domain Name System

The Domain Name System (DNS)

DNS Domain Name System

Domain Name System. DNS is an example of a large scale client-server application. Copyright 2014 Jim Martin

Application Protocols in the TCP/IP Reference Model. Application Protocols in the TCP/IP Reference Model. DNS - Concept. DNS - Domain Name System

Application Protocols in the TCP/IP Reference Model

Lecture 2 CS An example of a middleware service: DNS Domain Name System

Domain Name System (DNS) Fundamentals

DNS Conformance Test Specification For Client

netkit lab dns Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group Version Author(s)

DNS at NLnet Labs. Matthijs Mekking

Agenda. Network Services. Domain Names. Domain Name. Domain Names Domain Name System Internationalized Domain Names. Domain Names & DNS

ECE 4321 Computer Networks. Network Programming

Internet-Praktikum I Lab 3: DNS

Chapter 25 Domain Name System Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Introduction to DNS CHAPTER 5. In This Chapter

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .

Internetworking with TCP/IP Unit 10. Domain Name System

Understanding DNS (the Domain Name System)

Domain Name Server. Training Division National Informatics Centre New Delhi

DNS. Computer Networks. Seminar 12

Hostnames. HOSTS.TXT was a bottleneck. Once there was HOSTS.TXT. CSCE515 Computer Network Programming. Hierarchical Organization of DNS

Computer Networks: Domain Name System

Domain Name System (DNS) Session-1: Fundamentals. Ayitey Bulley

DNS. Computer networks - Administration 1DV202. fredag 30 mars 12

DNS. Some advanced topics. Karst Koymans. (with Niels Sijm) Informatics Institute University of Amsterdam. (version 2.6, 2013/09/19 10:55:30)

Teldat Router. DNS Client

CS3250 Distributed Systems

3. The Domain Name Service

Distributed Systems. 09. Naming. Paul Krzyzanowski. Rutgers University. Fall 2015

How to Add Domains and DNS Records

Domain Name System :49:44 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

Application Protocols in the TCP/IP Reference Model. Application Protocols in the TCP/IP Reference Model. DNS - Domain Name System

Table of Contents DNS. How to package DNS messages. Wire? DNS on the wire. Some advanced topics. Encoding of domain names.

Networking Domain Name System

Understand Names Resolution

Networking Domain Name System

what s in a name? taking a deeper look at the domain name system mike boylan penn state mac admins conference

Coordinación. The background image of the cover is desgned by GUIDE TO DNS SECURITY 2

Networking Domain Name System

DNS Domain Name System

Applications and Services. DNS (Domain Name System)

Introduction to the Domain Name System

Domain Name System Richard T. B. Ma

DNS - Domain Name System

Chapter 23 The Domain Name System (DNS)

Basic DNS Course. Module 1. DNS Theory. Ron Aitchison ZYTRAX, Inc. Page 1 of 24

Copyright

- Domain Name System -

DNS & IPv6. Agenda 4/14/2009. MENOG4, 8-9 April Raed Al-Fayez SaudiNIC CITC rfayez@citc.gov.sa, DNS & IPv6.

1 DNS Packet Structure

DNS and BIND. David White

Domain Name System (DNS) RFC 1034 RFC

Chapter 24 The Domain Name System (DNS)

Domain Name System. Heng Sovannarith

The Use of DNS Resource Records

NET0183 Networks and Communications

CS 348: Computer Networks. - DNS; 22 nd Oct Instructor: Sridhar Iyer IIT Bombay

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

Some advanced topics. Karst Koymans. Friday, September 11, 2015

HTG XROADS NETWORKS. Network Appliance How To Guide: DNS Delegation. How To Guide

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

Use Domain Name System and IP Version 6

The Application Layer: DNS

1. Domain Name System

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

API of DNS hosting. For DNS-master and Secondary services Table of contents

Domain Name System DNS

Domain Name Servers. Domain Types WWW host names. Internet Names. COMP476 Networked Computer Systems. Domain Name Servers

DNSSEC Applying cryptography to the Domain Name System

Enterprise Architecture Office Resource Document Design Note - Domain Name System (DNS)

DNS: Domain Name System

Computer Networks Prof. S. Ghosh Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture - 34 DNS & Directory

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

HTG XROADS NETWORKS. Network Appliance How To Guide: EdgeDNS. How To Guide

Domain Name Service (DNS) Training Division, NIC New Delhi

Glossary of Technical Terms Related to IPv6

Outline. Definition. Name spaces Name resolution Example: The Domain Name System Example: X.500, LDAP. Names, Identifiers and Addresses

Tanenbaum, Computer Networks (extraits) Adaptation par J.Bétréma. DNS The Domain Name System

The Domain Name System

Section 1 Overview Section 2 Home... 5

Introduction to Network Operating Systems

The Domain Name System

FAQ (Frequently Asked Questions)

Copyright International Business Machines Corporation All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure

Configuring the BIND name server (named) Configuring the BIND resolver Constructing the name server database files

The Domain Name System (DNS)

Module 2. Configuring and Troubleshooting DNS. Contents:

Applications & Application-Layer Protocols: The Domain Name System and Peerto-Peer

Transcription:

Announcements THE DOMAIN NAME SYSTEM DNS Internet Protocols CSC / ECE 573 Fall, 2005 N. C. State University copyright 2005 Douglas S. Reeves 2 Today s Lecture I. Names vs. Addresses II. III. IV. The Namespace Hierarchy Management of the Namespace Contents of the DNS Database NAMES vs. ADDRESSES V. DNS Queries VI. DNS Messages VII. DNS Security copyright 2005 Douglas S. Reeves 3 www.ietf.org DNS How Do I Get to 132.152.6.21? www.ietf.org? 132.151.6.21 Routing and forwarding ( some hops omitted ) 24.93.64.53 66.15.132.33 66.185.152.29 66.185.139.129 66.185.145.6 152.63.43.178 152.63.41.138 152.63.39.254 152.63.39.97 157.130.44.142 132.151.6.21 Mapping of Names to Addresses Users refer to hosts by names, while IP addresses are binary numbers need a mapping of name(s) IP address(es) Approaches that will not scale to Internet size a single file per host, containing all mappings a flat name space with no structure centralized management of the entire name space copyright 2005 Douglas S. Reeves 5 copyright 2005 Douglas S. Reeves 6 1

The Domain Name System (RFCs 1034, 1035) A hierarchical naming scheme name syntax rules for delegating authority over names A distributed database system A protocol for requesting address bindings Main function is mapping names to IP addresses, but can be used for many other purposes as well Mapping Names to Addresses An application calls a library function, the resolver The resolver sends a UDP packet to a local DNS The DNS looks up the name (may need to contact other s to find the mapping) The DNS returns the IP address to the resolver, which passes it to the application copyright 2005 Douglas S. Reeves 7 copyright 2005 Douglas S. Reeves 8 The Naming Hierarchy THE NAMESPACE HIERARCHY DNS uses a hierarchical delegation of authority the name space is split at the top level topmost level is not concerned with name assignments/changes within a subdivision authority may be further subdivided at each level The name space hierarchy does not have to follow the routing hierarchy; they are independent! a domain a contiguous chunk of address space The name space (tree) is broad and flat, usually no more than 4-5 levels deep copyright 2005 Douglas S. Reeves 10 A Hierarchy Example Domain Name Space: Labels Each node in the tree has a label Generic TLDs? Country Code TLDs? a string of up to 63 characters no two children of a single node may have the same labels copyright 2005 Douglas S. Reeves 11 copyright 2005 Douglas S. Reeves 12 2

Domain: a subtree of the domain name space each domain covers many hosts Top-level domain (TLD): a domain starting just below root Domains Domain Name Space: Domain Names Each node in the tree has a domain name a sequence (from the node up to the root) of dotseparated labels (e.g., mulberry.csc.ncsu.edu.) max of 255 characters in a fully-qualified domain name (FQDN) Partially-qualified domain name (PQDN) (e.g., mulberry.csc) label not ending in a top-level domain DNS client must provide the missing suffix, e.g., csc.ncsu.edu, ncsu.edu copyright 2005 Douglas S. Reeves 13 copyright 2005 Douglas S. Reeves 14 Domain Names and Labels Hierarchy of Name Servers No single entity stores the entire database of resource records, for reasons of efficiency and scalability reliability security Information is distributed among DNS (name) s s are organized hierarchically each is responsible, or authoritative, for part of the name space database copyright 2005 Douglas S. Reeves 15 copyright 2005 Douglas S. Reeves 16 Example Name Server Hierarchy Zones Zone: the part of the tree for which a is responsible (over which it has authority) Zone Domain Zone file: database of resource records for each node in zone copyright 2005 Douglas S. Reeves 17 copyright 2005 Douglas S. Reeves 18 3

Zones and Domains Example Primary and Secondary Zone Servers Primary or authoritative creates, stores, maintains, and updates zone file for its zone must know IP addresses of all root s may know parent (one level up) copyright 2005 Douglas S. Reeves 19 Secondary s serve as backups / alternates, and should not run on same host attach to same network obtain electrical power from same source etc. copyright 2005 Douglas S. Reeves 20 Zone Servers (cont d) Secondary obtains all information from primary (zone transfer) query primary every 3 hours secondary is also authoritative for zone it backs up Typical name is authoritative for hundreds of zones Root Servers Root is a whose zone contains the root of the DNS hierarchy Root usually does not store any information about domains delegates authority to other s for all second-level domains keeps pointer (name and IP address) to those s copyright 2005 Douglas S. Reeves 21 copyright 2005 Douglas S. Reeves 22 Root Servers (cont d) Currently, there are 13 root s around the world MANAGEMENT OF THE NAMESPACE copyright 2005 Douglas S. Reeves 23 4

The Original Top Level Domains The Original Generic TLDs TLDs come in two flavors one is based on function (generic), one is based on geographic location each organization is free to choose how/where to register Domain.com.net.edu.mil.org.gov.int Description Commercial organizations (global) Network service providers US higher education US military Nonprofit organizations (global) US government International organizations copyright 2005 Douglas S. Reeves 25 copyright 2005 Douglas S. Reeves 26 New Generic TLDs Country Code TLDs (243 of them!) Domain.biz.info.name.museum.aero.coop.jobs.travel.int.pro Description Businesses or firms Information service providers Personal nomenclatures Museums Air transport providers Cooperatives Human resources managers Travel industry Organizations established by international treaty For the professions copyright 2005 Douglas S. Reeves 27.ac Ascension Island.ad Andorra.ae United Arab Emirates.af Afghanistan.ag Antigua and Barbuda.ai Anguilla.al Albania.am Armenia.an Netherlands Antilles.ao Angola.aq Antarctica.ar Argentina.as American Samoa.at Austria.au Australia.aw Aruba.az Azerbaijan.ba Bosnia and Herzegovina.bb Barbados.bd Bangladesh.be Belgium.bf Burkina Faso.ua Ukraine.ug Uganda.uk United Kingdom.um US Minor Outlying Islands.us United States.uy Uruguay.uz Uzbekistan.va Holy See (City Vatican State).vc Saint Vincent and the Grenadines.ve Venezuela.vg Virgin Islands (British).vi Virgin Islands (USA).vn Vietnam.vu Vanuatu.wf Wallis and Futuna Islands.ws Western Samoa.ye Yemen.yt Mayotte.yu Yugoslavia.za South Africa.zm Zambia.zw Zimbabwe copyright 2005 Douglas S. Reeves 28 Management of Names and Numbers ICANN (Internet Corporation for Assigned Names and Numbers) manages the Domain Name System an international not-for-profit, non-governmental organization also coordinates the allocation of IP address space Registrars actually handle requests for name registration and assess fees commercially operated, competitive Management of Names and Numbers (cont d) IANA (Internet Assigned Numbers Authority) oversees registration for various IP parameters, such as port numbers protocol and enterprise numbers options codes types copyright 2005 Douglas S. Reeves 29 copyright 2005 Douglas S. Reeves 30 5

Why is Name Registration so Political? Whoever controls names controls access! one root, or many? who is allowed to provide name registry services? who is allowed to speak on behalf of a country or organization? e.g., does WWF = World Wildlife Foundation or World Wrestling Federation? CONTENTS OF THE DNS DATABASE What happens if ICANN loses control and there are independent DNS hierarchies? copyright 2005 Douglas S. Reeves 31 DNS Resource Records Domain name database consists of a set of records about each name in the domain distributed among DNS s by zone Resource records specifies one type of information about a domain name users must specify the type of information desired when querying a name DNS Resource Records (cont d) Contents 1.Time to live: indication of how long the information is valid 2.Type: what kind of information this is 3.Data or information copyright 2005 Douglas S. Reeves 33 copyright 2005 Douglas S. Reeves 34 Examples of Resource Record Types Some Other RRs Type A AAAA Meaning Host address Host address Data 32-bit IPv4 address 128-bit IPv6 address Service discovery Geographic location MX Mail exchanger Name of accepting email for this domain NS Name Name of authoritative for zone CNAME Canonical name Real domain name (for this alias) PTR Pointer Domain name (for IP address domain name mapping) HINFO Host description Type of CPU and O.S. for this host TXT Text Uninterpreted ASCII text SOA Start of authority Parameters specifying which part of the naming hierarchy implements copyright 2005 Douglas S. Reeves 36 6

Start of Authority (SOA) Parameters Primary DNS Server for the domain Email Address for an administrator for the domain Sequence # SOA Parameters (cont d) Retry Interval = minimum time before retrying the request, if no answer Validity Interval = max time before zone records must be refreshed by the primary Cache Interval = minimum TTL (validity interval) that should be exported with any RR for this zone Timers Refresh Interval = minimum time between successive requests for zone records from the primary copyright 2005 Douglas S. Reeves 37 copyright 2005 Douglas S. Reeves 38 The nslookup, dig, and host commands Examples Programs to query Internet name s interactively available for both Unix and Windows can specify what information you want, for what host, and what (s) you want to check can turn recursion on or off copyright 2005 Douglas S. Reeves 39 > csc.ncsu.edu Server: ns4.ncsu.edu Address: 152.1.1.161 csc.ncsu.edu MX preference = 10, mail exchanger = celestial-switchboard.csc.ncsu.edu csc.ncsu.edu primary name = ns1.ncsu.edu responsible mail addr = hostmaster.ncsu.edu serial = 8484 refresh = 28800 (8 hours) retry = 3600 (1 hour) expire = 2678400 (31 days) default TTL = 3600 (1 hour) csc.ncsu.edu name = ns6.ncsu.edu csc.ncsu.edu name = ns1.ncsu.edu celestial-switchboard.csc.ncsu.edu internet address = 152.1.61.45 ns6.ncsu.edu internet address = 152.1.2.22 ns1.ncsu.edu internet address = 152.1.1.22 copyright 2005 Douglas S. Reeves 40 Name Resolution Features distributed: multiple s cooperate DNS QUERIES efficient: most mappings are done locally reliable: no single point of failure Search for name executes from bottom upwards most searches are answered locally Queries may be recursive or iterative copyright 2005 Douglas S. Reeves 42 7

Name Resolution (cont d) Response is either a complete answer or, the identity of the next to contact if response comes from authority managing the record, it is marked as authoritative DNS over UDP or TCP? Normally, uses UDP as transport protocol if the Response is truncated, client issues the Request again, this time using TCP TCP returns the entire Response without truncation zone transfers (between primary and secondary s) only use TCP copyright 2005 Douglas S. Reeves 43 copyright 2005 Douglas S. Reeves 44 Recursive Resolution (caching not shown) Iterative Resolution (caching not shown) In a recursive query, the resolver expects a response from the local name If the local cannot supply the answer, it will send the query to the closest known authoritative name The root sends a referral to the edu. Querying this yields a referral to the of ncsu.edu etc. response 1 st query: mulberry.csc.ncsu.edu Name query Resolver Referral to edu name 2nd query: mulberry.csc.ncsu.edu Referral to ncsu.edu name root edu 3rd query: mulberry.csc.ncsu.edu Referral to csc.ncsu.edu name 4 th query: mulberry.csc.ncsu.edu IP address of mulberry.csc.ncsu.edu ncsu.edu csc.ncsu.edu copyright 2005 Douglas S. Reeves 45 In an iterative query, the name sends a closest known authoritative name This involves more work for the resolver referral to root Name query Resolver 1 st query: mulberry.csc.ncsu.edu referral to edu name 2 nd query: mulberry.csc.ncsu.edu referral to ncsu.edu name 3 rd query: mulberry.csc.ncsu.edu referral to csc.ncsu.edu name 4 th query: mulberry.csc.ncsu.edu root edu ncsu.edu csc.ncsu.edu copyright 2005 Douglas S. Reeves 46 IP address of mulberry.csc.ncsu.edu Reverse Mappings and Pointer Queries Reverse Mapping How map IP address to domain name? have to start at top of DNS tree and try every top-level domain?! in-addr.arpa domain contains domain names which are the inverse of IP addresses of hosts Ex.: host with IP address 152.1.54.48 is represented by the domain name 48.54.1.152.in-addr.arpa note reversal of order returns PTR Resource Record (i.e., domain name) copyright 2005 Douglas S. Reeves 47 copyright 2005 Douglas S. Reeves 48 8

Inverse Queries E.g., ask for the IP addresses for domain csc.ncsu.edu Good? Bad? DNS Caching Not feasible to contact root for every DNS query Each must maintain a cache of recent bindings hosts may do so Benefits less network traffic less load on name s more robust / better fault tolerance copyright 2005 Douglas S. Reeves 49 copyright 2005 Douglas S. Reeves 50 DNS Caching (cont d) Answers from authoritative include a TTL value specifies how long the authority guarantees the binding will remain valid cache entries are purged (timed out) when TTL expires DNS MESSAGES If has a cached copy of a mapping, it returns a non-authoritative binding the source of information (the authoritative name that provided this binding) the IP address of this authoritative name copyright 2005 Douglas S. Reeves 51 Message Formats DNS Header Format Identification field is set by client for matching Responses to Requests copyright 2005 Douglas S. Reeves 53 copyright 2005 Douglas S. Reeves 54 9

Flags Compressed Name Format QR: query or response? OpCode: standard or reverse query? AA: authoritative answer? TC: answer truncated (UDP used, only first 512 bytes returned) RD: recursion desired? RA: recursion available? rcode (return code): no error, query error, Query Name can be arbitrary length but each part no more than 63 bytes long Query Type = type of Resource Record desired failure, name not found, copyright 2005 Douglas S. Reeves 55 copyright 2005 Douglas S. Reeves 56 Resource Records (in Response Messages) Each of Answer, Authority, and Additional Info Sections consist of a set of Resource Records Domain Name, Type, Class same as in Query Message DNS and Security TTL in seconds; usually = 2 days may be 0 to prevent caching copyright 2005 Douglas S. Reeves 57 DNS The Security KEY Resource (RFC 2535) Record (cont d) A resource record format defined to associate keys with DNS names permits DNS to be used as a public key distribution mechanism in support of DNS and other protocols a resolver can learn a public key of a zone either by reading it from DNS, or by having it statically configured Flags Protocol The KEY Resource Record 1 = TLS, 2 = email, 3 = DNSSEC, 4 = IPSEC Type 1 RSA/MD5 [RFC 2537] - recommended 2 Diffie-Hellman [RFC 2539] - optional, key only 3 DSA [RFC 2536] - MANDATORY 4 reserved for elliptic curve cryptography copyright 2005 Douglas S. Reeves 59 Key Value copyright 2005 Douglas S. Reeves 60 10

The SIG Resource Record Authentication of Resource Records cryptographically-generated digital signatures Contents Type of RRs covered by this signature Algorithm Type At least one SIG Resource Record for each resource type under that name a security aware will attempt to return with Resource Records the corresponding SIGs The SIG Resource Record (cont d) Inception Date and Expiration Date of signature Domain Name of the Signer generating the signature Signature copyright 2005 Douglas S. Reeves 61 copyright 2005 Douglas S. Reeves 62 DNS consists of a protocol a distributed database a naming scheme Summary The namespace is hierarchical Name allocation is profitable and politically charged Summary (cont d) DNS uses a distributed database of name address mappings DNS uses caching to speed up performance DNS is vital to the Internet security is critical issue Highly robust copyright 2005 Douglas S. Reeves 63 copyright 2005 Douglas S. Reeves 64 Security and IPSec Next Lecture copyright 2005 Douglas S. Reeves 65 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information