Internet-Praktikum I Lab 3: DNS



Kommunikationsnetze
Internet-Praktikum I, Lab 3: DNS
Mark Schmidt, Andreas Stockmayer
Summer semester 2015
kn.inf.uni-tuebingen.de

Motivation for the DNS

Problem
- IP addresses are hard for humans to remember
Idea
- Replace the IP address by a hostname
- But the IP address is still necessary to contact the server
- Translation required: hostname -> IP address, IP address -> hostname
Requirements
- Unique hostnames
- Scalable resolution system
In the 1980s: a hosts file stored on every computer
- Stores names and IP addresses for all nodes in the Internet
- Not scalable for millions of nodes
Why not a centralized name server?
- Single point of failure
- Traffic volume
- Distant centralized database
- Maintenance
- Doesn't scale!

M. Schmidt, A. Stockmayer: Internet-Praktikum I, SS 2015

Domain Names

[Figure: name tree. Root -> top-level domains org, edu, com, net, gov, mil, de, fr, be -> second-level domains ieee, kit, oracle, apple, fbi, whitehouse, uni-tuebingen, ccc, inria -> subdomains and hosts such as java, mail, www, informatik, zdv, fsi, bib, thallo, atlas. Example path: www.informatik.uni-tuebingen.de]

Hierarchical name space
- The entirety of all names can be represented as a tree
- Divided into several levels of domains and subdomains
- A domain contains all names in its subtree
Uniqueness of names
- Each domain can delegate subdomains or machine names
- Names for subdomains or machine names are unique within the delegating domain

Structure of the Domain Name System (DNS)
- A name server resolves domain names into values (e.g. IP numbers)
- DNS relies on the hierarchy of domain names
Zone
- A domain subtree (connected, but not necessarily complete) for which a server keeps its own data
- Multiple name servers may keep data for the same zone (robustness!)
- Not equivalent to a domain!
Name servers know, for all subdomains or host names below them, either
- the desired values, or
- another name server that knows more
Root servers
- Know all name servers for all top-level domains
- Have well-known IP addresses

Location of the 13 Root Name Servers
- Many are mirrored multiple times and reachable via anycast
- So there are actually more than 13 physical name servers
- See: http://en.wikipedia.org/wiki/root_nameserver

Control of the Internet
Internet Corporation for Assigned Names and Numbers (ICANN)
- Used to be part of the US Department of Commerce
- Independent since 2009
- Still located in the US, so it depends on US law
- "Government of the Internet"
- Manages the root name servers
Internet Assigned Numbers Authority (IANA)
- Subdivision of ICANN
- Controls the assignment of: top-level domains, IP addresses, IP protocol numbers, port numbers

TLD and Authoritative Servers
Root servers
- Know all name servers for all top-level domains
Top-level domain (TLD) servers
- Responsible for com, org, net, edu, etc., and for all top-level country domains (uk, fr, ca, jp, de, ...)
- VeriSign maintains the servers for the com TLD
- Educause for the edu TLD
Authoritative DNS servers
- Name servers providing authoritative information from their own databases
- Usually maintained by the organization or a service provider

DNS Resolvers and Local Name Servers
DNS resolver
- Software module implementing the DNS protocol
- Resolves DNS names to IP addresses
- Used by hosts and by name servers
End hosts
- DNS resolver configured with local name server(s)
- Performs recursive queries
Local (caching) name server
- Full name resolution requires the IP address list of the current root servers: maintenance overhead, should be avoided on end hosts
- Does not strictly belong to the hierarchy
- Each ISP (residential ISP, company, university) has one
- Accepts recursive queries and performs iterative queries

Recursive Queries
- Puts the burden of name resolution on the contacted name server
- Requires state in servers
- Heavy load?

[Figure: requesting host cis.poly.edu asks local DNS server dns.poly.edu (1), which asks the root DNS server (2), which asks the TLD DNS server (3), which asks the authoritative DNS server dns.cs.umass.edu (4) for gaia.cs.umass.edu; the answer travels back along the same chain (5, 6, 7, 8)]

Iterative Queries
- Host at cis.poly.edu wants the IP address for gaia.cs.umass.edu
- Each contacted server replies with the name of the server to contact next: "I don't know this name, but ask this server"
- The local DNS server performs iterative queries to process the recursive query issued by the host

[Figure: requesting host cis.poly.edu asks local DNS server dns.poly.edu (1); dns.poly.edu queries the root DNS server (2, 3), the TLD DNS server (4, 5) and the authoritative DNS server dns.cs.umass.edu (6, 7) in turn for gaia.cs.umass.edu, then answers the host (8)]

Recursive and Iterative Queries
- Pure recursive queries do not exist in reality
- In the query chain, usually only the first step is a recursive query
- Name servers that accept recursive queries perform iterative queries
- Exception: DNS proxies like Dnsmasq or the built-in DNS servers of consumer DSL routers both accept and perform recursive queries (2 recursive steps in those cases)
- DNS root servers and TLD servers never accept recursive queries
- Authoritative name servers usually do not allow recursive queries, or accept them only from selected clients
- Authoritative-only name servers do not process queries for names outside their own zones

DNS: Caching and Updating Records
- Once (any) name server learns a mapping, it caches the mapping
- Cache entries time out (disappear) after some time
- TLD servers are typically cached in local name servers
  - Root name servers are not visited often
- DNS is intended for static mappings
Dynamic DNS (DynDNS, DDNS) for dynamic mappings
- Short timeouts (TTL = 60 s)
- Useful when the IP address changes frequently
- The DynDNS client is required to update the authoritative name server
  - May be done by DHCP
- A heartbeat mechanism is needed to detect when the host is down
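The recursive-to-iterative hand-off of the last three slides and the caching behaviour of this one, as an added example that is not part of the slides: a stub sends one recursive query to a local name server, which walks the hierarchy with iterative queries, follows referrals via the glue addresses, and caches the result with a TTL. The name servers live in an in-memory dict keyed by hypothetical addresses from the 192.0.2.0/24 documentation prefix; only the slide's host and server names are taken from the page.

```python
import time

# Constructed "Internet": name servers keyed by (hypothetical) IP address.
# Records are (owner, type, value); the A record beside each NS record is the
# glue a real server would return in the additional section of a referral.
SERVERS = {
    "192.0.2.1": [("edu.", "NS", "a.edu-servers.net."),          # root server
                  ("a.edu-servers.net.", "A", "192.0.2.2")],
    "192.0.2.2": [("umass.edu.", "NS", "dns.cs.umass.edu."),     # edu TLD server
                  ("dns.cs.umass.edu.", "A", "192.0.2.3")],
    "192.0.2.3": [("gaia.cs.umass.edu.", "A", "192.0.2.13")],    # authoritative
}
ROOT_HINT = "192.0.2.1"   # the root address a local server must be configured with

def ask(server_ip, qname, qtype):
    """One iterative query: answer from own data, or refer to the closest delegation."""
    records = SERVERS[server_ip]
    for owner, rtype, value in records:
        if owner == qname and rtype == qtype:
            return "answer", value
    delegation = None
    for owner, rtype, value in records:
        if rtype == "NS" and qname.endswith("." + owner) and (delegation is None or len(owner) > len(delegation[0])):
            delegation = (owner, value)
    if delegation is None:
        return "nxdomain", None
    glue = [v for o, t, v in records if o == delegation[1] and t == "A"]
    return "referral", glue[0]        # "I don't know this name, but ask this server"

class LocalNameServer:
    """Caching local name server: resolves the stub's recursive query iteratively."""
    def __init__(self, ttl=60, clock=time.time):
        self.cache = {}                # (qname, qtype) -> (value, expiry time)
        self.ttl, self.clock = ttl, clock
        self.trace = []                # servers contacted by the most recent query

    def resolve(self, qname, qtype):
        self.trace = []
        key = (qname, qtype)
        if key in self.cache and self.cache[key][1] > self.clock():
            return self.cache[key][0]  # cache hit: no upstream traffic at all
        server = ROOT_HINT
        for _ in range(8):             # bound the referral chain
            self.trace.append(server)
            kind, value = ask(server, qname, qtype)
            if kind == "answer":
                self.cache[key] = (value, self.clock() + self.ttl)
                return value
            if kind == "nxdomain":
                return None
            server = value             # follow the referral one level down
        return None
```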

Packet Format
- DNS is mostly UDP based (port 53)
  - More efficient, no handshake/teardown required
- DNS header: query ID, number of entries in the following fields, additional control information (recursion, authority, truncated payload, error codes, etc.)
- Queries: consist of DNS names (e.g. www.wikipedia.org) and the record type of the query (e.g. A, MX, PTR)
- Answer / Authority / Additional resource records (RRs)
  - One or more RRs containing the requested DNS information
  - Names of the authoritative (responsible) name servers
  - Additional RRs that were not explicitly requested (e.g. matching A or AAAA RRs for queried NS or MX RRs)

Resource Records (RR)

Format: Resource Record   | Description
A (Address)               | IPv4 address for a name
AAAA                      | IPv6 address for a name
NS                        | Responsible name server
MX (Mail Exchanger)       | (Incoming) email server for a domain
CNAME (Canonical Name)    | Alias name
PTR (Pointer)             | Name for an IP address
TXT (Text)                | Text (used for SPF)
SRV (Service)             | Name and port number of the server responsible for a service

DNS Example: A and MX Records

A record lookup:
1. Client wants http://www.uni-tuebingen.de/
2. Client asks the local name server: IP address for www.uni-tuebingen.de?
3. Root name server answers: de NS a.nic.de; a.nic.de A 194.0.0.53
4. .de TLD name server answers: uni-tuebingen.de NS dns1.uni-tuebingen.de; dns1.uni-tuebingen.de A 134.2.200.1
5. dns1.uni-tuebingen.de (authoritative name server) answers: www.uni-tuebingen.de A 134.2.2.29
6. Client contacts the http server at 134.2.2.29

MX record lookup:
1. Mail to: menth@uni-tuebingen.de
2. MX for uni-tuebingen.de?
3. dns1.uni-tuebingen.de (authoritative name server) answers: uni-tuebingen.de MX 500 mx03.uni-tuebingen.de; mx03.uni-tuebingen.de A 134.2.3.13
4. Client contacts the smtp server at 134.2.3.13

DNS: Reverse Lookup
Objective: get the name for an IP address
Operation
- Special subtree in DNS: in-addr.arpa
  - Used for mapping IP address to name
  - Every IP address corresponds to an entry below in-addr.arpa
- Hierarchical structure
  - Every part of the IP address corresponds to a node in the tree
- DNS query
  - Uses the PTR record
  - Contains the reversed IP address

[Figure: tree arpa -> in-addr -> 207 -> 171 -> 168 -> 16]

DNS: Example
IPv4 address: 207.171.168.16
- DNS name in query: 16.168.171.207.in-addr.arpa
- Result (Answer RR): www.amazon.de
IPv6 address: 2a02:2e0:3fe:100::6
- DNS name in query: 6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.e.f.3.0.0.e.2.0.2.0.a.2.ip6.arpa
- Result (Answer RR): www.six.heise.de
Useful tool: http://www.lookupserver.com

Examples

dig +norecurse www.wikipedia.org

; <<>> DiG 9.8.4 <<>> +norecurse www.wikipedia.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60908
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;www.wikipedia.org.    IN  A

;; ANSWER SECTION:
www.wikipedia.org.  1946  IN  CNAME  text.wikimedia.org.

;; AUTHORITY SECTION:
wikimedia.org.  75383  IN  NS  ns0.wikimedia.org.
wikimedia.org.  75383  IN  NS  ns1.wikimedia.org.
wikimedia.org.  75383  IN  NS  ns2.wikimedia.org.

;; ADDITIONAL SECTION:
ns1.wikimedia.org.  3248  IN  A  208.80.152.142
ns2.wikimedia.org.  3248  IN  A  91.198.174.4
ns0.wikimedia.org.  3248  IN  A  208.80.152.130

;; Query time: 2 msec
;; SERVER: 134.2.14.4#53(134.2.14.4)
;; WHEN: Thu Nov 18 18:48:17 2010
;; MSG SIZE  rcvd: 166

Examples

dig wikipedia.org mx

; <<>> DiG 9.8.4 <<>> wikipedia.org mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54355
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;wikipedia.org.    IN  MX

;; ANSWER SECTION:
wikipedia.org.  3317  IN  MX  50 lists.wikimedia.org.
wikipedia.org.  3317  IN  MX  10 mchenry.wikimedia.org.

;; AUTHORITY SECTION:
wikipedia.org.  47834  IN  NS  ns1.wikimedia.org.
wikipedia.org.  47834  IN  NS  ns2.wikimedia.org.
wikipedia.org.  47834  IN  NS  ns0.wikimedia.org.

;; ADDITIONAL SECTION:
ns0.wikimedia.org.  3304  IN  A  208.80.152.130
ns2.wikimedia.org.  3304  IN  A  91.198.174.4
ns1.wikimedia.org.  3304  IN  A  208.80.152.142

;; Query time: 3 msec
;; SERVER: 134.2.14.4#53(134.2.14.4)
;; WHEN: Thu Nov 18 18:47:21 2010
;; MSG SIZE  rcvd: 189

Security
- DNS was originally designed at a time when security considerations were of low priority due to the small number of users
- DNS messages do not contain digital signatures
  - Recipients cannot verify their authenticity
- The hierarchical structure of DNS leads to a massive impact when a name server at one of the top levels is compromised
- Political problem: who controls the root servers and the root zone?

Security: Examples
DNS spoofing
- A rogue name server sends a forged reply (faster than the real name server)
DNS cache poisoning
- Exploiting vulnerabilities in DNS software to inject manipulated non-authoritative data into caching name servers
- Google: Dan Kaminsky + DNS + Exploit/Bug
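The resolver-side checks that limit the two attacks named above, as an added example that is not part of the slides: a forged reply only gets accepted if it matches the pending query's source address, destination port, transaction ID and question, and records outside the queried server's bailiwick are discarded rather than cached, which is what stops unsolicited additional records from poisoning the cache. Responses are constructed dicts rather than wire packets, and all names and addresses are hypothetical.

```python
import secrets

class PendingQuery:
    """Per-query state kept while a reply is outstanding. A random 16-bit ID
    plus a random source port is what makes blind forgery expensive; with a
    fixed port only the ID (1 chance in 65536 per forged packet) protects."""
    def __init__(self, qname, qtype, server_ip, bailiwick):
        self.qname, self.qtype = qname.lower(), qtype
        self.server_ip, self.bailiwick = server_ip, bailiwick.lower()
        self.qid = secrets.randbelow(1 << 16)
        self.src_port = 1024 + secrets.randbelow(65536 - 1024)

def in_bailiwick(owner, zone):
    """A server queried for `zone` may only vouch for names at or below it."""
    owner, zone = owner.lower(), zone.lower()
    return zone == "." or owner == zone or owner.endswith("." + zone)

def validate_response(pending, resp):
    """resp: dict with src_ip, dst_port, id, question (name, type) and the
    sections answer/authority/additional as lists of (owner, type, value).
    Returns (cacheable_records, reason): an empty list with a reason means the
    whole reply was dropped; otherwise only out-of-bailiwick RRs were discarded."""
    if resp["src_ip"] != pending.server_ip or resp["dst_port"] != pending.src_port:
        return [], "source address or destination port does not match the query"
    if resp["id"] != pending.qid:
        return [], "transaction ID mismatch"
    qname, qtype = resp["question"]
    if (qname.lower(), qtype) != (pending.qname, pending.qtype):
        return [], "question section does not match the query"
    keep, dropped = [], []
    for section in ("answer", "authority", "additional"):
        for owner, rtype, value in resp.get(section, []):
            if in_bailiwick(owner, pending.bailiwick):
                keep.append((section, owner, rtype, value))
            else:
                dropped.append(owner)      # e.g. unsolicited glue for a foreign zone
    reason = "ok" if not dropped else "dropped out-of-bailiwick: " + ", ".join(dropped)
    return keep, reason
```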

DNSSEC
- DNSSEC: Security Extensions (RFC 4033)
- Introduces cryptographic mechanisms into DNS
- Public-key hierarchy alongside the DNS hierarchy
- Root zone signed since 2010
New RRs for DNSSEC:

Name    | Content
DS      | Hash of the key for a zone
DNSKEY  | Public key of a zone
RRSIG   | Digital signature of another RR
NSEC    | Pointer to the next signed RR (to prove the non-existence of RRs in between)
NSEC3   | Replacement for NSEC, using hashes instead of names, to prevent zone walking
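How the NSEC chain proves non-existence, and why it also permits zone walking, as an added example that is not part of the slides: names are compared in the canonical order of RFC 4034 (labels from the root downward, case-insensitive, a parent before its children), a name is proven absent when it falls strictly between an NSEC owner and its next name (or after the last owner, whose next name wraps to the apex), and following the chain from the apex enumerates every owner name. The zone is a constructed example.com. zone; in real validation each NSEC RR's RRSIG must be verified first, which is omitted here. NSEC3 applies the same interval logic to hashed owner names.

```python
def canonical_key(name):
    """Sort key for RFC 4034 canonical DNS name order: labels reversed so the
    root end is compared first, lowercased, compared byte by byte; a tuple that
    is a prefix of another sorts first, so a parent precedes its children."""
    stripped = name.lower().rstrip(".")
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode("ascii") for label in reversed(labels))

def nsec_covers(owner, next_name, qname, apex):
    """True if the NSEC record owner -> next_name proves that qname does not exist."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if n == canonical_key(apex):          # last NSEC in the chain wraps to the apex
        return o < q
    return o < q < n

def prove_nonexistence(nsec_chain, qname, apex):
    """Return the (owner, next) pair that covers qname, or None if the chain
    does not prove absence (e.g. because the name exists)."""
    for owner, next_name, _types in nsec_chain:
        if nsec_covers(owner, next_name, qname, apex):
            return owner, next_name
    return None

def walk_zone(nsec_chain, apex):
    """Follow the chain from the apex: every owner name in the zone falls out,
    which is the information leak NSEC3 was introduced to close."""
    nxt = {owner: next_name for owner, next_name, _types in nsec_chain}
    names, cur = [], apex
    while True:
        names.append(cur)
        cur = nxt[cur]
        if cur == apex or len(names) > len(nxt):   # back at the apex, or a broken chain
            return names

# Constructed, already-signature-checked NSEC chain of a hypothetical zone.
APEX = "example.com."
NSEC_CHAIN = [
    ("example.com.", "a.example.com.", ("NS", "SOA", "RRSIG", "NSEC", "DNSKEY")),
    ("a.example.com.", "mail.example.com.", ("A", "RRSIG", "NSEC")),
    ("mail.example.com.", "www.example.com.", ("A", "MX", "RRSIG", "NSEC")),
    ("www.example.com.", "example.com.", ("A", "AAAA", "RRSIG", "NSEC")),
]
```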