The Domain Name System

Similar documents
DNS. Spring 2016 CS 438 Staff 1

Domain Name System DNS

Domain Name System Richard T. B. Ma

Domain Name System (or Service) (DNS) Computer Networks Term B10

DNS: Domain Name System

CS 355. Computer Networking. Wei Lu, Ph.D., P.Eng.

CMPE 80N: Introduction to Networking and the Internet

The Application Layer: DNS

The Domain Name System

How To Map Between Ip Address And Name On A Domain Name System (Dns)

Domain Name System (DNS) Reading: Section in Chapter 9

Domain Name System (DNS) RFC 1034 RFC

Names vs. Addresses. Flat vs. Hierarchical Space. Domain Name System (DNS) Computer Networks. Lecture 5: Domain Name System

Naming and the DNS. Focus. How do we name hosts etc.? Application Presentation Topics. Session Domain Name System (DNS) /URLs

CS 43: Computer Networks Naming and DNS. Kevin Webb Swarthmore College September 17, 2015

Chapter 2 Application Layer

Domain Name System (DNS)

FTP: the file transfer protocol

Internet-Praktikum I Lab 3: DNS

Motivation. Domain Name System (DNS) Flat Namespace. Hierarchical Namespace

DNS and P2P File Sharing

C 1. Last Time. CSE 486/586 Distributed Systems Domain Name System. Review: Causal Ordering. Review: Causally Ordered Multicast.

Network programming, DNS, and NAT. Copyright University of Illinois CS 241 Staff 1

Domain Name System (DNS)

NET0183 Networks and Communications

DNS: Domain Name System

DNS Domain Name System

The Domain Name System

Lecture 2 CS An example of a middleware service: DNS Domain Name System

internet technologies and standards

Ch 6: Networking Services: NAT, DHCP, DNS, Multicasting

1 DNS Packet Structure

Ch 6: Networking Services: NAT, DHCP, DNS, Multicasting, NTP

DNS : Domain Name System

DATA COMMUNICATOIN NETWORKING

Domain Name System (DNS) Fundamentals

DNS at NLnet Labs. Matthijs Mekking

Forouzan: Chapter 17. Domain Name System (DNS)

Teldat Router. DNS Client

3. The Domain Name Service

THE DOMAIN NAME SYSTEM DNS

Computer Networks: Domain Name System

Introduction to Network Operating Systems

Domain Name System. DNS is an example of a large scale client-server application. Copyright 2014 Jim Martin

Distributed Systems. 09. Naming. Paul Krzyzanowski. Rutgers University. Fall 2015

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

Table of Contents DNS. How to package DNS messages. Wire? DNS on the wire. Some advanced topics. Encoding of domain names.

Internetworking with TCP/IP Unit 10. Domain Name System

Hostnames. HOSTS.TXT was a bottleneck. Once there was HOSTS.TXT. CSCE515 Computer Network Programming. Hierarchical Organization of DNS

Domain Name System (DNS) Session-1: Fundamentals. Ayitey Bulley

19 Domain Name System (DNS)

Applications and Services. DNS (Domain Name System)

CS3600 SYSTEMS AND NETWORKS

Computer Networks Prof. S. Ghosh Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture - 34 DNS & Directory

2.5 DNS The Internet s Directory Service

Applications & Application-Layer Protocols: The Domain Name System and Peerto-Peer

CS3250 Distributed Systems

Chapter 23 The Domain Name System (DNS)

The Domain Name System (DNS)

CS 348: Computer Networks. - DNS; 22 nd Oct Instructor: Sridhar Iyer IIT Bombay

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .

Domain Name System :49:44 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

DNS Conformance Test Specification For Client

Resilient Networking. Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning. Securing DNS Split-Split-DNS DNSSEC.

The Domain Name System (DNS)

DNS Basics. DNS Basics

Some advanced topics. Karst Koymans. Friday, September 11, 2015

DNS. Some advanced topics. Karst Koymans. (with Niels Sijm) Informatics Institute University of Amsterdam. (version 2.6, 2013/09/19 10:55:30)

The Domain Name System

Motivation. Users can t remember IP addresses. Implemented by library functions & servers. - Need to map symbolic names (

CS244A Review Session Routing and DNS

The Domain Name System from a security point of view

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. SEED Labs Local DNS Attack Lab 1

DNS Domain Name System

DNS. Computer networks - Administration 1DV202. fredag 30 mars 12

Coordinación. The background image of the cover is desgned by GUIDE TO DNS SECURITY 2

Network(Security(Protocols(

Introduction to DNS CHAPTER 5. In This Chapter

- Domain Name System -

Application Protocols in the TCP/IP Reference Model. Application Protocols in the TCP/IP Reference Model. DNS - Concept. DNS - Domain Name System

Application Protocols in the TCP/IP Reference Model

1 Introduction: Network Applications

Names & Addresses. Names & Addresses. Names vs. Addresses. Identity. Names vs. Addresses. CS 194: Distributed Systems: Naming

HW2 Grade. CS585: Applications. Traditional Applications SMTP SMTP HTTP 11/10/2009

netkit lab dns Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group Version Author(s)

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

Transcription:

The Domain Name System Mark Handley) UCL Computer Science CS 3035/GZ01

Today 1. The Domain Name System (DNS) 2. A Brief Word on DNS Security

A name indicates what we seek. An address indicates where it is. A route indicates how we get there. Jon Postel 22/10/2015 3

Hostnames vs. IP Addresses Hostnames (e.g. www.bbc.co.uk) Mnemonic name used by humans Variable length, full alphabet of characters Provide little (if any) information about location Examples: www.cnn.com and bbc.co.uk IP addresses Numerical address used by routers Fixed length, binary number (e.g., 128.16.64.1) Hierarchical, related to host location 4

Looking Up IP Addresses Before the DNS Per-host file named hosts.txt Flat namespace: each line is an IP address and a name SRI (Menlo Park, California) kept the master copy Everyone else downloads regularly But a single server, manually updated, doesn t scale Always a little out of date name collisions! Traffic implosion (lookups and updates) Single point of failure Need a distributed and hierarchical collection of servers

DNS is a wide-area distributed database The biggest in the world! Goals: Scalability Decentralized maintenance Robustness Global scope Names mean the same thing everywhere Don t need all of ACID Atomicity Strong consistency Do need: distributed update/query & Performance

Default answer to all systems problems: If it doesn t go fast enough, add a cache. If it doesn t scale, add hierarchy. 22/10/2015 7

Domain Name System (DNS) Hierarchical name space divided into pieces called zones Zones distributed over a collection of DNS servers Hierarchy of DNS servers Root servers (identity hardwired into other servers) Top-level domain (TLD) servers Authoritative DNS servers To performing translations: Local DNS servers located near clients Resolver software running on clients

DNS Namespace Is Hierarchical Root:. Top-level Domains (TLDs): com. uk. edu. ac.uk. cmu.edu. mit.edu. ucl.ac.uk. Hierarchy of servers follows hierarchy of DNS zones Zone is contiguous section of namespace e.g., complete tree, single node, or subtree Set of nameservers answers queries for names within zone Nameservers must store names and links to other servers in tree

DNS has many uses Hostname to IP address translation IP address to hostname translation (reverse lookup) Host name aliasing allows other names for a host Can be arbitrarily many aliases Alias host names point to canonical hostname Mail server location Lookup zone s mail server based on zone name Content distribution networks Load balancing among many servers with different IP addresses Complex, hierarchical arrangements are possible

DNS Root Nameservers 13 root servers (see h4p://www.root- servers.org) Named A through M Does this scale? E NASA Mt View, CA F Internet SoPware ConsorQum, Palo Alto, CA (and 37 other locaqons) A Verisign, Dulles, VA C Cogent, Herndon, VA (also Los Angeles, NY, Chicago) D U Maryland College Park, MD K RIPE London (plus 16 other locaqons) G US DoD Vienna, VA H ARL Aberdeen, MD J Verisign (21 locaqons) I Autonomica, Stockholm (plus 29 other locaqons) M WIDE Tokyo plus Seoul, Paris, San Francisco B USC- ISI Marina del Rey, CA L ICANN Los Angeles, CA

DNS Root Nameservers 13 root servers (see h4p://www.root- servers.org) Named A through M Each server really cluster of servers (some geographically distributed), replication via IP anycast E NASA Mt View, CA F Internet SoPware ConsorQum, Palo Alto, CA (and 37 other locaqons) A Verisign, Dulles, VA C Cogent, Herndon, VA (also Los Angeles, NY, Chicago) D U Maryland College Park, MD K RIPE London (plus 16 other locaqons) G US DoD Vienna, VA H ARL Aberdeen, MD J Verisign (21 locaqons) I Autonomica, Stockholm (plus 29 other locaqons) M WIDE Tokyo plus Seoul, Paris, San Francisco B USC- ISI Marina del Rey, CA L ICANN Los Angeles, CA

TLD and Authoritative Servers Top-level domain (TLD) servers Responsible for com, org, net, edu, etc, and all toplevel country domains: uk, fr, ca, jp Network Solutions maintains servers for com TLD Educause for edu TLD Authoritative DNS servers An organization s DNS servers, providing authoritative information for organization s servers Can be maintained by organization or service provider

Local Name Servers Do not strictly belong to hierarchy Each ISP (company, university) has one Also called default or caching name server When host makes DNS query, query is sent to its local DNS server Acts as proxy, forwards query into hierarchy Does work for the client

DNS in Operation Most queries and responses are UDP datagrams Two types of queries: www.scholarly.edu? Recursive: Client NS server may ask other servers if it doesn t know the answer Answer: www.scholarly.edu A 10.0.0.1 Iterative: Client www.scholarly.edu? NS server will reply with what it does know Referral:.edu NS 10.2.3.1

Local NS Does Clients Work Root NS TLD NS 1. Client s resolver makes recursive query to local NS 2. Local NS processing: Local NS Clients Authorita9ve NS Local NS sends iterative queries to other NS s or finds answer in cache 3. Local NS responds with answer to client s request

Recursive vs. Iterative Queries Recursive query Less burden on client More burden on nameserver has to return answer to query Iterative query More burden on client Less burden on nameserver simply refers query to another server Most root and TLD servers will not answer Local name server answers recursive query 17

DNS is a distributed database storing resource records RR includes: (name, type, value, time-to-live) Type = A (address) name is hostname value is IP address Type = NS (name server) name is domain (e.g. cs.ucl.ac.uk) value is hostname of authoritative name server for this domain Type = CNAME name is an alias for some canonical (real) name e.g. www.cs.ucl.ac.uk is really cms.cs.ucl.ac.uk value is canonical name Type = MX (mail exchange) value is name of mail server associated with domain name pref field discriminates between multiple MX records 18

Example: Recursive DNS Lookup Client. (root) authority 198.41.0.4 edu.: NS 192.5.6.30 no.: NS 158.38.8.133 uk.: NS 156.154.100.3 www.scholarly.edu? Contact 192.5.6.30 for edu. www.scholarly.edu? www.scholarly.edu? edu. authority 192.5.6.30 scholarly.edu.: NS 12.35.1.1 pedanqc.edu.: NS 19.31.1.1 Contact 12.35.1.1 for scholarly.edu. Local NS. (root): NS 198.41.0.4 edu.: NS 192.5.6.30 scholarly.edu.: NS 12.35.1.1 scholarly.edu. authority 12.35.1.1 www.scholarly.edu.: A 12.35.2.30 imap.scholarly.edu.: A 12.35.2.31 www.scholarly.edu.: A 12.35.51.30

Example: Recursive Query, Step 1 Glue record

Example: Recursive Query, Step 2 Glue record

Example: Recursive Query, Step 3

DNS Caching Performing all these queries takes time And all this before actual communication takes place e.g., one-second latency before starting Web download Caching can greatly reduce overhead The top-level servers very rarely change Popular sites (e.g., news.bbc.co.uk) visited often Local DNS server often has the information cached How DNS caching works DNS servers cache responses to queries Responses include a time-to-live (TTL) field Server deletes cached entry after TTL expires

Reverse Mapping (IP to Hostname) How do we go the other direction, from an IP address to the corresponding hostname? Why do we care to? Troubleshooting, security, spam IP address already has natural quad hierarchy: 12.34.56.78 But: IP address has most significant hierarchy element on the left, while www.cnn.com has it on the right Idea: reverse the quads = 78.56.34.12, and look that up in the DNS Under what top-level domain? Convention: in- addr.arpa So lookup is for 78.56.34.12.in-addr.arpa

Inserting Resource Records into DNS Example: just created startup FooBar Get a block of address space from ISP, say 212.44.9.128/25 Register foobar.com at Network Solutions (say) Provide registrar with names and IP addresses of your authoritative name server (primary and secondary) Registrar inserts RR pairs into the com TLD server: (foobar.com, dns1.foobar.com, NS) (dns1.foobar.com, 212.44.9.129, A) Put in your (authoritative) server dns1.foobar.com: Type A record for www.foobar.com Type MX record for foobar.com

Setting Up foobar.com (cont d) In addition, need to provide reverse PTR bindings e.g., 212.44.9.129 dns1.foobar.com Normally, these would go in 9.44.212.in- addr.arpa Problem: you can t run the name server for that domain. Why not? Because your block is 212.44.9.128/25, not 212.44.9.0/24 And whoever has 212.44.9.0/25 won t be happy with you owning their PTR records Solution: ISP runs it for you, but it s more of a headache to keep it up-to-date.

DNS protocol operation Most queries and responses via UDP, server port 53 Source port UDP length Query ID Source IP DesQnaQon IP Dest port UDP cksum Q A T R R R opcode A C D A Z rcode IP header UDP header DNS payload

DNS Server State UDP socket listening on port 53 Client 10.0.0.1 10.0.0.1 10.0.0.3 11001 53 UDP length 11 UDP cksum QopcoATRR R de A C D A Z rcod e TLD NS 10.1.0.1 Client 10.0.0.2 10.0.0.2 10.0.0.3 22002 53 UDP length 22 UDP cksum QopcoATRR R de A C D A Z rcod e Local NS 10.0.0.3 TLD NS 10.2.0.1 Local NS at least needs to keep state associating Query ID which query (if any)

DNS Server State UDP socket listening on port 53 Client 10.0.0.1 10.0.0.1 10.0.0.3 11001 53 UDP length 11 UDP cksum QopcoATRR R de A C D A Z rcod e 10.0.0.3 10.1.0.1 10.1.0.1 3300110.0.0.3 53 53 33001 UDP length UDP cksum UDP length UDP cksum Q 23001 R 23001 opcoatrr de C Z rcod A D A QopcoATRR e R de A C D A Z rcod e TLD NS 10.1.0.1 Client 10.0.0.2 10.0.0.2 10.0.0.3 22002 53 UDP length 22 UDP cksum QopcoATRR R de A C D A Z rcod e Local NS 10.0.0.3 10.2.0.1 10.0.0.3 53 10.2.0.1 33002 33002 UDP length 53 QopcoATRR 23002 UDP R de cksum A C D A QopcoATRR 23002 de C Z rcod R A D A e UDP length UDP cksum Z rcod e TLD NS 10.2.0.1 Local NS at least needs to keep state associating Query ID which query (if any)

DNS Resource Record (RR) in Detail type: determines the meaning of rdata class: always IN (Internet) rdata: data associated with the RR 0 1 2 3 4 5 6 7 8 9 1 0 1 2 3 4 5 name (variable length) type class 4l rdlength rdata (variable length)

DNS Protocol Message Query and reply messages have identical format Question section: query for name server Answer section: RRs answering the question Authority section: RRs that point to an authoritative NS Additional section: glue RRs Header QuesQon secqon Answer secqon Authority secqon AddiQonal secqon RR RR RR RR RR RR

DNS Protocol Header Query ID: 16-bit identifier shared between query, reply Flags word QR: query (0) or response (1) opcode: standard query (0) AA: authoritative answer TC: truncation RD: Recursion desired RA: Recursion available Z: (reserved and zeroed) rcode: response code; ok (0) 0 1 2 3 4 5 6 7 8 9 1 2 3 4 5 Q R Query ID A T R R opcode A C D A Z rcode qdcount 1 ancount 0 nscount arcount qdcount: number of question entries (QEs) in message ancount: number of RRs in the answer section nscount: number of RRs in the authority section arcount: number of RRs in the additional section

All problems in computer science can be solved by another level of indirection... Except for the problem of too many layers of indirection. David Wheeler 22/10/2015 33

DNS Load Balancing Big companies want to load balance requests across many servers or datacentres. Can reply with lots of IP addresses in one A record. Only gets you so far. DNS is not required to be globally consistent! Give different answers depending on who asks. Ugly hack, but very widely used. Essentially DNS is the internet s indirection infrastructure. 22/10/2015 34

Today 1. The Domain Name System (DNS) 2. A Brief Word on DNS Security

Open recursive servers DNS servers should not recurse except for local clients. used to not be a problem. got misused DNS amplification attack Attacker sends small query to DNS server: Spoofs source address of request to be that of intended victim DNS server recurses, builds big response packet, sends it to victim repeat from many bots, thousands of times per second 22/10/2015 36

Implications of Subverting DNS 1. Redirect victim s web traffic to rogue servers 2. Redirect victim s email to rogue email servers (MX records in DNS)

Security Problem #1: Coffee Shop As you sip your latte and surf the Web, how does your laptop find google.com? Answer: it asks the local DNS nameserver Which is run by the coffee shop or their contractor And can return to you any answer they please Including a man in the middle site that forwards your query to Google, gets the reply to forward back to you, yet can change anything they wish in either direction How can you know you re getting correct data?

Security Problem #1: Coffee Shop As you sip your latte and surf the Web, how does your laptop find google.com? Answer: it asks the local DNS nameserver Which is run by the coffee shop or their contractor And can return to you any answer they please Including a man in the middle site that forwards your query to Google, gets the reply to forward back to you, yet can change anything they wish in either direction How can you know you re getting correct data?

Security Problem #1: Coffee Shop As you sip your latte and surf the Web, how does your laptop find google.com? Answer: it asks the local DNS nameserver Which is run by the coffee shop or their contractor And can return to you any answer they please Including a man in the middle site that forwards your query How to can Google, you know gets you re the reply getting to forward correct back data? to you, yet can change anything they wish in either direction Today, you can t (though if site is HTTPS, that helps). One day, hopefully: DNSSEC extensions to DNS How can you know you re getting correct data?

Security Problem #2: Cache Poisoning Suppose you are evil and you control the name server for foobar.com. You receive a request to resolve www.foobar.com and reply: ;; QUESTION SECTION:! ;www.foobar.com. IN A!! ;; ANSWER SECTION:! www.foobar.com. 300 IN A 212.44.9.144!! ;; AUTHORITY SECTION:! foobar.com. 600 IN NS dns1.foobar.com.! foobar.com. 600 IN NS google.com.!! ;; ADDITIONAL SECTION:! google.com. 5 IN A 212.44.9.155!! Evidence of the asack disappears 5 seconds later! A foobar.com machine, not google.com

DNS Cache Poisoning (cont d) OK, but how do you get the victim to look up www.foobar.com in the first place? Perhaps you connect to their mail server and send HELO www.foobar.com Which their mail server then looks up to see if it corresponds to your source address (anti-spam measure) Note, with compromised name server we can also lie about PTR records (address name mapping) e.g., for 212.44.9.155 = 155.44.9.212.in- addr.arpa return google.com (or whitehouse.gov, or whatever) If our ISP lets us manage those records as we see fit, or we happen to directly manage them

(Partial) Fix: Bailiwick Checking DNS resolver ignores all RRs not in or under the same zone as the question Widely deployed since ca. 1997 Other attacks remain (e.g., Kaminsky poisoning) ;; QUESTION SECTION:! ;www.foobar.com. IN A!! ;; ANSWER SECTION:! www.foobar.com. 300 IN A 212.44.9.144!! ;; AUTHORITY SECTION:! foobar.com. 600 IN NS dns1.foobar.com.! foobar.com. 600 IN NS google.com.!! ;; ADDITIONAL SECTION:! google.com. 5 IN A 212.44.9.155!!

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information