Lesson 06: The Domain Name System
julien.cervelle@polytechnique.edu

Introduction
- What is the IP address of your casert's computer? Most geeks know.
- What is the IP address of Frankiz? Some of the geeks know.
- What is the IP address of Google? Dunno, Chrome knows it.
- What is the IP address of the rest of the world? Dunno, Google knows it.
- Regular people do not know the IP addresses of the servers they are talking to.
- One needs to give names to IP addresses:
  o file /etc/hosts
  o YP/NIS database
  o neither is scalable nor up to date

Functional specification: goal of DNS
- From a name, return an IP address.
- From a domain, return the mail exchanger.
- This specification has not been extended to other services, for which canonical (but not normalized) server names are used (thus an A record): www, smtp, ...
- In Java:
    import java.net.InetAddress;

    InetAddress address = InetAddress.getByName("polytechnique.academy");

- For lower-level access, see JNDI/DNS:

    import javax.naming.directory.Attributes;
    import javax.naming.directory.InitialDirContext;

    InitialDirContext context = new InitialDirContext();
    Attributes att = context.getAttributes("dns:/polytechnique.fr");

Relevance to the business sphere
- DNS is worldwide, so it is managed worldwide.
- The global entity responsible for DNS is ICANN (Internet Corporation for Assigned Names and Numbers).
- Each gTLD (global top-level domain, see below) is managed by an organization:
  o AFNIC for .fr
  o EURid for .eu
  o ICM Registry for .xxx
  o MuseDoma for .museum
- End users ask for a domain name from a registrar, which acts as an intermediary between them and the above-mentioned organizations.

Assigning domains policy
- The usual policy for assigning domains is first come, first served.
- When a new gTLD opens, trademark holders can get priority.
- Some gTLDs have requirements:
  o .ca requires one to be Canadian or a Canadian company.
  o .fr was reserved for businesses (a KBIS or trademark was required) and .nom.fr for people; now freely opened and full.
Domain name for a company
- Getting a domain corresponding to your business is of utmost importance.
- Which gTLD? .fr, .eu, .com, .org, all of them?
  o Leaving out a gTLD can cause a problem if you extend your business to another country (dropbox.fr was not DropBox: cybersquatters).
  o ICANN has offered companies the possibility to register their own gTLD; only general-purpose names seem to be accepted.
- What if someone already has it?
  o Usually, one has to pay a lot for it. How much did onedrive.com cost Microsoft? Yet Blizzard (Activision) were offered diablo3.com.
  o It can sometimes go to trial: milka.fr once belonged to a seamstress. The trial gave it back to Kraft Foods, who owned the trademark but only for classes 5, 29, 30 and 32 (not sewing). The judge spoke of a "marque notoire" (a well-known trademark).
Fully Qualified Domain Names
- A name is a Fully Qualified Domain Name (FQDN): www.enseignement.polytechnique.fr. (see the final dot?)
- FQDNs form a tree.
- An FQDN targets a unique node of the tree.
- Edges are dots (.).
- Paths are written right to left from the root.
- The last dot can be omitted, except in the configuration files of DNS zones, where a name without a final dot means "append the current domain name".
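The tree walk and the zone-file "missing final dot" rule above, as an added example in Python (not code from the lecture): the helpers split an FQDN into labels, list the nodes visited from the root down to the name, and apply the zone-file rule that a name without a trailing dot is relative to the zone origin. All names used are constructed for illustration.

```python
# Added example: FQDN labels, the path from the root, and the zone-file
# "missing final dot" rule. Names below are constructed for illustration.

def labels(fqdn):
    """Split an FQDN into its labels, root excluded.
    'www.example.fr.' -> ['www', 'example', 'fr']; '.' -> []"""
    name = fqdn.lower().rstrip(".")
    return name.split(".") if name else []

def path_from_root(fqdn):
    """Nodes visited when walking the tree right to left from the root:
    '.' then 'fr.' then 'example.fr.' then the name itself."""
    labs = labels(fqdn)
    return ["."] + [".".join(labs[i:]) + "." for i in range(len(labs) - 1, -1, -1)]

def absolute_name(name, origin):
    """Zone-file rule: a name with a trailing dot is already absolute; without
    one, the zone's origin is appended. '@' stands for the origin itself."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"

def is_subdomain(name, zone):
    """True if name lies in the subtree rooted at zone (zone itself included)."""
    return zone == "." or name == zone or name.endswith("." + zone)

if __name__ == "__main__":
    print(path_from_root("www.enseignement.polytechnique.fr."))
    # A classic zone-file mistake: forgetting the final dot on an NS target
    # inside the example.fr. zone makes the name relative to the origin.
    print(absolute_name("ns1.example.fr", "example.fr."))   # ns1.example.fr.example.fr.
    print(absolute_name("ns1.example.fr.", "example.fr."))  # ns1.example.fr.
```

The last two calls show why the rule matters in practice: a forgotten final dot silently produces a name that exists nowhere in the tree, and the delegation or mail routing that depends on it stops working.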
DNS records
- DNS assigns several data types to an FQDN.
- For hosts:
  o A = an IPv4 address of the host
  o AAAA = an IPv6 address of the host
  o CNAME = alias to another name
- For domains:
  o NS = the name server in charge of the domain (see below)
  o MX = the mail server in charge of email addresses ending in @domain
  o SOA = information about the domain owner
  o DNAME = alias to another domain, applied to the whole subtree
- Other:
  o TXT = some text
DNS protocol
- Based on the design pattern "chain of responsibility": if I do not know the answer to a question, I know someone else to ask.
- Each node (but the leaves) is managed by a server, the name server of the domain.
- Such servers know:
  o all the records of the domain;
  o the name servers of the sub-domains.
- Domain "." is managed by the root servers (see root-servers.org).

DNS chain of queries
- To get the A record of domain a.b.c.d.:
- Ask the root servers what the NS record of d. is.
  o Answer = ns.d., with IP address xxx
- Ask ns.d. what the NS record of c.d. is.
  o Answer = ns2.c.d., with IP address yyy
- Ask ns2.c.d. what the NS record of b.c.d. is.
  o Answer = sdn.b.c.d., with IP address zzz
- Ask sdn.b.c.d. what the A record of a.b.c.d. is.
  o Answer = a.b.c.d. is a CNAME for t.u.v.w.x.y.z. Arrrrghhhh (the whole chain starts again for that name)

Cache system
- Based on the design pattern "proxy".
- To prevent overloading servers, and for faster answers to common queries, end users configure (often via DHCP) a DNS server which:
  o accepts recursive queries;
  o finds the answer, possibly by asking other servers.
- Usually, only your own DNS servers accept recursive queries.
- 8.8.8.8 is Google's recursive DNS server (what privacy statement?).
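The chain of queries above, as an added example in Python (not the lecture's code): a small iterative resolver walks a constructed toy tree of name servers, follows each NS referral with its glue address, and, when the final answer turns out to be a CNAME, restarts from the root for the target name. The servers, their addresses (documentation ranges) and the records are all constructed; a real resolver would send UDP queries instead of calling `query` on a dictionary.

```python
# Added example: an iterative resolver walking a constructed toy name-server
# tree, following NS referrals and the CNAME at the end just as in the lesson.
# Server addresses use the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges.

ROOT = "198.51.100.1"

# Each server knows the records of its zone plus NS (and glue A) for its delegations.
SERVERS = {
    "198.51.100.1": {"zone": ".", "records": {
        ("d.", "NS"): ["ns.d."], ("ns.d.", "A"): ["198.51.100.2"],
        ("z.", "NS"): ["ns.z."], ("ns.z.", "A"): ["198.51.100.5"]}},
    "198.51.100.2": {"zone": "d.", "records": {
        ("c.d.", "NS"): ["ns2.c.d."], ("ns2.c.d.", "A"): ["198.51.100.3"]}},
    "198.51.100.3": {"zone": "c.d.", "records": {
        ("b.c.d.", "NS"): ["sdn.b.c.d."], ("sdn.b.c.d.", "A"): ["198.51.100.4"]}},
    "198.51.100.4": {"zone": "b.c.d.", "records": {
        ("a.b.c.d.", "CNAME"): ["t.u.v.w.x.y.z."]}},
    "198.51.100.5": {"zone": "z.", "records": {
        ("t.u.v.w.x.y.z.", "A"): ["203.0.113.10"]}},
}

def query(server_ip, name, rtype):
    """One non-recursive query. Returns ('answer', type, data),
    ('referral', zone, [(ns_name, ns_ip), ...]) for the closest delegation
    the server knows, or ('nodata', None, [])."""
    recs = SERVERS[server_ip]["records"]
    if (name, rtype) in recs:
        return "answer", rtype, recs[(name, rtype)]
    if (name, "CNAME") in recs:
        return "answer", "CNAME", recs[(name, "CNAME")]
    labs = name.rstrip(".").split(".")
    for i in range(len(labs)):            # longest matching delegation first
        zone = ".".join(labs[i:]) + "."
        if (zone, "NS") in recs:
            glue = [(ns, recs[(ns, "A")][0]) for ns in recs[(zone, "NS")]]
            return "referral", zone, glue
    return "nodata", None, []

def resolve(name, rtype="A", max_steps=20):
    """Iterative resolution from the root. Returns (data, trace); each trace
    entry is (server_ip, name, kind, detail) so the chain can be inspected."""
    trace = []
    server = ROOT
    for _ in range(max_steps):
        kind, what, data = query(server, name, rtype)
        trace.append((server, name, kind, what))
        if kind == "referral":
            server = data[0][1]            # go ask the delegated name server
        elif kind == "answer" and what == "CNAME" and rtype != "CNAME":
            name, server = data[0], ROOT   # the "Arrrrghhhh": restart for the target
        elif kind == "answer":
            return data, trace
        else:
            return [], trace
    raise RuntimeError("referral or CNAME loop: gave up after %d steps" % max_steps)

if __name__ == "__main__":
    addresses, steps = resolve("a.b.c.d.")
    for step in steps:
        print(step)
    print(addresses)
```

The `max_steps` bound is the part a production resolver cannot do without: a misconfigured delegation that points back at itself, or two CNAMEs aliasing each other, would otherwise keep the resolver looping forever.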
TTL
- Primary servers give a hint to other servers about the time to live of answers to queries.
- Servers are supposed to drop the answer after the TTL expires.
- A regular server's TTL is a few days.
- dyndns.org servers' TTL is a minute.
- The SOA record gives a TTL for negative answers.

Reverse DNS
- DNS offers a way to get a name from an IP address.
- A special PTR record is used.
- For IPv4 address 1.2.3.4, request the PTR record of 4.3.2.1.in-addr.arpa.
- For IPv6 address 1.2.3…d.e.f, request the PTR record of f.e.d…3.2.1.ip6.arpa. (one hex digit per label).
- Some mail servers require clients to have a reverse DNS entry.
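The TTL rules above, as an added example in Python (not the lecture's code): a resolver cache that stores each answer with the TTL hint, hands back the remaining lifetime on a hit, drops entries once they expire, and caches a negative answer for the SOA-derived time (RFC 2308 takes the minimum of the SOA MINIMUM field and the SOA record's own TTL). The clock is injectable, and `FakeClock`, the names and the TTL values in `demo` are constructed so the behaviour can be checked without waiting days.

```python
# Added example: a resolver cache that honours the TTL hint, serves the
# remaining TTL, and caches negative answers for the SOA-derived time.
# The clock is injectable so behaviour can be checked without waiting.
import time

class DnsCache:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.entries = {}  # (name, rtype) -> (expires_at, data); data None = negative

    def store(self, name, rtype, data, ttl):
        self.entries[(name, rtype)] = (self.clock() + ttl, data)

    def store_negative(self, name, rtype, soa_minimum, soa_ttl):
        # RFC 2308: a negative answer is cached for min(SOA MINIMUM, TTL of the SOA)
        self.store(name, rtype, None, min(soa_minimum, soa_ttl))

    def lookup(self, name, rtype):
        """Returns (status, data, remaining_ttl); status is 'hit', 'negative' or 'miss'."""
        entry = self.entries.get((name, rtype))
        if entry is None:
            return "miss", None, 0
        expires_at, data = entry
        remaining = expires_at - self.clock()
        if remaining <= 0:                      # expired: drop it, as servers are supposed to
            del self.entries[(name, rtype)]
            return "miss", None, 0
        return ("negative" if data is None else "hit"), data, remaining

class FakeClock:
    """Constructed clock for the demonstration: advance() moves time forward."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds

def demo():
    clock = FakeClock()
    cache = DnsCache(clock)
    cache.store("www.example.fr.", "A", ["192.0.2.10"], ttl=2 * 86400)   # "a few days"
    cache.store("home.dyndns.example.", "A", ["198.51.100.7"], ttl=60)  # dyndns-style
    cache.store_negative("nosuch.example.fr.", "A", soa_minimum=3600, soa_ttl=600)
    clock.advance(90)            # 90 seconds later: the one-minute entry is gone
    return {
        "regular": cache.lookup("www.example.fr.", "A"),
        "dyndns": cache.lookup("home.dyndns.example.", "A"),
        "negative": cache.lookup("nosuch.example.fr.", "A"),
    }

if __name__ == "__main__":
    print(demo())
```

Serving the remaining TTL rather than the original one is what keeps the whole chain of caches consistent: a downstream cache that received the full TTL would hold the record longer than the primary server intended.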
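The reverse-DNS names above, as an added example in Python (not the lecture's code): `reverse_name` builds the PTR owner name for an IPv4 or IPv6 address, `address_from_reverse_name` goes back the other way and rejects malformed input, and `forward_confirmed` performs the check a mail server applies to a connecting client (the PTR must name a host whose address record points back at the same address). The `PTR` and `A` tables are constructed sample zone data.

```python
# Added example: building the PTR owner names from IPv4 and IPv6 addresses,
# turning them back into addresses, and the forward-confirmed check a mail
# server performs on a connecting client. Lookup tables are constructed.
import ipaddress

def reverse_name(address):
    """1.2.3.4 -> 4.3.2.1.in-addr.arpa.; IPv6 uses one label per hex digit (nibble)."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")            # 32 zero-padded hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def address_from_reverse_name(name):
    """Inverse of reverse_name; raises ValueError on malformed input."""
    name = name.lower().rstrip(".")
    if name.endswith(".in-addr.arpa"):
        parts = name[: -len(".in-addr.arpa")].split(".")
        if len(parts) != 4:
            raise ValueError("need exactly 4 octets: %r" % name)
        return str(ipaddress.IPv4Address(".".join(reversed(parts))))
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError("need exactly 32 nibbles: %r" % name)
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    raise ValueError("not a reverse name: %r" % name)

def forward_confirmed(address, ptr_records, a_records):
    """FCrDNS: the PTR of the client address must name a host whose A/AAAA
    record points back at that same address."""
    names = ptr_records.get(reverse_name(address), [])
    return any(address in a_records.get(n, []) for n in names)

# Constructed sample zone data (documentation ranges) for the demonstration.
PTR = {"25.2.0.192.in-addr.arpa.": ["mail.example.fr."],
       "26.2.0.192.in-addr.arpa.": ["bogus.example.net."]}
A = {"mail.example.fr.": ["192.0.2.25"], "bogus.example.net.": ["198.51.100.1"]}

if __name__ == "__main__":
    print(reverse_name("1.2.3.4"))
    print(reverse_name("2001:db8::1"))
    print(forward_confirmed("192.0.2.25", PTR, A), forward_confirmed("192.0.2.26", PTR, A))
```

The second address in the sample data has a PTR record but no matching forward record, which is exactly the case the forward-confirmed check is there to catch: whoever controls the reverse zone of an address range can put any name in a PTR, but only the owner of the forward zone can make the name point back.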
- Queries consist of a question section.
- Answers consist of:
  o the question section repeated (UDP, you know);
  o an answer section (the possible answers to your query);
  o an authority section (who to ask for an authoritative answer);
  o an additional section (not the answer to the question, yet useful):
    - for instance, an NS answer is a name, as a string; the IP address is in the additional section;
    - of course, some hackers find it interesting to add false answers here (cache poisoning);
  o some control bits:
    - authoritative or not;
    - recursion possible or not;
    - DNSSEC validation or not.
- A section is a list of records.
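The message layout above, as an added example in Python (not the lecture's code): a minimal parser that reads the header control bits, the question and the three record sections from a DNS response, handles RFC 1035 name compression with a loop guard, and then applies the bailiwick rule a cache uses against the additional-section trick mentioned in the lecture, keeping only glue that lies under a zone the authority section actually delegates. The packet `SAMPLE` is constructed in the block itself (documentation addresses, a made-up foreign record) and is the only input.

```python
# Added example: a minimal parser for a DNS response (header flags, question,
# answer/authority/additional sections, name compression) run over a
# constructed packet, plus the bailiwick check a cache applies to glue.
import struct

A, NS = 1, 2

def encode_name(name):
    """Wire-encode an FQDN as length-prefixed labels ending in a zero byte."""
    labs = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labs) + b"\x00"

def pointer(offset):
    """RFC 1035 compression pointer to a name earlier in the message."""
    return struct.pack("!H", 0xC000 | offset)

def rr(owner_wire, rtype, ttl, rdata):
    return owner_wire + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

# Constructed response to "www.example.com. A?" (flags 0x8580 = QR, AA, RD, RA).
# Offsets: question name starts at 12, "example.com." at 16.
HEADER = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 1, 2)
QUESTION = encode_name("www.example.com.") + struct.pack("!HH", A, 1)
NS_NAME = b"\x03ns1" + pointer(16)
SAMPLE = (HEADER + QUESTION
          + rr(pointer(12), A, 300, bytes([192, 0, 2, 1]))            # answer
          + rr(pointer(16), NS, 3600, NS_NAME)                         # authority
          + rr(NS_NAME, A, 3600, bytes([192, 0, 2, 53]))               # glue
          + rr(encode_name("www.bank.test."), A, 3600, bytes([203, 0, 113, 7])))  # foreign

def read_name(buf, off, depth=0):
    """Decode a possibly compressed name at off; returns (name, offset after it)."""
    labels = []
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:
            if depth > 16:
                raise ValueError("compression pointer loop")
            target = ((length & 0x3F) << 8) | buf[off + 1]
            tail, _ = read_name(buf, target, depth + 1)
            if tail != ".":
                labels.append(tail.rstrip("."))
            return ".".join(labels) + ".", off + 2
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        labels.append(buf[off:off + length].decode("ascii"))
        off += length

def read_rr(buf, off):
    owner, off = read_name(buf, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
    off += 10
    if rtype == A and rdlen == 4:
        data = ".".join(str(b) for b in buf[off:off + 4])
    elif rtype == NS:
        data, _ = read_name(buf, off)
    else:
        data = buf[off:off + rdlen].hex()
    return {"name": owner, "type": rtype, "ttl": ttl, "data": data}, off + rdlen

def parse_message(buf):
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off, questions = 12, []
    for _ in range(qd):
        qname, off = read_name(buf, off)
        qtype, _qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append({"name": qname, "type": qtype})
    msg = {"id": ident, "aa": bool(flags & 0x0400), "rd": bool(flags & 0x0100),
           "ra": bool(flags & 0x0080), "ad": bool(flags & 0x0020),
           "rcode": flags & 0xF, "question": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            record, off = read_rr(buf, off)
            records.append(record)
        msg[section] = records
    return msg

def in_bailiwick(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)

def trusted_glue(msg):
    """Keep an additional record only if it belongs under a zone the authority
    section actually delegates; anything else is dropped rather than cached."""
    zones = [r["name"] for r in msg["authority"] if r["type"] == NS]
    return [r for r in msg["additional"] if any(in_bailiwick(r["name"], z) for z in zones)]
```

Running `parse_message(SAMPLE)` yields two additional records, but `trusted_glue` keeps only `ns1.example.com.`: the record for `www.bank.test.` is outside the bailiwick of the delegating zone, so a cache that honours this rule never stores it, whatever the server that sent it intended.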
DNSSEC
- DNSSEC provides a way to sign records.
- The mechanism relies on the same chain of responsibility design pattern:
  o the root servers tell how to check the records sent by the gTLDs;
  o each server tells how to check the records managed by its sub-domains.
- This is achieved by a PKI (public key infrastructure):
  o a public key can check the validity of a record (given by a node to clients for verifying the sub-nodes' answers);
  o a private key, only owned by the domain owner, can create a verifiable record.

DNS system-wise
- DNS is deeply installed in the system.
- A standard libc call, gethostbyname, asks for a DNS resolution.
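The DNSSEC chain of responsibility above, as an added example in Python (not the lecture's code): every zone holds a key pair, the parent publishes and signs a DS digest of its child's public key, and a validator configured with only the root key walks from the root down to a signed A record, refusing the record if any link is missing or tampered with. Toy RSA on fixed Mersenne primes stands in for the real DNSSEC algorithms, and the zones, keys and records are constructed; none of this is the real DNSSEC record or wire format, only the shape of the chain.

```python
# Added example (constructed): the DNSSEC chain of trust modelled with toy RSA.
# Real DNSSEC uses standardised algorithms, RRSIG/DNSKEY/DS records and
# canonical wire encoding; only the shape of the chain is reproduced here.
import hashlib

def make_key(p, q, e=65537):
    """Toy RSA key from two fixed primes (never do this for real keys)."""
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def _digest_int(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(key, message):
    return pow(_digest_int(message, key["n"]), key["d"], key["n"])

def verify(pub, message, signature):
    return pow(signature, pub["e"], pub["n"]) == _digest_int(message, pub["n"])

def ds_digest(pub):
    """What the parent publishes for a child: a hash of the child's public key."""
    return hashlib.sha256(f"{pub['n']}:{pub['e']}".encode()).hexdigest()

def rrset_bytes(owner, rtype, data):
    return f"{owner} {rtype} {data}".encode()

def signed(zone_key, owner, rtype, data):
    return {"owner": owner, "type": rtype, "data": data,
            "sig": sign(zone_key, rrset_bytes(owner, rtype, data))}

# Constructed zones; each signs its own records, including the DS of its child.
KEYS = {".": make_key(2**31 - 1, 2**61 - 1),
        "fr.": make_key(2**89 - 1, 2**107 - 1),
        "polytechnique.fr.": make_key(2**127 - 1, 2**521 - 1)}
ZONES = {
    ".": {"DNSKEY": public(KEYS["."]),
          "records": [signed(KEYS["."], "fr.", "DS", ds_digest(public(KEYS["fr."])))]},
    "fr.": {"DNSKEY": public(KEYS["fr."]),
            "records": [signed(KEYS["fr."], "polytechnique.fr.", "DS",
                               ds_digest(public(KEYS["polytechnique.fr."])))]},
    "polytechnique.fr.": {"DNSKEY": public(KEYS["polytechnique.fr."]),
                          "records": [signed(KEYS["polytechnique.fr."],
                                             "www.polytechnique.fr.", "A", "192.0.2.10")]},
}
TRUST_ANCHOR = public(KEYS["."])   # the one key a validator is configured with

def find(zone, owner, rtype):
    return next((r for r in ZONES[zone]["records"]
                 if r["owner"] == owner and r["type"] == rtype), None)

def validate(zone_path, record):
    """Walk the chain of responsibility: the trust anchor vouches for the root
    key, each parent's signed DS vouches for the child's key, and the last
    zone's key must have signed the record. Any broken link makes it bogus."""
    pub = TRUST_ANCHOR
    if ZONES[zone_path[0]]["DNSKEY"] != pub:
        return False
    for parent, child in zip(zone_path, zone_path[1:]):
        ds = find(parent, child, "DS")
        if ds is None or not verify(pub, rrset_bytes(child, "DS", ds["data"]), ds["sig"]):
            return False                          # parent never vouched for this child
        child_key = ZONES[child]["DNSKEY"]
        if ds_digest(child_key) != ds["data"]:
            return False                          # child's key does not match the DS
        pub = child_key
    return verify(pub, rrset_bytes(record["owner"], record["type"], record["data"]),
                  record["sig"])

if __name__ == "__main__":
    rec = find("polytechnique.fr.", "www.polytechnique.fr.", "A")
    print(validate([".", "fr.", "polytechnique.fr."], rec))
```

The point the model makes is that the validator never needs the private keys and never trusts a key it is handed directly: each public key is accepted only because the zone above it signed a digest of it, all the way up to the single root key the validator was configured with.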
- Cascade of libraries: libc uses NSS, which uses resolv+, which uses DNS.

How to get a domain name
- Go to your favorite registrar (see http://www.icann.org/registrar-reports/accredited-list.html).
- See if the domain you like is available (e.g. cave-k.es).
- See if you meet the domain requirements (e.g. .ca is only available to Canadians).
- Pay the fee (6 for cave-k.es, some hundreds of $ for premium domains).
- Configure the DNS NS record and its IP address at the registrar.
- Of course, most registrars offer services:
  o DNS server
  o web hosting
  o mail hosting
  o VoIP