CSEE W4140 Networking Laboratory Lecture 10: DNS Jong Yul Kim 04.12.2010.


Page 1: CSEE W4140 Networking Laboratory Lecture 10: DNS Jong Yul Kim 04.12.2010.

CSEE W4140 Networking Laboratory

Lecture 10: DNS

Jong Yul Kim, 04.12.2010

Page 2:

Domain Name System

Many RFCs describe the DNS.

We’ll look at RFC 1034, “Domain Concepts and Facilities”.

Page 3:

DNS Design Goals

“Consistent name space for referring to resources”

Distributed database, with local caching. The data source is responsible for maintaining fresh, accurate information.

Must be generally useful: associate names with sets of data, such as host addresses, mailbox data, host OS.

Independent of the communications system that carries the queries and responses.

Page 4:

Elements of the DNS

Domain name space and resource records: specifications for a tree-structured name space and the data associated with the names.

Name servers: server programs which hold information about the domain tree’s structure and associated data.

Resolvers: client programs that extract information by querying name servers.

Page 5:

Domain name space

A tree structure.

Each node corresponds to a resource set.

Each node has a label up to 63 octets in length (case-insensitive).

The domain name of a node is the list of labels on the path from the node to the root of the tree.

Figure: example domain tree with the nodes . (root), edu, columbia, cs, www, ee and cc.

Page 6:

Resource records (RR)

Resource information for a particular domain name is written as resource records.

Elements of an RR are:

Owner: the domain name where the RR is found
Type: the kind of resource the record describes (and the kind a query asks for)
Class: IN = Internet
TTL: time-to-live in seconds for caches
RDATA: the actual data

Page 7:

Resource records (RR)

RR Types:

A: host address
CNAME: canonical name
HINFO: OS / CPU info
MX: mail server info
NS: authoritative name server
PTR: pointer to another node
SOA: start of authority

Page 8:

DNS message format

Queries and responses are sent using UDP port 53

Page 9:

Zones

The domain database is partitioned into zones.

Zones are formed by cutting the domain tree and then grouping the nodes that are still connected.

A zone is:

Authoritative for all nodes within the zone
Usually managed by one organization

Figure: domain tree with the nodes . (root), .edu, .virginia.edu, .uci.edu, cs.virginia.edu and math.virginia.edu, with labels marking which groupings are a domain, a zone, or both a zone and a domain.

Page 10:

DNS Hierarchy

Root and top-level domains are administered by the Internet central name registration authority (ICANN).

Below the top-level domain, administration of the name space is delegated to organizations.

Each organization can delegate further.

Figure: hierarchy with . (root); the top-level domains com, gov, edu and org; the second-level domains toronto.edu and uci.edu; ece.toronto.edu and math.toronto.edu below toronto.edu; and the host neon.ece.toronto.edu.

Page 11:

Root servers

The root zone is at the very top of the domain tree.

The root servers are statically entered into resolvers and name servers.

13 logical root servers in the world, named with the letters A ~ M.

171 physical root servers.

http://www.root-servers.org/

Page 12:

Root Servers

Redundancy

Redundant hardware that takes over from a failed one, with or without human intervention. At least 3 recommended, with one in a remote site [3].

Backups of the zone file stored at off-site locations.

Connectivity to the Internet.

Diversity

Geographically located in 130 places in 53 countries.

Topological diversity matters more.

Hardware, software and operating system of the servers.

Diverse organizations, personnel and operational processes.

Distribution of zone files within the root server operator.

[1] Bush et al. Root Name Server Operational Requirements. RFC 2870. IETF, 2000.
[2] http://www.icann.org/en/committees/security/dns-security-update-1.htm
[3] Elz et al. Selection and Operation of Secondary DNS Servers. RFC 2182. IETF, 1997.

Page 13:

The use of anycast

Basic anycast

Announce the identical IP address from multiple nodes.

The routing system takes the client request to the closest node.

Hierarchical anycast

Global vs. local nodes.

If any node fails, it stops its announcement; a global node takes over automatically.

[1] Abley, Hierarchical Anycast for Global Service Distribution. ISC Technical Note 2003-1. 2003.

Page 14:

Is anycast good for everyone? [1]

Not really…

Packets for long sessions may go to another node if the routing dynamics change (service time and stability of routing).

A lot of routing considerations: aggregated prefixes, multiple services from a prefix, consideration of the route propagation radius.

[1] Abley and Lindqvist, Operation of Anycast Services. RFC 4786. IETF, 2006.

Page 15:

Top Level Domain (TLD)

Country code TLD (ccTLD)

TLDs with two letters: .cn, .in, .kr

Each country manages its own TLD.

Generic TLD (gTLD)

TLDs with three or more letters: .com, .net, .org, .edu, .gov, .aero

Management is delegated to organizations.

A sponsored gTLD is one where the domain is limited to ‘approved’ organizations (.aero).

.arpa TLD

Used to convert IP addresses to domain names.

Page 16:

Registry Listings from ICANN

TLD | Introduced | Sponsored/Unsponsored | Purpose | Sponsor/Operator | Contact
.com | 1985 | Unsponsored | Unrestricted (but intended for commercial registrants) | VeriSign, Inc. | Registry Customer Service, VeriSign Naming Services, 21345 Ridgetop Circle, Dulles, Virginia 20166, United States. Tel: +1 703 925-6999, Fax: +1 703 421-5828, http://www.verisign-grs.com
.edu | 1985 | Sponsored | United States educational institutions | EDUCAUSE | Becky Granger, EDUCAUSE, 4772 Walnut Street, Suite 206, Boulder, Colorado 80301, United States. Tel: +1-303-939-0334, Fax: +1-303-440-0461, http://www.educause.edu/edudomain
.net | 1985 | Unsponsored | Unrestricted (but intended for network providers, etc.) | VeriSign, Inc. | Registry Customer Service, VeriSign Naming Services, 21345 Ridgetop Circle, Dulles, Virginia 20166, United States. Tel: +1 703 925-6999, Fax: +1 703 421-5828, http://www.verisign-grs.com

Page 17:

Recursive and Iterative Queries

There are two types of queries:

Recursive queries
Iterative (non-recursive) queries

The type of query is determined by a bit in the DNS query.

Recursive query: when the name server of a host cannot resolve a query, the server itself issues further queries to resolve it.

Iterative query: when the name server of a host cannot resolve a query, it sends the resolver a referral to another server.
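The message format from Page 8 and the "bit in the DNS query" from this page, as an added example that is not part of the lecture material: it builds a DNS query for neon.cs.virginia.edu in the RFC 1035 wire layout (12-byte header followed by the question) and decodes the header flags. The recursion desired (RD) bit is what distinguishes a recursive query from an iterative one; the label encoding enforces the 63-octet limit from Page 5. It runs offline and sends nothing.

```python
# Added example (not from the lecture slides): build a DNS query message and
# decode its header. RD ("recursion desired") set = recursive query; RD clear =
# iterative query, answered with a referral. Layout per RFC 1035.
import struct

A_TYPE, IN_CLASS = 1, 1
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080

def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte.
    Each label is at most 63 octets (RFC 1034); longer labels are rejected."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}: must be 1..63 octets")
        out.append(len(raw))
        out += raw
    out.append(0)  # the empty root label terminates the name
    return bytes(out)

def build_query(name: str, txid: int, recursive: bool) -> bytes:
    """Standard query (opcode 0) for an A record; RD is set only when recursive."""
    flags = FLAG_RD if recursive else 0
    # header fields: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", A_TYPE, IN_CLASS)
    return header + question

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into the fields a resolver looks at."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "authoritative": bool(flags & FLAG_AA),  # AA: answer from zone data, not cache
        "recursion_desired": bool(flags & FLAG_RD),
        "recursion_available": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }

if __name__ == "__main__":
    query = build_query("neon.cs.virginia.edu", 0x1234, recursive=True)
    print(query.hex())
    print(parse_header(query))
```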

Page 18:

Recursive Queries

In a recursive query, the resolver expects the final response from the name server.

If the server cannot supply the answer, it will send the query to the “closest known” authoritative name server (here, in the worst case, the closest known server is the root server).

The root server sends a referral to the “edu” server. Querying this server yields a referral to the server of “virginia.edu”.

… and so on.

Figure: the resolver sends one query for neon.cs.virginia.edu to its name server and receives one response. The name server does the work: 1st query to the root server, which answers with a referral to the edu name server; 2nd query to the edu server, which answers with a referral to the virginia.edu name server; 3rd query to the virginia.edu server, which answers with a referral to the cs.virginia.edu name server; 4th query to the cs.virginia.edu server, which answers with the IP address of neon.cs.virginia.edu.

Page 19:

Iterative Queries

In an iterative query, the name server sends the resolver a referral to the closest known authoritative name server (here: the root server).

This involves more work for the resolver.

Figure: the resolver queries its name server for neon.cs.virginia.edu and gets back a referral to the root server. The resolver then does the work itself: 1st query to the root server, which answers with a referral to the edu name server; 2nd query to the edu server, which answers with a referral to the virginia.edu name server; 3rd query to the virginia.edu server, which answers with a referral to the cs.virginia.edu name server; 4th query to the cs.virginia.edu server, which answers with the IP address of neon.cs.virginia.edu.

Page 20:

Caching

To reduce DNS traffic, name servers cache information on domain name/IP address mappings.

When an entry for a query is in the cache, the server does not contact other servers.

Note: if an entry is served from the cache, the reply from the server is marked as “non-authoritative”.

Authoritative servers can dictate how long the record is cached using the TTL value.
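The caching behaviour described above, as an added example that is not part of the lecture material: a minimal resolver cache that honours the TTL set by the authoritative server, counts the TTL down to the time remaining when it serves a cached answer, flags such answers as non-authoritative, and evicts expired entries so the resolver has to ask an authoritative server again. The `ask_authority` function stands in for the network and is supplied by the caller; the clock is injectable so the expiry can be exercised without waiting.

```python
# Added example (not from the lecture slides): a TTL-honouring resolver cache.
# Names are compared case-insensitively, as DNS labels are.
import time
from typing import Callable, Optional

class RRCache:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        # (owner, type) -> (rdata, absolute expiry time)
        self._entries: dict[tuple[str, str], tuple[str, float]] = {}

    @staticmethod
    def _key(name: str, rtype: str) -> tuple[str, str]:
        return (name.rstrip(".").lower(), rtype.upper())

    def store(self, name: str, rtype: str, rdata: str, ttl: int) -> None:
        """Remember an authoritative answer; a TTL of 0 means 'do not cache'."""
        if ttl <= 0:
            return
        self._entries[self._key(name, rtype)] = (rdata, self._clock() + ttl)

    def lookup(self, name: str, rtype: str) -> Optional[dict]:
        """Return the cached answer with its remaining TTL, or None on a miss.
        An expired entry counts as a miss and is evicted."""
        key = self._key(name, rtype)
        hit = self._entries.get(key)
        if hit is None:
            return None
        rdata, expires = hit
        remaining = expires - self._clock()
        if remaining <= 0:
            del self._entries[key]
            return None
        return {"rdata": rdata, "ttl": int(remaining), "authoritative": False}

def resolve(cache: RRCache, name: str, rtype: str,
            ask_authority: Callable[[str, str], tuple[str, int]]) -> dict:
    """Serve from the cache when possible; otherwise ask the authority (a
    caller-supplied stand-in for the network) and cache what it returns."""
    cached = cache.lookup(name, rtype)
    if cached is not None:
        return cached
    rdata, ttl = ask_authority(name, rtype)
    cache.store(name, rtype, rdata, ttl)
    return {"rdata": rdata, "ttl": ttl, "authoritative": True}
```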

Page 21:

Sample zone file (db.mylab.com)

    $TTL 86400
    mylab.com.      IN  SOA  PC4.mylab.com. hostmaster.mylab.com. (
                             1         ; serial
                             28800     ; refresh
                             7200      ; retry
                             604800    ; expire
                             86400     ; ttl
                             )
    ;
    mylab.com.      IN  NS   PC4.mylab.com.
    ;
    localhost           A    127.0.0.1
    PC4.mylab.com.      A    10.0.1.41
    PC3.mylab.com.      A    10.0.1.31
    PC2.mylab.com.      A    10.0.1.21
    PC1.mylab.com.      A    10.0.1.11

$TTL 86400: max. age of cached data in seconds.

Start of authority (SOA) record. Means: “This name server is authoritative for the zone mylab.com.” PC4.mylab.com is the name server; hostmaster@mylab.com is the email address of the person in charge. The numeric fields are the serial, the slave refresh time, the slave retry time, the slave expiration time, and the cache time for RRs.

Name server (NS) record. One entry for each authoritative name server.

Address (A) records. One entry for each host address.
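A parser for zone files in the format of db.mylab.com above, as an added example that is not part of the lab material. It handles ';' comments, the $TTL default, the parenthesised multi-line SOA, relative owner names such as localhost (completed with the zone origin, here assumed to be mylab.com.) and records that omit the class (defaulting to IN), and returns each record as the five RR elements from Page 6: owner, type, class, TTL and RDATA. The sample input is a constructed copy of the slide's zone file.

```python
# Added example (not from the lecture slides): parse a BIND-style master file.
from typing import Optional

# Constructed sample input: a shortened copy of the db.mylab.com zone above.
ZONE_TEXT = """$TTL 86400
mylab.com.  IN SOA PC4.mylab.com. hostmaster.mylab.com. (
                1       ; serial
                28800   ; refresh
                7200    ; retry
                604800  ; expire
                86400   ; ttl
                )
;
mylab.com.  IN NS PC4.mylab.com.
;
localhost       A 127.0.0.1
PC4.mylab.com.  A 10.0.1.41
PC3.mylab.com.  A 10.0.1.31
"""
KNOWN_TYPES = {"A", "NS", "SOA", "CNAME", "MX", "PTR", "HINFO"}

def parse_zone(text: str, origin: str) -> list[dict]:
    """Return one dict (owner, type, class, ttl, rdata) per resource record."""
    records: list[dict] = []
    default_ttl: Optional[int] = None
    tokens: list[str] = []
    depth = 0  # nesting of ( ... ), which lets one record span several lines
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].replace("(", " ( ").replace(")", " ) ")
        depth += line.count("(") - line.count(")")
        tokens += [t for t in line.split() if t not in ("(", ")")]
        if depth > 0 or not tokens:  # inside parentheses or blank/comment line
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
        else:
            records.append(_make_rr(tokens, origin, default_ttl))
        tokens = []
    return records

def _make_rr(tokens: list[str], origin: str, default_ttl: Optional[int]) -> dict:
    owner, rest = tokens[0], tokens[1:]
    if not owner.endswith("."):  # relative name: complete it with the origin
        owner = f"{owner}.{origin}"
    ttl, rclass = default_ttl, "IN"  # class defaults to IN when omitted
    while rest and rest[0] not in KNOWN_TYPES:  # optional TTL and/or class
        field = rest.pop(0)
        if field.isdigit():
            ttl = int(field)
        elif field.upper() != "IN":
            raise ValueError(f"unexpected field {field!r} in record for {owner}")
    if not rest:
        raise ValueError(f"record for {owner} has no type")
    return {"owner": owner, "type": rest[0], "class": rclass,
            "ttl": ttl, "rdata": " ".join(rest[1:])}
```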

Page 22:

Main Points of Lab 8: DNS

Configuring a server
Queries and responses
Caching
Hierarchy of the domain name system

Note: You need to download files from the web and bring them to the lab: http://www.tcpip-lab.net/links/conf/lab8

Page 23:

Homework

Prelab 9 due this Friday. Please write your own answers!

Lab report 8 due next week before labs.