Eda387 Lecture DNS (1)
Transcript of Eda387 Lecture DNS (1)
7/27/2019 Eda387 Lecture DNS (1)
Computer Networks
2012 Ali Salehson, Chalmers, CSE Networks and Systems
Internet Interconnections
The Domain Name System (DNS)
Ali Salehson
Computer Networks
Internetworking with TCP/IP
Ch 2: Ethernet & MAC frame (review)
Ch 3: Internetworking Concept (review)
Ch 4: IPv4 Addressing
Ch 5: ARP protocol & operation
Ch 6: IPv4 Protocol (self-study)
Ch 7: Forwarding IP Datagrams
Ch 8: ICMP and TCP/IP Utilities (self-study)
Ch 9: IPv4 CIDR
Internetworking with TCP/IP
Ch 23: Domain Name System (DNS)
Ch 31: IPv6 & ICMPv6
Internet Names
IP 32-bit addresses are used for specifying the source and destination in datagrams.
Humans prefer pronounceable, easily remembered names rather than numeric addresses.
Two possibilities for a name system:
  Flat namespace (does not scale for the Internet)
  Hierarchical namespace with organizational structure
Internet Naming Hierarchy
Decentralizing the naming mechanism:
  Delegating authority for parts of the namespace such that it:
    supports efficient name mapping
    guarantees autonomous control of name assignment
  Distributing the responsibility for the mapping between names and addresses among all the involved organizations.
Internet Naming Hierarchy
Flexible hierarchy:
  Universal naming scheme
  Each organization determines its internal naming structure
  Each organization obtains authority for parts of the namespace
  Names are assigned according to the structure of the organization, not necessarily according to the physical structure of its networks
Internet Domain Name System
Domain Name System (DNS)
  Provides mainly name-to-address mapping for hosts
  It specifies:
    The name syntax
    Rules for delegating authority over names
    The implementation of a distributed database system in a hierarchy of many name servers (NS)
  A core and necessary Internet service, implemented as an application-layer protocol used by hosts, routers and name servers to resolve names (name-address translation), keeping complexity at the network's edge.
Domain Name System
A domain name is a set of labels separated by a delimiter character (dot).
Example: cse.chalmers.se
  Three labels: cse, chalmers and se
  se is the Top-level domain
  chalmers.se is the domain of the University
  cse.chalmers.se is a subdomain for the CSE department belonging to the University
One computer's host name and IP address:
  www.cse.chalmers.se  129.16.221.33
DNS Servers and Clients
  DNS client software is known as a resolver
  A DNS server is known as a Name Server (NS)
  DNS relies on a large set of on-line NSs
  Servers are arranged in a tree; a given server can handle an entire subtree
  DNS servers are mainly Root, TLD or domain Authoritative servers
  A Root server handles all top-level domains
Global Root Name Servers
13 global root name servers worldwide + replicas (http://www.root-servers.org)
  a  Verisign, Dulles, VA
  b  USC-ISI, Marina del Rey, CA
  c  Cogent, Herndon, VA (also LA)
  d  U Maryland, College Park, MD
  e  NASA, Mt View, CA
  f  Internet Sys. Consortium, Palo Alto, CA
  g  US DoD, Vienna, VA
  h  ARL, Aberdeen, MD
  i  Autonomica/NORDUNet, Stockholm
  j  Verisign,
  k  RIPE, London
  l  ICANN, Los Angeles, CA
  m  WIDE, Tokyo
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 139826 IN NS e.root-servers.net.
. 139826 IN NS k.root-servers.net.
. 139826 IN NS j.root-servers.net.
. 139826 IN NS a.root-servers.net.
. 139826 IN NS h.root-servers.net.
. 139826 IN NS i.root-servers.net.
. 139826 IN NS g.root-servers.net.
. 139826 IN NS m.root-servers.net.
. 139826 IN NS b.root-servers.net.
. 139826 IN NS l.root-servers.net.
. 139826 IN NS f.root-servers.net.
. 139826 IN NS c.root-servers.net.
. 139826 IN NS d.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net. 337865 IN A 198.41.0.4
a.root-servers.net. 3717 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net. 350299 IN A 192.228.79.201
c.root-servers.net. 350299 IN A 192.33.4.12
d.root-servers.net. 350299 IN A 128.8.10.90
d.root-servers.net. 3717 IN AAAA 2001:500:2d::d
e.root-servers.net. 350299 IN A 192.203.230.10
f.root-servers.net. 350299 IN A 192.5.5.241
f.root-servers.net. 3717 IN AAAA 2001:500:2f::f
g.root-servers.net. 350299 IN A 192.112.36.4
h.root-servers.net. 350299 IN A 128.63.2.53
h.root-servers.net. 3717 IN AAAA 2001:500:1::803f:235
i.root-servers.net. 350299 IN A 192.36.148.17
i.root-servers.net. 3717 IN AAAA 2001:7fe::53
TLD and Authoritative Servers
Top-Level Domain (TLD) servers:
  Each of the TLD servers is responsible for domains: com, org, net, edu, ..., or each of the country-code top-level domains uk, fr, ca, jp, se, ...
Authoritative DNS servers:
  organizations' DNS servers, mainly providing authoritative hostname-to-IP mappings for the organization's servers (e.g., web, mail) and other hosts.
  can be maintained by the organization or a service provider (ISP).
Top-Level Domains (TLD)
Domain Name   Assigned To
arpa*         (generic) Infrastructure domain
com           Commercial organizations (gTLD)
net           Major network support centers (gTLD)
org           Organizations other than above (gTLD)
aero          Air Transport Industry (sTLD)
biz           Business
edu           Educational institutions (4-year)
gov           Government institutions (U.S.)
mil           Military groups (U.S.)
int           International organizations
...
country code  Each country (geographic ccTLD)
* Address and Routing Parameter Area
;; QUESTION SECTION:
;com. IN NS
;; ANSWER SECTION:
com. 3898 IN NS f.gtld-servers.net.
com. 3898 IN NS c.gtld-servers.net.
com. 3898 IN NS g.gtld-servers.net.
com. 3898 IN NS m.gtld-servers.net.
com. 3898 IN NS e.gtld-servers.net.
com. 3898 IN NS k.gtld-servers.net.
com. 3898 IN NS j.gtld-servers.net.
com. 3898 IN NS b.gtld-servers.net.
com. 3898 IN NS i.gtld-servers.net.
com. 3898 IN NS l.gtld-servers.net.
com. 3898 IN NS d.gtld-servers.net.
com. 3898 IN NS h.gtld-servers.net.
com. 3898 IN NS a.gtld-servers.net.
;; ADDITIONAL SECTION:
a.gtld-servers.net. 83813 IN A 192.5.6.30
a.gtld-servers.net. 26196 IN AAAA 2001:503:a83e::2:30
b.gtld-servers.net. 83813 IN A 192.33.14.30
b.gtld-servers.net. 26196 IN AAAA 2001:503:231d::2:30
c.gtld-servers.net. 26196 IN A 192.26.92.30
d.gtld-servers.net. 26196 IN A 192.31.80.30
e.gtld-servers.net. 26196 IN A 192.12.94.30
f.gtld-servers.net. 83813 IN A 192.35.51.30
g.gtld-servers.net. 26196 IN A 192.42.93.30
h.gtld-servers.net. 64222 IN A 192.54.112.30
i.gtld-servers.net. 26196 IN A 192.43.172.30
j.gtld-servers.net. 26196 IN A 192.48.79.30
k.gtld-servers.net. 83813 IN A 192.52.178.30
l.gtld-servers.net. 37901 IN A 192.41.162.30
m.gtld-servers.net. 26196 IN A 192.55.83.30
Domain Name Resolution
For non-local lookups, the resolver must search from the root of the tree downward.
  Every name server knows the location (IP address) of a root server.
  Query a root server for the name server of the TLD and obtain an answer that also contains its IP address.
  Query the TLD server for the authoritative name server of the domain and obtain the answer.
  Query the authoritative name server of the domain to obtain the final answer about the mapping.
Distributed Hierarchical DB (figure)
  Root DNS Servers
  Top-Level Domain (TLD) Servers: com DNS servers, org DNS servers, edu DNS servers
  Below com: yahoo.com DNS servers, google.com DNS servers
  Below org: pbs.org DNS servers
  Below edu: poly.edu DNS servers, purdue.edu DNS servers
An independent DNS client wants the IP address for www.google.com:
  client queries a root server to find the com TLD servers
  client queries a com TLD server to get the google.com DNS servers
  client queries one authoritative DNS server, ns1.google.com, to get the IP address for www.google.com
DNS Database
Resource Record (name, type)
  Type specifies the type of object; Name is mapped to the object
  Object may be host, email exchanger, ...
A given name may map to more than one item in the domain system. The client specifies the type of object desired when resolving a name, and the server returns objects of that type.
DNS Resource Records
DNS: distributed database storing resource records (RR)
RR format: (name, type, TTL, value)
  Type = NS (Name Server): name is a domain name (e.g. cisco.com); value is the hostname of the authoritative name server responsible for this domain
  Type = A (IP Address): name is a hostname; value is an IP address
  Type = CNAME (Canonical): name is an alias name for some canonical (the real) name, e.g. www.ibm.com is really named www.ibm.com.cs186.net; value is the canonical name
  Type = MX (Mail eXchanger): name is a domain name; value is the name of the mail server associated with the domain name
Efficient Resolution
  Most lookups refer to local domain names
  Name-to-address bindings (A-type) do not change frequently
  A user is likely to repeat the same lookup
  Many local users may query the same lookups
To increase efficiency:
  Initial contact begins with the local name server (a host can learn the address of its DNS server from DHCP)
  The local server caches answers (the owner specifies the cache timeout by including a TTL in the answer)
DNS Queries and Answers (figure)
  Requesting host Ju-020-11.studat.chalmers.se, a host in chalmers.se, wants the IP address for www.google.com
  Local DNS server res1.chalmers.se
  Root NS server
  Top-Level Domain (TLD) NS server (com)
  Authoritative DNS server ns1.google.com
  Messages are numbered 1 to 8 in the figure
A local name server acts as a proxy for clients:
  often a cache-only server
  normally owned by an ISP or organization
  sends questions to other NSs in the hierarchy
DNS Queries and Answers (figure, same servers and messages 1 to 8 as above)
  Requesting host Ju-020-11.studat.chalmers.se asks the Local DNS server res1.chalmers.se for www.google.com
  The local server queries the Root NS server, the Top-Level Domain (TLD) NS server (com) and the Authoritative DNS server ns1.google.com in turn
recursive answer: puts the burden of name resolution on the contacted local name server
iterative answer: the contacted server replies with the name of the server to contact further
Official DNS servers give iterative answers; the local name server gives the recursive answer.
Normal operation is as shown in the figure (queries, iterative + recursive).
DNS Message Format
DNS protocol: query and reply messages use the same message format.
Message Header includes:
  identification: 16-bit number for the query; the reply uses the same number
  Parameter: 16 bits
    1 bit: query or response
    4 bits: Opcode (standard)
    7 bits: flags, e.g. answer authoritative, recursion desired, recursion available
    4 bits: reply code (errors)
DNS Message Sections
  Question: name, type, class fields for a query
  Answer: RRs in response to the query
  Authority: records for authoritative servers
  Additional: additional helpful info that may be used
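The header and section layout described above, worked through in code. This is an added example written for this transcript, not code from the lecture: it packs a query header and question, builds a reply whose answer record uses a compression pointer back to the question name, parses a message into its question, answer, authority and additional sections, and accepts a reply only if it is a response that carries the query's identification and echoes its question. The name www.neteng.se is taken from the later registration slide; the address 212.212.212.2 and the transaction IDs are constructed sample values. The bit layout follows the slide (and RFC 1035).

```python
"""DNS wire format: build a query, build and parse a reply, validate the reply.
Added example following the header/parameter layout of the slides (RFC 1035)."""
import struct

# Parameter (flags) field bits: QR(1) OPCODE(4) AA(1) TC(1) RD(1) RA(1) Z(3) RCODE(4)
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_MX, CLASS_IN = 1, 2, 5, 15, 1


def encode_name(name):
    """'www.neteng.se' -> b'\\x03www\\x06neteng\\x02se\\x00' (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, qname, qtype=TYPE_A):
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)   # 1 question, recursion desired
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def build_reply_a(query, ttl, ipv4):
    """Answer a query with one A record; its owner name is the pointer 0xC00C,
    i.e. 'the name at offset 12', which is where the question name starts."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, QR | RD | RA, 1, 1, 0, 0)
    rdata = bytes(int(x) for x in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + answer


def decode_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset just past it in the stream).
    Pointers must point strictly backwards, which rules out pointer loops."""
    labels, end, jumped = [], None, False
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # pointer: bits 11 + 14-bit offset
            if offset + 2 > len(msg):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if target >= offset:
                raise ValueError("compression pointer does not point backwards")
            if not jumped:
                end = offset + 2
            jumped, offset = True, target
            continue
        offset += 1
        if length == 0:
            break
        if offset + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_message(msg):
    if len(msg) < 12:
        raise ValueError("message shorter than header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if len(rdata) != rdlen:
                raise ValueError("RDATA runs past end of message")
            if rtype == TYPE_A and rdlen == 4:
                value = ".".join(str(b) for b in rdata)
            elif rtype in (TYPE_NS, TYPE_CNAME):      # RDATA is a (possibly compressed) name
                value, _ = decode_name(msg, off)
            else:
                value = rdata
            off += rdlen
            sections[section].append((name, rtype, ttl, value))
    return {"id": txid, "flags": flags, "rcode": flags & 0xF, "questions": questions, **sections}


def reply_matches_query(query, reply):
    """Accept a reply only if it is a response, carries the query's ID and echoes its question."""
    q, r = parse_message(query), parse_message(reply)
    return bool(r["flags"] & QR) and r["id"] == q["id"] and r["questions"] == q["questions"]


if __name__ == "__main__":
    q = build_query(0x1234, "www.neteng.se")
    r = build_reply_a(q, 300, "212.212.212.2")     # constructed address
    print(parse_message(r))
    print("reply accepted:", reply_matches_query(q, r))
```

The check in reply_matches_query is the practical consequence of the slide's note that the reply carries the same 16-bit identification as the query: a server keeping outstanding queries should discard any reply whose ID or question does not match one of them. decode_name only follows compression pointers that point backwards, so a malformed message cannot send the parser into a loop, and every label and RDATA length is checked against the message length before it is read.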
Inserting Records into DNS
Example: a new startup company, Network Engineering, registers the name neteng.se at a DNS registrar.
  Need to provide the registrar with the names and IP addresses of your authoritative name servers (primary and secondary)
  Registrars can be found, for example, at the iis.se web site; iis.se lists more than 50 registrars for .se and other domains
  Cost depends on domain and registrar, typically $20-100
The registrar inserts two RRs into the .se TLD server:
  (neteng.se, NS, dns1.neteng.se)
  (dns1.neteng.se, A, 212.212.212.1)
How do people get the IP address of the company's Web site? The administrator places in the company's authoritative server:
  a Type A record for www.neteng.se
  and it may also be good to have a Type MX record for neteng.se, and so on.
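The resolution procedure from the earlier slides (root, then TLD, then authoritative server), the caching local name server with TTL expiry, and the neteng.se records inserted above, simulated end to end. This is an added example, not the lecturer's code: the three name servers are in-memory tables, the root address 198.41.0.4 is a.root-servers.net's from the dig output earlier, dns1.neteng.se's address 212.212.212.1 is the one the registrar inserted, and the .se TLD server (192.0.2.1), www.neteng.se (212.212.212.2) and mail.neteng.se (212.212.212.3) addresses are constructed placeholders. The clock is injectable so that cache timeouts can be exercised without waiting.

```python
"""Simulated iterative resolution behind a caching local name server.
Added example: the name servers and their data live in memory; no packets are sent."""
from collections import namedtuple
import time

# A resource record in the slide's (name, type, TTL, value) form; names carry a trailing dot.
RR = namedtuple("RR", "name type ttl value")

ROOT_IP = "198.41.0.4"          # a.root-servers.net, from the lecture's dig output
SE_TLD_IP = "192.0.2.1"         # constructed placeholder for a .se TLD server
NETENG_NS_IP = "212.212.212.1"  # dns1.neteng.se, as registered on the "Inserting Records" slide

# Constructed zone data, keyed by the IP of the server that answers with it.
ZONES = {
    ROOT_IP: [RR("se.", "NS", 172800, "a.ns.se."),
              RR("a.ns.se.", "A", 172800, SE_TLD_IP)],                  # glue for the .se server
    SE_TLD_IP: [RR("neteng.se.", "NS", 86400, "dns1.neteng.se."),      # the registrar's two RRs
                RR("dns1.neteng.se.", "A", 86400, NETENG_NS_IP)],
    NETENG_NS_IP: [RR("www.neteng.se.", "A", 3600, "212.212.212.2"),   # administrator's records
                   RR("neteng.se.", "MX", 3600, "mail.neteng.se."),    # (constructed addresses)
                   RR("mail.neteng.se.", "A", 3600, "212.212.212.3")],
}


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def ask(server_ip, qname, qtype):
    """One iterative exchange: the server answers from its own data only.
    Returns ("answer", rrs), ("referral", ns_rrs, glue_rrs) or ("nxdomain",)."""
    rrs = ZONES[server_ip]
    answer = [r for r in rrs if r.name == qname and r.type == qtype]
    if answer:
        return ("answer", answer)
    # Otherwise refer the client to the closest delegation this server knows about.
    zones = [r.name for r in rrs if r.type == "NS" and in_zone(qname, r.name)]
    if not zones:
        return ("nxdomain",)
    zone = max(zones, key=len)
    ns = [r for r in rrs if r.type == "NS" and r.name == zone]
    glue = [r for r in rrs if r.type == "A" and r.name in {n.value for n in ns}]
    return ("referral", ns, glue)


class LocalNameServer:
    """Caching resolver: answers its clients recursively and queries the hierarchy
    iteratively, starting from the closest delegation it still has cached."""

    def __init__(self, root_ip=ROOT_IP, clock=time.monotonic):
        self.root_ip = root_ip
        self.clock = clock                   # injectable so TTL expiry can be tested
        self.cache = {}                      # (name, type) -> {RR: expiry time}
        self.queries_sent = 0

    def _put(self, rrs):
        now = self.clock()
        for r in rrs:
            self.cache.setdefault((r.name, r.type), {})[r] = now + r.ttl

    def _get(self, name, rtype):
        now = self.clock()
        return [r for r, exp in self.cache.get((name, rtype), {}).items() if exp > now]

    def _closest_server(self, qname):
        """Walk up the name (www.neteng.se. -> neteng.se. -> se.) looking for cached NS + glue."""
        labels = qname.rstrip(".").split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:]) + "."
            for ns in self._get(zone, "NS"):
                for glue in self._get(ns.value, "A"):
                    return glue.value
        return self.root_ip

    def resolve(self, qname, qtype="A"):
        qname = qname.rstrip(".") + "."
        cached = self._get(qname, qtype)
        if cached:
            return cached
        server = self._closest_server(qname)
        for _ in range(8):                   # bound the referral chain
            self.queries_sent += 1
            reply = ask(server, qname, qtype)
            if reply[0] == "answer":
                self._put(reply[1])
                return reply[1]
            if reply[0] == "nxdomain":
                return []
            _, ns, glue = reply
            zone = ns[0].name
            # Keep glue only for names inside the zone being delegated: a referring
            # server is not authoritative for addresses outside that zone.
            glue = [g for g in glue if in_zone(g.name, zone)]
            self._put(ns + glue)
            if not glue:
                return []
            server = glue[0].value
        return []


if __name__ == "__main__":
    lns = LocalNameServer()
    print(lns.resolve("www.neteng.se"), "after", lns.queries_sent, "queries")
    print(lns.resolve("neteng.se", "MX"), "after", lns.queries_sent, "queries")
```

The first lookup of www.neteng.se costs three queries (root, .se TLD, dns1.neteng.se), exactly the chain on the resolution slide. A later MX lookup for neteng.se costs one, because the cached NS and glue records for neteng.se let the local server go straight to dns1.neteng.se; and after the A record's 3600-second TTL has passed but the delegation's has not, refreshing www.neteng.se again costs only one query. The clock is injected so that this expiry behaviour can be checked without real waiting.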
More about DNS
  Inverse mappings, e.g. PTR records (in lab)
  Dynamic DNS updates and notifications
  Interaction with DHCP servers
  Consistency with replicas (backup)
  DNS security and load distribution
  Compressed name format in messages
  Lookup with name abbreviation
  IPv6 Resource Records, type AAAA
Summary
  Domain Name System provides mapping from pronounceable names to IP addresses
  Domain names are hierarchical:
    Top-Level Domains are controlled by a central authority
    Organizations can choose how to structure their domain names
  DNS uses on-line servers to answer queries
  Lookup begins with the local caching server
Questions?
Thank You!