Presentation on Domain Name System

DOMAIN NAME SYSTEM Prepared by: Chinmay Joshi ID: 12IT112


This is a presentation on the Domain Name System. It was originally created as a seminar presentation.

Transcript of Presentation on Domain Name System

Page 1

DOMAIN NAME SYSTEM

Prepared by: Chinmay Joshi
ID: 12IT112

Page 2

DOMAIN NAME SYSTEM

• What is DNS?
  • The Internet's directory service
  • A client-server application that maps host names into their corresponding IP addresses
  • Mapping host names into their corresponding IP addresses is called name resolution, name translation, name mapping or address resolution

• Why do we use names instead of IP numbers?
  • IP addresses are difficult to remember
  • IP addresses can change

• Problem: the network only understands numeric addresses

• Solution:
  • Use alphanumeric names to refer to hosts
  • Add a distributed, hierarchical protocol (called DNS) to map between alphanumeric host names and IP addresses

Page 3

HISTORY

• Using a name as a more human-legible abstraction of a machine's numerical address on the network predates even TCP/IP, going all the way back to the ARPAnet era.
• Back then, however, a different system was used, as DNS was only invented in 1983, shortly after TCP/IP was deployed.
• With the older system, each computer on the network retrieved a file called HOSTS.TXT from a computer at SRI (now SRI International).
• The HOSTS.TXT file mapped numerical addresses to names.
• A hosts file still exists on most modern operating systems, either by default or through configuration.
  • It allows users to specify an IP address (e.g. 192.0.34.166) to use for a hostname (e.g. www.example.net) without checking DNS.
  • Nowadays, the hosts file serves primarily for troubleshooting DNS errors or for mapping local addresses to more organic names.
• Systems based on a hosts file have inherent limitations:
  • The obvious one: every time a given computer's address changed, every computer that seeks to communicate with it would need an update to its hosts file.

On Windows the hosts file is found under C:\WINDOWS\system32\drivers\etc

Page 4

NAME SPACE

• IP addresses are unique, so host names must be unique too
• How do we manage this large number of names?
• Where should they be stored?
• Centralized? Inefficient and unreliable. Why?
  • Heavy traffic because of requests from all over the world
  • A failure makes the data unavailable
  • Hard to maintain
• Thus, the DNS record database is distributed.

Page 5

NAME SPACE

• Solution:
  • Each name is made of several parts (hierarchical)
  • Each part is called a label
  • Names are defined on a tree structure with the root at the top
  • This is called a hierarchical name space
• Each node has a label
• DNS requires that the children of a node (nodes that branch from the same node) have different labels, to guarantee uniqueness
• This allows the control of name assignment to be decentralized
• A central authority, IANA, assigns the part of the name that defines the nature of the organization (com, net, org, IN, …) and its name (IEEE, Intel, Microsoft, Google, …)

Page 6

THE DNS NAME SPACE

[Figure: a portion of the Internet domain name space, showing the top-level domains]

• The Internet is divided into more than 200 top-level domains
• Domain: a sub-tree of the domain name space, consisting of a group of hosts that are under the administrative control of a single entity such as a company or a government agency
• Each domain is subdivided into subdomains
• The leaves represent domains that have no subdomains
• A leaf domain may contain a single host, or represent a company with thousands of hosts

Page 7

DOMAIN

• A domain is a sub-tree of the domain name space
• The root node is empty
• A domain is divided into sub-domains
• The domain name is the domain name of the node at the top of the sub-tree

[Figure: a domain sub-tree divided into sub-domains]

Page 8

HIERARCHY OF NAME SERVERS

• Where is the information contained in the domain name space stored?
• DNS is a distributed database system
• It uses a large number of computers called name servers
• They are organized in a hierarchical way and distributed all over the world
• No single host has all the exact mappings for all the hosts in the Internet

[Figure: the name server hierarchy; each server "knows about all names below it"]

Page 9

DNS QUERY

• DNS serves requests on the well-known port 53, over either UDP or TCP
• DNS Message
  • Each message has the same generic format with 5 sections:

  Section     Meaning/Use
  Section 1   Message header
  Section 2   The DNS question being asked
  Section 3   The resource record(s) which answer the question
  Section 4   The resource record(s) which point to the domain authority
  Section 5   The resource record(s) which may hold additional information
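As an added example (not code from the presentation), the following Python builds a query for mail.google.com and parses a constructed reply into the five sections of the table above; it assumes the RFC 1035 wire layout (12-byte header, then question, answer, authority and additional sections) and handles the name-compression pointers that real replies use.

```python
import struct

# Added example (not from the presentation): build a DNS query and parse a reply
# into the five message sections. All sample bytes below are constructed.
QTYPE_A, QCLASS_IN = 1, 1
def encode_name(name):
    """'mail.google.com' -> length-prefixed labels terminated by a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
def build_query(qname, txid=0x1234, recursion_desired=True):
    flags = 0x0100 if recursion_desired else 0  # RD bit asks the server for recursive service
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1, AN/NS/AR=0
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
def read_name(msg, off):
    """Decode a name at `off`, following 0xC0xx compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            if end is None: end = off + 2  # parsing resumes right after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0: break
        labels.append(msg[off:off + ln].decode()); off += ln
    return ".".join(labels), (off if end is None else end)
def parse_message(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])  # section 1: header
    out = {"header": {"id": txid, "qr": flags >> 15, "rd": (flags >> 8) & 1,
                      "ra": (flags >> 7) & 1, "rcode": flags & 0xF},
           "question": [], "answer": [], "authority": [], "additional": []}
    off = 12
    for _ in range(qd):  # section 2: the question
        name, off = read_name(msg, off)
        out["question"].append((name,) + struct.unpack("!HH", msg[off:off + 4])); off += 4
    for sec, n in (("answer", an), ("authority", ns), ("additional", ar)):  # sections 3-5
        for _ in range(n):
            name, off = read_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata = msg[off + 10:off + 10 + rdlen]; off += 10 + rdlen
            if rtype == QTYPE_A and rdlen == 4:  # show A rdata as a dotted quad
                rdata = ".".join(str(b) for b in rdata)
            out[sec].append((name, rtype, ttl, rdata))
    return out
def sample_response():
    """Constructed reply: QR/RD/RA set, one A record whose owner is a pointer (0xC00C) to offset 12."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([173, 194, 115, 22])
    return hdr + build_query("mail.google.com")[12:] + rr
```

A resolver that checks the transaction id and the question echoed in a reply against what it sent is the first line of defence against spoofed answers, which is why both are parsed out here.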

Page 10

DNS RECORD TYPES:

• DNS internal types
  • Authority: NS, SOA
    • List the names of name servers and the Start Of Authority of a zone
  • DNSSEC: DS, DNSKEY, RRSIG, NSEC
    • Used for DNSSEC
  • Meta types: OPT, TSIG, TKEY, SIG(0)
    • Not stored in DNS zones; they transfer information between DNS nodes
  • Indirect: CNAME, DNAME
    • Indirect types cause the resolver to change the direction of its search
    • The server must have special processing code
• Terminal RRs:
  • Address records: A, AAAA
  • Informational: TXT, HINFO, KEY, SSHFP, …
  • Carry information to applications
• Non-terminal RRs: MX, SRV, PTR, KX, A6, NAPTR, AFSDB
  • Contain domain names that may lead to further queries

Page 11

DNS RECORD TYPES:

The “A” Record

• The “Address” record
• One or more normally define a host
• Contains an IPv4 address (the address computers use to uniquely identify each other on the Internet)
• E.g. the record:

  www A 127.0.0.1

  in the example.com domain defines the host uniquely identifiable as “www.example.com” to be reachable at the IPv4 address 127.0.0.1

The “CNAME” Record

• A CNAME defines an alias
• The alias will then be resolved; if another CNAME is encountered, the process continues until an A record is found
• E.g. the record:

  mail CNAME ghs.google.com.

  in the charusat.ac.in domain defines the name uniquely identifiable as “mail.charusat.ac.in” to be an alias for “ghs.google.com”

Page 12

DNS RECORD TYPES:

The “MX” Record

• An MX record defines the mail servers for a particular domain
• Mail exchange records hold the names of the hosts able to deliver mail for the domain, and their priorities
• E.g. the record:

  example.com. MX 10 mail

  in the example.com domain defines the host mail to be the priority-10 mail server for the “example.com” domain

The “NS” Record

• An NS record defines the authoritative name servers for the domain
• The “Name Server” records also define the name servers of child domains
• E.g. the record:

  internal NS ns1.example.com

  in the example.com domain defines the host “ns1.example.com” to be a name server for the “internal.example.com” sub-domain

Page 13

LEGAL USERS OF DOMAINS

• Registrant
  • Depending on the naming conventions of the various registries, legal users become commonly known as "registrants" or as "domain holders"
• ICANN holds a complete list of domain registries in the world
• For most of the more than 240 country code top-level domains (ccTLDs), the domain registries hold the authoritative WHOIS (registrant, name servers, expiry dates, etc.)
• However, some domain registries, such as those for .COM, .ORG, .INFO, etc., use a registry-registrar model
• Since about 2001, most gTLD registries (.ORG, .BIZ, .INFO) have adopted a so-called "thick" registry approach, i.e. keeping the authoritative WHOIS with the various registries instead of the registrars

Page 14

RECURSIVE AND ITERATIVE QUERIES

• There are two types of queries:
  • Recursive queries
  • Iterative (non-recursive) queries
• The type of query is determined by a bit in the DNS query header
• Recursive query: when the name server of a host cannot resolve a query itself, the server issues further queries on the host's behalf until it can return the answer
• Iterative query: when the name server of a host cannot resolve a query itself, it sends the resolver a referral to another server

Page 15

LOOKUP METHODS

Recursive query:
• The server goes out and searches for more info (recursive)
• It only returns the final answer or “not found”

Iterative query:
• The server responds with as much as it knows (iterative)
• “I don’t know this name, but ask this server”

Workload impact on choice?
• The local server typically does recursive
• Root/distant servers do iterative

[Figure: the requesting host (Mail.google.com) asks its local DNS server, which sends iterated queries to the root name server, an intermediate server and the authoritative name server (Dns.Google.com); steps 1–8]

Page 16

DNS QUERY

• QNAME: mail.Google.com
• QCLASS: IN
• QTYPE: A

[Figure: the stub resolver asks the recursive resolver for mail.Google.com; the recursive resolver queries the root server (“ask com NS”), the com server (“ask google.com NS”) and the Google.com server, which answers “Mail.Google.com A 173.194.115.22”; the recursive resolver returns Mail.Google.com A 173.194.115.22 to the stub resolver]

Page 17

1- RECURSIVE RESOLUTION – EXAMPLE (CONTINUED)

In the previous example, the mapping will be done as follows:

The host contacts the local name server to query for the IP address of host mail.Google.com.

1. If the local name server does not have the answer in its cache or in its database, it will contact the root name server to query for the IP address of host mail.Google.com
2. If the root name server does not have the answer in its cache or in its database, it will contact the name server responsible for the .com domain (DNS.com) to query for the IP address of host mail.Google.com
3. If (DNS.com) does not have the answer in its cache or in its database, it will contact (DNS.Google.com), which has the IP address for host (mail.Google.com)
4. (DNS.Google.com) will return the answer to (DNS.com)
5. (DNS.com) will return the answer to the root name server
6. The root name server will return the answer to the local DNS server
7. The local DNS server will return the answer to the host

Page 18

2- ITERATIVE RESOLUTION – EXAMPLE (CONTINUED)

1- The host contacts the local name server to query for the IP address of host mail.Google.com
2- If the local name server does not have the answer in its cache or in its database, it will reply to the host with the IP address of the root name server
3- The host will contact the root name server to query for the IP address of host mail.Google.com
4- If the root name server does not have the answer in its cache or in its database, it will reply to the host with the IP address of the name server for the (.com) domain, which is (DNS.com)
5- The host will contact the name server (DNS.com) to query for the IP address of host mail.Google.com
6- If (DNS.com) does not have the answer in its cache or in its database, it will reply to the host with the IP address of the name server DNS.Google.com, which is the local name server for the domain Google.com
7- The host will contact the name server (DNS.Google.com) to query for the IP address of host mail.Google.com
8- Since the name server DNS.Google.com is the local name server for the Google.com domain, it will reply to the host with the IP address for host mail.Google.com

Page 19

HOW DNS WORKS

• A network host is configured with an initial cache (so-called hints) of the known addresses of the root name servers. Such a hint file is updated periodically by an administrator from a reliable source.
• A DNS zone is loaded on authoritative servers
  • The servers keep in sync using the information in the SOA RR, via AXFR, IXFR or other means
• DNS caches only store data for a “short” time
  • defined by the TTL
• DNS recursive resolvers start at the “longest match” on the query name they have when looking for data, and follow delegations until an answer or a negative answer is received
• DNS transactions are fast if the servers are reachable
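The recursive and iterative examples of pages 15 to 19 combined into one runnable model, as an added example that is not part of the presentation: a toy recursive resolver that starts from root hints, follows referrals down a constructed delegation tree (root, com., google.com., modelled on the mail.Google.com walk), remembers delegations so later queries start at the longest match, and honours a TTL on cached answers. Zone names carry a trailing dot, and the addresses are the presentation's sample values.

```python
import time

# Added example, not from the presentation: a toy recursive resolver that walks
# the delegation tree for the stub resolver. The zone data below is constructed.
ZONES = {
    ".":           {"NS": {"com.": "dns.com."}},
    "com.":        {"NS": {"google.com.": "dns.google.com."}},
    "google.com.": {"A":  {"mail.google.com.": "173.194.115.22",
                           "www.google.com.":  "173.194.115.23"}},
}
def authoritative_response(zone, qname):
    """What the server for `zone` answers: a final A answer, a referral, or NXDOMAIN."""
    data = ZONES[zone]
    if qname in data.get("A", {}):
        return "answer", data["A"][qname]
    for child in data.get("NS", {}):
        if qname == child or qname.endswith("." + child):
            return "referral", child  # "I don't know this name, but ask this server"
    return "nxdomain", None

def longest_match(qname, known_zones):
    """Closest enclosing zone the resolver already has a server for (root is always known)."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) or "."  # google.com., then com., then "."
        if candidate in known_zones:
            return candidate
    return "."

class RecursiveResolver:
    def __init__(self, ttl=300):
        self.known_zones = {"."}        # root hints: all a fresh resolver knows
        self.cache, self.ttl = {}, ttl  # qname -> (address, expiry time)
    def resolve(self, qname, now=None):
        """Return (address or None, trace of servers asked)."""
        now = time.time() if now is None else now
        if qname in self.cache and self.cache[qname][1] > now:
            return self.cache[qname][0], ["cache hit"]
        zone, trace = longest_match(qname, self.known_zones), []
        while True:  # iterative walk on behalf of the stub resolver
            trace.append(f"ask {zone} server for {qname}")
            kind, value = authoritative_response(zone, qname)
            if kind == "referral":
                self.known_zones.add(value)  # remember the delegation for later queries
                zone = value
                continue
            if kind == "answer":
                self.cache[qname] = (value, now + self.ttl)  # honour the TTL
            return value, trace
```

The trace length shows the workload difference the slides describe: the first lookup asks three servers, a second name under google.com. asks only one, and a repeat within the TTL asks none.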

Page 20

SECURITY ISSUES

• Some domain names can spoof other, similar-looking domain names.
  • For example, "paypal.com" and "paypa1.com" are different names, yet users may be unable to tell the difference when the user's typeface (font) does not clearly differentiate the letter l and the number 1.
• DNS responses are traditionally not cryptographically signed, leading to many attack possibilities:
  • Cache poisoning
  • Denial of Service (DoS)
  • Masquerading
  • Client flooding
  • Information leakage
  • Compromise of the DNS server’s authoritative data

Page 21

DNSSEC

• DNSSEC works by digitally signing records for DNS lookup using public-key cryptography. The correct DNSKEY record is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone, which is the trusted third party.
• DNSSEC modifies DNS to add support for cryptographically signed responses
• There are various extensions to support securing zone transfer information as well
• From the results of a DNS lookup, a security-aware DNS resolver can determine whether the authoritative name server for the domain being queried supports DNSSEC, whether the answer it receives is secure, and whether there is some sort of error. The lookup procedure is different for recursive name servers, such as those of many ISPs, and for stub resolvers, such as those included by default in mainstream operating systems.
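The chain of trust described above, as an added example that is not part of the presentation: a validator that starts from a root trust anchor and checks, zone by zone, that the DS digest published by each parent matches the child's DNSKEY, classifying the result as secure, insecure (unsigned delegation) or bogus. The keys are made-up byte strings standing in for DNSKEY RDATA, the zone layout is constructed, and RRSIG signature checking (which a real validator performs at every step) is left out to keep the digest link in focus.

```python
import hashlib

# Added example, not from the presentation: walk a DNSSEC chain of trust from a
# root trust anchor down to a zone's DNSKEY. Keys are made-up bytes and only the
# DS-to-DNSKEY digest link is checked; real validators also verify RRSIG signatures.

def wire_name(owner):
    labels = [l for l in owner.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_digest(owner, dnskey_rdata):
    """DS digest = SHA-256(owner name in wire form || DNSKEY RDATA), per RFC 4034 s5.1.4."""
    return hashlib.sha256(wire_name(owner) + dnskey_rdata).digest()

def make_zones(keys, delegations):
    """zone -> {"DNSKEY": rdata, "DS": {child: digest}}; the DS for a child lives in its parent."""
    zones = {z: {"DNSKEY": k, "DS": {}} for z, k in keys.items()}
    for parent, child in delegations:
        zones[parent]["DS"][child] = ds_digest(child, keys[child])
    return zones

def parent_of(zone):
    rest = zone.split(".", 1)[1]
    return rest or "."  # "google.com." -> "com." -> "."

def validate(zone, zones, trust_anchor):
    """Return 'secure', 'insecure' (unsigned delegation) or 'bogus' (digest mismatch)."""
    chain = [zone]
    while chain[-1] != ".":
        chain.append(parent_of(chain[-1]))
    chain.reverse()  # root first, then each child in turn
    if ds_digest(".", zones["."]["DNSKEY"]) != trust_anchor:
        return "bogus"  # root DNSKEY does not match the configured trust anchor
    for parent, child in zip(chain, chain[1:]):
        expected = zones[parent]["DS"].get(child)
        if expected is None:
            return "insecure"  # parent publishes no DS: the child is not signed
        if expected != ds_digest(child, zones[child]["DNSKEY"]):
            return "bogus"  # a DNSKEY that the parent did not vouch for
    return "secure"

# Constructed demo: root vouches for com., com. vouches for google.com.;
# example.com. has a key but no DS in com., i.e. an unsigned delegation.
KEYS = {".": b"root-key", "com.": b"com-key", "google.com.": b"google-key", "example.com.": b"ex-key"}
ZONES = make_zones(KEYS, [(".", "com."), ("com.", "google.com.")])
TRUST_ANCHOR = ds_digest(".", KEYS["."])
```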
