DOMAIN NAME SYSTEM
Prepared by:
Chinmay Joshi
ID: 12IT112
DOMAIN NAME SYSTEM
• What is DNS?
• Internet Directory Service
• A client-server application that maps host names into their corresponding IP addresses
• Mapping host names into their corresponding IP addresses is called name resolution, name translation, name mapping or address resolution
• Why do we use names instead of IP numbers?
• IP addresses are difficult to remember
• IP addresses can change
• Problem: the network only understands numeric addresses
• Solution:
• Use alphanumeric names to refer to hosts
• Add a distributed, hierarchical protocol (called DNS) to map between alphanumeric host names and IP addresses
HISTORY
• Using a name as a more human-legible abstraction of a machine's numerical address on
the network predates even TCP/IP
• All the way to the ARPAnet era
• Back then however, a different system was used, as DNS was only invented in 1983, shortly
after TCP/IP was deployed.
• With the older system, each computer on the network retrieved a file called
HOSTS.TXT from a computer at SRI (now SRI International).
• The HOSTS.TXT file mapped numerical addresses to names.
• A hosts file still exists on most modern operating systems, either by default or through configuration
• It allows users to specify an IP address (e.g. 192.0.34.166) to use for a hostname (e.g. www.example.net) without consulting DNS
• Nowadays the hosts file serves primarily for troubleshooting DNS errors or for mapping local addresses to more organic names
• Because it is normally consulted before DNS, the hosts file is also a classic target for malware that wants to redirect traffic, and a standard artefact to check during incident response
• Systems based on a hosts file have inherent limitations
• The obvious one: every time a given computer's address changed, every computer that seeks to communicate with it would need an update to its hosts file
• Location: C:\WINDOWS\system32\drivers\etc\hosts on Windows, /etc/hosts on Unix-like systems
NAME SPACE
• IP addresses are unique, so host names must be unique too
• How to manage this large number of names?
• Where?
• Centralized? Inefficient and unreliable. Why?
• Heavy traffic because of requests from all over the world
• A failure makes the data unavailable
• Hard to maintain
• Thus, the DNS record database is distributed.
NAME SPACE
• Solution:
• Each name is made of several parts (hierarchical)
• Each part is called a label
• Names are defined on tree structure with the root at the top
• This is called hierarchical name space
• Each node has a label
• DNS requires that children of a node (nodes that branch from the same
node) have different labels to guarantee uniqueness
• This will allow the control of names assignment to be decentralized
• A central authority (IANA, operating under ICANN) manages the root zone and delegates each top-level domain, which defines the nature or country of the organization (com, net, org, in, …), to a registry; the name of the organization itself (ieee, intel, microsoft, google, …) is registered under that top-level domain through the registry and its registrars
A portion of the Internet domain name space.
• The Internet is divided into more than 200 top-level domains
• Domain: a sub-tree of the domain name space; it consists of the group of hosts that are under the administrative control of a single entity such as a company or a government agency.
• Each domain is subdivided into subdomains
• The leaves represent domains that have no subdomains
• A leaf domain may contain a single host, or represent a company with thousands of hosts
(Figure: tree of top-level domains such as in, with domains and sub-domains beneath them.)
THE DNS NAME SPACE
• A domain is a sub-tree of the domain name space
• The root node has an empty label
• A domain is divided into sub-domains
• The domain name of a domain is the name of the node at the top of its sub-tree
• The server responsible for a domain knows about all names below it, either directly or through the sub-domains it has delegated
(Figure: a domain with three sub-domains, each of which knows about all names below it.)
• Where is the information contained in the domain name space stored?
• DNS is a distributed database system
• Uses a large number of computers called name servers
• Organized in a hierarchical way and distributed all over the world
• No single host has all the exact mappings for all the hosts in the Internet
HIERARCHY OF NAME SERVERS
DNS QUERY
• DNS serves requests on well-known port 53, over UDP for ordinary queries and over TCP for zone transfers and for responses that were truncated over UDP (TC bit set, client retries over TCP)
• DNS Message
• Every message, query or response, has the same generic format with 5 sections:
Section   Name         Meaning/Use
1         Header       Transaction ID, flags (QR, opcode, AA, TC, RD, RA, RCODE) and the counts of entries in the four sections that follow
2         Question     The DNS question being asked (QNAME, QTYPE, QCLASS)
3         Answer       The Resource Record(s) which answer the question
4         Authority    The Resource Record(s) which point to the domain authority (NS records of the zone)
5         Additional   The Resource Record(s) which may hold additional information (e.g. glue addresses for the name servers in section 4)
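The five sections above, as bytes on the wire. This is an added example written for this page, not code from the slides: it builds a query for mail.google.com, then parses a constructed response that has one record in each of the answer, authority and additional sections and uses RFC 1035 name compression. The address 173.194.115.22 is the one the slides use later; the name-server address 192.0.2.53 and the name ns1.google.com are placeholders chosen for the example.

```python
import struct

TYPE_A, TYPE_NS, TYPE_CNAME = 1, 2, 5
CLASS_IN = 1
FLAG_TC = 0x0200  # truncated: the client must retry the query over TCP

def encode_name(name):
    """Encode a domain name as RFC 1035 length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Section 1 (header: ID, flags with RD set, QDCOUNT=1) plus section 2 (one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers (top two bits 11).
    Returns (name, offset just after the name as it appears in the message)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset or hops > 63:        # pointers must go backwards; bound loops
                raise ValueError("bad compression pointer")
            if not jumped:
                end = offset + 2
            jumped, hops, offset = True, hops + 1, pointer
            continue
        if length & 0xC0:                             # 01/10 label types are reserved
            raise ValueError("reserved label type")
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_message(msg):
    """Split a message into its five sections; RDATA is decoded for A, NS and CNAME."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype == TYPE_A and rdlen == 4:
                value = ".".join(str(b) for b in rdata)
            elif rtype in (TYPE_NS, TYPE_CNAME):
                value, _ = decode_name(msg, off)      # names inside RDATA may be compressed too
            else:
                value = rdata.hex()
            off += rdlen
            rrs.append((name, rtype, ttl, value))
        sections[key] = rrs
    return {"id": txid, "flags": flags, "rcode": flags & 0x000F,
            "truncated": bool(flags & FLAG_TC), "questions": questions, **sections}

def sample_response():
    """Constructed response to build_query("mail.google.com") (not a captured packet)."""
    question = build_query("mail.google.com")[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 1, 1)   # QR, RD, RA set; RCODE 0
    q_ptr = b"\xC0\x0C"          # pointer to the question name at offset 12
    google_ptr = b"\xC0\x11"     # pointer to the "google.com" suffix at offset 17
    answer = q_ptr + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([173, 194, 115, 22])
    ns_rdata = b"\x03ns1" + google_ptr                             # ns1.google.com, compressed
    authority = google_ptr + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 300, len(ns_rdata)) + ns_rdata
    additional = ns_rdata + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 53])
    return header + question + answer + authority + additional
```

Two details matter for anyone writing a parser that faces hostile input: a compression pointer must point backwards, and the number of pointer hops must be bounded, otherwise a single crafted packet can spin the parser forever. A real client also has to check that the response ID and question match what it sent, and that the TC flag is clear before trusting the sections.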
DNS RECORD TYPES:
• DNS internal types
• Authority: NS, SOA
• List the names of the name servers and the Start Of Authority of a zone
• DNSSEC: DS, DNSKEY, RRSIG, NSEC
• Used for DNSSEC
• Meta types: OPT, TSIG, TKEY, SIG(0)
• Not stored in DNS zones; they transfer information between DNS nodes
• Indirect: CNAME, DNAME
• Cause the resolver to change the direction of its search
• The server must have special processing code for them
• Terminal RRs:
• Address records: A, AAAA
• Informational: TXT, HINFO, KEY, SSHFP …
• Carry information to applications
• Non-terminal RRs: MX, SRV, PTR, KX, A6, NAPTR, AFSDB
• Contain domain names that may lead to further queries
The “A” Record
• The “Address” record
• One or more A records normally define a host
• Contains an IPv4 address (the address computers use to uniquely identify each other on the Internet); the AAAA record is the IPv6 equivalent
• E.g. the record:
www A 127.0.0.1
in the example.com zone defines the host “www.example.com” to be reachable at the IPv4 address 127.0.0.1 (the loopback address, used here only as a placeholder; a published record would carry a routable address)
DNS RECORD TYPES:
The “CNAME” Record
• A CNAME defines an alias
• The alias is then resolved; if another CNAME is encountered the process continues until a non-CNAME record (e.g. an A record) is found. Resolvers cap the length of such chains, and a name that has a CNAME may carry no other record types.
• E.g. the record:
mail CNAME ghs.google.com.
in the charusat.ac.in zone defines the name “mail.charusat.ac.in” to be an alias for “ghs.google.com”
DNS RECORD TYPES:
The “MX” Record
• An MX record defines the mail servers for a particular domain
• Mail exchange records hold the names of the hosts able to deliver mail for the domain, and their priorities (lower values are tried first)
• E.g. the record:
example.com. MX 10 mail
in the example.com zone defines the host mail (i.e. mail.example.com) to be the priority-10 mail server for the “example.com” domain. The owner name is the domain receiving mail, not the mail host, and the target must be a host name with an A/AAAA record, not a CNAME.
The “NS” Record
• An NS record defines the authoritative name servers for the domain.
• The “Name Server” records in a parent zone also define the name servers of child domains (delegation)
• E.g. the record:
internal NS ns1.example.com
in the example.com zone defines the host “ns1.example.com” to be a name server for the “internal.example.com” sub-domain
LEGAL USERS OF DOMAINS
• Registrant
• Depending on the naming conventions of the registries, legal users are commonly known as "registrants" or as "domain holders"
• ICANN holds a complete list of domain registries in the world
• For most of the more than 240 country code top-level domains (ccTLDs), the domain registries hold the authoritative WHOIS (registrant, name servers, expiry dates, etc.)
• However, some domain registries, such as those for .COM, .ORG, .INFO, etc., use a registry-registrar model
• Since about 2001, most gTLD registries (.ORG, .BIZ, .INFO) have adopted a so-called "thick" registry approach, i.e. keeping the authoritative WHOIS with the various registries instead of the registrars
RECURSIVE AND ITERATIVE QUERIES
• There are two types of queries:
• Recursive queries
• Iterative (non-recursive) queries
• The type of query is determined by the RD (recursion desired) bit in the header of the DNS query
• Recursive query: when the queried name server cannot answer from its own data or cache, it resolves the name on the client's behalf by issuing further queries to other servers, and returns only the final answer (or an error)
• Iterative query: when the queried name server cannot answer, it sends the resolver a referral, i.e. the NS records (and addresses) of the closest zone it knows about, and the resolver contacts that server itself
LOOKUP METHODS
Recursive query:
• Server goes out and searches for more info (recursive)
• Only returns the final answer or “not found”
Iterative query:
• Server responds with as much as it knows (iterative)
• “I don’t know this name, but ask this server”
Workload impact on the choice?
• The local server typically does recursive resolution
• Root and distant authoritative servers answer iteratively
(Figure: the requesting host sends a recursive query for mail.google.com to its local DNS server (steps 1 and 8); the local server then sends iterated queries to the root name server (2, 3), an intermediate server (4, 5) and the authoritative name server dns.google.com (6, 7), and returns the final answer to the host.)
DNS QUERY
• QNAME: mail.google.com
• QCLASS: IN
• QTYPE: A
(Figure: the stub resolver asks the recursive resolver for mail.google.com. The recursive resolver asks the root server, which answers “ask the com NS”; it asks the com server, which answers “ask the google.com NS”; it asks the google.com server, which answers mail.google.com A 173.194.115.22. The recursive resolver then returns mail.google.com A 173.194.115.22 to the stub resolver.)
1- RECURSIVE RESOLUTION – EXAMPLE (CONTINUED)
In the previous example, the mapping is done as follows:
The host contacts the local name server to query for the IP address of host mail.google.com
1. If the local name server does not have the answer in its cache or in its database, it contacts the root name server to query for the IP address of host mail.google.com
2. If the root name server does not have the answer in its cache or in its database, it contacts the name server responsible for the .com domain (dns.com) to query for the IP address of host mail.google.com
3. If dns.com does not have the answer in its cache or in its database, it contacts dns.google.com, which has the IP address for host mail.google.com
4. dns.google.com returns the answer to dns.com
5. dns.com returns the answer to the root name server
6. The root name server returns the answer to the local DNS server
7. The local DNS server returns the answer to the host
Note: this is the textbook picture of a fully recursive chain. On the real Internet the root and TLD servers do not recurse (they clear the RA bit and answer only with referrals), so recursion happens only between the stub resolver and its local recursive resolver, which then proceeds iteratively as in the next example.
2- ITERATIVE RESOLUTION – EXAMPLE (CONTINUED)
1- The host contacts the local name server to query for the IP address of host mail.google.com
2- If the local name server does not have the answer in its cache or in its database, it replies to the host with the IP address of the root name server
3- The host contacts the root name server to query for the IP address of host mail.google.com
4- If the root name server does not have the answer in its cache or in its database, it replies to the host with the IP address of the name server for the .com domain, which is dns.com
5- The host contacts the name server dns.com to query for the IP address of host mail.google.com
6- If dns.com does not have the answer in its cache or in its database, it replies to the host with the IP address of the name server dns.google.com, which is the authoritative name server for the domain google.com
7- The host contacts the name server dns.google.com to query for the IP address of host mail.google.com
8- Since dns.google.com is the authoritative name server for the google.com domain, it replies to the host with the IP address of host mail.google.com
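The iterative walk above, as an added example that is not part of the slides: a small recursive resolver that starts from root hints, follows referrals through a constructed in-memory "network" of three authoritative servers (root, com, google.com), caches what it learns with TTLs, and on later lookups starts from the longest cached match instead of the root. It also applies the bailiwick rule that real resolvers use against cache poisoning: a referral may only add records for names inside the responding server's own zone. The addresses 192.0.2.x are documentation-range placeholders, the zone contents are invented for the example (including a deliberately out-of-zone glue record), and only 173.194.115.22 comes from the slides.

```python
# Constructed authoritative servers keyed by address. records: (owner, type) -> [(ttl, rdata), ...]
SERVERS = {
    "192.0.2.1": {"zone": ".", "records": {                 # root server
        ("com.", "NS"): [(172800, "a.gtld-servers.net.")],
        ("a.gtld-servers.net.", "A"): [(172800, "192.0.2.2")],
    }},
    "192.0.2.2": {"zone": "com.", "records": {              # com server
        ("google.com.", "NS"): [(172800, "ns1.google.com."), (172800, "ns.example.org.")],
        ("ns1.google.com.", "A"): [(172800, "192.0.2.3")],
        ("ns.example.org.", "A"): [(172800, "192.0.2.99")],  # glue a com server is not authoritative for
    }},
    "192.0.2.3": {"zone": "google.com.", "records": {       # google.com server
        ("mail.google.com.", "A"): [(300, "173.194.115.22")],
    }},
}

def in_bailiwick(name, zone):
    """True if name lies inside zone (the root zone contains everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)

def query_server(server, qname, qtype):
    """Iterative behaviour of an authoritative server: it never recurses. Returns
    (kind, rrs, glue) with kind in {"answer", "referral", "nxdomain", "refused"}."""
    if not in_bailiwick(qname, server["zone"]):
        return "refused", [], []
    rrs = server["records"].get((qname, qtype))
    if rrs:
        return "answer", [(qname, qtype, ttl, rd) for ttl, rd in rrs], []
    delegations = [owner for owner, t in server["records"]
                   if t == "NS" and owner != server["zone"] and in_bailiwick(qname, owner)]
    if not delegations:
        return "nxdomain", [], []
    zone = max(delegations, key=len)                      # most specific delegation
    authority = [(zone, "NS", ttl, rd) for ttl, rd in server["records"][(zone, "NS")]]
    glue = [(ns, "A", ttl, rd) for _, _, _, ns in authority
            for ttl, rd in server["records"].get((ns, "A"), [])]
    return "referral", authority, glue

class Resolver:
    """Recursive resolver: TTL cache, longest-match starting point, iterative referral chasing."""
    def __init__(self, network, root_hints):
        self.network, self.root_hints = network, list(root_hints)
        self.cache = {}      # (name, type) -> (expiry time, [rdata, ...])
        self.log = []        # (server address or "cache", outcome) per step, for inspection

    def _put(self, rrs, now):
        for name, rtype, ttl, rd in rrs:
            expiry, values = self.cache.get((name, rtype), (now + ttl, []))
            if rd not in values:
                values.append(rd)
            self.cache[(name, rtype)] = (min(expiry, now + ttl), values)

    def _get(self, name, rtype, now):
        hit = self.cache.get((name, rtype))
        if hit and hit[0] > now:
            return hit[1]
        self.cache.pop((name, rtype), None)               # expired: evict
        return None

    def _start_servers(self, qname, now):
        """Longest match: the deepest enclosing zone whose NS names and addresses are cached."""
        labels = qname.rstrip(".").split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:]) + "."
            addrs = [a for ns in (self._get(zone, "NS", now) or [])
                     for a in (self._get(ns, "A", now) or [])]
            if addrs:
                return addrs
        return self.root_hints

    def resolve(self, qname, qtype="A", now=0.0):
        qname = qname.lower().rstrip(".") + "."
        cached = self._get(qname, qtype, now)
        if cached:
            self.log.append(("cache", qname))
            return cached
        addrs = self._start_servers(qname, now)
        for _ in range(10):                               # bound the referral chain
            addr = addrs[0]
            server = self.network[addr]
            kind, rrs, glue = query_server(server, qname, qtype)
            self.log.append((addr, kind))
            if kind == "answer":
                self._put(rrs, now)
                return [rd for _, _, _, rd in rrs]
            if kind != "referral":
                return None
            # Bailiwick check: cache only records the responding server is authoritative for,
            # so a referral cannot plant addresses for names outside its own zone.
            trusted = [rr for rr in rrs + glue if in_bailiwick(rr[0], server["zone"])]
            self._put(trusted, now)
            addrs = [rd for _, rtype, _, rd in trusted if rtype == "A"]
            if not addrs:
                return None   # NS names without usable glue would need their own lookups (omitted)
        return None
```

Running `Resolver(SERVERS, ["192.0.2.1"]).resolve("mail.google.com")` walks root, com and google.com in that order; a second lookup within 300 seconds is answered from the cache, and a lookup after the A record's TTL has expired goes straight to the google.com servers because their NS and glue records (TTL 172800) are still cached. The glue for ns.example.org never enters the cache: a com server has no authority over .org names.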
HOW DNS WORKS
• A recursive resolver is configured with an initial cache (the so-called root hints) of the known addresses of the root name servers. The hints file is updated periodically by an administrator from a reliable source (IANA publishes the current one).
• A DNS zone is loaded on its authoritative servers,
• which keep in sync using the serial number and timers in the SOA RR, via AXFR (full) or IXFR (incremental) zone transfers or other means.
• DNS caches only store data for a “short” time,
• defined by the TTL of each record.
• When looking for data, DNS recursive resolvers start at the “longest match” they have for the query name (the deepest enclosing zone whose name servers are already cached, or failing that the root hints) and follow delegations until an answer or a negative answer is received.
• DNS transactions are fast if the servers are reachable.
SECURITY ISSUES
• Some domain names can spoof other, similar-looking domain names.
• For example, "paypal.com" and "paypa1.com" are different names, yet users may be unable to tell the difference when their typeface (font) does not clearly differentiate the letter l and the digit 1. Internationalised domain names extend the problem across scripts, e.g. a Cyrillic "а" rendered exactly like a Latin "a".
• DNS responses are traditionally not cryptographically signed, and most queries travel over UDP, so a forged response only has to arrive before the genuine one and match the transaction ID, source port and question of an outstanding query. This leads to many attack possibilities:
• Cache poisoning (a forged or out-of-bailiwick record is accepted into a resolver's cache and served to every client until its TTL expires)
• Denial of Service (DoS)
• Masquerading (answering as a server one is not)
• Client flooding
• Information leakage (e.g. unrestricted zone transfers revealing a zone's full contents)
• Compromise of the DNS server’s authoritative data
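A check for the look-alike names the first bullet describes, as an added example rather than anything from the slides: each label is reduced to a visual "skeleton" (compatibility-normalised, lowercased, confusable digits and Cyrillic letters mapped to the Latin letters they resemble, "rn" collapsed to "m") and compared with a list of protected domains by skeleton equality, embedding, and edit distance 1 for typosquats. The protected list and the confusable table are assumptions for the example; a production deployment would use the full Unicode confusables data.

```python
import unicodedata

# Characters commonly mistaken for Latin letters: digits and Cyrillic look-alikes.
# Extend this table for the scripts your users actually see (assumption: a small subset).
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l", "!": "l", "5": "s", "3": "e", "8": "b", "9": "g",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}
# Character sequences that render like a single letter.
SEQUENCES = [("rn", "m"), ("vv", "w")]

def skeleton(label):
    """Visual skeleton of one label: NFKC, lowercase, confusables replaced,
    look-alike sequences collapsed, separators dropped."""
    label = unicodedata.normalize("NFKC", label).lower()
    label = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    for seq, rep in SEQUENCES:
        label = label.replace(seq, rep)
    return label.replace("-", "").replace("_", "")

def edit_distance(a, b):
    """Levenshtein distance; distance 1 from a brand is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain):
    """Second-level label, the part a registrant chooses. Punycode (xn--) labels are
    decoded so IDN homographs are compared as Unicode."""
    domain = domain.strip().rstrip(".").lower()
    if "xn--" in domain:
        domain = domain.encode("ascii").decode("idna")
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def lookalike_of(domain, protected):
    """Return the protected domain that `domain` imitates, or None.
    `protected` holds lowercase names; an exact match is legitimate, not a look-alike."""
    domain_norm = domain.strip().rstrip(".").lower()
    if domain_norm in protected:
        return None
    skel = skeleton(registrable_label(domain_norm))
    for brand in protected:
        brand_skel = skeleton(registrable_label(brand))
        if skel == brand_skel:                                       # homograph / substitution
            return brand
        if len(brand_skel) >= 5 and brand_skel in skel:              # brand embedded: paypal-login
            return brand
        if len(brand_skel) >= 5 and edit_distance(skel, brand_skel) == 1:   # typosquat
            return brand
    return None
```

The length guard on the embedding and edit-distance rules keeps short brand names from matching half the Internet; tune it, and the confusable table, against your own false-positive rate. Feeding newly observed names from passive DNS or certificate-transparency logs through this function is a common way to catch phishing domains before users do.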
DNSSEC
• DNSSEC works by digitally signing DNS records using public-key cryptography. The DNSKEY record of a zone is authenticated via a chain of trust that starts with a set of verified public keys for the DNS root zone (the trust anchor, published by IANA); each parent zone vouches for its child's key with a DS record that holds a hash of that key.
• DNSSEC modifies DNS to add support for cryptographically signed responses (RRSIG), signed proof that a name does not exist (NSEC) and the DS/DNSKEY records that carry the chain of trust. It provides authenticity and integrity of the data, not confidentiality.
• There are various extensions (such as TSIG) to secure zone transfer information as well.
• From the results of a DNS lookup, a security-aware DNS resolver can determine whether the authoritative name server for the domain being queried supports DNSSEC, whether the answer it receives is secure, and whether there is some sort of error (a validation failure is returned to clients as SERVFAIL). The lookup procedure is different for recursive name servers such as those of many ISPs, which validate the chain themselves, and for stub resolvers such as those included by default in mainstream operating systems, which usually rely on the AD (authenticated data) bit set by their validating resolver; since that bit travels unprotected over the network, the stub must trust the path to its resolver.
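The DS link in the chain of trust, as an added example that is not from the slides: a parent's DS record carries the key tag, algorithm, digest type and a digest computed over the canonical owner name followed by the child's DNSKEY RDATA (RFC 4034), so a validator can confirm that the DNSKEY a zone serves is the one its parent vouched for. The code computes DS records and key tags and walks a constructed root/com/example.com chain from a trust anchor. The key bytes are placeholders, not real RSA or ECDSA keys, and RRSIG verification over the DNSKEY and DS RRsets is deliberately left out, so this is the hashing half of validation only.

```python
import hashlib
import hmac
import struct

def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (257 = KSK with SEP bit, 256 = ZSK), protocol (always 3),
    algorithm (8 = RSASHA256, 13 = ECDSAP256SHA256), then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}   # DS digest types

def make_ds(owner, rdata, digest_type=2):
    """DS fields for the DNSKEY `rdata` owned by `owner`; the digest covers the
    canonical owner name followed by the DNSKEY RDATA."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}

def ds_matches(owner, rdata, ds):
    """Does this DS (from the parent zone, or the trust anchor) authenticate this DNSKEY?"""
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    if ds["digest_type"] not in DIGESTS:
        return False                      # unknown digest type: treat the link as unverifiable
    expected = DIGESTS[ds["digest_type"]](wire_name(owner) + rdata).digest()
    return hmac.compare_digest(expected, ds["digest"])

def verify_ds_chain(anchor_ds, links):
    """Walk the DS links from the trust anchor downwards. `links` is a list of
    (zone, dnskey_rdata, ds_published_for_the_next_zone_or_None); each zone's key must
    match the DS the previous zone vouched for. RRSIG checks are omitted (see lead-in)."""
    expected = anchor_ds
    for zone, rdata, child_ds in links:
        if expected is None or not ds_matches(zone, rdata, expected):
            return False
        expected = child_ds
    return True

# Constructed chain with placeholder key material (assumption: not real keys).
ROOT_KEY = dnskey_rdata(257, 3, 8, b"root-ksk-placeholder")
COM_KEY = dnskey_rdata(257, 3, 8, b"com-ksk-placeholder")
EXAMPLE_KEY = dnskey_rdata(257, 3, 13, b"example-ksk-placeholder")
TRUST_ANCHOR = make_ds(".", ROOT_KEY)     # resolvers ship the root DS, as IANA publishes it
CHAIN = [
    (".", ROOT_KEY, make_ds("com.", COM_KEY)),
    ("com.", COM_KEY, make_ds("example.com.", EXAMPLE_KEY)),
    ("example.com.", EXAMPLE_KEY, None),
]
```

Two properties worth noticing: the owner name is part of the digest, so a DS for example.com cannot be replayed against com even with the same key bytes, and the key tag is only a 16-bit hint for picking the candidate key, never a substitute for the digest comparison.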