Domain Name System (DNS) Flashcards
1
Q
Naming & Addressing
A
- Names & Addresses
– To call someone, you need to ask for his/her phone number
– To mail someone, you need to get their address - How does naming and addressing work in the
Internet?
– If you need to reach Google do you need their IP
* Does anyone know Google’s IP?
– Problem:
* People can’t remember IP addresses
* Need human-readable names that map to IP addresses
2
Q
Internet Names & Addresses
A
- IP Addresses, e.g. 148.88.2.80
– Computer usable labels for machines
– Conform to structure of the network - Names, e.g. www.lancaster.ac.uk
– Human usable labels for machines
– Conform to organizational structure - How do you map from one to the other?
-> Domain Name System (DNS)
3
Q
Internet Names & Addresses
(Indirection)
A
- Indirection is the ability to reference objects (such as data) using a name (identity) instead of the value of the object (such as an address).
- Quite simply, it means not direct.
– If there is a direct connection between two things, indirection means that something is placed in the middle so that another level of indirection is created.
4
Q
History
A
- Before DNS, all mappings were in hosts.txt
- /etc/hosts on Linux
- C:\Windows\System32\drivers\etc\hosts on Windows
- Process
- Centralized, manual system
- Changes were submitted
- Machines periodically FTP new copies of hosts.txt
- Administrators could pick names at their discretion
- Any name was allowed
- You could name your server as:
- “best_server_in_the_world”
- You could name your server as:
5
Q
The Need for Something Better
A
- System administrators had to update hosts file on every machine to include every host their users might access
- Any machine not in hosts file could only be accessed using IP address
6
Q
Hosts Files Today
A
- Used mainly to bypass DNS
- … not suited to Internet scale
- Error prone
- No trigger for updates
- Name to IP mappings change
- No guarantee of network wide consistency
- No trigger for updates
- Can ‘guarantee’ access to important local servers
- Beware over use due to above problems
7
Q
From host.txt to DNS
A
- host.txt
- Not scalable
-> need for scalable system
- SRI cannot handle load - Hard to enforce uniqueness of names
-> need for unique naming system
- e.g. UCL
= University College London
= Universite Catholique de Louvain - Many machines had inaccurate copies of hosts.txt
-> need for real-time system
- Stanford-Research-Insitute: Network-Information-Center (NIC) updated hosts.txt periodically
- Not scalable
- Hence, DNS was born
- Paul Mockapteris released the first version in 1984
- RFCs 882 and 883
- Superseeded by 1034 and 1035
8
Q
DNS: domain name system
A
- People: many identifiers:
– Name, passport #, National Insurance Number, etc. - Internet hosts, routers:
– IP address (32 bit) - used for addressing datagrams
– “name”, e.g., www.yahoo.com - used by
humans
Q: how to map between IP address and name, and vice versa?
- Domain Name System:
– Distributed database implemented as a hierarchy of many name servers
– Application-layer protocol: hosts, name servers communicate to resolve names (address/name translation)- Note: core Internet function, implemented as application layer protocol
- Complexity at network’s “edge
9
Q
DNS: services, structure
A
- DNS services
– Hostname to IP address translation
– Host aliasing
* Alias namesècanonical
– Mail server aliasing
– Load distribution
* Replicated Web servers: many IP addresses correspond to one name - Why not centralize DNS?
– Single point of failure
– Traffic volume
– Distant centralized database
– Maintenance
Answer: it wouldn’t scale! DNS handles billions of queries per day!
- Host aliasing:
- www.lancaster.ac.uk -> www.lancs.ac.uk
10
Q
DNS: a distributed, hierarchical database
A
- Client wants IP for www.amazon.com; 1st approximation:
– Client queries root server to find com DNS server
– Client queries .com DNS server to get amazon.com DNS server
– Client queries amazon.com DNS server to get IP address for www.amazon.com
11
Q
Internet Domain Names
A
12
Q
Subdomains
A
One domain is a subdomain of another if
its domain name ends in the other’s domain name
– So comp.lancs.ac.uk is a subdomain of
* lancs.ac.uk
which is sub-domain of
* ac.uk
which is sub-domain of
* uk
13
Q
Fully Qualified Domain Names (FQDN)
A
- FQDNs end with a dot
– Implies rooted at top of DNS hierarchy
– No further resolution needed
– cs-lab.co.uk. - Names without a dot can be extended toward root
14
Q
DNS: root name servers
A
- Contacted by local name server that can not resolve name
- Root name server:
– Contacts authoritative name server if name mapping not known
– Gets mapping
– Returns mapping to local name server
15
Q
‘13’ Root Servers
A
- Updated twice a day from non-public registry file server*
- Each server has a redundant backup
- They are also replicated across globe
– More than 13 physical machines!
– Get records for closest servers
– Addresses for one of each server hard-coded into resolvers etc
16
Q
‘13’ Root Servers (The magical few)
A
17
Q
TLD, authoritative servers
A
- Top-level domain (TLD) servers:
– Responsible for com, org, net, edu, aero, jobs, museums, and all top-level country domains, e.g.: uk, fr, ca, jp
* Network Solutions maintains servers for .com TLD
* Educause for .eduTLD - Authoritative DNS servers:
– Organization’s own DNS server(s), providing authoritative hostname to IP mappings for organization’s named hosts
– Can be maintained by organization or service provider
18
Q
Local DNS name server
A
- Does not strictly belong to hierarchy
- Each ISP (residential ISP, company, university) has one
– Also called “default name server” - When host makes DNS query, query is sent to its local DNS server
– Has local cache of recent name-to-address translation pairs (but may be out of date!)
– Acts as proxy, forwards query into hierarchy
19
Q
DNS name resolution example
A
- Host as cis.poly.edu wants IP address for gaia.cs.umass.edu
- Iterative query:
- Contacted server replies with name of server to contact
- “I don’t know this name, but ask this server”
20
Q
DNS name resolution example
A
- Recursive query:
– Puts burden of name resolution on contacted name server
– Heavy load at upper levels of hierarchy?
21
Q
DNS: caching, updating records
A
- Once (any) name server learns mapping, it caches mapping
– Cache entries timeout (disappear) after some time (TTL)
– TLD servers typically cached in local name servers
* Thus root name servers not often visited - Cached entries may be out-of-date (best effort name-to-address translation!)
– If name host changes IP address, may not be known Internet-wide until all TTLs expire - Update/notify mechanisms proposed IETF standard
– RFC 2136
22
Q
DNS records
A
DNS: distributed database storing resource records (RR)
type=A
- name is hostname
- value is IP address
type=NS
– name is domain (e.g., foo.com)
– value is hostname of authoritative name server for this domain
type=CNAME
- name is alias name for some “canonical” (the real) name
- www.lancaster.ac.uk is really www.lancs.ac.uk
- value is canonical name
type=MX
- value is name of mailserver associated with name
23
Q
DNS protocol, messages
A
- Query and reply messages, both with same message format
24
Q
Life of a DNS Registration
A
25
Q
Inserting records into DNS
A
- Example: new startup “Network Utopia”
- Register name networkuptopia.com at DNS registrar (e.g., Network Solutions)
– Provide names, IP addresses of authoritative name server (primary and secondary)
– Registrar inserts two RRs into .com TLD server: (networkutopia.com, dns1.networkutopia.com, NS (dns1.networkutopia.com, 212.212.212.1, A) - Create authoritative server and insert:
– type A record for www.networkuptopia.com
– type MX record for networkutopia.com
26
Q
What happens if DNS is slow or
unreliable?
A
- Really depends…
- Can induce significantly delay to a request
– Already 1 RTT
– Usually ms (could be longer depending on resolution and local DNS state)
– A blocking operation! - If the record is cached at the host, then we don’t need to look up
– Valid until the cache expires
27
Q
Attacking DNS
A
DDoS attacks
– Bombard root servers with traffic
* Not successful to date
– October 2002: massive DDoS against the root name servers
– What was the effect?
» … users didn’t even notice
– Root zone file is cached almost everywhere
* Traffic filtering
* Local DNS servers cache IPs of TLD servers, allowing root server bypass
- Bombard TLD servers
– Potentially more dangerous - Redirect attacks
– Man-in-middle
* Intercept queries
– DNS poisoning
* Send bogus relies to DNS server, which caches - Exploit DNS for DDoS
– Send queries with spoofed source address: target IP
– Requires amplification
28
Q
DNS Hijacking
A
- Infect OS or browser with a virus/trojan
– e.g. Many trojans change entries in /etc/hosts
– *.bankofamerica.com à evilbank.com - Response Spoofing
– Eavesdrop on requests
– Outrace the servers response
29
Q
DNS Hijacks: ID Prediction
A
- Requester will believe first response it sees
– Dangerous if query for server A record
– Disaster if query for Name Server (use this for subsequent queries)
– Response must
* Have correct query ID
* Be to requester’s port number
– On many early systems these could be predicted - We now randomise
– Query IDs
– Source ports for queries
30
Q
Solution: DNSSEC
A
- Cryptographically sign critical resource records
– Resolver can verify the cryptographic signature - Two new resource types
– Type = DNSKEY
* Name = Zone domain name
* Value = Public key for the zone
– Type = RRSIG
* Name = (type, name) tuple, i.e. the query itself
* Value = Cryptographic signature of the query results - Deployment
– On the roots since July 2010
– Verisign enabled it on .com and .net in January 2011
– Comcast is the first major ISP to support it (January 2012)
