DOCSLIB.ORG

Thesis That TW-OR Forwards All DNS Queries to a Resolver in China

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Thesis That TW-OR Forwards All DNS Queries to a Resolver in China The Impact of DNSSEC on the Internet Landscape Von der Fakult¨atf¨urIngenieurwissenschaften, Abteilung Informatik und Angewandte Kognitionswissenschaft der Universit¨atDuisburg-Essen zur Erlangung des akademischen Grades Doktor der Ingenieurwissenschaften genehmigte Dissertation von Matth¨ausWander aus Lubin (L¨uben) Gutachter: Prof. Dr.-Ing. Torben Weis Prof. Dr.-Ing. Felix Freiling Tag der m¨undlichen Pr¨ufung:19. Juni 2015 Abstract In this dissertation we investigate the security deficiencies of the Domain Name System (DNS) and assess the impact of the DNSSEC security extensions. DNS spoofing attacks divert an application to the wrong server, but are also used routinely for blocking access to websites. We provide evidence for systematic DNS spoofing in China and Iran with measurement-based analyses, which allow us to examine the DNS spoofing filters from van- tage points outside of the affected networks. Third-parties in other countries can be affected inadvertently by spoofing-based domain filtering, which could be averted with DNSSEC. The security goals of DNSSEC are data integrity and authenticity. A point solution called NSEC3 adds a privacy assertion to DNSSEC, which is supposed to prevent disclosure of the domain namespace as a whole. We present GPU-based attacks on the NSEC3 privacy assertion, which allow efficient recovery of the namespace contents. We demonstrate with active measurements that DNSSEC has found wide adoption after initial hesitation. At server-side, there are more than five million domains signed with DNSSEC. A portion of them is insecure due to insufficient cryptographic key lengths or broken due to maintenance failures. At client-side, we have observed a worldwide increase of DNSSEC validation over the last three years, though not necessarily on the last mile. Deployment of DNSSEC validation on end hosts is impaired by intermediate caching components, which degrade the availability of DNSSEC. However, intermediate caches con- tribute to the performance and scalability of the Domain Name System, as we show with trace-driven simulations. We suggest that validating end hosts utilize intermediate caches by default but fall back to autonomous name resolution in case of DNSSEC failures. Zusammenfassung In dieser Dissertation werden die Sicherheitsdefizite des Domain Name Systems (DNS) untersucht und die Auswirkungen der DNSSEC-Sicherheitserweiterungen bewertet. DNS- Spoofing hat den Zweck eine Anwendung zum falschen Server umzuleiten, wird aber auch regelm¨aßig eingesetzt, um den Zugang zu Websites zu sperren. Durch messbasierte Analy- sen wird in dieser Arbeit die systematische Durchfuhrung¨ von DNS-Spoofing-Angriffen in China und im Iran belegt, wobei sich die Messpunkte außerhalb der von den Sperrfiltern betroffenen Netzwerke befinden. Es wird gezeigt, dass Dritte in anderen L¨andern durch die Spoofing-basierten Sperrfilter unbeabsichtigt beeintr¨achtigt werden k¨onnen, was mit DNSSEC verhindert werden kann. Die Sicherheitsziele von DNSSEC sind Datenintegrit¨at und Authentizit¨at. Die NSEC3- Erweiterung sichert zudem die Privatheit des Domainnamensraums, damit die Inhalte eines DNSSEC-Servers nicht in G¨anze ausgelesen werden k¨onnen. In dieser Arbeit werden GPU- basierte Angriffsmethoden auf die von NSEC3 zugesicherte Privatheit vorgestellt, die eine effiziente Wiederherstellung des Domainnamensraums erm¨oglichen. Ferner wird mit aktiven Messmethoden die Verbreitung von DNSSEC untersucht, die nach anf¨anglicher Zuruckhaltung¨ deutlich zugenommen hat. Auf der Serverseite gibt es mehr als funf¨ Millionen mit DNSSEC signierte Domainnamen. Ein Teil davon ist aufgrund von unzureichenden kryptographischen Schlussell¨ ¨angen unsicher, ein weiterer Teil zudem aufgrund von Wartungsfehlern nicht mit DNSSEC erreichbar. Auf der Clientseite ist der Anteil der DNSSEC-Validierung in den letzten drei Jahren weltweit gestiegen. Allerdings ist hierbei offen, ob die Validierung nahe bei den Endger¨aten stattfindet, um unvertraute Kommunikationspfade vollst¨andig abzusichern. Der Einsatz von DNSSEC-Validierung auf Endger¨aten wird durch zwischengeschaltete DNS-Cache-Komponenten erschwert, da hierdurch die Verfugbarkeit¨ von DNSSEC beein- tr¨achtigt wird. Allerdings tragen zwischengeschaltete Caches zur Performance und Skalier- barkeit des Domain Name Systems bei, wie in dieser Arbeit mit messbasierten Simulationen gezeigt wird. Daher sollten Endger¨ate standardm¨aßig die vorhandene DNS-Infrastruktur nutzen, bei Validierungsfehlern jedoch selbst¨andig die DNSSEC-Zielserver anfragen, um im Cache gespeicherte, fehlerhafte DNS-Antworten zu umgehen. Contents List of Figures vii List of Tables xi List of Acronyms xiii I Fundamentals 1 1 Introduction 2 1.1 Outline . .3 1.2 Contributions . .4 2 Domain Name System 7 2.1 Namespace . .7 2.1.1 Record Types . .8 2.1.2 Lookup . .9 2.1.3 Wildcards . 10 2.2 Hierarchical Delegation . 10 2.3 System Architecture . 11 2.4 Server Redundancy . 13 2.5 Caching . 14 2.6 Network Protocol . 15 2.7 Root and Top-Level Domains . 16 2.7.1 Priming . 16 2.7.2 Root Zone Management . 17 2.7.3 TLD Management . 19 2.7.4 Alternative Roots . 20 2.8 Delegation Interdependency . 20 CONTENTS iii 3 DNSSEC 23 3.1 Design Goals . 23 3.2 Concept . 24 3.3 Network Protocol . 25 3.3.1 Signature . 26 3.3.2 Public Key . 27 3.3.3 Secure Delegation . 28 3.4 Algorithms . 29 3.5 Key Management . 30 3.5.1 Key Schemes . 30 3.5.2 Key Rollover . 30 3.5.3 Update of Authentication Chain . 31 3.5.4 Root Key Management . 31 3.6 Public-Key Infrastructure . 33 3.6.1 Trust Model . 33 3.6.2 DNS-based Authentication of Named Entities . 34 3.7 Authenticated Denial of Existence . 35 3.7.1 NSEC . 35 3.7.2 Zone Enumeration . 36 3.7.3 NSEC3 . 37 3.7.4 Opt-Out . 39 3.7.5 Wildcards . 40 3.7.6 Costs . 41 3.7.7 Minimally Covering Records . 42 II Security Analysis 43 4 Attacker Model 44 5 Attack Methods 46 5.1 Spoofing Attack . 46 5.2 Spoofing Attack with Multiple Queries . 48 5.2.1 Birthday Attack . 48 5.2.2 Courier Attack . 49 5.2.3 Evaluation . 50 5.3 Kaminsky Attack . 51 5.4 DNS Injection . 52 5.5 Capabilities of Resolver Operators . 54 iv CONTENTS 5.6 Capabilities of Authority Operators . 58 5.7 System Time . 59 5.8 Breaking DNSSEC Keys . 60 6 Measurement Study on DNS Injection 63 6.1 Probing for DNS Injectors . 63 6.1.1 Method . 64 6.1.2 Implementation . 65 6.1.3 Measurement Result . 66 6.2 Blacklist Testing . 71 6.2.1 Method . 71 6.2.2 Implementation . 71 6.2.3 Measurement Result . 72 6.3 Obtaining Bogus Addresses . 74 6.3.1 Method . 74 6.3.2 Implementation . 76 6.3.3 Measurement Result . 76 6.4 Impact on Resolvers . 77 6.4.1 Method . 79 6.4.2 Implementation . 80 6.4.3 Measurement Result . 80 6.5 Case Study: Unconditionally Affected Open Resolver . 85 6.6 Case Study: DNS Injection in Hong Kong . 88 6.6.1 Method . 89 6.6.2 Measurement Result . 89 6.7 Related Work . 90 6.8 Summary and Conclusion . 93 7 Attacking the NSEC3 Privacy Goal 96 7.1 Hash Crawling . 96 7.2 Hash Breaking . 98 7.2.1 Brute-Force Attack . 99 7.2.2 Dictionary Attack . 99 7.2.3 Markov Attack . 100 7.3 Implementation . 100 7.4 Evaluation . 102 7.4.1 Hash Crawling . 103 7.4.2 Hash Breaking . 104 7.5 Discussion . 107 CONTENTS v 7.6 Related Work . 108 7.7 Summary and Conclusion . 109 III Adoption of.
Load more

Recommended publications
  • Internet Governance Project
    International internet Policy Priorities United States Department of Commerce, National Telecommunications and Information Administration (NTIA) [Docket No. 180124068–8068–01] RIN 0660–XC041 The Internet Governance Project (IGP) is a group of professors, postdoctoral researchers and students hosted at the Georgia Institute of Technology’s School of Public Policy. We conduct scholarly research, produce policy analyses and commentary on events in Internet governance, and bring our ideas and proposals directly into Internet governance processes. We also educate professionals and young people about Internet governance in various world regions. IGP welcomes NTIA’s broadly focused NOI on “International Internet Policy Priorities.” We believe that agency is asking many of the right questions and appreciate its desire to look for guidance from the public. Our response will follow the template of the NOI. I. THE FREE FLOW OF INFORMATION AND JURISDICTION A. What are the challenges to the free flow of information online? ​ There are two distinct challenges to the free flow of information. The biggest and most fundamental is alignment,1 which is related to the issue of jurisdiction. Alignment refers to the ​ ​ ​ attempt by national governments to assert sovereignty over cyberspace, by imposing exclusive territorial jurisdiction and national controls in a globally interoperable cyberspace. Data localization is one obvious example of a policy that seeks to achieve alignment, but the process is evident in multiple domains of Internet governance: in cybersecurity policy, trade policy, intellectual property protection and content regulation. In each case states erect barriers that 1 The concept of alignment was described in the book Will the Internet Fragment? (Polity Press, 2017).
    [Show full text]
  • DNS Spoofing 2
    Professor Vahab COMP 424 13 November 2016 DNS Spoofing DNS spoofing, also known as DNS Cache Poisoning, is one of the most widely used man-in-the-middle attacks that capitalizes on vulnerabilities in the domain name system that returns a false IP address and routes the user to a malicious domain. Whenever a machine contacts a domain name such as www.bankofamerica.com, it must first contact its DNS server which responds with multiple IP addresses where your machine can reach the website. Your computer is then able to connect directly to one of the IP addresses and the DNS is able to convert the IP addresses into a human-readable domain name. If an attacker is able to gain control of a DNS server and change some of its properties such as routing Bank of America’s website to an attacker’s IP address. At that location, the attacker is then able to unsuspectingly steal the user’s credentials and account information. Attackers use spam and other forms of attack to deliver malware that changes DNS settings and installs a rogue Certificate Authority. The DNS changes point to the hacker's secret DNS name server so that when the users access the web they are directed to proxy servers instead of authorized sites. They can also start to blacklist domains and frustrate the user with their day to day activities. All blacklisted domains would have their traffic dropped instead of forwarded to their intended destination. Based on the rogue Certificate Authority the system has no sign that an attack is taking place or ever took place.
    [Show full text]
  • Ethereum Based Domain Name System Using Smart Contracts
    ETHEREUM BASED DOMAIN NAME SYSTEM USING SMART CONTRACTS (BC-DNS) A Project Presented to the faculty of the Department of Computer Science California State University, Sacramento Submitted in partial satisfaction of the requirements for the degree of MASTER OF SCIENCE in Computer Science by Rodney Pinto SPRING 2019 © 2019 Rodney Pinto ALL RIGHTS RESERVED ii ETHEREUM BASED DOMAIN NAME SYSTEM USING SMART CONTRACTS (BC-DNS) A Project by Rodney Pinto Approved by: __________________________________, Committee Chair Dr. Jun Dai. __________________________________, Second Reader Dr. Xuyu Wang. ____________________________ Date iii Student: Rodney Pinto I certify that this student has met the requirements for format contained in the university format manual, and that this project is suitable for shelving in the library and credit is to be awarded for the project. __________________________, Graduate Coordinator ____________________ Dr. Jinsong Ouyang, Ph.D. Date Department of Computer Science iv Abstract of ETHEREUM BASED DOMAIN NAME SYSTEM USING SMART CONTRACTS (BC-DNS) by Rodney Pinto One of the most critical resources that ensure the current working of the internet is the domain name system (DNS). It is a decentralized, hierarchical naming system that is responsible for translating the human-readable domain name to its associated IP address. The use of DNS thus eliminates the need for humans to remember the IP address of all their favorite websites (such as 172.217.6.68 an IPV4 address for google.com). Despite its widespread use, DNS is vulnerable to various security issues. This project focuses on replicating the basic functionality of the existing DNS on the blockchain and deploying it on a peer to peer network making it completely decentralized and, in the process, make it a bit more secure and reliable by addressing few of the security vulnerabilities of the existing system.
    [Show full text]
  • Secure Shell- Its Significance in Networking (Ssh)
    International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: [email protected] Volume 4, Issue 3, March 2015 ISSN 2319 - 4847 SECURE SHELL- ITS SIGNIFICANCE IN NETWORKING (SSH) ANOOSHA GARIMELLA , D.RAKESH KUMAR 1. B. TECH, COMPUTER SCIENCE AND ENGINEERING Student, 3rd year-2nd Semester GITAM UNIVERSITY Visakhapatnam, Andhra Pradesh India 2.Assistant Professor Computer Science and Engineering GITAM UNIVERSITY Visakhapatnam, Andhra Pradesh India ABSTRACT This paper is focused on the evolution of SSH, the need for SSH, working of SSH, its major components and features of SSH. As the number of users over the Internet is increasing, there is a greater threat of your data being vulnerable. Secure Shell (SSH) Protocol provides a secure method for remote login and other secure network services over an insecure network. The SSH protocol has been designed to support many features along with proper security. This architecture with the help of its inbuilt layers which are independent of each other provides user authentication, integrity, and confidentiality, connection- oriented end to end delivery, multiplexes encrypted tunnel into several logical channels, provides datagram delivery across multiple networks and may optionally provide compression. Here, we have also described in detail what every layer of the architecture does along with the connection establishment. Some of the threats which Ssh can encounter, applications, advantages and disadvantages have also been mentioned in this document. Keywords: SSH, Cryptography, Port Forwarding, Secure SSH Tunnel, Key Exchange, IP spoofing, Connection- Hijacking. 1. INTRODUCTION SSH Secure Shell was first created in 1995 by Tatu Ylonen with the release of version 1.0 of SSH Secure Shell and the Internet Draft “The SSH Secure Shell Remote Login Protocol”.
    [Show full text]
  • Threat Modeling and Circumvention of Internet Censorship by David Fifield
    Threat modeling and circumvention of Internet censorship By David Fifield A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science in the Graduate Division of the University of California, Berkeley Committee in charge: Professor J.D. Tygar, Chair Professor Deirdre Mulligan Professor Vern Paxson Fall 2017 1 Abstract Threat modeling and circumvention of Internet censorship by David Fifield Doctor of Philosophy in Computer Science University of California, Berkeley Professor J.D. Tygar, Chair Research on Internet censorship is hampered by poor models of censor behavior. Censor models guide the development of circumvention systems, so it is important to get them right. A censor model should be understood not just as a set of capabilities|such as the ability to monitor network traffic—but as a set of priorities constrained by resource limitations. My research addresses the twin themes of modeling and circumvention. With a grounding in empirical research, I build up an abstract model of the circumvention problem and examine how to adapt it to concrete censorship challenges. I describe the results of experiments on censors that probe their strengths and weaknesses; specifically, on the subject of active probing to discover proxy servers, and on delays in their reaction to changes in circumvention. I present two circumvention designs: domain fronting, which derives its resistance to blocking from the censor's reluctance to block other useful services; and Snowflake, based on quickly changing peer-to-peer proxy servers. I hope to change the perception that the circumvention problem is a cat-and-mouse game that affords only incremental and temporary advancements.
    [Show full text]
  • L-Root and Internet in LAC Mauricio Vergara Ereche | Qos Internet CEPAL | Oct 2015 Agenda
    L-Root and Internet in LAC Mauricio Vergara Ereche | QoS Internet CEPAL | Oct 2015 Agenda 1 2 3 What is L-Root LAC ICANN? Connectivity 4 5 Our model for Recommend deployment ations | 2 What is ICANN? What is a resilient and secure Internet? Quick Look at ICANN Overview ICANN is a global multi-stakeholder, private sector organization that manages Internet resources for the public benefit. It is best known for its role as technical coordinator of the Internet’s Domain Name System Mission To coordinate, at the overall level, the global Internet’s system of unique identifiers, and in particular to ensure the stable and secure operation of the Internet’s unique identifier system | 4 Supporting A Healthy, Resilient Internet | 5 SSR: Security, Stability and Resiliency Secure 1 Capacity to protect and prevent misuse of Internet Unique identifiers Stable Capacity to ensure that the system operates as expected, 2 and that users of the unique identifiers have confidence that the system operates as expected Resilient Capacity of the unique identifier system to effectively 3 withstand/tolerate/survive malicious attacks and other disruptive events without disruption or cessation of service | 6 L-Root DNS and Anycasting How DNS Works? Root Server 2 www.icann.org ? 1 3 4 8 .ORG Server 5 DNS Resolver (ISP) 6 9 7 www.icann.org ICANN.ORG Server | 8 What is L-Root? “L” is one of 13 independently operated root servers serving the DNS root zone ICANN DNS Engineering team operates L under the Autonomous System Number (ASN) AS20144 using the following
    [Show full text]
  • Domain Name System 1 Domain Name System
    Domain Name System 1 Domain Name System The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. A Domain Name Service translates queries for domain names (which are easier to understand and utilize when accessing the internet) into IP addresses for the purpose of locating computer services and devices worldwide. An often-used analogy to explain the Domain Name System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames into IP addresses. For example, the domain name www.example.com translates to the addresses 192.0.43.10 (IPv4) and 2620:0:2d0:200::10 (IPv6). The Domain Name System makes it possible to assign domain names to groups of Internet resources and users in a meaningful way, independent of each entity's physical location. Because of this, World Wide Web (WWW) hyperlinks and Internet contact information can remain consistent and constant even if the current Internet routing arrangements change or the participant uses a mobile device. Internet domain names are easier to remember than IP addresses such as 208.77.188.166 (IPv4) or 2001:db8:1f70::999:de8:7648:6e8 (IPv6). Users take advantage of this when they recite meaningful Uniform Resource Locators (URLs) and e-mail addresses without having to know how the computer actually locates them. The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses by designating authoritative name servers for each domain.
    [Show full text]
  • Identifier System Attack Mitigation Methodology DATE: 13 February 2017 Identifier System Attack Mitigation Methodology
    Identifier System Attack Mitigation Methodology DATE: 13 February 2017 Identifier System Attack Mitigation Methodology Introduction This document is part of ICANN’s effort to contribute to enhancing the Stability, Security, and Resiliency (SSR) of the Internet’s system of unique identifiers (“Internet Identifiers”) by working with the Community to identify and increase awareness of related attacks and to promote broader adoption of attack mitigation practices. This effort also addresses Recommendation #12 of the Security, Stability & Resiliency (SSR) Review Team (SSR-RT) by creating an Identifier System Attack Mitigation Methodology. Specifically, this document identifies and prioritizes types of attacks against the Identifier System, providing a stepping-off point for ICANN to coordinate with the Community to develop a series of short technical documents (“Tech Notes”) on actual high-impact attacks and emerging high-risk vulnerabilities. This document will be periodically updated to reflect evolution of both the Identifier System and the cybercrime landscape, supporting on-going efforts within both ICANN and the Community to mitigate attacks that pose the greatest risk to Identifier System SSR. Authors: Lisa Phifer and David Piscitello Page 1 Identifier System Attack Mitigation Methodology DATE: 13 February 2017 Attack Mitigation Methodology ICANN is proposing a new Identifier System Attack Mitigation Methodology to: • Identify, prioritize, and periodically refresh a list of top Identifier System attacks; • Develop guidance on actual high-impact attacks and emerging high-risk vulnerabilities; • Describe corresponding attack mitigation practices that are commonly considered useful; and • Encourage broader adoption of those practices via contracts, agreements, incentives, etc. This document represents the first component of this methodology.
    [Show full text]
  • CS4700/CS5700 Fundamentals of Computer Networks
    CS4700/CS5700 Fundamentals of Computer Networks Lecture 17: Domain Name System Slides used with permissions from Edward W. Knightly, T. S. Eugene Ng, Ion Stoica, Hui Zhang Alan Mislove amislove at ccs.neu.edu Northeastern1 University Human Involvement • Just like your friend needs to tell you his phone number for you to call him • Somehow, an application needs to know the IP address of the communication peer • There is no magic, some out-of-band mechanism is needed – Word of mouth – Read it in the advertisement in the paper – Etc. • But IP addresses are bad for humans to remember and tell each other • So need names that makes some sense to humans Alan Mislove amislove at ccs.neu.edu Northeastern2 University Internet Names & Addresses • Names: e.g. www.rice.edu – human-usable labels for machines – conforms to “organizational” structure • Addresses: e.g. 128.42.247.150 – router-usable labels for machines – conforms to “network” structure • How do you map from one to another? – Domain Name System (DNS) Alan Mislove amislove at ccs.neu.edu Northeastern3 University DNS: History • Initially all host-addess mappings were in a file called hosts.txt (in /etc/hosts) – Changes were submitted to SRI by email – New versions of hosts.txt ftp’d periodically from SRI – An administrator could pick names at their discretion – Any name is allowed: eugenesdesktopatrice • As the Internet grew this system broke down because: – SRI couldn’t handled the load – Hard to enforce uniqueness of names – Many hosts had inaccurate copies of hosts.txt • Domain Name System (DNS) was born Alan Mislove amislove at ccs.neu.edu Northeastern4 University Basic DNS Features • Hierarchical namespace – as opposed to original flat namespace • Distributed storage architecture – as opposed to centralized storage (plus replication) • Client--server interaction on UDP Port 53 – but can use TCP if desired Alan Mislove amislove at ccs.neu.edu Northeastern5 University Naming Hierarchy root edu com gov mil org net uk fr etc.
    [Show full text]
  • DNS Performance – a Study of Free, Public and Popular DNS Servers in 2019
    Linköping University | Department of Computer and Information Science Bachelor’s thesis, 16 ECTS | Informationsteknologi 2019 | LIU-IDA/LITH-EX-G--19/037--SE DNS Performance – A study of free, public and popular DNS servers in 2019 DNS prestanda – En studie av gratis, publika och populära DNS servrar år 2019 Filip Ström Felix Zedén Yverås Supervisor : Niklas Carlsson Examiner : Marcus Bendtsen Linköpings universitet SE–581 83 Linköping +46 13 28 10 00 , www.liu.se Upphovsrätt Detta dokument hålls tillgängligt på Internet - eller dess framtida ersättare - under 25 år från publicer- ingsdatum under förutsättning att inga extraordinära omständigheter uppstår. Tillgång till dokumentet innebär tillstånd för var och en att läsa, ladda ner, skriva ut enstaka ko- pior för enskilt bruk och att använda det oförändrat för ickekommersiell forskning och för undervis- ning. Överföring av upphovsrätten vid en senare tidpunkt kan inte upphäva detta tillstånd. All annan användning av dokumentet kräver upphovsmannens medgivande. För att garantera äktheten, säker- heten och tillgängligheten finns lösningar av teknisk och administrativ art. Upphovsmannens ideella rätt innefattar rätt att bli nämnd som upphovsman i den omfattning som god sed kräver vid användning av dokumentet på ovan beskrivna sätt samt skydd mot att dok- umentet ändras eller presenteras i sådan form eller i sådant sammanhang som är kränkande för up- phovsmannens litterära eller konstnärliga anseende eller egenart. För ytterligare information om Linköping University Electronic Press se förlagets hemsida http://www.ep.liu.se/. Copyright The publishers will keep this document online on the Internet - or its possible replacement - for a period of 25 years starting from the date of publication barring exceptional circumstances.
    [Show full text]
  • DNS: Domain Name System a Scalable Naming System for the Internet
    Introduction Queries and Caching Protocol History and Growth DNS: Domain Name System A Scalable Naming System for the Internet Daniel Zappala Brigham Young University Computer Science Department 1/26 Introduction Introduction Queries and Caching Protocol History and Growth Domain Name System • people like to use names for computers (www.byu.edu), but computers need to use numbers (128.187.22.132) • the Domain Name System (DNS) is a distributed database providing this service • a program send a query a local name server • the local name server contacts other servers as needed • many DNS services • host name to IP address translation • host aliasing (canonical name versus alias names) • lookup mail server for a host • load distribution - can provide a set of IP addresses for one canonical name Demonstration: dig 3/26 Introduction Queries and Caching Protocol History and Growth Names • domain name: top-level domain (TLD) + one or more subdomains • example: cs.byu.edu • host name: a domain name with one or more IP addresses associated with it • TLDs • ccTLD: country codes (.us, .uk, .tv) • gTLD: generic (.com, .edu, .org, .net, .gov, .mil) { see full list at Wikipedia • iTLD: infrastructure (.arpa) • may be 127 levels deep, 63 characters per label, 255 characters per name 4/26 Introduction Queries and Caching Protocol History and Growth DNS Hierarchy • root, top-level domain (TLD), and local name servers • each level represents a zone • what zone is BYU in charge of? 5/26 Introduction Queries and Caching Protocol History and Growth Root Name
    [Show full text]
  • Blockchain, Iot and DNS
    Domain Name Registrar Blockchain, IoT and DNS ICANN64 Tech Day Kobe, Japan Tom Barrett EnCirca President About EnCirca Domain Name Registrar • Formed in 2001 in Boston, USA • ICANN Accredited Registrar • Specialty: Partnering with TLD Registries • Restricted and regulated TLDs • White-labelled Storefronts for DotBrand and regulated registries • Validation Provider for .BANK and six other TLDs • Blockchain integration with .LUXE, XYZ Why Do We Care? Domain Name Registrar The blockchain and the Internet of Things (IoT) are two of the most transformative technologies in the world today. “Blockchain technology is probably the best invention since the internet itself” IoT Investments Domain Name Registrar Blockchain Investments Domain Name Registrar Blockchain and IoT Domain Name Registrar • Both need DNS to work. • Both need features not present in today’s DNS • Alternative frameworks and protocols are emerging to address the limitations of the DNS • Will DNS advance to meet this challenge? • What role will ICANN play in this space? A World Exploding with Devices Domain Name Registrar IoT Defined Domain Name Registrar Connect physical things to communication networks with a special focus on: • Existing infrastructure (buildings, roads, vehicles, factory equipment, etc.) and • Constrained devices with extremely limited computing resources (switches, valves, sensors, actuators, thermostats, etc.) Blockchain Defined Domain Name Registrar • An open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way • A growing list of records, called blocks, are linked using cryptography • Typically managed by a peer-to-peer network • Data in any block cannot be altered retroactively without alteration of all subsequent blocks Blockchain Benefits Domain Name Registrar • You have complete control of the value you own; there is no third party that holds your value or can limit your access to it.
    [Show full text]