DOCSLIB.ORG

Domain Name System-Based Electronic Mail Security

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

NIST SPECIAL PUBLICATION 1800-6C Domain Name System-Based Electronic Mail Security Volume C: How-To Guides Scott Rose Information Technology Laboratory National Institute of Standards and Technology William Barker Dakota Consulting Silver Spring, MD Santos Jha Chinedum Irrechukwu The MITRE Corporation McLean, VA Karen Waltermire National Cybersecurity Center of Excellence National Institute of Standards and Technology January 2018 This publication and its additional content is available free of charge from: https://doi.org/10.6028/NIST.SP.1800-6 DISCLAIMER Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. This publication is availabl National Institute of Standards and Technology Special Publication 1800-6C, Natl. Inst. Stand. Technol. Spec. Publ. 1800-6C, 166 pages, (January 2018), CODEN: NSPUE2 e free e of charge from: https:// All comments are subject to release under the Freedom of Information Act (FOIA). doi.org/10.6028/NIST.SP.1800 - 6 . National Cybersecurity Center of Excellence National Institute of Standards and Technology 100 Bureau Drive Mailstop 2002 Gaithersburg, MD 20899 Email: [email protected] NIST SP 1800-6C: Domain Name System-Based Electronic Mail Security i NATIONAL CYBERSECURITY CENTER OF EXCELLENCE The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific This publication is availabl industries, as well as for broad, cross-sector technology challenges. Through consortia under Cooperative Research and Development Agreements (CRADAs), including technology partners—from Fortune 50 market leaders to smaller companies specializing in IT security—the NCCoE applies standards and best practices to develop modular, easily adaptable example cybersecurity solutions using commercially available technology. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cyber Security Framework and details the steps needed for another entity to recreate the example solution. The NCCoE was established in 2012 by NIST in partnership with the State of Maryland and Montgomery County, Md. e free e of charge from: https:// To learn more about the NCCoE, visit https://nccoe.nist.gov. To learn more about NIST, visit https://www.nist.gov. NIST CYBERSECURITY PRACTICE GUIDES NIST Cybersecurity Practice Guides (Special Publication Series 1800) target specific cybersecurity challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They show members of the information security community how to implement example solutions that help them align more easily with relevant standards and best practices and provide users with the materials lists, configuration files, and other doi.org/10.6028/NIST.SP.1800 information they need to implement a similar approach. The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. These documents do not describe regulations or mandatory practices, nor do they carry statutory authority. ABSTRACT This document proposes a reference guide on how to architect, install, and configure a security platform for trustworthy email exchanges across organizational boundaries. The project includes reliable authentication of mail servers, digitally signing and encrypting email, and binding cryptographic key - 6 . certificates to sources and servers. The example solutions and architectures presented here are based upon standards-based and commercially available products. The example solutions presented here can be used by any organization implementing Domain Name System-based electronic mail security. KEYWORDS authentication; data integrity; digital signature; domain name system; electronic mail; encryption; internet addresses; internet protocols; named entities; privacy NIST SP 1800-6C: Domain Name System-Based Electronic Mail Security ii ACKNOWLEDGMENTS We are grateful to the following individuals for their generous contributions of expertise and time. Name Organization This publication is availabl Bud Bruegger Fraunhofer IAO Victoria Risk Internet Systems Consortium Eddy Winstead Internet Systems Consortium Paul Fox Microsoft Corporation e free e of charge from: https:// Janet Jones Microsoft Corporation Nate Lesser National Cybersecurity Center of Excellence Karen Waltermire National Cybersecurity Center of Excellence Doug Montgomery NIST ITL Advanced Networks Technologies Division Ralph Dolmans NLnet Labs doi.org/10.6028/NIST.SP.1800 Benno Overeinder NLnet Labs Joe Gersch Secure64 Saksham Manchanda Secure64 - 6 . NIST SP 1800-6C: Domain Name System-Based Electronic Mail Security iii The Technology Partners/Collaborators who participated in this build submitted their capabilities in response to a notice in the Federal Register. Respondents with relevant capabilities or product components were invited to sign a Cooperative Research and Development Agreement (CRADA) with NIST, allowing them to participate in a consortium to build this example solution. We worked with: Technology Partner/Collaborator Build Involvement This publication is available free of charge from: Fraunhofer IAO Configuration of DNS Services products and Mail Transfer Agent Internet Systems Consortium DNS Services software Microsoft Corporation Mail User Agent, Mail Transfer Agent, and DNS Services products NLNet Laboratories DNS Services products and configuration of Mail Transfer Agent Secure64 DNS Services and Mail User Agent products and configuration of Mail User Agent and Mail Transfer Agent https:// doi.org/10.6028/NIST.SP.1800 - 6 . NIST SP 1800-6C: Domain Name System-Based Electronic Mail Security v Contents 1 Introduction ................................................................................................ 1 1.1 Practice Guide Structure ................................................................................................ 1 1.2 Build Overview ............................................................................................................... 2 This publication is available free of charge from: 1.3 Typographical Conventions ............................................................................................ 6 2 How to Install and Configure DNS-Protected Email Security Components .... 7 2.1 Laboratory Set-up ........................................................................................................... 7 2.2 How to Install and Configure Microsoft Server-Based DNS-Protected Email Security Components .......................................................................................................................... 19 2.3 How to Install and Configure BIND............................................................................... 20 2.4 NSD4 Requirements, Installation, Setup, and Configuration Components ................. 26 2.5 How to Install and Configure OpenDNSSEC ................................................................. 31 2.6 Unbound ....................................................................................................................... 36 2.7 How to Install and Configure a DNS Signer Platform ................................................... 40 2.8 How to Install and Configure a DNS Authority Platform .............................................. 40 https:// 2.9 How to Install and Configure a DNS Cache .................................................................. 41 2.10 How to Install and Configure a Dovecot/Postfix Mail Transfer Agent ......................... 41 doi.org/10.6028/NIST.SP.1800 2.11 How to Install and Configure a Thunderbird Mail Client ............................................. 55 3 Device Configuration and Operating Recommendations ............................ 57 3.1 Using SSL for Cryptographic Certificate Generation .................................................... 58 3.2 Cryptographic Operations (User Actions) .................................................................... 64 3.3 Server-to-Server Encryption Activation and Use ......................................................... 73 3.4 Utilities and Useful Tools .............................................................................................. 73 - List of Acronyms ........................................................................ 76 6 . References ................................................................................ 78 Platform Operation and Observations ....................................... 82 Secure Domain Name System (DNS) Deployment Checklist ....... 99 Overview of Products Contributed by Collaborators ................105 NIST SP 1800-6C: Domain Name System-Based Electronic Mail Security vi Installation and Configuration Log for NSD4, Unbound, and OpenDNSSEC 119 Microsoft Installation for the NCCoE ........................................130
Recommended publications
  • Treasury X.509 Certificate Policy [TREASURYCP].” It Only Addresses Where an OLT PKI’S Requirements Differ from the Requirements for Basic Assurance in [TREASURYCP]

    Treasury X.509 Certificate Policy [TREASURYCP].” It Only Addresses Where an OLT PKI’S Requirements Differ from the Requirements for Basic Assurance in [TREASURYCP]

    UNCLASSIFIED UNITED STATES DEPARTMENT OF THE TREASURY DEPARTMENT OF THE TREASURY PUBLIC KEY INFRASTRUCTURE (PKI) X.509 CERTIFICATE POLICY VERSION 3.4 April 27, 2021 PKI Policy Management Authority (PMA) DATE DANIEL W. WOOD 1 UNCLASSIFIED DOCUMENT VERSION CONTROL Version Date Author(s) Description Reason For Change Bring the Treasury PKI Policy into Department of the compliance with FPKIPA change Treasury PKI Policy in 2.0 January 2008 James Schminky proposal requiring all cross certified RFC PKI Policies to be in RFC 3647 3647 format. format. As a result of mapping the Treasury Errata changes to sections PKI Policy to Federal Policy, a 2.2.1, 2.1 March 17, 2009 James Schminky number of minor changes and 4.8, 4.912, 5.5, and omissions where identified and 7.1.3. corrected. As a result of the PMA annual Errata changes to sections review a number of minor 5.6, and 6.3.2. Change corrections, Federal Bridge proposal changes to 2.4, 2.2 March 11, 2010 James Schminky Certification Authority (FBCA) 4.2.2, 5.1, 5.1.1 5.1.2.1, Policy Change Proposal Number: 5.4.4, 5.4.5, 6.1.6, 6.5.1, 2009-02 and 2010-01, and Treasury and 6.7. Change Proposal Change proposal changes As a result of FBCA Policy Change 2.3 April 15, 2010 James Schminky to 8.1 and 8.4. Proposal Number: 2010-02. Changes Proposal As a result of FBCA Policy Change Changes to 1.3.1.8, Proposal Numbers; 2010-3 thru 8 2.4 March 22, 2011 James Schminky 3.1.1&.2, 3.1.5, 3.2.3.1, and CPCA policy Change Proposal 4.7, 6.1.5, 8.1, and 9.4.3.
  • MASTERCLASS GNUPG MASTERCLASS You Wouldn’T Want Other People Opening Your Letters and BEN EVERARD Your Data Is No Different

    MASTERCLASS GNUPG MASTERCLASS You Wouldn’T Want Other People Opening Your Letters and BEN EVERARD Your Data Is No Different

    MASTERCLASS GNUPG MASTERCLASS You wouldn’t want other people opening your letters and BEN EVERARD your data is no different. Encrypt it today! SECURE EMAIL WITH GNUPG AND ENIGMAIL Send encrypted emails from your favourite email client. our typical email is about as secure as a The first thing that you need to do is create a key to JOHN LANE postcard, which is good news if you’re a represent your identity in the OpenPGP world. You’d Ygovernment agency. But you wouldn’t use a typically create one key per identity that you have. postcard for most things sent in the post; you’d use a Most people would have one identity, being sealed envelope. Email is no different; you just need themselves as a person. However, some may find an envelope – and it’s called “Encryption”. having separate personal and professional identities Since the early 1990s, the main way to encrypt useful. It’s a personal choice, but starting with a single email has been PGP, which stands for “Pretty Good key will help while you’re learning. Privacy”. It’s a protocol for the secure encryption of Launch Seahorse and click on the large plus-sign email that has since evolved into an open standard icon that’s just below the menu. Select ‘PGP Key’ and called OpenPGP. work your way through the screens that follow to supply your name and email address and then My lovely horse generate the key. The GNU Privacy Guard (GnuPG), is a free, GPL-licensed You can, optionally, use the Advanced Key Options implementation of the OpenPGP standard (there are to add a comment that can help others identify your other implementations, both free and commercial – key and to select the cipher, its strength and set when the PGP name now refers to a commercial product the key should expire.
  • Using Frankencerts for Automated Adversarial Testing of Certificate

    Using Frankencerts for Automated Adversarial Testing of Certificate

    Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations Chad Brubaker ∗ y Suman Janay Baishakhi Rayz Sarfraz Khurshidy Vitaly Shmatikovy ∗Google yThe University of Texas at Austin zUniversity of California, Davis Abstract—Modern network security rests on the Secure Sock- many open-source implementations of SSL/TLS are available ets Layer (SSL) and Transport Layer Security (TLS) protocols. for developers who need to incorporate SSL/TLS into their Distributed systems, mobile and desktop applications, embedded software: OpenSSL, NSS, GnuTLS, CyaSSL, PolarSSL, Ma- devices, and all of secure Web rely on SSL/TLS for protection trixSSL, cryptlib, and several others. Several Web browsers against network attacks. This protection critically depends on include their own, proprietary implementations. whether SSL/TLS clients correctly validate X.509 certificates presented by servers during the SSL/TLS handshake protocol. In this paper, we focus on server authentication, which We design, implement, and apply the first methodology for is the only protection against man-in-the-middle and other large-scale testing of certificate validation logic in SSL/TLS server impersonation attacks, and thus essential for HTTPS implementations. Our first ingredient is “frankencerts,” synthetic and virtually any other application of SSL/TLS. Server authen- certificates that are randomly mutated from parts of real cer- tication in SSL/TLS depends entirely on a single step in the tificates and thus include unusual combinations of extensions handshake protocol. As part of its “Server Hello” message, and constraints. Our second ingredient is differential testing: if the server presents an X.509 certificate with its public key.
  • Cyrus Mail Server 2 Table of Contents

    Cyrus Mail Server 2 Table of Contents

    Univention Corporate Server Cyrus mail server 2 Table of Contents 1. Introduction ........................................................................................................................ 4 2. Installation ......................................................................................................................... 5 3. Management of the mail server data ....................................................................................... 6 3.1. Management of mail domains ..................................................................................... 6 3.2. Assignment of e-mail addresses to users ........................................................................ 6 3.3. Management of mailing lists ....................................................................................... 7 3.4. Management of mail groups ........................................................................................ 7 3.5. Management of shared IMAP folders ........................................................................... 8 3.6. Mail quota ............................................................................................................... 9 4. Spam detection and filtering ................................................................................................ 10 5. Identification of viruses and malware .................................................................................... 11 6. Identification of Spam sources with DNS-based Blackhole Lists (DNSBL) ...................................
  • Securing Email Through Online Social Networks

    Securing Email Through Online Social Networks

    SECURING EMAIL THROUGH ONLINE SOCIAL NETWORKS Atieh Saberi Pirouz A thesis in The Department of Concordia Institute for Information Systems Engineering (CIISE) Presented in Partial Fulfillment of the Requirements For the Degree of Master of Applied Science (Information Systems Security) at Concordia University Montreal,´ Quebec,´ Canada August 2013 © Atieh Saberi Pirouz, 2013 Concordia University School of Graduate Studies This is to certify that the thesis prepared By: Atieh Saberi Pirouz Entitled: Securing Email Through Online Social Networks and submitted in partial fulfillment of the requirements for the degree of Master of Applied Science (Information Systems Security) complies with the regulations of this University and meets the accepted standards with respect to originality and quality. Signed by the final examining commitee: Dr. Benjamin C. M. Fung Chair Dr. Lingyu Wang Examiner Dr. Zhenhua Zhu Examiner Dr. Mohammad Mannan Supervisor Approved Chair of Department or Graduate Program Director 20 Dr. Christopher Trueman, Dean Faculty of Engineering and Computer Science Abstract Securing Email Through Online Social Networks Atieh Saberi Pirouz Despite being one of the most basic and popular Internet applications, email still largely lacks user-to-user cryptographic protections. From a research perspective, designing privacy preserving techniques for email services is complicated by the re- quirement of balancing security and ease-of-use needs of everyday users. For example, users cannot be expected to manage long-term keys (e.g., PGP key-pair), or under- stand crypto primitives. To enable intuitive email protections for a large number of users, we design Friend- lyMail by leveraging existing pre-authenticated relationships between a sender and receiver on an Online Social Networking (OSN) site, so that users can send secure emails without requiring direct key exchange with the receiver in advance.
  • Release Notes for Debian 7.0 (Wheezy), Kfreebsd 64-Bits PC

    Release Notes for Debian 7.0 (Wheezy), Kfreebsd 64-Bits PC

    Release Notes for Debian 7.0 (wheezy), kFreeBSD 64-bits PC The Debian Documentation Project (http://www.debian.org/doc/) November 20, 2018 Release Notes for Debian 7.0 (wheezy), kFreeBSD 64-bits PC This document is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License, version 2, as published by the Free Software Foundation. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. The license text can also be found at http://www.gnu.org/licenses/gpl-2.0.html and /usr/ share/common-licenses/GPL-2 on Debian. ii Contents 1 Introduction 1 1.1 Reporting bugs on this document . 1 1.2 Contributing upgrade reports . 1 1.3 Sources for this document . 2 2 What’s new in Debian 7.0 3 2.1 Supported architectures . 3 2.2 What’s new for kFreeBSD? . 4 2.3 What’s new in the distribution? . 4 2.3.1 CDs, DVDs and BDs . 5 2.3.2 Multiarch . 5 2.3.3 Dependency booting . 5 2.3.4 systemd . 5 2.3.5 Multimedia . 5 2.3.6 Hardened security . 6 2.3.7 AppArmor .
  • Implementing PKI Services on Z/OS

    Implementing PKI Services on Z/OS

    Front cover Implementing PKI Services on z/OS Installation of PKI and all of its prerequistes on z/OS An example of the PKI Exit PKI’s use of ICSF to store Master Key Chris Rayns Theo Antoff Jack Jones Patrick Kappeler Vicente Ranieri Roland Trauner ibm.com/redbooks International Technical Support Organization Implementing PKI Services on z/OS February 2004 SG24-6968-00 Note: Before using this information and the product it supports, read the information in “Notices” on page vii. First Edition (February 2004) This edition applies to z/OS Version 1, Release 3. © Copyright International Business Machines Corporation 2004. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . vii Trademarks . viii Preface . ix The team that wrote this redbook. ix Become a published author . x Comments welcome. xi Chapter 1. Security Server PKI Services. 1 1.1 Overview of digital certificate. 2 1.2 The PKIX standards . 4 1.2.1 CA hierarchy . 6 1.2.2 The X.509 certificate and Certificate Revocation List . 9 1.2.3 The x.509 v3 certificate extension fields . 14 1.2.4 Certificate and CRL appearance. 17 1.3 The z/OS PKI Services . 21 1.3.1 Security Server PKI Services in z/OS . 21 1.3.2 Prerequisite products . 22 1.3.3 Requests supported by z/OS PKI Services. 23 1.3.4 Browser and server certificates. 24 1.3.5 The z/OS PKI Services architecture . 26 1.4 Security Server PKI Services enhancement in z/OS V1R4.
  • Ispmail Tutorial for Debian Lenny

    Ispmail Tutorial for Debian Lenny

    6.10.2015 ISPmail tutorial for Debian Lenny ISPmail tutorial for Debian Lenny Add new comment 223533 reads This tutorial is for the former stable version "Debian Lenny". If you are using "Debian Squeeze" then please follow the new tutorial. A spanish translation of this tutorial is also available ­ courtesy of José Ramón Magán Iglesias. What this tutorial is about You surely know the internet service providers that allow you to rent a domain and use it to receive emails. If you have a computer running Debian which is connected to the internet permanently you can do that yourself. You do not even need to have a fixed IP address thanks to dynamic DNS services like dyndns.org. All you need is this document, a cup of tea and a little time. When you are done your server will be able to... receive and store emails for your users from other mail servers let your users retrieve the email through IMAP and POP3 ­ even with SSL to encrypt to connection receive and forward ("relay") email for your users if they are authenticated offer a webmail interface to read emails in a web browser detect most spam emails and filter them out or tag them License/Copyright This tutorial book is copyrighted 2009 Christoph Haas (email@christoph­haas.de). It can be used freely under the terms of the GNU General Public License. Don't forget to refer to this URL when using it. Thank you. Changelog 17.6.09: Lenny tutorial gets published. 19.6.09: The page on SPF checks is temporarily offline.
  • Comodo Antispam Gateway Software Version 1.5

    Comodo Antispam Gateway Software Version 1.5

    Comodo Antispam Gateway Software Version 1.5 Administrator Guide Guide Version 1.5.082412 Comodo Security Solutions 525 Washington Blvd. Jersey City, NJ 07310 Comodo Antispam Gateway - Administrator Guide Table of Contents 1 Introduction to Comodo Antispam Gateway........................................................................................................................... 4 1.1 Release Notes............................................................................................................................................................. 5 1.2 Purchasing License .................................................................................................................................................... 6 1.3 Adding more Users, Domains or Time to your Account .................................................................................................6 1.4 License Information................................................................................................................................................... 10 2 Getting Started................................................................................................................................................................... 13 2.1 Incoming Filtering Configuration ................................................................................................................................ 13 2.1.1 Configuring Your Mail Server..................................................................................................................................
  • Digital Security for Activists

    Digital Security for Activists

    Training the Motivated: Digital Security for Activists Glencora Borradaile Kelsy Kretschmer Abstract School of Electrical Engineering School of Public Policy The state of global surveillance and the political and Computer Science Sociology Program environment has many activists caring more about their Oregon State University Oregon State University online security culture. We report on the initiation of a Corvallis, OR 97331, USA Corvallis, OR 97331, USA Digital Security for Activists program and a pilot study of an [email protected] [email protected] introductory seminar. Pre- and post-surveys of the seminar will form an initial assessment of what kind of intervention might increase the security practices of activists and to inform the design of program offerings. We report on the pre-surveys from three offerings of the seminar. Introduction In collaboration with the Civil Liberties Defense Center (CLDC), the first author had been offering informal digital security trainings for activists and their lawyers. After the fall elections in the U.S., requests for these trainings increased dramatically and shortly thereafter we launched a Digital Security for Activists (DSA) program. The DSA program’s intent is to align with the CLDC mission (“to defend and uphold civil liberties through education, outreach, litigation, legal support, and assistance”) and enable citizen activists to assert their constitutional rights while organizing online. Copyright is held by the author/owner. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee. Poster In order to provide trainings that are useful and effective, we presented at the 13th Symposium on Usable Privacy and Security (SOUPS 2017).
  • DNS Manager User Guide VF

    DNS Manager User Guide VF

    Vodafone Hosted Services: DNS Manager User Guide DNS Manager User Guide 1 Vodafone Hosted Services: DNS Manager User Guide DNS Manager What is DNS Manager ? DNS Manager allows the end-user to edit their domain’s zone file, including A (address) records, CNAME (canonical name) records and MX (mail exchange) records. What is the Default Zone File ? If the end-user selects “Edit Zone File” and clicks “Next”, their current zone file will be displayed at the top of the screen. By default, their zone file will contain several important records. Any changes to these records may cause serious problems with their website and email performance. What is DNS ? DNS (Domain Name System or Domain Name Service) catalogs and updates information in regards to domain names. DNS converts domain names into IP addresses. DNS usually contains a set of zone files that lists the types of redirection that will be done. 2 Vodafone Hosted Services: DNS Manager User Guide What are Zone Files ? Four types of records are important in a zone file: • A records • CNAME records • MX records • Start of Authority (SOA) domain.com points to 216.251.43.17 mail.domain.com points to 69.49.123.241 mail will be delivered to 10 mx1c1.megamailservers.com first mail will be delivered to 100 mx2c1.megamailservers.com second mail will be delivered to 110 Resource Record Abbreviations The end-users domain name is called their “origin”. The origin is appended to all names in the zone file that do not end in a dot. For example, if their domain is yourname.com, the entry “www” in the zone file is equal to www.yourname.com.
  • DNS / DNSSEC Workshop

    DNS / DNSSEC Workshop

    1/22/18 DNS / DNSSEC Workshop Hong Kong 22-24 January 2018 Issue Date: Revision: Overview • DNS Overview • BIND DNS Configuration • Recursive and Forward DNS • Reverse DNS • Troubleshooting • DNS Security Overview • DNS Transactions • DNS Security Extensions (DNSSec) • DNSSec Key Management and Automation 2 1 1/22/18 Overview • DNS Overview • BIND DNS Configuration • Recursive and Forward DNS • Reverse DNS • Troubleshooting • DNS Security Overview • DNS Transactions • DNS Security Extensions (DNSSec) • DNSSec Key Management and Automation 3 Domain Name System • A lookup mechanism for translating objects into otHer objects – Mapping names to numbers and vice versa • A globally distributed, loosely coHerent, scalable, reliable, dynamic database • Comprised of tHree components – A “name space” – Servers making tHat name space available – Resolvers (clients) query tHe servers about tHe name space • A critical piece of tHe Internet infrastructure 4 2 1/22/18 IP Addresses vs Domain Names The Internet DNS www.apnic.net202.112.0.46 2001:0400:: 2001:0C00:8888::My Computer www.apnic.net2001:0400:: 5 Old Solution: hosts.txt • A centrally-maintained file, distributed to all Hosts on tHe Internet • Issues witH Having just one file – Becomes Huge after some time – Needs frequent copying to ALL Hosts – Consistency // hosts.txt – Always out-of-date SERVER1 128.4.13.9 WEBMAIL 4.98.133.7 – Name uniqueness FTPHOST 200.10.194.33 – Single point of administration THis feature still exists: [Unix] /etc/Hosts [Windows] c:\windows\Hosts 6 3 1/22/18 DNS Features • Global distribution – SHares tHe load and administration • Loose CoHerency – GeograpHically distributed, but still coHerent • Scalability – can add DNS servers witHout affecting tHe entire DNS • Reliability • Dynamicity – Modify and update data dynamically 7 DNS Features • DNS is a client-server application • Requests and responses are normally sent in UDP packets, port 53 • Occasionally uses TCP, port 53 – for very large requests, e.g.