Outline

15-441 Computer Networking • DNS Design

Lecture 13 – DNS Peter Steenkiste • DNS Today

Fall 2010 www.cs.cmu.edu/~prs/15-441-F10

2

Naming Obvious Solutions (1)

• How do we efficiently locate resources? Why not centralize DNS? • DNS: name  IP address • Single point of failure • Challenge • Traffic volume • How do we scale this to the wide area? • Distant centralized database • Single point of update

• Doesn’t scale!

3 4

1 Obvious Solutions (2) Goals

Why not use /etc/hosts? • Basically a wide-area distributed database • Original Name to Address Mapping • Scalability • Flat namespace • Decentralized maintenance • /etc/hosts • SRI kept main copy • Robustness • Downloaded regularly • Global scope • Count of hosts was increasing: machine per • Names mean the same thing everywhere didomain  machine per user • Don’t need • Many more downloads • Atomicity • Many more updates • Strong consistency

5 6

Programmer’s View of DNS DNS Message Format

• Conceptually, programmers can view the DNS Identification Flags database as a collection of millions of host entry structures: 12 bytes No. of Questions No. of Answer RRs

/* DNS host entry structure */ No. of Authority RRs No. of Additional RRs struct addrinfo { Name, type fields int ai_family; /* host address type (AF_INET) */ for a query Questions (variable number of answers) size_t ai_addrlen; /* length of an address, in bytes */ struct sockaddr *ai_addr; /* address! */ RRs in response char *ai_canonname; /* official domain name of host */ Answers (variable number of resource records) struct addrinfo *ai_next ; /* other entries for host */ to query }; Records for authoritative Authority (variable number of resource records) • Functions for retrieving host entries from DNS: servers query key is a DNS host name. Additional Additional Info (variable number of resource records) •getaddrinfo: “helpful info that •getnameinfo: query key is an IP address. may be used 7 8

2 DNS Message Format DNS Header Fields

Identification Flags • Identification

12 bytes No. of Questions No. of Answer RRs • Used to match up request/response • Flags No. of Authority RRs No. of Additional RRs Name, type fields • 1-bit to mark query or response for a query Questions (variable number of answers) • 1-bit to mark authoritative or not

RRs in response • 1-bit to request recursive resolution Answers (variable number of resource records) to query • 1-bit to indicate support for recursive resolution Records for authoritative Authority (variable number of resource records) servers

Additional Additional Info (variable number of resource records) “helpful info that may be used 9 10

DNS Records Properties of DNS Host Entries

RR format: (class, name, value, type, ttl) • Different kinds of mappings are possible:

• DB contains tuples called resource records (RRs) • Simple case: 1 -1 mapping between domain name and • Classes = (IN), Chaosnet (CH), etc. IP addr: • Each class defines value associated with type • kittyhawk.cmcl.cs.cmu.edu maps to 128.2.194.242 • Multiple domain names maps to the same IP address: FOR IN class: • eecs.mit.edu and cs.mit.edu both map to 18.62.1.6 • Type=A • Type=CNAME • Single domain name maps to multiple IP addresses: • name is hostname • name is an alias name for some • value iIPddis IP address “canonical” (the real) name • aol. com and www. aol. com map to multiple IP addrs. • Type=NS • value is canonical name • Some valid domain names don’t map to any IP • name is domain (e.g. foo.com) • Type=MX address: • value is name of authoritative name • value is hostname of mailserver server for this domain associated with name • for example: cmcl.cs.cmu.edu

11 12

3 DNS Design: Hierarchy Definitions DNS Design: Zone Definitions

• Each node in hierarchy • Zone = contiguous section stores a list of names that of name space end with same suffix • E.g., Complete tree, single root root node or subtree org • Suffix = path up tree org ca net edu com uk • E.g., given this tree, where net edu com uk • A zone has an associated would following be stored: set of name servers • Must store list of names and gwu ucb cmu bu mit • Fred.com gwu ucb cmu bu mit tree links • Fred.edu cs cs ece • FdFred.cmu.ed u ece SbtSubtree cmcl • Fred.cmcl.cs.cmu.edu cmcl Single node • Fred.cs.mit.edu Complete Tree

13 14

DNS Design: Cont. DNS: Root Name Servers

• Zones are created by convincing owner node to • Responsible for “root” create/delegate a subzone zone • Approx. 13 root name • Records within zone stored multiple redundant name servers worldwide servers • Currently {a-m}.root- • Primary/master updated manually servers.net • Secondary/redundant servers updated by zone transfer • Local name servers of name space contact root servers • Zone transfer is a bulk transfer of the “configuration” of a DNS when they cannot server – uses TCP to ensure re lia bility resolve a name • Configured with well- • Example: known root servers • CS.CMU.EDU created by CMU.EDU administrators • Newer picture  • Who creates CMU.EDU or .EDU? www.root-servers.org

15 16

4 Servers/Resolvers Typical Resolution

• Each host has a resolver • Typically a library that applications can link to • Local name servers hand-configured (e.g. root & edu DNS server /etc/resolv.conf) www.cs.cmu.edu • Name servers • Either responsible for some zone or… ns1.cmu.edu Local DNS server Client • Local servers DNS server • Do lookup of distant host names for local hosts ns1.cs.cmu.edu • Typically answer queries about local zone DNS server

17 18

Typical Resolution DNS Hack #1

• Steps for resolving www.cmu.edu • Can return multiple A records  what does this • Application calls ggyethostbyname() ( RESOLVER) mean? • Resolver contacts local name server (S1)

• S1 queries root server (S2) for (www.cmu.edu)

• S2 returns NS record for cmu.edu (S3) • What about A record for S3? • Load Balance • This is what the additional information section is for (PREFETCHING) • Server sends out multiple A records • S1 queries S3 for www.cmu.edu

• S3 returns A record for www.cmu.edu • OdOrder o fthf these record s c hanges per-clien t

19 20

5 Lookup Methods Workload and Caching

Recursive query: root name server • Server goes out and • Are all servers/names likely to be equally popular? searches for more info 2 • Whyyg might this be a problem? How can we solve this problem? (recursive) iterated query • Only returns final answer • DNS responses are cached or “not found” 3 • Quick response for repeated translations Iterative query: 4 • Other queries may reuse some parts of lookup • Server responds with as much as it knows 7 • NS records for domains (iterative) local name server intermediate name server • “I don’t know this name, • DNS negative queries are cached dns.eurecom.fr dns.umass.edu but ask this server” • Don’t have to repppeat past mistakes 5 6 1 8 authoritative name Workload impact on choice? server • E.g. misspellings, search strings in resolv.conf • Local server typically does dns.cs.umass.edu • Cached data periodically times out recursive • Root/distant server does • Lifetime (TTL) of data controlled by owner of data iterative requesting host gaia.cs.umass.edu • TTL passed with every record surf.eurecom.fr

21 22

Typical Resolution Subsequent Lookup Example

root & edu root & edu DNS server DNS server www.cs.cmu.edu ftp.cs.cmu.edu

ns1.cmu.edu cmu.edu Local DNS server Local DNS server Client Client DNS server DNS server ns1.cs.cmu.edu cs.cmu.edu DNS DNS server server

23 24

6 Reliability Reverse DNS

• DNS servers are replicated unnamed root • Task • Name service available if ≥ one reppplica is up • Given IP address, find its name • Queries can be load balanced between replicas arpa edu • Method • UDP used for queries • Maintain separate hierarchy based • Need reliability  must implement this on top of UDP! on IP names in-addr cmu • Why not just use TCP? • Write 128.2.194.242 as 242.194.128.2.in-addr.arpa • Try alternate servers on timeout • Why is the address reversed? 128 cs • Exponential backoff when retrying same server • Managing • Same identifier for all queries • Authority manages IP addresses 2 • Don’t care which server responds cmcl assigned to it • E.g., CMU manages name space 194 128.2.in-addr.arpa kittyhawk 242 128.2.194.242 25 26

.arpa Name Server Hierarchy Prefetching

in-addr.arpa a.root-servers.net • • • m.root-servers.net • Name servers can add additional data to response chia.arin.net • Typically used for prefetching 128 (dill, henna, indigo, epazote, figwort, ginseng) • CNAME/MX/NS typically point to another host name cucumber.srv.cs.cmu.edu, 2 t-ns1.net.cmu.edu • Responses include address of host referred to in t-ns2.net.cmu.edu “additional section”

mango. srv. cs. cmu. edu 194 (peach, banana, blueberry)

• At each level of hierarchy, have group kittyhawk 128.2.194.242 of servers that are authorized to handle that region of hierarchy

27 28

7 Mail Addresses Outline

• MX records point to mail exchanger for a name • E. g. mail. acm. org is MX for acm. org • Addition of MX record type proved to be a • DNS Design challenge • How to get mail programs to lookup MX record for mail delivery? • Needed critical mass of such mailers • DNS Today

29 30

Root Zone gTLDs

• Unsponsored • Generic Top Level Domains (gTLD) = .com, .net, • .com, .edu, .gov, .mil, .net, .org .org, etc… • .biz  businesses • .info  general info • Country Code Top Level Domain (ccTLD) = .us, • .name  individuals • Sponsored (controlled by a particular association) .ca, .fi, .uk, etc… • .aero  air-transport industry • Root server ({a-m}.root-servers.net) also used to • .cat  catalan related • .coop  business cooperatives cover gTLD domains • .jobs  job announcements • .museum  museums • Load on root servers was growing quickly! • .pro  accountants, lawyers, and physicians • MiMoving .com, .ne t, .org o fftff root servers was cl earl y • .tltravel  tlidttravel industry • Starting up necessary to reduce load  done Aug 2000 • .mobi  mobile phone targeted domains • .post  postal • .tel  telephone related • Proposed • .asia, .cym, .geo, .kid, .mail, .sco, .web, .xxx

31 32

8 New Registrars Tracing Hierarchy (1)

• Network Solutions (NSI) used to handle all • Program • Allows querying of DNS system registrations, root servers , etc … • Use flags to find name server (NS) • Clearly not the democratic (Internet) way • Disable recursion so that operates one step at a time • Large number of registrars that can create new unix> dig +norecurse @a.root-servers.net NS kittyhawk.cmcl.cs.cmu.edu domains  However NSI still handles A root server ;; AUTHORITY SECTION: edu. 172800 IN NS L3.NSTLD.COM. edu. 172800 IN NS D3.NSTLD.COM. edu. 172800 IN NS A3.NSTLD.COM. edu. 172800 IN NS E3.NSTLD.COM. edu. 172800 IN NS C3.NSTLD.COM. edu. 172800 IN NS F3.NSTLD.COM. edu. 172800 IN NS G3.NSTLD.COM. edu. 172800 IN NS B3.NSTLD.COM. edu. 172800 IN NS M3.NSTLD.COM. • All .edu names handled by set of servers 33 34

Tracing Hierarchy (2) Tracing Hierarchy (3 & 4)

• 3 servers handle CMU names • 4 servers handle CMU CS names

unix> dig +norecurse @e3.nstld.com NS kittyhawk.cmcl.cs.cmu.edu unix> dig +norecurse @t-ns1.net.cmu.edu NS kittyhawk.cmcl.cs.cmu.edu

;; AUTHORITY SECTION: ;; AUTHORITY SECTION: cmu.edu. 172800 IN NS CUCUMBER.SRV.cs.cmu.edu. cs.cmu.edu. 86400 IN NS MANGO.SRV.cs.cmu.edu. cs.cmu.edu. 86400 IN NS PEACH.SRV.cs.cmu.edu. cmu.edu. 172800 IN NS T-NS1.NET.cmu.edu. cs.cmu.edu. 86400 IN NS BANANA.SRV.cs.cmu.edu. cmu.edu. 172800 IN NS T-NS2.NET.cmu.edu. cs.cmu.edu. 86400 IN NS BLUEBERRY.SRV.cs.cmu.edu.

• Quasar is master NS for this zone unix>dig +norecurse @blueberry.srv.cs.cmu.edu NS kittyhawk.cmcl.cs.cmu.edu

;; AUTHORITY SECTION: cs.cmu.edu. 300 IN SOA QUASAR.FAC.cs.cmu.edu.

35 36

9 Protecting the Root Nameservers Defense: Replication and Caching

Defense Mechanisms

• Redundancy: 13 root nameservers • IP for root DNS servers {c,f,i,j,k}.root-servers.net • RFC 3258 source: wikipedia • Most physical nameservers lie outside of the US 37 38

DNS Hack #2: Blackhole Lists DNS (Summary)

• First: Mail Abuse Prevention System (MAPS) • Motivations  large distributed database • , 1997 • Scal abili ty • Today: Spamhaus, spamcop, dnsrbl.org, etc. • Independent update • Robustness Different addresses refer to • Hierarchical database structure different reasons for blocking • Zones % dig 91.53.195.211.bl.spamcop.net • How is a lookup done ;; ANSWER SECTION: • Chi/Caching/prefthifetching andTTLd TTLs 91.53.195.211.bl.spamcop.net. 2100 IN A 127.0.0.2 • Reverse name lookup

;; ANSWER SECTION: • What are the steps to creating your own domain? 91.53.195.211.bl.spamcop.net. 1799 IN TXT "Blocked - see http://www.spamcop.net/bl.shtml?211.195.53.91" 39 40

10