03/06/2019
INTERNET DOMAIN NAME SYSTEM
CS2520/TELCOM2321 Wide Area Network Spring Term, 2019
Prof. Taieb Znati, Department of Computer Science, Telecommunication Program
IP Addresses
• IP addresses are numerical addresses understood by Internet routers
– Fixed length, binary number
– Hierarchical, related to host location
• A name could map to multiple IP addresses
– www.cnn.com maps to multiple replicas of the Web site
– Replicas enable load-balancing, reduce latency by selecting nearby servers, and allow tailoring content to the requester's location, identity, …
• Multiple names can map to the same address
– The names www.cnn.com and cnn.com are aliases and map to the same address
Name to IP Address Mapping
• Originally, name to IP address mapping was achieved using a per-host file – /etc/hosts
– Network administrators regularly downloaded a copy of the master file maintained by SRI
– Flat namespace
• Internet growth exposed the single server's lack of scalability
– Traffic implosion – lookups and updates
– Single point of failure
• Solution: distributed, hierarchical name servers
Internet Domains
Main types of domain names: Top-Level Domains, Second-Level Domains, Third-Level Domains, and Country Domains
Example: in cs.pitt.edu, edu is the top-level domain, pitt is the second-level domain, and cs is the third-level domain
Domain Name System (DNS)
• DNS is a hierarchical name space divided into zones
– Zones are distributed over a collection of DNS servers
• Hierarchy of DNS servers
– Root servers
– Top-level domain (TLD) servers
– Authoritative DNS servers
• Address resolution – name to address mapping
– Local DNS servers
– Resolver software
DNS Root Zone
• A DNS root zone is the top-level DNS zone in a Domain Name System (DNS) hierarchy
• The zone's content is managed and processed by the Internet Assigned Numbers Authority (IANA) Functions Operator; the zone file itself is physically maintained by a third party under contract – the Root Zone Maintainer
– The current IANA Functions Operator is the Internet Corporation for Assigned Names and Numbers (ICANN)
– The current Root Zone Maintainer is Verisign, Inc.
Distributed Hierarchical Database
[Figure: the name space drawn as a tree. An unnamed root at the top; below it the top-level domains (TLDs), split into generic domains (com, edu, org, arpa) and country domains (ac, us, zw); below those, lower-level labels such as univ under edu, eng and cs under univ, her and my under cs, it under us, co under it, std under co, and in-addr under arpa. Example full names: my.cs.univ.edu and std.co.it.us.]
DNS Root: located in Virginia, USA (Verisign, Dulles, VA). How do we make the root scale?
DNS Root Servers
• 13 root servers (http://www.root-servers.org/), labeled A through M
• Replication via anycast: localized routing delivers a query for a root server's address to a nearby instance
– A: Verisign, Dulles, VA
– B: USC-ISI, Marina del Rey, CA
– C: Cogent, Herndon, VA (also Los Angeles, New York, Chicago)
– D: University of Maryland, College Park, MD
– E: NASA, Mountain View, CA
– F: Internet Software Consortium, Palo Alto, CA (and 37 other locations)
– G: US DoD, Vienna, VA
– H: ARL, Aberdeen, MD
– I: Autonomica, Stockholm (plus 29 other locations)
– J: Verisign (21 locations)
– K: RIPE, London (plus 16 other locations)
– L: ICANN, Los Angeles, CA
– M: WIDE, Tokyo (plus Seoul, Paris, San Francisco)
Top-Level Domain Servers
• A Top-Level Domain (TLD) is at the highest level in the hierarchical Domain Name System of the Internet
• TLD servers
– Generic domains (e.g., com, org, edu)
– Country domains (e.g., uk, fr, cn, jp)
– Special domains (e.g., arpa)
• Typically managed professionally
– Network Solutions maintains servers for "com"
– Educause maintains servers for "edu"
• Root servers hold the lists of names and addresses of the authoritative servers for all of the top-level domains
Authoritative DNS Servers
An Authoritative Name Server (ANS) is a name server that gives answers in response to questions asked about names in one or more zones. An Authoritative Name Server only returns answers to queries about domain names that have been specifically configured by the administrator. Name servers can also be configured to give authoritative answers to queries in some zones, while acting as a caching name server for all other zones.
Domain Registry and ANS
• When a domain is registered with a domain name registrar, the zone administrator provides a list of authoritative name servers for the zone that contains the domain
– Typically at least two, for redundancy
• The registrar provides the names of these servers to the domain registry for the TLD containing the zone
• The domain registry in turn configures the authoritative name servers for that top-level domain with delegations for each server for the zone
DNS Initialization and Use
• Root servers hold the lists of names and addresses of the authoritative servers for all of the top-level domains
• Every name lookup must either start with a query to a root server or use information that was once obtained from a root server
• The root servers have the official names A.root-servers.net, B.root-servers.net, … to M.root-servers.net
• To look up the IP address of a root server from these names, a DNS resolver must first be able to look up a root server to find the address of an authoritative server for the .net DNS zone
– Clearly this creates a circular dependency, so the address of at least one root server must be known by a host in order to bootstrap access to the DNS
DNS Use – Breaking the Dependency
• Breaking the circular dependency is usually done by shipping the addresses of all known DNS root servers as a file with the computer operating system
– The IP addresses of some root servers will change over the years, but only one correct address is needed for the resolver to obtain the current list of name servers
– This file is called named.cache in BIND, and a current version is officially distributed by ICANN's InterNIC
• Once the address of a single functioning root server is known, all other DNS information can be discovered recursively, and the address of any domain name may be found
Name to Address Resolution
• Local DNS server ("default name server")
– Usually near the end hosts that use it
– Local hosts are configured with the local server (e.g., /etc/resolv.conf) or learn the server via DHCP
• Client application
– Extract the server name (e.g., from the URL)
– Call gethostbyname() to trigger the resolver code
• Server application
– Extract the client IP address from the socket
– Optional gethostbyaddr() to translate it into a name
DNS Name Resolution – Iterative Query
[Figure: a host u at cs.pitt.edu seeks the IP address of host.cs.univ.edu, with no caching. Steps 1–8: (1) the requesting host asks the local DNS server dns.cs.pitt.edu; (2)–(3) the local server queries a root DNS server and is referred to the TLD DNS server; (4)–(5) it queries the TLD server and is referred to the authoritative DNS server dns.cs.univ.edu; (6)–(7) it queries the authoritative server and receives the address; (8) the answer is returned to the requesting host.]
DNS Name Resolution – Recursive Query
[Figure: the same root DNS server, TLD DNS server, authoritative DNS server dns.cs.univ.edu and local DNS server dns.cs.pitt.edu, resolving host.cs.univ.edu for the requesting host. Steps 1–8 form one nested chain: each contacted server forwards the query onward and relays the final answer back.]
• The burden of name resolution is on the contacted name server
– Heavy load? Stateful servers?
DNS Caching and Updating Records
• Once (any) name server learns a mapping, it caches the mapping
– Cache entries are associated with timers
– Timers are reset when entries are refreshed
– Cache entries are expelled from the cache when their associated timers expire
• TLD servers are typically cached in local name servers
– Thus root name servers are not often visited
Reverse Mapping (Address to Host)
• How do we go the other direction, from an IP address to the corresponding hostname?
• Addresses already have a natural "quad" hierarchy: 12.34.56.78
• But: quad notation has the most-significant hierarchy element on the left, while www.cnn.com has it on the right
• Idea: reverse the quads = 78.56.34.12 … and look that up in the DNS
– Under what TLD? Convention: in-addr.arpa
– So the lookup is for 78.56.34.12.in-addr.arpa
Distributed Hierarchical Database (with reverse mapping)
[Figure: the same name-space tree (unnamed root; generic domains com, edu, org, arpa and country domains ac, us, zw as TLDs; my.cs.univ.edu and std.co.it.us as example names), now with the reverse-mapping branch filled in: under arpa, in-addr, then the labels 12, 34, 56, so the address block 12.34.56.0/24 is reached through 56.34.12.in-addr.arpa.]
DNS Caching
• Name to address resolution is time consuming
– Must be performed before actual communication takes place, e.g., 1-second latency before starting a Web download
• Caching can greatly reduce overhead
– The top-level servers very rarely change
– Popular sites (e.g., www.cnn.com) are visited often
– The local DNS server often has the information cached
• How DNS caching works
– DNS servers cache responses to queries
– Responses include a "time to live" (TTL) field
– The server deletes a cached entry after its TTL expires
Negative Caching
• Remember things that don't work
– Misspellings like www.cnn.comm and www.cnnn.com
– These can take a long time to fail the first time
– Good to remember that they don't work … so the failure takes less time the next time around
• But: negative caching is optional, and not widely implemented
DNS Resource Records
DNS: distributed DB storing resource records (RR)
RR format: (name, value, type, ttl)
• Type=A
– name is hostname
– value is IP address
• Type=NS
– name is domain (e.g., foo.com)
– value is hostname of authoritative name server for this domain
• Type=CNAME
– name is alias name for some "canonical" name, e.g., elements.cs.pitt.edu is really oxygen.cs.pitt.edu
– value is canonical name
• Type=PTR
– name is reversed IP quads, e.g., 78.56.34.12.in-addr.arpa
– value is corresponding hostname
• Type=MX
– value is name of mailserver associated with name
– Also includes a weight/preference
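As an added example (not part of the slides), a small in-memory store of the RR types listed above, showing how a resolver chases CNAME aliases, orders MX hosts by preference, and builds the in-addr.arpa name for the reverse mapping slide. Names are the slide's own; the addresses and the foo.com mail hosts are assumed sample values.

```python
import ipaddress

# Added example: RR store keyed (name, type) -> [(value, ttl)].
# MX values carry the preference as (preference, host). Addresses and the
# foo.com mail hosts below are assumed sample data, not from the slides.
RRS = {
    ("elements.cs.pitt.edu", "CNAME"): [("oxygen.cs.pitt.edu", 3600)],
    ("oxygen.cs.pitt.edu", "A"): [("12.34.56.78", 3600)],
    ("foo.com", "NS"): [("dns1.foo.com", 86400)],
    ("foo.com", "MX"): [((20, "mail2.foo.com"), 300), ((10, "mail1.foo.com"), 300)],
    ("78.56.34.12.in-addr.arpa", "PTR"): [("oxygen.cs.pitt.edu", 3600)],
}

def reverse_name(ip):
    """12.34.56.78 -> 78.56.34.12.in-addr.arpa (the slide's convention).
    Parsing through ipaddress rejects malformed input before it is used
    to build a query name."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"

def lookup(name, rtype, max_aliases=8):
    """Values for (name, rtype), following CNAME aliases like a resolver.
    The hop bound keeps a CNAME loop in the data from spinning forever."""
    name = name.lower().rstrip(".")
    for _ in range(max_aliases):
        if (name, rtype) in RRS:
            return [value for value, _ttl in RRS[(name, rtype)]]
        alias = RRS.get((name, "CNAME"))
        if not alias or rtype == "CNAME":
            return []                      # no data for this name/type
        name = alias[0][0]                 # chase the canonical name
    raise ValueError("CNAME chain too long")

def mail_servers(domain):
    """MX hosts in the order a sender tries them (lowest preference first)."""
    return [host for _pref, host in sorted(lookup(domain, "MX"))]

def address_to_name(ip):
    """Reverse mapping: IP address -> hostnames via the PTR record."""
    return lookup(reverse_name(ip), "PTR")
```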
DNS Protocol
DNS protocol: query and reply messages, both with the same message format
Message header:
  16 bits         | 16 bits
  Identification  | Flags
  # Questions     | # Answer RRs
  # Authority RRs | # Additional RRs
  Questions (variable # of resource records)
  Answers (variable # of resource records)
  Authority (variable # of resource records)
  Additional information (variable # of resource records)
• Identification: 16 bit # for query; reply to query uses the same #
• Flags:
– Query or reply
– Recursion desired
– Recursion available
– Reply is authoritative
• Plus fields indicating size (0 or more) of optional header elements
Reliability
• DNS servers are replicated
– Name service is available if at least one replica is up
– Queries can be load-balanced between replicas
• Usually, UDP is used for queries
– Need reliability: must implement this on top of UDP
– Spec supports TCP too, but not always implemented
• Try alternate servers on timeout
– Exponential backoff when retrying the same server
• Same identifier for all queries
– Don't care which server responds
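The header layout and the identifier-matching rule above, as an added example (not from the slides): the 12-byte header is packed and parsed with the standard field order, and a reply received over UDP is accepted only if its identifier matches the outstanding query. Bit positions follow RFC 1035; the sample values are constructed.

```python
import struct

# Added example: the 12-byte DNS header (ID, flags, four section counts)
# from the slide. Flag bits follow RFC 1035: QR = bit 15, AA = bit 10,
# TC = bit 9, RD = bit 8, RA = bit 7, RCODE = low 4 bits.
HEADER = struct.Struct("!HHHHHH")
QR, AA, TC, RD, RA = 1 << 15, 1 << 10, 1 << 9, 1 << 8, 1 << 7

def build_query_header(ident, qdcount=1, recursion_desired=True):
    flags = RD if recursion_desired else 0
    return HEADER.pack(ident, flags, qdcount, 0, 0, 0)

def parse_header(data):
    if len(data) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(data)
    return {
        "id": ident,
        "is_reply": bool(flags & QR),
        "authoritative": bool(flags & AA),
        "truncated": bool(flags & TC),
        "recursion_desired": bool(flags & RD),
        "recursion_available": bool(flags & RA),
        "rcode": flags & 0xF,
        "counts": (qd, an, ns, ar),
    }

def check_reply(query_id, reply):
    """Accept-or-retry decision for a datagram received in reply.

    'ignore'    : wrong ID or not a reply (unrelated or forged datagram;
                  note a forger who guesses the 16-bit ID passes this
                  check, which is why the slides point to DNSSEC)
    'retry_tcp' : TC set, answer did not fit in UDP (spec allows TCP)
    'accept'    : otherwise
    """
    h = parse_header(reply)
    if h["id"] != query_id or not h["is_reply"]:
        return "ignore"
    if h["truncated"]:
        return "retry_tcp"
    return "accept"
```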
Inserting Resource Records into DNS
• Example: just created startup "FooBar"
• Get a block of address space from the ISP; assume the allocated space is 212.44.9.128/25
• Register foobar.com at a registrar (e.g., NamesRUs.com)
– Provide the registrar with the names and IP addresses of your authoritative name servers (primary and secondary)
– The registrar inserts RR pairs into the com TLD server:
(foobar.com, dns1.foobar.com, NS)
(dns1.foobar.com, 212.44.9.129, A)
• Put in your (authoritative) server dns1.foobar.com:
– Type A record for www.foobar.com
– Type MX record for foobar.com
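An added example (not from the slides) that ties the iterative query figure, the caching slides and the FooBar delegation above together: a resolver that starts from a root hint, follows referrals root -> com TLD -> dns1.foobar.com, and caches answers until their TTL expires. The foobar.com NS record and the glue A record 212.44.9.129 are the slide's; the root hint, the 192.0.2.x server addresses, the TTLs and the www/MX values are assumed.

```python
import time

# Added example: iterative resolution with a TTL-bounded cache. SERVERS
# holds each simulated name server's data, keyed by the address a query
# is sent to. The com TLD entries are the RR pairs from the slide; the
# root hint, 192.0.2.x addresses, TTLs and www/MX values are assumed.
ROOT_HINTS = {"a.root-servers.net": "192.0.2.1"}   # assumed hint entry
SERVERS = {
    "192.0.2.1": {                                  # a root server
        ("com", "NS"): ("tld-server.example", 172800),
        ("tld-server.example", "A"): ("192.0.2.2", 172800)},
    "192.0.2.2": {                                  # a com TLD server
        ("foobar.com", "NS"): ("dns1.foobar.com", 172800),
        ("dns1.foobar.com", "A"): ("212.44.9.129", 172800)},
    "212.44.9.129": {                               # dns1.foobar.com
        ("www.foobar.com", "A"): ("212.44.9.130", 3600),
        ("foobar.com", "MX"): ((10, "mail.foobar.com"), 3600)},
}
CACHE = {}   # (name, type) -> (value, expiry time)

def ask(server_ip, name, rtype):
    """One query to one server: an answer, a referral, or nothing."""
    zone = SERVERS[server_ip]
    if (name, rtype) in zone:
        return "answer", zone[(name, rtype)]
    labels = name.split(".")
    for i in range(len(labels)):                    # closest enclosing NS
        parent = ".".join(labels[i:])
        if (parent, "NS") in zone:
            ns_name, _ttl = zone[(parent, "NS")]
            return "referral", zone[(ns_name, "A")][0]   # glue address
    return "nxdomain", None

def resolve(name, rtype, now=None):
    """Return (value, served_from_cache); value is None if the name is absent."""
    now = time.time() if now is None else now
    key = (name, rtype)
    if key in CACHE and CACHE[key][1] > now:
        return CACHE[key][0], True
    server = next(iter(ROOT_HINTS.values()))        # bootstrap from a root
    for _ in range(8):                              # bound the referral chain
        kind, data = ask(server, name, rtype)
        if kind == "answer":
            CACHE[key] = (data[0], now + data[1])   # remember until TTL ends
            return data[0], False
        if kind == "nxdomain":
            return None, False
        server = data                               # follow the referral
    raise RuntimeError("referral chain too long")
```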
DNS Summary (I)
The DNS is a distributed database containing information about names in the domain name space:
• Realized by name servers
• Maintaining a many-to-many mapping between the domain name space and the IP address space
• Allowing clients to query for information about a domain name
• (Partially) allowing reverse query (IP-to-name) too
• Providing mail server aliasing service
Summary (II)
• The original DNS implementation lacks authentication
– Can't tell if a reply comes from the correct source
– Can't tell if the correct source tells the truth
– A malicious source can insert extra (mis)information
– A malicious bystander can spoof (mis)information
– Playing with caching lifetimes adds extra power to attacks
• To protect DNS, the IETF has devised DNS Security (DNSSEC), which provides message origin authentication and message integrity using digital signatures
Conclusion
• Internet application design principles
– Client-server model
• Sockets: stream sockets and connectionless sockets
• Domain Name System
• Commonly used applications: HTTP, FTP, SMTP