Presentation on Domain Name System
This is presentation on Domain Name System. This was originally created as seminar presentation.

© All Rights Reserved

Presentation Transcript

DOMAIN NAME SYSTEM
Prepared by: Chinmay Joshi, ID: 12IT112
DOMAIN NAME SYSTEM

• What is DNS?
  • The Internet's directory service
  • A client-server application that maps host names to their corresponding IP addresses
  • Mapping host names to their IP addresses is called name resolution (also name translation or name mapping; not to be confused with address resolution, which is what ARP does for MAC addresses)
• Why use names instead of IP numbers?
  • IP addresses are difficult to remember
  • IP addresses can change
• Problem: the network only understands numeric addresses
• Solution:
  • Use alphanumeric names to refer to hosts
  • Add a distributed, hierarchical protocol (DNS) to map between alphanumeric host names and IP addresses
HISTORY

• Using a name as a more human-legible abstraction of a machine's numerical address on the network predates even TCP/IP, all the way back to the ARPAnet era
• Back then a different system was used, as DNS was only invented in 1983, shortly after TCP/IP was deployed
• With the older system, each computer on the network retrieved a file called HOSTS.TXT from a computer at SRI (now SRI International)
• The HOSTS.TXT file mapped numerical addresses to names
• A hosts file still exists on most modern operating systems, either by default or through configuration
  • It allows users to specify an IP address (e.g. 192.0.34.166) to use for a hostname (e.g. www.example.net) without consulting DNS
  • Nowadays the hosts file serves primarily for troubleshooting DNS errors or for mapping local addresses to more readable names
  • On Windows: C:\WINDOWS\system32\drivers\etc\hosts (on Unix-like systems: /etc/hosts)
  • Because the hosts file is consulted before DNS, its entries silently override DNS answers; it should be writable only by administrators, and unexpected entries in it are a classic sign of malware redirecting traffic
• Systems based on a hosts file have inherent limitations
  • Every time a given computer's address changed, every computer that wanted to communicate with it needed an update to its hosts file
NAME SPACE

• IP addresses are unique, so host names must be unique too
• How to manage this large number of names? Where?
• Centralized? Inefficient and unreliable. Why?
  • Heavy traffic because of requests from all over the world
  • A failure makes the data unavailable
  • Hard to maintain
• Thus the DNS record database is distributed
NAME SPACE

• Solution:
  • Each name is made of several parts (hierarchical); each part is called a label
  • Names are defined on a tree structure with the root at the top; this is called a hierarchical name space
  • Each node has a label
  • DNS requires that the children of a node (nodes that branch from the same parent) have different labels, which guarantees uniqueness; labels are compared case-insensitively, so "Example" and "example" are the same label
  • This allows control of name assignment to be decentralized
  • A central authority (IANA) manages the top-level labels that describe the nature or location of an organization (com, net, org, in, ...); the registry for each top-level domain then assigns the names beneath it (ieee, intel, microsoft, google, ...)
THE DNS NAME SPACE

• The Internet is divided into more than 200 top-level domains
• Domain: a subtree of the domain name space, consisting of the group of hosts that are under the administrative control of a single entity such as a company or a government agency
• Each domain may be subdivided into subdomains
• The leaves represent domains that have no subdomains
• A leaf domain may contain a single host, or represent a company with thousands of hosts
[Figure: a portion of the Internet domain name space, showing the root and the top-level domains]
DOMAIN

• A domain is a subtree of the domain name space
• The root node has an empty label
• A domain is divided into subdomains
• A domain's name is the domain name of the node at the top of the subtree
[Figure: a domain with its nested subdomains]
HIERARCHY OF NAME SERVERS

• Where is the information contained in the domain name space stored?
• DNS is a distributed database system
  • It uses a large number of computers called name servers
  • They are organized hierarchically and distributed all over the world
  • No single host has the exact mappings for all the hosts in the Internet
  • Each name server holds the names in its own zone(s) and the delegations (referrals) for the zones below it
[Figure: hierarchy of name servers, each knowing about the names below it]
DNS QUERY

• DNS serves requests on well-known port 53, over UDP or TCP
  • UDP is the normal transport; TCP is used for zone transfers and whenever a response is too large for UDP (the server sets the TC bit and the client retries over TCP)
• DNS message
  • Each message has the same generic format with 5 sections:

    Section         Meaning/use
    1  Header       Message header: transaction ID, flags (QR, opcode, RD, RA, RCODE, ...) and the counts of the other four sections
    2  Question     The DNS question being asked (QNAME, QTYPE, QCLASS)
    3  Answer       The resource record(s) which answer the question
    4  Authority    The resource record(s) which point to the domain authority (NS records)
    5  Additional   The resource record(s) which may hold additional information (e.g. glue addresses for the NS names)
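The five-section layout above, as an added example (not code from the presentation): it builds a query from a header plus one question, and parses a constructed response whose answer, authority and additional sections are all populated, including the label compression pointers that real responses use. The response bytes, the transaction ID 0x1234 and the RFC 5737 documentation addresses are all assumptions made for the example; the wire format itself follows RFC 1035.

```python
import struct

# Type and class codes from RFC 1035 used in this example.
TYPE_A, TYPE_NS = 1, 2
CLASS_IN = 1

def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(txid, qname, qtype=TYPE_A, recursion_desired=True):
    """Section 1 (12-byte header) plus section 2 (one question); sections 3-5 are empty."""
    flags = 0x0100 if recursion_desired else 0x0000   # QR=0, opcode=0, RD bit set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)

def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if pointer >= off:
                raise ValueError("compression pointer must point backwards")
            if end is None:
                end = off + 2                         # caller resumes after the pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_message(msg):
    """Split a DNS message into the five sections named in the slide."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    result = {"id": txid, "is_response": bool(flags & 0x8000),
              "rcode": flags & 0xF, "question": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype == TYPE_A and rdlen == 4:
                rdata = ".".join(str(b) for b in rdata)
            elif rtype == TYPE_NS:
                rdata, _ = decode_name(msg, off)     # NS RDATA is itself a (compressible) name
            off += rdlen
            rrs.append((name, rtype, ttl, rdata))
        result[section] = rrs
    return result

def build_sample_response():
    """Constructed response to build_query(0x1234, "www.example.com") with every
    section populated; addresses are from the documentation ranges (RFC 5737)."""
    query = build_query(0x1234, "www.example.com")
    # QR=1, RD=1, RA=1, RCODE=0; counts: 1 question, 1 answer, 1 authority, 1 additional
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 1, 1) + query[12:]
    qname_off = 12                                    # "www.example.com" in the question
    example_off = qname_off + 4                       # "example.com" starts after "\x03www"
    ptr = lambda o: struct.pack("!H", 0xC000 | o)     # compression pointer to offset o
    # answer: www.example.com. 300 IN A 192.0.2.10
    msg += ptr(qname_off) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 10])
    # authority: example.com. 3600 IN NS ns1.example.com. (RDATA = "\x03ns1" + pointer)
    msg += ptr(example_off) + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 3600, 6)
    ns1_off = len(msg)
    msg += b"\x03ns1" + ptr(example_off)
    # additional (glue): ns1.example.com. 3600 IN A 192.0.2.53
    msg += ptr(ns1_off) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, 4) + bytes([192, 0, 2, 53])
    return msg
```

The backwards-only rule and the hop limit in decode_name matter in practice: a crafted response with a pointer to itself or a pointer cycle would otherwise spin a naive parser forever, which is a common denial-of-service bug in hand-written DNS code.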
DNS RECORD TYPES

• DNS internal types
  • Authority: NS, SOA (list the names of name servers and the Start Of Authority of a zone)
  • DNSSEC: DS, DNSKEY, RRSIG, NSEC (used for DNSSEC)
  • Meta types: OPT, TSIG, TKEY, SIG(0) (not stored in DNS zones; they transfer information between DNS nodes)
  • Indirect: CNAME, DNAME (cause the resolver to change the direction of its search; the server must have special processing code for them)
• Terminal RRs
  • Address records: A, AAAA
  • Informational: TXT, HINFO, KEY, SSHFP, ... (carry information to applications)
• Non-terminal RRs: MX, SRV, PTR, KX, A6, NAPTR, AFSDB
  • Contain domain names that may lead to further queries
DNS RECORD TYPES: THE "A" RECORD

• The "Address" record
• One or more A records normally define a host
• Contains an IPv4 address (the address computers use to uniquely identify each other on the Internet)
• Example: in the example.com zone, the record

    www  IN  A  127.0.0.1

  defines the host uniquely identifiable as "www.example.com" to be reachable at the IPv4 address 127.0.0.1 (the loopback address, used here only as an illustration; a public host would carry a routable address)

THE "CNAME" RECORD

• A CNAME defines an alias
• The alias is then resolved; if another CNAME is encountered the process continues until an A record is found
• Example: in the charusat.ac.in zone, the record

    mail  CNAME  ghs.google.com.

  defines the name uniquely identifiable as "mail.charusat.ac.in" to be an alias for "ghs.google.com"
• Caveats: a CNAME must be the only record at its owner name (apart from DNSSEC records), so it cannot sit at a zone apex that also needs SOA and NS records; resolvers cap the length of a CNAME chain and must reject loops
DNS RECORD TYPES: THE "MX" RECORD

• An MX record defines the mail servers for a particular domain
• Mail exchange records hold the names of hosts able to deliver mail for the domain, and their priorities (a lower preference value is tried first)
• Example: in the example.com zone, the record

    example.com.  MX  10  mail

  defines the host mail (i.e. mail.example.com) to be the priority 10 mail server for the "example.com" domain
• The MX target must be a host name with A/AAAA records, not an alias (CNAME)

THE "NS" RECORD

• An NS record defines the authoritative name servers for the domain
• "Name Server" records also define the name servers of child domains (delegation)
• Example: in the example.com zone, the record

    internal  NS  ns1.example.com.

  defines the host "ns1.example.com" to be a name server for the "internal.example.com" subdomain
• Zone-file pitfall: a name without a trailing dot is relative and gets the zone origin appended (mail becomes mail.example.com), while a name ending in a dot is fully qualified; writing ns1.example.com without the dot would yield ns1.example.com.example.com
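The A, CNAME, MX and NS semantics above, as an added example (not code from the presentation): a small in-memory zone and a lookup that follows CNAME chains with loop and length limits, plus an MX lookup that orders servers by preference and flags targets that are only reachable through an alias. The zone contents and the RFC 5737 addresses are constructed for the example; the one-record-per-(name, type) dictionary is a simplification of a real zone file.

```python
# Constructed example.com zone: (owner, type) -> list of RDATA. Owner names are
# fully qualified and lower-case, i.e. the relative names of the slide after the
# zone origin has been appended.
ZONE = {
    ("example.com.", "NS"): ["ns1.example.com."],
    ("internal.example.com.", "NS"): ["ns1.example.com."],       # delegated child zone
    ("example.com.", "MX"): [(20, "backup.example.com."), (10, "mail.example.com.")],
    ("ns1.example.com.", "A"): ["192.0.2.53"],
    ("mail.example.com.", "A"): ["192.0.2.25"],
    ("backup.example.com.", "CNAME"): ["mx.example.com."],      # MX target that is an alias
    ("mx.example.com.", "A"): ["192.0.2.26"],
    ("www.example.com.", "CNAME"): ["web.example.com."],
    ("web.example.com.", "CNAME"): ["www.example.com."],        # deliberate CNAME loop
}

MAX_CNAME_CHAIN = 8   # resolvers cap alias chains; the exact limit is implementation-defined

def lookup(zone, name, rtype):
    """Return (chain, rdatas): the CNAMEs followed, in order, and the final records
    of the requested type (empty if the name has no such record). Raises ValueError
    on a loop or an over-long chain instead of spinning, as a resolver must."""
    name = name.lower()
    chain, seen = [], set()
    while True:
        direct = zone.get((name, rtype))
        if direct is not None:
            return chain, list(direct)
        alias = zone.get((name, "CNAME"))
        if alias is None:
            return chain, []
        if name in seen or len(chain) >= MAX_CNAME_CHAIN:
            raise ValueError("CNAME loop or chain too long at " + name)
        seen.add(name)
        chain.append((name, alias[0]))
        name = alias[0].lower()

def mail_servers(zone, domain):
    """MX hosts for domain in delivery order (lowest preference first) with their
    addresses. 'via_cname' marks targets that are aliases, which MX RDATA is not
    supposed to point at; an operator would want that reported."""
    _, mxs = lookup(zone, domain, "MX")
    result = []
    for preference, host in sorted(mxs):
        chain, addrs = lookup(zone, host, "A")
        result.append({"preference": preference, "host": host,
                       "addresses": addrs, "via_cname": bool(chain)})
    return result
```

Names are lower-cased before comparison because DNS labels are case-insensitive; the `seen` set is what turns the www/web loop into an error rather than an endless walk.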
LEGAL USERS OF DOMAINS

• Registrant
  • Depending on the naming conventions of the registries, the legal users of domains are commonly known as "registrants" or as "domain holders"
• ICANN holds a complete list of the domain registries in the world
• For most of the more than 240 country-code top-level domains (ccTLDs), the domain registries hold the authoritative WHOIS data (registrant, name servers, expiry dates, etc.)
• However, some domain registries, such as those for .COM, .ORG, .INFO, etc., use a registry-registrar model
• Since about 2001, most gTLD registries (.ORG, .BIZ, .INFO) have adopted a so-called "thick" registry approach, i.e. keeping the authoritative WHOIS data at the registry instead of at the various registrars
RECURSIVE AND ITERATIVE QUERIES

• There are two types of queries:
  • Recursive queries
  • Iterative (non-recursive) queries
• The type of query is requested by a bit in the DNS query header (RD, Recursion Desired); the server states in its response whether it offers recursion (RA, Recursion Available)
• Recursive query: when the queried name server cannot resolve the query itself, it issues further queries on the client's behalf and returns only the final answer
• Iterative query: when the queried name server cannot resolve the query itself, it sends the resolver a referral to another server
LOOKUP METHODS

Recursive query:
• The server goes out and searches for more information (recursion)
• It returns only the final answer or "not found"

Iterative query:
• The server responds with as much as it knows
• "I don't know this name, but ask this server"

Workload impact on the choice?
• The local DNS server (typically) does recursion for its clients
• Root and distant servers answer iteratively only (they refuse recursion, otherwise they would carry everyone's workload)

[Figure: the requesting host asks its local DNS server (1, 8); the local server works iteratively through the root name server (2, 3), an intermediate server (4, 5) and the authoritative name server dns.google.com (6, 7) to resolve mail.google.com]
DNS QUERY

• QNAME: mail.google.com, QCLASS: IN, QTYPE: A
• Stub resolver → recursive resolver: "mail.google.com A?"
• Recursive resolver → root server: "mail.google.com A?"; root server: "Ask the com name servers" (referral carrying the NS records for com)
• Recursive resolver → com server: "mail.google.com A?"; com server: "Ask the google.com name servers" (referral)
• Recursive resolver → google.com server: "mail.google.com A?"; google.com server: "mail.google.com A 173.194.115.22"
• Recursive resolver → stub resolver: "mail.google.com A 173.194.115.22"
1. RECURSIVE RESOLUTION, EXAMPLE (CONTINUED)

In the previous example, the mapping proceeds as follows when every server performs recursion:

1. The host contacts the local name server to query for the IP address of host mail.google.com
2. If the local name server does not have the answer in its cache or in its database, it contacts the root name server to query for the IP address of host mail.google.com
3. If the root name server does not have the answer in its cache or in its database, it contacts the name server responsible for the .com domain (dns.com) to query for the IP address of host mail.google.com
4. If dns.com does not have the answer in its cache or in its database, it contacts dns.google.com, which has the IP address for host mail.google.com
5. dns.google.com returns the answer to dns.com
6. dns.com returns the answer to the root name server
7. The root name server returns the answer to the local DNS server
8. The local DNS server returns the answer to the host

This fully recursive chain is a textbook model: on the real Internet the root and TLD servers refuse recursive queries, so from step 3 onward the work is done iteratively by the local name server, as in the next example.
2. ITERATIVE RESOLUTION, EXAMPLE (CONTINUED)

1. The host contacts the local name server to query for the IP address of host mail.google.com
2. If the local name server does not have the answer in its cache or in its database, it replies to the host with the IP address of the root name server (a referral)
3. The host contacts the root name server to query for the IP address of host mail.google.com
4. If the root name server does not have the answer in its cache or in its database, it replies to the host with the IP address of the name server for the .com domain, dns.com
5. The host contacts the name server dns.com to query for the IP address of host mail.google.com
6. If dns.com does not have the answer in its cache or in its database, it replies to the host with the IP address of the name server dns.google.com, which is the authoritative name server for the google.com domain
7. The host contacts the name server dns.google.com to query for the IP address of host mail.google.com
8. Since dns.google.com is the authoritative name server for the google.com domain, it replies to the host with the IP address of host mail.google.com

In practice the stub resolver on a host does not iterate itself: it sends one recursive query to the local (recursive) name server, which performs steps 2 to 8 on its behalf and caches the result for later queries.
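The two procedures above (iterative referral-following, and the recursive server that hides it behind a cache), as an added example that is not code from the presentation. Three constructed servers model the root, the com zone and the google.com zone; each answers a non-recursive query with an answer, a referral (the longest matching delegation) or a negative response. The server addresses are RFC 5737 documentation values, the delegation names and the address 192.0.2.22 for mail.google.com are assumptions of the example, and the cache has no TTL expiry.

```python
# Constructed servers keyed by address. Each holds the zone it is authoritative for,
# its own records, and the delegations (child zone -> NS name and glue address) that
# produce referrals, mirroring the root / com / google.com chain of the slides.
# Addresses are from the documentation ranges (RFC 5737), not real servers.
SERVERS = {
    "198.51.100.1": {"zone": ".", "records": {},
                     "delegations": {"com.": ("a.gtld-servers.example.", "198.51.100.2")}},
    "198.51.100.2": {"zone": "com.", "records": {},
                     "delegations": {"google.com.": ("dns.google.com.", "198.51.100.3")}},
    "198.51.100.3": {"zone": "google.com.", "delegations": {},
                     "records": {("mail.google.com.", "A"): ["192.0.2.22"]}},
}
ROOT_HINTS = ["198.51.100.1"]           # what the resolver is configured with up front

def in_zone(name, zone):
    """True if name is at or below zone (both fully qualified, lower-case)."""
    return zone == "." or name == zone or name.endswith("." + zone)

def iterative_answer(server, qname, qtype):
    """One server's reply to a non-recursive query: ('answer', rrs),
    ('referral', ns_name, ns_addr), ('nxdomain', None) or ('refused', None)."""
    if not in_zone(qname, server["zone"]):
        return ("refused", None)             # not our zone and we do not recurse
    best = None                              # longest matching delegation wins
    for child, (ns, addr) in server["delegations"].items():
        if in_zone(qname, child) and (best is None or len(child) > len(best[0])):
            best = (child, ns, addr)
    if best is not None:
        return ("referral", best[1], best[2])
    rrs = server["records"].get((qname, qtype))
    return ("answer", list(rrs)) if rrs is not None else ("nxdomain", None)

def resolve_iteratively(qname, qtype, servers=SERVERS, hints=ROOT_HINTS, max_hops=10):
    """What a recursive resolver does on a cache miss: start at a root hint and follow
    referrals downward. Returns (rrs, trail of server addresses asked, in order)."""
    qname = qname.lower().rstrip(".") + "."
    trail, next_addr = [], hints[0]
    for _ in range(max_hops):
        trail.append(next_addr)
        reply = iterative_answer(servers[next_addr], qname, qtype)
        if reply[0] == "answer":
            return reply[1], trail
        if reply[0] in ("nxdomain", "refused"):
            return [], trail
        next_addr = reply[2]                 # referral: ask the delegated server next
    raise RuntimeError("too many referrals while resolving " + qname)

class RecursiveResolver:
    """The recursive side of the slide: the stub asks this one server, which performs
    the iteration itself and caches what it learns (no TTL handling in this example)."""
    def __init__(self, servers=SERVERS, hints=ROOT_HINTS):
        self.servers, self.hints, self.cache = servers, hints, {}

    def query(self, qname, qtype):
        key = (qname.lower().rstrip(".") + ".", qtype)
        if key in self.cache:
            return self.cache[key], []       # served from cache: no server contacted
        rrs, trail = resolve_iteratively(key[0], qtype, self.servers, self.hints)
        self.cache[key] = rrs
        return rrs, trail
```

The `max_hops` bound is the practical safeguard: a misconfigured or malicious delegation that refers the resolver around in a circle must terminate with an error, not consume the resolver.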
HOW DNS WORKS

• A network host is configured with an initial cache (so-called hints) of the known addresses of the root name servers; the hints file is updated periodically by an administrator from a reliable source
• A DNS zone is loaded on its authoritative servers; the servers keep in sync using the information in the SOA RR (serial number and refresh/retry/expire timers) via AXFR, IXFR or other means
  • Zone transfers should be restricted to the zone's own secondary servers (and preferably authenticated with TSIG); an AXFR open to anyone hands out the whole zone and is a standard reconnaissance step
• DNS caches store data only for a "short" time, defined by the TTL of each record
• DNS recursive resolvers start at the "longest match" on the query name that they already have cached when looking for data, and follow delegations until an answer or a negative answer is received
• DNS transactions are fast if the servers are reachable
SECURITY ISSUES

• Some domain names can spoof other, similar-looking domain names
  • For example, "paypal.com" and "paypa1.com" are different names, yet users may be unable to tell the difference when the typeface (font) does not clearly differentiate the letter l and the digit 1
• DNS responses are traditionally not cryptographically signed, leading to many attack possibilities:
  • Cache poisoning (a forged response that the resolver accepts and caches; in plain DNS the only defences are the 16-bit transaction ID, source-port randomization and the bailiwick check on returned records)
  • Denial of service (DoS)
  • Masquerading
  • Client flooding
  • Information leakage
  • Compromise of a DNS server's authoritative data
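A check for the lookalike-name problem described above, as an added example that is not part of the presentation: each label is reduced to a "skeleton" in which glyphs that common fonts render alike (1/l, 0/o, rn/m, accented letters, ...) are collapsed, and a registered name is flagged when its second-level label has the same skeleton as a protected brand without being that brand. The confusable table is a deliberately small, constructed one (production code should use the Unicode confusables data, UTS #39), and the brand list and sample domains are assumptions of the example.

```python
import unicodedata

# Deliberately small, constructed table of glyph pairs that common fonts render alike.
# Production code should use the Unicode confusables data (UTS #39) instead.
MULTI_CHAR_RULES = [("rn", "m"), ("vv", "w"), ("cl", "d")]
SINGLE_CHAR_MAP = str.maketrans({"1": "l", "|": "l", "0": "o", "5": "s",
                                 "2": "z", "3": "e", "8": "b"})

def skeleton(label):
    """Reduce a label to a skeleton in which confusable glyphs are collapsed, so that
    two labels that look alike to a user end up with equal skeletons."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if not unicodedata.combining(ch))  # drop accents
    for src, dst in MULTI_CHAR_RULES:
        label = label.replace(src, dst)
    return label.translate(SINGLE_CHAR_MAP)

def registrable_label(domain):
    """Second-level label of a domain name, e.g. 'paypa1' for 'www.paypa1.com'.
    Simplification: the last label is taken as the TLD (no public-suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else None

def lookalike_of(domain, protected):
    """Return the protected brand label that domain imitates, or None when the
    registrable label is the brand itself or is not confusable with any brand."""
    sld = registrable_label(domain)
    if sld is None or sld in protected:
        return None
    target = skeleton(sld)
    for brand in protected:
        if skeleton(brand) == target:
            return brand
    return None
```

Such a check belongs wherever new names first become visible (certificate-transparency feeds, newly registered domain lists, inbound mail sender domains), and it is a heuristic: it catches glyph substitution, not names like "paypal-secure.com" that trade on a brand by other means.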
DNSSEC

• DNSSEC works by digitally signing the records returned for a DNS lookup using public-key cryptography. The correct DNSKEY record is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone (the trust anchor)
• DNSSEC modifies DNS to add support for cryptographically signed responses: RRSIG records sign each record set, DNSKEY records publish the zone's keys, a DS record in the parent zone carries a hash of the child's key and so links the chain, and NSEC/NSEC3 records provide authenticated denial of existence
• There are various extensions to support securing zone transfer information as well (e.g. TSIG)
• From the results of a DNS lookup, a security-aware DNS resolver can determine whether the authoritative name server for the domain being queried supports DNSSEC, whether the answer it receives is secure, and whether there is some sort of error
• The lookup procedure is different for recursive name servers, such as those of many ISPs, and for stub resolvers, such as those included by default in mainstream operating systems
• DNSSEC provides origin authentication and integrity, not confidentiality: queries and responses remain readable on the wire
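One link of the chain of trust described above, as an added example that is not code from the presentation: the DS record a parent zone publishes is a hash over the child's owner name (in canonical wire form) plus the DNSKEY RDATA, together with the key's 16-bit key tag, so a validating resolver can confirm that the DNSKEY it fetched from the child is the one the already-validated parent vouches for. The digest construction and the key-tag sum follow RFC 4034 (section 5 and appendix B); the four-byte "public key" and the zone name are constructed placeholders, and the RRSIG signature verification that completes validation (which needs the actual RSA/ECDSA algorithm) is not shown.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root byte."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (257 = KSK, 256 = ZSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """RFC 4034 appendix B: sum the RDATA as big-endian 16-bit words, fold the carry."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA); 1 = SHA-1, 2 = SHA-256."""
    hash_fn = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hash_fn(name_to_wire(owner) + rdata).hexdigest().upper()

def make_ds(owner, rdata, digest_type=2):
    """The DS record the parent publishes for this DNSKEY: (key tag, algorithm,
    digest type, digest). The algorithm is byte 3 of the DNSKEY RDATA."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))

def ds_matches_dnskey(ds, owner, rdata):
    """The chain-of-trust link a validating resolver checks: the DNSKEY fetched from
    the child must reproduce the tag, algorithm and digest of the parent's DS."""
    tag, algorithm, digest_type, digest = ds
    return (tag == key_tag(rdata)
            and algorithm == rdata[3]
            and digest == ds_digest(owner, rdata, digest_type))

# Constructed key: KSK flags, protocol 3, algorithm 8 (RSA/SHA-256), placeholder key bytes.
EXAMPLE_KEY = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
EXAMPLE_DS = make_ds("example.com.", EXAMPLE_KEY)
```

A resolver walks this link at every zone cut from the root down; if any DS fails to match the child's DNSKEY, or the child publishes no DS-linked key at all, the answers below that point are "bogus" or "insecure" respectively rather than "secure", which is the three-way outcome the slide refers to.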