1 / 29

DNS

DNS. Domain Name Systems In Practice. Domain Name Parts. Parts of a domain name. Domain name consists of two or more parts ( labels ), separated by periods Example: wikipedia.org wikipedia.org has the top-level domain org Rightmost label conveys the top-level domain A.K.A. TLD

ronny
Download Presentation

DNS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. DNS Domain Name Systems In Practice

  2. Domain Name Parts

  3. Parts of a domain name • Domain name consists of two or more parts (labels), separated by periods • Example: wikipedia.org • wikipedia.org has the top-level domain org • Rightmost label conveys the top-level domain • A.K.A. TLD • en.wikipedia.org has the top-level domain org • Each label to the left specifies a subdivision or subdomain of the domain above it • Note: "subdomain" expresses relative dependence, not absolute dependence: • wikipedia.org comprises a subdomain of the org domain • en.wikipedia.org comprises a subdomain of the domain wikipedia.org • Note: The root “.” is always there. At times it may be implied, others it must be explicitly listed • e.g. wikipedia.org.

  4. Parts of a domain name • Domain name usually consists of two or more parts (labels), separated by dots • In theory: • Subdivisions can go 127 levels deep • Each label can contain up to 63 characters • Overall Limit: • Entire domain name cannot exceed a total length of 254 characters • In practice: • Some domain registries have shorter limits • Typically restricted by host OS

  5. Parts of a domain name • Hostname may refer to a domain name that has one or more associated IP addresses • For example, the en.wikipedia.org and wikipedia.org domains are both hostnames, but the org domain is not • Domain Name System consists of a hierarchical set of DNS servers • Each domain or subdomain has one or more authoritative DNS servers • Publish information about that domain and the name servers of any domains "beneath" it • Hierarchy of authoritative DNS servers matches the hierarchy of domains • At the top of the hierarchy stand the root name servers: • Servers to query when looking up (resolving) a top-level domain name (TLD)

  6. Parts of a domain name • Iterative and recursive queries: • Iterative query: the DNS server may provide a partial answer to the query (or give an error) • DNS servers must support non-recursive queries • Recursive query: the DNS server will fully answer the query (or give an error) • DNS servers are not required to support recursive queries • Resolvers (or another DNS acting recursively on behalf of another resolver) negotiate use of recursive service using bits in the query headers

  7. Address resolution mechanism

  8. Address resolution mechanism • A full host name may have several name segments • e.g. ahost.ofasubnet.ofabiggernet.inadomain.example • In practice full host names typically consist of three segments • ahost.inadomain.example • www.inadomain.example • Software interprets the name segment by segment, right to left • Uses an iterative search procedure • Each step along the way • Program queries a corresponding DNS server • Provides a pointer to the next server which it should consult • (This description deliberately uses the fictional .example TLD in accordance with the DNS guidelines themselves.)

  9. Address resolution mechanism • Example: • DNS recursor consults three nameservers to resolve the address www.wikipedia.org

  10. Resume 2/12

  11. Address resolution mechanism • As originally envisaged, the process was as simple as: • Local system is pre-configured with the known addresses of the root servers in a file of root hints • Needs to be updated periodically by the local administrator from a reliable source to be kept up to date with the changes which occur over time • Query one of the root servers to find the server authoritative for the next level down • Query this second server for the address of a DNS server with detailed knowledge of the second-level domain • Repeat the previous step to progress down the name, until the final step which would return the final address sought

  12. Address resolution mechanism • Search done in this simple form has a major problem: • Huge operating burden on the root servers • Each and every search for an address would be started by querying one of them • Root name servers are critical to the overall function of the system • Such a heavy use would create an insurmountable bottleneck for trillions of queries placed every day • In practice preemptive measures are taken

  13. Circular dependencies and glue records • Name servers in delegations appear listed by name, rather than by IP address • Means a resolving name server must issue another DNS request to find out the IP address of the server to which it has been referred • Could introduce a circular dependency if the name server referred to is under the domain that it is authoritative of • It is occasionally necessary for the name server providing the delegation to also provide the IP address of the next name server • This record is called a glue record

  14. Circular dependencies and glue records • For example, assume that the sub-domain en.wikipedia.org contains further sub-domains (such as something.en.wikipedia.org) and that the authoritative name server for these is at ns1.en.wikipedia.org • A computer trying to resolve something.en.wikipedia.org • Will have to resolve ns1.en.wikipedia.org • Since ns1 is also under the en.wikipedia.org subdomain • Resolving ns1.en.wikipedia.org requires resolving ns1.en.wikipedia.org • Which is exactly the circular dependency mentioned above • The dependency is broken by the glue record in the name server of wikipedia.org • Provides the IP address of ns1.en.wikipedia.org directly to the requestor • Enabling it to bootstrap the process by figuring out where ns1.en.wikipedia.org is located

  15. In Practice How DNS Works

  16. How DNS Works In Practice • When an application tries to find the IP address of a domain name • Doesn't necessarily follow all of the steps outlined in the Theory section • Uses caching

  17. How DNS works In practice • Caching and time to live • Huge volume of requests generated by a system like DNS • Need to provide a mechanism to reduce the load on individual DNS servers • DNS resolution process allows for caching for a given period of time after a successful answer • Caching: the local recording and subsequent consultation of the results of a DNS query • How long a resolver caches a DNS response is determined by a value called the time to live (TTL) • TTL is set by the administrator of the DNS server handing out the response • The period of validity may vary from just seconds to days or even weeks or years

  18. How DNS Works In Practice- Caching time • As a consequence of the distributed and caching architecture, changes to DNS do not always take effect immediately and globally • Example: • An administrator has set a TTL of 6 hours for the host www.wikipedia.org (valid at 12:00) • Then changes the IP address to which www.wikipedia.org resolves at 12:01pm • Administrator must consider that a person who cached a response with the old IP address at 12:00pm will not consult the DNS server again until 6:00pm. • The period between 12:01pm and 6:00pm in this example is called caching time • The period of time that begins when you make a change to a DNS record and ends after the maximum amount of time specified by the TTL expires • This essentially leads to an important logistical consideration when making changes to DNS: not everyone is necessarily seeing the same thing you're seeing. • RFC 1537 helps to convey basic rules for how to set the TTL

  19. How DNS Works In Practice- Caching time • Note that the term "propagation” does not describe the effects of caching well • Specifically, it implies that • [1] when you make a DNS change, it somehow spreads to all other DNS servers (instead, other DNS servers check in with yours as needed) • [2] that you do not have control over the amount of time the record is cached • you control the TTL values for all DNS records in your domain • except your NS records and any authoritative DNS servers that use your domain name

  20. How DNS Works In Practice- Caching time • Some resolvers may override TTL values • Protocol supports caching over vast periods • up to 68 years • no caching at all (0 seconds) • Negative caching (the non-existence of records) is determined by name servers authoritative for a zone which MUST include the SOA record (Start Of Authority) when reporting no data of the requested type exists. • The MINIMUM field of the SOA record and the TTL of the SOA itself is used to establish the TTL for the negative answer

  21. How DNS Works In Practice- In the Real World • DNS resolving from program to OS-resolver to ISP-resolver to greater system. • Users generally do not communicate directly with a DNS resolver • DNS-resolution takes place transparently in client-applications • Web-browsers • Mail-clients • Other Internet applications • When an application makes a request which necessitates a DNS lookup • Such programs send a resolution request to the local DNS resolver in the local operating system • Which in turn handles the communications required

  22. Security issues • DNS was not originally designed with security in mind • Has a number of security issues • DNS responses are traditionally not cryptographically signed, leading to many attack possibilities; • DNSSEC modifies DNS to add support for cryptographically signed responses • There are various extensions to support securing zone transfer information as well

  23. Security issues • Even with encryption it still doesn't prevent the possibility that a DNS server could become infected with a virus (or for that matter a disgruntled employee) that would cause IP addresses of that server to be redirected to a malicious address with a long TTL • Could have far reaching impact to potentially millions of internet users if busy DNS servers cache the bad IP data • Would require manual purging of all affected DNS caches as required by the long TTL (up to 68 years)

  24. Security issues • Some domain names can spoof other, similar-looking domain names • For example, "paypal.com" and "paypa1.com" are different names • Users may be unable to tell the difference when the user's typeface (font) does not clearly differentiate the letter l and the number 1. • Problem is much more serious in systems that support internationalized domain names • Many characters that are different, from the point of view of ISO 10646, appear identical on typical computer screens

  25. Legal users of domains • Registrant • Most of the NICs in the world receive an annual fee from a legal user in order for the legal user to utilize the domain name (i.e. a sort of a leasing agreement exists, subject to the registry's terms and conditions) • Depending on the various naming convention of the registries, legal users become commonly known as "registrants" or as "domain holders" • ICANN holds a complete list of domain registries in the world • One can find the legal user of a domain name by looking in the WHOIS database held by most domain registries • For most of the more than 240 country code top-level domains (ccTLDs), the domain registries hold the authoritative WHOIS (Registrant, name servers, expiry dates, etc.). • For instance, DENIC, Germany NIC, holds the authoritative WHOIS to a .DE domain name • However, some domain registries, such as for .COM, .ORG, .INFO, etc., use a registry-registrar model • There are hundreds of Domain Name Registrars that actually perform the domain name registration with the end user (see lists at ICANN or VeriSign) • By using this method of distribution, the registry only has to manage the relationship with the registrar, and the registrar maintains the relationship with the end users, or 'registrants' • For .COM, .NET domain names, the domain registries, VeriSign holds a basic WHOIS (registrar and name servers, etc.) • One can find the detailed WHOIS (registrant, name servers, expiry dates, etc.) at the registrars • Since about 2001, most gTLD registries (generic: .ORG, .BIZ, .INFO) have adopted a so-called "thick" registry approach, i.e. keeping the authoritative WHOIS with the various registries instead of the registrars

  26. Legal users of domains • Administrative contact • A registrant usually designates an administrative contact to manage the domain name • The administrative contact usually has the most immediate power over a domain • Management functions delegated to the administrative contacts may include: • the obligation to conform to the requirements of the domain registry in order to retain the right to use a domain name • authorization to update the physical address, e-mail address and telephone number etc. in WHOIS • Technical contact • A technical contact manages the name servers of a domain name • The many functions of a technical contact include: • making sure the configurations of the domain name conforms to the requirements of the domain registry • updating the domain zone • providing the 24×7 functionality of the name servers • allows accessibility of the domain name • Billing contact • The party whom a NIC invoices • Name servers • Namely the authoritative name servers that host the domain name zone of a domain name

  27. Politics • Many investigators have voiced criticism of the methods currently used to control ownership of domains • Critics commonly claim abuse by monopolies or near-monopolies, such as VeriSign, Inc • Particularly noteworthy was the VeriSign Site Finder system which redirected all unregistered .com and .net domains to a VeriSign webpage • Despite widespread criticism, VeriSign only reluctantly removed it after the Internet Corporation for Assigned Names and Numbers (ICANN) threatened to revoke its contract to administer the root name servers • There is also significant disquiet regarding the United States' political influence over ICANN • Was a significant issue in the attempt to create a .xxx top-level domain • Sparked greater interest in alternative DNS roots that would be beyond the control of any single country • Truth in Domain Names Act • Main article: Anticybersquatting Consumer Protection Act • In the United States, the "Truth in Domain Names Act" (actually the "Anticybersquatting Consumer Protection Act"), in combination with the PROTECT Act, forbids the use of a misleading domain name with the intention of attracting people into viewing a visual depiction of sexually explicit conduct on the Internet

  28. Resolvers • Serve DNS names • Always returns an IP address • Request an IP address • Are recursive

  29. Other Internet Resources • See also • Dynamic DNS • Alternative DNS root • Comparison of DNS server software

More Related