DNS Domain Name System. Hostnames IP Addresses are great for computers – IP address includes...

Transcript of the 38-slide deck.

Page 1: DNS (Domain Name System)

Page 2: Hostnames

IP addresses are great for computers: an IP address includes information used for routing.

IP addresses are tough for humans to remember.

IP addresses are impossible to guess: ever guessed at the name of a WWW site?

Page 3: The Domain Name System

The domain name system is usually used to translate a host name into an IP address.

Domain names comprise a hierarchy so that names are unique, yet easy to remember.

Page 4: Name Space

A name space that maps each address to a unique name can be organized in two ways:

1. Flat Name Space: A name in this space is a sequence of characters without structure.

Disadvantage: Cannot be used in a large system. It must be centrally controlled to avoid ambiguity and duplication.

2. Hierarchical Name Space: In this name space, each name is made of several parts.

The authority to assign and control the name space can be decentralized.

Page 5: DNS Hierarchy

(Figure: a tree with the root at the top, the top-level domains edu, com, org and gov beneath it, and the second-level domains gu and msu below them.)

Page 6: Domain Name Space

To have a hierarchical name space, a domain name space was designed, in which the names are defined in an inverted-tree structure with the root at the top.

The tree can have 128 levels (0 for the root to 127). Each domain name is made up of a sequence of labels separated by periods.

– Each label can be up to 63 characters (the root label is the null string).

– The total name can be at most 255 characters.

Examples: whitehouse.gov, barney.purple.dinosaur.com, monica.cs.msu.edu

Page 7: Top level domains

edu, gov, com, net, org, mil, … Countries each have a top level domain (a 2-letter domain name). New top level domains include:

.aero .biz .coop .info .name .pro

Page 8: DNS Organization

Distributed Database

– The organization that owns a domain name is responsible for running a DNS server that can provide the mapping between hostnames within the domain and IP addresses.

– E.g. some machine run by MSU is responsible for everything within the msu.edu domain.

Page 9: Distribution of Name Space

Information contained in the domain name space must be stored.

It is inefficient and also not reliable to have just one computer store such a huge amount of data.

Inefficient: Responding to requests from all over the world places a heavy load on the system.

Not Reliable: Any failure makes the data inaccessible.

Page 10: Solution

– Distribute the information among many computers called DNS servers.

– Divide the whole space into many domains: let the root stand alone and create as many subtrees as there are first-level nodes.

– We have a hierarchy of servers as we have a hierarchy of names.

Page 11: Zone and Domain

(Figure: the root at the top with the com domain beneath it; the labels Domain and Zone mark the domain and the zone within it.)

Page 12: Servers

Root Server: Does not store any information about domains but delegates its authority to other servers, keeping references to those servers.

Primary Server: Stores a file about the zone for which it is an authority.

– It is responsible for creating, maintaining and updating the zone file.

Secondary Server: Transfers the complete information from the primary server and stores it on its local disk.

Page 13: DNS Distributed Database

There is one primary server for a domain, and typically a number of secondary servers containing replicated databases.

(Figure: the rpi.edu and msu.edu DNS DBs, each with an authoritative copy and replicas; the msu.edu DNS server holds the authoritative msu.edu DNS DB.)

Page 14: DNS Resolution

Mapping a name to an address or an address to a name is called name-address resolution.

Resolver:

– A host that needs to map an address to a name or a name to an address calls a DNS client called a Resolver.

Domain name resolution proceeds top-down, starting with the root name server and proceeding to servers located at the leaves of the tree.

Two ways: (1) contacting the name servers one at a time (iterative resolution); (2) asking the name server system to perform the complete translation (recursive resolution).

Page 15: DNS Resolution (cont.)

In either case, the client software forms a domain name query that contains the name to be resolved, a declaration of the class of the name, the type of answer desired, and a code that specifies whether the name server should translate the name completely.

When a domain name server receives a query, it checks to see if the name lies in the subdomain for which it is an authority.

If yes, it translates the name to an address according to its database, and appends an answer to the query before sending it back to the client.

If no, it checks the type of interaction the client specified. Two types: (1) Recursive (2) Iterative.

Page 16: Hierarchy of Name Servers

(Figure: the Root Server at the top; the org, edu, com and us servers beneath it; fhda.edu and bk.edu under the edu server, mcgraw.com and irwin.com under the com server.)

Page 17: Recursive Resolution

(Figure: a client in mcgraw.com resolving a name in fhda.edu; the query is passed from server to server via the com, root and edu servers to fhda.edu, and the answer returns along the same path; steps numbered 1 to 10.)

Page 18: Iterative Resolution

(Figure: a client in mcgraw.com resolving a name in fhda.edu; the mcgraw.com server queries the com, root, edu and fhda.edu servers one at a time, each replying directly to it, before it answers the client; steps numbered 1 to 10.)

Page 19: Efficient Translation

Most name resolution refers to local names, so tracing a path through the hierarchy to contact the local authority would be inefficient.

If each name resolution always started by contacting the topmost level, the machine at that point would become overloaded.

Failure of machines at the topmost levels would prevent name resolution, even if the local authority could resolve the name.

Page 20: Caching: The Key To Efficiency

Maintaining the lookup values for nonlocal names at the server is called caching.

Advantages: (1) reducing the search cost; (2) increasing the efficiency.

Disadvantage: decreasing the accuracy.

When a server asks for a mapping from another server and receives the response, it stores the information in its cache memory before sending it to the client.

Page 21:

If the same or another client asks for the same mapping, the server can check its cache memory and resolve the problem.

To inform the client that the response is coming from the cache and not from the authoritative source, the server marks the response as an unauthoritative / nonauthoritative binding.

To keep the cache updated, 2 techniques are used: (1) the authoritative server adds TTL (Time To Live) information to the mapping; (2) each server keeps a TTL counter for each mapping in the cache.
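As an added example (not code from the slides), the caching behaviour of the last two slides in Python: a server answers authoritatively for its own zone, caches nonlocal mappings with the TTL supplied by the authoritative server, counts that TTL down on every lookup, and marks cached answers nonauthoritative. The zone name, the zone records, the upstream() callback and all addresses are constructed for illustration; the TTL bounds how long the "decreased accuracy" of a cached answer can persist.

```python
# Added example: a caching server in the style of the slides (not the deck's own code).
# Zone data, the upstream() callback and all addresses are constructed for illustration.

class DnsCache:
    """Lookup values for nonlocal names, each kept with its own TTL counter."""

    def __init__(self):
        self._entries = {}  # (name, rtype) -> (rdata, absolute expiry time)

    def store(self, name, rtype, rdata, ttl, now):
        # TTL comes from the authoritative server's record (technique 1 on the slide).
        self._entries[(name.lower(), rtype)] = (rdata, now + ttl)

    def lookup(self, name, rtype, now):
        """Return (rdata, remaining_ttl), or None once the TTL counter reaches zero."""
        key = (name.lower(), rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        rdata, expires_at = entry
        remaining = expires_at - now          # the per-mapping TTL counter (technique 2)
        if remaining <= 0:
            del self._entries[key]            # stale: must be fetched from the authority again
            return None
        return rdata, remaining


class CachingServer:
    """Authoritative for one zone; everything else is resolved upstream and cached."""

    def __init__(self, zone, zone_records):
        self.zone = zone.lower()
        self.zone_records = zone_records      # (name, rtype) -> (rdata, ttl), the zone file
        self.cache = DnsCache()
        self.upstream_queries = 0             # how often the authority had to be asked

    def _in_zone(self, name):
        name = name.lower()
        return name == self.zone or name.endswith("." + self.zone)

    def resolve(self, name, rtype, now, upstream):
        key = (name.lower(), rtype)
        if self._in_zone(name):
            # Authoritative answer straight from the zone file (AA set).
            rdata, ttl = self.zone_records.get(key, (None, 0))
            return {"aa": True, "rdata": rdata, "ttl": ttl}
        hit = self.cache.lookup(name, rtype, now)
        if hit is None:
            # Cache miss: ask the authoritative server and store before answering the client.
            self.upstream_queries += 1
            rdata, ttl = upstream(name, rtype)
            self.cache.store(name, rtype, rdata, ttl, now)
            hit = (rdata, ttl)
        rdata, remaining = hit
        # Marked nonauthoritative so the client knows this came from the cache.
        return {"aa": False, "rdata": rdata, "ttl": remaining}
```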

Page 22: DNS Messages

Query message: Header, Question Section.

Response message: Header, Question Section, Answer Section, Authoritative Section, Additional Section.

Page 23: Header Format

Identification (16 bits) | Parameter (Flags) (16 bits)
Number of Question Records
No. of Answer Records (all 0's in a query message)
No. of Authoritative Records (all 0's in a query message)
No. of Additional Records (all 0's in a query message)

Flags Field (left to right): QR, OpCode, AA, TC, RD, RA, three 0's, rCode

Question Record Format: Query Domain Name, Query Type, Query Class

Page 24: Values of rCode

Value    Meaning
0        No error
1        Format error
2        Problem at name server
3        Domain reference problem
4        Query type not supported
5        Administratively prohibited
6 - 15   Reserved

Resource Record Format: Resource Domain Name, Domain Type, Domain Class, Time To Live, Resource Data Length, Resource Data

Page 25: Compression

A domain name must be replaced by an offset pointer if it is repeated. In a resource record the domain name is a repetition of the same name in the question record.

The 2-byte (16-bit) offset pointer points to the previous occurrence of the domain name.

– 2 high-order bits: 11 (to distinguish the pointer from a length field)

– 14 bits: a number giving the byte offset in the message of that previous occurrence.
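As an added example (not code from the slides), a small Python encoder and decoder for the header, question record and resource record formats of the last three slides, including the 11-prefixed 14-bit compression pointer. The identification value, query name and answer address are constructed samples, the rCode meanings follow the slide's table, and the decoder rejects a pointer that does not point to a previous occurrence, which is what keeps a looping pointer from hanging the parser.

```python
# Added example (not the deck's code): IDs, names and addresses below are constructed samples.
import struct

RCODES = {0: "No error", 1: "Format error", 2: "Problem at name server",  # slide's rCode table
          3: "Domain reference problem", 4: "Query type not supported",
          5: "Administratively prohibited"}                                 # 6-15: reserved

def encode_name(name):
    """Sequence of (length byte, label) pairs ending with the root's null label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Return (name, offset after the name); follows 11-prefixed 14-bit offset pointers."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # two high-order bits 11: a pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:                          # only a previous occurrence is legal
                raise ValueError("compression pointer does not point backwards")
            name, _ = decode_name(msg, ptr)         # terminates: offsets strictly decrease
            return ".".join(labels + [name]), off + 2
        off += 1
        if length == 0:                             # root (null) label ends the name
            return ".".join(labels), off
        if length > 63:
            raise ValueError("label exceeds 63 characters")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_header(msg):  # identification, flag bits (QR, OpCode, AA, TC, RD, RA, rCode), counts
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF, "aa": flags >> 10 & 1,
            "tc": flags >> 9 & 1, "rd": flags >> 8 & 1, "ra": flags >> 7 & 1, "rcode": flags & 0xF,
            "rcode_text": RCODES.get(flags & 0xF, "Reserved"),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def build_query(ident, name, qtype=1, qclass=1):  # header with RD set, answer counts 0, 1 question
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, qclass)

def build_response(query, address, ttl=300):  # QR, AA, RD, RA set; answer name = pointer to offset 12
    ident = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!6H", ident, 0x8580, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in address.split("."))            # type A: 32-bit address
    return header + query[12:] + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata

def parse_response(msg):
    """Return (header, (qname, qtype, qclass), [(name, type, ttl, rdata), ...])."""
    h = parse_header(msg)
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
    answers = []
    for _ in range(h["ancount"]):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]; off += rdlen
        answers.append((name, rtype, ttl, ".".join(map(str, rdata)) if rtype == 1 else rdata))
    return h, (qname, qtype, qclass), answers
```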

Page 26: Abbreviation of Domain Name

Provides a method of shortening names when the resolving process can supply part of the name automatically.

The resolving process can assume the name lies in the same local authority.

E.g. omitting the area code while dialing a local telephone number.

When a resolver encounters a name, it steps through the suffix list, appending each suffix and trying to look up the resulting name.

Page 27: Abbreviation of Domain Name (cont.)

Managers can use the suffix list to make abbreviation convenient or to restrict application programs to local names.

The domain name system only maps full domain names into addresses; abbreviations are not part of the DNS itself, but are introduced by the client software to make local names convenient for users.

Page 28: Inverse Mapping

An inverse query allows the client to ask a server to map "backwards" by taking an answer and generating the question that would produce that answer.

Inverse queries have been part of the domain system, but they are generally not used because there is no way to find the server that can resolve the query without searching the entire set of answers.

It is used as an authentication mechanism that a server uses to verify that a client is authorized to access the service.

Page 29: Pointer Queries

A pointer query requests the name server to return the correct domain name for the machine with the specified IP address.

E.g. think of an IP address written in dotted decimal as aaa.bbb.ccc.ddd.

For a pointer query the client rearranges the address as ddd.ccc.bbb.aaa.in-addr.arpa.

The new form is a name in the special domain called in-addr.arpa.

The Internet root domain servers maintain a database of valid IP addresses along with information about the domain name servers that can resolve each address group.

Page 30: Object Types and Resource Record Content

DNS can be used for translating a host name to an IP address as well as for translating a domain name to a mail exchanger address.

When sending a request a client must specify the type in its query; servers specify the data type in all resource records they return.

To make lookups more efficient, a server always returns additional bindings that it knows in the ADDITIONAL INFORMATION SECTION of a response.

Page 31: Resource Record Type

Type    Meaning             Contents
A       Host Address        32 bit IP Address
CNAME   Canonical Name      Canonical name for an alias
HINFO   CPU & OS            Name of CPU and OS
MINFO   Mailbox Info        Information about a mailbox or mail list
MX      Mail Exchanger      16 bit preference and name of host that acts as mail exchanger for the domain
NS      Name Server         Name of authoritative server for domain
PTR     Pointer             Domain Name (like a symbolic name)
SOA     Start of Authority  Which part of the naming hierarchy a server implements
TXT     Arbitrary text      Uninterpreted string of ASCII text

Page 32: Authority For A Sub Domain

Before an institution is granted authority for an official second-level domain, it must agree to operate a domain name server that meets Internet standards.

It must obey the protocol standards that specify message formats and the rules for responding to requests.

The server must know the addresses of the servers that handle each subdomain as well as the address of at least one root server.

A subtree of names managed by a given name server forms a zone of authority.

Page 33: Authority For A Sub Domain (cont.)

Servers must be able to handle many requests, even though some requests take a long time to resolve.

The Internet authority requires that the information in every domain name server be replicated.

Servers must have no single point of failure. At any point in the tree of servers, a server must know how to locate both the primary and the backup name servers for subdomains, and it must direct queries to a backup server if the primary server is unavailable.

Page 34: Dynamic DNS Update And Notification

NAT (Network Address Translation) and DHCP (Dynamic Host Configuration Protocol) both create a need for interaction with DNS.

A NAT box obtains a dynamic address from an ISP, so there must be coordination between DNS and the NAT system.

When a host obtains a dynamic address using DHCP, the DNS server for the host must be updated with the host's current address.

Page 35: Dynamic DNS Update And Notification (cont.)

To permit multiple parties to share administration, the IETF developed a technology known as Dynamic DNS.

The two aspects of Dynamic DNS are Update and Notification.

Update permits changes to be made dynamically to the information that a server stores.

Because DNS uses backup servers, changes made on the primary server must be propagated to each backup; so when a dynamic change occurs, the primary server sends a notification to the backup servers.

Page 36: DNS Security Extensions - DNSSEC

The IETF has developed a technology called DNSSEC. The primary services provided by DNSSEC are message origin authentication and integrity of the data.

By using DNSSEC the host can verify that a DNS message did indeed originate at the authoritative DNS server and that the data in the message arrived without being changed.

DNSSEC does not provide confidentiality, nor does it fend off denial-of-service attacks. This means that even if a host and server both use DNSSEC, there is no guarantee that messages sent between them will be received.

Page 37: DNSSEC (cont.)

To provide authentication and data integrity, DNSSEC uses a digital signature mechanism that allows the receiver to verify that the contents of the message were not changed.

The DNSSEC mechanism uses public key (PK) cryptography.

To distribute public keys, DNSSEC uses DNS itself: a server contains the public keys for zones. To guarantee security for the entire system, the PK for the top level of the hierarchy must be manually configured into a resolver.

Page 38: Review Questions

1. What are the disadvantages of the Flat Namespace?
2. Explain Hierarchical namespace.
3. What are the different naming hierarchies at the Top Level? Give some examples of Top-Level domains with their meaning.
4. Which are the two methods for Domain Name Resolution? Explain in detail.
5. What do you mean by efficient translation?
6. What is caching? Give its advantages and disadvantages.
7. Which method is used to keep the cache correct? How?
8. Explain the format of the Query Message.
9. Explain the format of a Resource Record.
10. How is space conserved in the reply packet?
11. What is the use of the resource record type? Explain using an example.
12. What is DNSSEC? Explain in brief.