DNS
Domain Name System
Hostnames
IP addresses are great for computers: an IP address includes information used for routing.
IP addresses are tough for humans to remember.
IP addresses are impossible to guess (ever guessed the name of a WWW site?).
The Domain Name System
The domain name system is usually used to translate a host name into an IP address.
Domain names form a hierarchy so that names are unique, yet easy to remember.
Name Space
A name space that maps each address to a unique name can be organized in two ways:
1. Flat Name Space: a name in this space is a sequence of characters without structure.
Disadvantage: it cannot be used in a large system, because it must be centrally controlled to avoid ambiguity and duplication.
2. Hierarchical Name Space: in this name space, each name is made of several parts.
The authority to assign and control the name space can be decentralized.
DNS Hierarchy
[Figure: DNS hierarchy with the top-level domains edu, com, org and gov below the root, and the second-level labels gu and msu below them.]
Domain Name Space
To obtain a hierarchical name space, a domain name space was designed in which the names are defined in an inverted-tree structure with the root at the top.
The tree can have 128 levels (0 at the root to 127). Each domain name is made up of a sequence of labels separated by periods.
– Each label can be up to 63 characters (the root has the null string as its label).
– The total name can be at most 255 characters.
Examples: whitehouse.gov, barney.purple.dinosaur.com, monica.cs.msu.edu
Top level domains
edu, gov, com, net, org, mil, …
Each country has its own top-level domain (a 2-letter domain name).
Newer top-level domains include: .aero .biz .coop .info .name .pro
DNS Organization
Distributed Database
– The organization that owns a domain name is responsible for running a DNS server that can provide the mapping from hostnames within the domain to IP addresses.
– E.g. some machine run by MSU is responsible for everything within the msu.edu domain.
Distribution of Name Space
The information contained in the domain name space must be stored somewhere.
It is inefficient and also unreliable to have just one computer store such a huge amount of data.
Inefficient – responding to requests from all over the world places a heavy load on that system.
Not reliable – any failure makes the data inaccessible.
Solution:
– Distribute the information among many computers called DNS servers.
– Divide the whole space into many domains: let the root stand alone and create as many subtrees as there are first-level nodes.
– We then have a hierarchy of servers matching the hierarchy of names.
Zone and Domain
[Figure: a zone compared with a domain, shown on the tree below the root with the com domain as the example.]
Servers
Root Server: does not store any information about domains, but delegates its authority to other servers and keeps references to those servers.
Primary Server: stores a file about the zone for which it is the authority. It is responsible for creating, maintaining and updating the zone file.
Secondary Server: transfers the complete zone information from the primary server and stores it on its local disk.
DNS Distributed Database
There is one primary server for a domain, and typically a number of secondary servers containing replicated databases.
[Figure: the rpi.edu DNS database and the msu.edu DNS database, each with an authoritative copy and replicas, served by the msu.edu DNS server.]
DNS Resolution
Mapping a name to an address, or an address to a name, is called name-address resolution.
Resolver:
– A host that needs to map an address to a name, or a name to an address, calls a DNS client called a resolver.
Domain name resolution proceeds top-down, starting with the root name server and proceeding to servers located at the leaves of the tree.
Two ways: (1) contacting the name servers one at a time (iterative resolution); (2) asking the name server system to perform the complete translation (recursive resolution).
In either case, the client software forms a domain name query that contains the name to be resolved, a declaration of the class of the name, the type of answer desired, and a code that specifies whether the name server should translate the name completely.
When a domain name server receives a query, it checks whether the name lies in the subdomain for which it is an authority.
If yes, it translates the name to an address according to its database and appends the answer to the query before sending it back to the client.
If no, it checks the type of interaction the client specified: (1) recursive or (2) iterative.
Hierarchy of Name Servers
[Figure: root server at the top; org, edu, com and us servers below it; fhda.edu and bk.edu under edu; mcgraw.com and irwin.com under com.]
Recursive Resolution
[Figure: a client in mcgraw.com resolving a name in fhda.edu; the query is forwarded by each server (root, edu, com, fhda.edu) on the client's behalf and the answer returns along the same path, shown as 10 numbered steps.]
Iterative Resolution
[Figure: the same client and servers, but each server returns a referral and the client's side contacts the root, edu, com and fhda.edu servers in turn, shown as 10 numbered steps.]
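The two resolution styles described above, as an added example that is not part of the original slides. Each toy server is authoritative for one zone and holds either final address records or delegations to its child zones; the server applies the "is this name in my zone?" check from the slide and either answers, recurses, or returns a referral. All server names, zones and addresses are constructed.

```python
# Constructed toy server tree: name -> zone it is authoritative for,
# final records it holds, and delegations (child zone -> child server).
SERVERS = {
    "root":       {"zone": "",           "records": {},
                   "delegations": {"edu": "edu-srv", "com": "com-srv"}},
    "edu-srv":    {"zone": "edu",        "records": {},
                   "delegations": {"fhda.edu": "fhda-srv"}},
    "com-srv":    {"zone": "com",        "records": {},
                   "delegations": {"mcgraw.com": "mcgraw-srv"}},
    "fhda-srv":   {"zone": "fhda.edu",   "delegations": {},
                   "records": {"www.fhda.edu": "192.0.2.10"}},
    "mcgraw-srv": {"zone": "mcgraw.com", "delegations": {},
                   "records": {"www.mcgraw.com": "192.0.2.20"}},
}

def in_zone(name, zone):
    """True if name lies inside zone (the root zone contains everything)."""
    return zone == "" or name == zone or name.endswith("." + zone)

def server_query(srv, name, recursion_desired, trace):
    """One query to one server. trace collects every query that is sent."""
    trace.append((srv, name))
    s = SERVERS[srv]
    if name in s["records"]:                      # authoritative answer
        return "answer", s["records"][name]
    for child_zone, child_srv in s["delegations"].items():
        if in_zone(name, child_zone):
            if recursion_desired:                 # server completes the job
                return server_query(child_srv, name, True, trace)
            return "referral", child_srv          # client must continue
    return "nxdomain", None                       # no such name anywhere

def resolve_iterative(name):
    """Client contacts servers one at a time, following each referral."""
    trace, srv = [], "root"
    while True:
        kind, value = server_query(srv, name, False, trace)
        if kind != "referral":
            return kind, value, trace
        srv = value

def resolve_recursive(name):
    """Client sends a single query; the servers do the rest among themselves."""
    trace = []
    kind, value = server_query("root", name, True, trace)
    return kind, value, trace                     # client only sent trace[0]
```

In both modes the same three servers are consulted; the difference is who sends the follow-up queries.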
Efficient Translation
Most name resolution refers to local names, so tracing a path through the hierarchy to contact the local authority would be inefficient.
If each name resolution always started by contacting the topmost level, the machine at that point would become overloaded.
Failure of machines at the topmost levels would prevent name resolution, even if the local authority can resolve the name.
Caching: The Key To Efficiency
When a server keeps the lookup results for nonlocal names, this is called caching.
Advantages: (1) reducing the search cost; (2) increasing efficiency.
Disadvantage: decreasing accuracy.
When a server asks another server for a mapping and receives the response, it stores the information in its cache before sending it to the client.
If the same or another client asks for the same mapping, the server can check its cache and answer from there.
To inform the client that the response is coming from the cache and not from the authoritative source, the server marks the response as an unauthoritative (nonauthoritative) binding.
To keep the cache up to date, two techniques are used: (1) the authoritative server adds TTL (Time To Live) information to the mapping;
(2) each server keeps a TTL counter for each mapping in its cache.
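The caching behaviour above, as an added example that is not part of the original slides: the cache turns the TTL supplied by the authority into a per-mapping counter, reports the remaining time, marks cached answers as nonauthoritative, and purges a mapping once its counter reaches zero. The authority data and the clock values are constructed; the clock is passed in by the caller so the run is deterministic.

```python
class DnsCache:
    """Resolver-side cache keyed by name; each entry carries its own expiry."""

    def __init__(self):
        self._entries = {}          # name -> (address, expires_at)

    def store(self, name, address, ttl, now):
        # TTL came from the authoritative server (technique 1); keep an
        # absolute expiry so the remaining counter can be recomputed.
        self._entries[name] = (address, now + ttl)

    def lookup(self, name, now):
        """Return (address, remaining_ttl, authoritative=False) or None."""
        entry = self._entries.get(name)
        if entry is None:
            return None
        address, expires_at = entry
        remaining = expires_at - now
        if remaining <= 0:          # counter ran out (technique 2): purge
            del self._entries[name]
            return None
        return address, remaining, False   # served from cache: nonauthoritative

def resolve(cache, name, now, authoritative_lookup):
    """Answer from cache when possible, otherwise ask the authority and cache it."""
    hit = cache.lookup(name, now)
    if hit is not None:
        return hit
    address, ttl = authoritative_lookup(name)
    cache.store(name, address, ttl, now)
    return address, ttl, True       # fresh answer from the authority

# Constructed authoritative data and a counter of how often it is consulted.
AUTHORITY = {"www.example.com": ("192.0.2.1", 300)}
authority_calls = []

def authority(name):
    authority_calls.append(name)
    return AUTHORITY[name]
```

A client receiving the cached answer sees the decremented TTL (200 after 100 seconds), not the original 300, so it cannot keep the record longer than the authority intended.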
DNS Messages
There are two kinds of messages: Query and Response.
Query: Header, Question Section.
Response: Header, Question Section, Answer Section, Authoritative Section, Additional Section.
Header Format
Identification (16 bits) | Parameter / Flags (16 bits)
Number of Question Records
Number of Answer Records (all 0's in a query message)
Number of Authoritative Records (all 0's in a query message)
Number of Additional Records (all 0's in a query message)
Flags Field: QR | OpCode | AA | TC | RD | RA | three 0's | rCode
Question Record Format
Query Domain Name
Query Type | Query Class
Values of rCode
Value   Meaning
0       No error
1       Format error
2       Problem at name server
3       Domain reference problem
4       Query type not supported
5       Administratively prohibited
6-15    Reserved
Resource Record Format
Resource Domain Name
Domain Type Domain Class
Time To Live
Resource Data Length
Resource Data
Compression
A domain name is replaced by an offset pointer if it is repeated. In a resource record the domain name is a repetition of the one in the question record.
The 2-byte (16-bit) offset pointer points to the previous occurrence of the domain name.
2 high-order bits: 11 (to distinguish the pointer from a length field).
14 bits: a number giving the byte offset of that earlier occurrence within the message.
Abbreviation of Domain Name
Provides a method of shortening names when the resolving process can supply part of the name automatically.
The resolving process can assume the name lies in the same local authority.
E.g. omitting the area code when dialing a local telephone number.
When a resolver encounters a name, it steps through a suffix list, appending each suffix and trying to look up the resulting name.
Managers can use the suffix list to make abbreviation convenient, or to restrict application programs to local names.
The domain name system only maps full domain names into addresses; abbreviations are not part of DNS itself, but are introduced by the client software to make local names convenient for users.
Inverse Mapping
An inverse query allows the client to ask a server to map "backwards", by taking an answer and generating the question that would produce that answer.
Inverse queries have been part of the domain system, but they are generally not used because there is no way to find the server that can resolve the query without searching the entire set of answers.
It can be used as an authentication mechanism by which a server verifies that a client is authorized to access the service.
Pointer Queries
A pointer query requests that the name server return the correct domain name for the machine with the specified IP address.
E.g. think of an IP address written in dotted decimal as aaa.bbb.ccc.ddd.
For a pointer query the client rearranges the address as ddd.ccc.bbb.aaa.in-addr.arpa.
The new form is a name in the special domain called in-addr.arpa.
The Internet root domain servers maintain a database of valid IP addresses along with information about the domain name servers that can resolve each group of addresses.
Object Types and Resource Record Content
DNS can be used for translating a host name to an IP address as well as for translating a domain name to a mail exchanger address.
When sending a request a client must specify the type in its query; servers specify the data type in all resource records they return.
To make lookups more efficient, a server always returns any additional bindings it knows in the ADDITIONAL INFORMATION SECTION of a response.
Resource Record Types
Type    Meaning             Contents
A       Host Address        32-bit IP address
CNAME   Canonical Name      Canonical name for an alias
HINFO   CPU & OS            Name of CPU and OS
MINFO   Mailbox Info        Information about a mailbox or mail list
MX      Mail Exchanger      16-bit preference and name of host that acts as mail exchanger for the domain
NS      Name Server         Name of authoritative server for domain
PTR     Pointer             Domain name (like a symbolic name)
SOA     Start of Authority  Which part of the naming hierarchy a server implements
TXT     Arbitrary text      Uninterpreted string of ASCII text
Authority For A Subdomain
Before an institution is granted authority for an official second-level domain, it must agree to operate a domain name server that meets Internet standards.
It must obey the protocol standards that specify message formats and the rules for responding to requests.
The server must know the addresses of the servers that handle each subdomain, as well as the address of at least one root server.
A subtree of names managed by a given name server forms a zone of authority.
Servers must be able to handle many requests, even though some requests take a long time to resolve.
The Internet authority requires that the information in every domain name server be replicated.
Servers must have no single point of failure. At any point in the tree of servers, a server must know how to locate both the primary and the backup name servers for its subdomains, and it must direct queries to a backup server if the primary server is unavailable.
Dynamic DNS Update And Notification
NAT (Network Address Translation) and DHCP (Dynamic Host Configuration Protocol) both require interaction with DNS.
A NAT box obtains a dynamic address from an ISP, so there must be coordination between DNS and the NAT system.
With DHCP a host obtains a dynamic address, so the DNS server for the host must be updated with the host's current address.
To permit multiple parties to share administration, the IETF developed a technology known as Dynamic DNS.
The two aspects of Dynamic DNS are Update and Notification.
Update permits changes to be made dynamically to the information that a server stores.
Because DNS uses backup servers, changes made on the primary server must be propagated to each backup; so when a dynamic change occurs, the primary server sends a notification to the backup servers.
DNS Security Extensions - DNSSEC
The IETF has defined a technology called DNSSEC. The primary services provided by DNSSEC are message origin authentication and data integrity.
By using DNSSEC a host can verify that a DNS message did indeed originate at the authoritative DNS server and that the data in the message arrived without being changed.
DNSSEC does not provide confidentiality, nor does it fend off denial-of-service attacks: even if a host and server both use DNSSEC, there is no guarantee that messages sent between them will be received.
To provide authentication and data integrity, DNSSEC uses a digital signature mechanism that allows the receiver to verify that the contents of the message were not changed.
The DNSSEC mechanism uses public key (PK) cryptography.
To distribute public keys, DNSSEC uses DNS itself: a server holds the public keys for zones. To guarantee security for the entire system, the PK for the top level of the hierarchy must be manually configured into a resolver.
Review Questions
1. What are the disadvantages of the Flat Namespace?
2. Explain Hierarchical namespace.
3. What are the different naming hierarchies at the Top Level? Give some examples of Top-Level domains with their meaning.
4. Which are the two methods for Domain Name Resolution? Explain in detail.
5. What do you mean by efficient translation?
6. What is caching? Give its advantages and disadvantages.
7. Which method is used to keep the cache correct? How?
8. Explain the format of Query Message.
9. Explain the format of Resource Record.
10. How to conserve space in the reply packet?
11. What is the use of resource record type? Explain using example.
12. What is DNSSEC? Explain in brief.