Domain Name System 2008.4.17 DPNM Lab. Seongho Cho


Domain Name System DPNM Lab. Seongho Cho

Contents
- Introduction
- Background
  - History
  - Terminology
  - Types of Name Servers
  - The Domain Namespace
  - Root Name Server Worldwide
- DNS Basics
- Resource Records
- How DNS Works
- DNS Message Format
- Caching
- UDP or TCP
- DNS Backbone DDoS Attacks
- Q&A

Introduction
DNS is a distributed database used by applications.
- distributed: no single site on the Internet knows all the information
- maps between hostnames and IP addresses
- provides electronic mail routing information
Applications access the DNS through a resolver.
- the resolver is part of the application
- gethostbyname(): takes a hostname, returns an IP address
- gethostbyaddr(): takes an IP address, looks up a hostname
Resolvers communicate with name servers using the TCP/IP protocols.

History
DNS was invented only in 1983, shortly after TCP/IP was deployed.
- With the older system, each computer on the network retrieved a file called HOSTS.TXT.
- The HOSTS.TXT file mapped numerical addresses to names.
The growth of networking called for a more scalable system:
- one that recorded a change in a host's address in one place only;
- other hosts would learn about the change dynamically.
At the request of Jon Postel, Paul Mockapetris invented the Domain Name System in 1983 and wrote the first implementation.
- RFC 1034 specifies the concepts and facilities provided by the DNS.
- RFC 1035 details the implementation and specification.
The most commonly used implementation of the DNS, both resolver and name server, is called BIND (the Berkeley Internet Name Domain server).

Terminology
- Forward DNS: mapping of hostnames to IP addresses.
- Reverse DNS: the opposite of forward DNS; mapping of IP addresses to hostnames.
- Origin: refers to the domain covered in a particular zone file.
- named, BIND, name server: common names for the BIND name server.
- Resolver: a system process through which a machine queries a name server for zone information.
- Root zone: the beginning of the Internet zone hierarchy. All zones fall under the root zone, similar to how all files in a file system fall under the root directory.
- Zone: an individual domain, subdomain, or portion of the DNS administered by the same authority. Examples of zones:
  - . is the root zone.
  - org. is a Top Level Domain (TLD) under the root zone.
  - example.org. is a zone under the org. TLD.
  - in-addr.arpa is a zone referencing all IP addresses which fall under the * IP space.

Types of Name Servers
Name servers usually come in two forms: an authoritative name server and a caching name server.
An authoritative name server is needed when:
- one wants to serve DNS information to the world, replying authoritatively to queries;
- a domain, such as example.org, is registered and IP addresses need to be assigned to hostnames under it;
- an IP address block requires reverse DNS entries (IP to hostname);
- a backup or secondary name server, called a slave, will reply to queries.
A caching name server is needed when:
- a local DNS server may cache and respond more quickly than querying an outside name server.

The Domain Namespace
A hierarchical tree structure is called the domain namespace.
- The DNS is implemented as a hierarchical and distributed database.
[Figure: DNS Domain Name Hierarchy]

The Domain Namespace: How the DNS Domain Namespace Is Organized
Types of DNS domain names (name type: example):
- Root domain: a single period (.) or a period used at the end of a name, such as "example.microsoft.com."
- Top level domain: ".com", which indicates a name registered to a business for commercial use on the Internet.
- Second level domain: "microsoft.com.", which is the second-level domain name registered to Microsoft by the Internet DNS domain name registrar.
- Subdomain: "example.microsoft.com.", which is a fictitious subdomain assigned by Microsoft for use in documentation example names.
- Host or resource name: "host-a.example.microsoft.com.", where the first label ("host-a") is the DNS host name for a specific computer on the network.

Root Name Server Worldwide
13 root name servers worldwide
- currently consisting of 13 nominal root name servers working in agreement with ICANN (Internet Corporation for Assigned Names and Numbers)

Root Name Server Worldwide
13 root name servers worldwide
- The C, F, I, J, K and M servers now exist in multiple locations on different continents, using anycast announcements to provide a decentralized service.

DNS Basics
A zone is a subtree of the DNS tree that is administered separately; the authority for a zone is up to the person responsible for it, who
- allocates a name and an IP address for a new system;
- enters these into the name server's database;
- provides a primary name server and one or more secondary name servers for the zone:
  - independent, redundant;
  - the primary loads all the information for the zone from a disk file;
  - the secondaries obtain it from the primary (zone transfer).
When a new host is added to a zone:
- the administrator adds the appropriate information to the disk file;
- the primary name server is notified to reread its configuration file;
- the secondary queries the primary (every 3 hours) and obtains the new data using a zone transfer.
When a name server doesn't contain the information requested:
- it contacts a root name server;
- the primary contains the IP address of each root server;
- the root server tells the requesting server to contact another server.

Resource Records
A DNS database consists of resource records (RRs).
Common DNS resource records (type: description; data fields):
- SOA (Start of Authority): the SOA RR identifies a primary DNS name server for the zone as the best source of information for the data within that zone and as the entity processing the updates for the zone. Data: owner name, primary name server DNS name, serial number, refresh interval, retry interval, expire time, minimum TTL.
- A (Host): an A record defines an IP address. It is stored as a 32-bit binary value. Data: owner name (host DNS name), host IP address.
- NS (Name Server): this record specifies the authoritative name server for a domain. Data: owner name, name server DNS name.
- MX (Mail Exchanger): for mapping a DNS domain name to the name of a computer that exchanges or forwards mail. Data: owner name, mail exchange server DNS name, preference number.
- CNAME (Canonical Name): it is represented as a domain name. The domain name that has a canonical name is often called an alias. Data: owner name (alias name), host DNS name.
- PTR (Pointer): for mapping a reverse DNS domain name, based on the IP address of a computer, to the forward DNS domain name of that computer.

Resource Records: Zone Files
An example master zone file for example.org (annotations to the file shown on the slide):
- the domain name, which is also the origin for this zone file;
- the primary/authoritative name server for this zone;
- the responsible person for this zone, an e-mail address with the @ replaced by a period;
- the serial number of the file. This must be incremented each time the zone file is modified;
- an NS entry. Every name server that is going to reply authoritatively for the zone must have one of these entries;
- the A record indicates machine names. As seen above, ns1.example.org would resolve to the address shown;
- this line assigns an IP address to the current origin, in this case example.org;
- the canonical name record is usually used for giving aliases to a machine. In the example, www is aliased to the "master" machine, whose name equals the domain name example.org;
- the MX record indicates which mail servers are responsible for handling incoming mail for the zone. mail.example.org is the hostname of the mail server, and 10 is the priority of that mail server.
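The zone file described above (and the serial/refresh mechanism from the DNS Basics slide) can be checked before a primary loads it. The following is an added example, not the slide's own zone file: a small parser for master-file syntax applied to a constructed example.org zone (RFC 5737 documentation addresses), followed by the consistency checks an operator would want, such as in-zone name servers having A records and MX targets not being CNAME aliases.

```python
from collections import defaultdict

# Constructed example.org zone (RFC 5737 documentation addresses); not the slide's file.
ZONE_TEXT = """\
@       IN  SOA ns1.example.org. admin.example.org. (
                2008041701 ; serial: must increase on every edit
                10800      ; refresh: secondaries poll every 3 hours
                3600 604800 86400 )  ; retry, expire, minimum TTL
@       IN  NS    ns1.example.org.
ns1     IN  A     192.0.2.1
@       IN  A     192.0.2.10
www     IN  CNAME example.org.
@       IN  MX    10 mail.example.org.
mail    IN  A     192.0.2.20
"""

def parse_zone(text, origin):
    """Return {owner: [(type, rdata_tokens), ...]} from master-file text."""
    owner, records, buf, depth, new_owner = None, defaultdict(list), [], 0, True
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()                 # drop comments
        if not line:
            continue
        if not buf:                                       # first line of a record:
            new_owner = not line[0].isspace()             # indented => reuse owner
        for tok in line.replace("(", " ( ").replace(")", " ) ").split():
            if tok in ("(", ")"):
                depth += 1 if tok == "(" else -1
            else:
                buf.append(tok)
        if depth:                                         # still inside ( ... )
            continue
        rec, buf = buf, []
        if new_owner:
            name = rec.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        if rec[0] == "IN":                                # class is optional
            rec.pop(0)
        records[owner].append((rec[0], rec[1:]))
    return dict(records)

def check_zone(origin, records):
    """Pre-load sanity checks; returns a list of problems (empty means OK)."""
    types = {own: {t for t, _ in rrs} for own, rrs in records.items()}
    problems = [] if "SOA" in types.get(origin, ()) else ["no SOA record at the origin"]
    for own, rrs in records.items():
        for rtype, rdata in rrs:
            target = rdata[-1]                            # NS/MX/CNAME name is last
            if rtype == "NS" and target.endswith(origin) and "A" not in types.get(target, ()):
                problems.append(f"in-zone name server {target} has no A (glue) record")
            elif rtype == "MX" and "CNAME" in types.get(target, ()):
                problems.append(f"MX target {target} is a CNAME alias")
            elif rtype == "CNAME" and len(types[own]) > 1:
                problems.append(f"{own} mixes CNAME with other record types")
    return problems
```

Names ending in a dot are taken as absolute; anything else is appended to the origin, which is why the CNAME target is written as example.org. with the trailing dot.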

How DNS Works: DNS Query Types
1. Recursive query for the host name (A resource record).
2. Iterative query for the host name (A resource record).
3. Referral to the .gov name server (NS resource records for .gov). For simplicity, the iterative A queries made by the DNS server (on the left) to resolve the IP addresses of the host names of the name servers returned by other DNS servers have been omitted.
4. Iterative query for the host name (A resource record).
5. Referral to the whitehouse.gov name server (NS resource record for whitehouse.gov).
6. Iterative query for the host name (A resource record).
7. Answer to the iterative query from the whitehouse.gov server (the host's IP address).
8. Answer to the original recursive query from the local DNS server to the resolver (the host's IP address).
DNS clients (resolvers) typically make recursive queries. With a recursive query, the DNS server must contact any other DNS servers it needs to resolve the request. An iterative query is one in which the DNS server is expected to respond with the best local information it has, based on what the DNS server knows from local zone files or from caching. It may have to query a number of outside DNS servers in an attempt to resolve the name.

DNS Message Format
[Figure: general format of DNS queries and responses]

DNS Message Format: flags field in the DNS header
- QR: 0 (query), 1 (response)
- opcode: 0 (standard query), 1 (inverse query), 2 (server status request)
- AA: authoritative answer
- TC: truncated
- RD: recursion desired (set for a recursive query, clear for an iterative query)
- RA: recursion available
- rcode: 0 (no error), 3 (name error)

DNS Message Format: format of the question portion of a DNS query message
- query name: a sequence of one or more labels (no padding)
- query type:
  - A: IP address for the query name
  - PTR: the name corresponding to an IP address
- query class: 1 (Internet address)
[Figure: representation of the domain name]

DNS Message Format: format of a DNS resource record
- domain name: the name to which the following resource data applies
- type: one of the RR type codes
- class: 1 (Internet data)
- time-to-live: the number of seconds that the RR can be cached (2 days)
- resource data length: depends on the type (A type: 4-byte IP address)

DNS Message Format
[Figure: a simple example]
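As an added example (not from the slides), the following builds a standard query with the header and question layout described above, builds a constructed authoritative reply whose answer name is a compression pointer back to the question, and parses the header flags (QR, opcode, AA, TC, RD, RA, rcode), the question and the resource records. parse_message also reports a truncated (TC) reply so the caller knows to repeat the query over TCP, and read_name bounds pointer following so a crafted message cannot loop the parser.

```python
import struct

def encode_name(name):
    """Hostname -> length-prefixed labels (no padding), ended by a zero-length label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(txid, name, qtype=1):
    """12-byte header + one question; flags 0x0100 = standard query (opcode 0), RD set."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))

def build_response(query, ip, ttl=172800):
    """Constructed authoritative A answer; owner name is pointer 0xC00C to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0400 | 0x0100 | 0x0080                # QR, AA, RD, RA; rcode 0
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(map(int, ip.split(".")))
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + query[12:] + rr

def read_name(msg, pos):
    """Decode a name at pos, following compression pointers; returns (name, next pos)."""
    labels, end = [], None
    for _ in range(128):                                      # bound pointer loops
        n = msg[pos]
        if n & 0xC0 == 0xC0:                                  # 2-byte pointer
            end = end or pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if n == 0:
            return ".".join(labels) + ".", (end or pos)
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    raise ValueError("malformed name: too many labels or a pointer loop")

def parse_message(msg):
    """Header flags (slide layout), questions and answers as a dict."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "qr": flags >> 15, "opcode": flags >> 11 & 0xF,
           "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
           "ra": flags >> 7 & 1, "rcode": flags & 0xF, "questions": [], "answers": []}
    pos = 12
    for _ in range(qd):
        name, pos = read_name(msg, pos)
        qtype, _cls = struct.unpack("!HH", msg[pos:pos + 4]); pos += 4
        out["questions"].append((name, qtype))
    for _ in range(an):
        name, pos = read_name(msg, pos)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10]); pos += 10
        rdata = msg[pos:pos + rdlen]; pos += rdlen
        if rtype == 1:                                        # A: 4-byte IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        out["answers"].append((name, rtype, ttl, rdata))
    out["retry_over_tcp"] = bool(out["tc"])                   # truncated: repeat over TCP
    return out
```

The authority and additional sections are counted but not decoded here; a resolver would also check that the reply's id and question match the query it sent before accepting the answer.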

Caching
When a name server receives information about a mapping, it caches that information.
- a later query for the same mapping can use the cached result
- it does not result in additional queries to other servers
All name servers employ a cache.
- the cache is available to any application that uses the server
- applications share the server's cache

UDP or TCP
The well-known port numbers for a DNS name server are UDP port 53 and TCP port 53.
- the DNS primarily uses UDP
- TCP is used:
  - when the response comes back with the TC bit set
  - when a zone transfer is performed

DNS Backbone DDoS Attacks
February 6, 2007
- The attack began at 10:30 UTC and lasted about five hours.
- Although none of the servers crashed, two of the root servers reportedly "suffered badly", while others saw "heavy traffic".
- The botnet responsible for the attack has reportedly been traced to South Korea.
October 22, 2002
- The first attack occurred on October 22, 2002, and lasted for approximately one hour.
- Of the thirteen servers, nine were disabled but the remaining four were able to cope.


Questions ?