1 CMPT 471 Networking II DNS © Janice Regan, 2006-2013.

Presentation transcript:


Host names
 In addition to identifying a host by the IP address of a connected interface, we also identify the interface by a hostname
 Hostnames are easier for a human to use and remember than the IP address
 In the early Internet, names were recorded at a central registry at the Network Information Center (NIC).
 New hosts/names were submitted to the central registry and added to the hosts file
 The hosts file was available for distribution to all other sites.
 Flat naming structure

Hierarchical name space
 The central naming system worked well until the Internet grew larger than it could handle (soon after TCP/IP was adopted)
 The central servers could no longer deal with the volume of traffic
 The manual updating of names was slow, and maintaining network-wide consistency was difficult
 Enforcing the use of unique names became more difficult (then impossible)

DNS
 The primary use of DNS is to answer queries requesting the IP address that corresponds to a given host name.
 DNS uses a hierarchical classification system for domain names (domains are groups of hosts and networks)
 Responsibility for administering the DNS namespace is distributed
 DNS domain names may represent a network, a subnetwork, or even a host

Hierarchical name space
 A hierarchical system was designed to replace the original flat namespace
 Administration was decentralized using a distributed database
 Local administrators were given responsibility for building and maintaining a database relating IP addresses and names for their designated local networks

DNS Name Tree
[Figure: a name tree whose nodes include cs, arpa, com, edu, gov, us, uk, ca, fr, bc, sfu, fraser, in-addr, ny, ca, sun, nasa, jpl and hp]
 Labels may have up to 63 characters
 Labels (names) may refer to domains (hosts + nets), hosts, or networks

DNS Name Tree
[Figure: the same name tree, with a second child named fraser placed under a parent that already has one (alongside fred and hp1) and marked "NO!"]
 All children of a given parent must have unique names

Constructing names: name tree
 1. Start at the leaves of the tree
 2. The domain for the chosen leaf will be the first part of the name.
 3. Add a period to the first part of the name
 4. Check the domain name of the root of the current position in the tree.
   If it is not the root of the tree, the domain name of the root of the current position in the tree is added after the period
   If it is the root of the tree, the name is complete
 5. Repeat steps 3 and 4 until the name is complete

[Figure: jpl.nasa.gov. built by walking the name tree from the leaf jpl up through nasa and gov to the root]

Fully Qualified Domain Name
 DNS uses fully qualified domain names
 FQDNs are complete domain names including all parts of the domain name from the domain of interest up to the root
 Ends in a "." to indicate the root. For example fraser.sfu.ca.
 The terminating "." indicates that the name is absolute (relative to the root, not to any other position in the DNS tree)
 Domain names that are not fully qualified (do not end at the root, like fraser.sfu) may be interpreted by some software as relative to some particular location (other than the root) in the DNS tree. (more later)
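The name-construction steps and the trailing-dot rule above, worked through in code. This is an added example, not part of the slides: the tree contents, the `TREE`/`construct_name`/`qualify` names and the search domain `ca.` are all constructed for the demo and only loosely mirror the figures.

```python
# Added example (not from the slides): build DNS names by walking a labelled
# tree from a leaf up to the root, following the "Constructing names" steps,
# and show what the trailing "." of a fully qualified name means in practice.
# The tree and the search domain below are constructed for this demo.

MAX_LABEL_LEN = 63  # limit stated in the slides

# Nested dict: each key is a label, each value holds that node's children.
# The root is implicit; its label is the empty string "".
TREE = {
    "gov": {"nasa": {"jpl": {}}},
    "ca": {"sfu": {"fraser": {}, "whistler": {}}},
    "us": {"ca": {}, "ny": {}},  # a second "ca": only siblings must be unique
}


def check_label(label):
    """Reject labels that cannot appear in a DNS name."""
    if not label or "." in label:
        raise ValueError("labels are non-empty and contain no '.': %r" % label)
    if len(label) > MAX_LABEL_LEN:
        raise ValueError("label longer than %d chars: %r" % (MAX_LABEL_LEN, label))


def construct_name(path):
    """Steps from the slides: start at the leaf, append '.', then the label of
    the node above, and repeat until the root is reached.

    `path` lists labels from the top of the tree down to the leaf, e.g.
    ("gov", "nasa", "jpl") -> "jpl.nasa.gov."
    The root's empty label is what follows the final '.', so the result is
    a fully qualified name.
    """
    name = ""
    for label in reversed(path):  # leaf first, then each parent in turn
        check_label(label)
        name += label + "."
    return name


def all_fqdns(tree, path=()):
    """FQDN of every node. Shows that label uniqueness is per parent, so
    "ca." and "ca.us." can both exist."""
    names = []
    for label, children in tree.items():
        node_path = path + (label,)
        names.append(construct_name(node_path))
        names.extend(all_fqdns(children, node_path))
    return names


def is_fqdn(name):
    return name.endswith(".")


def qualify(name, search_domain):
    """Interpret a relative name the way the slides describe: software may
    treat "fraser.sfu" as relative to some domain (here a constructed search
    domain such as "ca."), while an absolute name is used unchanged."""
    if is_fqdn(name):
        return name
    if not is_fqdn(search_domain):
        raise ValueError("search domain must be absolute")
    return name + "." + search_domain


if __name__ == "__main__":
    print(construct_name(("gov", "nasa", "jpl")))  # jpl.nasa.gov.
    print(sorted(all_fqdns(TREE)))
    print(qualify("fraser.sfu", "ca."), qualify("fraser.sfu.ca.", "ca."))
```

Note what `qualify` does with a different search domain: `qualify("fraser.sfu", "sfu.ca.")` yields `fraser.sfu.sfu.ca.`, which is why configuration and scripts should use absolute names ending in "." wherever the software allows it.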

Authority for the DNS namespace
 The central internet authority was ICANN (Internet Corporation for Assigned Names and Numbers) and is now IANA (Internet Assigned Numbers Authority).
 Responsibility for the root level "." domain rests with IANA
 TLDs, the top-level domains of the internet namespace
   include generic TLDs (gTLDs) like .com or .org for classification of domain names by type of use
   include country code TLDs (ccTLDs) like .ca or .us for geographical classification of domain names
 Responsibility for administering the TLDs has been delegated to other contractors by IANA

DNS Name Tree: Domains
[Figure: the name tree with the root domain "" at the top; arpa, com, edu and gov are labelled generic top-level domains (gTLDs), us, uk, ca and fr are labelled country code top-level domains (ccTLDs); lower nodes shown include bc, sfu, cs, fraser, in-addr, ny, ca, nasa, jpl and hp]

Authority for the DNS namespace
 Any organization to which responsibility for a DNS domain is delegated
   must provide at least two independent DNS servers to service that domain
     These DNS servers must be geographically separated
     These servers must be configured to provide continuous service
   may delegate authority for parts of the DNS domain for which it is responsible to other organizations.

Authority for the DNS namespace
 Responsibility for the .ca TLD has been delegated to CIRA (Canadian Internet Registration Authority) by the contractor to IANA
 The .ca TLD is administered by CIRA
 Similarly, CIRA has delegated authority for the sfu.ca domain to SFU
 SFU provides three DNS servers: two at SFU (whistler and seymour) and an independent server located at UBC.
 SFU also runs an independent server for UBC

Authority for the DNS namespace
 Each DNS server must know the name/address of the servers it has delegated responsibility to.
   .ca (CIRA) has delegated responsibility for sfu.ca to SFU
 The delegated authority has a responsibility to inform the delegator if the address or name of its DNS name server changes. This is necessary to guarantee that address queries can be passed down the tree.
 The delegator of authority need not inform all organizations it delegates to of changes made by other such organizations. This would be an unreasonable load in a rapidly growing/changing internet.

Domain Name System
 A DNS domain is a subtree
 The name of the domain is the domain name of the node at the root of the subtree
 The domain includes all domains and hosts contained within itself
   The .us domain includes the .ca domain and the .ny domain
   The .mycomp domain includes the .mynet domain and the host .myhost
 The administrative responsibility for the domain and its subdomains may be arranged in different ways

DNS Name Tree: sub-trees
[Figure: the name tree with two subtrees outlined: the us domain (containing ny and ca) and the mycomp domain (containing mynet and the host myhost); other nodes shown include cs, arpa, com, edu, gov, ca, fr, bc, sfu, fraser, nasa and jpl]

How many DNS servers?
 Extrapolating the model we discussed before would give a DNS server for each domain
 What is the smallest domain?
   1 host, host name = domain name. Clearly this makes too many servers
   1 local network = 2 DNS servers. Still too many (lots of small networks)
 At some reasonable point we need to stop delegating authority

Dividing Authority
 What about domains that include both hosts and multiple sub-domains?
 We can delegate the sub-domains; what about the hosts?
 What if you want to delegate only some of the sub-domains?
 We need a more flexible administrative unit: the zone

Zone
 An administrative division of the domain name tree
 Each zone is the responsibility of one administrative authority
 A zone may include hosts and sub-domains
 Sub-domains in a zone may or may not have authority delegated to other administrative authorities. Any subset of sub-domains may be delegated
 The domain name of the zone is the domain name of the domain with the same root domain name

Domain Name System
 A DNS zone is a subtree
   Any delegated subtree
 The administrative authority for the zone must maintain at least two completely independent DNS servers for the zone
 A given zone will have a corresponding zone in the arpa subtree to be used for inverse queries
 A zone may delegate some of its sub-domains and not others

DNS Name Tree: zones
[Figure: the .ca domain with children bc, ab, on, qc and sk; sk.ca and qc.ca are outlined as separate zones, and the rest of the .ca domain forms the .ca zone]

Authority for the DNS namespace
 A particular DNS name server will service a zone. Its database of name information will contain
   entries for any hosts in the zone
   delegation information for domains or zones that have been delegated to other authorities
     Includes the address of (pointer to) the DNS servers for the delegated domains or zones
     Excludes information about further delegation of authority in delegated zones, or hosts in delegated domains
 Root servers contain the delegation information for all TLDs

Inverse Queries
 Given an IP address, what is the name of the host?
 Uses the in-addr.arpa portion of the address tree
 The IP address is used as the 'name' in this portion of the tree. The four dot-separated fields are used in reverse order
 For example, if the IP address is … then the address read from the tree would be …

The in-addr.arpa domain
[Figure: the in-addr.arpa subtree, with one level of octet labels (0, …) under in-addr.arpa, a further level of octet labels under each of those, and so on down to the host's last octet]

in-addr.arpa structure
 On the surface it seems it would be easier to put the IP address parts (each number between the "."s in dotted-decimal notation) in the opposite order
 However, enabling delegation of smaller networks (longer masks) from larger networks (shorter masks) requires that the most specific part of the IP address be placed at the bottom of the in-addr.arpa tree
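The reverse-order naming described in the two slides above, as an added example (not from the slides). It derives in-addr.arpa names for IPv4 addresses and shows why the octets must be reversed: a network's reverse zone must be an ancestor of every host name inside it, so a /24 zone sits below its /16 zone and can be delegated from it. The function names and the addresses (198.51.100.0/24 is a documentation range; the enclosing /16 is used only to illustrate delegation) are constructed for the demo.

```python
# Added example (not from the slides): in-addr.arpa names for IPv4 addresses
# and the reason for the reversed octet order. Addresses are constructed.
import ipaddress

REVERSE_SUFFIX = "in-addr.arpa."


def reverse_name(ip):
    """Dotted-decimal IPv4 address -> its name in the in-addr.arpa subtree.
    Each octet becomes one label, in reverse order, as the slides describe."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + "." + REVERSE_SUFFIX


def reverse_zone(cidr):
    """Name of the in-addr.arpa node that covers an octet-aligned network
    (/8, /16 or /24). Only such networks map to a single node; finer
    delegations need other arrangements that the slides do not cover."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 map to one in-addr.arpa node")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + "." + REVERSE_SUFFIX


def is_within(name, zone):
    """True if `name` lies in the subtree rooted at `zone` (both absolute)."""
    return name == zone or name.endswith("." + zone)


def naive_forward_name(ip):
    """The order the slides call 'easier' on the surface. The most specific
    octet comes first, so no single node covers a whole network; used here
    only as a contrast."""
    return str(ipaddress.IPv4Address(ip)) + "." + REVERSE_SUFFIX


if __name__ == "__main__":
    host = "198.51.100.7"
    print(reverse_name(host))               # 7.100.51.198.in-addr.arpa.
    print(reverse_zone("198.51.100.0/24"))  # 100.51.198.in-addr.arpa.
    print(reverse_zone("198.51.0.0/16"))    # 51.198.in-addr.arpa.
    # The /24 zone is inside the /16 zone, so the /16 holder can delegate it.
    print(is_within(reverse_zone("198.51.100.0/24"), reverse_zone("198.51.0.0/16")))
    # In the naive order the host name does not sit under any network name.
    print(is_within(naive_forward_name(host), "198.51.100." + REVERSE_SUFFIX))
```

`is_within` is the same suffix test a name server applies when deciding whether a delegation covers a query, which is exactly what fails for the naive (non-reversed) order.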

DNS
 The primary use of DNS is to answer queries requesting the IP address that corresponds to a given host name.
 There are two approaches to answering a query
   Iterative: the name server receiving the query responds with either the IP address of the host or the name of the next server it would consult (next higher server in the tree)
   Recursive: the name server will, if necessary, directly query the next name server, and will return the final answer

Caching
 Each time a DNS query is made by the DNS server, the information in the response is cached
 This cached information can be used to improve the efficiency of later queries to the DNS server

Common DNS implementations
 Reference implementation of DNS: BIND (Berkeley Internet Name Daemon), managed by ISC
   Current release BIND 9
   2010: 1st year of a 5-year effort to build BIND 10
 Using a recent release is important. BIND 8.2 and 9 include
   more extensive security features
   incremental updates of slave servers (before, a full retransmission of the DNS database was necessary for updates)
   new configuration syntax

BIND
 BIND has two major components
   The resolver is a subroutine library that is used by DNS clients to make and interpret queries
   The name server daemon named (listens on port 53 for UDP and TCP)

BIND
 BIND usually uses UDP to transfer data.
 If a response contains more data than will fit in the allowed UDP packet (512 octets), it will be truncated and flagged. The resolver will then request to have the full response sent using TCP
 TCP is also used for transferring or updating the contents of DNS databases from one DNS server to another (master to slave)
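The truncate-and-flag behaviour above, worked through at the message level. This is an added example and not BIND's own code: it packs and parses the 12-byte DNS header so a client can detect the TC ("truncated") flag and decide to retry over TCP, where each message carries a 2-byte length prefix (header layout and TCP framing as in RFC 1035, which the slides cite). The function names and the padded 600-byte "response" are constructed for the demo and contain no real question or answer records.

```python
# Added example (not from the slides, not BIND code): DNS header handling for
# the UDP truncation check and TCP framing. Messages below are constructed.
import struct

UDP_PAYLOAD_LIMIT = 512            # classic UDP limit the slides cite
HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount

# Flag bit positions within the 16-bit flags word (RFC 1035 section 4.1.1).
QR_BIT, AA_BIT, TC_BIT, RD_BIT, RA_BIT = 15, 10, 9, 8, 7


def build_header(msg_id, qr=0, aa=0, tc=0, rd=1, ra=0, rcode=0,
                 qdcount=1, ancount=0, nscount=0, arcount=0):
    """Pack a header; the opcode is left as 0 (standard query)."""
    flags = ((qr & 1) << QR_BIT) | ((aa & 1) << AA_BIT) | ((tc & 1) << TC_BIT) \
        | ((rd & 1) << RD_BIT) | ((ra & 1) << RA_BIT) | (rcode & 0xF)
    return HEADER.pack(msg_id, flags, qdcount, ancount, nscount, arcount)


def parse_header(data):
    """Unpack the header fields; raises ValueError on a short message."""
    if len(data) < HEADER.size:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = HEADER.unpack_from(data)
    return {
        "id": msg_id,
        "qr": (flags >> QR_BIT) & 1, "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> AA_BIT) & 1, "tc": (flags >> TC_BIT) & 1,
        "rd": (flags >> RD_BIT) & 1, "ra": (flags >> RA_BIT) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_response, expected_id):
    """The resolver's check: a response with TC set is incomplete, so the
    query should be repeated over TCP. The ID is matched as well so that a
    stray or forged reply belonging to a different query is not acted on."""
    h = parse_header(udp_response)
    return h["qr"] == 1 and h["id"] == expected_id and h["tc"] == 1


def mark_truncated(message, limit=UDP_PAYLOAD_LIMIT):
    """Server side: if the message exceeds the UDP limit, set TC and cut it.
    A real server drops whole records and corrects the counts; this demo only
    sets the flag and truncates, which is enough for the client check above."""
    if len(message) <= limit:
        return message
    msg_id, flags, qd, an, ns, ar = HEADER.unpack_from(message)
    flags |= 1 << TC_BIT
    return HEADER.pack(msg_id, flags, qd, an, ns, ar) + message[HEADER.size:limit]


def tcp_frame(message):
    """DNS over TCP: a two-byte big-endian length, then the message."""
    if len(message) > 0xFFFF:
        raise ValueError("message too long for TCP framing")
    return struct.pack("!H", len(message)) + message


def tcp_unframe(stream):
    """Split one framed message off the front of a TCP byte stream. Returns
    (message, remaining_bytes); raises ValueError if the frame is incomplete,
    so a caller keeps reading instead of parsing a partial message."""
    if len(stream) < 2:
        raise ValueError("need 2 bytes of length prefix")
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("incomplete frame: expected %d bytes" % length)
    return stream[2:2 + length], stream[2 + length:]


if __name__ == "__main__":
    # A constructed 600-byte "response" (zero padding stands in for records).
    big = build_header(0x1234, qr=1, aa=1, rd=1, ra=1, ancount=20) + b"\x00" * 588
    udp = mark_truncated(big)
    print(len(udp), parse_header(udp)["tc"], needs_tcp_retry(udp, 0x1234))  # 512 1 True
    msg, rest = tcp_unframe(tcp_frame(big))
    print(msg == big, rest == b"")                                          # True True
```

Checking the message ID before honouring TC is a small but worthwhile habit: the retry decision should be driven only by a reply to the query actually sent.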

Operation of a DNS server
 A DNS name server is initialized knowing the addresses of the root servers, knowing the addresses of some other servers, or with the zone data files for one or more zones.
 As queries are made, the information received from the queries is added to a cache.
   Entries generally have a long (hours to days) lifetime.
   Lifetime (TTL) is set by the administrator when configuring the server, or reset by the administrator at a later time
     A shorter lifetime keeps information up to date but causes an increased load of queries to the DNS server
 When further queries are made, the cache is checked before queries are transmitted
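The iterative and recursive approaches, the zone-database contents (host entries plus pointers to delegated zones' servers) and the TTL-bounded cache described in the slides above, combined in one toy model. This is an added example, not from the slides and not real server code: the server names, zone contents and addresses in `SERVERS` (192.0.2.0/24 is a documentation range) are constructed and describe no real server.

```python
# Added example (not from the slides): a toy model of iterative and recursive
# resolution over a small set of authoritative servers, plus a cache whose
# entries expire after a TTL. All names and addresses are constructed.

# Each server is authoritative for one zone and holds what the slides say a
# zone database holds: host entries, and pointers to the servers of zones
# delegated from it (nothing about what lies below those delegations).
SERVERS = {
    "root-server": {"zone": ".", "hosts": {},
                    "delegations": {"ca.": "ca-server", "gov.": "gov-server"}},
    "ca-server":   {"zone": "ca.", "hosts": {},
                    "delegations": {"sfu.ca.": "sfu-server"}},
    "sfu-server":  {"zone": "sfu.ca.", "delegations": {},
                    "hosts": {"fraser.sfu.ca.": "192.0.2.10",
                              "whistler.sfu.ca.": "192.0.2.11"}},
    "gov-server":  {"zone": "gov.", "hosts": {},
                    "delegations": {"nasa.gov.": "nasa-server"}},
    "nasa-server": {"zone": "nasa.gov.", "delegations": {},
                    "hosts": {"jpl.nasa.gov.": "192.0.2.20"}},
}
ROOT = "root-server"
MAX_HOPS = 8  # guard against a misconfigured delegation loop


def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def ask(server, name):
    """One query to one authoritative server. Returns ("answer", ip),
    ("referral", next_server) or ("nxdomain", None)."""
    data = SERVERS[server]
    if name in data["hosts"]:
        return "answer", data["hosts"][name]
    # The longest delegated zone containing the name is the right referral.
    matches = [z for z in data["delegations"] if in_zone(name, z)]
    if matches:
        return "referral", data["delegations"][max(matches, key=len)]
    return "nxdomain", None


def iterative_resolve(name):
    """Iterative mode: the client follows each referral itself.
    Returns (ip or None, list of servers contacted)."""
    server, contacted = ROOT, []
    for _ in range(MAX_HOPS):
        contacted.append(server)
        kind, value = ask(server, name)
        if kind == "answer":
            return value, contacted
        if kind == "nxdomain":
            return None, contacted
        server = value
    raise RuntimeError("too many referrals resolving %s" % name)


def recursive_resolve(server, name, depth=0):
    """Recursive mode: the server that received the query follows the
    referrals and hands back only the final answer (ip or None)."""
    if depth > MAX_HOPS:
        raise RuntimeError("too many referrals resolving %s" % name)
    kind, value = ask(server, name)
    if kind == "referral":
        return recursive_resolve(value, name, depth + 1)
    return value


class Cache:
    """Positive cache with per-entry expiry. `now` is passed in explicitly
    so the behaviour is deterministic."""
    def __init__(self):
        self.entries = {}  # name -> (ip, expires_at)

    def get(self, name, now):
        hit = self.entries.get(name)
        if hit is None:
            return None
        ip, expires_at = hit
        if now >= expires_at:  # expired: drop it and report a miss
            del self.entries[name]
            return None
        return ip

    def put(self, name, ip, ttl, now):
        self.entries[name] = (ip, now + ttl)


def cached_resolve(name, cache, now, ttl):
    """Check the cache before sending any query, as the slides describe.
    Returns (ip or None, served_from_cache)."""
    ip = cache.get(name, now)
    if ip is not None:
        return ip, True
    ip, _ = iterative_resolve(name)
    if ip is not None:
        cache.put(name, ip, ttl, now)
    return ip, False


if __name__ == "__main__":
    print(iterative_resolve("fraser.sfu.ca."))
    print(recursive_resolve(ROOT, "jpl.nasa.gov."))
    c = Cache()
    for t in (0, 1800, 3600):  # hit at 1800, miss again once the TTL elapses
        print(t, cached_resolve("fraser.sfu.ca.", c, now=t, ttl=3600))
```

The `MAX_HOPS` guard is the part worth copying: a resolver that follows referrals without a bound can be made to loop by a single bad delegation.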

Types of DNS servers
 Primary Master or Master Server:
   Each domain has at least one.
   Initializes from a series of files (zone data files) maintained by a system manager.
   Authoritative for the zone.

Types of DNS servers
 Secondary Master or Slave Server:
   Initializes from the master server.
   Authoritative for the zone.
   If a slave server reboots, it will first load the DNS data that it had before the server went down. It will then contact the master server and update information as necessary from the current zone data files.

DNS Servers
 A DNS server may service more than one zone
 A DNS server may be master server for one zone and slave server for another zone

Types of DNS servers
 Cache Only Server:
   Begins with the addresses of the root servers, or with the names of a few local name servers to which to forward all queries.
   Not authoritative for any zone.
   When the requested information is returned, it is cached
   When the server replies that the requested information is not available, this information is also saved (negative caching)
   Must ask the primary server in its zone to do lookups for its local zone

References: DNS and DHCP
 If you want to know more than we covered in this class, I suggest these books as excellent references
   The DHCP Handbook (second edition, 2002) by Ralph Droms and Ted Lemon
   DNS and BIND (4th edition, 2001) by Paul Albitz and Cricket Liu