dns tutorial ietf 63
play

DNS Tutorial @ IETF-63 lafur Gudmundsson OGUD consulting Peter - PowerPoint PPT Presentation

Jun 05, 2023 •182 likes •653 views

DNS Tutorial @ IETF-63 lafur Gudmundsson OGUD consulting Peter Koch DENIC 1 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com & pk@denic.de Tutorial Overview Goal: Give the audience basic understanding of DNS to be able to

  1. DNS Tutorial @ IETF-63 Ólafur Gudmundsson OGUD consulting Peter Koch DENIC 1 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com & pk@denic.de

  2. Tutorial Overview • Goal: – Give the audience basic understanding of DNS to be able to facilitate new uses of DNS • Tutorial Focus: Big picture - Not software help - DNS != BIND - No gory protocol details - Location of slides: http://www.techfak.net/DNStut.ppt 2 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com & pk@denic.de

  3. DNS Data Model DNS is global "loosely consistent" delegated database • delegated -> contents are under local control • loosely consistent -> shared information (within constraints) – does not need to match or be up-to date. – operation is global with owners of "names" responsible for serving up their own data. • Data on wire is binary • Domain names are case insensitive for [A-Z][a-z], – case sensitive for others • Hostname [A..Z0..9-] RFC952 – Restricts names that can be used – IDN provides standard encoding for names in non-US_ASCII 3 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com & pk@denic.de

  4. DNS tree “.” ORG COM DE IS UK XXX IETF ogud ISOC DENIC www EDU 4 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com & pk@denic.de

  5. DNS Terms • Domain name: any name represented in the DNS format – foo.bar.example. – \0231br.example . • DNS label: – each string between two "." unless the dot is prefixed by \ – ie foo.bar is 2 labels foo\.bar is 1 label • DNS zone: – a set of names that are under the same authority – example.com and ftp.example.com , www.example.net – Zone can be deeper than one label, example .us, ENUM • Delegation: – Transfer of authority for a domain • example.org is a delegation from org • the terms parent and child will be used. 5 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com & pk@denic.de

  6. More DNS terms • RR: a single Resource Record • RRset: all RRs of same type at a name – Minimum transmission unit • TTL: The time a RRset can be cached/reused by non authoritative server 6 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com & pk@denic.de

  7. DNS Elements • Resolver – stub: simple, only asks questions – recursive: takes simple query and makes all necessary steps to get the full answer, • Server – authoritative: the servers that contain the zone file for a zone, one Primary, one or more Secondaries, – Caching: A recursive resolver that stores prior results and reuses them – Some perform both roles at the same time. 7 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com & pk@denic.de

  8. DNS retrieval mode • DNS is a "lookup service" – Simple queries --> simple answers – No search – no 'best fit' answers – Limited data expansion capability • DNS reasons for success – Simple • "holy" Q-trinity: QNAME, QCLASS, QTYPE – Clean • Explicit transfer of authority – Parent is authoritative for existence of delegation, – Child is authoritative for contents. 8 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com & pk@denic.de

  9. DNS Protocol on the wire • Transport: 1 1 1 1 1 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 – UDP 512 bytes Payload, with +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ID | TCP fallback +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |QR| Opcode |AA|TC|RD|RA| Z|AD|CD| RCODE | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ – EDNS0 (OPT RR) expands | QDCOUNT == 1 | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ UDP payload size by mutual | ANCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | NSCOUNT | agreement. +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ARCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ – TSIG hop by hop Query section contains: QNAME: <name in domain name format, variable length> authentication and integrity QCLASS: 2 bytes QTYPE: 2 bytes. • Retransmission: built in – Resends timed out query to a different server. 9 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com & pk@denic.de

  10. DNS RR wire format +------------------+-----+------+--------+----+-----------+ + Domain name |type | class| TTL | RL | RDATA | +------------------+-----+------+--------+----+-----------+ <variable> 2 2 4 2 <variable> • Owner name (domain name) – Encoded as sequence of labels • Each label contains – Length (1 byte) – Name (n bytes [1..63]) – ogud.com  04ogud03com00 • Type : MX, A, AAAA, NS … • CLASS: IN (other classes exist but not global) • TTL: Time To Live in a cache • RL: RD LENGTH: size of RDATA • RDATA: The contents of the RR – Binary blob, no TLV. 10 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com & pk@denic.de

  11. DNS query • QNAME: www.ietf.org Root Server • QCLASS: IN • QTYPE: A Ask org NS Org Server www.ietf.org Ask ietf.org NS Local Ietf.org Server www.ietf.org A Resolv 65.256.255.51 www.ietf.org A er 65.256.255.51 11 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com & pk@denic.de

  12. DNS Query Model: Question  Answer Stub_resolver -> Recursive_Resolver  Auth Server[1]  ……. Recurisive_Resolver  Auth Server[n]   Recursive_Resolver Stub_resolver has an answer and returns that to the application. 12 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com & pk@denic.de

  13. DNS Record Types: • DNS Internal types – NS, SOA, DS, DNSKEY, RRSIG, NSEC • Only used by DNS for its operation • Indirect RR: – CNAME, DNAME • Internal DNS RR cause Resolver to change direction of search – Server must have special processing code • Terminal RR: – Address records • A, AAAA, – Informational • TXT, HINFO, KEY, SSHFP – carry information to applications • Non Terminal RR: – MX, SRV, PTR, KX, A6, NAPTR, AFSDB • contain domain names that may lead to further queries. • META: – OPT, TSIG, TKEY, SIG(0) • Not stored in DNS zones, only appear on wire 13 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com & pk@denic.de

  14. DNS operation • DNS zone is loaded on authoritative servers, – servers keep in sync using information in SOA RR via AXFR, IXFR or other means. • DNS caches only store data for a “short” time – defined by TTL on RRset. • DNS Resolvers start at longest match on query name they have in cache when looking for data, and follow delegations until a answer or negative answer is received. – DNS packets are small – DNS transactions are fast if servers are reachable. – Tree climbing == BAD – Few applications have said that if RR does not exist at name then look for zone default at apex, • Zone cut is hard to find by stub resolvers, • hierarchy in naming does not necessarily imply hierarchy in network administration. • Although DNS name space is hierarchic, there's no inheritance zone wide defaults are also bad due to "apex overload" 14 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com & pk@denic.de

  15. DNS rough corners • Packet size: – 512 for standard DNS, 4K+ for EDNS0 – Keeping RRsets small is good practice. • Lame delegations: – Parent and children must stay in sync about name servers. – Secondary servers must keep up-to date with Primary. • problems areas: permissions, transfer protocol not getting through, clock synchronization, old/renumbered primary/secondary. • Data integrity: Cache Poisoning – DNS answer can be forged, in particular if query stream is visible – use protected channel to recursive resolvers. • Broken/old DNS Software: – Small percentage, but persistent base 15 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com & pk@denic.de

  16. DNS API issues • Whole or none of RRset will arrive, – in non determined order. • DNS Resolver API should – Return known weighed DNS RRset in weighed order – other RRsets in in random order. • DNS data should reside in one place and one place only – at name, or at <prefix>.name – zone wide defaults • there are no zone wide defaults, since the "zone" is an artificial boundary for management purpose 16 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com & pk@denic.de

  17. DNS Wildcards: The area of most confusion: FACTS • match ONLY non existing names • expansion is terminated by existing names – do not expand past zone boundaries 17 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com & pk@denic.de

  18. DNS wildcards: The area of most confusion: MYTHS • Record: *.example MX 10 mail.example – matches any name in example !! – supplies RR type to names present, missing MX RRs. • Is added to MX RRset at a name – expands only one level • www.*.example will expand 18 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com & pk@denic.de

  19. Wildcard Match • Contents of a zone: *.example. TXT "this is a wildcard" example www.example. A 127.0.0.1 jon.doe.example. A 127.0.0.2 • Name “ doe.example ” exists w/o any RRtypes  empty non- terminal • Name “ tina.doe.example .” will not be expanded from wildcard • Name: “ tina.eod.example .” Matched. 19 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com & pk@denic.de

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DNS (Domain Name System) Tutorial @ IETF-70 (DNS for protocol designers) lafur Gumundsson

DNS (Domain Name System) Tutorial @ IETF-70 (DNS for protocol designers) lafur Gumundsson

DNS (Domain Name System) Tutorial @ IETF-70 (DNS for protocol designers) lafur Gumundsson OGUD consulting Peter Koch DENIC eG 2007-12-02 DNS Tutorial @ IETF-70 1 ogud@ogud.com &amp; pk@denic.de Tutorial Overview Goal: Give

736 views • 54 slides
IETF Security Tutorial Radia Perlman March, 2007 (radia.perlman@sun.com) 1 Why an IETF

IETF Security Tutorial Radia Perlman March, 2007 (radia.perlman@sun.com) 1 Why an IETF

IETF Security Tutorial Radia Perlman March, 2007 (radia.perlman@sun.com) 1 Why an IETF Security Tutorial? Security is important in all protocols; not just protocols in the security area IETF specs mandated to have a security

1.29k views • 95 slides
IETF Security Tutorial Radia Perlman November 2006 (radia.perlman@sun.com) 1 Why an IETF

IETF Security Tutorial Radia Perlman November 2006 (radia.perlman@sun.com) 1 Why an IETF

IETF Security Tutorial Radia Perlman November 2006 (radia.perlman@sun.com) 1 Why an IETF Security Tutorial? Security is important in all protocols; not just protocols in the security area IETF specs mandated to have a security

1.1k views • 80 slides
WG Leadership Tutorial IETF 86: Orlando March 10, 2012 Margaret Wasserman

WG Leadership Tutorial IETF 86: Orlando March 10, 2012 Margaret Wasserman

WG Leadership Tutorial IETF 86: Orlando March 10, 2012 Margaret Wasserman mrw@painless-security.com Agenda 1. Introduction 2. Getting a WG started 3. Making WGs work for everyone 4. Steps in the WG process 5. Complex Situations 6.

1.1k views • 55 slides
NETCONF and YANG Status, Tutorial, Demo J urgen Sch onw alder 75th IETF 2009,

NETCONF and YANG Status, Tutorial, Demo J urgen Sch onw alder 75th IETF 2009,

NETCONF and YANG Status, Tutorial, Demo J urgen Sch onw alder 75th IETF 2009, Stockholm, 2009-07-30 This tutorial was supported in part by the EC IST-EMANICS Network of Excellence (#26854). 1 / 40 What is NETCONF? NETCONF is a

1.06k views • 40 slides
TLS 1.3 Tutorial IETF 100 - Singapore 20171112 Sean Turner | sn3rd Joe Salowey | Tableau

TLS 1.3 Tutorial IETF 100 - Singapore 20171112 Sean Turner | sn3rd Joe Salowey | Tableau

TLS 1.3 Tutorial IETF 100 - Singapore 20171112 Sean Turner | sn3rd Joe Salowey | Tableau software Whats Will address TLS 1.3s: Wheres Hows 2 Not too Technical We promise: Lots o Links Lame Nerd Humor 3 Whence does it come? 4

305 views • 26 slides
lafur Gu mundsson Shinkuro, Inc. Peter Koch DENIC eG 1 DNS Tutorial @ IETF-80

lafur Gu mundsson Shinkuro, Inc. Peter Koch DENIC eG 1 DNS Tutorial @ IETF-80

lafur Gu mundsson Shinkuro, Inc. Peter Koch DENIC eG 1 DNS Tutorial @ IETF-80 ogud@ogud.com &amp; pk@denic.de 2011-03-27 Goal: Give the audience basic understanding of DNS to be able to facilitate new uses of DNS and take

921 views • 50 slides
DNS Privacy EDU Tutorial dnsprivacy.org Sara Dickinson Sinodun sara@sinodun.com IETF 99

DNS Privacy EDU Tutorial dnsprivacy.org Sara Dickinson Sinodun sara@sinodun.com IETF 99

DNS Privacy EDU Tutorial dnsprivacy.org Sara Dickinson Sinodun sara@sinodun.com IETF 99 Prague, July 2017 Overview The problem: Why Internet privacy and DNS Privacy are important (DNS

916 views • 89 slides
EMU IETF 74 Note Well Any submission to the IETF intended by the Contributor for publication as

EMU IETF 74 Note Well Any submission to the IETF intended by the Contributor for publication as

EMU IETF 74 Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made within the context of an IETF activity is considered an &quot;IETF

940 views • 7 slides
Tutorial: Traffic of Online Games Jose Saldana &amp; Mirko Suznjevic IETF 87, Berlin, August 1 st

Tutorial: Traffic of Online Games Jose Saldana &amp; Mirko Suznjevic IETF 87, Berlin, August 1 st

Tutorial: Traffic of Online Games Jose Saldana &amp; Mirko Suznjevic IETF 87, Berlin, August 1 st , 2013 Transport Area Open Meeting 1.8.2013. 1 Goals of this presentation Information about current practices in online games industry

866 views • 31 slides
IETF Status at IETF 85 Russ Housley IETF Chair 1 IETF 85 Participants l 1098 people l 195

IETF Status at IETF 85 Russ Housley IETF Chair 1 IETF 85 Participants l 1098 people l 195

IETF Status at IETF 85 Russ Housley IETF Chair 1 IETF 85 Participants l 1098 people l 195 newcomers l IETF 82 was 948 people l 55 countries l IETF 82 was 48 countries IETF 82 was held in US JP CN FR UK Taipei, Taiwan DE

327 views • 8 slides
One Data Model SDF: A brief tutorial and status T2TRG summary meeting @ IETF 107+, April 14, 2020

One Data Model SDF: A brief tutorial and status T2TRG summary meeting @ IETF 107+, April 14, 2020

One Data Model SDF: A brief tutorial and status T2TRG summary meeting @ IETF 107+, April 14, 2020 Carsten Bormann 1 The need for One Data Model IoT standardization is dominated by ecosystem -specific SDOs Each ecosystem has their own

294 views • 14 slides
Welcome to the IETF! Would you like instructions? Mike StJohns IETF 97 Seoul, South Korea 1

Welcome to the IETF! Would you like instructions? Mike StJohns IETF 97 Seoul, South Korea 1

Welcome to the IETF! Would you like instructions? Mike StJohns IETF 97 Seoul, South Korea 1 IETF Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any

637 views • 29 slides
Welcome to the IETF! You are standing at the end of the road before a small brick building

Welcome to the IETF! You are standing at the end of the road before a small brick building

Welcome to the IETF! You are standing at the end of the road before a small brick building Mike StJohns IETF 99 Prague, CZ IETF Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF

582 views • 29 slides
Non-Congestion Robustness (NCR) for TCP draft-ietf-tcpm-draft-ietf-tcpm-tcp-dcr-03.txt IETF 62 -

Non-Congestion Robustness (NCR) for TCP draft-ietf-tcpm-draft-ietf-tcpm-tcp-dcr-03.txt IETF 62 -

Non-Congestion Robustness (NCR) for TCP draft-ietf-tcpm-draft-ietf-tcpm-tcp-dcr-03.txt IETF 62 - March 2005 Sumitha Bhandarkar, A. L. Narasimha Reddy, Mark Allman, Ethan Blanton &quot;Hit our satellite with feeling, Give the people what they

363 views • 8 slides
BFD IETF 68 David Ward Note Well Any submission to the IETF intended by the Contributor

BFD IETF 68 David Ward Note Well Any submission to the IETF intended by the Contributor

BFD IETF 68 David Ward Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made within the context of an IETF activity is considered an

399 views • 22 slides
Background Concepts Review Some of this material is covered in a MasteringAstronomy practice

Background Concepts Review Some of this material is covered in a MasteringAstronomy practice

Background Concepts Review Some of this material is covered in a MasteringAstronomy practice assignment called Math Review. The Metric System We will use the metric system almost exclusively. (English units are entirely evil.) Mass unit:

732 views • 29 slides
Midterm review CSCI 466: Networks Keith Vertanen

Midterm review CSCI 466: Networks Keith Vertanen

Midterm review CSCI 466: Networks Keith Vertanen Network architecture 2 Encapsula8on High-level messages encapsulated in low-level messages

1.25k views • 111 slides
Cloudifornication Indiscriminate Information Intercourse Involving Internet Infrastructure Hoff

Cloudifornication Indiscriminate Information Intercourse Involving Internet Infrastructure Hoff

Cloudifornication Indiscriminate Information Intercourse Involving Internet Infrastructure Hoff (@Beaker) - FIRST 2010 Cloud Security Doesnt Matter When Is NetWareCloud Shipping? ::Setting Some Context The Internet is a remarkably frail

1.35k views • 100 slides
CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr.

CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr.

CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr. Benjamin Livshits British Airw rways Hack 2 BA last week admitted that personal and payment card info for 380,000 customers had been swiped from

840 views • 61 slides
Linux File Systems Adrien schischi Schildknecht July 18, 2014 Why FS matters Linux File

Linux File Systems Adrien schischi Schildknecht July 18, 2014 Why FS matters Linux File

Linux File Systems Adrien schischi Schildknecht Linux File Systems Adrien schischi Schildknecht July 18, 2014 Why FS matters Linux File Systems Adrien schischi Schildknecht Overhead: non-volatile memory is often the

621 views • 42 slides
CMPS 111: Introduction to Operating Systems Professor Scott A. Brandt sb rand t@cs .ucsc

CMPS 111: Introduction to Operating Systems Professor Scott A. Brandt sb rand t@cs .ucsc

CMPS 111: Introduction to Operating Systems Professor Scott A. Brandt sb rand t@cs .ucsc .edu h t tp : / /www.cse .ucsc .edu /~sb randt / 111 Chapter 1 Class outline Introduction, concepts, review &amp; historical

490 views • 33 slides
L5 June 14, 2017 1 Lecture 5: Advanced Data Structures CSCI 1360E: Foundations for Informatics

L5 June 14, 2017 1 Lecture 5: Advanced Data Structures CSCI 1360E: Foundations for Informatics

L5 June 14, 2017 1 Lecture 5: Advanced Data Structures CSCI 1360E: Foundations for Informatics and Analytics 1.1 Overview and Objectives Weve covered list, tuples, sets, and dictionaries. These are the foundational data structures in

376 views • 9 slides
Prr s Prrs

Prr s Prrs

Prr s Prrs tt r t t tr tst

1.84k views • 159 slides

More recommend