iLab: DNS and DNSSEC. Dominik Scholz, slides by Benjamin Hof (ilab1). PowerPoint PPT Presentation



  1. iLab: DNS and DNSSEC
     Dominik Scholz, slides by Benjamin Hof
     ilab1@list.net.in.tum.de
     Chair of Network Architectures and Services, Department of Informatics, Technical University of Munich
     Lab 5 – 17ws
     1 / 32

  2. Outline
     Domain Name System
     Authoritative name server
     Resolver
     Security

  3. Outline (section divider: Domain Name System)

  4. The quest for memorable names
     ◮ IP addresses are hard to remember for humans
     ◮ symbolic names mapped to addresses: address resolution
     1. host files
        ◮ file with mappings
        ◮ copied between all machines
        ◮ /etc/hosts
     2. protocol: Domain Name System
        ◮ by Paul Mockapetris in 1983
        ◮ wide deployment in 1988

  5. Domain Name System
     ◮ application layer protocol on UDP, TCP
     ◮ glibc call getaddrinfo(3)
     ◮ distributed name database
     ◮ deployed globally
     ◮ hierarchical structure
     ◮ extensible
     ◮ e.g. DNSSEC: security extensions inside the protocol itself

  6. Distributed hierarchical name space (slides 6-7)
     [Figure: name tree with the nodes . net edu org lwn tum gnu debian cs ma ei mail, annotated by level: root zone (empty label) ".", top level domains (net, edu, org), second level domains (lwn, tum, gnu, debian), and labels below them (cs, ma, ei, mail)]
     Fully qualified domain name (FQDN) by label concatenation: mail.cs.tum.edu.

  8. Name server
     Name servers can fulfill different functions:
     1. authoritative name servers
        ◮ operated by a site on the Internet
     2. resolver
        ◮ asked to resolve names
        ◮ contacts authoritative name servers
     Example: Knot and unbound

  9. Outline (section divider: Authoritative name server)

 10. Zone
     ◮ subtree of the global name space
     ◮ delegated by parent
     ◮ managed by one organization
     ◮ hosted on an authoritative name server
     Example: tum.edu. delegated by edu., containing www.tum.edu. and mail.in.tum.edu.

 11. Authoritative name server
     ◮ only knows about its own part of the name space
     ◮ responsible, "authoritative", for its zone
     ◮ may serve multiple zones
     ◮ usually primary and secondary servers exist for a zone
       ◮ synchronized with zone transfer
       ◮ avoid disappearance of the zone in case of outage
       ◮ load balancing

 12. Zones: example
     [Figure: the name tree of slide 6 (. net edu org lwn tum gnu debian cs ma ei mail) with zone boundaries marked]

 13. Resource record (slides 13-17)
     ◮ a zone contains resource records (RR)

     example.net.  3600  IN     A     198.51.100.5
     owner         TTL   class  type  RDATA

     ◮ owner: domain name where the RR is found
     ◮ TTL: validity period in seconds when cached
     ◮ class: only Internet (IN) is relevant for us
     ◮ type: record type, e.g. IPv4 address
     ◮ RDATA: resource data, e.g. 32 bit IPv4 address

 18. Resource records
     owner              TTL   class  type  RDATA
     i.example.net.     3600  IN     AAAA  2001:db8::1
     like.example.net.  3600  IN     AAAA  2001:db8:af23::eb2
     dns.example.net.   3600  IN     A     192.0.2.25
     i.example.net.     3600  IN     A     192.0.2.205

 19. Resource records
     owner              type  RDATA
     i.example.net.     AAAA  2001:db8::1
     like.example.net.  AAAA  2001:db8:af23::eb2
     dns.example.net.   A     192.0.2.25
     i.example.net.     A     192.0.2.205
     i.example.net.     AAAA  2001:db8::2
     ◮ RRset for i.example.net. type AAAA with more than one record!
     ◮ note: TTL and class usually omitted

 20. Zone file and record types (slides 20-26)
     $ORIGIN example.net.   ; everything will be relative to this
     $TTL 1h                ; default TTL, could be overwritten later
     example.net.  IN  SOA    ns1 hostmaster [...]
     ; RRset with two records: NS
     example.net.      NS     ns1                     ; primary authoritative NS
     example.net.      NS     ns2.registrar.example.  ; secondary
     ns1               A      198.51.100.1
     example.net.      MX     10 mail                 ; priority to order multiple MX RRs
     mail              AAAA   2001:db8::1
                       A      198.51.100.2
     webmail           CNAME  mail                    ; alias for a canonical name
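As an added example (not from the slides), a small zone-file reader that applies the conventions the zone above relies on: relative names completed with $ORIGIN, the $TTL default for records that omit their TTL, an omitted class defaulting to IN, and records grouped into RRsets. The zone text and the SOA timer values are constructed for the example.

```python
# Added example (not from the slides): minimal zone-file reader for $ORIGIN,
# $TTL, optional TTL/class fields and grouping of records into RRsets.
from collections import defaultdict
TYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "PTR", "TXT"}
NAME_TYPES = {"SOA", "NS", "MX", "CNAME", "PTR"}   # RDATA carries domain names
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# Constructed sample mirroring the slide's zone (SOA timers are made up).
ZONE_TEXT = """\
$ORIGIN example.net.   ; everything will be relative to this
$TTL 1h                ; default TTL, may be overridden per record
example.net. IN SOA ns1 hostmaster 2017110101 7200 3600 1209600 3600
example.net. NS ns1                      ; primary authoritative NS
example.net. NS ns2.registrar.example.   ; secondary
ns1          A 198.51.100.1
example.net. MX 10 mail                  ; priority to order multiple MX RRs
mail         AAAA 2001:db8::1
mail         A 198.51.100.2
webmail  300 CNAME mail                  ; explicit TTL overrides $TTL
"""

def parse_ttl(tok):
    """'1h' -> 3600; a bare integer is already in seconds."""
    tok = tok.lower()
    return int(tok[:-1]) * UNITS[tok[-1]] if tok[-1] in UNITS else int(tok)

def fqdn(name, origin):
    """Relative names get $ORIGIN appended; absolute names already end in '.'."""
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return {(owner, class, type): [(ttl, rdata), ...]}, one key per RRset."""
    origin, default_ttl, rrsets = None, None, defaultdict(list)
    for raw in text.splitlines():
        tok = raw.split(";", 1)[0].split()            # strip comment, tokenize
        if not tok:
            continue
        if tok[0] == "$ORIGIN":
            origin = tok[1]
        elif tok[0] == "$TTL":
            default_ttl = parse_ttl(tok[1])
        else:
            owner, ttl, rrclass = fqdn(tok.pop(0), origin), default_ttl, "IN"
            while tok[0] not in TYPES:                 # optional TTL and/or class
                t = tok.pop(0)
                ttl = ttl if t.upper() == "IN" else parse_ttl(t)
            rtype = tok.pop(0)
            if rtype in NAME_TYPES:                    # expand relative RDATA names
                tok = [t if t.isdigit() else fqdn(t, origin) for t in tok]
            rrsets[(owner, rrclass, rtype)].append((ttl, " ".join(tok)))
    return dict(rrsets)
```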

 27. Delegation
     sub.example.net.     NS  ns.sub.example.net.
     ns.sub.example.net.  A   198.51.100.3
     ◮ makes ns.sub.example.net. responsible for the sub.example.net. zone
     ◮ glue record to make the new name server findable
     ◮ possible misconfigurations
       1. missing glue records
       2. delegation loops

 28. Outline (section divider: Resolver)

 29. Resolving name server tasks
     ◮ query: owner, class, type
     ◮ resolve a query from the root downwards
     ◮ cache responses based on TTL
       ◮ changes might only be visible after days
     Allow access only from your network, never open for everybody

 30. DNS packet layout (slides 30-31)
     [Figure: IP | UDP | DNS header | query | answer | authoritative | additional]
     header: ID, flags, number of RRs per section
     flags (c = set by client, s = set by server):
       QR (c,s)  query or response
       AA (s)    authoritative answer
       TC (s)    truncation (TCP as fallback)
       RD (c)    recursion desired
       RA (s)    recursion available
       (s)       4 bit response code: no error, name error, server failure, refused
     ◮ number of resource records in each section
     record sections
     ◮ query: only one record with owner, type, class
     ◮ answer: answer RRs
     ◮ authoritative section: name server delegation
     ◮ additional section: glue records, EDNS pseudo record
     packet size limited to 512 octets
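The header fields of slide 30, as an added example that is not part of the slides: packing and decoding the 12-octet header, interpreting the QR/AA/TC/RD/RA bits and the 4-bit response code, and the minimal acceptance check a resolver applies before trusting a reply (response bit set, ID echoing the outstanding query). Opcode and Z bit positions follow the standard header layout; the field names are the example's own.

```python
# Added example (not from the slides): pack and decode the 12-octet DNS header
# of slide 30, and apply the check a resolver makes before trusting a reply.
import struct

HEADER = struct.Struct("!HHHHHH")   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
RCODES = {0: "no error", 2: "server failure", 3: "name error", 5: "refused"}

def build_header(ident, *, qr=0, opcode=0, aa=0, tc=0, rd=1, ra=0, rcode=0,
                 qd=1, an=0, ns=0, ar=0):
    """Flags word layout: QR(1) Opcode(4) AA TC RD RA Z(3) RCODE(4)."""
    flags = ((qr << 15) | (opcode << 11) | (aa << 10) | (tc << 9)
             | (rd << 8) | (ra << 7) | (rcode & 0xF))
    return HEADER.pack(ident, flags, qd, an, ns, ar)

def parse_header(packet):
    """Decode the header; query/answer/authority/additional sections follow it."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than a DNS header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(packet)
    return {
        "id": ident,
        "qr": "response" if (flags >> 15) & 1 else "query",
        "aa": bool((flags >> 10) & 1),   # authoritative answer
        "tc": bool((flags >> 9) & 1),    # truncated: client should retry over TCP
        "rd": bool((flags >> 8) & 1),    # recursion desired, set by the client
        "ra": bool((flags >> 7) & 1),    # recursion available, set by the server
        "rcode": RCODES.get(flags & 0xF, f"rcode {flags & 0xF}"),
        "counts": {"query": qd, "answer": an, "authority": ns, "additional": ar},
    }

def response_matches(query, reply):
    """A resolver only accepts a reply whose QR bit is set and whose ID echoes
    the outstanding query (a real resolver also matches the source port and the
    question section); anything else is dropped as unsolicited."""
    q, r = parse_header(query), parse_header(reply)
    return r["qr"] == "response" and r["id"] == q["id"]
```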

 32. Lookup (slides 32-37)
     [Figure: stub → forwarder → recursor; the recursor walks the name tree for in.tum.de.]
     1. stub → forwarder → recursor: IP of in.tum.de.? (recursive queries)
     2. recursor → k.root-servers.net. (2001:7fd::1): in.tum.de. A? Referral: de. NS a.nic.de., glue a.nic.de. A 194.0.0.53
     3. recursor → a.nic.de.: in.tum.de. A? Referral: tum.de. NS dns1.lrz.de., glue dns1.lrz.de. A 129.187.19.183
     4. recursor → dns1.lrz.de.: in.tum.de. A? Answer: in.tum.de. A 131.159.0.35
     5. 131.159.0.35 is returned to the forwarder and the stub
     ◮ recursive queries
     ◮ iterative queries
     ◮ glue
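The iterative walk above, as an added example that is not part of the slides: an in-memory simulation of the recursor following referrals from the root via glue to the answer, extended to surface the two delegation faults listed on slide 27 (missing glue, delegation loop). The server set and the two faulty delegations under tum.de. are constructed for the example; the addresses and names of the working path are those shown on the slides.

```python
# Added example (not from the slides): in-memory simulation of the iterative
# lookup from slides 32-37, extended to surface the two delegation faults named
# on slide 27. Servers and records are constructed from the slide figures.

# name -> (address, {(owner, type): [rdata, ...]})
SERVERS = {
    "k.root-servers.net.": ("2001:7fd::1", {
        ("de.", "NS"): ["a.nic.de."], ("a.nic.de.", "A"): ["194.0.0.53"]}),
    "a.nic.de.": ("194.0.0.53", {
        ("tum.de.", "NS"): ["dns1.lrz.de."], ("dns1.lrz.de.", "A"): ["129.187.19.183"]}),
    "dns1.lrz.de.": ("129.187.19.183", {
        ("in.tum.de.", "A"): ["131.159.0.35"],
        ("noglue.tum.de.", "NS"): ["ns.noglue.tum.de."],      # constructed: no glue A
        ("loop.tum.de.", "NS"): ["ns.loop.example."],          # constructed: loops back
        ("ns.loop.example.", "A"): ["192.0.2.1"]}),
    "ns.loop.example.": ("192.0.2.1", {
        ("loop.tum.de.", "NS"): ["dns1.lrz.de."], ("dns1.lrz.de.", "A"): ["129.187.19.183"]}),
}
BY_ADDR = {addr: name for name, (addr, _) in SERVERS.items()}

def ask(server, qname, qtype):
    """One authoritative server: an answer, or a referral to the closest zone cut."""
    rrs = SERVERS[server][1]
    if (qname, qtype) in rrs:
        return {"answer": rrs[(qname, qtype)]}
    cuts = [o for (o, t) in rrs if t == "NS" and (qname == o or qname.endswith("." + o))]
    if not cuts:
        return {"rcode": "name error"}
    cut = max(cuts, key=len)                        # deepest delegation wins
    ns_names = rrs[(cut, "NS")]
    glue = {n: rrs[(n, "A")] for n in ns_names if (n, "A") in rrs}   # additional section
    return {"referral": (cut, ns_names, glue)}

def resolve(qname, qtype="A"):
    """The recursor's job: iterate from the root, following referrals via glue."""
    server, trail = "k.root-servers.net.", []
    while True:
        if server in trail:
            raise LookupError(f"delegation loop for {qname}: {' -> '.join(trail)}")
        trail.append(server)
        reply = ask(server, qname, qtype)
        if "answer" in reply:
            return reply["answer"], trail
        if "rcode" in reply:
            raise LookupError(f"{qname}: {reply['rcode']} from {server}")
        cut, ns_names, glue = reply["referral"]
        # This model insists on glue; a real resolver would also try to resolve an
        # out-of-zone NS name itself before giving up.
        if not glue:
            raise LookupError(f"missing glue for {cut} (NS {', '.join(ns_names)})")
        server = BY_ADDR[next(iter(glue.values()))[0]]
```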

 38. Reverse lookup
     IPv4
     ◮ PTR record type
     ◮ special domain in-addr.arpa.
     ◮ 198.51.100.5 → 5.100.51.198.in-addr.arpa.
     ◮ small subnets require lots of CNAMEs
     IPv6
     ◮ ip6.arpa.
     ◮ can be delegated per nibble
     ◮ 2001:db8::1 is: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
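As an added example (not from the slides), the PTR owner-name construction of slide 38 for both address families, plus the reverse-zone name a prefix can be delegated as: only on octet boundaries under in-addr.arpa. (which is why small IPv4 subnets fall back to the classless CNAME scheme), but on any nibble boundary under ip6.arpa. The function names are the example's own.

```python
# Added example (not from the slides): PTR owner names of slide 38 and the
# reverse zone a prefix can be delegated as (octet vs. nibble boundaries).
import ipaddress

def reverse_name(ip):
    """198.51.100.5 -> 5.100.51.198.in-addr.arpa.; IPv6 as 32 reversed nibbles."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")      # 32 zero-padded hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def reverse_zone(network):
    """Owner name of the reverse zone for a prefix, or ValueError when the prefix
    length does not fall on a delegatable boundary (IPv4: /8, /16, /24 only;
    smaller IPv4 subnets need the CNAME-based classless scheme; IPv6: any /4 step)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse delegation needs an octet boundary")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse delegation works per nibble")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."
```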

 39. Outline (section divider: Security)
