The Domain Name System (DNS) Jason Hermance Nerces Kazandjian - - PowerPoint PPT Presentation

The Domain Name System (DNS)

Jason Hermance Nerces Kazandjian Long-Quan Nguyen

Introduction

Machines find 32-bit IP addresses just peachy.

• Some Computer Science majors don’t seem to mind either…

Normal people prefer names in general.

• easier to remember
• possibly more coherent

So we need some sort of name-assigning scheme…

• IP

name

• geographical considerations

Names For Machines

Early naming conventions

• assigned based on machines’ purpose
• accounting, talent, shipping, sales

Low-level (IP) to High-level (name)

• A common concern in computer science.

By 1986, 3100 officially registered, 6500 official aliases By today, hundreds of millions (of hundreds?)

Flat Namespace

Just a sequence of characters Network Information Center (NIC)

• determined appropriate-ness of names (conflict, obscenity)

Pros of a flat namespace

• names are short and convenient

Cons of a flat namespace

• a single, predetermined (and thus finite) set of names
• a single site to handle all work and all traffic

Hierarchical Names & Delegation Of Authority

What exactly are we aiming for?

• efficient name mapping
• autonomous name assignment

Current system functions similar to a large corporation.

• split the responsibility
• autonomous operation

Possible namespace partition pattern: local.site

• site- authorized by central authority
• local- authorized by the site
• ex. msn.com, laccd.edu

Subset Authority

Keep subdividing to become manageable Let’s try something like group.local.site

• site- authorized by central authority
• local- authorized by the site
• group- subdivision of local
• eg. moneycentral.msn.com, research.laccd.edu

Not necessarily based on a physical mapping

Internet Domain Names

The Domain Name System (DNS)… we meet at last!

• Job 1: rules for syntax and authority
• Job 2: rules for implementing name-to-address mapping

Syntax rules

• local label first, top domain last
• scope goes from small to big

Let’s take research.laccd.edu for example.

• research.laccd.edu is the lowest-level domain
• laccd.edu is the second-level domain
• edu is the top-level domain

Some common top-level domain names

.com Commercial Organizations .edu Educational Institutions .gov US Government .net Major Network Support Centers .org Organizations Not Classified .us, .uk, .fr, .kz Country codes (geographic scheme) Have you been paying attention so far?

• If .us belongs to the USA, then it can delegate ca.us to California.

Top-Level Domains

Two hierarchies: geographical and organizational

• countries are assigned a two-letter top-level domain
• rganizations submit requests for registration

So what went into getting python.ecs.csun.edu?

• CSUN: “Hey, Internet. I want csun.edu.”
• Internet: “Okay, you got it.”
• ECS@CSUN: “Hey CSUN, I want ecs.csun.edu.”
• CSUN: “Okay, you got it.”
• Unnamed Python Admin: “Hey, ECS@CSUN. I want…”
• ECS@CSUN: “Yeah, yeah. You got it. Now go away.”

Name Syntax And Type

Houston, we have a problem.

• Multiple naming hierarchies leads to confusion. Confusion leads to
• anger. Anger leads to hate. Hate leads to suffering.
• mail.yahoo.com or nercesk.yahoo.com

Let’s introduce the idea of address type.

• The client specifies type in addition to the name to resolve.
• eg. machine, mailbox, user

Can’t determine type by syntax or number of labels alone.

• Hey, nercesk.yahoo.com could be a domain… maybe.

Mapping Domain Names To Addresses

Name server(s)

• program for name-to-address translation
• typically on a dedicated processor
• Name resolver: Client-side software for submitting requests

Back to the corporation model and python.ecs.csun.edu

• “root” server sends request to top-level server (edu)
• top-level server sends request to level 2 (csun.edu)
• level 2 server sends request to level 3 (ecs.csun.edu)
• level 3 server sends request to level 4 (python.ecs.csun.edu)
• level 4 sends a response back up

Mapping Domain Names To Addresses

Think of it as a tree structure.

• First level: root
• Second level: top-level domain
• Third level: local domain

But this does not imply a direct physical connection. In actuality, not quite this involved

• “root” server knows enough to contact csun.edu directly

Domain Name Resolution

Resolution query

• name to be resolved, class of the name, type of answer
• code for partial or complete translations

Partial translation

• contact name servers one at a time

Complete translation

• have name server system do the whole thing

You gotta have at least one connection, pal.

Efficient Translation

Do we have to go to “root” every single time?

• Think about dialing the area code each time, even for local calls.

Going through the whole process is inefficient.

• Most name resolution is local.
• “Root” level would be overloaded.
• Higher-level failure need not be fatal.

We can send the query locally first.

• If the current level can’t resolve it, move to the parent.

Caching: The Key To Efficiency

Why look the same thing up 100 times? Router : ARP Cache :: name server : DNS Cache DNS Cache entry

• domain name of server
• IP binding to that name

But can’t the IP binding change, you ask?

• Time To Live value given by authority
• depends on likelihood of change

Domain Name System Message Format

More message format diagrams! 3-for-1 deal!

Compressed Name Format

Domain names are stored as sequence of labels.

• Can be literal string or a pointer to a literal string.

Literal string

• 1st octet first 2 bits = 00, last 6 bits = length n
• next n octets label
• Rinse. Repeat. End with n = 0.

Pointer to a literal string

• 1st octet first 2 bits = 11, next 14 bits = integer pointer

Abbreviation Of Domain Names

Outside domain name system

• introduced by client software

List of possible suffixes to append to Possible uses include:

• convenient lookups
• restricted access

Inverse Mappings

Working backwards… like Jeopardy! Some problems with this

• Not every answer has a unique question.
• Even then, the server might not be able to provide one.
• We might have to search all the servers…yuck.

Implemented, but not really used

Pointer Queries

One form of inverse mapping that’s actually useful!

• Checks that the query is generated from an authorized domain.

Mapping a client’s IP to a domain name

• IP address aaa.bbb.ccc.ddd
• Pointer query ddd.ccc.bbb.aaa.in-addr.arpa

But what if the local server is not in-addr.arpa or .arpa?

• Internet root domain servers are left in charge to make things efficient.

Some common object types

A 32-bit IP address HINFO CPU & OS information MINFO Mailbox/Mail List information MX Mail exchanger information NS Name of authoritative server for domain TXT Uninterpreted string of ASCII text Let’s try to be a little efficient for a moment.

• Servers will return any additionally known bindings in responses.
• Additional Information Section of responses

Obtaining Authority For A Subdomain

In order to be granted authority for a second-level domain:

• agree to operate a domain name server that meets Internet standards
• know the addresses of subdomain servers and at least one root

Servers can typically handle concurrent requests

• Processing older requests while accepting new ones
• Recursive requests, remember?

There are more rules? Sheesh!

• All information must appear in at least two separate machines.
• Technically, the servers cannot have a single common point of failure.

Dynamic DNS Update And Notification

Dynamic DNS update

• DHCP (Dynamic Host Configuration Protocol) assigns host obtains IP
• Sends update notice to DNS server
• NAT (Network Address Translation) sits “before” name server
• Coordinates translation with DNS server
• Multiple parties share administration

Dynamic DNS notification

• DNS server propagates the update
• Sends notification to backup servers
• Backup servers request actual update

DNS Security Extensions (DNSSEC)

Digital signature mechanism to protect DNS

• Check message authenticity
• Check data integrity

Possible side effects include:

• No confidentiality from snooping
• (Deliberate-)Denial-Of-Service

Public key encryption

• Server contains keys for authority zones further down
• Must manually configure keys for root servers.