DNS Domain Name System

Hostnames
 IP addresses are great for computers
 – an IP address includes information used for routing.
 IP addresses are tough for humans to remember.
 IP addresses are impossible to guess.
 – Have you ever guessed at the name of a WWW site? People guess names, not numbers.

The Domain Name System
 The domain name system is most often used to translate a host name into an IP address.
 Domain names form a hierarchy, so that names are unique yet easy to remember.

Name Space
 A name space that maps each address to a unique name can be organized in two ways:
 1. Flat name space: a name is a sequence of characters without structure.
 – Disadvantage: cannot be used in a large system, because the whole space must be centrally controlled to avoid ambiguity and duplication.
 2. Hierarchical name space: each name is made of several parts, and the authority to assign and control each part of the name space can be decentralized.

DNS Hierarchy
[figure: DNS hierarchy tree: the root at the top; edu, com, org, gov beneath it; gu and msu beneath edu]

Domain Name Space
 To obtain a hierarchical name space, a domain name space was designed: names are defined in an inverted-tree structure with the root at the top.
 The tree can have 128 levels: level 0 (the root) through level 127.
 Each domain name is a sequence of labels separated by periods.
 – Each label can be up to 63 characters; the root's label is the empty (null) string.
 – The whole name can be at most 255 characters.
 Examples:
 – whitehouse.gov
 – barney.purple.dinosaur.com
 – monica.cs.msu.edu

Top-level domains
 Generic: edu, gov, com, net, org, mil, ...
 Each country has its own two-letter top-level domain.
 Newer top-level domains (at the time of these slides) include: .aero .biz .coop .info .name .pro

DNS Organization
 Distributed database
 – The organization that owns a domain name is responsible for running a DNS server that provides the mapping from hostnames within the domain to IP addresses.
 – E.g. some machine run by MSU is responsible for everything within the msu.edu domain.

Distribution of Name Space
 The information contained in the domain name space must be stored somewhere.
 It is inefficient and unreliable to have just one computer store such a huge amount of data.
 – Inefficient: responding to requests from all over the world places a heavy load on that one system.
 – Not reliable: any failure makes the data inaccessible.

 Solution:
 – Distribute the information among many computers, called DNS servers.
 – Divide the whole space into many domains: let the root stand alone and create as many subtrees as there are first-level nodes.
 – The result is a hierarchy of servers that mirrors the hierarchy of names.

Zone and Domain
[figure: zones and domains: the root, the com domain, and a domain divided into zones; a zone is the part of a domain that one server is responsible for]

Servers
 Root server: its zone is the whole tree, but it stores no information about the domains below it; it delegates authority to other servers and keeps only references (delegation records) to those servers.
 Primary server: stores the file for the zone over which it is the authority.
 – It is responsible for creating, maintaining and updating the zone file.
 Secondary server: transfers the complete zone from the primary server (a zone transfer) and stores it on its local disk; it answers for the zone but never edits it.
 – Because a zone transfer hands out the entire zone, a primary should accept transfer requests only from its own secondaries.

DNS Distributed Database
 There is one primary server for a domain, and typically a number of secondary servers containing replicated databases.
[figure: the rpi.edu DNS database on its own servers; the msu.edu DNS database on the authoritative msu.edu DNS server, with replicas on its secondary servers]

DNS Resolution
 Mapping a name to an address, or an address to a name, is called name-address resolution.
 Resolver:
 – A host that needs to map an address to a name or a name to an address calls a DNS client called a resolver.
 Domain name resolution proceeds top-down, starting with a root name server and moving toward the servers located at the leaves of the tree.
 Two ways:
 (1) the resolver contacts the name servers one at a time, following referrals (iterative resolution);
 (2) the resolver asks one name server to perform the complete translation on its behalf (recursive resolution).

 Cont....
 In either case, the client software forms a domain name query that contains the name to be resolved, a declaration of the class of the name, the type of answer desired, and a code (the recursion-desired flag) that specifies whether the name server should translate the name completely.
 When a domain name server receives a query, it checks whether the name lies in a subdomain for which it is an authority.
 If yes, it translates the name to an address according to its database and appends the answer to the query before sending it back to the client.
 If no, it checks which kind of resolution the client asked for:
 – Recursive: the server contacts the other servers itself and returns a complete answer.
 – Iterative: the server returns a referral to the server it believes is closest to the answer, and the client continues from there.

Hierarchy of Name Servers
[figure: root server; org server, edu server, com server and us server beneath it; fhda.edu and bk.edu servers beneath edu, mcgraw.com and irwin.com servers beneath com]

Recursive Resolution
[figure: a client at fhda.edu resolving a host in mcgraw.com: client -> fhda.edu server -> root server -> com server -> mcgraw.com server, with the edu server also shown; the answer returns along the same path]

Iterative Resolution
[figure: the same lookup done iteratively: the client itself queries the fhda.edu server, the root server, the com server and finally the mcgraw.com server; each returns a referral or the answer directly to the client]
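The two resolution styles above, as an added example that is not part of the original slides: a small simulation in which each server either answers, refers the client onward, or (in recursive mode) chases the referral itself. The server names, zones, hosts and 10.x.x.x addresses are constructed for the demo, not real DNS data.

```python
"""Added example (not from the original slides): a toy model of iterative and
recursive resolution over a hierarchy of name servers.

The servers, zones, hosts and 10.x.x.x addresses below are constructed for the
demo and are assumptions, not real DNS data."""

# Each server knows the zone it is authoritative for, the records it holds for
# that zone, and the child zones it has delegated (child zone -> child server).
SERVERS = {
    "root":          {"zone": ".",           "answers": {},
                      "delegations": {"edu.": "edu-server", "com.": "com-server"}},
    "edu-server":    {"zone": "edu.",        "answers": {},
                      "delegations": {"fhda.edu.": "fhda-server"}},
    "com-server":    {"zone": "com.",        "answers": {},
                      "delegations": {"mcgraw.com.": "mcgraw-server"}},
    "fhda-server":   {"zone": "fhda.edu.",   "answers": {"www.fhda.edu.": "10.1.1.1"},
                      "delegations": {}},
    "mcgraw-server": {"zone": "mcgraw.com.", "answers": {"www.mcgraw.com.": "10.2.2.2"},
                      "delegations": {}},
}


def in_zone(name, zone):
    """True if `name` lies inside `zone` (the root zone '.' contains everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def lookup(server_name, qname, recursive, trace):
    """One server's handling of a query.

    Returns ("answer", ip), ("referral", next_server) or ("nxdomain", None).
    `trace` records every server that was asked, in order."""
    server = SERVERS[server_name]
    trace.append(f"{server_name} <- {qname}")
    if qname in server["answers"]:
        return "answer", server["answers"][qname]
    for zone, child in server["delegations"].items():
        if in_zone(qname, zone):
            # The name belongs to a delegated child zone: either chase it on the
            # client's behalf (recursive) or hand back a referral (iterative).
            return lookup(child, qname, True, trace) if recursive else ("referral", child)
    if in_zone(qname, server["zone"]):
        return "nxdomain", None          # we are the authority and the name does not exist
    # The name is outside our zone: a recursive server walks down from the root for
    # the client; a non-recursive one refers the client to the root.
    return lookup("root", qname, True, trace) if recursive else ("referral", "root")


def resolve_iterative(qname, local="fhda-server", max_steps=10):
    """The client follows referrals itself, one server at a time.
    Returns (ip_or_None, number_of_queries_sent_by_client, trace)."""
    trace, server, sent = [], local, 0
    while sent < max_steps:               # bound the walk: a broken delegation must not spin forever
        sent += 1
        kind, value = lookup(server, qname, False, trace)
        if kind != "referral":
            return value, sent, trace
        server = value
    raise RuntimeError(f"referral loop or too many steps resolving {qname}")


def resolve_recursive(qname, local="fhda-server"):
    """The client sends one query to its local server and waits for the final answer."""
    trace = []
    _, value = lookup(local, qname, True, trace)
    return value, 1, trace


if __name__ == "__main__":
    for fn in (resolve_iterative, resolve_recursive):
        ip, sent, trace = fn("www.mcgraw.com.")
        print(f"{fn.__name__}: {ip}, client sent {sent} query/queries, path: {' | '.join(trace)}")
```

Both modes visit the same four servers for www.mcgraw.com; the difference is who does the walking. In iterative mode the client sends four queries and sees every referral, in recursive mode it sends one and the local server carries the load (and, as the caching slides show next, gets to cache everything it learned along the way).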

Efficient Translation
 Most name resolutions refer to local names, so tracing a path through the hierarchy from the root to reach the local authority would be inefficient.
 If every name resolution started by contacting the topmost level, the machines there would become overloaded.
 Failure of the machines at the topmost levels would prevent name resolution, even when the local authority could resolve the name.

Caching: The Key To Efficiency
 A server that keeps the lookup results for nonlocal names is said to cache them.
 Advantages: (1) reduces the search cost, (2) increases efficiency.
 Disadvantage: decreases accuracy, because a cached binding may be stale. A cache is also only as trustworthy as the responses that went into it: a wrong answer accepted into the cache is served to every client until it expires.
 When a server asks another server for a mapping and receives the response, it stores the information in its cache before sending it to the client.

 If the same or another client later asks for the same mapping, the server can check its cache and answer from there.
 To inform the client that the response comes from the cache and not from the authoritative source, the server marks the response as an unauthoritative (nonauthoritative) binding.
 To keep the cache up to date, two techniques are used: (1) the authoritative server adds TTL (Time To Live) information to each mapping; (2) each server keeps a TTL countdown for each mapping in its cache and discards the mapping when it reaches zero.
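The TTL countdown and the unauthoritative marking, as an added example that is not from the original slides. The records, the stand-in authoritative server and the clock are constructed for the demo; the point it shows beyond the text is that a cache must hand downstream the remaining TTL, not the original one.

```python
"""Added example (not from the original slides): a resolver cache that honours the
authoritative server's TTL, counts the TTL down, and marks cached answers as
non-authoritative. The records, the upstream answers and the clock are constructed
for the demo."""

import time


class DnsCache:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.entries = {}                     # (name, type) -> (rdata, expires_at)

    def store(self, name, rtype, rdata, ttl):
        """Remember an answer for `ttl` seconds. TTL 0 means "do not cache"."""
        if ttl <= 0:
            return
        self.entries[(name.lower(), rtype)] = (rdata, self.clock() + ttl)

    def get(self, name, rtype):
        """Return a non-authoritative answer with the *remaining* TTL, or None."""
        key = (name.lower(), rtype)            # names compare case-insensitively
        hit = self.entries.get(key)
        if hit is None:
            return None
        rdata, expires_at = hit
        remaining = expires_at - self.clock()
        if remaining <= 0:
            del self.entries[key]              # expired: go back to the authoritative source
            return None
        # Hand out the remaining time, never the original TTL, so that a cache
        # downstream of this one expires the mapping at the same moment we do.
        return {"rdata": rdata, "ttl": int(remaining), "authoritative": False}


def resolve(cache, name, rtype, authoritative_lookup):
    """Answer from cache if possible; otherwise ask the authority and cache the result."""
    cached = cache.get(name, rtype)
    if cached is not None:
        return cached
    rdata, ttl = authoritative_lookup(name, rtype)
    cache.store(name, rtype, rdata, ttl)
    return {"rdata": rdata, "ttl": ttl, "authoritative": True}


class FakeClock:
    """A clock the demo can advance by hand instead of sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    cache = DnsCache(clock)
    upstream_calls = []

    def upstream(name, rtype):               # stands in for the authoritative msu.edu server
        upstream_calls.append(name)
        return "10.1.1.1", 300                # constructed answer with a 300-second TTL

    first = resolve(cache, "www.msu.edu.", "A", upstream)     # miss: authoritative, TTL 300
    clock.advance(120)
    second = resolve(cache, "WWW.msu.edu.", "A", upstream)    # hit: 180 s left, non-authoritative
    clock.advance(200)
    third = resolve(cache, "www.msu.edu.", "A", upstream)     # 320 s > 300 s: expired, asked again
    return first, second, third, len(upstream_calls)


if __name__ == "__main__":
    for step in demo()[:3]:
        print(step)
```

Note that `resolve` caches whatever the upstream function returns; the cache itself has no way to tell a genuine answer from a forged one, which is the weakness the DNSSEC slides at the end address.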

DNS Messages
 Two kinds of message: Query and Response.
 Query: Header, Question Section.
 Response: Header, Question Section, Answer Section, Authoritative Section, Additional Section.

Header Format (12 bytes)
  Identification (16 bits) | Parameter / Flags (16 bits)
  Number of Question Records | Number of Answer Records (all 0s in a query message)
  Number of Authoritative Records (all 0s in a query message) | Number of Additional Records (all 0s in a query message)
Flags field, left to right: QR (1 bit: 0 = query, 1 = response) | OpCode (4 bits) | AA (authoritative answer) | TC (truncated) | RD (recursion desired) | RA (recursion available) | three 0s (reserved) | rCode (4 bits)
Question Record Format
  Query Domain Name (variable length) | Query Type (16 bits) | Query Class (16 bits)

Values of rCode
  Value  Meaning
  0      No error
  1      Format error
  2      Problem at name server (server failure)
  3      Domain reference problem (the name does not exist)
  4      Query type not supported
  5      Administratively prohibited (refused)
  6-15   Reserved
Resource Record Format
  Resource Domain Name (variable length) | Domain Type (16 bits) | Domain Class (16 bits) | Time To Live (32 bits) | Resource Data Length (16 bits) | Resource Data (variable length)

Compression
 A domain name that is repeated in a message is replaced by an offset pointer.
 In a resource record the domain name is usually a repetition of the name in the question record.
 The 2-byte (16-bit) offset pointer points to the earlier occurrence of the name.
 – The 2 high-order bits are 11, to distinguish a pointer from a length byte (label lengths are at most 63, so their top two bits are 00).
 – The remaining 14 bits give the byte offset, from the start of the message, of the earlier occurrence.
 A pointer may only point backwards to an earlier byte; a parser must check this so that a malformed message cannot send it round in a loop.
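The header, question record, resource record and compression formats from the last four slides, as an added example that is not part of the original slides: a parser that decodes a constructed response (one A record whose name is a compression pointer), plus a builder for a query so the round trip can be checked. The name www.fhda.edu and the address 10.1.1.1 in the sample bytes are assumptions.

```python
"""Added example (not from the original slides): a parser for the DNS header,
question records and resource records described above, including the 2-byte
compression pointers. The sample response bytes are constructed for the demo;
the name www.fhda.edu and address 10.1.1.1 are assumptions."""

import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def read_name(msg, offset):
    """Decode a possibly compressed name at `offset`; return (name, offset_after_name).

    A pointer must point strictly backwards, so offsets only ever decrease and a
    crafted message cannot make the parser loop."""
    labels, resume = [], None
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past the end of the message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # top two bits 11: 14-bit offset pointer
            if offset + 2 > len(msg):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if target >= offset:
                raise ValueError("pointer does not point backwards")
            if resume is None:                       # parsing continues after the first pointer
                resume = offset + 2
            offset = target
            continue
        if length & 0xC0:                            # 01 and 10 are reserved label types
            raise ValueError("unsupported label type")
        if length == 0:                              # the root label ends the name
            offset += 1
            break
        label = msg[offset + 1:offset + 1 + length]  # length <= 63 is guaranteed here
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii"))
        offset += 1 + length
    name = ".".join(labels) + "."
    if len(name) > 255:
        raise ValueError("name longer than 255 characters")
    return name, (resume if resume is not None else offset)


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("each label must be 1..63 characters")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(ident, name, qtype=1, qclass=1, rd=True):
    """Header with QR=0 and one question record (type 1 = A, class 1 = IN)."""
    flags = 0x0100 if rd else 0                      # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def parse_message(msg):
    """Return (header, questions, sections) for a query or response."""
    if len(msg) < 12:
        raise ValueError("header too short")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    header = {"id": ident, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
              "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
              "ra": flags >> 7 & 1, "z": flags >> 4 & 7, "rcode": RCODES.get(flags & 0xF, "RESERVED")}
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        if offset + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    sections = {}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            name, offset = read_name(msg, offset)
            if offset + 10 > len(msg):
                raise ValueError("truncated resource record")
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            rdata = msg[offset:offset + rdlen]
            if len(rdata) != rdlen:
                raise ValueError("rdlength runs past the end of the message")
            offset += rdlen
            if rtype == 1 and rdlen == 4:            # A record: show the address in dotted decimal
                rdata = ".".join(str(b) for b in rdata)
            records.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata})
        sections[section] = records
    return header, questions, sections


# Constructed response: www.fhda.edu A -> 10.1.1.1, with the answer name compressed to a pointer.
SAMPLE_RESPONSE = (
    b"\x12\x34"                          # identification
    b"\x85\x80"                          # flags: QR=1, AA=1, RD=1, RA=1, rCode 0
    b"\x00\x01\x00\x01\x00\x00\x00\x00"  # 1 question, 1 answer, 0 authoritative, 0 additional
    b"\x03www\x04fhda\x03edu\x00"        # question name, starts at offset 12
    b"\x00\x01\x00\x01"                  # query type A, query class IN
    b"\xc0\x0c"                          # answer name: pointer (11 + 14-bit offset 12)
    b"\x00\x01\x00\x01\x00\x00\x0e\x10"  # type A, class IN, TTL 3600
    b"\x00\x04\x0a\x01\x01\x01"          # rdlength 4, rdata 10.1.1.1
)

if __name__ == "__main__":
    print(parse_message(SAMPLE_RESPONSE))
```

Every length and count from the message is checked against the buffer before it is used, and a pointer that does not go backwards is rejected outright; a message whose first name is a pointer to itself therefore raises instead of looping.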

Abbreviation of Domain Names
 Provides a method of shortening names when the resolving process can supply part of the name automatically.
 The resolving process assumes that an abbreviated name lies in the same local authority.
 – E.g. omitting the area code when dialing a local telephone number.
 When a resolver encounters an abbreviated name, it steps through a list of suffixes, appending each suffix in turn and trying to look up the resulting name.

 Cont....
 Managers can use the suffix list to make abbreviation convenient, or to restrict application programs to local names.
 The domain name system itself only maps full domain names to addresses; abbreviations are not part of DNS but are introduced by the client software to make local names convenient for users.
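The suffix-list expansion from the two slides above, as an added example that is not from the original slides. The suffixes are constructed for the demo, and the `ndots` rule (try a name with enough dots as absolute first) goes beyond the slides; it follows the common resolv.conf behaviour rather than anything in the text.

```python
"""Added example (not from the original slides): how a resolver's suffix (search)
list turns an abbreviated name into the fully qualified names it will actually look
up. The suffixes are constructed for the demo, and the `ndots` rule is borrowed from
the common resolv.conf behaviour rather than taken from the slides."""


def candidates(name, search_list, ndots=1):
    """Fully qualified names to try, in order.

    - A name ending in '.' is absolute: it is looked up as-is and never expanded.
    - A name with at least `ndots` dots is tried as-is first, then under each suffix.
    - A shorter name is tried under each suffix first, then as-is."""
    if name.endswith("."):
        return [name]
    expanded = [f"{name}.{suffix.strip('.')}." for suffix in search_list]
    absolute = name + "."
    if name.count(".") >= ndots:
        return [absolute] + expanded
    return expanded + [absolute]


SEARCH = ["cs.msu.edu", "msu.edu"]     # constructed suffix list for a host inside cs.msu.edu

if __name__ == "__main__":
    for short in ("monica", "www.mcgraw.com", "www.mcgraw.com."):
        print(short, "->", candidates(short, SEARCH))
```

The list is also the caveat: an unqualified name is sent, suffix by suffix, to every domain on the list, so a mistyped or unknown short name produces lookups (and possibly answers) from whoever runs those suffix domains. A trailing dot, or a full name, bypasses the expansion entirely.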

Inverse Mapping
 An inverse query lets the client ask a server to map "backwards": given an answer, produce the question that would have yielded it.
 Inverse queries have been part of the domain system from the start, but they are generally not used, because there is no way to find the server that can resolve the query without searching the entire set of answers. (They were later declared obsolete.)
 Reverse mapping of an address to a name is sometimes used by a server as a check that a client is authorized to use a service. Note that whoever controls the address block controls the reverse answer, so the returned name should be confirmed by a forward lookup before it is trusted.

Pointer Queries
 A pointer query asks the name server to return the domain name for the machine with the specified IP address.
 E.g. think of an IP address written in dotted decimal: aaa.bbb.ccc.ddd
 For a pointer query the client rearranges the address as ddd.ccc.bbb.aaa.in-addr.arpa
 The new form is a name in the special domain in-addr.arpa; reversing the octets puts the most significant octet nearest the root, so that in-addr.arpa can be delegated by address block like any other domain.
 The servers for in-addr.arpa maintain a database of valid IP address blocks together with information about the domain name servers that can resolve each block.
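The address-to-name rearrangement above, together with the forward-confirmation check from the inverse-mapping slide, as an added example that is not from the original slides. It goes beyond the slides in also handling IPv6 (ip6.arpa, one hex nibble per label); the addresses, names and lookup tables are constructed for the demo.

```python
"""Added example (not from the original slides): building the in-addr.arpa name for
a pointer query, recovering the address from such a name, and the forward-confirmed
check a server should run before trusting the name it gets back. It goes beyond the
slides in also handling IPv6 (ip6.arpa, one hex nibble per label). The addresses,
names and lookup tables are constructed for the demo."""

import ipaddress


def reverse_name(address):
    """aaa.bbb.ccc.ddd -> ddd.ccc.bbb.aaa.in-addr.arpa. (IPv6: 32 reversed nibbles under ip6.arpa.)"""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")          # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def address_from_reverse_name(name):
    """Inverse of reverse_name; raises ValueError for anything that is not a reverse name."""
    labels = name.rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        return str(ipaddress.ip_address(".".join(reversed(labels[:4]))))
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        hexdigits = "".join(reversed(labels[:32]))
        return str(ipaddress.ip_address(":".join(hexdigits[i:i + 4] for i in range(0, 32, 4))))
    raise ValueError(f"not a reverse-lookup name: {name}")


def forward_confirmed(address, ptr_lookup, a_lookup):
    """Keep only the PTR names whose own address records contain the original address.

    The owner of the address block controls the PTR answer, so a bare reverse lookup
    proves nothing; the forward lookup must agree before the name is trusted."""
    names = ptr_lookup(reverse_name(address))
    return [name for name in names if address in a_lookup(name)]


# Constructed lookup tables standing in for the in-addr.arpa zone and the forward zones.
PTR_TABLE = {"1.1.1.10.in-addr.arpa.": ["www.fhda.edu.", "mail.example."]}
A_TABLE = {"www.fhda.edu.": ["10.1.1.1"], "mail.example.": ["192.0.2.9"]}


def demo():
    """10.1.1.1 claims two names; only the one whose A record points back survives."""
    return forward_confirmed("10.1.1.1", lambda n: PTR_TABLE.get(n, []), lambda n: A_TABLE.get(n, []))


if __name__ == "__main__":
    print(reverse_name("10.1.1.1"), reverse_name("2001:db8::1"), demo())
```

`demo()` shows the check doing its job: the PTR answer for 10.1.1.1 names two hosts, but only www.fhda.edu has an A record that leads back to the address, so mail.example is dropped.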

Object Types and Resource Record Content
 DNS can be used for translating a host name to an IP address, but also, for example, for translating a domain name to the address of its mail exchanger.
 When sending a request a client must specify the type in its query; servers specify the data type in every resource record they return.
 To make lookups more efficient, a server also returns additional bindings it already knows will be needed (e.g. the addresses of the servers it names) in the ADDITIONAL INFORMATION section of a response.

Resource Record Types
  Type   Meaning             Contents
  A      Host Address        32-bit IP address
  CNAME  Canonical Name      Canonical name for an alias
  HINFO  CPU & OS            Name of CPU and OS
  MINFO  Mailbox Info        Information about a mailbox or mail list
  MX     Mail Exchanger      16-bit preference and name of the host that acts as mail exchanger for the domain
  NS     Name Server         Name of an authoritative server for the domain
  PTR    Pointer             Domain name (like a symbolic link)
  SOA    Start of Authority  Which part of the naming hierarchy a server implements
  TXT    Arbitrary text      Uninterpreted string of ASCII text

Authority For A Subdomain
 Before an institution is granted authority for an official second-level domain, it must agree to operate a domain name server that meets Internet standards.
 It must obey the protocol standards that specify message formats and the rules for responding to requests.
 The server must know the addresses of the servers that handle each subdomain, as well as the address of at least one root server.
 A subtree of names managed by a given name server forms a zone of authority.

 Cont...
 Servers must be able to handle many requests at once, even though some requests take a long time to resolve.
 Internet authority requires that the information in every domain name server be replicated.
 Servers must have no single point of failure.
 At any point in the tree of servers, a server must know how to locate both the primary and the backup name servers for its subdomains, and it must direct queries to a backup server if the primary server is unavailable.

Dynamic DNS Update And Notification
 NAT (Network Address Translation) and DHCP (Dynamic Host Configuration Protocol) both need to interact with DNS.
 A NAT box obtains a dynamic address from an ISP, so there must be coordination between the DNS system and the NAT system.
 A host that obtains a dynamic address through DHCP must have its DNS server updated with the host's current address.

 Cont...
 To permit multiple parties to share administration of a zone, the IETF developed a technology known as Dynamic DNS.
 Two aspects of Dynamic DNS: Update and Notification.
 Update permits changes to be made dynamically to the information that a server stores. Since an update rewrites zone data, a server must restrict who is allowed to send updates rather than accept them from anyone.
 Because DNS uses backup (secondary) servers, changes made on the primary server must be propagated to each backup: when a dynamic change occurs, the primary server sends a notification to the backup servers, which then fetch the updated zone.

DNS Security Extensions - DNSSEC
 The IETF has defined a technology called DNSSEC.
 The primary services provided by DNSSEC are message origin authentication and integrity of the data.
 Using DNSSEC, a host can verify that DNS data did indeed originate at the authoritative DNS server for the zone and that the data arrived without being changed.
 DNSSEC does not provide confidentiality, nor does it fend off denial-of-service attacks: even if a host and a server both use DNSSEC, there is no guarantee that messages sent between them will be received, and queries and answers still travel in the clear.

 Cont....
 To provide authentication and data integrity, DNSSEC uses a digital signature mechanism that allows the receiver to verify that the contents of the message were not changed.
 DNSSEC uses public-key cryptography (signatures, not encryption).
 To distribute public keys, DNSSEC uses DNS itself: a server publishes the public keys for its zones, and each zone's key is vouched for by the zone above it.
 To anchor the whole system, the public key for the top level of the hierarchy must be manually configured into a resolver (the trust anchor); everything below it is verified by following signatures down the hierarchy.
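The chain of trust from the two DNSSEC slides, as an added example that is not from the original slides: a manually configured anchor for the root key, each parent vouching for its child's key, and the leaf record verified against the leaf zone's key. Real DNSSEC uses RSA/ECDSA/EdDSA signatures over record sets (RRSIG), DNSKEY records for zone keys and DS records (a hash of the child's key) in the parent; here a textbook-RSA toy built from small Mersenne primes stands in for the signature algorithm, and the zones, keys and records are constructed for the demo. The toy primitive is not secure and must not be reused.

```python
"""Added example (not from the original slides): a toy model of the DNSSEC chain of
trust. Real DNSSEC signs canonical record sets with RSA/ECDSA/EdDSA (RRSIG records),
publishes zone keys in DNSKEY records, and has each parent publish a DS record (a
hash of the child's key) signed with the parent's key. Here a textbook-RSA toy built
from small Mersenne primes stands in for the real signature algorithm, and the zones,
keys and records are constructed for the demo; never use the toy primitive for real."""

import copy
import hashlib

E = 65537


def toy_keypair(p, q):
    """Textbook RSA: public (n, e), private (n, d). Toy-sized; demo only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))       # modular inverse needs Python 3.8+


def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)


def key_digest(pub):
    """What a DS record carries: a hash of the child's public key."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()


def dnskey_text(zone, pub):
    return f"{zone} DNSKEY {pub[0]}:{pub[1]}"


# Constructed zones root -> edu -> fhda.edu, keyed with toy Mersenne primes 2**k - 1.
KEYS = {".": toy_keypair(2**89 - 1, 2**61 - 1),
        "edu.": toy_keypair(2**61 - 1, 2**31 - 1),
        "fhda.edu.": toy_keypair(2**31 - 1, 2**19 - 1)}


def publish():
    """Each zone signs its own DNSKEY and its records; each parent signs a DS for its child."""
    zones = {}
    for zone, (pub, priv) in KEYS.items():
        zones[zone] = {"DNSKEY": (pub, sign(priv, dnskey_text(zone, pub).encode())), "DS": {}, "A": {}}
    for parent, child in ((".", "edu."), ("edu.", "fhda.edu.")):
        text = f"{child} DS {key_digest(KEYS[child][0])}"
        zones[parent]["DS"][child] = (text, sign(KEYS[parent][1], text.encode()))
    text = "www.fhda.edu. A 10.1.1.1"
    zones["fhda.edu."]["A"]["www.fhda.edu."] = (text, sign(KEYS["fhda.edu."][1], text.encode()))
    return zones


PUBLISHED = publish()
TRUST_ANCHOR = key_digest(KEYS["."][0])        # configured into the resolver by hand, never fetched


def zone_chain(name):
    """'.', 'edu.', 'fhda.edu.' for www.fhda.edu. (assumes one label below the deepest zone)."""
    labels = name.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, 0, -1)]


def validate(name, rtype, published=PUBLISHED):
    """Walk from the trust anchor down to the record; (True, record) or (False, reason)."""
    zones, expected = zone_chain(name), TRUST_ANCHOR
    for i, zone in enumerate(zones):
        pub, self_sig = published[zone]["DNSKEY"]
        if key_digest(pub) != expected:
            vouched_by = "trust anchor" if i == 0 else "DS in " + zones[i - 1]
            return False, f"{zone} DNSKEY does not match the {vouched_by}"
        if not verify(pub, dnskey_text(zone, pub).encode(), self_sig):
            return False, f"{zone} DNSKEY self-signature is invalid"
        if i + 1 < len(zones):                      # descend: the parent vouches for the child's key
            child = zones[i + 1]
            text, sig = published[zone]["DS"][child]
            if not verify(pub, text.encode(), sig):
                return False, f"DS for {child} in {zone} has a bad signature"
            expected = text.split()[-1]
        else:                                       # leaf zone: check the record itself
            text, sig = published[zone][rtype][name]
            if not verify(pub, text.encode(), sig):
                return False, f"{name} {rtype} has a bad signature"
            return True, text


def tampered_record():
    """Someone changes the address in transit but cannot re-sign it."""
    forged = copy.deepcopy(PUBLISHED)
    text, sig = forged["fhda.edu."]["A"]["www.fhda.edu."]
    forged["fhda.edu."]["A"]["www.fhda.edu."] = (text.replace("10.1.1.1", "192.0.2.66"), sig)
    return validate("www.fhda.edu.", "A", forged)


def rogue_zone_key():
    """Someone substitutes their own zone key and re-signs everything: the parent's DS exposes it."""
    forged = copy.deepcopy(PUBLISHED)
    pub, priv = toy_keypair(2**17 - 1, 2**13 - 1)
    forged["fhda.edu."]["DNSKEY"] = (pub, sign(priv, dnskey_text("fhda.edu.", pub).encode()))
    text = "www.fhda.edu. A 192.0.2.66"
    forged["fhda.edu."]["A"]["www.fhda.edu."] = (text, sign(priv, text.encode()))
    return validate("www.fhda.edu.", "A", forged)
```

The two failure cases are the ones the slides motivate: a changed record fails its signature check, and a substituted key fails because the parent's DS (itself signed by the parent) no longer matches it. Neither check hides the data, which is the confidentiality limitation stated on the previous slide.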

Review Questions
1. What are the disadvantages of a flat name space?
2. Explain the hierarchical name space.
3. What are the different naming hierarchies at the top level? Give some examples of top-level domains with their meaning.
4. What are the two methods of domain name resolution? Explain in detail.
5. What is meant by efficient translation?
6. What is caching? Give its advantages and disadvantages.
7. Which method is used to keep the cache correct? How?
8. Explain the format of the query message.
9. Explain the format of a resource record.
10. How is space conserved in the reply packet?
11. What is the use of the resource record type? Explain using an example.
12. What is DNSSEC? Explain in brief.