Network Applications: DNS, UDP Socket Y. Richard Yang 9/12/2013
2 Outline Admin and recap r DNS r Network application programming: UDP
3 Admin r 72 discretionary late hours for assignments across the semester
4 Recap: The Big Picture of the Internet r Hosts and routers: m ~ 1 bill. hosts (2013) m organized into ~45K networks m backbone links 100 Gbps r Software: m datagram switching with virtual circuit support m layered network architecture use end-to-end arguments to determine the services provided by each layer m the hourglass architecture of the Internet IP EthernetCable/DSLWireless TCP UDP Telnet FTPWWW SSL
5 Protocol Formats
6 Recap: Client-Server Paradigm application transport network data link physical application transport network data link physical request reply r The basic paradigm of network applications is the client-server (C-S) paradigm r Some key design questions to ask about a C-S application: m extensibility m scalability m robustness m security
7 Recap: App mail server user agent user agent user agent mail server user agent user agent mail server user agent SMTP POP3 or IMAP SMTP Some nice protocol extensibility design features separate protocols for different functions simple/basic (smtp) requests to implement basic control; fine- grain control through ASCII header and message body status code in response makes message easy to parse
8 Recap: A Major Challenge to r Spam (Google)
9 Recap: Spam Detection Methods by GMail r Known phishing scams r Message from unconfirmed sender identity r Message you sent to Spam/similarity to suspicious messages r Administrator-set policies r Empty message content
10 Confirming Sender Identity r Ideal case: m RFC 822 From: Header Field Content author r Other identifies m Peer MTA Host IP Address Neighbor SMTP client host m SMTP EHLO Command Neighbor SMTP client organization m SMTP MAIL FROM Command Notification return address m RFC 822 Sender: Header Field Message posting agent
11 Current Authentication Approaches Sender Policy Frame (SPF) DomainKeys Identified Mail (DKIM)
12 Sender Policy Framework (SPF RFC4408) MUA MTA Border Outbound MTA m Border Inbound MTA MUA smtp/submission smtp pop/imap neighbor MTA validating MTA Is my neighbor m a permitted sender for the domain?
13 SPF Example
14 DomainKeys Identified Mail (DKIM; RFC 5585) r A domain-level digital signature authentication framework for , using public key crypto m E.g., gmail.com signs that the message is sent by gmail server r Basic idea of public key signature m Owner has both public and private keys m Owner uses private key to sign a message to generate a signature m Others with public key can verify signature
15 Example: RSA 1. Choose two large prime numbers p, q. (e.g., 1024 bits each) 2. Compute n = pq, z = (p-1)(q-1) 3. Choose e (with e < n) that has no common factors with z. (e, z are “relatively prime”). 4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ). 5. Public key is (n,e). Private key is (n,d).
16 RSA: Signing/Verification 0. Given (n,e) and (n,d) as computed above 1. To sign message, m, compute h = hash(m), then sign with private key s = h mod n d (i.e., remainder when h is divided by n) d 2. To verify signature s, compute h’ = s mod n e (i.e., remainder when s is divided by n) e h = (h mod n) d mod n e Magic happens! The magic is a simple application of Euler’s generalization of Fermat’s little theorem
17 DomainKeys Identified Mail (DKIM) MUA Signing MTA MTA Verifying MTA MUA smtp/submission smtp pop/imap ? Is the message signed by the private key of the signing domain?
18 DKIM Architecture
Remaining Questions? r How does SPF know if its neighbor MTA is a permitted sender of the domain? r How does DKIM retrieve the public key of the author domain? 19
20 Recall: Client-Server Paradigm application transport network data link physical application transport network data link physical request reply r The basic paradigm of network applications is the client-server (C-S) paradigm r Some key design questions to ask about a C-S application: extensibility m scalability m robustness security
Scalability/Robustness r High scalability and robustness fundamentally require that multiple servers serve the same address 21 client need an server’s IP address mail server mail server mail server yale.edu mapping
22 Mapping Functions Design Alternatives r Map from an address server name to IP address of server mapping name (e.g., yale.edu) 1 IP mapping multiple IPs mapping multiple IPs name (e.g., yale.edu)
23 Mapping Functions Design Alternatives load balancer (routing) switch mapping name (e.g., yale.edu) 1 IP mapping name (e.g., yale.edu) 1 IP
24 DNS: Domain Name System r Function m map between (domain name, service) to value, e.g., ( Addr) -> (cs.yale.edu, ) -> netra.cs.yale.edu routers DNS Hostname, Service Address servers clients
25 DNS Records DNS: stores resource records (RR) r Type=NS name is domain (e.g. yale.edu) value is the name of the authoritative name server for this domain RR format: (name, type, value, ttl) r Type=A name is hostname value is IP address r Type=CNAME name is an alias name for some “canonical” (the real) name value is canonical name r Type=MX value is hostname of mail server associated with name r Type=SRV m general extension for services r Type=TXT m general txt
26 DNS Examples r nslookup r set type= m type =MX cs.yale.edu m type=TXT yale.edu gmail.com _domainkey.gmail.com
27 DNS Design: Dummy Design r DNS itself can be considered as a client-server system as well r How about a dummy design: introducing one super Internet DNS server? THE DNS server of the Internet register resolve OK/used already IP address
28 Problems of a Single DNS Server r Scalability and robustness bottleneck r Administrative bottleneck
29 DNS: Distributed Management of the Domain Name Space r A distributed database managed by authoritative name servers m divided into zones, where each zone is a sub-tree of the global tree m each zone has its own authoritative name servers m an authoritative name server of a zone may delegate a subset (i.e. a sub-tree) of its zone to another name server called a zone
30 Architecture + DNS mail server user agent user agent user agent mail server user agent user agent mail server user agent SMTP POP3 or IMAP SMTP DNS
31 Root Zone and Root Servers r The root zone is managed by the root name servers m 13 root name server IPs worldwide See for more detailshttp://root-servers.org/
32 Linking the Name Servers r Each name server knows the addresses of the root servers r Each name server knows the addresses of its immediate children (i.e., those it delegates) Top level domain (TLD) Q: how to query a hierarchy?
33 DNS Message Flow: Two Types of Queries Recursive query: The contacted name server resolves the name completely Iterated query: r Contacted server replies with name of server to contact m “I don’t know this name, but ask this server”
34 Two Extreme DNS Message Flows client cicada.cs.yale.edu root name server authoritative name server 5 6 TLD name server 4 client cicada.cs.yale.edu root name server authoritative name server 4 3 TLD name server 5 Issues of the two approaches?
35 Typical DNS Message Flow: The Hybrid Case requesting host cyndra.cs.yale.edu gaia.cs.umass.edu root name server authoritative name server dns.cs.umass.edu 5 6 TLD name server 7 8 iterated query local name server Host knows only local name server Local name server is learned from DHCP, or configured, e.g. /etc/resolv.conf Local DNS server helps clients resolve DNS names
36 Typical DNS Message Flow: The Hybrid Case requesting host cyndra.cs.yale.edu gaia.cs.umass.edu root name server authoritative name server dns.cs.umass.edu 5 6 TLD name server 7 8 iterated query local name server Host knows only local name server Local name server is learned from DHCP, or configured, e.g. /etc/resolv.conf Local DNS server helps clients resolve DNS names Benefits of local name servers simplifies client Caches/reuses results
37 DNS Protocol, Messages DNS protocol : typically over UDP (can use TCP); query and reply messages, both with the same message format DNS Msg header: r identification: 16 bit # for query, the reply to a query uses the same # r flags: m query or reply m recursion desired m recursion available m reply is authoritative
38 Observing DNS r Use the command dig: force iterated query to see the trace: %dig +trace see the manual for more details r Capture the messages m DNS server is at port 53
39 Evaluation of DNS Key questions to ask about a C-S application - extensible? - scalable? - robust? - security?
40 What DNS did Right? r Hierarchical delegation avoids central control, improving manageability and scalability r Redundant servers improve robustness m see news/article.php/ for DDoS attack on root servers in Oct (9 of the 13 root servers were crippled, but only slowed the network) news/article.php/ r Caching reduces workload and improve robustness
41 Problems of DNS r Domain names may not be the best way to name other resources, e.g. files r Relatively static resource types make it hard to introduce new services or handle mobility r Although theoretically you can update the values of the records, it is rarely enabled r Simple query model makes it hard to implement advanced query r Early binding (separation of DNS query from application query) does not work well in mobile, dynamic environments m e.g., load balancing, locate the nearest printer
Outline r Recap r r DNS r Network application programming 42
43 Socket Programming Socket API r introduced in BSD4.1 UNIX, 1981 r Two types of sockets m Connectionless (UDP) m connection-oriented (TCP) an interface (a “door”) into which one application process can both send and receive messages to/from another (remote or local) application process socket
44 Services Provided by Transport r Transmission control protocol (TCP) m multiplexing/demultiplexing m reliable data transfer m rate control: flow control and congestion control r User data protocol (UDP) m multiplexing/demultiplexing Host A Hello Host B I am ready DATA ACK
45 Big Picture: Socket buffers, states buffers, states
46 UDP Java API buffers, states buffers, states
47 DatagramSocket(Java) r DatagramSocket() constructs a datagram socket and binds it to any available port on the local host r DatagramSocket(int lport) constructs a datagram socket and binds it to the specified port on the local host machine. r DatagramSocket(int lport, InetAddress laddr) creates a datagram socket and binds to the specified local port and laddress. r DatagramSocket(SocketAddress bindaddr) creates a datagram socket and binds to the specified local socket address. r DatagramPacket(byte[] buf, int length) constructs a DatagramPacket for receiving packets of length length. r DatagramPacket(byte[] buf, int length, InetAddress address, int port) constructs a datagram packet for sending packets of length length to the specified port number on the specified host. r receive(DatagramPacket p) receives a datagram packet from this socket. r send(DatagramPacket p) sends a datagram packet from this socket. r close() closes this datagram socket.
Connectionless UDP: Big Picture (Java version) close clientSocket Server (running on serv ) read reply from clientSocket create socket, clientSocket = DatagramSocket() Client Create datagram using ( serv, x) as (dest addr. port), send request using clientSocket create socket, port= x, for incoming request: serverSocket = DatagramSocket( x ) read request from serverSocket write reply to serverSocket generate reply, create datagram using client host address, port number r Create socket with port number: DatagramSocket sSock = new DatagramSocket(9876); r If no port number is specified, the OS will pick one
49 Example: UDPServer.java r A simple UDP server which changes any received sentence to upper case.
50 Java Server (UDP): Create Socket import java.io.*; import java.net.*; class UDPServer { public static void main(String args[]) throws Exception { DatagramSocket serverSocket = new DatagramSocket(9876); Create datagram socket bind at port 9876 Check socket state: %netstat –p udp –n
51 System State after the Call server UDP socket space address: {*:9876} snd/recv buf: address: { :53} snd/recv buf: “*” indicates that the socket binds to all IP addresses of the machine: % ifconfig -a local address why shown as “*”? local port