Presentation is loading. Please wait.

Presentation is loading. Please wait.

Principles of Computer Security

Published byRobyn Greene Modified over 6 years ago

Similar presentations

Presentation on theme: "Principles of Computer Security"— Presentation transcript:

1 Principles of Computer Security
Instructor: Haibin Zhang

2 DNS, DNSSEC, and Beyond Domain name system DNS security extension
Improving DNSSEC and issues

3 DNS Computer: good at numbers Human: prefer names
What’s IP address of Google.com? Acknowledgement: Part of the slides from David Conrad at nominum.com

4 DNS Computer: good at numbers Human: prefer names
What’s IP address of Google.com?

5 Where DNS Names Stored A huge database
200,000,000 + domain names; increased rapidly

6 The Name Space The structure of the DNS database Tree structure

7 Domain Names The structure of the DNS database Tree structure

8 Name Servers Name servers store information about the name space in units called “zones” The name servers that load a complete zone are said to “have authority for” or “be authoritative for” the zone Usually, more than one name server are authoritative for the same zone This ensures redundancy and spreads the load Also, a single name server may be authoritative for many zones

9 Name Server Types Two main types of servers
Authoritative – maintains the data Master – where the data is edited Slave – where data is replicated to Caching – stores data obtained from an authoritative server

10 Name Servers Name servers store information about the name space in units called “zones” The name servers that load a complete zone are said to “have authority for” or “be authoritative for” the zone Usually, more than one name server are authoritative for the same zone This ensures redundancy and spreads the load Also, a single name server may be authoritative for many zones

11 Name Server Architecture
You can think of a name server as part of: database server, answering queries about the parts of the name space it knows about (i.e., is authoritative for), cache, temporarily storing data it learns from other name servers, and agent, helping resolvers and other name servers find data Also, the caching resolver can insert data into the cache, and can "query" the cache and the database server.

12 Name Resolution Name resolution is the process by which resolvers and name servers cooperate to find data in the name space

13 The Resolution Process
Let’s look at the resolution process step-by-step: annie.west.sprockets.com ping

14 The Resolution Process
The workstation annie asks its configured name server, dakota, for address dakota.west.sprockets.com What’s the IP address of annie.west.sprockets.com ping

15 The Resolution Process
The name server dakota asks a root name server, m, for address m.root-servers.net dakota.west.sprockets.com What’s the IP address of annie.west.sprockets.com ping

16 The Resolution Process
The root server m refers dakota to the com name servers This type of response is called a “referral” m.root-servers.net Here’s a list of the com name servers. Ask one of them. dakota.west.sprockets.com annie.west.sprockets.com ping

17 The Resolution Process
The name server dakota asks a com name server, f, for address What’s the IP address of m.root-servers.net dakota.west.sprockets.com f.gtld-servers.net annie.west.sprockets.com ping

18 The Resolution Process
The com name server f refers dakota to the nominum.com name servers Here’s a list of the nominum.com name servers. Ask one of them. m.root-servers.net dakota.west.sprockets.com f.gtld-servers.net annie.west.sprockets.com ping

19 The Resolution Process
The name server dakota asks a nominum.com name server, ns1.sanjose, for address What’s the IP address of m.root-servers.net dakota.west.sprockets.com ns1.sanjose.nominum.net f.gtld-servers.net annie.west.sprockets.com ping

20 The Resolution Process
The nominum.com name server ns1.sanjose responds with address m.root-servers.net dakota.west.sprockets.com Here’s the IP address for ns1.sanjose.nominum.net f.gtld-servers.net annie.west.sprockets.com ping

21 The Resolution Process
The name server dakota responds to annie with address Here’s the IP address for m.root-servers.net dakota.west.sprockets.com ns1.sanjose.nominum.net f.gtld-servers.net annie.west.sprockets.com ping

22 Resolution Process (Caching)
After the previous query, the name server dakota now knows: The names and IP addresses of the com name servers The names and IP addresses of the nominum.com name servers The IP address of Let’s look at the resolution process again annie.west.sprockets.com ping ftp.nominum.com.

23 Resolution Process (Caching)
The workstation annie asks its configured name server, dakota, for ftp.nominum.com’s address m.root-servers.net dakota.west.sprockets.com What’s the IP address of ftp.nominum.com? ns1.sanjose.nominum.net f.gtld-servers.net annie.west.sprockets.com ping ftp.nominum.com.

24 Resolution Process (Caching)
dakota has cached a NS record indicating ns1.sanjose is an nominum.com name server, so it asks it for ftp.nominum.com’s address What’s the IP address of ftp.nominum.com? m.root-servers.net dakota.west.sprockets.com ns1.sanjose.nominum.net f.gtld-servers.net annie.west.sprockets.com ping ftp.nominum.com.

25 Resolution Process (Caching)
The nominum.com name server ns1.sanjose responds with ftp.nominum.com’s address m.root-servers.net dakota.west.sprockets.com Here’s the IP address for ftp.nominum.com ns1.sanjose.nominum.net f.gtld-servers.net annie.west.sprockets.com ping ftp.nominum.com.

26 Resolution Process (Caching)
The name server dakota responds to annie with ftp.nominum.com’s address Here’s the IP address for ftp.nominum.com m.root-servers.net dakota.west.sprockets.com ns1.sanjose.nominum.net f.gtld-servers.net annie.west.sprockets.com ping ftp.nominum.com.

27 Iterative Name Resolution
The principle of iterative name resolution.

28 Recursive Name Resolution
The principle of recursive name resolution.

29 Iterative versus Recursive Resolution

30 Iterative versus Recursive Resolution
Performance-wise, which is better? Recursive method puts higher performance demand on each name server Which works better with caching? Recursive method works better with caching How about communication cost? Recursive method can reduce communication cost

31 The Current TLDs ARPA: originally was the acronym for the Advanced Research Projects Agency (ARPA), the funding organization in the United States that developed the precursor of the Internet (ARPANET), it now stands for Address and Routing Parameter Area.

32 Internet Corporation for Assigned Names and Numbers (ICANN)
ICANN’s role: to oversee the management of Internet resources including Addresses Delegating blocks of addresses to the regional registries Protocol identifiers and parameters Allocating port numbers, etc. Names Administration of the root zone file Oversee the operation of the root name servers Root zone file lists the names and numeric IP addresses of the authoritative DNS servers for all top-level domains (TLDs)

33 The Root Nameservers The root zone file lists the names and IP addresses of the authoritative DNS servers for all top-level domains (TLDs) The root zone file is published on 13 servers, “A” through “M”, around the Internet Root name server operations currently provided by volunteer efforts by a very diverse set of organizations

34 Root Name Server Operators
Operated by: A Verisign (US East Coast) B University of S. California –Information Sciences Institute (US West Coast) C Cogent Communications (US East Coast) D University of Maryland (US East Coast) E NASA (Ames) (US West Coast) F Internet Software Consortium (US West Coast) G U. S. Dept. of Defense (ARL) (US East Coast) H U. S. Dept. of Defense (DISA) (US East Coast) I Autonomica (SE) J K RIPE-NCC (UK) L ICANN (US West Coast) M WIDE (JP)

35 Registries, Registrars, and Registrants
A classification of roles in the operation of a domain name space Registry the name space’s database the organization which has edit control of that database the organization which runs the authoritative name servers for that name space Registrar the agent which submits change requests to the registry on behalf of the registrant Registrant the entity which makes use of the domain name

36 Registries, Registrars, and Registrants
Registry updates zone Master updated Zone DB Registry Slaves updated Registrar submits add/modify/delete to registry Registrar End user requests add/modify/delete Registrants

37 Verisign: the registry and registrar for gTLDs
.COM, .NET, and .ORG By far the largest top level domains on the Internet today Verisign received the contract for the registry for .COM, .NET, and .ORG also a registrar for these TLDs

38 Security Concerns Base DNS protocol (RFC 1034, 1035) is insecure
DNS spoofing (cache poisoning) attacks are possible DNS Security Enhancements (DNSSEC, RFC 2565) remedies this flaw

Download ppt "Principles of Computer Security"

Similar presentations

Structured Naming Internet Naming Service: DNS* Chapter 5 *referred to slides by David Conrad at nominum.com.

Structured Naming Internet Naming Service: DNS* Chapter 5 *referred to slides by David Conrad at nominum.com.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Yerevan, July 11, 20121 Armenian edition of Jovan Kurbalija’s book “Internet Governance” I.Mkrtumyan, ISOC AM H.Baghyan, MediaEducation Center.

Yerevan, July 11, Armenian edition of Jovan Kurbalija’s book “Internet Governance” I.Mkrtumyan, ISOC AM H.Baghyan, MediaEducation Center.
DNS DOMAIN NAME SYSTEM NAME SYSTEM By Lijo George.

DNS DOMAIN NAME SYSTEM NAME SYSTEM By Lijo George.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
DNS Domain Name System. Domain names and IP addresses People prefer to use easy-to-remember names instead of IP addresses Domain names are alphanumeric.

DNS Domain Name System. Domain names and IP addresses People prefer to use easy-to-remember names instead of IP addresses Domain names are alphanumeric.
Domain Name System (or Service) (DNS) Computer Networks Computer Networks Term B10.

Domain Name System (or Service) (DNS) Computer Networks Computer Networks Term B10.
Application Layer12-1 2010 session 1 TELE3118: Network Technologies Week 12: DNS Some slides have been taken from: r Computer Networking: A Top Down Approach.

Application Layer session 1 TELE3118: Network Technologies Week 12: DNS Some slides have been taken from: r Computer Networking: A Top Down Approach.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
25.1 Chapter 25 Domain Name System Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

25.1 Chapter 25 Domain Name System Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
DNS. Outline r Domain Name System r DNS Hierarchy r Resolution.

DNS. Outline r Domain Name System r DNS Hierarchy r Resolution.
Domain Name Services Oakton Community College CIS 238.

Domain Name Services Oakton Community College CIS 238.
Name Resolution and DNS. Domain names and IP addresses r People prefer to use easy-to-remember names instead of IP addresses r Domain names are alphanumeric.

Name Resolution and DNS. Domain names and IP addresses r People prefer to use easy-to-remember names instead of IP addresses r Domain names are alphanumeric.
11.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,

11.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.

NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.
Basic DNS Course Lecturer: Ron Aitchison. Module 1 DNS Theory.

Basic DNS Course Lecturer: Ron Aitchison. Module 1 DNS Theory.
CS 4396 Computer Networks Lab

CS 4396 Computer Networks Lab
Chapter 16 – DNS. DNS Domain Name Service This service allows client machines to resolve computer names (domain names) to IP addresses DNS works at the.

Chapter 16 – DNS. DNS Domain Name Service This service allows client machines to resolve computer names (domain names) to IP addresses DNS works at the.
Domain Names System The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the.

Domain Names System The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the.

Similar presentations

Ads by Google