
Jun 17, 2020


dariahiddleston

For more project visit www.techshristi.com

PAGE INDEX

TOPIC

1. INTRODUCTION
2. DNS HISTORY
3. DNS FEATURES
4. DNS NAME HIERARCHY
5. TYPES OF NAME SERVERS
6. ACCESSING A WEB PAGE
7. SENDING AN EMAIL
8. TYPES OF DNS QUERIES
9. DNS CACHING
10. DOMAIN NAME REGISTRATION
11. SECURITY ISSUES
12. DNS RESOURCE RECORDS
13. DNS CONCERNS
14. CONCLUSION
15. REFERENCES

INTRODUCTION


ABSTRACT:

The Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participants. Most importantly, it translates domain names meaningful to humans into the numerical (binary) identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide. An often-used analogy to explain the Domain Name System is that it serves as the "phone book" for the Internet by translating human-friendly computer hostnames into IP addresses. For example, www.example.com translates to 192.0.32.10.

The Domain Name System makes it possible to assign domain names to groups of Internet users in a meaningful way, independent of each user's physical location. Because of this, World Wide Web (WWW) hyperlinks and Internet contact information can remain consistent and constant even if the current Internet routing arrangements change or the participant uses a mobile device. Internet domain names are easier to remember than IP addresses such as 208.77.188.166 (IPv4) or 2001:db8:1f70::999:de8:7648:6e8 (IPv6). People take advantage of this when they recite meaningful URLs and e-mail addresses without having to know how the machine will actually locate them.


The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses by designating authoritative name servers for each domain. Authoritative name servers are assigned to be responsible for their particular domains, and in turn can assign other authoritative name servers for their sub-domains. This mechanism has made the DNS distributed and fault tolerant and has helped avoid the need for a single central register to be continually consulted and updated.

In general, the Domain Name System also stores other types of information, such as the list of mail servers that accept email for a given Internet domain. By providing a worldwide, distributed keyword-based redirection service, the Domain Name System is an essential component of the functionality of the Internet.

Names versus Addresses

• An address is how you get to an endpoint
o Often hierarchical, which helps with scaling
o Examples: 950 Charter Street, Redwood City CA, 94063; +1.650.381.6003; 204.152.187.11

• A name is how an endpoint is referenced
o Often with no structurally significant hierarchy
o Examples: “David”, “Tokyo”, “itu.int”, “google.com”

• Names are more people-friendly.


An Analogy

• Devices on the telephone network all have a number
• People have a hard time remembering numbers, but…
• The network needs the numbers to connect endpoints
• So a directory provides association of names people know with the numbers where they can be reached
• Computers on the Internet all have a number
• The DNS takes names people can relate to and converts them into the numbers computers need to interact.
• This analogy has a crucial flaw: the DNS is not a directory service.
o There is no way to search the data.


[Figure: COMPARISON BETWEEN DNS AND FILE SYSTEM. A DNS name tree (levels: com, net, au; com, net, org, id; google, yahoo, microsoft) beside a directory tree (levels: C:; Program Files, Temp, Windows; System32, Fonts, Cache, Media; dllcache, spool, drivers).]


[Figure: NAMING A DOMAIN. A DNS name tree beside a Windows directory tree, each with a “Start Here” marker.]

Naming a Domain: yahoo.com.au. (a “.” is used as separator)

Naming a Directory: C:\windows\system32\drivers\ (a “\” is used as separator)


DNS HISTORY

The practice of using a name as a humanly more meaningful abstraction of a host's numerical address on the network dates back to the ARPANET era. Before the DNS was invented in 1983, each computer on the network retrieved a file called HOSTS.TXT from a computer at SRI (now SRI International). The HOSTS.TXT file mapped names to numerical addresses. A hosts file still exists on most modern operating systems, either by default or through explicit configuration. Many operating systems use name resolution logic that allows the administrator to configure selection priorities for available DNS resolution methods.

The rapid growth of the network required a scalable system that recorded a change in a host's address in one place only. Other hosts would learn about the change dynamically through a notification system, thus completing a globally accessible network of all hosts' names and their associated IP addresses.

At the request of Jon Postel, Paul Mockapetris invented the Domain Name System in 1983 and wrote the first implementation. The original specifications appeared in RFC 882 and RFC 883, which were superseded in November 1987 by RFC 1034 and RFC 1035. Several additional Requests for Comments have proposed various extensions to the core DNS protocols.


In 1984, four Berkeley students—Douglas Terry, Mark Painter, David Riggle and Songnian Zhou—wrote the first UNIX implementation, which was maintained by Ralph Campbell thereafter. In 1985, Kevin Dunlap of DEC significantly re-wrote the DNS implementation and renamed it BIND—Berkeley Internet Name Domain. Mike Karels, Phil Almquist and Paul Vixie have maintained BIND since then. BIND was ported to the Windows NT platform in the early 1990s.

BIND was widely distributed, especially on Unix systems, and is the dominant DNS software in use on the Internet. With the heavy use and resulting scrutiny of its open-source code, as well as increasingly more sophisticated attack methods, many security flaws were discovered in BIND. This contributed to the development of a number of alternative nameserver and resolver programs. BIND itself was re-written from scratch in version 9, which has a security record comparable to other modern Internet software.

The DNS protocol was developed and defined in the early 1980s and published by the Internet Engineering Task Force.


DNS FEATURES

I. DNS is a Database:

• Keys to the database are “domain names”
o www.foo.com, 18.in-addr.arpa, 6.4.e164.arpa
• Over 100,000,000 domain names are now stored.
• Each domain name contains one or more attributes, known as resource records.
o Each attribute is individually retrievable.

II. Global Distribution:

• Data is maintained locally, but retrievable globally
• No single computer has all DNS data
• DNS lookups can be performed by any Internet-connected device
• Remote DNS data is locally cacheable to improve performance


III. Loose Coherency:

• The database is always internally consistent
o Each version of a subset of the database (a zone) has a serial number
o The serial number is incremented on each database change
• Changes to the master copy of the database are replicated according to timing set by the zone administrator
• Cached data expires according to timeout set by zone administrator.

IV. Scalability:

• No intrinsic limit to the size of the database
o Some servers have over 20,000,000 names
o Not a particularly good idea
• No limit to the number of queries
o 80,000 queries per second handled regularly
• Queries distributed among many different servers


V. Reliability:

• Data is replicated
o Data from master source is copied to multiple slave servers
o Clients can query master server or slave servers
• DNS protocols can use either UDP or TCP
o UDP is inherently unreliable, but the DNS protocol handles retransmission (perhaps with TCP), sequencing, et cetera.

VI. Dynamic Updates:

• Database can be updated dynamically
o Master server accepts updates over the network
o Add/delete/modify any record
• Modification of the master database triggers replication
o Only master can be dynamically updated
o Dynamic updates create a single point of failure


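[Figure: DNS name hierarchy tree. Nodes shown: . (root); top-level domains com, gov, edu, org; toronto.edu, uci.edu; ece.toronto.edu, math.toronto.edu; neon.ece.toronto.edu. Regions of the tree are labelled “Managed by UofT” and “Managed by ECE Dept.”]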

DNS Name Hierarchy

• DNS hierarchy can be represented by a tree

• Root and top-level domains are administered by an Internet central name registration authority (ICANN)

• Below top-level domain, administration of name space is delegated to organizations

• Each organization can delegate further


[Figure: MODEL FOR HIERARCHY OF NAME SERVERS. Level labels: “root” zone, TLDs & ccTLDs, 2LDs, 3LDs, 4LDs. Names shown: com, net, au, info, biz, org, other ccTLDs, id, internal, prosrs, google, yahoo, theage, microsoft, ausregistry.]


13 root name servers worldwide

a Verisign, Dulles, VA
b USC-ISI Marina del Rey, CA
c Cogent, Herndon, VA (also LA)
d U Maryland College Park, MD
e NASA Mt View, CA
f Internet Software C. Palo Alto, CA (and 36 other locations)
g US DoD Vienna, VA
h ARL Aberdeen, MD
i Autonomica, Stockholm (plus 28 other locations)
j Verisign (21 locations)
k RIPE London (also 16 other locations)
l ICANN Los Angeles, CA
m WIDE Tokyo (also Seoul, Paris, SF)

TYPES OF NAME SERVERS

I. ROOT NAME SERVERS: contacted by a local name server that cannot resolve a name

root name server:

o contacts authoritative name server if name mapping not known

o gets mapping

o returns mapping to local name server


Addresses of root servers:

A.ROOT-SERVERS.EDU. (formerly NS.INTERNIC.NET) 10.0.2.32

A.ROOT-SERVERS.NET. (formerly NS1.ISI.EDU) 198.41.0.4

B.ROOT-SERVERS.NET. (formerly C.PSI.NET) 128.9.0.107

C.ROOT-SERVERS.NET. (TERP.UMD.EDU) 192.33.4.12

D.ROOT-SERVERS.NET. (NS.NASA.GOV) 128.8.10.90

E.ROOT-SERVERS.NET. (NS.ISC.ORG) 192.203.23

F.ROOT-SERVERS.NET. (NS.NIC.DDN.MIL) 192.5.5.241

G.ROOT-SERVERS.NET. (AOS.ARL.ARMY.MIL) 192.112.36.4

H.ROOT-SERVERS.NET. (NIC.NORDU.NET) 128.63.2.53

I.ROOT-SERVERS.NET. (at NSI (InterNIC)) 192.36.148.17

J.ROOT-SERVERS.NET. (operated by RIPE NCC) 198.41.0.10

K.ROOT-SERVERS.NET. (at ISI (IANA)) 193.0.14.129

L.ROOT-SERVERS.NET. (operated by WIDE, Japan) 198.32.64

M.ROOT-SERVERS.NET. 202.12.27.33


II. Top-level domain (TLD) servers: responsible for com, org, net, edu, etc., and all top-level country domains, e.g. uk, fr, ca, jp.

• Network Solutions maintains servers for com TLD

• Educause for edu TLD


com Commercial organizations

edu Educational institutions

gov Government institutions

int International organizations

mil U.S. military institutions

net Networking organizations

org Non-profit organizations


III. Authoritative DNS servers: organization’s DNS servers, providing authoritative hostname to IP mappings for organization’s servers (e.g., Web and mail).

• Can be maintained by organization or service provider.

IV. Local Name Server: Each ISP (residential ISP, company, university) has one.

• Also called “default name server”

• When a host makes a DNS query, query is sent to its local DNS server

• Acts as a proxy, forwards query into hierarchy.

• Reduces lookup latency for commonly searched hostnames


Accessing a web page

You type http://www.google.com into your web browser and hit enter. What happens now?

Step 1: Your PC sends a resolution request to its configured DNS server, typically at your ISP.

[Figure: Your PC asks the ISP “Recursive” DNS server: “Tell me the address of www.google.com”]


Step 2: Your ISP's recursive name server starts by asking one of the root servers predefined in its “hints” file.

[Figure: The ISP “Recursive” DNS server asks the root servers: “Tell me the address of www.google.com”. Reply: “I don’t know the address but I know who’s authoritative for the ‘com’ domain, ask them”]


Step 3: Your ISP's recursive name server then asks one of the “com” name servers as directed.

[Figure: The ISP “Recursive” DNS server asks the “com” DNS servers: “Tell me the address of www.google.com”. Reply: “I don’t know the address but I know who’s authoritative for the ‘google.com’ domain, ask them”]


Step 4: Your ISP's recursive name server then asks one of the “google.com” name servers as directed.

[Figure: The ISP “Recursive” DNS server asks the google.com DNS server: “Tell me the address of www.google.com”. Reply: “The address of www.google.com is 216.239.53.99”]


Step 5: The ISP DNS server then sends the answer back to your PC. The DNS server will “remember” the answer for a period of time.

[Figure: The ISP “Recursive” DNS server replies to your PC: “The address of www.google.com is 216.239.53.99”]


[Figure: ALL STEPS IN ONE. Your PC, the ISP “Recursive” DNS server, the “root” DNS servers, the “com” DNS servers, the google.com DNS server and the google.com.au web server, with numbered arrows for the DNS requests and, as step 6, the actual web (HTTP) request.]


Sending an Email

• DNS is not just used in HTTP protocol (web pages)

• DNS is involved in almost every protocol in use on the internet

• Next example is how DNS facilitates the transfer of electronic mail.

Step 1: Your PC sends the e-mail to its configured outbound mail server. A DNS request similar to the previous example is required to find the address of the mail server.

[Figure: Your PC tells the outbound mail (SMTP) server: “Please send this message to [email protected]”]


Step 2: Your mail server follows the same intensive process to find the authoritative servers for “example.com”.

[Figure: The outbound mail server asks the DNS servers: “Tell me the name servers for example.com”. Reply: “Here are the name servers for example.com”]


Step 3: Ask the “example.com” name server for the list of “Mail eXchangers” (MX) for that domain.

[Figure: The outbound mail server asks the example.com DNS server: “Tell me the MXs for example.com”. Reply: “The MXs are mx10.example.com and mx20.backmail.com”]


Step 4: Select a Mail server and deliver the mail.

[Figure: The outbound mail server tells the example.com mail server: “Here is some mail for the example.com domain”. Reply: “Mail accepted for delivery”]


TYPES OF QUERIES

Recursive and Iterative Queries:

There are two types of queries:

• Recursive queries

• Iterative (non-recursive) queries

The type of query is determined by a bit in the DNS query.

• Recursive query: When the name server of a host cannot resolve a query, the server itself issues a query to resolve it

• Iterative query: When the name server of a host cannot resolve a query, it sends the resolver a referral to another server


Recursive queries

• In a recursive query, the resolver expects the response from the name server

• If the server cannot supply the answer, it will send the query to the “closest known” authoritative name server (here: in the worst case, the closest known server is the root server)

• The root server sends a referral to the “edu” server. Querying this server yields a referral to the server of “virginia.edu”

• … and so on


[Figure: Recursive queries]


Iterative queries

• In an iterative query, the name server replies with the closest known authoritative name server, or with a referral to the root server.

• This involves more work for the resolver
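
The bit that selects the query type is the RD (recursion desired) flag in the 12-byte DNS header of RFC 1035. The added example below (not part of the original document) builds a query with the flag set or cleared and decodes a reply header; the query ID and the function names are constructed for the illustration.

```python
import struct

# Header flag bits from RFC 1035, section 4.1.1
FLAG_QR = 0x8000  # message is a response
FLAG_AA = 0x0400  # reply comes from an authoritative server
FLAG_RD = 0x0100  # recursion desired: set by the client, echoed in replies
FLAG_RA = 0x0080  # recursion available: set by the server
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > 255:
        raise ValueError("encoded name longer than 255 bytes")
    return out


def build_query(name, query_id, recursive):
    """Build an A-record query; `recursive` decides the RD bit."""
    flags = FLAG_RD if recursive else 0
    header = struct.pack("!HHHHHH", query_id, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_header(message):
    """Decode the fixed 12-byte header of a query or reply."""
    if len(message) < 12:
        raise ValueError("DNS header is 12 bytes; message too short")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": qid,
        "is_response": bool(flags & FLAG_QR),
        "authoritative": bool(flags & FLAG_AA),
        "recursion_desired": bool(flags & FLAG_RD),
        "recursion_available": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }


def looks_like_referral(message):
    """Heuristic: an error-free, non-authoritative reply that carries no
    answers but does carry name server records in the authority section."""
    header = parse_header(message)
    _, answers, authority, _ = header["counts"]
    return (header["is_response"] and not header["authoritative"]
            and header["rcode"] == 0 and answers == 0 and authority > 0)


if __name__ == "__main__":
    for recursive in (True, False):
        query = build_query("www.google.com", 0x1234, recursive)
        print(recursive, query[:4].hex(), parse_header(query))
```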


DNS CACHING

Caching can substantially reduce overhead

The top-level Domain servers very rarely change

Popular sites (e.g., www.google.com) visited often

Once (any) name server learns mapping, it caches mapping

cache entries timeout (disappear) after some time

TLD servers typically cached in local name servers

Thus root name servers not often visited
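
The five lookup steps of the web page walk-through and the caching rules above can be traced in a small simulation. This is an added example, not part of the original document: the three in-memory servers, their TTLs and the one-day TTL cap are assumptions made for the illustration, and no network traffic is sent.

```python
import time

# Constructed name servers (sample data, not real DNS): each holds either
# delegations to child zones or final address records.
SERVERS = {
    "root": {"delegations": {"com.": ("com-tld", 172800)}, "records": {}},
    "com-tld": {"delegations": {"google.com.": ("ns-google", 172800)},
                "records": {}},
    "ns-google": {"delegations": {},
                  "records": {"www.google.com.": ("216.239.53.99", 300)}},
}
ROOT_HINT = "root"     # stands in for the resolver's "hints" file
MAX_REFERRALS = 8      # stop runaway referral chains


def ask(server, qname):
    """One iterative query: an answer, a referral, or a name error."""
    data = SERVERS[server]
    if qname in data["records"]:
        address, ttl = data["records"][qname]
        return ("answer", address, ttl)
    best = None
    for zone, (target, ttl) in data["delegations"].items():
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, target, ttl)
    return ("referral",) + best if best else ("nxdomain",)


class RecursiveResolver:
    def __init__(self, clock=time.monotonic, max_ttl=86400):
        self.clock = clock
        self.max_ttl = max_ttl     # cap on how long any entry may be cached
        self.answers = {}          # qname -> (address, expires_at)
        self.delegations = {}      # zone  -> (server, expires_at)

    def _put(self, table, key, value, ttl):
        ttl = max(0, min(ttl, self.max_ttl))
        table[key] = (value, self.clock() + ttl)

    def _get(self, table, key):
        entry = table.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if self.clock() >= expires_at:
            del table[key]          # timed out: forget the mapping
            return None
        return value

    def _closest_server(self, qname):
        """Deepest cached delegation covering qname, else the root hint."""
        labels = qname.split(".")
        for i in range(len(labels) - 1):
            server = self._get(self.delegations, ".".join(labels[i:]))
            if server is not None:
                return server
        return ROOT_HINT

    def resolve(self, name):
        """Return (address or None, list of servers asked)."""
        qname = name.lower().rstrip(".") + "."
        asked = []
        cached = self._get(self.answers, qname)
        if cached is not None:
            return cached, asked
        server = self._closest_server(qname)
        for _ in range(MAX_REFERRALS):
            asked.append(server)
            reply = ask(server, qname)
            if reply[0] == "answer":
                self._put(self.answers, qname, reply[1], reply[2])
                return reply[1], asked
            if reply[0] != "referral":
                return None, asked
            zone, server, ttl = reply[1:]
            self._put(self.delegations, zone, server, ttl)
        raise RuntimeError("too many referrals for " + qname)


if __name__ == "__main__":
    now = [0]
    resolver = RecursiveResolver(clock=lambda: now[0])
    for t in (0, 10, 301, 86400):
        now[0] = t
        print(t, resolver.resolve("www.google.com"))
```

The first lookup visits all three servers, a repeat within the answer's TTL visits none, and a lookup after the answer has expired goes straight to the cached google.com server. The cap bounds how long a wrong entry can stay cached, which matters for the long-TTL scenario in the Security Issues section.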


Domain Name Registration

The right to use a domain name is delegated by domain name registrars which are accredited by the Internet Corporation for Assigned Names and Numbers (ICANN), the organization charged with overseeing the name and number systems of the Internet. In addition to ICANN, each top-level domain (TLD) is maintained and serviced technically by an administrative organization, operating a registry. A registry is responsible for maintaining the database of names registered within the TLD it administers. The registry receives registration information from each domain name registrar authorized to assign names in the corresponding TLD and publishes the information using a special service, the whois protocol.

ICANN publishes the complete list of TLD registries and domain name registrars. Registrant information associated with domain names is maintained in an online database accessible with the WHOIS service. For most of the more than 240 country code top-level domains (ccTLDs), the domain registries maintain the WHOIS (Registrant, name servers, expiration dates, etc.) information. For instance, DENIC, Germany NIC, holds the DE domain data. Since about 2001, most gTLD registries have adopted this so-called thick registry approach, i.e. keeping the WHOIS data in central registries instead of registrar databases.


For COM and NET domain names, a thin registry model is used: the domain registry (e.g. VeriSign) holds basic WHOIS (registrar and name servers, etc.) data. One can find the detailed WHOIS (registrant, name servers, expiry dates, etc.) at the registrars.

Some domain name registries, often called network information centers (NIC), also function as registrars to end-users. The major generic top-level domain registries, such as for the COM, NET, ORG, INFO domains and others, use a registry-registrar model consisting of hundreds of domain name registrars (see lists at ICANN or VeriSign). In this method of management, the registry only manages the domain name database and the relationship with the registrars. The registrants (users of a domain name) are customers of the registrar, in some cases through additional layers of resellers.


Security Issues

DNS was not originally designed with security in mind, and thus has a number of security issues.

One class of vulnerabilities is DNS cache poisoning, which tricks a DNS server into believing it has received authentic information when, in reality, it has not. DNS responses are traditionally not cryptographically signed, leading to many attack possibilities. The Domain Name System Security Extensions (DNSSEC) modifies DNS to add support for cryptographically signed responses. There are various extensions to support securing zone transfer information as well.

Even with encryption, a DNS server could become compromised by a virus (or for that matter a disgruntled employee) that would cause IP addresses of that server to be redirected to a malicious address with a long TTL. This could have far-reaching impact on potentially millions of Internet users if busy DNS servers cache the bad IP data. This would require manual purging of all affected DNS caches as required by the long TTL (up to 68 years).


Some domain names can spoof other, similar-looking domain names. For example, "paypal.com" and "paypa1.com" are different names, yet users may be unable to tell the difference when the user's typeface (font) does not clearly differentiate the letter l and the numeral 1. This problem is much more serious in systems that support internationalized domain names, since many characters that are different, from the point of view of ISO 10646, appear identical on typical computer screens. This vulnerability is often exploited in phishing.
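
One way a defender can flag such lookalikes in mail or proxy logs is to compare a normalised "skeleton" of each observed name with the names to protect, and to report labels that mix scripts. This is an added example, not part of the original document; the confusable-character table is a small constructed subset and the function names are hypothetical.

```python
import unicodedata

# Small constructed subset of visually confusable characters, for
# illustration only; it is not the full Unicode confusables table.
CONFUSABLES = {
    "1": "l", "0": "o",
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}


def to_unicode(domain):
    """Lower-case a name and decode any xn-- (punycode) labels."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # keep an undecodable label exactly as seen
        labels.append(label)
    return ".".join(labels)


def skeleton(domain):
    """Replace each confusable character by the letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in to_unicode(domain))


def label_scripts(label):
    """Scripts used by the letters of one label, e.g. {'LATIN', 'CYRILLIC'}."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def check_domain(domain, protected):
    """Return findings for one observed name against the protected names."""
    findings = []
    shown = to_unicode(domain)
    for label in shown.split("."):
        if len(label_scripts(label)) > 1:
            findings.append(("mixed-script", label))
    for good in protected:
        if shown != to_unicode(good) and skeleton(shown) == skeleton(good):
            findings.append(("lookalike", good))
    return findings


if __name__ == "__main__":
    # Constructed sample names; the third uses a Cyrillic "a".
    for seen in ("paypal.com", "paypa1.com", "p\u0430ypal.com"):
        print(ascii(seen), check_domain(seen, ["paypal.com"]))
```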

Techniques such as Forward Confirmed reverse DNS can also be used to help validate DNS results.


USAGE OTHER APPLICATIONS

The system outlined above provides a somewhat simplified scenario. The Domain Name System includes several other functions:

• Hostnames and IP addresses do not necessarily match on a one-to-one basis. Many hostnames may correspond to a single IP address: combined with virtual hosting, this allows a single machine to serve many web sites. Alternatively a single hostname may correspond to many IP addresses: this can facilitate fault tolerance and load distribution, and also allows a site to move physical location seamlessly.

• There are many uses of DNS besides translating names to IP addresses. For instance, Mail transfer agents use DNS to find out where to deliver e-mail for a particular address. The domain to mail exchanger mapping provided by MX records accommodates another layer of fault tolerance and load distribution on top of the name to IP address mapping.


• E-mail Blacklists: The DNS system is used for efficient storage and distribution of IP addresses of blacklisted e-mail hosts. The usual method is putting the IP address of the subject host into the sub-domain of a higher level domain name, and resolving that name to different records to indicate a positive or a negative. A hypothetical example using blacklist.com:

o 102.3.4.5 is blacklisted => Creates 5.4.3.102.blacklist.com and resolves to 127.0.0.1

o 102.3.4.6 is not => 6.4.3.102.blacklist.com is not found, or defaults to 127.0.0.2

o E-mail servers can then query blacklist.com through the DNS mechanism to find out if a specific host connecting to them is in the blacklist. Today many such blacklists, either free or subscription-based, are available mainly for use by email administrators and anti-spam software.
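
The lookup described in this list, as an added example that is not part of the original document. It uses the document's hypothetical blacklist.com zone and return values (127.0.0.1 listed, 127.0.0.2 not listed); the `lookup` callback stands for whatever resolver the mail server uses and is an assumption of the example.

```python
import ipaddress

# Return values from the document's hypothetical blacklist.com example.
# Real lists publish their own return codes; check the list's documentation.
LISTED = {"127.0.0.1"}
NOT_LISTED = {"127.0.0.2"}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """102.3.4.5 + blacklist.com -> 5.4.3.102.blacklist.com"""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError if malformed
    reversed_octets = reversed(str(addr).split("."))
    return ".".join(reversed_octets) + "." + zone.strip(".")


def check_host(ip, zone, lookup):
    """Classify a connecting host as 'listed', 'not-listed' or 'unknown'.

    lookup(name) must return a list of IPv4 strings, an empty list when the
    name does not exist, and raise OSError on timeouts or server failures.
    """
    name = dnsbl_query_name(ip, zone)
    try:
        answers = lookup(name)
    except OSError:
        return "unknown", name     # an outage is not evidence of a listing
    if not answers:
        return "not-listed", name
    try:
        parsed = [ipaddress.IPv4Address(a) for a in answers]
    except ValueError:
        return "unknown", name
    if any(a not in LOOPBACK for a in parsed):
        # A routable address here usually means the resolver rewrites
        # "not found" answers, so the result says nothing about the host.
        return "unknown", name
    if any(str(a) in LISTED for a in parsed):
        return "listed", name
    if all(str(a) in NOT_LISTED for a in parsed):
        return "not-listed", name
    return "unknown", name


# Constructed zone contents for an offline run.
SAMPLE_ZONE = {"5.4.3.102.blacklist.com": ["127.0.0.1"]}


def sample_lookup(name):
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for host in ("102.3.4.5", "102.3.4.6"):
        print(host, check_host(host, "blacklist.com", sample_lookup))
```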

• Software Updates: many anti-virus and commercial software products now use the DNS system to store version numbers of the latest software updates so client computers do not need to connect to the update servers every time. For these types of applications, the cache time of the DNS records is usually shorter.


• Sender Policy Framework and DomainKeys, instead of creating their own record types, were designed to take advantage of another DNS record type, the TXT record.

• To provide resilience in the event of computer failure, multiple DNS servers are usually provided for coverage of each domain, and at the top level, thirteen very powerful root servers exist, with additional "copies" of several of them distributed worldwide via Anycast.

• Dynamic DNS (also referred to as DDNS) provides clients the ability to update their IP address in the DNS after it changes due to mobility


DNS Resource Records

DNS: distributed db for storing resource records (RR)

• Type=A

– name is hostname

– value is IP address

• Type=NS

– name is domain (e.g. foo.com)

– value is hostname of authoritative name server for this domain


RR format: (name, value, type, ttl)


• Type=CNAME

– name is alias name for some “canonical” (the real) name

www.ibm.com is really servereast.backup2.ibm.com

– value is canonical name

• Type=MX

– value is name of mailserver associated with name


[Table: Various Types of Resource Records]

[Figure: EXAMPLES OF RESOURCE RECORDS]


DNS CONCERNS

I.) Load Concerns:

• DNS can handle the load

– DNS root servers get approximately 3000 queries per second

• Empirical proofs (DDoS attacks) show root name servers can handle 50,000 queries per second

– Limitation is network bandwidth, not the DNS protocol

– in-addr.arpa zone, which translates numbers to names, gets about 2000 queries per second


II.) Performance Concerns:

• DNS is a very lightweight protocol

– Simple query – response

• Any performance limitations are the result of network limitations

– Speed of light

– Network congestion

– Switching/forwarding latencies


CONCLUSION

The whole process of the Presentation Seminar was very helpful and educative for me in terms of the experience which I gained during its preparation. I got to know the real meaning of how a web page is accessed in real life requirements. I am responsible for the success or failure of the presentation. This sense of responsibility could only have been inculcated within me through such an exercise.

Thus, basically, the Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource connected to the Internet or a private network, and it helps in the translation of domain names into their corresponding IP addresses.

In the end, I am very grateful to all my teachers, friends and the people who helped me immensely in the preparation of this presentation.

Thank You….
