DNS: Domain Name Systems In Practice


DOMAIN NAME PARTS

Parts of a domain name
- A domain name consists of two or more parts, separated by periods
  - Technically called labels
  - Example: wikipedia.org
- The rightmost label conveys the top-level domain (a.k.a. the TLD)
  - wikipedia.org has the top-level domain org
  - en.wikipedia.org also has the top-level domain org
- Each label to the left specifies a subdivision or subdomain of the domain above it
  - Note: "subdomain" expresses relative dependence, not absolute dependence:
    - wikipedia.org comprises a subdomain of the org domain
    - en.wikipedia.org comprises a subdomain of the domain wikipedia.org
- Note: the root "." is always there. At times it may be implied, at others it must be explicitly listed
  - e.g. wikipedia.org.

Parts of a domain name
- A domain name usually consists of two or more parts (labels), separated by dots
- In theory:
  - Subdivisions can go 127 levels deep
  - Each label can contain up to 63 characters
  - Overall limit:
    - The entire domain name cannot exceed a total length of 253 characters
    - 255 octets on the wire, once the separators (the per-label length octets) are counted
- In practice:
  - Some domain registries have shorter limits
  - Typically restricted by the host OS
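An added example, not from the slides, that checks a name against the limits just listed; the 255 figure is the wire form, in which every label is preceded by a length octet and the root is a single zero octet:

```python
# Added example, not from the slides: check a domain name against the structural
# limits above (labels of 1..63 characters, at most 127 labels, 253 characters in
# presentation form, 255 octets in wire form where each label carries a length
# octet and the root is a single zero octet).

def split_labels(name: str) -> list[str]:
    """Split a presentation-form name into labels, dropping the explicit root dot."""
    if name.endswith("."):
        name = name[:-1]               # "wikipedia.org." -> "wikipedia.org"
    return name.split(".") if name else []

def wire_length(labels: list[str]) -> int:
    """Octets used on the wire: one length octet per label plus the label bytes,
    plus the single zero octet that encodes the root label."""
    return sum(1 + len(label) for label in labels) + 1

def validate_domain_name(name: str) -> tuple[bool, str]:
    """Return (ok, reason). Checks only the limits from the slides, not the
    letters-digits-hyphen hostname rule."""
    labels = split_labels(name)
    if not labels:
        return False, "empty name"
    if len(labels) > 127:
        return False, f"{len(labels)} labels exceeds the 127-level limit"
    for label in labels:
        if label == "":
            return False, "empty label (consecutive dots)"
        if len(label) > 63:
            return False, f"label {label[:8]!r}... exceeds 63 characters"
    if len(".".join(labels)) > 253:
        return False, "name exceeds 253 characters"
    # A 253-character name with n labels is always 255 octets on the wire:
    # n length octets replace the n-1 dots, and the root adds one more octet.
    assert wire_length(labels) <= 255
    return True, "ok"

if __name__ == "__main__":
    for candidate in ["wikipedia.org", "en.wikipedia.org.", "a" * 64 + ".example", "."]:
        print(candidate[:24], validate_domain_name(candidate))
```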

Parts of a domain name
- Hostname refers to a domain name that has one or more associated IP addresses
  - en.wikipedia.org and www.wikipedia.org are hostnames
  - org is a TLD
  - wikipedia.org is a domain
- The Domain Name System consists of a hierarchical set of DNS servers
  - Each domain or subdomain has one or more authoritative DNS servers
    - They publish information about that domain and the name servers of any domains "beneath" it
  - The hierarchy of authoritative DNS servers matches the hierarchy of domains
  - At the top of the hierarchy stand the root name servers:
    - The servers to query when resolving a top-level domain name (TLD)

Parts of a domain name
- Two query types:
  - Iterative query: the DNS server may provide a partial answer to the query (or give an error)
    - DNS servers must support non-recursive (iterative) queries
  - Recursive query: the DNS server will fully answer the query (or give an error)
    - DNS servers are not required to support recursive queries
    - Resolvers negotiate use of recursive service using bits in the query headers
    - The requester can also be another DNS server acting recursively on behalf of another resolver

ADDRESS RESOLUTION MECHANISM

Address resolution mechanism
- A full host name may have several name segments
  - e.g. ahost.ofasubnet.ofabiggernet.inadomain.example.
- In practice full host names typically consist of three segments
  - ahost.inadomain.example
  - www.inadomain.example
- Note: sometimes the first name is "implied"
  - e.g. although inadomain.example is a domain name, it may resolve to a server
- Software interprets the name segment by segment, starting on the right and working left
  - Uses an iterative search procedure
  - Each step along the way:
    - The program queries a corresponding DNS server
    - That server provides a pointer to the next server which it should consult
- (This description deliberately uses the fictional .example TLD in accordance with the DNS guidelines themselves.)

Address resolution mechanism
- Example:
  - A DNS recursor consults three name servers to resolve the address www.wikipedia.org.
  - Note: that "." at the end is important; that is the root domain
    - Sometimes it is required, sometimes it is implied

Address resolution mechanism
- As originally envisaged, the process was simple:
  - The local system is pre-configured with the known addresses of the root servers in a file of root hints
    - Updated periodically by a local administrator from a reliable source
    - Kept up to date with the latest changes
  - Query one of the root servers to find the server authoritative for the next level down
  - Query this second server for the address of a DNS server with detailed knowledge of the second-level domain
  - Repeat the previous step to progress down the name, until the final step, which would return the final address sought

Address resolution mechanism
- A search done in this simple form has a major problem:
  - It puts a huge operating burden on the root servers
    - Each and every search for an address would be started by querying one of them
    - Such heavy use would create an insurmountable bottleneck for the trillions of queries placed every day
  - Root name servers are critical to the overall function of the system
- In practice preemptive measures are taken

Circular dependencies and glue records
- Name servers in delegations are listed by name
  - Not by IP address
  - A resolving name server must issue another DNS request to find out the IP address of the server to which it has been referred
  - This could introduce a circular dependency if the name server referred to is under the domain that it is authoritative for
- It is occasionally necessary for the name server providing the delegation to also provide the IP address of the next name server
  - This record is called a glue record

Circular dependencies and glue records
- For example:
  - The sub-domain en.wikipedia.org contains more sub-domains
    - e.g. w3.en.wikipedia.org
  - The authoritative name server for these is at ns1.en.wikipedia.org
  - To resolve w3.en.wikipedia.org a computer will have to resolve ns1.en.wikipedia.org
  - Since the host ns1 is also under the en.wikipedia.org subdomain, resolving ns1.en.wikipedia.org requires resolving ns1.en.wikipedia.org
    - Which leads to the circular dependency mentioned above
- The dependency is broken by the glue record in the name server of wikipedia.org
  - It provides the IP address of ns1.en.wikipedia.org directly to the requestor
  - Enabling it to bootstrap the process by figuring out where ns1.en.wikipedia.org is located
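An added example, not from the slides, that walks the iterative resolution of the previous slides over a constructed set of authoritative servers, following referrals from a root hint down to the answer, and shows how the en.wikipedia.org delegation fails to bootstrap without its glue record. The server data and all addresses (RFC 5737 documentation ranges) are constructed for the example and are not Wikipedia's real infrastructure.

```python
# Added example, not from the slides: a toy iterative resolver that walks constructed
# authoritative data from a root hint downwards, following referrals, and shows why the
# delegation of en.wikipedia.org to ns1.en.wikipedia.org needs a glue record.
ROOT_HINT = "198.51.100.1"   # constructed root-hint address

# address -> what that server knows: "auth" holds A records it is authoritative
# for; "deleg" maps a child zone to (NS names, glue {NS name: address}).
SERVERS = {
    "198.51.100.1": {"auth": {}, "deleg": {"org.": (
        ["a.org-servers.example."], {"a.org-servers.example.": "198.51.100.2"})}},
    "198.51.100.2": {"auth": {}, "deleg": {"wikipedia.org.": (
        ["ns0.wikipedia.org."], {"ns0.wikipedia.org.": "198.51.100.3"})}},
    # Glue is needed below: ns1.en.wikipedia.org lives inside the zone it serves.
    "198.51.100.3": {"auth": {"www.wikipedia.org.": "203.0.113.10"}, "deleg": {
        "en.wikipedia.org.": (["ns1.en.wikipedia.org."], {"ns1.en.wikipedia.org.": "198.51.100.4"})}},
    "198.51.100.4": {"auth": {"w3.en.wikipedia.org.": "203.0.113.20"}, "deleg": {}},
}

def in_zone(name, zone):
    """True if name is zone itself or lies below it (label-aligned suffix match)."""
    return name == zone or name.endswith("." + zone)

def best_referral(server, qname):
    """Longest delegation at this server that covers qname, or None."""
    hits = [(z, ns, glue) for z, (ns, glue) in server["deleg"].items() if in_zone(qname, z)]
    return max(hits, key=lambda h: len(h[0])) if hits else None

def resolve(qname, depth=0):
    """Resolve qname to an A record iteratively; returns (address, servers queried)."""
    if depth > 8:
        raise LookupError(f"{qname}: referral loop")
    addr, trail = ROOT_HINT, [ROOT_HINT]
    while True:
        server = SERVERS[addr]
        if qname in server["auth"]:
            return server["auth"][qname], trail
        ref = best_referral(server, qname)
        if ref is None:
            raise LookupError(f"{qname}: no data and no delegation at {addr}")
        zone, ns_names, glue = ref
        ns = ns_names[0]
        if ns in glue:                 # glue record: address came with the referral
            addr = glue[ns]
        elif in_zone(ns, zone):        # circular dependency: NS is inside the child zone
            raise LookupError(f"{qname}: {ns} is inside {zone} but no glue was supplied")
        else:                          # out-of-zone NS: resolve its address separately
            addr, _ = resolve(ns, depth + 1)
        trail.append(addr)
```

Deleting the glue entry for en.wikipedia.org from the constructed data makes `resolve("w3.en.wikipedia.org.")` raise the circular-dependency error instead of returning an address.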

HOW DNS WORKS IN PRACTICE

How DNS works in practice
- When an application tries to find the IP address of a domain name:
  - It doesn't necessarily follow all of the steps outlined in the Theory section
  - It uses caching

How DNS works in practice: Caching and time to live
- A huge volume of requests is generated by the DNS system
- Need a mechanism to reduce the load on individual DNS servers
  - The DNS resolution process allows for caching for a given period of time after a successful answer
    - Caching: the local recording and subsequent consultation of the results of a DNS query
    - How long a resolver caches a DNS response is determined by a value called the time to live (TTL)
    - The TTL is set by the administrator of the DNS server handing out the response
      - The period of validity may vary from just seconds to days or even weeks or years

How DNS works in practice: Caching time
- As a consequence of the distributed and caching architecture, changes to DNS do not always take effect immediately and globally
- Example:
  - An administrator has set a TTL of 6 hours for the host www.wikipedia.org (valid at 12:00)
  - Then changes the IP address to which www.wikipedia.org resolves at 12:01 pm
  - The administrator must consider that a person who cached a response with the old IP address at 12:00 pm will not consult the DNS server again until 6:00 pm
  - The period between 12:01 pm and 6:00 pm in this example is called caching time
    - The period of time that begins when you make a change to a DNS record and ends after the maximum amount of time specified by the TTL expires
    - This essentially leads to an important logistical consideration when making changes to DNS: not everyone is necessarily seeing the same thing you're seeing
- RFC 1537 helps to convey basic rules for how to set the TTL

How DNS works in practice: Caching time
- Note that the term "propagation" does not describe the effects of caching well
  - Specifically, it implies that:
    1. When a DNS change is made, it somehow spreads to all other DNS servers
       - Instead, other DNS servers check in with DNS as needed
    2. There is no control over the amount of time the record is cached
       - Instead, there is control over the TTL values for all DNS records in your domain
       - Except NS records and any authoritative DNS servers that use that domain name

How DNS works in practice: Caching time
- Some resolvers may override TTL values
- The protocol supports caching over vast periods
  - Up to 68 years
  - Or no caching at all (0 seconds)
- Negative caching (the non-existence of records) is determined by the name servers authoritative for a zone, which MUST include the SOA record (Start Of Authority) when reporting that no data of the requested type exists
  - The MINIMUM field of the SOA record and the TTL of the SOA itself are used to establish the TTL for the negative answer
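An added example, not from the slides, that replays the 12:00 / 12:01 pm / 6:00 pm caching-time scenario of the preceding slides in a minimal TTL-honouring resolver cache and applies the negative-caching rule just stated (the lesser of the SOA MINIMUM field and the SOA record's own TTL). Record names, addresses and times are constructed sample data.

```python
# Added example, not from the slides: a minimal resolver cache that honours TTLs,
# replaying the 12:00 / 12:01 / 6:00 pm caching-time scenario from the previous
# slides and computing the negative-caching TTL from the SOA. Times are seconds
# since midnight and all records are constructed sample data.
from typing import Dict, Optional, Tuple

class ResolverCache:
    def __init__(self) -> None:
        # (name, rtype) -> (absolute expiry time, rdata)
        self._entries: Dict[Tuple[str, str], Tuple[int, str]] = {}

    def store(self, name: str, rtype: str, rdata: str, ttl: int, now: int) -> None:
        """Cache a positive answer until now + ttl; a TTL of 0 means 'do not cache'."""
        if ttl > 0:
            self._entries[(name, rtype)] = (now + ttl, rdata)

    def lookup(self, name: str, rtype: str, now: int) -> Optional[str]:
        """Return cached rdata while unexpired; expire and miss once the deadline is reached."""
        hit = self._entries.get((name, rtype))
        if hit is None:
            return None
        expires_at, rdata = hit
        if now >= expires_at:
            del self._entries[(name, rtype)]
            return None
        return rdata

def negative_ttl(soa_minimum: int, soa_ttl: int) -> int:
    """A negative answer is cached for the lesser of the SOA MINIMUM field and the
    TTL of the SOA record itself, as the slide above describes."""
    return min(soa_minimum, soa_ttl)

def scenario() -> Dict[str, Optional[str]]:
    """Replay the slide: the old address is cached at 12:00 with a 6 h TTL and the
    authoritative record changes at 12:01. Returns what this cache answers later."""
    cache = ResolverCache()
    noon = 12 * 3600
    cache.store("www.wikipedia.org.", "A", "203.0.113.10", ttl=6 * 3600, now=noon)
    # 12:01: the administrator changes the authoritative record; the cache is not told,
    # so it keeps serving the old address until the TTL runs out at 6:00 pm.
    return {
        "12:01 pm": cache.lookup("www.wikipedia.org.", "A", noon + 60),
        "5:59 pm": cache.lookup("www.wikipedia.org.", "A", noon + 6 * 3600 - 60),
        "6:00 pm": cache.lookup("www.wikipedia.org.", "A", noon + 6 * 3600),
    }
```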

How DNS works in practice: In the real world
- DNS resolving proceeds from the program to the OS resolver to the ISP resolver to the greater system
- Users generally do not communicate directly with a DNS resolver
  - DNS resolution takes place transparently in client applications
    - Web browsers
    - Mail clients
    - Other Internet applications
- When an application makes a request which necessitates a DNS lookup:
  - Such programs send a resolution request to the local DNS resolver in the local operating system
  - Which in turn handles the communications required

Security issues
- DNS was not originally designed with security in mind
  - It has a number of security issues
- DNS responses are traditionally not cryptographically signed
  - This leads to many attack possibilities
- DNSSEC "enhances" DNS
  - Adds support for cryptographically signed responses
  - Various extensions to support securing zone transfer information as well

Security issues
- Encryption still doesn't prevent a DNS server from becoming infected with a virus (or, for that matter, from a disgruntled employee)
  - Allowing IP addresses served by that server to be redirected to a malicious address with a long TTL
  - Could have far-reaching impact on potentially millions of Internet users if busy DNS servers cache the bad IP data
  - Would require manual purging of all affected DNS caches, as dictated by the long TTL (up to 68 years)

Security issues
- Some domain names can spoof similar-looking domain names
  - "paypal.com" and "paypa1.com" are different names
  - Users may be unable to tell the difference when the user's typeface (font) does not clearly differentiate the letter l and the number 1
    - Courier New: 1 or l
    - Rockwell: 1 or l
- The problem is much more serious in systems that support internationalized domain names
  - Many characters that are different, from the point of view of ISO 10646, appear identical on typical computer screens
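An added example, not from the slides, of the defensive check this slide motivates: folding visually confusable characters to a common skeleton so that "paypa1.com" (and an IDN homograph using Cyrillic letters) is flagged as a lookalike of a protected name, plus a mixed-script test. The confusable table is a small constructed subset written for this example, not the full Unicode confusables list.

```python
# Added example, not from the slides: flag domain names that imitate a protected name
# once visually confusable characters are folded together, covering both the l/1 case
# above and IDN homoglyphs. The confusable table is a small constructed subset (ASCII
# pairs plus a few Cyrillic letters), not the full Unicode confusables list.
import unicodedata
from typing import List, Optional

CONFUSABLES = {
    "1": "l", "|": "l", "0": "o", "5": "s", "3": "e",              # ASCII lookalikes
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",    # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x",                   # Cyrillic с у х
}

def skeleton(domain: str) -> str:
    """Fold a name to its visual skeleton: NFKC, lower-case, root dot removed,
    each confusable character replaced by the Latin letter it resembles."""
    text = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def mixed_script(label: str) -> bool:
    """True if a label mixes letters from more than one script (e.g. Latin and
    Cyrillic), a common homograph signal; digits and hyphens are ignored."""
    scripts = {unicodedata.name(ch, "?").split(" ")[0] for ch in label if ch.isalpha()}
    return len(scripts) > 1

def lookalike_of(candidate: str, protected: List[str]) -> Optional[str]:
    """Return the protected name that candidate visually imitates, or None.
    The protected name itself (case-insensitive) is not reported as a lookalike."""
    cand_plain = candidate.lower().rstrip(".")
    cand_skel = skeleton(candidate)
    for name in protected:
        if cand_plain != name.lower().rstrip(".") and skeleton(name) == cand_skel:
            return name
    return None

if __name__ == "__main__":
    watchlist = ["paypal.com"]   # constructed watchlist of names to protect
    for seen in ["paypal.com", "paypa1.com", "p\u0430ypal.com", "example.com"]:
        first_label = seen.split(".")[0]
        print(seen, "->", lookalike_of(seen, watchlist), "| mixed script:", mixed_script(first_label))
```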

Who's involved? DNS "PLAYERS"

Legal users of domains
- Registrant
  - Most of the NICs in the world receive an annual fee from a legal user in order for the legal user to utilize the domain name
    - i.e. a sort of leasing agreement exists, subject to the registry's terms and conditions
    - Depending on the various naming conventions of the registries, legal users become commonly known as "registrants" or as "domain holders"
  - ICANN holds a complete list of domain registries in the world
  - One can find the legal user of a domain name by looking in the WHOIS database held by most domain registries
  - For most of the more than 140 country code top-level domains (ccTLDs), the domain registries hold the authoritative WHOIS (registrant, name servers, expiry dates, etc.)
    - For instance, DENIC, Germany's NIC, holds the authoritative WHOIS for a .DE domain name

Legal users of domains
- Registrant (cont.)
  - However, some domain registries, such as those for .COM, .ORG, .INFO, etc., use a registry-registrar model
    - There are hundreds of Domain Name Registrars that actually perform the domain name registration with the end user (see lists at ICANN or VeriSign)
    - By using this method of distribution, the registry only has to manage the relationship with the registrar, and the registrar maintains the relationship with the end users, or 'registrants'
    - For .COM and .NET domain names, the domain registry, VeriSign, holds a basic WHOIS (registrar and name servers, etc.)
    - One can find the detailed WHOIS (registrant, name servers, expiry dates, etc.) at the registrars
  - Since about 2001, most gTLD registries have adopted a so-called "thick" registry approach
    - i.e. keeping the authoritative WHOIS with the various registries instead of the registrars (gTLD: generic: .ORG, .BIZ, .INFO)

Legal users of domains
- Administrative contact
  - A registrant usually designates an administrative contact to manage the domain name
  - The administrative contact usually has the most immediate power over a domain
  - Management functions delegated to the administrative contacts may include:
    - the obligation to conform to the requirements of the domain registry in order to retain the right to use a domain name
    - authorization to update the physical address, e-mail address and telephone number etc. in WHOIS
- Technical contact
  - A technical contact manages the name servers of a domain name
  - The many functions of a technical contact include:
    - making sure the configuration of the domain name conforms to the requirements of the domain registry
    - updating the domain zone
    - providing the 24×7 functionality of the name servers
      - allows accessibility of the domain name
- Billing contact
  - The party whom a NIC invoices
- Name servers
  - Namely the authoritative name servers that host the domain name zone of a domain name

WHOIS
- Lookup facility for domain owner info
  - http://whois.icann.org/en
  - https://www.whois.net/
  - http://ajklinux2.uncc.edu/cgibin/whois.sh?uncc.edu

Resume 2/15

Politics
- Many investigators have voiced criticism of the methods currently used to control ownership of domains
- Critics commonly claim abuse by monopolies or near-monopolies
  - Such as VeriSign, Inc.
  - Particularly noteworthy was the VeriSign Site Finder system, which redirected all unregistered .com and .net domains to a VeriSign webpage
  - Despite widespread criticism, VeriSign only reluctantly removed it after the Internet Corporation for Assigned Names and Numbers (ICANN) threatened to revoke its contract to administer the root name servers
- There is also significant disquiet regarding the United States' political influence over ICANN
  - This was a significant issue in the attempt to create a .xxx top-level domain
  - It sparked greater interest in alternative DNS roots that would be beyond the control of any single country

Politics
- Truth in Domain Names Act
  - Main article: Anticybersquatting Consumer Protection Act
  - In the United States, the "Truth in Domain Names Act", in combination with the PROTECT Act, forbids the use of a misleading domain name with the intention of attracting people into viewing a visual depiction of sexually explicit conduct on the Internet

Resolvers
1. Serve DNS names
2. Always return an IP address
3. Request an IP address
4. Are recursive

Other Internet Resources
- See also:
  - Dynamic DNS
  - Alternative DNS root
  - Comparison of DNS server software