310 likes | 495 Views
DNS. Domain Name Systems In Practice. Domain Name Parts. Parts of a domain name. Domain name consists of two or more parts ( labels ), separated by periods Example: wikipedia.org wikipedia.org has the top-level domain org Rightmost label conveys the top-level domain A.K.A. TLD
E N D
DNS Domain Name Systems In Practice
Parts of a domain name • Domain name consists of two or more parts (labels), separated by periods • Example: wikipedia.org • wikipedia.org has the top-level domain org • Rightmost label conveys the top-level domain • A.K.A. TLD • en.wikipedia.org has the top-level domain org • Each label to the left specifies a subdivision or subdomain of the domain above it • Note: "subdomain" expresses relative dependence, not absolute dependence: • wikipedia.org comprises a subdomain of the org domain • en.wikipedia.org comprises a subdomain of the domain wikipedia.org • Note: The root “.” is always there. At times it may be implied, others it must be explicitly listed • e.g. wikipedia.org.
Parts of a domain name • Domain name usually consists of two or more parts (labels), separated by dots • In theory: • Subdivisions can go 127 levels deep • Each label can contain up to 63 characters • Overall Limit: • Entire domain name cannot exceed a total length of 254 characters • In practice: • Some domain registries have shorter limits • Typically restricted by host OS
Parts of a domain name • Hostname may refer to a domain name that has one or more associated IP addresses • For example, the en.wikipedia.org and wikipedia.org domains are both hostnames, but the org domain is not • Domain Name System consists of a hierarchical set of DNS servers • Each domain or subdomain has one or more authoritative DNS servers • Publish information about that domain and the name servers of any domains "beneath" it • Hierarchy of authoritative DNS servers matches the hierarchy of domains • At the top of the hierarchy stand the root name servers: • Servers to query when looking up (resolving) a top-level domain name (TLD)
Parts of a domain name • Iterative and recursive queries: • Iterative query: the DNS server may provide a partial answer to the query (or give an error) • DNS servers must support non-recursive queries • Recursive query: the DNS server will fully answer the query (or give an error) • DNS servers are not required to support recursive queries • Resolvers (or another DNS acting recursively on behalf of another resolver) negotiate use of recursive service using bits in the query headers
Address resolution mechanism • A full host name may have several name segments • e.g. ahost.ofasubnet.ofabiggernet.inadomain.example • In practice full host names typically consist of three segments • ahost.inadomain.example • www.inadomain.example • Software interprets the name segment by segment, right to left • Uses an iterative search procedure • Each step along the way • Program queries a corresponding DNS server • Provides a pointer to the next server which it should consult • (This description deliberately uses the fictional .example TLD in accordance with the DNS guidelines themselves.)
Address resolution mechanism • Example: • DNS recursor consults three nameservers to resolve the address www.wikipedia.org
Address resolution mechanism • As originally envisaged, the process was as simple as: • Local system is pre-configured with the known addresses of the root servers in a file of root hints • Needs to be updated periodically by the local administrator from a reliable source to be kept up to date with the changes which occur over time • Query one of the root servers to find the server authoritative for the next level down • Query this second server for the address of a DNS server with detailed knowledge of the second-level domain • Repeat the previous step to progress down the name, until the final step which would return the final address sought
Address resolution mechanism • Search done in this simple form has a major problem: • Huge operating burden on the root servers • Each and every search for an address would be started by querying one of them • Root name servers are critical to the overall function of the system • Such a heavy use would create an insurmountable bottleneck for trillions of queries placed every day • In practice preemptive measures are taken
Circular dependencies and glue records • Name servers in delegations appear listed by name, rather than by IP address • Means a resolving name server must issue another DNS request to find out the IP address of the server to which it has been referred • Could introduce a circular dependency if the name server referred to is under the domain that it is authoritative of • It is occasionally necessary for the name server providing the delegation to also provide the IP address of the next name server • This record is called a glue record
Circular dependencies and glue records • For example, assume that the sub-domain en.wikipedia.org contains further sub-domains (such as something.en.wikipedia.org) and that the authoritative name server for these is at ns1.en.wikipedia.org • A computer trying to resolve something.en.wikipedia.org • Will have to resolve ns1.en.wikipedia.org • Since ns1 is also under the en.wikipedia.org subdomain • Resolving ns1.en.wikipedia.org requires resolving ns1.en.wikipedia.org • Which is exactly the circular dependency mentioned above • The dependency is broken by the glue record in the name server of wikipedia.org • Provides the IP address of ns1.en.wikipedia.org directly to the requestor • Enabling it to bootstrap the process by figuring out where ns1.en.wikipedia.org is located
In Practice How DNS Works
How DNS Works In Practice • When an application tries to find the IP address of a domain name • Doesn't necessarily follow all of the steps outlined in the Theory section • Uses caching
How DNS works In practice • Caching and time to live • Huge volume of requests generated by a system like DNS • Need to provide a mechanism to reduce the load on individual DNS servers • DNS resolution process allows for caching for a given period of time after a successful answer • Caching: the local recording and subsequent consultation of the results of a DNS query • How long a resolver caches a DNS response is determined by a value called the time to live (TTL) • TTL is set by the administrator of the DNS server handing out the response • The period of validity may vary from just seconds to days or even weeks or years
How DNS Works In Practice- Caching time • As a consequence of the distributed and caching architecture, changes to DNS do not always take effect immediately and globally • Example: • An administrator has set a TTL of 6 hours for the host www.wikipedia.org (valid at 12:00) • Then changes the IP address to which www.wikipedia.org resolves at 12:01pm • Administrator must consider that a person who cached a response with the old IP address at 12:00pm will not consult the DNS server again until 6:00pm. • The period between 12:01pm and 6:00pm in this example is called caching time • The period of time that begins when you make a change to a DNS record and ends after the maximum amount of time specified by the TTL expires • This essentially leads to an important logistical consideration when making changes to DNS: not everyone is necessarily seeing the same thing you're seeing. • RFC 1537 helps to convey basic rules for how to set the TTL
How DNS Works In Practice- Caching time • Note that the term "propagation” does not describe the effects of caching well • Specifically, it implies that • [1] when you make a DNS change, it somehow spreads to all other DNS servers (instead, other DNS servers check in with yours as needed) • [2] that you do not have control over the amount of time the record is cached • you control the TTL values for all DNS records in your domain • except your NS records and any authoritative DNS servers that use your domain name
How DNS Works In Practice- Caching time • Some resolvers may override TTL values • Protocol supports caching over vast periods • up to 68 years • no caching at all (0 seconds) • Negative caching (the non-existence of records) is determined by name servers authoritative for a zone which MUST include the SOA record (Start Of Authority) when reporting no data of the requested type exists. • The MINIMUM field of the SOA record and the TTL of the SOA itself is used to establish the TTL for the negative answer
How DNS Works In Practice- In the Real World • DNS resolving from program to OS-resolver to ISP-resolver to greater system. • Users generally do not communicate directly with a DNS resolver • DNS-resolution takes place transparently in client-applications • Web-browsers • Mail-clients • Other Internet applications • When an application makes a request which necessitates a DNS lookup • Such programs send a resolution request to the local DNS resolver in the local operating system • Which in turn handles the communications required
Security issues • DNS was not originally designed with security in mind • Has a number of security issues • DNS responses are traditionally not cryptographically signed, leading to many attack possibilities; • DNSSEC modifies DNS to add support for cryptographically signed responses • There are various extensions to support securing zone transfer information as well
Security issues • Even with encryption it still doesn't prevent the possibility that a DNS server could become infected with a virus (or for that matter a disgruntled employee) that would cause IP addresses of that server to be redirected to a malicious address with a long TTL • Could have far reaching impact to potentially millions of internet users if busy DNS servers cache the bad IP data • Would require manual purging of all affected DNS caches as required by the long TTL (up to 68 years)
Security issues • Some domain names can spoof other, similar-looking domain names • For example, "paypal.com" and "paypa1.com" are different names • Users may be unable to tell the difference when the user's typeface (font) does not clearly differentiate the letter l and the number 1. • Problem is much more serious in systems that support internationalized domain names • Many characters that are different, from the point of view of ISO 10646, appear identical on typical computer screens
Legal users of domains • Registrant • Most of the NICs in the world receive an annual fee from a legal user in order for the legal user to utilize the domain name (i.e. a sort of a leasing agreement exists, subject to the registry's terms and conditions) • Depending on the various naming convention of the registries, legal users become commonly known as "registrants" or as "domain holders" • ICANN holds a complete list of domain registries in the world • One can find the legal user of a domain name by looking in the WHOIS database held by most domain registries • For most of the more than 240 country code top-level domains (ccTLDs), the domain registries hold the authoritative WHOIS (Registrant, name servers, expiry dates, etc.). • For instance, DENIC, Germany NIC, holds the authoritative WHOIS to a .DE domain name • However, some domain registries, such as for .COM, .ORG, .INFO, etc., use a registry-registrar model • There are hundreds of Domain Name Registrars that actually perform the domain name registration with the end user (see lists at ICANN or VeriSign) • By using this method of distribution, the registry only has to manage the relationship with the registrar, and the registrar maintains the relationship with the end users, or 'registrants' • For .COM, .NET domain names, the domain registries, VeriSign holds a basic WHOIS (registrar and name servers, etc.) • One can find the detailed WHOIS (registrant, name servers, expiry dates, etc.) at the registrars • Since about 2001, most gTLD registries (generic: .ORG, .BIZ, .INFO) have adopted a so-called "thick" registry approach, i.e. keeping the authoritative WHOIS with the various registries instead of the registrars
Legal users of domains • Administrative contact • A registrant usually designates an administrative contact to manage the domain name • The administrative contact usually has the most immediate power over a domain • Management functions delegated to the administrative contacts may include: • the obligation to conform to the requirements of the domain registry in order to retain the right to use a domain name • authorization to update the physical address, e-mail address and telephone number etc. in WHOIS • Technical contact • A technical contact manages the name servers of a domain name • The many functions of a technical contact include: • making sure the configurations of the domain name conforms to the requirements of the domain registry • updating the domain zone • providing the 24×7 functionality of the name servers • allows accessibility of the domain name • Billing contact • The party whom a NIC invoices • Name servers • Namely the authoritative name servers that host the domain name zone of a domain name
Politics • Many investigators have voiced criticism of the methods currently used to control ownership of domains • Critics commonly claim abuse by monopolies or near-monopolies, such as VeriSign, Inc • Particularly noteworthy was the VeriSign Site Finder system which redirected all unregistered .com and .net domains to a VeriSign webpage • Despite widespread criticism, VeriSign only reluctantly removed it after the Internet Corporation for Assigned Names and Numbers (ICANN) threatened to revoke its contract to administer the root name servers • There is also significant disquiet regarding the United States' political influence over ICANN • Was a significant issue in the attempt to create a .xxx top-level domain • Sparked greater interest in alternative DNS roots that would be beyond the control of any single country • Truth in Domain Names Act • Main article: Anticybersquatting Consumer Protection Act • In the United States, the "Truth in Domain Names Act" (actually the "Anticybersquatting Consumer Protection Act"), in combination with the PROTECT Act, forbids the use of a misleading domain name with the intention of attracting people into viewing a visual depiction of sexually explicit conduct on the Internet
Resolvers • Serve DNS names • Always returns an IP address • Request an IP address • Are recursive
Other Internet Resources • See also • Dynamic DNS • Alternative DNS root • Comparison of DNS server software