applications · 2020. 6. 5. · multiple transport protocols (e.g., zoom) cse 461 university of...
TRANSCRIPT
![Page 1: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/1.jpg)
Applications
![Page 2: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/2.jpg)
Remember this?
CSE 461 University of Washington 2
Physical
Link
Network
Transport
Application
![Page 3: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/3.jpg)
Application Communication Needs
•Vary widely; build on Transport services; some use multiple transport protocols (e.g., Zoom)
CSE 461 University of Washington 3
UDP
DNS
TCP
Series of variable length, reliable request/reply
exchanges
Web
UDP
Real-time (unreliable)
stream delivery
Skype
Short, reliable request/reply
exchanges
Message reliability!
![Page 4: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/4.jpg)
Remember this?
•OSI layers that we ignore
CSE 461 University of Washington 4
– User’s tasks– Converts different representations– Manages task dialogs
Considered part of the application, not strictly layered!
![Page 5: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/5.jpg)
Session Concept
•A session is a series of related network interactions in support of an application task• Often informal, not explicit
•Examples:•Web page fetches multiple resources• Skype call involves audio, video, chat
CSE 461 University of Washington 5
![Page 6: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/6.jpg)
Presentation Concept
•Apps need to identify the type of content, and encode it for transfer • These are Presentation functions
• Examples:• Media (MIME) types, e.g., image/jpeg, identify content type• Transfer encodings, e.g., gzip, identify the encoding of content• Application headers are often simple and readable versus
packed for efficiency
CSE 461 University of Washington 6
![Page 7: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/7.jpg)
Evolution of Internet Applications
•Always changing, and growing …
CSE 461 University of Washington 7
20101970 19901980 2000
Traffic
File Transfer (FTP)Email (SMTP)
News (NTTP)
Secure Shell (ssh)Telnet
Web (HTTP)Web (CDNs)
P2P (BitTorrent)Web (Video)
???
![Page 8: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/8.jpg)
Evolution of the Web
CSE 461 University of Washington 9
Source: http://www.evolutionoftheweb.com, Vizzuality, Google, and Hyperakt
![Page 9: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/9.jpg)
Evolution of the Web (2)
CSE 461 University of Washington 10
Source: http://www.evolutionoftheweb.com, Vizzuality, Google, and Hyperakt
![Page 10: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/10.jpg)
Domain Name System
![Page 11: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/11.jpg)
DNS
•Human-readable host names, and more
CSE 461 University of Washington 12
www.uw.edu?
Network
128.94.155.135
![Page 12: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/12.jpg)
Names and Addresses
• Names are higher-level identifiers for resources• Addresses are lower-level locators for resources• Multiple levels, e.g. full name à email à IP address à Ethernet addr
• Resolution (or lookup) is mapping a name to an address
CSE 461 University of Washington 13
Name, e.g.“Donald Trump,”
or “whitehouse.gov”
Address, e.g.“1600 Pennsylvania Ave, DC”
or IPv4 “184.24.56.92”
Directory
Lookup
![Page 13: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/13.jpg)
Before the DNS – HOSTS.TXT
•Directory was a file HOSTS.TXT regularly retrieved for all hosts from a central machine at the NIC (Network Information Center)•Names were initially flat, became hierarchical (e.g.,
lcs.mit.edu) ~85 •Not manageable or efficient as the ARPANET grew …
CSE 461 University of Washington 14
![Page 14: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/14.jpg)
DNS
•A naming service to map between host names and their IP addresses (and more)• www.uwa.edu.au à 130.95.128.140
•Goals:• Easy to manage (esp. with multiple parties)• Efficient (good performance, few resources)
•Approach:• Distributed directory based on a hierarchical namespace• Automated protocol to tie pieces together
CSE 461 University of Washington 15
![Page 15: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/15.jpg)
DNS Namespace
•Hierarchical, starting from “.” (dot, typically omitted)
![Page 16: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/16.jpg)
TLDs (Top-Level Domains)
• Run by ICANN (Internet Corp. for Assigned Names and Numbers)• Starting in ‘98; naming is financial, political, and international J
• 700+ generic TLDs• Initially .com, .edu , .gov., .mil, .org, .net• Unrestricted (.com) vs Restricted (.edu)• Added regions (.asia, .kiwi), Brands (.apple), Sponsored (.aero) in 2012
• ~250 country code TLDs• Two letters, e.g., “.au”, plus international characters since 2010• Widely commercialized, e.g., .tv (Tuvalu)• Many domain hacks, e.g., instagr.am (Armenia)
CSE 461 University of Washington 17
![Page 17: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/17.jpg)
DNS Zones
•A zone is a contiguous portion of the namespace
A zoneDelegation
![Page 18: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/18.jpg)
DNS Zones (2)
•Zones are the basis for distribution• EDU Registrar administers .edu• UW administers washington.edu• CSE administers cs.washington.edu
•Each zone has a nameserver to contact for information about it• Zone must include contacts for delegations, e.g., .edu
knows nameserver for washington.edu
CSE 461 University of Washington 19
![Page 19: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/19.jpg)
DNS Resolution
•DNS protocol lets a host resolve any host name (domain) to IP address• If unknown, can start with the root nameserver and
work down zones• Let’s see an example first …
CSE 461 University of Washington 20
![Page 20: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/20.jpg)
DNS Resolution (2)
• flits.cs.vu.nl resolves robot.cs.washington.edu
![Page 21: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/21.jpg)
Iterative vs. Recursive Queries
•Recursive query• Nameserver resolves and returns final answer• E.g., flits à local nameserver
• Iterative (Authoritative) query• Nameserver returns answer or who to contact for answer• E.g., local nameserver à all others
CSE 461 University of Washington 22
![Page 22: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/22.jpg)
Iterative vs. Recursive Queries (2)
Recursive
Iterative
![Page 23: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/23.jpg)
Iterative vs. Recursive Queries (3)
•Recursive query• Servers can offload client burden• Servers can cache results for a pool of clients
• Iterative query• Server can “file and forget”• Easy to build high load servers
CSE 461 University of Washington 24
![Page 24: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/24.jpg)
Local Nameservers
• Local nameservers often run by IT (enterprise, ISP)• But may be your host or AP• Or alternatives e.g., Google public DNS (8.8.8.8)
Cloudflare’s public DNS (1.1.1.1)•Clients need to be able to contact local nameservers• Typically configured via DHCP
CSE 461 University of Washington 25
![Page 25: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/25.jpg)
Root Nameservers
• Root (dot) is served by 13 server names• a.root-servers.net to m.root-servers.net• All nameservers need root IP addresses• Handled via configuration file (named.ca)
• There are >250 distributed server instances• Highly reachable, reliable service• Most servers are reached by IP anycast (Multiple locations
advertise same IP! Routes take client to the closest one.)• Servers are IPv4 and IPv6 reachable
CSE 461 University of Washington 26
![Page 26: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/26.jpg)
Root Server Deployment
CSE 461 University of Washington 27
Source: http://www.root-servers.org. Snapshot on 27.02.12. Does not represent current deployment.
![Page 27: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/27.jpg)
Caching
•Resolution latency needs to be low•URLs don’t have much churn•Cache query/responses to answer future queries
immediately• Including partial (iterative) answers• Responses carry a TTL for caching
CSE 461 University of Washington 28
Nameserver
query out
responseCache
![Page 28: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/28.jpg)
Caching (2)
• flits.cs.vu.nl looks up and stores eng.washington.edu
CSE 461 University of Washington 29
1: query 2: query
UW nameserver(for washington.edu)
3: eng.washington.edu4: eng.washington.edu
Local nameserver(for cs.vu.nl)
Cache
![Page 29: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/29.jpg)
Caching (3)
• flits.cs.vu.nl now directly resolves eng.washington.edu
CSE 461 University of Washington 30
1: query
UW nameserver(for washington.edu)
4: eng.washington.edu
Local nameserver(for cs.vu.nl)
I know the server for washington.edu!
Cache
![Page 30: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/30.jpg)
DNS Protocol
•Query and response messages• Built on UDP messages, port 53• ARQ for reliability; server is stateless!•Messages linked by a 16-bit ID field
Query
Response
Time
Client ServerID=0x1234
ID=0x1234
![Page 31: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/31.jpg)
DNS Protocol (2)
•Service reliability via replicas• Run multiple nameservers for domain• Return the list; clients use one answer• Helps distribute load too
CSE 461 University of Washington 32
NS for uw.edu?A
B
C
Use A, B or C
![Page 32: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/32.jpg)
DNS Resource Records
•A zone is comprised of DNS resource records that give information for its domain names
CSE 461 University of Washington 33
Type MeaningSOA Start of authority, has key zone parametersA IPv4 address of a hostAAAA (“quad A”) IPv6 address of a hostCNAME Canonical name for an aliasMX Mail exchanger for the domainNS Nameserver of domain or delegated subdomain
![Page 33: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/33.jpg)
DNS Resource Records (2)
CSE 461 University of Washington 34
IP addresses of computers
Name server
Mail gateways
Start of Authority
![Page 34: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/34.jpg)
DIG DEMO
![Page 35: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/35.jpg)
DNS Security
•Security is a major issue• Compromise redirects to wrong site!• Not part of initial protocols ..
•DNSSEC (DNS Security Extensions)•Mostly deployed
CSE 461 University of Washington 36
Um, security??
![Page 36: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/36.jpg)
Goal and Threat Model
•Naming is a crucial Internet service• Binds host name to IP address•Wrong binding can be disastrous…
Introduction to Computer Networks 37
Internet
bank.com? 11.22.33.4499.88.77.66
![Page 37: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/37.jpg)
Goal and Threat Model (2)
•Goal is to secure the DNS so that the returned binding is correct• Integrity vs confidentiality
•Attacker can tamper with messages on the network
Introduction to Computer Networks 38
bank.com? 11.22.33.44
Network
![Page 38: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/38.jpg)
DNS Spoofing
•Hang on – how can attacker corrupt the DNS?
Introduction to Computer Networks 39
![Page 39: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/39.jpg)
DNS Spoofing
•Hang on – how can attacker corrupt the DNS?•Can trick nameserver into caching the wrong binding• By using the DNS protocol itself • This is called DNS spoofing
Introduction to Computer Networks 40
![Page 40: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/40.jpg)
DNS Spoofing (2)
•To spoof, Trudy returns a fake DNS response that appears to be true• Fake response contains bad binding
Client Nameserver
DNS query
FalseDNS reply Trudy
Cache
Nameserver
![Page 41: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/41.jpg)
DNS Spoofing (3)
• Lots of questions!1. How does Trudy know when the DNS query is sent and
what it is for?2. How can Trudy supply a fake DNS reply that appears to
be real? 3. What happens when the real DNS reply shows up?
•There are solutions to each issue …
Introduction to Computer Networks 42
![Page 42: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/42.jpg)
DNS Spoofing (4)
1. How does Trudy know when the query is sent and what it is for?
Introduction to Computer Networks 43
![Page 43: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/43.jpg)
DNS Spoofing (5)
1. How does Trudy know when the query is sent and what it is for?
•Trudy can make the query herself!• Nameserver works for many clients• Trudy is just another client
Introduction to Computer Networks 44
![Page 44: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/44.jpg)
DNS Spoofing (6)
2. How can Trudy supply a fake DNS reply that appears to be real?
Introduction to Computer Networks 45
![Page 45: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/45.jpg)
DNS Spoofing (7)
2. How can Trudy supply a fake DNS reply that appears to be real?
•A bit more difficult. DNS checks:• Reply is from authoritative nameserver (e.g., .com)• Reply ID that matches the request• Reply is for outstanding query
• (Nothing about content though …)
Introduction to Computer Networks 46
![Page 46: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/46.jpg)
DNS Spoofing (8)
2. How can Trudy supply a fake DNS reply that appears to be real?
•Example Technique:1. Put IP of authoritative nameserver as the source IP ID is
16 bits (64K)2. Send reply right after query3. Send many guesses! (Or if a counter, sample to predict.)
•Good chance of succeeding!Introduction to Computer Networks 47
![Page 47: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/47.jpg)
DNS Spoofing (8)
3. What happens when real DNS reply shows up?
Introduction to Computer Networks 48
![Page 48: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/48.jpg)
DNS Spoofing (9)
3. What happens when real DNS reply shows up?
• Likely not be a problem• There is no outstanding query after fake reply is accepted• So real reply will be discarded
Introduction to Computer Networks 49
![Page 49: Applications · 2020. 6. 5. · multiple transport protocols (e.g., Zoom) CSE 461 University of Washington 3 UDP DNS TCP Series of variable length, reliable request/reply exchanges](https://reader036.vdocuments.us/reader036/viewer/2022071604/613f363ca7a58608c268c70e/html5/thumbnails/49.jpg)
DNSSEC (DNS Security Extensions)
• Extends DNS with new record types• RRSIG for digital signatures of records• DNSKEY for public keys for validation• DS for public keys for delegation• First version in ‘97, revised by ’05
•Deployment requires software upgrade at both client and server• Root servers upgraded in 2010• Followed by uptick in deployment
Introduction to Computer Networks 50