DNS
Domain Name Systems In Practice
DOMAIN NAME PARTS
Parts of a domain name
A domain name consists of two or more parts (labels), separated by periods
Example: wikipedia.org
The rightmost label conveys the top-level domain, a.k.a. TLD
wikipedia.org has the top-level domain org
en.wikipedia.org has the top-level domain org
Each label to the left specifies a subdivision or subdomain of the domain above it
Note: "subdomain" expresses relative dependence, not absolute dependence:
wikipedia.org comprises a subdomain of the org domain
en.wikipedia.org comprises a subdomain of the domain wikipedia.org
Note: the root "." is always there. At times it may be implied; at others it must be explicitly listed, e.g. wikipedia.org.
Parts of a domain name
A domain name usually consists of two or more parts (labels), separated by dots
In theory:
Subdivisions can go 127 levels deep
Each label can contain up to 63 characters
Overall limit: the entire domain name cannot exceed a total length of 253 characters
(A length of 255 applies when the separators and the per-label length bytes are counted)
In practice: some domain registries have shorter limits
Typically restricted by the host OS
Parts of a domain name
A hostname may refer to a domain name that has one or more associated IP addresses
For example, the en.wikipedia.org and wikipedia.org domains are both hostnames, but the org domain is not
The Domain Name System consists of a hierarchical set of DNS servers
Each domain or subdomain has one or more authoritative DNS servers
These publish information about that domain and the name servers of any domains "beneath" it
The hierarchy of authoritative DNS servers matches the hierarchy of domains
At the top of the hierarchy stand the root name servers:
The servers to query when looking up (resolving) a top-level domain name (TLD)
Parts of a domain name
Iterative and recursive queries:
Iterative query: the DNS server may provide a partial answer to the query (or give an error)
DNS servers must support non-recursive queries
Recursive query: the DNS server will fully answer the query (or give an error)
DNS servers are not required to support recursive queries
Resolvers negotiate use of recursive service using bits in the query headers
The resolver can itself be another DNS server acting recursively on behalf of another resolver
ADDRESS RESOLUTION MECHANISM
Address resolution mechanism
A full host name may have several name segments, e.g. ahost.ofasubnet.ofabiggernet.inadomain.example
In practice full host names typically consist of three segments, e.g. ahost.inadomain.example or www.inadomain.example
Software interprets the name segment by segment, right to left, using an iterative search procedure
At each step along the way the program queries a corresponding DNS server, which provides a pointer to the next server it should consult
(This description deliberately uses the fictional .example TLD in accordance with the DNS guidelines themselves.)
Address resolution mechanism
Example: a DNS recursor consults three name servers to resolve the address www.wikipedia.org
Address resolution mechanism
As originally envisaged, the process was as simple as:
Local system is pre-configured with the known addresses of the root servers in a file of root hints
Needs to be updated periodically by the local administrator from a reliable source to be kept up to date with the changes which occur over time
Query one of the root servers to find the server authoritative for the next level down
Query this second server for the address of a DNS server with detailed knowledge of the second-level domain
Repeat the previous step to progress down the name, until the final step which would return the final address sought
Address resolution mechanism
A search done in this simple form has a major problem: a huge operating burden on the root servers
Each and every search for an address would be started by querying one of them
Root name servers are critical to the overall function of the system
Such heavy use would create an insurmountable bottleneck for the trillions of queries placed every day
In practice preemptive measures are taken
Circular dependencies and glue records
Name servers in delegations appear listed by name, rather than by IP address
This means a resolving name server must issue another DNS request to find out the IP address of the server to which it has been referred
This could introduce a circular dependency if the name server referred to is under the domain for which it is authoritative
It is occasionally necessary for the name server providing the delegation to also provide the IP address of the next name server
This record is called a glue record
Circular dependencies and glue records
For example: the sub-domain en.wikipedia.org contains more sub-domains, e.g. w3.en.wikipedia.org
The authoritative name server for these is at ns1.en.wikipedia.org
To resolve w3.en.wikipedia.org a computer will have to resolve ns1.en.wikipedia.org
Since the host ns1 is also under the en.wikipedia.org subdomain, resolving ns1.en.wikipedia.org requires resolving ns1.en.wikipedia.org
Which leads to the circular dependency mentioned above
The dependency is broken by the glue record in the name server of wikipedia.org
This provides the IP address of ns1.en.wikipedia.org directly to the requestor, enabling it to bootstrap the process by figuring out where ns1.en.wikipedia.org is located
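The root-to-authoritative walk from the "Address resolution mechanism" slides and the glue-record case above, as an added example (not from the slides): a toy in-memory set of authoritative servers whose delegations name their servers rather than addressing them, and a resolver that follows referrals, uses glue when it is present, and reports the circular dependency when the glue for ns1.en.wikipedia.org is withheld. All addresses (198.51.100.x, 203.0.113.x) and zone contents are constructed.

```python
# Added example, not from the slides: an in-memory model of the iterative search
# above, including a sub-domain whose name server needs a glue record. Every name,
# address and zone below is constructed for illustration.
class CircularDependency(Exception): """Resolving a name requires resolving that same name first."""

# Authoritative servers keyed by address: (zone apex, {owner: {type: [data]}}).
# NS targets are names, not addresses; the A records beside them are the glue.
SERVERS = {
    "198.51.100.1": (".", {"org.": {"NS": ["ns.org."]},
                           "ns.org.": {"A": ["198.51.100.2"]}}),
    "198.51.100.2": ("org.", {"wikipedia.org.": {"NS": ["ns0.wikipedia.org."]},
                              "ns0.wikipedia.org.": {"A": ["198.51.100.3"]}}),
    "198.51.100.3": ("wikipedia.org.", {"www.wikipedia.org.": {"A": ["203.0.113.10"]},
                                        "en.wikipedia.org.": {"NS": ["ns1.en.wikipedia.org."]},
                                        "ns1.en.wikipedia.org.": {"A": ["198.51.100.4"]}}),
    "198.51.100.4": ("en.wikipedia.org.", {"w3.en.wikipedia.org.": {"A": ["203.0.113.20"]},
                                           "ns1.en.wikipedia.org.": {"A": ["198.51.100.4"]}}),
}

def _suffixes(name):            # 'a.b.org.' -> ['a.b.org.', 'b.org.', 'org.', '.']
    labels = name.split(".")
    return [".".join(labels[i:]) or "." for i in range(len(labels))]

def query(ip, name, drop_glue=frozenset()):
    """Answer like an authoritative server: a referral for a delegated name, else its own data."""
    apex, rr = SERVERS[ip]
    for cut in _suffixes(name):                      # the closest enclosing delegation wins
        if cut != apex and "NS" in rr.get(cut, {}):
            glue = {n: rr[n]["A"] for n in rr[cut]["NS"] if n not in drop_glue and "A" in rr.get(n, {})}
            return "referral", rr[cut]["NS"], glue
    return ("answer", rr[name]["A"]) if "A" in rr.get(name, {}) else ("error", None)

def resolve(name, drop_glue=frozenset(), _pending=frozenset()):
    """Walk from the root hints one referral at a time; returns (addresses, servers consulted)."""
    if name in _pending:
        raise CircularDependency(f"resolving {name} requires resolving {name} first")
    _pending = _pending | {name}
    servers, path = ["198.51.100.1"], []             # the pre-configured root hints
    while servers:
        path.append(servers.pop(0))
        kind, *rest = query(path[-1], name, drop_glue)
        if kind == "answer":
            return rest[0], path
        if kind == "referral":
            ns_names, glue = rest
            servers = []
            for ns in ns_names:  # without glue the server's own name must be resolved first
                servers += glue[ns] if ns in glue else resolve(ns, drop_glue, _pending)[0]
    raise LookupError(name)
```

resolve("www.wikipedia.org.") consults exactly the three servers of the slide example; passing drop_glue={"ns1.en.wikipedia.org."} reproduces the loop that the glue record exists to break.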
HOW DNS WORKS IN PRACTICE
How DNS Works In Practice
When an application tries to find the IP address of a domain name, it doesn't necessarily follow all of the steps outlined in the Theory section
It uses caching
How DNS works In practice: Caching and time to live
The DNS system generates a huge volume of requests
A mechanism is needed to reduce the load on individual DNS servers
The DNS resolution process allows for caching for a given period of time after a successful answer
Caching: the local recording and subsequent consultation of the results of a DNS query
How long a resolver caches a DNS response is determined by a value called the time to live (TTL)
The TTL is set by the administrator of the DNS server handing out the response
The period of validity may vary from just seconds to days or even weeks or years
How DNS works In practice: Caching time
As a consequence of the distributed and caching architecture, changes to DNS do not always take effect immediately and globally
Example: an administrator has set a TTL of 6 hours for the host www.wikipedia.org (valid at 12:00)
The administrator then changes the IP address to which www.wikipedia.org resolves at 12:01pm
The administrator must consider that a person who cached a response with the old IP address at 12:00pm will not consult the DNS server again until 6:00pm
The period between 12:01pm and 6:00pm in this example is called caching time
Caching time: the period of time that begins when you make a change to a DNS record and ends after the maximum amount of time specified by the TTL expires
This leads to an important logistical consideration when making changes to DNS: not everyone is necessarily seeing the same thing you're seeing
RFC 1537 helps to convey basic rules for how to set the TTL
How DNS works In practice: Caching time
Note that the term "propagation" does not describe the effects of caching well
Specifically, it implies that:
1. When a DNS change is made, it somehow spreads to all other DNS servers
Instead, other DNS servers check in with your DNS servers as needed
2. There is no control over the amount of time the record is cached
Instead, there is control over the TTL values for all DNS records in your domain, except NS records and any authoritative DNS servers that use that domain name
How DNS works In practice: Caching time
Some resolvers may override TTL values
The protocol supports caching over vast periods, up to 68 years, or no caching at all (0 seconds)
Negative caching (of the non-existence of records) is determined by the name servers authoritative for a zone, which MUST include the SOA record (Start Of Authority) when reporting that no data of the requested type exists
The MINIMUM field of the SOA record and the TTL of the SOA itself are used to establish the TTL for the negative answer
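The caching-time example from the slides above (6-hour TTL, cached at 12:00, address changed at 12:01), worked through as an added example (not from the slides) with a minimal resolver cache that also clamps TTLs to the 68-year maximum, refuses to cache a TTL of 0, and derives a negative answer's TTL from the SOA. The date, addresses and the 2024-01-01 clock are constructed.

```python
# Added example, not from the slides: a minimal resolver cache showing how the TTL
# bounds the "caching time" of a change, and how a negative answer's TTL is derived
# from the SOA. All timestamps and addresses are constructed.
from datetime import datetime, timedelta

MAX_TTL = 2**31 - 1   # about 68 years, the largest TTL the protocol can express

class Cache:
    """Stores answers under an absolute expiry computed from the TTL in the response."""
    def __init__(self):
        self.entries = {}                      # (name, rtype) -> (data, expires_at)

    def store(self, name, rtype, data, ttl, now):
        ttl = min(int(ttl), MAX_TTL)
        if ttl > 0:                            # a TTL of 0 means "do not cache"
            self.entries[(name, rtype)] = (data, now + timedelta(seconds=ttl))

    def lookup(self, name, rtype, now):
        """Return (data, seconds left) while the entry is fresh, else None."""
        hit = self.entries.get((name, rtype))
        if hit is None or now >= hit[1]:
            self.entries.pop((name, rtype), None)
            return None
        return hit[0], int((hit[1] - now).total_seconds())

def negative_ttl(soa_minimum, soa_ttl):
    """How long "no such record" may be cached: the smaller of SOA MINIMUM and the SOA's own TTL."""
    return min(soa_minimum, soa_ttl)

def caching_time_scenario():
    """The slides' example: 6 h TTL, answer cached at 12:00, address changed at 12:01."""
    authoritative = {"www.wikipedia.org.": "203.0.113.10"}   # what the zone currently says
    cache, name = Cache(), "www.wikipedia.org."

    def at(hh, mm):
        return datetime(2024, 1, 1, hh, mm)

    def client_sees(now):
        hit = cache.lookup(name, "A", now)
        if hit is None:                        # expired or absent: ask the zone again
            cache.store(name, "A", authoritative[name], 6 * 3600, now)
            hit = cache.lookup(name, "A", now)
        return hit

    seen = {"12:00": client_sees(at(12, 0))}
    authoritative[name] = "203.0.113.20"       # the administrator's 12:01 change
    for hh, mm in ((12, 1), (17, 59), (18, 0)):
        seen[f"{hh}:{mm:02d}"] = client_sees(at(hh, mm))
    return seen
```

The client that cached at 12:00 keeps receiving 203.0.113.10 until 18:00, when the entry expires and the new address is fetched.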
How DNS works In practice: In the real world
DNS resolving goes from program to OS resolver to ISP resolver to the greater system
Users generally do not communicate directly with a DNS resolver
DNS resolution takes place transparently in client applications: web browsers, mail clients, other Internet applications
When an application makes a request which necessitates a DNS lookup, it sends a resolution request to the local DNS resolver in the local operating system
Which in turn handles the communications required
Security issues
DNS was not originally designed with security in mind and has a number of security issues
DNS responses are traditionally not cryptographically signed, leading to many attack possibilities
DNSSEC modifies DNS to add support for cryptographically signed responses
There are various extensions to support securing zone transfer information as well
Security issues
Even with encryption, it still doesn't prevent the possibility that a DNS server could become infected with a virus (or, for that matter, a disgruntled employee) that would cause IP addresses served by that server to be redirected to a malicious address with a long TTL
This could have far-reaching impact on potentially millions of Internet users if busy DNS servers cache the bad IP data
It would require manual purging of all affected DNS caches, as required by the long TTL (up to 68 years)
Security issues
Some domain names can spoof other, similar-looking domain names
For example, "paypal.com" and "paypa1.com" are different names
Users may be unable to tell the difference when the user's typeface (font) does not clearly differentiate the letter l and the number 1
The problem is much more serious in systems that support internationalized domain names
Many characters that are different from the point of view of ISO 10646 appear identical on typical computer screens
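A defender-side check for the look-alike problem above, as an added example (not from the slides): it folds a name to its visual "skeleton" (NFKC, lowercase, confusable characters mapped to the Latin letter they imitate, punycode labels decoded first) and reports which protected name a candidate imitates. The confusable table is a small constructed subset; a production check would use the full Unicode confusables data (UTS #39).

```python
# Added example, not from the slides: a defender-side check that folds visually
# confusable characters and flags a name whose "skeleton" matches a protected
# domain. The confusable table is a small constructed subset; a real deployment
# would use the full Unicode confusables data (UTS #39).
import unicodedata

CONFUSABLES = {                     # look-alike -> the Latin letter it imitates
    "1": "l", "|": "l", "0": "o", "rn": "m", "vv": "w",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04cf": "l",   # Cyrillic с у х ӏ
}

def to_unicode(name):
    """Decode punycode (xn--) labels so the check sees what the user would see."""
    try:
        return name.encode("ascii").decode("idna") if "xn--" in name else name
    except UnicodeError:
        return name

def skeleton(name):
    """Fold a name to its visual shape: NFKC, lowercase, confusables replaced."""
    s = unicodedata.normalize("NFKC", to_unicode(name)).casefold()
    for seq in ("rn", "vv"):                     # multi-character look-alikes first
        s = s.replace(seq, CONFUSABLES[seq])
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)

def lookalike_of(candidate, protected):
    """Return the protected name the candidate imitates, or None if it is unrelated (or the name itself)."""
    sk = skeleton(candidate)
    for p in protected:
        if sk == skeleton(p) and to_unicode(candidate).casefold() != p.casefold():
            return p
    return None
```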
Resume 2/11
Legal users of domains
Registrant
Most of the NICs in the world receive an annual fee from a legal user in order for the legal user to utilize the domain name
i.e. a sort of leasing agreement exists, subject to the registry's terms and conditions
Depending on the various naming conventions of the registries, legal users become commonly known as "registrants" or as "domain holders"
ICANN holds a complete list of domain registries in the world
One can find the legal user of a domain name by looking in the WHOIS database held by most domain registries
For most of the more than 140 country code top-level domains (ccTLDs), the domain registries hold the authoritative WHOIS (registrant, name servers, expiry dates, etc.)
For instance, DENIC, the German NIC, holds the authoritative WHOIS for a .DE domain name
Legal users of domains
Registrant (cont.)
However, some domain registries, such as those for .COM, .ORG, .INFO, etc., use a registry-registrar model
There are hundreds of domain name registrars that actually perform the domain name registration with the end user (see lists at ICANN or VeriSign)
By using this method of distribution, the registry only has to manage the relationship with the registrar, and the registrar maintains the relationship with the end users, or 'registrants'
For .COM and .NET domain names, the domain registry, VeriSign, holds a basic WHOIS (registrar and name servers, etc.)
One can find the detailed WHOIS (registrant, name servers, expiry dates, etc.) at the registrars
Since about 2001, most gTLD registries (generic: .ORG, .BIZ, .INFO) have adopted a so-called "thick" registry approach, i.e. keeping the authoritative WHOIS with the various registries instead of the registrars
Legal users of domains
Administrative contact
A registrant usually designates an administrative contact to manage the domain name
The administrative contact usually has the most immediate power over a domain
Management functions delegated to the administrative contact may include:
the obligation to conform to the requirements of the domain registry in order to retain the right to use a domain name
authorization to update the physical address, e-mail address and telephone number etc. in WHOIS
Technical contact
A technical contact manages the name servers of a domain name
The many functions of a technical contact include:
making sure the configuration of the domain name conforms to the requirements of the domain registry
updating the domain zone
providing the 24×7 functionality of the name servers, which allows accessibility of the domain name
Billing contact
The party whom a NIC invoices
Name servers
Namely the authoritative name servers that host the domain name zone of a domain name
Politics
Many investigators have voiced criticism of the methods currently used to control ownership of domains
Critics commonly claim abuse by monopolies or near-monopolies, such as VeriSign, Inc.
Particularly noteworthy was the VeriSign Site Finder system, which redirected all unregistered .com and .net domains to a VeriSign webpage
Despite widespread criticism, VeriSign only reluctantly removed it after the Internet Corporation for Assigned Names and Numbers (ICANN) threatened to revoke its contract to administer the root name servers
There is also significant disquiet regarding the United States' political influence over ICANN
This was a significant issue in the attempt to create a .xxx top-level domain
It sparked greater interest in alternative DNS roots that would be beyond the control of any single country
Politics: Truth in Domain Names Act
Main article: Anticybersquatting Consumer Protection Act
In the United States, the "Truth in Domain Names Act", in combination with the PROTECT Act, forbids the use of a misleading domain name with the intention of attracting people into viewing a visual depiction of sexually explicit conduct on the Internet
Resolvers
1. Serve DNS names
2. Always return an IP address
3. Request an IP address
4. Are recursive
[Audience poll results chart for the four options]
Other Internet Resources
See also: Dynamic DNS, Alternative DNS root, Comparison of DNS server software