DNS Domain Name Systems In Practice 1

Upload: estella-paul

Post on 24-Dec-2015


TRANSCRIPT

Page 1: DNS Domain Name Systems In Practice 1. DOMAIN NAME PARTS 2

DNS

Domain Name Systems In Practice

Page 2:

DOMAIN NAME PARTS

Page 3:

Parts of a domain name

A domain name consists of two or more parts (labels), separated by periods

Example: wikipedia.org has the top-level domain org; the rightmost label conveys the top-level domain, a.k.a. the TLD

en.wikipedia.org also has the top-level domain org

Each label to the left specifies a subdivision or subdomain of the domain above it

Note: "subdomain" expresses relative dependence, not absolute dependence: wikipedia.org is a subdomain of the org domain, and en.wikipedia.org is a subdomain of the domain wikipedia.org

Note: the root "." is always there. Often it is implied; at other times it must be written explicitly, e.g. wikipedia.org.

Page 4:

Parts of a domain name

A domain name usually consists of two or more parts (labels), separated by dots

In theory:

Subdivisions can go 127 levels deep

Each label can contain up to 63 characters (octets)

Overall limit:

The entire domain name in dotted text form cannot exceed 253 characters

On the wire the limit is 255 octets, because each label is preceded by a one-octet length and the name ends with the zero-length root label (127 one-character labels is exactly the case that reaches both limits at once)

In practice: some domain registries impose shorter limits

Hostnames are further restricted by the host OS and by the hostname rules (letters, digits and hyphens only)
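The limits above, as an added worked example that is not part of the original slides: a Python encoder for the RFC 1035 wire format that enforces the 63-octet label, 255-octet wire and 253-character text limits, plus the letters-digits-hyphen rule for hostnames. The helper names (to_wire, from_wire, check, is_valid_hostname) are my own.

```python
"""Encode a domain name into DNS wire format and enforce its size limits.

Added example, not code from the original slides.  It follows RFC 1035
section 3.1 (one length octet per label, labels up to 63 octets, names up
to 255 octets on the wire) and the LDH hostname rule of RFC 952/1123.
The helper names are my own.
"""

MAX_LABEL = 63     # octets per label: the length field has only 6 usable bits
MAX_WIRE = 255     # octets for the whole name on the wire, root label included
MAX_TEXT = 253     # characters in dotted text form without the trailing dot


def to_wire(name):
    """Return the wire form of `name`: <len><label>...<len><label><0>.

    Accepts a trailing dot (explicit root) or none (implied root) and
    raises ValueError on any limit violation.
    """
    if name in ("", "."):
        return b"\x00"                     # the root itself: just the empty label
    text = name[:-1] if name.endswith(".") else name
    if len(text) > MAX_TEXT:
        raise ValueError("name longer than %d characters" % MAX_TEXT)
    out = bytearray()
    for label in text.split("."):
        raw = label.encode("ascii")        # IDNs must already be A-labels (xn--)
        if not raw:
            raise ValueError("empty label (consecutive dots)")
        if len(raw) > MAX_LABEL:
            raise ValueError("label %r longer than %d octets" % (label, MAX_LABEL))
        out.append(len(raw))
        out += raw
    out.append(0)                          # terminating zero-length root label
    if len(out) > MAX_WIRE:
        raise ValueError("wire form longer than %d octets" % MAX_WIRE)
    return bytes(out)


def from_wire(data):
    """Inverse of to_wire for an uncompressed name; returns the FQDN with its trailing dot."""
    labels, pos = [], 0
    while True:
        n = data[pos]
        if n & 0xC0:                       # 11xxxxxx is a compression pointer, not a length
            raise ValueError("compression pointers are not handled here")
        pos += 1
        if n == 0:
            break
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels) + "."


def check(name):
    """None if `name` fits the protocol limits, else the reason it does not."""
    try:
        to_wire(name)
        return None
    except ValueError as err:
        return str(err)


def is_valid_hostname(name):
    """Hostnames (as opposed to arbitrary DNS names) must also obey the LDH rule:
    letters, digits and hyphen only, no leading or trailing hyphen."""
    if check(name) is not None:
        return False
    text = name[:-1] if name.endswith(".") else name
    for label in text.split("."):
        if label.startswith("-") or label.endswith("-"):
            return False
        if not all(c == "-" or (c.isascii() and c.isalnum()) for c in label):
            return False
    return True


if __name__ == "__main__":
    print(to_wire("en.wikipedia.org").hex())   # 02656e0977696b697065646961036f726700
```

Note that the 253/255 pair is not two separate rules: 253 text characters plus one length octet per label and the final zero octet is exactly 255 when every label is a single character, which is also the 127-level case.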

Page 5:

Parts of a domain name

A hostname is a domain name that has one or more associated IP addresses

For example, en.wikipedia.org and wikipedia.org are both hostnames, but the org domain is not

The Domain Name System consists of a hierarchical set of DNS servers

Each domain or subdomain has one or more authoritative DNS servers

They publish information about that domain and the name servers of any domains "beneath" it

The hierarchy of authoritative DNS servers matches the hierarchy of domains

At the top of the hierarchy stand the root name servers:

The servers to query when looking up (resolving) a top-level domain (TLD)

Page 6:

Parts of a domain name

Iterative and recursive queries:

Iterative (non-recursive) query: the DNS server answers only from its own data, so it may provide a partial answer, i.e. a referral to the name servers one level down (or give an error)

DNS servers must support non-recursive queries

Recursive query: the DNS server fully answers the query on the client's behalf, following referrals itself (or gives an error)

DNS servers are not required to support recursive queries

Resolvers negotiate the use of recursive service using bits in the message header: the client sets RD (recursion desired) in the query, and the server sets RA (recursion available) in the response if it offers the service

The client of a recursive server can itself be another DNS server acting recursively on behalf of its own clients (a forwarding resolver)

Page 7:

ADDRESS RESOLUTION MECHANISM

Page 8:

Address resolution mechanism

A full host name may have several name segments, e.g. ahost.ofasubnet.ofabiggernet.inadomain.example

In practice full host names typically consist of three segments: ahost.inadomain.example, www.inadomain.example

Software interprets the name segment by segment, right to left, using an iterative search procedure

At each step along the way the program queries the corresponding DNS server, which provides a pointer (referral) to the next server it should consult

(This description deliberately uses the reserved .example TLD, in accordance with the DNS guidelines themselves.)

Page 9:

Address resolution mechanism

Example: a DNS recursor consults three name servers to resolve the address www.wikipedia.org: a root server, a server for the org TLD, and a server authoritative for wikipedia.org

Page 10:

Address resolution mechanism

As originally envisaged, the process was as simple as:

The local system is pre-configured with the known addresses of the root servers in a file of root hints

This file needs to be updated periodically by the local administrator from a reliable source, to keep up with the changes that occur over time

Query one of the root servers to find the server authoritative for the next level down (the TLD)

Query this second server for the address of a DNS server with detailed knowledge of the second-level domain

Repeat the previous step to progress down the name, until the final step returns the address sought

Page 11:

Address resolution mechanism

Search done in this simple form has a major problem: a huge operating burden on the root servers

Each and every search for an address would be started by querying one of them

The root name servers are critical to the overall function of the system; such heavy use would create an insurmountable bottleneck for the trillions of queries placed every day

In practice pre-emptive measures are taken (caching, covered below)

Page 12:

Circular dependencies and glue records

Name servers in delegations are listed by name, rather than by IP address

This means a resolving name server must issue another DNS request to find out the IP address of the server to which it has been referred

This could introduce a circular dependency if the name server referred to is itself under the domain that it is authoritative for

It is therefore sometimes necessary for the name server providing the delegation to also provide the IP address of the next name server

This record is called a glue record

Page 13:

Circular dependencies and glue records

For example: the sub-domain en.wikipedia.org contains more sub-domains, e.g. w3.en.wikipedia.org

The authoritative name server for these is ns1.en.wikipedia.org

To resolve w3.en.wikipedia.org a computer first has to resolve ns1.en.wikipedia.org

But the host ns1 is itself under the en.wikipedia.org subdomain, so the only server listed as able to answer for ns1.en.wikipedia.org is ns1.en.wikipedia.org: resolving it would require having already resolved it

This is the circular dependency mentioned above

The dependency is broken by a glue record in the name server of wikipedia.org (the parent zone), which provides the IP address of ns1.en.wikipedia.org directly to the requestor alongside the NS delegation

This enables the requestor to bootstrap the process by learning where ns1.en.wikipedia.org is located before it has to query it
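The root-hints walk of slides 10 and 11 and the glue record of slides 12 and 13, as one added worked example that is not part of the original slides: a miniature iterative resolver over an in-memory set of "servers", each holding only the records it is authoritative for. The server names under .example and all addresses (RFC 5737 documentation ranges) are made up for the example and are not the real wikipedia.org infrastructure; the helper names (ask, resolve, missing_glue_fails) are my own.

```python
"""Walk a delegation chain root -> TLD -> zone -> sub-zone the way an
iterative resolver does, and show the glue record that breaks the circular
dependency for ns1.en.wikipedia.org.

Added example, not code from the original slides.  The zone data is a
constructed miniature of the slides' wikipedia.org example; the server
names under .example and the addresses (documentation ranges 192.0.2.0/24,
198.51.100.0/24, 203.0.113.0/24) are made up, not the real servers.
"""
import copy

# Each "server" is keyed by its IP and holds the records it answers for,
# as (owner, type) -> list of rdata.  NS records at a zone cut are the
# delegation; A records for the delegated servers are the glue.
ZONES = {
    "198.51.100.1": {                      # a root server, from the root hints
        ("org.", "NS"): ["a0.org-servers.example."],
        ("a0.org-servers.example.", "A"): ["203.0.113.1"],
    },
    "203.0.113.1": {                       # the org TLD server
        ("wikipedia.org.", "NS"): ["ns0.wikimedia.example."],
        ("ns0.wikimedia.example.", "A"): ["192.0.2.1"],
    },
    "192.0.2.1": {                         # authoritative for wikipedia.org
        ("www.wikipedia.org.", "A"): ["192.0.2.80"],
        ("en.wikipedia.org.", "NS"): ["ns1.en.wikipedia.org."],
        ("ns1.en.wikipedia.org.", "A"): ["192.0.2.53"],   # the glue record
    },
    "192.0.2.53": {                        # authoritative for en.wikipedia.org
        ("w3.en.wikipedia.org.", "A"): ["192.0.2.81"],
        ("ns1.en.wikipedia.org.", "A"): ["192.0.2.53"],
    },
}
ROOT_HINTS = ["198.51.100.1"]


def ask(zones, server_ip, qname, qtype):
    """One non-recursive query to `server_ip`.

    Returns ("answer", rdata) when the server holds the data (an empty list
    standing in for NODATA/NXDOMAIN), or ("referral", (ns_name, glue_ip))
    pointing one level down the tree; glue_ip is None when no glue exists.
    """
    zone = zones[server_ip]
    if (qname, qtype) in zone:
        return "answer", zone[(qname, qtype)]
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):           # longest delegation that encloses qname
        cut = ".".join(labels[i:]) + "."
        if (cut, "NS") in zone:
            ns_name = zone[(cut, "NS")][0]
            glue = zone.get((ns_name, "A"), [None])[0]
            return "referral", (ns_name, glue)
    return "answer", []


def resolve(qname, qtype="A", zones=ZONES, trace=None, depth=0):
    """Iterative resolution from the root hints.  `trace`, if given, collects
    the servers consulted so the root -> TLD -> zone walk is visible."""
    if depth > 10:
        raise RuntimeError("referral loop (missing glue?) while resolving " + qname)
    server = ROOT_HINTS[0]
    while True:
        if trace is not None:
            trace.append(server)
        kind, payload = ask(zones, server, qname, qtype)
        if kind == "answer":
            return payload
        ns_name, glue = payload
        if glue is None:
            # No glue: we must first resolve the name server's own address.
            # If that name lies inside the zone it serves, this recursion
            # chases its own tail; the depth guard turns that into an error.
            addrs = resolve(ns_name, "A", zones, trace, depth + 1)
            if not addrs:
                raise RuntimeError("no address for name server " + ns_name)
            glue = addrs[0]
        server = glue


def missing_glue_fails(qname):
    """Delete the en.wikipedia.org glue from a copy of the data and show that
    the lookup can no longer bootstrap: True if it fails as expected."""
    broken = copy.deepcopy(ZONES)
    del broken["192.0.2.1"][("ns1.en.wikipedia.org.", "A")]
    try:
        resolve(qname, zones=broken)
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    path = []
    print(resolve("www.wikipedia.org.", trace=path), path)
```

Resolving www.wikipedia.org. visits exactly three servers (root, org, wikipedia.org), as on slide 9; resolving w3.en.wikipedia.org. visits four, and works only because the wikipedia.org server hands out the A record for ns1.en.wikipedia.org next to the NS record. Remove that glue and the resolver loops until the depth guard stops it, which is the circular dependency the slide describes.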

Page 14:

HOW DNS WORKS In Practice

Page 15:

How DNS Works In Practice

When an application tries to find the IP address of a domain name, it doesn't necessarily follow all of the steps outlined in the theory section

It uses caching

Page 16:

How DNS works in practice: caching and time to live

The huge volume of requests generated by the DNS system needs a mechanism to reduce the load on individual DNS servers

The DNS resolution process allows for caching for a given period of time after a successful answer

Caching: the local recording and subsequent consultation of the results of a DNS query

How long a resolver caches a DNS response is determined by a value called the time to live (TTL)

The TTL is set by the administrator of the DNS server handing out the response

The period of validity may vary from just seconds to days or even weeks or years

Page 17:

How DNS works in practice: caching time

As a consequence of the distributed and caching architecture, changes to DNS do not always take effect immediately and globally

Example: an administrator has set a TTL of 6 hours for the host www.wikipedia.org (valid at 12:00), then changes the IP address to which www.wikipedia.org resolves at 12:01pm

The administrator must consider that a resolver which cached a response with the old IP address at 12:00pm will not consult the authoritative DNS server again until 6:00pm

The period between 12:01pm and 6:00pm in this example is called the caching time: the period that begins when you make a change to a DNS record and ends after the maximum amount of time specified by the TTL expires

This leads to an important logistical consideration when making changes to DNS: not everyone is necessarily seeing the same thing you're seeing

A common technique is to lower the TTL well before a planned change (at least one old TTL in advance), so that the caching time after the change is short

RFC 1537 (Common DNS Data File Configuration Errors) gives basic rules for how to set the TTL

Page 18:

How DNS works in practice: caching time

Note that the term "propagation" does not describe the effects of caching well. Specifically, it implies that:

1. When a DNS change is made, it somehow spreads to all other DNS servers. Instead, nothing is pushed: other DNS servers (resolvers) simply ask your authoritative servers again as their cached copies expire

2. There is no control over the amount of time the record is cached. In fact, there is control over the TTL values of all DNS records in your zone, except the NS records (and glue addresses) for the zone at the delegation point, which are published by the parent zone and by any authoritative servers that use that domain name, with the TTLs they set

Page 19:

How DNS works in practice: caching time

Some resolvers may override TTL values (clamping very long or very short ones to a local limit)

The protocol supports caching over vast periods, up to 2^31-1 seconds (about 68 years), down to no caching at all (0 seconds)

Negative caching (caching the non-existence of records) is controlled by the name servers authoritative for a zone, which MUST include the SOA record (Start Of Authority) in the authority section when reporting that no data of the requested type exists (RFC 2308)

The smaller of the MINIMUM field of the SOA record and the TTL of the SOA itself is used as the TTL for the negative answer
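The caching-time scenario of slide 17 (TTL 6 hours, cached at 12:00, changed at 12:01) and the negative-caching and TTL-override rules of slide 19, as one added worked example that is not part of the original slides: a small resolver cache with positive entries, negative entries whose lifetime is min(SOA TTL, SOA MINIMUM), and an optional local TTL cap. The record, timestamps and the one-day cap are constructed for the example; the class and helper names are my own.

```python
"""A resolver cache that applies positive TTLs, negative caching derived
from the SOA, and a local TTL cap, then replays the slides' 12:00 / 12:01 /
6:00pm scenario.

Added example, not code from the original slides.  The record, the 6-hour
TTL and the timestamps are constructed to match the slide; the one-day cap
used in cap_demo is a policy many resolvers apply, not a protocol constant.
"""
from datetime import datetime, timedelta

MAX_TTL = 2**31 - 1          # TTL is a 31-bit value: 2147483647 s, about 68 years


class Cache:
    def __init__(self, ttl_cap=MAX_TTL):
        self.ttl_cap = ttl_cap            # resolvers may clamp large TTLs
        self._entries = {}                # (name, type) -> (expiry, rdata)

    def _effective_ttl(self, ttl):
        if not 0 <= ttl <= MAX_TTL:
            raise ValueError("TTL out of range")
        return min(ttl, self.ttl_cap)

    def store(self, now, name, rtype, rdata, ttl):
        """Positive answer: cache rdata until now + ttl; TTL 0 means do not cache."""
        ttl = self._effective_ttl(ttl)
        if ttl:
            self._entries[(name, rtype)] = (now + timedelta(seconds=ttl), rdata)

    def store_negative(self, now, name, rtype, soa_ttl, soa_minimum):
        """NODATA/NXDOMAIN: negative TTL is min(SOA TTL, SOA MINIMUM), RFC 2308."""
        ttl = self._effective_ttl(min(soa_ttl, soa_minimum))
        if ttl:
            self._entries[(name, rtype)] = (now + timedelta(seconds=ttl), None)

    def lookup(self, now, name, rtype):
        """(hit, rdata); rdata is None for a cached negative answer.  A miss means
        the resolver must go back to the authoritative servers."""
        entry = self._entries.get((name, rtype))
        if entry is None or entry[0] <= now:
            self._entries.pop((name, rtype), None)
            return False, None
        return True, entry[1]


NAME = "www.wikipedia.org."
T_NOON = datetime(2015, 12, 24, 12, 0)     # constructed timestamp


def caching_time_demo():
    """TTL 6h cached at 12:00; the administrator changes the address at 12:01.
    Returns what this resolver serves at several later times."""
    cache = Cache()
    cache.store(T_NOON, NAME, "A", ["192.0.2.80"], 6 * 3600)
    # 12:01: upstream now says 192.0.2.81, but nothing tells this cache so.
    seen = {}
    for minutes in (1, 120, 359, 360):
        hit, rdata = cache.lookup(T_NOON + timedelta(minutes=minutes), NAME, "A")
        seen[minutes] = rdata if hit else "re-query"
    return seen


def negative_cache_demo():
    """Negative answer with SOA TTL 3600 and SOA MINIMUM 86400: the smaller wins."""
    cache = Cache()
    cache.store_negative(T_NOON, "nope.wikipedia.org.", "A", soa_ttl=3600, soa_minimum=86400)
    before = cache.lookup(T_NOON + timedelta(seconds=3599), "nope.wikipedia.org.", "A")
    after = cache.lookup(T_NOON + timedelta(seconds=3600), "nope.wikipedia.org.", "A")
    return before, after


def cap_demo():
    """A 68-year TTL is legal on the wire, but a resolver capping at one day
    will re-query after a day anyway."""
    cache = Cache(ttl_cap=86400)
    cache.store(T_NOON, NAME, "A", ["192.0.2.80"], MAX_TTL)
    return cache.lookup(T_NOON + timedelta(days=2), NAME, "A")
```

caching_time_demo() keeps returning the old address at 12:01, 14:00 and 17:59 and only reports a miss (re-query) at 18:00: that whole window is the caching time, and no action on the authoritative side shortens it once the entry is cached. negative_cache_demo() shows a cached non-existence that lives for 3600 s, not the 86400 s MINIMUM, and cap_demo() shows a resolver ignoring a 68-year TTL in favour of its own limit.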

Page 20:

How DNS works in practice: in the real world

DNS resolving goes from program to OS resolver to ISP resolver to the greater system

Users generally do not communicate directly with a DNS resolver

DNS resolution takes place transparently in client applications: web browsers, mail clients, other Internet applications

When an application makes a request which necessitates a DNS lookup, it sends a resolution request to the local DNS resolver (the stub resolver) in the local operating system

Which in turn handles the communications required

Page 21:

Security issues

DNS was not originally designed with security in mind and has a number of security issues

DNS responses are traditionally not cryptographically signed, so a resolver cannot tell a genuine response from a forged one, leading to many attack possibilities

DNSSEC modifies DNS to add support for cryptographically signed responses

There are various extensions (such as TSIG) to secure zone transfer information as well

Page 22:

Security issues

Even with signed responses (DNSSEC signs DNS data; it does not encrypt it) there is still the possibility that an authoritative DNS server is compromised (by a virus, or for that matter a disgruntled employee) and made to hand out a malicious address for a name, with a long TTL

If the attacker controls the server or the signing key, the bad data is signed like any other, so validation does not catch it

Could have far-reaching impact on potentially millions of Internet users if busy recursive DNS servers cache the bad IP data

Would require manual purging of all affected DNS caches, since the long TTL (up to 68 years) would otherwise keep the bad entry alive

Page 23:

Security issues

Some domain names can spoof other, similar-looking domain names

For example, "paypal.com" and "paypa1.com" are different names

Users may be unable to tell the difference when the user's typeface (font) does not clearly differentiate the letter l and the number 1

The problem is much more serious in systems that support internationalized domain names (IDNs)

Many characters that are different from the point of view of ISO 10646 (Unicode) appear identical on typical computer screens
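The look-alike problem above, as an added worked example that is not part of the original slides: a Python check that folds a name to what it looks like (a small hand-picked confusable table in the spirit of Unicode TR39 skeletons, not the full data), converts between the xn-- form that goes into DNS and the Unicode form the user sees, and flags labels that mix scripts. The names tested are constructed; the function names are my own.

```python
"""Detect look-alike (homograph) domain names: the ASCII paypal / paypa1 case
and the IDN case where a Cyrillic letter stands in for a Latin one.

Added example, not code from the original slides.  The confusable table is
a small hand-picked subset of the idea behind Unicode TR39 "skeletons" (a
real deployment would load the full confusables data); the names tested are
constructed.
"""
import unicodedata

# Characters that render (near-)identically in common fonts, mapped to one
# canonical representative.  Constructed subset.
CONFUSABLE = {
    "1": "l", "I": "l", "|": "l",
    "0": "o",
    "\u0430": "a",   # CYRILLIC SMALL LETTER A
    "\u0435": "e",   # CYRILLIC SMALL LETTER IE
    "\u043e": "o",   # CYRILLIC SMALL LETTER O
    "\u0440": "p",   # CYRILLIC SMALL LETTER ER
    "\u0441": "c",   # CYRILLIC SMALL LETTER ES
    "\u0443": "y",   # CYRILLIC SMALL LETTER U
    "\u0445": "x",   # CYRILLIC SMALL LETTER HA
}


def to_alabel(name):
    """U-label form -> A-label form, i.e. what actually goes into DNS (xn--...).
    Pure-ASCII labels pass through; case is folded because DNS is case-insensitive."""
    return name.lower().encode("idna").decode("ascii")


def to_ulabel(name):
    """A-label form -> U-label form, i.e. what a browser shows if it renders Unicode."""
    if name.isascii():
        return name.encode("ascii").decode("idna")
    return name


def skeleton(name):
    """Fold a name to what it looks like: NFKC (fullwidth forms etc.), lowercase,
    then confusable substitution."""
    folded = unicodedata.normalize("NFKC", to_ulabel(name)).lower()
    return "".join(CONFUSABLE.get(c, c) for c in folded)


def scripts(label):
    """Set of scripts present in a label, taken from Unicode character names."""
    found = set()
    for c in label:
        if c.isascii():
            found.add("LATIN" if c.isalpha() else "COMMON")
        else:
            found.add(unicodedata.name(c, "UNKNOWN").split()[0])
    return found


def looks_like(candidate, trusted):
    """True if `candidate` is a different DNS name that would be read as `trusted`."""
    return (to_alabel(candidate) != to_alabel(trusted)
            and skeleton(candidate) == skeleton(trusted))


def mixed_script_labels(name):
    """Labels that mix scripts (e.g. Latin + Cyrillic): a strong phishing signal
    that browsers use to decide whether to display the xn-- form instead."""
    return [label for label in to_ulabel(name).split(".")
            if len(scripts(label) - {"COMMON"}) > 1]
```

The key point is that "paypal.com" with a Cyrillic а is a perfectly legal, distinct DNS name (xn--pypal-4ve.com on the wire); the resolver and the certificate authority both see a different name, only the human does not. Comparing skeletons catches both the ASCII l/1 case and the IDN case; the mixed-script check catches the IDN case even for characters missing from the table.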

Page 24:

Resume 2/11

Page 25:

Legal users of domains

Registrant

Most of the NICs in the world receive an annual fee from a legal user in order for the legal user to utilize the domain name, i.e. a sort of leasing agreement exists, subject to the registry's terms and conditions

Depending on the naming conventions of the registries, legal users become commonly known as "registrants" or as "domain holders"

ICANN holds a complete list of domain registries in the world

One can find the legal user of a domain name by looking in the WHOIS database held by most domain registries

For most of the 140+ country code top-level domains (ccTLDs), the domain registries hold the authoritative WHOIS (registrant, name servers, expiry dates, etc.)

For instance, DENIC, the German NIC, holds the authoritative WHOIS for a .DE domain name

Page 26:

Legal users of domains

Registrant (cont.)

However, some domain registries, such as those for .COM, .ORG, .INFO, etc., use a registry-registrar model

There are hundreds of domain name registrars that actually perform the domain name registration with the end user (see the lists at ICANN or VeriSign)

By using this method of distribution, the registry only has to manage the relationship with the registrar, and the registrar maintains the relationship with the end users, or "registrants"

For .COM and .NET domain names the registry, VeriSign, holds only a basic ("thin") WHOIS (registrar and name servers, etc.)

One can find the detailed WHOIS (registrant, name servers, expiry dates, etc.) at the registrars

Since about 2001, most gTLD registries (generic: .ORG, .BIZ, .INFO) have adopted a so-called "thick" registry approach, i.e. keeping the authoritative WHOIS with the registries instead of the registrars

Page 27:

Legal users of domains

Administrative contact

A registrant usually designates an administrative contact to manage the domain name

The administrative contact usually has the most immediate power over a domain

Management functions delegated to the administrative contact may include: the obligation to conform to the requirements of the domain registry in order to retain the right to use a domain name; authorization to update the physical address, e-mail address and telephone number etc. in WHOIS

Technical contact

A technical contact manages the name servers of a domain name

The many functions of a technical contact include: making sure the configuration of the domain name conforms to the requirements of the domain registry; updating the domain zone; providing the 24x7 functionality of the name servers that keeps the domain name reachable

Billing contact

The party whom a NIC invoices

Name servers

Namely the authoritative name servers that host the domain name zone of a domain name

Page 28:

Politics

Many investigators have voiced criticism of the methods currently used to control ownership of domains

Critics commonly claim abuse by monopolies or near-monopolies, such as VeriSign, Inc

Particularly noteworthy was the VeriSign Site Finder system, which redirected all unregistered .com and .net domains to a VeriSign web page

Despite widespread criticism, VeriSign only reluctantly removed it after the Internet Corporation for Assigned Names and Numbers (ICANN) threatened to revoke its contract to administer the root name servers

There is also significant disquiet regarding the United States' political influence over ICANN

This was a significant issue in the attempt to create a .xxx top-level domain, and sparked greater interest in alternative DNS roots that would be beyond the control of any single country

Page 29:

Politics: Truth in Domain Names Act

Main article: Anticybersquatting Consumer Protection Act

In the United States, the "Truth in Domain Names Act", in combination with the PROTECT Act, forbids the use of a misleading domain name with the intention of attracting people into viewing a visual depiction of sexually explicit conduct on the Internet

Page 30:

Resolvers

1. Serve DNS names

2. Always returns an IP address

3. Request an IP address

4. Are recursive

(Poll results chart: the four answers received 12%, 13%, 52% and 22% of the votes; the chart mapping each percentage to its option was not preserved.)

Page 31:

Other Internet Resources

See also: Dynamic DNS, Alternative DNS root, Comparison of DNS server software