Professional Documents
Culture Documents
An Introduction To The DNS
An Introduction To The DNS
Session 9260
SHARE 102
Long Beach, CA
Abstract
The Domain Name System is said to be
the glue which holds the internet
together. But how does it work? In
this session, we will look at the
domain name system and how it
works to enable you to connect to a
system without knowing it's internet
address.
The Speaker
Harold Pritchett
Patricia Egen Consulting
(706) 546-0692
harold@uga.edu
Disclaimer
Everybody has lawyers:
The ideas and concepts set forth in this
presentation are solely those of the respective
authors, and not of the companies and or
vendors referenced within and these
organizations do not endorse, guarantee, or
otherwise certify any such ideas or concepts in
application or usage. This material should be
verified for applicability and correctness in each
user environment. No warranty of any kind
available.
Presentation Protocol
Ask Questions for Understanding
For clarification on the current topic:
STICK YOUR HAND UP NOW -
Save Questions on related issues
Hold for Q&A at end of session
The only dumb question is:
the one you didn't ask
A Brief History of the Internet
The ARPANET
! ARPA: Advanced Research Projects Agency
! Part of the Department of Defense
! One function was to fund defense-related projects
! In the late 1960s, ARPA-funded researchers used
ARPA-funded large (for their day) computers
! If in different locations, needed a leased line and a
terminal—maybe multiple lines and terminals
! An ARPA official found this wasteful
! Solution: Connect the computers and terminals
to a network and give everybody one terminal
! The ARPANET, the first packet-switched network,
was born
The ARPANET
!This presented us with a new problem
!How to find a host you wanted to use?
!One early solution?
!Keep a table of these hosts and their network
addresses
In the Beginning
! This was the ARPANET’s HOSTS.TXT file
! HOSTS.TXT mapped every ARPANET host’s name to
its IP address
! Format of an entry was defined in internet standards
documents, and looked something like this:
! HOST:<address>:<name,aliases>:<hardware>:<os>:<list of
services
! HOST : 10.2.0.52 : USC-ISIF,ISIF : DEC-1090T : TOPS20 :
TCP/TELNET,TCP/SMTP,TCP/FTP,TCP/FINGER,UDP/TFTP :
! With this simple format, mapping from name to
address (“forward mapping”) and from address to
name (“reverse mapping”) was easy
! On Unix systems, the HOSTS.TXT file was simply converted to
/etc/hosts format
Life with HOSTS.TXT
! Easily implemented and understood
! Everybody (in theory) had the same version of
the file
! The file was maintained by the SRI Network
Information Center (the "NIC")
! All file edits were done by hand
! Network administrators sent updates via the net
! Initially via electronic mail
! Later via FTP
! The NIC released updated versions of the file
twice a week
The Problem with HOSTS.TXT
! Consistency
! The network changed more quickly than the file was updated
! Flat name space
! Name collisions, i.e. no two hosts could have the same name
! “Good” names were quickly exhausted
! There was no good method to prevent duplicate names
! Human intervention was required
! Traffic and load
! The traffic generated by downloading the file became significant
! Download time was sometimes longer than update period
! The model didn't scale well at all
Solving the Problem
! ARPANET powers-that-be launched an investigation into
replacement for HOSTS.TXT
! Goals:
! Solve the problems inherent in a monolithic host table system
! Use a consistent naming structure
! Create a generic solution that can be used for multiple purposes
! Requirements:
! Decentralized administration
! With data updated locally, but available globally
! A hierarchical name space
! To guarantee unique names
! Massive scalability
The Advent of DNS
! Paul Mockapetris, then of USC's Information
Sciences Institute, designed the architecture of
the new system, called the “Domain Name
System”, or DNS
! The initial DNS RFCs were released in 1984:
! RFC 882, “Domain Names - Concepts and Facilities”
! RFC 883, “Domain Names - Implementation and
Specification”
! The transition plan from HOSTS.TXT to DNS was
initially released in November, 1983, transition to
be completed by May, 1984
The DNS RFCs
! RFCs 882 and 883 were superseded by:
! RFC 1032, “Domain Administrators Guide”
! RFC 1033, “Domain Administrators Operations Guide”
! RFC 1034, “Domain Names -- Concepts and Facilities”
! RFC 1035, “Domain Names -- Implementation and
Specification”
! Additional RFCs specified
! New “resource record” types
! DNS operational considerations
! DNS policies
! DNS continues to evolve to meet the changing
demands of the Internet
Newer DNS RFCs
! Work on DNS continues under the auspices of
The Internet Engineering Task Force Working
Group DNSEXT (For “DNS Extensions”)
! This group is a merger of two previous working
groups:
! DNSIND (Incremental Zone Transfer, Notify, Dynamic
Update)
! RFC 1995, “Incremental Zone Transfer”
! RFC 1996, “A Mechanism for Prompt Notification of Zone
Changes”
! RFC 2136, “Dynamic Updates in the Domain Name System”
! DNSSEC (Security Extensions)
! RFC 2535, “Domain Name System Security Extensions”
Actual DNS Implementations
!BIND (Berkeley Internet Name Domain)
!MS Windows
!Windows 2K/XP Server
!DJBDNS (from the author of QMAIL)
!Cisco DNS/DHCP Manager
third third
level node level node
Restrictions on Labels
! The null label is reserved for the root node
! Legal characters for Internet hosts are
alphanumerics and dash
! Sibling nodes must have unique labels
""
“”
or search on google
ccTLD Organization
! How each country top-level domain is organized
is up to the country
! Some, like Australia’s au, follow the functional
definitions
! com.au, edu.au, etc.
! Others, like Great Britain’s uk and Japan’s jp, divide
the domain functionally but use their own
abbreviations
! ac.uk, co.uk, ne.jp, ad.jp, etc.
! A few, like the United States’ us, are largely
geographical
! ga.us, va.us, etc.
ccTLD Organization
!Canada uses organizational scope
!amazon.ca has national scope
!mbam.qc.ca has Quebec scope
!Some are flat, that is, no hierarchy
!schiphol.nl , louvre.fr
!Each country does it “their way”
New Top Level Domains (TLDs)
! In the last few years, a large re-organization has
taken place in the domain system.
! Initially, the Network Information Center (NIC)
was a part of the Stanford Research Institute
where it operated as a “not for profit”
! In 1993, NSF issued a contract to “Network
Solutions, Inc” to operate the NIC “for profit”
! In 1997, the American Registry for Internet
Numbers (ARIN) was formed to handle
administration and registration of numbers
previously handled by Network Solutions.
New Top Level Domains (TLDs)
!In 1998, the Internet Corporation for
Assigned Names and Numbers (ICANN)
was formed to transition the DNS system
from US government control to the private
sector
!As a part of this transition, the monopoly
of Network Solutions was broken with the
addition of additional domain registrars
New Top Level Domains (TLDs)
Lame Server
www.halshome.net. IN A 192.168.1.3
Name Server Records
halshome.net. IN NS ns1.granitecanyon.com.
halshome.net. IN NS ns2.granitecanyon.com.
Start of Authority Record
harold
"ping www.uga.edu."
Name Resolution – an example
! The Workstation, harold, asks its nameserver,
grumpy, for www.uga.edu’s address?
grumpy
harold
"ping www.uga.edu."
Name Resolution – an example
! The nameserver grumpy asks one of the root
nameservers for www.uga.edu’s address
harold
"ping www.uga.edu."
Name Resolution – an example
! The Root server refers grumpy to the .edu name servers.
! This type of response is called a “referral”
harold
"ping www.uga.edu."
Name Resolution – an example
! The server grumpy then asks a .edu name server
for the address of www.uga.edu.
harold
"ping www.uga.edu." edu server
Name Resolution – an example
! The .edu name server then refers grumpy to the
uga.edu name servers.
harold
"ping www.uga.edu." edu server
Name Resolution – an example
! Next, grumpy asks one of the uga.edu name
servers for the address of www.uga.edu.
uga.edu server
harold
"ping www.uga.edu." edu server
Name Resolution – an example
! The uga.edu name server then responds with
www.uga.edu’s address.
uga.edu server
harold
"ping www.uga.edu." edu server
Name Resolution – an example
! Finally, the nameserver grumpy responds to
harold with www.uga.edu’s address.
Here's the IP
address for
www.uga.edu
uga.edu server
harold
"ping www.uga.edu." edu server
Keeping it close to home
!Notice that one of the name servers
(grumpy) did most of the work
!grumpy sent three queries on jr’s behalf
!The other name servers sent no queries
!Why didn’t (for example) the root name server
query one of the .edu name servers for
grumpy?
!Likewise, why didn’t grumpy refer jr to the
root name servers, rather than sending the
query itself?
Types of Queries
! Resolvers send recursive queries
! This type of query requires the recipient to provide an
answer, not a referral
! Resolvers need answers, not referrals, because most
resolvers are too dumb to follow referrals
! Name servers send non-recursive or iterative
queries to each other
! Referrals are allowed
! Of course, so is the answer to the query
! Name servers are smart(er) and can follow referrals
Another reason for Recursion
! Imagine if all the name servers in the world sent
recursive queries to the Internet’s root name
servers
! A name server usually sends other name servers non-
recursive queries so as not to burden them
! A resolver, on the other hand, is usually
configured to query a name server run by the
same organization, so that name server should
bear most of the burden of resolution
Caching
!Caching speeds up the resolution process
!Name servers cache all records they
receive from other name servers
!Remember the time to live (TTL) field in
resource records?
!It determines how long a name server can
cache that particular record
The Resolution Process
!After the previous query, the name server
grumpy now knows:
!The names and IP addresses of the .edu name
servers
!The names and IP addresses of the uga.edu
name servers
!The IP address of www.uga.edu
Name Resolution – again
! Here’s a second look at the resolution process,
step by step:
harold
"ping ftp.uga.edu."
Name Resolution – again
! The Workstation, harold, asks its nameserver,
grumpy, for ftp.uga.edu’s address?
grumpy
harold
"ping ftp.uga.edu."
Name Resolution – again
! Next, grumpy asks one of the uga.edu name servers for
the address of ftp.uga.edu. It already knows the address
of the uga.edu nameservers from it’s cache
What's the IP address of
ftp.uga.edu?
uga.edu server
harold
"ping ftp.uga.edu." edu server
Name Resolution – again
! The uga.edu name server then responds with
ftp.uga.edu’s address.
uga.edu server
harold
"ping ftp.uga.edu." edu server
Name Resolution – again
! Finally, the nameserver grumpy responds to
harold with ftp.uga.edu’s address.
Here's the IP
address for
ftp.uga.edu
uga.edu server
harold
"ping ftp.uga.edu." edu server
“Dynamic DNS”
!Lots of talk these days about “Dynamic
DNS”
!Used by Windows Active Directory
!Usually shorthand for three recent DNS
protocol enhancements working together:
!Dynamic Update
!NOTIFY
!Incremental Zone Transfer (IXFR)
Dynamic Update
! Allows authorized agents (e.g., DHCP servers) to
update zone data by sending specially formatted
messages to a zone’s authoritative name server
! Really a DNS message with fields redesignated
! Updaters can add or delete records
! The update can be contingent upon certain conditions
! Existence or non-existence of a domain name
! Existence or non-existence of a record type for a domain
name
! About the only thing you can’t do with Dynamic
Update is create or delete zones
Dynamic Update Security
! There is none in the protocol itself
! Up to the server to decide whether or not to process
updates
! BIND 8.2+ currently authorizes updaters by:
! Source IP address
! Transaction signature (TSIG)
! But TSIG is very new and few updaters use it
! The default is to deny all updates
! Dynamic update is enabled by creating an access list
for allowed updaters
Notify
!Allows the master name server for a zone
to notify the slave servers of changes to
the zone by sending them specially
formatted messages
!Upon receipt of these messages, NOTIFY-
capable slaves
!Verify that the message came from one of
their master servers
!Immediately check the zone’s SOA record on
their configured master server(s)
Incremental Zone Transfer
! Until recently, all transfers of zone data have
transferred the entire zone
! Even if just a single record in the zone has changed
! This form of zone transfer is called AXFR, after the
query type that initiates the transfer
! Incremental zone transfer allows slave name
servers to transfer just the changes in a zone
! Which records have been added
! Which records have been deleted
! This form of zone transfer is called IXFR
Latest things in DNS
!Support for IPv6
!IDN
!Support for Unicode characters in domain
names
!DNSSEC
!Cryptographic extensions to DNS to provide
source authentication and integrity checking
!More new top-level domains
! As you can see from this presentation, DNS is a
rather amazing distributed database. It handles
billions of requests for billions of names every
day through a network of millions of name
servers administered by millions of people. Every
time you send an e-mail message or view a URL,
you are making requests to multiple name
servers scattered all over the globe. What's
amazing is that the process is usually completely
invisible and extremely reliable!
Primary Reference Materials
www.oreilly.com
Other References
Internet Security Consortium
www.isc.org
Internet RFC Archives
www.faqs.org/rfcs
ICANN Home Page
www.icann.org
DNS Resource Directory
www.dns.net/dnsrd
Other References
Questions?