
2.3 The Domain Name System (DNS) (2.4)

Problem: internet hosts and routers have both

  • an IP address, used for addressing datagrams
  • a “name”, used by humans (like www.google.com)

How do we map between IP address and name, and vice versa?
Solution: the DNS.

The Domain Name System (DNS) is a distributed database implemented in a hierarchy of many name servers.
It is an application-layer protocol: hosts and name servers communicate to resolve names (name-to-address translation), which keeps the complexity at the network’s edge.

Registering a subdomain means binding it unambiguously to an IP address, i.e. registering it in the DNS database.

2.3.1 ICANN

The distributed DNS system is managed by the Internet Corporation for Assigned Names and Numbers (ICANN), which also defines what the top-level domains are.

2.3.2 DNS services (2.4.1)

  • hostname to IP address translation
  • host aliasing:
    • alias names for the canonical hostname
  • mail server aliasing
  • load distribution: replicated web servers, where many IP addresses correspond to one name. When a client asks for the resolution of such a hostname, the DNS server answers with the whole list of associated IP addresses, but each time in a different order, since the client normally takes the first address in the list.

2.3.3 DNS structure

The DNS is a distributed, hierarchical database:

  • ROOT: the client queries a root DNS server to find the IP address of the top-level domain’s DNS server
  • TOP LEVEL DOMAIN: the client queries the top-level domain DNS server to find the address of the authoritative DNS server
  • AUTHORITATIVE: the client queries the authoritative DNS server to find the IP address for the desired hostname.

A distributed structure was chosen because a centralized DNS:

  • doesn’t scale
  • is a single point of failure (SPOF)
  • cannot be near every host
  • cannot handle that much traffic volume (Comcast DNS servers serve 600B DNS queries per day)
  • cannot be easily maintained

ROOT name servers

These servers are the official contact of last resort for name servers that cannot resolve the queried name.
They are an extremely important internet function: the internet could not work without them. DNSSEC provides security for them: authentication and integrity of the service.

There are 13 logical root name servers worldwide; each is replicated many times (there are more than 200 root name server instances in the US alone).

TLD name servers

These servers are responsible for resolving every top-level domain (.com, .org, etc.) and every country-code top-level domain (ccTLD) (.it, .uk, etc.).

For example:

  • Network Solutions is the authoritative registry for .com and .net TLDs
  • Educause is the authoritative registry for the .edu TLD
  • Registro.it is the authoritative registry for the .it CCTLD

Authoritative DNS servers

These servers are the organizations’ own DNS server(s), providing authoritative hostname-to-IP mappings for the organization’s named hosts.
These can be maintained by the organization or a service provider.

Local DNS name servers

Also called default name servers, these are run by each ISP and act as a sort of proxy DNS server: they keep a local cache of recent name-to-address translation pairs, BUT it may be out of date!
When a host makes a DNS query, it is sent to its local DNS server.

Local DNS servers follow the client-server paradigm, but communicate over UDP.

2.3.4 Name resolution Approaches

Iterated Query

The host first asks the local DNS server, which in turn contacts each required DNS server until the name is resolved: every contacted server replies with the name of the next server to contact, and the local DNS server then queries that one.
When the local DNS server has resolved the name, it replies to the host with the answer.

This approach is preferred, since the work is done by the local DNS server rather than by the root and TLD servers.

Recursive Query

The host first asks the local DNS server, which in turn contacts the next server (the root), which then asks the next (the TLD server), et cetera, until resolution.
Every contacted server asks the next one, in a chain of queries, until the authoritative server produces the answer; at that point each server passes the answer back down the chain until it reaches the host.

This puts more load on the servers along the chain, not only on the local DNS server.

2.3.5 DNS records (2.4.3)

Once a name server learns a mapping, it caches it. Cached entries time out and disappear after some time (the TTL).
Typically local name servers cache the TLD server mappings, so as to put less stress on the root name servers.
Cached entries may be out of date: this is a best-effort name-to-address translation, and if a hostname changes IP address, the change may not be known Internet-wide until all TTLs expire.

The DNS is a distributed database storing resource records (RR):

RR format: (name, value, type, ttl)
  • type=A (address)
    • name is a hostname
    • value is the associated IP address
  • type=NS (name server)
    • name is domain (what you enter in the search bar)
    • value is the hostname of the authoritative name server for this domain
  • type=CNAME (“canonical name”)
    • name is an alias name for some “canonical” name (the real name)
    • value is the canonical name for the alias
  • type=MX
    • value is the name of the mailserver associated with name
  • there are even more types
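As an added example (not from the original notes), a toy cache in Python that stores records in the (name, value, type, ttl) format above: it expires entries by TTL, follows CNAME aliases to the canonical name’s A records, and rotates the address list on each lookup as the load-distribution trick in 2.3.2 describes. The hostnames and addresses are constructed.

```python
import time
from collections import defaultdict


class DnsCache:
    """Toy resolver cache for (name, value, type, ttl) resource records.

    Shows TTL expiry, CNAME-to-A alias chasing and the rotating-answer
    trick used for load distribution.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock                     # injectable so the demo can advance time
        self._entries = defaultdict(list)      # (name, type) -> [(value, expires_at)]
        self._rotation = defaultdict(int)      # (name, type) -> lookups served so far

    @staticmethod
    def _key(name, rtype):
        return (name.lower().rstrip("."), rtype.upper())

    def insert(self, name, value, rtype, ttl):
        """Cache one RR; it disappears once its TTL has elapsed."""
        self._entries[self._key(name, rtype)].append((value, self.clock() + ttl))

    def lookup(self, name, rtype):
        """Return the live values for (name, type), rotated one step per call."""
        key = self._key(name, rtype)
        now = self.clock()
        live = [(v, exp) for v, exp in self._entries.get(key, []) if exp > now]
        self._entries[key] = live              # drop expired entries
        values = [v for v, _ in live]
        if len(values) > 1:
            shift = self._rotation[key] % len(values)
            self._rotation[key] += 1
            values = values[shift:] + values[:shift]
        return values

    def resolve_address(self, name, max_aliases=8):
        """Follow CNAME aliases until A records (or nothing) are found."""
        for _ in range(max_aliases):
            addrs = self.lookup(name, "A")
            if addrs:
                return name, addrs
            cnames = self.lookup(name, "CNAME")
            if not cnames:
                return name, []                # cache miss: must query upstream
            name = cnames[0]
        raise ValueError("CNAME chain too long")


def demo():
    """Constructed records; returns what a client sees as time passes."""
    now = [0.0]
    cache = DnsCache(clock=lambda: now[0])
    cache.insert("www.example.com", "host1.example.com", "CNAME", 300)
    cache.insert("host1.example.com", "192.0.2.10", "A", 60)
    cache.insert("host1.example.com", "192.0.2.11", "A", 60)
    cache.insert("example.com", "mail.example.com", "MX", 3600)
    first = cache.resolve_address("www.example.com")
    second = cache.resolve_address("www.example.com")   # same hosts, rotated order
    now[0] = 61.0                                       # A records expired, CNAME still live
    stale = cache.resolve_address("www.example.com")
    mx = cache.lookup("example.com", "MX")
    return first, second, stale, mx


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third result shows the best-effort nature described above: the alias is still cached, but its addresses have timed out, so a real resolver would now have to query the authoritative server again.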

2.3.6 DNS protocol messages

DNS query and reply messages use the same format:

  • message header:
    • identification: 16 bit number (ID) for query, reply uses the same number
    • flags:
      • query or reply
      • recursion desired
      • recursion available
      • reply is authoritative

Message layout (each header row is 2 bytes + 2 bytes):

    +----------------------------+----------------------------+
    | identification             | flags                      |
    +----------------------------+----------------------------+
    | # questions                | # answer RRs               |
    +----------------------------+----------------------------+
    | # authority RRs            | # additional RRs           |
    +----------------------------+----------------------------+
    | questions (variable length)                             |
    +---------------------------------------------------------+
    | answers (variable length)                               |
    +---------------------------------------------------------+
    | authority (variable length)                             |
    +---------------------------------------------------------+
    | additional info (variable length)                       |
    +---------------------------------------------------------+

nslookup: command-line tool to discover the IP address or DNS record of a given domain name.
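An added example (not part of the original notes) that builds and parses the message format above in Python: the 12-byte header, the flag bits listed (query/reply, recursion desired, recursion available, authoritative) and the question section with its length-prefixed labels. The query ID and hostname are constructed; the record-type numbers are the standard ones.

```python
import struct

# Fixed 12-byte header: id, flags, #questions, #answer RRs, #authority RRs, #additional RRs
HEADER = struct.Struct("!HHHHHH")
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15}
CLASS_IN = 1

# Flag bits inside the 16-bit flags word
FLAG_QR = 0x8000   # 0 = query, 1 = reply
FLAG_AA = 0x0400   # reply is authoritative
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available


def encode_name(name):
    """Encode www.example.com as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data, offset):
    """Inverse of encode_name; returns (name, offset just past the name)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:   # 11xxxxxx marks a compression pointer (not handled here)
            raise ValueError("compression pointers are not handled in this example")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(ident, name, qtype="A", recursion_desired=True):
    """Build a one-question query message as a byte string."""
    flags = FLAG_RD if recursion_desired else 0
    header = HEADER.pack(ident, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], CLASS_IN)
    return header + question


def reply_header_from(query, authoritative=False, recursion_available=True):
    """Header a server sends back: same ID, the question copied, QR bit set."""
    ident, flags, qd, _, _, _ = HEADER.unpack_from(query, 0)
    flags |= FLAG_QR
    if authoritative:
        flags |= FLAG_AA
    if recursion_available:
        flags |= FLAG_RA
    return HEADER.pack(ident, flags, qd, 0, 0, 0) + query[HEADER.size:]


def parse_message(data):
    """Decode the header fields and the question section into a dict."""
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(data, 0)
    msg = {
        "id": ident,
        "is_reply": bool(flags & FLAG_QR),
        "authoritative": bool(flags & FLAG_AA),
        "recursion_desired": bool(flags & FLAG_RD),
        "recursion_available": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
        "questions": [],
    }
    offset = HEADER.size
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        qtype, qclass = struct.unpack_from("!HH", data, offset)
        offset += 4
        msg["questions"].append((qname, qtype, qclass))
    return msg


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")   # constructed ID and name
    print(q.hex())
    print(parse_message(q))
    print(parse_message(reply_header_from(q, authoritative=True)))
```

Comparing the parsed query with the parsed reply makes the point in the bullet list concrete: the identification field is unchanged, and only the flag bits tell the two apart.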

2.3.7 Inserting Records into DNS

  1. register the name (name.topleveldomain) at a DNS registrar (e.g. Network Solutions)
    • provide the names and IP addresses of the authoritative name servers (both primary and secondary)
    • the registrar inserts NS and A records (RRs) into the TLD (top-level domain) server
  2. create the authoritative server locally, at the IP address inserted into the TLD server

2.3.8 example of DNS resolution

The requesting host (alice.iet.unipi.it) asks its local DNS server for the IP address of www.networkutopia.com.
The local DNS server contacts a root DNS server, which replies with the IP address of the .com TLD DNS server.
The local DNS server then contacts the .com DNS server, which replies with the IP address of the authoritative server for networkutopia.com.
Finally the local DNS server contacts the authoritative server, which replies with the requested record; the local DNS server routes this answer back to the requesting host.
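As an added example (not from the original notes) covering both 2.3.4 and the walk-through above, a Python simulation of a root, TLD and authoritative server: the same hierarchy is queried once in iterated mode, where the local server follows each referral itself, and once in recursive mode, where each server forwards the query on. The server labels and the address of www.networkutopia.com are constructed.

```python
from collections import Counter


class NameServer:
    """One server in the hierarchy: it either answers or refers to a child zone."""

    def __init__(self, label, answers=None, referrals=None):
        self.label = label
        self.answers = answers or {}        # (name, type) -> list of values
        self.referrals = referrals or {}    # delegated zone -> NameServer (its NS record, resolved)

    def lookup(self, name, qtype):
        """Return ('answer', values), ('referral', server) or ('nxdomain', None)."""
        if (name, qtype) in self.answers:
            return "answer", self.answers[(name, qtype)]
        best = None                          # longest delegated zone that contains the name
        for zone, server in self.referrals.items():
            if name == zone or name.endswith("." + zone):
                if best is None or len(zone) > len(best[0]):
                    best = (zone, server)
        if best is not None:
            return "referral", best[1]
        return "nxdomain", None

    def resolve_recursively(self, name, qtype, trace):
        """Recursive mode: each server forwards the query itself and relays the answer."""
        kind, payload = self.lookup(name, qtype)
        if kind == "referral":
            trace.append((self.label, payload.label))
            return payload.resolve_recursively(name, qtype, trace)
        return payload if kind == "answer" else None


def resolve_iteratively(local_label, root, name, qtype, trace):
    """Iterated mode: the local server follows every referral on its own."""
    server = root
    while True:
        trace.append((local_label, server.label))
        kind, payload = server.lookup(name, qtype)
        if kind == "referral":
            server = payload
        elif kind == "answer":
            return payload
        else:
            return None


def queries_sent(trace):
    """How many queries each server had to send: the load the text talks about."""
    return Counter(src for src, _ in trace)


def build_hierarchy():
    """Constructed root / TLD / authoritative servers for the example above."""
    auth = NameServer("dns.networkutopia.com",
                      answers={("www.networkutopia.com", "A"): ["192.0.2.80"]})
    tld = NameServer("tld-com", referrals={"networkutopia.com": auth})
    return NameServer("root", referrals={"com": tld})


def demo(name="www.networkutopia.com"):
    root = build_hierarchy()
    iter_trace, rec_trace = [], []
    iter_answer = resolve_iteratively("local-dns", root, name, "A", iter_trace)
    rec_trace.append(("local-dns", root.label))      # local server asks root once
    rec_answer = root.resolve_recursively(name, "A", rec_trace)
    return iter_answer, iter_trace, rec_answer, rec_trace


if __name__ == "__main__":
    answer, it, _, rec = demo()
    print(answer, queries_sent(it), queries_sent(rec))
```

Both modes reach the same answer with three queries, but `queries_sent` shows where the work lands: in iterated mode all three are sent by the local server, in recursive mode the root and TLD servers each have to send one and wait for the reply.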

2.3.9 DNS security

DNS servers are susceptible to:

  • DDoS attacks
    • not successful to date against root servers
  • Redirect attacks
    • man-in-the-middle: intercepting DNS queries
    • DNS poisoning: sending false replies to the DNS servers, which then get cached
  • exploit DNS for DDoS
    • spoofing the source IP address of DNS requests so they appear to come from the victim’s IP. When DNS servers respond, they send the (much larger amplification) replies to the victim, overwhelming it with traffic.
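A defender-side example added here (not from the original notes) for the poisoning bullet above: a resolver only caches a reply if it matches a query it actually sent. The table below keeps the outstanding queries keyed by transaction ID and local port, and accepts a reply only when the ID, the port, the source address and the question section all match, with one reply per query. The server addresses and hostnames are constructed, and the reply is a plain dict rather than a parsed wire message.

```python
import secrets


class PendingQueries:
    """Outstanding-query table of a resolver; accepts only replies that match.

    A reply reaches the cache only if its transaction ID, the local port it
    arrives on, the address it comes from and its question section match a
    query this resolver sent, and each query accepts exactly one reply.
    """

    def __init__(self):
        self._pending = {}     # (id, local port) -> (server address, qname, qtype)
        self.accepted = 0
        self.rejected = 0

    @staticmethod
    def _norm(name):
        return name.lower().rstrip(".")

    def send(self, qname, qtype, server_addr):
        """Register a query with a random 16-bit ID and a random ephemeral port."""
        while True:
            ident = secrets.randbelow(1 << 16)
            port = 1024 + secrets.randbelow(65536 - 1024)
            if (ident, port) not in self._pending:
                break
        self._pending[(ident, port)] = (server_addr, self._norm(qname), qtype)
        return ident, port

    def accept(self, reply, src_addr, local_port):
        """Return True if the reply matches a pending query; otherwise count it as rejected."""
        key = (reply["id"], local_port)
        expected = self._pending.get(key)
        if expected is None or not reply.get("is_reply", False):
            self.rejected += 1
            return False
        server_addr, qname, qtype = expected
        questions = [(self._norm(n), t) for n, t in reply["questions"]]
        if src_addr != server_addr or questions != [(qname, qtype)]:
            self.rejected += 1
            return False
        del self._pending[key]          # one reply per query: duplicates are dropped
        self.accepted += 1
        return True


def demo():
    """Constructed traffic: one genuine reply and four that must be dropped."""
    table = PendingQueries()
    server = "198.51.100.53"                          # the server we asked (constructed)
    ident, port = table.send("www.example.com", "A", server)
    genuine = {"id": ident, "is_reply": True, "questions": [("www.example.com", "A")]}
    wrong_id = dict(genuine, id=(ident + 1) % 65536)
    wrong_question = dict(genuine, questions=[("mail.example.com", "A")])
    results = (
        table.accept(wrong_id, server, port),         # ID mismatch
        table.accept(genuine, "203.0.113.9", port),   # wrong source address
        table.accept(wrong_question, server, port),   # question mismatch
        table.accept(genuine, server, port),          # the real answer
        table.accept(genuine, server, port),          # duplicate after acceptance
    )
    return results, table.accepted, table.rejected


if __name__ == "__main__":
    print(demo())
```

The `rejected` counter is worth exporting as a metric in a real resolver: a sudden rise in non-matching replies is the visible symptom of someone trying to get a false record cached.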

DNSSEC

Redirect attacks and the exploitation of DNS for DDoS are addressed by DNSSEC: the Domain Name System Security Extensions are a set of extensions that add security to the DNS protocol. They work by signing the DNS records with cryptographic signatures, which guarantees the authenticity and integrity of the replies.
