Transcript DNS

Lecture #1
DNS: Domain Name System
HAIT
Summer 2005
Shimrit Tzur-David
1
Motivation
• Internet hosts, mailboxes, and other resources have a
network address (IP).
• Imagine that in order to visit ‘ynet’ you would need to
remember the ‘ynet’ server IP address.
• For that reason, any internet host, mailbox, and other
resource has also a name.
• In the ‘ynet’ example – ynet.co.il.
• IP address (32 bit) - used for addressing datagrams
• “name” - used by humans.
2
Motivation – Cont.
• Sending e-mail to [email protected] means that if
Yossi's ISP or organization moves the mail server to a
different machine with a different IP address, his email address has to change.
• ASCII names were introduced to decouple machine
names from machine addresses. In this way, Yossi's
address might be something like [email protected].
• The network itself understands only numerical
addresses, so some mechanism is required to convert
the ASCII strings to network addresses.
• This is the role of the DNS.
3
History
• The first solution was simply a file, hosts.txt, that
listed all the hosts and their IP addresses.
• Every night, all the hosts would fetch it from the site
at which it was maintained.
• For a network of a few hundred machines, this
approach worked reasonably well.
• A few years later, thousands of minicomputers and PCs
were connected to the net and this solution was no
longer applicable for two reasons:
– The size of hosts.txt
– Host name conflicts
4
DNS Definition
• Invention of a hierarchical, domain-based
naming scheme and a distributed database
system for implementing the naming scheme.
• It is primarily used for mapping host names
and e-mail destinations to IP addresses but can
also be used for other purposes.
5
Mapping Name to IP Address
• An application program calls a library procedure
called the resolver, passing it the name as a
parameter.
• An example of a resolver is gethostbyname.
• The resolver sends a UDP packet to a local DNS
server, which then looks up the name and returns the
IP address to the resolver, which then returns it to the
caller.
• The program can now establish a TCP/UDP
connection with the destination.
6
Analogy
• In the postal system, name management is done by
requiring letters to specify the country, state or
province, city, and street address of the addressee.
• By using this kind of hierarchical addressing, there is
no confusion between the Marvin Anderson on Main
St. in White Plains, N.Y. and the Marvin Anderson on
Main St. in Austin, Texas.
• DNS works the same way.
7
Main Idea
• The Internet is divided into over 200 top-level
domains.
• Each domain covers many hosts.
• Each domain is partitioned into sub-domains,
and these are further partitioned, and so on.
• The domains can be represented by a tree.
8
The Domains Tree
• The leaves of the tree represent domains that have no subdomains.
• A leaf domain may contain a single host, or it may represent
a company and contain thousands of hosts.
9
Architecture
• The top-level domains come in two flavors:
– generic
– countries
• The original generic domains were com
(commercial), edu (educational institutions), gov (the
U.S. Federal Government), int (certain international
organizations), mil (the U.S. armed forces), net
(network providers), and org (nonprofit
organizations).
• The country domains include one entry for every
country.
10
Domains Names
• Each domain is named by the path upward from it to
the root.
• The components are separated by periods.
• This hierarchical naming means that eng.sun.com (the
engineering department at Sun Microsystems) does
not conflict with a potential use of eng in
eng.yale.edu., which might be used by the Yale
English department.
• Domain names can be either absolute or relative. In
both cases, a named domain refers to a specific node
in the tree and all the nodes under it.
• Domain names are case insensitive.
11
Name Servers
• Why can’t we have a single name server that contains
the entire DNS database and respond to all queries
about it?
– single point of failure
– traffic volume
– distant centralized database
– maintenance
• If it ever went down, the entire Internet would be
crippled.
• No server has all name-to-IP address mappings.
12
Name Servers – Cont.
• The DNS name space is divided into non-overlapping
zones. Each zone has a local name server.
• local name servers:
– each ISP has local (default) name server
– host DNS query first goes to local name server
• authoritative name server:
– for a host: stores that host’s IP address and name
– can perform name/address translation for that host’s name
13
The Client
• Access to the DNS is through a resolver.
• On Unix hosts the resolver is accessed
primarily through two library functions:
– gethostbyname: takes a hostname and returns an
IP address.
– gethostbyaddr: takes an IP address and looks up a
hostname.
• When a resolver has a query about a domain
name, it passes the query to one of the local
name servers to do the mapping.
14
Serving a Request
• If the domain being sought falls under the
jurisdiction of the name server, such as ai.cs.yale.edu
falling under cs.yale.edu, it returns the authoritative
resource records.
• Authoritative record - a record that comes from the
authority that manages the record and is thus always
correct.
• If the domain is remote and no information about the
requested domain is available locally, the name
server sends a query message to the top-level name
server for the domain requested (root domain).
15
Root Name Servers
• Contacted by local name server that cannot resolve name.
• root name server:
– Contacts authoritative name server if name mapping not known
– Gets mapping
– Returns mapping to local name server
• 13 root name servers worldwide:
– a NSI, Herndon, VA
– b USC-ISI, Marina del Rey, CA
– c PSInet, Herndon, VA
– d U Maryland, College Park, MD
– e NASA, Mt View, CA
– f Internet Software C., Palo Alto, CA
– g DISA, Vienna, VA
– h ARL, Aberdeen, MD
– i NORDUnet, Stockholm
– j NSI (TBD), Herndon, VA
– k RIPE, London
– l ICANN, Marina del Rey, CA
– m WIDE, Tokyo
16
Recursive Query
• Each server that does not have the requested information
goes and finds it somewhere, then reports back.
• The path of the response is the same as the path of the
request.
• When a DNS client fails to get a response before its
timer goes off, it normally will try another server next
time.
• heavy load?
• Puts burden of name resolution on contacted name
server.
17
Example 1
• host surf.eurecom.fr wants IP address of
gaia.cs.umass.edu
1. contacts its local DNS server,
dns.eurecom.fr
2. dns.eurecom.fr contacts root name server, if
necessary
3. root name server contacts authoritative name server,
dns.umass.edu, if necessary
[Figure: recursive query – messages 1 to 6 between requesting host
surf.eurecom.fr, local name server dns.eurecom.fr, the root name
server and authoritative name server dns.umass.edu, resolving
gaia.cs.umass.edu]
18
Example 2
Root name server:
• may not know authoritative name server
• may know intermediate name server: who to
contact to find authoritative name server
[Figure: recursive query – messages 1 to 8 between requesting host
surf.eurecom.fr, local name server dns.eurecom.fr, the root name
server, intermediate name server dns.umass.edu and authoritative
name server dns.cs.umass.edu, resolving gaia.cs.umass.edu]
19
Iterated Queries
• When a query cannot be satisfied locally, the
query fails, but the name of the next server
along the line to try is returned.
• Contacted server replies with name of server to
contact.
• “I don’t know this name, but ask this server”
• This is the default use of DNS. Why?
20
Example
[Figure: iterated query – messages 1 to 8 between requesting host
surf.eurecom.fr, local name server dns.eurecom.fr, the root name
server, intermediate name server dns.umass.edu and authoritative
name server dns.cs.umass.edu, resolving gaia.cs.umass.edu; the local
name server sends each query itself]
21
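As an added illustration (not part of the lecture), the following Python models both query styles over a constructed delegation chain that mirrors the examples above: the local server dns.eurecom.fr, a root server, the intermediate server dns.umass.edu and the authoritative server dns.cs.umass.edu. The server and host names are taken from the slides; the per-server data and the IP addresses are made up. The returned trail shows who sends each query, which is where the two styles differ.

```python
from dataclasses import dataclass, field

@dataclass
class NameServer:
    name: str
    answers: dict = field(default_factory=dict)    # hostname -> IP it is authoritative for
    referrals: dict = field(default_factory=dict)  # zone -> name of the server to ask next

    def lookup(self, host):
        """Return ('answer', ip), ('referral', server) or ('nxdomain', None)."""
        if host in self.answers:
            return "answer", self.answers[host]
        # longest matching zone wins; the empty zone "" (the root) matches every name
        zones = [z for z in self.referrals if z == "" or host == z or host.endswith("." + z)]
        if zones:
            return "referral", self.referrals[max(zones, key=len)]
        return "nxdomain", None

# Constructed delegation data following the lecture's example; addresses are made up.
SERVERS = {
    "root": NameServer("root", referrals={"umass.edu": "dns.umass.edu"}),
    "dns.umass.edu": NameServer("dns.umass.edu", referrals={"cs.umass.edu": "dns.cs.umass.edu"}),
    "dns.cs.umass.edu": NameServer("dns.cs.umass.edu", answers={"gaia.cs.umass.edu": "192.0.2.10"}),
    "dns.eurecom.fr": NameServer("dns.eurecom.fr", answers={"surf.eurecom.fr": "192.0.2.20"},
                                 referrals={"": "root"}),
}

def iterated(local, host):
    """Iterated: the local server follows every referral itself."""
    trail, server = [], local                      # trail = (asker, asked) pairs
    while True:
        kind, value = SERVERS[server].lookup(host)
        if kind != "referral":
            return value, trail
        trail.append((local, value))
        server = value

def recursive(server, host, trail=None):
    """Recursive: each server that lacks the answer forwards the query onward."""
    trail = [] if trail is None else trail
    kind, value = SERVERS[server].lookup(host)
    if kind != "referral":
        return value, trail
    trail.append((server, value))
    return recursive(value, host, trail)
```

Both styles exchange the same number of messages here, but in the recursive trail every server along the chain does resolution work on the local server's behalf.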
DNS Services
• Name and IP addresses mapping
• Host aliasing - enterprise.com is an alias for
relay1.west-coast.enterprise.com (canonical)
• mail server aliasing - [email protected] → [email protected]
• load distribution - directing traffic to different
sites
22
Caching and Updating Records
• Once (any) name server learns mapping, it
caches the mapping in case it will be needed
later.
• This information is not authoritative (changes
are not propagated to all the caches).
• Cache entries should not live too long.
• Each entry in the cache carries a
Time_to_live field that tells remote name
servers how long to cache the record.
23
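An added example (not from the lecture) of a non-authoritative record cache of the kind described above. Each entry expires when the Time_to_live the server gave has elapsed, and a local maximum keeps any record from living "too long" even if the server said otherwise; the clock is injectable so the behaviour can be tested without waiting.

```python
import time

class RRCache:
    """Non-authoritative cache: entries expire after the TTL the server gave.
    max_ttl caps how long any record may be kept, whatever the server said."""
    def __init__(self, max_ttl=86400, clock=time.monotonic):
        self.max_ttl, self.clock, self.store = max_ttl, clock, {}

    def put(self, name, rtype, value, ttl):
        ttl = max(0, min(int(ttl), self.max_ttl))          # clamp: never cache "too long"
        self.store[(name.lower(), rtype)] = (value, self.clock() + ttl)

    def get(self, name, rtype):
        """Return (value, seconds_left) or None when absent or expired."""
        key = (name.lower(), rtype)                         # names are case insensitive
        entry = self.store.get(key)
        if entry is None:
            return None
        value, expires = entry
        left = expires - self.clock()
        if left <= 0:
            del self.store[key]                             # stale: the authority must be asked again
            return None
        return value, int(left)
```

The remaining seconds are returned so that a cached record handed on to another resolver can carry the decremented TTL rather than the original one.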
Resource Records
• Every domain can have a set of resource records
associated with it.
• For a single host, the most common resource record is
just its IP address, but many other kinds of resource
records also exist.
• When a resolver gives a domain name to DNS, it gets
back the resource records associated with that name.
• The primary function of DNS is to map domain
names onto resource records.
24
Resource Records Format
• A resource record is a five-tuple:
Domain_name Time_to_live Type Class Value
• Domain_name - the domain to which this
record applies.
• Time_to_live - gives an indication of how
stable the record is.
• Class – Always IN (for Internet)
• Value – the value of the record.
25
Resource Records Type
• Type – the type of the record.
26
Resource Records Type – Cont.
• SOA - the primary source of information.
• A – name is hostname, value is IP address.
• MX - value is name of mail-server associated with name.
• NS - name is domain (e.g. foo.com), value is IP address of
authoritative name server for this domain.
• CNAME - name is alias name for some “canonical” (the real)
name, www.ibm.com is really servereast.backup2.ibm.com,
value is the canonical name.
• HINFO - what kind of machine and operating system a domain
corresponds to.
• TXT - allow domains to identify themselves in arbitrary ways.
27
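An added example (not from the lecture) that parses five-tuple records of the types listed above into Python values, validating the class and the A-record address, and then resolves a name through a CNAME alias. The zone fragment is constructed; Type and Class are accepted in either order because zone files usually write the class first.

```python
import ipaddress
KNOWN_TYPES = {"SOA", "A", "MX", "NS", "CNAME", "HINFO", "TXT"}   # from the lecture's list

def parse_value(rtype, value):          # interpret Value according to the record type
    if rtype == "A":
        return str(ipaddress.IPv4Address(value))        # raises ValueError on a malformed address
    if rtype == "MX":
        pref, host = value.split()                      # preference, mail server name
        return int(pref), host.lower()
    if rtype in ("NS", "CNAME"):
        return value.lower()                            # names are case insensitive
    if rtype == "HINFO":
        return tuple(value.split(None, 1))              # (machine, operating system)
    if rtype == "TXT":
        return value.strip().strip('"')
    return value                                        # SOA: keep the raw text

def parse_rr(line):
    """Split one 'Domain_name TTL Type Class Value' line into a record dict.
    Type and Class are accepted in either order (zone files usually put IN first)."""
    parts = line.split(None, 4)
    if len(parts) != 5:
        raise ValueError("expected five fields: %r" % line)
    name, ttl, f3, f4, value = parts
    rtype, rclass = (f4, f3) if f3.upper() == "IN" else (f3, f4)
    if rclass.upper() != "IN" or rtype.upper() not in KNOWN_TYPES:
        raise ValueError("unsupported class/type: %s %s" % (rclass, rtype))
    return {"name": name.lower(), "ttl": int(ttl), "type": rtype.upper(),
            "class": "IN", "value": parse_value(rtype.upper(), value)}

def load_zone(text):
    """Parse every non-blank, non-comment (';') line of a zone fragment."""
    return [parse_rr(ln) for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith(";")]

def lookup(records, name, rtype, depth=0):
    """Return the values of type rtype for name, following CNAME aliases (bounded depth)."""
    name = name.lower()
    hits = [r["value"] for r in records if r["name"] == name and r["type"] == rtype]
    if hits or depth > 8:
        return hits
    for r in records:
        if r["name"] == name and r["type"] == "CNAME":
            return lookup(records, r["value"], rtype, depth + 1)
    return []

ZONE = """\
; constructed sample zone, not the lecture's example
example.com.        86400 IN MX    10 mail.example.com.
example.com.        86400 IN NS    ns1.example.com.
www.example.com.    3600  IN CNAME host1.example.com.
host1.example.com.  3600  IN A     192.0.2.5
host1.example.com.  3600  IN HINFO Sun Unix
"""
```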
Resource Records - Example
Basic information
where the domain is
located
places(2
tolines)
try to
deliver e-mail
Sun workstation
running
UNIX
IP
addresses
places to try to
deliver e-mail
28
Protocol & Messages
• DNS protocol : query and reply messages, both with
same message format.
• msg header:
– identification: 16 bit #; reply to query uses same
# as the query id.
– flags: query or reply, recursion desired,
recursion available, reply is authoritative
29
Protocol & Messages - Cont
[Figure: DNS message format – header, followed by the questions,
answers, authority and additional info sections]
• Name, Type & Class fields for a query
• RRs in response to query
• records for authoritative servers
• additional “helpful” info that may be used. For example, A
RRs referred to by new NS records should be presented here.
30
DNS query example
A query for the IP-address of pc2.cs.ucdavis.edu:
[Figure: the query's question fields – Name: pc2.cs.ucdavis.edu,
Type: A = 1, Class: IN = 1]
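An added example (not from the lecture) that builds the query above on the wire, with the 16-bit ID, the flags and one question, and parses a reply back into its header bits and answer records. It also applies the check the message-format slides imply: a reply is only accepted when it is marked as a response and echoes the query's ID and question. The reply used in the test is constructed by hand; the address in it is made up.

```python
import struct

def encode_name(name):                            # labels as <len><bytes>..., ending in a 0 byte
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    """Read a (possibly compressed) name at msg[off]; return (name, offset after it)."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        if (n & 0xC0) == 0xC0:                    # 2-byte pointer to an earlier copy of the name
            tail, _ = decode_name(msg, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF)
            return ".".join(labels + [tail]), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def build_query(qname, ident, qtype=1, qclass=1, rd=True):
    # Header: ID, flags (QR=0 query, RD = recursion desired), QDCOUNT=1, AN/NS/ARCOUNT=0
    header = struct.pack("!HHHHHH", ident, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)

def parse_header(msg):
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": flags >> 15 & 1, "aa": flags >> 10 & 1, "rd": flags >> 8 & 1,
            "ra": flags >> 7 & 1, "rcode": flags & 0xF, "ancount": an}

def parse_message(msg):
    """Return (header, question, answers); each answer is (name, type, class, ttl, rdata)."""
    hdr = parse_header(msg)
    qname, off = decode_name(msg, 12)
    question = (qname,) + struct.unpack("!HH", msg[off:off + 4])
    off, answers = off + 4, []
    for _ in range(hdr["ancount"]):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        if rtype == 1 and rdlen == 4:             # type A: four-byte IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rclass, ttl, rdata))
        off += 10 + rdlen
    return hdr, question, answers

def reply_matches(query, reply):
    """Accept a reply only if it is a response that echoes the query's ID and question."""
    (qh, qq, _), (rh, rq, _) = parse_message(query), parse_message(reply)
    return rh["qr"] == 1 and qh["id"] == rh["id"] and qq == rq
```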
31
LDAP
• DNS is extremely important to the correct
functioning of the Internet.
• DNS does not help locate people, resources, services,
or objects in general.
• LDAP (Lightweight Directory Access Protocol) is for locating these things.
• It organizes information as a tree and allows searches
on different components.
• It can be regarded as a ''white pages'' telephone book.
32
LDAP-Aware
• Client programs can ask LDAP servers to look
up entries in a wide variety of ways.
• LDAP servers index all the data in their entries, and
"filters" may be used to select just the person or
group the client wants.
• For example, here's an LDAP search translated into
plain English:
• "Search for all people located in Chicago whose name
contains "Fred" that have an email address. Please
return their full name, email, title, and description."
33
LDAP Permissions
• "Permissions" are set by the administrator to
allow only certain people to access the LDAP
database.
• There is an option to keep certain data private.
• LDAP servers also provide "authentication"
service, so that web, email, and file-sharing
servers can use a single list of authorized users
and passwords.
34