Professional Documents
Culture Documents
DNS
DNS
System
Peter Sjödin
KTH School of ICT
Acknowledgements
2
Course Material
• Forouzan Chapter 19
• Lab: Domain Name System
- BIND 9 reference manual
• http://www.bind9.net/manuals
• Intro – Chapter 1
• Zone files – Chapter 3
• RFC 1034 and RFC 1035 (Reference)
• Liu and Albitz, DNS and BIND, O'Reilly (Reference)
• IANA
- http://www.iana.org/assignments/dns-parameters
3
Outline
• Name Systems
• Internet Domains
• Distributed system of name servers
• Application layer protocol
• DNS servers and zone files
4
DNS – The Domain Name System
User
1
Host
name
Host
name
2
5
IP address
6 3 Query
IP address
Response 4
Transport layer 5
Why Names
6
Domain Name Space
• Hierarchical name space organized as an inverted-
tree structure
7
Domain Names and Labels
• Nodes have labels (root’s label is empty string)
• Each node represents a domain name
8
Domain Names
• Domain name is sequence of labels separated by
dots “.”
• A full domain name is a sequence from bottom to
top
- Root’s label is empty string, so a full domain name ends
with a dot “.”
- Fully Qualified Domain Name (FQDN)
• Otherwise partial name
- Partially Qualified Domain Name (PQDN)
- Relative to a node in the tree
- The term “PQDN” is seldom used in practice though
9
Outline
• Name Systems
• Internet Domains
• Distributed system of name servers
• Application layer protocol
• DNS servers and zone files
10
Domains in the Internet
11
Generic Domains
12
Generic Domain Labels
Domain Intended use Domain Intended use
aero
the air transport industry. mil
the U.S. military
companies, organizations and
individuals in the Asia-Pacific
asia
region mobi
sites catering to mobile devices
• Country code
- Two-letter ISO
codes
• “se”, “uk”, “cn”
- Internationalized
country code TLDs
• Non-latin alphabet
15
Inverse Domain
• Infrastructure
domain
• For mapping
addresses to
names
- in-addr.arpa.
• IPv4
- ip6.arpa.
• IPv6
- …
16
Outline
• Name Systems
• Internet Domains
• Distributed system of name servers
• Application layer protocol
• DNS servers and zone files
17
The DNS System
18
Distributed Database
• Consistency
- All parts of the database are up to date and
synchronized
• Management
- Responsibility for database updates
• Service location
- What server to use, and where to find it
• …
19
Hierarchy of Name Servers
Root DNS Servers
21
Root Servers From Wikipedia, 2015-09-28
No of Sites
Hostname
IPv4/IPv6 Addresses
Operator
Global/Local
198.41.0.4
a.root-servers.net
Verisign 5/0
2001:503:ba3e::2:30
192.228.79.201
b.root-servers.net
USC-ISI 0/1
2001:500:84::b
192.33.4.12
c.root-servers.net
Cogent Communications 8/0
2001:500:2::c
199.7.91.13
d.root-servers.net
University of Maryland 50/67
2001:500:2d::d
192.203.230.10
e.root-servers.net
NASA 1/11
N/A
192.5.5.241
f.root-servers.net
Internet Systems Consortium 57/0
2001:500:2f::f
192.112.36.4 Defense Information Systems
g.root-servers.net
6/0
N/A Agency
128.63.2.53
h.root-servers.net
U.S. Army Research Lab 2/0
2001:500:1::803f:235
192.36.148.17
i.root-servers.net
Netnod 41/0
2001:7fe::53
192.58.128.30
j.root-servers.net
Verisign 61/13
2001:503:c27::2:30
193.0.14.129
k.root-servers.net
RIPE NCC 5/23
2001:7fd::1
199.7.83.42
l.root-servers.net
ICANN 157/0
2001:500:3::42
202.12.27.33
m.root-servers.net
WIDE Project 6/1
2001:dc3::35 22
Top-Level DNS Servers
23
Authoritative DNS Servers
A tipster tells us that the technical reason for the failure is being
caused by the inaccessibility of GoDaddy’s DNS servers —
specifically CNS1.SECURESERVER.NET,
CNS2.SECURESERVER.NET, and CNS3.SECURESERVER.NET are
failing to resolve.”
http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-
millions-of-sites/, 2012-09-11
26
Recursive Resolution
root DNS server
❒ Server should respond with
the requested address
❒ If a server does not have the 2 3
address, the server passes
7 6
the query to another server
TLD DNS
server
Not how it is done in practice:
❒ puts burden of name local DNS server
dns.poly.edu 5 4
resolution on contacted name
server 1 8
❒ high-level servers (root, TLD,
etc) do not accept recursive authoritative DNS server
queries dns.cs.umass.edu
❒ (So figure does not reflect requesting host
cis.poly.edu
real scenario)
Host at cis.poly.edu wants IP
gaia.cs.umass.edu
address for gaia.cs.umass.edu 27
Iterative Resolution root DNS server
iterated query:
❒ contacted server replies 2
3
with name of server to TLD DNS server
contact 4
❒ “I don’t know this name, 5
but ask this server”
local DNS server
In practice: dns.poly.edu
❒ Local DNS server 7 6
performs iterated query 1 8
on behalf of client
❒ Local DNS server stores authoritative DNS server
dns.cs.umass.edu
results of previous requesting host
lookups in a cache cis.poly.edu
29
Zones
30
Zones and Delegations
31
Master and Slaves
32
Outline
• Name Systems
• Internet Domains
• Distributed system of name servers
• Application layer protocol
• DNS servers and zone files
33
DNS Query and Response
Side note: DNS primarily uses UDP. The trend is that messages are getting
larger due to new functionality being introduced, such as security, so a DNS
message may not fit in a single IP datagram. Then TCP might be a better choice,
compared to IP fragmentation. Zone transfers always use TCP.
34
Header format
• Identification
- Match response with query (16-bit number)
• Flags, various purposes including
- Recursion
- Indicating whether server is authoritative
- Return code (error status)
• Answer records
- Results of query
• Authoritative records
- Domain names for authoritative name servers for domain in
question
• Additional records
- For instance, IP addresses for authoritative name servers
35
Examples of Record Types
36
Querying Tools
37
$ dig kth.se
; <<>> DiG 9.8.5-P1 <<>> kth.se
dig kth.se
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32320
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 6
;; QUESTION SECTION:
;kth.se. IN A
;; ANSWER SECTION:
kth.se. 60 IN A 130.237.32.143
;; AUTHORITY SECTION:
kth.se. 1722 IN NS nic.lth.se.
kth.se. 1722 IN NS a.ns.kth.se.
kth.se. 1722 IN NS ns2.chalmers.se.
kth.se. 1722 IN NS b.ns.kth.se.
;; ADDITIONAL SECTION:
a.ns.kth.se. 34575 IN A 130.237.72.246
b.ns.kth.se. 34574 IN A 130.237.72.250
nic.lth.se. 33753 IN A 130.235.20.3
ns2.chalmers.se. 3964 IN A 129.16.253.252
ns2.chalmers.se. 3964 IN AAAA 2001:6b0:2:20::1
;; ANSWER SECTION:
kth.se. 60 IN A 130.237.32.143
;; AUTHORITY SECTION:
kth.se. 1722 IN NS nic.lth.se.
kth.se. 1722 IN NS a.ns.kth.se.
kth.se. 1722 IN NS ns2.chalmers.se.
kth.se. 1722 IN NS b.ns.kth.se.
;; ADDITIONAL SECTION:
a.ns.kth.se. 34575 IN A
Glue records – IP addresses
130.237.72.246
b.ns.kth.se. 34574 IN A of authoritative
130.237.72.250 name servers
nic.lth.se. 33753 IN A 130.235.20.3
ns2.chalmers.se. 3964 IN A 129.16.253.252
ns2.chalmers.se. 3964 IN AAAA 2001:6b0:2:20::1
40
Reverse Lookups
dig –x <ip address>
41
Outline
• Name Systems
• Internet Domains
• Distributed system of name servers
• Application layer protocol
• DNS servers and zone files
42
Setting up a DNS Server
43
Zone File
44
Start of Authority – SOA
• Defines a zone
• Always first record in a zone file
45
Address Records – A and AAAA
• A – IPv4, AAAA – IPv6
violin IN A 192.249.249.2
guitar IN A 192.249.249.2
harp IN A 192.249.249.1
IN A 192.253.253.1
piano IN A 192.253.253.2
IN AAAA 2001:db80:1:2:3:4:567:891b
46
Canonical Name – CNAME
• Alias
• Several names for same address
47
Nameserver – NS
48
Delegation
child.example.net. IN NS ns.child.example.net.
ns.child.example.net. IN A 11.2.3.4
49
Mail Exchange – MX
50
MX Records
51
Pointer – PTR
52
Root Hints File
• How does a resolving name server (such as the local
DNS server) know where to start?
• Pre-configured with Root Hints file
- Contains the root servers
- Published by IANA
• http://www.iana.org/domains/root/files
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FE::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30
53
Summary
54
Not Covered
• Compression
• Header details
• Dynamic DNS
- Enables hosts to automatically update zone file when
addresses changes
• DNSSEC, DNS security
- Authentication
55