Professional Documents
Culture Documents
Lecture 8 – DNS
Peter Steenkiste
Justine Sherry
Fall 2017
www.cs.cmu.edu/~prs/15-441-F17
How Do We Identify Hosts?
• Hosts have a
www.google.com
• host name
• IP address Application
DNS
Presentation
• MAC address
Session
ARP Transport
Network
Data link
Physical
2
Host Names & Addresses
• Convenience
• Easier to remember www.google.com than
74.125.239.49
• Doesn’t scale!
7
Goals?
• Scalable
• many names
• many updates
• many users creating names
• many users looking up names
• Highly available
• Correct
• no naming conflicts (uniqueness)
• consistency
• Lookups are fast
How?
• Hierarchical namespace
• As opposed to original flat namespace
• Hierarchically administered
• As opposed to centralized administrator
• Hierarchy of servers
• As opposed to centralized storage
DNS Design: Hierarchy Definitions
11
DNS Design: Zone Definitions
Complete
Tree
12
Server Hierarchy
Verisign, Dulles, VA
DNS Root Servers
• 13 root servers (labeled A-M; see http://www.root-servers.org/)
A Verisign, Dulles, VA
C Cogent, Herndon, VA
D U Maryland College Park, MD
G US DoD Vienna, VA
H ARL Aberdeen, MD K RIPE London
J Verisign
I Autonomica, Stockholm
E NASA Mt View, CA
F Internet Software
Consortium
Palo Alto, CA M WIDE Tokyo
A Verisign, Dulles, VA
C Cogent, Herndon, VA (also Los Angeles, NY, Chicago)
D U Maryland College Park, MD
G US DoD Vienna, VA
H ARL Aberdeen, MD K RIPE London (plus 16 other locations)
J Verisign (21 locations)
I Autonomica, Stockholm (plus 29
other locations)
E NASA Mt View, CA
F Internet Software
Consortium,
Palo Alto, CA M WIDE Tokyo
(and 37 other locations) plus Seoul, Paris,
San Francisco
20
DNS Records
FOR IN class:
• Type=A • Type=CNAME
• name is hostname • name is an alias name for some
• value is IP address “canonical” (the real) name
• Type=NS • value is canonical name
• name is domain (e.g. foo.com) • Type=MX
• value is name of authoritative name • value is hostname of mailserver
server for this domain associated with name
21
Inserting RRs into DNS
• Example: you just created company FooBar
• You get a block of IP addresses from your ISP
• say 212.44.9.128/25
• Two components
• Local DNS servers
• Resolver software on hosts
• Client application
• Obtain DNS name (e.g., from URL)
• Triggers DNS request to its local DNS server
Servers/Resolvers
24
root servers
local
DNS server
(mydns.cmu.edu)
.edu servers
nyu.edu
servers
DNS client
(me.cs.cmu.edu)
25
root servers
local
DNS server
(mydns.cmu.edu)
.edu servers
nyu.edu
servers
DNS client
(me.cs.cmu.edu)
26
root
DNS server
DNS server
(mydns.cmu.edu)
.edu servers
nyu.edu
servers
DNS client
(me.cs.cmu.edu)
27
root
DNS server
DNS server
(mydns.cmu.edu)
.edu servers
nyu.edu
servers
DNS client
(me.cs.cmu.edu)
28
recursive DNS query root
DNS server
DNS server
(mydns.cmu.edu)
.edu servers
nyu.edu servers
DNS client
(me.cs.cmu.edu)
29
root
DNS server
DNS server
(mydns.cmu.edu)
.edu servers
nyu.edu servers
DNS client
(me.cs.cmu.edu)
30
iterative DNS query root
DNS server
DNS server
(mydns.cmu.edu)
.edu servers
nyu.edu servers
DNS client
(me.cs.cmu.edu)
Goals – how are we doing?
• Scalable
• many names
• many updates
• many users creating names
• many users looking up names
• Highly available
Per-domain availability
• Scalable
• many names
• many updates
• many users creating names
• many users looking up names
• Highly available
• Correct
• no naming conflicts (uniqueness)
• consistency
• Lookups are fast
DNS Message Format
Identification Flags
12 bytes No. of Questions No. of Answer RRs
RRs in response
to query Answers (variable number of resource records)
Records for
authoritative Authority (variable number of resource records)
servers
39
DNS Header Fields
• Identification
• Used to match up request/response
• Flags
• 1-bit to mark query or response
• 1-bit to mark authoritative or not
• 1-bit to request recursive resolution
• 1-bit to indicate support for recursive resolution
40
How can one attack DNS?
41
root
DNS server
.edu TLD
local
DNS server
DNS server
Persa (the impersonator)
42
How can one attack DNS?
.edu TLD
local
DNS server
DNS server
44
How can one attack DNS?
.edu TLD
local
DNS server
DNS server
Casha
46
How can one attack DNS?
48
What does DNSSEC provide
• provides message authentication and integrity verification
through cryptographic signatures
• You know who provided the signature
• No modifications between signing and validation
• It does not provide authorization
• It does not provide confidentiality
• It does not provide protection against DDOS
DNSSEC: Deployment Status
50
DNSSEC: Deployment Status
51
Important Properties of DNS
53