Structured Naming
Internet Naming Service: DNS See https://www.isc.org/community/rfcs/dns/
Introduction to the DNS DNS Components
Copyright By PowCoder代写 加微信 powcoder
DNS Structure and Hierarchy The DNS in Context
DNS History (1)
ARPANET utilized a central file HOSTS.TXT
Contains names to addresses mapping Maintained by SRI’s NIC (Stanford-Research-
Institute: Network-Information-Center)
Administrators email changes to NIC NIC updates HOSTS.TXT periodically
Administrators FTP (download) HOSTS.TXT
DNS History (2)
As the system grew, HOSTS.TXT had problems with:
Scalability (traffic and load) Name collisions Consistency
In 1984, released the first version (RFCs 882 and 883, superseded by 1034 and 1035 …)
The DNS is…
The “Domain Name System”
What Internet users use to reference anything by name on the Internet
The mechanism by which Internet software translates names to attributes such as addresses
The DNS is also…
A globally distributed, scalable, reliable database
Comprised of three components
– A “name space”
– Servers making that name space available
– Resolvers (clients) which query the servers about the name space
DNS as a Lookup Mechanism Users generally prefer names to numbers
Computers prefer numbers to names
DNS provides the mapping between the two
– I have “x”, give me “y”
DNS as a Database
Keys to the database are “domain names”
– www.foo.com, 18.in-addr.arpa, 6.4.e164.arpa
Over 200,000,000 domain names stored
Each domain name contains one or more attributes
– Known as “resource records”
Each attribute individually retrievable
Global Distribution
Data is maintained locally, but retrievable globally
– No single computer has all DNS data DNS lookups can be performed by any
Remote DNS data is locally cachable to improve performance
Loose Coherency
Each version of a subset of the database (a zone) has a serial number
The serial number is incremented on each database change
Changes to the master copy of the database are propagated to replicas according to timing set by the zone administrator
Cached data expires according to timeout set by zone administrator
No limit to the size of the database No limit to the number of queries
– Tens of thousands of queries handled easily every second
Scalability
Queries distributed among masters, slaves, and caches
Reliability Data is replicated
– Data from master is copied to multiple slaves
– Master server
Clients will typically query local caches
DNS protocols can use either UDP or TCP
– If UDP, DNS protocol handles retransmission, sequencing, etc.
Clients can query
– Any of the copies at slave servers
Dynamicity
– Add/delete/modify of any record
Modification of the master database triggers replication
Database can be updated dynamically – Only master can be dynamically updated
Introduction to the DNS
DNS Components
– The name space – The servers
– The resolvers
DNS Structure and Hierarchy The DNS in Context
The root node has a null label, written as “”
The Name Space
The name space is the structure of the DNS database
An inverted tree with the root node at the top Each node has a label
The root node “”
top-level node top-level node top-level node
second-level node second-level node second-level node second-level node second-level node
third-level node third-level node third-level node
Root node maintained by the ITU (call it “+”)
Top level nodes = country codes (1, 81, etc)
Second level nodes = regional codes (1-402, 81-3, etc.)
An Analogy – E.164
… 202 650 808 3 4 852
381 779 3489
6003 6003 5226 2024
Each node in the tree must have a label
A string of up to 63 bytes
RFCs 852 and 1123 define legal characters for “hostnames”
A-Z, 0-9, and “-” only with a-z and A-Z treated as the same
Sibling nodes must have unique labels
The null label is reserved for the root node
Domain Names
A domain name is the sequence of labels from a node to the root, separated by dots (“.”s), read left to right
The name space has a maximum depth of 127 levels Domain names are limited to 255 characters in length
A node’s domain name identifies its position in the name space
edu gov int mil net org
east www tornado
metainfo berkeley nwu nato army uu
One domain is a subdomain of another if its domain name ends in the other’s domain name
– So sales.nominum.com is a subdomain of
Subdomains
– nominum.com is a subdomain of com
nominum.com & com
Delegation Administrators can create subdomains to group hosts
According to geography, organizational affiliation etc.
An administrator of a domain can delegate responsibility for managing a subdomain to someone else
The parent domain retains links to the delegated subdomains
Delegation Creates Zones
Each time an administrator delegates a subdomain, a new unit of administration is created
– The subdomain and its parent domain can now be administered independently
– These units are called zones
– The boundary between zones is a point of delegation in
the name space
Delegation is good: it is the key to scalability
Dividing a Domain into Zones
nominum.com domain
rwc.nominum.com zone
nominum.com zone
ams.nominum.com zone
gouda cheddar
Introduction to the DNS
DNS Components – The name space
– The servers
– The resolvers
DNS Structure and Hierarchy The DNS in Context
Name servers store information about the name space in units called “zones”
– The name servers that load a complete zone are said to “have authority for” or “be authoritative for” the zone
Usually, more than one name server are authoritative for the same zone
– This ensures redundancy and spreads the load
Name Servers
Also, a single name server may be authoritative for many zones
Name Servers and Zones
128.8.10.5 serves data for both nominum.com and isc.org zones
202.12.28.129 serves data for nominum.com zone only
204.152.187.11 serves data for isc.org zone only
Name Servers
nominum.com
128.8.10.5
202.12.28.129
204.152.187.11
Types of Name Servers Two main types of servers
– Authoritative – maintains the data
– Caching – stores data obtained from an authoritative server
Master – where the data is edited Slave – where data is replicated to
No special hardware necessary
Name Server Architecture You can think of a name server as part of:
– database server, answering queries about the parts of the name space it knows about (i.e., is authoritative for),
– cache, temporarily storing data it learns from other name servers, and
– agent, helping resolvers and other name servers find data
Name Server Architecture
Name Server Process
Zone data file
Zone transfer
Authoritative Data
(primary master and slave zones)
Cache Data
(responses from other name servers)
(looks up queries on behalf of resolvers)
Master server
Authoritative Data
Name Server Process
Authoritative Data
(primary master and slave zones)
Cache Data
(responses from other name servers)
(looks up queries on behalf of resolvers)
Using Other Name Servers
Name Server Process
Authoritative Data
(primary master and slave zones)
Cache Data
(responses from other name servers)
(looks up queries on behalf of resolvers)
Another name server
Name Server Process
Cached Data
Authoritative Data
(primary master and slave zones)
Cache Data
(responses from other name servers)
(looks up queries on behalf of resolvers)
Introduction to the DNS
DNS Components – The name space
– The servers
– The resolvers
DNS Structure and Hierarchy The DNS in Context
Name resolution is the process by which resolvers and name servers cooperate to find data in the name space
Name Resolution
– Starting point: the names and IP addresses of the name
Closure mechanism for DNS?
servers for the root zone (the “root name servers”)
– The root name servers know about the top-level zones and can tell name servers whom to contact for all TLDs
Name Resolution A DNS query has three parameters:
– A domain name (e.g., www.nominum.com),
– A class (e.g., IN), and
Remember, every node has a domain name! – A type (e.g., A)
– http://network-tools.com/nslook/
Upon receiving a query from a resolver, a name server
– 1) looks for the answer in its authoritative data and its cache
– 2) If step 1 fails, the answer must be looked up
The Resolution Process
Let’s look at the resolution process step-by- step:
annie.west.sprockets.com
ping www.nominum.com.
The Resolution Process
The workstation annie asks its configured name
server, dakota, for www.nominum.com’s address
dakota.west.sprockets.com
What’s the IP address of www.nominum.com?
annie.west.sprockets.com
ping www.nominum.com.
The Resolution Process
The name server dakota asks a root name server, m, for
www.nominum.com’s address
dakota.west.sprockets.com
What’s the IP address of www.nominum.com?
ping www.nominum.com.
m.root-servers.net
annie.west.sprockets.com
The root server m refers dakota to the com name servers This type of response is called a “referral”
The Resolution Process
dakota.west.sprockets.com
Here’s a list of the com name servers.
Ask one of them.
m.root-servers.net
annie.west.sprockets.com
ping www.nominum.com.
The Resolution Process
The name server dakota asks a com name server, f,
for www.nominum.com’s address
What’s the IP address of www.nominum.com?
dakota.west.sprockets.com
m.root-servers.net
annie.west.sprockets.com
ping www.nominum.com.
f.gtld-servers.net
The Resolution Process The com name server f refers dakota to the
nominum.com name servers
dakota.west.sprockets.com
m.root-servers.net
Here’s a list of the nominum.com name servers.
Ask one of them.
annie.west.sprockets.com
ping www.nominum.com.
f.gtld-servers.net
The Resolution Process
The name server dakota asks a nominum.com name server,
ns1.sanjose, for www.nominum.com’s address
What’s the IP address of www.nominum.com?
dakota.west.sprockets.com
m.root-servers.net
ns1.sanjose.nominum.net
annie.west.sprockets.com
ping www.nominum.com.
f.gtld-servers.net
The Resolution Process The nominum.com name server ns1.sanjose
responds with www.nominum.com’s address
dakota.west.sprockets.com
Here’s the IP address for www.nominum.com
ping www.nominum.com.
m.root-servers.net
ns1.sanjose.nominum.net
annie.west.sprockets.com
f.gtld-servers.net
The name server dakota responds to annie with www.nominum.com’s address
The Resolution Process
dakota.west.sprockets.com
Here’s the IP address for www.nominum.com
m.root-servers.net
ns1.sanjose.nominum.net
annie.west.sprockets.com
ping www.nominum.com.
f.gtld-servers.net
Resolution Process (Caching)
Let’s look at the resolution process again
After the previous query, the name server dakota now knows:
– The names and IP addresses of the com name servers
– The names and IP addresses of the nominum.com name servers – The IP address of www.nominum.com
annie.west.sprockets.com
ping ftp.nominum.com.
Resolution Process (Caching) The workstation annie asks its configured name
server, dakota, for ftp.nominum.com’s address
dakota.west.sprockets.com
What’s the IP address of ftp.nominum.com?
ns1.sanjose.nominum.net
m.root-servers.net
annie.west.sprockets.com
ping ftp.nominum.com.
f.gtld-servers.net
Resolution Process (Caching) dakota has cached a NS record indicating ns1.sanjose is an
nominum.com name server, so it asks it for ftp.nominum.com’s address
What’s the IP address of ftp.nominum.com?
dakota.west.sprockets.com
m.root-servers.net
ns1.sanjose.nominum.net
annie.west.sprockets.com
ping ftp.nominum.com.
f.gtld-servers.net
Resolution Process (Caching) The nominum.com name server ns1.sanjose
responds with ftp.nominum.com’s address
dakota.west.sprockets.com
Here’s the IP address for ftp.nominum.com
ns1.sanjose.nominum.net
m.root-servers.net
annie.west.sprockets.com
ping ftp.nominum.com.
f.gtld-servers.net
Resolution Process (Caching)
The name server dakota responds to annie with ftp.nominum.com’s address
dakota.west.sprockets.com
Here’s the IP address for ftp.nominum.com
m.root-servers.net
ns1.sanjose.nominum.net
annie.west.sprockets.com
ping ftp.nominum.com.
f.gtld-servers.net
Iterative Name Resolution The principle of iterative name resolution.
Recursive Name Resolution (1) The principle of recursive name resolution.
Recursive Name Resolution (2)
Server for node
Should resolve
Passes to child
Receives and caches
Returns to requester
#
#
#
#
#
Recursive name resolution of
Iterative versus Recursive Resolution (1)
How about communication cost? Performance-wise, which is better? Which works better with caching?
Iterative versus Recursive Resolution (2)
Performance-wise, which is better?
Recursive method puts higher performance demand on each name server
Which works better with caching? Recursive method works better with caching
How about communication cost?
Recursive method can reduce communication cost
The comparison between recursive and iterative name resolution with respect to communication costs.
Iterative versus Recursive Resolution (3)
Introduction to the DNS DNS Components
DNS Structure and Hierarchy The DNS in Context
DNS Structure and Hierarchy
If a site is not connected to the Internet, it can use any domain hierarchy it chooses
– Can make up whatever TLDs (top level domains) you want
The DNS imposes no constraints on how the DNS hierarchy is implemented except:
– A single root
– The label restrictions
– So, can we create a host with a name a.wonderful.world?
Connecting to the Internet implies use of the existing DNS hierarchy
Top-level Domain (TLD) Structure
e.g., ARPA, DDN, CSNET, etc.
Bad idea: if your network changes, your name changes
e.g., GOV for Government, COM for commercial, EDU for education, etc.
In 1983 (RFC 881), the idea was to have TLDs correspond
to network service providers
By 1984 (RFC 920), functional domains was established
RFC 920 also
Provided country domains
Provided “Multiorganizations”
Large, composed of other (particularly international) organizations
Provided a stable TLD structure until 1996 or so
The Current TLDs
Generic TLDs (gTLDs)
Country Code TLDs (ccTLDs)
International TLDs (iTLDs)
US Legacy TLDs (usTLDs)
Commercial Organizations
AF Afghanistan
International Treaty Organizations
Governmental Organizations
Network Infrastructure
AL Albania
ARPA (Transition Device)
Military Organizations
Other Organizations
DZ Algeria
Educational Institutions
YU Yugoslavia
ZW Zimbabwe
Internet Corporation for Assigned Names and Numbers (ICANN)
– Addresses
ICANN’s role: to oversee the management of Internet resources including
– Protocol identifiers and parameters
Administration of the root zone file
Oversee the operation of the root name servers
Delegating blocks of addresses to the regional registries Allocating port numbers, etc.
The root zone file lists the names and IP addresses of the authoritative DNS servers for all top-level domains (TLDs)
The root zone file is published on 13 servers, “A” through “M”, around the Internet
The Root Nameservers
Root name server operations currently provided by volunteer efforts by a very diverse set of organizations
Root Name Server Operators
Nameserver
Operated by:
Verisign (US East Coast)
University of S. California –Information Sciences Institute (US West Coast)
Cogent Communications (US East Coast)
University of Maryland (US East Coast)
NASA (Ames) (US West Coast)
Internet Software Consortium (US West Coast)
U. S. Dept. of Defense (ARL) (US East Coast)
U. S. Dept. of Defense (DISA) (US East Coast)
Autonomica (SE)
Verisign (US East Coast)
RIPE-NCC (UK)
ICANN (US West Coast)
Registries, Registrars, and Registrants
the agent which submits change requests to the registry on behalf of the registrant
A classification of roles in the operation of a domain name space Registry
the name space’s database
the organization which has edit control of that database
the organization which runs the authoritative name servers for that name space
Registrant
the entity which makes use of the domain name
Registries, Registrars, and Registrants
Registry updates zone
Master updated
Slaves updated
Registrar submits add/modify/delete to registry
Registrar Registrar
End user requests add/modify/delete
Registrants
Verisign: the registry and
registrar for gTLDs .COM, .NET, and .ORG
– By far the largest top level domains on the Internet
Verisign received the contract for the registry for .COM, .NET, and .ORG
– also a registrar for these TLDs
Introduction to the DNS DNS Components
DNS Hierarchy
The DNS in Context
Load Concerns DNS can handle the load
– DNS root servers get approximately 3000 queries per second
• Empirical proofs (DDoS attacks) show root name servers can handle 50,000 queries per second
– Limitation is network bandwidth, not the DNS protocol
– in-addr.arpa zone, which translates numbers to names, gets about 2000 queries per second
Performance Concerns DNS is a very lightweight protocol
– Simple query – response
Any performance limitations are the result of network limitations
– Speed of light
– Network congestion
– Switching/forwarding latencies
Security Concerns
Base DNS protocol (RFC 1034, 1035) is insecure
– DNS spoofing (cache poisoning) attacks are possible
DNS Security Enhancements (DNSSEC, RFC 2565) remedies this flaw
– But creates new ones
DoS attacks
Amplification attacks
– Hierarchy (delegation) is good
DNSSEC strongly discourages large flat zones
Questions?
程序代写 CS代考 加微信: powcoder QQ: 1823890830 Email: powcoder@163.com