Networking
DNS
© Janice Regan, 2006-2017
Host names
In addition to identifying a host by the IP address of a connected interface, we also identify the interface by a hostname.
Hostnames are easier for a human to use and remember than IP addresses.
In the early Internet, names were recorded in a central registry at the Network Information Center (NIC).
New hosts/names were submitted to the central registry and added to the hosts file (HOSTS.TXT).
The hosts file was then distributed to all other sites.
Flat naming structure: every name had to be unique across the whole Internet.
Hierarchical name space
The central naming system worked well until the Internet grew larger than it could handle (soon after TCP/IP was adopted).
The central servers could no longer cope with the volume of hosts-file downloads.
Manual updating of names was slow, and maintaining network-wide consistency was difficult.
Enforcing the use of unique names became more difficult (then impossible).
DNS
The primary use of DNS is to answer queries requesting the IP address that corresponds to a given host name.
DNS uses a hierarchical classification system for domain names (a domain is a group of hosts and networks).
Responsibility for administering the DNS namespace is distributed.
A DNS domain name may represent a network, a subnetwork, or a single host.
Hierarchical name space
A hierarchical system was designed to replace the original flat namespace.
Administration was decentralized using a distributed database.
Local administrators were given responsibility for building and maintaining the database relating IP addresses and names for their designated local networks.
DNS Name Tree
[Figure: the name tree. The root "." is at the top; beneath it the TLDs arpa, com, edu, gov, us, uk, ca, fr; deeper labels shown are in-addr (under arpa), nasa and jpl (under gov), ca and ny (under us), and bc, sfu, cs, fraser, sun and hp (under ca).]
Labels may have up to 63 characters.
Labels (names) may refer to
domains (hosts + nets)
hosts or networks
DNS Name Tree
[Figure: the same name tree, with a second child named hp1 added under a parent that already has an hp1, marked "NO!".]
All children of a given parent must have unique names.
The same label may be reused under different parents (fraser appears under both sfu and cs.sfu, ca under both the root and us); what must be unique is the full path from the root.
Constructing names: name tree
1. Start at the leaf of the tree for the host (or domain) being named.
2. The label of the chosen leaf is the first part of the name.
3. Add a period after the name built so far.
4. Look at the parent of the current position in the tree.
If it is not the root of the tree, append the parent's label after the period and move up to the parent.
If it is the root of the tree, the name is complete (the trailing period stands for the root).
5. Repeat steps 3 and 4 until the name is complete.
jpl.nasa.gov.
[Figure: the name tree with the path jpl -> nasa -> gov -> "." highlighted; reading the labels from the leaf upward gives jpl.nasa.gov.]
Fully Qualified Domain Name
DNS uses fully qualified domain names.
An FQDN is a complete domain name, including every label from the domain of interest up to the root.
It ends in a "." to indicate the root. For example: fraser.sfu.ca.
The terminating "." indicates that the name is absolute (relative to the root, not to any other position in the DNS tree).
Domain names that are not fully qualified (do not end at the root, like fraser.sfu) may be interpreted by some software as relative to some particular location other than the root in the DNS tree, e.g. the domains in the resolver's search list. (more later)
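The name-construction procedure and the FQDN rules above, as an added example (not code from the slides): a small name tree built from the labels on the tree slides (the tree contents are constructed for this example), an fqdn() that walks from a leaf to the root exactly as the steps describe, checks for the two rules the tree slides state (labels of at most 63 octets, unique siblings), and a qualify() showing how a resolver completes a name that is not fully qualified from a search list (the ndots rule is the resolv.conf one; the search lists used are made up).

```python
import re

# Added example, not from the slides. Limits are from RFC 1035; the sample
# tree below is constructed from the labels shown on the tree slides.
MAX_LABEL = 63     # octets per label
MAX_NAME = 255     # octets for a whole name in wire form
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")  # hostname label (RFC 952/1123)


def check_label(label):
    """Reject labels longer than 63 octets or with characters illegal in a hostname."""
    if not 1 <= len(label) <= MAX_LABEL:
        raise ValueError(f"label {label!r} must be 1..{MAX_LABEL} octets")
    if not LABEL_RE.match(label):
        raise ValueError(f"label {label!r} has illegal characters")
    return label


def fqdn(leaf_to_root):
    """Build an FQDN by the slides' procedure: start with the leaf label, append
    '.', append the parent's label, repeat until the root. The root's empty label
    leaves the trailing '.' that marks the name as absolute."""
    name = "".join(check_label(label) + "." for label in leaf_to_root)
    if len(name) + 1 > MAX_NAME:      # wire form is one octet longer than the dotted text
        raise ValueError("name exceeds 255 octets")
    return name


def labels_of(name):
    """'jpl.nasa.gov.' -> ['jpl', 'nasa', 'gov']; '.' -> []. Requires an absolute name."""
    if not name.endswith("."):
        raise ValueError(f"{name!r} is not fully qualified")
    return [label for label in name.split(".") if label]


def node_at(tree, name):
    """Walk top-down from the root to the node named by an FQDN (KeyError if absent)."""
    node = tree
    for label in reversed(labels_of(name)):
        matches = [k for k in node if k.lower() == label.lower()]   # DNS is case-insensitive
        if not matches:
            raise KeyError(f"{name!r}: no label {label!r} at this level")
        node = node[matches[0]]
    return node


def exists(tree, name):
    try:
        node_at(tree, name)
        return True
    except KeyError:
        return False


def add_child(tree, parent, label):
    """Attach `label` under the node named `parent` ('.' for the root). Siblings
    must be unique: the 'hp1 / hp1 -> NO!' case on the tree slide. Returns the
    child's FQDN."""
    node = node_at(tree, parent)
    check_label(label)
    if label.lower() in (sibling.lower() for sibling in node):
        raise ValueError(f"{label!r} already exists under {parent!r}")
    node[label] = {}
    return label + "." + ("" if parent == "." else parent)


def qualify(name, search_list, ndots=1):
    """What a resolver tries for a name that is not fully qualified: each search
    domain is appended in order; a name with at least `ndots` dots is also tried
    as-is first, otherwise as-is last (the resolv.conf ndots rule)."""
    if name.endswith("."):
        return [name]
    as_is = name + "."
    completions = [f"{name}.{dom.strip('.')}." for dom in search_list]
    return [as_is] + completions if name.count(".") >= ndots else completions + [as_is]


def rejects(fn, *args):
    """True if fn(*args) raises ValueError (used to exercise the rules above)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def build_sample_tree():
    """Part of the slides' tree, built top-down with add_child (constructed data)."""
    tree = {}
    for parent, children in [
        (".", ["arpa", "com", "edu", "gov", "us", "uk", "ca", "fr"]),
        ("arpa.", ["in-addr"]), ("gov.", ["nasa"]), ("nasa.gov.", ["jpl"]),
        ("us.", ["ca", "ny"]), ("ca.", ["bc", "sfu"]),
        ("sfu.ca.", ["cs", "fraser"]), ("cs.sfu.ca.", ["fraser", "hp"]),
    ]:
        for child in children:
            add_child(tree, parent, child)
    return tree


if __name__ == "__main__":
    tree = build_sample_tree()
    print(fqdn(["jpl", "nasa", "gov"]), exists(tree, "fraser.cs.sfu.ca."))
    print(qualify("fraser.sfu", ["cs.sfu.ca", "ca"]))
```

Note that "fraser.sfu" is not in the tree as an absolute name (there is no sfu under the root); only after the search list supplies "ca" does it name a real node. That is why software that silently completes relative names can send a lookup to a place in the tree the user did not intend.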
Authority for the DNS namespace
The central Internet naming authority is IANA (Internet Assigned Numbers Authority), which since 1998 has been operated by ICANN (Internet Corporation for Assigned Names and Numbers).
Responsibility for the root "." domain rests with IANA.
TLDs, the top level domains of the Internet namespace,
include generic TLDs (gTLDs) like .com or .org for classification of domain names by type of use
include country code TLDs (ccTLDs) like .ca or .us for geographical classification of domain names
Responsibility for administering each TLD has been delegated by IANA to a registry operator.
DNS Name Tree: Domains
[Figure: the name tree with the root domain "" at the top, the generic top level domains (gTLDs) such as com, edu, gov and the country code top level domains (ccTLDs) us, uk, ca, fr labelled as such, and beneath them the same subtrees as before (in-addr under arpa; nasa and jpl under gov; ca and ny under us; bc, sfu, cs, fraser and hp under ca).]
Authority for the DNS namespace
Any organization to which responsibility for a DNS domain is delegated
must provide at least two independent DNS servers to service that domain
(these DNS servers should be geographically separated and on separate networks, so that a single outage does not take all of them down)
must configure those servers to provide continuous service
may delegate authority for parts of the DNS domain for which it is responsible to other organizations.
Authority for the DNS namespace
Responsibility for the .ca TLD has been delegated by IANA to CIRA (Canadian Internet Registration Authority).
The .ca TLD is administered by CIRA.
Similarly, CIRA has delegated authority for the sfu.ca domain to SFU.
SFU provides three DNS servers: two at SFU (whistler and seymour) and an independent server located at UBC.
SFU also runs an independent server for UBC.
Authority for the DNS namespace
Each DNS server must know the names and addresses of the servers for the zones it has delegated (it publishes them as NS records, with glue address records where the server's name lies inside the delegated zone).
.ca (CIRA) has delegated responsibility for sfu.ca to SFU.
The delegated authority has a responsibility to inform the delegator if the name or address of its DNS name servers changes. This is necessary to guarantee that queries can be passed down the tree.
The delegator need not inform the other organizations it delegates to of changes made by any one of them. That would be an unreasonable load in a rapidly growing and changing Internet.
Domain Name System
A DNS domain is a subtree.
The name of the domain is the domain name of the node at the root of the subtree.
The domain includes all domains and hosts contained within itself:
the us domain includes the ca.us domain and the ny.us domain;
the mycomp domain includes the mynet.mycomp domain and the host myhost.mycomp.
The administrative responsibility for the domain and its subdomains may be arranged in different ways.
DNS Name Tree: sub-trees
[Figure: the name tree with two subtrees outlined: the us domain (us with its children ca and ny) and the mycomp domain (mycomp with the subdomain mynet and the host myhost).]
How many DNS servers?
Extrapolating the model discussed so far would give a DNS server for each domain.
What is the smallest domain?
One host, with host name = domain name.
Clearly this makes too many servers.
One local network = two DNS servers?
Still too many (lots of small networks).
At some reasonable point we need to stop delegating authority.
Dividing Authority
What about domains that include both hosts and multiple sub-domains?
We can delegate the sub-domains; what about the hosts?
What if you want to delegate only some of the sub-domains?
We need a more flexible administrative unit: the zone.
Zone
An administrative division of the domain name tree.
Each zone is the responsibility of one administrative authority.
A zone may include hosts and sub-domains.
Sub-domains in a zone may or may not have authority delegated to other administrative authorities. Any subset of the sub-domains may be delegated.
The name of a zone is the domain name of the node at its top (the zone apex): the zone and the domain of that name start at the same node, but the zone excludes whatever has been delegated away.
Domain Name System
A DNS zone is a subtree, minus any parts of it that have been delegated.
Any delegated subtree forms a zone.
The administrative authority for the zone must maintain at least two completely independent DNS servers for the zone.
A given zone will usually have a corresponding zone in the in-addr.arpa subtree, used for reverse (address-to-name) lookups.
A zone may delegate some of its sub-domains and not others.
DNS Name Tree: zones
[Figure: the .ca domain with children bc, ab, on, qc, sk. sk.ca and qc.ca have been delegated and form their own zones; the .ca zone is the .ca node plus the children that were not delegated.]
Authority for the DNS namespace
A particular DNS name server services a zone. Its database of name information contains
entries for any hosts in the zone
delegation information for domains or zones that have been delegated to other authorities
(the names of, and pointers to the addresses of, the DNS servers for the delegated domains or zones)
but excludes information about further delegation within delegated zones, or about hosts in delegated domains.
Root servers contain the delegation information for all TLDs.
Inverse Queries (reverse lookups)
Given an IP address, what is the name of the host? (These slides call this an inverse query; in RFC 1035 "inverse query" is a different, obsolete opcode, and the usual term is reverse lookup.)
Uses the in-addr.arpa portion of the name tree.
The IP address is used as the "name" in this portion of the tree. The four dot-separated fields are used in reverse order.
For example, if the IP address is 202.48.99.111 then the name looked up in the tree is 111.99.48.202.in-addr.arpa.
The in-addr.arpa domain
[Figure: the in-addr.arpa subtree. Each level has children 0 ... 255; the path for 202.48.99.111 runs 202 -> 48 -> 99 -> 111 from the top down, which read from the leaf upward is 111.99.48.202.in-addr.arpa.]
In-addr.arpa, structure
On the surface it seems it would be easier to put the IP address parts (each number between the dots in the dotted decimal notation) in their natural order.
However, enabling delegation of smaller networks (longer masks) from larger networks (shorter masks) requires that the most specific part of the IP address be placed at the bottom of the in-addr.arpa tree, because a DNS delegation is always of a subtree below the delegating zone: the zone for 202.48.0.0/16 is 48.202.in-addr.arpa, and it can delegate 99.48.202.in-addr.arpa for 202.48.99.0/24 just as ca delegates sfu.ca.
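The reversal rule and the delegation argument above, as an added example (not code from the slides): reverse_name() produces the in-addr.arpa name for an address, reverse_zone() the zone name for a network on an octet boundary, and is_below() is the subtree test a delegation needs. forward_name() builds the "natural order" layout the slide rejects, so the test can show that a /24 zone named that way would not contain its own hosts. The addresses used are the slide's 202.48.99.111 and constructed neighbours; the IPv6 variant goes beyond the slide to show the same principle with ip6.arpa nibbles.

```python
import ipaddress

# Added example, not from the slides.
SUFFIX = "in-addr.arpa."


def reverse_name(address):
    """in-addr.arpa name for an IPv4 address: octets in reverse order, so the
    most specific octet is the lowest label."""
    octets = ipaddress.IPv4Address(address).exploded.split(".")
    return ".".join(reversed(octets)) + "." + SUFFIX


def stdlib_reverse_name(address):
    """Cross-check: the standard library computes the same name."""
    return ipaddress.IPv4Address(address).reverse_pointer + "."


def reverse_zone(prefix):
    """The in-addr.arpa zone a network on an octet boundary is delegated: keep
    prefixlen/8 octets and reverse them. Networks smaller than a /24 cannot be
    delegated this way (RFC 2317 describes the workaround), so refuse them."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{prefix}: only /8, /16 and /24 map onto whole in-addr.arpa labels")
    octets = net.network_address.exploded.split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + "." + SUFFIX


def is_below(name, zone):
    """True when `name` is inside the subtree rooted at `zone`: the condition for
    `zone` to be able to delegate it, or to answer for it."""
    return name != zone and name.endswith("." + zone)


def forward_name(address):
    """The 'obvious' layout the slide rejects: octets in natural order. Only here
    to show why delegation would break."""
    return address + "." + SUFFIX


def reverse_name6(address):
    """Same idea for IPv6 (ip6.arpa): the 32 hex nibbles, reversed."""
    nibbles = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


if __name__ == "__main__":
    print(reverse_name("202.48.99.111"))
    print(reverse_zone("202.48.0.0/16"), "delegates", reverse_zone("202.48.99.0/24"))
```

With the reversed layout, 99.48.202.in-addr.arpa is below 48.202.in-addr.arpa, so the /16 holder can delegate the /24 with ordinary NS records. With the natural order, a /24 zone would have to be named 202.48.99.in-addr.arpa, and the host name 202.48.99.111.in-addr.arpa does not lie beneath it.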
DNS
The primary use of DNS is to answer queries requesting the IP address that corresponds to a given host name.
There are two approaches to answering a query:
Iterative: the name server receiving the query responds with either the answer or a referral, i.e. the names and addresses of the name servers for the closest enclosing zone it knows of (one step further down the tree toward the answer), which the querier then asks itself.
Recursive: the name server will, if necessary, query the next name servers itself on the client's behalf, and will return the final answer.
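The two query styles and the "a server knows only its own zone plus its delegations" rule from the authority slides, as an added example (not code from the slides): a toy model with four zones on the sfu.ca path, each served by one made-up server address (192.0.2.0/24 is the documentation range; the server names and host addresses are constructed). ask() is one non-recursive query to one server; iterative_resolve() follows referrals from the root; recursive_resolve() is what a client sees when the server does that walking for it.

```python
# Added example, not from the slides. All zone data, server names and
# addresses below are constructed for the example.
ZONES = {
    ".": {"server": "192.0.2.1",
          "data": {"ca.": ("NS", "ns.cira.ca.", "192.0.2.2")}},
    "ca.": {"server": "192.0.2.2",
            "data": {"sfu.ca.": ("NS", "whistler.sfu.ca.", "192.0.2.3")}},
    "sfu.ca.": {"server": "192.0.2.3",
                "data": {"fraser.sfu.ca.": ("A", "192.0.2.10"),
                         "cs.sfu.ca.": ("NS", "ns.cs.sfu.ca.", "192.0.2.4")}},
    "cs.sfu.ca.": {"server": "192.0.2.4",
                   "data": {"fraser.cs.sfu.ca.": ("A", "192.0.2.20")}},
}
ZONE_AT = {info["server"]: zone for zone, info in ZONES.items()}
ROOT_SERVER = ZONES["."]["server"]   # every resolver is bootstrapped with root server addresses


def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def ask(server, qname):
    """One query to one authoritative server, no recursion. Returns
    ('ANSWER', address), ('REFERRAL', child_zone, ns_name, ns_address),
    ('NXDOMAIN',), or ('REFUSED',) when the name is outside the server's zone.
    The server never sees data for hosts inside a delegated child zone."""
    zone = ZONE_AT[server]
    data = ZONES[zone]["data"]
    if not in_zone(qname, zone):
        return ("REFUSED",)
    record = data.get(qname)
    if record and record[0] == "A":
        return ("ANSWER", record[1])
    for owner, delegation in data.items():        # closest enclosing delegation
        if delegation[0] == "NS" and in_zone(qname, owner):
            return ("REFERRAL", owner, delegation[1], delegation[2])
    return ("NXDOMAIN",)


def iterative_resolve(qname, max_steps=8):
    """Iterative resolution: the querier follows referrals itself, starting at
    the root and moving one delegation down the tree per step. Returns the
    final reply and the trail of (zone asked, reply type)."""
    server, trail = ROOT_SERVER, []
    for _ in range(max_steps):
        reply = ask(server, qname)
        trail.append((ZONE_AT[server], reply[0]))
        if reply[0] != "REFERRAL":
            return reply, trail
        server = reply[3]            # glue address of the delegated zone's server
    raise RuntimeError("too many referrals (delegation loop?)")


def recursive_resolve(qname):
    """Recursive resolution as the client sees it: the server it asked performs
    the iteration on its behalf and hands back only the final answer."""
    reply, _trail = iterative_resolve(qname)
    return reply


if __name__ == "__main__":
    reply, trail = iterative_resolve("fraser.cs.sfu.ca.")
    print(reply)
    for zone, kind in trail:
        print(f"  asked {zone:12} -> {kind}")
```

Note that the sfu.ca server answers fraser.sfu.ca itself but only refers for fraser.cs.sfu.ca; it holds no record of that host. A server that offers recursion does the whole walk for whoever asks it, so in practice recursion is enabled only for the organization's own clients: an open recursive resolver can be made to answer for anyone and is routinely abused.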
Caching
Each time a DNS server sends a query, the information in the response is cached, for the time to live (TTL) that came with each record.
This cached information can be used to answer later queries to the DNS server without asking upstream again.
Common DNS implementations
Reference implementation of DNS: BIND (Berkeley Internet Name Domain), maintained by ISC (Internet Systems Consortium).
Current release: BIND 9.
Work on a rewrite, BIND 10, began in 2010 as a five-year project; ISC ended its involvement in 2014, and BIND 9 remains the supported line.
Using a recent release is important. BIND 8.2 and 9 include
more extensive security features (access control lists; in BIND 9, DNSSEC support and TSIG-authenticated transfers and updates)
incremental zone transfers (IXFR) to slave servers (before, a full retransmission of the zone (AXFR) was necessary for every update)
a new configuration syntax (named.conf)
BIND
BIND has two major components:
The resolver is a subroutine library that is used by DNS clients to make and interpret queries.
The name server daemon, named, listens on port 53 for both UDP and TCP.
BIND
BIND usually uses UDP to transfer data.
If a response contains more data than will fit in the allowed UDP payload (512 octets for classic DNS; EDNS(0) lets client and server agree on a larger size), the response is truncated and flagged (the TC bit is set in the header). The resolver then repeats the query over TCP to get the full response.
TCP is also used for transferring the contents of a zone from one DNS server to another (master to slave: a zone transfer, AXFR or IXFR). A zone transfer reveals the whole zone, so it is normally restricted to the known slave servers.
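The UDP size limit, the TC flag and the TCP framing described above, as an added example (not code from the slides): hand-built DNS messages using the RFC 1035 header layout. build_query() and parse_header() cover the fixed header; needs_tcp_retry() is the resolver-side rule (accept the response only if it answers our query, retry over TCP if TC is set); response_for() is a constructed server that sets TC when the answers would not fit; tcp_frame()/tcp_unframe() add and strip the 2-byte length prefix used on TCP. The name, transaction ID and addresses are constructed.

```python
import struct

# Added example, not from the slides. Header flag bits per RFC 1035 4.1.1.
MAX_UDP_PAYLOAD = 512                     # classic limit without EDNS(0)
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """'fraser.sfu.ca.' -> b'\\x06fraser\\x03sfu\\x02ca\\x00' (length-prefixed labels)."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(qname, txid, qtype=1, qclass=1):
    """12-byte header + one question. RD set: we are asking for recursion."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def parse_header(msg):
    """Decode the fixed header into the fields a resolver checks first."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "tc": bool(flags & TC), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(query, udp_response):
    """Accept the UDP response only if it is a reply to our query (QR set, ID
    matches); if TC is set the answer is incomplete and the same query must be
    repeated over TCP."""
    q, r = parse_header(query), parse_header(udp_response)
    if not r["qr"] or r["id"] != q["id"]:
        raise ValueError("not a response to our query (ID/QR mismatch)")
    return r["tc"]


def a_record(name, ttl, ip):
    """One A resource record in wire form (no name compression, for clarity)."""
    rdata = bytes(int(octet) for octet in ip.split("."))
    return encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata


def response_for(query, records, max_payload=MAX_UDP_PAYLOAD):
    """Constructed server behaviour: answer with the records if the whole message
    fits in max_payload; otherwise set TC and send no answers, so the client
    knows to retry over TCP, where this limit does not apply."""
    q = parse_header(query)
    question, body = query[12:], b"".join(records)
    flags = QR | AA | RA | (RD if q["rd"] else 0)
    if 12 + len(question) + len(body) > max_payload:
        return struct.pack("!HHHHHH", q["id"], flags | TC, 1, 0, 0, 0) + question
    return struct.pack("!HHHHHH", q["id"], flags, 1, len(records), 0, 0) + question + body


def tcp_frame(msg):
    """Over TCP each DNS message is prefixed with its 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Split a TCP byte stream into complete DNS messages; returns them plus any
    trailing partial message to keep for the next read."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break
        msgs.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs, stream[pos:]


if __name__ == "__main__":
    query = build_query("fraser.sfu.ca.", 0x1234)
    big = [a_record("fraser.sfu.ca.", 3600, f"192.0.2.{i}") for i in range(30)]
    print("retry over TCP:", needs_tcp_retry(query, response_for(query, big)))
```

The ID/QR check in needs_tcp_retry() is the minimum a resolver does to avoid accepting a response it never asked for; a 16-bit ID alone is easily guessed, which is why real resolvers also randomize the source port and check that the question section matches.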
Operation of a DNS server
A DNS name server is initialized knowing the addresses of the root servers, knowing the addresses of some other servers to forward to, or with the zone data files for one or more zones.
As queries are made, the information received in the responses is added to a cache.
Entries generally have a long (hours to days) lifetime.
The lifetime (TTL) of a record is set by the administrator of the zone the record belongs to, in the zone data, and can be changed later; the caching server honours the TTL it receives.
A shorter lifetime keeps information up to date but increases the query load on the authoritative DNS servers.
When further queries are made, the cache is checked before any query is transmitted.
Types of DNS servers
Primary Master or Master Server:
Each zone has at least one.
Initializes from a series of files (zone data files) maintained by a system manager.
Authoritative for the zone.
Types of DNS servers
Secondary Master or Slave Server:
Initializes from the master server (by zone transfer).
Authoritative for the zone.
If a slave server reboots, it first loads the DNS data it had before the server went down. It then contacts the master server and updates its copy as necessary from the current zone data (it compares the serial number in the zone's SOA record to decide whether a transfer is needed).
DNS Servers
A DNS server may service more than one zone.
A DNS server may be master server for one zone and slave server for another zone.
Types of DNS servers
Cache Only Server: begins with the addresses of the root servers, or with the names of a few local name servers to which to forward all queries.
Not authoritative for any zone.
When requested information is returned, it is cached.
When the server replies that the requested information does not exist, this information is also saved (negative caching).
Must ask the authoritative (master or slave) servers for its local zone to answer queries about local names, since it holds no zone data of its own.
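The caching behaviour described on the Caching and Operation slides and the negative caching described here, as an added example (not code from the slides): a cache-only resolver in miniature that keeps positive answers for the record's TTL and non-existent names for a negative TTL (in real DNS that value comes from the zone's SOA record, RFC 2308), re-queries upstream only when an entry has expired, and counts the upstream queries so the TTL/load trade-off from the Operation slide can be measured. The upstream data, TTLs and clock are constructed for the example.

```python
import time

# Added example, not from the slides. Constructed upstream data: what the
# authoritative servers would answer, with the TTL they would attach.
UPSTREAM = {"fraser.sfu.ca.": ("192.0.2.10", 3600)}   # name -> (address, ttl seconds)
NEGATIVE_TTL = 300                                    # negative-caching TTL of the constructed zone


def constructed_upstream(name):
    """Stand-in for the real iterative lookup: (rcode, address, ttl)."""
    if name in UPSTREAM:
        address, ttl = UPSTREAM[name]
        return "NOERROR", address, ttl
    return "NXDOMAIN", None, NEGATIVE_TTL


class FakeClock:
    """Deterministic clock so the example can advance time without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class CachingResolver:
    def __init__(self, upstream=constructed_upstream, clock=time.monotonic):
        self.upstream = upstream          # callable: name -> (rcode, address, ttl)
        self.clock = clock
        self.cache = {}                   # name -> (expires_at, rcode, address)
        self.upstream_queries = 0         # load the cache is saving the authoritative servers

    def lookup(self, name):
        """Check the cache first; only on a miss or an expired entry ask upstream.
        Negative answers are cached too. Returns (rcode, address, remaining_ttl,
        from_cache), the remaining TTL being what a client would be handed."""
        key = name.lower()                # DNS names are case-insensitive
        hit = self.cache.get(key)
        if hit is not None:
            expires_at, rcode, address = hit
            if self.clock() < expires_at:
                return rcode, address, int(expires_at - self.clock()), True
            del self.cache[key]           # stale: refetch rather than serve it
        rcode, address, ttl = self.upstream(name)
        self.upstream_queries += 1
        self.cache[key] = (self.clock() + ttl, rcode, address)
        return rcode, address, ttl, False


def load_for(ttl, query_interval, horizon):
    """Upstream queries generated over `horizon` seconds by a client that asks
    every `query_interval` seconds for one record with the given TTL: the
    freshness-versus-load trade-off from the Operation slide, as a number."""
    clock = FakeClock()
    resolver = CachingResolver(lambda name: ("NOERROR", "192.0.2.10", ttl), clock)
    while clock() < horizon:
        resolver.lookup("fraser.sfu.ca.")
        clock.advance(query_interval)
    return resolver.upstream_queries


if __name__ == "__main__":
    clock = FakeClock()
    resolver = CachingResolver(clock=clock)
    print(resolver.lookup("fraser.sfu.ca."), resolver.lookup("nosuch.sfu.ca."))
    print("per day, TTL 3600:", load_for(3600, 60, 86400), "TTL 300:", load_for(300, 60, 86400))
```

Negative caching matters for load as much as positive caching: without it, every repeated lookup of a misspelled or non-existent name would travel all the way to the authoritative servers.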
References: DNS and DHCP
If you want to know more than we cover in this class, I suggest these books as excellent references:
The DHCP Handbook (second edition, 2002) by Ralph Droms and Ted Lemon
DNS and BIND (4th edition, 2001) by Paul Albitz and Cricket Liu