CMPT 471 Networking II
DNS
© Janice Regan, 2006-2013

Host names
In addition to identifying a host by the IP address of a connected interface, we also identify the interface by a hostname.
Hostnames are easier for a human to use and remember than the IP address.
In the early Internet, names were recorded at a central registry at the Network Information Center (NIC). New hosts/names were submitted to the central registry and added to the hosts file. The hosts file was available for distribution to all other sites.
This was a flat naming structure.

Hierarchical name space
The central naming system worked well until the Internet grew larger than it could handle (soon after TCP/IP was adopted).
The central servers could no longer deal with the volume of traffic.
The manual updating of names was slow, and maintaining network-wide consistency was difficult.
Enforcing the use of unique names became more difficult (then impossible).

DNS
The primary use of DNS is to answer queries requesting the IP address that corresponds to a given host name.
DNS uses a hierarchical classification system for domain names (domains are groups of hosts and networks).
Responsibilities for administering the DNS namespace are distributed.
DNS domain names may represent a network, a subnetwork or even a host.

Hierarchical name space
A hierarchical system was designed to replace this original flat namespace.
Administration was decentralized using a distributed database.
Local administrators were given responsibility for building and maintaining a database relating IP address and name for their designated local networks.

DNS Name Tree
[Figure: the DNS name tree. The root "." has children arpa, com, edu, gov, us, uk, ca and fr; the lower levels shown include in-addr (under arpa), hp, sun, nasa with jpl below it, nyc, ca, bc, sfu, and cs and fraser below sfu.]
Labels may have up to 63 characters.
Labels (names) may refer to domains (hosts + nets), hosts or networks.

DNS Name Tree
[Figure: the same DNS name tree as on the previous slide.]
All children of a given parent must have unique names (the figure shows children fraser, fred, hp1 and a second hp1, marked NO!).

Constructing names: name tree
1. Start at the leaves of the tree.
2. The domain for the chosen leaf will be the first part of the name.
3. Add a period to the first part of the name.
4. Check the domain name of the root of the current position in the tree. If it is not the root of the tree, the domain name of the root of the current position in the tree is added after the period. If it is the root of the tree, the name is complete.
5. Repeat steps 3 and 4 until the name is complete.

[Figure: the name tree again, with the path from the leaf jpl up through nasa and gov to the root highlighted, giving the name jpl.nasa.gov.]

Fully Qualified Domain Name
DNS uses fully qualified domain names. FQDNs are complete domain names including all parts of the domain name from the domain of interest up to the root.
An FQDN ends in a . to indicate the root, for example fraser.sfu.ca. The terminating . indicates that the name is absolute (relative to the root, not to any other position in the DNS tree).
Domain names that are not fully qualified (do not end at the root, like fraser.sfu) may be interpreted by some software as relative to some particular location (other than the root) in the DNS tree. (more later)
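The name-construction steps and the FQDN rule above, as an added example that is not part of the slides: a toy name tree that builds jpl.nasa.gov. and fraser.sfu.ca. by walking from a leaf to the root, rejects labels over 63 characters and duplicate siblings, and makes a relative name absolute against an origin (Node, fqdn, to_absolute and build_slide_tree are names chosen here).

```python
# Added example, not from the slides: a toy DNS name tree that applies the
# "Constructing names" steps (start at a leaf, add a period, then the label
# of the node above, until the root) and enforces the two tree rules on the
# slides: labels are at most 63 characters and all children of one parent
# must have unique names. Node, fqdn and to_absolute are names chosen here.
from typing import Dict, Optional


class Node:
    def __init__(self, label: str, parent: Optional["Node"] = None) -> None:
        # The root is the only node with an empty label.
        if parent is not None and not 1 <= len(label) <= 63:
            raise ValueError(f"label {label!r} must be 1 to 63 characters")
        self.label, self.parent = label, parent
        self.children: Dict[str, "Node"] = {}

    def add_child(self, label: str) -> "Node":
        # DNS labels compare case-insensitively, so "HP1" and "hp1" collide.
        key = label.lower()
        if key in self.children:
            raise ValueError(f"{label!r} already exists under {fqdn(self)!r}")
        child = Node(label, self)
        self.children[key] = child
        return child


def fqdn(node: Node) -> str:
    """Steps 1 to 5 of the slides: the leaf's label first, then each
    ancestor's label after a period, until the root (label "") is reached.
    The final "." stands for the root and marks the name as absolute."""
    parts = []
    while node.parent is not None:
        parts.append(node.label)
        node = node.parent
    return ".".join(parts) + "."


def to_absolute(name: str, origin: str) -> str:
    """A name without a trailing "." is relative to `origin` (an FQDN), so
    "fraser.sfu" with origin "ca." becomes "fraser.sfu.ca."."""
    return name if name.endswith(".") else name + "." + origin.lstrip(".")


def build_slide_tree() -> Node:
    """The part of the slides' tree that gives jpl.nasa.gov. and fraser.sfu.ca."""
    root = Node("")
    root.add_child("gov").add_child("nasa").add_child("jpl")
    root.add_child("ca").add_child("sfu").add_child("fraser")
    return root
```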

Authority for the DNS namespace
The central Internet authority was ICANN (Internet Corporation for Assigned Names and Numbers) and is now IANA (Internet Assigned Numbers Authority). Responsibility for the root level . domain rests with IANA.
TLDs, the top level directories for the Internet namespace:
include generic TLDs (gTLDs) like .com or .org, for classification of domain names by type of use
include country code TLDs (ccTLDs) like .ca or .us, for geographical classification of domain names
Responsibility for administering the TLDs has been delegated to other contractors by IANA.

DNS Name Tree: Domains
[Figure: the name tree with the root domain (label "") at the top, the generic top level domains (gTLDs) arpa, com, edu and gov and the country code top level domains (ccTLDs) us, uk, ca and fr below it, and the lower nodes in-addr, hp, nasa, jpl, nyc, bc, sfu, cs and fraser.]

Authority for the DNS namespace
Any organization to which responsibility for a DNS domain is delegated:
must provide at least two independent DNS servers to service that domain
these DNS servers must be geographically separated
these servers must be configured to provide continuous service
may delegate authority for parts of the DNS domain for which it is responsible to other organizations.

Authority for the DNS namespace
Responsibility for the .ca TLD has been delegated to CIRA (Canadian Internet Registration Authority) by the contractor to IANA. The .ca TLD is administered by CIRA.
Similarly, CIRA has delegated authority for the sfu.ca domain to SFU. SFU provides three DNS servers, two at SFU (whistler and seymour) and an independent server located at UBC.
SFU also runs an independent server for UBC.

Authority for the DNS namespace
Each DNS server must know the name/address of the servers it has delegated responsibility to. .ca (CIRA) has delegated responsibility for sfu.ca to SFU.
The delegated authority has a responsibility to inform the delegator if the address or name of its DNS name server changes. This is necessary to guarantee that address queries can be passed down the tree.
The delegator of authority need not inform all organizations it delegates to of changes made by other such organizations. This would be an unreasonable load in a rapidly growing/changing Internet.

Domain Name System
A DNS domain is a subtree.
The name of the domain is the domain name of the node at the root of the subtree.
The domain includes all domains and hosts contained within itself: the .us domain includes the .ca domain and the .ny domain; the .mycomp domain includes the .mynet domain and the host .myhost.
The administrative responsibility for the domain and its subdomains may be arranged in different ways.

DNS Name Tree: sub-trees
[Figure: the name tree with two subtrees outlined: the us domain (us with nyc and ca below it) and the mycomp domain (mycomp with mynet and myhost below it).]

How many DNS servers?
Extrapolating the model we discussed before would give a DNS server for each domain. What is the smallest domain?
1 host, host name = domain name. Clearly this makes too many servers.
1 local network = 2 DNS servers. Still too many (lots of small networks).
At some reasonable point we need to stop delegating authority.

Dividing Authority
What about domains that include both hosts and multiple sub-domains? We can delegate the sub-domains, but what about the hosts?
What if you want to delegate only some of the sub-domains?
We need a more flexible administrative unit: the zone.

Zone
An administrative division of the domain name tree.
Each zone is the responsibility of one administrative authority.
A zone may include hosts and sub-domains. Sub-domains in a zone may or may not have authority delegated to other administrative authorities. Any subset of the sub-domains may be delegated.
The domain name of the zone is the domain name of the domain with the same root domain name.

Domain Name System
A DNS zone is a subtree: any delegated subtree.
The administrative authority for the zone must maintain at least two completely independent DNS servers for the zone.
A given zone will have a corresponding zone in the arpa subtree to be used for inverse queries.
A zone may delegate some of its sub-domains and not others.

DNS Name Tree: zones
[Figure: the .ca domain, with children bc, ab, on, qc and sk, divided into zones: the .ca zone, the sk.ca zone and the qc.ca zone.]

Authority for the DNS namespace
A particular DNS name server will service a zone. Its database of name information will contain:
entries for any hosts in the zone
delegation information for domains or zones that have been delegated to other authorities; this includes the address of (a pointer to) the DNS servers for the delegated domains or zones
It excludes information about further delegation of authority in delegated zones, and about hosts in delegated domains.
Root servers contain the delegation information for all TLDs.

Inverse Queries
Given an IP address, what is the name of the host?
Uses the in-addr.arpa portion of the address tree. The IP address is used as the 'name' in this portion of the tree. The four dot-separated fields are used in reverse order.
For example, if the IP address is 202.48.99.111 then the address read from the tree would be 111.99.48.202.

The in-addr.arpa domain
[Figure: the in-addr.arpa subtree. Below in-addr.arpa each of four levels has nodes 0 ... 255; the figure highlights the nodes 202, 49, 99 and 111 down the levels.]
In-addr.arpa, structure
On the surface it seems it would be easier to put the IP address parts (each number between the .'s in the dotted decimal notation) in the opposite order.
However, enabling delegation of smaller networks (longer masks) from larger networks (shorter masks) requires that the part of the IP address that is most specific be placed at the bottom of the in-addr.arpa tree.
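The reversed-octet naming and the delegation argument above, as an added example that is not part of the slides: it builds the in-addr.arpa name for an address, the subtree name for an octet-aligned network, and shows that with the slides' ordering "address belongs to network" is a suffix test on the name, while the rejected forward ordering gives no such subtree (reverse_name, reverse_zone, in_subtree and forward_name are names chosen here; the addresses are constructed).

```python
# Added example, not from the slides: the in-addr.arpa name for an IPv4
# address (octets reversed, so the most specific octet sits at the bottom of
# the tree) and why that order matters for delegation: a whole network is
# then one subtree, and "is this address in that network" becomes a suffix
# test on the name. reverse_name, reverse_zone and in_subtree are names
# chosen here; the addresses below are constructed for the example.
import ipaddress


def reverse_name(addr: str) -> str:
    """202.48.99.111 -> 111.99.48.202.in-addr.arpa. (as on the slide)."""
    octets = str(ipaddress.IPv4Address(addr)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def reverse_zone(network: str) -> str:
    """Name of the in-addr.arpa subtree holding a whole octet-aligned network,
    e.g. 202.48.99.0/24 -> 99.48.202.in-addr.arpa. Only /8, /16 and /24
    correspond to a single node; a /25 would need another mechanism."""
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 map to one in-addr.arpa node")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa."


def in_subtree(name: str, zone: str) -> bool:
    """True if `name` lies in the subtree rooted at `zone`. DNS delegates
    subtrees, i.e. name suffixes, so this is the test delegation relies on."""
    return name == zone or name.endswith("." + zone)


def forward_name(addr: str) -> str:
    """The 'opposite order' the slide rejects: 202.48.99.111.in-addr.arpa.
    The network part 202.48.99 is then a prefix, not a suffix, of the host
    name, so no single subtree (and no delegation) covers the /24."""
    return str(ipaddress.IPv4Address(addr)) + ".in-addr.arpa."
```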

DNS
The primary use of DNS is to answer queries requesting the IP address that corresponds to a given host name.
There are two approaches to answering a query:
Iterative: the name server receiving the query responds with either the IP address of the host or the name of the next server it would consult (the next higher server in the tree).
Recursive: the name server will, if necessary, directly query the next name server, and will return the final answer.

Caching
Each time a DNS query is made by the DNS server, the information in the response is cached.
This cached information can be used to improve the efficiency of later queries to the DNS server.

Common DNS implementations
Reference implementation of DNS: BIND (Berkeley Internet Name Daemon), managed by ISC. The current release is BIND 9; 2010 was the first year of the five year building of BIND 10.
Using a recent release is important. BIND 8.2 and 9 include:
more extensive security features
incremental updates of slave servers (before, a full retransmission of the DNS database was necessary for updates)
a new configuration syntax

BIND
BIND has two major components:
The resolver is a subroutine library that is used by DNS clients to make and interpret queries.
The name server daemon, named, listens on port 53 for UDP and TCP.

BIND
BIND usually uses UDP to transfer data.
If a response contains more data than will fit in the allowed UDP packet (512 octets) then it will be truncated and flagged. The resolver will then request to have the full response sent using TCP.
TCP is also used for transferring or updating the contents of DNS databases from one DNS server to another (master to slave).
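The truncation check described above, as an added example that is not part of the slides: it builds a DNS message header, reads the TC ("truncated") flag a server sets when a reply had to be cut to the UDP limit, and frames the retry for TCP (the header bytes are constructed; make_header, is_truncated, tcp_frame and choose_transport are names chosen here).

```python
# Added example, not from the slides: the check a resolver makes on a UDP
# reply. The DNS header's TC bit (bit 9 of the 16-bit flags word) marks a
# reply that was cut to fit the 512-octet UDP limit; a resolver that sees it
# repeats the query over TCP, where each message carries a two-octet length
# prefix. The reply bytes here are constructed, not captured from a server.
import struct

UDP_LIMIT = 512   # octets, the limit the slide refers to
TC_FLAG = 0x0200  # TC bit in the flags word (QR, opcode, AA, TC, RD, RA, ...)


def make_header(txn_id: int, flags: int, qd=0, an=0, ns=0, ar=0) -> bytes:
    """12-octet DNS header: ID, flags, then the four section counts."""
    return struct.pack("!HHHHHH", txn_id, flags, qd, an, ns, ar)


def is_truncated(reply: bytes) -> bool:
    """True if the reply's header says the server had to truncate it."""
    if len(reply) < 12:
        raise ValueError("shorter than a DNS header")
    flags = struct.unpack("!H", reply[2:4])[0]
    return bool(flags & TC_FLAG)


def tcp_frame(msg: bytes) -> bytes:
    """Frame a DNS message for TCP: two-octet big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg


def choose_transport(reply: bytes) -> str:
    """What the resolver does next with a reply it received over UDP."""
    return "retry over TCP" if is_truncated(reply) else "use UDP reply"
```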

Operation of a DNS server
A DNS name server is initialized knowing the addresses of the root servers, knowing the addresses of some other servers, or with the zone data files for one or more zones.
As queries are made, the information received from the queries is added to a cache. Entries generally have a long (hours to days) lifetime. The lifetime (TTL) is set by the administrator when configuring the server, or reset by the administrator at a later time.
A shorter lifetime keeps information up to date but causes an increased load of queries to the DNS server.
When further queries are made the cache is checked before queries are transmitted.

Types of DNS servers
Primary Master or Master Server: Each domain has at least one. Initializes from a series of files (zone data files) maintained by a system manager. Authoritative for the zone.

Types of DNS servers
Secondary Master or Slave Server: Initializes from the master server. Authoritative for the zone. If a slave server reboots it will first load the DNS data that it had before the server went down. It will then contact the master server and update information as necessary from the current zone data files.

DNS Servers
A DNS server may service more than one zone.
A DNS server may be Master server for one zone and Slave server for another zone.

Types of DNS servers
Cache Only Server: Begins with the addresses of the root servers or with the names of a few local name servers to which to forward all queries. Not authoritative for any zone.
When the requested information is returned it is cached. When the server replies that the requested information is not available, this information is also saved (negative caching).
Must ask the primary server in its zone to do lookups for its local zone.
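The query handling described on the slides (iterative vs. recursive answering, servers that hold only their own hosts plus delegation pointers, caching with a TTL, and negative caching), as one added example that is not part of the slides: a toy set of authoritative servers and a recursive resolver that walks down from the root (ZONES, iterative_query and RecursiveResolver are names chosen here; all zones and addresses are constructed).

```python
# Added example, not from the slides: a toy model of the query handling the
# slides describe. Each authoritative server holds only the hosts in its zone
# plus pointers to the servers of zones it has delegated; an iterative server
# returns the address or a referral, while a recursive resolver follows the
# referrals, caches answers for a TTL and also caches "no such name" replies
# (negative caching). All zone names and addresses here are made up.
from typing import Dict, Optional, Tuple

# zone -> hosts in the zone and delegations (child zone -> its server address)
ZONES: Dict[str, Dict[str, Dict[str, str]]] = {
    ".": {"hosts": {}, "delegations": {"gov.": "198.51.100.1"}},
    "gov.": {"hosts": {}, "delegations": {"nasa.gov.": "198.51.100.2"}},
    "nasa.gov.": {"hosts": {"jpl.nasa.gov.": "203.0.113.10"}, "delegations": {}},
}
SERVED_ZONE = {"198.51.100.0": ".", "198.51.100.1": "gov.", "198.51.100.2": "nasa.gov."}
ROOT_SERVER = "198.51.100.0"

def iterative_query(server: str, name: str) -> Tuple[str, Optional[str]]:
    """One iterative step: ("answer", addr), ("referral", next_server) or
    ("nxdomain", None). The server never looks inside zones it delegated."""
    zone = ZONES[SERVED_ZONE[server]]
    if name in zone["hosts"]:
        return "answer", zone["hosts"][name]
    for child, next_server in zone["delegations"].items():
        if name == child or name.endswith("." + child):
            return "referral", next_server
    return "nxdomain", None

class RecursiveResolver:
    def __init__(self, ttl: int = 3600) -> None:
        self.ttl = ttl
        # name -> (address, or None for a negative answer; expiry time)
        self.cache: Dict[str, Tuple[Optional[str], int]] = {}
        self.queries_sent = 0

    def resolve(self, name: str, now: int) -> Optional[str]:
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]                       # positive or negative cache hit
        server = ROOT_SERVER
        while True:                             # walk down the tree from the root
            self.queries_sent += 1
            kind, value = iterative_query(server, name)
            if kind == "referral":
                server = value                  # follow the delegation pointer
                continue
            result = value if kind == "answer" else None
            self.cache[name] = (result, now + self.ttl)  # negative answers cached too
            return result
```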

References: DNS and DHCP
If you want to know more than we covered in this class, I suggest these books as excellent references:
The DHCP Handbook (second edition, 2002) by Ralph Droms and Ted Lemon
DNS and BIND (4th edition, 2001) by Paul Albitz and Cricket Liu