DNS: The basics

Karst Koymans
Informatics Institute, University of Amsterdam

(version 16.6, 2016/09/16 12:18:40)
Tuesday, September 13, 2016

Outline

1 DNS: basic ideas and functionality
2 A short history of DNS
3 Basic concepts
4 Delegation
5 Root servers
6 Lookups

1 DNS: basic ideas and functionality

Specification versus implementations

DNS (Domain Name System): the specification; concepts, theory
BIND (Berkeley Internet Name Domain): a server implementation; software, practice
Other implementations: NSD/Unbound, PowerDNS, djbdns (tinydns), ...

Primary use case

Finding IP addresses
  Starting with a domain name (human form)
  Translating to an IP address (machine form)

What is the IP address of www.os3.nl?
  Client asks server
  Server responds with answer ... case closed?

Secondary use case

Email routing
  Where to deliver email for an address @os3.nl?
  The domain os3.nl is an aggregate and might not have an IP address (in fact it has one, but shouldn't)
  An MX record is used to refer to smtp.os3.nl, which has (and should have) an IP address

What about email for subdomains?
What about other services?

Important entities in DNS

[Figure] Source: Niels Sijm, 2012-2013 CIA lecture

First architectural option: centralized

Define a protocol for HOSTS.TXT access
One single DNS server: 1.1.1.1
  Simple: one place for all your questions!
  SPoF (Single Point of Failure) and bottleneck
Multiple DNS servers: 1.1.1.1, 2.2.2.2, 3.3.3.3, ...
  Simple: multiple predefined places for all your questions!
  Easy to remember, easy to use, resilient to network failures
Scaling issues
  Easy for 10 hosts; impossible for 1,000,000,000 hosts
  The network traffic does not scale either
  Administration of the database becomes infeasible too

Second architectural option: decentralized

Use a hierarchy instead of one big flat master file
  Solves all of your scaling issues
  Need to tweak the protocol to redirect questions
  Seems simple, but introduces quite some challenges (and issues)
How to split up the database?
  Use subdomains to split up the database?
  Use the first letter of a domain name?
  Create a cryptographic hash and use its first octet?
  Use /dev/random and remember the outcome?
  ...

Third architectural option: distributed

Not a hierarchy but an "unmanaged" network
  Who owns what part of the database?
Distributed Hash Table (DHT) works well in practice
  Works for P2P networks, Bitcoin, CDNs, Skype, ...
Authority problems
  Can you hijack a part of the database as in a DHT?
  What if a node goes down?
How to duplicate information?
How to redirect questions?
How to keep information up to date?

DNS's choice

Decentralized and hierarchical architecture
Subdomains creating new zones are delegation points
Delegation of authority is done "in-band"
  Delegation information is put in the database itself
  which turned out to be problematic afterwards

First way of resolving in a decentralized network

Recursive (would put too much load on the root servers)
[Figure] Source: Niels Sijm, 2012-2013 CIA lecture

Second way of resolving in a decentralized network

Iterative (scales nicely)
[Figure] Source: Niels Sijm, 2012-2013 CIA lecture

2 A short history of DNS

1973—1985

December 1973: HOSTS.TXT (RFC 606)
November 1983: DNS invented (RFC 882)
October 1984: TLDs defined (RFC 920)

RFC 920, October 1984

Section "Initial Set of Top Level Domains (gTLDs)"; gTLD stands for generic Top Level Domain
ARPA ("temporary")
Categories: .GOV, .EDU, .COM, .MIL, .ORG
Countries: at first none, later to become the ccTLDs
Multiorganizations: at first none (now obsolete)

RFC 920, definition of country code

Countries: "The English two letter code identifying a country according to the ISO Standard for 'Codes for the Representation of Names of Countries'": ISO 3166-1 alpha-2.

RFC 920, definition of multiorganization

Multiorganizations: "A multiorganization may be a top level domain if it is large, and is composed of other organizations; particularly if the multiorganization can not be easily classified into one of the categories and is international in scope."

January 1985

SRI runs the DNS service
  Stanford Research Institute is a not-for-profit organisation
  SRI-NIC, in cooperation with IANA
.NET added to the top level domains ("forgotten" in RFC 920)

July 1985

ccTLDs established
  .US (February 15, 1985)
  .UK, .GB (July 24, 1985)
  .AU (March 5, 1986)
  .NL (April 25, 1986)
  .JP (August 5, 1986)

1987—1991

November 1987: DNS specification, STD 13 (IETF standard): RFC 1034, RFC 1035
November 1988: .INT domain established
May 1991: DISA (Defense Information Systems Agency) transfers the DDN (Defense Data Network) NIC contract from SRI International to Government Systems Inc. (GSI)

1993—1995

April 1993: InterNIC starts, initiated by NSF and operated by NSI (Network Solutions Inc.) and AT&T
June 1994: Commercial use becomes dominant
September 1995: Charging for domain name registration starts

1997

Start planning for competition: "On July 1, 1997, as part of the Administration's Framework for Global Electronic Commerce, the President directed the Secretary of Commerce to privatize the management of the domain name system (DNS) in a manner that increases competition and facilitates international participation in its management."

Source: MoU (Memorandum of Understanding; November 1998); also see RFC 2860 (June 2000)

1998

November 1998: Start of ICANN (Internet Corporation for Assigned Names and Numbers)
Responsibilities
  IP address assignment, via the ASO (Address Supporting Organization)
  Internet domain names, via the GNSO (Generic Names Supporting Organization) and the ccNSO (Country Code Names Supporting Organization)
  Protocol parameters and port numbers, supported by IANA (Internet Assigned Numbers Authority)

2000—2012

More TLDs
  https://www.iana.org/domains/root/db
  http://newgtlds.icann.org/en/program-status/delegated-strings
IDNs (Internationalized Domain Names)
Many more gTLDs, including
  grTLDs (generic-restricted; .name, .pro, .biz)
  sTLDs (sponsored Top Level Domains)
Highly political

2012—now

Unlimited TLDs (New gTLD Program)
  https://icannwiki.com/All_New_gTLD_Applications
GeoTLDs introduced
"DotBrand" introduced
gTLDs and IDNs now have categories
  Commerce, Culture, Education, Food & Drink, Government, Health, Industry, Lifestyle, Media, Professional, Real Estate, Sport, Technology
Even more political

3 Basic concepts

DNS concepts

Domain Name Space (Domain Name Tree)
Resource Records (the data itself)
Name Servers (server side)
Resolvers (client side)

Domain names

Nodes (internal and leaf) have a label (a sequence of octets)
  The root label is empty: "" (not " " and not ".")
  Non-root labels must be non-empty
  Labels are 0-63 octets long (only the root label has length 0)
A domain name is a sequence of labels
  specifying the labels on the path to the root
  and thus ending in the (empty) root label
  (in text representation the labels are separated by "." (dot); maximum length 254)
A domain is a domain name together with all domain names below it

Where to put your slashes: to slash or not to slash

Compare domain names to pathnames in a filesystem
  Labels (filenames) separated by "/" (slash)
  Absolute versus relative pathnames

Where to put your dots: to dot or not to dot

Absolute domain name (FQDN): mail.serv.os3.nl.
Relative domain names: mail, mail.serv
machine.cs can (or is it could?) give problems. Why?
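The label and name rules of the two slides above, in working code. This is an added example, not code from the lecture: it qualifies a relative name against an origin (the idea BIND calls $ORIGIN), encodes an absolute name in the RFC 1035 wire format (each label prefixed by its length, terminated by the empty root label) and enforces the 63-octet label and 255-octet name limits, and decodes it again. The names used are the slide's mail.serv.os3.nl; the relative name machine.cs is the slide's own puzzle. What the code makes visible is that a dotted relative name has two readings, machine.cs.<origin>. or machine.cs. as an absolute name, which is the ambiguity RFC 1535 warns about for search-list resolution.

```python
from typing import Tuple

MAX_LABEL = 63   # a non-root label is 1..63 octets; only the root label is empty
MAX_WIRE = 255   # a whole name on the wire, length octets and root label included


def qualify(name: str, origin: str) -> str:
    """Make NAME absolute relative to ORIGIN (the $ORIGIN idea).

    "@" is the origin itself, a name ending in "." is already absolute,
    anything else gets ORIGIN appended.
    """
    if not origin.endswith("."):
        raise ValueError("origin must be absolute (end with a dot)")
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def to_wire(fqdn: str) -> bytes:
    """Encode an absolute name as <len><label>...<0> (RFC 1035 section 3.1)."""
    if not fqdn.endswith("."):
        raise ValueError(f"{fqdn!r} is relative; qualify() it first")
    labels = [] if fqdn == "." else fqdn[:-1].split(".")
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError(f"label {label!r} is not 1..{MAX_LABEL} octets")
        out.append(len(raw))
        out += raw
    out.append(0)                       # the empty root label ends the name
    if len(out) > MAX_WIRE:
        raise ValueError(f"name longer than {MAX_WIRE} octets on the wire")
    return bytes(out)


def from_wire(data: bytes, offset: int = 0) -> Tuple[str, int]:
    """Decode one uncompressed name; return (fqdn, offset just after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length > MAX_LABEL:          # 0xC0.. would be a compression pointer (RFC 1035 4.1.4)
            raise ValueError("compression pointers are not handled here")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset
```

qualify("machine.cs", "os3.nl.") gives machine.cs.os3.nl., while a lenient resolver that tries the name as given would ask for machine.cs.; the trailing dot is what removes the ambiguity.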

Resource Records (RRs)

owner (domain name)
ttl (time to live (in cache))
class (IN, CH, HS, ...)
  Only IN is actively used
  CH is used with Chaosnet, an early LAN protocol
  HS implements the Hesiod lookup service
type (A, AAAA, CNAME, DNAME, MX, NS, PTR, SOA, SRV, ...)
resource data (depends on type)

Textual representation of Resource Records

Differs between implementations; the best-known is the BIND syntax:

  owner [ttl] [class] type data

ttl and class are optional and default to $TTL and IN
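A parser for the "owner [ttl] [class] type data" syntax above, as an added example (not code from the lecture or from BIND). It handles the defaults the slide mentions ($TTL and IN), plus the other master-file conventions used in the record examples that follow: $ORIGIN, "@" for the origin, relative owner and target names, a leading blank meaning "same owner as the previous record", ";" comments and the "( ... )" continuation used for SOA. The zone text at the end is constructed from the lecture's os3.nl examples; the address of ns1 and the SRV target are made up.

```python
from typing import Iterator, List, NamedTuple, Tuple

TYPES = {"A", "AAAA", "CNAME", "DNAME", "MX", "NS", "PTR", "SOA", "SRV", "TXT"}
CLASSES = {"IN", "CH", "HS"}
# index of the domain-name fields inside rdata; these may be written relative
NAME_FIELDS = {"CNAME": [0], "DNAME": [0], "NS": [0], "PTR": [0],
               "MX": [1], "SRV": [3], "SOA": [0, 1]}


class RR(NamedTuple):
    owner: str      # absolute
    ttl: int
    rclass: str
    rtype: str
    rdata: str      # presentation form, names inside made absolute


def absolute(name: str, origin: str) -> str:
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def logical_lines(text: str) -> Iterator[Tuple[bool, List[str]]]:
    """Yield (starts_with_blank, tokens) per entry; ';' starts a comment and
    '( ... )' lets one entry span several physical lines."""
    buf, depth, blank_start = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not buf:
            if not line.strip():
                continue
            blank_start = line[0] in " \t"   # leading blank: owner of the previous entry
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            tokens = " ".join(buf).split()
            buf = []
            if tokens:
                yield blank_start, tokens
    if depth:
        raise ValueError("unbalanced parentheses at end of zone")


def parse_zone(text: str, origin: str = ".", default_ttl: int = 3600) -> List[RR]:
    records: List[RR] = []
    last_owner = None
    for blank_start, tokens in logical_lines(text):
        if tokens[0] == "$ORIGIN":
            origin = absolute(tokens[1], origin)
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if blank_start:
            if last_owner is None:
                raise ValueError("first entry has no owner")
            owner = last_owner
        else:
            owner = absolute(tokens.pop(0), origin)
        ttl, rclass = default_ttl, "IN"            # the defaults from the slide
        while tokens and tokens[0] not in TYPES:   # optional ttl and class, any order
            tok = tokens.pop(0)
            if tok.isdigit():
                ttl = int(tok)
            elif tok in CLASSES:
                rclass = tok
            else:
                raise ValueError(f"unknown token {tok!r} in entry for {owner}")
        if not tokens:
            raise ValueError(f"entry for {owner} has no type")
        rtype = tokens.pop(0)
        for i in NAME_FIELDS.get(rtype, []):
            tokens[i] = absolute(tokens[i], origin)
        records.append(RR(owner, ttl, rclass, rtype, " ".join(tokens)))
        last_owner = owner
    return records


# Constructed zone text modelled on the lecture's os3.nl examples
# (ns1's address and the SRV target are invented for the example).
ZONE = """\
$ORIGIN os3.nl.
$TTL 86400
@           IN SOA ns1 hostmaster (
                2015090700  ; serial
                28800       ; refresh
                7200        ; retry
                604800      ; expire
                43200 )     ; "minimum"
@           NS  ns1
@           NS  ns2
@           NS  ns1.zurich.surf.net.
@           MX  0 smtp
            MX  10 backup.somewhere.nl.
ns1         A   145.100.96.1
mail.serv   300 A 145.100.96.25
mail.serv   IN AAAA 2001:610:158:960::25
www         CNAME info4u
_sip._tcp   SRV 10 20 5060 sip
"""
```

parse_zone(ZONE) returns eleven records; note how "smtp" in the MX and "hostmaster" in the SOA come back as smtp.os3.nl. and hostmaster.os3.nl., while backup.somewhere.nl. keeps its final dot and is left alone.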

A record

An A record (address record) translates a domain name to an IPv4 address
  mail.serv.os3.nl. −→ 145.100.96.25
Multihomed hosts have several A records
Routers may have multiple A records
Example (assuming the $ORIGIN is os3.nl.; $ORIGIN is a BIND variable, but the idea is widely used)
  mail.serv A 145.100.96.25

Example of multiple A records (os3.nl)

router.studlab.os3.nl. A 145.100.104.1
router.studlab.os3.nl. A 145.100.104.33
router.studlab.os3.nl. A 145.100.104.65
router.studlab.os3.nl. A 145.100.104.97
router.studlab.os3.nl. A 145.100.104.129
router.studlab.os3.nl. A 145.100.104.145
router.studlab.os3.nl. A 145.100.104.161
router.studlab.os3.nl. A 145.100.104.193

129.104.100.145.in-addr.arpa. PTR router.studlab.os3.nl.

Source: The domain name system (2014-09-08T191940Z)

Example of multiple A records (phil.uu.nl)

router.phil.uu.nl. CNAME frege.phil.uu.nl.
frege.phil.uu.nl. A 131.211.0.89
frege.phil.uu.nl. A 131.211.135.1
frege.phil.uu.nl. A 131.211.140.1
frege.phil.uu.nl. A 131.211.140.65
frege.phil.uu.nl. A 131.211.140.129
frege.phil.uu.nl. A 131.211.141.1
frege.phil.uu.nl. A 131.211.141.129
frege.phil.uu.nl. A 131.211.141.193
frege.phil.uu.nl. A 131.211.143.1
frege.phil.uu.nl. A 131.211.143.129

129.143.211.131.in-addr.arpa. PTR frege.shrapnel.phil.uu.nl.

Source: The domain name system (historic data)

AAAA record

AAAA records are sometimes called quad-A records
A quad-A record translates a domain name to an IPv6 address
  mail.serv.os3.nl. −→ 2001:610:158:960::25
Many hosts have multiple AAAA records; it is quite normal in IPv6 to belong to multiple subnets
Example (assuming the $ORIGIN is os3.nl.)
  mail.serv AAAA 2001:610:158:960::25

CNAME record

A CNAME (canonical name) record defines an alias
  www.uva.nl. −→ www-prd.cms.uva.nl. −→ cms-prd-www.lb.uva.nl.

  www.uva.nl. CNAME www-prd.cms.uva.nl.
  www-prd.cms.uva.nl. CNAME cms-prd-www.lb.uva.nl.

No other RRs are allowed at the owner of a CNAME
Does not work for subdomains; the DNAME record was proposed for that (see next slide)
Example (assuming the $ORIGIN is os3.nl.)
  www CNAME info4u
(This is now historic and has been replaced by a direct A record.)

DNAME record

A DNAME is used for non-terminal DNS name redirection
Allows other RR types at the same owner, except CNAME
A DNAME RRset is not allowed to contain more than one element
Synthesizes CNAME records for clients
Wildcarded DNAME records should not be used
Also called "Delegation Name" because of its use instead of NS records in certain cases (see RFC 6672, section 6.3)
Example (assuming the $ORIGIN is nl.)
  ruu DNAME uu
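How the CNAME synthesis mentioned above works, as an added example (not lecture code). It implements the substitution of RFC 6672 section 2.2: the DNAME owner itself is not redirected (other RR types may live there), every name strictly below it has the owner suffix replaced by the target, and the client is handed a CNAME for the name it asked about. The ruu.nl −→ uu.nl DNAME is the slide's example; the query names, the second DNAME and the looping pair are constructed for the example.

```python
from typing import Dict, Optional, Tuple

MAX_TEXT = 253   # text form without the final dot; 255 octets on the wire


def apply_dname(qname: str, owner: str, target: str, ttl: int = 3600
                ) -> Tuple[Optional[tuple], Optional[str]]:
    """Substitute the DNAME owner suffix of QNAME by TARGET (RFC 6672 2.2).

    Returns (synthesized CNAME record, new name), or (None, None) when the
    DNAME does not apply: QNAME is the owner itself or is not below it.
    """
    for n in (qname, owner, target):
        if not n.endswith("."):
            raise ValueError(f"{n!r} must be absolute")
    suffix = "." + owner
    if qname == owner or not qname.endswith(suffix):
        return None, None
    new_name = qname[: -len(suffix)] + "." + target
    if len(new_name.rstrip(".")) > MAX_TEXT:
        raise ValueError("YXDOMAIN: substituted name would be too long")
    # The synthesized CNAME is given the DNAME's TTL and is never written
    # in the zone; it exists only in the answer sent to the client.
    return (qname, ttl, "IN", "CNAME", new_name), new_name


def follow_dnames(qname: str, dnames: Dict[str, str], limit: int = 8) -> str:
    """Apply a chain of DNAMEs ({owner: target}) until none matches."""
    for _ in range(limit):
        for owner, target in dnames.items():
            _, new_name = apply_dname(qname, owner, target)
            if new_name:
                qname = new_name
                break
        else:
            return qname
    raise RuntimeError("DNAME loop")
```

A resolver must bound chains like this for the same reason it bounds CNAME chains: two DNAMEs pointing at each other redirect forever, so follow_dnames gives up after a fixed number of substitutions.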

MX record

An MX (Mail eXchanger) record defines for a domain the mail servers for that domain and the order of their preference, where a lower preference value is more preferred
MX must not point to a CNAME (or below a DNAME)
Example (assuming the $ORIGIN is os3.nl.)
  @ MX 0 smtp
  @ MX 10 backup.somewhere.nl.

NS record

An NS (Name Server) record defines a cut (zone)
  Must list at least two name servers
  Makes DNS decentralized
  Delegates responsibility or authority
An NS record must not point to a CNAME (or below a DNAME)
Example (assuming the $ORIGIN is os3.nl.)
  @ NS ns1
  @ NS ns2
  @ NS ns1.zurich.surf.net.

PTR record

A PTR (pointer) record literally points to a(n arbitrary) point in the DNS tree
Mostly used for reverse lookup
  145.100.96.25 −→ mail.serv.os3.nl.
  Lookup works via in-addr.arpa.: 25.96.100.145.in-addr.arpa. (why not 145.100.96.25.in-addr.arpa.?)
  Wasn't .ARPA supposed to be temporary?
Example (assuming the $ORIGIN is os3.nl.)
  25.96.100.145.in-addr.arpa. PTR mail.serv

SOA record

An SOA (Start Of Authority) record administrates important zone parameters
  hostname of the (non-hidden) master server: ns1.os3.nl.
  email address (in "dot" form) of the person responsible: hostmaster@os3.nl −→ hostmaster.os3.nl.
    (using an escaped dot if necessary: First\.Last.example.com.)
  numerical parameters

Numerical SOA parameters ((former) recommended values)

Parameter values (except Serial) are given in seconds
  Serial ("YYYYMMDDnn" is a common convention)
  Refresh (86400 = 1 day)
  Retry (7200 = 2 hours)
  Expire (3600000 = 1000 hours, about 40 days)
  "Minimum" (172800 = 2 days, historic...)
Properties of the SOA record as a whole
  The SOA record itself can have a low TTL
  Even 0 (don't cache) according to RFC 1035

Numerical SOA parameters (OS3 example during IP migration)

These values are quite low
  Serial (2007110900)
  Refresh (3600 = 1 hour)
  Retry (1800 = 30 minutes)
  Expire (21600 = 6 hours)
  Minimum (3600 = 1 hour, but...)

SOA example (with "modern", normal values)

  cwi.nl. SOA ns1.cwi.nl. hostmaster.cwi.nl. (
          2015090700 ; serial (version)
          28800      ; refresh period (8 hours)
          7200       ; retry interval (2 hours)
          604800     ; expire time (1 week)
          43200      ; "minimum" (12 hours)
          )

"Minimum"

Different interpretations
  Minimal TTL allowed (never used this way)
  Default TTL, if TTL not specified (BIND 8)
  TTL for caching negative replies (BIND 9)
BIND 9 uses the global $TTL for the default TTL

SRV record

An SRV (service) record specifies the location of the services that a domain supports
The format for the information about a certain "Domainname" uses
  "_Service._Proto.Domainname" as the owner domain name
  "Priority Weight Port Target" as its resource data
It is a typical generator of so-called "empty non-terminals", like "_Proto.Domainname" in the above case
Example
  _sip._tcp.example.com. SRV 10 20 5060 sip.example.com.

Resource Record sets (RRsets)

An RRset is a grouping of a set of RRs with the same owner, class and type
All RRs in an RRset must have the same TTL
DNSSEC signs complete RRsets with RRSIG RRs
  Which might make the RRSIG RR an exception to the TTL rule :)
  But in fact the DNSSEC specification tells us they do not form a resource record set at all (RFC 4035, section 2.2)

4 Delegation

Name servers and zones

Zones are created by cuts (delegations)
Cuts are defined by NS records
  "inside" the parent zone
  non-authoritative by definition
  best interpreted as the edge leading to the child zone
Glue A records are sometimes needed
  When the name servers for the delegation are "in bailiwick"
  Or, in the more general case, when name servers have circular dependencies and create bailiwick loops

Bootstrap issues

Hint file for the root servers' A and AAAA RRs
Glue for child zones
  Glue NS records (a stub server automates this)
  Glue A records (only for servers inside the child zone)
Glue data is not authoritative unless the parent is also a (slave) server for the child zone
Non-authoritative data should be replaced by authoritative data as soon as the latter becomes available

Name server types

Master (primary)
Slave (secondary)
Stub (limited secondary)
Stealth (secondary that is not listed)
Lame (listed but not operating as secondary)
Caching-only (never authoritative)
Forward-only (using forwarders)

5 Root servers

DNS structure

Hierarchical tree
  its root is unnamed (unlabeled)
  in fact the root uses the empty label: ""
Top Level Domains (TLDs)
  generic TLDs (gTLDs)
  country code TLDs (ccTLDs)
  ... TLDs
Decentralized database

Root servers

Status in 2001, according to ICANN official Michael Roberts
  13 root servers
  Most of them (10) located in the US
Nowadays there is a complete infrastructure with both global and local servers

Root servers map

[Figure] Source: ICANN

Root server list

Name  Org                                 Where                    Globals  Locals
A     Verisign                            Los Angeles, CA, US      8        0
B     USC-ISI                             Marina del Rey, CA, US   0        1
C     Cogent Communications               Herndon, VA, US          8        0
D     University of Maryland              College Park, MD, US     1        0
E     NASA (Ames)                         Mountain View, CA, US    1        11
F     ISC (Internet Systems Consortium)   Palo Alto, CA, US        5        51
G     US DOD NIC                          Columbus, OH, US         6        0
H     US Army Research Lab (ARL)          Aberdeen, MD, US         2        0
I     Netnod (NORDUnet)                   Stockholm, SE            0        43
J     Verisign                            Dulles, VA, US           63       5
K     RIPE NCC                            London, UK               5        12
L     ICANN                               Los Angeles, CA, US      0        146
M     WIDE                                Tokyo, JP                5        1

Source: http://www.root-servers.org/ (retrieved 20130909)

Anycast

Overloading of an IP address
Route to the nearest instance (BGP metric)
Global or local significance
Live data for k root can be found at http://k.root-servers.org/

Research exercise: find two documented ways of finding out which specific server from the anycasted set of servers answers your query.

k root server presence (2006 snapshot)

[Figure] Source: http://k.root-servers.org/pics/map.png (RIPE NCC)

Anycasted root servers map (snapshot 20130909)

[Figure] Source: http://www.root-servers.org/ (retrieved 20130909)

6 Lookups

Recursive and iterative queries

Recursive queries: in this case the server
  follows referrals itself on behalf of its clients
  often doesn't have authoritative data at all (almost)
  should build up a cache
Iterative queries: in this case the server
  either answers with authoritative data or passes referrals back to clients
  often has only authoritative data and no cache

Resolvers

Stub resolver
  Library doing domain name lookup
  Uses /etc/resolv.conf
  Contacts a recursive (recursion-allowing) name server
  Does not follow referrals itself
Resolving name server
  Runs name server software
  Recursive (sets RA, allowing recursive queries as a server)
  Caching (remembers the outcome of iterative queries made as a client)

Caching

Necessary for performance
Negative caching adds more functionality
  See RFC 2308
  Lots of subtleties

IETF WG dprive (DNS PRIVate Exchange)

Usually a client sends the complete query name in a DNS request
Query minimisation
  DNS Query Name Minimisation to Improve Privacy (RFC 7816)
  Only send the relevant suffix to find the needed NS delegations
  Patented by Verisign?!?
    https://datatracker.ietf.org/ipr/2542/
    https://www.verisign.com/en_US/patent-information/dns-query/index.xhtml
    https://www.ietf.org/rfc/rfc3979.txt
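One added example (not lecture code) that ties together the Delegation slides (cuts defined by NS records in the parent, glue A records for in-bailiwick name servers), the recursive-versus-iterative slides of this section, and the query minimisation just described. It is a small iterative, caching resolver working over a constructed, in-memory set of authoritative zones, so it runs offline: serve() plays the authoritative side (answer, referral or negative), Resolver plays the recursive side, starting from the one root address it is configured with and following referrals down; with minimise=True it asks each server only for the NS of the next label (RFC 7816) instead of sending the full name everywhere. All names, addresses and zones below are constructed; uva.nl is deliberately delegated to a server outside nl so that no glue can exist and the resolver has to look the server's name up itself, and the depth guard is what stops a bailiwick loop when glue is missing.

```python
from typing import Dict, List, Tuple

RR = Tuple[str, str, str]   # (owner, type, rdata); TTL and class left out for brevity

# Constructed zones, one list per authoritative zone. A child's NS records plus
# the A records of servers living inside the child ("glue") are the delegation
# written inside the parent. uva.nl's server is outside nl: no glue possible.
ZONES: Dict[str, List[RR]] = {
    ".": [(".", "NS", "a.root.test."), ("a.root.test.", "A", "198.51.100.1"),
          ("nl.", "NS", "ns1.dns.nl."), ("ns1.dns.nl.", "A", "198.51.100.2"),
          ("example.", "NS", "ns1.dns.nl.")],
    "nl.": [("nl.", "NS", "ns1.dns.nl."), ("ns1.dns.nl.", "A", "198.51.100.2"),
            ("os3.nl.", "NS", "ns1.os3.nl."), ("ns1.os3.nl.", "A", "203.0.113.1"),
            ("uva.nl.", "NS", "ns.uva.example.")],
    "example.": [("example.", "NS", "ns1.dns.nl."), ("ns.uva.example.", "A", "203.0.113.1")],
    "os3.nl.": [("os3.nl.", "NS", "ns1.os3.nl."), ("ns1.os3.nl.", "A", "203.0.113.1"),
                ("www.os3.nl.", "A", "203.0.113.80"), ("mail.serv.os3.nl.", "A", "203.0.113.25")],
    "uva.nl.": [("uva.nl.", "NS", "ns.uva.example."), ("www.uva.nl.", "A", "203.0.113.81")],
}
SERVERS = {"198.51.100.1": ["."], "198.51.100.2": ["nl.", "example."],
           "203.0.113.1": ["os3.nl.", "uva.nl."]}      # who serves what (the "network")
ROOT_HINT = "198.51.100.1"                                # the resolver's only configuration


def at_or_below(name: str, zone: str) -> bool:
    return zone == "." or name == zone or name.endswith("." + zone)


def serve(server: str, qname: str, qtype: str) -> Tuple[str, List[RR]]:
    """An authoritative server: answer, referral downward, or a negative."""
    zone = max((z for z in SERVERS[server] if at_or_below(qname, z)), key=len)
    rrs = ZONES[zone]
    cuts = [o for o, t, _ in rrs if t == "NS" and o != zone and at_or_below(qname, o)]
    if cuts:                                  # below a delegation: hand out NS + glue
        cut = max(cuts, key=len)
        ns = [r for r in rrs if r[0] == cut and r[1] == "NS"]
        glue = [r for r in rrs if r[1] == "A" and r[0] in {n[2] for n in ns}]
        return "referral", ns + glue
    hits = [r for r in rrs if r[0] == qname and r[1] == qtype]
    if hits:
        return "answer", hits
    exists = any(at_or_below(o, qname) for o, _, _ in rrs)   # empty non-terminals exist
    return ("nodata" if exists else "nxdomain"), []


class Resolver:   # iterative resolver with a cache; minimise=True switches on RFC 7816
    def __init__(self, minimise: bool = False):
        self.minimise = minimise
        self.cache: Dict[Tuple[str, str], List[RR]] = {}
        self.log: List[Tuple[str, str, str]] = []     # every (server, qname, qtype) sent

    def _query(self, server, qname, qtype):
        self.log.append((server, qname, qtype))
        status, rrs = serve(server, qname, qtype)
        for rr in rrs:                                # cache answers and referral data alike
            bucket = self.cache.setdefault((rr[0], rr[1]), [])
            if rr not in bucket:
                bucket.append(rr)
        return status, rrs

    def _address_of(self, ns_rrs, depth):
        for _, _, host in ns_rrs:                     # glue (already cached by _query)
            for _, _, addr in self.cache.get((host, "A"), []):
                return addr
        for _, _, host in ns_rrs:                     # no glue: resolve the server's name
            for _, _, addr in self.resolve(host, "A", depth + 1):
                return addr
        raise LookupError("no usable name server in referral")

    def _start(self, qname):                          # closest cached delegation, else root
        labels = qname.rstrip(".").split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:]) + "."
            for _, _, host in self.cache.get((suffix, "NS"), []):
                for _, _, addr in self.cache.get((host, "A"), []):
                    return addr, suffix
        return ROOT_HINT, "."

    def resolve(self, qname: str, qtype: str = "A", depth: int = 0) -> List[RR]:
        if depth > 8:
            raise RecursionError("referral loop, probably missing glue")
        if (qname, qtype) in self.cache:
            return self.cache[(qname, qtype)]
        server, zone = self._start(qname)
        steps = [(qname, qtype)]
        if self.minimise:                             # ask only for the next delegation
            labels = qname.rstrip(".").split(".")
            steps = [(".".join(labels[i:]) + ".", "NS") for i in range(len(labels) - 1, -1, -1)]
            steps = [s for s in steps if not at_or_below(zone, s[0])] or [(qname, qtype)]
            steps[-1] = (qname, qtype)                # the real question goes last
        i = 0
        while True:
            status, rrs = self._query(server, *steps[i])
            if status == "referral":
                cut = rrs[0][0]
                server = self._address_of([r for r in rrs if r[1] == "NS"], depth)
                while i < len(steps) - 1 and at_or_below(cut, steps[i][0]):
                    i += 1                            # suffixes this referral already covered
            elif i < len(steps) - 1 and status in ("answer", "nodata"):
                i += 1                                # next label, same server
            elif status == "answer":
                return rrs
            else:
                return []                             # NXDOMAIN, or NODATA for the real question
```

Resolver().resolve("www.os3.nl.") sends the full name to the root, to the nl server and to the os3.nl server (three queries, every one of them revealing the whole name); Resolver(minimise=True).resolve("mail.serv.os3.nl.") sends "nl. NS" to the root, "os3.nl. NS" to the nl server, and only then the last labels to the os3.nl server, which is the privacy gain RFC 7816 is after. The log attribute records which server saw which name, and a second lookup under os3.nl starts straight at the cached delegation.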

Common mistakes

See RFC 1912 and also RFCs 2181 and 4697
  Using CNAMEs in MX and NS records
  Forgetting the final "."
  Lame delegation
  Lack of human coordination
New efforts on their way (CSYNC RRs), see Child-to-Parent Synchronization in DNS (RFC 7477)
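A checker for the mistakes in the list above that can be found by reading the zone alone, as an added example (not lecture code): a CNAME target used in an MX, NS or SRV record (RFC 2181 section 10.3), a CNAME owner that also carries other data (RFC 1034 section 3.6.2), an RRset whose members disagree on TTL (RFC 2181 section 5.2, the rule from the RRsets slide), a delegation listing fewer than two name servers (RFC 2182), and the tell-tale of a forgotten final dot: a name that ends in the origin twice, because the zone parser appended it to a name that was meant to be absolute. Lame delegation and lack of coordination need live queries and are not covered. The records are constructed, with each mistake planted on purpose; only 145.100.96.25 is an address from the slides.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Record = Tuple[str, int, str, str, str]    # owner, ttl, class, type, rdata (names absolute)

# Which rdata field of each type is a domain name that must not be a CNAME
TARGET_FIELD = {"MX": 1, "NS": 0, "SRV": 3}


def lint_zone(records: List[Record], origin: str) -> List[str]:
    """Return sorted 'code owner: detail' strings for the mistakes found."""
    problems: List[str] = []
    types_at: Dict[str, Set[str]] = defaultdict(set)
    ttls: Dict[tuple, Set[int]] = defaultdict(set)
    ns_count: Dict[str, int] = defaultdict(int)
    doubled = "." + origin.rstrip(".") + "." + origin     # e.g. ".os3.nl.os3.nl."

    for owner, ttl, rclass, rtype, rdata in records:
        types_at[owner].add(rtype)
        ttls[(owner, rclass, rtype)].add(ttl)
        if rtype == "NS":
            ns_count[owner] += 1
    cnames = {o for o, t in types_at.items() if "CNAME" in t}

    for owner, types in types_at.items():
        if "CNAME" in types and len(types) > 1:            # RFC 1034 section 3.6.2
            problems.append(f"cname-and-other-data {owner}: also has {sorted(types - {'CNAME'})}")
    for (owner, rclass, rtype), seen in ttls.items():
        if len(seen) > 1:                                  # RFC 2181 section 5.2
            problems.append(f"rrset-ttl {owner} {rtype}: TTLs {sorted(seen)}")
    for owner, n in ns_count.items():
        if n < 2:                                          # RFC 2182
            problems.append(f"too-few-ns {owner}: {n} NS record")
    for owner, _, _, rtype, rdata in records:
        target = rdata.split()[TARGET_FIELD[rtype]] if rtype in TARGET_FIELD else None
        if target in cnames:                               # RFC 2181 section 10.3
            problems.append(f"target-is-cname {owner} {rtype}: {target}")
        for name in (owner, target):
            if name and name.endswith(doubled):            # origin appended twice
                problems.append(f"doubled-origin {owner} {rtype}: {name}")
    return sorted(problems)


# Constructed records with one mistake of each kind planted on purpose.
ORIGIN = "os3.nl."
RECORDS: List[Record] = [
    ("os3.nl.", 86400, "IN", "SOA", "ns1.os3.nl. hostmaster.os3.nl. 2016091300 28800 7200 604800 43200"),
    ("os3.nl.", 86400, "IN", "NS", "ns1.os3.nl."),
    ("os3.nl.", 86400, "IN", "NS", "ns2.os3.nl."),
    ("os3.nl.", 86400, "IN", "MX", "0 mail.os3.nl."),              # mail is an alias: wrong
    ("mail.os3.nl.", 86400, "IN", "CNAME", "smtp.os3.nl."),
    ("mail.os3.nl.", 86400, "IN", "A", "145.100.96.25"),            # CNAME plus other data: wrong
    ("smtp.os3.nl.", 86400, "IN", "A", "145.100.96.25"),
    ("ns1.os3.nl.", 86400, "IN", "A", "145.100.96.1"),
    ("ns2.os3.nl.", 3600, "IN", "A", "145.100.96.2"),
    ("ns2.os3.nl.", 86400, "IN", "A", "145.100.96.3"),              # mixed TTLs in one RRset: wrong
    ("studlab.os3.nl.", 86400, "IN", "NS", "router.studlab.os3.nl.os3.nl."),  # final dot forgotten, one NS: wrong twice
]
```

lint_zone(RECORDS, ORIGIN) reports five problems; the first five records minus the MX, together with the smtp and ns1 A records, pass clean, which is the quickest way to confirm the checker is not just complaining about everything.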