An Introduction to Domain Name System


Upload: akshat-mishra

Post on 15-Apr-2017


Page 1: An introduction to Domain Name System

1. INTRODUCTION

The TCP/IP protocol suite is a five-layer model. The topmost layer of TCP/IP is the Application layer. In the Application layer, several client/server application programs such as DHCP, HTTP and FTP exist. DNS is one of them. Paul Mockapetris invented DNS in 1983.

The Domain Name System (DNS) is a Client-Server application that identifies each host on the internet with a unique user-friendly name.

THE OSI MODEL

The layered model that dominated data communication and networking literature before 1990 was the Open Systems Interconnection (OSI) model. It was first introduced in the late 1970s.

The purpose of the OSI model is to show how to facilitate communication between different systems without requiring changes to the logic of the underlying hardware and software. The OSI model is not a protocol; it is a model for understanding and designing a network architecture that is flexible, robust, and interoperable.

The OSI model is composed of seven ordered layers: physical (layer 1), data link (layer 2), network (layer 3), transport (layer 4), session (layer 5), presentation (layer 6), and application (layer 7). The figure shows the layers involved when a message is sent from device A to device B. As the message travels from A to B, it may pass through many intermediate nodes. These intermediate nodes usually involve only the first three layers of the OSI model.

Within a single machine, each layer calls upon the services of the layer just below it. Layer 3, for example, uses the services provided by layer 2 and provides services for layer 4. Between machines, layer x on one machine logically communicates with layer x on another machine. This communication is governed by an agreed-upon series of rules and conventions called protocols.


2. NEED FOR DNS

To identify an entity, TCP/IP protocols use the IP address, which uniquely identifies the connection of a host to the Internet. However, people prefer to use names instead of numeric addresses. Therefore, we need a system that can map a name to an address or an address to a name.

When the Internet was small, mapping was done using a host file. The host file had only two columns: name and address. Every host could store the host file on its disk and update it periodically from a master host file. When a program or a user wanted to map a name to an address, the host consulted the host file and found the mapping.

Today, however, it is impossible to have one single host file to relate every address with a name and vice versa.

The solution used today is to divide this huge amount of information into smaller parts and store each part on a different computer. In this method, the host that needs a mapping can contact the closest computer holding the needed information. This method is used by the Domain Name System (DNS).

Figure shows how TCP/IP uses a DNS client and a DNS server to map a name to an address; the reverse mapping is similar.


A user wants to use a file transfer client to access the corresponding file transfer server running on a remote host. The user knows only the file transfer server name, such as forouzon.com. However, the TCP/IP suite needs the IP address of the file transfer server to make the connection. The following six steps map the host name to an IP address.

1. The user passes the host name to the file transfer client.
2. The file transfer client passes the host name to the DNS client.
3. We know that each computer, after being booted, knows the address of one DNS server. The DNS client sends a message to a DNS server with a query that gives the file transfer server name, using the known IP address of the DNS server.
4. The DNS server responds with the IP address of the desired file transfer server.
5. The DNS client passes the IP address to the file transfer server.
6. The file transfer client now uses the received IP address to access the file transfer server.

3. NAME SPACE

A name space is one that maps each address to a unique name. The names must be unique because the addresses are unique. Name spaces are of two types:

1. Flat Name Space
2. Hierarchical Name Space

Flat Name Space:- In a flat name space, a name is assigned to an address. A name in this space is a sequence of characters without structure. The names may or may not have a common section; if they do, it has no meaning. The main disadvantage of a flat name space is that it cannot be used in a large system such as the Internet because it must be centrally controlled to avoid ambiguity and duplication.

Hierarchical Name Space:- In a hierarchical name space, each name is made of several parts. The first part can define the nature of the organization, the second part can define the name of an organization, the third part can define departments in the organization, and so on. For example: http://www.google.com/index

Domain Name Space:- To have a hierarchical name space, a domain name space was designed. In this design, the names are defined in an inverted-tree structure with the root at the top. The tree can have only 128 levels: level 0 (root) to level 127.

Label:- Each node in the tree has a label, which is a string with a maximum of 63 characters. The root label is a null string. DNS requires that the children of a node have different labels, which guarantees the uniqueness of the domain names.


Domain Name:- Each node in the tree has a domain name. A full domain name is a sequence of labels separated by dots (.). Domain names are always read from the node up to the root. The last label is the label of the root (null). This means that a full domain name always ends in a null label, which means the last character is a dot because the null string is nothing. Domain names are of two types:

1. Fully Qualified Domain Name (FQDN)
2. Partially Qualified Domain Name (PQDN)


Fully Qualified Domain Name (FQDN):- If a label is terminated by a null string, it is called a fully qualified domain name. An FQDN is a domain name that contains the full name of a host. For example: http://www.google.com.

Partially Qualified Domain Name (PQDN):- If a label is not terminated by a null string, it is called a partially qualified domain name. A PQDN is a domain name that starts from a node, but it does not reach the root. For example: google

Domain:- A domain is a subtree of the domain name space. The name of the domain is the name of the node at the top of the subtree. Note that a domain may itself be divided into subdomains.
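As an added illustration (not code from the original report), the following Python applies the rules just stated: a name is split into labels, each label is checked against the 63-character limit, names are read from a node up to the root, a PQDN is completed with a suffix so that it reaches the root, and the wire form is produced in which the null root label becomes the closing zero byte. Two things in it are not from the text: the 255-octet limit on an encoded name comes from RFC 1035, and the suffix example.com. is a constructed value.

```python
# Added example, not from the report: labels, the root's null label, FQDN vs PQDN,
# and the wire form of a name, following the rules stated in the text.
from typing import List

MAX_LABEL_LEN = 63   # from the text
MAX_NAME_LEN = 255   # wire-format limit from RFC 1035 (not stated in the text)


def split_labels(name: str) -> List[str]:
    """Labels of a dotted name, root's null label excluded. Rejects empty or
    over-long labels, the two things DNS does not allow inside a name."""
    if name in ("", "."):
        return []
    body = name[:-1] if name.endswith(".") else name
    labels = body.split(".")
    for label in labels:
        if label == "":
            raise ValueError(f"empty label in {name!r}")
        if len(label) > MAX_LABEL_LEN:
            raise ValueError(f"label {label!r} is longer than {MAX_LABEL_LEN} characters")
    return labels


def is_fqdn(name: str) -> bool:
    """A name terminated by the null root label is written with a trailing dot."""
    return name.endswith(".")


def qualify(name: str, suffix: str) -> str:
    """Complete a PQDN with a resolver-configured suffix so that it reaches the
    root; an FQDN is returned unchanged."""
    if is_fqdn(name):
        return name
    suffix = suffix if suffix.endswith(".") else suffix + "."
    return f"{name}.{suffix}" if name else suffix


def path_to_root(name: str) -> List[str]:
    """Domain name of every node from the given node up to the root, i.e. the
    domains (subtrees) the node belongs to, innermost first."""
    labels = split_labels(name)
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def encode_name(name: str) -> bytes:
    """Wire format: each label prefixed by its length, closed by the zero-length
    root label. A PQDN is encoded as if already qualified, so call qualify()
    first for relative names."""
    out = bytearray()
    for label in split_labels(name):
        raw = label.encode("ascii")
        out.append(len(raw))
        out += raw
    out.append(0)
    if len(out) > MAX_NAME_LEN:
        raise ValueError("encoded name exceeds 255 octets")
    return bytes(out)


if __name__ == "__main__":
    print(path_to_root("www.google.com."))
    print(qualify("google", "example.com."))     # constructed suffix
    print(encode_name("www.google.com."))
```

The trailing dot is what distinguishes an FQDN from a PQDN in text form; on the wire that distinction disappears, which is why a resolver must qualify relative names before sending them.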


Distribution of Name Space:- The information contained in the domain name space must be stored. However, it is very inefficient and not reliable to have just one computer store such a huge amount of information. It is inefficient because responding to requests from all over the world places a heavy load on the system. It is not reliable because any failure makes the data inaccessible.

Hierarchy of Name Space:- The solution to these problems is to distribute the information among many computers called DNS servers. One way to do this is to divide the whole space into many domains based on the first level. In other words, we let the root stand alone and create as many domains (subtrees) as there are first-level nodes. Because a domain created this way could be very large, DNS allows domains to be divided further into smaller domains (subdomains). Each server can be responsible for either a large or a small domain. In other words, we have a hierarchy of servers in the same way that we have a hierarchy of names.


Zone:- Since the complete domain name hierarchy cannot be stored on a single server, it is divided among many servers. What a server is responsible for or has authority over is called a zone.


Root Server:- A root server is a server whose zone consists of the whole tree. A root server usually does not store any information about domains; it only keeps references to the servers that hold that information.

Primary and Secondary Servers:- DNS defines two types of servers: primary and secondary. A primary server is a server that stores a file about the zone for which it is an authority. It is responsible for creating, maintaining, and updating the zone file. It stores the zone file on a local disk.

A secondary server is a server that transfers the complete information about a zone from another server and stores the file on its local disk. The secondary server neither creates nor updates the zone files. If updating is required, it must be done by the primary server, which sends the updated version to the secondary.


4. DNS IN THE INTERNET

DNS is a protocol that can be used on different platforms. In the Internet, the domain name space (tree) is divided into three different sections:

1. Generic Domains
2. Country Domains
3. Inverse Domains

Generic Domains:- The generic domains define registered hosts according to their generic behavior. Each node in the tree defines a domain, which is an index to the domain name space database. For example: com, org, net.


Country Domains:- The Country Domains section uses two-character country abbreviations. Second labels can be organizational, or they can be more specific, national designations. The United States, for example, uses state abbreviations as a sub-division of us.


Inverse Domains:- The inverse domain is used to map an address to a name. This may happen, for example, when a server has received a request from a client to do a task. Although the server has a file that contains a list of authorized clients, only the IP address of the client is listed. The server asks its resolver to send a query to the DNS server to map the address to a name, to determine if the client is on the authorized list.

This type of query is called an inverse or pointer (PTR) query. To handle a pointer query, the inverse domain is added to the domain name space with the first-level node called arpa. The second level is also one single node named in-addr. The rest of the domain defines IP addresses.

The servers that handle the inverse domain are also hierarchical. This configuration makes the domain look inverted when compared to a generic or country domain. To follow the convention of reading the domain labels from the bottom to the top, an IP address such as 132.34.45.121 is read as 121.45.34.132.in-addr.arpa.
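An added example (not from the report) that builds the inverse-domain name for an address as described above and reverses the construction again; it also extends the text to IPv6, whose pointer names live under ip6.arpa with one reversed hexadecimal nibble per label. The forward_confirmed function is the check a server performing the authorized-client lookup above should add: the owner of an address block controls its PTR records, so the returned name is only trustworthy if a forward lookup of that name leads back to the same address. The resolver callback and all addresses here are constructed for the demonstration.

```python
# Added example, not from the report: inverse-domain names for IPv4 (as in the
# text) and IPv6 (beyond it), and forward confirmation of a PTR answer.
import ipaddress
from typing import Callable, Iterable


def reverse_pointer_name(address: str) -> str:
    """IPv4: octets in reverse order under in-addr.arpa, e.g.
    132.34.45.121 -> 121.45.34.132.in-addr.arpa.
    IPv6: the 32 nibbles of the expanded address, reversed, under ip6.arpa."""
    ip = ipaddress.ip_address(address)          # raises ValueError on malformed input
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")      # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def address_from_pointer_name(name: str) -> str:
    """Inverse of reverse_pointer_name: the address a PTR owner name stands for."""
    labels = name.rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:-2]))))
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        hexdigits = "".join(reversed(labels[:-2]))
        groups = [hexdigits[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError(f"not a complete pointer name: {name!r}")


def forward_confirmed(address: str, claimed_name: str,
                      resolve_addresses: Callable[[str], Iterable[str]]) -> bool:
    """The owner of an address block controls its PTR records, so a PTR answer
    alone proves nothing about who is connecting. Accept the name only if a
    forward lookup of it (the supplied callback) maps back to the address."""
    return address in set(resolve_addresses(claimed_name))


if __name__ == "__main__":
    print(reverse_pointer_name("132.34.45.121"))
    print(reverse_pointer_name("2001:db8::1"))   # documentation prefix, constructed
    # constructed forward table standing in for a real A-record lookup
    table = {"mail.example.com.": ["192.0.2.10"]}
    print(forward_confirmed("192.0.2.10", "mail.example.com.", lambda n: table.get(n, [])))
```

Python's ipaddress module exposes the same construction as the reverse_pointer attribute (without the trailing dot); it is spelled out here so that the reversal the text describes is visible.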


5. RESOLUTION

Mapping a name to an address or an address to a name is called name-address resolution.

Resolver:- DNS is designed as a client-server application. A host that needs to map an address to a name or a name to an address calls a DNS client called a resolver. The resolver accesses the closest DNS server with a mapping request. If the server has the information, it satisfies the resolver; otherwise, it either refers the resolver to other servers or asks other servers to provide the information.

Mapping Names to Addresses:- Most of the time, the resolver gives a domain name to the server and asks for the corresponding address. In this case, the server checks the generic domains or the country domains to find the mapping.

If the domain name is from the generic domains section, the resolver receives a domain name such as “gmail.com”. The query is sent by the resolver to the local DNS server for resolution. If the local server cannot resolve the query, it either refers the resolver to other servers or asks other servers directly.

Mapping Addresses to Names:- A client can send an IP address to a server to be mapped to a domain name. As mentioned before, this is called a PTR query. To answer queries of this kind, DNS uses the inverse domain.

Recursive Resolution:- The client can ask for a recursive answer from a name server. This means that the resolver expects the server to supply the final answer. If the server is the authority for the domain name, it checks its database and responds. If the server is not the authority for the domain, it sends the request to another server and waits for the response. If the parent is the authority, it responds; otherwise, it sends the query to yet another server. When the query is finally resolved, the response travels back until it finally reaches the requesting client.


Iterative Resolution:- If the client does not ask for a recursive answer, the mapping can be done iteratively. If the server is an authority for the name, it sends the answer. If it is not, it returns to the client the address of the server it thinks can resolve the query. The client is responsible for repeating the query to this second server. This process is called iterative because the client repeats the same query to multiple servers.
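The two resolution modes, as an added example rather than code from the report: a toy hierarchy of servers (constructed server names and TEST-NET addresses) in which a server can answer, refer the asker to the next server down the tree, or report that the name does not exist. The query log records who asked whom, and that log is the only difference between the two modes: in recursive resolution each server forwards the query on the client's behalf, in iterative resolution the client itself repeats the query at every referred server.

```python
# Added example, not from the report: recursive versus iterative resolution over
# a constructed hierarchy (local server -> root -> com -> google.com authority).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def in_zone(qname: str, zone: str) -> bool:
    """True when qname lies in the subtree named by zone ('.' is the root)."""
    return zone == "." or qname == zone or qname.endswith("." + zone)


@dataclass
class Server:
    name: str
    records: Dict[str, str] = field(default_factory=dict)           # FQDN -> address
    delegations: Dict[str, "Server"] = field(default_factory=dict)  # child zone -> its server

    def answer(self, qname: str) -> Tuple[str, Optional[str], Optional["Server"]]:
        """('answer', address, None), ('referral', None, server) or ('nxdomain', None, None)."""
        if qname in self.records:
            return "answer", self.records[qname], None
        for zone, server in self.delegations.items():
            if in_zone(qname, zone):
                return "referral", None, server
        return "nxdomain", None, None


def build_hierarchy() -> Server:
    """The client's local server; it knows only the root. All names and the
    192.0.2.10 address are constructed for the demonstration."""
    google = Server("ns.google.com", records={"www.google.com.": "192.0.2.10"})
    com = Server("com-tld", delegations={"google.com.": google})
    root = Server("root", delegations={"com.": com})
    return Server("local", delegations={".": root})


def resolve_recursive(asker: str, server: Server, qname: str,
                      log: List[Tuple[str, str]]) -> Optional[str]:
    """Recursive: the client sends one query and waits; a server that cannot
    answer forwards the query itself and hands back the final answer."""
    log.append((asker, server.name))
    kind, address, referred = server.answer(qname)
    if kind == "referral":
        return resolve_recursive(server.name, referred, qname, log)
    return address          # None when the name does not exist


def resolve_iterative(client: str, server: Server, qname: str,
                      log: List[Tuple[str, str]]) -> Optional[str]:
    """Iterative: a server that is not authoritative only names the next server,
    and the client repeats the same query there."""
    while True:
        log.append((client, server.name))
        kind, address, referred = server.answer(qname)
        if kind != "referral":
            return address
        server = referred


if __name__ == "__main__":
    local = build_hierarchy()
    for mode in (resolve_recursive, resolve_iterative):
        log: List[Tuple[str, str]] = []
        print(mode.__name__, mode("client", local, "www.google.com.", log), log)
```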


6. CACHING

Each time a server receives a query for a name that is not in its domain, it needs to search its database for a server IP address. Reducing this search time would increase efficiency. DNS handles this with a mechanism called caching. When a server asks for a mapping from another server and receives the response, it stores this information in its cache memory before sending it to the client. If the same or another client asks for the same mapping, it checks its cache memory and resolves the query from there.

Caching speeds up resolution, but it can also be problematic. If a server caches a mapping for a long time, it may send an outdated mapping to the client. To counter this, the server always adds information to the mapping called time-to-live (TTL). It defines the time in seconds that the receiving server can cache the information. After that time, the mapping is invalid and any query must be sent again to the server.
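An added example (not from the report) of caching with a TTL: the cache keeps a mapping only until the time-to-live the server attached to it has elapsed, hands clients the remaining time rather than the original value so that they cannot keep the mapping longer than the authoritative server allowed, and sends the query upstream again once the entry has expired. The clock is injected so the expiry can be shown without waiting; names, addresses and TTLs are constructed.

```python
# Added example, not from the report: a TTL-bounded cache in front of an upstream
# server, with an injectable clock so expiry can be demonstrated instantly.
import time
from typing import Callable, Dict, Optional, Tuple


class TTLCache:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._entries: Dict[str, Tuple[str, float]] = {}   # name -> (address, expiry time)

    def put(self, name: str, address: str, ttl: int) -> None:
        if ttl <= 0:                # a TTL of 0 means: do not cache this mapping
            return
        self._entries[name] = (address, self._clock() + ttl)

    def get(self, name: str) -> Optional[Tuple[str, int]]:
        """Cached mapping with the time it has left, or None once the TTL ran out."""
        entry = self._entries.get(name)
        if entry is None:
            return None
        address, expires_at = entry
        remaining = expires_at - self._clock()
        if remaining <= 0:
            del self._entries[name]     # stale: the query must go to the server again
            return None
        # pass on the remaining TTL, not the original one
        return address, int(remaining)


class FakeClock:
    """Manual clock for the demonstration."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def lookup(cache: TTLCache, name: str,
           upstream: Callable[[str], Tuple[str, int]],
           stats: Dict[str, int]) -> Tuple[str, int]:
    """Answer from the cache when possible; otherwise ask the upstream server,
    count that query and cache what it returns."""
    hit = cache.get(name)
    if hit is not None:
        stats["hits"] = stats.get("hits", 0) + 1
        return hit
    address, ttl = upstream(name)
    stats["upstream"] = stats.get("upstream", 0) + 1
    cache.put(name, address, ttl)
    return address, ttl


def demo() -> Dict[str, int]:
    """Three lookups of one name: a miss, a hit 10 s later, a miss after expiry."""
    clock = FakeClock()
    cache = TTLCache(clock)
    stats: Dict[str, int] = {}
    upstream = lambda name: ("192.0.2.10", 300)     # constructed authoritative answer
    lookup(cache, "gmail.com.", upstream, stats)    # goes upstream
    clock.advance(10)
    lookup(cache, "gmail.com.", upstream, stats)    # served from cache, 290 s left
    clock.advance(300)
    lookup(cache, "gmail.com.", upstream, stats)    # expired: goes upstream again
    return stats


if __name__ == "__main__":
    print(demo())
```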

7. DNS MESSAGES

DNS has two types of messages:

a. Query
b. Response

The query message consists of a header and a question section. The response message consists of a header, a question section, an answer section, an authoritative section, and an additional section.

Query message: Header | Question section
Response message: Header | Question section | Answer section | Authoritative section | Additional section


Header:- Both query and response messages have the same header format. The header is 12 bytes and its format is shown below:

Identification | Flags
Number of question records | Number of answer records
Number of authoritative records | Number of additional records

The header fields are as follows:

1. Identification:-This is a 16-bit field used by the client to match the response with the query.

2. Flags:- This is a 16-bit field consisting of the following subfields:

QR | Opcode | AA | TC | RD | RA | Three 0's | rCode

QR (query/response):- This is a 1-bit subfield that defines the type of message (query or response).

Opcode:- This is a 4-bit subfield that defines the type of query or response.

AA:- This is a 1-bit subfield that indicates whether the server is an authoritative server.

RD:- This is a 1-bit subfield that indicates whether the query is recursive.

RA:- This is a 1-bit subfield that indicates whether recursion is available.

Reserved:- This is a 3-bit subfield set to 000.

rCode:- This is a 4-bit subfield that shows the error status of the response.


Question Section:- This section consists of one or more questions.

Answer Section:- It is present only in response messages. This section consists of one or more answers.

Authoritative Section:- This section consists of one or more resource records that identify the authoritative servers for the query.

Additional Information Section:- This section consists of one or more resource records. It is present only in response messages. This section provides additional information that may help the resolver.
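An added example (not code from the report) that packs and parses the header and sections described above with Python's struct module, then uses the identification field for its stated purpose: a response is accepted only if it is flagged as a response, carries the identification of the outstanding query and repeats that query's question section; a message failing the check is dropped rather than trusted, which is the resolver's first defence against a bogus response. The decode_name function also handles the name compression pointers that real responses contain (the 0xC0 byte in the sample answer), which the text does not cover. The query and response bytes are constructed, not captured.

```python
# Added example, not from the report: the 12-byte header, the sections after it,
# and the identification check a resolver applies to every response.
import struct
from collections import namedtuple
from typing import List, Tuple

HEADER_LEN = 12
Header = namedtuple("Header",
                    "id qr opcode aa tc rd ra z rcode qdcount ancount nscount arcount")


def parse_header(data: bytes) -> Header:
    if len(data) < HEADER_LEN:
        raise ValueError("message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", data[:HEADER_LEN])
    # flags, most significant bit first: QR(1) Opcode(4) AA(1) TC(1) RD(1) RA(1) Z(3) rCode(4)
    return Header(ident, (flags >> 15) & 1, (flags >> 11) & 0xF, (flags >> 10) & 1,
                  (flags >> 9) & 1, (flags >> 8) & 1, (flags >> 7) & 1,
                  (flags >> 4) & 0x7, flags & 0xF, qd, an, ns, ar)


def build_query(ident: int, name: str, rd: int = 1) -> bytes:
    """Query for the A record of name: header with RD set, then one question."""
    header = struct.pack("!6H", ident, rd << 8, 1, 0, 0, 0)
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def decode_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Read a name at offset, following compression pointers (top two bits 11)
    only backwards, which also rules out loops. Returns the name and the
    offset just after it in the original byte stream."""
    labels: List[str] = []
    resume = None                       # position after the first pointer seen
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        if length & 0xC0 == 0xC0:
            if offset + 1 >= len(data):
                raise ValueError("truncated name")
            target = ((length & 0x3F) << 8) | data[offset + 1]
            if target >= offset:
                raise ValueError("forward compression pointer")
            resume = offset + 2 if resume is None else resume
            offset = target
            continue
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", resume if resume is not None else offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def _read_records(data: bytes, offset: int, count: int):
    records = []
    for _ in range(count):
        name, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        if len(rdata) != rdlength:
            raise ValueError("truncated resource record")
        offset += rdlength
        records.append((name, rtype, rclass, ttl, rdata))
    return records, offset


def parse_message(data: bytes):
    """(header, questions, answers, authoritative, additional)."""
    header = parse_header(data)
    offset, questions = HEADER_LEN, []
    for _ in range(header.qdcount):
        qname, offset = decode_name(data, offset)
        questions.append((qname,) + struct.unpack("!HH", data[offset:offset + 4]))
        offset += 4
    answers, offset = _read_records(data, offset, header.ancount)
    authoritative, offset = _read_records(data, offset, header.nscount)
    additional, _ = _read_records(data, offset, header.arcount)
    return header, questions, answers, authoritative, additional


def response_matches_query(query: bytes, response: bytes) -> bool:
    """Accept a response only if it is flagged as one, carries the identification
    of the query sent and repeats that query's question section."""
    qh, qq, *_ = parse_message(query)
    rh, rq, *_ = parse_message(response)
    return rh.qr == 1 and rh.id == qh.id and rq == qq


SAMPLE_RESPONSE = bytes.fromhex(          # constructed response to "gmail.com A"
    "1234" "8180" "0001" "0001" "0000" "0000"           # id 0x1234; QR, RD, RA; 1 question, 1 answer
    "05" "676d61696c" "03" "636f6d" "00" "0001" "0001"  # question: gmail.com, type A, class IN
    "c00c" "0001" "0001" "0000012c" "0004" "c000020a"   # answer: name pointer to offset 12, TTL 300, 192.0.2.10
)
```

Running parse_message(SAMPLE_RESPONSE) yields a header with qr=1, rd=1, ra=1, rcode=0 and one answer record whose rdata is the four bytes of 192.0.2.10; response_matches_query(build_query(0x1234, "gmail.com"), SAMPLE_RESPONSE) is True, while a query with any other identification or question is rejected.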

8. HOW ARE NEW DOMAINS ADDED TO DNS

New domains are added to DNS through a registrar, a commercial entity accredited by ICANN. A registrar first verifies that the requested domain name is unique and then enters it into the DNS database. A fee is charged. Today, there are many registrars; their names and addresses can be found at http://www.intenic.net. To register, the organization needs to give the name of its server and the IP address of the server.

9. DDNS

In DNS, when there is a change, such as adding a new host, removing a host, or changing an IP address, the change must be made to the DNS master file. In the Dynamic Domain Name System (DDNS), when a binding between a name and an address is determined, the information is sent, usually by DHCP, to a primary DNS server. The primary server updates the zone. The secondary servers are notified either actively or passively.


10. SECURITY OF DNS

DNS is one of the most important systems in the Internet infrastructure; it provides crucial services to Internet users. DNS can be attacked in several ways, including:

1. The attacker may read the response of a DNS server to find the nature or name of the sites the user mostly accesses. This type of information can be used to build the user's profile. To prevent this attack, DNS messages need to be confidential.

2. The attacker may intercept the response of a DNS server and change it, or create a totally new bogus response, to direct the user to the site or domain the attacker wishes the user to access. This type of attack can be prevented using message origin authentication and message integrity.

3. The attacker may flood the DNS server to crash it. This type of attack can be prevented using the provisions against denial-of-service attacks.

To protect DNS, the IETF has devised a technology named DNS Security (DNSSEC) that provides message origin authentication and message integrity using a security service called digital signature.

11. OTHER APPLICATIONS AND FUTURE SCOPE

1. Mail transfer agents use DNS to find out where to deliver e-mail for a particular address.
2. Software updates.
3. Dynamic DNS provides clients the ability to update their IP address.
4. In future, DNS may be used for mapping telephone numbers to IP addresses.


12. BIBLIOGRAPHY

1. Behrouz A. Forouzan.
2. THE INTERNET by K.L. James.
3. Wikipedia
