domain name system cs249i - modern internet fall 2021 stanford
Domain Name System: Part One
CS249i - Modern Internet
Stanford
Fall 2021
Gautam Akiwate
Goal
Understand the rationale and operational workings of the Domain Name System (DNS).
Problem
● Communication on the Internet via IP
● Hard to remember IP addresses
● Easier to remember names.
  ○ Slightly harder to type them in correctly!
● Map Names to IP addresses
  ○ theo → 35.186.238.101
Centralized Solution: Historical Solution
● hosts.txt file that has mappings for all hosts
  ○ organization : host → IP address
  ○ /etc/hosts
● Stanford Research Institute (SRI) kept main copy
  ○ Single place to update records
  ○ Download hosts.txt file periodically
● Problems
  ○ Fragile
  ○ Hard to scale
  ○ Hard to keep in sync
Decentralized Solution: Intuition
One flat file:
  hosts.txt: organization : host → IP address
Split the file by organization:
  hosts.txt: organization → IP address of organization.txt
  organization.txt: host → IP address
Replace the files with servers:
  root nameserver: organization → IP address of organization nameserver
  organization nameserver: host → IP address
Hierarchical Namespace
Life of a DNS Query
DNS Query Anatomy
DNS Query Anatomy
Rcode  Message   Function
0      NOERROR   Query Successful
2      SERVFAIL  Server failed to complete request
3      NXDOMAIN  Domain name does not exist
4      NOTIMP    Function not implemented
5      REFUSED   The server refused to answer the query
DNS Query Anatomy
● Query Name (QNAME) -- Domain to resolve!
● Query Class (QCLASS)
  ○ CHAOS -- Used for debugging
  ○ IN -- Internet
● Query Type (QTYPE)
  ○ NS -- Authoritative nameserver for domain
  ○ A -- IPv4 Address
  ○ AAAA -- IPv6 Address
  ○ MX -- Mail Exchange Records
DNS Query Anatomy
● TTL -- How long to cache answer
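As an added worked example (not code from the lecture), the wire format behind these slides: a query for the name theo from the Problem slide is built, and constructed responses are decoded, mapping the header flags and code points back to the Rcode, QTYPE and QCLASS names above. The lookup tables, the 35.186.238.101 answer with TTL 300 and the NXDOMAIN reply are all constructed for this example.

```python
import struct
# Code points named on the slides (lookup tables constructed for this example).
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPES = {1: "A", 2: "NS", 15: "MX", 28: "AAAA"}
QCLASSES = {1: "IN", 3: "CHAOS"}

def encode_name(name):
    # 'theo.example' -> 04 'theo' 07 'example' 00: length-prefixed labels, zero terminator.
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.rstrip(".").split(".") if lbl) + b"\x00"

def build_query(txid, qname, qtype=1, qclass=1):
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0; then one question.
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, qclass)

def decode_name(msg, off):
    """Read a name at off, following 0xC0 compression pointers; returns (name, offset after the name)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # pointer: 14-bit offset of an earlier copy of the name
            end = end or off + 2                     # the name field itself ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end or off)

def parse_message(msg):
    """Decode header and question; when ANCOUNT > 0 also return the first answer's TTL and rdata."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    out = {"id": txid, "response": bool(flags & 0x8000), "rcode": RCODES.get(flags & 0xF, flags & 0xF),
           "qname": qname, "qtype": QTYPES.get(qtype, qtype), "qclass": QCLASSES.get(qclass, qclass)}
    if an:
        _, off = decode_name(msg, off + 4)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        out["ttl"] = ttl
        out["answer"] = ".".join(map(str, rdata)) if rtype == 1 else rdata
    return out

# Constructed sample exchange: A/IN query for theo, a response with 35.186.238.101 and TTL 300 (answer name
# compressed as a pointer to offset 12), and an NXDOMAIN response carrying no answers.
QUERY = build_query(0x1234, "theo")
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:]
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([35, 186, 238, 101]))
NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUERY[12:]
```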
Caching
● Cache DNS Responses
  ○ Reduces load
  ○ Improves latency
  ○ Reuse of previous queries
● Negative Caching
● How long to cache?
  ○ Time To Live (TTL)
“The caching discipline of the DNS works well, and given the unexpectedly bad performance of the Internet, was essential to the success of the system.”
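An added example, not part of the lecture, of the caching discipline on this slide: a resolver-side cache keyed by name and type that expires entries by TTL and negatively caches NXDOMAIN answers, with the negative lifetime capped at an assumed maximum (real resolvers derive it from the zone's SOA per RFC 2308). The injectable clock and the upstream callable are testing conveniences, not part of any real resolver API.

```python
import time

class DnsCache:
    """Resolver-side cache keyed by (qname, qtype); honours answer TTLs and caches NXDOMAIN too."""

    def __init__(self, max_negative_ttl=300, clock=time.monotonic):
        self.clock = clock                        # injectable so expiry can be tested without sleeping
        self.max_negative_ttl = max_negative_ttl  # assumed cap; RFC 2308 derives it from the zone SOA
        self.entries = {}                         # (qname, qtype) -> (expires_at, rcode, rdata)
        self.hits = self.misses = 0

    def put(self, qname, qtype, rcode, rdata, ttl):
        """Positive answers live for their TTL; NXDOMAIN is cached up to the cap; errors are not cached."""
        if rcode == "NXDOMAIN":
            ttl = min(ttl, self.max_negative_ttl)
        elif rcode != "NOERROR":
            return                                # SERVFAIL / REFUSED are not answers worth reusing
        key = (qname.lower().rstrip("."), qtype) # names are case-insensitive; trailing dot is cosmetic
        self.entries[key] = (self.clock() + ttl, rcode, list(rdata))

    def get(self, qname, qtype):
        """Return (rcode, rdata, remaining TTL) or None; expired entries are evicted lazily on lookup."""
        key = (qname.lower().rstrip("."), qtype)
        entry = self.entries.get(key)
        if entry is None or entry[0] <= self.clock():
            self.entries.pop(key, None)
            self.misses += 1
            return None
        self.hits += 1
        return entry[1], entry[2], int(entry[0] - self.clock())

def resolve(cache, upstream, qname, qtype):
    """Answer from cache when possible; otherwise ask `upstream` (a callable) and cache what it returns."""
    cached = cache.get(qname, qtype)
    if cached is not None:
        return cached
    rcode, rdata, ttl = upstream(qname, qtype)
    cache.put(qname, qtype, rcode, rdata, ttl)
    return rcode, rdata, ttl
```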
Live Demo
Discussion
● Failures
● Reliability
● Integrity
● Confidentiality
Discussion: Failures
● Why can a DNS query fail?
● Misconfiguration?
  ○ Typos
  ○ Misconfigured authoritative nameserver
● Hardware/Network Failures
  ○ Unreachable Nameserver
● Large Traffic Volume
  ○ DoS Attacks
Discussion: Reliability
● Why use UDP? Why not TCP?
● Reliability through replication
  ○ Two authoritative nameservers per domain
  ○ What about root servers? TLD authoritative NS?
● Reliability across the entire life cycle?
Root Servers
● Only 13 root servers?
https://blog.verisign.com/security/verisign-perspective-root-server-attacks/
Anycast Primer
Recursive Resolvers
● Typically assigned by DHCP. Defaults to ISP nameservers.
● Recent shift to large public resolvers.
  ○ Smaller ISPs default to using Google Public DNS.
● Google, Cloudflare, OpenDNS, Quad9 -- Also use anycast.
● Why use large public resolvers?
  ○ Can queries still be intercepted? Modified?
Discussion: Reliability
● Why use UDP? Why not TCP?
● Reliability through replication
  ○ Two authoritative nameservers per domain
  ○ What about root servers? TLD authoritative NS?
● Reliability across the entire life cycle?
● Anycast adds another layer of reliability across the query life cycle!
Discussion: Integrity
● Minimal security considerations in original DNS design.
● How to guarantee integrity of response?
  ○ Guarantee response has not been modified.
● But in order to do that, how to extend DNS?
Extension Mechanisms for DNS (EDNS)
● Adds an additional section to the end of a DNS packet.
● Old resolvers and nameservers skip the EDNS section.
● Used to implement DNSSEC and ECS.
DNS Security Extensions (DNSSEC)
● Add signature to DNS Records
  ○ Validate signature to ensure integrity of response
● Low adoption rate
  ○ Complicated to deploy
● Not all resolvers support DNSSEC.
  ○ Public DNS Resolvers support DNSSEC
EDNS Client Subnet (ECS)
● CDNs with large number of PoPs.
● How to ensure response is mapped to closest PoP for client?
● ECS allows recursive resolvers to supply the prefix of client IP
  ○ 137.110.222.10 → 137.110.222.0/24
https://blog.cloudflare.com/introducing-regional-services/
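An added example (not from the lecture or the linked Cloudflare post) of the prefix truncation on this slide: 137.110.222.10 is encoded as the /24 inside an EDNS Client Subnet option (option code 8, RFC 7871), wrapped in the OPT pseudo-RR that EDNS appends, and on the receiving side any option that carries more address bits than its stated prefix is rejected, since that prefix is the privacy boundary ECS is meant to keep. The default prefix lengths (24 for IPv4, 56 for IPv6) are assumed resolver defaults, and the 1232-byte UDP payload size is an assumption too.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8              # EDNS option code assigned to Client Subnet (RFC 7871)
FAMILY = {4: 1, 6: 2}            # address family field: 1 = IPv4, 2 = IPv6
DEFAULT_PREFIX = {4: 24, 6: 56}  # assumed resolver defaults for how much of the client address to reveal

def build_ecs_option(client_ip, source_prefix_len=None):
    """Truncate client_ip to a prefix and encode it as the ECS option a recursive resolver would send."""
    ip = ipaddress.ip_address(client_ip)
    source = DEFAULT_PREFIX[ip.version] if source_prefix_len is None else source_prefix_len
    net = ipaddress.ip_network(f"{ip}/{source}", strict=False)        # 137.110.222.10/24 -> 137.110.222.0/24
    addr = net.network_address.packed[:(source + 7) // 8]              # only the octets the prefix needs
    body = struct.pack("!HBB", FAMILY[ip.version], source, 0) + addr  # SCOPE PREFIX-LENGTH is 0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body

def parse_ecs_option(data):
    """Decode an ECS option, rejecting any that carries more address bits than SOURCE PREFIX-LENGTH allows."""
    code, length = struct.unpack("!HH", data[:4])
    family, source, scope = struct.unpack("!HBB", data[4:8])
    if code != ECS_OPTION_CODE or family not in (1, 2):
        raise ValueError("not a well-formed ECS option")
    addr = data[8:4 + length]
    if len(addr) != (source + 7) // 8:
        raise ValueError("address field length does not match the source prefix length")
    ip = ipaddress.ip_address(addr.ljust(4 if family == 1 else 16, b"\x00"))
    net = ipaddress.ip_network(f"{ip}/{source}", strict=False)
    if ip != net.network_address:
        raise ValueError("host bits set beyond the stated prefix")
    return str(net), scope

def build_opt_rr(options, udp_payload_size=1232):
    """Wrap EDNS options in the OPT pseudo-RR (owner name '.', type 41) that goes in the additional section."""
    return b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0, len(options)) + options
```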
Discussion: Confidentiality
● Are DNS queries confidential?
● Can we do better?
QName Minimization
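An added simulation, not code from the lecture, that ties the delegation intuition from the earlier slides (root nameserver → organization nameserver → host) and the life of a DNS query to QName Minimization: an iterative resolver walks a constructed in-memory delegation tree and records which name each server gets to see, with and without minimization. Zone contents and server names are constructed, and the root here answers an NS query directly rather than through a referral, which is a simplification.

```python
# Constructed delegation tree: every server knows only its own zone. The root knows where "com" is
# served, the com server knows where "example.com" is served, and the organization server holds the hosts.
ZONES = {
    ".":           {"NS": {"com": "ns.com-tld"}},
    "com":         {"NS": {"example.com": "ns.example.com"}},
    "example.com": {"NS": {}, "A": {"www.example.com": "192.0.2.10"}},
}
NAMESERVERS = {"root": ".", "ns.com-tld": "com", "ns.example.com": "example.com"}

def ask(server, qname, qtype):
    """Authoritative behaviour: answer from the zone, else refer to a delegated child, else NXDOMAIN.
    Simplification: the root answers an NS query for "com" directly instead of returning a referral."""
    zone = ZONES[NAMESERVERS[server]]
    if qname in zone.get(qtype, {}):
        return "ANSWER", zone[qtype][qname]
    for child, ns in zone["NS"].items():
        if qname == child or qname.endswith("." + child):
            return "REFERRAL", ns
    return "NXDOMAIN", None

def resolve(qname, qtype="A", minimize=False, max_hops=8):
    """Iterative resolution from the root. Returns (answer or None, [(server, name it was sent), ...])."""
    labels, server, trace = qname.split("."), "root", []
    for _ in range(max_hops):
        if minimize:
            # Send each server only the next label below its zone (as an NS query) rather than the
            # full name, so the root and TLD servers never learn the host part of the query.
            zone = NAMESERVERS[server]
            depth = 0 if zone == "." else zone.count(".") + 1
            name = ".".join(labels[-(depth + 1):])
            sent_type = qtype if name == qname else "NS"
        else:
            name, sent_type = qname, qtype
        trace.append((server, name))
        status, data = ask(server, name, sent_type)
        if status == "NXDOMAIN":
            return None, trace
        if status == "ANSWER" and name == qname and sent_type == qtype:
            return data, trace
        server = data   # a referral, or the NS answer to a minimized query: step down one level
    return None, trace
```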
Encryption: DoH/DoT
● DNS over HTTPS
● DNS over TLS
● Encrypted queries to recursive resolver?
● Confidentiality? From whom?
● What about ECS?
Questions?