DNS: Domain Name System

Academic year: 2021

(1)

DNS: Domain Name System

CMPSCI 491G: Computer Networking Lab

V. Arun

(2)

Domain Name System:

•  distributed database implemented in hierarchy of many name servers
•  application-layer protocol: hosts, name servers communicate to resolve names → addresses
   –  note: core Internet function, implemented as application-layer protocol
   –  “complexity at network’s edge”

DNS: domain name system

people: many identifiers:
   –  SSN, name, passport #

Internet hosts, routers:
   –  IP address (32 bit) - used for addressing datagrams
   –  “name”, e.g., www.yahoo.com - used by humans

Q: how to map between IP address and name, and vice versa?

Application Layer 2-2

(3)

DNS: services, structure

why not centralize DNS?
•  single point of failure
•  traffic volume
•  distant centralized database
•  maintenance

DNS services
•  Resolution
   –  hostname → IP address
•  Aliasing
   –  canonical, alias names
   –  mail server aliasing
•  Load balancing with replicated web servers:
   –  many addresses map to one name

(4)

Before there was DNS …. there was the HOSTS.TXT file

•  Before DNS (until 1985), name resolution was done by FTP’ing a single file (hosts.txt) from a central server.
   –  Names in hosts.txt are not structured.
   –  hosts.txt still works on most operating systems. It can be used to define local names.

(5)

Design principle of DNS

•  DNS naming system based on a hierarchical and logical tree structure called domain namespace.
•  An organization obtains authority for parts of the name space, and can add additional layers of the hierarchy
•  Names of hosts can be assigned without regard to location on a link layer network, IP network or autonomous system
•  In practice, allocation of the domain names generally follows the allocation of IP addresses, e.g.,
   –  All hosts with network prefix 128.119/16 have domain name suffix umass.edu
   –  All hosts on network 128.119.240/24 are in the School of Computer Science at UMass Amherst.

(6)

DNS Name hierarchy

•  DNS hierarchy can be represented by a tree
•  Root and top-level domains are administered by an Internet central name registration authority (ICANN)
•  Below top-level domain, administration of name space is delegated to organizations
•  Each organization can delegate further

[Figure: DNS name tree]
. (root)
  com, gov, edu, org            (Top-level Domains)
  edu
    toronto.edu                 (Managed by UofT)
      ece.toronto.edu           (Managed by ECE Dept.)
        neon.ece.toronto.edu
      math.toronto.edu
    uci.edu

(7)

Domain name system

•  Each node in the DNS tree represents a DNS name
•  Each branch below a node is a DNS domain.
   –  DNS domain can contain hosts or other domains (subdomains)
•  Example: DNS domains are ., edu, virginia.edu, cs.virginia.edu

[Figure: DNS tree]
.
  edu
    virginia.edu
      www.virginia.edu
      cs.virginia.edu
        neon.cs.virginia.edu

(8)

Top-level domains

•  Three types of top-level domains:
   –  Organizational: 3-character code indicates the function of the organization
      •  Used primarily within the US
      •  Examples: gov, mil, edu, org, com, net
   –  Geographical: 2-character country or region code
      •  Examples: us, va, jp, de
   –  Expanded top-level domains (gTLDs)
      •  Essentially arbitrary TLDs
   –  Reverse domains: A special domain (in-addr.arpa) used for

(9)

Organizational top-level domains

com   Commercial organizations
edu   Educational institutions
gov   Government institutions
int   International organizations
mil   U.S. military institutions
net   Networking organizations
org   Non-profit organizations

(10)

Hierarchy of name servers

•  The resolution of the hierarchical name space is done by a hierarchy of name servers
•  Each server is responsible (authoritative) for a contiguous portion of the DNS namespace, called a zone.
•  Zone is a part of the subtree
•  DNS server answers queries about hosts in its zone

[Figure: hierarchy of name servers]
root server
  com server, gov server, edu server, org server
  edu server
    uci.edu server, .virginia.edu server
    .virginia.edu server
      cs.virginia.edu server

(11)

Authority and delegation

•  Authority for the root domain is with the Internet Corporation for Assigned Names and Numbers (ICANN)
•  ICANN delegates to accredited registrars (for gTLDs) and countries for country code top level domains (ccTLDs)
•  Authority can be delegated further
•  Chain of delegation can be obtained by reading domain name from right to left.

(12)

DNS domain and zones

•  Each zone is anchored at a specific domain node, but zones are not domains.
•  A DNS domain is a branch of the namespace
•  A zone is a portion of the DNS namespace generally stored in a file (could consist of multiple nodes)
•  A server can divide part of its zone and delegate it to other servers

[Figure: domains and zones]
. (root)
  .edu
    .virginia.edu          (labelled “Zone and domain”)
      cs.virginia.edu      (labelled “Zone”)
      math.virginia.edu
    .uci.edu
(the whole branch below a node is labelled “Domain”)

(13)

Primary and secondary name servers

•  For each zone, there must be a primary name server and a secondary name server
   –  The primary server (master server) maintains a zone file which has information about the zone. Updates are made to the primary server
   –  The secondary server copies data stored at the primary server.

Adding a host:
•  When a new host is added (“gold.cs.virginia.edu”) to a zone, the administrator adds the IP information on the host (IP address and name) to a configuration file on the primary server

(14)

DNS resolution: distributed, hierarchical

[Figure: Root DNS Servers → Top-level domain servers (com DNS servers, org DNS servers, edu DNS servers, … …) → authoritative servers: yahoo.com DNS servers, amazon.com DNS servers (under com); pbs.org DNS servers (under org); poly.edu DNS servers, umass.edu DNS servers (under edu)]

client wants IP for www.amazon.com; 1st approx:
•  client queries root server to find .com TLD DNS server
•  client queries .com TLD DNS server for amazon.com auth server
•  client queries amazon.com DNS auth server to get IP address for www.amazon.com

(15)

DNS: root name servers

•  contacted when no info about top-level or auth server
•  root name server can:
   –  return top-level or auth name server address
   –  or contact auth server and return final resolved address

13 “root name servers” worldwide
a. Verisign, Los Angeles CA (5 other sites)
b. USC-ISI Marina del Rey, CA
c. Cogent, Herndon, VA (5 other sites)
d. U Maryland College Park, MD
e. NASA Mt View, CA
f. Internet Software C. Palo Alto, CA (and 48 other sites)
g. US DoD Columbus, OH (5 other sites)
h. ARL Aberdeen, MD
i. Netnod, Stockholm (37 other sites)
j. Verisign, Dulles VA (69 other sites)
k. RIPE London (17 other sites)
l. ICANN Los Angeles, CA (41 other sites)
m. WIDE Tokyo (5 other sites)

(16)

TLD, authoritative servers

top-level domain (TLD) servers:
   –  responsible for com, org, net, edu, aero, jobs, museums, and all top-level country domains, e.g.: uk, fr, ca, jp
   –  Network Solutions maintains servers for .com TLD
   –  Educause for .edu TLD

authoritative DNS servers:
   –  organization’s own DNS server(s), providing authoritative hostname to IP mappings for organization’s named hosts

(17)

Local DNS name server

•  does not strictly belong to hierarchy
•  deployed by ISP (residential, company, university)
   –  also called “default name server”
•  acts as proxy between host and DNS hierarchy
   –  has local cache of recent name-to-address translation

(18)

DNS name resolution example

•  host at cis.poly.edu wants IP address for gaia.cs.umass.edu

iterated query:
•  contacted server replies with name of server to contact
•  “I don’t know this name, but ask this server”

[Figure: iterated query. Participants: requesting host cis.poly.edu, local DNS server dns.poly.edu, root DNS server, TLD DNS server, authoritative DNS server dns.cs.umass.edu. Steps: 1 host → local server; 2 local → root; 3 root → local (referral); 4 local → TLD; 5 TLD → local (referral); 6 local → authoritative; 7 authoritative → local (answer); 8 local → host]

(19)

DNS name resolution example

recursive query:
•  puts burden of name resolution on contacted name server
•  heavy load at upper levels of hierarchy?

[Figure: recursive query. Same participants: requesting host cis.poly.edu, local DNS server dns.poly.edu, root DNS server, TLD DNS server, authoritative DNS server dns.cs.umass.edu. Steps: 1 host → local server; 2 local → root; 3 root → TLD; 4 TLD → authoritative; 5 authoritative → TLD; 6 TLD → root; 7 root → local; 8 local → host]

(20)

DNS: caching, updating records

•  any name server can cache learned mappings
   –  cache entries timeout (disappear) after some time (TTL)
   –  TLD servers typically cached in local name servers, so root name servers not often visited
•  cached entries may be out-of-date (best effort name-to-address translation!)
   –  if name host changes IP address, may not be known Internet-wide until all TTLs expire
•  update/notify mechanisms proposed IETF standard
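The iterated resolution of the two preceding examples and the caching described on this slide, as one added Python example that is not part of the original slides. The server names follow the figures (root, edu TLD, dns.cs.umass.edu); the umass.edu delegation level, the host addresses and the TTLs are constructed for the example. Each server answers from its own zone data or refers the asker to the longest matching delegated sub-zone (the right-to-left delegation chain of the earlier slides); the local server walks those referrals and caches both answers and referrals for their TTL, so a second lookup hits the cache and a later lookup in the same zone skips the root and TLD servers.

```python
import time

# Constructed toy hierarchy for the slide's example. Server names follow the figure;
# the addresses are made up for the example, not real ones.
# Each server holds (name, type) -> (value, ttl). An NS record is a referral
# ("I don't know this name, but ask this server"); an A record is an answer.
SERVERS = {
    "root DNS server": {
        ("edu.", "NS"): ("edu TLD DNS server", 172800),
    },
    "edu TLD DNS server": {
        ("umass.edu.", "NS"): ("dns.umass.edu", 172800),
    },
    "dns.umass.edu": {                       # umass.edu delegates cs.umass.edu further down
        ("cs.umass.edu.", "NS"): ("dns.cs.umass.edu", 86400),
    },
    "dns.cs.umass.edu": {                    # authoritative for the cs.umass.edu zone
        ("gaia.cs.umass.edu.", "A"): ("10.0.2.10", 3600),
        ("neon.cs.umass.edu.", "A"): ("10.0.2.11", 3600),
    },
}


def server_reply(server, qname, qtype):
    """What a server in the hierarchy answers: the record if the name is in its zone data,
    otherwise a referral to the name server of the longest matching delegated sub-zone."""
    records = SERVERS[server]
    if (qname, qtype) in records:
        return "answer", qname, qtype, records[(qname, qtype)]
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):              # read the name right to left: the delegation chain
        zone = ".".join(labels[i:]) + "."
        if (zone, "NS") in records:
            return "referral", zone, "NS", records[(zone, "NS")]
    return "nxdomain", qname, qtype, None


class LocalResolver:
    """Local (default) name server: iterated queries plus a TTL-bounded cache."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.cache = {}                        # (name, type) -> (value, expiry time)

    def _cached(self, name, rtype):
        hit = self.cache.get((name, rtype))
        if hit and hit[1] > self.clock():
            return hit[0]
        self.cache.pop((name, rtype), None)    # expired entries disappear
        return None

    def _remember(self, name, rtype, value, ttl):
        self.cache[(name, rtype)] = (value, self.clock() + ttl)

    def _starting_server(self, qname):
        """Start at the closest cached referral, so root and TLD servers are rarely visited."""
        labels = qname.rstrip(".").split(".")
        for i in range(len(labels)):
            ns = self._cached(".".join(labels[i:]) + ".", "NS")
            if ns:
                return ns
        return "root DNS server"

    def resolve(self, qname, qtype="A"):
        """Returns (value or None, list of servers contacted in order)."""
        trace = []
        value = self._cached(qname, qtype)
        if value:
            return value, trace
        server = self._starting_server(qname)
        while True:
            trace.append(server)
            kind, name, rtype, rr = server_reply(server, qname, qtype)
            if kind == "nxdomain":
                return None, trace
            self._remember(name, rtype, rr[0], rr[1])   # cache both answers and referrals
            if kind == "answer":
                return rr[0], trace
            server = rr[0]                               # referral: ask the server we were pointed to


def demo():
    """Four lookups with a controllable clock; returns (value, servers contacted) for each."""
    clock = [0.0]
    resolver = LocalResolver(clock=lambda: clock[0])
    first = resolver.resolve("gaia.cs.umass.edu.")      # full walk: root, TLD, umass.edu, cs.umass.edu
    second = resolver.resolve("gaia.cs.umass.edu.")     # A record served from cache, no server contacted
    third = resolver.resolve("neon.cs.umass.edu.")      # cached referral: only the authoritative server
    clock[0] += 4000                                    # A records (ttl 3600) expire, NS records do not
    fourth = resolver.resolve("gaia.cs.umass.edu.")     # stale answer gone, referral still cached
    return first, second, third, fourth
```

The injectable clock is what makes the TTL behaviour testable: after the A record's 3600-second TTL has passed the cached answer is discarded and re-fetched, while the longer-lived NS referral keeps the resolver from going back to the root, which is exactly the "root name servers not often visited" effect the slide describes. Until that TTL expires, a host that changed address is still answered with the old one, the best-effort limitation the slide points out.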

(21)

DNS records

DNS: distributed db storing resource records (RR)

RR format: (name, value, type, ttl)

type=A
   –  name is hostname
   –  value is IP address

type=NS
   –  name is domain (e.g., foo.com)
   –  value is hostname of authoritative name server for this domain

type=CNAME
   –  name is alias name for some “canonical” (the real) name
   –  www.ibm.com is really servereast.backup2.ibm.com
   –  value is canonical name

type=MX
   –  value is name of mailserver

(22)

DNS protocol, messages

•  query and reply messages, both with same message format

msg header
•  identification: 16 bit # for query, reply to query uses same #
•  flags:
   –  query or reply
   –  recursion desired
   –  recursion available
   –  reply is authoritative

[Figure: message format]
identification          | flags
# questions             | # answer RRs
# authority RRs         | # additional RRs
questions (variable # of questions)
answers (variable # of RRs)
authority (variable # of RRs)
additional info (variable # of RRs)

(23)

DNS protocol, messages

[Figure: same message format, annotated]
questions (variable # of questions): name, type fields for a query
answers (variable # of RRs): RRs in response to query
authority (variable # of RRs): records for authoritative servers
additional info (variable # of RRs): additional “helpful” info that may be used
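The message format on these two slides, as an added Python example that is not part of the original slides. It packs a query with the 16-bit identification and the recursion-desired flag, builds an authoritative reply (same identification, QR and AA flags, the answer name written as a compression pointer to the question), parses all sections back into the deck's (name, value, type, ttl) tuples, and applies the check a resolver makes before trusting a reply: it must be a reply, carry the identification of the outstanding query and repeat the same question. The PC4.mylab.com address comes from the zone file later in the deck; the identification values are constructed.

```python
import struct

# RR types and header flag bits (RFC 1035 values)
TYPE_A, TYPE_NS, TYPE_CNAME = 1, 2, 5
CLASS_IN = 1
FLAG_QR, FLAG_AA, FLAG_RD = 0x8000, 0x0400, 0x0100


def encode_name(name):
    """Dotted name -> length-prefixed labels terminated by a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(label)]) + label.encode("ascii")
    return bytes(out) + b"\x00"


def decode_name(msg, offset):
    """Read a name at offset, following compression pointers.
    Returns (dotted name with trailing '.', offset just after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # 2-byte pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            hops += 1
            if hops > 32:                               # refuse pointer loops in malformed input
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def build_query(ident, name, qtype=TYPE_A):
    """12-byte header (six 16-bit fields) + one question; RD asks the local server to recurse."""
    header = struct.pack("!HHHHHH", ident, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_reply(query, answers):
    """Authoritative reply: same id, QR and AA set, question echoed, one A RR per (ip, ttl).
    0xC00C is a compression pointer to the question name, which always starts at offset 12."""
    ident, flags = struct.unpack_from("!HH", query, 0)
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack("!HHHHHH", ident, FLAG_QR | FLAG_AA | (flags & FLAG_RD),
                         1, len(answers), 0, 0)
    msg = header + question
    for ip, ttl in answers:
        rdata = bytes(int(p) for p in ip.split("."))
        msg += struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return msg


def parse_message(msg):
    """Parse header, question and the answer/authority/additional sections into a dict."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        questions.append((name, qtype, qclass))
    out = {"id": ident, "is_reply": bool(flags & FLAG_QR),
           "authoritative": bool(flags & FLAG_AA), "questions": questions}
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, offset = decode_name(msg, offset)
            rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
            offset += 10
            if rtype == TYPE_A and rdlen == 4:
                value = ".".join(str(b) for b in msg[offset:offset + 4])
            elif rtype in (TYPE_NS, TYPE_CNAME):         # rdata is itself a (possibly compressed) name
                value, _ = decode_name(msg, offset)
            else:
                value = msg[offset:offset + rdlen]
            offset += rdlen
            rrs.append((name, value, rtype, ttl))        # the slide's (name, value, type, ttl) tuple
        out[section] = rrs
    return out


def reply_matches(query, reply):
    """A resolver should accept a reply only if it is a reply, carries the id of the
    outstanding query and answers the same question; anything else is discarded."""
    q, r = parse_message(query), parse_message(reply)
    return r["is_reply"] and q["id"] == r["id"] and q["questions"] == r["questions"]


def demo():
    # Constructed exchange: ask for PC4.mylab.com, the A record from the deck's zone file.
    query = build_query(0x1234, "PC4.mylab.com")
    reply = build_reply(query, [("10.0.1.41", 86400)])
    # A reply built for a different id does not match the outstanding query.
    stray = build_reply(build_query(0x9999, "PC4.mylab.com"), [("10.0.1.41", 86400)])
    return parse_message(reply), reply_matches(query, reply), reply_matches(query, stray)
```

The hop limit in decode_name matters when the parser faces input it did not build itself: a pointer that leads back to itself would otherwise loop forever. The identification match in reply_matches is the only binding between a UDP reply and its query that the header provides, and it is 16 bits wide, which is why real resolvers also randomise the UDP source port and compare it on the way back.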

(24)

Inserting records into DNS

•  example: new startup “Network Utopia”
•  register name networkutopia.com at DNS registrar (e.g., Network Solutions)
   –  provide names, IP addresses of authoritative name server (primary and secondary)
   –  registrar inserts two RRs into .com TLD server:
      (networkutopia.com, dns1.networkutopia.com, NS)
      (dns1.networkutopia.com, 212.212.212.1, A)
•  create authoritative server type A record for www.networkutopia.com; type MX record for networkutopia.com

(25)

Resource Records

•  Resource records are stored in configuration files (zone files) at name servers.
•  Example resource records for a zone:

db.mylab.com

$TTL 86400
mylab.com. IN SOA PC4.mylab.com. hostmaster.mylab.com. (
    1       ; serial
    28800   ; refresh
    7200    ; retry
    604800  ; expire
    86400   ; ttl
)
;
mylab.com. IN NS PC4.mylab.com.
;
localhost        A  127.0.0.1
PC4.mylab.com.   A  10.0.1.41
PC3.mylab.com.   A  10.0.1.31
PC2.mylab.com.   A  10.0.1.21
PC1.mylab.com.   A  10.0.1.11

(26)

Resource Records

Annotations on db.mylab.com:

•  $TTL 86400: max. age of cached data in seconds
•  Start of authority (SOA) record. Means: “This name server is authoritative for the zone mylab.com”
   –  PC4.mylab.com is the name server
   –  hostmaster@mylab.com is the email address of the person in charge
•  Name server (NS) record. One entry for each authoritative name server
•  Address (A) records.
(27)
(28)

Exercise 1(B)

NAT Table on Router2

Router2#show ip nat translations
Pro  Inside global   Inside local   Outside local   Outside global
---  200.0.0.2       10.0.1.2       ---             ---

Which ping works and why?

PC3% ping -c3 10.0.1.3
PC3% ping -c3 128.143.136.1
Router1% ping -c3 10.0.1.2
Router1% ping -c3 128.143.136.1
PC4% ping -c3 10.0.1.2
PC4% ping -c3 200.0.0.2

Configuration:

Router2(config)#ip nat inside source static 10.0.1.2 200.0.0.2
...

(30)

Exercise 1(B)

NAT Table on Router2

Router2#show ip nat translations
Pro  Inside global   Inside local   Outside local   Outside global
---  200.0.0.1       10.0.1.1       ---             ---
---  200.0.0.2       10.0.1.2       ---             ---
---  200.0.0.3       10.0.1.3       ---             ---

Which ping works and why?

PC3% ping -c3 10.0.1.3
PC3% ping -c3 128.143.136.1
Router1% ping -c3 10.0.1.2
Router1% ping -c3 128.143.136.1
PC4% ping -c3 10.0.1.2
PC4% ping -c3 200.0.0.2

Configuration:

Router2(config)#ip nat inside source static 10.0.1.2 200.0.0.2
Router2(config)#ip nat inside source static 10.0.1.1 200.0.0.1
Router2(config)#ip nat inside source static 10.0.1.3 200.0.0.3

(32)

Exercise 1(B)

Show IP source/destination addresses before/after Router2

PC3% ping -c3 128.143.136.1

Before Router2:
Src: 10.0.1.2 (10.0.1.2), Dst: 128.143.136.1 (128.143.136.1)

After Router2:
Src: 200.0.0.2 (200.0.0.2), Dst: 128.143.136.1 (128.143.136.1)

NAT Table on Router2

Router2#show ip nat translations
Pro  Inside global   Inside local   Outside local   Outside global
---  200.0.0.1       10.0.1.1       ---             ---
---  200.0.0.2       10.0.1.2       ---             ---
---  200.0.0.3       10.0.1.3       ---             ---

(33)

Exercise 1(C) - NAT/PAT/Masquerade

telnet commands; which one successful?

PC1% telnet 10.0.1.3 (Router1)
PC1% telnet 128.143.136.1 (PC4)
Router1# telnet 10.0.1.2 (PC1)
Router1# telnet 128.143.136.1 (PC4)
PC4: telnet 10.0.1.2 (PC3)

(35)

Exercise 1(C) - NAT & telnet

PC1% telnet 128.143.136.1 (PC4)

Before translation (PC2):
Internet Protocol
  Source: 10.0.1.2
  Destination: 128.143.136.1
Transmission Control Protocol
  Source port: 32774
  Destination port: telnet (23)
  Sequence number: 1857633137

After translation (PC2):
Internet Protocol
  Source: 128.143.136.22
  Destination: 128.143.136.1
Transmission Control Protocol
  Source port: 32774
  Destination port: telnet (23)

(36)

Exercise 1(C) - PAT & ICMP (ping)

PC1% ping 128.143.136.1 (PC4)

Before translation:
Internet Protocol, Src Addr: 10.0.1.2, Dst Addr: 128.143.136.1
  Identification: 0x0000
  Protocol: ICMP (0x01)
  Source: 10.0.1.2
  Destination: 128.143.136.1

After translation:
Internet Protocol, Src Addr: 128.143.136.22, Dst Addr: 128.143.136.1
  Identification: 0x0000
  Protocol: ICMP (0x01)
  Source: 128.143.136.22
  Destination: 128.143.136.1

•  Ping (ICMP) does not use port number
•  “Identification” is used to help with NAT

(37)

Exercise 1(D) - NAT & FTP

•  FTP uses 2 ports
   –  Control connection, port 21
   –  Data connection port 20
•  No problem with NAT & control connection.
•  For data connection, the server initiates a connection from its port 20 to a (random) port on client
   –  Causes problem with NAT
   –  Only client can initiate connection
•  PASSIVE mode solves this problem
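The two translation styles used in Exercises 1(B) through 1(D), as one added Python example that is not part of the original lab slides. A static one-to-one table (the `ip nat inside source static` entries of 1(B)) and a port address translation table (the masquerade behind 128.143.136.22 of 1(C)) are modelled side by side and the deck's captures are replayed through them: PC3's ping rewritten from 10.0.1.2 to 200.0.0.2, the telnet connection from 10.0.1.2:32774 keeping its source port, ICMP keyed on its Identification field instead of a port, and, for 1(D), a server-initiated data connection from port 20 that the PAT table cannot map while the static mapping forwards it. The addresses and ports are the ones on the slides; the client data port 40001 and the 1024 fallback port are constructed for the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # TCP/UDP source port; for ICMP echo, put the Identification field here ...
    dport: int = 0  # ... and here, since an echo reply carries the same Identification back


class StaticNat:
    """One-to-one translation, the 'ip nat inside source static' table on Router2.
    Inbound packets to a mapped global address are forwarded even if nothing went out first."""

    def __init__(self, inside_to_global):
        self.inside_to_global = dict(inside_to_global)
        self.global_to_inside = {g: l for l, g in self.inside_to_global.items()}

    def outbound(self, pkt):
        g = self.inside_to_global.get(pkt.src)
        return replace(pkt, src=g) if g else None      # None: no translation, packet dropped

    def inbound(self, pkt):
        l = self.global_to_inside.get(pkt.dst)
        return replace(pkt, dst=l) if l else None


class Pat:
    """Port address translation ('masquerade'): every inside host appears as one global address.
    The table is keyed on protocol and translated port (or ICMP Identification) and is filled
    only by outbound packets, so an unsolicited inbound connection finds no entry and is dropped."""

    def __init__(self, global_ip, first_spare_port=1024):
        self.global_ip = global_ip
        self.next_port = first_spare_port
        self.table = {}        # (proto, global port) -> (inside ip, inside port)
        self.reverse = {}      # (proto, inside ip, inside port) -> global port

    def outbound(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.reverse:
            gport = pkt.sport                           # keep the original port/id while it is free
            while (pkt.proto, gport) in self.table:     # otherwise allocate an unused one
                gport = self.next_port
                self.next_port += 1
            self.table[(pkt.proto, gport)] = (pkt.src, pkt.sport)
            self.reverse[key] = gport
        return replace(pkt, src=self.global_ip, sport=self.reverse[key])

    def inbound(self, pkt):
        if pkt.dst != self.global_ip:
            return None
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None                                 # no mapping: dropped
        inside_ip, inside_port = entry
        return replace(pkt, dst=inside_ip, dport=inside_port)


def demo():
    """Replays the deck's captures through both translators; returns the translated packets."""
    # Exercise 1(B): static table from the slides; PC3's ping to 128.143.136.1 before/after Router2.
    static = StaticNat({"10.0.1.1": "200.0.0.1", "10.0.1.2": "200.0.0.2", "10.0.1.3": "200.0.0.3"})
    ping_out = static.outbound(Packet("icmp", "10.0.1.2", "128.143.136.1", 0, 0))
    # Exercise 1(C): masquerading behind 128.143.136.22; telnet from 10.0.1.2:32774 to port 23.
    pat = Pat("128.143.136.22")
    telnet_out = pat.outbound(Packet("tcp", "10.0.1.2", "128.143.136.1", 32774, 23))
    telnet_back = pat.inbound(Packet("tcp", "128.143.136.1", "128.143.136.22", 23, telnet_out.sport))
    # Exercise 1(D), constructed: an FTP server opens the active-mode data connection from its
    # port 20 to a client port the client announced (40001 here). PAT has no entry for it;
    # the one-to-one static mapping forwards it.
    ftp_data_pat = pat.inbound(Packet("tcp", "128.143.136.1", "128.143.136.22", 20, 40001))
    ftp_data_static = static.inbound(Packet("tcp", "200.0.0.2" and "128.143.136.1", "200.0.0.2", 20, 40001))
    return ping_out, telnet_out, telnet_back, ftp_data_pat, ftp_data_static
```

The PAT table keeps the inside host's own port while it is unused, which is why the slide's capture shows 32774 unchanged on both sides; when two inside hosts happen to pick the same source port, the second one is renumbered, and the reply is routed back by that translated port alone. Passive-mode FTP sidesteps the dropped data connection because the client opens it, creating the table entry on the way out.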
