PAGE INDEX

1. INTRODUCTION
2. DNS HISTORY
3. DNS FEATURES
4. DNS NAME HIERARCHY
5. TYPES OF NAME SERVERS
6. ACCESSING A WEB PAGE
7. SENDING AN EMAIL
8. TYPES OF DNS QUERIES
9. DNS CACHING
10. DOMAIN NAME REGISTRATION
11. SECURITY ISSUES
12. DNS RESOURCE RECORDS
13. DNS CONCERNS
14. CONCLUSION
15. REFERENCES

INTRODUCTION

ABSTRACT:

The Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participants. Most importantly, it translates domain names meaningful to humans into the numerical (binary) identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide. An often-used analogy to explain the Domain Name System is that it serves as the "phone book" for the Internet by translating human-friendly computer hostnames into IP addresses. For example, translates to 192.0.32.10.

The Domain Name System makes it possible to assign domain names to groups of Internet users in a meaningful way, independent of each user's physical location. Because of this, World Wide Web (WWW) hyperlinks and Internet contact information can remain consistent and constant even if the current Internet routing arrangements change or the participant uses a mobile device. Internet domain names are easier to remember than IP addresses such as 208.77.188.166 (IPv4) or 2001:db8:1f70::999:de8:7648:6e8 (IPv6). People take advantage of this when they recite meaningful URLs and e-mail addresses without having to know how the machine will actually locate them.

The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses by designating authoritative name servers for each domain. Authoritative name servers are assigned to be responsible for their particular domains, and in turn can assign other authoritative name servers for their sub-domains. This mechanism has made the DNS distributed and fault tolerant and has helped avoid the need for a single central register to be continually consulted and updated.

In general, the Domain Name System also stores other types of information, such as the list of mail servers that accept email for a given Internet domain. By providing a worldwide, distributed keyword-based redirection service, the Domain Name System is an essential component of the functionality of the Internet.

Names versus Addresses

  • An address is how you get to an endpoint
    • Often hierarchical, which helps with scaling
    • 950 Charter Street, Redwood City CA, 94063
    • +1.650.381.6003
    • 204.152.187.11
  • A name is how an endpoint is referenced
    • Often with no structurally significant hierarchy
    • “David”, “Tokyo”, “itu.int”, “google.com”
    • Names are more people-friendly.

An Analogy

Devices on the telephone network all have a number

  • People have a hard time remembering numbers, but…
  • The network needs the numbers to connect endpoints
  • So a directory provides association of names people know with the numbers where they can be reached

Computers on the Internet all have a number

  • The DNS takes names people can relate to and converts them into the numbers computers need to interact.

This analogy has a crucial flaw: the DNS is not a directory service.

  • There is no way to search the data.

COMPARISON BETWEEN DNS AND FILE SYSTEM


NAMING A DOMAIN:


DNS HISTORY

The practice of using a name as a humanly more meaningful abstraction of a host's numerical address on the network dates back to the ARPANET era. Before the DNS was invented in 1983, each computer on the network retrieved a file called HOSTS.TXT from a computer at SRI (now SRI International). The HOSTS.TXT file mapped names to numerical addresses. A hosts file still exists on most modern operating systems, either by default or through explicit configuration. Many operating systems use name resolution logic that allows the administrator to configure selection priorities for available DNS resolution methods.

The rapid growth of the network required a scalable system that recorded a change in a host's address in one place only. Other hosts would learn about the change dynamically through a notification system, thus completing a globally accessible network of all hosts' names and their associated IP addresses.

At the request of Jon Postel, Paul Mockapetris invented the Domain Name System in 1983 and wrote the first implementation. The original specifications appeared in RFC 882 and RFC 883, which were superseded in November 1987 by RFC 1034 and RFC 1035. Several additional Requests for Comments have proposed various extensions to the core DNS protocols.

In 1984, four Berkeley students—Douglas Terry, Mark Painter, David Riggle and Songnian Zhou—wrote the first UNIX implementation, which was maintained by Ralph Campbell thereafter. In 1985, Kevin Dunlap of DEC significantly re-wrote the DNS implementation and renamed it BIND—Berkeley Internet Name Domain. Mike Karels, Phil Almquist and Paul Vixie have maintained BIND since then. BIND was ported to the Windows NT platform in the early 1990s.

BIND was widely distributed, especially on Unix systems, and is the dominant DNS software in use on the Internet. With the heavy use and resulting scrutiny of its open-source code, as well as increasingly more sophisticated attack methods, many security flaws were discovered in BIND. This contributed to the development of a number of alternative nameserver and resolver programs. BIND itself was re-written from scratch in version 9, which has a security record comparable to other modern Internet software.

The DNS protocol was developed and defined in the early 1980s and published by the Internet Engineering Task Force.

DNS FEATURES

  1. DNS is a Database:

Keys to the database are “domain names”

  • 18.in-addr.arpa, 6.4.e164.arpa

Over 100,000,000 domain names are now stored.

Each domain name contains one or more attributes, known as resource records.

  • Each attribute is individually retrievable.

  2. Global Distribution:

Data is maintained locally, but retrievable globally

  • No single computer has all DNS data
  • DNS lookups can be performed by any Internet-connected device
  • Remote DNS data is locally cacheable to improve performance

  3. Loose Coherency:

The database is always internally consistent

  • Each version of a subset of the database (a zone) has a serial number
  • The serial number is incremented on each database change

Changes to the master copy of the database are replicated according to timing set by the zone administrator

Cached data expires according to a timeout set by the zone administrator.

  4. Scalability:

No intrinsic limit to the size of the database

  • Some servers have over 20,000,000 names
  • Not a particularly good idea

No limit to the number of queries

  • 80,000 queries per second handled regularly
  • Queries distributed among many different servers

  5. Reliability:

Data is replicated

  • Data from master source is copied to multiple slave servers
  • Clients can query master server or slave servers

DNS protocols can use either UDP or TCP

  • UDP is inherently unreliable, but the DNS protocol handles retransmission (perhaps with TCP), sequencing, et cetera.

  6. Dynamic Updates:

Database can be updated dynamically

  • Master server accepts update from over the network
  • Add/delete/modify any record

Modification of the master database triggers replication

  • Only master can be dynamically updated
  • Dynamic updates create a single point of failure

DNS Name Hierarchy

  • DNS hierarchy can be represented by a tree
  • Root and top-level domains are administered by a central Internet name registration authority (ICANN)
  • Below the top-level domain, administration of the name space is delegated to organizations
  • Each organization can delegate further

MODEL FOR HIERARCHY OF NAME SERVERS:

TYPES OF NAME SERVERS

  1. ROOT NAME SERVERS:

Contacted by a local name server that cannot resolve a name. The root name server:

  • contacts authoritative name server if name mapping not known
  • gets mapping
  • returns mapping to local name server

Addresses of root servers:

  • A.ROOT-SERVERS.EDU. (formerly NS.INTERNIC.NET) 10.0.2.32
  • A.ROOT-SERVERS.NET. (formerly NS1.ISI.EDU) 198.41.0.4
  • B.ROOT-SERVERS.NET. (formerly C.PSI.NET) 128.9.0.107
  • C.ROOT-SERVERS.NET. (TERP.UMD.EDU) 192.33.4.12
  • D.ROOT-SERVERS.NET. (NS.NASA.GOV) 128.8.10.90
  • E.ROOT-SERVERS.NET. (NS.ISC.ORG) 192.203.23
  • F.ROOT-SERVERS.NET. (NS.NIC.DDN.MIL) 192.5.5.241
  • G.ROOT-SERVERS.NET. (AOS.ARL.ARMY.MIL) 192.112.36.4
  • H.ROOT-SERVERS.NET. (NIC.NORDU.NET) 128.63.2.53
  • I.ROOT-SERVERS.NET. (at NSI (InterNIC)) 192.36.148.17
  • J.ROOT-SERVERS.NET. (operated by RIPE NCC) 198.41.0.10
  • K.ROOT-SERVERS.NET. (at ISI (IANA)) 193.0.14.129
  • L.ROOT-SERVERS.NET. (operated by WIDE, Japan) 198.32.64
  • M.ROOT-SERVERS.NET. 202.12.27.33

  2. Top-level domain (TLD) servers:

Responsible for com, org, net, edu, etc., and all top-level country domains (uk, fr, ca, jp).

Network Solutions maintains servers for the com TLD; Educause for the edu TLD.

  • com: Commercial organizations
  • edu: Educational institutions
  • gov: Government institutions
  • int: International organizations
  • mil: U.S. military institutions
  • net: Networking organizations
  • org: Non-profit organizations

  3. Authoritative DNS servers:

An organization’s DNS servers, providing authoritative hostname-to-IP mappings for the organization’s servers (e.g., Web and mail).

Can be maintained by the organization or by a service provider.

  4. Local Name Server:

Each ISP (residential ISP, company, university) has one.

Also called the “default name server”.

When a host makes a DNS query, the query is sent to its local DNS server.

Acts as a proxy, forwarding the query into the hierarchy.

Reduces lookup latency for commonly searched hostnames.

Accessing a web page

When you type a URL into your web browser and hit enter, what happens?

Step 1: Your PC sends a resolution request to its configured DNS server, typically at your ISP.

Step 2: Your ISP's recursive name server starts by asking one of the root servers predefined in its “hints” file.

Step 3: Your ISP's recursive name server then asks one of the “com” name servers, as directed.

Step 4: Your ISP's recursive name server then asks one of the “google.com” name servers, as directed.

Step 5: The ISP DNS server then sends the answer back to your PC. The DNS server will “remember” the answer for a period of time.

ALL STEPS IN ONE:

Sending an Email

DNS is not just used in the HTTP protocol (web pages).

DNS is involved in almost every protocol in use on the Internet.

The next example is how DNS facilitates the transfer of electronic mail.

Step 1: Your PC sends the e-mail to its configured outbound mail server. A DNS request similar to the previous example is required to find the address of the mail server.

Step 2: Your mail server follows the same intensive process to find the authoritative servers for “example.com”.

Step 3: Ask the “example.com” name server for the list of “Mail eXchangers” (MX) for that domain.

Step 4: Select a mail server and deliver the mail.
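How a sending mail server picks an exchanger in step 4, as an added example that is not part of the original report: the MX records, host names and the "mx1 is down" situation are constructed for the illustration, and the implicit-MX fallback for a domain with no MX records is included because real senders have to handle it.

```python
"""Added example (not from the original report): choosing a Mail eXchanger
from the MX records fetched for "example.com" in step 3. Records, host names
and the outage below are constructed toy values."""
import random

# Constructed MX RRset for example.com as (preference, host). Lower
# preference is tried first; equal preferences are tried in random order.
MX_EXAMPLE_COM = [(20, "mx-backup.example.com."),
                  (10, "mx1.example.com."),
                  (10, "mx2.example.com.")]

def order_mx(records, rng=random):
    """Return mail hosts in the order a sender should try them: ascending
    preference value, with equal preferences shuffled to spread load."""
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered

def deliver(domain, mx_records, try_host):
    """Try each exchanger in turn. A domain with no MX records at all falls
    back to its own address record (the implicit-MX rule). try_host(host)
    returns True on success, False if that exchanger could not be reached."""
    candidates = order_mx(mx_records) if mx_records else [domain + "."]
    for host in candidates:
        if try_host(host):
            return host
    return None   # all exchangers failed: queue the message and retry later

if __name__ == "__main__":
    # Constructed outage: mx1 is unreachable, so mail lands on mx2 or the backup.
    down = {"mx1.example.com."}
    print(deliver("example.com", MX_EXAMPLE_COM, lambda h: h not in down))
```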

TYPES OF QUERIES

Recursive and Iterative Queries:

There are two types of queries:

  • Recursive queries
  • Iterative (non-recursive) queries

The type of query is determined by a bit in the DNS query.

Recursive query: When the name server of a host cannot resolve a query, the server itself issues further queries to resolve it.

Iterative query: When the name server of a host cannot resolve a query, it returns to the resolver a referral to another server.

Recursive queries

In a recursive query, the resolver expects the complete response from the name server.

If the server cannot supply the answer, it will send the query to the “closest known” authoritative name server (in the worst case, the closest known server is the root server).

The root server sends a referral to the “edu” server. Querying this server yields a referral to the server of “virginia.edu”

… and so on

Iterative queries

In an iterative query, the name server does not chase the answer itself: it replies with a referral to the closest known authoritative name server (in the worst case, the root server), and the resolver must query that server next.

This involves more work for the resolver.

DNS CACHING

Caching can substantially reduce overhead

The top-level domain servers very rarely change

Popular sites are visited often

Once (any) name server learns a mapping, it caches the mapping

Cache entries time out (disappear) after some time

TLD servers are typically cached in local name servers

Thus root name servers are not often visited
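The three pieces above (the ISP's recursive server walking root, "com" and "google.com" in the web-page steps, the recursive-versus-iterative distinction, and cache entries that time out) in one runnable simulation, added here and not part of the original report. The server names, zone contents, address and TTLs are constructed; a real resolver would send UDP/TCP queries where this code looks up a dictionary.

```python
"""Added example (not from the original report): a recursive resolver that
answers a stub client's recursive query by iteratively walking the
root -> TLD -> authoritative referral chain and caching what it learns
until the TTL expires. All server data below is constructed."""
import time

# Constructed zone data: for each server, the names it knows and either a
# referral to the next server down or the final answer, with a TTL.
SERVERS = {
    "root":      {"com.": ("referral", "tld-com", 172800)},
    "tld-com":   {"google.com.": ("referral", "ns-google", 172800)},
    "ns-google": {"www.google.com.": ("answer", "198.51.100.10", 300)},
}

def ask(server, qname):
    """One iterative query. The server answers only from its own data and
    never recurses: it returns (owner, kind, value, ttl), where kind is
    'answer' or 'referral'. The longest matching suffix of qname wins."""
    labels = qname.split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in SERVERS[server]:
            return (owner,) + SERVERS[server][owner]
    raise LookupError(f"{server} has no data for {qname}")

class Resolver:
    """The ISP-style recursive name server from the web-page steps.
    `clock` is injectable so TTL expiry can be demonstrated offline."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.cache = {}          # owner name -> (kind, value, expires_at)
        self.queries_sent = []   # (server, qname) log of iterative queries

    def _cached(self, owner):
        entry = self.cache.get(owner)
        if entry and entry[2] > self.clock():
            return entry
        self.cache.pop(owner, None)   # expired entries are discarded
        return None

    def resolve(self, qname):
        server = "root"                # root hints, used only on a cold cache
        labels = qname.split(".")
        for i in range(len(labels)):   # most specific cached data first
            hit = self._cached(".".join(labels[i:]))
            if hit and hit[0] == "answer":
                return hit[1]
            if hit:                    # cached referral: skip root/TLD hops
                server = hit[1]
                break
        while True:
            self.queries_sent.append((server, qname))
            owner, kind, value, ttl = ask(server, qname)
            self.cache[owner] = (kind, value, self.clock() + ttl)
            if kind == "answer":
                return value
            server = value             # follow the referral down the tree
```

Calling `Resolver().resolve("www.google.com.")` twice shows the second lookup answered from cache; once the 300-second answer TTL has passed, only the "google.com" server is asked again because the root and "com" referrals are still cached.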

Domain Name Registration

The right to use a domain name is delegated by domain name registrars, which are accredited by the Internet Corporation for Assigned Names and Numbers (ICANN), the organization charged with overseeing the name and number systems of the Internet. In addition to ICANN, each top-level domain (TLD) is maintained and serviced technically by an administrative organization, operating a registry. A registry is responsible for maintaining the database of names registered within the TLD it administers. The registry receives registration information from each domain name registrar authorized to assign names in the corresponding TLD and publishes the information using a special service, the whois protocol.

ICANN publishes the complete list of TLD registries and domain name registrars. Registrant information associated with domain names is maintained in an online database accessible with the WHOIS service. For most of the more than 240 country code top-level domains (ccTLDs), the domain registries maintain the WHOIS (registrant, name servers, expiration dates, etc.) information. For instance, DENIC, the NIC for Germany, holds the DE domain data. Since about 2001, most gTLD registries have adopted this so-called thick registry approach, i.e. keeping the WHOIS data in central registries instead of registrar databases.

For COM and NET domain names, a thin registry model is used: the domain registry (e.g. VeriSign) holds basic WHOIS (registrar and name servers, etc.) data. One can find the detailed WHOIS (registrant, name servers, expiry dates, etc.) at the registrars.

Some domain name registries, often called network information centers (NIC), also function as registrars to end-users. The major generic top-level domain registries, such as for the COM, NET, ORG, INFO domains and others, use a registry-registrar model consisting of hundreds of domain name registrars (see lists at ICANN or VeriSign). In this method of management, the registry only manages the domain name database and the relationship with the registrars. The registrants (users of a domain name) are customers of the registrar, in some cases through additional layers of resellers.

Security Issues

DNS was not originally designed with security in mind, and thus has a number of security issues.

One class of vulnerabilities is DNS cache poisoning, which tricks a DNS server into believing it has received authentic information when, in reality, it has not.

DNS responses are traditionally not cryptographically signed, leading to many attack possibilities. The Domain Name System Security Extensions (DNSSEC) modify DNS to add support for cryptographically signed responses. There are various extensions to support securing zone transfer information as well.

Even with encryption, a DNS server could become compromised by a virus (or for that matter a disgruntled employee) that would cause IP addresses served by that server to be redirected to a malicious address with a long TTL. This could have far-reaching impact on potentially millions of Internet users if busy DNS servers cache the bad IP data. Because the long TTL (up to 68 years) would keep the bad data alive, recovery would require manual purging of all affected DNS caches.

Some domain names can spoof other, similar-looking domain names. For example, "paypal.com" and "paypa1.com" are different names, yet users may be unable to tell the difference when the user's typeface (font) does not clearly differentiate the letter l and the numeral 1. This problem is much more serious in systems that support internationalized domain names, since many characters that are different from the point of view of ISO 10646 appear identical on typical computer screens. This vulnerability is often exploited in phishing.

Techniques such as forward-confirmed reverse DNS can also be used to help validate DNS results.
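A defensive check for the look-alike names just described, added here as an example and not part of the original report: a domain is reduced to the shape a reader perceives (the "1" for "l" case from the text plus a few Cyrillic letters that share glyphs with Latin ones) and compared against a list of names an organization wants to protect. The confusable table and the protected list are constructed and deliberately short; a production check would use the full Unicode confusables data.

```python
"""Added example (not from the original report): detect domains that imitate
a protected name through look-alike characters. CONFUSABLES and PROTECTED
are constructed, short illustrations of the real tables."""
import unicodedata

# Constructed confusables: characters that render like an ASCII letter on
# typical screens. Keys are the look-alike, values the letter they mimic.
CONFUSABLES = {
    "1": "l", "0": "o", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0443": "y",
}

PROTECTED = ["paypal.com", "google.com"]   # constructed protected-name list

def decode_idna(domain):
    """Names arrive from DNS in wire form (xn-- punycode labels); decode them
    so the check sees the characters the user sees, not the ASCII encoding."""
    return domain.encode("ascii").decode("idna")

def skeleton(domain):
    """The ASCII shape a reader perceives: lower-case, NFKC-normalize (so
    fullwidth and ligature forms collapse), then replace confusables."""
    text = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def lookalike_of(domain, protected=PROTECTED):
    """Return the protected name this domain imitates, or None when it is the
    genuine name itself or visually unrelated to every protected name."""
    domain = domain.lower()
    if domain in protected:
        return None
    shape = skeleton(domain)
    for name in protected:
        if shape == skeleton(name):
            return name
    return None
```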

USAGE IN OTHER APPLICATIONS

The system outlined above provides a somewhat simplified scenario. The Domain Name System includes several other functions:

  • Hostnames and IP addresses do not necessarily match on a one-to-one basis. Many hostnames may correspond to a single IP address: combined with virtual hosting, this allows a single machine to serve many web sites. Alternatively, a single hostname may correspond to many IP addresses: this can facilitate fault tolerance and load distribution, and also allows a site to move physical location seamlessly.
  • There are many uses of DNS besides translating names to IP addresses. For instance, mail transfer agents use DNS to find out where to deliver e-mail for a particular address. The domain-to-mail-exchanger mapping provided by MX records accommodates another layer of fault tolerance and load distribution on top of the name-to-IP-address mapping.
  • E-mail blacklists: The DNS system is used for efficient storage and distribution of the IP addresses of blacklisted e-mail hosts. The usual method is to put the IP address of the subject host into a sub-domain of a higher-level domain name, and resolve that name to different records to indicate a positive or a negative. A hypothetical example using blacklist.com:
    • 102.3.4.5 is blacklisted => creates 5.4.3.102.blacklist.com, which resolves to 127.0.0.1
    • 102.3.4.6 is not => 6.4.3.102.blacklist.com is not found, or defaults to 127.0.0.2
    E-mail servers can then query blacklist.com through the DNS mechanism to find out whether a specific host connecting to them is in the blacklist. Today many such blacklists, either free or subscription-based, are available, mainly for use by e-mail administrators and anti-spam software.
  • Software updates: many anti-virus and commercial software products now use the DNS system to store the version numbers of the latest software updates, so client computers do not need to connect to the update servers every time. For these types of applications, the cache time of the DNS records is usually shorter.
  • Sender Policy Framework and DomainKeys, instead of creating their own record types, were designed to take advantage of another DNS record type, the TXT record.
  • To provide resilience in the event of computer failure, multiple DNS servers are usually provided for coverage of each domain, and at the top level, thirteen very powerful root servers exist, with additional "copies" of several of them distributed worldwide via Anycast.
  • Dynamic DNS (also referred to as DDNS) provides clients the ability to update their IP address in the DNS after it changes due to mobility.
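The blacklist lookup from the list above in working form, added here as an example and not part of the original report. It follows the report's own convention (127.0.0.1 means listed, NXDOMAIN or 127.0.0.2 means clean) for the hypothetical blacklist.com zone; the zone contents are constructed, and a dictionary stands in for the DNS query. An answer that matches neither convention is deliberately reported as "unknown" rather than treated as a listing, since a list that has expired into a parked wildcard or changed its return codes would otherwise reject all mail.

```python
"""Added example (not from the original report): build the DNSBL query name
for an IPv4 address and interpret the answer using the report's hypothetical
blacklist.com conventions. Zone contents are constructed."""
import ipaddress

# Constructed contents of the hypothetical blacklist.com zone (name -> A record).
BLACKLIST_ZONE = {"5.4.3.102.blacklist.com": "127.0.0.1"}

LISTED = "127.0.0.1"       # the report's convention for a blacklisted host
NOT_LISTED = "127.0.0.2"   # the report's optional default for a clean host

def dnsbl_name(ip, zone="blacklist.com"):
    """Reverse the four octets of an IPv4 address and prefix them to the zone:
    102.3.4.5 -> 5.4.3.102.blacklist.com. Malformed input raises ValueError
    before anything would be sent to the resolver."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def lookup(name, zone_data):
    """Stand-in for the DNS query: the A record, or None for NXDOMAIN."""
    return zone_data.get(name)

def classify(ip, zone="blacklist.com", zone_data=BLACKLIST_ZONE):
    """NXDOMAIN and the 127.0.0.2 default both mean 'clean'; 127.0.0.1 means
    'listed'. Any other address is 'unknown': a list that has been taken
    over, expired into a wildcard, or changed its return codes must not
    silently cause mail to be rejected, so callers should log it instead."""
    answer = lookup(dnsbl_name(ip, zone), zone_data)
    if answer is None or answer == NOT_LISTED:
        return "clean"
    if answer == LISTED:
        return "listed"
    return "unknown"
```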

DNS Resource Records