
Chapter 23 – Domain Name System (DNS)

23.2 Names for Machines

It is usually easier to refer to a machine as juniper than as 138.26.66.6

23.3 Flat Namespace

► Early ARPAnet: unique names for machines, registered with the Network Information Center

► Continued until 1000 machines

► Beyond that a massive bureaucracy would have been necessary to ensure uniqueness of names

► The Domain Name System was created

Chapter 23 – Domain Name System (DNS) - continued

23.4 Hierarchical Names

City “Athens” – Athens, AL or Athens, GA or Athens, TN … ?

Specifying state removes ambiguity.

23.5 Delegation of Authority for Names

If you want to start a new city and call it “Athens,” you probably need permission from the state – you will probably be allowed to do it if there is not already an “Athens” in your state.

Once you have permission for the city name, you probably have the authority to name the neighborhoods.

In DNS “The topmost level of the hierarchy divides the namespace and delegates authority for each division; it need not be bothered by changes within a division.”

23.6 Subset Authority

This can be carried down to more levels:

local.group.site

There is an analogy to the telephone numbering system:

<area code> – <exchange> – <extension>

(although in this case the highest level is written on the left).


In the Internet, hierarchical machine names are assigned according to the structure of organizations that obtain authority for parts of the namespace, not necessarily according to the structure of the physical network connections.

Example 1:

Two small departments, philosophy and foreign languages, might share a floor in the Humanities building; their domain names, pl.uab.edu and fl.uab.edu are different but they may share a single LAN and therefore have the same IP (sub)network address.

Example 2:

The CIS department has a large number of hosts and several LANs. All hosts have domain names with the same suffix, cis.uab.edu, but their IP addresses fall in several subnets: 138.26.64.x, 138.26.65.y, 138.26.66.z

23.7 Internet Domain Names

The Domain Name System has two, conceptually independent aspects:

■ (“abstract”) - name syntax and delegating authority over names

■ (“concrete”) - a distributed computing system that efficiently maps names to addresses

Section 23.7 continues with the first topic.

23.7 Internet Domain Names – continued

Domain name

cs.purdue.edu

contains three labels. This is the lowest-level domain, or third-level domain.

Any suffix of the labels in a domain name is also called a domain: purdue.edu is the second-level domain, edu is the top-level domain.

(labels can be up to 63 ASCII characters long; the total length of the name can be up to 255 characters)

23.8 Top-Level Domains

Figure 23.1 Top-level domains


23.8 Top-Level Domains - continued

The domain name space can be represented by a rooted tree.

Figure 23.2: the tree, with the top-level domain, second-level domain and third-level domain below the root and a leaf machine such as merlin. Different from Comer! More later.

23.8 Top-Level Domains - continued

(top-level domain, second-level domain, third-level domain)

All domain names end in a trailing . (the root), e.g. cs.purdue.edu., but the . is usually omitted in speech (it is not omitted in coding).

The domain name of a subtree is the list of its labels, separated by periods, along the path to the root.

23.8 Top-Level Domains - continued

Conceptually, the top-level names permit two independent naming hierarchies:

■ geographic

■ organizational

An organization can choose which way it wants to be known.

In the US we mostly see the organizational structure, e.g. uab.edu not uab.al.us

Other countries often use the geographic hierarchy, e.g. bham.ac.uk for the University of Birmingham (England).

For the geographic scheme each country has a two-letter code, e.g. us for United States

Beneath this top level there are second-level domains for each state, e.g. al.us

23.8 Top-Level Domains - continued

There is a registrar for each top-level domain,

e.g. edu

An organization applies to the top-level registrar for approval of a second-level domain,

e.g. uab.edu

A department of an organization applies to the organization administration for approval of a third-level domain,

e.g. cis.uab.edu

The departmental administrator may assign fourth-level domains, e.g. juniper.cis.uab.edu

23.9 Name Syntax and Type

A record in the domain name system specifies the domain name, and also the type of this particular record, e.g.

■ IP address of the named machine (type A)

■ mail exchanger (type MX – the name of the machine running the SMTP server that accepts mail for the domain)

At first we’ll use the first type for examples – other types later

23.9 Name Syntax and Type - continued

The syntax of a domain name does not determine what type of object is represented.

gwen.purdue.edu

could be an individual machine (a leaf of the tree), although

cs.purdue.edu

is a non-leaf domain, with numerous machines under it.

One cannot distinguish the names of subdomains from the names of individual objects, or the type of an object, using only the domain name syntax.

Comer’s example: machine gwen.purdue.edu.

23.10 Mapping Domain Names to Addresses

Recall that:

DNS has two, conceptually independent aspects:

■ (abstract) - name syntax, delegating authority over names

■ (“concrete”) - a distributed computing system that efficiently maps names to addresses

Now we consider the second aspect.

23.10 Mapping Domain Names to Addresses – continued

The domain name system includes an

■ efficient

■ reliable

■ general-purpose

■ distributed

system for mapping names to addresses.


23.10 Mapping Domain Names to Addresses – continued

What is meant by these characteristics?

■ efficient – most names can be mapped locally, without needing Internet traffic (probably not true of a home network)

■ reliable – no single machine failure will prevent the system from operating correctly

■ general-purpose – not restricted to mapping machine domain names to IP addresses (but we will often use this as our example)

■ distributed – a set of servers at multiple sites cooperatively solve the mapping problem

23.10 Mapping Domain Names to Addresses – continued

Name Server

This is a server that supplies name-to-address translation, mapping from domain names to IP addresses (the example we’re concentrating on).

There is a cooperating system of such servers.

The corresponding client software is called a name resolver, which accesses one or more name servers when needing to translate a name.

23.10 Mapping Domain Names to Addresses – continued

Figure 23.3

First, assume:

► a name server for each level in the tree

► the search starts at the root (top-down)

► the root server knows how to contact all top-level servers

Similarly, the top-level domain server knows how to contact the server for each second-level domain … and so on. The servers can be physically located anywhere.

A line in the figure means “able to contact”, not usually directly.

23.10 Mapping Domain Names to Addresses – continued

► Arrangement on previous slide would produce a large number of small servers.

Figure 23.4

I don’t think this is right! See later.

► In practice the tree of servers will be flattened.


23.10 Mapping Domain Names to Addresses – continued

The company VeriSign runs the top-level servers for .com and .net (.org, listed with them on the slide, has been operated by the Public Interest Registry since 2003), and responds to:

6 – 18 billion requests per day (about 1 – 3 for each person on earth).

second-level domains (2008):

► 80,000,000 .com

► 10,000,000 .net

► 6,000,000 .org

► 174,000,000 total

DNS is an amazing system, which made the Internet usable by ordinary people! (Contrast having to use IP addresses.)

23.11 Domain Name Resolution

We continue to assume that name resolution proceeds top-down.

There are two ways to use the system:

■ iterative – the client contacts the chain of servers, one at a time

■ recursive – the client contacts the first server and asks it to take over the task of resolution.

In either case the client forms a domain name query that has four components:

■ the domain name to be resolved

■ whether iterative or recursive resolution is wanted

■ the type of answer desired (e.g. machine IP address, type A)

■ the class of the domain name (always the Internet class, IN, for us)

23.11 Domain Name Resolution - continued

The entire DNS namespace is divided into non-overlapping zones of authority. (The figure here showed a very small portion of the divided namespace.)

There is a name server for each zone – the authoritative server.

23.11 Domain Name Resolution - continued

When a domain server receives a query it checks to see if the name lies in the subdomain for which this server is an authority.

If yes: the server translates the domain name to an IP address, appends the answer to the query, and returns it to the client.

If not: the server checks to see if the client requested iterative or recursive resolution.

If iterative, the server replies to the client with a suggestion about the next server the client should contact.

If recursive, the server turns round and recursively becomes a client, acting on behalf of the previous client; eventually an authoritative server is reached, the translation found, and the recursion unwinds, returning the answer to the original client.

23.11 Domain Name Resolution - continued

Q: How does a name server find another name server to contact if the first server cannot answer the query?

A: A name server must know the IP address of at least one root server.

(There are 13 root server names, referred to as A .. M, each of which is now served from many anycast sites spread around the world – the A root server’s address is 198.41.0.4.)

The domain name service uses well-known port 53, usually over UDP (TCP is used when a reply is too large for a UDP datagram, and for zone transfers).

Q: How does a client find a name server at which to begin the search?

A: A client must know the IP address of at least one name server. (In UNIX systems these addresses are in the file /etc/resolv.conf.)

23.12 Efficient Translation

We have pretended that resolution proceeds top-down, but this would be inefficient, because:

■ name resolution often refers to local names

(questionable – not true in home environment;

may be true in organizational environment);

■ if every client always went first to the top-level server, it might become overloaded;

■ failure of the top-level server, or of communication with it, would prevent resolution, even if a local server could resolve the name.


23.12 Efficient Translation - continued

So we adopt a two-step name resolution mechanism that preserves the administrative hierarchy but permits efficient translation:

■ resolution begins with a local name server

■ if this server cannot resolve the name, the query is sent to a higher server in the domain name system.


23.12 Efficient Translation - continued

Example: User on machine flits.cs.vu.nl pings machine linda.cs.yale.edu

(Figure: the resolution steps between the addresses 130.37.16.112 and 209.86.66.94.)

23.13 Caching: The Key to Efficiency

Scenario: A name server receives a recursive request for a name not in the server’s zone of authority. The server recursively becomes a client and eventually receives back the requested mapping, which it provides to the original client.

The server also retains the mapping in its DNS cache. If the server receives another request for this same mapping, it supplies the information from its DNS cache. However, it does not mark its reply as authoritative.

Since mappings may change, “soft state” is used. When an authoritative server provides a mapping, the server includes a Time to Live (TTL) that indicates how long the mapping may be assumed to remain valid. The receiving server deletes the mapping after the TTL has elapsed.

TTL is usually set to 1 day (it is chosen by the zone’s administrator; a shorter TTL makes changes propagate faster at the cost of more queries).

23.13 Caching: The Key to Efficiency - continued

Example: User on machine flits.cs.vu.nl pings machine linda.cs.yale.edu

After step 7 the server cs.vu.nl would enter the mapping in its DNS cache and start a soft-state timer (and in step 8 provide the mapping to the name resolver on machine flits).

23.13 Caching: The Key to Efficiency – continued

We can now refine the algorithm for a DNS server receiving a query:

IF query domain is in server’s Zone Of Authority
    reply with answer marked AUTHORITATIVE
ELSE IF query domain is in server’s cache
    reply with answer not marked AUTHORITATIVE, and provide source of information
ELSE IF recursion requested & available
    server becomes client and searches
ELSE IF iteration requested or recursion not available
    return no answer, but provide suggestions of other servers that may be helpful
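The iterative and recursive cases of 23.11, the local-server-first order of 23.12 and the cache-with-TTL rule of 23.13 can be exercised together in a small simulation. The following is an added example, not code from the slides or from Comer’s book: a constructed delegation tree (root, edu, uab.edu, cis.uab.edu) plus a local server for cs.vu.nl that offers recursion to its own clients. The addresses 138.26.66.6 (juniper) and 130.37.16.112 (flits) and the one-day TTL are the slides’ values; every other name, the class names and the hop limit are assumptions of the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Added example for 23.11-23.13: a tiny delegation tree, iterative and recursive
# lookups, and a soft-state cache. All zones and addresses below are constructed.
ROOT_ZONE = "."
TTL = 86400   # seconds; the slides' "usually set to 1 day"


def in_zone(name: str, zone: str) -> bool:
    """True if fully-qualified `name` (with trailing dot) lies inside `zone`."""
    return zone == ROOT_ZONE or name == zone or name.endswith("." + zone)


@dataclass
class Response:
    name: str
    address: Optional[str] = None          # the A-record answer, if one was found
    authoritative: bool = False            # the AA flag: straight from zone data
    referral: Optional[NameServer] = None  # iterative mode: the server to try next
    nxdomain: bool = False                 # inside the zone, but no such name


class NameServer:
    def __init__(self, zone, records, children, recursion_available=False, root=None):
        self.zone = zone                    # zone of authority, e.g. "uab.edu."
        self.records = dict(records)        # authoritative A records: name -> address
        self.children = dict(children)      # delegated subzones: zone -> NameServer
        self.recursion_available = recursion_available
        self.root = root                    # where this server starts a recursive search
        self.cache = {}                     # soft state: name -> (address, expires_at)
        self.queries_served = 0

    def query(self, name: str, recursion_desired: bool, now: float) -> Response:
        self.queries_served += 1
        # 1. name in the zone of authority: reply marked AUTHORITATIVE
        if name in self.records:
            return Response(name, self.records[name], authoritative=True)
        # 2. name in the cache and TTL not elapsed: reply NOT marked authoritative
        hit = self.cache.pop(name, None)          # expired entries are dropped here
        if hit is not None and hit[1] > now:
            self.cache[name] = hit
            return Response(name, hit[0], authoritative=False)
        # Which child zone (if any) encloses the name? That is the next hop.
        child = next((s for z, s in self.children.items() if in_zone(name, z)), None)
        if child is None and in_zone(name, self.zone):
            return Response(name, authoritative=True, nxdomain=True)
        # 3. recursion requested and available: the server becomes a client
        if recursion_desired and self.recursion_available:
            found = iterative_lookup(child or self.root, name, now)
            if found.address is not None:
                self.cache[name] = (found.address, now + TTL)   # start the soft-state timer
            return Response(name, found.address, authoritative=False, nxdomain=found.nxdomain)
        # 4. iteration requested, or recursion unavailable: no answer, only a suggestion
        return Response(name, referral=child or self.root)


def iterative_lookup(server: NameServer, name: str, now: float, max_hops: int = 10) -> Response:
    """Client side of iterative resolution: contact the chain of servers one at a
    time, following referrals. The hop cap stops a referral loop from running forever."""
    for _ in range(max_hops):
        resp = server.query(name, recursion_desired=False, now=now)
        if resp.referral is None:
            return resp
        server = resp.referral
    raise RuntimeError("referral chain longer than %d hops" % max_hops)


# Constructed delegation tree: root -> edu -> uab.edu -> cis.uab.edu
cis_server = NameServer("cis.uab.edu.", {"juniper.cis.uab.edu.": "138.26.66.6"}, {})
uab_server = NameServer("uab.edu.", {}, {"cis.uab.edu.": cis_server})
edu_server = NameServer("edu.", {}, {"uab.edu.": uab_server})
root_server = NameServer(ROOT_ZONE, {}, {"edu.": edu_server})
# The local server for cs.vu.nl answers its own zone and recurses for its clients
local_server = NameServer("cs.vu.nl.", {"flits.cs.vu.nl.": "130.37.16.112"}, {},
                          recursion_available=True, root=root_server)


def demo():
    """flits asks its local server for juniper three times: the first walk goes
    root -> edu -> uab.edu -> cis.uab.edu, the second is a cache hit, the third
    comes after the TTL has elapsed and walks the tree again."""
    r1 = local_server.query("juniper.cis.uab.edu.", True, now=0)
    r2 = local_server.query("juniper.cis.uab.edu.", True, now=60)
    r3 = local_server.query("juniper.cis.uab.edu.", True, now=TTL + 1)
    return r1, r2, r3


if __name__ == "__main__":
    for r in demo():
        print(r.name, r.address, "AA" if r.authoritative else "non-authoritative")
    print("root server was asked", root_server.queries_served, "times")
```

Two points the slides make are visible in the output: the local server’s replies are never marked authoritative, even though the data came from an authoritative server, and the root is contacted only when the cache is cold or the TTL has run out. The hop limit in `iterative_lookup` is the practical guard a real resolver needs against a referral that points back up the tree.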

23.14 Domain Name System Message Format

This format is used for all messages (requests and replies):

Figure 23.5


23.14 Domain Name System Message Format - continued

Figure 23.6 (the header): a 4-bit op-code, the response code, and the flag bits, of which bit 9 is reserved, bit 10 is “authenticated” (AD) and bit 11 is “checking disabled” (CD).

23.14 Domain Name System Message Format – continued

Format of the QUESTION section of the general format:

Figure 23.7 (example entry: name juniper.cis.uab.edu., type A, class IN – the Internet class, written “IP” on the slide)

The domain name system database consists of a collection of resource records.

Figure 23.8

All DNS replies (ANSWER section, AUTHORITY section, and ADDITIONAL INFORMATION section) are in the form of resource records.

Example resource record from the figure: name juniper.cis.uab.edu., type A, class IN, address 138.26.66.64, TTL 1 day.

23.15 Compressed Name Format

The first paragraph is not actually about compression!

Q: Because DNS labels and names are variable in length, how can we represent them internally?

A: Domain names are stored as a sequence of labels; each label begins with a count byte, an octet that specifies its length.

So juniper.cis.uab.edu is stored as

07 6a 75 6e 69 70 65 72 03 63 69 73 03 75 61 62 03 65 64 75 00
    j  u  n  i  p  e  r     c  i  s     u  a  b     e  d  u

Q: How do we know when the name is complete?

A: All names end at the root, which has a “zero-length name,” so the length prefix at the end of the name will be zero (this explains why it is not an “un-named root”).

23.15 Compressed Name Format – continued

To conserve space in the reply, name servers compress by sending only the first copy of each domain name.

Subsequent mentions of the name, or of a suffix of it, are represented by a pointer to the first occurrence.

Pointers always occur at the beginning of a label and replace the count byte.

Q: How do we distinguish count bytes from pointers?

A: Labels cannot be more than 63 characters long, so the leftmost two bits of a count byte must be 00. Pointers are distinguished by having the leftmost two bits 11; the remaining 14 bits of the two-byte field are the pointer, an offset from the start of the message.

(A decoder must treat pointers as untrusted input: a pointer that points forward, or back at itself, sends a naive decoder into an endless loop, so a parser bounds the number of pointers it follows and checks every offset against the message length.)
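The message layout of 23.14 and the count-byte and pointer encoding of 23.15 are concrete enough to build and parse by hand. The following is an added example, not code from the slides: it encodes a name as count-prefixed labels, builds the header and QUESTION section of a query for juniper.cis.uab.edu, constructs a matching reply whose ANSWER name is a compression pointer to offset 12 (the start of the question), and decodes it. The decoder treats pointers as untrusted input and refuses forward, self-referential or looping pointers. The 138.26.66.6 address and the one-day TTL are the slides’ values; the flag values and field layout follow RFC 1035; the reply bytes and the looping name are constructed for the example.

```python
import struct

# Added example for 23.14/23.15: build a DNS query, construct a reply that uses
# a compression pointer, and parse it back with bounds and loop checks.
QTYPE_A, QCLASS_IN = 1, 1        # RFC 1035 type A, class IN
MAX_LABEL, MAX_NAME = 63, 255    # limits from the slides (octets)


def encode_name(name: str) -> bytes:
    """Count-prefixed labels, terminated by the root's zero-length label."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError("label length must be 1..63: %r" % label)
        out.append(len(raw))          # count byte: top two bits are always 00
        out += raw
    out.append(0)                     # the root: "zero-length name"
    if len(out) > MAX_NAME:
        raise ValueError("encoded name longer than 255 octets")
    return bytes(out)


def decode_name(msg: bytes, offset: int):
    """Return (name, offset just past the name as written at `offset`).
    Pointers (top bits 11, 14-bit offset) must point strictly backwards, the
    hop count is capped and the assembled name may not exceed 255 octets, so
    a malformed or hostile message cannot loop the parser or read past the buffer."""
    labels, total, hops = [], 0, 0
    pos, resume = offset, None
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past the end of the message")
        count = msg[pos]
        if count & 0xC0 == 0xC0:                      # 11xxxxxx: a two-byte pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((count & 0x3F) << 8) | msg[pos + 1]
            hops += 1
            if target >= pos or hops > 64:
                raise ValueError("forward, self-referential or looping pointer")
            if resume is None:                        # caller continues after the first pointer
                resume = pos + 2
            pos = target
            continue
        if count & 0xC0:                              # 01/10 prefixes are reserved
            raise ValueError("reserved label type")
        if count == 0:                                # root label: the name is complete
            return ".".join(labels) + ".", (resume if resume is not None else pos + 1)
        total += 1 + count
        if total > MAX_NAME or pos + 1 + count > len(msg):
            raise ValueError("label exceeds name or message bounds")
        labels.append(msg[pos + 1:pos + 1 + count].decode("ascii"))
        pos += 1 + count


def name_is_well_formed(msg: bytes, offset: int) -> bool:
    try:
        decode_name(msg, offset)
        return True
    except ValueError:
        return False


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """12-byte header plus one QUESTION entry; flags 0x0100 = RD (recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(query: bytes, address: str, ttl: int = 86400) -> bytes:
    """Constructed reply to a one-question query: echo the QUESTION section and
    write the ANSWER name as pointer 0xC00C (offset 12). Flags 0x8580 = QR, AA, RD, RA."""
    txid = struct.unpack("!H", query[:2])[0]
    rdata = bytes(int(o) for o in address.split("."))
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + answer


def parse_response(msg: bytes) -> dict:
    """Walk the header, QUESTION and ANSWER sections; A records come back as dotted quads."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):                               # skip the questions
        _, pos = decode_name(msg, pos)
        pos += 4                                      # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, pos = decode_name(msg, pos)
        if pos + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        pos += rdlen
        if (rtype, rclass, rdlen) == (QTYPE_A, QCLASS_IN, 4):
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0x000F, "answers": answers}


# Constructed hostile name: label "abc" at offset 12, then a pointer back to offset 12.
LOOPING_NAME = bytes(12) + b"\x03abc\xC0\x0C"

if __name__ == "__main__":
    q = build_query("juniper.cis.uab.edu")
    print(parse_response(build_response(q, "138.26.66.6")))
    print(name_is_well_formed(LOOPING_NAME, 12))
```

The pointer in `LOOPING_NAME` satisfies the slides’ rule (top bits 11, pointing backwards to an earlier label) and still never terminates; the 255-octet name limit and the hop cap are what stop the decoder. Note also that `decode_name` returns the position after the first pointer, not after the target it jumped to, which is what lets `parse_response` keep walking the record that follows.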

Part of a Wireshark trace of DNS reply to query for

juniper.cis.uab.edu

AUTHORITY and ADDITIONAL INFORMATION sections

The complete name is in the RR but it is compressed in the answer section.


23.16 Abbreviation of Domain Names

Telephone analogy:

If destination and source are in the same area, it’s (usually) not necessary to dial the area code.

Similarly, within the CIS department, juniper may be used for juniper.cis.uab.edu.

23.16 Abbreviation of Domain Names - continued

Although the human user may key in “juniper”, the client software must add the suffix before accessing the domain name system.

The DNS system allows for lookup of fully-qualified domain names only.

(In a UNIX system the file /etc/resolv.conf contains the possible values of the suffix, on its domain or search line.)

23.17 Inverse Mappings and 23.18 Pointer Queries

We have been concentrating on mapping from a machine’s domain name to its IP address.

Sometimes we need the inverse mapping (given an address, find the name).

There is a special domain in-addr.arpa for this.

For the IP address 138.26.66.6 the form of the query to the DNS system (a pointer query, record type PTR) is

6.66.26.138.in-addr.arpa

(the octets are reversed so that the hierarchy runs from the network down to the host, as it does in ordinary names), which should give the reply

juniper.cis.uab.edu

23.19 Object Types and Resource Record Contents

Recall that in reply to a query the DNS sends a copy of the relevant resource records.

DNS contains several types of resource record. Figure 23.9 lists some of them.

23.19 Object Types and Resource Record Contents - continued

A server can also return helpful information in the ADDITIONAL INFORMATION SECTION of the response.

For example, the ANSWER SECTION responding to a mail-server (MX) question contains the domain name of a mail server for the requested domain.

The ADDITIONAL INFORMATION SECTION can then provide the corresponding IP address (a type A resource record), saving the client a second query.

Wireshark trace of DNS reply to query for juniper.cis.uab.edu


23.19 Object Types and Resource Record Contents - continued

A small portion of a possible DNS database for domain cs.vu.nl


23.20 Obtaining Authority for a Subdomain

Before an organization is granted authority for a second-level domain it must agree to operate a DNS server that meets stringent standards.

The Internet authority requires that the information in every second-level domain server be replicated.

The information must appear in at least two independent name servers.

“Independent” means that the servers have no single common point of failure.

The servers

■ cannot be on the same physical network;

■ cannot obtain electrical power from the same source.

In practice, an organization must find at least one other site that agrees to run a backup server.

For UAB the backup is at deltacom.net

Q: What is the definition of independent?