DNS

Uploaded by ROHAN
DNS in the internet

■ DNS is a protocol that can be used on different platforms.
■ In the internet, the domain name space (tree) is divided into three different sections:
1. Generic domains
2. Country domains
3. Inverse domain
Generic Domains
■ The generic domain defines registered hosts according to their generic behavior.
■ Each node in the tree defines a domain, which is an index to the domain space database.
■ The first level in the generic domain section allows 14 possible labels.
■ These labels describe the organization types as listed in the next table.
Generic Domain Labels
Country domains
■ The country domains section uses two-character country abbreviations (e.g. us for United States).
■ The second labels can be organizational, or they can be more specific, national designations.
■ E.g. the United States uses state abbreviations as a subdivision of us (e.g., ca.us).
■ As shown in the figure, the address anza.cup.us can be translated to De Anza College in California in the United States.
Inverse Domain
■ The inverse domain is used to map an address to a name.
■ This may happen, for example, when a server has received a request from a client to do a task.
■ Although the server has a file that contains a list of authorized clients, only the IP address of the client (extracted from the received IP packet) is listed.
■ The server asks its resolver to send a query to the DNS server to map the address to a name, to determine if the client is on the authorized list.
■ This type of query is called an inverse or pointer (PTR) query.
■ To handle a pointer query, the inverse domain is added to the domain name space with the first-level node called arpa (for historical reasons). The second level is also one single node, named in-addr (for inverse address).
■ The rest of the domain defines the IP address.
Registrar
■ New domains are added to DNS through a registrar, a commercial entity accredited by ICANN (Internet Corporation for Assigned Names and Numbers).
■ A registrar first verifies that the requested domain name is unique and then enters it into the DNS database.
■ A fee is charged.
■ Today there are many registrars; their names and addresses can be found at http://www.intenic.net
■ To register, the organization needs to give the name of its server and the IP address of the server.
■ E.g. a new commercial organization named wonderful with a server named ws and IP address 200.200.200.5 needs to give the following information to one of the registrars:
  ■ Domain Name: ws.wonderful.com
  ■ IP address: 200.200.200.5
Resolution
Mapping a name to an address or an address to a name is called name-address resolution.
Resolver:
■ DNS is designed as a client-server application.
■ A host that needs to map an address to a name or a name to an address calls a DNS client called a resolver.
■ The resolver accesses the closest DNS server with a mapping request.
■ If the server has the information, it satisfies the resolver; otherwise, it either refers the resolver to other servers or asks other servers to provide the information.
■ After the resolver receives the mapping, it interprets the response to see if it is a real resolution or an error, and finally delivers the result to the process that requested it.
Mapping names to addresses
■ Most of the time, the resolver gives a domain name to the server and asks for the corresponding address.
■ In this case the server checks the generic domains or the country domains to find the mapping.
■ If the domain name is from the generic section, the resolver receives a domain name such as "chal.atc.fhda.edu".
■ The query is sent by the resolver to the local DNS server for resolution.
■ If the local server cannot resolve the query, it either refers the resolver to other servers or asks other servers directly.
■ If the domain name is from the country domain section, the resolver receives a domain name such as "ch.fhda.cu.ca.us".
■ The procedure is the same.
Mapping addresses to names
■ A client can send an IP address to a server to be mapped to a domain name (PTR query).
■ To answer queries of this kind, DNS uses the inverse domain.
■ In this request, the IP address is reversed and two labels, in-addr and arpa, are appended to create a domain acceptable to the inverse domain section.
■ E.g. if the resolver receives the IP address 132.34.45.121, the resolver first inverts the address and then adds the two labels before sending.
■ The domain name sent is "121.45.34.132.in-addr.arpa.", which is received by the local DNS server and resolved.
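As an added example (not part of the slides), the reversal described above in Python, generalized to IPv6 (which reverses hex nibbles under ip6.arpa rather than octets under in-addr.arpa) and paired with the inverse step a server answering PTR queries needs: recovering and validating the address from a query name. The ipaddress module is used only to validate addresses.

```python
import ipaddress


def reverse_name(address: str) -> str:
    """Build the PTR query name for an address.

    IPv4: reverse the four decimal octets and append in-addr.arpa,
    as in the 132.34.45.121 example. IPv6 (added generalization):
    reverse the 32 hex nibbles and append ip6.arpa.
    """
    ip = ipaddress.ip_address(address)  # raises ValueError on malformed input
    if ip.version == 4:
        labels = str(ip).split(".")
        suffix = ".in-addr.arpa."
    else:
        # exploded gives all 8 four-digit groups; one nibble per label
        labels = list(ip.exploded.replace(":", ""))
        suffix = ".ip6.arpa."
    return ".".join(reversed(labels)) + suffix


def parse_reverse_name(name: str):
    """Inverse of reverse_name: recover the address from a PTR query name.

    Returns an ipaddress object, or raises ValueError for names that are
    not well-formed reverse names (wrong suffix, wrong label count, bad
    octets or nibbles), so a server never trusts a malformed query name.
    """
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        # ip_address validates that each octet is 0..255
        return ipaddress.ip_address(".".join(reversed(labels[:-2])))
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        nibbles = "".join(reversed(labels[:-2]))
        if len(nibbles) != 32:
            raise ValueError("ip6.arpa labels must be single nibbles")
        groups = [nibbles[i:i + 4] for i in range(0, 32, 4)]
        return ipaddress.ip_address(":".join(groups))
    raise ValueError(f"not a reverse name: {name!r}")
```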
Recursive Resolution
■ The client (resolver) can ask for a recursive answer from a name server.
■ This means that the resolver expects the server to supply the final answer.
■ If the server is the authority for the domain name, it checks its database and responds.
■ If the server is not the authority, it sends the request to another server (usually the parent) and waits for the response.
■ If the parent is the authority, it responds; otherwise it sends the query to yet another server.
■ When the query is finally resolved, the response travels back until it finally reaches the requesting client.
Recursive Resolution
Iterative resolution
■ If the client does not ask for a recursive answer, the mapping can be done iteratively.
■ If the server is an authority for the name, it sends the answer. If it is not, it returns (to the client) the IP address of the server that it thinks can resolve the query.
■ The client is responsible for repeating the query to this second server.
■ If the newly contacted server can resolve the problem, it answers the query with the IP address; otherwise it returns the IP address of a new server to the client.
■ Now the client must repeat the query to the third server.
■ This process is called iterative because the client repeats the same query to multiple servers.
■ In the next figure the client queries five servers before it gets an answer from the mcgraw.com server.
ITERATIVE RESOLVING
Caching
■ Each time a server receives a query for a name that is not in its domain, it needs to search its database for a server IP address.
■ Reducing this search time would increase efficiency.
■ DNS handles this with a mechanism called caching.
■ When a server asks for a mapping from another server and receives the response, it stores this information in its cache memory before sending it to the client.
■ If the same or another client asks for the same mapping, it can check its cache memory and resolve the problem.
■ However, to inform the client that the response is coming from the cache memory and not from an authoritative source, the server marks the response as unauthoritative.
■ Caching speeds up the resolution, but it can also be problematic.
■ If a server caches a mapping for a long time, it may send an outdated mapping to the client.
■ To counter this, two techniques are used:
1. The authoritative server always adds information to the mapping called time-to-live (TTL). It defines the time in seconds that the receiving server can cache the information. After that time, the mapping is invalid and any query must be sent again to the authoritative server.
2. DNS requires that each server keep a TTL counter for each mapping it caches. The cache memory must be searched periodically and those mappings with an expired TTL must be purged.
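Added example (not from the slides): a small resolver cache in Python that applies both techniques above. Entries carry the TTL the authoritative server supplied, a TTL of zero is never cached, lookups report the answer as unauthoritative, expired entries are never served, and a periodic sweep purges them. The clock is injectable so the expiry behaviour can be checked without waiting; the names and addresses used in the test are constructed.

```python
import time


class DnsCache:
    """Resolver-side cache keyed by (name, record type)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable for testing (assumption)
        self._entries = {}           # (name, rtype) -> (rdata, expires_at)

    @staticmethod
    def _key(name, rtype):
        # names are case-insensitive; the trailing dot is not significant
        return (name.lower().rstrip("."), rtype)

    def store(self, name, rtype, rdata, ttl):
        """Cache a mapping for ttl seconds (technique 1).

        A TTL of 0 means the record is valid for a single transaction
        only, so such answers are deliberately not stored."""
        if ttl <= 0:
            return
        self._entries[self._key(name, rtype)] = (rdata, self._clock() + ttl)

    def lookup(self, name, rtype):
        """Return (rdata, authoritative, remaining_ttl) or None.

        authoritative is always False for a cached answer, mirroring the
        unauthoritative marking described above. An entry whose TTL has
        run out is dropped on sight instead of being served as an
        outdated mapping."""
        key = self._key(name, rtype)
        hit = self._entries.get(key)
        if hit is None:
            return None
        rdata, expires_at = hit
        remaining = expires_at - self._clock()
        if remaining <= 0:
            del self._entries[key]
            return None
        return rdata, False, int(remaining)

    def purge_expired(self):
        """Periodic sweep (technique 2): remove every mapping whose TTL
        counter has expired. Returns the number of entries purged."""
        now = self._clock()
        stale = [k for k, (_, exp) in self._entries.items() if exp <= now]
        for k in stale:
            del self._entries[k]
        return len(stale)

    def __len__(self):
        return len(self._entries)
```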
DNS Messages
■ DNS has two types of messages: query and response. Both types have the same format.
Header Formats
■ Both query and response messages have the same header format, with some fields set to zero for the query messages.
■ The header is 12 bytes, and its format is shown in the above figure.
■ Identification: 16-bit field used by the client to match the response with the query. The client uses a different identification number each time it sends a query. The server duplicates this number in the corresponding response.
■ Flags: this is a 16-bit field consisting of the subfields shown in the next figure.
Flag Fields
a) QR (query/response): 1-bit subfield that defines the type of the message. If QR = 0, query message; if QR = 1, response message.
b) Opcode: 4-bit subfield that defines the type of query or response (0 = standard, 1 = inverse, 2 = server status request).
c) AA (authoritative answer): 1-bit subfield; when it is set (value 1), it means the name server is an authoritative server. It is used only in response messages.
d) TC (truncated): 1-bit subfield; when it is set (value 1), it means that the response was more than 512 bytes and was truncated to 512. It is used when DNS uses the services of UDP.
e) RD (recursion desired): 1-bit subfield; when it is set (value 1), it means the client desires a recursive answer. It is set in the query message and repeated in the response message.
f) RA (recursion available): 1-bit subfield; when it is set in the response, it means that a recursive response is available. It is set only in the response message.
g) Reserved: 3-bit subfield set to 000.
h) rcode: 4-bit field that shows the status of the error in the response. Only an authoritative server can make such a judgment. The next table shows the possible values for this field.
Values of rcode:
Value  Meaning
0      No error
1      Format error
2      Problem at name server
3      Domain reference problem
4      Query type not supported
5      Administratively prohibited
6-15   Reserved
■ Number of question records: 16-bit field containing the number of queries in the question section of the message.
■ Number of answer records: 16-bit field containing the number of answer records in the answer section of the response message. Its value is zero in the query message.
■ Number of authoritative records: 16-bit field containing the number of authoritative records in the authoritative section of a response. Its value is zero in the query message.
■ Number of additional records: 16-bit field containing the number of additional records in the additional section of a response message. Its value is zero in the query message.
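Added example (not from the slides): the 12-byte header and its flag subfields packed and unpacked in Python, plus the two checks a resolver makes before trusting a response: that QR marks it as a response and that the identification matches the query it sent. The rcode-to-meaning table is the one above; identification values in the test are constructed.

```python
import struct
from dataclasses import dataclass

HEADER = struct.Struct("!HHHHHH")   # six big-endian 16-bit fields = 12 bytes

RCODE_MEANING = {0: "No error", 1: "Format error", 2: "Problem at name server",
                 3: "Domain reference problem", 4: "Query type not supported",
                 5: "Administratively prohibited"}   # 6-15 are reserved


@dataclass
class Header:
    ident: int
    qr: int = 0        # 0 = query, 1 = response
    opcode: int = 0    # 0 = standard, 1 = inverse, 2 = server status request
    aa: int = 0        # authoritative answer (responses only)
    tc: int = 0        # truncated to 512 bytes over UDP
    rd: int = 0        # recursion desired (set by client, echoed in response)
    ra: int = 0        # recursion available (responses only)
    rcode: int = 0     # 4-bit error status
    qdcount: int = 0   # question records
    ancount: int = 0   # answer records (0 in a query)
    nscount: int = 0   # authoritative records (0 in a query)
    arcount: int = 0   # additional records (0 in a query)

    def flags(self) -> int:
        """Flags word layout: QR(1) Opcode(4) AA TC RD RA Z(3) rcode(4)."""
        return ((self.qr & 1) << 15 | (self.opcode & 0xF) << 11 | (self.aa & 1) << 10
                | (self.tc & 1) << 9 | (self.rd & 1) << 8 | (self.ra & 1) << 7
                | (self.rcode & 0xF))          # the 3 reserved bits stay 000

    def pack(self) -> bytes:
        return HEADER.pack(self.ident, self.flags(), self.qdcount,
                           self.ancount, self.nscount, self.arcount)

    @classmethod
    def unpack(cls, data: bytes) -> "Header":
        if len(data) < HEADER.size:
            raise ValueError("message shorter than the 12-byte DNS header")
        ident, flags, qd, an, ns, ar = HEADER.unpack_from(data)
        return cls(ident, qr=flags >> 15 & 1, opcode=flags >> 11 & 0xF,
                   aa=flags >> 10 & 1, tc=flags >> 9 & 1, rd=flags >> 8 & 1,
                   ra=flags >> 7 & 1, rcode=flags & 0xF,
                   qdcount=qd, ancount=an, nscount=ns, arcount=ar)


def check_response(query: Header, response: Header) -> str:
    """Reject anything that is not a response to *our* query, then report
    the rcode meaning so the caller can tell an answer from an error."""
    if response.qr != 1:
        raise ValueError("not a response message")
    if response.ident != query.ident:
        raise ValueError("identification mismatch: response is not for this query")
    return RCODE_MEANING.get(response.rcode, "Reserved")
```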
Types of Records
Two types of records are used in DNS: the question record and the resource record.
1. Question Record: is used by the client to get information from a server. This contains the domain name. The next figure shows the format of a question record.
Question Record format
■ Query Name: variable-length field containing a domain name. The count field refers to the number of characters in each section.
■ Query Class: 16-bit field defining the specific protocol using DNS. The next table shows the current values; we are interested only in class 1 (the internet).
Class  Mnemonic  Description
1      IN        Internet
2      CSNET     CSNET network (obsolete)
3      CS        The COAS network
4      HS        The Hesiod server developed by MIT
■ Query Type: 16-bit field defining the type of query. The next table shows some of the types commonly used. The last two can only be used in a query.
Resource Records
■ Each domain name (each node on the tree) is associated with a record called a resource record.
■ The server database consists of resource records.
■ Resource records are also what is returned by the server to the client.
■ The next figure shows the format of the resource record.
■ Domain Name: this is a variable-length field containing the domain name. It is a duplication of the domain name in the question record. Since DNS requires the use of compression everywhere a name is repeated, this field is a pointer offset to the corresponding domain name field in the question record.
■ Domain Type: this field is the same as the query type field in the question record, except that the last two types are not allowed.
■ Domain Class: this field is the same as the query class field in the question record.
■ Time-to-Live: 32-bit field that defines the number of seconds the answer is valid. The receiver can cache the answer for this period of time. A zero value means that the resource record is used only in a single transaction and is not cached.
■ Resource Data length: 16-bit field defining the length of the resource data.
■ Resource Data: variable-length field containing the answer to the query (in the answer section) or the domain name of the authoritative server (in the authoritative section) or additional information (in the additional information section). The format and contents of this field depend on the value of the type field. It can be one of the following:
a. A Number: this is written in octets. E.g. an IPv4 address is a 4-octet integer and an IPv6 address is a 16-octet integer.
b. A Domain Name: domain names are expressed as a sequence of labels. Each label is preceded by a 1-byte length field that defines the number of characters in the label. Since every domain name ends with the null label, the last byte of every domain name is zero. To distinguish between a length field and an offset pointer, the two high-order bits of a length field are always zero (00). This will not create a problem because the length of a label cannot be more than 63, which is a maximum of 6 bits (111111).
c. An Offset Pointer: a domain name can be replaced with an offset pointer. An offset pointer is a 2-byte field with each of the 2 high-order bits set to 1 (11).
d. A Character String: a 1-byte length field followed by the number of characters defined in the length field. The length field is not restricted like the domain name length field. The character string can be as long as 255 characters (including the length field).
Compression
■ DNS requires that a domain name be repeated.
■ For example, in a resource record the domain name is usually a repetition of the domain name in the question record.
■ For efficiency, DNS defines a 2-byte offset pointer that points to a previous occurrence of the domain name or part of it.
■ The format of the field is shown in the next figure.
■ First 2 bits (11): to distinguish an offset pointer from a length field.
■ 14 bits: represent a number that points to the corresponding byte number in the message.
■ For example, if an offset pointer refers to byte 12 (the 13th byte) of the message, the value should be 1100000000001100.
■ Here the 2 leftmost bits define the field as an offset pointer and the other bits define the decimal number 12.
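Added example (not from the slides) covering both the label/pointer encoding of the Resource Data section and the compression scheme above: an encoder that emits length-prefixed labels and replaces an already-seen suffix with a 2-byte pointer (11 + 14-bit offset), and a decoder that follows pointers. Because a message is attacker-controlled input, the decoder only accepts pointers that move backwards, so a pointer that refers to itself or forwards raises instead of looping forever; the test builds a message around the name chal.fhda.edu from Example 1 with constructed padding.

```python
MAX_LABEL = 63          # a length byte uses at most 6 bits (111111)
POINTER_MASK = 0xC0     # two high-order bits 11 mark an offset pointer


def encode_name(name: str, offsets: dict, base: int) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a null label.

    `offsets` maps a suffix such as 'fhda.edu' to the byte number where it
    already occurs in the message; the first suffix found is replaced by a
    pointer and encoding stops. `base` is the byte number this name will
    occupy, so the suffixes it introduces are recorded for later names."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in offsets:
            out += (POINTER_MASK << 8 | offsets[suffix]).to_bytes(2, "big")
            return bytes(out)
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError(f"bad label length: {label!r}")
        offsets[suffix] = base + len(out)
        out += bytes([len(raw)]) + raw
    out += b"\x00"                          # null label terminates the name
    return bytes(out)


def decode_name(msg: bytes, pos: int):
    """Decode the name at msg[pos]; returns (name, byte number after it).

    Pointers must point strictly backwards, which guarantees termination on
    any input (a self- or forward-pointing offset is rejected)."""
    labels, jumped, end = [], False, pos
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & POINTER_MASK == POINTER_MASK:
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = (length & 0x3F) << 8 | msg[pos + 1]
            if target >= pos:
                raise ValueError("pointer does not point backwards")
            if not jumped:
                end = pos + 2               # the name ends after the first pointer
            jumped, pos = True, target
            continue
        if length & POINTER_MASK:
            raise ValueError("length byte with high bits 01 or 10 is reserved")
        pos += 1
        if length == 0:
            break
        if length > MAX_LABEL or pos + length > len(msg):
            raise ValueError("bad label length")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    if not jumped:
        end = pos
    return ".".join(labels) + ".", end
```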
Example 1
A resolver sends a query message to a local server to find the IP address for the host "chal.fhda.edu.". We discuss the query and response messages separately.
Example of a query message
Solution of Example 1 (continued)
Example of a response message
Example 2
An FTP server has received a packet from an FTP client with IP address 153.2.7.9. The FTP server wants to verify that the FTP client is an authorized client.
Example of inverse query message
Solution of Example 2 (continued)
Example of inverse response message
Encapsulation
■ DNS can use either a UDP or a TCP connection; the well-known port used by the server is port 53.
■ UDP is used when the size of the response message is less than 512 bytes because most UDP packages have a 512-byte packet size limit.
■ If the size of the response message is more than 512 bytes, a TCP connection is used.
■ In that case, one of two scenarios can occur:
  ■ If the resolver has prior knowledge that the size of the response message is more than 512 bytes, it uses the TCP connection. E.g., if a secondary name server (acting as a client) needs a zone transfer from a primary server, it uses the TCP connection because the size of the information being transferred usually exceeds 512 bytes.
  ■ If the resolver does not know the size of the response message, it can use the UDP port.
  ■ However, if the size of the response message is more than 512 bytes, the server truncates the message and turns on the TC bit.
  ■ The resolver now opens a TCP connection and repeats the request to get a full response from the server.
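Added example (not from the slides): the two scenarios above as resolver logic in Python. The UDP and TCP transports are passed in as callables (an assumption made so the logic runs offline); over TCP each DNS message is carried with a 2-byte length prefix, so framing and unframing are included, and the TC bit is read straight from the flags word of the header.

```python
import struct

DNS_PORT = 53
UDP_MAX = 512
TC_FLAG = 0x0200          # bit 9 of the 16-bit flags word


def tc_bit_set(message: bytes) -> bool:
    """True when the server truncated the response (TC = 1)."""
    if len(message) < 4:
        raise ValueError("message too short to carry the flags field")
    flags = struct.unpack_from("!H", message, 2)[0]
    return bool(flags & TC_FLAG)


def tcp_frame(message: bytes) -> bytes:
    """Over TCP a DNS message is preceded by its length as 2 bytes."""
    if len(message) > 0xFFFF:
        raise ValueError("message too long for a 16-bit length prefix")
    return struct.pack("!H", len(message)) + message


def tcp_unframe(stream: bytes):
    """Split one length-prefixed message off a TCP byte stream.

    Returns (message, remaining_bytes), or None while the stream is
    still incomplete, so a partial read is never parsed as a message."""
    if len(stream) < 2:
        return None
    length = struct.unpack_from("!H", stream)[0]
    if len(stream) < 2 + length:
        return None
    return stream[2:2 + length], stream[2 + length:]


def resolve(query: bytes, send_udp, send_tcp, expect_large: bool = False) -> bytes:
    """Scenario 1: a large answer is expected (e.g. zone transfer), use TCP
    at once. Scenario 2: try UDP first and repeat the request over TCP
    only if the UDP response came back with the TC bit set."""
    if not expect_large:
        reply = send_udp(query)
        if not tc_bit_set(reply):
            return reply                      # fits in a UDP datagram
    framed = send_tcp(tcp_frame(query))
    unframed = tcp_unframe(framed)
    if unframed is None:
        raise ValueError("incomplete TCP response")
    full, _rest = unframed
    return full
```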
Dynamic Domain Name System (DDNS)
■ The DNS master file must be updated dynamically.
■ The Dynamic Domain Name System (DDNS) is devised to respond to this need.
■ In DDNS, when a binding between a name and an address is determined, the information is sent, usually by DHCP, to a primary DNS server.
■ The primary server updates the zone.
■ The secondary servers are notified either actively or passively.
■ In active notification, the primary server sends a message to the secondary servers about the change in the zone.
■ In passive notification, the secondaries periodically check for any changes.
■ In either case, after being notified about the change, the secondary requests information about the entire zone (zone transfer).
■ To provide security and prevent unauthorized changes in the DNS records, DDNS can use an authentication mechanism.
Security of DNS
■ DNS can be attacked in several ways, including:
1. The attacker may read the response of a DNS server to find the nature or names of sites the user mostly accesses. This type of information can be used to build the user's profile. To prevent this attack, DNS messages need to be confidential.
2. The attacker may intercept the response of a DNS server and change it, or create a totally new bogus response to direct the user to the site or domain the attacker wishes the user to access. This type of attack can be prevented using message origin authentication and message integrity.
3. The attacker may flood the DNS server to overwhelm it or eventually crash it. This type of attack can be prevented using the provisions against denial-of-service attacks.
■ To protect DNS, the IETF has devised a technology named DNS Security (DNSSEC) that provides message origin authentication and message integrity using a security service called digital signature.
■ DNSSEC does not provide confidentiality for DNS messages.
■ There is no specific protection against the denial-of-service attack in the specification of DNSSEC.
■ The caching system protects the upper-level servers against this attack to some extent.
Multicast DNS
■ mDNS is also involved in the resolution of domain names to IP addresses, similar to DNS.
■ Unlike conventional DNS, the operation of mDNS is limited to the level of the local network, whereas the operation of DNS takes place at the global level.
■ In computer networking, the multicast DNS (mDNS) protocol resolves hostnames to IP addresses within small networks that do not include a local name server.
■ It was designed to work as either a stand-alone protocol or compatibly with standard DNS servers.
■ It uses IP multicast User Datagram Protocol (UDP) packets.
When an mDNS client needs to resolve a hostname, the process is:
1) It sends an IP multicast query message that asks the host having that name to identify itself.
2) That target machine then multicasts a message that includes its IP address.
3) All machines in that subnet can then use that information to update their mDNS caches.
4) Any host can relinquish its claim to a name by sending a response packet with a time to live (TTL) equal to zero.
■ By default, mDNS exclusively resolves hostnames ending with the .local top-level domain.
Packet structure
An mDNS message is a multicast UDP packet sent using the following addressing:
■ IPv4 address 224.0.0.251 or IPv6 address ff02::fb
■ UDP port 5353
■ When using Ethernet frames, the standard IP multicast MAC address 01:00:5E:00:00:FB (for IPv4) or 33:33:00:00:00:FB (for IPv6)
■ The payload structure is based on the unicast DNS packet format, consisting of two parts—the header and the data.
■ The header is identical to that found in unicast DNS, as are the sub-sections in the data part: queries, answers, authoritative-name servers, and additional records.
Queries
■ The wire format for records in the query section is slightly modified from that in unicast DNS, adding the single-bit UNICAST-RESPONSE field.
■ As in unicast DNS, the QNAME field consists of a series of length/value sub-fields called "labels". Each label represents one of the dot-separated substrings in a fully qualified domain name (FQDN). The list is terminated by either a single null byte representing the "root" of the DNS, or by a byte with the two high-order bits set (value 192) to signal an indirect pointer to another location in the message. This is known as name compression in RFC 6762.
■ The UNICAST-RESPONSE field is used to minimize unnecessary broadcasts on the network: if the bit is set, responders SHOULD send a directed unicast response directly to the inquiring node rather than broadcasting the response to the entire network.
■ The QCLASS field is identical to that found in unicast DNS.
Resource Records
■ All records in the answers, authoritative-name servers, and additional records sections have the same format and are collectively known as Resource Records (RR).
■ Resource Records in mDNS also have a slightly modified general format compared to unicast DNS:
■ The CACHE-FLUSH bit is used to instruct neighbor nodes that the record should overwrite, rather than be appended onto, any existing cached entries for this RRNAME and RRTYPE.
■ The formats of the RDATA fields are the same as those found in unicast DNS.
■ However, DNS Service Discovery (DNS-SD), the most common use case for mDNS, specifies slight modifications to some of their formats (notably TXT records).
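Added example (not from the slides) tying together the mDNS specifics above: the UNICAST-RESPONSE and CACHE-FLUSH bits are carried in the top bit of the class word of a question and of a resource record respectively, so a responder decides between a directed unicast reply and the 224.0.0.251:5353 group from the question, and a listener applies cache-flush (overwrite) versus append semantics and the TTL-0 "goodbye" from earlier in the section when updating its cache. The record values in the test are constructed; the 10-byte fixed part of an RR after the name is packed with struct.

```python
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
CLASS_IN = 1
TYPE_A = 1
TOP_BIT = 0x8000          # UNICAST-RESPONSE in QCLASS, CACHE-FLUSH in RRCLASS
RR_FIXED = struct.Struct("!HHIH")   # type, class word, ttl, rdlength


def split_class(word: int):
    """Separate the 15-bit class from the flag carried in the top bit."""
    return word & 0x7FFF, bool(word & TOP_BIT)


def response_destination(qclass_word: int, querier_addr: str, querier_port: int):
    """Where a responder sends its answer: directly to the inquiring node
    when the UNICAST-RESPONSE bit is set, otherwise to the multicast group."""
    _, unicast_requested = split_class(qclass_word)
    if unicast_requested:
        return querier_addr, querier_port
    return MDNS_GROUP, MDNS_PORT


def pack_rr_fixed(rtype: int, rclass: int, ttl: int, rdata: bytes, cache_flush: bool) -> bytes:
    """Fixed RR fields following the name, with CACHE-FLUSH folded into the class."""
    word = rclass | (TOP_BIT if cache_flush else 0)
    return RR_FIXED.pack(rtype, word, ttl, len(rdata)) + rdata


def unpack_rr_fixed(data: bytes, pos: int = 0):
    rtype, word, ttl, rdlength = RR_FIXED.unpack_from(data, pos)
    pos += RR_FIXED.size
    if pos + rdlength > len(data):
        raise ValueError("rdlength exceeds the message")
    rclass, flush = split_class(word)
    return rtype, rclass, ttl, flush, data[pos:pos + rdlength]


def apply_record(cache: dict, name: str, rtype: int, ttl: int, flush: bool, rdata: bytes):
    """Update a listener's cache. cache maps (name, type) to a list of rdata.

    TTL 0 is a goodbye: the sender relinquishes that value. CACHE-FLUSH
    replaces everything cached for this name and type; otherwise the value
    is appended (once)."""
    key = (name.lower().rstrip("."), rtype)
    if ttl == 0:
        values = [v for v in cache.get(key, []) if v != rdata]
        if values:
            cache[key] = values
        else:
            cache.pop(key, None)
        return
    if flush:
        cache[key] = [rdata]
    elif rdata not in cache.setdefault(key, []):
        cache[key].append(rdata)
```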
