Domain Name System (DNS)
DNS is a client/server application program used to help
other application programs.
DNS is used to map a host name (Internet domain name) in
the application layer to an IP address in the network layer
and vice versa.
TCP/IP protocols use the IP address, which uniquely
identifies the connection of a host to the Internet.
However, people prefer to use names instead of numeric
addresses.
Therefore, we need a system that can map a name to an
address or an address to a name.
For example, if someone types example.com into a web
browser, a server will map that name to the corresponding IP
address, something similar in structure to 121.12.12.121.
When the Internet was small, mapping was done using a host
file. The host file had only two columns:
Host name and IP address.
Every host could store the host file on its disk and update it
periodically from a master host file.
As the Internet expanded, the host file became too large to be
stored on every host. In addition, it would be impossible to
update all host files every time a change occurred.
The solution, the one used today, is to divide this huge amount
of information into smaller parts and store each part on a
different computer (DNS computer).
In this method, the host that needs mapping can contact the
closest computer holding the needed information.
This method is used by the Domain Name System (DNS)
protocol.
Figure below shows how TCP/IP uses a DNS client and a
DNS server to map a name of the file transfer server to an
IP address in order to connect with the file transfer client;
the reverse mapping is similar.
Host Name Space (application layer)
The names assigned to a host must be unique because the IP
addresses are unique.
A name space can be organized in two ways:
flat or hierarchical.
Flat Name Space
A name in this space is a sequence of characters without
structure.
The main disadvantage of a flat name space is that it
cannot be used in a large system such as the Internet
because it must be centrally controlled to avoid ambiguity
and duplication.
Hierarchical Name Space
In a hierarchical name space, each name is made of
several parts.
The first part can define the nature of the organization,
the second part can define the name of an organization,
the third part can define departments in the
organization, and so on.
In this case, the authority to assign and control the name
spaces can be decentralized.
For example, assume two colleges and a company call one
of their computers challenger.
The first college is given a name such as fhda.edu,
the second college is given the name berkeley.edu, and
the company is given the name smart.com.
When each of these organizations adds the name challenger
to the name they have already been given, the end result is
three distinguishable names:
challenger.fhda.edu,
challenger.berkeley.edu, and
challenger.smart.com.
In Domain Name Space, the names are defined in an
inverted-tree structure with the root at the top.
The tree can have only 128 levels: level 0 (root) to level
127 (see Figure below).
However, the maximum length of a Fully Qualified
Domain Name (FQDN) is 255 bytes (including all levels
with dots between them).
The number of levels in real-world use is usually no more
than 8-10 levels, for reasons of management and clarity.
DNS MESSAGES
DNS has two types of messages: query and response.
Both types have the same format.
The query message consists of a header and question
records; the response message consists of a header, question
records, answer records, authoritative records, and
additional records (see Figure below).
Header
Both query and response messages have the same header
format with some fields set to zero for the query messages.
The header is 12 bytes and its format is shown in Figure below.
The header fields are as follows:
❑ Identification. This is a 16-bit field used by the client to
match the response with the query. The client uses a different
identification number each time it sends a query. The server
copies this number into the corresponding response.
❑ Flags. This is a 16-bit field consisting of the subfields shown in
Figure below.
A brief description of each flag subfield follows:
QR (query/response). This is a 1-bit subfield that defines the type
of message. If it is 0, the message is a query. If it is 1, the message
is a response.
OpCode. This is a 4-bit subfield that defines the type of query or
response.
A 4-bit field can represent 16 possible values (0-15),
but not all of them are used.
Common values are:
0: Standard query (QUERY).
1: Reverse query (IQUERY), rarely used anymore.
2: Server status request (STATUS).
The other values (3-15) are either reserved or set aside for
future or special use.
AA (authoritative answer). This is a 1-bit subfield. When it
is set (value of 1) it means that the name server is an
authoritative server. It is used only in a response message.
TC (truncated). This is a 1-bit subfield. When it is set (value
of 1), it means that the response was more than 512 bytes and
truncated to 512.
RD (recursion desired). This is a 1-bit
subfield. When it is set (value of 1) it means the client desires
a recursive answer. Recursion desired (RD=1) means the client
asks the server to look up the entire answer on its behalf, and is the
most common option for regular users. It is set in the query
message and repeated in the response message.
RA (recursion available). This is a 1-bit subfield. When it is
set in the response, it means that a recursive response is
available. It is set only in the response message.
Reserved. This is a 3-bit subfield set to 000.
rCode. This is a 4-bit subfield that gives the error status of
the response.
Table below shows the possible values for this field.
❑ Number of question records. This is a 16-bit field
containing the number of queries in the question section of
the message.
❑ Number of answer records. This is a 16-bit field
containing the number of answer records in the answer
section of the response message. Its value is zero in
the query message.
❑ Number of authoritative records. This is a 16-bit
field containing the number of authoritative records in
the authoritative section of a response message. Its value
is zero in the query message.
❑ Number of additional records. This is a 16-bit field
containing the number of additional records in the
additional section of a response message. Its value is
zero in the query message.
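The 12-byte header described above, as an added Python example (not code from the lecture): it builds a query header, decodes a response header into the fields named on the slides, and applies the checks a client should make before trusting a response, including matching the Identification field against its own query. The two sample headers are constructed for this example, and the rCode names are the RFC 1035 values, since the slides' rCode table is not reproduced here.

```python
import struct

# Constructed sample: header of a standard query, Identification 0x1234,
# flags 0x0100 (only RD set), one question record, all other counts zero.
QUERY_HEADER = bytes.fromhex("123401000001000000000000")
# Constructed sample: the matching response, flags 0x8180 (QR, RD, RA set,
# rCode 0), one question record and two answer records.
RESPONSE_HEADER = bytes.fromhex("123481800001000200000000")

OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}
# rCode values as defined in RFC 1035 (the lecture's table is not reproduced).
RCODE_NAMES = {0: "no error", 1: "format error", 2: "server failure",
               3: "name error", 4: "not implemented", 5: "refused"}


def parse_header(data: bytes) -> dict:
    """Split a 12-byte DNS header into the fields listed on the slides."""
    if len(data) < 12:
        raise ValueError("DNS header must be 12 bytes")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 0x1,        # 1 bit: 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,    # 4 bits: QUERY / IQUERY / STATUS
        "aa": (flags >> 10) & 0x1,        # authoritative answer
        "tc": (flags >> 9) & 0x1,         # truncated
        "rd": (flags >> 8) & 0x1,         # recursion desired
        "ra": (flags >> 7) & 0x1,         # recursion available
        "reserved": (flags >> 4) & 0x7,   # 3 bits, must be 000
        "rcode": flags & 0xF,             # 4 bits: error status
        "qdcount": qdcount, "ancount": ancount,
        "nscount": nscount, "arcount": arcount,
    }


def build_query_header(ident: int, rd: bool = True, qdcount: int = 1) -> bytes:
    """Build a query header: QR=0, OpCode=0 (QUERY), RD as requested, other counts zero."""
    flags = (1 << 8) if rd else 0
    return struct.pack("!HHHHHH", ident & 0xFFFF, flags, qdcount, 0, 0, 0)


def check_response(query: bytes, response: bytes) -> list:
    """Return the reasons a client should not accept this response for that query (empty list = accept)."""
    q, r = parse_header(query), parse_header(response)
    problems = []
    if r["id"] != q["id"]:
        problems.append("identification does not match the query")
    if r["qr"] != 1:
        problems.append("QR bit not set: this is not a response")
    if r["opcode"] != q["opcode"]:
        problems.append("OpCode differs from the query")
    if r["rd"] != q["rd"]:
        problems.append("RD bit not repeated from the query")
    if r["reserved"] != 0:
        problems.append("reserved bits are not 000")
    if r["qdcount"] != q["qdcount"]:
        problems.append("question count differs from the query")
    if r["tc"]:
        problems.append("TC set: response exceeded 512 bytes and was truncated")
    if r["rcode"] != 0:
        problems.append("rCode %d (%s)" % (r["rcode"], RCODE_NAMES.get(r["rcode"], "reserved")))
    return problems


if __name__ == "__main__":
    assert build_query_header(0x1234) == QUERY_HEADER
    for field, value in parse_header(RESPONSE_HEADER).items():
        print(field, value)
    print("problems:", check_response(QUERY_HEADER, RESPONSE_HEADER))
```

A response whose Identification field does not match the outstanding query is dropped by check_response; that is the client-side half of the Identification mechanism the slides describe, and it is also why a client should use a fresh, unpredictable identification number for each query.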
Question Section
This is a section consisting of one or more question
records. It is present in both query and response
messages.
Answer Section
This is a section consisting of one or more resource records.
It is present only on response messages. This section includes
the answer from the server to the client.
Authoritative Section
This section contains information about authoritative name
servers that can answer the query if the current server is
unable to provide an authoritative answer. It is present only
in response messages.
Additional Information Section
This is a section consisting of one or more resource records.
It is present only on response messages. This section provides
additional information that may help the DNS client.
Types of records
Two types of records are used in DNS.
The question records are used in the question
section of the query and response messages.
The resource records are used in the answer,
authoritative, and additional information sections
of the response message.
1-Question Record
A question record is used by the client to get information
from a server. It contains the domain name.
Figure below shows the format of a question record.
❑ Query name. This is a variable-length field containing
a domain name (see Figure below).
The name is stored as a sequence of labels, each preceded by
a count field giving the number of characters in that label.
❑ Query type. This is a 16-bit field defining the type of
query. Table below shows some of the types commonly
used. The last two can only be used in a query.
❑ Query class. This is a 16-bit field defining the specific
context or protocol using DNS.
Table below shows the current values.
In this lecture we are interested only in class 1 (the Internet).
Class  Mnemonic  Description
1      IN        The most commonly used class; it refers to the Internet and is used in most queries.
2      CS        An old class used with the CSNET network. It was created in the early 1980s to extend the benefits of networking to computer science departments at universities and research institutions that could not connect directly to the ARPANET.
3      CH        CHAOS. Used for special purposes, such as debugging or querying internal information about the DNS server itself.
4      HS        Hesiod is a naming system designed to facilitate the management of information on local networks, such as user names, passwords, or locations of services (such as mail or files). It is not currently common and was developed in the 1980s by MIT (Massachusetts Institute of Technology).
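The question record described above (count-prefixed query name, 16-bit query type, 16-bit query class), as an added Python example that is not part of the lecture: it encodes a name such as challenger.fhda.edu into its count-prefixed labels, enforces the 255-byte FQDN limit from the name-space slides, and parses a question record back while rejecting input that runs past the end of the message. The class values are the ones in the table above; the type values are a few standard RFC 1035 codes, since the lecture's type table is not reproduced here, and the 63-byte label limit is the RFC 1035 limit rather than something the slides state.

```python
import struct

# Query class values from the lecture's table.
QCLASSES = {"IN": 1, "CS": 2, "CH": 3, "HS": 4}
# A few query type values from RFC 1035 (the lecture's type table is not
# reproduced). AXFR and ANY are the "last two" that appear only in a query.
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
          "AXFR": 252, "ANY": 255}

MAX_FQDN_BYTES = 255   # slide: maximum FQDN length, dots included
MAX_LABEL_BYTES = 63   # RFC 1035 limit; the count byte's top two bits are reserved


def encode_name(name: str) -> bytes:
    """Encode a domain name as count-prefixed labels terminated by a zero count."""
    name = name.rstrip(".")
    if len(name.encode("ascii")) > MAX_FQDN_BYTES:
        raise ValueError("FQDN longer than %d bytes" % MAX_FQDN_BYTES)
    out = bytearray()
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not raw or len(raw) > MAX_LABEL_BYTES:
            raise ValueError("bad label %r" % label)
        out.append(len(raw))   # count field: number of characters in this label
        out += raw
    out.append(0)              # zero count marks the root and ends the name
    return bytes(out)


def is_valid_fqdn(name: str) -> bool:
    """True if the name can be encoded within the limits above."""
    try:
        encode_name(name)
        return True
    except (ValueError, UnicodeEncodeError):
        return False


def decode_name(data: bytes, offset: int = 0) -> tuple:
    """Read a count-prefixed name at offset; return (name, offset after the name)."""
    labels = []
    while True:
        if offset >= len(data):
            raise ValueError("name runs past the end of the message")
        count = data[offset]
        offset += 1
        if count == 0:
            break
        if count & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        label = data[offset:offset + count]
        if len(label) != count:
            raise ValueError("label runs past the end of the message")
        labels.append(label.decode("ascii"))
        offset += count
    return ".".join(labels), offset


def build_question(name: str, qtype: str = "A", qclass: str = "IN") -> bytes:
    """Question record = query name + 16-bit query type + 16-bit query class."""
    return encode_name(name) + struct.pack("!HH", QTYPES[qtype], QCLASSES[qclass])


def parse_question(data: bytes, offset: int = 0) -> tuple:
    """Parse one question record; return (record dict, offset after it)."""
    name, offset = decode_name(data, offset)
    if offset + 4 > len(data):
        raise ValueError("question record truncated")
    qtype, qclass = struct.unpack_from("!HH", data, offset)
    return {"qname": name, "qtype": qtype, "qclass": qclass}, offset + 4


if __name__ == "__main__":
    q = build_question("challenger.fhda.edu")
    print(q.hex())            # 0a6368616c6c656e676572 04 66686461 03 656475 00 0001 0001
    print(parse_question(q))
```

Every length check in decode_name matters: a count byte that claims more characters than remain in the message is exactly the kind of malformed input a resolver must reject instead of reading past the buffer.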
2-Resource Record (RR)
Each domain name (each node on the tree) is associated with a
record called the resource record.
RRs are the basic building blocks of host-name data and are used to resolve
all DNS queries.
A Resource Record (RR) is a data structure that contains information associated with
a particular DNS domain name. Resource Records are used to store various types of
information about a domain, and they are an essential part of DNS data.
DDNS
• When the DNS was designed, no one predicted that there
would be so many address changes.
• In DNS, when there is a change, such as adding a new
host, removing a host, or changing an IP address, the
change must be made to the DNS master file.
• These types of changes involve a lot of manual updating.
• The size of today’s Internet does not allow for this kind
of manual operation.
• The DNS master file must be updated dynamically.
• The Dynamic Domain Name System (DDNS) therefore
was devised to respond to this need.
• To provide security and prevent unauthorized changes in
the DNS records, DDNS can use an authentication
mechanism.
SECURITY OF DNS
• DNS is one of the most important systems in the Internet
infrastructure; it provides crucial services to the Internet
users.
• Applications such as Web access or e-mail are heavily
dependent on the proper operation of DNS.
• DNS can be attacked in several ways including:
• 1. The attacker may read the response of a DNS server
to find the names of sites the user mostly accesses.
• This type of information can be used to build the user's
profile. To prevent this attack, DNS messages need to be
confidential.
• 2. The attacker may intercept the response of a DNS
server and change it, or create a totally new false
response to direct the user to the site or domain the
attacker wishes the user to access.
• This type of attack can be prevented using message origin
authentication and message integrity.
• 3. The attacker may flood the DNS server to overwhelm
it or eventually crash it. This type of attack can be
mitigated using the provisions against denial-of-service
attacks.
• To protect DNS, IETF has devised a technology named
DNS Security (DNSSEC) that provides message
origin authentication and message integrity using a
security service called digital signature.
• DNSSEC, however, does not provide confidentiality
for the DNS messages.
• There is no specific protection against the denial-of-
service attack in the specification of DNSSEC.