AN OVERVIEW OF
DNS ECOSYSTEM
WWW.NIRA.ORG.NG
Muhammed Rudman
Internet eXchange Point of Nigeria (IXPN)
www.ixp.net.ng
NIRA Registrar Training
TOPICS
1. History Of The Internet
2. Introduction To The Domain Name System (DNS)
3. Domain Name System Security Extensions (DNSSEC) Overview
4. The DNS Ecosystem
5. Questions & Answers
HISTORY OF THE INTERNET
ARPANET created by DARPA in 1967
The first IMP at UCLA in 1969 connected to a second node at Stanford Research Institute (SRI).
After these tests, more nodes were added to ARPANET and by the end of 1969 four nodes formed ARPANET [5]. From this point on the Internet started to grow.
However, more work was needed to incorporate the host-to-host protocol into ARPANET. The first host-to-host protocol, called Network Control Protocol (NCP), was developed by the Network Working Group (NWG) in 1970. But NCP did not have "the ability to address networks further downstream than a destination IMP on the ARPANET".
Kahn then developed what later became the Transmission Control Protocol/Internet Protocol (TCP/IP).
As the number of nodes increased, more universities joined the exclusive club, and ARPANET became not only a research facilitator, but also a free, federally funded postal system for electronic mail.
THE DEVELOPMENT OF THE INTERNET CONT.
In 1984, the U.S. National Science Foundation (NSF) joined ARPANET in starting its own network code named NSFNET. NSFNET set a new pace in nodes, bandwidth, speed and upgrades.
This NSF-funded network brought the Internet within the reach of many universities throughout the USA and internationally that could not otherwise afford the costs, and many government agencies joined in. At this point other countries and regions were establishing their own networks.
With so much success and fanfare, ARPANET ceased to exist in 1989.
As the number of nodes on the Internet climbed into hundreds of thousands worldwide, the role of sponsoring agencies like ARPA and NSF became more and more marginalized. Eventually in 1994 NSF also ceased its support of the Internet. The Internet by now needed no helping hand since it had assumed a momentum of its own.
Internet Assigned Numbers Authority (IANA) was established informally as a reference to various technical functions for the ARPANET.
IANA is the institution which runs TLDs and deals with assignment of IP addresses and other related attributes.
IANA was managed mostly by Jon Postel and Joyce Reynolds.
Internet Corporation for Assigned Names and Numbers (ICANN) was formed on 25th November, 1988.
14th March, 2014 - NTIA announces intent to transition key Internet domain name functions.
THE DEVELOPMENT OF THE INTERNET CONT.
MAJOR INTERNET MILESTONES
1971 First ever email sent
1978 First ever spam email sent
1985 first domain registered – symbolics.com
1989 World Wide Web (Invented)
1991 First ever web site built and put online on 6th August
1993 WWW technology made available on a royalty-free basis on 30th April by CERN
1993 First ever primitive search engine created W3Catalog (W3C) on September 2nd.
For more additional Internet milestones read Hobbes' Internet Timeline on RFC 2235
HISTORY OF DNS
1970’s ARPANET
1980’s NSFNET
– Host.txt maintained by the SRI-NIC
– pulled from a single machine
– Problems
• traffic and load
• Name collisions
• Consistency
DNS created in 1983 by Paul Mockapetris (RFCs 882 & 883 described the DNS; these RFCs were superseded by RFCs 1034 & 1035), then modified, updated, and enhanced by a myriad of subsequent RFCs.
INTRODUCTION TO DNS
COMPUTERS USE IP ADDRESSES. WHY DO WE NEED NAMES?
Every computer on the Internet has a unique address – just like a telephone number – which is a rather complicated string of numbers. More complicated with IPv6.
Names are easier for people to remember, because it is hard to remember everyone's IP address.
Computers may be moved between networks, in which case their IP address will change.
The DNS makes it easier by allowing a familiar string of letters (the "domain name") to be used instead of the arcane IP address.
So instead of typing 52.24.164.21, you can type www.nigeria.gov.ng. It is a "mnemonic" device that makes addresses easier to remember.
OLD SOLUTION: HOSTS.TXT
A centrally-maintained file, distributed to all hosts on the Internet
This feature still exists:
/etc/hosts [Unix]
c:\windows\system32\drivers\etc\hosts [Windows]
Example entries (IP address followed by host name):
196.216.148.233 IXP.ng
196.216.149.45 Print-server
192.168.1.1 File-server
NAMES AND ADDRESSES IN GENERAL
An address is how you get to an endpoint
– Typically, hierarchical (for scaling):
• 8th Floor, NCR Building,
Broad Street, Marina,
Lagos, Nigeria
"A name indicates what we seek. An address indicates where it is. A route indicates how we get there."
~ Jon Postel
THE DOMAIN NAME SYSTEM WAS BORN
DNS is a Distributed Database for holding name to IP address (and other) information
Distributed:
Shares the administration
Shares the load
Robustness and performance through:
Replication
Caching
A critical piece of Internet infrastructure
DNS IS HIERARCHICAL
[Figure: the DNS tree. The root level domain is at the top; below it the top level domains com, net, org, edu and ng; second level domains com, net and org under ng; the third level domain nira under org.ng; www and forum are subdomains of nira.org.ng.]
HOW DNS QUERY WORKS
[Figure: how a DNS query works. (1) The client sends its query to the caching name server; (2) the caching NS asks the root servers; (3) then the ng DNS servers; (4) then the nira.ng DNS servers; (5) then the mail.nira.ng DNS servers; (6) the response is returned to the client.]
How DNS works video
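The walk in the diagram above, as a simulation added here for the training (it is not code from the NIRA slides): a resolver starts at the root, receives a referral for ng., then a referral for nira.ng., and finally an answer from the nira.ng. servers. The zone contents, server addresses (from the 192.0.2.0/24 documentation range) and host names are all constructed.

```python
"""Simulated iterative DNS resolution, following referrals from the root
down to the authoritative server, as in the query diagram above.

Added example; it is not part of the NIRA slides. The zone contents and
the server addresses (192.0.2.0/24 is a documentation range) are constructed."""
from typing import Dict, List, Tuple

RRs = Dict[str, List[Tuple[str, str]]]   # owner name -> [(type, rdata), ...]

# What each simulated server knows. Owner names are fully qualified (trailing dot).
ROOT_SERVER: RRs = {
    "ng.": [("NS", "ns1.ng.")],
    "ns1.ng.": [("A", "192.0.2.1")],             # glue for the ng. delegation (constructed)
}
NG_SERVER: RRs = {
    "nira.ng.": [("NS", "ns1.nira.ng.")],
    "ns1.nira.ng.": [("A", "192.0.2.10")],       # glue for the nira.ng. delegation (constructed)
}
NIRA_SERVER: RRs = {
    "www.nira.ng.": [("A", "192.0.2.80")],       # constructed answers
    "mail.nira.ng.": [("A", "192.0.2.25")],
}
# Address -> server, standing in for sending a UDP query to that address.
SERVERS = {"192.0.2.1": NG_SERVER, "192.0.2.10": NIRA_SERVER}


def lookup(server: RRs, qname: str, qtype: str):
    """One query to one server. Returns a (kind, payload) pair where kind is
    'answer', 'nodata', 'referral' or 'nxdomain'."""
    if qname in server:
        rdata = [d for t, d in server[qname] if t == qtype]
        return ("answer", rdata) if rdata else ("nodata", [])
    # No such name here: does this server hold a delegation for an enclosing zone?
    labels = qname.split(".")
    for i in range(1, len(labels)):
        zone = ".".join(labels[i:])
        ns_names = [d for t, d in server.get(zone, []) if t == "NS"]
        if ns_names:
            glue = [d for t, d in server.get(ns_names[0], []) if t == "A"]
            return "referral", (zone, ns_names[0], glue[0] if glue else None)
    return "nxdomain", []


def resolve(qname: str, qtype: str = "A", max_hops: int = 8):
    """Start at the root and follow referrals. Returns (rdata list, chain of
    servers consulted). An empty list means no answer was found."""
    server, chain = ROOT_SERVER, ["root"]
    for _ in range(max_hops):                    # guard against referral loops
        kind, payload = lookup(server, qname, qtype)
        if kind == "answer":
            return payload, chain
        if kind != "referral":
            return [], chain
        zone, ns_name, ns_addr = payload
        if ns_addr not in SERVERS:               # delegation we cannot reach
            return [], chain
        chain.append(f"{zone} -> {ns_name} ({ns_addr})")
        server = SERVERS[ns_addr]
    return [], chain


if __name__ == "__main__":
    for name in ("www.nira.ng.", "mail.nira.ng.", "nothere.nira.ng."):
        rdata, chain = resolve(name)
        print(name, rdata, " / ".join(chain))
```

Each hop in the returned chain is exactly the information a caching name server keeps from a referral (the NS name and its glue address), which is why the later slide says NS records from referrals are cached too.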
APPROXIMATE GEOGRAPHICAL LOCATION OF ALL DNS ROOT NAME SERVERS
http://www.root-servers.org/
CONCEPT: NAME SERVERS
Name servers answer ‘DNS’ questions
Several types of name servers
– Authoritative servers
• master (primary)
• slave (secondary)
– (Caching) recursive servers
• also caching forwarders
– Mixture of functionality
CONCEPT: NAME SERVERS CONTD.
Authoritative name server
– Gives authoritative answers for one or more zones
– The master server normally loads the data from a zone file
– A slave server normally replicates the data from the master via a zone transfer
COMMONLY SEEN RRS
SOA (start of authority): used for delegation and management of the DNS itself
A (address): map hostname to IPv4 address
AAAA (address): map hostname to IPv6 address
PTR (pointer): map IP address to name
MX (mail exchanger): where to deliver mail for user@domain
CNAME (canonical name): map alternative hostname to real hostname
TXT (text): any descriptive text
NS (name server): Name servers for the domain
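The record types listed above in a small zone, plus the checks an operator wants before loading one. This example is added for the training and is not the registry's own code or data: the zone is constructed (documentation ranges 192.0.2.0/24 and 2001:db8::/32), and the checks are the usual rules from RFC 1034 (a CNAME must stand alone at its name) and RFC 2181 (an MX must not point at a CNAME), together with one SOA, NS records at the apex and address records for in-zone name servers.

```python
"""Parse a small zone written in master-file style and run the checks an
operator would want before loading it: valid addresses, exactly one SOA,
NS at the apex with address records, no CNAME sharing a name, no MX
pointing at a CNAME.

Added example, not from the slides; the zone below is constructed and uses
the documentation ranges 192.0.2.0/24 and 2001:db8::/32."""
import ipaddress
from collections import defaultdict

SAMPLE_ZONE = """\
; constructed example zone (not the real nira.org.ng data)
nira.org.ng.       86400 IN SOA   ns1.nira.org.ng. hostmaster.nira.org.ng. 2024010101 7200 900 1209600 3600
nira.org.ng.       86400 IN NS    ns1.nira.org.ng.
nira.org.ng.       86400 IN NS    ns2.nira.org.ng.
nira.org.ng.        3600 IN MX    10 mail.nira.org.ng.
nira.org.ng.        3600 IN TXT   "v=spf1 mx -all"
ns1.nira.org.ng.   86400 IN A     192.0.2.53
ns2.nira.org.ng.   86400 IN A     192.0.2.54
www.nira.org.ng.    3600 IN A     192.0.2.80
www.nira.org.ng.    3600 IN AAAA  2001:db8::80
mail.nira.org.ng.   3600 IN A     192.0.2.25
forum.nira.org.ng.  3600 IN CNAME www.nira.org.ng.
"""

# Two deliberate mistakes appended: a CNAME that shares its name with an A
# record, and a malformed IPv6 address.
BROKEN_ZONE = SAMPLE_ZONE + """\
forum.nira.org.ng.  3600 IN A     192.0.2.81
www.nira.org.ng.    3600 IN AAAA  2001:db8::zz
"""


def parse_zone(text):
    """Return [(owner, ttl, type, rdata)], ignoring ';' comments and blank lines.
    (Simplified: a ';' inside quoted TXT data would be treated as a comment.)"""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, cls, rtype, rdata = line.split(None, 4)
        if cls != "IN":
            raise ValueError(f"unsupported class {cls!r} in line: {raw}")
        records.append((owner.lower(), int(ttl), rtype.upper(), rdata))
    return records


def check_zone(records, apex):
    """Return a list of human-readable problems (an empty list means the zone looks sane)."""
    problems = []
    by_owner = defaultdict(list)
    for owner, _ttl, rtype, rdata in records:
        by_owner[owner].append((rtype, rdata))
        parser = {"A": ipaddress.IPv4Address, "AAAA": ipaddress.IPv6Address}.get(rtype)
        if parser:
            try:
                parser(rdata)
            except ValueError:
                problems.append(f"{owner}: bad {rtype} address {rdata!r}")
    apex_rrs = by_owner.get(apex, [])
    soa_count = sum(1 for t, _ in apex_rrs if t == "SOA")
    if soa_count != 1:
        problems.append(f"{apex}: expected exactly one SOA, found {soa_count}")
    ns_targets = [d for t, d in apex_rrs if t == "NS"]
    if not ns_targets:
        problems.append(f"{apex}: no NS records at the apex")
    for ns in ns_targets:
        # An in-zone name server needs an address record, otherwise the delegation has no glue
        if ns.endswith("." + apex) and not any(t in ("A", "AAAA") for t, _ in by_owner.get(ns, [])):
            problems.append(f"{ns}: in-zone NS has no A/AAAA record")
    for owner, rrs in by_owner.items():
        if "CNAME" in [t for t, _ in rrs] and len(rrs) > 1:   # RFC 1034 s3.6.2
            problems.append(f"{owner}: CNAME coexists with other records")
        for t, rdata in rrs:
            if t == "MX":
                target = rdata.split()[1]
                if "CNAME" in [x for x, _ in by_owner.get(target, [])]:   # RFC 2181 s10.3
                    problems.append(f"{owner}: MX target {target} is a CNAME")
    return problems


def soa_negative_ttl(records, apex):
    """The last SOA field (minimum) is how long a negative answer may be cached (RFC 2308)."""
    for owner, _ttl, rtype, rdata in records:
        if owner == apex and rtype == "SOA":
            return int(rdata.split()[-1])
    return None


if __name__ == "__main__":
    apex = "nira.org.ng."
    print("sample zone problems:", check_zone(parse_zone(SAMPLE_ZONE), apex))
    print("broken zone problems:", check_zone(parse_zone(BROKEN_ZONE), apex))
    print("negative-cache TTL:", soa_negative_ttl(parse_zone(SAMPLE_ZONE), apex))
```

soa_negative_ttl pulls out the SOA field the caching slides refer to later (how long the non-existence of a record may be cached), so the same parsed zone answers both questions.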
HOW DO YOU CHOOSE WHICH CACHE(S) TO CONFIGURE?
Must have PERMISSION to use it
e.g. cache at your ISP, or your own
Prefer a nearby cache
Minimises round-trip time and packet loss
Can reduce traffic on your external link, since often the cache can answer without contacting other servers
Prefer a reliable cache
Can you run one better than your ISP?
CACHING REDUCES THE LOAD ON AUTH NAMESERVERS
Especially important at the higher levels: root servers, gTLD servers (.com, .net ...) and ccTLDs
All intermediate information is cached as well as the final answer - so NS records from REFERRALS are cached too
CACHES CAN BE A PROBLEM IF DATA BECOMES STALE
If caches hold data for too long, they may give out the wrong answers if the authoritative data changes
If caches hold data for too little time, it means increased work for the authoritative servers
THE OWNER OF AN AUTH SERVER CONTROLS HOW THEIR DATA IS CACHED
Each resource record has a "Time To Live" (TTL) which says how long it can be kept in cache.
The SOA record says how long a negative answer can be cached (i.e. the non-existence of a resource record).
Note: the cache owner has no control - but they wouldn't want it anyway
A COMPROMISE POLICY
Set a fairly long TTL - 1 or 2 days
When you know you are about to make a change, reduce the TTL
down to 10 minutes
Wait 1 or 2 days BEFORE making the change
After the change, put the TTL back up again
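The TTL and compromise-policy slides above, played out against a simulated resolver cache. This example is added for the training and is not from the slides: the host name and addresses are constructed, time is counted in simulated seconds, and the resolver modelled is the worst case for the operator (it fetched the record just before the TTL was lowered and only refreshes when its copy expires). The three runs compare changing the address at once, lowering the TTL but not waiting, and the policy on the slide: lower the TTL, wait the old TTL out, then change.

```python
"""What a resolver's cache does with the TTL, and why the 'lower the TTL,
wait, then change' plan works. Added example, not from the slides; the
name and addresses are constructed and time is simulated in seconds."""

DAY = 86400
NAME = "www.example.ng."                       # constructed
OLD_ADDR, NEW_ADDR = "192.0.2.1", "192.0.2.2"  # constructed (documentation range)


class RecordCache:
    """Minimal resolver cache: each entry expires 'ttl' seconds after it was stored."""
    def __init__(self):
        self._store = {}

    def put(self, name, rdata, ttl, now):
        self._store[name] = (rdata, now + ttl)

    def get(self, name, now):
        entry = self._store.get(name)
        if entry is None or now >= entry[1]:   # missing or expired
            self._store.pop(name, None)
            return None
        return entry[0]


class AuthServer:
    """The authoritative side: its owner sets both the data and the TTL."""
    def __init__(self, rdata, ttl):
        self.rdata, self.ttl = rdata, ttl


def query(cache, auth, name, now):
    """Answer from cache if possible; otherwise ask the auth server and cache the reply."""
    cached = cache.get(name, now)
    if cached is not None:
        return cached, True
    cache.put(name, auth.rdata, auth.ttl, now)
    return auth.rdata, False


def stale_seconds_after_change(old_ttl, low_ttl, wait_before_change):
    """Worst-case resolver: it fetched the record one second before the TTL was
    lowered (t = 0) and refreshes only when its copy expires. The address is
    changed at t = wait_before_change. Returns how many seconds after the
    change this resolver still hands out the old address."""
    cache, auth = RecordCache(), AuthServer(OLD_ADDR, old_ttl)
    query(cache, auth, NAME, -1)           # cached with the long TTL
    auth.ttl = low_ttl                     # t = 0: operator lowers the TTL
    t_change, now = wait_before_change, 0
    while True:
        if now >= t_change:
            auth.rdata = NEW_ADDR          # the actual change
        answer, _ = query(cache, auth, NAME, now)
        if answer == NEW_ADDR:
            return now - t_change
        now += 1


def compare_plans():
    """Three ways of handling the same change with a 2-day TTL lowered to 10 minutes."""
    return {
        "change immediately, TTL untouched": stale_seconds_after_change(2 * DAY, 2 * DAY, 0),
        "lower TTL and change at once": stale_seconds_after_change(2 * DAY, 600, 0),
        "lower TTL, wait 2 days, then change": stale_seconds_after_change(2 * DAY, 600, 2 * DAY),
    }


if __name__ == "__main__":
    for plan, seconds in compare_plans().items():
        print(f"{plan}: old address served for up to {seconds} s after the change")
```

Lowering the TTL on its own changes nothing for a resolver that already holds the record with the old TTL; the waiting period is what flushes the long-lived copies, after which the stale window is bounded by the short TTL.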
SLAVES CONNECT TO MASTER TO RETRIEVE COPY OF ZONE DATA
The master does not "push" data to the slaves
[Figure: one master server with two slave servers, each slave pulling the zone from the master]
DNS TOOLS
nslookup -type=any or nslookup -query=soa
ipconfig /flushdns (Windows)
http://network-tools.com/
http://www.intodns.com/
http://dns.squish.net/
http://dnsstuff.com
https://www.zonemaster.net/
http://dr.xoozoo.com/default.aspx
http://www.iptools.com/
THREATS AGAINST DNS
DNS spoofing (or DNS cache poisoning)
DNS hijacking or DNS redirection
DNS Client Flooding (Denial of Service)
Compromised dynamic updates
KAMINSKY’S ATTACK
In 2008, Dan Kaminsky revealed an attack on the DNS system which can trick DNS recursive resolvers into storing incorrect DNS records. Once the nameserver has stored the incorrect response, it will happily return it to everyone who asks until the cache entry expires (usually dictated by the TTL). This so-called "DNS poisoning" attack could allow an arbitrary attacker to trick the DNS and redirect web browsers (and other applications) to incorrect servers, allowing them to hijack traffic.
DNS SPOOFING (OR DNS CACHE POISONING)
[Figure: a resolver sends its question to the recursive nameserver, which asks the authoritative nameserver. Q: What is the IP address of nira.ng? A: 41.222.79.4]
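The defensive side of the poisoning picture above: the checks a recursive nameserver applies before it believes a reply and puts anything into its cache. This example is added for the training and is not from the slides. The messages are plain dicts standing in for DNS packets, and every ID, port, name and address is constructed. The rules are the standard ones: the reply must carry the transaction ID of an outstanding query, come from the server that was asked, arrive on the per-query randomised source port (RFC 5452), repeat the same question, and only records inside the queried server's bailiwick are kept.

```python
"""The checks a recursive resolver applies before it accepts a reply: match
the outstanding query (transaction ID, addresses and ports, question) and
discard records outside the queried server's bailiwick instead of caching them.

Added example, not from the slides. Messages are plain dicts standing in for
DNS packets; all names, IDs and addresses are constructed."""


def in_bailiwick(owner, zone):
    """True if 'owner' is 'zone' itself or lies beneath it (the root covers everything)."""
    owner, zone = owner.lower(), zone.lower()
    return zone == "." or owner == zone or owner.endswith("." + zone)


def accept_response(pending, resp):
    """Return (accepted, reason, records_to_cache).

    'pending' describes the query the resolver sent; 'resp' is a reply that
    arrived on the resolver's socket. Every field must match, and only
    in-bailiwick records survive into the cache."""
    if resp["id"] != pending["id"]:
        return False, "transaction ID does not match an outstanding query", []
    if (resp["src"], resp["sport"]) != (pending["dst"], pending["dport"]):
        return False, "reply did not come from the server we asked", []
    if resp["dport"] != pending["sport"]:
        return False, "reply not addressed to our randomised source port", []
    if resp["question"] != pending["question"]:
        return False, "question section does not match our query", []
    kept = [rr for rr in resp["records"] if in_bailiwick(rr[0], pending["zone"])]
    dropped = len(resp["records"]) - len(kept)
    return True, f"accepted; {dropped} out-of-bailiwick record(s) discarded", kept


# Constructed outstanding query: we asked an ng. server about www.nira.ng.
PENDING = {
    "id": 0x1A2B,
    "question": ("www.nira.ng.", "A"),
    "zone": "ng.",                     # the queried server is authoritative for ng.
    "dst": "192.0.2.1", "dport": 53,
    "sport": 40123,                    # randomised per query (RFC 5452)
}

# Constructed replies, as (owner, type, rdata) records.
GOOD_REPLY = {
    "id": 0x1A2B, "src": "192.0.2.1", "sport": 53, "dport": 40123,
    "question": ("www.nira.ng.", "A"),
    "records": [
        ("nira.ng.", "NS", "ns1.nira.ng."),        # referral, in bailiwick: kept
        ("ns1.nira.ng.", "A", "192.0.2.10"),       # glue, in bailiwick: kept
        ("www.example.com.", "A", "203.0.113.9"),  # not ng.'s business: dropped
    ],
}
WRONG_ID_REPLY = dict(GOOD_REPLY, id=0x1A2C)
WRONG_PORT_REPLY = dict(GOOD_REPLY, dport=40124)
WRONG_QUESTION_REPLY = dict(GOOD_REPLY, question=("mail.nira.ng.", "A"))


if __name__ == "__main__":
    for label, reply in (("good", GOOD_REPLY), ("wrong id", WRONG_ID_REPLY),
                         ("wrong port", WRONG_PORT_REPLY), ("wrong question", WRONG_QUESTION_REPLY)):
        ok, reason, kept = accept_response(PENDING, reply)
        print(f"{label}: {ok} - {reason}; cached {kept}")
```

These checks limit what an unsolicited reply can put into the cache; they do not prove the reply is genuine. That is what the DNSSEC section later in the deck adds.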
MAN-IN-THE-MIDDLE ATTACKS ON DNS
In March of 2014, the government of Turkey decided to block Twitter inside the country. They did so at the DNS level by instructing Turkish ISPs to return specified records for twitter.com and send them to a Turkish government web site.
INTRODUCTION TO DNSSEC
Domain Name System Security Extensions (DNSSEC) is a suite of extensions that add security to the DNS protocol. The core DNSSEC extensions are specified in RFCs 4033, 4034, and 4035, with additional RFCs providing supporting information.
DNSSEC provides the ability for DNS servers and resolvers to trust DNS responses by using digital signatures for validation. All signatures generated are contained within the DNS zone itself in the new resource records. When a resolver issues a query for a name, the accompanying digital signature is returned in the response. Validation of the signature is then performed through the use of a preconfigured trust anchor. Successful validation proves that the data has not been modified or tampered with in any way.
WHAT DNSSEC DOES
DNSSEC uses public key cryptography and digital signatures to provide:
– Data origin authentication
“Did this DNS response really come from the .ng zone?”
– Data integrity
“Did an attacker (e.g., a man-in-the-middle) modify the data in this
response since it was signed?”
Bottom line: DNSSEC offers protection against spoofing of DNS data
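Origin authentication and integrity as described above, reduced to the smallest runnable picture: the zone signs a canonical form of an RRset, and the validating resolver checks the signature against a preconfigured trust anchor (the zone's public key). This example is added for the training and is not from the slides or any DNSSEC implementation: it uses textbook RSA with two fixed Mersenne primes so that it runs on the Python standard library alone, and a line-based canonical form rather than the RRSIG/DNSKEY wire formats of RFC 4034. The owner name and addresses are constructed.

```python
"""Toy illustration of what DNSSEC adds: the zone signs each RRset, the
resolver checks the signature against a preconfigured trust anchor, and any
change to the data breaks the check. Added example, not from the slides.
Textbook RSA with two fixed Mersenne primes is used so it runs on the
standard library alone; real DNSSEC uses properly generated keys and the
DNSKEY/RRSIG/DS record formats (RFC 4034)."""
import hashlib

P = (1 << 127) - 1            # M127, prime (toy key material; real keys are generated randomly)
Q = (1 << 521) - 1            # M521, prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
TRUST_ANCHOR = (N, E)         # what the validating resolver is preconfigured with
ZONE_PRIVATE_KEY = (N, D)     # stays with the zone operator


def canonical_rrset(owner, rtype, ttl, rdatas):
    """Fixed byte representation of an RRset: lowercase owner, sorted rdata,
    one RR per line (in the spirit of RFC 4034 section 6, not the wire format)."""
    lines = [f"{owner.lower()} {ttl} IN {rtype} {r}" for r in sorted(rdatas)]
    return "\n".join(lines).encode()


def sign_rrset(owner, rtype, ttl, rdatas, private_key=ZONE_PRIVATE_KEY):
    """Produce the toy 'RRSIG' value for an RRset (done by the zone operator)."""
    n, d = private_key
    h = int.from_bytes(hashlib.sha256(canonical_rrset(owner, rtype, ttl, rdatas)).digest(), "big")
    return pow(h, d, n)       # h < 2**256 < n, so the digest fits without reduction


def validate_rrset(owner, rtype, ttl, rdatas, signature, public_key=TRUST_ANCHOR):
    """What the resolver does with the answer plus the signature it received."""
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(canonical_rrset(owner, rtype, ttl, rdatas)).digest(), "big")
    return pow(signature, e, n) == h


OWNER, TTL, RDATAS = "www.nira.ng.", 3600, ["192.0.2.80", "192.0.2.81"]   # constructed


def demo():
    """Returns (original validates, tampered copy validates, reordered copy validates)."""
    sig = sign_rrset(OWNER, "A", TTL, RDATAS)
    original = validate_rrset(OWNER, "A", TTL, RDATAS, sig)
    tampered = validate_rrset(OWNER, "A", TTL, ["192.0.2.80", "203.0.113.5"], sig)  # one address swapped
    reordered = validate_rrset(OWNER, "A", TTL, list(reversed(RDATAS)), sig)       # same set, other order
    return original, tampered, reordered


if __name__ == "__main__":
    print("original / tampered / reordered validate:", demo())
```

The canonical form is what makes the signature independent of the order in which a server happens to list the records; and note that the canonical bytes are sent in the clear, so the signature proves origin and integrity only, which is the point of the "WHAT DNSSEC DOESN'T DO" slide.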
WHAT DNSSEC DOESN’T DO
DNSSEC does not:
Provide any confidentiality for DNS data
• I.e., no encryption
• The data in the DNS is public, after all
Address attacks against the name server itself
• Denial of service,
• Packets of death,
• etc.
THE DOMAIN NAME ECOSYSTEM
https://newgtlds.icann.org/en/announcements-and-media/infographics/dns-industry-ecosystem
REGIONAL INTERNET ASSOCIATIONS - ccTLDs
AfTLD: African Top Level Domain
CENTR: Council of European National Top Level Domain Registries
APTLD: Asia Pacific Top Level Domain
LACTLD: Latin America and Caribbean ccTLD
NIRA STRUCTURE
NIRA is a Not-For-Profit, Multi-stakeholder, Membership-based Organization. NIRA operates the 3R (Registry, Registrar and Registrant) Model
General Assembly – All Stakeholders
9 Board of Trustees
10 Executive Board
Permanent Staff
Committees:
Establishment & Finance
Technical
Accreditation & Business Development
Audit
Communication & Publicity
Domain name policy
Stakeholder Engagement