For more project visit www.techshristi.com
PAGE INDEX
1. INTRODUCTION
2. DNS HISTORY
3. DNS FEATURES
4. DNS NAME HIERARCHY
5. TYPES OF NAME SERVERS
6. ACCESSING A WEB PAGE
7. SENDING AN EMAIL
8. TYPES OF DNS QUERIES
9. DNS CACHING
10. DOMAIN NAME REGISTRATION
11. SECURITY ISSUES
12. DNS RESOURCE RECORDS
13. DNS CONCERNS
14. CONCLUSION
15. REFERENCES
INTRODUCTION
ABSTRACT:
The Domain Name System (DNS) is a hierarchical naming system for computers,
services, or any resource connected to the Internet or a private network. It
associates various information with domain names assigned to each of the
participants. Most importantly, it translates domain names meaningful to humans
into the numerical (binary) identifiers associated with networking equipment for
the purpose of locating and addressing these devices worldwide. An often-used
analogy to explain the Domain Name System is that it serves as the "phone book"
for the Internet by translating human-friendly computer hostnames into IP
addresses. For example, www.example.com translates to 192.0.32.10.
The Domain Name System makes it possible to assign domain names to groups of
Internet users in a meaningful way, independent of each user's physical location.
Because of this, World Wide Web (WWW) hyperlinks and Internet contact
information can remain consistent and constant even if the current Internet routing
arrangements change or the participant uses a mobile device. Internet domain
names are easier to remember than IP addresses such as 208.77.188.166
(IPv4) or 2001:db8:1f70::999:de8:7648:6e8 (IPv6). People take
advantage of this when they recite meaningful URLs and e-mail addresses without
having to know how the machine will actually locate them.
The Domain Name System distributes the responsibility of assigning domain
names and mapping those names to IP addresses by designating authoritative name
servers for each domain. Authoritative name servers are assigned to be responsible
for their particular domains, and in turn can assign other authoritative name servers
for their sub-domains. This mechanism has made the DNS distributed and fault
tolerant and has helped avoid the need for a single central register to be continually
consulted and updated.
In general, the Domain Name System also stores other types of information, such
as the list of mail servers that accept email for a given Internet domain. By
providing a worldwide, distributed keyword-based redirection service, the Domain
Name System is an essential component of the functionality of the Internet.
Names versus Addresses
An address is how you get to an endpoint
o Often hierarchical, which helps with scaling
950 Charter Street, Redwood City CA, 94063
+1.650.381.6003
204.152.187.11
A name is how an endpoint is referenced
o Often with no structurally significant hierarchy
“David”, “Tokyo”, “itu.int”, “google.com”.
Names are more people-friendly.
An Analogy
Devices on the telephone network all have a number
People have a hard time remembering numbers, but…
The network needs the numbers to connect endpoints
So a directory provides association of names people know
with the numbers where they can be reached
Computers on the Internet all have a number
The DNS takes names people can relate to and converts
them into the numbers computers need to interact.
This analogy has a crucial flaw: the DNS is not a directory
service.
There is no way to search the data.
DNS vs File System
COMPARISON BETWEEN DNS AND FILE SYSTEM
[Figure: two trees side by side. DNS tree: the root, with children com, net and au; under au: com, net, org and id; under com: google, yahoo and microsoft. File system tree: C:, with children Program Files, Temp and Windows; under Windows: System32, Fonts, Cache and Media; under System32: dllcache, spool and drivers.]
NAMING A DOMAIN:
Naming a Domain: yahoo.com.au. (start here: at the root, the trailing “.”, and read towards the left; a “.” is used as separator)
Naming a Directory: C:\windows\system32\drivers\ (start here: at the drive C:, and read towards the right; a “\” is used as separator)
DNS HISTORY
The practice of using a name as a humanly more meaningful abstraction of a host's
numerical address on the network dates back to the ARPANET era. Before the
DNS was invented in 1983, each computer on the network retrieved a file called
HOSTS.TXT from a computer at SRI (now SRI International). The HOSTS.TXT
file mapped names to numerical addresses. A hosts file still exists on most modern
operating systems, either by default or through explicit configuration. Many
operating systems use name resolution logic that allows the administrator to
configure selection priorities for available DNS resolution methods.
The rapid growth of the network required a scalable system that recorded a change
in a host's address in one place only. Other hosts would learn about the change
dynamically through a notification system, thus completing a globally accessible
network of all hosts' names and their associated IP addresses.
At the request of Jon Postel, Paul Mockapetris invented the Domain Name System
in 1983 and wrote the first implementation. The original specifications appeared in
RFC 882 and RFC 883, which were superseded in November 1987 by RFC 1034
and RFC 1035. Several additional Requests for Comments have proposed various
extensions to the core DNS protocols.
In 1984, four Berkeley students—Douglas Terry, Mark Painter, David Riggle and
Songnian Zhou—wrote the first UNIX implementation, which was maintained by
Ralph Campbell thereafter. In 1985, Kevin Dunlap of DEC significantly re-wrote
the DNS implementation and renamed it BIND—Berkeley Internet Name Domain.
Mike Karels, Phil Almquist and Paul Vixie have maintained BIND since then.
BIND was ported to the Windows NT platform in the early 1990s.
BIND was widely distributed, especially on Unix systems, and is the dominant
DNS software in use on the Internet. With the heavy use and resulting scrutiny of
its open-source code, as well as increasingly more sophisticated attack methods,
many security flaws were discovered in BIND. This contributed to the
development of a number of alternative nameserver and resolver programs. BIND
itself was re-written from scratch in version 9, which has a security record
comparable to other modern Internet software.
The DNS protocol was developed and defined in the early 1980s and published by
the Internet Engineering Task Force.
DNS FEATURES
I. DNS is a Database:
Keys to the database are “domain names”
o www.foo.com, 18.in-addr.arpa, 6.4.e164.arpa
Over 100,000,000 domain names are now stored.
Each domain name contains one or more attributes, known as resource
records.
o Each attribute is individually retrievable.
II. Global Distribution:
Data is maintained locally, but retrievable globally
No single computer has all DNS data
DNS lookups can be performed by any Internet-connected device
Remote DNS data is locally cacheable to improve performance
III. Loose Coherency:
The database is always internally consistent
o Each version of a subset of the database (a zone) has a serial number
o The serial number is incremented on each database change
Changes to the master copy of the database are replicated according to
timing set by the zone administrator
Cached data expires according to timeout set by zone administrator.
IV. Scalability: No intrinsic limit to the size of the database
Some servers have over 20,000,000 names
Not a particularly good idea
No limit to the number of queries
80,000 queries per second handled regularly
Queries distributed among many different servers
V. Reliability:
Data is replicated
o Data from master source is copied to multiple slave servers
o Clients can query master server or slave servers
DNS protocols can use either UDP or TCP
o UDP is inherently unreliable, but the DNS protocol handles
retransmission (perhaps with TCP), sequencing, et cetera.
VI. Dynamic Updates:
Database can be updated dynamically
o Master server accepts update from over the network
o Add/delete/modify any record
Modification of the master database triggers replication
o Only master can be dynamically updated
o Dynamic updates create a single point of failure
[Figure: DNS name hierarchy tree. “.” (root) at the top; below it the top-level domains com, gov, edu and org; below edu: toronto.edu and uci.edu; below toronto.edu: ece.toronto.edu and math.toronto.edu; below ece.toronto.edu: neon.ece.toronto.edu. Labels mark the toronto.edu subtree as managed by UofT and the ece.toronto.edu subtree as managed by the ECE Dept.]
DNS Name Hierarchy
• DNS hierarchy can be represented by a tree
• Root and top-level domains are administered by an Internet central name
registration authority (ICANN)
• Below top-level domain, administration of name space is delegated to
organizations
• Each organization can delegate further
MODEL FOR HIERARCHY OF NAME SERVERS:
[Figure: the “root” zone at the top; beneath it the TLDs and ccTLDs (com, net, org, info, biz, au and other ccTLDs); beneath au the 2lds com, net, org and id; the lower layers are labelled 3lds and 4lds, with example nodes google, yahoo, theage, microsoft, ausregistry, internal and prosrs.]
13 root name servers worldwide:
a Verisign, Dulles, VA
b USC-ISI, Marina del Rey, CA
c Cogent, Herndon, VA (also LA)
d U Maryland, College Park, MD
e NASA, Mt View, CA
f Internet Software C., Palo Alto, CA (and 36 other locations)
g US DoD, Vienna, VA
h ARL, Aberdeen, MD
i Autonomica, Stockholm (plus 28 other locations)
j Verisign (21 locations)
k RIPE, London (also 16 other locations)
l ICANN, Los Angeles, CA
m WIDE, Tokyo (also Seoul, Paris, SF)
TYPES OF NAME SERVERS
I. ROOT NAME SERVERS: contacted by a local name server that cannot resolve a name.
The root name server:
o contacts an authoritative name server if the name mapping is not known
o gets the mapping
o returns the mapping to the local name server
Addresses of root servers:
A.ROOT-SERVERS.EDU. (formerly NS.INTERNIC.NET) 10.0.2.32
A.ROOT-SERVERS.NET. (formerly NS1.ISI.EDU) 198.41.0.4
B.ROOT-SERVERS.NET. (formerly C.PSI.NET) 128.9.0.107
C.ROOT-SERVERS.NET. (TERP.UMD.EDU) 192.33.4.12
D.ROOT-SERVERS.NET. (NS.NASA.GOV) 128.8.10.90
E.ROOT-SERVERS.NET. (NS.ISC.ORG) 192.203.23
F.ROOT-SERVERS.NET. (NS.NIC.DDN.MIL) 192.5.5.241
G.ROOT-SERVERS.NET. (AOS.ARL.ARMY.MIL) 192.112.36.4
H.ROOT-SERVERS.NET. (NIC.NORDU.NET) 128.63.2.53
I.ROOT-SERVERS.NET. (at NSI (InterNIC)) 192.36.148.17
J.ROOT-SERVERS.NET. (operated by RIPE NCC) 198.41.0.10
K.ROOT-SERVERS.NET. (at ISI (IANA)) 193.0.14.129
L.ROOT-SERVERS.NET. (operated by WIDE, Japan) 198.32.64
M.ROOT-SERVERS.NET. 202.12.27.33
II. Top-level domain (TLD) servers: responsible for com, org, net, edu, etc., and for all top-level
country domains such as uk, fr, ca and jp.
Network Solutions maintains the servers for the com TLD
Educause maintains the servers for the edu TLD
com Commercial organizations
edu Educational institutions
gov Government institutions
int International organizations
mil U.S. military institutions
net Networking organizations
org Non-profit organizations
III. Authoritative DNS servers : organization’s DNS servers, providing authoritative
hostname to IP mappings for organization’s servers (e.g.,
Web and mail).
Can be maintained by organization or service provider.
IV. Local Name Server: Each ISP (residential ISP, company, university) has one.
Also called “default name server”
When a host makes a DNS query, query is sent to its local
DNS server
Acts as a proxy, forwards query into hierarchy.
Reduces lookup latency for commonly searched hostnames
Accessing a web page
When you type http://www.google.com into your web browser and hit enter, what happens now?
Step 1: Your PC sends a resolution request to its configured DNS server, typically at your ISP.
Your PC -> ISP “recursive” DNS server: Tell me the address of “www.google.com”
Step 2: Your ISP’s recursive name server starts by asking one of the root servers predefined in its “hints” file.
ISP “recursive” DNS server -> root servers: Tell me the address of “www.google.com”
Root servers -> ISP “recursive” DNS server: I don’t know the address, but I know who’s authoritative for the “com” domain; ask them.
Step 3: Your ISP’s recursive name server then asks one of the “com” name servers as directed.
ISP “recursive” DNS server -> “com” DNS servers: Tell me the address of “www.google.com”
“com” DNS servers -> ISP “recursive” DNS server: I don’t know the address, but I know who’s authoritative for the “google.com” domain; ask them.
Step 4: Your ISP’s recursive name server then asks one of the “google.com” name servers as directed.
ISP “recursive” DNS server -> google.com DNS server: Tell me the address of “www.google.com”
google.com DNS server -> ISP “recursive” DNS server: The address of www.google.com is 216.239.53.99
Step 5: The ISP DNS server then sends the answer back to your PC. The DNS server will “remember” the answer for a period of time.
ISP “recursive” DNS server -> Your PC: The address of www.google.com is 216.239.53.99
ALL STEPS IN ONE:
[Figure: all-in-one view. Your PC sends its DNS request (1) to the ISP “recursive” DNS server; that server sends its own DNS requests to the “root” DNS servers, the “com” DNS servers (3) and the google.com DNS server, then returns the answer to your PC (5); your PC then sends the actual web (HTTP) request (6) to the google.com.au web server.]
Sending an Email
DNS is not just used in the HTTP protocol (web pages); DNS is involved in almost every protocol in use on the internet. The next example is how DNS facilitates the transfer of electronic mail.
Step 1: Your PC sends the e-mail to its configured outbound mail server. A DNS request similar to the previous example is required to find the address of the mail server.
Your PC -> outbound mail (SMTP) server: Please send this message to “[email protected]”
Step 2: Your mail server follows the same intensive process to find the authoritative servers for “example.com”.
Outbound mail server -> DNS servers: Tell me the name servers for “example.com”
DNS servers -> outbound mail server: Here are the name servers for “example.com”
Step 3: Ask the “example.com” name server for the list of Mail eXchangers (MX) for that domain.
Outbound mail server -> example.com DNS server: Tell me the MX’s for “example.com”
example.com DNS server -> outbound mail server: The MXs are mx10.example.com and mx20.backmail.com
Step 4: Select a mail server and deliver the mail.
Outbound mail server -> example.com mail server: Here is some mail for the “example.com” domain
example.com mail server -> outbound mail server: Mail accepted for delivery
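Step 4 says only “select a mail server”. The following Python is an added example (it is not code from the report) of the selection rules a sending mail server applies to the MX list it got in step 3: lowest preference first, equal preferences spread by shuffling, fall back to the next exchanger when one refuses, and two boundary cases the report does not mention: a domain with no MX records at all falls back to its own address record, and a single MX whose exchange is “.” (a null MX) means the domain accepts no mail. The preference values 10 and 20, the `accepts` callback standing in for an SMTP connection, and the `a_exists` flag are all constructed for the example.

```python
"""Added example (not from the report): choosing which mail exchanger to
try, given an MX RRset like the one returned in step 3. Preferences, the
'accepts' callback and the a_exists flag are constructed."""

import random

def order_mail_exchangers(mx_records, rng=None):
    """Sort (preference, host) pairs by preference, lowest first. Hosts that
    share a preference are shuffled so load spreads across equal exchangers."""
    rng = rng or random.Random()
    by_pref = {}
    for pref, host in mx_records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered

def delivery_targets(domain, mx_records, a_exists):
    """The hosts a sending MTA will try, in order:
    - a single MX with exchange '.' is a 'null MX': the domain takes no mail;
    - no MX records at all: fall back to the domain's own address record
      (the implicit MX), if it has one;
    - otherwise: the exchangers in preference order."""
    if len(mx_records) == 1 and mx_records[0][1] == ".":
        return []
    if not mx_records:
        return [domain] if a_exists else []
    return order_mail_exchangers(mx_records)

def deliver(domain, mx_records, accepts, a_exists=True):
    """Try each target in turn; return the first host that accepts the
    message, or None when none exists or every exchanger refused."""
    for host in delivery_targets(domain, mx_records, a_exists):
        if accepts(host):
            return host
    return None

# Constructed MX RRset for step 3; preferences chosen to match the host
# names the report uses (mx10 is preferred over mx20).
EXAMPLE_MX = [(10, "mx10.example.com"), (20, "mx20.backmail.com")]

if __name__ == "__main__":
    print(deliver("example.com", EXAMPLE_MX, lambda host: True))
    print(deliver("example.com", EXAMPLE_MX, lambda host: host != "mx10.example.com"))
```

The `accepts` callback is where a real MTA would open the SMTP connection; the example keeps that out so the ordering and fallback logic can be run on its own.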
TYPES OF QUERIES
Recursive and Iterative Queries:
There are two types of queries:
Recursive queries
Iterative (non-recursive) queries
The type of query is determined by a bit in the DNS query
Recursive query: when the name server of a host cannot resolve a
query, the server itself issues further queries to resolve it
Iterative query: when the name server of a host cannot resolve
a query, it returns to the resolver a referral to another server
Recursive queries
In a recursive query, the resolver expects the response from the
name server
If the server cannot supply the answer, it will send the query to the
“closest known” authoritative name server (here: In the worst case,
the closest known server is the root server)
The root server sends a referral to the “edu” server. Querying this
server yields a referral to the server of “virginia.edu”
… and so on
[Figure: recursive queries]
Iterative queries
In an iterative query, the name server sends a closest known
authoritative name server a referral to the root server.
This involves more work for the resolver
31
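The two query types, and steps 2 to 4 of “Accessing a web page”, can be seen in one small simulation. The Python below is an added example, not code from the report: a toy recursive server that starts from a hints entry and follows referrals until it gets an answer, and a stub resolver showing what the same question earns with and without the recursion bit set. The zone data, server names (`a.root-servers.test`, `a.gtld-servers.test`, `ns1.google.test`), the 192.0.2.x addresses and the `ZONES`/`SERVER_ZONE` tables are all constructed; only the final address 216.239.53.99 is taken from the report.

```python
"""Added example (not from the report): a toy recursive resolver walking the
DNS hierarchy with iterative queries, plus a stub resolver showing the
effect of the recursion-desired bit. All zone data, server names and
addresses are constructed except the report's answer for www.google.com."""

# Constructed authoritative data, one entry per zone. A server knows the
# answers for its own zone plus referrals (NS name and glue address) for the
# zones delegated beneath it; it never chases a name on the client's behalf.
ZONES = {
    ".":           {"delegations": {"com.": ("a.gtld-servers.test.", "192.0.2.10")},
                    "answers": {}},
    "com.":        {"delegations": {"google.com.": ("ns1.google.test.", "192.0.2.20")},
                    "answers": {}},
    "google.com.": {"delegations": {},
                    "answers": {"www.google.com.": "216.239.53.99"}},
}
ROOT_HINTS = [("a.root-servers.test.", "192.0.2.1")]        # the "hints" file
SERVER_ZONE = {"192.0.2.1": ".", "192.0.2.10": "com.", "192.0.2.20": "google.com."}

def fqdn(name):
    """Lower-case the name and make sure it ends at the root '.'."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def authoritative_query(server_ip, qname):
    """One iterative (non-recursive) query to an authoritative server.
    Returns ('answer', address), ('referral', (ns_name, ns_address)) or
    ('nxdomain', None)."""
    zone = ZONES[SERVER_ZONE[server_ip]]
    if qname in zone["answers"]:
        return "answer", zone["answers"][qname]
    # Refer to the longest delegated zone that the queried name falls under.
    for child in sorted(zone["delegations"], key=len, reverse=True):
        if qname == child or qname.endswith("." + child):
            return "referral", zone["delegations"][child]
    return "nxdomain", None

def resolve(qname):
    """What the ISP's recursive server does: start at a root hint and follow
    referrals until an answer (or a definite 'no such name') comes back.
    Returns (address or None, trace of (zone asked, reply kind))."""
    qname = fqdn(qname)
    server_ip = ROOT_HINTS[0][1]
    trace = []
    for _ in range(8):                        # bound the referral chain
        kind, data = authoritative_query(server_ip, qname)
        trace.append((SERVER_ZONE[server_ip], kind))
        if kind == "answer":
            return data, trace
        if kind == "nxdomain":
            return None, trace
        server_ip = data[1]                   # follow the referral via its glue
    return None, trace

def stub_query(qname, recursion_desired=True):
    """The PC's stub resolver. With recursion desired, the recursive server
    does the whole walk and returns the final answer; with it clear, the same
    question sent to a root server only earns a referral."""
    if recursion_desired:
        address, _ = resolve(qname)
        return "answer", address
    return authoritative_query(ROOT_HINTS[0][1], fqdn(qname))

if __name__ == "__main__":
    print(resolve("www.google.com"))
    print(stub_query("www.google.com", recursion_desired=False))
```

The trace returned by `resolve` is the list of zones asked in order (root, com, google.com), which is exactly the path drawn in the report's step-by-step figures; a real recursive server would also cache each referral so that the next lookup under com skips the root.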
DNS CACHING
Caching can substantially reduce overhead:
The top-level domain servers very rarely change
Popular sites (e.g., www.google.com) are visited often
Once (any) name server learns a mapping, it caches the mapping
Cache entries time out (disappear) after some time
TLD servers are typically cached in local name servers
Thus root name servers are not often visited
Domain Name Registration
The right to use a domain name is delegated by domain name registrars which are
accredited by the Internet Corporation for Assigned Names and Numbers
(ICANN), the organization charged with overseeing the name and number systems
of the Internet. In addition to ICANN, each top-level domain (TLD) is maintained
and serviced technically by an administrative organization, operating a registry. A
registry is responsible for maintaining the database of names registered within the
TLD it administers. The registry receives registration information from each
domain name registrar authorized to assign names in the corresponding TLD and
publishes the information using a special service, the whois protocol.
ICANN publishes the complete list of TLD registries and domain name registrars.
Registrant information associated with domain names is maintained in an online
database accessible with the WHOIS service. For most of the more than 240
country code top-level domains (ccTLDs), the domain registries maintain the
WHOIS (Registrant, name servers, expiration dates, etc.) information. For
instance, DENIC, Germany NIC, holds the DE domain data. Since about 2001,
most gTLD registries have adopted this so-called thick registry approach, i.e.
keeping the WHOIS data in central registries instead of registrar databases.
For COM and NET domain names, a thin registry model is used: the domain registry
(e.g. VeriSign) holds basic WHOIS (registrar and name servers, etc.) data. One can
find the detailed WHOIS (registrant, name servers, expiry dates, etc.) at the
registrars.
Some domain name registries, often called network information centers (NIC), also
function as registrars to end-users. The major generic top-level domain registries,
such as for the COM, NET, ORG, INFO domains and others, use a registry-registrar
model consisting of hundreds of domain name registrars (see lists at ICANN or
VeriSign). In this method of management, the registry only manages the domain
name database and the relationship with the registrars. The registrants (users of a
domain name) are customers of the registrar, in some cases through additional
layers of resellers.
Security Issues
DNS was not originally designed with security in mind, and thus has a number
of security issues.
One class of vulnerabilities is DNS cache poisoning, which tricks a DNS server
into believing it has received authentic information when, in reality, it has not.
DNS responses are traditionally not cryptographically signed, leading to many
attack possibilities; the Domain Name System Security Extensions (DNSSEC)
modify DNS to add support for cryptographically signed responses. There are
various extensions to support securing zone transfer information as well.
Even with encryption, a DNS server could become compromised by a virus (or
for that matter a disgruntled employee) that would cause IP addresses of that
server to be redirected to a malicious address with a long TTL. This could have
a far-reaching impact on potentially millions of Internet users if busy DNS servers
cache the bad IP data. It would require manual purging of all affected DNS
caches, because the long TTL (up to 68 years) would otherwise keep the entry alive.
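The caching section, the cache-poisoning paragraph and the long-TTL paragraph all come down to one question: what does a resolver check before it puts a record into its cache, and how long does it keep it? The Python below is an added example, not code from the report or from any DNS implementation, showing the standard defensive checks (the response's transaction ID, source port and question must match the outstanding query; records for names outside the answering server's zone, its “bailiwick”, are dropped rather than cached) and a TTL cache that clamps the time to live to a configurable cap so that a bad record with a 68-year TTL cannot pin itself in place. The query and response dictionaries, the `example.com` zone and the one-week `MAX_TTL` are constructed.

```python
"""Added example (not from the report): the checks a cautious recursive
resolver applies before caching a response, plus a TTL cache with a cap.
Message fields, zone names and the one-week cap are constructed."""

import time

MAX_TTL = 7 * 24 * 3600   # cap cached TTLs at a week; the field allows 2^31-1 seconds

def in_bailiwick(name, zone):
    """True when name equals zone or lies beneath it (the root covers all)."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return zone == "." or name == zone or name.endswith("." + zone)

class Cache:
    """A tiny TTL cache: entries vanish once their time to live has elapsed."""
    def __init__(self, clock=time.time):
        self.clock = clock              # injectable so expiry can be tested
        self.entries = {}               # (name, type) -> (value, expires_at)

    def put(self, name, rtype, value, ttl):
        ttl = min(ttl, MAX_TTL)         # a poisoned 68-year TTL is cut to the cap
        self.entries[(name.lower(), rtype)] = (value, self.clock() + ttl)
        return ttl

    def get(self, name, rtype):
        hit = self.entries.get((name.lower(), rtype))
        if hit is None:
            return None
        value, expires_at = hit
        if self.clock() >= expires_at:  # expired: forget it and report a miss
            del self.entries[(name.lower(), rtype)]
            return None
        return value

def accept_response(pending, response, zone, cache):
    """pending: the outstanding query {'id', 'port', 'qname', 'qtype'}.
    response: the same keys plus 'records' as [(name, type, value, ttl)].
    zone: the zone the queried server is authoritative for.
    Returns the (name, type, value) tuples that were cached; [] when the
    response is rejected outright."""
    if (response["id"] != pending["id"]
            or response["port"] != pending["port"]
            or response["qname"].lower() != pending["qname"].lower()
            or response["qtype"] != pending["qtype"]):
        return []                       # not an answer to what we asked
    kept = []
    for name, rtype, value, ttl in response["records"]:
        if not in_bailiwick(name, zone):
            continue                    # out of bailiwick: never cache it
        cache.put(name, rtype, value, ttl)
        kept.append((name, rtype, value))
    return kept

if __name__ == "__main__":
    cache = Cache()
    pending = {"id": 0x1234, "port": 40000, "qname": "www.example.com", "qtype": "A"}
    # Constructed response: one legitimate record and one for a name the
    # example.com servers have no authority over.
    response = dict(pending, records=[("www.example.com", "A", "192.0.2.5", 60),
                                      ("ns.other.test", "A", "192.0.2.99", 60)])
    print(accept_response(pending, response, "example.com", cache))
```

The ID and port checks are what make forged answers hard to land against a resolver that randomises both; the bailiwick rule stops an authoritative server for one zone from planting records for another; the TTL cap limits how long any mistake, forged or not, survives in the cache. DNSSEC validation would be the further check on top of these.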
Some domain names can spoof other, similar-looking domain names. For
example, "paypal.com" and "paypa1.com" are different names, yet users may be
unable to tell the difference when the user's typeface (font) does not clearly
differentiate the letter l and the numeral 1. This problem is much more serious
in systems that support internationalized domain names, since many characters
that are different, from the point of view of ISO 10646, appear identical on
typical computer screens. This vulnerability is often exploited in phishing.
Techniques such as Forward Confirmed reverse DNS can also be used to help
validate DNS results.
USAGE IN OTHER APPLICATIONS
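The paypal.com / paypa1.com example above is the kind of thing a defender can screen for mechanically. The Python below is an added example, not code from the report, of a look-alike check of the sort a mail gateway or browser warning could apply: each label is mapped to a “skeleton” in which characters that look alike in common typefaces collapse onto one character, the skeleton is compared against a list of protected names, and any label that mixes Unicode scripts (the internationalized-domain-name case the report mentions) is flagged on its own. The `CONFUSABLES` map is a small constructed subset, not the full Unicode confusables table, and the protected-name list passed in is invented.

```python
"""Added example (not from the report): a defensive look-alike check for
domain names. The confusables map is a small constructed subset of the
Unicode confusables data; the protected-name list is supplied by the caller."""

import unicodedata

# Constructed subset of characters that look alike on typical screens.
CONFUSABLES = {
    "1": "l", "|": "l",                            # digit one, bar -> l
    "0": "o",                                      # zero -> o
    "5": "s", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0443": "y",   # Cyrillic er, es, u
    "\u0455": "s", "\u0456": "i", "\u0458": "j",   # Cyrillic dze, i, je
}

def skeleton(label):
    """Canonical form of a label: case-folded, compatibility-normalised, and
    with every confusable replaced by the character it imitates."""
    label = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def scripts_in(label):
    """Scripts used by the letters of a label, taken from the first word of
    each character's Unicode name (e.g. 'LATIN', 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}

def assess(domain, protected):
    """Findings for a domain name, as (kind, detail) pairs: 'mixed-script'
    for a label drawing on more than one script, 'exact' for a protected
    name itself, 'look-alike' for a name whose skeleton equals a protected
    name's skeleton without being that name."""
    findings = []
    domain = domain.rstrip(".").lower()
    labels = domain.split(".")
    for label in labels:
        if len(scripts_in(label)) > 1:
            findings.append(("mixed-script", label))
    sk = ".".join(skeleton(l) for l in labels)
    for name in protected:
        if domain == name:
            findings.append(("exact", name))
        elif sk == ".".join(skeleton(l) for l in name.split(".")):
            findings.append(("look-alike", name))
    return findings

if __name__ == "__main__":
    watch = ["paypal.com"]                        # constructed protected list
    for candidate in ["paypal.com", "paypa1.com", "p\u0430ypal.com", "example.org"]:
        print(candidate, assess(candidate, watch))
```

The skeleton comparison catches the report's l-versus-1 case and the Cyrillic-a case alike; the mixed-script test catches IDN homographs even when the imitated brand is not on the watch list, at the cost of flagging the rare legitimate label that mixes scripts.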
The system outlined above provides a somewhat simplified scenario. The Domain
Name System includes several other functions:
Hostnames and IP addresses do not necessarily match on a one-to-one
basis. Many hostnames may correspond to a single IP address: combined
with virtual hosting, this allows a single machine to serve many web sites.
Alternatively a single hostname may correspond to many IP addresses: this
can facilitate fault tolerance and load distribution, and also allows a site to
move physical location seamlessly.
There are many uses of DNS besides translating names to IP addresses. For
instance, Mail transfer agents use DNS to find out where to deliver e-mail
for a particular address. The domain to mail exchanger mapping provided
by MX records accommodates another layer of fault tolerance and load
distribution on top of the name to IP address mapping.
E-mail Blacklists: The DNS system is used for efficient storage and
distribution of IP addresses of blacklisted e-mail hosts. The usual method is
putting the IP address of the subject host into the sub-domain of a higher
level domain name, and resolve that name to different records to indicate a
positive or a negative. A hypothetical example using blacklist.com,
o 102.3.4.5 is blacklisted => Creates 5.4.3.102.blacklist.com and
resolves to 127.0.0.1
o 102.3.4.6 is not => 6.4.3.102.blacklist.com is not found, or default to
127.0.0.2
o E-mail servers can then query blacklist.com through the DNS
mechanism to find out if a specific host connecting to them is in the
blacklist. Today many of such blacklists, either free or subscription-
based, are available mainly for use by email administrators and anti-
spam software.
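The blacklist example above can be run end to end. The Python below is an added example, not code from the report: it builds the query name by reversing the address octets and appending the zone, looks the name up, and decides “listed” from the returned code. The zone `blacklist.com`, the addresses, and the `RECORDS` table that stands in for the DNS are constructed; the return codes follow the report's own convention (127.0.0.1 means listed, 127.0.0.2 is the default for not listed), and since real lists publish their own code meanings the listed codes are a parameter. As a generalization the report does not cover, `dnsbl_name` also produces the IPv6 form used by real blacklists, where each hex nibble of the address becomes one label in reverse order.

```python
"""Added example (not from the report): building and interpreting DNSBL
query names. Zone name, addresses and the lookup table are constructed;
return-code meanings follow the report's example and are parameterised."""

import ipaddress

def dnsbl_name(address, zone):
    """Name to query for an address in a DNSBL zone: IPv4 octets reversed,
    or IPv6 hex nibbles reversed, followed by the zone."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        reversed_part = ".".join(reversed(str(ip).split(".")))
    else:
        reversed_part = ".".join(reversed(ip.exploded.replace(":", "")))
    return f"{reversed_part}.{zone.rstrip('.')}"

ZONE = "blacklist.com"

# Constructed zone content (name -> A record), mirroring the report: 102.3.4.5
# is listed, 102.3.4.6 resolves to the 'not listed' default code, and
# 102.3.4.7 is absent altogether (NXDOMAIN). One IPv6 entry is listed too.
RECORDS = {
    dnsbl_name("102.3.4.5", ZONE): "127.0.0.1",
    dnsbl_name("102.3.4.6", ZONE): "127.0.0.2",
    dnsbl_name("2001:db8::1", ZONE): "127.0.0.1",
}

def lookup(name):
    """Stand-in for an A query against the zone: the record value or None."""
    return RECORDS.get(name)

def is_listed(address, zone=ZONE, resolve=lookup, listed_codes=("127.0.0.1",)):
    """A mail server's check on a connecting host. An answer carrying one of
    the listed codes means 'listed'; NXDOMAIN or any other loopback code
    means 'not listed'. An answer outside 127.0.0.0/8 is treated as an
    error: that is what a lapsed or hijacked list zone typically returns."""
    answer = resolve(dnsbl_name(address, zone))
    if answer is None:
        return False
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        raise ValueError(f"unexpected DNSBL answer {answer} for {address}")
    return answer in listed_codes

if __name__ == "__main__":
    for addr in ["102.3.4.5", "102.3.4.6", "102.3.4.7", "2001:db8::1"]:
        print(addr, dnsbl_name(addr, ZONE), is_listed(addr))
```

Treating a non-loopback answer as an error rather than as “listed” matters in practice: a blacklist zone whose registration lapses may start returning a wildcard web address for every name, and a mail server that read that as a listing would reject all mail.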
Software Updates: many anti-virus and commercial software products now use the
DNS system to store version numbers of the latest software updates so that
client computers do not need to connect to the update servers every time.
For these types of applications, the cache time of the DNS records is
usually shorter.
Sender Policy Framework and DomainKeys, instead of creating their own
record types, were designed to take advantage of another DNS record type,
the TXT record.
To provide resilience in the event of computer failure, multiple DNS servers
are usually provided for coverage of each domain, and at the top level,
thirteen very powerful root servers exist, with additional "copies" of several
of them distributed worldwide via Anycast.
Dynamic DNS (also referred to as DDNS) provides clients the ability to
update their IP address in the DNS after it changes due to mobility.
DNS Resource Records
DNS: distributed database for storing resource records (RR)
RR format: (name, value, type, ttl)
• Type=A
– name is hostname
– value is IP address
• Type=NS
– name is domain (e.g. foo.com)
– value is hostname of authoritative name server for this domain
• Type=CNAME
– name is alias name for some “canonical” (the real) name
(e.g. www.ibm.com is really servereast.backup2.ibm.com)
– value is canonical name
• Type=MX
– value is name of mailserver associated with name
Table for Various Type of Resource Records
EXAMPLES OF RESOURCE RECORDS
DNS CONCERNS
I.) Load Concerns:
• DNS can handle the load
– DNS root servers get approximately 3000 queries per second
• Empirical proofs (DDoS attacks) show root name servers can
handle 50,000 queries per second
– Limitation is network bandwidth, not the DNS protocol
– in-addr.arpa zone, which translates numbers to names,
gets about 2000 queries per second
II.) Performance Concerns:
• DNS is a very lightweight protocol
– Simple query – response
• Any performance limitations are the result of network
limitations
– Speed of light
– Network congestion
– Switching/forwarding latencies
CONCLUSION
The whole process of Presentation Seminar was very helpful and
educative for me in terms of the experience which I gained during its
preparation. I got to know the real meaning of how a web page is
accessed in real life requirements. I am responsible for the success or
failure of the presentation. This sense of responsibility could only have
been inculcated within me through such an exercise.
Thus, basically, the Domain Name System (DNS) is a hierarchical naming
system for computers, services, or any resource connected to the Internet
or a private network, and it helps in the translation of domain names into
their corresponding IP addresses.
In the end, I am very grateful to all my teachers, friends and the people
who helped me immensely in preparation of this presentation.
Thank You….
REFERENCES
http://en.wikipedia.org/wiki/Category:Domain_name_system
http://www.livinginternet.com/i/iw_dns.htm
http://www.centr.org
Domain Names - Concepts and Facilities, P. Mockapetris
Role of the Domain Name System (DNS) - O'Reilly