
All About DNS


Do not unplug this cable!

DNS, the system that translates domain names into IP addresses, is deceptively simple. In this deck, VM Farms Inc. CEO Hany Fahim outlines why it matters and how it works.

VM Farms Inc.

June 24, 2014

Transcript

  1. DNS is fundamental. The Internet would fall apart without it. And it does on a regular basis (DDoS).
  2. Concept is simple: maps names (domains) to numbers (IP addresses). vmfarms.com resolves to 75.98.16.84; my.vmfarms.com resolves to 72.51.29.52. Why is it so confusing then?
  3. Implementation is confusing. So many different concepts: zones, records, TTLs, authorities, delegations, registrars, WHOIS, serials, etc. Some DNS servers don't even respect the basic rules! AWS (Route 53) allows multiple hosted zones for the same domain name; only the one whose name servers are delegated from the parent is actually reachable. Caching name servers don't always respect TTLs. DNS is SLOOOWWWWW. A full query (i.e. no cache) can take several seconds to complete!
  4. Who's involved? The United States Department of Commerce (DOC) used to own all components of DNS in the early days of the Internet. Beginning in 1998, DOC delegated certain responsibilities to a private nonprofit California-based corporation, the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN controls both sides of DNS: the names (formerly InterNIC) and the numbers/IPs (Internet Assigned Numbers Authority, IANA). However, DOC retains ultimate control over the Root Zone File, and any changes must be approved by them. More on this later…
  5. [Diagram: Root Zone File -> Root Name Servers -> Domains and TLDs (InterNIC) -> Registrars (GoDaddy, Namecheap)]
  6. It all starts at the top, with a dot. A domain name is composed of several components and is structured like a tree. my.vmfarms.com is actually my.vmfarms.com. (with a trailing dot) and should be read from right to left. The dot (.) is the root node of the tree.
  7. my . vmfarms . com .
    my = host name / sub-domain
    vmfarms = domain name
    com = Top Level Domain (TLD)
    . = root
  8. Top Level Domains. Top Level Domains (TLDs) are controlled by IANA, delegated by ICANN. IANA maintains a Root Zone Database that contains the full list of all TLDs on the Internet, and which organization is responsible for managing each TLD (called delegations). TLDs are divided into 2 groups: generic (gTLD) and country-code (ccTLD). Examples: gTLD: .com, .net, .org; ccTLD: .ca, .uk, .io (.co.uk is a second-level domain under the .uk ccTLD, not a TLD itself).
  9. Domains must be unique. ICANN enforces the uniqueness of domain names. ICANN accredits Domain Name Registrars, which register domains in the registry database of the relevant TLD. Along with domain registrations, registrars must submit a list of Authoritative Name Servers (minimum of 2 required for most TLDs). Examples of Registrars: GoDaddy, Namecheap.
  10. A web of DNS servers. There are generally 2 types of DNS servers: caching and authoritative. A DNS server can serve both functions, but the vast majority are either one or the other. Anyone can run a DNS server.
  11. Caching Name Servers. Caching name servers are usually operated by ISPs. Caching logic goes like this: If a query comes in for a record that is currently in its cache (and not expired), it returns the cached result. If not, it either forwards the query to another DNS server it knows about (a forwarder) or resolves it itself: starting from the closest delegation it already has cached (and, failing that, a root name server), it follows the NS referrals down through the TLD servers to the zone's authoritative servers, and caches each answer, delegations included, for the time-to-live (TTL) set by the authoritative zone.
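The resolution walk and caching rules on slides 6, 7, 10 and 11, as an added worked example that is not code from the deck: a toy iterative resolver in Python that follows referrals from the root to the zone's authoritative server and caches each answer (including the delegation NS sets) for its TTL. The authoritative servers are a constructed in-memory stand-in with placeholder server names under .example; only the domain names and addresses are the deck's. A fake clock shows an A record expiring while the longer-lived delegation stays cached.

```python
"""Toy iterative resolver with a TTL cache (added illustration, not the deck's code).
Authoritative data is a constructed stand-in for the root, the com. TLD servers and
the vmfarms.com zone; *.example server names are placeholders."""


def fqdn(name):
    """Normalise to a fully-qualified name with the trailing root dot (slide 6)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def ancestors(name):
    """Zones from the root down to the name (the right-to-left reading of slide 6):
    my.vmfarms.com. -> ['.', 'com.', 'vmfarms.com.', 'my.vmfarms.com.']"""
    name = fqdn(name)
    if name == ".":
        return ["."]
    labels = name.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


# zone -> {owner: [(type, ttl, rdata), ...]}; NS records for a child zone are referrals.
ZONES = {
    ".": {"com.": [("NS", 172800, "gtld.example")]},
    "com.": {"vmfarms.com.": [("NS", 172800, "ns.zerigo.example")]},
    "vmfarms.com.": {
        "vmfarms.com.": [("NS", 900, "ns.zerigo.example"), ("A", 900, "75.98.16.84")],
        "my.vmfarms.com.": [("A", 86400, "72.51.29.52")],
    },
}
# Which zone each placeholder server is authoritative for; resolvers are seeded with root "hints".
SERVERS = {"a.root-servers.example": ".", "gtld.example": "com.", "ns.zerigo.example": "vmfarms.com."}
ROOT_HINT = "a.root-servers.example"


def query_authoritative(server, qname, qtype):
    """One query to an authoritative server: ('answer', records),
    ('referral', child_zone, ns_records) or ('nxdomain',)."""
    zone = SERVERS[server]
    data = ZONES[zone]
    qname = fqdn(qname)
    if qname in data and any(t == qtype for t, _, _ in data[qname]):
        return "answer", [r for r in data[qname] if r[0] == qtype]
    # Otherwise hand out the most specific delegation (NS set) covering the name.
    for child in sorted(data, key=len, reverse=True):
        ns = [r for r in data[child] if r[0] == "NS"]
        if child != zone and ns and (qname == child or qname.endswith("." + child)):
            return "referral", child, ns
    return ("nxdomain",)


class FakeClock:
    """Controllable clock so TTL expiry can be shown without waiting."""
    now = 0.0

    def __call__(self):
        return self.now


class CachingResolver:
    def __init__(self, clock):
        self.clock = clock
        self.cache = {}   # (name, type) -> (expires_at, records)
        self.queries = 0  # upstream queries sent; shows what the cache saves

    def _cached(self, name, qtype):
        key = (fqdn(name), qtype)
        hit = self.cache.get(key)
        if hit is None:
            return None
        expires_at, records = hit
        if expires_at > self.clock():
            return records
        del self.cache[key]  # expired: a well-behaved cache drops it (slide 3: not all do)
        return None

    def _store(self, name, qtype, records):
        ttl = min(r[1] for r in records)  # honour the TTL the authoritative zone set
        self.cache[(fqdn(name), qtype)] = (self.clock() + ttl, records)

    def resolve(self, name, qtype="A"):
        name = fqdn(name)
        hit = self._cached(name, qtype)
        if hit is not None:
            return hit
        server = ROOT_HINT  # start at the closest cached delegation, else the root
        for zone in reversed(ancestors(name)):
            ns = self._cached(zone, "NS")
            if ns:
                server = ns[0][2]
                break
        while True:
            self.queries += 1
            reply = query_authoritative(server, name, qtype)
            if reply[0] == "answer":
                self._store(name, qtype, reply[1])
                return reply[1]
            if reply[0] == "referral":
                self._store(reply[1], "NS", reply[2])  # cache the delegation too
                server = reply[2][0][2]
                continue
            return []  # NXDOMAIN (negative caching omitted)


def demo():
    clock = FakeClock()
    r = CachingResolver(clock)
    answer = r.resolve("my.vmfarms.com")  # cold cache: root -> com. -> zone, 3 queries
    q_cold = r.queries
    r.resolve("my.vmfarms.com")           # cache hit: no upstream query
    q_hit = r.queries
    r.resolve("vmfarms.com")              # delegation cached: only the zone's server is asked
    q_sibling = r.queries
    clock.now += 86401                    # A record (TTL 86400) expired; delegation (172800) is not
    r.resolve("my.vmfarms.com")
    return answer[0][2], q_cold, q_hit, q_sibling, r.queries


if __name__ == "__main__":
    print(demo())  # ('72.51.29.52', 3, 3, 4, 5)
```

The returned tuple is the query count after each step: three upstream queries for the cold lookup, none for the cache hit, one when only the delegation is cached, and one more once the A record's TTL has lapsed. This is also the mechanism behind slide 3's complaints: a cache that ignores the TTL keeps serving the old address after a change, and a lookup that has to start at the root every time is the "SLOOOWWWWW" full query.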
  12. Root Name Servers. Responsible for serving the records from the master Root Zone File. There are 13 "logical" root name servers (A through M) on the Internet, operated by 12 organizations (Verisign runs two). While there are "13" logical servers, there are hundreds of physical servers behind them (anycast). The number "13" is due to a limitation of the DNS spec, which specified a maximum packet size of 512 bytes when using UDP: the full list of root server names and addresses has to fit in one unextended UDP response.
  13. Root server operators (and the software they run):
    A - Verisign (BIND)
    B - Information Sciences Institute, University of Southern California (BIND)
    C - Cogent (BIND)
    D - University of Maryland (BIND)
    E - NASA (BIND)
    F - Internet Systems Consortium (BIND)
    G - Defense Information Systems Agency (BIND)
    H - U.S. Army Research Lab (NSD)
    I - Netnod (BIND)
    J - Verisign (BIND)
    K - RIPE NCC (NSD)
    L - ICANN (NSD)
    M - WIDE Project (BIND)
  14. Root Zone File. Contains the master list of TLDs and the names and IPs of the authoritative name servers for each TLD (the NS records plus glue A/AAAA records; referred to in this deck as the Start of Authority (SOA) name servers). Controlled by the DOC, which must approve all changes requested by ICANN. Because ICANN is slow to adopt new TLDs, there are several alternative DNS roots that distribute their own set of root zone files (alternative Internets): NameCoin, P2P DNS, Name.Space, OpenNIC, TOR.
  15. Start of Authority (SOA). Authoritative name servers that are responsible for the zone file for a particular domain name (strictly, SOA is the record at the top of the zone; the servers themselves are the ones listed in the zone's NS records). Usually managed by hosting or specialized providers (like Zerigo, AWS).
  16. Zone File. A zone file contains a list of DNS records. Records come in a variety of types:
    A Record - Maps names to IPv4 addresses (AAAA for IPv6).
    CNAME Record - Aliases to other names.
    MX Record - Mail eXchange records for email.
    NS Record - Name server records that list the servers authoritative for the zone (the same set the parent uses for its delegation).
    SOA Record - Contains several pieces of metadata needed for zone maintenance and transfers.
  17. Zone Transfers. Domain names are usually required to have more than one authoritative name server, depending on the requirements of the TLD. The SOA record is used to facilitate syncing changes between primary and secondary servers. The SOA record contains several pieces of data:
    Primary DNS server.
    Primary contact email (with the @ replaced by a .).
    Serial number (version) used to keep track of when changes are made; secondaries only transfer the zone when the primary's serial is newer than theirs, so a serial that is not incremented (or that moves backwards) means changes never propagate.
    Refresh time - seconds that secondary DNS servers wait before checking the primary for a new serial.
    Retry time - seconds that secondary DNS servers wait before retrying a failed refresh.
    Expire time - seconds after which a secondary that still cannot reach the primary stops answering for the zone.
    Minimum TTL - originally the default time-to-live for all records; now used as the TTL for negative (name does not exist) answers, with $TTL setting the default for records.
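The SOA fields on slide 17 drive a secondary's behaviour, and the serial comparison is where zone updates silently fail. The following is an added Python example, not code from the deck: it parses the SOA out of a constructed zone snippet (example.com with placeholder host names and made-up timer values), implements the 32-bit serial arithmetic from RFC 1982, decides what a secondary should do after polling the primary, and bumps a YYYYMMDDnn serial without ever producing an "older" value.

```python
"""SOA handling for a secondary name server (added illustration, not the deck's code).
The zone text below is constructed for the example; host names are placeholders."""
import re

ZONE_TEXT = """\
$TTL 3600
example.com.  IN  SOA  ns1.example.com. hostmaster.example.com. (
                  2014062401 ; serial (YYYYMMDDnn)
                  7200       ; refresh
                  900        ; retry
                  1209600    ; expire
                  300 )      ; minimum / negative-cache TTL
example.com.  IN  NS   ns1.example.com.
example.com.  IN  NS   ns2.example.com.
"""

FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")


def parse_soa(zone_text):
    """Pull the SOA out of zone-file text: strip ';' comments, join the ( ... ) continuation."""
    joined = " ".join(re.sub(r";.*", "", line) for line in zone_text.splitlines())
    m = re.search(r"\bSOA\s+(\S+)\s+(\S+)\s*\(?\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\)?", joined)
    if not m:
        raise ValueError("no SOA record found")
    vals = list(m.groups())
    soa = dict(zip(FIELDS, vals[:2] + [int(v) for v in vals[2:]]))
    # RNAME encodes the contact mailbox with the first '.' standing in for '@'.
    soa["contact"] = soa["rname"].rstrip(".").replace(".", "@", 1)
    return soa


SERIAL_MOD = 2 ** 32
HALF = 2 ** 31


def serial_newer(candidate, current):
    """RFC 1982 serial arithmetic: serials are 32-bit and wrap, so `candidate` is newer
    only if it is less than half the circle ahead of `current`."""
    candidate %= SERIAL_MOD
    current %= SERIAL_MOD
    if candidate == current:
        return False
    if candidate > current:
        return candidate - current < HALF
    return current - candidate > HALF


def secondary_action(local_serial, primary_serial, seconds_since_good_refresh, soa):
    """What a secondary does after polling the primary's SOA; primary_serial is None
    when the primary could not be reached."""
    if primary_serial is None:
        if seconds_since_good_refresh >= soa["expire"]:
            return "expire"      # too stale to trust: stop answering for the zone
        return "retry"           # try again after soa['retry'] seconds
    if serial_newer(primary_serial, local_serial):
        return "transfer"        # AXFR/IXFR the new version
    return "up-to-date"          # poll again after soa['refresh'] seconds


def next_serial(current, today_yyyymmdd):
    """Next serial under the YYYYMMDDnn convention. If the date-based value would not
    be newer (more than 99 edits today, or a bogus oversized serial already in the zone),
    fall back to current + 1 so secondaries still see an increase."""
    candidate = today_yyyymmdd * 100
    return candidate if serial_newer(candidate, current) else (current + 1) % SERIAL_MOD


if __name__ == "__main__":
    soa = parse_soa(ZONE_TEXT)
    print(soa["serial"], soa["contact"], secondary_action(soa["serial"], 1, 0, soa))
```

The trap worth remembering: resetting a serial from 2014062401 to 1 looks "older" to every secondary (the distance back is well under half the 32-bit circle), so the zone never transfers again until the serial is raised past the old value, which is why next_serial() never returns a value that fails serial_newer().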
  18.-27. [Diagram, built up over ten slides: a client (OS, Browser, Router) asks a Caching Name Server (ISP - Rogers, Bell, Peer1), which walks the Root Name Servers (Root A through Root M), the Top Level Domains (gTLDs, ccTLDs) and the Start of Authority (SOA) Name Servers (Zerigo, AWS) to reach the VM Farms VMs.]
  28. mbp:~ hany$ dig +trace my.vmfarms.com

    ; <<>> DiG 9.8.3-P1 <<>> +trace my.vmfarms.com
    ;; global options: +cmd
    .                   406575  IN  NS  m.root-servers.net.
    .                   406575  IN  NS  b.root-servers.net.
    .                   406575  IN  NS  l.root-servers.net.
    .                   406575  IN  NS  i.root-servers.net.
    .                   406575  IN  NS  d.root-servers.net.
    .                   406575  IN  NS  g.root-servers.net.
    .                   406575  IN  NS  j.root-servers.net.
    .                   406575  IN  NS  k.root-servers.net.
    .                   406575  IN  NS  h.root-servers.net.
    .                   406575  IN  NS  c.root-servers.net.
    .                   406575  IN  NS  f.root-servers.net.
    .                   406575  IN  NS  a.root-servers.net.
    .                   406575  IN  NS  e.root-servers.net.

    com.                172800  IN  NS  j.gtld-servers.net.
    com.                172800  IN  NS  a.gtld-servers.net.
    com.                172800  IN  NS  g.gtld-servers.net.
    com.                172800  IN  NS  i.gtld-servers.net.
    com.                172800  IN  NS  d.gtld-servers.net.
    com.                172800  IN  NS  e.gtld-servers.net.
    com.                172800  IN  NS  f.gtld-servers.net.
    com.                172800  IN  NS  m.gtld-servers.net.
    com.                172800  IN  NS  k.gtld-servers.net.
    com.                172800  IN  NS  c.gtld-servers.net.
    com.                172800  IN  NS  h.gtld-servers.net.
    com.                172800  IN  NS  l.gtld-servers.net.
    com.                172800  IN  NS  b.gtld-servers.net.

    vmfarms.com.        172800  IN  NS  a.ns.zerigo.net.
    vmfarms.com.        172800  IN  NS  b.ns.zerigo.net.
    vmfarms.com.        172800  IN  NS  d.ns.zerigo.net.
    vmfarms.com.        172800  IN  NS  c.ns.zerigo.net.
    vmfarms.com.        172800  IN  NS  e.ns.zerigo.net.
    vmfarms.com.        172800  IN  NS  f.ns.zerigo.net.
    vmfarms.com.        172800  IN  NS  ns1174.dns.dyn.com.
    vmfarms.com.        172800  IN  NS  ns2136.dns.dyn.com.
    vmfarms.com.        172800  IN  NS  ns3180.dns.dyn.com.
    vmfarms.com.        172800  IN  NS  ns4133.dns.dyn.com.

    my.vmfarms.com.     86400   IN  A   72.51.29.52
    vmfarms.com.        900     IN  NS  f.ns.zerigo.net.
    vmfarms.com.        900     IN  NS  ns4.mydyndns.org.
    vmfarms.com.        900     IN  NS  e.ns.zerigo.net.
    vmfarms.com.        900     IN  NS  a.ns.zerigo.net.
    vmfarms.com.        900     IN  NS  ns5.mydyndns.org.
    vmfarms.com.        900     IN  NS  b.ns.zerigo.net.
    vmfarms.com.        900     IN  NS  ns2.mydyndns.org.
    vmfarms.com.        900     IN  NS  d.ns.zerigo.net.
    vmfarms.com.        900     IN  NS  ns1.mydyndns.org.
    vmfarms.com.        900     IN  NS  ns3.mydyndns.org.
    vmfarms.com.        900     IN  NS  c.ns.zerigo.net.

    Each block is one hop of the walk from slide 11: the root servers refer to the com. servers, the com. servers refer to the zone's name servers, and the last block is the authoritative answer. Note that the delegation handed out by com. (zerigo plus ns1174.dns.dyn.com and friends, TTL 172800) does not match the NS set the zone itself publishes (zerigo plus ns1.mydyndns.org and friends, TTL 900); the parent and child NS records should agree, because resolvers may end up sending queries to whichever set they happen to have cached.
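The trace on slide 28 returns two different NS sets for vmfarms.com.: the delegation from the com. servers, and the NS records the zone's own server returns alongside the answer. The following added Python example, not code from the deck, parses those two sections of dig's output (copied from the slide; the root and com. sections are omitted since they carry no NS records for the zone) and reports the difference, which is the check a practitioner runs to catch a stale or mismatched delegation before it causes intermittent resolution failures.

```python
"""Parent/child NS consistency check over dig +trace output (added illustration,
not the deck's code). TRACE_OUTPUT is copied from slide 28 of the deck."""

TRACE_OUTPUT = """\
vmfarms.com.    172800  IN  NS  a.ns.zerigo.net.
vmfarms.com.    172800  IN  NS  b.ns.zerigo.net.
vmfarms.com.    172800  IN  NS  d.ns.zerigo.net.
vmfarms.com.    172800  IN  NS  c.ns.zerigo.net.
vmfarms.com.    172800  IN  NS  e.ns.zerigo.net.
vmfarms.com.    172800  IN  NS  f.ns.zerigo.net.
vmfarms.com.    172800  IN  NS  ns1174.dns.dyn.com.
vmfarms.com.    172800  IN  NS  ns2136.dns.dyn.com.
vmfarms.com.    172800  IN  NS  ns3180.dns.dyn.com.
vmfarms.com.    172800  IN  NS  ns4133.dns.dyn.com.

my.vmfarms.com. 86400   IN  A   72.51.29.52
vmfarms.com.    900     IN  NS  f.ns.zerigo.net.
vmfarms.com.    900     IN  NS  ns4.mydyndns.org.
vmfarms.com.    900     IN  NS  e.ns.zerigo.net.
vmfarms.com.    900     IN  NS  a.ns.zerigo.net.
vmfarms.com.    900     IN  NS  ns5.mydyndns.org.
vmfarms.com.    900     IN  NS  b.ns.zerigo.net.
vmfarms.com.    900     IN  NS  ns2.mydyndns.org.
vmfarms.com.    900     IN  NS  d.ns.zerigo.net.
vmfarms.com.    900     IN  NS  ns1.mydyndns.org.
vmfarms.com.    900     IN  NS  ns3.mydyndns.org.
vmfarms.com.    900     IN  NS  c.ns.zerigo.net.
"""


def parse_records(text):
    """Split dig +trace output into blank-line separated sections of
    (owner, ttl, class, type, rdata) tuples; ';' comment lines are skipped."""
    sections, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                sections.append(current)
                current = []
            continue
        if line.startswith(";"):
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        current.append((owner.lower(), int(ttl), rclass, rtype, rdata.strip().lower()))
    if current:
        sections.append(current)
    return sections


def ns_set(section, zone):
    return {r[4] for r in section if r[0] == zone and r[3] == "NS"}


def delegation_check(trace_text, zone):
    """Compare the parent's delegation NS set for `zone` with the NS set the zone serves
    itself. Returns (parent_only, child_only, common), each sorted."""
    zone = zone.lower() if zone.endswith(".") else zone.lower() + "."
    sections = parse_records(trace_text)
    # The child's section is the one carrying the final (non-NS) answer.
    child_idx = next(i for i, s in enumerate(sections) if any(r[3] != "NS" for r in s))
    child = ns_set(sections[child_idx], zone)
    # The parent's view is the last referral section before it that names the zone.
    parent = next(ns_set(s, zone) for s in reversed(sections[:child_idx]) if ns_set(s, zone))
    return sorted(parent - child), sorted(child - parent), sorted(parent & child)


if __name__ == "__main__":
    parent_only, child_only, common = delegation_check(TRACE_OUTPUT, "vmfarms.com")
    print("only in parent delegation:", parent_only)
    print("only in zone's own NS set: ", child_only)
    print("in both:                   ", common)
```

For the slide's output the six zerigo servers are in both sets, the four dns.dyn.com names exist only in the parent's delegation and the five mydyndns.org names only in the zone itself. Either the registrar's NS list or the zone file is out of date; whichever it is, the fix is to make them identical, and to re-run the check after any name server change.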
  29.-30. [Same diagram as slides 18-27 with "Bad Guys", then "Many Bad Guys", added at the edges of the resolution path.]
  31. Root Name Server Attacks. October 21, 2002: an attack lasting approximately one hour was targeted at all 13 DNS root name servers. February 6, 2007: an attack began at 10 AM UTC and lasted twenty-four hours. At least two of the root servers (G-ROOT and L-ROOT) reportedly "suffered badly" while two others (F-ROOT and M-ROOT) "experienced heavy traffic". The latter two servers largely contained the damage by distributing requests to other root server instances with anycast addressing.
  32. Nuke them from orbit. On February 8, 2007 it was announced by Network World that "if the United States found itself under a major cyberattack aimed at undermining the nation's critical information infrastructure, the Department of Defense is prepared, based on the authority of the President, to launch an actual bombing of an attack source or a cyber counterattack."