Introduction to the ``Domain Name System'' (DNS)
- Host name to IP address mapping was originally done by downloading a static file
- The UNIX version of this file is /etc/hosts (the file that we ftp'd in was called HOSTS.TXT)
- The central file was maintained by the Stanford Research
Institute Network Information Center (SRI-NIC)
- As the Internet grew this scheme became unworkable
- The size of the file became too large
- The load on SRI-NIC site became too heavy
- The file was always inconsistent with reality
- Hostname collisions became frequent (anyone could
name their machine ``whitehouse.gov'' if they wanted to)
Overview of DNS
In 1983 Paul Mockapetris of USC/ISI designed the architecture of DNS (RFCs 882 and 883, later revised as RFCs 1034 and 1035). It's based on
the idea of ``resource records''.
The InterNIC was set up to manage DNS; however, this responsibility was given over to ICANN (Internet Corporation for Assigned Names and Numbers), and now the ``InterNIC'' is just a website. One of the most important activities of ICANN is
to accredit registrars.
Today, there are hundreds of registrars, and prices for domain names have dropped under $10.
Features
- Local control, with each segment updated locally
- Global access, with each segment available (almost) immediately
to the rest of the world upon update
- Robustness, to be achieved through replication
- Adequate performance, to be achieved through caching
Software
- Servers: called name servers, contain information about
some segment of the network and make it available to
clients
- Examples of DNS servers: BIND, djbdns, MaraDNS, dnsmasq, Unbound, NSD, PowerDNS, ...
- Client: resolvers, a set of library routines that
resolve names by accessing a server (originally
a separate library, like libresolv.a, now
usually part of libc.a)
- Domain name server software is also available for non-UNIX
platforms, such as Windows Server 2008 and Mac OS X.
Domain structure
- Similar to the structure of a hierarchical file system
- The root's name is the null (empty) label ``'' but is written
as a single dot ``.''
- Each node represents a 'domain'
- Every domain is named
- The full domain name is the sequence of labels from the
domain to the root, separated by periods
- Unlike a file system pathname, the name is written from leaf
to root (the path from the root to the leaf is read right to left rather than left to right)
- Example: xi.cs.fsu.edu (host xi, in domain cs, in fsu, in edu, under the root)
Domain management
- Each domain may be managed by a different organization
- The organization may divide itself into subdomains
- Then delegate responsibility for maintaining them
- ICANN (currently) manages the ``provisioning'' of top-level domains
What is ICANN?
The Internet Corporation for Assigned Names and
Numbers (ICANN) is responsible for managing and
coordinating the Domain Name System (DNS) to ensure
that every address is unique and that all users of
the Internet can find all valid addresses. It does
this by overseeing the distribution of unique IP
addresses and domain names. It also ensures that
each domain name maps to the correct IP address.
ICANN is also responsible for accrediting the
domain name registrars. "Accredit" means to identify
and set minimum standards for the performance of
registration functions, to recognize persons or
entities meeting those standards, and to enter
into an accreditation agreement that sets forth
the rules and procedures applicable to the
provision of Registrar Services.
Host names
- Each host on a network has a domain name
- The name points to information about the host, stored as resource records
- This may include:
- An IP address (A records; AAAA records for IPv6)
- Mail routing information (MX records)
- Aliases which point to the real (``canonical'') host name (CNAME records)
The domain name space
- There may be any number of branches at a node
- Some implementations limit the tree's depth
- Each label is at most 63 octets and a whole name at most 255 octets on the wire; the original RFCs suggest keeping labels to 12 characters or fewer for convenience
- A domain name that is written relative to the root (with a trailing dot) is
called a 'fully-qualified domain name' - FQDN
- Names without a trailing dot are relative names: the resolver may
interpret them relative to some domain other than the root (its search list)
- Sibling nodes must have unique names; label comparison is case-insensitive
- The name of a domain is the domain name of the node at the
top of the domain (example purdue.edu)
- Again, similar to a file system
- A node is in multiple domains (every domain above it)
- So, a domain is just a sub-tree of the domain name space (``sub-domain'')
- Host names must not use underscore ("_") (RFC 952/1123), although other similar naming schemes (prominently, NIS) have allowed it. DNS itself permits any octet in a label, which is why service and protocol labels such as _tcp or _sip (SRV records) do start with an underscore; the restriction applies to names that identify hosts.
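The naming rules above (label and name length limits, the trailing-dot FQDN convention, the host-name character rule versus what DNS itself allows, case-insensitive labels, and the fact that a node lies in every domain above it) as an added Python example. This is not code from the page; the names it checks are the page's own examples plus the made-up service name _sip._tcp.example.com:

```python
import re

MAX_LABEL = 63    # RFC 1035: a label is at most 63 octets
MAX_NAME = 255    # RFC 1035: a whole name is at most 255 octets on the wire
# RFC 952/1123 host-name label: letters, digits and hyphen, not starting or
# ending with a hyphen.  DNS itself allows any octet; this is the host rule.
HOST_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")

def split_labels(name):
    """Split a name into its labels.  Returns (labels, is_fqdn); a trailing
    dot (the empty root label) marks a fully-qualified name."""
    if name == ".":
        return [], True
    is_fqdn = name.endswith(".")
    body = name[:-1] if is_fqdn else name
    return body.split("."), is_fqdn

def check_name(name, hostname=False):
    """Return the list of rule violations (empty means the name is acceptable).
    hostname=True additionally applies the RFC 952/1123 host-name syntax."""
    labels, _ = split_labels(name)
    problems = []
    for label in labels:
        if label == "":
            problems.append("empty label")
        elif len(label.encode()) > MAX_LABEL:
            problems.append(f"label too long: {label[:10]}...")
        elif hostname and not HOST_LABEL.match(label):
            problems.append(f"not a valid host-name label: {label}")
    wire_length = sum(len(l.encode()) + 1 for l in labels) + 1   # +1 for the root
    if wire_length > MAX_NAME:
        problems.append("name too long")
    return problems

def ancestors(name):
    """Every domain a node is in, from the node itself up to the root:
    xi.cs.fsu.edu is in cs.fsu.edu, fsu.edu, edu and '.'"""
    labels, _ = split_labels(name)
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]

def same_name(a, b):
    """Label comparison is case-insensitive, so XI.CS.FSU.EDU names the same
    node as xi.cs.fsu.edu (a point that matters for ACLs keyed on names)."""
    return [l.lower() for l in split_labels(a)[0]] == [l.lower() for l in split_labels(b)[0]]

if __name__ == "__main__":
    for n in ("xi.cs.fsu.edu", "_sip._tcp.example.com", "a..b"):
        print(n, check_name(n, hostname=True), ancestors(n))
```

The two-argument form of check_name is the point: a validator that applies the host-name rule to every DNS name will reject legitimate SRV, DKIM and similar underscore-prefixed names, while one that applies no rule will let an underscore or a 70-character label into a host name.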
Hosts
- Where are the hosts?
- A domain name is just an index into the DNS database
- The 'hosts' are domain names that point to individual
machine information
- The hosts are related 'logically' usually by geography
or organization
- They are NOT necessarily related by network or IP address
or hardware type
- You could have 10 different hosts on 10 different networks
in ten different countries all in the same domain (hp.com)
- Nodes at the leaves of the tree usually represent individual hosts
- Interior nodes may point to both host information and to sub-domain information
For example, ``hp.com'' is both the name of a domain and the name
of a machine that routes mail
Terms
- top-level domain (TLD), also called a first-level domain: a child of the root (edu)
- second-level domain: a child of a top-level domain
(fsu.edu)
Naming rules - the original 7 top-level domains were:
- com - commercial organizations
- edu - educational organizations
- gov - governmental bodies
- mil - military organizations
- net - networking organizations
- org - non-commercial organizations
- int - international organizations
Country-code names (ISO 3166-1 alpha-2 codes)
- A 2-letter designation is reserved for each country (e.g.: DE - Germany, DK - Denmark, CH - Switzerland)
- Each country may organize its domain space however it wishes
- For example, Australia uses edu.au and com.au
- And Britain uses co.uk - corporations, ac.uk - academic community
- And the U.S. uses states: fl.us, then cities: tlh.fl.us
Name servers
Zones
- A program that stores information about the domain name space
is called a Domain Name Server
- A name server generally has complete information about some part
of the domain name space
- The subspace is called a 'zone'
- The server is said to have 'authority' for one or more zones
- What is the difference between a zone and a domain?
- A domain is the whole sub-tree below a node; a zone is the part of that
sub-tree that one organization administers directly: a connected set of nodes
with a primary (master) server, ending wherever responsibility for a sub-domain
has been delegated to other servers (if cs.fsu.edu is delegated to its own
servers, the fsu.edu zone stops there, even though cs.fsu.edu is still in the
fsu.edu domain)
Types of name servers
- Primary (master) → Gets the data for its zones from flat data (text) files (the ``zone files'')
- Secondary (slave)
- Gets the data for its zone from another server
- It periodically updates its local data by copying the
primary master's zone (when the zone's SOA serial number has changed)
- This is called a 'zone transfer' (AXFR for the whole zone, IXFR for incremental changes)
- A zone transfer hands out every record in the zone, so the primary should allow transfers only to its secondaries (BIND's allow-transfer, ideally with TSIG-signed requests); an open transfer lets anyone enumerate all of your hosts
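An added BIND 9 named.conf fragment (not from the page) showing the zone-transfer exposure a practitioner checks for, with the weak setting beside the corrected one. Older BIND 9 releases default to allowing transfers to any host, which lets anyone dump the zone with dig @server cs.fsu.edu AXFR; the hardened form restricts transfers to the secondaries. The zone name and file path are illustrative, and the two 128.186.120.x addresses from this page's resolv.conf are assumed here to be the secondaries:

```conf
// Weak: anyone on the Internet can pull the whole zone with
//   dig @ns.cs.fsu.edu cs.fsu.edu AXFR
zone "cs.fsu.edu" {
    type master;
    file "/var/named/cs.fsu.edu.zone";
    allow-transfer { any; };
};

// Hardened: only the listed secondaries may transfer, and they are told
// (NOTIFY) when the serial changes instead of waiting for the refresh timer.
acl secondaries { 128.186.120.178; 128.186.120.179; };
zone "cs.fsu.edu" {
    type master;
    file "/var/named/cs.fsu.edu.zone";
    allow-transfer { secondaries; };
    notify yes;
    also-notify { 128.186.120.178; 128.186.120.179; };
};
```

The two zone blocks are a before/after pair; a real configuration contains only one of them. Address-based ACLs can be spoofed on the TCP handshake only with difficulty, but a TSIG key shared with the secondaries (allow-transfer { key "xfer-key"; };) is the stronger check.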
Generally keep more than one name server for any given zone
- Redundancy: fault tolerance
- Load: localize it as much as possible
Name service clients
- These are the clients that access name servers
- In BIND these are a set of library routines (the resolver library)
- These are compiled (or linked via shared library) into ssh, sftp, scp, telnet, etc. so that
these programs will use DNS to resolve names (``gethostbyname()'', ``getaddrinfo()'' and others)
Duties of a simple resolver
- Sometimes called a 'stub resolver'
- Querying a name server
- Interpreting the response
- [Perhaps send more queries]
- Returning a reply to the program that it is servicing
How does the name server resolve names
- If the name is in the name server's zone then it can give
the resolver an immediate 'authoritative' response
- If not, then the name server must search the domain name space
for an answer
- It only needs one piece of information to get started: the addresses
of the root-level servers (the 'root hints', shipped with the server software)
Root name servers
- They can point you to the name servers for each of the top-level
domains
- They, in turn can point you to their subdomains, etc. until the
name is resolved
Recursion
- The first name server can make multiple requests
- Successive requests refer the first server to another machine: a server that is not authoritative for the name answers with a 'referral' (the NS records of the next zone down) rather than the answer itself, and the querying server follows it (an 'iterative' query)
- A local server generally responds to a 'recursive query' (one with the RD bit set)
- A recursive query places most of the work on a single name server
- When a recursive query is made the name server is obliged to go find the
answer or return an error message
- A server that answers recursive queries for anyone (an 'open resolver') can be abused for reflected, amplified denial of service and is a more exposed target for cache poisoning, so recursion should be offered only to the server's own clients (BIND's allow-recursion)
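To make the stub resolver's duties and the RD/RA/AA header bits concrete, here is an added Python example (not code from the page, nor from BIND): it builds a query for chi.cs.fsu.edu in DNS wire format, parses a reply including compressed names, and checks that the reply belongs to the query. The reply bytes are constructed by hand to mirror the nslookup output later on this page (chi.cs.fsu.edu is 128.186.121.20); the TTL of 3600 and the query ID are assumptions. resolve() sends a real query over UDP and is the only part that needs a network.

```python
import socket
import struct

QTYPE = {"A": 1, "CNAME": 5, "PTR": 12, "MX": 15}

def encode_name(name):
    """Wire form: length-prefixed labels, terminated by the empty root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype="A", qid=0x1234, recursion_desired=True):
    """12-byte header + one question.  RD=1 is what a stub resolver sets: it
    asks the local server to recurse and hand back the final answer."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)

def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers (top two bits
    11) to an earlier copy of a suffix.  Pointers must point backwards, so a
    forward pointer or a loop is treated as a corrupt message.
    Returns (name, offset just past the name as it appeared at `offset`)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if pointer >= offset or hops > 32:
                raise ValueError("bad compression pointer")
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)

def parse_response(msg):
    """Header bits a resolver must look at, plus the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {
        "id": qid,
        "is_response": bool(flags & 0x8000),         # QR
        "authoritative": bool(flags & 0x0400),       # AA: from the zone's own server
        "recursion_desired": bool(flags & 0x0100),   # RD, echoed from the query
        "recursion_available": bool(flags & 0x0080), # RA: server will recurse for you
        "rcode": flags & 0x000F,                     # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
        "answers": [],
    }
    offset = 12
    for _ in range(qd):                              # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4                                  # QTYPE + QCLASS
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:                # A: four raw octets
            value = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype in (5, 12):                       # CNAME / PTR: a (maybe compressed) name
            value, _ = decode_name(msg, offset)
        else:
            value = msg[offset:offset + rdlen].hex()
        offset += rdlen
        info["answers"].append((name, rtype, ttl, value))
    return info

def matches(query, response):
    """Accept a reply only if its ID and echoed question match what we sent:
    the 16-bit ID (plus a random source port) is all that separates a real
    reply from one an off-path attacker blindly injects."""
    n = len(query)
    return (response[:2] == query[:2] and response[12:n] == query[12:n]
            and parse_response(response)["is_response"])

def constructed_response():
    """Hand-built reply (not captured from a real server) to
    build_query("chi.cs.fsu.edu"): QR, AA, RD, RA set, NOERROR, one A record
    with TTL 3600 whose owner name is a pointer (0xC00C) to the question."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)
    question = encode_name("chi.cs.fsu.edu") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([128, 186, 121, 20])
    return header + question + answer

def resolve(name, server, qtype="A", timeout=2.0):
    """Send the query over UDP to a real server (needs network; the offline
    demonstration uses constructed_response() instead)."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(4096)
    if not matches(query, reply):
        raise ValueError("reply does not match the query")
    return parse_response(reply)
```

A reply with AA set and RA clear is what an authoritative server sends when it refuses to recurse; a reply with RA set but AA clear is the ``Non-authoritative answer'' nslookup prints when the local caching server answered. The bounds checks in decode_name are not decoration: a name that points forward or at itself is the classic way a malformed packet makes a naive parser spin or read out of bounds.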
Mapping addresses to names (``reverse look-ups'')
What if you have an IP number and want to find the host name?
- This is useful to make output more readable (logs, netstat, traceroute)
- Used for some security checks (e.g., access lists keyed on host name); note that the PTR record is published by whoever controls the address block, so it must be confirmed by looking the name up again and comparing the address
- This was easy with the old /etc/hosts tables
- BUT the DNS data is indexed only by name
- Could do an exhaustive search
- The clever solution:
Create a part of the domain name space that uses addresses as names
For example type:
# nslookup 128.186.120.2
Server: 128.186.120.179
Address: 128.186.120.179#53
2.120.186.128.in-addr.arpa name = diablo.cs.fsu.edu.
Now, as you can see, newer nslookup versions will do this automatically.
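The in-addr.arpa / ip6.arpa construction, built by hand, plus the check that makes a reverse lookup usable for a security decision (forward-confirmed reverse DNS), as an added Python example that is not code from the page. The lookup functions are injected and the PTR and A data are constructed, not live DNS: diablo's PTR is the one shown above, while 203.0.113.7 and mail.attacker.example are made-up names for an address block whose owner publishes a lying PTR.

```python
import ipaddress

def reverse_name(ip):
    """Name to query for a PTR record, built by hand to show the rule:
    IPv4 reverses the four decimal octets under in-addr.arpa,
    IPv6 reverses all 32 hex nibbles under ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")   # 32 zero-padded hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def matches_stdlib(ip):
    """Sanity check against the standard library's own implementation."""
    return reverse_name(ip) == ipaddress.ip_address(ip).reverse_pointer + "."

def forward_confirmed(ip, lookup_ptr, lookup_a):
    """Forward-confirmed reverse DNS (FCrDNS).  A PTR record is published by
    whoever controls the address block, so by itself it proves nothing: the
    owner of 203.0.113.0/24 can make 7.113.0.203.in-addr.arpa claim to be
    diablo.cs.fsu.edu.  Accept a PTR name only if the owner of that forward
    name maps it back to the same address.  The two lookup functions are
    injected so the check can run offline; a real one would query DNS."""
    addr = ipaddress.ip_address(ip)
    confirmed = []
    for name in lookup_ptr(str(addr)):
        if any(ipaddress.ip_address(a) == addr for a in lookup_a(name)):
            confirmed.append(name)
    return confirmed

# Constructed sample data (not live DNS).  diablo's PTR from the page is
# honest; the attacker-controlled block publishes a PTR that lies.
PTR_RECORDS = {
    "128.186.120.2": ["diablo.cs.fsu.edu."],
    "203.0.113.7": ["diablo.cs.fsu.edu.", "mail.attacker.example."],
}
A_RECORDS = {
    "diablo.cs.fsu.edu.": ["128.186.120.2"],
    "mail.attacker.example.": ["203.0.113.7"],
}

def fake_ptr(ip):
    return PTR_RECORDS.get(ip, [])

def fake_a(name):
    return A_RECORDS.get(name, [])

if __name__ == "__main__":
    for ip in ("128.186.120.2", "203.0.113.7"):
        print(reverse_name(ip), forward_confirmed(ip, fake_ptr, fake_a))
```

For 203.0.113.7 the forged PTR name drops out and only mail.attacker.example survives, which is the name an access list or log line should record. Tools such as TCP wrappers do this double lookup for the same reason.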
Caching
- Each time a local name server processes a recursive query
it learns a lot of information
- This is cached which speeds up successive queries
- Example:
- Say our server has already looked up the address of eecs.berkeley.edu
- This means it has cached the name servers for both eecs.berkeley.edu and berkeley.edu
- If we now make a query for baobab.cs.berkeley.edu
the local server can skip the root-level query and
go right to berkeley.edu
time to live (TTL)
- A TTL is the amount of time that information is cached
before it is discarded
- The trade-off is between consistency and performance
- Remember, caching is also performed by other actors: in particular, nscd can cache names, and it
uses its own TTLs, not those of the actual RRs. Applications such as browsers often also do a good
bit of caching of IP addresses.
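How a caching server applies a TTL, as an added Python example (not code from the page or from any real server): a record is stored with its absolute expiry, handed out with the time remaining rather than the original TTL, clamped to a local maximum, and discarded once it expires. The berkeley.edu NS record, its 86400-second TTL and the 3600-second cap are assumptions chosen to match the caching example above; the clock is injectable so the walk-through runs instantly.

```python
import time

class RRCache:
    """Positive cache keyed by (owner name, record type).  Each entry stores
    its absolute expiry so that the TTL handed back is the time *remaining*,
    which is what a caching server returns to its clients.  max_ttl caps what
    a zone may ask us to keep: an overly long TTL makes a stale (or poisoned)
    record linger, which is the consistency side of the trade-off."""

    def __init__(self, max_ttl=86400, clock=time.monotonic):
        self.max_ttl = max_ttl
        self.clock = clock          # injectable so the demo runs instantly
        self.entries = {}

    def put(self, name, rtype, rdata, ttl):
        ttl = min(int(ttl), self.max_ttl)
        self.entries[(name.lower().rstrip("."), rtype)] = (rdata, self.clock() + ttl)

    def get(self, name, rtype):
        """Return (rdata, remaining_ttl) or None if absent or expired."""
        key = (name.lower().rstrip("."), rtype)
        hit = self.entries.get(key)
        if hit is None:
            return None
        rdata, expires = hit
        remaining = expires - self.clock()
        if remaining <= 0:
            del self.entries[key]   # discard on expiry, per the TTL rule
            return None
        return rdata, int(remaining)

class FakeClock:
    """Controllable clock for the demonstration (assumed stand-in for time.monotonic)."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds

def demo():
    """Walk through the berkeley.edu example: the NS record is cached with a
    clamped TTL, served with a shrinking TTL, then dropped once it expires."""
    clock = FakeClock()
    cache = RRCache(max_ttl=3600, clock=clock)
    cache.put("berkeley.edu.", "NS", ["ns.berkeley.edu."], ttl=86400)  # clamped to 3600
    clock.advance(1000)
    first = cache.get("BERKELEY.EDU", "NS")    # case-insensitive, trailing dot ignored
    clock.advance(3000)
    second = cache.get("berkeley.edu", "NS")   # 4000 s > 3600 s: expired
    return first, second
```

The shrinking TTL is what stops a chain of caches (client, nscd, local server) from keeping a record alive far longer than the zone owner intended; a cache that restarts the TTL from the original value, as the nscd caveat above describes, breaks that guarantee.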
Configuring DNS: Client side
Setting up clients: configure /etc/resolv.conf
domain cs.fsu.edu
nameserver 127.0.0.1
nameserver 128.186.120.179
nameserver 128.186.120.178
The client will (generally) try the nameservers in order: 127.0.0.1, then 128.186.120.179, then 128.186.120.178 (moving on to the next only after a timeout; glibc honours at most three nameserver lines)
- you can comment out 127.0.0.1 then use nslookup
and see results
- or put a bogus address in the first entry to see if the resolver
tries number 2
- the changes should take effect immediately (there is no resolver daemon to restart; each new process reads the file when it starts)
nslookup chi
Server: TRANTOR.UMD.EDU
Address: 128.8.10.14
Name: chi.cs.fsu.edu
Address: 128.186.121.20
However, please note that caching daemons such as nscd can cause bizarre anomalies!
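What the stub resolver does with the resolv.conf above, as an added Python example (not code from the page or from glibc): it parses the nameserver/domain/search/options lines the way glibc's resolver reads them and shows the exact sequence of names tried for what the user typed, which is how ``nslookup chi'' turns into a query for chi.cs.fsu.edu. The resolv.conf text is a copy of the one shown above; the second configuration and the ndots value in the usage are assumptions.

```python
# Constructed copy of the /etc/resolv.conf shown above.
SAMPLE_RESOLV_CONF = """\
domain cs.fsu.edu
nameserver 127.0.0.1
nameserver 128.186.120.179
nameserver 128.186.120.178
"""

MAXNS = 3   # glibc honours at most three nameserver lines

def parse_resolv_conf(text):
    """Parse the directives a glibc-style stub resolver reads: nameserver,
    domain, search and options ndots:N.  A later domain/search line replaces
    an earlier one; nameservers keep their order, which is the order tried."""
    conf = {"nameservers": [], "search": [], "ndots": 1}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            conf["nameservers"].append(args[0])
        elif key == "domain" and args:
            conf["search"] = [args[0]]
        elif key == "search":
            conf["search"] = args
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    conf["ndots"] = int(opt.split(":", 1)[1])
    conf["nameservers"] = conf["nameservers"][:MAXNS]
    return conf

def candidates(name, conf):
    """The absolute names the stub resolver will try, in order, for what the
    user typed.  A trailing dot means 'this exact name'.  A name with fewer
    than ndots dots is tried through the search list first, which is how
    'chi' becomes chi.cs.fsu.edu.  Note the security consequence: a typo
    such as www.yahoo.cmo is also sent out as www.yahoo.cmo.cs.fsu.edu, and a
    short name is answered by whoever controls the search domain."""
    if name.endswith("."):
        return [name]
    searched = [f"{name}.{domain.rstrip('.')}." for domain in conf["search"]]
    absolute = name + "."
    if name.count(".") < conf["ndots"]:
        return searched + [absolute]
    return [absolute] + searched

if __name__ == "__main__":
    conf = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for typed in ("chi", "www.yahoo.com", "chi.cs.fsu.edu."):
        print(typed, "->", candidates(typed, conf))
```

Every name in the candidate list is a real query that leaves the machine, so the search list both leaks internal naming and gives whoever answers for the search domain a chance to answer for a name that was never meant to be in it; using FQDNs with a trailing dot in scripts and configuration avoids both.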
Caching-only servers
Setting up a caching-only nameserver is very easy to do these days: for example, on CentOS, BIND's caching setup is available via yum -y install caching-nameserver; then just start the default installation with /etc/init.d/named start and point /etc/resolv.conf at 127.0.0.1:
[root@sophie root]# nslookup
> www.yahoo.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
www.yahoo.com canonical name = www.yahoo.akadns.net.
Name: www.yahoo.akadns.net
Address: 68.142.226.43
Name: www.yahoo.akadns.net
Address: 68.142.226.45
Name: www.yahoo.akadns.net
Address: 68.142.226.50
Name: www.yahoo.akadns.net
Address: 68.142.226.35
Name: www.yahoo.akadns.net
Address: 68.142.226.38
Name: www.yahoo.akadns.net
Address: 68.142.226.39
Name: www.yahoo.akadns.net
Address: 68.142.226.41
Name: www.yahoo.akadns.net
Address: 68.142.226.42
>
Logging and named
errors: like most daemons, named errors (and other information) are routed through syslog, which you control with
/etc/syslog.conf:
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
#
# INN
#
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice
And here is what you see in /var/log/messages
[root@sophie root]# egrep -i named /var/log/messages
Feb 14 10:18:20 sophie named[7597]: starting BIND 9.2.4 -u named -t /var/named/chroot
Feb 14 10:18:20 sophie named[7597]: using 1 CPU
Feb 14 10:18:20 sophie named: named startup succeeded
Feb 14 10:18:20 sophie named[7597]: loading configuration from '/etc/named.conf'
Feb 14 10:18:20 sophie named[7597]: no IPv6 interfaces found
Feb 14 10:18:20 sophie named[7597]: listening on IPv4 interface lo, 127.0.0.1#53
Feb 14 10:18:20 sophie named[7597]: listening on IPv4 interface eth0, 128.186.120.8#53
Feb 14 10:18:20 sophie named[7597]: command channel listening on 127.0.0.1#953
Feb 14 10:18:20 sophie named[7597]: zone 0.in-addr.arpa/IN: loaded serial 42
Feb 14 10:18:20 sophie named[7597]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
Feb 14 10:18:20 sophie named[7597]: zone 255.in-addr.arpa/IN: loaded serial 42
Feb 14 10:18:20 sophie named[7597]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
Feb 14 10:18:20 sophie named[7597]: zone localdomain/IN: loaded serial 42
Feb 14 10:18:20 sophie named[7597]: zone localhost/IN: loaded serial 42
Feb 14 10:18:20 sophie named[7597]: running
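The startup lines above carry the facts an operator wants to confirm after a restart: which version is running, whether it dropped privileges (-u) and chrooted (-t), which interfaces it listens on, where the rndc command channel is bound, and which zones loaded with which serial. The following added Python example (not code from the page or from BIND) parses those syslog lines and flags the settings that should not appear. The first sample is the page's own excerpt with its two run-together entries split apart; the second is a constructed counter-example of a badly started named.

```python
import re

# Startup lines from the page's own /var/log/messages excerpt.
PAGE_LOG = """\
Feb 14 10:18:20 sophie named[7597]: starting BIND 9.2.4 -u named -t /var/named/chroot
Feb 14 10:18:20 sophie named[7597]: using 1 CPU
Feb 14 10:18:20 sophie named: named startup succeeded
Feb 14 10:18:20 sophie named[7597]: loading configuration from '/etc/named.conf'
Feb 14 10:18:20 sophie named[7597]: no IPv6 interfaces found
Feb 14 10:18:20 sophie named[7597]: listening on IPv4 interface lo, 127.0.0.1#53
Feb 14 10:18:20 sophie named[7597]: listening on IPv4 interface eth0, 128.186.120.8#53
Feb 14 10:18:20 sophie named[7597]: command channel listening on 127.0.0.1#953
Feb 14 10:18:20 sophie named[7597]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
Feb 14 10:18:20 sophie named[7597]: zone localhost/IN: loaded serial 42
Feb 14 10:18:20 sophie named[7597]: running
"""

# Constructed counter-example (not from the page): started as root, not
# chrooted, with the rndc control channel bound to the public interface.
BAD_LOG = """\
Feb 14 10:18:20 sophie named[7597]: starting BIND 9.2.4
Feb 14 10:18:20 sophie named[7597]: listening on IPv4 interface eth0, 128.186.120.8#53
Feb 14 10:18:20 sophie named[7597]: command channel listening on 128.186.120.8#953
Feb 14 10:18:20 sophie named[7597]: running
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) named(?:\[\d+\])?: (?P<msg>.*)$")
LISTEN = re.compile(r"^listening on IPv[46] interface (?P<iface>\S+), (?P<addr>\S+)#(?P<port>\d+)$")
CONTROL = re.compile(r"^command channel listening on (?P<addr>\S+)#(?P<port>\d+)$")
ZONE = re.compile(r"^zone (?P<zone>\S+)/IN: loaded serial (?P<serial>\d+)$")

def summarize_named_log(text):
    """Pull the security-relevant facts out of named's startup messages and
    flag the ones an operator should not see."""
    s = {"version": None, "user": None, "chroot": None,
         "listen": [], "control": [], "zones": {}, "findings": []}
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("starting BIND "):
            args = msg.split()
            s["version"] = args[2]
            for i, a in enumerate(args):
                if a == "-u" and i + 1 < len(args):
                    s["user"] = args[i + 1]
                if a == "-t" and i + 1 < len(args):
                    s["chroot"] = args[i + 1]
        elif (m2 := LISTEN.match(msg)):
            s["listen"].append((m2["iface"], m2["addr"], int(m2["port"])))
        elif (m2 := CONTROL.match(msg)):
            s["control"].append((m2["addr"], int(m2["port"])))
        elif (m2 := ZONE.match(msg)):
            s["zones"][m2["zone"]] = int(m2["serial"])
    if s["version"] and s["user"] is None:
        s["findings"].append("named running as root (no -u)")
    if s["version"] and s["chroot"] is None:
        s["findings"].append("named not chrooted (no -t)")
    for addr, port in s["control"]:
        if not (addr.startswith("127.") or addr == "::1"):
            s["findings"].append(f"rndc control channel exposed on {addr}#{port}")
    return s

if __name__ == "__main__":
    for label, log in (("page", PAGE_LOG), ("constructed", BAD_LOG)):
        print(label, summarize_named_log(log)["findings"])
```

Keeping the loaded serial per zone is what lets a later run detect a serial that went backwards (secondaries will then refuse to transfer) or a zone that silently vanished from the list after a configuration change.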