DNS For Policymakers

An Introduction to the Domain Name System
Olaf Kolkman, [email protected]
PCH / PfP 1, Los Angeles, October 28, 2005
Stichting NLnet Labs, http://www.nlnetlabs.nl/
This Presentation
An introduction to the DNS
Laymen level
For non-technologists
About protocol features
Not a tutorial on how to set up DNS
Ask Questions!
Jargon, terminology or Dutch pronunciation.
Yours Truly
NLnet Labs
Open Source Software Lab
DNSSEC Deployment engineering
NSD, Fonkey, ldns
IETF DNSEXT co-chair
Systems Architect, responsible for DNSSEC deployment at RIPE NCC
Presentation Road Map
Why a naming system
DNS Features
DNS Components
Final Musing
IP: Identifiers on the Internet
The fundamental identifier on the internet is an IP address.
Each host connected to the Internet has a unique IP address (IPv4 or IPv6).
Uniqueness guaranteed through allocation from one single pool (IANA-RIR system).
How Devices use Identifiers
The operating systems use the identifiers as the binding points during networking:
End points of sockets in the TCP/IP protocol
TCP/IP is the transport protocol used on the Internet
These identifiers are numbers:
213.154.224.54
2001:7b8:206:1:211:24ff:fea0:7f4
What is easier to remember?
Humans tend to remember names better; they are easier to associate:
NL 1098VA 419 or Kruislaan 419, Amsterdam, NL
89 GH 23 or Olaf's Ford Focus
www.nlnetlabs.nl or 213.154.224.1
host.txt
In the 1970s ARPAnet, tables were maintained mapping host names to IP addresses
SRI-NIC
Tables were pulled from the single machine
Problems:
traffic and load
name collisions
consistency
DNS
Domain Name System provides a scalable, distributed lookup mechanism.
DNS created in 1983 by Paul Mockapetris (RFCs 822 and 823)
IETF Full Standard: RFCs 1034 and 1035 (1987), since modified, updated, and enhanced
DNS Security extensions being the most recent
DNS Features
A lookup mechanism for translating objects into other objects
A globally distributed, loosely coherent, scalable, reliable, dynamic database
Comprised of three components:
A name space
Servers making that name space available
Resolvers (clients) which query the servers about the name space
DNS Features: Global Distribution
Data is maintained locally, but retrievable globally
No single computer has all DNS data
Total number of servers: in the 10^6 to 10^7 range
DNS lookups can be performed by any device
Remote DNS data is locally cachable to improve performance
DNS Features: Loose Coherency
The database is always internally consistent
Each version of a subset of the database (a zone) has a serial number
The serial number is incremented on each database change
Changes to the master copy of the database are replicated according to timing set by the zone administrator
Cached data expires according to timeout set by zone administrator
DNS Features: Scalability
No limit to the size of the database
One server has over 40,000,000 names
No limit to the number of queries
24,000 queries per second handled easily
Queries distributed among masters, slaves, and caches
DNS Features: Reliability
Data is replicated: data from master is copied to multiple slaves
The system can deal with outage of servers
Clients can query the master server or any of the copies at slave servers
Clients will typically query local caches
DNS protocols can use either UDP or TCP
If UDP, DNS protocol handles retransmission, sequencing, etc.
DNS Features: Dynamicity
Database can be updated dynamically
Add/delete/modify of any record
Modification of the master database triggers replication
Only master can be dynamically updated
The three components
A name space
Servers making that name space available
Resolvers (clients) which query the servers about the name space
The Namespace: Design
The namespace needs to be made hierarchical to be able to scale
Control of parts of the namespace follows the hierarchy
Hierarchy represented in labels: player.testlab.nlnetlabs.nl
The namespace: Domains
Domains are namespace subsets
Everything below .com is in the com domain.
Everything below ripe.net is in the ripe.net domain and in the net domain.
[Figure: namespace tree over the nodes net, com, edu, ripe, www, isi, pch, disi, ws1, ws2, ftp, sun, moon and google, with the net domain, com domain and ripe.net domain marked]
The namespace: Zones and Delegations
Zones are administrative spaces
Zone administrators are responsible for a portion of a domain's name space
Authority is delegated from a parent to a child
[Figure: the same namespace tree (net, com, edu, ripe, www, isi, tislabs, disi, ws1, ws2, ftp, sun, moon, google), with the net zone, ripe.net zone and disi.ripe.net zone marked]
Name Servers
Name servers answer DNS questions.
Several types of name servers:
Authoritative servers: serve data for zones
(Caching) recursive servers, also called caching forwarders
Mixture of functionality
Zones are served by authoritative name servers
[Figure: the namespace tree (net, com, edu, ripe, www, isi, tislabs, disi, ws1, ws2, ftp, sun, moon, google) with the authoritative servers for each zone]
Each zone served by at least two servers (over 10^6 in total)
Concept: Resolving process & Cache
[Figure: message sequence between the client-side resolver, the recursive name server and the authoritative servers]
Resolver (client side) asks the recursive name server: www.nlnetlabs.nl A ?
Recursive name server asks a root-server: www.nlnetlabs.nl A ?
Root-server answers: ask the .nl server @ns.domain-registry.nl (+ glue)
Recursive name server asks the .nl server: www.nlnetlabs.nl A ?
.nl server answers: ask the NLnet Labs server @ns.nlnetlabs.nl (+ glue)
Recursive name server asks the NLnet Labs server: www.nlnetlabs.nl A ?
NLnet Labs server answers: 192.168.5.10
Recursive name server adds the answer to its cache and returns 192.168.5.10 to the resolver
Hooking this together
[Figure: Registry DB -> Master -> Slave servers -> Cache server]
Changes in DNS do not propagate instantly!
Upload of zone data from the registry DB to the master is local policy
Slaves might take up to the refresh interval to get data from the master
Caches are not going to the net if TTL>0
Back to the namespace: The root
The root-zone contains the entry point into the namespace
Served by root-servers
IANA registered namespace served by the [a-m].root-servers.net
In reality more than 80 machines in 34 countries (December 2004)
If different content is served from different servers one deals with a different namespace
Ambiguity is the result
Why is ambiguity a problem?
The namespace is used in several protocols and it is assumed to be unambiguous:
http://www.paypal.com
SIP:[email protected]
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
All the above are relevant to business applications
Servers serving different content cause ambiguity
[Figure: two root trees over com, net, nl and kids, served with different content]
Who chooses the namespace (which root-servers to configure)?
[Figure: the resolving process diagram again, annotated with where the choice of root-servers is made]
Hints file: client side, often at corporate/ISP level
DNSSEC: also the trust-anchor configuration
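The referral chain of the resolving-process slide, the TTL caching of the "Hooking this together" slide and the hints-file choice above, modelled as an added toy resolver (my own example, not code from the slides or from NLnet Labs). The server addresses, their contents and the second root are constructed; the resolver follows referrals from its configured root, answers from cache while the TTL has not expired, and shows that a resolver configured with a different root gets a different answer for the same name.

```python
from typing import Dict, Optional, Tuple

# Constructed toy DNS: addresses come from documentation/private ranges, not real servers.
# Each server maps an owner name to a referral ("NS", server name, glue address)
# or an authoritative answer ("A", address, ttl_seconds).
SERVERS: Dict[str, Dict[str, tuple]] = {
    "198.51.100.1": {"nl.": ("NS", "ns.domain-registry.nl.", "198.51.100.2")},      # root-server
    "198.51.100.2": {"nlnetlabs.nl.": ("NS", "ns.nlnetlabs.nl.", "198.51.100.3")},  # .nl server
    "198.51.100.3": {"www.nlnetlabs.nl.": ("A", "192.168.5.10", 3600)},            # NLnet Labs
    # A second root serving different content for the same names (the ambiguity slides).
    "198.51.100.9": {"nl.": ("NS", "ns.alt.example.", "198.51.100.10")},
    "198.51.100.10": {"www.nlnetlabs.nl.": ("A", "203.0.113.5", 60)},
}


def closest_match(data: Dict[str, tuple], qname: str) -> Optional[Tuple[str, tuple]]:
    """A server answers from the most specific (longest-suffix) name it knows."""
    best = None
    for owner, rr in data.items():
        if qname == owner or qname.endswith("." + owner):
            if best is None or len(owner) > len(best[0]):
                best = (owner, rr)
    return best


class Resolver:
    """Recursive name server: follows referrals from its hints and caches answers."""
    def __init__(self, hints: str) -> None:
        self.hints = hints   # hints file: the root-server this resolver starts from
        self.cache: Dict[str, Tuple[str, int]] = {}   # qname -> (address, expiry time)

    def resolve(self, qname: str, now: int):
        """Return (address, source); source is 'cache' or the list of servers asked."""
        hit = self.cache.get(qname)
        if hit and hit[1] > now:          # TTL still > 0: answered locally, no network
            return hit[0], "cache"
        asked, server = [], self.hints
        for _ in range(8):                # hop limit guards against referral loops
            asked.append(server)
            match = closest_match(SERVERS.get(server, {}), qname)
            if match is None:
                return None, asked        # no server on this path knows the name
            rr = match[1]
            if rr[0] == "NS":             # referral: follow the glue to the child server
                server = rr[2]
                continue
            self.cache[qname] = (rr[1], now + rr[2])   # add to cache for TTL seconds
            return rr[1], asked
        return None, asked
```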
You mentioned DNSSEC
Specification published
In early deployment: .SE and some in-addr.arpa zones
Ideally one trust-anchor.
Designed with single namespace in mind
QUESTIONS?
(Acknowledgements)
A number of these slides are based on earlier work at RIPE NCC and course material developed for ISOC and APRICOT DNS courses.
Bill Manning and Ed Lewis co-authored the APRICOT DNS course.