Chapter 2
(Section 2.5)
Application Layer - DNS
Modified for GT ECE6612
by Prof. John Copeland
A note on the use of these ppt slides:
We’re making these slides freely available to all (faculty, students, readers).
They’re in PowerPoint form so you can add, modify, and delete slides
(including this one) and slide content to suit your needs. They obviously
represent a lot of work on our part. In return for use, we only ask the
following:
 If you use these slides (e.g., in a class) in substantially unaltered form,
that you mention their source (after all, we’d like people to use our book!)
 If you post any slides in substantially unaltered form on a www site, that
you note that they are adapted from (or perhaps identical to) our slides, and
note our copyright of this material.
Thanks and enjoy! JFK/KWR
All material copyright 1996-2009
J.F Kurose and K.W. Ross, All Rights Reserved
Computer Networking:
A Top Down Approach
Featuring the Internet,
5rd edition.
Jim Kurose, Keith Ross
Addison-Wesley, July
2009.
Textbook for ECE3076.
2/25/13
06a DNS.ppt
1
DNS: Domain Name System
People: many identifiers:

SSN, name, passport #
Domain Name System:

distributed database

application-layer protocol
Internet hosts, routers:


IP address (32 bit) used for addressing
datagrams
“name”, e.g.,
www.yahoo.com - used
by humans
Q: map between IP
addresses and name ?
implemented in hierarchy of
many name servers
host, routers, name servers to
communicate to resolve names
(address/name translation)
 note: core Internet
function, implemented as
application-layer protocol
 complexity at network’s
“edge”
06a DNS.ppt
2
DNS
DNS services
 Hostname to IP
address translation
 Host aliasing

Canonical and alias
names
 Mail server aliasing
 Load distribution
 Replicated Web
servers: set of IP
addresses for one
canonical name
DNS is Hierarchical
Why not centralize DNS?
 single point of failure
 traffic volume
 distant centralized
database
 maintenance
doesn’t scale!
06a DNS.ppt
3
Distributed, Hierarchical Database
Root DNS Servers
com DNS servers
yahoo.com
amazon.com
DNS servers DNS servers
org DNS servers
pbs.org
DNS servers
edu DNS servers
poly.edu
umass.edu
DNS servers DNS servers
Client wants IP for www.amazon.com; 1st approx:
 Client queries a root server to find “com” DNS
server
 Client queries com DNS server to get
“amazon.com” Authoritative DNS server
 Client queries amazon.com DNS server to get IP
address for “www.amazon.com”
06a DNS.ppt
4
DNS: Root name servers
 contacted by local name server that can not resolve Top_Level
name (eats in www.macdonalds.eats)
 Originally there were 7 Top-Level domains (com, org, edu, mil,
gov, info, arpa) Now there are hundreds ( us, uk, cn, tv, name, ...)
 ICANN assigns domain names (www.icann.org)
a Verisign, Dulles, VA
c Cogent, Herndon, VA (also Los Angeles)
d U Maryland College Park, MD
k RIPE London (also Amsterdam,
g US DoD Vienna, VA
Frankfurt)
i Autonomica, Stockholm (plus 3
h ARL Aberdeen, MD
j Verisign, ( 11 locations)
other locations)
m WIDE Tokyo
e NASA Mt View, CA
f Internet Software C. Palo Alto,
CA (and 17 other locations)
13 root name
servers worldwide
b USC-ISI Marina del Rey, CA
l ICANN Los Angeles, CA
06a DNS.ppt
5
TLD and Authoritative
Servers
 Top-level domain (TLD) servers: responsible for com, org, net,
edu, etc, and all top-level country domains uk, fr, ca, jp.
 Network Solutions, Inc. maintains servers for com TLD
 Educause maintains servers for edu TLD
 [2007 - TLD servers share responsibilities]
 Authoritative DNS servers: organization’s DNS servers,
providing authoritative hostname to IP mappings for
organization’s servers (e.g., Web and mail).
 Can be maintained by organization or service provider
 Every “Autonomous System” (AS) must have two (backup).
 Local DNS servers: organization’s DNS servers located on various
subnets to provide DNS lookups for hosts on the subnet. May not
be accessible from outside the subnet. Their IP addresses are
part of the host's network configuration (manual or DHCP).
PC looks first at “hosts” file. DNS Hack #0, add false info to it.
6
Local Name Server
 Does not strictly belong to hierarchy
 Each ISP (residential ISP, company,
university) has one.

Also called “default name server” or “resolver”
 When a host makes a DNS query, query is
sent to its local DNS server
Acts as a proxy, forwards query into hierarchy.
 Today a DNS proxy (resolver) is built into most
DSL and cable-modem routers

DNS Hack #1: Change DNS configured IP to IP of
attacker-controlled server (Windows Registry or UNIX
/etc/resolv.conf)
06a DNS.ppt
7
Example
root DNS server
 Host at cis.poly.edu
2
wants IP address for
3
gaia.cs.umass.edu
TLD DNS server
 Host sends a "recursion4
requested" query
5
request to dns.poly.edu.
 [Host is doing a nonlocal DNS server
recursive search]
dns.poly.edu
 Local DNS server does a
6
7
1
8
"recursive" search. This
requires contacting
several other DNS
authoritative DNS server
dns.cs.umass.edu
servers before the final
requesting host
answer is given to host.
cis.poly.edu
$ nslookup gaia.cs.umass.edu
answer 128.119.245.12
gaia.cs.umass.edu
06a DNS.ppt
8
root DNS server
A3.NSLTD.COM
Non-recursive queries
norecurse or
"iterated" query:
 contacted server
local DNS server
dns.poly.edu
replies with name of
server to contact
 “I don’t know this
name, but ask this
server”
requesting host
3
authoritative DNS
server
NS1.umass.edu
4
2
5
1
6
cis.poly.edu
gaia.cs.umass.edu
$ nslookup -norecurse -v gaia.cs.umass.edu
$ nslookup -norecurse -v gaia.cs.umass.edu A3.NSLTD.COM
$ nslookup -norecurse -v gaia.cs.umass.edu NS1.umass.com
answer 128.119.245.12
06a DNS.ppt
9
“dig” with “+trace” will show the entire recursive lookup.
copeland$
dig +trace
www.google.com.
(may have to do from ecelinsrva.ece)
; <<>> DiG 9.8.3-P1 <<>> +trace www.google.com.
;; global options: +cmd
.
495753 IN
NS
e.root-servers.net.
.
495753 IN
NS
c.root-servers.net.
.
495753 IN
NS
a.root-servers.net.
. . . (11 lines deleted)
;; Received 496 bytes from 128.61.244.254#53(128.61.244.254) in 13 ms
...
com.
172800 IN
NS
h.gtld-servers.net.
com.
172800 IN
NS
j.gtld-servers.net.
com.
172800 IN
NS
e.gtld-servers.net.
. . . (11 lines deleted)
; Received 504 bytes from 192.58.128.30#53(192.58.128.30) in 138 ms
google.com.
172800 IN
NS
google.com.
172800 IN
NS
google.com.
172800 IN
NS
google.com.
172800 IN
NS
;; Received 168 bytes from 192.55.83.30#53(192.55.83.30)
ns2.google.com.
ns1.google.com.
ns3.google.com.
ns4.google.com.
in 56 ms
www.google.com.
300
IN
A
74.125.196.104
www.google.com.
300
IN
A
74.125.196.105
. . . (4 lines deleted)
;; Received 128 bytes from 216.239.36.10#53(216.239.36.10) in 64 ms
10
DNS: caching and updating records
 once (any) name server learns a mapping, it
caches the mapping (Domain’s DNS = IP)
cache entries timeout (disappear) after some
time (usually 20 minutes)
 TLD servers typically cached longer in local
name servers

• Thus root name servers not often visited
 update/notify mechanisms under design by IETF
 RFC 2136

http://www.ietf.org/html.charters/dnsind-charter.html
DNS Hack #0: Add a “name -> IP” entry in the
UNIX /etc/hosts file, or Windows Registry file.
06a DNS.ppt
11
DNS records
DNS: distributed db storing resource records (RR)
RR format: (name,
 Type=A (AAAA for IPv6)
 name is hostname
 value is IP address
 Type=NS
 name is domain (e.g.
foo.com)
 value is hostname of
authoritative name
server for this domain
value, type, ttl)
 Type=CNAME
 name is alias name for some
“canonical” (the real) name
www.ibm.com is really
servereast.backup2.ibm.com

value is canonical name
 Type=MX
 value is name of mailserver
associated with name
06a DNS.ppt
12
DNS protocol, messages
DNS protocol : query and reply messages, both with
same message format
msg header
 identification: 16 bit #
for query, reply to query
uses same #
 flags:
 query or reply
 recursion desired
 recursion available
 reply is authoritative
06a DNS.ppt
13
DNS protocol, messages
Name, type fields
for a query
*
RRs in response
to query
records for
authoritative servers
additional “helpful”
info that may be used
14
Inserting records into DNS
 Example: just created startup “Network Utopia”
 Register name networkuptopia.com at a registrar
(e.g., Network Solutions)


Need to provide registrar with names and IP addresses of
your authoritative name server (primary and secondary)
Registrar inserts two RRs into the .com TLD server:
(networkutopia.com, dns1.acme.com, NS)
(dns1.acme.com, 212.212.212.1, A)
 Put in authoritative server Type A record for
www.networkuptopia.com and Type MX record for
networkutopia.com into dns1.acme.com (DNS service)
DNS Hack #2 Register a domain like “myserver.ru”, have
links in email like “www.usbank.com.273846.myserver.ru”.
This can hide the real domain. A unique subnet can id the
local resolver, and email recipient or Web page viewer.
06a DNS.ppt
15
>dig
anyhost.nt.com +norecurse -q=any
; NO NS SPECIFIED
; <<>> DiG 8.3 <<>> anyhost.nt.com +norecurse -q=any
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11306
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 0
;; QUERY SECTION:
;;
anyhost.nt.com, type = A, class = IN
;; AUTHORITY SECTION:
IN
SOA
a.root-servers.net.
nstld.verisign-grs.com.
2013022500 1800 900 604800 86400
SOA = Start of Authority Final Dot = Authoritative
A.ROOT-SERVERS.NET. <- SPECIFY DNS NEXT TIME
;;
;;
;;
;;
Total query time: 4 msec
FROM: bigzilla.ece.gatech.edu to SERVER: default -- 130.207.230.5
WHEN: Fri Feb 20 08:00:38 2009
MSG SIZE sent: 28 rcvd: 156
16
>dig @C.ROOT-SERVERS.NET
nt.com. +norecurse
; SPECIFY NAME SERVER
; <<>> DiG 8.3 <<>> @C.ROOT-SERVERS.NET nt.com. +norecurse
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26071
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 15
;; QUERY SECTION:
;;
nt.com, type = A, class = IN
;; AUTHORITY SECTION:
com.
2D IN NS
com.
2D IN NS
com.
2D IN NS
…
;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET.
2D
A.GTLD-SERVERS.NET.
2D
B.GTLD-SERVERS.NET.
2D
B.GTLD-SERVERS.NET.
2D
•••
;;
;;
;;
;;
C.GTLD-SERVERS.NET.
L.GTLD-SERVERS.NET.
A.GTLD-SERVERS.NET.
IN
IN
IN
IN
A
AAAA
A
AAAA
{TOP-LEVEL NS for .com}
192.5.6.30
2001:503:a83e::2:30
192.33.14.30
2001:503:231d::2:30
Total query time: 23 msec
FROM: bigzilla.ece.gatech.edu to SERVER: C.ROOT-SERVERS.NET 192.33.4.12
WHEN: Fri Feb 20 08:06:09 2009
MSG SIZE sent: 24 rcvd: 512
17
>dig @192.5.6.30 nt.com. +norecurse -q=any
; <<>> DiG 8.3 <<>> @192.5.6.30 nt.com. +norecurse -q=any
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24266
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 5
;; QUERY SECTION:
;;
nt.com, type = A, class = IN
;; AUTHORITY SECTION:
{Authoritative Name Servers for domain nt.com}
nt.com.
2D IN NS
ns-guy2.nortelnetworks.com.
nt.com.
2D IN NS
ns-har2.nortelnetworks.com.
•••
;; ADDITIONAL SECTION:
ns-guy2.nortelnetworks.com. 2D IN A 47.237.0.21
ns-har2.nortelnetworks.com. 2D IN A 47.251.0.21
•••
;; Total query time: 58 msec
;; FROM: bigzilla.ece.gatech.edu to SERVER: 192.5.6.30 192.5.6.30
;; WHEN: Fri Feb 20 08:07:40 2009
;; MSG SIZE sent: 24 rcvd: 229
------------------------------------------------18
Next:
dig @47.237.0.21 anyhost.nt.com. +norecurse -q=any
>whois nt.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: NT.COM
Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS-GUY2.NORTELNETWORKS.COM
Name Server: NS-HAR2.NORTELNETWORKS.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 20-jan-2009
Creation Date: 28-sep-1990
Expiration Date: 27-sep-2010
>>> Last update of whois database: Fri, 20 Feb 2009 13:33:26 UTC <<<
19
DNS Cache Poisoning
root DNS server
www.bigbank.com
33.22.11.44
3
TLD DNS server - IP = 87.65.43.21
4
5
1 Spoofed Request for no.bigbank.com
source IP = 12.34.56.78
local DNS server
dns.poly.edu
8
requesting host
cis.poly.edu
IP = 12.34.56.78
2 Spoofed Response
- source IP = 87.65.43.21
Auth. DNS for bigbank.com =66.66.66.66
authoritative
DNS server
dns.bigbank.com
Future requests for all
URLs in bigbank.com
go to =66.66.66.66
www.bigbank.phisher.com
66.66.66.66
20
wireshark Display of DNS Response
ID is random nonce
used to authenticate
Response to Query
21
DNS protocol, spoofed messages
<Name, type fields
for a query
32 bits
->
*
RRs in response
to query
records for
authoritative servers
additional “helpful”
info that may be used
* 16-bit ID is used to match responses to requests. To spoof,
•use 1 request and 65,536 responses, or
•use 256 requests and 256 responses (Birthday attack).
06a DNS.ppt
22
DNS Cache Poisoning - Anticipated Attack
Sends a Request
for a URL,
and N fake Replies
with random IDs
Time
Correct guess of
<- ID Nonce
Probable no. of hits
= N / 65,354
UDP Connection
closed
->
66.66.66.66
cached
www.cnn.com ->
64.236.90.21
(not noticed)
Local DNS
NS-CNN.COM
Hacker
23
DNS Cache Poisoning – Bellovin Birthday Attack
Time
<- Sending 260
requests for same
domain, cnn.com,
and N Replies
with fake Auth. N.S. IP
address.
with random IDs
*
Local DNS ->
caches
www.cnn.com
=
66.66.66.66
* Local DNS
sends 260
queries with
different IDs.
<- Correct guess
of one ID.
Probable no. of hits
260*N/(2^16)
=1 if N =252
Prob(hits>0)=0.63
Total packets = 512
DOS Attack
Local DNS
NS-CNN.COM
Hacker
DNS Hack #3: Change DNS IP configured in local cache.
24
Fast-Flux DNS (Botnet Distributed Phishing)
•Botmaster registers his DNS server, with the “ru” TLD (Top
Level DNS) as the Authority for “bg4589.ru”
•Botnet hosts sent out email to lure victims to a Phishing Web
site www.bny.com.bg4589.ru (IP 23.45.67.89 )
•Problem: as soon as BNY Network Security person sees one
of the emails, they do a DNS lookup (get 23.45.67.89), a
“whois”, and shut the 23.45.67.89 host down.
•Solution: vary the IP address returned to one of a thousand
botnet Web servers.
•Problem: BNY NetSec repeatedly does DNS lookups to get a
complete list of botnet hosts.
•Solution: After several lookups from the same IP, have many
other bots do a Distributed Denial of Service attack (DDoS)
for several days against BNY NetSec.
DNS Hack #4: Use a Fast Flux DNS to prevent total shutdown.
25
Fast Flux DNS
root DNS server
URL in Phish -> One of Many bots
 Host at poly.edu wants IP
address for
www.urhckd.com
 Host sends a "recursionrequested" query request
to dns.poly.edu.
 [Host is doing a nonrecursive search]
 Local DNS server does a
"recursive" search. This
requires contacting several
other DNS servers before
the final answer is given to
host.
Note: the dot after "com" below is
necessary to avoid getting the same
cached answer from dns.poly.edu.
2
3
TLD DNS server
4
5
local DNS server
dns.poly.edu
1
8
requesting host
$ nslookup www.urhckd.com.
answer 78.82.245.12
joe.poly.edu
7
Fast Flux - many
IP’s of bot Phishing
sites.
6
authoritative DNS server
dns.urhcked.com
$ nslookup www.urhckd.com.
answer 53.119.24.124
06a
Adapted from “Computer Networking: A Top Down Approach Featuring the Internet”, by Jim Kurose & Keith Ross
DNS.ppt
26
New Protocols supplement DNS and DHCP on LAN
* In addition to network configuration (DHCP) and Name
Resolution (DNS), it’s nice to have a list of servers available on
your LAN. For example, be able to select from a list of printers.
•Link-Local: Rather than initially using the Network IP Address
(host bits 0), randomly select one of 65,534 addresses in
169.254.x.x/16 (you don’t have to know the network address).
•Apple’s mDNS (UDP port 5353) is an open specification that lets
a host announce a chosen Name (e.g., “Lab Printer”) in a
multicast message to 224.0.0.251). Hosts running mDNS will all
listen to this multicast address and add “Lab Printer” and its IP
address and MAC address to the list of servers available. DNS-SD
advertises Server Names and services.
•Microsoft’s NetBios Name Service (NBNS) is similar, but uses
the Network Broadcast Address (host bits all 1). UPnP protocol
Simple Service Delivery (SSDP) advertises services.
•The IETF is developing a similar Internet standard - Service
Location Protocol (SLP).
en.wikipedia.org/wiki/MDNS
2/26/10
27
DNSSEC – DNS Security Extensions
DNSSEC works by digitally signing records for DNS lookup using publickey cryptography. The correct DNSKEY record is authenticated via a chain
of trust, starting with a set of verified public keys for the DNS root zone
which is the trusted third party.
New DNS record types were created or adapted to use with DNSSEC:
RRSIG, DNSKEY, DS, NSEC, NSEC3, NSEC3PARAM.
When DNSSEC is used, each answer to a DNS lookup will contain an
RRSIG DNS record, in addition to the record type that was requested. The
RRSIG record is a digital signature of the answer DNS resource record
set. The digital signature can be verified by locating the correct public key
found in a DNSKEY record.
Stub resolvers (host software) are "minimal DNS resolvers that use
recursive query mode to offload most of the work to a recursive name
server.”
A validating stub resolver can also potentially perform its own signature
validation by setting the Checking Disabled (CD) bit in its query messages,
for end-to-end DNS security for domains implementing DNSSEC.
en.wikipedia.org/wiki/DNSSEC
2/26/13
28
Reverse DNS Lookups
Reverse DNS Lookups (e.g., nslookup 130.207.225.101)
> nslookup 130.207.225.101
101.225.207.130.in-addr.arpa
name = seiya.ece.gatech.edu.
The “arpa” top-level domain is now only used for reverse lookups. ARPA
has been redefined as standing for “Address and Routing Parameter
Area.”
For looking up a IPv4 address, the dotted-decimal text string is reversed,
and the domain name “in-addr.arpa” is added. Like normal name lookups,
the recursion proceeds from right to left. If the block of addresses
130.207.0.0/16 are assigned to the Autonomous System (AS) gatech.edu,
then Georgia Tech (OIT) is responsible for maintaining a database for
x.y.207.130 (addresses 130.207.0.0 to 130.207.255.255).
The domain for IPv6 addresses is ip6.arpa.
en.wikipedia.org/wiki/DNSSEC
2/26/13
29
dig www.ece.gatech.edu
[ MX records not shown]
; <<>> DiG 9.6-ESV-R4-P3 <<>> www.ece.gatech.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56886
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 5
;; QUESTION SECTION:
;www.ece.gatech.edu.
IN
A
;; ANSWER SECTION:
www.ece.gatech.edu.
28800
IN
A
130.207.225.101
;; AUTHORITY SECTION:
ece.gatech.edu.
28800
IN
NS
dns1.gatech.edu.
ece.gatech.edu.
28800
IN
NS
dns3.gatech.edu.
;; ADDITIONAL SECTION:
dns1.gatech.edu. 28800
IN
A
128.61.244.253
dns1.gatech.edu. 28800
IN
AAAA
2610:148:1f00:f400::3
dns3.gatech.edu. 28800
IN
A
168.24.2.35
;; Query time: 37 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
{note: mail handlers (MTAs) not shown.}
;; WHEN: Mon Feb 25 12:50:39 2013
;; MSG SIZE rcvd: 213
30
nslookup -q=ANY gatech.edu
{note: use domain name only, for MX info}
Server:
192.168.1.1
Address: 192.168.1.1#53
gatech.edu
origin = brahma5.dns.gatech.edu
mail addr = hostmaster.gatech.edu
serial = 380555175
refresh = 10800
retry = 3600
expire = 2592000
minimum = 60
Name:
gatech.edu
Address: 130.207.160.29
gatech.edu
nameserver = dns1.gatech.edu.
gatech.edu
nameserver = heath.dpo.uab.edu.
{Backup DNS at U. Alabama}
gatech.edu
nameserver = dns3.gatech.edu.
gatech.edu
nameserver = dns2.gatech.edu.
gatech.edu
mail exchanger = 10 mx1.gatech.edu.
gatech.edu
mail exchanger = 10 mx2.gatech.edu.
gatech.edu
text = "MS=ms45592394"
gatech.edu
text = "MS=ms74949178"
31