IP - The Internet Protocol - School of Computer Science

advertisement
DNS: Domain Name System
CMPSCI 491G: Computer Networking Lab
V. Arun
Slides adapted from Liebeherr & Zarki, Kurose & Ross, Kermani
DNS: domain name system
people: many identifiers:
 SSN, name, passport #
Internet hosts, routers:
 IP address (32 bit) used for addressing
datagrams
 “name”, e.g.,
www.yahoo.com used by humans
Q: how to map between IP
address and name, and
vice versa ?
Domain Name System:


distributed database
implemented in hierarchy of
many name servers
application-layer protocol: hosts,
name servers communicate to
resolve names  addresses
 note: core Internet function,
implemented as applicationlayer protocol
 complexity at network’s
“edge”
Application Layer 2-2
DNS: services, structure
DNS services



Resolution
 hostname  IP address
Aliasing
 canonical, alias names
 mail server aliasing
Load balancing with
replicated web servers:
 many addresses map to
one name
why not centralize DNS?




single point of failure
traffic volume
distant centralized database
maintenance
doesn’t scale!
Application Layer 2-3
Before there was DNS ….
…. there was the HOSTS.TXT file
• Before DNS (until 1985), name resolution was done by
FTP’ing a single file (hosts.txt) from a central server.
– Names in hosts.txt are not structured.
– hosts.txt still works on most operating systems. It can be
used to define local names.
Design principle of DNS
• DNS naming system based on a hierarchical and logical tree structure
called domain namespace.
• An organization obtains authority for parts of the name space, and can add
additional layers of the hierarchy
• Names of hosts can be assigned without regard of location on a link layer
network, IP network or autonomous system
• In practice, allocation of the domain names generally follows the allocation
of IP address, e.g.,
– All hosts with network prefix 128.143/16 have domain name suffix
virginia.edu
– All hosts on network 128.143.136/24 are in the Computer Science
Department of the University of Virginia
DNS Name hierarchy
• DNS hierarchy can be
represented by a tree
• Root and top-level
domains are
administered by an
Internet central name
registration authority
(ICANN)
• Below top-level
domain, administration
of name space is
delegated to
organizations
• Each organization can
delegate further
. (root)
org
gov
edu
uci.edu
com
Top-level
Domains
toronto.edu
math.toronto.edu
Managed
by UofT
ece.toronto.edu
Managed by
ECE Dept.
neon.ece.toronto.edu
Domain name system
• Each node in the DNS tree
represents a DNS name
• Each branch below a node is a
DNS domain.
– DNS domain can contain
hosts or other domains
(subdomains)
• Example:
DNS domains are
.
edu
virginia.edu
www.virginia.edu
cs.virginia.edu
., edu, virginia.edu, cs.virginia.edu
neon.cs.virginia.edu
Top-level domains
• Three types of top-level domains:
– Organizational: 3-character code indicates the function of
the organization
• Used primarily within the US
• Examples: gov, mil, edu, org, com, net
– Geographical: 2-character country or region code
• Examples: us, va, jp, de
– Expanded top-level domains (gTLDs)
• Essentially arbitrary TLDs
– Reverse domains: A special domain (in-addr.arpa) used for
IP address-to-name mapping
Organizational top-level domains
com
Commercial organizations
edu
Educational institutions
gov
Government institutions
int
International organizations
mil
U.S. military institutions
net
Networking organizations
org
Non-profit organizations
Hierarchy of name servers
• The resolution of the hierarchical
name space is done by a
hierarchy of name servers
• Each server is responsible
(authoritative) for a contiguous
portion of the DNS namespace,
called a zone.
root server
org server
edu server
gov server
• Zone is a part of the subtree
uci.edu
server
.virginia.edu
server
• DNS server answers queries
about hosts in its zone
cs.virginia.edu
server
com server
Authority and delegation
• Authority for the root domain is with the Internet Corporation
for Assigned Numbers and Names (ICANN)
• ICANN delegates to accredited registrars (for gTLDs) and
countries for country code top level domains (ccTLDs)
• Authority can be delegated further
• Chain of delegation can be obtained by reading domain name
from right to left.
• Unit of delegation is a “zone”.
DNS domain and zones
• Each zone is anchored at a
specific domain node, but zones
are not domains.
. (root)
Zone
• A DNS domain is a branch of the
namespace
• A zone is a portion of the DNS
namespace generally stored in a
file (could consist of multiple
nodes)
• A server can divide part of its zone
and delegate it to other servers
.edu
.uci.edu
math.virginia.edu
Zone
and
domain
.virginia.edu
cs.virginia.edu
Domain
Primary and secondary name servers
• For each zone, there must be a primary name server and a secondary
name server
– The primary server (master server) maintains a zone file which has
information about the zone. Updates are made to the primary server
– The secondary server copies data stored at the primary server.
Adding a host:
• When a new host is added (“gold.cs.virginia.edu”) to a zone, the
administrator adds the IP information on the host (IP address and name)
to a configuration file on the primary server
DNS resolution: distributed, hierarchical
Root DNS Servers
Top-level domain servers
com DNS servers
yahoo.com
amazon.com
DNS servers DNS servers
…
…
org DNS servers
pbs.org
DNS servers
edu DNS servers
poly.edu
umass.edu
DNS serversDNS servers
Authoritative name servers
client wants IP for www.amazon.com; 1st approx:



client queries root server to find .com TLD DNS server
client queries .com TLD DNS server for amazon.com auth server
client queries amazon.com DNS auth server to get IP address for
www.amazon.com
Application Layer 2-14
DNS: root name servers


contacted when no info about top-level or auth server
root name server can:
 return top-level or auth name server address
 or contact auth server and return final resolved address
c. Cogent, Herndon, VA (5 other sites)
d. U Maryland College Park, MD
h. ARL Aberdeen, MD
j. Verisign, Dulles VA (69 other sites )
e. NASA Mt View, CA
f. Internet Software C.
Palo Alto, CA (and 48 other
sites)
a. Verisign, Los Angeles CA
(5 other sites)
b. USC-ISI Marina del Rey, CA
l. ICANN Los Angeles, CA
(41 other sites)
g. US DoD Columbus,
OH (5 other sites)
k. RIPE London (17 other sites)
i. Netnod, Stockholm (37 other sites)
m. WIDE Tokyo
(5 other sites)
13 root name
“servers”
worldwide
Application Layer 2-15
TLD, authoritative servers
top-level domain (TLD) servers:
 responsible for com, org, net, edu, aero, jobs, museums,
and all top-level country domains, e.g.: uk, fr, ca, jp
 Network Solutions maintains servers for .com TLD
 Educause for .edu TLD
authoritative DNS servers:
 organization’s own DNS server(s), providing
authoritative hostname to IP mappings for organization’s
named hosts
 can be maintained by organization or service provider
Application Layer 2-16
Local DNS name server


does not strictly belong to hierarchy
deployed by ISP (residential, company, university)
 also called “default name server”

acts as proxy between host and DNS hierarchy
 has local cache of recent name-to-address translation
pairs (but may be out of date!)
Application Layer 2-17
DNS name
resolution example

root DNS server
2
host at cis.poly.edu
wants IP address for
gaia.cs.umass.edu
iterated query:


contacted server
replies with name of
server to contact
“I don’t know this
name, but ask this
server”
3
TLD DNS server
4
5
local DNS server
dns.poly.edu
1
8
7
6
authoritative DNS server
dns.cs.umass.edu
requesting host
cis.poly.edu
gaia.cs.umass.edu
Application Layer 2-18
DNS name
resolution example
root DNS server
recursive query:


puts burden of name
resolution on
contacted name
server
heavy load at upper
levels of hierarchy?
3
2
7
6
TLD DNS
server
local DNS server
dns.poly.edu
1
5
4
8
authoritative DNS server
dns.cs.umass.edu
requesting host
cis.poly.edu
gaia.cs.umass.edu
Application Layer 2-19
DNS: caching, updating records

any name server can cache learned mappings
 cache entries timeout (disappear) after some time (TTL)
 TLD servers typically cached in local name servers, so
root name servers not often visited

cached entries may be out-of-date (best effort
name-to-address translation!)
 if name host changes IP address, may not be known
Internet-wide until all TTLs expire

update/notify mechanisms proposed IETF standard
 RFC 2136
Application Layer 2-20
DNS records
DNS: distributed db storing resource records (RR)
RR format: (name,
type=A
 name is hostname
 value is IP address
type=NS
 name is domain (e.g.,
foo.com)
 value is hostname of
authoritative name
server for this domain
value, type, ttl)
type=CNAME
 name is alias name for some
“canonical” (the real) name
 www.ibm.com is really
servereast.backup2.ibm.com
 value is canonical name
type=MX
 value is name of mailserver
associated with name
Application Layer 2-21
DNS protocol, messages

query and reply messages, both with same message
format
2 bytes
2 bytes
msg header


identification: 16 bit # for
query, reply to query uses
same #
flags:
 query or reply
 recursion desired
 recursion available
 reply is authoritative
identification
flags
# questions
# answer RRs
# authority RRs
# additional RRs
questions (variable # of questions)
answers (variable # of RRs)
authority (variable # of RRs)
additional info (variable # of RRs)
Application Layer 2-22
DNS protocol, messages
2 bytes
2 bytes
identification
flags
# questions
# answer RRs
# authority RRs
# additional RRs
name, type fields
for a query
questions (variable # of questions)
RRs in response
to query
answers (variable # of RRs)
records for
authoritative servers
authority (variable # of RRs)
additional “helpful”
info that may be used
additional info (variable # of RRs)
Application Layer 2-23
Inserting records into DNS


example: new startup “Network Utopia”
register name networkuptopia.com at DNS registrar
(e.g., Network Solutions)
 provide names, IP addresses of authoritative name server
(primary and secondary)
 registrar inserts two RRs into .com TLD server:
(networkutopia.com, dns1.networkutopia.com, NS)
(dns1.networkutopia.com, 212.212.212.1, A)

create authoritative server type A record for
www.networkuptopia.com; type MX record for
networkutopia.com
Application Layer 2-24
Resource Records
• The database records of the
distributed data base are
called resource records
(RR)
• Resource records are stored
in configuration files (zone
files) at name servers.
• Resource records for a
zone:
db.mylab.com
$TTL 86400
mylab.com. IN SOA PC4.mylab.com.
hostmaster.mylab.com. (
1 ; serial
28800 ; refresh
7200 ; retry
604800 ; expire
86400 ; ttl
)
;
mylab.com. IN
;
localhost
PC4.mylab.com.
PC3.mylab.com.
PC2.mylab.com.
PC1.mylab.com.
NS
PC4.mylab.com.
A
A
A
A
A
127.0.0.1
10.0.1.41
10.0.1.31
10.0.1.21
10.0.1.11
Resource Records
db.m ylab.com
$TTL 86400
mylab.com. IN SOA PC4.mylab.com. hostmaster.mylab.com. (
1 ; serial
28800 ; refresh
7200 ; retry
604800 ; expire
86400 ; ttl
)
;
mylab.com. IN
;
localhost
PC4.mylab.com.
PC3.mylab.com.
PC2.mylab.com.
PC1.mylab.com.
NS
PC4.mylab.com.
A
A
A
A
A
127.0.0.1
10.0.1.41
10.0.1.31
10.0.1.21
10.0.1.11
Max. age of cached data
in seconds
* Start of authority (SOA) record.
Means: “This name server is
authoritative for the zone
Mylab.com”
* PC4.mylab.com is the
name server
* hostmaster@mylab.com is the
email address of the person
in charge
Name server (NS) record.
One entry for each authoritative
name server
Address (A) records.
One entry for each hostaddress
Lab 7 (DHCP/NAT) review
Exercise 1(B)-3
Configuration:
Router2(config)#ip nat inside source static 10.0.1.2 200.0.0.2
.. ..
PC4% route add –net 200.0.0.0 netmask 255.255.255.0 gw 128.195.7.32
Which ping works and why?
PC3% ping –c3 10.0.1.3
PC3% ping –c3 128.143.136.1
Router3% ping –c3 10.0.1.2
Router3% ping –c3 128.143.136.1
PC4% ping –c3 10.0.1.2
PC4% ping –c3 200.0.0.2
NAT Table on Router2
Router2#show ip nat translations
Pro Inside global
Inside local
--- 200.0.0.2
10.0.1.2
Outside local
---
Outside global
---
28
Exercise 1(B)-3
Configuration:
Router2(config)#ip nat inside source static 10.0.1.2 200.0.0.2
.. ..
PC4% route add –net 200.0.0.0 netmask 255.255.255.0 gw 128.195.7.32
Which ping works and why?
PC3% ping –c3 10.0.1.3
PC3% ping –c3 128.143.136.1
Router3% ping –c3 10.0.1.2
Router3% ping –c3 128.143.136.1
PC4% ping –c3 10.0.1.2
PC4% ping –c3 200.0.0.2
NAT Table on Router2
Router2#show ip nat translations
Pro Inside global
Inside local
--- 200.0.0.2
10.0.1.2
Outside local
---
Outside global
---
29
Exercise 1(B)-4
Configuration:
Router2(config)#ip nat inside source static 10.0.1.2 200.0.0.2
Router2(config)#ip nat inside source static 10.0.1.1 200.0.0.1
Router2(config)#ip nat inside source static 10.0.1.3 200.0.0.3
Which ping works and why?
PC3% ping –c3 10.0.1.3
PC3% ping –c3 128.143.136.1
Router3% ping –c3 10.0.1.2
Router3% ping –c3 128.143.136.1
PC4% ping –c3 10.0.1.2
PC4% ping –c3 200.0.0.2
NAT Table on Router2
Router2#show ip nat translations
Pro Inside global
Inside local
--- 200.0.0.1
10.0.1.1
--- 200.0.0.2
10.0.1.2
--- 200.0.0.3
10.0.1.3
Outside local
-------
Outside global
-------
30
Exercise 1(B)-4
Configuration:
Router2(config)#ip nat inside source static 10.0.1.2 200.0.0.2
Router2(config)#ip nat inside source static 10.0.1.1 200.0.0.1
Router2(config)#ip nat inside source static 10.0.1.3 200.0.0.3
Which ping works and why?
PC3% ping –c3 10.0.1.3
PC3% ping –c3 128.143.136.1
Router3% ping –c3 10.0.1.2
Router3% ping –c3 128.143.136.1
PC4% ping –c3 10.0.1.2
PC4% ping –c3 200.0.0.2
NAT Table on Router2
Router2#show ip nat translations
Pro Inside global
Inside local
--- 200.0.0.1
10.0.1.1
--- 200.0.0.2
10.0.1.2
--- 200.0.0.3
10.0.1.3
Outside local
-------
Outside global
-------
31
Exercise 1(B)
Show IP source/destination addresses before/after Router2
PC3% ping –c3 128.143.136.1
Before Router2:
Src: 10.0.1.2 (10.0.1.2), Dst: 128.143.136.1 (128.143.136.1)
After Router2:
Src: 200.0.0.2 (200.0.0.2), Dst: 128.143.136.1 (128.143.136.1)
NAT Table on Router2
Router2#show ip nat translations
Pro Inside global
Inside local
--- 200.0.0.1
10.0.1.1
--- 200.0.0.2
10.0.1.2
--- 200.0.0.3
10.0.1.3
Outside local
-------
Outside global
-------
32
Exercise 1(C)- NAT/PAT/Masquerade
telnet commands; which one successful?
PC1% telnet 10.0.1.3 (Router1)
PC1% telnet 128.143.136.1 (PC4)
Router1# telnet 10.0.1.2 (PC1)
Router1# 128.143.136.1 (PC4)
PC4: telnet 10.0.1.2
(Router2)
33
Exercise 1(C)- NAT/PAT/Masquerade
telnet commands; which one successful?
PC1% telnet 10.0.1.3 (Router2)
PC1% telnet 128.143.136.1 (PC4)
Router1# telnet 10.0.1.2 (PC1)
Router1# 128.143.136.1 (PC4)
PC4: telnet 10.0.1.2
(Router2)
34
Exercise 1(C)- NAT & telnet
PC1% telnet 128.143.136.1 (PC4)
Before translation (PC2)
Internet Protocol
Source: 10.0.1.2
Destination: 128.143.136.1
Transmission Control Protocol
Source port: 32774
Destination port: telnet (23)
Sequence number: 1857633137
After translation (PC2)
Internet Protocol
Source: 128.143.136.22
Destination: 128.143.136.1
Transmission Control Protocol
Source port: 32774
Destination port: telnet (23)
Sequence number: 1857633137
35
Exercise 1(C)- PAT & ICMP (ping)
•Ping (ICMP) does not use port number
•“Identification” is used to help with NAT
PC1% ping 128.143.136.1 (PC4)
Internet Protocol, Src Addr: 10.0.1.2,
Dst Addr: 128.143.136.1
Identification: 0x0000
Protocol: ICMP (0x01)
Source: 10.0.1.2
Destination: 128.143.136.1
Internet Protocol, Src Addr: 128.143.136.22,
Dst Addr: 128.143.136.1
Identification: 0x0000
Protocol: ICMP (0x01)
Source: 128.143.136.22
Destination: 128.143.136.1
36
Exercise 1(D)- NAT & FTP

FTP uses 2 ports
Control connection, port 21
 Data connection port 20



No problem with NAT & control connection.
For data connection, the server initiates a
connection from its port 20 to a (random) port on
client
Causes problem with NAT
 Only client can initiate connection


PASSIVE mode solves this problem
37
Exercise 1(D)- NAT & FTP
PC3% ftp 128.143.136.22 (PC2)
38
Download