Project 1 Grading Is Done - Taejoong (Tijay) Chung


Project 1 Grading is done
No team, no points. No compile, no points.

Recap

The IPv4 Shortage
Problem: consumer ISPs typically only give one IP address per household.
- Additional IPs cost extra! More IPs may not be available.
The two tools that stretch the addresses we have: NAT and DHCP.

Basic NAT Operation
(Diagram: a private network on the left, the Internet on the right, and a NAT box with public address 66.31.210.69 between them.)
- Outbound, on the private side: Source 192.168.0.1, Dest 74.125.228.67
- Outbound, after the NAT: Source 66.31.210.69, Dest 74.125.228.67
- Reply from the Internet: Source 74.125.228.67, Dest 66.31.210.69
- Reply, after the NAT: Source 74.125.228.67, Dest 192.168.0.1
The NAT rewrites the private address 192.168.0.1 to its own public address on the way out, and back again on the way in.

Port-forwarding
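The NAT slide shows one address being rewritten, but a real home NAT also rewrites ports, which is what lets many private hosts share one public address and why unsolicited inbound packets are dropped unless a port-forward exists. The following simulation is an added example, not code from the lecture: 192.168.0.1, 66.31.210.69 and 74.125.228.67 are the slide's addresses, while every port number, the host 192.168.0.5 and the external port pool starting at 40000 are assumptions.

```python
"""NAPT (port-overloading NAT) with one static port-forward rule.

Added example for the NAT and port-forwarding slides; not the lecture's code.
192.168.0.1, 66.31.210.69 and 74.125.228.67 are the slide's addresses; every
port number, 192.168.0.5 and the 40000+ external port pool are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NAT:
    public_ip: str
    next_port: int = 40000                            # next external port to hand out (assumed pool)
    outbound_map: dict = field(default_factory=dict)  # (private ip, port) -> external port
    inbound_map: dict = field(default_factory=dict)   # external port -> (private ip, port), dynamic
    forwards: dict = field(default_factory=dict)      # external port -> (private ip, port), static

    def port_forward(self, ext_port, priv_ip, priv_port):
        """Static hole in the NAT so unsolicited inbound traffic reaches one private host."""
        self.forwards[ext_port] = (priv_ip, priv_port)

    def outbound(self, p):
        """Rewrite the source of a packet leaving the private network; allocate a mapping on first use."""
        key = (p.src_ip, p.src_port)
        if key not in self.outbound_map:
            while self.next_port in self.inbound_map or self.next_port in self.forwards:
                self.next_port += 1                   # never reuse a live mapping or a forwarded port
            self.outbound_map[key] = self.next_port
            self.inbound_map[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.outbound_map[key], p.dst_ip, p.dst_port)

    def inbound(self, p):
        """Rewrite the destination of a packet arriving from the Internet, or drop it (None)."""
        if p.dst_ip != self.public_ip:
            return None
        target = self.inbound_map.get(p.dst_port) or self.forwards.get(p.dst_port)
        if target is None:
            return None                               # no mapping: unsolicited traffic is silently dropped
        return Packet(p.src_ip, p.src_port, target[0], target[1])


def demo():
    nat = NAT("66.31.210.69")
    nat.port_forward(8080, "192.168.0.5", 80)        # expose an internal web server on public port 8080
    out1 = nat.outbound(Packet("192.168.0.1", 51000, "74.125.228.67", 80))
    out2 = nat.outbound(Packet("192.168.0.2", 51000, "74.125.228.67", 80))   # same private port, other host
    reply = nat.inbound(Packet("74.125.228.67", 80, "66.31.210.69", out1.src_port))
    scan = nat.inbound(Packet("203.0.113.7", 4444, "66.31.210.69", 22))      # unsolicited: dropped
    fwd = nat.inbound(Packet("203.0.113.7", 4444, "66.31.210.69", 8080))     # reaches the forwarded host
    return {"out1": out1, "out2": out2, "reply": reply, "scan": scan, "forwarded": fwd}
```

Two private hosts using the same source port get distinct external ports, so the reply is routed back to the right one. The dropped scan packet is the "accidental firewall" property of NAT; the port-forward rule is exactly the hole that property loses.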

DHCP: Dynamic Host Configuration Protocol
Let's say that an ISP has X customers. How many IPs does it need to have? X?
Goal: allow a host to dynamically obtain its IP address from a network server when it joins the network
- can renew its lease on the address in use
- allows reuse of addresses (only hold an address while connected/"on")
- support for mobile users who want to join the network (more shortly)

DHCP
(Diagram: the subnet 223.1.2.0/24 with a host at 223.1.2.2, routers at 223.1.3.1 and 223.1.3.2, and an arriving DHCP client that needs an address in this network.)

DHCP Client-Server
DHCP server: 223.1.2.5; an arriving client has no address yet. All four messages are broadcast.
- DHCP discover: src 0.0.0.0, port 68; dest 255.255.255.255, port 67; transaction ID 654 ("Is there a DHCP server?")
- DHCP offer: src 223.1.2.5, port 67; dest 255.255.255.255, port 68; yiaddr 223.1.2.4; transaction ID 654; lifetime 3600 secs ("I'm a DHCP server, you can use this address")
- DHCP request: src 0.0.0.0, port 68; dest 255.255.255.255, port 67; yiaddr 223.1.2.4; transaction ID 655; lifetime 3600 secs ("OK, I'll take that IP address!")
- DHCP ACK: src 223.1.2.5, port 67; dest 255.255.255.255, port 68; yiaddr 223.1.2.4; transaction ID 655; lifetime 3600 secs ("OK, you've got that IP address!")

DHCP: More than IP address
DHCP can return more than just the allocated IP address on the subnet:
- address of first-hop router for client
- name and IP address of DNS server
- network mask (indicating network versus host portion of address)

DHCP Header (Do not memorize)
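To make the header and the discover/offer exchange concrete, here is an added example (not the lecture's code) that serializes and parses DHCP messages with the standard library. The server 223.1.2.5, the offered address 223.1.2.4, transaction ID 654 and the 3600 s lease are the slide's values; the router 223.1.2.1, the subnet mask, the second DNS server 1.1.1.1 and the client MAC are assumptions. The client-side check is the one a practitioner wants: an offer is only accepted if its transaction ID and hardware address match our own discover, and nothing in the protocol authenticates the server.

```python
"""Build and parse DHCP messages (the header on the 'Do not memorize' slide).

Added example for the DHCP slides; not the lecture's code. Server 223.1.2.5,
offered address 223.1.2.4, transaction ID 654 and the 3600 s lease are the
slide's values; router 223.1.2.1, the mask, DNS server 1.1.1.1 and the client
MAC are assumptions.
"""
import socket
import struct

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"          # 236 bytes
MAGIC = b"\x63\x82\x53\x63"                    # marks the start of the options field
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MASK, OPT_ROUTER, OPT_DNS, OPT_LEASE, OPT_MSGTYPE, OPT_SERVER_ID = 1, 3, 6, 51, 53, 54
DISCOVER, OFFER = 1, 2


def build(op, xid, mac, options, yiaddr="0.0.0.0", siaddr="0.0.0.0"):
    """Serialize one DHCP message; options is a list of (code, raw bytes)."""
    zero = socket.inet_aton("0.0.0.0")
    head = struct.pack(FIXED, op, 1, 6, 0, xid, 0, 0x8000,          # flags 0x8000: broadcast bit
                       zero, socket.inet_aton(yiaddr), socket.inet_aton(siaddr), zero,
                       mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return head + MAGIC + body + b"\xff"                             # 255 = End option


def parse(pkt):
    """Parse the fixed header and the TLV options; raises on a malformed packet."""
    f = struct.unpack_from(FIXED, pkt, 0)
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                                               # 0 = Pad, has no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        if i + 2 + ln > len(pkt):                                     # length-field sanity check
            raise ValueError("option %d runs past end of packet" % code)
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "xid": f[4], "yiaddr": socket.inet_ntoa(f[8]),
            "chaddr": f[11][:f[2]], "options": opts}


def ips(raw):
    """Decode a run of 4-byte addresses (router and DNS options may list several)."""
    return [socket.inet_ntoa(raw[k:k + 4]) for k in range(0, len(raw) - len(raw) % 4, 4)]


def accept_offer(pkt, xid, mac):
    """Client side: take an OFFER only if it answers *our* DISCOVER (xid and chaddr match).
    Nothing here authenticates the server: any host on the segment can answer first."""
    m = parse(pkt)
    o = m["options"]
    if (m["op"] != BOOTREPLY or m["xid"] != xid or m["chaddr"] != mac
            or o.get(OPT_MSGTYPE) != bytes([OFFER])):
        return None
    return {"ip": m["yiaddr"],
            "mask": ips(o[OPT_MASK])[0],
            "router": ips(o.get(OPT_ROUTER, b"")),
            "dns": ips(o.get(OPT_DNS, b"")),
            "lease_seconds": struct.unpack("!I", o[OPT_LEASE])[0],
            "server": ips(o[OPT_SERVER_ID])[0]}


def demo():
    mac = bytes.fromhex("0a1b2c3d4e5f")                              # assumed client MAC
    discover = build(BOOTREQUEST, 654, mac, [(OPT_MSGTYPE, bytes([DISCOVER]))])
    offer = build(BOOTREPLY, 654, mac, [
        (OPT_MSGTYPE, bytes([OFFER])),
        (OPT_SERVER_ID, socket.inet_aton("223.1.2.5")),
        (OPT_LEASE, struct.pack("!I", 3600)),
        (OPT_MASK, socket.inet_aton("255.255.255.0")),
        (OPT_ROUTER, socket.inet_aton("223.1.2.1")),
        (OPT_DNS, socket.inet_aton("223.1.2.5") + socket.inet_aton("1.1.1.1")),
    ], yiaddr="223.1.2.4", siaddr="223.1.2.5")
    someone_elses = build(BOOTREPLY, 655, mac, [(OPT_MSGTYPE, bytes([OFFER]))], yiaddr="223.1.2.9")
    return {"discover": parse(discover), "lease": accept_offer(offer, 654, mac),
            "other_xid": accept_offer(someone_elses, 654, mac)}
```

The offer carries exactly the extras from the "More than IP address" slide as options 1 (mask), 3 (router) and 6 (DNS), plus the lease time in option 51. The length check in `parse` is there because options come from an untrusted broadcast and a bad length byte must not run the parser off the end of the datagram.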

CSCI-351 DATA COMMUNICATION AND NETWORKS
Lecture 12: DNS and your Project 2
The slides are built with the help of Prof. Alan Mislove, Christo Wilson, and David Choffnes's class.

Why Skip the Transport Layer?
No; we will cover it at the next class. Project 2 will be announced: DNS.
(Diagram: the layer stack Application / Transport / Network / Data Link / Physical)

Project 2

CSCI-351 Lecture 12: DNS

Layer 8 (The Carbon-based nodes)
If you want to:
- Call someone, you need to ask for their phone number. You can't just dial "P R O F C H U N G"
- Mail someone, you need to get their address first
What about the Internet? If you need to reach Google, you need their IP! Does anyone know Google's IP?
Problem: people can't remember IP addresses! We need human readable names that map to IPs!

Internet Names and Addresses
Addresses, e.g. 129.10.117.100
- Computer usable labels for machines
- Conform to the structure of the network
Names, e.g. www.rit.edu
- Human usable labels for machines
- Conform to organizational structure
How do you map from one to the other? The Domain Name System (DNS)

History
Before DNS, all mappings were in hosts.txt
- /etc/hosts on Linux
- C:\Windows\System32\drivers\etc\hosts on Windows
Centralized, manual system
- Changes were submitted to SRI via email
- Machines periodically FTP new copies of hosts.txt
- Administrators could pick names at their discretion
- Any name was allowed: tijay server at rit pwns joo lol kthxbye

Towards DNS
Eventually, the hosts.txt system fell apart
- Not scalable, SRI couldn't handle the load
- Hard to enforce uniqueness of names, e.g. RIT: Rochester Institute of Technology? Revolution in Training (US Navy)?
- Many machines had inaccurate copies of hosts.txt
Thus, DNS was born

Outline
- DNS Basics
- DNS Security

DNS at a High-Level
Domain Name System
Distributed database: no centralization
Simple client/server architecture
- UDP port 53; some implementations also use TCP. Why? (You will learn at the TCP lecture; in short, TCP carries zone transfers and any answer too large for one UDP datagram, which the server signals with the truncated bit.)
Hierarchical namespace
- As opposed to the original, flat namespace
- e.g. .com -> google.com -> mail.google.com

Naming Hierarchy
(Diagram: the root "." with the TLDs edu, com, gov, mil, org, uk, fr, etc. beneath it.)
- Top Level Domains (TLDs) are at the top
- Maximum tree depth: 128
- Each Domain Name is a subtree: .edu, rit.edu, cs.rit.edu, www.ccs.rit.edu
- Name collisions are avoided: rit.edu vs. rit.com

Hierarchical Zones
(Diagram: the root with edu, uk, fr, etc.; rit and mit under edu; cs, www, login and mail under rit.)
- The tree is divided into zones
- Each zone has an administrator, responsible for that part of the hierarchy
- Example: cs controls *.cs.rit.edu; RIT controls *.rit.edu

Server Hierarchy
Functions of each DNS server:
- Authority over a portion of the hierarchy
  - Stores all the records for hosts/domains in its zone; no need to store all DNS names
  - May be replicated for robustness
- Knows the addresses of the root servers
  - Resolves queries for unknown names
- Root servers know about all TLDs: the buck stops at the root servers

Root Name Servers
Responsible for the Root Zone File
- Lists the TLDs and who controls them
- 272KB, administered by ICANN
13 root servers, labeled A-M
- 6 are anycasted, i.e. they are globally replicated (this figure is dated: today all 13 are anycast, with more than a thousand instances worldwide)
Contacted when names cannot be resolved
- In practice, most systems cache this information

Map of the Roots (root-servers.org)

Local Name Servers (Resolvers)
(Diagram: a host at RIT asks its local name server "Where is google.com?")
- Each ISP/company has a local, default name server, often configured via DHCP
- Hosts begin DNS queries by contacting the local name server
- Frequently cache query results

Authoritative Name Servers
(Diagram: "Where is www.rit.edu?" goes from the RIT host to the Root, to the authority for 'edu', to the authority for 'rit.edu', which answers www.rit.edu = 129.21.1.40.)
- Stores the name -> IP mapping for a given host

Basic Domain Name Resolution
- Every host knows a local DNS server and sends all queries to it
- If the local DNS server can answer the query, then you're done
  1. The local server has cached the record for that name
  2. Otherwise, go down the hierarchy and search for the authoritative name server
- Every local DNS server knows the root servers
- Use the cache to skip steps if possible, e.g. skip the root and go directly to .edu if the root file is cached

Recursive DNS Query
(Diagram: the host asks glados.cs.rit.edu "Where is www.google.com?"; glados asks the Root, then com, then ns1.google.com, and returns the answer.)
- Puts the burden of resolution on the contacted name server
- How does glados know who to forward responses to? Random IDs embedded in DNS queries
- What have we said about keeping state in the network?

Iterated DNS Query
(Diagram: asgard.ccs.rit.edu asks the Root, then com, then ns1.google.com in turn for www.google.com.)
- The contacted server replies with the name of the next authority in the hierarchy: "I don't know this name, but this other server might"
- This is how DNS works today

DNS Propagation
(Diagram: the root, edu, com and ns.godaddy.com.)
- How many of you have purchased a domain name?
- Did you notice that it took 72 hours for your name to become accessible? This delay is called DNS propagation.

Caching vs. Freshness
DNS propagation delay is caused by caching
(Diagram: asgard.ccs.rit.edu is asked "Where is www.my-new-site.com?" and answers "That name does not exist" from its cached Root, .com, .net, etc. zone files instead of asking ns.godaddy.com.)
- Zone files may be cached for 1-72 hours

DNS Resource Records
- DNS queries have two fields: name and type
- A resource record is the response to a query
  - Four fields: (name, value, type, TTL)
  - There may be multiple records returned for one query
- What do the name and value mean? Depends on the type of query and response

DNS Types
Type A / AAAA
- Name: domain name
- Value: IP address
- A is IPv4, AAAA is IPv6
  Query:  Name: www.rit.edu, Type: A
  Resp.:  Name: www.rit.edu, Value: 129.10.116.81
Type NS
- Name: partial domain
- Value: name of the DNS server for this domain ("Go send your query to this other server")
  Query:  Name: rit.edu, Type: NS
  Resp.:  Name: rit.edu, Value: ns1a.rit.edu.

DNS Types, Continued
Type CNAME
- Name: hostname
- Value: canonical hostname
- Useful for aliasing; CDNs use this (will be covered)
  Query:  Name: foo.mysite.com, Type: CNAME
  Resp.:  Name: foo.mysite.com, Value: bar.mysite.com
Type MX
- Name: domain in email address
- Value: canonical name of mail server
  Query:  Name: cs.rit.edu, Type: MX
  Resp.:  Name: cs.rit.edu, Value: pony-express.cs.rit.edu.

Reverse Lookups
What about the IP -> name mapping?
- A separate server hierarchy stores reverse mappings, rooted at in-addr.arpa and ip6.arpa
- Additional DNS record type: PTR
  - Name: IP address (on the wire it is written with the octets reversed under in-addr.arpa, e.g. 104.30.21.129.in-addr.arpa)
  - Value: domain name
- Not guaranteed to exist for all IPs
- Why do we need this? e.g., mail security
  Query:  Name: 129.10.116.51, Type: PTR
  Resp.:  Name: 129.21.30.104, Value: cs.rit.edu

Demo 1
dig (Domain Information Groper): a very useful tool to send a DNS request and parse the DNS response

Demo 2
dig (Domain Information Groper)
  dig @1.1.1.1 rit.edu
  dig @8.8.8.8 rit.edu
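What dig does under the hood is build a 12-byte header plus a question and then decode the answer, authority and additional sections of the reply. The following is an added example, not the lecture's code and not dig's source: it constructs the A, MX and PTR exchanges from the record-type slides entirely offline (www.rit.edu = 129.10.116.81, the MX pony-express.cs.rit.edu and the PTR for 129.21.30.104 are the slide's values; the TTLs, the MX preference 10 and the response bytes themselves are constructed here). It also shows the compression-pointer handling a parser needs, including the loop guard a robust one must have.

```python
"""DNS wire format: build a query like dig does, and parse the response.

Added example for the resource-record and dig slides; not the lecture's code.
www.rit.edu = 129.10.116.81, the MX pony-express.cs.rit.edu and the PTR for
129.21.30.104 are the slide's values; the responses are constructed here (no
network); the TTLs and the MX preference 10 are assumptions.
"""
import ipaddress
import random
import struct

TYPES = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "MX": 15, "AAAA": 28}
TYPE_NAMES = {v: k for k, v in TYPES.items()}


def encode_name(name):
    """'www.rit.edu' -> b'\\x03www\\x03rit\\x03edu\\x00' (length-prefixed labels)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def reverse_name(ip):
    """PTR owner name for an address: 129.21.30.104 -> 104.30.21.129.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def build_query(name, qtype, qid=None):
    """12-byte header plus one question; the ID is random because a predictable one is spoofable."""
    qid = random.getrandbits(16) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # flags 0x0100: RD (recursion desired)
    return header + encode_name(name) + struct.pack("!HH", TYPES[qtype], 1)


def read_name(msg, off):
    """Decode a name that may use compression pointers; returns (name, offset after the field)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                                 # pointer: 11xxxxxx xxxxxxxx
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")    # malformed or malicious message
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype = struct.unpack("!HH", msg[off:off + 4])[0]
        off += 4
        questions.append((qname, TYPE_NAMES.get(qtype, qtype)))
    for _ in range(an + ns + ar):                                # answer, authority, additional sections
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28:
            value = str(ipaddress.IPv6Address(rdata))
        elif rtype in (2, 5, 12):
            value = read_name(msg, off)[0]                        # names inside rdata may be compressed too
        elif rtype == 15:
            value = (struct.unpack("!H", rdata[:2])[0], read_name(msg, off + 2)[0])
        else:
            value = rdata
        records.append((name, TYPE_NAMES.get(rtype, rtype), ttl, value))
        off += rdlen
    return {"id": qid, "rcode": flags & 0xF, "questions": questions, "records": records}


def build_answer(query, records):
    """Constructed server side: echo the question, then RRs whose owner is a pointer to offset 12."""
    qid = struct.unpack("!H", query[:2])[0]
    body = b""
    for rtype, ttl, value in records:
        if rtype == "A":
            rdata = ipaddress.IPv4Address(value).packed
        elif rtype == "MX":
            rdata = struct.pack("!H", value[0]) + encode_name(value[1])
        else:
            rdata = encode_name(value)
        body += b"\xc0\x0c" + struct.pack("!HHIH", TYPES[rtype], 1, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", qid, 0x8180, 1, len(records), 0, 0) + query[12:] + body


def demo():
    a = parse_response(build_answer(build_query("www.rit.edu", "A", qid=0x1234),
                                    [("A", 300, "129.10.116.81")]))
    mx = parse_response(build_answer(build_query("cs.rit.edu", "MX"),
                                     [("MX", 300, (10, "pony-express.cs.rit.edu"))]))
    ptr = parse_response(build_answer(build_query(reverse_name("129.21.30.104"), "PTR"),
                                      [("PTR", 300, "cs.rit.edu")]))
    return a, mx, ptr
```

The fields dig prints (ID, flags, QUESTION, ANSWER) are exactly what `parse_response` returns. Note that the resolver has to compare the response ID with the ID it sent; the security slides later in this lecture are about how weak that check is on its own.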

How to buy a domain name (1)
(Diagram of the chain of authority:)
- . (Root): IANA makes the TLDs (Top level domains)
- Registry (TLD): .COM (Verisign), .com's authoritative nameserver
- Registrar (GoDaddy): "You have authority to sell .com SLD domains"
- Owner: "I need a domain" -> Buy example.com

How to buy a domain name (2): Using your own authoritative nameserver
- Owner to registrar (GoDaddy): "I need a domain. Buy example.com. My nameserver name is ns.example.com and this is the IP address: 1.2.3.4."
- The registrar submits the NS record to the registry; .com's authoritative nameserver (Verisign) now holds:
  example.com NS ns.example.com
  ns.example.com A 1.2.3.4
- The owner's nameserver (ns.example.com) holds:
  www.example.com A 9.9.9.9

How to buy a domain name (3): Using the registrar's default nameserver
- .com's authoritative nameserver holds:
  example.com NS ns.godaddy.com
  ns.godaddy.com A 4.5.6.7 (already here)
- Owner to registrar: "I need a domain. Buy example.com. My webserver IP address is 9.9.9.9."
- The registrar submits the NS record example.com NS ns.godaddy.com, and GoDaddy's authoritative nameserver internally adds:
  example.com A 9.9.9.9
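The resolution, caching and registration slides above describe one mechanism from three angles: a resolver walks root -> TLD -> authoritative server, caches what it learns (including "that name does not exist"), and a registration only becomes visible once those cache entries expire. The following is an added example, not the lecture's code, that simulates all of that on a constructed hierarchy. ns.example.com = 1.2.3.4, www.example.com = 9.9.9.9 and ns.godaddy.com = 4.5.6.7 are the slide's values; the root server 203.0.113.1, the .com server 192.0.2.1 (named a.gtld.test), the TTLs and the address 9.9.9.9 for www.my-new-site.com are assumptions. It also includes the check a practitioner runs after buying a domain: the NS set at the parent must match the NS set at the child.

```python
"""Iterative resolution over a constructed root -> .com -> example.com hierarchy, with a
TTL cache, negative caching, and the registration steps from the 'How to buy a domain
name' slides.

Added example; not the lecture's code. ns.example.com = 1.2.3.4, www.example.com =
9.9.9.9 and ns.godaddy.com = 4.5.6.7 are the slide's values. The root server
203.0.113.1, the .com server 192.0.2.1 (a.gtld.test), the TTLs and the address
9.9.9.9 for www.my-new-site.com are assumptions.
"""

# zone apex -> owner name -> record type -> [(value, ttl)]
ZONES = {
    ".": {"com.": {"NS": [("a.gtld.test.", 3600)]},
          "a.gtld.test.": {"A": [("192.0.2.1", 3600)]}},             # glue for the .com server
    "com.": {"example.com.": {"NS": [("ns.example.com.", 3600)]},
             "ns.example.com.": {"A": [("1.2.3.4", 3600)]}},         # glue submitted by the registrar
    "example.com.": {"example.com.": {"NS": [("ns.example.com.", 3600)]},
                     "ns.example.com.": {"A": [("1.2.3.4", 3600)]},
                     "www.example.com.": {"A": [("9.9.9.9", 300)]}},
}
AUTHORITY = {"203.0.113.1": {"."}, "192.0.2.1": {"com."}, "1.2.3.4": {"example.com."}}  # server -> zones
ROOT_HINTS = ["203.0.113.1"]
NEGATIVE_TTL = 300


def suffixes(name):
    """'www.example.com.' -> ['www.example.com.', 'example.com.', 'com.', '.'] (closest first)."""
    labels = name.split(".")
    return [".".join(labels[i:]) or "." for i in range(len(labels))]


def serve(server_ip, qname, qtype):
    """Authoritative server: ('answer', rrs) | ('referral', zone, ns_rrs, glue) | ('nxdomain', ttl)."""
    zone = next(s for s in suffixes(qname) if s in AUTHORITY[server_ip])
    records = ZONES[zone]
    if qname in records and qtype in records[qname]:
        return ("answer", records[qname][qtype])
    for s in suffixes(qname):
        if s == zone:
            break
        if s in records and "NS" in records[s]:                      # delegation point below the apex
            ns = records[s]["NS"]
            glue = {n: records[n]["A"] for n, _ in ns if n in records}
            return ("referral", s, ns, glue)
    return ("nxdomain", NEGATIVE_TTL)


class Resolver:
    def __init__(self):
        self.cache = {}         # (qname, qtype) -> (values, or None for NXDOMAIN; expiry)
        self.delegations = {}   # zone -> (server ips, expiry); lets later queries skip the root
        self.queries_sent = 0

    def resolve(self, qname, qtype, now):
        key = (qname, qtype)
        if key in self.cache and now < self.cache[key][1]:
            return self.cache[key][0]
        servers = ROOT_HINTS
        for s in suffixes(qname):                                    # closest cached delegation wins
            if s in self.delegations and now < self.delegations[s][1]:
                servers = self.delegations[s][0]
                break
        while servers:
            self.queries_sent += 1
            reply = serve(servers[0], qname, qtype)
            if reply[0] == "answer":
                values = [v for v, _ in reply[1]]
                self.cache[key] = (values, now + min(t for _, t in reply[1]))
                return values
            if reply[0] == "nxdomain":
                self.cache[key] = (None, now + reply[1])               # negative caching
                return None
            _, zone, ns, glue = reply
            servers = []
            for n, _ in ns:                                          # use glue, else resolve the NS name
                servers += [ip for ip, _ in glue[n]] if n in glue else (self.resolve(n, "A", now) or [])
            self.delegations[zone] = (servers, now + min(t for _, t in ns))
        raise RuntimeError("no reachable nameserver for " + qname)


def register(domain, ns_name, ns_ip, records):
    """Registrar -> registry: NS (+ glue) into .com; the owner's server starts serving the zone."""
    ZONES["com."][domain] = {"NS": [(ns_name, 3600)]}
    ZONES["com."].setdefault(ns_name, {"A": [(ns_ip, 3600)]})         # 'already here' for ns.godaddy.com
    ZONES[domain] = {domain: {"NS": [(ns_name, 3600)]}, **records}
    AUTHORITY.setdefault(ns_ip, set()).add(domain)


def check_delegation(domain):
    """Post-registration check: the NS set at the parent must match the NS set at the child apex."""
    parent = {n for n, _ in ZONES["com."].get(domain, {}).get("NS", [])}
    child = {n for n, _ in ZONES.get(domain, {}).get(domain, {}).get("NS", [])}
    return bool(parent) and parent == child


def demo():
    r = Resolver()
    first = r.resolve("www.example.com.", "A", now=0)                # root -> .com -> ns.example.com
    q_first = r.queries_sent
    r.resolve("www.example.com.", "A", now=10)                       # cache hit: no queries sent
    q_after_hit = r.queries_sent
    before = r.resolve("www.my-new-site.com.", "A", now=0)           # not registered: NXDOMAIN, cached
    register("my-new-site.com.", "ns.godaddy.com.", "4.5.6.7",
             {"www.my-new-site.com.": {"A": [("9.9.9.9", 300)]}})
    stale = r.resolve("www.my-new-site.com.", "A", now=100)          # still the cached "does not exist"
    fresh = r.resolve("www.my-new-site.com.", "A", now=400)          # negative entry expired: propagated
    return {"first": first, "queries_first": q_first, "queries_after_hit": q_after_hit,
            "before": before, "stale": stale, "fresh": fresh,
            "delegation_ok": check_delegation("my-new-site.com.")}
```

The "propagation delay" the slides mention is visible in `stale`: nothing propagates anywhere, the resolver simply keeps serving its cached negative answer until the TTL runs out, and only then walks the delegation again from the closest cached zone (.com) rather than from the root.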

DNS as Indirection Service
DNS gives us very powerful capabilities
- Not only easier for humans to reference machines
- Changing the IPs of machines becomes trivial, e.g. you want to move your web server to a new host: just change the DNS record!

Aliasing and Load Balancing
- One machine can have many aliases (virtual hosting): www.huffingtonpost.com, cs.rit.edu/~tjc, *.blogspot.com
- One domain can map to multiple machines: www.google.com

Content Delivery Networks
DNS responses may vary based on geography, ISP, etc. (details will be covered)

Outline
- DNS Basics
- DNS Security

The Importance of DNS
Without DNS, how could you get to any websites?
You are your mail server
- When you sign up for websites, you use your email address
- What if someone hijacks the DNS for your mail server?
DNS is the root of trust for the web
- When a user types www.bankofamerica.com, they expect to be taken to their bank's website
- What if the DNS record is compromised?

Denial Of Service
Flood DNS servers with requests until they fail
October 2002: massive DDoS against the root nameservers
- What was the effect? Users didn't even notice
- The root zone file is cached almost everywhere
More targeted attacks can be effective
- Local DNS server -> cannot access DNS
- Authoritative server -> cannot access domain

DNS Hijacking
Infect their OS or browser with a virus/trojan
- e.g. many trojans change entries in /etc/hosts: *.bankofamerica.com -> evilbank.com
Man-in-the-middle
- Response spoofing: eavesdrop on requests, outrace the server's response

DNS Spoofing
(Diagram: the client asks "Where is bankofamerica.com?"; dns.bofa.com answers 123.45.67.89, but an attacker's forged reply saying 66.66.66.93 arrives first.)
How do you know that a given name -> IP mapping is correct?

DNS Cache Poisoning
(Diagram: dns.rit.edu resolves "Where is www.google.com?" (74.125.131.26, via ns1.google.com) and "Where is bankofamerica.com?", and caches a forged answer bankofamerica.com 66.66.66.92.)
- Until the TTL expires, all queries for BofA to dns.rit.edu will return the poisoned result
- Much worse than spoofing/man-in-the-middle: whole ISPs can be impacted!

DNS Header
Query identifier: used to be incremented by 1, so the next ID was trivially predictable. Resolvers now pick it at random, but it is still only a 16-bit field.

Attacking DNS (only a few examples)
- Kaminsky attack (QID bruteforcing)
- Random QID and random port?
- Man-in-the-middle?
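The three bullets above are one race, under three different resolver policies: a forged response is accepted if it matches whatever the resolver checks, and the attacker keeps sending guesses until the real answer arrives. The simulation below is an added example, not the lecture's code: the resolver, the attacker and the 200 guesses per race are constructed, the ephemeral port range size (64512) is an assumption, and the analytic probability is simply 1 - (1 - guesses/space)^races. It shows why sequential IDs are hopeless, why a random 16-bit ID alone still falls to Kaminsky-style repeated races for fresh subdomains, and what source-port randomization buys.

```python
"""Why a 16-bit query ID is not enough: a simulation of the forged-response race.

Added example for the spoofing / cache-poisoning / Kaminsky slides; not the
lecture's code. The resolver, attacker and names are constructed; the
ephemeral-port range size (64512) and the guesses per race are assumptions.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    random_id: bool          # False: IDs incremented by 1 (the old behaviour on the DNS header slide)
    random_port: bool        # True: randomize the UDP source port of every query
    port_space: int = 64512  # ports 1024..65535, an assumed ephemeral range


class Resolver:
    def __init__(self, policy, rng):
        self.policy, self.rng, self.next_id = policy, rng, 1

    def send_query(self):
        """Return the (txid, source port) pair a response must carry to be accepted."""
        if self.policy.random_id:
            txid = self.rng.getrandbits(16)
        else:
            txid, self.next_id = self.next_id, (self.next_id + 1) & 0xFFFF
        port = 1024 + self.rng.randrange(self.policy.port_space) if self.policy.random_port else 53
        return txid, port

    def accept(self, expected, response):
        """Classic check: transaction ID matches and the datagram arrived on the right port."""
        return response == expected


def forged_responses(resolver, predicted_id, n, rng):
    """The attacker's n guesses. With sequential IDs the next ID is known; otherwise brute force.
    Without port randomization every guess can simply target port 53."""
    for _ in range(n):
        txid = predicted_id if predicted_id is not None else rng.getrandbits(16)
        port = 1024 + rng.randrange(resolver.policy.port_space) if resolver.policy.random_port else 53
        yield txid, port


def race(resolver, guesses, rng):
    """One query/response race for a single name. True if a forgery is accepted first."""
    predicted = None if resolver.policy.random_id else resolver.next_id   # attacker saw the last ID
    expected = resolver.send_query()
    return any(resolver.accept(expected, f) for f in forged_responses(resolver, predicted, guesses, rng))


def kaminsky(resolver, max_races, guesses, rng):
    """Kaminsky's twist: each race is for a fresh, non-existent subdomain, so losing one
    costs nothing, and the forged reply's NS/glue records poison the whole domain.
    Returns the number of races until success, or None."""
    for i in range(1, max_races + 1):
        if race(resolver, guesses, rng):
            return i
    return None


def success_probability(races, guesses, id_space=65536, port_space=1):
    """Analytic probability of at least one win: 1 - (1 - guesses/space)^races."""
    return 1 - (1 - guesses / (id_space * port_space)) ** races


def demo(seed=1):
    rng = random.Random(seed)
    return {
        "sequential": kaminsky(Resolver(Policy(False, False), rng), 1, 1, rng),
        "random_id": kaminsky(Resolver(Policy(True, False), rng), 5000, 200, rng),
        "random_id_and_port": kaminsky(Resolver(Policy(True, True), rng), 2000, 200, rng),
        "p_random_id": success_probability(500, 200),
        "p_random_id_and_port": success_probability(500, 200, port_space=64512),
    }
```

With only the ID randomized, 200 forgeries per race win within a few hundred races, which is minutes of traffic; adding the source port multiplies the search space by the ephemeral range and the same budget gets nowhere. The man-in-the-middle bullet is the case this simulation cannot cover: an attacker who sees the query knows both values, and only signing the data (DNSSEC, next slide) helps there.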

Solution: DNSSEC (will be detailed)
Cryptographically sign critical resource records
- The resolver can verify the cryptographic signature
Two new resource types
- Type DNSKEY: Name = zone domain name; Value = public key for the zone
- Type RRSIG: Name = the (type,name) tuple, i.e. the query itself; Value = cryptographic signature over the query results (the returned record set)
Creates a hierarchy of trust within each zone; prevents spoofing and hijacking
Deployment
- On the roots since July 2010
- Verisign enabled it on .com and .net in January 2011
- Comcast is the first major ISP to support it (January 2012)

Site Finder
September 2003: Verisign created DNS wildcards for *.com and *.net
- Essentially, catch-all records for unknown domains
- Pointed to a search website run by Verisign
- The search website was full of advertisements
Extremely controversial move
- Is this DNS hijacking? Definitely an abuse of trust by Verisign
- Site Finder was quickly shut down, lawsuits ensued

Much More to DNS
- Caching: when, where, how much, etc.
- Other uses for DNS (i.e. DNS hacks)
  - Content Delivery Networks (CDNs), will be detailed later
  - Different types of DNS load balancing
  - Dynamic DNS (e.g. for mobile hosts)
  - DNS and botnets
- Politics and growth of the DNS system
  - Governance
  - New TLDs (.xxx, .biz), eliminating TLDs altogether
  - Copyright, arbitration, squatting, typo-squatting
