The Domain Name System (DNS) is a service for establishing a correspondence between an IP address and a domain name and, more generally, for finding information about a domain. At the request of Jon Postel, Paul Mockapetris invented the Domain Name System in 1983 and wrote the first implementation.
Associating an IP address with a domain name
Computers connected to an IP network, e.g. the Internet, all have an IP address. These addresses are numeric so that they can be processed more easily by a machine. Under IPv4, they take the form xxx.yyy.zzz.aaa, where xxx, yyy, zzz and aaa are four numbers between 0 and 255 (in decimal). Under IPv6, IP addresses are of the form aaaa:bbbb:cccc:dddd:eeee:ffff:gggg:hhhh, where a, b, c, d, e, f, g and h represent hexadecimal characters. It is not easy for a human to remember such a number when wanting to reach a computer on the Internet. Therefore, a mechanism was put in place to associate an IP address with a name that is understandable and easier for a human to remember, called a domain name. Resolving a domain name, such as fr.wikipedia.org, means finding the IP address associated with it.
HOSTS file
Before DNS, resolution had to be done through a text file named HOSTS, local to each computer. On UNIX, it is located in /etc. On Windows, it is by default in %systemroot%\system32\drivers\etc.
In this file, each line corresponds to an IP address that can be associated with one or more domain names. This system poses a maintenance problem because the file must be copied to every computer on the network. Nor does it allow domains to be organized hierarchically. It was to solve this problem that Paul Mockapetris developed DNS in 1983.
Resolution and reverse resolution with DNS
With DNS, resolution is done via a server. When a user wants to access a web server, e.g. that of fr.wikipedia.org, their computer makes a special request to a DNS server, asking "What is the address of fr.wikipedia.org?". The server responds by returning the IP address of the server, which in this case is 91.198.174.2.
It is also possible to ask the opposite question, namely "What is the domain name, or what are the domain names, of such-and-such an IP address?". This is called reverse resolution (inverse query) or PTR lookup, referring to the DNS record of type PTR.
Note: this reverse resolution is important for public Internet IP addresses, because the absence of a reverse record may cause access to a service to be denied. For example, a sending mail server that presents itself with an IP address that has no reverse record (PTR) has a good chance of having mail relaying refused by the remote host (refusal message of the type "IP lookup failed").
Several domain names can point to the same IP address (via A records for IPv4 or AAAA records for IPv6).
Similarly, an IP address can resolve to several domain names through the registration of several PTR entries in the sub-domain of arpa. dedicated to this address (in-addr.arpa. for IPv4 and ip6.arpa. for IPv6). The use of multiple PTR records for the same IP address occurs in particular in the context of virtual hosting of several web domains behind the same IP address [1].
DNS Round-Robin technique
Where a service generates significant traffic, it can make use of the DNS Round-Robin technique (in French, "tourniquet"), which consists of associating multiple IP addresses with a domain name. The different versions of Wikipedia, for example fr.wikipedia.org, are associated with multiple IP addresses: 207.142.131.235, 207.142.131.236, 207.142.131.245, 207.142.131.246, 207.142.131.247 and 207.142.131.248. A circular rotation between these addresses makes it possible to distribute the load generated by the heavy traffic between the different machines that have these IP addresses. This distribution must however be qualified, because it takes place only at host-name resolution time and is subsequently cached by the different resolvers (DNS clients).
Fully Qualified Domain Name
Hosts are uniquely identified by their FQDN (Fully Qualified Domain Name). It has the form host.domain.tld. where host is the name of the machine and domain.tld. is the domain to which the host belongs (tld here means Top Level Domain, that is to say any domain located directly under the root, written ".", such as com. or org.). fr.wikipedia.org., for example, is composed of the generic domain org, the registered domain wikipedia and the hostname fr.
The final dot, optional in most commands, is required as far as DNS is concerned. Thus, to ping a machine whose FQDN is machine.domaine.tld., using the command "ping machine.domaine.tld" poses no problem even though the FQDN is incomplete; using the address with the final dot, "ping machine.domaine.tld.", is more accurate but produces the same result. Likewise, typing http://fr.wikipedia.org. instead of the more conventional http://fr.wikipedia.org in the address bar of a web browser makes no difference, because when performing the DNS query the underlying TCP/IP implementation takes care of adding the final dot needed for name resolution. Conversely, omitting the final dot can have significant consequences with certain versions of BIND: specifying, in the zone file of domaine.tld., machine.domaine.tld with the host's IP address 1.2.3.4 (using an A record, see below) amounts to specifying the FQDN machine.domaine.tld.domaine.tld.
A distributed system
There are hundreds of thousands of DNS servers worldwide. Each one actually has only a limited set of information at its disposal.
When a host needs to resolve a domain name, it must know the IP address of one or more recursive name servers, that is to say servers that will, if necessary, forward the request to one or more other name servers in order to provide an answer. The IP addresses of these recursive servers are often obtained via DHCP or configured statically on the host machine. Internet service providers normally make such recursive servers available to their customers.
When a DNS server (for example, that of an Internet service provider) must find the IP address of fr.wikipedia.org, communication is established with other DNS servers. First, our server asks a few DNS servers called root servers which servers can answer it for the org zone. Among those, our server selects one in order to learn which server is able to respond for the zone wikipedia.org. It is the latter that can give the IP address of fr.wikipedia.org.
To optimize subsequent queries, most DNS servers (including those of Internet service providers) also function as DNS caches: they keep the response to a name resolution in memory so as not to have to repeat the process later.
A domain name can use several DNS servers. Typically, domain names use at least two: one primary and at least one secondary. All primary and secondary servers are authoritative for a domain, that is to say that their answer does not rely on another server or a cache. The servers of Internet service providers give answers that are not necessarily current, because of the cache in place. This is called a non-authoritative answer.
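As an added illustration (not part of the original article), the following Python code simulates the walk from a root server down to the zone wikipedia.org and the caching described above. The server names are invented sample data; only the name fr.wikipedia.org and the address 91.198.174.2 come from the text.

```python
# Constructed delegation tree (sample data, not real server names): each authoritative
# server knows only its own zone, as described above for root -> org -> wikipedia.org.
SERVERS = {
    "root-server.":      {"delegates": {"org.": "ns.tld-org."}, "A": {}},
    "ns.tld-org.":       {"delegates": {"wikipedia.org.": "ns.wikimedia.org."}, "A": {}},
    "ns.wikimedia.org.": {"delegates": {}, "A": {"fr.wikipedia.org.": "91.198.174.2"}},
}

def ask_authoritative(server: str, qname: str):
    """One query to an authoritative server: it answers from its own zone, refers us to
    the child zone that holds the name, or reports that the name does not exist."""
    zone = SERVERS[server]
    if qname in zone["A"]:
        return "answer", zone["A"][qname]
    for child, nameserver in zone["delegates"].items():
        if qname == child or qname.endswith("." + child):
            return "referral", nameserver
    return "nxdomain", None

def resolve(qname: str, cache: dict, trace: list):
    """Recursive-resolver behaviour: serve from the cache (a non-authoritative answer) when
    possible, otherwise walk the delegations from a root server and cache the result.
    Returns (address or None, authoritative flag); `trace` receives every server contacted."""
    if qname in cache:
        return cache[qname], False
    server = "root-server."
    while True:
        kind, data = ask_authoritative(server, qname)
        trace.append((server, kind))
        if kind == "referral":
            server = data              # follow the delegation one level down
        elif kind == "answer":
            cache[qname] = data        # remember it for later queries
            return data, True
        else:
            return None, True          # NXDOMAIN straight from the authoritative server

if __name__ == "__main__":
    cache, trace = {}, []
    print(resolve("fr.wikipedia.org.", cache, trace), trace)   # root -> org -> wikipedia.org
    print(resolve("fr.wikipedia.org.", cache, []))             # from cache: non-authoritative
```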
To find the domain name for an IP address, the same principle is used. In a domain name, the most general part is on the right: in fr.wikipedia.org it is org. In an IP address, it is the opposite: 213 is the most general part of 213.228.0.42. To keep the logic consistent, the order of the four terms of the address is reversed and the suffix in-addr.arpa is appended. For example, to find the domain name for the IP address 91.198.174.2, we resolve 2.174.198.91.in-addr.arpa, which is a pointer to rr.knams.wikimedia.org.
This architecture gives the Internet some continuity in name resolution. When a DNS server fails, the proper functioning of name resolution is not called into question as long as secondary servers are available. In addition, DNS makes it possible to update the IP address associated with a domain name worldwide easily and fairly quickly (48 hours is generally sufficient, depending on the configuration of the domain name).
Major DNS records
The main records defined by DNS are:
* A record or address record, which maps a hostname to a 32-bit IPv4 address distributed over four bytes, e.g. 123.234.1.2;
* AAAA record or IPv6 address record, which maps a hostname to a 128-bit IPv6 address distributed over sixteen bytes;
* CNAME record or canonical name record, which makes a domain an alias of another. This alias inherits all the sub-domains of the original;
* MX record or mail exchange record, which defines the mail servers for this domain;
* PTR record or pointer record, which associates an IP address with a domain name; also called "reverse" because it does exactly the opposite of an A record;
* NS record or name server record, which defines the DNS servers for this domain;
* SOA record or Start Of Authority record, which gives general information about the zone: master server, contact e-mail, various durations including expiration, and the zone serial number;
* SRV record, which generalizes the notion of MX record, standardized in RFC 2782;
* NAPTR record or Name Authority Pointer record, which gives access to information rewriting rules, allowing loose couplings between a domain and a resource. It is specified in RFC 3403;
* TXT record, which allows an administrator to insert arbitrary text into a DNS record (for example, this record was used to implement the Sender Policy Framework specification);
* Other types of records are used occasionally; they merely serve to provide information (e.g. a LOC record indicates the physical location of a host, that is to say its latitude and longitude).
PTR record
In contrast to an A record, a PTR record indicates which host name corresponds to an IPv4 address. If specified, it must contain the reverse of a DNS A record. For example, the PTR record:
51.51.51.62.in-addr.arpa IN PTR 3E333333.dslaccess.aol.com
corresponds to this entry:
3E333333.dslaccess.aol.com IN A 62.51.51.51
PTR records are also used to specify the hostname corresponding to an IPv6 address. These PTR entries are recorded in the zone ip6.arpa. instead of the in-addr.arpa. zone used for IPv4 addresses.
The rule for finding the entry for an IPv6 address is similar to that for IPv4 addresses (the address is reversed and placed under a dedicated sub-domain of the arpa. zone), but differs in the number of address bits used to write each label of the domain name in which the PTR record is looked up: where the IPv4 address is cut into bytes, the IPv6 address is cut into nibbles (4-bit groups).
For example [2], the IPv6 address:
4321:0:1:2:3:4:567:89ab
matches the domain name:
b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa.
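The two reversal rules (bytes for in-addr.arpa., nibbles for ip6.arpa.) and the forward-confirmation check that mail servers apply to a sender's PTR record, as an added Python example that is not part of the original article. The record tables are constructed sample data; the addresses and names they contain are those quoted in the text, plus an invented 203.0.113.x host whose PTR does not point back.

```python
import ipaddress

def reverse_name(address: str) -> str:
    """Owner name to query for a PTR record: IPv4 bytes reversed under in-addr.arpa.,
    IPv6 expanded to its 32 hex nibbles and reversed under ip6.arpa. (RFC 3596 section 2.5)."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")     # leading zeros of every group are kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

# Constructed sample records: reverse (PTR) and forward (A/AAAA) views of the same hosts.
PTR = {
    "2.174.198.91.in-addr.arpa.": ["rr.knams.wikimedia.org."],
    "51.51.51.62.in-addr.arpa.":  ["3E333333.dslaccess.aol.com."],
    "9.113.0.203.in-addr.arpa.":  ["mail.example."],          # forward record disagrees
    reverse_name("::1"):          ["host6.example."],
}
A_AAAA = {
    "rr.knams.wikimedia.org.":    {"91.198.174.2"},
    "3E333333.dslaccess.aol.com.": {"62.51.51.51"},
    "mail.example.":              {"203.0.113.10"},
    "host6.example.":             {"::1"},
}

def forward_confirmed(address: str) -> list:
    """Forward-confirmed reverse DNS: keep only the PTR targets whose A/AAAA record points
    back to `address`. A sender failing this check is what the note above warns about."""
    ip = ipaddress.ip_address(address)
    names = PTR.get(reverse_name(address), [])
    return [n for n in names
            if ip in {ipaddress.ip_address(a) for a in A_AAAA.get(n, ())}]

if __name__ == "__main__":
    print(reverse_name("4321:0:1:2:3:4:567:89ab"))
    print(forward_confirmed("62.51.51.51"), forward_confirmed("203.0.113.9"))
```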
MX record
A DNS MX record indicates the SMTP server to contact in order to send an email to a user of a given domain. Under Unix, the MX records corresponding to a domain can be retrieved using the host(1) program (among others). For example:
$ host -v -t MX wikimedia.org
[...]
;; QUESTION SECTION:
;wikimedia.org. IN MX
;; ANSWER SECTION:
wikimedia.org. 3600 IN MX 10 mchenry.wikimedia.org.
wikimedia.org. 3600 IN MX 50 lists.wikimedia.org.
We see that email sent to an address such as en@wikimedia.org is actually delivered to the server mchenry.wikimedia.org. or lists.wikimedia.org. The number before the server name is the priority. Normally the server with the lowest numeric priority is supposed to be used. Here, therefore, mchenry.wikimedia.org., with a value of 10, is to be used in the first place.
MX records are made obsolete by SRV records, which can do the same thing for all services, not only SMTP (email). The advantage of SRV records over MX records is that they can choose an arbitrary port for each service and do load balancing more effectively. The disadvantage is that there are still few client programs that handle SRV records.
NAPTR record
NAPTR records are uncommon at present (they are mainly used by ENUM). They describe the rewriting of a key (a domain name) into a URI. For example, in ENUM, NAPTR records can be used to find a person's email address from their telephone number (which is the ENUM key).
Its parameters are, in order:
1. Order: indicates in what order to evaluate the NAPTR records; as long as there are still records with a given order value to examine, records with the following order values are not considered;
2. Preference: gives an indication of relative priority among several NAPTR records having the same order value;
3. Flags: indicates, for example, whether the record describes a transitional rewrite (whose result is a domain name pointing to another NAPTR record) or a final rewrite; the precise semantics of the flags depend on the DDDS ("Dynamic Delegation Discovery System", RFC 3401) application used (ENUM is one among others);
4. Services: describes the use of the rewrite; for example in ENUM, the value of services specifies the type of the resulting URI; the precise semantics of this parameter also depend on the DDDS application used;
5. Regexp: the rewrite operation itself, formalized as a regular expression; this regular expression is applied to the key; it cannot be provided at the same time as replacement;
6. Replacement: domain name pointing to another NAPTR record, for example for a delegation by transitional rewrite; it cannot be provided at the same time as regexp.
The NAPTR record is defined by RFC 3403.
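The ENUM use of NAPTR described above (telephone number as key, order and preference, a regexp rewrite into a URI), as an added Python example that is not part of the original article. The two records and the number +33123456789 are constructed sample data; the regexp field syntax follows RFC 3403 section 4.1 and the e164.arpa key construction follows RFC 6116.

```python
import re

def enum_key(e164: str) -> str:
    """ENUM key (RFC 6116): the digits of the E.164 number reversed, one per label, under e164.arpa."""
    digits = [c for c in e164 if c.isdigit()]
    return ".".join(reversed(digits)) + ".e164.arpa."

def apply_regexp(regexp_field: str, subject: str) -> str:
    """Apply a NAPTR <regexp> field of the form 'delim ERE delim replacement delim [flags]'
    (RFC 3403 section 4.1) to `subject`. Backreferences in the replacement are honoured by re.subn."""
    delim = regexp_field[0]
    parts = re.split(r"(?<!\\)" + re.escape(delim), regexp_field[1:])   # split on unescaped delimiters
    ere, repl = parts[0], parts[1]
    flags = re.IGNORECASE if len(parts) > 2 and "i" in parts[2] else 0
    new, n = re.subn(ere, repl, subject, count=1, flags=flags)
    if n == 0:
        raise ValueError("regexp did not match the key")
    return new

def enum_lookup(e164: str, records: list, wanted_service: str) -> str:
    """Walk the records by order then preference and rewrite the E.164 number (the ENUM key)
    into a URI with the first terminal ('u' flag) rule that offers `wanted_service`."""
    for rec in sorted(records, key=lambda r: (r["order"], r["preference"])):
        if rec["flags"].lower() == "u" and rec["services"].startswith(wanted_service):
            return apply_regexp(rec["regexp"], e164)
    raise LookupError("no terminal NAPTR rule for " + wanted_service)

# Constructed records as they might be published under enum_key("+33123456789").
RECORDS = [
    {"order": 100, "preference": 20, "flags": "u", "services": "E2U+email:mailto",
     "regexp": "!^.*$!mailto:info@example.net!", "replacement": "."},
    {"order": 100, "preference": 10, "flags": "u", "services": "E2U+sip",
     "regexp": r"!^\+33(.*)$!sip:0\1@example.net!", "replacement": "."},
]

if __name__ == "__main__":
    print(enum_key("+33123456789"))
    print(enum_lookup("+33123456789", RECORDS, "E2U+email"))
    print(enum_lookup("+33123456789", RECORDS, "E2U+sip"))
```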
SOA record
This record allows you to specify the authoritative name server, a technical contact and expiration parameters. These parameters are, in order:
1. Serial: indicates a version number for the zone; this number must be incremented at each change of the zone file; by convention a date format yyyymmddhhmm is used;
2. Refresh: the number of seconds between update requests to the server made by the secondary or slave servers;
3. Retry: the number of seconds the secondary or slave servers must wait when their previous request failed;
4. Expire: the number of seconds after which the zone is considered invalid if the secondary or slave servers cannot reach the primary server;
5. Minimum: used to determine the minimum lifetime of the zone file and, therefore, how long to keep cached responses corresponding to requests for nonexistent records.
Example of an SOA record:
maboite.com. IN SOA serveur.example.com contact.example.com (
    200612301905 ; serial (version)
    3600         ; refresh period
    900          ; retry refresh this often
    604800       ; expiry period
    3600         ; minimum TTL
)
Recent versions of BIND (named) accept the suffixes M, H, D or W to indicate a time interval in minutes, hours, days or weeks, respectively.
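A parser for the SOA record shown above, including the BIND time suffixes, together with the timer sanity checks a zone reviewer applies, as an added Python example that is not part of the original article. The check thresholds are the reviewer's own rules of thumb (in the spirit of RFC 1912 section 2.2), not values from the text.

```python
import re

SUFFIX = {"": 1, "S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}

def bind_time(value: str) -> int:
    """Convert a BIND time value such as '900', '15M', '1H', '7D' or '1W' to seconds."""
    m = re.fullmatch(r"(\d+)([SMHDWsmhdw]?)", value.strip())
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * SUFFIX[m.group(2).upper()]

def rname_to_email(rname: str) -> str:
    """The SOA contact is written as a domain name: its first dot stands for the '@'."""
    local, _, domain = rname.rstrip(".").partition(".")
    return local + "@" + domain

def parse_soa(text: str) -> dict:
    """Parse a master-file SOA record in parenthesised form, ignoring ';' comments."""
    tokens = re.sub(r";[^\n]*", "", text).replace("(", " ").replace(")", " ").split()
    owner, rest = tokens[0], tokens[1:]
    if rest and rest[0].isdigit():          # optional TTL before the class
        rest = rest[1:]
    if rest and rest[0].upper() == "IN":    # optional class before the type
        rest = rest[1:]
    if len(rest) != 8 or rest[0].upper() != "SOA":
        raise ValueError("not a complete SOA record")
    _, mname, rname, serial, refresh, retry, expire, minimum = rest
    return {"owner": owner, "mname": mname, "contact": rname_to_email(rname),
            "serial": int(serial), "refresh": bind_time(refresh), "retry": bind_time(retry),
            "expire": bind_time(expire), "minimum": bind_time(minimum)}

def soa_problems(soa: dict) -> list:
    """Timer sanity checks (rules of thumb, cf. RFC 1912 section 2.2): secondaries should retry
    sooner than they refresh, and a zone should not expire before a failed refresh is retried."""
    problems = []
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry should be shorter than refresh")
    if soa["expire"] < soa["refresh"] + soa["retry"]:
        problems.append("expire should be longer than refresh + retry")
    return problems

# The SOA record shown above, as a master-file fragment.
SOA_TEXT = """maboite.com. IN SOA serveur.example.com contact.example.com (
    200612301905 ; serial (version)
    3600         ; refresh period
    900          ; retry refresh this often
    604800       ; expiry period
    3600         ; minimum TTL
)"""

if __name__ == "__main__":
    soa = parse_soa(SOA_TEXT)
    print(soa, soa_problems(soa) or "timers look sane")
```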
DNS security
The DNS protocol was designed with a minimum of security. Several security vulnerabilities in the DNS protocol have been identified since. The main weaknesses of DNS are described in RFC 3833, published in August 2004. [3]
Interception of packets
One of the flaws highlighted is the ability to intercept transmitted packets. DNS servers communicate using single, unsigned packets. These two characteristics make interception very easy. Interception can occur in various ways, including via a man-in-the-middle attack: listening to the transferred data and sending a spoofed response (see below).
Forging a response
DNS packets being poorly secured, authenticated only by a request number, it is possible to forge fake packets. For example, a user wishing to access the site http://mabanque.com makes a request to the DNS. It suffices for an attacker to respond to the user's request before the DNS server does for the user to end up on the site http://mesvirus.com.
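To show how little a resolver can check on such an answer, here is an added Python example (not from the original article) that builds a query and two answers in RFC 1035 wire format and applies the matching rules of a classic resolver (cf. RFC 5452): same 16-bit ID, QR bit set, identical question. The transaction IDs and the TEST-NET addresses are constructed; only the name mabanque.com comes from the text.

```python
import struct

def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels ending with a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Minimal DNS query (RFC 1035 section 4.1): 12-byte header with RD=1, then one IN question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)

def build_answer(txid: int, question: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """A response carrying `question` back verbatim and one A record pointing at `ipv4`.
    A legitimate server and a forger both produce exactly this; only the ID can differ."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + question + rr

def response_matches(query: bytes, response: bytes) -> bool:
    """The checks a classic (non-DNSSEC) resolver can make on an unsigned UDP answer:
    same transaction ID, QR bit set, one question identical to the one sent.
    Source address and port are matched by the socket layer and are not visible here."""
    if len(query) < 12 or len(response) < 12:
        return False
    (q_id,) = struct.unpack("!H", query[:2])
    r_id, r_flags, r_qdcount = struct.unpack("!HHH", response[:6])
    if r_id != q_id or not r_flags & 0x8000 or r_qdcount != 1:
        return False
    question = query[12:]                      # a query is header + question only
    return response[12:12 + len(question)] == question

def demo() -> tuple:
    """Genuine answer accepted; forged answer with the wrong ID rejected; forged answer with
    the right ID accepted: the 16-bit ID is the only secret, which is the weakness above."""
    query = build_query(0x1234, "mabanque.com")
    question = query[12:]
    genuine = build_answer(0x1234, question, "192.0.2.10")           # constructed TEST-NET addresses
    forged_wrong_id = build_answer(0x4321, question, "198.51.100.7")
    forged_right_id = build_answer(0x1234, question, "198.51.100.7")
    return (response_matches(query, genuine),
            response_matches(query, forged_wrong_id),
            response_matches(query, forged_right_id))

if __name__ == "__main__":
    print(demo())
```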
Data corruption
Betrayal by a server, or data corruption, is technically identical to packet interception; the only difference is that the user voluntarily sends the request to the server. This can happen, for example, when the operator of the DNS server wishes to promote a business partner.
DNS cache poisoning
Main article: DNS cache poisoning. [4]
Denial of service
Main article: Denial of service.
A denial of service (DoS or DDoS; in English, Denial of Service attack or DoS attack) is an attack on a computer server that results in the server being unable to respond to requests from its clients.
DNSSEC
Main article: DNSSEC.
To counter these vulnerabilities, DNSSEC was developed.
Example of major attacks against DNS servers
In July 2008, a few days after the publication of the United States Computer Emergency Readiness Team report on the vulnerability of DNS servers to cache poisoning, many DNS servers suffered major attacks. [5] One of the most significant was the one waged against AT&T's servers. The poisoning of the cache of AT&T's DNS servers allowed the attacker to redirect all requests for Google to a phishing site. [6]
Notes and references
1. In the case of massive virtual hosting of domains behind a single IP address, it is recommended not to apply indiscriminately the rule of one PTR record per A (or AAAA) record: the number of PTR records to return can exceed the response size of UDP packets and force the use of TCP (more expensive in resources) to send the reply to the DNS query; see section "4.4 Usage and deployment considerations" of the draft draft-ietf-dnsop-reverse-mapping-considerations.
2. Derived from section "2.5 IP6.ARPA Domain" of RFC 3596.
3. http://www.rfc-archive.org/getrfc.php?rfc=3833
4. http://www.kb.cert.org/vuls/id/800113
5. http://blogs.orange-business.com/securite/2008/07/dns-poisoning-premieres-attaques.html
6. http://www.pcworld.com/businesscenter/article/149126/dns_attack_writer_a_victim_of_his_own_creation.html
See also
Related articles
* Dig
* DNS black holing
* DNS blacklisting
* DNS cache poisoning
* Domain name hosting
* Hosts
* ICANN
* Nslookup
* Difficulty of passing protocols through network firewalls
* Network (computing)
* RFC
* DNS root servers