Welcome to delmad's home page.
CSCI 349 DNS Lecture Materials
DNS Functions
- maps host names to IP addresses (and IP addresses back to host names) via a client/server architecture
- a name server is a program consisting of a DB of name and address info
- responds to queries from resolvers
- at least one DNS server (the primary for each zone) must be updated by hand or by dynamic update; the others copy from it
DNS Topology
- DNS DB is a tree
- Each node is a partition of the DB (a domain)
- Each domain may be subdivided into subdomains
- Top-level domains: com, edu, gov, ...
- Maximum depth of the tree is 127 labels (each label is at least one character and the whole name is at most 255 octets in wire form)
- No limit on the number of branches (children) at each node
Introduction
- Each node in the tree is labeled with a name (a label of up to 63 octets)
- The full domain name of a node is the sequence of labels on the path from the node up to the root, with a dot between labels
- The servers for the root zone, which delegate to the top-level domains such as com, are the Internet root servers; the com zone itself is served by the TLD servers that the root delegates to
- Domain names are used as indexes into the DNS DB
- The same label may appear in different subdomains (e.g. a host named www under two different subdomains), since the full name is what must be unique
Domain vs. Zone of Authority
- Main goal is decentralization (distributed DB)
- Delegate subdomains to other administrators
- Domain = subtree
- Subdomain = subtree of a subtree
- Zone = the part of a domain that one set of name servers is authoritative for, i.e. the domain minus whatever has been delegated to other servers
Definitions
- Name server: a program running on a system with DNS support; stores info about some part of the domain name space called a zone (zone of authority); it is called authoritative for a zone for which it has the complete host information and data.
- Name servers are the devices that store the information about the domain name space. They usually contain complete info about some part of the name space (a zone).
- Static name server: needs a manual update of the lookup table whenever an IP address gets assigned, reassigned or deleted; after the update the server must be restarted (or reloaded) for the change to take effect.
- Dynamic name server: capable of updating its lookup table itself whenever a DDNS client or the DHCP server sends it an update. Never needs manual updating.
- Primary name server: the server on which the hosts in the zone are configured (by the DNS administrator) and maintained. Can also be updated by dynamic clients.
- Secondary name server: contains the same info as the primary name server, but instead of getting its info from an administrator it gets it from another name server through zone transfers over the network. It answers authoritatively for the zone just as the primary does.
- Zone transfer: a transfer of the zone's resource records from another DNS server over TCP (AXFR), in order to share load and to have a backup if the primary fails.
- Master name server: any server that provides zone transfers to secondary name servers (the primary, or a secondary that feeds further secondaries).
- Caching-only name server: has authority over no zone and gets its info by querying other servers. Its responses are always non-authoritative.
- Authoritative name server: either a primary or a secondary name server. If a client queries a primary or secondary directly, the response is authoritative (the AA flag is set). When a caching-only server doesn't know the answer and queries the primary/secondary on the client's behalf, the data it relays originates from an authoritative server, but the caching server's own reply to the client is marked non-authoritative.
- Parent and child name servers: this is delegation of authority over parts of your domain. The upper level is the parent and the lower level is the child; the parent holds the NS records that point at the child's servers.
- Root name server: authoritative for the root zone, which delegates to the top-level domains (.com, .net, .edu). The DNS name space tree may look different depending on whether the network is an isolated internal network or is connected to the Internet DNS name space.
- Forwarder name server: accepts queries that another DNS server doesn't know the answer to. Usually several DNS servers are configured to use the same forwarder, and the forwarder caches query results.
- Firewall name server: used when not all private DNS server information should be visible; it provides a limited-content DNS server to the Internet (split-horizon DNS).
- DHCP server: provides automatic (dynamic) allocation of IP client configurations for a specific time period (the lease period), eliminating the work necessary to administer a large IP network by hand.
DNS Record Types
- RR: resource records belong to a zone in the name server DB and map information to a host name. They are divided into classes for different types of networks (in practice only class IN, Internet, is used).
The following is a partial list (see RFC 1035 for the complete listing).
- SOA: start of authority; names the name server that is the main source of authoritative information for the zone, and carries the serial number and the refresh/retry/expire timers that secondaries use.
- NS: name server records; each record should name a valid name server for the zone. If a name server provides wrong information, use bogusns (BIND 4; `server { bogus yes; };` in BIND 8 and later) to tell your name server not to query it.
- RP: responsible person(s) for the domain.
- TXT: records in the DDNS DB that may provide more information, e.g. how to contact the RP.
- MX: mail exchanger records indicating a host that will either deliver mail to the addressee or forward (SMTP) the mail to another host closer to the addressee. The 16-bit preference value orders the exchangers (lowest value preferred) and is what prevents mail loops.
- A: address records; the DNS record that maps a host name to a (32-bit IPv4) IP address.
- PTR: pointer records; map an IP address (written as a name under in-addr.arpa) to a host name.
- CNAME: maps a host alias name to the canonical name of the host (the fully qualified domain name of the host that is defined by an address record). A name that has a CNAME may not have any other records.
- HINFO: contains host information (CPU type and operating system) and is not recommended, since it hands that information to a potential attacker doing reconnaissance.
- KEY: entries in the DDNS DB contain, for every host name/domain name/primary name server setting that was created, the associated key needed to update that host name. Keys are stored so that clients cannot take over other clients' host names.
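As an added example (not from the lecture), the following Python parses a constructed BIND-style master file for the hypothetical zone sample.net and runs the checks an administrator would want on the record types listed above: exactly one SOA with a numeric serial, NS records at the apex, 16-bit MX preferences whose in-zone targets have A records, no CNAME sharing an owner with other records, and a warning for HINFO. Every name and address is made up (192.0.2.0/24 is documentation address space).

```python
# Constructed sample master file (RFC 1035 syntax) for the hypothetical zone sample.net;
# 192.0.2.0/24 is documentation address space, so nothing here is real.
SAMPLE_ZONE = """\
$ORIGIN sample.net.
$TTL 3600
@        IN SOA   ns1.sample.net. hostmaster.sample.net. (
                  2024010101 ; serial
                  3600       ; refresh
                  900        ; retry
                  1209600    ; expire
                  300 )      ; minimum TTL
@        IN NS    ns1.sample.net.
@        IN NS    ns2.sample.net.
@        IN MX    10 mail.sample.net.
@        IN MX    20 mail2.sample.net.
@        IN RP    hostmaster.sample.net. contact.sample.net.
contact  IN TXT   "call the help desk, extension 1234"
ns1      IN A     192.0.2.1
ns2      IN A     192.0.2.2
mail     IN A     192.0.2.10
mail2    IN A     192.0.2.11
www      IN CNAME host.sample.net.
host     IN A     192.0.2.20
host     IN HINFO "PC" "OS/2"
"""

def tokenize(line):
    """Split one line into tokens; keeps "quoted strings" whole and drops ; comments."""
    toks, cur, quoted = [], "", False
    for ch in line:
        if quoted:
            cur += ch
            if ch == '"':
                toks.append(cur); cur, quoted = "", False
        elif ch == '"':
            cur, quoted = '"', True
        elif ch == ";":
            break
        elif ch.isspace():
            if cur:
                toks.append(cur); cur = ""
        else:
            cur += ch
    if cur:
        toks.append(cur)
    return toks

def qualify(name, origin):
    """@ means the origin; a name without a trailing dot is relative to the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def parse_zone(text):
    """Return (origin, [(owner, type, [rdata tokens]), ...]). Handles $ORIGIN, $TTL, @,
    relative owners, a blank owner meaning 'same as previous', and ( ) continuation lines."""
    origin, records, pending, depth, last_owner, first_ws = "", [], [], 0, None, False
    for raw in text.splitlines():
        toks = tokenize(raw)
        if not pending:
            first_ws = raw[:1].isspace()      # leading blank = reuse previous owner
        pending += toks
        depth += toks.count("(") - toks.count(")")
        if depth > 0 or not pending:
            continue
        toks, pending = [t for t in pending if t not in ("(", ")")], []
        if toks[0] == "$ORIGIN":
            origin = toks[1]; continue
        if toks[0] == "$TTL":
            continue
        owner = last_owner if first_ws else toks.pop(0)
        if toks and toks[0].isdigit():        # optional TTL
            toks.pop(0)
        if toks and toks[0] in ("IN", "CH", "HS"):   # optional class
            toks.pop(0)
        owner = qualify(owner, origin)
        last_owner = owner
        records.append((owner, toks[0], toks[1:]))
    return origin, records

def check_zone(origin, records):
    """Checks an administrator would want before loading the zone; returns a list of problems."""
    problems = []
    owners = {(o, t) for o, t, _ in records}
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1:
        problems.append("zone needs exactly one SOA")
    elif not soa[0][2][2].isdigit():
        problems.append("SOA serial is not numeric")
    if (origin, "NS") not in owners:
        problems.append("no NS record at the zone apex")
    for owner, rtype, rdata in records:
        if rtype == "MX":
            if not (rdata[0].isdigit() and int(rdata[0]) < 65536):
                problems.append("MX preference must fit in 16 bits: " + owner)
            elif rdata[1].endswith(origin) and (rdata[1], "A") not in owners:
                problems.append("MX target has no A record: " + rdata[1])
        if rtype == "CNAME" and any(o == owner and t != "CNAME" for o, t in owners):
            problems.append("CNAME owner has other records: " + owner)
        if rtype == "HINFO":
            problems.append("HINFO discloses CPU/OS to anyone who asks: " + owner)
    return problems
```

Running check_zone on SAMPLE_ZONE reports only the HINFO record; appending an A record for www (which already has a CNAME) or an MX with preference 70000 makes the corresponding checks fire.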
Resolvers
A resolver is a client that makes queries to the name server on behalf of the programs
running on the host. The user programs make calls to the resolver, requesting information
from the name server. The resolver translates the request into a search for
resource records located somewhere in the domain name space.
A resolver typically performs the following three functions:
- Host name-to-host address translation.
The client program provides a character string representing a host name. This is either a fully qualified domain name (host.net.com) or a simple unqualified host name. If the name is unqualified, the resolver code appends a domain origin name (such as sample.net) to the name before passing it to the server. This domain origin name is one of four parameters that are configured on every IP host:
- IP address of the host
- Host name
- Domain origin name (the domain to which this host belongs)
- IP address of the name server(s) being used
The resolver then translates this request into a query for address (type A) resource records and passes it to the specified name server. The server returns one or more 32-bit IPv4 addresses (for IPv6 the resolver asks for AAAA records instead).
- Host address-to-host name translation.
Presented with a 32-bit IP address from the client program, the resolver queries the name server for a character string representing the name of the host in question. This type of query is for PTR-type resource records from the in-addr.arpa name space. The resolver reverses the octets of the IP address and appends the special domain in-addr.arpa before passing the query to the name server (10.1.2.3 becomes 3.2.1.10.in-addr.arpa).
- General lookup function: queries the name server requesting all matching resource records based on the name, class and type specified in the query.
There are two types of resolvers, the full resolver and the stub resolver. Both are reached through the library routines gethostbyname() and gethostbyaddr() (getaddrinfo()/getnameinfo() in newer code). The full resolver has a set of default name servers it knows about and may also keep a cache of responses from the name server for later use. The stub resolver is a routine linked into the user program. It performs the same function as the full resolver but generally does not keep a cache; it relies on a recursive name server to do the work.
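As an added example (not part of the lecture), the following Python puts the Topology and Resolver material into code: it enforces the RFC 1035 name limits (63-octet labels, 255-octet names, hence at most 127 labels), builds the type A and PTR queries a resolver sends, derives the in-addr.arpa name for a reverse lookup, and parses a reply, reading the AA bit that distinguishes an authoritative answer from a cached one. The name host.sample.net and the address 10.1.2.3 are constructed, and build_response stands in for a name server so that everything runs offline.

```python
import struct

MAX_LABEL, MAX_NAME, MAX_DEPTH = 63, 255, 127   # RFC 1035 limits; 127 follows from the other two

def validate_name(name):
    """Split a domain name into labels, enforcing the RFC 1035 size limits."""
    labels = name.rstrip(".").split(".") if name.rstrip(".") else []
    if len(labels) > MAX_DEPTH:
        raise ValueError("too many labels (max %d)" % MAX_DEPTH)
    if sum(len(l) + 1 for l in labels) + 1 > MAX_NAME:
        raise ValueError("wire-format name longer than %d octets" % MAX_NAME)
    for l in labels:
        if not 1 <= len(l) <= MAX_LABEL:
            raise ValueError("bad label length: %r" % l)
    return labels

def encode_name(name):
    """Wire format: each label prefixed by its length, terminated by the zero-length root."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in validate_name(name)) + b"\x00"

def decode_name(msg, off):
    """Decode a name at msg[off:], following RFC 1035 compression pointers (0xC0xx)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:
            if end is None:
                end = off + 2            # a pointer ends the name in the original stream
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)

def reverse_name(ipv4):
    """Owner name for a PTR lookup: octets reversed under in-addr.arpa."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ipv4)
    return ".".join(reversed(octets)) + ".in-addr.arpa"

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "MX": 15}

def build_query(name, qtype, xid=0x1234):
    """Header (12 octets) + one question; RD=1 asks the server to recurse for a stub resolver."""
    hdr = struct.pack("!HHHHHH", xid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)

def build_response(query, answers, aa=False):
    """Constructed server reply (stand-in for a real name server): echoes the question and
    adds (type, ttl, rdata) answers whose owner points back at the question name (0xC00C)."""
    xid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0400 if aa else 0)         # QR, RD, RA and optionally AA
    out = struct.pack("!HHHHHH", xid, flags, 1, len(answers), 0, 0) + query[12:]
    for rtype, ttl, rdata in answers:
        out += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return out

def parse_response(msg):
    """Return (xid, authoritative, [(owner, type, ttl, rdata as text)]). The AA bit is the
    only thing that tells an authoritative answer from one relayed by a caching server."""
    xid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:
            text = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):                  # NS, CNAME, PTR carry a name
            text, _ = decode_name(msg, off)
        else:
            text = rdata.hex()
        answers.append((owner, rtype, ttl, text))
        off += rdlen
    return xid, bool(flags & 0x0400), answers
```

Sending build_query() output over UDP port 53 and feeding the reply to parse_response() works against a real server; the constructed build_response() is only there so the example is self-contained.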
BIND's Treatment of DNS Database Entries
The following is a brief example of how a new or changed resource record is
propagated to all authoritative name servers using Berkeley Internet Name
Domain (BIND) 8.1.1:
- To change a static DNS resource record, an administrator edits the zone file containing it and updates the serial number. The serial number is a field in the SOA record that must be incremented by the administrator when the file is updated manually, or implicitly by the server when it processes an update transaction; secondaries compare it with their own copy to decide whether they need a new zone transfer.
- The primary zone server responsible for the changed zone then reads (reloads) the edited zone file.
- The primary zone server then sends a NOTIFY message to all known secondary name servers for the changed zone. When multiple secondary servers must be notified, the primary server waits about a minute between notifies to reduce the risk that all secondary servers request zone transfers at the same time.
- If a secondary server supports NOTIFY it immediately requests a zone transfer. If it doesn't, it discards the notify and waits until its next scheduled cycle (the SOA refresh interval) to check the serial and request a zone transfer from the primary server. Present BIND documentation suggests that a full zone transfer should be made at least every 24 hours.
- The secondary server then sends NOTIFY to all other secondary servers that may depend on it.
- If dynamic updates are supported (by the primary server, DNS client or DHCP server), then a DNS client or a DHCP server can send a resource record change (update transaction) to the primary server. This then cascades to all secondary servers.
- Once an update transaction is received by the primary server, it increments the zone SOA serial number and writes the changed zone data to a new zone file. The new zone file is the only permanent record of the update transaction. The update transaction is then propagated to the secondary servers.
In this standards-based scenario, the supposedly identical zone files on the primary and
secondary name servers are out of sync for some period of time. In a large network with
dynamic naming, hundreds of zone updates per second may be needed, while full zone transfers
propagate through the DNS only slowly.
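Added example, not from the lecture: the serial comparison a secondary applies before transferring (RFC 1982 serial arithmetic, which BIND uses), the YYYYMMDDnn serial convention, the two-step recovery when a serial was set too high, and a small model of the propagation steps above, including a secondary without NOTIFY support and the classic mistake of editing the zone file without bumping the serial. The Primary and Secondary classes are an illustration of the logic, not BIND code.

```python
MOD = 1 << 32
HALF = 1 << 31

def serial_gt(a, b):
    """RFC 1982 comparison of 32-bit SOA serials: is a newer than b?
    Serials wrap, so 5 is newer than 4294967295; two values exactly 2**31 apart
    are undefined by the RFC and treated here as 'not newer'."""
    a, b = a % MOD, b % MOD
    return (a > b and a - b < HALF) or (a < b and b - a > HALF)

def next_date_serial(current, today):
    """YYYYMMDDnn convention: first change on a day gets nn=00, later ones increment."""
    cand = int(today) * 100
    return current + 1 if current >= cand else cand

def serial_path(current, target):
    """Serials to set, in order, to move a zone from `current` to a smaller `target`
    without secondaries ignoring it: first the largest value still seen as newer,
    then the target (the usual fix for a fat-fingered serial such as 4000000000)."""
    if serial_gt(target, current):
        return [target]
    return [(current + HALF - 1) % MOD, target]

class Primary:
    def __init__(self, serial, records):
        self.serial, self.records, self.secondaries = serial, dict(records), []

    def edit_zone_file(self, name, value, bump_serial=True):
        """Static change by the administrator; forgetting the serial bump means the
        change never leaves this server. NOTIFY is sent after the reload."""
        self.records[name] = value
        if bump_serial:
            self.serial += 1
        for s in self.secondaries:
            s.on_notify(self)

    def dynamic_update(self, name, value):
        """Update transaction from a DDNS client or DHCP server: the primary bumps the
        serial itself and propagates exactly like an edited file."""
        self.edit_zone_file(name, value, bump_serial=True)

class Secondary:
    def __init__(self, supports_notify=True):
        self.serial, self.records = 0, {}
        self.supports_notify, self.transfers = supports_notify, 0

    def on_notify(self, primary):
        if self.supports_notify:          # otherwise wait for the SOA refresh timer
            self.refresh(primary)

    def refresh(self, primary):
        """At refresh time (or on NOTIFY): fetch the SOA, transfer only if it is newer."""
        if serial_gt(primary.serial, self.serial):
            self.records, self.serial = dict(primary.records), primary.serial
            self.transfers += 1
        return self.serial
```

The no-bump case is worth noting operationally: the secondary sees equal serials, answers from its stale copy, and nothing in the protocol flags the inconsistency until the next real serial change.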
Dynamic IP
Dynamic IP allows you to define network host configuration parameters at a
central location and to automate the configuration of IP hosts. This enables it to
support mobile hosts. Dynamic IP is the combination of DHCP (which provides
configuration info to IP hosts) and DDNS (which provides dynamic host-name-to-IP-address
and IP-address-to-host-name mapping for the Dynamic IP clients).
The Dynamic IP evolved due to the following reasons:
- Implementing changes to the network infrastructure required a massive
coordinated effort to reconfigure all affected hosts.
- The administrator had to manually change the host's name-to-IP address
mappings in the host's authoritative DNS server, and assign a new IP
address.
- For a mobile host, an IP address must be reserved for each subnetwork
location at which the mobile host may possibly attach. The end user then
had to manually reconfigure the IP software, and other IP network
parameters.
The goal of Dynamic IP is to simplify these tasks and to provide an easy way to
access and administer IP networks.
Dynamic IP provides the following:
- Automating IP network access
- Simplification of network administration
- Administration of site-specific host environments
- Customized, location-sensitive host serving.
Automation of IP Network Access is when a Dynamic IP client host can
automatically obtain and use IP configuration information, including the
network address, routers and name servers to be used. Dynamic IP also
provides a mechanism to enable other hosts in the network to locate Dynamic
IP hosts at their current points of attachment.
Dynamic IP simplifies the job of configuring IP hosts by allowing a network
administrator to provide configuration information for a network and its hosts
from a central server (includes changes in routing infrastructure or in network
services). Dynamic IP hosts can also be configured to maintain DNS mapping
in a Dynamic DNS server.
Using Dynamic IP decreases the amount of configuration needed for the off-the-shelf
network applications used by many businesses.
Dynamic IP clients automatically receive the configuration parameters needed
to access the network at a particular location. These are location-sensitive
because they are selected and served based on information about the host's
location, specifically the subnet to which they are attached.
Dynamic IP uses only open standards (IETF RFCs), so it is compatible with
existing IP products from other manufacturers. This means that one can
integrate DHCP and DDNS servers and Dynamic IP clients into a network
without changing the existing routers or routing tables, and with little change
to the existing DNS hierarchy.
How Does Dynamic IP Work?
Dynamic IP has the following components:
- Dynamic IP hosts run the DHCP and Dynamic DNS client programs.
The DHCP and DDNS clients work together to obtain and implement
configuration information to automatically access IP networks.
- DHCP servers provide the addresses and configuration information to
DHCP and BOOTP clients on the network. DHCP servers contain
information about the network configuration and about host
operational parameters as specified by the network administrator.
- Dynamic DNS servers are superset of the traditional BIND DNS
servers. The dynamic enhancements enable client hosts to dynamically
and securely register their name and address mappings in the DNS
tables directly, rather than having an administrator do it manually.
- BOOTP relay agents can be used in IP router products to forward
messages between DHCP clients and servers on different subnets.
BOOTP relays eliminate the need for a DHCP server on each
subnet to service the broadcast requests from DHCP clients.
System operation can be broken up into two components:
- Acquiring configuration information
- Becoming known on the network
Consider the following example, where client CLIENT is a
workstation on subnet X that has been configured to use the DHCP
client and Dynamic DNS client. Server DHCPSERV is a DHCP server
on subnet Y. Server DYNODNS is a DDNS server on subnet Y.
Router ROUTER is an IP router that connects subnets X and Y and
that has been enabled for BOOTP relay and has been configured to
forward IP broadcast messages to DHCPSERV.
To acquire information, the DHCP client must obtain the
configuration information needed to access the network. This involves
the following steps:
- When CLIENT is started, the DHCP client program broadcasts
a DHCP DISCOVER message onto the LAN, soliciting
responses from any available DHCP servers.
- When ROUTER receives the DHCP broadcast message, it
inserts its own IP address on subnet X (the giaddr field) and forwards the message to
DHCPSERV.
- When DHCPSERV receives the DHCP broadcast message, it
reads the IP address inserted by ROUTER to determine where
the DHCP DISCOVER request packet originated. DHCPSERV
selects an IP address and a set of network parameters
appropriate for the originating subnet, subnet X, and returns
them in a DHCP OFFER packet to be forwarded to CLIENT
by way of ROUTER.
- CLIENT receives the OFFER, decides whether the offer meets
its needs, and assuming so, sends a REQUEST message to
DHCPSERV, requesting use of the offered configuration parameters
for the specified lease time.
- DHCPSERV receives the request and acknowledges the
request by sending an ACK message to CLIENT.
- Upon receipt of the ACK, CLIENT implements the
configuration information to access the IP network.
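Added example (hypothetical code, not from the lecture or any DHCP implementation): the DISCOVER/OFFER/REQUEST/ACK exchange above in Python, using the real RFC 2131 header layout and RFC 2132 option codes. relay() plays ROUTER (it fills in giaddr, which is how DHCPSERV learns the client is on subnet X), DHCPServer plays DHCPSERV with one address pool per subnet, and client_join() plays CLIENT. The subnets 10.0.1.0/24 and 10.0.2.0/24, the server at 10.0.2.2 and the relay at 10.0.1.1 are made up.

```python
import struct
import ipaddress

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6     # option 53 values
MAGIC = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"                     # fixed 236-octet BOOTP header

def ip4(s):
    return ipaddress.IPv4Address(s).packed

def build(op, xid, mac, yiaddr="0.0.0.0", giaddr="0.0.0.0", options=()):
    """Fixed header + magic cookie + TLV options + end marker (255). flags=0x8000
    asks for a broadcast reply, since the client has no address yet."""
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000, ip4("0.0.0.0"), ip4(yiaddr),
                      ip4("0.0.0.0"), ip4(giaddr), mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in options) + b"\xff"

def parse(msg):
    f = struct.unpack(HDR, msg[:236])
    opts, i = {}, 240
    while msg[i] != 0xff:
        opts[msg[i]] = msg[i + 2:i + 2 + msg[i + 1]]; i += 2 + msg[i + 1]
    return {"op": f[0], "hops": f[3], "xid": f[4], "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])), "mac": f[11][:6], "options": opts}

def relay(msg, relay_addr):
    """BOOTP relay agent on ROUTER: if giaddr is still zero, stamp in its own address on
    the client's subnet and bump hops, then forward the (formerly broadcast) message."""
    if msg[24:28] == b"\0\0\0\0":
        msg = msg[:3] + bytes([msg[3] + 1]) + msg[4:24] + ip4(relay_addr) + msg[28:]
    return msg

class DHCPServer:
    def __init__(self, addr, pools):
        """pools: {"10.0.1.0/24": ["10.0.1.50", ...]} free addresses per subnet."""
        self.addr = addr
        self.pools = {ipaddress.ip_network(n): list(a) for n, a in pools.items()}
        self.leases = {}                                # mac -> address

    def pool_for(self, m):
        # giaddr identifies the originating subnet; zero means a directly attached client
        src = ipaddress.ip_address(m["giaddr"] if m["giaddr"] != "0.0.0.0" else self.addr)
        return next((net for net in self.pools if src in net), None)

    def handle(self, msg, lease=3600):
        m = parse(msg)
        mtype, net = m["options"][53][0], self.pool_for(m)
        if net is None:
            return None                                 # no pool for that subnet: stay silent
        common = [(54, ip4(self.addr)), (51, struct.pack("!I", lease)), (1, net.netmask.packed)]
        if mtype == DISCOVER:
            addr = self.leases.get(m["mac"]) or (self.pools[net][0] if self.pools[net] else None)
            if addr is None:
                return None                             # pool exhausted
            return build(BOOTREPLY, m["xid"], m["mac"], addr, m["giaddr"], [(53, bytes([OFFER]))] + common)
        if mtype == REQUEST:
            if m["options"].get(54) != ip4(self.addr):
                return None                             # client accepted another server's offer
            want = str(ipaddress.IPv4Address(m["options"][50]))
            if want not in self.pools[net] and self.leases.get(m["mac"]) != want:
                return build(BOOTREPLY, m["xid"], m["mac"], "0.0.0.0", m["giaddr"], [(53, bytes([NAK]))])
            if want in self.pools[net]:
                self.pools[net].remove(want)
            self.leases[m["mac"]] = want
            return build(BOOTREPLY, m["xid"], m["mac"], want, m["giaddr"], [(53, bytes([ACK]))] + common)
        return None

def client_join(mac, relay_addr, server, xid=0x3903F326):
    """CLIENT's side: DISCOVER -> OFFER -> REQUEST -> ACK, each request broadcast on
    subnet X and carried to DHCPSERV by the relay. Returns (address, lease seconds)."""
    offer_msg = server.handle(relay(build(BOOTREQUEST, xid, mac, options=[(53, bytes([DISCOVER]))]), relay_addr))
    if offer_msg is None:
        return None
    offer = parse(offer_msg)
    req = build(BOOTREQUEST, xid, mac, options=[(53, bytes([REQUEST])), (50, ip4(offer["yiaddr"])),
                                                (54, offer["options"][54])])
    ack = parse(server.handle(relay(req, relay_addr)))
    if ack["options"][53][0] != ACK:
        return None
    return ack["yiaddr"], struct.unpack("!I", ack["options"][51])[0]
```

Note what is absent: nothing in the exchange authenticates either side, which is the point made later under Securing Your Dynamic IP Network. Any host can broadcast a DISCOVER, and any host can answer one.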
It is necessary to update the DNS server, DYNODNS, with the name and
address information assigned CLIENT so that others can discover the IP
address assigned to CLIENT.
In general, the following information is needed to update the Dynamic DNS server:
- The fully qualified domain name, consisting of the host name with the domain name appended
- The name or address of the primary DNS server, which is the DNS server that accepts dynamic updates for the domain
To become known on the network the following is involved:
- The DDNS client configuration program prompts the user for the host name. In this example, WARPSPEED is the host name. The DHCP client appends the pre-configured domain name, for example dynamic.your-company.com, to the host name, so WARPSPEED will be uniquely known as warpspeed.dynamic.your-company.com. The name of the primary Dynamic DNS server defaults to ns-updates in that domain, so all DNS update requests for WARPSPEED will be sent to the DNS server known as ns-updates.dynamic.your-company.com.
- CLIENT creates a DNS update message for DYNODNS that includes the necessary information.
- WARPSPEED sends the name update message to DYNODNS, giving its fully qualified host name, its assigned IP address and the lease time.
- DYNODNS sends an acknowledgment to WARPSPEED that the information has been received and the database has been updated.
Configuring for Network Availability
When using only a single DHCP server, the failure of this server
affects only the DHCP clients attempting to join the network. The DHCP clients
already on the network continue operating until their lease expires. If the
lease time is short, choose one long enough to allow the failed DHCP server to be
restarted or repaired before clients lose their addresses.
Using multiple DHCP servers keeps a subnet served if one
DHCP server fails. The DHCP servers can be reachable either by direct
attachment to the physical subnet or through a BOOTP relay function in an
attached IP router. Two DHCP servers cannot serve the same addresses for a
particular subnet, so the address pools defined for a subnet must be
divided across those servers. It is possible to configure one DHCP server to act
as the primary server with an address pool consisting of 70% of the available
addresses for the subnet and the secondary server with an address pool consisting
of the remaining 30%. If one DHCP server fails, the other may therefore not be able
to serve all of the new hosts wishing to enter the network.
Enabling Host Mobility
Dynamic IP is well suited for networking mobile hosts, such as laptop computers.
When accessing a Dynamic IP network, Dynamic IP clients can automatically
obtain and implement configuration information and register their current
location/address with the Dynamic DNS server. DHCP can provide location-
specific configuration information therefore mobile clients can be assured of
always having an accurate configuration.
If you move the Dynamic IP client computer out of its current subnet, you
simply need to restart it to obtain configuration information for the new
location and to update the Dynamic DNS server with the new IP address. Because
the Dynamic DNS server that you update remains constant, other hosts will be
able to reach you using your fully qualified host name even after you move to
another subnet.
Securing Your Dynamic IP Network
The DHCP protocol specification does not include any mechanism to limit
access to DHCP services; any host on the subnet can ask for an address. Dynamic IP
only prevents unauthorized access to the Dynamic DNS update service: DNS security
extensions are used in DDNS to authenticate hosts that request to enter or change
entries in the DDNS server database.
DDNS servers support two modes of controlling updates for a particular
dynamic DNS zone: dynamic secured and dynamic pre-secured.
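Added example covering both the registration steps in the WARPSPEED walk-through and the update authentication described under Securing Your Dynamic IP Network; it is illustrative code, not the DDNS server the lecture describes and not BIND. build_update() produces an RFC 2136 UPDATE message (opcode 5, with the "name not in use" prerequisite on a first registration), and DDNSServer applies it only if an HMAC-SHA256 computed with the key registered for the host (the KEY-record idea) verifies, the key owner matches the name being changed, and the zone is the server's. The HMAC trailer is a deliberately simplified stand-in for the real TSIG record format (RFC 2845); the zone dynamic.your-company.com, the host names and the secrets are constructed.

```python
import hmac
import hashlib
import struct

A, SOA, ANY = 1, 6, 255
IN, NONE = 1, 254
NOERROR, FORMERR, REFUSED, YXDOMAIN, NOTAUTH = 0, 1, 5, 6, 9     # RCODEs

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(buf, off):
    """Uncompressed names only, which is all build_update() emits."""
    labels = []
    while buf[off]:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode()); off += 1 + buf[off]
    return ".".join(labels), off + 1

def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(zone, fqdn, ip, ttl, key_name, secret, first_registration, xid=0x4242):
    """RFC 2136 UPDATE (opcode 5): zone, prerequisite, update and additional sections.
    On a first registration the prerequisite 'name not in use' (type ANY, class NONE)
    makes the server refuse to overwrite a name another host already holds."""
    prereqs = [rr(fqdn, ANY, NONE, 0, b"")] if first_registration else []
    updates = [rr(fqdn, A, ANY, 0, b""),                                  # delete existing A RRset
               rr(fqdn, A, IN, ttl, bytes(int(o) for o in ip.split(".")))]  # add the new address
    hdr = struct.pack("!HHHHHH", xid, 5 << 11, 1, len(prereqs), len(updates), 0)
    body = hdr + encode_name(zone) + struct.pack("!HH", SOA, IN) + b"".join(prereqs + updates)
    # Simplified authentication (NOT the TSIG wire format): key name + HMAC over the message.
    mac = hmac.new(secret, body, hashlib.sha256).digest()
    return body + encode_name(key_name) + mac

class DDNSServer:
    def __init__(self, zone, keys):
        self.zone, self.keys = zone, keys        # keys: {host name: secret}, the KEY-record idea
        self.records, self.serial = {}, 2024010100

    def handle(self, msg):
        """Return an RCODE; apply the update only if the key verifies, the key owner is the
        name being changed, the zone is ours and the prerequisites hold. Serial bumps on success."""
        xid, flags, zc, pc, uc, ac = struct.unpack("!HHHHHH", msg[:12])
        if (flags >> 11) & 0xF != 5 or zc != 1:
            return FORMERR
        zone, off = decode_name(msg, 12)
        off += 4

        def read_rrs(n, off):
            out = []
            for _ in range(n):
                name, off = decode_name(msg, off)
                rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
                out.append((name, rtype, rclass, ttl, msg[off:off + rdlen])); off += rdlen
            return out, off

        prereqs, off = read_rrs(pc, off)
        updates, off = read_rrs(uc, off)
        body = msg[:off]
        key_name, off = decode_name(msg, off)
        secret = self.keys.get(key_name)
        expected = hmac.new(secret, body, hashlib.sha256).digest() if secret else b""
        if not secret or not hmac.compare_digest(expected, msg[off:]):
            return REFUSED                       # unknown key or bad signature
        if zone != self.zone:
            return NOTAUTH
        if any(name != key_name for name, *_ in prereqs + updates):
            return REFUSED                       # a key may only change its own name
        for name, rtype, rclass, _, _ in prereqs:
            if rtype == ANY and rclass == NONE and name in self.records:
                return YXDOMAIN                  # name already in use
        for name, rtype, rclass, ttl, rdata in updates:
            if rclass == ANY:
                self.records.pop(name, None)     # delete RRset
            elif rclass == IN:
                self.records[name] = (rtype, ttl, ".".join(map(str, rdata)))
        self.serial += 1
        return NOERROR
```

The authorization check (key owner must equal the name being updated) is what enforces the KEY-record promise that a client cannot take over another client's host name; the HMAC alone would only prove that some registered host sent the message.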