Welcome everyone. This is the official blog about domains, Domain-invest.org.



Domain Name System

Thursday, May 5th, 2011

The Domain Name System (DNS) is one of the most important services in IP networks. Its main task is to answer requests for name resolution.

By analogy with a telephone directory service, the DNS takes a host name (a name that people can remember, such as www.example.org) and answers with the corresponding IP address (the "telephone number" on the Internet), for example an IPv4 address of the form 192.0.2.42 or an IPv6 address such as 2001:db8:85a3:8d3:1319:8a2e:370:7347.

Overview

The DNS is a hierarchical directory service distributed over thousands of servers worldwide that manages the namespace of the Internet. This namespace is divided into so-called zones, for each of which independent administrators are responsible. For local needs, such as within a company network, a DNS that is independent of the Internet can also be operated.

The DNS is mainly used to translate domain names into IP addresses (forward lookup). This is comparable to a telephone book, which resolves the names of subscribers to their telephone numbers. The DNS thus offers a simplification, because people remember names far better than columns of digits: a domain name like example.org is usually easier to memorise than the associated IP address 192.0.32.10. This becomes even more important with the introduction of IPv6, because a name will then carry both IPv4 and IPv6 addresses. The name www.kame.net, for example, resolves to the IPv4 address 203.178.141.194 and the IPv6 address 2001:200:0:8002:203:47ff:fea5:3085.

A further advantage is that IP addresses, for example of web servers, can be changed with relatively little risk. Because Internet users address hosts only by the (unchanged) DNS name, changes at the IP level are largely hidden from them. Since several IP addresses can be assigned to one name, even simple load balancing by DNS (round-robin) can be implemented.

The reverse operation, resolving an IP address to a DNS name (reverse lookup), is also possible. By analogy with the telephone book this corresponds to finding a subscriber's name from a known number, which the telecommunications industry calls an inverse search.

The DNS was designed in 1983 by Paul Mockapetris and described in RFC 882 and RFC 883. Both have since been replaced by RFC 1034 and RFC 1035 and supplemented by numerous further standards. The original task was to replace the local hosts file that had been used for name resolution until then and that could no longer cope with the enormous growth in the number of entries. Because of its proven reliability and flexibility, further databases have gradually been integrated into the DNS and thus made available to Internet users (see below: Extensions to the DNS).

The DNS is characterised by:

  • decentralised management,
  • hierarchical structuring of the namespace in tree form,
  • uniqueness of names,
  • extensibility.

Components of the DNS

The domain name space has a tree structure. The leaves and nodes of the tree are called labels. A complete domain name of an object is the concatenation of all labels along the path from that node to the root. In the host-name syntax of RFC 1035, section 2.3.1 ("Preferred name syntax"), a label is a string of at most 63 characters consisting of letters, digits and the hyphen as the only special character; it must begin with a letter (RFC 1123 later also allowed a leading digit) and must not end with a hyphen. (The DNS itself permits arbitrary octets in labels; this restriction applies to host names.) The individual labels are separated by dots. A domain name ends with a dot; the rightmost dot is usually omitted, but formally it belongs to a complete domain name. A correct, complete domain name (also called a Fully Qualified Domain Name, FQDN) is, for example: www.example.com.

A domain name may be at most 255 octets long in its wire form, including the length byte of each label and the terminating root label; in the usual dotted text form without the trailing dot that is 253 characters.

A domain name is always resolved and delegated from right to left: the further right a label is, the higher it sits in the tree. The dot at the right end of a domain name separates the label of the first hierarchy level from the root. This first level is also called the top-level domain (TLD). The objects of a DNS domain (for example the host names) are held as a set of resource records, mostly in a zone file, on one or more authoritative name servers. Instead of "zone file" the more general term zone is usually used.
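As an added illustration of the label and length rules above (not code from the original article), the following Python validates a host name label by label and computes the name's length in wire form. It assumes the RFC 1123 relaxation that allows a label to start with a digit, since host names such as 3com.com rely on it; the function and variable names are the example's own.

```python
"""Added example: check a host name against the RFC 1035 / RFC 1123 rules
for labels and the 255-octet wire-form limit.  Not part of the article."""
import re

MAX_LABEL = 63       # octets per label (RFC 1035, section 2.3.4)
MAX_NAME = 255       # octets of the wire-form name, length bytes included
# One label: starts with a letter or digit (RFC 1123 relaxation), ends with
# a letter or digit, hyphens only in between, 1..63 characters in total.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def split_fqdn(name):
    """Return the labels of `name`; one trailing dot (the root) is stripped."""
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def wire_length(labels):
    """Length on the wire: one length byte plus the label for each label,
    plus the terminating zero-length root label."""
    return sum(1 + len(label) for label in labels) + 1


def validate_hostname(name):
    """Return (ok, reason).  `name` may be relative or end in a dot."""
    if not name or name == ".":
        return False, "empty name"
    labels = split_fqdn(name)
    for label in labels:
        if label == "":
            return False, "empty label (leading or doubled dot)"
        if len(label) > MAX_LABEL:
            return False, "label longer than 63 octets: %r..." % label[:16]
        if not LABEL_RE.match(label):
            return False, "label violates host-name syntax: %r" % label
    if wire_length(labels) > MAX_NAME:
        return False, "name exceeds 255 octets on the wire"
    return True, "ok"


def to_fqdn(name):
    """Canonical form: lower case with exactly one trailing dot."""
    ok, reason = validate_hostname(name)
    if not ok:
        raise ValueError(reason)
    return ".".join(split_fqdn(name)).lower() + "."
```

Validating before a name is handed to a resolver or written into a zone keeps malformed input (underscores, leading hyphens, over-long labels) from reaching the server at all.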

Name Server

Name servers are, on the one hand, programs that answer queries about the domain name space; in everyday language, however, the computers that run these programs are also called name servers. A distinction is made between authoritative and non-authoritative name servers.

An authoritative name server is responsible for a zone. Its information about that zone is therefore regarded as reliable. For each zone there is at least one authoritative server, the primary name server, which is listed in the SOA resource record of the zone file. For reasons of redundancy and load distribution, authoritative name servers are almost always operated as a cluster in which the zone data is held identically on one or more secondary name servers. The synchronisation between primary and secondary name servers takes place via zone transfer.

A non-authoritative name server obtains its information about a zone from other name servers, so to speak second or third hand. Its information is not regarded as reliable. Because DNS data normally changes only rarely, a non-authoritative name server stores information it has resolved for a resolver in local memory for a while, so that a repeated query can be answered quickly. This is called caching. Each entry has its own expiry time (time to live, TTL), after which the cache entry is discarded. The TTL is set by the authoritative name server for each entry according to how likely the entry is to change (frequently changing DNS data gets a low TTL). This can also mean that a caching name server serves stale information for a while if the data has changed in the meantime.

A special case is the caching-only name server. Such a server is not responsible for any zone and must resolve all incoming queries via other name servers (forwarders). How a non-authoritative server obtains its information is described next.

Cooperation between the various name servers

To find information about other parts of the name space, a non-authoritative name server uses the following strategies:

Delegation
Parts of the name space of a domain are frequently split off into subdomains with their own name servers. A name server of a domain knows from its zone file which name servers are responsible for such a subdomain, and delegates queries for that part of the namespace to one of them.
Forwarding
If the requested name lies outside its own domain, the query is forwarded to a configured name server (forwarder).
Resolution via the root servers
If no forwarder is configured, or if it does not answer, the root servers are consulted. For this purpose the names and IP addresses of the root servers are stored in a static file (the root hints). There are 13 root server names (A to M). The root servers answer queries only iteratively (that is, they reply with a referral to other name servers), because they would otherwise be overloaded by the volume of such queries.

Resolver

Resolvers are simple software modules installed on the computers of DNS users that retrieve information from name servers. They form the interface between the application and the name server. The resolver accepts the request of an application, completes it to an FQDN if necessary and sends it to a name server that is usually assigned to it. A resolver works either recursively or iteratively.

In recursive mode the resolver sends a recursive query to the name server assigned to it. If that server does not have the desired information in its own database, it contacts other servers until it either receives a positive answer or a negative answer from an authoritative server. A recursive resolver thus leaves the whole work of resolution to its name server.

In an iterative query the resolver receives either the desired resource record or a referral to another name server, which it asks next. The resolver works its way from name server to name server until it receives an authoritative answer.

The resolver passes the resulting answer on to the program that requested the data, for example the web browser. Today's resolver clients work only recursively and are therefore called stub resolvers. Name servers usually have their own resolver, which normally works iteratively.

Well-known programs for checking name resolution are nslookup, host and dig. Further information on iterative and recursive name resolution can be found under "recursive and iterative name resolution".

Protocol

DNS queries are normally sent to the name server via UDP port 53. The DNS standard also permits TCP. If no Extended DNS (EDNS) is used, the maximum length of a DNS UDP packet is 512 bytes. Longer replies are therefore transmitted truncated. By setting the TC (truncated) flag the name server informs the requesting client of this; the client then has to decide whether the truncated answer is sufficient or not. If necessary it repeats the query via TCP port 53.

Zone transfers are always carried out over TCP port 53. The notifications that trigger a zone transfer (NOTIFY), however, are usually sent via UDP.
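The following Python, added here and not part of the original article, shows the wire format behind this: it builds a query, parses a reply byte by byte and handles the TC flag by repeating the query over TCP. The reply bytes are constructed inside the example (nothing is sent on the network) and the TCP side is represented by a callback; all function names are the example's own. The bounds and pointer checks in decode_name matter in practice, because a resolver parses bytes sent by arbitrary remote hosts.

```python
"""Added example: DNS message wire format (RFC 1035 section 4) with TC-flag
handling.  Replies are constructed for the example; not the article's code."""
import struct

# Header flag bits and the UDP payload limit that applies without EDNS0.
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
TYPE_A, CLASS_IN = 1, 1
UDP_MAX = 512


def encode_name(name):
    """'www.example.org.' -> length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, name, qtype=TYPE_A):
    """Header with RD set, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it).
    A compression pointer must point backwards, so a hostile message cannot
    make this loop, and every read is bounds-checked."""
    labels, end, jumped = [], offset, False
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: pointer
            if offset + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if target >= offset:
                raise ValueError("compression pointer does not point backwards")
            if not jumped:
                end = offset + 2
            jumped, offset = True, target
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else offset)
        if offset + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg):
    """Parse header, question and answer sections into a dict."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        if offset + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        if offset + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("rdata runs past end of message")
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "truncated": bool(flags & FLAG_TC),
            "authoritative": bool(flags & FLAG_AA), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def is_rejected(msg):
    """True if parse_response refuses `msg` (for checking malformed input)."""
    try:
        parse_response(msg)
    except ValueError:
        return True
    return False


def build_response(query, answers, truncated=False):
    """Constructed authoritative A-record reply to `query`.  Each owner name is
    a compression pointer (0xC00C) to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_AA | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    body = query[12:]                                   # echo the question
    for ttl, ip in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
        body += bytes(int(x) for x in ip.split("."))
    return struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0) + body


def resolve_from_bytes(query, udp_reply, tcp_query_fn):
    """Client side: reject an ID mismatch; if TC is set, discard the partial
    answer and repeat the query over TCP (tcp_query_fn stands in for the
    TCP socket and returns the reply bytes)."""
    if len(udp_reply) > UDP_MAX:
        raise ValueError("UDP reply larger than 512 bytes without EDNS")
    reply = parse_response(udp_reply)
    if reply["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    if reply["truncated"]:
        reply = parse_response(tcp_query_fn(query))
    return reply
```

The transaction-ID comparison is the only check a plain DNS client has against a spoofed reply, which is why real resolvers also randomise the source port; the pointer check keeps a crafted 0xC0 pointer from sending the parser into an endless loop.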

Structure of the DNS database

The Domain Name System can be viewed as a distributed database with a tree-like structure. For the Internet DNS the data is spread over a large number of servers worldwide, which are linked to each other by references, called delegations in DNS terminology.

On each participating name server there are one or more files, the so-called zone files, that contain all relevant data. These files are lists of resource records. Seven record types are of particular importance:

  • The SOA resource record sets parameters of the zone such as validity period or serial number.
  • The NS resource record implements the links (delegations) between servers.
  • The actual data is defined with the following record types:
    • An A resource record assigns an IPv4 address to a name.
    • An AAAA resource record assigns an IPv6 address to a name.
    • A CNAME resource record refers from a name to another name.
    • An MX resource record assigns a mail server to a name. For historical reasons it is a special case, because it refers to one specific service on the Internet, namely e-mail delivery via SMTP. All other services use CNAME, A and AAAA resource records for name resolution.
    • A PTR resource record assigns a name to an IP address (reverse lookup). It is used for both IPv4 and IPv6, for IPv4 below the domain IN-ADDR.ARPA. and for IPv6 below IP6.ARPA.

Over time, new types have been defined with which extensions to the DNS have been realised. This process is still ongoing. A complete list can be found under Resource Record.

Examples:

The following NS resource record is defined in the zone file of the domain org.: "The zone file for the domain wikipedia.org. is on the server ns0.wikimedia.org." The dot at the end is important, since it makes clear that no relative name is meant, that is, nothing is to be appended after org. IN means that the entry belongs to the class Internet, and the number in front of it is the time to live (TTL) in seconds: it states how long this information may be held in a cache before it has to be requested again. For dynamic IP addresses this number is usually between 20 and 300 seconds.

wikipedia  86400  IN  NS  ns0.wikimedia.org.

The following CNAME resource record in the zone file of the domain wikipedia.org. defines: "The name de.wikipedia.org. refers to the name rr.wikimedia.org."

de  3600  IN  CNAME  rr.wikimedia.org.

The following resource records in the zone file of the domain wikimedia.org. define: "The name rr.wikimedia.org. refers to the name rr.esams.wikimedia.org., which in turn is assigned the IPv4 address 91.198.174.2."

rr        600   IN  CNAME  rr.esams
rr.esams  3600  IN  A      91.198.174.2

Ultimately, therefore, all computers that want to connect to de.wikipedia.org. send IPv4 packets to the address 91.198.174.2.

Resolution of a DNS request

Suppose a host X wants to establish a connection to de.wikipedia.org. (computer Y). For this it needs the IP address. The following steps describe how this can happen. If host X is IPv6-capable, the procedure first runs for IPv6 (query for the AAAA resource record) and immediately afterwards for IPv4 (query for the A resource record); a query for an IPv6 address can also be sent over IPv4 to an IPv4 DNS server. If, at the end, both an IPv6 and an IPv4 address have been determined for host Y, then according to the default policy table in RFC 3484 communication between X and Y is as a rule carried out preferentially over IPv6 [1], unless this behaviour has been configured differently in the operating system or in the application used, such as the web browser.

  1. Computer X looks in its hosts file to see whether the IP address for de.wikipedia.org. is stored there. If not, it asks the DNS server entered on it. That server is either configured manually or assigned automatically via DHCP or DHCPv6 and has the form nameserver 192.0.2.23 or nameserver 2001:db8::23:cafe:affe:42.
  2. If the DNS server of computer X has an IP address for the requested name in its cache, it answers with it and the request is finished (see the last point). Otherwise it asks one of the 13 root name servers for de.wikipedia.org.
  3. The root name server finds that resolution of this name continues in the zone org. and sends the names and IP addresses of the org. name servers (NS resource records and the corresponding A and AAAA resource records) to the DNS server of computer X.
  4. The DNS server of computer X now asks one of the name servers for the org. domain for de.wikipedia.org.
  5. The org. name server sends it the names of the name servers for the zone wikipedia.org. (and their IP addresses, provided they belong to the same top-level domain).
  6. The DNS server of computer X then asks a wikipedia.org. name server what the IP address of the name de.wikipedia.org. is.
  7. With this address the DNS server of computer X answers ...
  8. ... and sends it to computer X, which can now send its HTTP requests to the IP address of de.wikipedia.org.
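To make the walk concrete, here is an added Python simulation (not the article's or any real resolver's code) of an iterative resolver running against an in-memory stand-in for the server hierarchy, using the names from the zone-file examples above. The server layout, the documentation-range addresses 192.0.2.x of the name servers and the glue-less name server ns1.wikimedia.org. are assumptions made for the example; only the address 91.198.174.2 is taken from the article. It also covers the two cases the steps above leave implicit: a referral to a name server whose address was not sent along (no glue) is resolved in a separate walk, and a CNAME is followed.

```python
"""Added example: iterative resolution over an in-memory stand-in for the
root -> org. -> wikipedia.org. / wikimedia.org. hierarchy.  Addresses of the
name servers are assumptions; nothing is sent on the network."""

ROOT_HINT = "192.0.2.1"   # assumed address of the stand-in root server

# Each stand-in server is keyed by its (assumed) address and holds the
# records of its zone: NS data is a host name, A data an address, CNAME data
# a target name.  Only 91.198.174.2 comes from the article.
SERVERS = {
    "192.0.2.1": {"zone": ".", "records": {
        ("org.", "NS"): ["a0.org-servers.net."],
        ("a0.org-servers.net.", "A"): ["192.0.2.2"]}},            # glue
    "192.0.2.2": {"zone": "org.", "records": {
        ("wikipedia.org.", "NS"): ["ns1.wikimedia.org."],          # no glue
        ("wikimedia.org.", "NS"): ["ns0.wikimedia.org."],
        ("ns0.wikimedia.org.", "A"): ["192.0.2.53"]}},             # glue
    "192.0.2.53": {"zone": "wikimedia.org.", "records": {
        ("ns0.wikimedia.org.", "A"): ["192.0.2.53"],
        ("ns1.wikimedia.org.", "A"): ["192.0.2.54"],
        ("rr.wikimedia.org.", "CNAME"): ["rr.esams.wikimedia.org."],
        ("rr.esams.wikimedia.org.", "A"): ["91.198.174.2"]}},
    "192.0.2.54": {"zone": "wikipedia.org.", "records": {
        ("de.wikipedia.org.", "CNAME"): ["rr.wikimedia.org."]}},
}


def query(server_ip, name, rtype):
    """One iterative query to one server.  Returns ("answer", records),
    ("cname", target) or ("referral", [(ns_name, ns_address_or_None), ...]).
    An empty answer list means: authoritative, but no such data."""
    srv = SERVERS[server_ip]
    recs = srv["records"]
    if (name, rtype) in recs:
        return "answer", recs[(name, rtype)]
    if (name, "CNAME") in recs:
        return "cname", recs[(name, "CNAME")][0]
    labels = name.split(".")
    for i in range(len(labels) - 1):          # closest enclosing delegation:
        candidate = ".".join(labels[i:])      # de.wikipedia.org. -> wikipedia.org. -> org.
        if candidate != srv["zone"] and (candidate, "NS") in recs:
            nslist = recs[(candidate, "NS")]
            return "referral", [(ns, recs.get((ns, "A"), [None])[0]) for ns in nslist]
    return "answer", []


def resolve(name, rtype="A", trace=None, depth=0):
    """Iterative resolution from the root hint.  Follows referrals, resolves
    glue-less name servers in a separate walk and follows CNAMEs.  `trace`
    collects (server, name, rtype, outcome); `depth` and the loop bound keep
    a looping delegation or CNAME chain from running forever."""
    if depth > 8:
        raise RuntimeError("too many indirections while resolving %s" % name)
    trace = [] if trace is None else trace
    server = ROOT_HINT
    for _ in range(16):
        kind, data = query(server, name, rtype)
        trace.append((server, name, rtype, kind))
        if kind == "answer":
            return data
        if kind == "cname":
            return resolve(data, rtype, trace, depth + 1)
        ns_name, ns_ip = data[0]              # deterministic: first listed server
        if ns_ip is None:                     # no glue: find the server's address first
            addrs = resolve(ns_name, "A", trace, depth + 1)
            if not addrs:
                raise RuntimeError("no address for name server %s" % ns_name)
            ns_ip = addrs[0]
        server = ns_ip
    raise RuntimeError("referral loop while resolving %s" % name)
```

Running resolve("de.wikipedia.org.") with a trace list shows the root referral, the org. referral without glue, the side walk that obtains the address of ns1.wikimedia.org., and the CNAME chain to 91.198.174.2. A real resolver additionally caches every answer and referral it sees, which is exactly where cache poisoning (see below) strikes.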

Example name resolution

The following annotated example determines the IPv4 address of the name www.heise.de using the resolver tool dig. "+trace" means that the individual queries to the name server hierarchy are shown iteratively, "+additional" ensures that for the delegation not only the NS resource records of the name servers are shown but, where known, also their IP addresses in the form of A or AAAA resource records, and "-t A" asks for the A resource record, that is, the IPv4 address. It turns out that four name servers have to be asked one after the other to arrive at the answer:

$ dig +trace +additional -t A www.heise.de.

; <<>> DiG 9.5.1-P3 <<>> +trace +additional -t A www.heise.de.
;; global options:  printcmd
.                       6086    IN      NS      B.ROOT-SERVERS.NET.
.                       6086    IN      NS      D.ROOT-SERVERS.NET.
.                       6086    IN      NS      j.root-SERVERS.NET.
.                       6086    IN      NS      G.ROOT-SERVERS.NET.
.                       6086    IN      NS      K.ROOT-SERVERS.NET.
.                       6086    IN      NS      c.root-SERVERS.NET.
.                       6086    IN      NS      M.ROOT-SERVERS.NET.
.                       6086    IN      NS      I.ROOT-SERVERS.NET.
.                       6086    IN      NS      H.ROOT-SERVERS.NET.
.                       6086    IN      NS      E.ROOT-SERVERS.NET.
.                       6086    IN      NS      F.ROOT-SERVERS.NET.
.                       6086    IN      NS      A.ROOT-SERVERS.NET.
.                       6086    IN      NS      L.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.     6644    IN      A       128.8.10.90
j.root-SERVERS.NET.     10421   IN      A       192.58.128.30
j.root-SERVERS.NET.     1289    IN      AAAA    2001:503:c27::2:30
G.ROOT-SERVERS.NET.     10940   IN      A       192.112.36.4
K.ROOT-SERVERS.NET.     4208    IN      A       193.0.14.129
K.ROOT-SERVERS.NET.     7277    IN      AAAA    2001:7fd::1
c.root-SERVERS.NET.     6126    IN      A       192.33.4.12
M.ROOT-SERVERS.NET.     3274    IN      A       202.12.27.33
M.ROOT-SERVERS.NET.     7183    IN      AAAA    2001:dc3::35
I.ROOT-SERVERS.NET.     9788    IN      A       192.36.148.17
H.ROOT-SERVERS.NET.     10421   IN      A       128.63.2.53
H.ROOT-SERVERS.NET.     13739   IN      AAAA    2001:500:1::803f:235
E.ROOT-SERVERS.NET.     11125   IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     9973    IN      A       192.5.5.241
;; Received 500 bytes from 192.168.2.1#53(192.168.2.1) in 50 ms

192.168.2.1 (see the last line) is the name server configured on the requesting computer; it points to the root name servers, all of which can be reached via IPv4 and some of which can also be queried via IPv6. The root name servers manage the root of the name space, represented by a single dot. Their IP addresses change very rarely, and every name server that answers queries about Internet names must know them (they are usually distributed as the "root hints" in a dedicated text file).

de.                     172800  IN      NS      F.NIC.de.
de.                     172800  IN      NS      L.DE.NET.
de.                     172800  IN      NS      S.DE.NET.
de.                     172800  IN      NS      Z.NIC.de.
de.                     172800  IN      NS      A.NIC.de.
de.                     172800  IN      NS      C.DE.NET.
A.NIC.de.               172800  IN      A       194.0.0.53
C.DE.NET.               172800  IN      A       208.48.81.43
F.NIC.de.               172800  IN      A       81.91.164.5
F.NIC.de.               172800  IN      AAAA    2001:608:6:6::10
L.DE.NET.               172800  IN      A       89.213.253.189
S.DE.NET.               172800  IN      A       195.243.137.26
Z.NIC.de.               172800  IN      A       194.246.96.1
Z.NIC.de.               172800  IN      AAAA    2001:628:453:4905::53
;; Received 288 bytes from 192.36.148.17#53(I.ROOT-SERVERS.NET) in 58 ms

Of the 13 root name servers, I.ROOT-SERVERS.NET. was chosen at random to be asked about www.heise.de. It answered with six name servers to choose from that are responsible for the zone de.; two of them can also be queried via IPv6.

heise.de.               86400   IN      NS      ns.plusline.de.
heise.de.               86400   IN      NS      ns.heise.de.
heise.de.               86400   IN      NS      ns2.pop-hannover.net.
heise.de.               86400   IN      NS      ns.pop-hannover.de.
heise.de.               86400   IN      NS      ns.s.plusline.de.
ns.s.plusline.de.       86400   IN      A       212.19.40.14
ns.heise.de.            86400   IN      A       193.99.145.37
ns.plusline.de.         86400   IN      A       212.19.48.14
ns.pop-hannover.de.     86400   IN      A       193.98.1.200
;; Received 220 bytes from 81.91.164.5#53(F.NIC.de) in 52 ms

Of the six name servers named, F.NIC.de. was chosen at random to find out more about www.heise.de. It answered with a delegation to five possible name servers, among them ns.heise.de. Without the accompanying A resource record pointing to 193.99.145.37, this information would be of no use, because the name ns.heise.de. lies in the very zone heise.de. that this server administers, so its address could not be found without already knowing it. Such records are called glue records. Had ns2.pop-hannover.net. been chosen for the next step, its IP address would first have had to be determined in a separate name resolution, because it was not sent along here.

www.heise.de.           86400   IN      A       193.99.144.85
heise.de.               86400   IN      NS      ns.pop-hannover.de.
heise.de.               86400   IN      NS      ns.plusline.de.
heise.de.               86400   IN      NS      ns2.pop-hannover.net.
heise.de.               86400   IN      NS      ns.s.plusline.de.
heise.de.               86400   IN      NS      ns.heise.de.
ns.heise.de.            86400   IN      A       193.99.145.37
ns.pop-hannover.de.     10800   IN      A       193.98.1.200
ns2.pop-hannover.net.   86400   IN      A       62.48.67.66
;; Received 220 bytes from 193.98.1.200#53(ns.pop-hannover.de) in 4457 ms

Of the five name servers named, ns.pop-hannover.de. was chosen at random to answer the question about www.heise.de. The answer is 193.99.144.85, so the query has reached its destination. The same name servers are once again listed as responsible for heise.de., and there is no referral to further name servers.

Example Reverse Lookup

For a reverse lookup, that is, finding the name belonging to an IP address, the IP address is first converted into a formal name, for which the DNS is then queried for a PTR resource record. Since the hierarchy of IP addresses runs from left to right (see subnet) but that of the DNS from right to left, the order of the numbers is reversed in a first step. From the IPv4 address 193.99.144.85, for example, the name 85.144.99.193.in-addr.arpa. is formed, and from the IPv6 address 2a02:2e0:3fe:100::6 the name 6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.e.f.3.0.0.e.2.0.2.0.a.2.ip6.arpa. (This name is so long because the zeros that are implicit in the compressed notation have to be written out again, one label per hexadecimal digit.)
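The conversion just described, as an added example that is not part of the article: Python functions that build the in-addr.arpa. or ip6.arpa. name for an address, convert such a name back into an address, and give the name of the reverse zone delegated for a prefix. Only delegations on octet (IPv4) or nibble (IPv6) boundaries are handled; classless in-addr.arpa delegation (RFC 2317) is not. The function names are the example's own.

```python
"""Added example: reverse-lookup names for IPv4 and IPv6 (not the article's
code).  Uses only the standard library."""
import ipaddress


def reverse_name(address):
    """193.99.144.85 -> 85.144.99.193.in-addr.arpa.;
    an IPv6 address -> one label per hex digit, reversed, under ip6.arpa."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")          # 32 hex digits, zeros restored
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_name_to_address(name):
    """Inverse of reverse_name for complete names; raises on anything else
    (handy when checking PTR queries seen in logs)."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        return ipaddress.ip_address(".".join(reversed(labels[:4])))
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        digits = "".join(reversed(labels[:32]))
        return ipaddress.ip_address(":".join(digits[i:i + 4] for i in range(0, 32, 4)))
    raise ValueError("not a complete reverse name: %r" % name)


def reverse_zone(prefix):
    """Name of the reverse zone delegated for a prefix, e.g.
    193.99.144.0/24 -> 144.99.193.in-addr.arpa.  Only octet (IPv4) or nibble
    (IPv6) boundaries; RFC 2317 classless delegation is not handled."""
    net = ipaddress.ip_network(prefix, strict=True)
    unit = 8 if net.version == 4 else 4
    if net.prefixlen % unit:
        raise ValueError("prefix length %d is not a multiple of %d bits" % (net.prefixlen, unit))
    labels = reverse_name(net.network_address).split(".")
    total = 4 if net.version == 4 else 32
    keep = net.prefixlen // unit                    # labels belonging to the prefix
    return ".".join(labels[total - keep:])
```

The round trip through reverse_name_to_address is useful when auditing PTR records, since a PTR is only meaningful if the name it is attached to really corresponds to the address being looked up.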

The PTR resource record for the name formed from the IPv4 address can be determined in the same way as in the previous example:

$ dig +trace +additional -t PTR 85.144.99.193.in-addr.arpa.

; <<>> DiG 9.5.1-P3 <<>> +trace +additional -t ptr 85.144.99.193.in-addr.arpa.
;; global options:  printcmd
.                       2643    IN      NS      M.ROOT-SERVERS.NET.
.                       2643    IN      NS      A.ROOT-SERVERS.NET.
.                       2643    IN      NS      B.ROOT-SERVERS.NET.
.                       2643    IN      NS      c.root-SERVERS.NET.
.                       2643    IN      NS      D.ROOT-SERVERS.NET.
.                       2643    IN      NS      E.ROOT-SERVERS.NET.
.                       2643    IN      NS      F.ROOT-SERVERS.NET.
.                       2643    IN      NS      G.ROOT-SERVERS.NET.
.                       2643    IN      NS      H.ROOT-SERVERS.NET.
.                       2643    IN      NS      I.ROOT-SERVERS.NET.
.                       2643    IN      NS      j.root-SERVERS.NET.
.                       2643    IN      NS      K.ROOT-SERVERS.NET.
.                       2643    IN      NS      L.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     10978   IN      A       198.41.0.4
A.ROOT-SERVERS.NET.     2470    IN      AAAA    2001:503:ba3e::2:30
c.root-SERVERS.NET.     387     IN      A       192.33.4.12
D.ROOT-SERVERS.NET.     2747    IN      A       128.8.10.90
E.ROOT-SERVERS.NET.     7183    IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     14225   IN      AAAA    2001:500:2f::f
H.ROOT-SERVERS.NET.     7950    IN      A       128.63.2.53
H.ROOT-SERVERS.NET.     13245   IN      AAAA    2001:500:1::803f:235
I.ROOT-SERVERS.NET.     6172    IN      A       192.36.148.17
j.root-SERVERS.NET.     7168    IN      A       192.58.128.30
j.root-SERVERS.NET.     13860   IN      AAAA    2001:503:c27::2:30
K.ROOT-SERVERS.NET.     3541    IN      A       193.0.14.129
K.ROOT-SERVERS.NET.     9369    IN      AAAA    2001:7fd::1
L.ROOT-SERVERS.NET.     3523    IN      A       199.7.83.42
;; Received 512 bytes from 192.168.2.1#53(192.168.2.1) in 50 ms

193.in-addr.arpa.       86400   IN      NS      ns3.nic.fr.
193.in-addr.arpa.       86400   IN      NS      sec1.apnic.net.
193.in-addr.arpa.       86400   IN      NS      sec3.apnic.net.
193.in-addr.arpa.       86400   IN      NS      sunic.sunet.se.
193.in-addr.arpa.       86400   IN      NS      ns-pri.ripe.net.
193.in-addr.arpa.       86400   IN      NS      sns-pb.isc.org.
193.in-addr.arpa.       86400   IN      NS      tinnie.arin.net.
;; Received 239 bytes from 199.7.83.42#53(L.ROOT-SERVERS.NET) in 170 ms

99.193.in-addr.arpa.    172800  IN      NS      auth50.ns.de.uu.net.
99.193.in-addr.arpa.    172800  IN      NS      ns.ripe.net.
99.193.in-addr.arpa.    172800  IN      NS      auth00.ns.de.uu.net.
;; Received 120 bytes from 202.12.28.140#53(sec3.apnic.net) in 339 ms

144.99.193.in-addr.arpa. 86400  IN      NS      ns.heise.de.
144.99.193.in-addr.arpa. 86400  IN      NS      ns.s.plusline.de.
144.99.193.in-addr.arpa. 86400  IN      NS      ns.plusline.de.
;; Received 114 bytes from 194.128.171.99#53(auth50.ns.de.uu.net) in 2456 ms

85.144.99.193.in-addr.arpa. 86400 IN    PTR     www.heise.de.
144.99.193.in-addr.arpa. 86400  IN      NS      ns.heise.de.
144.99.193.in-addr.arpa. 86400  IN      NS      ns.s.plusline.de.
144.99.193.in-addr.arpa. 86400  IN      NS      ns.plusline.de.
ns.heise.de.            86400   IN      A       193.99.145.37
;; Received 148 bytes from 193.99.145.37#53(ns.heise.de) in 4482 ms

So the answer is www.heise.de. Note that not every IP address necessarily has a name assigned to it, nor does the reverse resolution have to be the exact inverse of the forward one. The resolution again begins with a referral to the root name servers, and the delegations follow the dot boundaries between the numbers. The example also shows, however, that not every dot in a name has to correspond to a delegation: the root server here referred directly to the servers for 193.in-addr.arpa.

Extension to the DNS

Because the DNS has proven reliable and flexible, several major extensions have been introduced over the years. There is no end in sight to this trend.

Dynamic DNS

In the classic DNS it is laborious to assign a new IP address to a name: the corresponding zone file has to be changed (usually by hand) and the name server has to reload it. Delays of up to several days are common. With Dynamic DNS, changes can be made without delay by sending a DNS update request.

Dynamic DNS is a security risk unless special precautions are taken, because otherwise anyone could change or delete DNS entries; updates should therefore be accepted only from authenticated clients (see TSIG below). In combination with DHCP, Dynamic DNS is almost mandatory, since users are frequently assigned new IP addresses; the DHCP server sends a notification of every change of address to the name server.

Internationalization

Until now, labels have, as described, been restricted to alphanumeric characters and the hyphen. This is mainly because the DNS, like the Internet itself, was originally developed in the USA. As a result the DNS could not originally handle characters that are common in many countries (in the German-speaking area the umlauts ä, ö, ü and ß) or characters from entirely different writing systems (such as Chinese).

A now established approach to extending the character set is Internationalizing Domain Names in Applications (IDNA), described in RFC 3490 in 2003. To stay compatible with the existing system, names in the extended character set are mapped by an encoding onto names that are valid today. The extended characters are first normalised with the Nameprep algorithm (RFC 3491) and then mapped onto the character set usable in the DNS with Punycode (RFC 3492). IDNA requires an adaptation of network applications (such as web browsers); the name server infrastructure (servers, resolvers) does not need to change.

Extended DNS

In 1999 Paul Vixie described in RFC 2671 some small, backward-compatible extensions to the Domain Name System, referred to as EDNS version 0 (EDNS0). By means of an additional pseudo resource record (OPT) that reuses fields of the ordinary record format, the requester can, for example, indicate that it can receive UDP answers larger than 512 bytes. It also became possible to use extended label types. DNSSEC-capable servers and resolvers must support EDNS.

Management of phone numbers

Another recent extension of the DNS is ENUM (RFC 2916). This application allows Internet services to be addressed via telephone numbers, that is, devices reachable on the Internet can be "dialled" using the numbering scheme familiar from the telephone network. Of the broad spectrum of applications, it is of particular use for voice over IP services.

RFID support

Radio-frequency identification (RFID) tags carry stored IDs, so-called electronic product codes (EPCs), that can be read without contact. The DNS can be used to identify, for a given ID, the server that holds data about the corresponding object. The Object Naming Service (ONS) converts the EPC into a DNS name and queries one or more Naming Authority Pointer (NAPTR) records via standard DNS.

Anti-spam

To filter spam, many mail servers routinely check the addresses of the senders of incoming mail using the DNS. First the MX record of the sender domain is determined; from the IP address obtained, a name is then requested via reverse lookup. This name must match the original one (forward-confirmed reverse DNS), otherwise the mail is discarded. A spammer therefore cannot simply invent sender addresses but has to resort to registered domain names.

With the Sender Policy Framework (SPF) it can be verified much more effectively whether a sender name is valid. For every mail domain, a special SPF resource record (in practice a TXT record) lists explicitly which hosts may send mail from this domain (ideally only a single server); mail from other hosts can be rejected.
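The two checks described in the last two paragraphs, as an added example (not the article's code): a forward-confirmed reverse DNS check and a minimal evaluator for the ip4, ip6, a, mx and all mechanisms of an SPF record, both run against a stand-in resolver built from constructed records so that they work offline. The domain names, addresses and records are assumptions; a real implementation would also need the include, redirect and exists mechanisms, the DNS-lookup limit and the other result codes defined in RFC 7208.

```python
"""Added example: forward-confirmed reverse DNS and a minimal SPF check
against constructed records (not the article's code)."""
import ipaddress

# Constructed records: (name, type) -> record data.  An absent key stands
# for a name or type that does not exist.  All names end in a dot.
RECORDS = {
    ("mail.example.org.", "A"): ["192.0.2.25"],
    ("25.2.0.192.in-addr.arpa.", "PTR"): ["mail.example.org."],
    ("example.org.", "MX"): ["mail.example.org."],
    ("example.org.", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    ("example.net.", "MX"): ["mail.example.net."],
    ("mail.example.net.", "A"): ["203.0.113.7"],
    ("example.net.", "TXT"): ["v=spf1 mx ~all"],
    # A host whose PTR claims to be mail.example.org. although the forward
    # lookup of that name does not lead back to it.
    ("99.113.0.203.in-addr.arpa.", "PTR"): ["mail.example.org."],
}


def lookup(name, rtype):
    """Stand-in resolver over the constructed records."""
    return RECORDS.get((name, rtype), [])


def fqdn(name):
    return name.rstrip(".").lower() + "."


def addresses_of(name, version, lookup=lookup):
    rtype = "A" if version == 4 else "AAAA"
    return [ipaddress.ip_address(a) for a in lookup(fqdn(name), rtype)]


def fcrdns(address, lookup=lookup):
    """Forward-confirmed reverse DNS: a PTR name counts only if its own
    A/AAAA records contain the address again.  Returns that name or None."""
    ip = ipaddress.ip_address(address)
    for name in lookup(ip.reverse_pointer + ".", "PTR"):
        if ip in addresses_of(name, ip.version, lookup):
            return fqdn(name)
    return None


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, lookup=lookup):
    """Minimal SPF evaluation (RFC 7208) for the ip4, ip6, a, mx and all
    mechanisms.  Returns pass/fail/softfail/neutral/none/permerror."""
    ip = ipaddress.ip_address(sender_ip)
    domain = fqdn(domain)
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"                   # RFC 7208: more than one record
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:                             # a v4 address is never in a v6 net
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech in ("a", "mx"):
            target = fqdn(arg) if arg else domain
            hosts = lookup(target, "MX") if mech == "mx" else [target]
            matched = any(ip in addresses_of(h, ip.version, lookup) for h in hosts)
        else:
            return "permerror"               # include, exists, redirect: not handled
        if matched:
            return QUALIFIERS[qual]
    return "neutral"
```

The forged PTR for 203.0.113.99 shows why the forward confirmation is essential: anyone who controls the reverse zone of an address can put any name in a PTR record, but only the owner of that name controls where its A record points.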

Others

Besides IP addresses, DNS names can also be assigned ISDN numbers, X.25 addresses, ATM addresses, public keys, text strings and so on. In practice, however, such uses are the exception.

DNS on the local network

The DNS is not limited to the Internet. It is entirely possible, and compatible with the definition, to set up zones with their own names on a local name server for resolution in the local network and to enter the appropriate addresses there. The one-off effort of setting this up pays off even for relatively small networks, because all addresses in the network can then be managed centrally.

In larger companies or organisations a mixed system of local and Internet DNS (split DNS) is often found. Internal users access the local DNS, external ones the Internet DNS. In practice this can lead to quite complicated setups.

The DNS server BIND can also work together with DHCP and thus offer name resolution for every client in the network.

Under Windows there is a further service for name resolution, WINS, which provides a similar function but uses a different protocol.

DNS server network

It is possible to connect several DNS servers. A server called the master is responsible for one or more domains. The slaves update themselves after a change of the data; the master only notifies them of the change and does not push the data itself. The data is collected via zone transfer. A company with several sites, for example, can run the master of its internal DNS at one location and a slave on a server at each branch office. In BIND the zone transfer runs over TCP (port 53 by default), and authenticating the transfer (for example with TSIG) is strongly recommended. The slaves update themselves when the serial number of a zone changes or when they receive a corresponding notification from the master. Firewall rules that open the transfer port should be restricted to the IP addresses of the servers involved, and BIND's allow-transfer option should additionally limit which addresses may request a zone transfer at all. Other software packages may synchronise the data in other ways, for example via LDAP replication, rsync or other mechanisms.

DNS Security

The DNS is a central component of a networked IT infrastructure. A disruption can lead to considerable costs, and a falsification of the DNS data can be the basis of attacks. More than ten years after the original specification, security functions were added to the DNS. The following methods are available:

  • TSIG (Transaction Signatures) is a simple procedure based on symmetric keys with which the traffic between DNS servers and the updates from clients can be secured.
  • DNSSEC (DNS Security) uses an asymmetric cryptosystem and can meet almost all of the security requirements placed on the DNS: it provides origin authentication and integrity of the data (but no confidentiality). In addition to server-to-server communication, client-to-server communication can also be secured, provided the client validates the signatures itself.

Forms of attack

The main objective of DNS attacks is to direct Internet users to forged web sites by manipulation in order to obtain passwords, PINs, credit card numbers and so on. In rare cases attempts are made to switch off the Internet DNS completely by denial-of-service attacks and thereby cripple the Internet. In addition, the DNS is used as a tool in targeted attacks on individuals or companies.

DDOS attack on nameservers

In a distributed denial-of-service attack, DNS servers are overwhelmed with a large stream of DNS queries so that legitimate queries can no longer be answered. There is no complete defence against DDoS attacks on DNS servers. As a preventive measure one can only try to dimension name servers and network capacity generously or to distribute the service over as many servers as possible. Such an attack is demanding, because the attacker needs at least as much bandwidth as the server itself, which is hard to achieve from a single host; botnets and the like are therefore often used for such attacks.

DNS Amplification Attack

The DNS amplification attack is a denial-of-service attack in which the DNS is not itself the actual target but is used against an uninvolved third party. It exploits the fact that DNS servers sometimes return very long answers to short queries. The queries are sent with the forged source address of the victim, so that the answers are delivered to the victim. An attacker can thus substantially multiply its own outgoing data stream and so disrupt the Internet access of its target. Open recursive name servers are the usual amplifiers, which is one more reason to restrict recursion (see "Open DNS servers" below).

DNS spoofing

In DNS spoofing, a requesting client is sent a forged answer with a wrong IP address, so that it is directed to a wrong web page, for example.

Cache Poisoning

In cache poisoning, manipulated data is sent to a requesting caching name server or client along with a correct answer; the recipient stores it in its cache and may later use it unchecked.

Open DNS servers

Who an authoritative DNS server for its own domains operates must, of course, any IP address to be open for questions. To prevent that Internet subscriber server as a general name servers use this (for example, attacks on root servers), allows BIND to provide answers to their own domains restrict. For example, causes the option allow-recursion {127.0.0.1; 172.16.1.4;}; that recursive queries, ie queries to other domains, only for the local host (localhost) and 172.16.1.4 will be answered. All other IP addresses have only to requests on their own domains for an answer.

An additional safety measure is to allow only UDP from the outside. TCP can be permitted in addition; this depends on the properties of the proxy.

An open DNS server can also be a trap when it returns fake IP addresses; see pharming.

Spam Defense

In blacklists (RBL, short for Realtime Blackhole List), for example against spammers, DNS is used to query whether a domain name or an IP address is listed: the client sends a DNS request to the RBL server. This responds with 127.0.0.1 if the address is not listed, otherwise with 127.0.0.x, x > 1. The value of x can carry additional information about the listed address. Since the range 127.0.0.0/8 is reserved for the local host, no misinterpretation is possible.
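The query itself is an ordinary A-record lookup for a name built from the client's reversed address under the RBL zone. The following added example (not code from the original post) builds that name and interprets the 127.0.0.x answer as described above, additionally treating a missing answer (NXDOMAIN), which is how most public RBLs signal "not listed", as not listed; that extra case is an assumption beyond the post. The RBL zone name and the dictionary standing in for the DNS resolver are constructed so the code runs offline.

```python
"""DNS blacklist (RBL) lookup logic.

Added example (not from the post): builds the reversed-octet query name
under an RBL zone and interprets the 127.0.0.x answer as the post
describes. Assumptions beyond the post: NXDOMAIN (no answer) is treated
as "not listed", and the RBL zone plus the resolver stand-in are
constructed; a real client would issue a normal A-record query.
"""
import ipaddress

RBL_ZONE = "rbl.example.test"  # constructed; real RBL zones differ
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def rbl_query_name(ip: str, zone: str = RBL_ZONE) -> str:
    """Reverse the octets of an IPv4 address and append the RBL zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for non-IPv4 input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def interpret(answer):
    """Map an RBL answer to (listed, code).

    answer is the A record text, or None when the name does not exist."""
    if answer is None:          # NXDOMAIN: assumption, treated as not listed
        return False, None
    a = ipaddress.IPv4Address(answer)
    if a not in LOOPBACK:       # anything outside 127/8 is not an RBL code
        raise ValueError(f"unexpected RBL answer {answer}")
    x = a.packed[-1]            # last octet carries the listing code
    if x <= 1:                  # 127.0.0.1: not listed, as the post describes
        return False, x
    return True, x              # 127.0.0.x with x > 1: listed, x is the reason code


# constructed stand-in for the DNS resolver: query name -> A record
FAKE_DNS = {
    "66.100.51.198.rbl.example.test": "127.0.0.2",  # listed, code 2
    "5.113.0.203.rbl.example.test": "127.0.0.1",    # explicitly not listed
}


def check(ip: str, resolve=FAKE_DNS.get, zone: str = RBL_ZONE):
    """Full lookup: build the name, resolve it, interpret the result."""
    return interpret(resolve(rbl_query_name(ip, zone)))


if __name__ == "__main__":
    for ip in ("198.51.100.66", "203.0.113.5", "192.0.2.1"):
        print(ip, rbl_query_name(ip), check(ip))
```

To use it against a real list, replace the resolve argument with a function that performs the A-record query and returns None on NXDOMAIN; the rest of the logic is unchanged.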

Domain registration

To make names known on the Internet via DNS, the owner of the domain has the names registered. Registration ensures that certain formal rules are complied with and that domain names are unique worldwide. Domain registrations are carried out by organizations (registrars) that have been authorized for this purpose by IANA and ICANN. Registrations are (apart from a few exceptions) subject to a fee. For domains under .com, DENIC is responsible.

Detailed information can be found at Domain Registration .

Bonjour and Zeroconf

During the development of Mac OS X, Apple made several extensions to DNS that make self-configuring services in LANs possible. One is multicast DNS (mDNS), which permits name resolution in a LAN without a dedicated server. In addition, DNS-SD (DNS Service Discovery) was introduced, which allows searching ("browsing") for network services in DNS or mDNS. mDNS and DNS-SD are so far not official IETF RFCs, but implementations (including free ones) are already available. Together with a number of other techniques, Apple groups DNS-SD and mDNS under the name "Zeroconf", shipped as part of Mac OS X as "Rendezvous" or "Bonjour".

Name server software

A selection of well-known name server software.

  • BIND (Berkeley Internet Name Domain) is the original name server and still the most widely used name server software, not least because it is the reference implementation for most DNS RFCs. BIND is open-source software.
  • djbdns is a very secure name server of increasing popularity, which its author Daniel J. Bernstein has nevertheless declared deprecated because he considers it finished.
  • Dnsmasq is a simple DNS and DHCP server for small networks. It resolves names from the local network according to /etc/hosts; requests for unknown names are forwarded and the answers cached.
  • MaraDNS is a name server whose developers attach special importance to security.
  • Microsoft Windows includes a DNS server that supports dynamic updates, zone transfers and notification. In current versions, zone data is stored and replicated either in Active Directory or in zone files.
  • MyDNS is another open-source name server, specialized in storing zone data in MySQL and PostgreSQL databases.
  • NSD is a server optimized solely to provide authoritative answers very quickly.
  • PowerDNS was a fee-based implementation that is now available under the GPL; it is known primarily for serving zones directly from SQL databases and LDAP directories.
  • UltraDNS Managed DNS Service is a commercial service of NeuStar Ultra Services. The company also offers DNSshield, which secures the DNS of an alliance of ISPs, and specializes in DNS for large websites. Part of the root-level DNS is also served from here; the Internet Systems Consortium (ISC) operates the F-root server from here.
  • Xyria:DNSd is a performance-optimized DNS server that is about twice as fast as BIND. Xyria:DNSd is still quite minimal and does not support zone transfers (except perhaps via SSH), but is extremely secure and stable.
