DNS & Iodine. Christian Grothoff.

Similar documents
Domain Name Service. DNS Overview. October 2009 Computer Networking 1

Chapter 2 Application Layer. Lecture 5 DNS. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

CSCE 463/612 Networks and Distributed Processing Spring 2018

CS4/MSc Computer Networking. Lecture 3: The Application Layer

Lecture 05: Application Layer (Part 02) Domain Name System. Dr. Anis Koubaa

Application Layer Protocols

Lecture 7: Application Layer Domain Name System

Advanced Networking. Domain Name System

Advanced Networking. Domain Name System. Purpose of DNS servers. Purpose of DNS servers. Purpose of DNS servers

IP ADDRESSES, NAMING, AND DNS

Domain Name System (DNS) 김현철 ( 화 ) 정보통신융합서울대학교컴퓨터공학부

Computer Networking Introduction

CS519: Computer Networks. Lecture 6: Apr 5, 2004 Naming and DNS

The Application Layer: Sockets, DNS

DNS and HTTP. A High-Level Overview of how the Internet works

ECE 435 Network Engineering Lecture 7

Networking Applications

DNS and SMTP. James Walden CIT 485: Advanced Cybersecurity. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 1 / 31

CSEN 404 Introduction to Networks. Mervat AbuElkheir Mohamed Abdelrazik. ** Slides are attributed to J. F. Kurose

CS 43: Computer Networks. 10: Naming and DNS September 24, 2018

Domain Name System.

A DNS Tutorial

Domain Name System (DNS) DNS Fundamentals. Computers use IP addresses. Why do we need names? hosts.txt does not scale. The old solution: HOSTS.

ECE 650 Systems Programming & Engineering. Spring 2018

CSEN 503 Introduction to Communication Networks

CS 3516: Advanced Computer Networks

How to Add Domains and DNS Records

Application Layer: , DNS

DNS. A Massively Distributed Database. Justin Scott December 12, 2018

Applications & Application-Layer Protocols: The Domain Name System and Peerto-Peer

APNIC elearning: DNS Concepts

Chapter 2: Application layer

Domain Name System (DNS) Session-1: Fundamentals. Joe Abley AfNOG Workshop, AIS 2017, Nairobi

CSC 574 Computer and Network Security. DNS Security

DNS. DNS is an example of a large scale client-server application.

Domain Name System (DNS)

How to Configure the DNS Server

DNS and CDNs : Fundamentals of Computer Networks Bill Nace

Protocol Classification

Chapter 2 part B: outline

EECS 122: Introduction to Computer Networks DNS and WWW. Internet Names & Addresses

DNS Basics BUPT/QMUL

Overview General network terminology. Chapter 9.1: DNS

Domain Name System (DNS) Session-1: Fundamentals. Computers use IP addresses. Why do we need names? hosts.txt does not scale

ELEC / COMP 177 Fall Some slides from Kurose and Ross, Computer Networking, 5 th Edition

Computer Networks. Domain Name System. Jianping Pan Spring /25/17 CSC361 1

FTP. Mail. File Transfer Protocol (FTP) FTP commands, responses. Electronic Mail. TDTS06: Computer Networks

CSc 450/550 Computer Networks Domain Name System

CSE 265: System & Network Administration

DNS. Introduction To. everything you never wanted to know about IP directory services

Application Layer: OSI and TCP/IP Models

SOFTWARE ARCHITECTURE 9. NAME RESOLUTION.

Writing Assignment #1. A Technical Description for Two Different Audiences. Yuji Shimojo WRTG 393. Instructor: Claudia M. Caruana

Manual Configuration Stateful Address Configuration (i.e. from servers) Stateless Autoconfiguration : IPv6

ELEC / COMP 177 Fall Some slides from Kurose and Ross, Computer Networking, 5 th Edition

Computer Security CS 426

Applications & Application-Layer Protocols: (SMTP) and DNS

S Computer Networks - Spring What and why? Structure of DNS Management of Domain Names Name Service in Practice

Naming Computer Networking. Overview. DNS: Domain Name System. Obvious Solutions (1) Obvious Solutions (2)

This time. Digging into. Networking. Protocols. Naming DNS & DHCP

DNS Management with Blue Cat Networks at PSU

Information Network I: The Application Layer. Doudou Fall Internet Engineering Laboratory Nara Institute of Science and Technique

CS 3640: Introduction to Networks and Their Applications

Domain Name System (DNS)

DNS Review Quiz. Match the term to the description: A. Transfer of authority for/to a subdomain. Domain name DNS zone Delegation C B A

Network Security Part 3 Domain Name System

Oversimplified DNS. ... or, even a rocket scientist can understand DNS. Step 1 - Verify WHOIS information

page 1 Plain Old DNS WACREN, DNS/DNSSEC Regional Workshop Ouagadougou, October 2016

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration. Chapter 5 Introduction to DNS in Windows Server 2008

Computer Network 1 1

Application Layer. Goals:

Application Layer. Applications and application-layer protocols. Goals:

CSE 124 January 18, Winter 2017, UCSD Prof. George Porter

CSE 486/586 Distributed Systems

CSCD 330 Network Programming Winter 2015

The Domain Name System

Linux Network Administration

IPv4. Christian Grothoff.

Course Organization. The Internet as a Blackbox: Applications. Opening the Blackbox: The IP Protocol Stack

CS514: Intermediate Course in Computer Systems

The Domain Name System

2.5 DNS The Internet s Directory Service

Communications Software. CSE 123b. CSE 123b. Spring Lecture 11: Domain Name System (DNS) Stefan Savage. Some pictures courtesy David Wetherall

CSE 123b Communications Software. Overview for today. Names and Addresses. Goals for a naming system. Internet Hostnames

Application Layer. Goals: Service models. Conceptual aspects of network application protocols Client server paradigm

DNS. dr. C. P. J. Koymans. September 16, Informatics Institute University of Amsterdam. dr. C. P. J. Koymans (UvA) DNS September 16, / 46

Distributed Systems. Distributed Systems Within the Internet Nov. 9, 2011

CS 3640: Introduction to Networks and Their Applications

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

Computer Networks. More on Standards & Protocols Quality of Service. Week 10. College of Information Science and Engineering Ritsumeikan University

Expiration Date: May 1997 Randy Bush RGnet, Inc. November Clarifications to the DNS Specification. draft-ietf-dnsind-clarify-02.

Networks, WWW, HTTP. Web Technologies I. Zsolt Tóth. University of Miskolc. Zsolt Tóth (University of Miskolc) Networks, WWW, HTTP / 35

12. Name & Address 최양희서울대학교컴퓨터공학부

Chapter II: Application Layer

Objectives. Upon completion you will be able to:

Overview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly

More Internet Support Protocols

FTP. Client Server Model. Kent State University Dept. of Computer Science. CS 4/55231 Internet Engineering. Server Models

Application Protocols in the TCP/IP Reference Model

Managing Caching DNS Server

Transcription:

DNS & Iodine christian@grothoff.org http://grothoff.org/christian/ The Domain Name System is the Achilles heel of the Web. Tim Berners-Lee 1

DNS: Domain Name System Unique Distributed Database Application-layer protocol over UDP or TCP Maps names to IP addresses IP addresses to names Load distribution (multiple IP addresses for one canonical name) 2

Why not centralize DNS? single point of failure traffic volume high latency for those further away maintenance Centralized does not scale! 3

Key DNS Services Hostname to IP address translation (A, AAAA) Host aliasing (canonical name, CNAME record) Mail server aliasing (MX records) Nameserver delegation (NS records) Arbitrary text (TXT records) 4

Distributed, Hierarchical Database NS-records are used to specify delegations. 5

Root name servers 1 1 http://www.root-servers.org/map/ 6

Top-Level Domain (TLD) Servers Responsible for com, org, net, edu, etc and top-level country-code domains (de, uk, fr, ca, jp, eu) Organizations hosting TLD servers: de: DENIC edu: Educause com: Network Solutions These organizations perform domain-name registration 7

Authoritative DNS Servers Individual organization s DNS servers, providing authoritative mappings for organization s servers Can be maintained by organization or service provider Subdomains (www) and services (MX) are specified here Further delegation possible: news.bbc.co.uk 8

Local Name Server Does not strictly belong to hierarchy Each ISP (residental ISP, company, university) has at least one, typically at least two Also called default name server Hosts query the local DNS server, acts as proxy, forwards query into hierarchy 9

Stub Resolver DNS Resolver running on each host Often build deep into the OS Not a full DNS implementation Translates calls to gethostbyname or getaddrinfo into interaction with local name server 10

Iterative DNS Lookup 11

Recursive DNS Lookup 12

DNS Caching DNS servers cache mappings (DNS records) Entries time out based on expiration time in DNS record TLD servers are typically cached in local name servers Root name servers not visited often 13

DNS Zone Transfers A DNS Zone transfer copies the DNS database Organization typically has backup (secodary) DNS server Changes to primary DNS database must be propagated to backup server RFC 2136 DNS UPDATE specifies incremental update for fast convergence 14

DNS Records Records always contain four values: Name (a string) Value Type (a short string) Time-to-live (TTL) how long caching is allowed Each record originates from the authority for the respective name. 15

A records Name: hostname Value: IPv4 address Type: A 16

Name: hostname Value: IPv6 address Type: AAAA AAAA records 17

NS records Name: domain (e.g. foo.com) Value: hostname of authoritative name server Type: NS 18

MX records Name: domain (e.g. foo.com) Value: hostname of mail (SMTP) server Type: MX 19

CNAME records Name: alias name (i.e. www.ibm.com) Value: canonical (real) name (i.e. www2.eastcoast.ibm.com Type: CNAME 20

DNS Protocol (1/2) Query and reply messages have the same format: Identification Flags number of questions number of answer RRs number of authority RRs number of additional RRs questions (variable number) answers (variable number) authority (variable number) additional information (variable number) 21

DNS Protocol (2/2) Identification: 16 bit number of query that reply must match Flags: query or reply, recursion desired / recursion available, reply is authoritative Questions: name, type of a query Answers: RRs in response to query Authority: records for authoritative servers (NS records) Additional information: well RRs that might be useful as 22

Inserting records into DNS Register grothoff.org at DNS registrar: Provide name and IP of authoritative DNS server Registrar inserts two RRs into org TLD server: (grothof f.org, ns1.grothof f.org, N S) (ns1.grothof f.org, 12.34.56.78, A) Configure authoriative server: (www.grothof f.org, 12.34.56.79, A) (home.grothof f.org, 12.34.56.80, A) (home.grothoff.org, 2001 : 24 :: 1, AAAA) (mail.grothof f.org, home.grothof f.org, CN AM E) (grothof f.org, mail.grothof f.org, M X) 23

DNS and IP Anycast IP anycast makes multiple servers reachable under the same IP address: IP anycast is used for root servers and many TLDs since 2002. 24

Dependency on DNS DoS-Attack targeted Microsoft in January 2011: 25

Questions? The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards and even then I have my doubts. Gene Spafford 26

IP over DNS with Iodine christian@grothoff.org Never let your sense of morals get in the way of doing what s right. Isaac Asimov 27

Disclaimer This is an educational presentation: Ask your geek (me) how to do this Ask your lawyer about the legality of this Ask your priest about the ethics of this 28

Problem Statement Your provider offers an open WLAN network with browser-based authentication and/or payment. Specifically: Your local ISP gives you DNS, but not IP service nslookup www.google.com works prior to payment How can you go online anyway? 29

Related Problem Statements You are at a university and the conference-provided username/password doesn t work, or The university is a bit insane and filters ssh, irc or other useful protocols 30

Solution Tunnel IP over DNS After all, DNS is allowed, right? 31

Prerequisites Iodine (client and server), seems portable Control (root) over some system Control over a domain (i.e. grothoff.org) 32

Setup (while at home...) Point ns record of i.grothoff.org to your machine (i.e. my.home.in.tum.de ) Start iodined on my.home.in.tum.de : # iodined -c -f -D -u grothoff \ -P password 192.168.0.1 i.grothoff.org 33

Setup (while at home...) Configure NAT (on my.home.in.tum.de ): # echo 1 > /proc/sys/net/ipv4/ip_forward # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # iptables -A FORWARD -i eth0 -o dns0 -m state \ --state RELATED,ESTABLISHED -j ACCEPT # iptables -A FORWARD -i dns0 -o eth0 -j ACCEPT 34

For example: Setup WLAN (on the road) # wpa_supplicant... # dhclient wlan0 Check your ISP s DNS resolver: # cat /etc/resolv.conf nameserver 62.101.93.101 Check your default route: # route -n grep 0.0.0.0 0.0.0.0 10.10.10.1... 35

Drop ISP s default route Remove your existing default route: # route del default gw Keep routing DNS queries via old default route: # route add -host 62.101.93.101 gw 10.10.10.1 36

Setup Iodine Start iodine: # iodine -f -u grothoff -P password \ -L0 62.101.93.101 i.grothoff.org Add new default route: # route add default gw 192.168.0.1 37

A few tests: ping # ping -c1 www.net.in.tum.de PING www.net.in.tum.de (131.159.15.49) 56(84) bytes of dat 64 bytes from typo3.net.in.tum.de (131.159.15.49): icmp_req=1 ttl=62 time=27.6 ms --- www.net.in.tum.de ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0m rtt min/avg/max/mdev = 27.634/27.634/27.634/0.000 ms 38

A few tests: ssh $ time ssh gnunet.org -C echo test test real 0m2.186s user 0m0.048s sys 0m0.040s 39

A few tests: wget $ time wget -o /dev/null \ http://grothoff.org/christian/ real 0m6.456s user 0m0.000s sys 0m0.020s 40

A few tests: scp $ ls -al test.pdf -rw-r--r-- 1 g g 303297 test.pdf $ time scp test.pdf my.home.in.tum.de:. real 1m0.900s user 0m0.104s sys 0m0.016s So expect roughly 5 kb/s upload, I got about 15 kb/s downloads. 41

Experiences If you only do one thing at a time, these work: + IMAPS + SMTP + HTTP / HTTPS + SSH 42

What s actually going on? Source: 62.101.93.101 (62.101.93.101) Destination: 10.10.10.33 (10.10.10.33) User Datagram Protocol Source port: domain (53) Destination port: 38275 (38275) Length: 752 Transaction ID: 0x12e5 Queries paaiglzq.i.grothoff.org: type NULL, class IN Name: paaiglzq.i.grothoff.org Type: NULL (Null resource record) Class: IN (0x0001) 43

What s actually going on? Answers paaiglzq.i.grothoff.org: type NULL, class IN Name: paaiglzq.i.grothoff.org Type: NULL (Null resource record) Time to live: 0 seconds Data length: 631 Data Authoritative nameservers i.grothoff.org: type NS, class IN, ns my.home.in.tum.de Name: i.grothoff.org Type: NS (Authoritative name server) Name Server: my.home.in.tum.de 44

Questions? The most all penetrating spirit before which will open the possibility of tilting not tables, but planets, is the spirit of free human inquiry. Believe only in that. Dmitri Mendeleev 45

RTFL Copyright (C) 2011 Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved. 46

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback