DNS/DNSSEC Workshop
In Collaboration with APNIC and HKIRC, Hong Kong
Champika Wijayatunga, Regional Security Engagement Manager, Asia Pacific
22-24 January 2018
Agenda
+ Introduction to DNS
+ DNS Features
+ Domains, Delegations and Zones
+ DNS Servers
+ Resolution Process
+ Caching
+ Zone Files
+ Forward DNS vs Reverse DNS
+ DNS Security
+ DNSSEC Overview
History
+ 1983: DNS was designed/invented by Paul Mockapetris (RFC 882 & 883)
+ 1984: Berkeley Internet Name Domain (BIND) server developed; original seven generic TLDs (.com, .edu, .gov, .int, .mil, .net and .org)
+ 1985: First country codes assigned: .us, .uk and .il
+ 1986: .au, .de, .fi, .fr, .jp, .kr, .nl and .se
+ 1987: RFC 1034 (considered the first full DNS specification)
+ ... Country code TLDs continue to be added
+ 2000: Seven new TLDs added (.aero, .coop, .museum, .biz, .info, .name and .pro)
+ 2012: New round of applications for gTLDs opened by ICANN
What is DNS?
A distributed database primarily used to obtain the IP address, a number, e.g. 192.0.32.7 (IPv4) or 2620:0:2d0:200::7 (IPv6), that is associated with a user-friendly name (www.icann.org).
Query (user to DNS server): What is www.icann.org?
Answer (DNS server to user): 192.0.32.7 or 2620:0:2d0:200::7
DNS Tree
[Figure: the DNS tree. The Root is at the top; below it are the top-level domains (generic TLDs such as org, net and com; country-code TLDs such as au and sg); below those the second-level names (icann, isoc, ripe, apnic, example); and below those the hosts (www, ssac). A Fully Qualified Domain Name (FQDN) names the whole path from the root, e.g. www.icann.org.]
DNS Features
What are the Key Features of DNS?
+ Hierarchical
+ Globally distributed
+ Dynamic
+ Scalable
+ Reliable
+ Consistent
DNS Resolution, Servers, and Caching
Root Server Operation
What do the Root-Server Operators do?
+ Copy a very small database, the content of which is currently decided by PTI (formerly IANA)
+ Put that database in the servers called Root Servers
+ Make the data available to all Internet users
+ Their work stems from a common agreement about the technical basis:
  - Everyone on the Internet should have equal access to the data
  - The entire root system should be as stable and responsive as possible
What do the Root-Server Operators not do?
+ Interfere with the content of the database (e.g. they run the printing presses, but don't write the book)
+ Make policy decisions:
  - Who runs TLDs, or which domains are in them
  - What systems TLDs use, or how they are connected to the Internet
Who are the Root Server operators?
+ Not "one group": 12 distinct operators
+ Operational and technical cooperation
+ Participate in RSSAC, an advisory body to ICANN
+ High level of trust among operators
+ Show up at many technical meetings, including IETF, ICANN, RIR meetings, NOG meetings, APRICOT etc.
How Secure are the Root Servers?
+ Physically protected
+ Tested operational procedures
+ Experienced, professional, trusted staff
+ Defense against the major operational threat, i.e. DDoS: Anycast
  - Setting up identical copies of existing servers: same IP address, exactly the same data
  - Standard Internet routing will bring the queries to the nearest server
  - Provides better service to more users
Avoiding Common Misconceptions
+ Not all Internet traffic goes through a root server
+ Not every DNS query is handled by a root server
+ Root servers are not managed by volunteers as a hobby; they are professionally managed and well funded
+ No single organization (neither commercial nor governmental) controls the entire system
+ The "A" server is not special
+ Root Server Operators don't administrate the zone content; they publish the IANA-approved data
Root Server Operation @ ICANN
+ ICANN is the L-Root operator
+ L-Root nodes keep Internet traffic local and resolve queries faster
+ Make it easier to isolate attacks
+ Reduce congestion on international bandwidth
+ Redundancy and load balancing with multiple instances
L-Root presence
L-Root presence
+ Geographical diversity via Anycast
+ Around 160 dedicated servers
+ Presence on every continent
+ On a normal basis 15 ~ 25 kqps
+ That is approximately 2 billion DNS queries a day
+ Interested in hosting an L-Root? Contact your ICANN Global Stakeholder Engagement Representative
Types of DNS Servers
+ Authoritative servers:
  - Root servers
  - Primary
  - Secondary
+ Recursive servers (also called recursive resolvers or caching servers)
DNS Resolution Process
Caching
+ Recursive or caching servers not only find answers but also store answers locally for the TTL period of time
+ TTL = Time To Live
Domain, Delegations and Zones
Domains
[Figure: the DNS tree with three domains highlighted: the org domain (the org node and everything below it, e.g. icann and isoc), the icann.org domain (icann.org together with www and learn below it), and the au domain (au together with com and example below it).]
Delegations
+ Administrators can create subdomains to group hosts, according to geography, organizational affiliation etc.
+ The authority over such subdomain(s) can be delegated to another party
+ The parent domain retains links to the delegated subdomain
+ The parent domain remembers to whom the subdomain is delegated
Zones
[Figure: the same tree divided into zones: the org zone (the org node down to its delegation points), the icann.org zone (icann.org with www, but not learn), and the learn.icann.org zone, which has been delegated out of icann.org and is served separately.]
Zone Files
Zone Data
+ DNS zone data are hosted at an authoritative name server
+ DNS zones contain resource records that describe:
  - Name servers
  - IP addresses
  - Hosts, services
  - Cryptographic keys
  - Signatures etc.
Resource Records (RR)
+ Consist of resource mappings:
  Label   TTL    Class   Type   RData
  www     3600   IN      A      192.168.0.1
+ Most common types of RR: A, AAAA, NS, SOA, MX, CNAME

Resource Record field   Function
Label                   Name substitution for FQDN
TTL                     Timing parameter, an expiration limit
Class                   IN for Internet, CH for Chaos
Type                    RR Type (A, AAAA, MX, PTR) for different purposes
RDATA                   Anything after the Type identifier; payload of the record
Zone Files

$TTL 86400 ; 24 hours, could have been written as 24h or 1d
$ORIGIN example.test.
@    IN SOA ns1.example.test. hostmaster.example.test. (
         2017092701 ; serial number
         3H         ; refresh
         15         ; retry
         1w         ; expire
         3h         ; nxdomain TTL
         )
     IN NS    ns1.example.test.              ; in the domain
     IN NS    ns2.anotherexample.net.        ; external to domain
     IN MX    10 mail.someotherexample.com.  ; external mail provider
ns1  IN A     192.168.0.1                    ; name server definition
www  IN A     192.168.0.2                    ; web server definition
ftp  IN CNAME www.example.test.              ; ftp server definition
host IN A     192.168.0.3                    ; host definition
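As an added example (not part of the workshop slides), a small Python parser for a zone file in the format shown above: it handles $TTL and $ORIGIN, the '@' and relative owner names, owner-name inheritance on indented lines, the parenthesised multi-line SOA, and BIND time units such as 3H and 1w. The sample zone is constructed from the slide's zone file.

```python
import re
# Constructed sample: the zone file from the slide above, with the SOA RDATA split across lines.
ZONE = """\
$TTL 86400 ; 24 hours, could also be written 24h or 1d
$ORIGIN example.test.
@    IN SOA ns1.example.test. hostmaster.example.test. (
         2017092701 3H 15 1w 3h ) ; serial, refresh, retry, expire, nxdomain TTL
     IN NS    ns1.example.test.
     IN NS    ns2.anotherexample.net.
     IN MX    10 mail.someotherexample.com.
ns1  IN A     192.168.0.1
www  IN A     192.168.0.2
ftp  IN CNAME www.example.test.
"""
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
def ttl_seconds(token):
    """BIND time value such as 3H, 1w, 1h30m or a plain 86400, converted to seconds."""
    return sum(int(n) * UNITS.get(u, 1) for n, u in re.findall(r"(\d+)([smhdw]?)", token.lower()))

def fqdn(name, origin):
    """Expand a relative name against $ORIGIN; '@' stands for the origin itself."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (owner, ttl, class, type, rdata) tuples: names absolute, times in seconds."""
    origin, default_ttl, owner, records = ".", 0, None, []
    # Drop ';' comments, then fold parenthesised multi-line RDATA (the SOA) onto one line.
    body = "\n".join(ln.split(";")[0].rstrip() for ln in text.splitlines())
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)
    for line in filter(str.strip, body.splitlines()):
        t = line.split()
        if t[0] == "$ORIGIN":
            origin = t[1]
        elif t[0] == "$TTL":
            default_ttl = ttl_seconds(t[1])
        else:
            # A line that starts with whitespace reuses the previous record's owner name.
            owner = owner if line[0].isspace() else fqdn(t.pop(0), origin)
            ttl = ttl_seconds(t.pop(0)) if t[0][0].isdigit() else default_ttl
            rclass = t.pop(0) if t[0] in ("IN", "CH") else "IN"
            rtype, rdata = t[0], t[1:]
            if rtype in ("NS", "CNAME", "PTR"):
                rdata = [fqdn(rdata[0], origin)]
            elif rtype == "MX":
                rdata = [int(rdata[0]), fqdn(rdata[1], origin)]
            elif rtype == "SOA":
                rdata = [fqdn(rdata[0], origin), fqdn(rdata[1], origin)] + [ttl_seconds(x) for x in rdata[2:]]
            records.append((owner, ttl, rclass, rtype, rdata))
    return records
```

Each returned record carries the absolute owner name and the TTL it would be served with, which is what a caching server stores for that record.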
Delegating a Zone
+ Delegation is done by adding NS records
+ Ex: if example.com wants to delegate training.example.com to another party:
  training.example.test.  NS  ns1.training.example.test.
  training.example.test.  NS  ns2.training.example.test.
+ Now how can we get to ns1 and ns2? We must add a Glue Record
Glue Record
+ Glue is non-authoritative data
+ Don't include glue for servers that are not in the sub zones
+ Only the first two NS records below need glue (their servers are named inside the delegated zone); the last two point outside it:
  training.example.test.  NS  ns1.training.example.test.
  training.example.test.  NS  ns2.training.example.test.
  training.example.test.  NS  ns1.another_example.net.
  training.example.test.  NS  ns2.another_example.net.
+ Glue Record:
  ns1.training.example.test.  A  192.0.2.1
  ns2.training.example.test.  A  192.0.2.2
Delegating a Child Zone from a Parent Zone
example.test (parent zone), served by ns.example.test:
  1. Add NS records and glue
  2. Make sure there is no other data from the training.example.test. zone in the zone file
training.example.test (child zone), served by ns.training.example.test:
  1. Set up a minimum of two servers
  2. Create the zone file with NS records
  3. Add all training.example.test data
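An added example, not part of the workshop material: a Python check of the parent-zone side of the delegation procedure above. Given the parent's records, it verifies that the child has at least two NS records, that every name server named inside the child zone has glue, that no glue is present for servers outside the parent and child zones, and that no other child-zone data sits in the parent file. The record list is constructed and contains deliberate mistakes.

```python
# Constructed sample: records from the parent zone file example.test., given as
# (owner, type, rdata) with absolute names, around the delegation of training.example.test.
PARENT_ZONE = "example.test."
CHILD_ZONE = "training.example.test."
RECORDS = [
    ("example.test.", "NS", "ns1.example.test."),
    ("ns1.example.test.", "A", "192.168.0.1"),
    ("training.example.test.", "NS", "ns1.training.example.test."),
    ("training.example.test.", "NS", "ns2.training.example.test."),
    ("training.example.test.", "NS", "ns1.another_example.net."),
    ("ns1.training.example.test.", "A", "192.0.2.1"),
    # ns2's glue is missing on purpose, and the next two records should not be here at all.
    ("ns1.another_example.net.", "A", "198.51.100.1"),
    ("www.training.example.test.", "A", "192.0.2.80"),
]

def in_zone(name, zone):
    """True if name is the zone apex or lies below it (absolute names with trailing dot)."""
    return name == zone or name.endswith("." + zone)

def check_delegation(records, parent, child):
    """Return a list of findings for the delegation of child out of parent (empty = OK)."""
    findings = []
    ns_targets = [r for o, t, r in records if o == child and t == "NS"]
    if len(ns_targets) < 2:
        findings.append(f"{child}: fewer than two NS records ({len(ns_targets)})")
    # Glue is needed only for name servers whose names sit inside the delegated zone.
    glue_needed = {t for t in ns_targets if in_zone(t, child)}
    glue_present = {o for o, t, _ in records if t in ("A", "AAAA") and o in ns_targets}
    for t in sorted(glue_needed - glue_present):
        findings.append(f"{t}: in-bailiwick name server without glue A/AAAA")
    for t in sorted(glue_present - glue_needed):
        if not in_zone(t, parent):  # a server named inside the parent zone has its own authoritative A record
            findings.append(f"{t}: glue for a server outside {child} should not be in {parent}")
    # Below the cut the parent may hold only the apex NS set and glue for those servers.
    for o, t, r in records:
        if in_zone(o, child) and not (o == child and t == "NS") and not (o in glue_needed and t in ("A", "AAAA")):
            findings.append(f"{o} {t} {r}: data below the delegation point belongs in the child zone")
    return findings

if __name__ == "__main__":
    print("\n".join(check_delegation(RECORDS, PARENT_ZONE, CHILD_ZONE)) or "delegation OK")
```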
Propagation of DNS Data
[Figure: the Registry DB (database of domain names and registrants) feeds the Primary Server (authoritative server); zone updates reach the Secondary Servers (authoritative servers) at Refresh Time; Caching Servers pick up the change at TTL Expiry.]
Engage with ICANN
Thank You and Questions
Visit us at icann.org
Email: champika.wijayatunga@icann.org