Domain Name Basics
DNS, DNSSEC and DANE: a short introduction for newcomers
Domain Name System (DNS)
DNS is a hierarchical, distributed naming system that translates domain names into IP
addresses, which makes websites easier to remember: united-domains.de instead of 89.31.137.101, for example.
The domain name space is a tree and its root is a "dot": www.united-domains.de.
[Figure: the name tree read from the root "." down through the top-level domains (uk, com, de, ...) to united-domains and then www]
2 | Tobias Sattler, CIO www.united-domains.de
Root Name Server
To resolve domain names, root name servers are needed.
The root zone file contains all top-level domains (.de, .com, .net) and the
IP addresses of their authoritative name servers.
There are 13 root name servers and they are available via IPv4 and IPv6.
These servers are load balanced across multiple computing resources; therefore
there are actually hundreds of servers worldwide, minimizing response
time and server overload.
Source: https://commons.wikimedia.org/wiki/File:Root-current.svg - Effective 03/2016
Who is maintaining the DNS?
The root DNS is maintained by the Internet Assigned Numbers Authority (IANA) and
the Internet Corporation for Assigned Names and Numbers (ICANN).
Top-level domains (TLDs) are maintained by Registries.
Domain names are usually maintained by Registrars, such as 1&1 Internet, united-domains, GoDaddy etc.
What is a DNS query?
A DNS query is the process of asking for the IP address that belongs to a name, for example
resolving www.domain.org to 192.0.2.0.
Domain name resolvers determine the name server responsible for the
domain name in question by a sequence of queries, starting with the right-most
(top-level) domain label.
Source: https://whois.icann.org/en/dns-and-whois-how-it-works - Effective 03/2016
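To make the query concrete at the protocol level, here is an added example (not part of the original slides) that builds the wire-format query for www.domain.org, parses a constructed reply carrying the 192.0.2.0 answer, and applies the check every resolver performs before trusting a reply: the transaction ID and the echoed question must match what was sent. The reply bytes, the transaction ID 0x1234 and all function names are constructed for this example; only the Python standard library is used.

```python
import struct


def encode_name(name):
    """Encode a dotted name as DNS labels: a length byte before each label, a zero byte at the end."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"  # the root "."
    out = b""
    for label in name.split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Build a query message: 12-byte header with the RD flag set, one question, QCLASS IN. qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, offset):
    """Decode a name at offset, following compression pointers (0xC0xx); return (name, offset after it)."""
    labels = []
    end = None      # offset just after the name at its original position
    seen = set()    # guards against pointer loops in a malformed or hostile message
    while True:
        if offset in seen:
            raise ValueError("compression pointer loop")
        seen.add(offset)
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_response(msg):
    """Parse header, question and answer sections; A-record RDATA is rendered as a dotted quad."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions = []
    for _ in range(qd):
        qname, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def response_matches_query(query, response):
    """A resolver only accepts a reply whose transaction ID and question section echo what it sent."""
    q = parse_response(query)
    r = parse_response(response)
    return r["is_response"] and q["id"] == r["id"] and q["questions"] == r["questions"]


# Constructed reply to build_query("www.domain.org"): flags 0x8180 = response, RD, RA, NOERROR.
# The answer's owner name is a compression pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("www.domain.org") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 0])
)

if __name__ == "__main__":
    print(build_query("www.domain.org").hex())
    print(parse_response(SAMPLE_RESPONSE))
    print(response_matches_query(build_query("www.domain.org"), SAMPLE_RESPONSE))
```

The ID/question check is the only protection plain DNS has against a forged reply, and a 16-bit ID is easy to guess; that gap is what DNSSEC on the later slides closes.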
Name Servers
Name servers are often called DNS servers as well, which is likely the origin of much of
the confusion around the term.
A name server is a server running DNS server software that answers queries, for
example to locate the IP address of a web or email server.
Depending on the top-level domain (TLD), a domain name may have zero or more
name servers assigned to it.
Usually a domain name has at least 2 name servers.
Anycast Name Server
Anycast is a network addressing and routing methodology in which one source can
'talk' to a service that is advertised or hosted on multiple nodes configured with the
same IP address.
The same IP address is announced simultaneously from different servers on the
Internet.
Network routing delivers the packets to the 'nearest' target based upon topology.
What are the benefits of Anycast?
Increased Reliability
Load Balancing
Improved Performance
Enhanced Security
Localized Impact of DoS Attacks
Simplified Client Configuration
DNSSEC
The original design of the Domain Name System (DNS) did not include security and
allowed false DNS data to be returned.
Domain Name System Security Extensions (DNSSEC) is a set of extensions to DNS
which provide DNS clients (resolvers) with origin authentication of DNS data via
digital signatures.
DNSSEC doesn't provide confidentiality of data, as all DNSSEC responses are
authenticated but not encrypted.
By checking the digital signature, a DNS resolver is able to check whether the information
is identical to the information published by the zone owner and served on an
authoritative DNS server, and thereby mitigate attacks such as 'man-in-the-middle attacks'
(see also https://en.wikipedia.org/wiki/Man-in-the-middle_attack).
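The signatures only help if the resolver can tell which key is allowed to sign a zone, and that link is the DS record the parent zone publishes for the child's DNSKEY (both records appear in the resource record list later in these slides). The following added example, which is not from the original slides, shows the two computations a validating resolver performs at a delegation: the key tag from RFC 4034 Appendix B and the DS digest over the canonical owner name plus DNSKEY RDATA. The owner name example.org., the two-byte stand-in key and the function names are constructed for the example; real keys are hundreds of bytes long.

```python
import base64
import hashlib
import struct


def canonical_wire_name(name):
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase labels, length-prefixed, zero-terminated."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA (RFC 4034 section 2.1): 16-bit flags, protocol (always 3), algorithm, raw key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B); DS and RRSIG records carry it to name the key."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def make_ds(owner, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """Build the DS record the parent publishes for a child's DNSKEY: (key tag, algorithm, digest type, digest hex).
    The digest covers the canonical owner name followed by the DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = DIGESTS[digest_type](canonical_wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches(ds, owner, flags, protocol, algorithm, public_key_b64):
    """What a validating resolver does at a delegation: recompute the DS from the child's DNSKEY and compare."""
    tag, alg, digest_type, digest = ds
    if digest_type not in DIGESTS:
        return False  # unknown digest type: unusable, never "verified"
    expected = (tag, alg, digest_type, digest.lower())
    return make_ds(owner, flags, protocol, algorithm, public_key_b64, digest_type) == expected


# Constructed data: a 2-byte "key" stands in for a real public key.
# flags 257 = zone key + Secure Entry Point (a KSK); protocol is always 3; algorithm 8 = RSA/SHA-256.
OWNER = "example.org."
KSK = (257, 3, 8, "AQI=")

if __name__ == "__main__":
    ds = make_ds(OWNER, *KSK)
    print("DS record:", *ds)
    print("genuine key matches:", ds_matches(ds, OWNER, *KSK))
    print("substituted key matches:", ds_matches(ds, OWNER, 257, 3, 8, "AQM="))
```

Any change to the key, the algorithm or the owner name changes the digest, so a DNSKEY that a resolver receives in a spoofed reply cannot be matched to the DS held (and itself signed) in the parent zone.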
DANE
DNS-based Authentication of Named Entities (DANE) is a protocol that allows
certificates (SSL/TLS) to be bound to DNS names using DNSSEC in order to further limit
security breaches from falsely issued certificates.
DANE enables the administrator of a domain to certify the keys used in that
domain's TLS clients or servers by storing them in the DNS.
Source: https://www.afnic.fr/medias/images/dossiersthematiques/DT-12-Fig4-en.PNG - Effective 04/2016
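The record DANE stores in the DNS is the TLSA record (listed later among the resource records). As an added example that is not from the original slides, the code below builds a TLSA record from a server's certificate material according to RFC 6698 (usage, selector, matching type, association data) and performs the client-side comparison against the certificate a server presents. The owner name _443._tcp.www.example.org., the byte strings standing in for DER-encoded certificate and SubjectPublicKeyInfo data, and the function names are constructed for this example; in a real client the record must also have validated under DNSSEC, which is not shown here.

```python
import hashlib

# TLSA RDATA fields (RFC 6698): certificate usage, selector, matching type, certificate association data.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING = {0: None, 1: hashlib.sha256, 2: hashlib.sha512}


def tlsa_owner(port, proto, host):
    """Owner name of the TLSA record for a service, e.g. _443._tcp.www.example.org."""
    return "_%d._%s.%s." % (port, proto, host.rstrip("."))


def association_data(cert_der, spki_der, selector, matching_type):
    """Select the bytes the record refers to (whole certificate or its SPKI) and hash them as the matching type says."""
    data = cert_der if selector == 0 else spki_der
    digest = MATCHING[matching_type]
    return data if digest is None else digest(data).digest()


def make_tlsa(usage, selector, matching_type, cert_der, spki_der):
    """Presentation format of the TLSA record the domain administrator publishes."""
    if usage not in USAGES or selector not in SELECTORS or matching_type not in MATCHING:
        raise ValueError("invalid TLSA parameters")
    data = association_data(cert_der, spki_der, selector, matching_type)
    return "%d %d %d %s" % (usage, selector, matching_type, data.hex())


def parse_tlsa(text):
    """Split a TLSA record in presentation format into its four fields."""
    usage, selector, matching_type, hexdata = text.split()
    return int(usage), int(selector), int(matching_type), bytes.fromhex(hexdata)


def tlsa_matches(record_text, cert_der, spki_der):
    """Client-side check: does the certificate the server presented match the published record?
    Usages 2 and 3 (DANE-TA/DANE-EE) need no public CA; usages 0 and 1 additionally require ordinary
    PKIX validation, which is outside this example."""
    usage, selector, matching_type, expected = parse_tlsa(record_text)
    if usage not in USAGES or selector not in SELECTORS or matching_type not in MATCHING:
        return False  # unknown parameters: never treat as a match
    return association_data(cert_der, spki_der, selector, matching_type) == expected


# Constructed stand-ins for DER-encoded certificate and SubjectPublicKeyInfo bytes (not real ASN.1).
CERT_DER = b"constructed-certificate-bytes"
SPKI_DER = b"constructed-subject-public-key-info"

if __name__ == "__main__":
    record = make_tlsa(3, 1, 1, CERT_DER, SPKI_DER)  # "3 1 1": DANE-EE, SPKI, SHA-256: the common choice
    print(tlsa_owner(443, "tcp", "www.example.org"), "IN TLSA", record)
    print("presented cert matches:", tlsa_matches(record, CERT_DER, SPKI_DER))
    print("after unannounced key rotation:", tlsa_matches(record, CERT_DER, b"rotated-key"))
```

The last line of the demo is the operational caveat of DANE: when the server key is rotated, the TLSA record must be updated (and the old one kept until caches expire), or validating clients will refuse the new certificate.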
1/3 DNS Resource Records
There are a lot of DNS Resource Records; this list is an overview of the most commonly
used records:
A: Returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host.
AAAA: Returns a 128-bit IPv6 address, most commonly used to map hostnames to an IP address of the host.
CNAME: Redirects to another name; the DNS lookup will continue by retrying the lookup with the new name.
DNSKEY: The key record used in DNSSEC.
DS: The record used to identify the DNSSEC signing key of a delegated zone.
2/3 DNS Resource Records
MX: Maps a domain name to a list of message transfer agents for that domain. Used for email.
NS: Delegates a DNS zone to use the given authoritative name servers.
NSEC3: An extension to DNSSEC that allows proof of nonexistence for a name without permitting zone walking.
PTR: Pointer to a canonical name. Unlike a CNAME, DNS processing stops and just the name is returned. Used for reverse DNS lookups.
RRSIG: Signature for a DNSSEC-secured record set.
3/3 DNS Resource Records
SOA: Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the zone serial number, and several timers relating to refreshing the zone.
SRV: Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX. Commonly used for SIP (VoIP) and XMPP (Jabber / Instant Messenger).
TLSA: A record for DANE. This resource record is used to associate a TLS server certificate or public key with the domain name where the record is found.
TXT: Originally for arbitrary human-readable text in a DNS record. By now usually used for DKIM, DMARC, SPF, etc.
DNS Zone File Example
Thank you!
Please get in touch if you have any further questions:
https://tobiassattler.com
tobiassattler