DNS & X.500

DNS & X.500. 2 Overview The Domain Name System(DNS) Domain Name Space DNS Name Servers Name resolution algorithm Caching: The Key to Efficiency Domain


DNS & X.500


Slide 2: Overview

The Domain Name System (DNS)

Domain Name Space

DNS Name Servers

Name resolution algorithm

Caching: The Key to Efficiency

Domain Server Message Format

Resource Records

Example

X.500 Directory Service

Slide 3: DNS

The Domain Name System (DNS) is a name service design whose principal naming database is used across the Internet.

The original Internet naming scheme:
• All host names and addresses were held in a single central master file
• Downloaded by FTP to all computers that required them

The major shortcomings of the original scheme:
• It does not scale to large numbers of computers
• Local organizations wish to administer their own naming system
• A general name service is needed, not one that only serves for looking up computer addresses

To map a name onto an IP address, an application program calls a library procedure called the resolver, passing it the name as a parameter. The resolver sends a UDP packet to a local DNS server, which looks up the name and returns the IP address to the resolver, which then returns it to the caller.

Slide 4: DNS (cont.)

The Domain Name Space has a tree structure. The Internet is divided into several hundred top-level domains. Each domain is partitioned into subdomains, and these are further partitioned, and so on.

The Internet DNS name space is partitioned both organizationally and according to geography:
• com, edu, gov, mil, net, org, int…
• us, uk, fr, kr…

Domains can be inserted into the tree in two different ways. Each domain is named by the path upward from it to the root. Each domain controls how it allocates the domains under it. To create a new domain, permission is required of the domain in which it will be included. Domain names are completely independent of their location.

Slide 5: DNS (cont.)

Figure: A portion of the Internet domain name space. Generic top-level domains: int, com, edu, gov, mil, org, net. Country top-level domains: jp, us, nl. Lower-level labels shown in the figure: sun, yale, acm, ieee, ac, co, oce, vu, keio, nec, eng, cs, jack, jill, pc24, robot, csl, linda, ai, fluit, flits.

Slide 6: DNS (cont.)

Name Servers

A name server is a server program that supplies name-to-address translation, mapping from domain names to IP addresses. A large organization is highly unlikely to store all of its naming information on a single server: such a server would be a bottleneck and a critical point of failure.

No single name server maintains the entire directory; the database is divided up into sections called zones. The essential task of a name server is to answer queries using data in its zones. The name server marks its responses to queries so that the requester can tell whether the response comes from authoritative data or not. An authoritative record is one that comes from the authority that manages the record, and is thus always correct (complete information).

Slide 7: DNS (cont.)

Figure: DNS name servers, each labelled with the zone it is authoritative for: (root); ns1.cs.ucl.ac.uk (ac.uk); ns.purdue.edu (purdue.edu); ns.nasa.gov; alpha.qmw.ac.uk (qmw.ac.uk); magician.dcs.qmw.ac.uk (dcs.qmw.ac.uk); dns-0.doc.ic.ac.uk (doc.ic.ac.uk). Zones shown: ac.uk, purdue.edu, *.purdue.edu, qmw.ac.uk, *.qmw.ac.uk, dcs.qmw.ac.uk, *.dcs.qmw.ac.uk, doc.ic.ac.uk, *.doc.ic.ac.uk.

Slide 8: DNS (cont.)

Name resolution algorithm
• There are two ways: by contacting name servers one at a time (non-recursive, iterative) or by asking the name server system to perform the complete translation (recursive)
• Conceptually, domain name resolution proceeds top-down, starting with the root name server and proceeding to servers located at the leaves of the tree
• The client software forms a domain name query
• It sends the query to a name server for resolution
• When a domain server receives a query, it checks to see if the name lies in the subdomain for which it is an authority
• If so, it translates the name to an address according to its database, and appends an answer to the query before sending it back to the client
• If the client requested complete translation, the server contacts a domain name server that can resolve the name and returns the answer to the client
• If the client requested non-recursive resolution and the name server cannot supply an answer, it generates a reply that specifies the name server the client should contact next to resolve the name

Slide 9: DNS (cont.)

Figure: Iterative navigation, non-recursive navigation and recursive navigation, each drawn between a user agent (UA) and name servers NS1, NS2 and NS3, with numbered arrows giving the message order (three messages in the iterative case, four in the non-recursive case and five in the recursive case).
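The two navigation styles from slides 8 and 9, as an added example that is not part of the original slides: a toy model in which each server is authoritative for one zone and holds either address records or referrals to the servers for its child zones. The server names, zone layout and addresses are constructed (addresses from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges). In iterative resolution the client follows each referral itself; in recursive resolution the server it asked contacts the next server on its behalf. The trace of (requester, server) pairs makes the difference visible, and the referral loop guard shows the check a real resolver needs against misconfigured or hostile delegations.

```python
# Constructed zone data: server name -> delegations to child-zone servers and
# the address records the server is authoritative for.
SERVERS = {
    "root": {"delegations": {"edu": "ns.edu", "nl": "ns.nl"}, "records": {}},
    "ns.edu": {"delegations": {"yale.edu": "ns.yale.edu"}, "records": {}},
    "ns.yale.edu": {"delegations": {"cs.yale.edu": "ns.cs.yale.edu"}, "records": {}},
    "ns.cs.yale.edu": {"delegations": {},
                       "records": {"cs.yale.edu": "192.0.2.10",
                                   "www.cs.yale.edu": "192.0.2.11"}},
    "ns.nl": {"delegations": {"vu.nl": "ns.vu.nl"}, "records": {}},
    "ns.vu.nl": {"delegations": {}, "records": {"flits.cs.vu.nl": "198.51.100.7"}},
}

MAX_HOPS = len(SERVERS) + 1   # more referrals than servers means a loop


def best_delegation(server, name):
    """Pick the most specific child zone whose suffix matches the queried name."""
    matches = [z for z in server["delegations"] if name == z or name.endswith("." + z)]
    return server["delegations"][max(matches, key=len)] if matches else None


def answer_query(server_name, name, recursion_desired, requester, trace, depth=0):
    """One server's handling of a query. Returns (kind, value) where kind is
    'answer', 'referral' or 'nxdomain'; trace collects (requester, server)."""
    if depth > MAX_HOPS:
        raise RuntimeError("delegation loop while resolving " + name)
    trace.append((requester, server_name))
    server = SERVERS[server_name]
    if name in server["records"]:
        return "answer", server["records"][name]
    next_server = best_delegation(server, name)
    if next_server is None:
        return "nxdomain", None
    if recursion_desired:
        # Recursive: this server asks the next one and relays the final answer.
        return answer_query(next_server, name, True, server_name, trace, depth + 1)
    # Non-recursive: tell the client whom to ask next.
    return "referral", next_server


def resolve_iterative(name, start="root"):
    """Client follows referrals itself, one server at a time."""
    trace, server = [], start
    for _ in range(MAX_HOPS):
        kind, value = answer_query(server, name, False, "client", trace)
        if kind != "referral":
            return kind, value, trace
        server = value
    raise RuntimeError("referral loop while resolving " + name)


def resolve_recursive(name, start="root"):
    """Client sends one query; the server system performs the whole translation."""
    trace = []
    kind, value = answer_query(start, name, True, "client", trace)
    return kind, value, trace


if __name__ == "__main__":
    for fn in (resolve_iterative, resolve_recursive):
        kind, value, trace = fn("www.cs.yale.edu")
        print(fn.__name__, kind, value)
        for requester, server in trace:
            print("  %s -> %s" % (requester, server))
```

In the iterative trace every requester is the client; in the recursive trace the client talks only to the first server and each server talks to the next, which is exactly the difference the slide's figures draw.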

Slide 10: DNS (cont.)

Efficient Translation

Starting every resolution at the root would be inefficient, for three reasons:
• Most name resolution refers to local names, those found within the same subdivision of the namespace as the machine from which the request originates
• If each name resolution always started by contacting the topmost level of the hierarchy, the machine at that point would become overloaded
• Failure of machines at the topmost levels of the hierarchy would prevent name resolution, even if the local authority could resolve the name

In the two-step name resolution process, resolution begins with the local name server. If the local server cannot resolve a name, the query must then be sent to another server in the domain system.

Slide 11: DNS (cont.)

Caching: The Key to Efficiency

To improve the overall performance of a name server system, it is necessary to lower the cost of lookups for nonlocal names. Internet name servers use name caching to optimize search costs. Each server maintains a cache of recently used names as well as a record of where the mapping information for that name was obtained (marked as nonauthoritative).

To keep the cache correct, servers time each entry and dispose of entries that exceed a reasonable time. Servers do not apply a single fixed timeout to all entries, but allow the authority for an entry to configure its timeout. Whenever an authority responds to a request, it includes a Time To Live (TTL) value in the response that specifies how long it guarantees the binding to remain.
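The caching behaviour described on this slide, as an added example that is not from the original slides: a cache that keeps, per name, the value, where it was obtained, and an expiry computed from the authority's TTL. Entries past their TTL are disposed of on lookup, a cached copy is always reported as nonauthoritative, and the remaining TTL shrinks as the entry ages. The clock is injectable so expiry can be exercised without sleeping; the name, address, server name and TTL in `demo()` are constructed.

```python
import time


class NameCache:
    """Cache of (name, type) -> (value, expiry time, source of the binding)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._entries = {}

    def store(self, name, rtype, value, ttl, source):
        """Cache a binding for ttl seconds; a TTL of zero means 'do not cache'."""
        if ttl <= 0:
            return
        self._entries[(name.lower(), rtype)] = (value, self._clock() + ttl, source)

    def lookup(self, name, rtype):
        """Return (value, remaining_ttl, source), or None if absent or expired."""
        key = (name.lower(), rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        value, expiry, source = entry
        remaining = expiry - self._clock()
        if remaining <= 0:            # timed out: dispose of the entry
            del self._entries[key]
            return None
        return value, int(remaining), source

    def __len__(self):
        return len(self._entries)


def resolve(cache, name, rtype, ask_authority):
    """Two-step lookup: serve from the local cache, else ask the authority and
    cache what it returns. Returns (value, ttl, authoritative, source)."""
    hit = cache.lookup(name, rtype)
    if hit is not None:
        value, remaining, source = hit
        return value, remaining, False, source     # cached copy: nonauthoritative
    value, ttl, authority = ask_authority(name, rtype)
    cache.store(name, rtype, value, ttl, authority)
    return value, ttl, True, authority


class FakeClock:
    """Manually advanced clock so TTL expiry can be demonstrated deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Three lookups of one constructed name: authority, cache hit, then expiry."""
    clock = FakeClock()
    cache = NameCache(clock)
    calls = []

    def authority(name, rtype):            # constructed authoritative server
        calls.append(name)
        return "192.0.2.1", 300, "ns.example.com"

    first = resolve(cache, "www.example.com", "A", authority)
    clock.advance(100)                     # still within the 300 s TTL
    second = resolve(cache, "www.example.com", "A", authority)
    clock.advance(250)                     # now 350 s old: entry has expired
    third = resolve(cache, "www.example.com", "A", authority)
    return first, second, third, len(calls)


if __name__ == "__main__":
    for result in demo()[:3]:
        print(result)
```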

Slide 12: DNS (cont.)

Slide 13: DNS (cont.)

Domain Server Message Format

Standard message format:

    0                        16                       31
    +-------------------------+-------------------------+
    |      IDENTIFICATION     |        PARAMETER        |
    +-------------------------+-------------------------+
    |   NUMBER OF QUESTIONS   |    NUMBER OF ANSWERS    |
    +-------------------------+-------------------------+
    |   NUMBER OF AUTHORITY   |  NUMBER OF ADDITIONAL   |
    +-------------------------+-------------------------+
    |                 QUESTION SECTION                  |
    |                  ANSWER SECTION                   |
    |                 AUTHORITY SECTION                 |
    |           ADDITIONAL INFORMATION SECTION          |
    +---------------------------------------------------+

Slide 14: DNS (cont.)

A unique IDENTIFICATION field that the client uses to match responses to queries. A PARAMETER field that specifies the operation requested and a response code. NUMBER OF QUESTIONS gives the count of entries in the QUESTION SECTION. The QUESTION SECTION contains queries for which answers are desired. The ANSWER SECTION, AUTHORITY SECTION and ADDITIONAL SECTION each consist of a set of resource records. The client fills in only the question section; the server returns the question and answers in its response.

Slide 15: DNS (cont.)

The format of entries in the QUESTION SECTION of a domain name server message:

    0                        16                       31
    +---------------------------------------------------+
    |                 QUERY DOMAIN NAME                 |
    +-------------------------+-------------------------+
    |        QUERY TYPE       |       QUERY CLASS       |
    +-------------------------+-------------------------+

The format of Resource Records in messages returned by domain name servers:

    0                        16                       31
    +---------------------------------------------------+
    |               RESOURCE DOMAIN NAME                |
    +-------------------------+-------------------------+
    |           TYPE          |          CLASS          |
    +-------------------------+-------------------------+
    |                   TIME TO LIVE                    |
    +-------------------------+-------------------------+
    |  RESOURCE DATA LENGTH   |                         |
    +-------------------------+                         |
    |                   RESOURCE DATA                   |
    +---------------------------------------------------+

Slide 16: DNS (cont.)

Resource Records

When a resolver gives a domain name to DNS, what it gets back are the resource records associated with that name.

The RESOURCE DOMAIN NAME field contains the domain name to which this resource record refers.

The TIME TO LIVE field describes how long the record can be cached before it should be discarded.

The CLASS field specifies the data's class. For Internet information, it is always IN.

The TYPE field specifies the type of the data included in the resource record.

The RESOURCE DATA field can be a number, a domain name, or an ASCII string, depending on the record type.

Slide 17: DNS (cont.)

The principal DNS resource record types

    Type    Meaning               Value
    SOA     Start of Authority    Parameters for this zone
    A       IP address of a host  32-bit integer
    MX      Mail exchange         Priority, domain willing to accept email
    NS      Name server           Name of a server for this domain
    CNAME   Canonical name        Domain name
    PTR     Pointer               Alias for an IP address
    HINFO   Host description      CPU and OS in ASCII
    TXT     Text                  Uninterpreted ASCII text
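The message, question and resource record layouts from slides 13 to 17, as an added example that is not from the original slides: it builds a constructed authoritative reply (ID 0x1234, question www.example.com A, one answer 192.0.2.1 with TTL 3600) in the wire format drawn above and parses it back into header fields, the QUESTION SECTION and resource records. The type codes are the RFC 1035 values for the types in the table. Real replies abbreviate repeated names with compression pointers, so the parser handles those and, because a pointer that points forward or at itself would make a naive parser loop forever, rejects such messages instead of following them.

```python
import struct

# Type codes for the record types in the slides' table (RFC 1035 values).
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
              13: "HINFO", 15: "MX", 16: "TXT"}


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".") if name.rstrip(".") else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(msg, offset, depth=0):
    """Decode a possibly compressed name at offset; return (name, next offset)."""
    if depth > 16:
        raise ValueError("compression pointer chain too long")
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # 11xxxxxx: compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:                  # must point backwards, else loops
                raise ValueError("forward or self-referencing compression pointer")
            suffix, _ = read_name(msg, pointer, depth + 1)
            labels.append(suffix)
            return ".".join(l for l in labels if l), offset + 2
        offset += 1
        if length == 0:                            # end of name
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_rr(msg, offset):
    """Parse one resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    name, offset = read_name(msg, offset)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    offset += 10
    rdata = msg[offset:offset + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated resource data")
    if rtype == 1 and rdlen == 4:                  # A: 32-bit address
        rdata = ".".join(str(b) for b in rdata)
    return {"name": name, "type": TYPE_NAMES.get(rtype, rtype), "class": rclass,
            "ttl": ttl, "rdata": rdata}, offset + rdlen


def parse_message(msg):
    """Parse header, questions and the answer/authority/additional sections."""
    if len(msg) < 12:
        raise ValueError("short header")
    ident, params, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    result = {"id": ident, "qr": params >> 15 & 1, "aa": params >> 10 & 1,
              "rcode": params & 0xF, "questions": []}
    offset = 12
    for _ in range(qd):
        qname, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        result["questions"].append({"name": qname, "type": TYPE_NAMES.get(qtype, qtype),
                                    "class": qclass})
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            rr, offset = parse_rr(msg, offset)
            records.append(rr)
        result[section] = records
    return result


def build_sample_response():
    """Constructed authoritative reply: www.example.com A 192.0.2.1, TTL 3600."""
    header = struct.pack("!6H", 0x1234, 0x8580, 1, 1, 0, 0)   # QR, AA, RD, RA set
    question = encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    # Answer owner name is a pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def build_pointer_loop():
    """Constructed malformed message whose question name points at itself."""
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + b"\xc0\x0c" + struct.pack("!HH", 1, 1)


def is_well_formed(msg):
    try:
        parse_message(msg)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    print(parse_message(build_sample_response()))
    print("loop rejected:", not is_well_formed(build_pointer_loop()))
```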

Slide 18: DNS (cont.)

Figure: How a resolver looks up a remote name. The domain tree from slide 5 is shown again; below it, the query from the originator flits.cs.vu.nl travels to the VU CS name server cs.vu.nl (1), on to Edu-server.net (2), to the Yale name server yale.edu (3) and to the Yale CS name server cs.yale.edu (4), and the answer returns along the same path (5 to 8).

Slide 19: X.500 Directory Service

Attribute-based name service: <name, attribute>. The X.500 directory is under a common root; the directory is a tree hierarchy of country, organization, organizational unit, person. A wide range of attributes is stored at each node in the tree. Access is not just by name: searching for entries with any required combination of attributes is supported.

DIT (Directory Information Tree): the X.500 name tree

DIB (Directory Information Base): the entire directory structure including the data associated with the nodes

Two of the largest directory service providers are InterNIC and ESnet.

Slide 20: X.500 Directory Service (cont.)

Figure: Part of the X.500 Directory Information Tree. X500 Service (root) → … France (country), Great Britain (country), Greece (country) … → … BT Plc (organization), Cambridge University (organization) … → … Computing Service (organizationalUnit), Computer Lab (organizationalUnit), Engineering Department (organizationalUnit) … → … Departmental Staff (organizationalUnit), Research Students (organizationalUnit) …, ely (applicationProcess) → Jon Fairbairn (person), Ken Moody (person), Karen Sparck-Jones (person), …, Jean Bacon (person).

Slide 21: X.500 Directory Service (cont.)

Figure: Directory User Agents (DUAs) connected to a network of cooperating Directory Service Agents (DSAs).

DSA (Directory Service Agent): the server. Each local directory represents one organization or a group of organizations.

DUA (Directory User Agent): the client. A user interface program for access to one or more DSAs.

Slide 22: X.500 Directory Service (cont.)

Operation

client ---- connection ----> server

The client accesses the directory by issuing a query. If the server does not have the required data in its DIB, it either
• invokes another server, or
• redirects the client to another server

The full name of an entry corresponds to a path through the DIT from the root of the tree to the entry.

A DIB entry consists of a set of attributes, where an attribute has a type and one or more values.

Type names: for example, countryName, organizationalName, commonName, telephoneNumber, mailbox, objectClass

Slide 23: X.500 Directory Service (cont.)

The name of a DIB entry is determined by selecting one or more of its attributes as distinguished attributes; the result is the Distinguished Name (DN).

Two main types of access request:

read
• an absolute or relative name for an entry is given together with a list of attributes to be read
• the DSA server retrieves the required attributes and returns them to the client

search
• a base name and a filter expression are supplied as arguments
• this command returns a list of names for all of the entries below the base node for which the filter evaluates to TRUE
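The DIB entries, Distinguished Names and the read and search requests of slides 22 and 23, as an added example that is not from the original slides. The directory content is constructed (a fictitious organization with three persons; no real people), DNs are plain comma-separated RDN strings with no escaping, and the filter expressions use the LDAP string syntax (a subset of RFC 4515: and, or, not, equality and presence) as a stand-in for X.500's filter expressions, an assumption of this example rather than anything the slides specify. String matching is case-insensitive, in the spirit of X.500's caseIgnore matching rules.

```python
# Constructed DIB: DN -> attributes, each attribute having one or more values.
DIB = {
    "c=GB": {"objectClass": ["country"], "countryName": ["GB"]},
    "o=Example University,c=GB": {
        "objectClass": ["organization"], "organizationalName": ["Example University"]},
    "ou=Computer Lab,o=Example University,c=GB": {
        "objectClass": ["organizationalUnit"], "organizationalUnitName": ["Computer Lab"]},
    "ou=Engineering,o=Example University,c=GB": {
        "objectClass": ["organizationalUnit"], "organizationalUnitName": ["Engineering"]},
    "cn=Alice Example,ou=Computer Lab,o=Example University,c=GB": {
        "objectClass": ["person"], "commonName": ["Alice Example"],
        "telephoneNumber": ["+44 1223 000000"], "mailbox": ["alice@example.invalid"]},
    "cn=Bob Example,ou=Computer Lab,o=Example University,c=GB": {
        "objectClass": ["person"], "commonName": ["Bob Example"]},
    "cn=Carol Example,ou=Engineering,o=Example University,c=GB": {
        "objectClass": ["person"], "commonName": ["Carol Example"],
        "telephoneNumber": ["+44 1223 000001"]},
}


def read_entry(dn, attributes):
    """read request: the named entry's requested attributes, or None if unknown."""
    entry = DIB.get(dn)
    if entry is None:
        return None
    return {a: entry[a] for a in attributes if a in entry}


def parse_filter(text):
    """Parse (&...), (|...), (!...), (attr=value) and (attr=*) into a tree."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters in filter")
    return node


def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at position %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] != ")":
            child, pos = _parse(text, pos)
            children.append(child)
        if pos >= len(text) or (op == "!" and len(children) != 1):
            raise ValueError("malformed compound filter")
        return (op, children), pos + 1
    end = text.find(")", pos)
    if end < 0:
        raise ValueError("unterminated item filter")
    attr, sep, value = text[pos:end].partition("=")
    if not attr or not sep:
        raise ValueError("malformed item filter")
    return ("=", attr, value), end + 1


def evaluate(node, entry):
    """Evaluate a parsed filter against one entry's attributes."""
    if node[0] == "&":
        return all(evaluate(c, entry) for c in node[1])
    if node[0] == "|":
        return any(evaluate(c, entry) for c in node[1])
    if node[0] == "!":
        return not evaluate(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                                   # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(base, filter_text):
    """search request: names of all entries strictly below base for which
    the filter evaluates to TRUE, sorted for a deterministic result."""
    if base not in DIB:
        raise KeyError("unknown base entry: " + base)
    node = parse_filter(filter_text)
    return sorted(dn for dn, entry in DIB.items()
                  if dn.endswith("," + base) and evaluate(node, entry))


if __name__ == "__main__":
    print(read_entry("cn=Alice Example,ou=Computer Lab,o=Example University,c=GB",
                     ["commonName", "mailbox"]))
    for dn in search("o=Example University,c=GB", "(&(objectClass=person)(telephoneNumber=*))"):
        print(dn)
```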

Slide 24: X.500 Directory Service (cont.)

DNS Versus X.500

DNS:
- simply looks up data attached to a given domain name
- relatively simple distributed database meant to solve a particular problem
- is not secure

X.500:
- supports many types of searching: matches, and specifying incomplete information
- is a full-blown distributed database meant to be used for a wide variety of applications
- can store the phone book, information about all sorts of network devices and their attributes
- has security features involving credentials and the support of multiple encryption types