DNS (Domain Name System)

The Domain Name System (DNS) translates domain names to IP addresses and vice versa, operating in a client-server environment with a distributed database. It was initially proposed by Paul V. Mockapetris and is regulated by IANA and ICANN, with various types of DNS servers including caching and authoritative servers. Security issues like domain hijacking can occur, but DNSSEC provides mechanisms for data integrity and authentication to mitigate these risks.

Faozan Ahmad
faozan@apps.ipb.ac.id
DNS
• The Domain Name System (DNS) translates a domain name into an IP address (forward lookup) and, conversely, an IP address into a domain name (reverse lookup).

• DNS is built on a client-server model.

• The DNS translation table is stored as a distributed database.
Why do we need DNS?
DNS History
• Paul V. Mockapetris, together with Jon Postel, first devised the DNS system.

• Paul V. Mockapetris proposed the DNS architecture in RFC 882 and RFC 883 (a distributed and dynamic DNS database: essentially DNS as it exists today).

• He was the first to recognise the early Internet's problem: name-to-address translation was kept in a single table (the HOSTS.TXT file) on a single host.
DNS Regulators
• IANA (the Internet Assigned Numbers Authority) is the organisation that manages and coordinates the implementation of DNS (the root zone), the distribution of IP addresses, and other Internet protocol parameters.

• IANA is operated by the Internet Corporation for Assigned Names and Numbers (ICANN).

• Regional Internet Registries (RIRs)
  – APNIC
  – ARIN
  – LACNIC
  – RIPE
  – AFRINIC

• Local Internet Registry (LIR)
  – IDNIC
RIR
DNS Structure
Root Server
TLD (Top Level Domain)
• The list of TLDs can be seen at the following address:
  http://www.iana.org/domains/root/db

• TLDs consist of gTLDs (generic and generic-restricted), sTLDs (sponsored) and ccTLDs (country-code).

• About 1095 TLDs are registered at present.


DNS standard message format

DNS query (only the header and the question section are filled in):
  Header      qr = 0 (query), rd
  Question    mydomain.com, type = NS, class = IN
  Answer      EMPTY
  Authority   EMPTY
  Additional  EMPTY

DNS response (carries the same 16-bit ID as the query; the resolver matches on it):
  Header      qr = 1 (response), rd, ra, aa
  Question    mydomain.com, type = NS, class = IN
  Answer      mydomain.com.           20h55m21s  IN  NS  securens.mydomain.com.
  Authority   mydomain.com.           20h55m21s  IN  NS  securens.mydomain.com.
  Additional  securens.mydomain.com.  20h55m21s  IN  A   131.87.24.1
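As an added example (not part of the original slides), the following Go program parses the response above from its wire form. The byte string is constructed here to match the slide's response, including the name-compression pointers a real server would emit; the function names and the error handling are this example's own. The security-relevant part is readName: a compression pointer is followed only if it points backwards, which is what keeps a crafted message from sending the parser into an endless loop.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

const TypeA, TypeNS, FlagAA = 1, 2, 1 << 10 // RR type codes and the AA header flag bit (RFC 1035)
var errMalformed = errors.New("malformed DNS message")

// RR is one parsed record; Text is the presentation form of its rdata ("131.87.24.1" for A, a name for NS).
type RR struct {
	Name string
	Type uint16
	TTL  uint32
	Text string
}

// readName decodes a name at off, following compression pointers (RFC 1035 4.1.4). A pointer must point
// before the name being read (limit), which rejects forward, self-referencing and looping pointers.
func readName(buf []byte, off int) (string, int, error) {
	var labels []string
	end, limit := -1, off
	for off < len(buf) {
		l := int(buf[off])
		switch {
		case l&0xC0 == 0xC0 && off+1 < len(buf): // compression pointer
			ptr := int(binary.BigEndian.Uint16(buf[off:]) & 0x3FFF)
			if ptr >= limit {
				return "", 0, errors.New("compression pointer does not point backwards")
			}
			if end < 0 {
				end = off + 2 // in the stream the name ends after its first pointer
			}
			off, limit = ptr, ptr
		case l == 0: // the root label terminates the name
			if end < 0 {
				end = off + 1
			}
			return strings.Join(labels, ".") + ".", end, nil
		case l&0xC0 == 0 && off+1+l <= len(buf): // ordinary label
			labels, off = append(labels, string(buf[off+1:off+1+l])), off+1+l
		default:
			return "", 0, errMalformed
		}
	}
	return "", 0, errMalformed
}

// Parse decodes a message into header ID and flags plus the answer, authority and additional sections.
func Parse(buf []byte) (id, flags uint16, sections [3][]RR, err error) {
	if len(buf) < 12 {
		return 0, 0, sections, errMalformed
	}
	id, flags, off := binary.BigEndian.Uint16(buf), binary.BigEndian.Uint16(buf[2:]), 12
	for q := binary.BigEndian.Uint16(buf[4:]); q > 0; q-- { // QDCOUNT: skip QNAME, QTYPE, QCLASS
		if _, off, err = readName(buf, off); err != nil || off+4 > len(buf) {
			return 0, 0, sections, errMalformed
		}
		off += 4
	}
	for sec := 0; sec < 3; sec++ { // ANCOUNT, NSCOUNT, ARCOUNT
		for n := binary.BigEndian.Uint16(buf[6+2*sec:]); n > 0; n-- {
			var rr RR
			if rr.Name, off, err = readName(buf, off); err != nil || off+10 > len(buf) {
				return 0, 0, sections, errMalformed
			}
			rr.Type, rr.TTL = binary.BigEndian.Uint16(buf[off:]), binary.BigEndian.Uint32(buf[off+4:])
			rdlen := int(binary.BigEndian.Uint16(buf[off+8:]))
			if off += 10; off+rdlen > len(buf) {
				return 0, 0, sections, errMalformed
			}
			if rr.Type == TypeNS { // NS rdata is a name and may itself be compressed
				if rr.Text, _, err = readName(buf, off); err != nil {
					return 0, 0, sections, err
				}
			} else if rr.Type == TypeA {
				rr.Text = net.IP(buf[off : off+rdlen]).String()
			}
			sections[sec], off = append(sections[sec], rr), off+rdlen
		}
	}
	return id, flags, sections, nil
}

// sample is a constructed wire-format copy of the slide's response (0xC00C = pointer to offset 12, 0xC02A = to 42).
var sample = []byte("\x12\x34\x85\x80\x00\x01\x00\x01\x00\x01\x00\x01" + // ID 0x1234, flags qr|aa|rd|ra, four counts of 1
	"\x08mydomain\x03com\x00\x00\x02\x00\x01" + // question at offset 12: mydomain.com. IN NS
	"\xC0\x0C\x00\x02\x00\x01\x00\x01\x26\x39\x00\x0B\x08securens\xC0\x0C" + // answer NS, TTL 75321 = 20h55m21s, rdata at 42
	"\xC0\x0C\x00\x02\x00\x01\x00\x01\x26\x39\x00\x02\xC0\x2A" + // authority NS, rdata is a pointer to offset 42
	"\xC0\x2A\x00\x01\x00\x01\x00\x01\x26\x39\x00\x04\x83\x57\x18\x01") // additional A 131.87.24.1

func main() {
	id, flags, s, err := Parse(sample)
	fmt.Printf("id=%#x aa=%t answer=%v authority=%v additional=%v err=%v\n", id, flags&FlagAA != 0, s[0], s[1], s[2], err)
}
```

The parser never trusts a count or length field on its own: every read is checked against the buffer, and a pointer that does not move strictly backwards (a self-reference, a forward jump, or two pointers chasing each other) is rejected rather than followed.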
DNS Configuration
DNS Server Types
• Caching Name Server
  – Does not manage any domain of its own; it only acts as a resolver for the domain translation requests of its clients, caching what it learns.

• Authoritative Name Server
  – Manages (is authoritative for) particular domains. An authoritative server can also act as a caching name server, but this is not recommended for DNS security reasons: a server that resolves recursively for arbitrary clients is exposed to the cache-poisoning attack described later, and a poisoned cache is then served alongside the authoritative data.
Common Resource Records

RECORD TYPE  DESCRIPTION                  USAGE
A            An address record            Maps an FQDN to an IPv4 address
PTR          A pointer record             Maps an IP address to an FQDN (reverse lookup)
NS           A name server record         Denotes a name server for a zone
SOA          A Start of Authority record  Specifies many attributes of the zone, such as the
                                          name of the domain (forward or inverse), the
                                          administrative contact, the serial number of the
                                          zone, the refresh interval, the retry interval, etc.
CNAME        A canonical name record      Defines an alias name and maps it to the absolute
                                          (canonical) name
MX           A Mail Exchanger record      Used to direct e-mail for a given domain or host
                                          to another host
Sub Domain in different NS
The Security Problem:
Domain Hijacking
• IP addresses in the DNS database are changed by unauthorized hosts so that traffic destined for one domain is redirected to another:
  1. DNS Spoofing - trick the DNS server into trusting an update of the IP addresses (for example a forged response to its own query)
  2. Cache Poisoning - a false IP with a high TTL, which the DNS server will cache for a long time
  3. Hacking the DNS Server - change the data on the server itself
  4. Human Error - the administrator enters the DNS information incorrectly

• DNSSEC can help prevent the first two: a validating resolver rejects records whose signature does not verify, however they arrived. It does nothing against the last two, because data served by a compromised or mis-edited zone is still correctly signed.


DNS cache poisoning attack
Figure: the attacker's host (A.B.C.D) and its name server ns.evil.com in evil.com; the victim resolver ns.broker.com with its cache and a client any.broker.com in broker.com; and ns.bank.com in bank.com.
  1. The attacker's host asks ns.broker.com for anyhost.evil.com.
  2. ns.broker.com, having nothing cached, queries ns.evil.com for anyhost.evil.com.
  3. ns.evil.com, controlled by the attacker, stores the query ID that ns.broker.com used.
  4. ns.evil.com replies anyhost.evil.com = A.B.C.E.
  5. ns.broker.com returns anyhost.evil.com = A.B.C.E to the attacker.
  6. The attacker asks ns.broker.com for www.bank.com.
  7. ns.broker.com queries ns.bank.com for www.bank.com.
  8. Before ns.bank.com can answer, the attacker floods ns.broker.com with false responses www.bank.com = A.B.C.D, using the ID learned in step 3 to guess the ID of the query in step 7.
  9. ns.broker.com accepts the matching forgery and caches www.bank.com = A.B.C.D.
  10. A legitimate client, any.broker.com, asks ns.broker.com for www.bank.com.
  11. ns.broker.com serves the wrong response from its cache.
  12. The client makes a wrong connection to the attacker's host A.B.C.D instead of the real www.bank.com.
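The following Go simulation is an added example, not part of the slides, that replays the twelve steps above against a model resolver. The resolver accepts the first response whose name, transaction ID and destination port match an outstanding query, which is exactly the check a pre-DNSSEC resolver makes. The policy flag, the starting ID 1000, the host names taken from the figure and the address 203.0.113.10 used for the genuine answer are assumptions of this example. It shows why the attack works against a resolver with predictable IDs on a fixed port, and why randomising both the ID and the source port (what resolvers do today, following RFC 5452) turns the flood in step 8 into a lottery.

```go
package main

import (
	"fmt"
	"math/rand"
)

// Response is what the resolver sees arrive: the name it answers, the
// transaction ID in the header, the UDP port it was sent to, and the rdata.
type Response struct {
	QName   string
	ID      uint16
	DstPort uint16
	Answer  string
}

type outstanding struct{ id, port uint16 }

// Resolver models ns.broker.com: its outstanding queries, its cache, and its
// policy for choosing the transaction ID and source port of each query.
type Resolver struct {
	randomize bool // true: random ID and random source port; false: previous ID + 1, always port 53
	nextID    uint16
	rng       *rand.Rand
	pending   map[string]outstanding
	Cache     map[string]string
}

func NewResolver(randomize bool, seed int64) *Resolver {
	return &Resolver{randomize: randomize, nextID: 1000, rng: rand.New(rand.NewSource(seed)),
		pending: map[string]outstanding{}, Cache: map[string]string{}}
}

// Query sends a query for qname and returns the ID and source port it used;
// whoever receives the query (the authoritative server) learns both.
func (r *Resolver) Query(qname string) (id, port uint16) {
	if r.randomize {
		id, port = uint16(r.rng.Intn(1<<16)), uint16(1024+r.rng.Intn(1<<16-1024))
	} else {
		id, port, r.nextID = r.nextID, 53, r.nextID+1
	}
	r.pending[qname] = outstanding{id, port}
	return id, port
}

// Accept is all the authentication a plain (non-DNSSEC) resolver performs:
// the first response whose name, ID and destination port match an outstanding
// query is cached; anything else is dropped.
func (r *Resolver) Accept(resp Response) bool {
	p, ok := r.pending[resp.QName]
	if !ok || p.id != resp.ID || p.port != resp.DstPort {
		return false
	}
	delete(r.pending, resp.QName)
	r.Cache[resp.QName] = resp.Answer
	return true
}

// Attack replays the figure's steps against r. The attacker runs ns.evil.com,
// so when the resolver queries it (steps 1-5) the attacker learns the ID and
// source port the resolver used. It then triggers a lookup of www.bank.com
// (6-7) and floods forged answers (8), guessing the next ID and reusing the
// port, before ns.bank.com can reply. It returns true when the forged address
// has been cached (9), i.e. when steps 10-12 would send clients to the attacker.
func Attack(r *Resolver, flood int) bool {
	leakedID, leakedPort := r.Query("anyhost.evil.com")
	r.Accept(Response{"anyhost.evil.com", leakedID, leakedPort, "A.B.C.E"})
	realID, realPort := r.Query("www.bank.com") // seen only by ns.bank.com, never by the attacker
	for i := 1; i <= flood; i++ {
		if r.Accept(Response{"www.bank.com", leakedID + uint16(i), leakedPort, "A.B.C.D"}) {
			break
		}
	}
	// The genuine answer (step 7) arrives after the flood and is ignored if a
	// forged one was already matched. 203.0.113.10 is a constructed address.
	r.Accept(Response{"www.bank.com", realID, realPort, "203.0.113.10"})
	return r.Cache["www.bank.com"] == "A.B.C.D"
}

func main() {
	fmt.Println("sequential IDs on port 53, 16 forged responses:", Attack(NewResolver(false, 1), 16))
	fmt.Println("random ID and source port, 10000 forged responses:", Attack(NewResolver(true, 1), 10000))
}
```

With sequential IDs the very first forgery matches, because the attacker's own domain leaked the previous ID and the port never changes. With a random ID and port the attacker has to hit one of 65536 x 64512 combinations per query, so even ten thousand forged packets almost never land; DNSSEC (next slides) removes the guessing game entirely, since a forged record would also need a valid signature.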
DNSSEC definition
– DNS security extensions (RFC 2535 - 2537). The record types below are the original ones; RFC 4033 - 4035 later replaced them with RRSIG, DNSKEY and NSEC (later also NSEC3), which play the same roles:
  • SIG - stores digital signatures (asymmetric keys)
  • KEY - stores public keys
  • NXT - authenticates the non-existence of names or types of RRs in a domain

– DNSSEC intends to provide:
  • data origin authentication and data integrity
  • key distribution
  • on a smaller scale - transaction and request authentication
  It does not provide confidentiality: queries and responses are signed, not encrypted.
DNSSEC chain of trust
The public key of the root domain is pre-trusted by all name servers (it is the trust anchor)!

Figure: the root name server of the DNS tree (.), the TLD name servers (com., it.), the zone name servers (foo.com., polito.it.) and a local name server.
The local name server asks "host.foo.com.?" and receives the RRs A, SIG and KEY for host.foo.com. = 131.195.21.25. It verifies the SIG with foo.com.'s KEY, foo.com.'s KEY by the signature its parent com. made over it, and com.'s KEY by the signature made with the pre-trusted root key; the answer is accepted only if every link in the chain verifies.
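An added example, not from the slides, that models the chain of trust in Go with real Ed25519 signatures from the standard library: each zone has one key, the parent publishes a signed digest (DS) of its child's key, and validation walks from the pre-trusted root key down to host.foo.com. The canonical form of an RRset, the single key per zone and the string-based DS digest are simplifications made here (real DNSSEC uses the wire formats of RFC 4034), but the structure of the check is the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// RRset is what DNSSEC signs: the records of one name and type plus their signature (SIG / RRSIG).
type RRset struct {
	Name, Type string
	Data       []string
	Sig        []byte
}

// canonical is the byte string that gets signed: a simplification of RFC 4034 3.1.8 that keeps the
// property that matters, namely that any change to owner name, type or data invalidates the signature.
func (s RRset) canonical() []byte {
	return []byte(strings.ToLower(s.Name) + "|" + s.Type + "|" + strings.Join(s.Data, "|"))
}

// Zone holds one Ed25519 key pair (KSK and ZSK collapsed into one KEY) and its signed RRsets, keyed "name|type".
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	sets map[string]RRset
}

func NewZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand; it does not fail in practice
	return &Zone{Name: name, Pub: pub, priv: priv, sets: map[string]RRset{}}
}

// Sign stores an RRset together with its signature under the zone's key.
func (z *Zone) Sign(name, typ string, data ...string) {
	s := RRset{Name: name, Type: typ, Data: data}
	s.Sig = ed25519.Sign(z.priv, s.canonical())
	z.sets[name+"|"+typ] = s
}

// DS is the digest of a child's public key that the parent publishes and signs: the link between two zones.
func DS(childName string, pub ed25519.PublicKey) string {
	sum := sha256.Sum256(append([]byte(strings.ToLower(childName)), pub...))
	return hex.EncodeToString(sum[:])
}

// verified returns the RRset only if its signature checks under key.
func verified(z *Zone, key ed25519.PublicKey, name, typ string) (RRset, error) {
	s, ok := z.sets[name+"|"+typ]
	if !ok || !ed25519.Verify(key, s.canonical(), s.Sig) {
		return RRset{}, fmt.Errorf("%s %s: missing or badly signed in zone %s", name, typ, z.Name)
	}
	return s, nil
}

// Validate is the local name server of the figure. Starting from the single pre-trusted root key it walks
// down the zone cuts: at each cut the parent's signed DS must match the child's key before that key is trusted.
func Validate(rootKey ed25519.PublicKey, zones map[string]*Zone, name, typ string) (RRset, error) {
	zone, key := zones["."], rootKey
	if zone == nil {
		return RRset{}, fmt.Errorf("no root zone")
	}
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	for i := len(labels) - 1; i >= 0; i-- {
		childName := strings.Join(labels[i:], ".") + "."
		child, ok := zones[childName]
		if !ok {
			continue // no zone cut at this label; still inside the current zone
		}
		ds, err := verified(zone, key, childName, "DS")
		if err != nil {
			return RRset{}, err
		}
		if ds.Data[0] != DS(childName, child.Pub) {
			return RRset{}, fmt.Errorf("%s: key does not match the DS signed by %s", childName, zone.Name)
		}
		zone, key = child, child.Pub
	}
	return verified(zone, key, name, typ)
}

// BuildTree sets up the figure's tree: . delegates com., com. delegates foo.com., foo.com. signs host.foo.com. A.
func BuildTree() (ed25519.PublicKey, map[string]*Zone) {
	root, com, foo := NewZone("."), NewZone("com."), NewZone("foo.com.")
	root.Sign("com.", "DS", DS("com.", com.Pub))
	com.Sign("foo.com.", "DS", DS("foo.com.", foo.Pub))
	foo.Sign("host.foo.com.", "A", "131.195.21.25")
	return root.Pub, map[string]*Zone{".": root, "com.": com, "foo.com.": foo}
}

func main() {
	rootKey, zones := BuildTree()
	fmt.Println(Validate(rootKey, zones, "host.foo.com.", "A"))
}
```

Three things fail validation here, and all three are the situations the chain is designed for: an answer whose data was altered after signing (the poisoned record of the previous slide), a zone signed with a key that no parent has vouched for with a DS, and a resolver configured with the wrong trust anchor. Only the root key is pre-trusted; every other key earns trust through the parent's signature.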
Best Practice
• Forbid recursive queries (or allow them only from your own clients) to prevent spoofing and cache poisoning.
• Update BIND as often as possible to limit exposure to known bugs.
• To avoid a single point of failure, do not put all DNS servers on the same subnet, or even behind the same router or the same leased line.
• Restrict the possible queries, and the hosts that are allowed to query, to the minimum.
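As an added illustration of the practices above (not from the slides), here are named.conf excerpts for BIND 9 that keep the authoritative and caching roles on separate servers and restrict each to the minimum. The ACL addresses, file names and zone name are placeholders; each hardened directive carries in a comment the weak setting it replaces.

```conf
// --- named.conf on the authoritative server: answers anyone, resolves for no one.
acl "secondaries" { 192.0.2.2; };          // placeholder address of the secondary server
options {
    directory "/var/named";
    recursion no;                          // weak: recursion yes (the default in old BIND builds)
    allow-query { any; };                  // zone data is public by design
    allow-transfer { "secondaries"; };     // weak: allow-transfer { any; } (zone walk for everyone)
    version "not disclosed";               // do not advertise the exact BIND release
};
zone "mydomain.com" { type master; file "mydomain.com.zone"; };

// --- named.conf on the internal caching resolver: resolves only for your own clients.
acl "internal" { 192.0.2.0/24; 127.0.0.1; };   // placeholder client networks
options {
    directory "/var/named";
    recursion yes;
    allow-query { "internal"; };           // weak: allow-query { any; } (an open resolver)
    allow-recursion { "internal"; };
    allow-query-cache { "internal"; };     // outsiders cannot read, or probe, the cache
    dnssec-validation auto;                // verify signatures against the built-in root trust anchor
};
```

Splitting the roles means a poisoned cache can never be served under the authority of your own zones, and closing recursion to outsiders removes both the poisoning surface of the earlier figure and the use of the server as a reflector.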
