ilab
play

iLab DNS and DNSSEC Dominik Scholz Slides by Benjamin Hof ilab1 - PowerPoint PPT Presentation

Mar 17, 2023 •266 likes •853 views

iLab DNS and DNSSEC Dominik Scholz Slides by Benjamin Hof ilab1 @list.net.in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 5 17ws 1 / 32 Outline Domain Name System

  1. iLab DNS and DNSSEC Dominik Scholz Slides by Benjamin Hof ilab1 @list.net.in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 5 – 17ws 1 / 32

  2. Outline Domain Name System Authoritative name server Resolver Security 2 / 32

  3. Outline Domain Name System Authoritative name server Resolver Security 3 / 32

  4. The quest for memorable names ◮ IP addresses hard to remember for humans ◮ symbolic names mapped to addresses address resolution 1. host files ◮ file with mappings ◮ copy between all machines ◮ /etc/hosts 2. protocol: Domain Name System ◮ by Paul Mockapetris in 1983 ◮ wide deployment in 1988 4 / 32

  5. Domain Name System ◮ application layer protocol on UDP, TCP ◮ glibc call getaddrinfo(3) ◮ distributed name database ◮ deployed globally ◮ hierarchical structure ◮ extensible ◮ e.g. DNSSEC: security extensions inside the protocol itself 5 / 32

  6. Distributed hierarchical name space . net edu org lwn tum gnu debian cs ma ei mail Fully qualified domain name (FQDN) by label concatenation: mail.cs.tum.edu. 6 / 32

  7. Distributed hierarchical name space root zone (empty label) . top level domain net edu org second level domain lwn tum gnu debian cs ma ei mail Fully qualified domain name (FQDN) by label concatenation: mail.cs.tum.edu. 6 / 32

  8. Name server Name servers can fulfill different functions: 1. authoritative name servers ◮ operated by a site on the Internet 2. resolver ◮ asked to resolve names ◮ contacts authoritative name servers Example Knot and unbound 7 / 32

  9. Outline Domain Name System Authoritative name server Resolver Security 8 / 32

  10. Zone ◮ subtree of the global name space ◮ delegated by parent ◮ managed by one organization ◮ hosted on an authoritative name server Example tum.edu. delegated by edu., containing www.tum.edu. and mail.in.tum.edu. 9 / 32

  11. Authoritative name server ◮ only knows about its own part of the name space ◮ responsible, “authoritative”, for its zone ◮ may serve multiple zones ◮ usually primary and secondary servers exist for a zone ◮ synchronized with zone transfer ◮ avoid disappearance of the zone in case of outage ◮ load balancing 10 / 32

  12. Zones: example . net edu org lwn tum gnu debian cs ma ei mail 11 / 32

  13. Resource record ◮ zone contains resource records (RR) example.net. 3600 IN A 198.51.100.5 owner TTL class type RDATA domain name where RR is found 12 / 32

  14. Resource record ◮ zone contains resource records (RR) example.net. 3600 IN A 198.51.100.5 owner TTL class type RDATA validity period in seconds when cached 12 / 32

  15. Resource record ◮ zone contains resource records (RR) example.net. 3600 IN A 198.51.100.5 owner TTL class type RDATA only Internet is relevant for us 12 / 32

  16. Resource record ◮ zone contains resource records (RR) example.net. 3600 IN A 198.51.100.5 owner TTL class type RDATA record type, e.g. IPv4 address 12 / 32

  17. Resource record ◮ zone contains resource records (RR) example.net. 3600 IN A 198.51.100.5 owner TTL class type RDATA resource data: e.g. 32 bit IPv4 address 12 / 32

  18. Resource records owner TTL class type RDATA i.example.net. 3600 IN AAAA 2001:db8::1 like.example.net. 3600 IN AAAA 2001:db8:af23::eb2 dns.example.net. 3600 IN A 192.0.2.25 i.example.net. 3600 IN A 192.0.2.205 13 / 32

  19. Resource records owner type RDATA i.example.net. AAAA 2001:db8::1 like.example.net. AAAA 2001:db8:af23::eb2 dns.example.net. A 192.0.2.25 i.example.net. A 192.0.2.205 i.example.net. AAAA 2001:db8::2 ◮ RRset for i.example.net. type AAAA with more than one record! ◮ note: TTL and class usually omitted 13 / 32

  20. Zone file and record types $ORIGIN example.net. ; everything will be relative to this $TTL 1h ; default TTL could be overwritten later 14 / 32

  21. Zone file and record types $ORIGIN example.net. ; everything will be relative to this $TTL 1h ; default TTL could be overwritten later example.net. IN SOA ns1 hostmaster [. . . ] 14 / 32

  22. Zone file and record types $ORIGIN example.net. ; everything will be relative to this $TTL 1h ; default TTL could be overwritten later example.net. IN SOA ns1 hostmaster [. . . ] ; RRset with two records: NS example.net. NS ns1 ; primary authoritative NS example.net. NS ns2.registrar.example. ; secondary 14 / 32

  23. Zone file and record types $ORIGIN example.net. ; everything will be relative to this $TTL 1h ; default TTL could be overwritten later example.net. IN SOA ns1 hostmaster [. . . ] ; RRset with two records: NS example.net. NS ns1 ; primary authoritative NS example.net. NS ns2.registrar.example. ; secondary ns1 A 198.51.100.1 14 / 32

  24. Zone file and record types $ORIGIN example.net. ; everything will be relative to this $TTL 1h ; default TTL could be overwritten later example.net. IN SOA ns1 hostmaster [. . . ] ; RRset with two records: NS example.net. NS ns1 ; primary authoritative NS example.net. NS ns2.registrar.example. ; secondary ns1 A 198.51.100.1 example.net. MX 10 mail ; priority to order multiple MX RRs 14 / 32

  25. Zone file and record types $ORIGIN example.net. ; everything will be relative to this $TTL 1h ; default TTL could be overwritten later example.net. IN SOA ns1 hostmaster [. . . ] ; RRset with two records: NS example.net. NS ns1 ; primary authoritative NS example.net. NS ns2.registrar.example. ; secondary ns1 A 198.51.100.1 example.net. MX 10 mail ; priority to order multiple MX RRs mail AAAA 2001:db8::1 A 198.51.100.2 14 / 32

  26. Zone file and record types $ORIGIN example.net. ; everything will be relative to this $TTL 1h ; default TTL could be overwritten later example.net. IN SOA ns1 hostmaster [. . . ] ; RRset with two records: NS example.net. NS ns1 ; primary authoritative NS example.net. NS ns2.registrar.example. ; secondary ns1 A 198.51.100.1 example.net. MX 10 mail ; priority to order multiple MX RRs mail AAAA 2001:db8::1 A 198.51.100.2 webmail CNAME mail ; alias for a canonical name 14 / 32

  27. Delegation sub.example.net. NS ns.sub.example.net. ns.sub.example.net. A 198.51.100.3 ◮ make ns.sub.example.net. responsible for the sub.example.net. zone ◮ glue record to make the new name server findable ◮ possible misconfigurations 1. missing glue records 2. delegation loops 15 / 32

  28. Outline Domain Name System Authoritative name server Resolver Security 16 / 32

  29. Resolving name server tasks ◮ query: owner, class, type ◮ resolve a query from the root downwards ◮ cache responses based on TTL ◮ changes might only be visible after days Allow access only from your network, never open for everybody 17 / 32

  30. DNS packet layout IP UDP DNS header query answer authoritative additional ID, flags, records number of RRs header c,s QR query or response s AA authoritative answer s TC truncation (TCP as fallback) c RD recursion desired s RA recursion available s 4 bit response code: no error, name error, server failure, refused ◮ number of resource records in each section 18 / 32

  31. DNS packet layout IP UDP DNS header query answer authoritative additional ID, flags, records number of RRs record sections ◮ query: only one record with owner, type, class ◮ answer: answer RRs ◮ authoritative section: name server delegation ◮ additional section: glue records, EDNS pseudo record packet size limited to 512 octets 18 / 32

  32. Lookup stub forwarder recursor IP? in.tum.de. ◮ recursive queries 19 / 32

  33. Lookup k.root-servers.net. 2001:7fd::1 in.tum.de. A de. NS a.nic.de. a.nic.de. A 194.0.0.53 stub forwarder recursor in.tum.de. ◮ recursive queries ◮ iterative queries ◮ glue 19 / 32

  34. Lookup k.root-servers.net. a.nic.de. in.tum.de. A tum.de. NS dns1.lrz.de. stub forwarder recursor dns1.lrz.de A 129.187.19.183 in.tum.de. ◮ recursive queries ◮ iterative queries ◮ glue 19 / 32

  35. Lookup k.root-servers.net. a.nic.de. in.tum.de. A stub forwarder recursor dns1.lrz.de. in.tum.de. A 131.159.0.35 in.tum.de. ◮ recursive queries ◮ iterative queries ◮ glue 19 / 32

  36. Lookup k.root-servers.net. a.nic.de. stub forwarder recursor dns1.lrz.de. in.tum.de. ◮ recursive queries ◮ iterative queries ◮ glue 19 / 32

  37. Lookup k.root-servers.net. a.nic.de. stub forwarder recursor dns1.lrz.de. 131.159.0.35 in.tum.de. ◮ recursive queries ◮ iterative queries ◮ glue 19 / 32

  38. Reverse lookup IPv4 ◮ PTR record type ◮ special domain in-addr.arpa. ◮ 198.51.100.5 → 5.100.51.198.in-addr.arpa. ◮ small subnets require lots of CNAMEs IPv6 ◮ ip6.arpa. ◮ can be delegated per nibble ◮ 2001:db8::1 is: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. 20 / 32

  39. Outline Domain Name System Authoritative name server Resolver Security 21 / 32

Recommend

your exercise iLab 1+2 info event online Tell your friends!

your exercise iLab 1+2 info event online Tell your friends!

The iLab Experience a blended learning hands-on course concept you set the focus Final Lecture Marc-Oliver Pahl, Jul 25, 2017 your exercise iLab 1+2 info event online Tell your friends!

1.81k views • 96 slides
ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network

ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network

ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network Architectures and Services Department for Computer Science Technische Universit at M unchen June 4, 2014 Lukas Grillmayer and Linus Lotz: ilab 2 -

1.39k views • 51 slides
iLab Countersurveillance Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab Countersurveillance Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab Countersurveillance Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Surveillance and operational security 14ws 1 lecture evaluation oral

916 views • 30 slides
ilab Lab 5 DNS and DNSSec History and Motivation of DNS Problem: The Internet needs IP

ilab Lab 5 DNS and DNSSec History and Motivation of DNS Problem: The Internet needs IP

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen ilab Lab 5 DNS and DNSSec History and Motivation of DNS Problem: The Internet needs IP addresses. Human beings do not memorize IP

779 views • 23 slides
ilab Lab 4 TCP/UDP Purpose of the Transport Layer Provides an end to end connectivity to

ilab Lab 4 TCP/UDP Purpose of the Transport Layer Provides an end to end connectivity to

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen ilab Lab 4 TCP/UDP Purpose of the Transport Layer Provides an end to end connectivity to applications application application 4

647 views • 26 slides
iLab TLS and packet filters Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab TLS and packet filters Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab TLS and packet filters Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 7 17ws 1 / 41 Outline Trust Transport Layer Security Packet filter

1.19k views • 43 slides
iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 9 18ss 1 / 36 Outline Introduction Trust architecture Protocols Attacks

663 views • 45 slides
iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 9 16ss 1 / 38 Outline Introduction Trust architecture Protocols Attacks

879 views • 47 slides
iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 6 16ss 1 / 34 Motivation: IPv4 Address Scarcity source:

784 views • 54 slides
course evaluation room for attestations: 03.05.051 iLab Threat modelling, surveillance,

course evaluation room for attestations: 03.05.051 iLab Threat modelling, surveillance,

course evaluation room for attestations: 03.05.051 iLab Threat modelling, surveillance, operational security Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt

986 views • 47 slides
iLab TCP / UDP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab TCP / UDP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab TCP / UDP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 4 14ws 1 Outline Transport Layer UDP TCP MTCP / SCTP 2 Outline

720 views • 32 slides
ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one

ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one

Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one specific port SSL (Secure Socket Layer) /

812 views • 25 slides
iLab 2 Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr

iLab 2 Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr

iLab 2 Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen October 18, 2017 Based on slides of Lukas Schwaighofer 1

678 views • 46 slides
iLab 2 Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr

iLab 2 Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr

iLab 2 Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen April 25, 2017 Based on slides of Lukas Schwaighofer 1

471 views • 10 slides
iLab Static routing Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de

iLab Static routing Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de

iLab Static routing Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 2 17ws 1 / 21 Outline Meta

540 views • 27 slides
The iLab Experience a blended learning hands-on course concept you set the focus Do It Yourself

The iLab Experience a blended learning hands-on course concept you set the focus Do It Yourself

The iLab Experience a blended learning hands-on course concept you set the focus Do It Yourself - Hardware YE - Topic Outline May 29, 2018 10.4. Kick Off, IPv6 1 IPv6 BGP 17.4. 2 Minilab 1 2 mini labs Advanced Wireless Playground BGP

1.64k views • 125 slides
iLab Wireless Networks Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab Wireless Networks Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab Wireless Networks Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 10 16ss 1 / 32 Oral attestations available dates Friday,

521 views • 33 slides
iLab TCP / UDP Minoo Rouhi rouhi@net.in.tum.de Slides by Florian Wohlfart wohlfart@in.tum.de

iLab TCP / UDP Minoo Rouhi rouhi@net.in.tum.de Slides by Florian Wohlfart wohlfart@in.tum.de

iLab TCP / UDP Minoo Rouhi rouhi@net.in.tum.de Slides by Florian Wohlfart wohlfart@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 4 17ws 1 / 43 Outline Meta

1.55k views • 57 slides
iLab Basics Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Basics Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Basics Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 1 15ss 1 Outline Internet protocol architecture MAC addresses Internet protocol

241 views • 21 slides
iL iLab ab Lab 1+2 The Basics / Static Routing Consultation hours We will introduce

iL iLab ab Lab 1+2 The Basics / Static Routing Consultation hours We will introduce

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen iL iLab ab Lab 1+2 The Basics / Static Routing Consultation hours We will introduce consultation hours Starting next week

632 views • 41 slides
iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr

iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr

iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Cryptography 14ss 1 Outline Cryptography

780 views • 54 slides
iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr

iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr

iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Cryptography 15ws 1 / 72 Outline Cryptography

903 views • 88 slides
iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 8 18ss 1 / 29 Outline Overview IPsec databases

563 views • 29 slides
iLab Modern cryptography for communications security a fast rush Benjamin Hof hof@in.tum.de

iLab Modern cryptography for communications security a fast rush Benjamin Hof hof@in.tum.de

iLab Modern cryptography for communications security a fast rush Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Cryptography 16ss 1 / 38 Outline

504 views • 46 slides

More recommend