Define Domain Name Systems
A Domain Name System (DNS) is a hierarchical, distributed database that assigns and translates names to computers and other resources. Its naming system provides a means of locating these resources that is stable and doesn't depend on their physical location, using names that are relatively easy for humans to remember such as email addresses and Uniform Resource Locators (URLs).
History
Prior to 1983, when DNSs were developed, it was still common practice to assign names that were more meaningful to humans in place of numeric addresses for hosts on a network. Every computer on the network would retrieve a "hosts" file that mapped the numeric addresses to the more user-friendly names. However, when the Internet began expanding rapidly, this system was very inefficient, and Paul Mockapetris invented the DNS as an alternative that would be highly scalable and fault-tolerant.
Domain Names
DNSs resolve domain names to IP addresses. To locate computers and other resources on the Internet, there are two namespaces that act as addresses but are location-independent. One is the Internet Protocol (IP) address system. An IP address is a 32-bit (IPv4) or 128-bit (IPv6) number unique to that resource. Since most people find it difficult to remember these strings of numbers, a second namespace, the domain name hierarchy, is an abstraction of the numeric IP address that is more meaningful to humans.
DNSs translate, or resolve, addresses in one namespace to the other. For example, when you type a URL into the address bar of your browser, the browser queries the DNS, which resolves the easy-to-remember host name in the URL, like www.google.com in http://www.google.com, into the IP address of the server you want to access.
Domain names are organized into hierarchies that make them easier to locate. For example, the top-level domains are visible in the domain names of URLs, where a ".edu" ending signifies a branch of the hierarchy for US educational institutions, and ".com" indicates a commercial entity.
DNS Components
A DNS consists of three components:
First, there is the domain namespace and resource records. The information in the namespace is organized as an inverted tree, where each node contains information that the DNS uses to respond to queries. Resource records can be used to maintain the DNS database, or they may contain information to respond to queries.
A second component is the name server. Name servers store resource records and information about their part of the namespace tree. If the requested information is on that name server, it responds to the query directly; otherwise it returns a pointer (a referral) to the name server that does contain the information.
The third component is the resolver. Resolvers are programs, run on both DNS clients (users requesting information) and DNS servers, that create the actual name server queries and interpret the answers.
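The resolver and the name server exchange messages in the binary wire format of RFC 1035: a 12-byte header, a question section naming what is asked, and resource records in the answer. The following added example (not code from the original article) encodes a query the way a resolver does, builds a constructed answer the way an authoritative server would, and parses it back, including the name-compression pointer that answers use to avoid repeating the question name. All names and addresses are constructed; `192.0.2.1` is a documentation address.

```python
import struct

# Record type and class codes from RFC 1035 (only the ones used here).
TYPE_A = 1
CLASS_IN = 1


def encode_name(name):
    """Encode a domain name as RFC 1035 labels: length byte + label, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label or len(label) > 63:
            raise ValueError("invalid label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=TYPE_A):
    """Build a single-question query; flags 0x0100 = standard query with Recursion Desired set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg, offset):
    """Decode a name at `offset`, following compression pointers; return (name, offset after name)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer: top bits 11, low 14 bits = target offset
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name ends right after the first pointer
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels) + ".", end


def parse_response(msg):
    """Parse the header, question section and answer section of a DNS message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        qname, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype, qclass))
    answers = []
    for _ in range(ancount):
        rname, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == TYPE_A and rdlength == 4:
            rdata = ".".join(str(b) for b in rdata)  # render IPv4 address as dotted quad
        answers.append((rname, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def build_response(query, address, ttl=300):
    """Constructed authoritative answer: echo the question, add one A record whose owner name
    is a compression pointer (0xC00C) back to the question name at offset 12."""
    txid, _, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]  # name + qtype + qclass
    header = struct.pack("!HHHHHH", txid, 0x8180, qdcount, 1, 0, 0)  # QR=1, RD=1, RA=1
    rdata = bytes(int(part) for part in address.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return header + question + answer


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    print(parse_response(build_response(q, "192.0.2.1")))
```

A real resolver would send `build_query`'s bytes over UDP port 53 and feed the reply to `parse_response`; the example keeps both ends in one process so the format itself is what is on display.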
Distribution
DNSs rely on distributed name servers. As mentioned above, DNSs are distributed, hierarchical systems. The fact that all the information is not contained on a single server makes the entire system more fault-tolerant and scalable: as the number of domain names increases, more name servers can be added to balance the load.
Each name server is a node in the database, and every domain has at least one authoritative name server, or a name server that contains the information that will allow a client to access it. Since every name server is responsible for a particular subdivision of the namespace, resolvers at the client and server ends can identify which name server will contain the requested information.
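The hierarchy described under "Domain Names" and the distribution described here come together in iterative resolution: a resolver starts at the root, and each server that does not hold the answer refers it one level down the inverted tree. The following added example (not code from the original article) models a handful of constructed in-memory name servers, each authoritative for one slice of the namespace, and a resolver that walks the referrals; the server names, zone names and `192.0.2.x` / `198.51.100.x` addresses are all made up for illustration.

```python
# Constructed in-memory "name servers" (not real hosts). Each holds only the records for the part
# of the namespace it is responsible for: either answers (A) or referrals (NS) to a server one
# level further down the tree. The value of an NS record here is simply the key of that server.
SERVERS = {
    "root": {
        "com.": [("NS", "com-tld")],
        "edu.": [("NS", "edu-tld")],
    },
    "com-tld": {
        "example.com.": [("NS", "ns-example")],
    },
    "edu-tld": {
        "example.edu.": [("NS", "ns-example-edu")],
    },
    "ns-example": {
        "example.com.": [("A", "192.0.2.10")],
        "www.example.com.": [("A", "192.0.2.10")],
        "mail.example.com.": [("A", "192.0.2.25")],
    },
    "ns-example-edu": {
        "www.example.edu.": [("A", "198.51.100.5")],
    },
}


def ancestors(name):
    """Walk up the inverted tree from a name to the root:
    'www.example.com.' -> ['www.example.com.', 'example.com.', 'com.', '.']"""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def resolve(name, server="root", trail=None, max_hops=10):
    """Iteratively resolve `name` starting at `server`; returns (addresses, servers visited)."""
    name = name.rstrip(".").lower() + "."
    trail = [] if trail is None else trail
    if len(trail) >= max_hops:
        raise RuntimeError("referral loop while resolving %s" % name)
    trail.append(server)
    records = SERVERS[server]

    # Authoritative answer available on this server?
    addresses = [value for rtype, value in records.get(name, []) if rtype == "A"]
    if addresses:
        return addresses, trail

    # Otherwise follow the most specific referral this server holds for any ancestor of the name.
    for zone in ancestors(name):
        referrals = [value for rtype, value in records.get(zone, []) if rtype == "NS"]
        if referrals:
            return resolve(name, referrals[0], trail, max_hops)

    raise LookupError("%s: no such name (server %r has neither answer nor referral)" % (name, server))


if __name__ == "__main__":
    for host in ("www.example.com", "mail.example.com", "www.example.edu"):
        addresses, visited = resolve(host)
        print(host, "->", addresses, "via", " -> ".join(visited))
```

The `trail` returned alongside the answer is the chain of servers consulted, which is exactly the hierarchy the domain name encodes read from right to left; the `max_hops` guard is what a real resolver also needs so that a misconfigured delegation cannot send it around in circles.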
Security
Because DNSs were not originally designed with security in mind, there are several possible vulnerabilities with the DNS model. For example, there is a class of DNS cache poisoning attacks where an attacker tricks the DNS server into thinking it has received authentic information when it has not. This could be used to direct users requesting a particular site to a different address, specified by the attacker.
Traditionally, DNS responses weren't cryptographically signed, making it easier to intercept and alter the messages. The Domain Name System Security Extensions (DNSSEC) now add support for cryptographically signed responses. However, even with signed responses, viruses or phishing attacks could still be used to misdirect users to an address of the attacker's choosing.
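The cache poisoning problem above is, from the resolver's side, a question of which responses it is willing to trust. The following added example (not code from the original article) shows the checks a caching resolver applies before it stores anything: the response's transaction ID must belong to a query it actually sent, the question section must echo that query, and only records inside the "bailiwick" of the server that was asked (the zone it is responsible for) are cached. The `ValidatingCache`, `Pending` and `Response` types, the names and the `192.0.2.x` / `203.0.113.x` addresses are constructed for this illustration; a production resolver additionally randomizes the UDP source port and, with DNSSEC, verifies signatures.

```python
from dataclasses import dataclass
import secrets


@dataclass
class Pending:
    """One outstanding query the resolver sent, remembered until its answer arrives."""
    txid: int
    qname: str
    qtype: str
    bailiwick: str  # zone the queried server is authoritative for, e.g. "example.com."


@dataclass
class Response:
    """A response as the resolver sees it after parsing (constructed, simplified)."""
    txid: int
    qname: str
    qtype: str
    records: list  # (owner name, type, value, ttl)


def in_bailiwick(owner, zone):
    """True if `owner` is `zone` itself or lies below it in the name tree."""
    owner, zone = owner.lower(), zone.lower()
    return zone == "." or owner == zone or owner.endswith("." + zone)


class ValidatingCache:
    def __init__(self):
        self.cache = {}    # (name, type) -> (value, ttl)
        self.pending = {}  # txid -> Pending (simplification: one query per id at a time)

    def new_query(self, qname, qtype, bailiwick, txid=None):
        """Register an outgoing query. The ID is drawn from a CSPRNG so it cannot be predicted;
        a fixed `txid` may be supplied for testing."""
        if txid is None:
            txid = secrets.randbelow(1 << 16)
        self.pending[txid] = Pending(txid, qname.lower(), qtype, bailiwick)
        return txid

    def accept(self, resp):
        """Validate `resp` against the pending query; returns (accepted, reason, cached keys)."""
        pending = self.pending.get(resp.txid)
        if pending is None:
            return False, "unexpected transaction id", []
        if resp.qname.lower() != pending.qname or resp.qtype != pending.qtype:
            return False, "question section does not match query", []
        del self.pending[resp.txid]  # consumed: a duplicate of this answer is now unsolicited
        cached = []
        for owner, rtype, value, ttl in resp.records:
            if not in_bailiwick(owner, pending.bailiwick):
                continue  # a server for example.com. has no business telling us about other zones
            self.cache[(owner.lower(), rtype)] = (value, ttl)
            cached.append((owner.lower(), rtype))
        return True, "accepted", cached


if __name__ == "__main__":
    cache = ValidatingCache()
    txid = cache.new_query("www.example.com.", "A", "example.com.")
    good = Response(txid, "www.example.com.", "A", [("www.example.com.", "A", "192.0.2.10", 300)])
    print(cache.accept(good))
    print(cache.accept(good))  # second copy is rejected: the query is no longer pending
```

The three checks are independent: a mismatched ID rejects the whole message, a mismatched question rejects the whole message, and an out-of-bailiwick record is dropped individually while the rest of the answer is kept.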