
DNS/DNSSEC Workshop

In Collaboration with PANDI – Jakarta - Indonesia

Champika Wijayatunga
Regional Security Engagement Manager – Asia Pacific

23-24 November 2017

What is DNS?

A distributed database primarily used to obtain the IP address, a number, e.g., 192.0.32.7 (IPv4) or 2620:0:2d0:200::7 (IPv6), that is associated with a user-friendly name (www.icann.org).

[Diagram: the User sends the DNS Server the query “What is www.icann.org?”; the DNS Server answers “192.0.32.7 or 2620:0:2d0:200::7”.]

DNS Tree

[Diagram: the DNS tree. At the top is the Root, written “.”. Below it are the top-level domains org, net, com, ... au, ... sg. Below those are second-level names such as icann, isoc, ripe, apnic, example and com, and below those third-level names such as www, ssac and example. Names in generic Top Level Domains (org, net, com) and names in country-code TLDs (au, sg) sit in the same tree; the levels are labelled Root, Top-level and Second level.]

FQDN = Fully Qualified Domain Name, e.g. www.icann.org.

DNS Features

What are the Key Features of DNS?

• Globally distributed
• Hierarchical
• Dynamic
• Scalable
• Reliable
• Consistent

DNS Resolution, Servers, and Caching

Root Server Operation

What do the Root-Server Operators do?

• Copy a very small database, the content of which is currently decided by PTI (formerly IANA)
• Put that database in the servers called ‘Root Servers’
• Make the data available to all Internet users
• Work stems from a common agreement about the technical basis
  – Everyone on the Internet should have equal access to the data
  – The entire root system should be as stable and responsive as possible

Root Server Operation @ICANN

+ ICANN is the L-Root Operator

+ L-Root nodes keep Internet traffic local and resolve queries faster

+ Make it easier to isolate attacks

+ Reduce congestion on international bandwidth

+ Redundancy and load balancing with multiple instances

L-Root presence

+ Geographical diversity via Anycast
+ Around 160 dedicated servers
+ Presence on every continent
+ Normally 15 to 25 kqps (thousand queries per second)
+ That is approximately 2 billion DNS queries a day
+ Interested in hosting an L-Root? Contact your ICANN Global Stakeholder Engagement Representative

Types of DNS Servers

• Authoritative Servers
  – Root Servers
  – Primary
  – Secondary
• Recursive Servers
  – Or Recursive Resolvers
  – Or Caching Servers

DNS Resolution Process

Caching

Recursive or Caching Servers not only find answers but also store answers locally for a “TTL” period of time.

TTL = Time To Live

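The resolution process and the caching behaviour described on these slides, as an added example (not code from the workshop or from ICANN): a toy iterative resolver in Python that starts at the root hints, follows referrals down through the org zone to the authoritative server, uses glue when the name server lives inside the delegated zone, resolves the name server's own address separately when it does not, and keeps answers in a cache that honours the TTL. All zone data, server addresses (192.0.2.0/24 documentation space), TTLs and function names are constructed for this example; the simplification that every cache miss restarts at the root is noted in the code.

```python
"""Toy iterative resolver with a TTL-aware cache. Added example, not code from the
workshop slides; all zone data, server addresses and TTLs are constructed for
illustration (192.0.2.0/24 is documentation space) and nothing touches the network."""
import time

# Constructed authoritative data: zone apex -> owner name -> [(type, ttl, rdata)].
ZONES = {
    ".": {
        "org.": [("NS", 172800, "a.org-servers.org.")],
        "a.org-servers.org.": [("A", 172800, "192.0.2.10")],   # glue for org.
        "net.": [("NS", 172800, "a.net-servers.net.")],
        "a.net-servers.net.": [("A", 172800, "192.0.2.40")],   # glue for net.
    },
    "org.": {
        "icann.org.": [("NS", 86400, "ns1.icann.org.")],
        "ns1.icann.org.": [("A", 86400, "192.0.2.20")],        # in-zone NS: glue required
        "example.org.": [("NS", 86400, "ns.example.net.")],    # out-of-zone NS: no glue
    },
    "net.": {"ns.example.net.": [("A", 86400, "192.0.2.50")]},
    "icann.org.": {"www.icann.org.": [("A", 3600, "192.0.2.30")]},
    "example.org.": {"www.example.org.": [("A", 300, "192.0.2.60")]},
}
# Constructed server address -> zone it is authoritative for; ROOT_HINT is the start point.
SERVERS = {"192.0.2.1": ".", "192.0.2.10": "org.", "192.0.2.40": "net.",
           "192.0.2.20": "icann.org.", "192.0.2.50": "example.org."}
ROOT_HINT = "192.0.2.1"

def parent_names(name):
    """www.icann.org. -> www.icann.org., icann.org., org., ."""
    labels = name.rstrip(".").split(".") if name != "." else []
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."

def ask_server(ip, qname, qtype):
    """One simulated query to an authoritative server: answer, referral (NS + glue) or negative."""
    zone, data = SERVERS[ip], ZONES[SERVERS[ip]]
    answer = [rr for rr in data.get(qname, []) if rr[0] == qtype]
    if answer:
        return "answer", answer, {}
    for cand in parent_names(qname):          # closest delegation below the zone apex
        if cand == zone:
            break
        ns_rrs = [rr for rr in data.get(cand, []) if rr[0] == "NS"]
        if ns_rrs:
            glue = {rr[2]: [g for g in data.get(rr[2], []) if g[0] == "A"] for rr in ns_rrs}
            return "referral", ns_rrs, glue
    return "negative", [], {}                 # NXDOMAIN and NODATA not distinguished here

class Resolver:
    """Walks referrals from the root hints and caches answers for their TTL."""

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so callers can advance time
        self.cache = {}               # (name, type) -> (expiry, [rdata])
        self.query_log = []           # (server ip, qname) for every query sent

    def cache_put(self, name, rtype, rrs):
        ttl = min(rr[1] for rr in rrs)
        self.cache[(name, rtype)] = (self.clock() + ttl, [rr[2] for rr in rrs])

    def cache_get(self, name, rtype):
        entry = self.cache.get((name, rtype))
        if entry and entry[0] > self.clock():
            return entry[1]
        self.cache.pop((name, rtype), None)   # absent, or TTL has expired
        return None

    def resolve(self, qname, qtype="A", depth=0):
        hit = self.cache_get(qname, qtype)
        if hit is not None:
            return hit
        if depth > 5:
            raise RuntimeError("too many nested name-server lookups")
        server = ROOT_HINT                    # simplification: every miss restarts at the root
        for _ in range(10):                   # bound the referral chain
            self.query_log.append((server, qname))
            kind, rrs, glue = ask_server(server, qname, qtype)
            if kind == "answer":
                self.cache_put(qname, qtype, rrs)
                return [rr[2] for rr in rrs]
            if kind == "negative":
                return []
            for ns_name, addr_rrs in glue.items():
                if addr_rrs:
                    self.cache_put(ns_name, "A", addr_rrs)
            ns_name = rrs[0][2]               # follow the first listed name server
            addrs = [rr[2] for rr in glue[ns_name]]
            if not addrs:                     # no glue: resolve the NS name separately
                addrs = self.resolve(ns_name, "A", depth + 1)
            if not addrs:
                raise RuntimeError(f"no address for name server {ns_name}")
            server = addrs[0]
        raise RuntimeError("referral chain too long")

if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.icann.org."), r.query_log)
```

Compare query_log after the first and the second lookup of the same name: the second is answered from the cache and sends no query until the 3600-second TTL has elapsed. Resolving www.example.org. costs five queries instead of three because ns.example.net. has no glue in the org zone and must be looked up on its own before the child server can be asked.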
Domain, Delegations and Zones

Domains

[Diagram: the DNS tree again (Root “.”; org, net, com, ... au, sg; icann, isoc, ripe, apnic, example, com; www, learn, example) with three domains outlined: the au domain (au and everything below it), the org domain (org and everything below it) and the icann.org domain (icann.org with www and learn below it).]

Delegations

• Administrators can create subdomains to group hosts
  – According to geography, organizational affiliation etc.
• The authority of such subdomain(s) can be delegated to another party
• The parent domain retains links to the delegated subdomain
  – The parent domain “remembers” to whom the subdomain is delegated

Zones

[Diagram: the same tree with zones outlined next to the domain outlines of the previous slide. The root zone (“.”) holds the top level: org, net, com, ... au, sg. The org zone holds the names directly under org (icann, isoc, ...). The icann.org zone holds www and the delegation point learn, while learn.icann.org is a separate zone of its own. The au domain, org domain and icann.org domain outlines show the contrast: a domain is a whole subtree, a zone is the part of it administered together, ending where authority is delegated.]

Zone Files

Zone Data

• DNS zone data are hosted at an authoritative name server
• DNS zones contain resource records that describe
  – Name servers
  – IP addresses
  – Hosts, Services
  – Cryptographic keys
  – Signatures etc.

Resource Records (RR)

• Consists of resource mappings

  Label   TTL    Class   Type   RData
  www     3600   IN      A      192.168.0.1

• Most common types of RR: A, AAAA, NS, SOA, MX, CNAME

  Field   Function
  Label   Name substitution for FQDN
  TTL     Timing parameter, an expiration limit
  Class   IN for Internet, CH for Chaos
  Type    RR Type (A, AAAA, MX, PTR) for different purposes
  RDATA   Anything after the Type identifier; payload of the record

Zone Files

$TTL 86400 ; 24 hours could have been written as 24h or 1d
$ORIGIN example.test.
@ IN SOA ns1.example.test. hostmaster.example.test. (
        2017092701 ; serial number
        3H ; refresh
        15 ; retry
        1w ; expire
        3h ) ; nxdomain TTL (the closing parenthesis must come before the comment)
  IN NS ns1.example.test. ; in the domain
  IN NS ns2.anotherexample.net. ; external to domain
  IN MX 10 mail.someotherexample.com. ; external mail provider
ns1 IN A 192.168.0.1 ; name server definition
www IN A 192.168.0.2 ; web server definition
ftp IN CNAME www.example.test. ; ftp server definition
host IN A 192.168.0.3 ; host definition

The NS and MX lines start with whitespace, so they inherit the owner of the previous record (@, the zone apex).

Delegating a Zone

• Delegation is done by adding NS records
  – Ex: if example.com wants to delegate training.example.com to another party,

    training.example.test. NS ns1.training.example.test.
    training.example.test. NS ns2.training.example.test.

• Now how can we get to ns1 and ns2?
  – We must add a Glue Record

Glue Record

• Glue is ‘non-authoritative’ data
• Don’t include glue for servers that are not in the sub zones

  training.example.test. NS ns1.training.example.test. ; only these two NS records need glue
  training.example.test. NS ns2.training.example.test. ; (the servers are inside the sub zone)
  training.example.test. NS ns1.another_example.net.   ; no glue: server is outside the sub zone
  training.example.test. NS ns2.another_example.net.   ; no glue: server is outside the sub zone

  ns1.training.example.test. A 192.0.2.1 ; glue record
  ns2.training.example.test. A 192.0.2.2 ; glue record

Delegating a Child Zone from a Parent Zone

example.test (Parent Zone), served by ns.example.test:
1. Add NS records and glue
2. Make sure there is no other data from the training.example.test. zone in the zone file

training.example.test (Child Zone), served by ns.training.example.test:
1. Setup minimum two servers
2. Create zone file with NS records
3. Add all training.example.test data

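The zone-file syntax from the “Zone Files” slide and the delegation and glue rules from the slides that follow, as one added example (not code from the workshop or from ICANN): a Python parser for the $TTL, $ORIGIN, @, omitted-owner and parenthesised-SOA conventions shown above, followed by the check a parent-zone operator would run before publishing: every in-zone name server of a delegation has a glue address record, no address record is carried for name servers outside the zone, and no other child data has been left in the parent file. SAMPLE_ZONE is constructed from the slide's example.test zone with a training.example.test delegation added and two defects planted on purpose; the function names, the RR type list and the problem messages are this example's own.

```python
"""Minimal zone-file parser with delegation and glue checks. Added example, not code
from the workshop slides; SAMPLE_ZONE is constructed from the slides' example.test zone
plus a training.example.test delegation, with two defects planted on purpose."""
import re

TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
RR_TYPES = {"A", "AAAA", "NS", "SOA", "MX", "CNAME", "PTR", "TXT", "DS"}
NAME_TYPES = {"NS", "CNAME", "MX", "SOA", "PTR"}   # RDATA holds names to make absolute

SAMPLE_ZONE = """\
$TTL 86400
$ORIGIN example.test.
@   IN SOA ns1.example.test. hostmaster.example.test. (
        2017092701 ; serial
        3H ; refresh
        15 ; retry
        1w ; expire
        3h ) ; negative-cache TTL
    IN NS ns1.example.test.
ns1 IN A 192.168.0.1
training      IN NS ns1.training.example.test.   ; delegation: in-zone server, needs glue
training      IN NS ns2.training.example.test.   ; planted defect 1: no glue below
training      IN NS ns1.another-example.net.     ; out-of-zone server, no glue wanted
ns1.training  IN A  192.0.2.1                    ; glue for ns1
host.training IN A  192.0.2.9                    ; planted defect 2: child data in parent
"""

def parse_ttl(tok):
    """3600, 3H, 1w ... -> seconds; None if the token is not a TTL."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", tok, re.IGNORECASE)
    return int(m.group(1)) * TTL_UNITS[m.group(2).lower() or "s"] if m else None

def absolute(name, origin):
    """Expand @ and relative names against $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    assert origin, f"relative name {name} before $ORIGIN"
    return name + "." if origin == "." else f"{name}.{origin}"

def logical_lines(text):
    """Strip ; comments, join ( ... ) continuations, flag lines whose owner is omitted."""
    buf, depth, first = [], 0, ""
    for raw in text.splitlines():
        code = raw.split(";", 1)[0]
        first = first if buf else raw            # owner column comes from the first line
        buf.append(code)
        depth += code.count("(") - code.count(")")
        if depth == 0:
            toks = " ".join(buf).replace("(", " ").replace(")", " ").split()
            buf = []
            if toks:
                yield toks, first[:1].isspace()

def parse_zone(text, origin=None):
    """Return [(owner, ttl, class, type, [rdata tokens])] with all names absolute."""
    records, default_ttl, owner = [], None, None
    for toks, owner_omitted in logical_lines(text):
        if toks[0] == "$TTL":
            default_ttl = parse_ttl(toks[1])
        elif toks[0] == "$ORIGIN":
            origin = toks[1] if toks[1].endswith(".") else toks[1] + "."
        else:
            if not owner_omitted:                     # blank owner = same as previous record
                owner = absolute(toks.pop(0), origin)
            ttl, rclass = default_ttl, "IN"
            while toks[0].upper() not in RR_TYPES:    # optional TTL and class, either order
                tok = toks.pop(0)
                if tok.upper() in ("IN", "CH"):
                    rclass = tok.upper()
                else:
                    ttl = parse_ttl(tok)
            rtype = toks.pop(0).upper()
            if rtype in NAME_TYPES:                   # expand relative names in RDATA
                toks = [t if parse_ttl(t) is not None else absolute(t, origin) for t in toks]
            records.append((owner, ttl, rclass, rtype, toks))
    return records

def delegation_checks(records, apex):
    """Report delegation problems in parent zone `apex` (the checks the slides call for)."""
    rrsets = {}
    for owner, _ttl, _cls, rtype, rdata in records:
        rrsets.setdefault((owner, rtype), []).append(rdata)
    children = {o for (o, t) in rrsets if t == "NS" and o != apex}
    glue_names = {rd[0] for c in children for rd in rrsets[(c, "NS")]}
    problems = []
    for child in children:
        for (ns,) in rrsets[(child, "NS")]:
            has_addr = (ns, "A") in rrsets or (ns, "AAAA") in rrsets
            if ns.endswith("." + child) and not has_addr:
                problems.append(f"{child}: in-zone name server {ns} has no glue")
            elif not ns.endswith("." + apex) and has_addr:
                problems.append(f"{child}: {ns} is outside the zone, do not add glue for it")
        for owner, rtype in [k for k in rrsets if k[0] == child or k[0].endswith("." + child)]:
            if not ((owner == child and rtype in ("NS", "DS")) or
                    (rtype in ("A", "AAAA") and owner in glue_names)):
                problems.append(f"{owner} {rtype}: belongs in child zone {child}, not in the parent")
    return problems
```

Calling delegation_checks(parse_zone(SAMPLE_ZONE), "example.test.") reports exactly the two planted defects: ns2.training.example.test. is named as a name server of the delegated zone but has no glue address, and host.training.example.test. is child data that should live only in the training.example.test zone file. A name server outside the zone (ns1.another-example.net.) needs nothing in the parent, so it is not reported; had an address record been added for it, the second check would flag it.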
Engage with ICANN – Thank You and Questions

Visit us at icann.org Email: champika.wijayatunga@icann.org
