DNS & Nat & VPN

The document discusses the history and operation of the Domain Name System (DNS). It explains that DNS acts as a globally distributed database that translates human-friendly domain names to IP addresses. The DNS database is replicated across multiple name servers to provide scalability, reliability, and loose coherency. ICANN oversees the management and coordination of DNS root servers and top-level domains.

Uploaded by

Devendra Bhavsar

Application Layer Protocols

DNS & NAT


DNS History (1)
• ARPANET utilized a central file HOSTS.TXT
– Contains names to addresses mapping
– Maintained by SRI’s NIC (Stanford Research Institute: Network Information Center)
• Administrators email changes to NIC
– NIC updates HOSTS.TXT periodically
• Administrators FTP (download) HOSTS.TXT
DNS History (2)
• As the system grew, HOSTS.TXT had problems with:
– Scalability (traffic and load)
– Name collisions
– Consistency
• In 1984, Paul Mockapetris released the first version (RFCs 882 and 883, superseded by 1034 and 1035 …)
The DNS is…
• The “Domain Name System”
• What Internet users use to reference anything
by name on the Internet
• The mechanism by which Internet software
translates names to attributes such as
addresses
The DNS is also…
• A globally distributed, scalable, reliable database
• Comprised of three components
– A “name space”
– Servers making that name space available
– Resolvers (clients) which query the servers about the name
space
DNS as a Lookup Mechanism
• Users generally prefer names to numbers
• Computers prefer numbers to names
• DNS provides the mapping between the two
– I have “x”, give me “y”
DNS as a Database
• Keys to the database are “domain names”
– www.foo.com, 18.in-addr.arpa, 6.4.e164.arpa
• Over 200,000,000 domain names stored
• Each domain name contains one or more
attributes
– Known as “resource records”
• Each attribute individually retrievable
Name Server Architecture
Figure: a name server process holds authoritative data (zone data loaded from a disk file on the master, plus primary master and slave zones received by zone transfer), cache data (responses from other name servers), and an agent that looks up queries on behalf of resolvers.
DNS Message Format
• A DNS message is a 12-byte header followed by four sections: question, answer, authoritative, and additional
• Header fields (2 bytes each):
– Identification
– Flags
– Number of Question Records
– Number of Answer Records (zeroed in query)
– Number of Authoritative Records (zeroed in query)
– Number of Additional Records (zeroed in query)
• Flags field, bit by bit: QR, OpCode, AA, TC, RD, RA, three zero bits, rCode
– QR: 0 = query, 1 = response
– OpCode: 0 = standard, 1 = inverse, 2 = server status request
– AA: Authoritative Answer flag
– TC: Truncated flag
– RD: Recursion Desired flag
– RA: Recursion Available flag
– rCode: 0 no error, 1 format error, 2 problem at name server, 3 domain reference problem, 4 query type not supported, 5 administratively prohibited, 6-15 reserved
Transport
• Over UDP: IP header | UDP header | DNS message (max. 512 bytes)
• Over TCP: IP header | TCP header | 2-byte DNS msg. length | DNS message (no limit, up to max. TCP payload size)
● DNS messages are encapsulated in UDP by default.
● If the resolver expects the response to exceed 512 bytes, the resolver encapsulates the query in TCP instead.
● If a request is sent over UDP and the response is longer than 512 bytes, the server sends the first 512 bytes of the response using UDP and sets the TC (truncated) flag. The resolver then re-sends the query using TCP.
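As an added example (not from the original slides), the following Python builds and parses the 12-byte header described above, applies the 512-byte UDP rule by cutting a long response and setting TC, frames the TCP retry with its 2-byte length prefix, and checks that a reply carries the ID of the outstanding query before a resolver accepts it. The function names and the constructed messages are this example's own, not part of any DNS implementation.

```python
import struct

# Bit positions inside the 16-bit Flags field: QR(15) OpCode(14-11) AA(10) TC(9) RD(8) RA(7) Z(6-4) rCode(3-0)
QR_BIT, OPCODE_SHIFT, AA_BIT, TC_BIT, RD_BIT, RA_BIT = 15, 11, 10, 9, 8, 7
RCODE_NAMES = {
    0: "no error", 1: "format error", 2: "problem at name server",
    3: "domain reference problem", 4: "query type not supported",
    5: "administratively prohibited",
}
UDP_MAX = 512  # classic DNS-over-UDP payload limit from the slide
HEADER = struct.Struct("!HHHHHH")  # ID, Flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def build_header(ident, qr=0, opcode=0, aa=0, tc=0, rd=1, ra=0, rcode=0,
                 qdcount=1, ancount=0, nscount=0, arcount=0):
    """Pack the 12-byte header: identification, flags, then the four record counts."""
    flags = ((qr << QR_BIT) | (opcode << OPCODE_SHIFT) | (aa << AA_BIT) | (tc << TC_BIT)
             | (rd << RD_BIT) | (ra << RA_BIT) | (rcode & 0xF))
    return HEADER.pack(ident, flags, qdcount, ancount, nscount, arcount)


def parse_header(data):
    """Unpack the header into a dict; anything shorter than 12 bytes is malformed."""
    if len(data) < HEADER.size:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = HEADER.unpack(data[:HEADER.size])
    rcode = flags & 0xF
    return {
        "id": ident,
        "qr": (flags >> QR_BIT) & 1,
        "opcode": (flags >> OPCODE_SHIFT) & 0xF,
        "aa": (flags >> AA_BIT) & 1,
        "tc": (flags >> TC_BIT) & 1,
        "rd": (flags >> RD_BIT) & 1,
        "ra": (flags >> RA_BIT) & 1,
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, "reserved"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def udp_response(full_response):
    """Server side: a response that does not fit in 512 bytes is cut to 512 bytes
    and sent with the TC flag set, so the resolver knows to retry over TCP."""
    if len(full_response) <= UDP_MAX:
        return full_response
    h = parse_header(full_response)
    truncated_header = build_header(
        h["id"], qr=1, opcode=h["opcode"], aa=h["aa"], tc=1, rd=h["rd"], ra=h["ra"],
        rcode=h["rcode"], qdcount=h["qdcount"], ancount=h["ancount"],
        nscount=h["nscount"], arcount=h["arcount"])
    return truncated_header + full_response[HEADER.size:UDP_MAX]


def needs_tcp_retry(response):
    """Resolver side: a UDP reply with TC set must be re-asked over TCP."""
    return parse_header(response)["tc"] == 1


def tcp_frame(message):
    """Over TCP the DNS message is preceded by a 2-byte big-endian length."""
    return struct.pack("!H", len(message)) + message


def tcp_unframe(stream):
    """Read one length-prefixed DNS message from the start of a TCP byte stream."""
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]


def accept_response(query, response):
    """Resolver sanity check: the reply must be a response (QR=1) carrying the same
    ID as the outstanding query. A reply with a different ID is discarded, which is
    the most basic defence a resolver has against spoofed answers."""
    q, r = parse_header(query), parse_header(response)
    return r["qr"] == 1 and r["id"] == q["id"]
```

The 16-bit ID on its own is a weak check (only 65,536 values), which is one reason the slides later point to DNSSEC; real resolvers additionally randomise the source port and verify that the answer matches the question they asked.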
There are a limited number of top-level domains
(TLDs), including:

• .edu, educational
• .com, commercial
• .gov, government
• .org, non profit
• .net, networking organizations

These are called “generic” TLDs.


There are also country code top-level domain
names for every nation, like:
• .us, United States
• .mx, Mexico
• .cl, Chile
• .uk, United Kingdom
• .tv, Tuvalu

These are called “country code” top-level domains (ccTLDs).

The organization or host does not necessarily have to be in the country to register the name. For example, .tv is popular everywhere.
Some TLDs use a four-level hierarchy
• http://www.google.co.uk/
• http://www.unam.edu.mx/
• http://www.ox.ac.uk/
• http://www.google.com.mx/
Global Distribution
• Data is maintained locally, but retrievable
globally
– No single computer has all DNS data
• DNS lookups can be performed by any device
• Remote DNS data is locally cachable to
improve performance
Loose Coherency
• Each version of a subset of the database (a zone) has
a serial number
– The serial number is incremented on each database change
• Changes to the master copy of the database are
propagated to replicas according to timing set by the
zone administrator
• Cached data expires according to timeout set by zone
administrator
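The three bullets above describe loose coherency: the master, its slaves, and resolver caches can all hold a different idea of the same zone at one instant. As an added example (not from the original slides), this Python simulates that timeline with an explicit clock: a master zone whose serial is bumped on every change, a slave that polls at its refresh interval and transfers only when the master's serial is newer (compared with RFC 1982 serial arithmetic so a 32-bit wrap is handled), and a cache that keeps an answer until its TTL expires. The class names, the refresh and TTL values, and the 192.0.2.x addresses are constructed for the example.

```python
SERIAL_MOD = 2 ** 32


def serial_newer(a, b):
    """RFC 1982 comparison for 32-bit zone serials: a is newer than b when it is
    ahead by less than 2**31. This keeps working when the serial wraps past 2**32 - 1."""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    if a == b:
        return False
    return (a > b and a - b < 2 ** 31) or (a < b and b - a > 2 ** 31)


class MasterZone:
    """Master copy of one zone; every change increments the serial."""

    def __init__(self, serial, refresh, records):
        self.serial, self.refresh, self.records = serial, refresh, dict(records)

    def update(self, name, rrset):
        self.records[name] = rrset
        self.serial = (self.serial + 1) % SERIAL_MOD


class SlaveZone:
    """Replica that checks the master every `refresh` seconds and transfers the
    zone only if the master's serial is newer than its own."""

    def __init__(self, master, now):
        self.master = master
        self.serial = master.serial
        self.records = dict(master.records)
        self.next_check = now + master.refresh

    def poll(self, now):
        if now < self.next_check:
            return False
        self.next_check = now + self.master.refresh
        if serial_newer(self.master.serial, self.serial):
            self.serial = self.master.serial
            self.records = dict(self.master.records)
            return True
        return False


class ResolverCache:
    """Cached answers live until their TTL runs out, whatever the master does meanwhile."""

    def __init__(self):
        self.entries = {}

    def put(self, name, rrset, ttl, now):
        self.entries[name] = (rrset, now + ttl)

    def get(self, name, now):
        hit = self.entries.get(name)
        if hit is None:
            return None
        rrset, expires = hit
        if now >= expires:
            del self.entries[name]  # expired: the resolver must ask again
            return None
        return rrset


def coherency_timeline():
    """Constructed scenario: the master changes www at t=10 s; the slave refresh is
    3600 s and the cached answer has a 300 s TTL. Returns, for a few instants,
    (master view, slave view, cached view) of what www resolves to."""
    master = MasterZone(serial=2024010101, refresh=3600, records={"www": ["192.0.2.1"]})
    slave = SlaveZone(master, now=0)
    cache = ResolverCache()
    cache.put("www", slave.records["www"], ttl=300, now=0)
    master.update("www", ["192.0.2.2"])  # happens at t = 10
    observed = {}
    for t in (10, 299, 300, 3600):
        slave.poll(t)
        observed[t] = (master.records["www"][0], slave.records["www"][0], cache.get("www", t))
    return observed
```

Between t=10 and t=3600 the slave still serves the old address and the cache serves it until t=300: that window of disagreement is exactly what "loose coherency" means, and its length is set by the zone administrator's refresh and TTL values.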
Scalability
• No limit to the size of the database
• No limit to the number of queries
– Tens of thousands of queries handled easily every
second
• Queries distributed among masters, slaves,
and caches
Reliability
• Data is replicated
– Data from master is copied to multiple slaves
• Clients can query
– Master server
– Any of the copies at slave servers
• Clients will typically query local caches
• DNS protocols can use either UDP or TCP
– If UDP, DNS protocol handles retransmission, sequencing,
etc.
Dynamicity
• Database can be updated dynamically
– Add/delete/modify of any record
– Only master can be dynamically updated

• Modification of the master database triggers


replication
Domain Names
• A domain name is the sequence of labels from a node to the root,
separated by dots (“.”s), read left to right
– The name space has a maximum depth of 127 levels
– Domain names are limited to 255 characters in length
• A node’s domain name identifies its position in the name space
""

com edu gov int mil net org

nominum metainfo berkeley nwu nato army uu

west east www

dakota tornado
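As an added example (not from the original slides), the following Python turns the rules above into code: a name is the sequence of labels from a node to the root, encoded on the wire as length-prefixed labels ending in a zero byte, with the 127-level and 255-character limits enforced (plus the 63-octet label limit from RFC 1035). The decoder also follows RFC 1035 compression pointers and rejects pointer loops and labels that run past the end of the buffer, which is where name parsers usually go wrong. The helper names are this example's own.

```python
MAX_NAME_LEN = 255   # octets on the wire, from the slide
MAX_LABEL_LEN = 63   # RFC 1035: a label is at most 63 octets
MAX_DEPTH = 127      # maximum depth of the name space, from the slide


def path_to_root(name):
    """The domain names of a node and each of its ancestors up to the root."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def encode_name(name):
    """Encode a dotted name as length-prefixed labels terminated by the root (0x00)."""
    name = name.rstrip(".")
    labels = name.split(".") if name else []
    if len(labels) > MAX_DEPTH:
        raise ValueError("name deeper than 127 levels")
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not raw or len(raw) > MAX_LABEL_LEN:
            raise ValueError("label must be 1..63 octets")
        out.append(len(raw))
        out += raw
    out.append(0)
    if len(out) > MAX_NAME_LEN:
        raise ValueError("name longer than 255 octets")
    return bytes(out)


def decode_name(data, offset=0):
    """Decode a name starting at `offset`; returns (name, offset of the next field).
    Compression pointers (top two bits 11) may only point backwards, and each pointer
    must point further back than the last, so a malicious loop cannot hang the parser."""
    labels = []
    end = None                 # next-field offset is fixed by the first pointer seen
    highest_allowed = offset
    while True:
        if offset >= len(data):
            raise ValueError("name runs past the end of the message")
        length = data[offset]
        if length & 0xC0 == 0xC0:
            if offset + 1 >= len(data):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | data[offset + 1]
            if target >= highest_allowed:
                raise ValueError("compression pointer loop or forward pointer")
            if end is None:
                end = offset + 2
            highest_allowed = target
            offset = target
            continue
        if length > MAX_LABEL_LEN:
            raise ValueError("label longer than 63 octets (or reserved length bits)")
        if length == 0:
            return ".".join(labels) + ".", (end if end is not None else offset + 1)
        label = data[offset + 1:offset + 1 + length]
        if len(label) != length:
            raise ValueError("label runs past the end of the message")
        labels.append(label.decode("ascii"))
        offset += 1 + length
        if len(labels) > MAX_DEPTH:
            raise ValueError("name deeper than 127 levels")


def is_valid_name(name):
    try:
        encode_name(name)
        return True
    except ValueError:
        return False


def safe_decode(data, offset=0):
    """Decode, returning None instead of raising for malformed wire names."""
    try:
        return decode_name(data, offset)
    except ValueError:
        return None
```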
Internet Corporation for Assigned Names
and Numbers (ICANN)
• ICANN’s role: to oversee the management of Internet
resources including
– Addresses
• Delegating blocks of addresses to the regional registries
– Protocol identifiers and parameters
• Allocating port numbers, etc.
– Names
• Administration of the root zone file
• Oversee the operation of the root name servers
The Root Nameservers
• The root zone file lists the names and IP addresses of the authoritative DNS servers for all top-level domains (TLDs)
• The root zone file is published on 13 servers, “A” through “M”, around the Internet
• Root name server operations currently provided by volunteer efforts by a very diverse set of organizations
Root Name Server Operators
Nameserver Operated by:
A Verisign (US East Coast)
B University of S. California –Information Sciences Institute (US West Coast)
C Cogent Communications (US East Coast)
D University of Maryland (US East Coast)
E NASA (Ames) (US West Coast)
F Internet Software Consortium (US West Coast)
G U. S. Dept. of Defense (ARL) (US East Coast)
H U. S. Dept. of Defense (DISA) (US East Coast)
I Autonomica (SE)
J Verisign (US East Coast)
K RIPE-NCC (UK)
L ICANN (US West Coast)
M WIDE (JP)
Registries, Registrars, and Registrants
• A classification of roles in the operation of a domain name space
• Registry
– the name space’s database
– the organization which has edit control of that database
– the organization which runs the authoritative name servers for that
name space
• Registrar
– the agent which submits change requests to the registry on behalf
of the registrant
• Registrant
– the entity which makes use of the domain name
Registries, Registrars, and Registrants
Figure: registrants (end users) request add/modify/delete from a registrar; each registrar submits the add/modify/delete to the registry; the registry updates its zone DB, the master is updated, and the master then updates the slaves.
Load Concerns
• DNS can handle the load
– DNS root servers get approximately 3000 queries
per second
• Empirical proofs (DDoS attacks) show root name
servers can handle 50,000 queries per second
– Limitation is network bandwidth, not the DNS protocol
– in-addr.arpa zone, which translates numbers to
names, gets about 2000 queries per second
Performance Concerns
• DNS is a very lightweight protocol
– Simple query – response
• Any performance limitations are the result of
network limitations
– Speed of light
– Network congestion
– Switching/forwarding latencies
Security Concerns
• Base DNS protocol (RFC 1034, 1035) is insecure
– DNS spoofing (cache poisoning) attacks are possible
• DNS Security Enhancements (DNSSEC, RFC 2565)
remedies this flaw
– But creates new ones
• DoS attacks
• Amplification attacks
• DNSSEC strongly discourages large flat zones
– Hierarchy (delegation) is good
Network Address Translation
• RFC-1631
• A short term solution to the problem of the
depletion of IP addresses
– Long term solution is IP v6 (or whatever is finally
agreed on)
– CIDR (Classless InterDomain Routing) is a possible short term solution
– NAT is another
• NAT is a way to conserve IP addresses
– Hide a number of hosts behind a single IP address
– Use:
• 10.0.0.0-10.255.255.255,
• 172.16.0.0-172.32.255.255 or
• 192.168.0.0-192.168.255.255 for local networks
Network Address Translation (NAT)
• NAT is a router function where IP addresses (and possibly port numbers) of IP datagrams are replaced at the boundary of a private network
• NAT is a method that enables hosts on private networks to communicate with hosts on the Internet
• NAT is run on routers that connect private networks to the public Internet, to replace the IP address-port pair of an IP packet with another IP address-port pair.
Basic Operation of NAT
• NAT device has address translation table
• One to one address translation
Pooling of IP Addresses
• Scenario: Corporate network has many hosts but only
a small number of public IP addresses
• NAT solution:
– Corporate network is managed with a private address
space
– NAT device, located at the boundary between the
corporate network and the public Internet, manages a pool
of public IP addresses
– When a host from the corporate network sends an IP
datagram to a host in the public Internet, the NAT device
picks a public IP address from the address pool, and binds
this address to the private address of the host

Pooling of IP Addresses
Figure: host H1 (private address 10.0.1.2) on the private network sends to H5 (public address 213.168.112.3) on the Internet. The NAT device rewrites Source = 10.0.1.2, Destination = 213.168.112.3 to Source = 128.143.71.21, Destination = 213.168.112.3 and records the private/public address binding in its table. Pool of addresses: 128.143.71.0-128.143.71.30.
Supporting Migration between Network Service Providers
• Scenario: In CIDR, the IP addresses in a corporate network are obtained
from the service provider. Changing the service provider requires changing
all IP addresses in the network.
• NAT solution:
– Assign private addresses to the hosts of the corporate network
– NAT device has static address translation entries which bind the
private address of a host to the public address.
– Migration to a new network service provider merely requires an
update of the NAT device. The migration is not noticeable to the hosts
on the network.
Note:
– The difference to the use of NAT with IP address pooling is that the
mapping of public and private IP addresses is static.

IP Masquerading
• Also called: Network address and port
translation (NAPT), port address translation
(PAT).
• Scenario: Single public IP address is mapped to
multiple hosts in a private network.
• NAT solution:
– Assign private addresses to the hosts of the corporate
network
– NAT device modifies the port numbers for outgoing
traffic

Translation Modes
• Dynamic Translation (IP Masquerading)
– large number of internal users share a single external address
• Static Translation
– a block of external addresses is translated to a same size block of internal addresses
• Load Balancing Translation
– a single incoming IP address is distributed across a number of
internal servers
• Network Redundancy Translation
– multiple internet connections are attached to a NAT Firewall that
it chooses and uses based on bandwidth, congestion and
availability.
Dynamic Translation (IP Masquerading)
• Also called Network Address and Port Translation (NAPT)
• Individual hosts inside the firewall are identified by the port number of each connection flowing through the firewall.
– Since a connection doesn’t exist until an internal host requests one through the firewall to an external host, and most firewalls open ports only for the addressed host, only that host can route back into the internal network
• IP source routing could route back in; but most firewalls block incoming source routed packets
• NAT only prevents external hosts from making connections to internal hosts.
• Some protocols won’t work: protocols that rely on separate connections back into the local network
• Theoretical max of 2^16 connections, actual is much less
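The pooling scenario, the IP masquerading scenario, and the translation modes above all come down to one data structure: the NAT device's translation table. As an added example (not from the original slides), this Python models that table in both modes: address pooling binds each private host one-to-one to a public address from the pool, and masquerading (NAPT) shares one public address and tells connections apart by a rewritten source port, drawn from a 16-bit range. Inbound packets are reverse-translated only if an internal host created the entry or a static port forward exists; anything else is dropped, which is the whole of the protection masquerading gives. The private-side check uses the RFC 1918 blocks 10.0.0.0/8, 172.16.0.0/12 (172.16.0.0 through 172.31.255.255) and 192.168.0.0/16. Packets are plain dicts, and the class name, the addresses 128.143.71.21/22 from the slides' pool, and the 203.0.113.9 outsider are constructed for the example.

```python
import ipaddress
from collections import deque

# RFC 1918 private blocks: only hosts inside these are translated on the way out.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in PRIVATE_BLOCKS)


class NatDevice:
    """Translation table for two modes:
    pool=[...]          address pooling, one public address per private host, ports untouched
    masquerade_ip="..." IP masquerading (NAPT), one public address, fresh public port per connection
    A packet is a dict with keys src, sport, dst, dport (constructed for this example)."""

    def __init__(self, pool=None, masquerade_ip=None):
        self.pool = deque(pool or [])
        self.masquerade_ip = masquerade_ip
        self.free_ports = deque(range(1024, 65536))  # the 2**16 port space is the ceiling
        self.host_bindings = {}   # pooling: private ip -> public ip
        self.outbound_map = {}    # (src, sport, dst, dport) -> (pub_ip, pub_port)
        self.inbound_map = {}     # (pub_ip, pub_port, dst, dport) -> (src, sport)
        self.port_forwards = {}   # static translation: (pub_ip, pub_port) -> (priv_ip, priv_port)

    def add_port_forward(self, pub_ip, pub_port, priv_ip, priv_port):
        """Static translation: deliberately expose one internal service, and only that one."""
        self.port_forwards[(pub_ip, pub_port)] = (priv_ip, priv_port)

    def _allocate(self, priv_ip, priv_port):
        if self.masquerade_ip is None:
            if priv_ip not in self.host_bindings:
                if not self.pool:
                    raise RuntimeError("public address pool exhausted")
                self.host_bindings[priv_ip] = self.pool.popleft()
            return self.host_bindings[priv_ip], priv_port
        if not self.free_ports:
            raise RuntimeError("no free public ports left")
        return self.masquerade_ip, self.free_ports.popleft()

    def outbound(self, pkt):
        """Private -> public: create the table entry on first use, then rewrite the source."""
        if not is_private(pkt["src"]):
            raise ValueError("outbound packet does not come from the private side")
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.outbound_map:
            pub_ip, pub_port = self._allocate(pkt["src"], pkt["sport"])
            self.outbound_map[key] = (pub_ip, pub_port)
            self.inbound_map[(pub_ip, pub_port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        pub_ip, pub_port = self.outbound_map[key]
        return {**pkt, "src": pub_ip, "sport": pub_port}

    def inbound(self, pkt):
        """Public -> private: reverse the mapping. A packet matching neither a port
        forward nor an entry created by an internal host is dropped (returns None)."""
        forward = self.port_forwards.get((pkt["dst"], pkt["dport"]))
        if forward is not None:
            return {**pkt, "dst": forward[0], "dport": forward[1]}
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        priv = self.inbound_map.get(key)
        if priv is None:
            return None
        return {**pkt, "dst": priv[0], "dport": priv[1]}


def demo():
    """Run the slides' two scenarios and return the observed translations."""
    server = {"dst": "213.168.112.3", "dport": 80}
    pooled = NatDevice(pool=["128.143.71.21", "128.143.71.22"])
    out = pooled.outbound({"src": "10.0.1.2", "sport": 5000, **server})
    reply = pooled.inbound({"src": "213.168.112.3", "sport": 80, "dst": out["src"], "dport": out["sport"]})
    unsolicited = pooled.inbound({"src": "203.0.113.9", "sport": 4444, "dst": "128.143.71.21", "dport": 22})

    napt = NatDevice(masquerade_ip="128.143.71.21")
    a = napt.outbound({"src": "10.0.1.2", "sport": 5000, **server})
    b = napt.outbound({"src": "10.0.1.3", "sport": 5000, **server})
    reply_b = napt.inbound({"src": "213.168.112.3", "sport": 80, "dst": b["src"], "dport": b["sport"]})
    napt.add_port_forward("128.143.71.21", 443, "10.0.1.10", 8443)
    forwarded = napt.inbound({"src": "203.0.113.9", "sport": 50000, "dst": "128.143.71.21", "dport": 443})
    return {"pool_out": out, "pool_reply": reply, "unsolicited": unsolicited,
            "napt_a": a, "napt_b": b, "napt_reply_b": reply_b, "forwarded": forwarded}
```

Two hosts both using local port 5000 get distinct public ports under masquerading, which is why a single public address can serve many hosts; the port deque also makes the 2^16 ceiling concrete. Static port forwards and source-routed packets bypass the "entry must exist" rule, which is the point the later "Hacking through NAT" slide makes.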
Static Translation
• Map a range of external address to the same size block of internal
addresses
– Firewall just does a simple translation of each address
• Port forwarding - map a specific port to come through the Firewall rather
than all ports; useful to expose a specific service on the internal network
to the public network
Load Balancing
• A firewall that will dynamically map a request to a pool of identical clone machines
– often done for really busy web sites
– each clone must have a way to notify the firewall of its current load so the firewall can choose a target machine
– or the firewall just uses a dispatching algorithm like round robin
• Only works for stateless protocols (like HTTP)
Network Redundancy
• Can be used to provide automatic fail-over of servers or load balancing
• Firewall is connected to multiple ISPs with a masquerade for each ISP and chooses which ISP to use based on client load
– kind of like reverse load balancing
– a dead ISP will be treated as a fully loaded one and the client will be routed through another ISP
Problems with NAT
• Can’t be used with:
– protocols that require a separate back-channel
– protocols that encrypt TCP headers
– embed TCP address info
– specifically use original IP for some security reason
NAT Summary
• NAT provides transparent and bi-directional connectivity between networks having arbitrary addressing schemes
• NAT eliminates costs associated with host renumbering
• NAT conserves IP addresses
• NAT eases IP address management
• NAT enhances network privacy
NAT Limitations
• Applications with IP-address content
– Need ALG (Application Level Gateway)
• Applications with inter-dependent control and data sessions
• Translation of fragmented FTP control packets
Extra: Hacking through NAT
• Static Translation
– offers no protection of internal hosts
• Internal Host Seduction
– internals go to the hacker
• e-mail attachments – Trojan Horse viruses
• peer-to-peer connections
• hacker-run porn and gambling sites
– solution = application level proxies
• State Table Timeout Problem
– hacker could hijack a stale connection before it is timed out
– very low probability, but a smart hacker could do it
• Source Routing through NAT
– if the hacker knows an internal address they can source route a packet to that host
• solution is to not allow source routed packets through the firewall
VPN
VPN is a private connection between two systems or
networks over a shared or public network (typically
Internet).
VPN technology lets an organization securely extend its
network services over the Internet to remote users, branch
offices, and partner companies.
In other words, VPN turns the Internet into a simulated
private WAN.
VPN is very appealing since the Internet has a global
presence, and its use is now standard practice for most
users and organizations.
How VPN Works
To use the Internet as a private Wide Area Network, organizations may have to address two issues:
First, networks often communicate using a variety of protocols, such as IPX and NetBEUI, but the Internet can only handle TCP/IP traffic. So a VPN may need to provide a way to pass non-TCP/IP protocols from one network to another.
Second, data packets traveling the Internet are transported in clear text. Therefore, anyone who can see Internet traffic can also read the data contained in the packets. This is a problem if companies want to use the Internet to pass important, confidential business information.
How VPN Works
VPNs overcome these obstacles by using a strategy called tunneling. Instead of packets crossing the Internet out in the open, data packets are first encrypted for security, and then encapsulated in an IP packet by the VPN and tunneled through the Internet.
The VPN tunnel initiator on the source network communicates with a VPN tunnel terminator on the destination network. The two agree upon an encryption scheme, and the tunnel initiator encrypts the packet for security.
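As an added example (not from the original slides), the following Python walks through the two steps just described: the initiator and terminator agree on a scheme, the initiator tags a non-TCP/IP frame (IPX or NetBEUI, or plain IP) with its protocol, encrypts it, and wraps it in an outer IP-style header addressed gateway to gateway; the terminator verifies integrity, decrypts, and hands the inner frame to the private network, dropping anything that fails the check. The protocol tag values, the outer-header protocol number and the gateway addresses are constructed for the example, and the SHA-256 counter-mode keystream is a standard-library stand-in for the negotiated cipher, not a recommendation (a real tunnel uses a vetted AEAD such as the ones IPsec or WireGuard negotiate).

```python
import hashlib
import hmac
import ipaddress
import os
import struct

PROTO_TAGS = {"IP": 1, "IPX": 2, "NetBEUI": 3}   # hypothetical inner-frame tags (constructed)
TAG_TO_PROTO = {v: k for k, v in PROTO_TAGS.items()}
TUNNEL_PROTO = 0x63                               # hypothetical outer-header protocol value (constructed)
OUTER_HDR = struct.Struct("!4s4sBH")              # src gateway, dst gateway, protocol, body length
NONCE_LEN, MAC_LEN = 12, 32


def negotiate(initiator_offer, terminator_supported):
    """The two tunnel ends agree on the first offered scheme the terminator supports."""
    for scheme in initiator_offer:
        if scheme in terminator_supported:
            return scheme
    raise ValueError("no common encryption scheme")


def derive_keys(shared_secret):
    """Separate encryption and integrity keys from one shared secret."""
    return (hashlib.sha256(b"enc" + shared_secret).digest(),
            hashlib.sha256(b"mac" + shared_secret).digest())


def keystream(key, nonce, length):
    """Stand-in stream cipher: SHA-256 in counter mode. Placeholder for the negotiated
    cipher so the example runs offline with the standard library only."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack("!I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def encapsulate(shared_secret, gw_src, gw_dst, proto, payload, nonce=None):
    """Tunnel initiator: tag the inner frame, encrypt it, then wrap it in an outer
    IP-style header so the public network only sees gateway-to-gateway traffic."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    inner = struct.pack("!H", PROTO_TAGS[proto]) + payload
    ciphertext = bytes(a ^ b for a, b in zip(inner, keystream(enc_key, nonce, len(inner))))
    body = nonce + ciphertext
    header = OUTER_HDR.pack(ipaddress.ip_address(gw_src).packed,
                            ipaddress.ip_address(gw_dst).packed, TUNNEL_PROTO, len(body))
    mac = hmac.new(mac_key, header + body, hashlib.sha256).digest()  # integrity over header and body
    return header + body + mac


def decapsulate(shared_secret, packet):
    """Tunnel terminator: check integrity first, then decrypt and return (proto, payload).
    Returns None for anything that fails, so forged or tampered packets never reach
    the private network."""
    enc_key, mac_key = derive_keys(shared_secret)
    if len(packet) < OUTER_HDR.size + NONCE_LEN + MAC_LEN:
        return None
    header = packet[:OUTER_HDR.size]
    _, _, proto_num, body_len = OUTER_HDR.unpack(header)
    body = packet[OUTER_HDR.size:OUTER_HDR.size + body_len]
    mac = packet[OUTER_HDR.size + body_len:OUTER_HDR.size + body_len + MAC_LEN]
    if proto_num != TUNNEL_PROTO or len(body) != body_len or len(mac) != MAC_LEN:
        return None
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
    inner = bytes(a ^ b for a, b in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    (tag,) = struct.unpack("!H", inner[:2])
    return TAG_TO_PROTO.get(tag), inner[2:]
```

The order matters: the terminator verifies the MAC before it decrypts anything, and the outer header is covered by the MAC so a packet cannot be re-addressed to another gateway without detection.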
Advantages of Using VPN


VPN technology provides many benefits. Perhaps the
biggest selling point for VPN is cost savings. One can avoid
having to purchase expensive leased lines to branch offices
or partner companies. On another cost-related note, you
can evade having to invest in additional WAN equipment
and instead leverage your existing Internet installation.
Another benefit of VPN is that it is an ideal way to handle
mobile users.