5_ICS343-Chapter_26_Client-Server Protocols - Part3.pptx
King Fahd Security College
Chapter 26: Standard Client-Server Protocols
Introduction; 26.1 World-Wide Web (WWW) and HTTP; 26.2 FTP; 26.3 Electronic Mail; 26.5 Secure Shell (SSH); 26.6 Domain Name System (DNS)

TELNET (TErminal NETwork)
A remote logging protocol. Provides a generic client/server pair for remote logging applications. Requires a logging name and a password. TELNET is not a secure communication protocol.

Secure Shell (SSH)
Secure Shell (SSH) is a secure application program that can be used today for several purposes, such as remote logging and file transfer. It was originally designed to replace TELNET. It has three components.

Applications
SSH for remote logging; SSH for file transfer; port forwarding.

Domain Name System (DNS)
People use many identifiers that are easy to memorize: ID, name, website, passport number, etc. The Internet has hosts and routers, which are identified using IP addresses (32-bit or 128-bit) used for addressing datagrams. The Internet needs a directory system (a phonebook) that can map names to IP addresses.

Domain Name System (DNS)
Consists of three components: a namespace; DNS servers making that namespace available; resolvers (clients) that query the servers about the namespace.

Domain Name Space
The name space is the structure of the DNS database. It is organized as an inverted tree with the root node at the top. The namespace needs to be hierarchical to be able to scale. Each node has a label; the root node has a null label, written as "".
[Figure: the DNS tree. The root domain "." at the top; the top-level domains .com, .org and .edu, each with DNS servers; the second-level domains yahoo.com, amazon.com, pbs.org, nyu.edu and umass.edu, each with its own DNS servers.]

Domain Name Space
Each node in the tree has a domain name.
A full domain name is a sequence of labels separated by dots (.). Domain names are always read from the node up to the root, e.g. google.com, kfupm.edu.sa.
[Figure: the same tree shown with labels: root ".", top-level labels com, org, edu, second-level labels yahoo, amazon, pbs, nyu, umass, with DNS servers at each level.]

Domain names and labels

Hierarchy of Name Servers
A domain is a subtree of the domain name space. The information contained in the domain name space must be stored in a database. However, having just one computer store such a huge amount of information is inefficient and unreliable.

Hierarchy of Name Servers
The solution to these problems is to distribute the information among many computers called DNS servers. We have a hierarchy of servers in the same way that we have a hierarchy of names.

Zones
Name servers store information about the name space in units called "zones".

DNS on the Internet
On the Internet, the domain name space (tree) can be divided into two sections: generic domains and country domains.

Generic Domains
The generic domains define registered hosts according to their generic behavior.

Generic Domain Labels

Country Domains
The country domains section uses two-character country abbreviations (e.g., "sa" for Saudi Arabia).

Resolvers
A resolver is a host that needs to map a domain name to an address. A resolution can be either recursive or iterative.

Recursive Resolution
Recursive query: puts the burden of name resolution on the contacted name server. Heavy load at the upper levels of the hierarchy?
Iterative Resolution
Iterative query: the contacted server replies with the name of the server to contact: "I don't know this name, but ask this server."

Caching
Each time a server receives a query for a name that is not in its domain, it needs to search its database for a server IP address. Reducing this search time would increase efficiency. DNS handles this with a mechanism called caching. When a server asks for a mapping from another server and receives the response, it stores this information in its cache memory before sending it to the client. Cache entries time out (disappear) after some time (TTL). TLD servers are typically cached in local name servers (bypassing the root DNS servers).

DNS message
Message header: identification, a 16-bit number for the query (like an ID); the reply to a query uses the same number. Flags: query or reply; recursion desired; recursion available; reply is authoritative.

DNS protocol messages

Example 26.13
In UNIX and Windows, the nslookup utility can be used to retrieve address/name mappings. The following shows how we can retrieve an address when the domain name is given. You may also visit one of the many web sites that allow you to remotely employ nslookup (to find DNS records), e.g. https://www.nslookup.io/ and https://who.is/

Registrars
How are new domains added to DNS? This is done through a registrar, a commercial entity registered with ICANN (the Internet Corporation for Assigned Names and Numbers). A registrar first verifies that the requested domain name is unique and then enters it into the DNS database.
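As an added example (not from the slides), a toy iterative resolver that follows referrals the way the Iterative Resolution slide describes and keeps a TTL cache, so later lookups start at the deepest cached delegation instead of the root, as the Caching slide says. The namespace, server names and 212.212.212.x addresses are constructed; the Network Utopia names reuse the deck's registrar example.

```python
ZONES = {  # server -> records it holds; NS under a zone name is a delegation (constructed data)
    "root": {"com.": [("NS", "a.gtld-servers.net.", 172800)]},
    "a.gtld-servers.net.": {"networkutopia.com.": [("NS", "dns1.networkutopia.com.", 172800)]},
    "dns1.networkutopia.com.": {
        "www.networkutopia.com.": [("A", "212.212.212.2", 3600)],
        "networkutopia.com.": [("MX", "mail.networkutopia.com.", 3600)],
    },
}

def query_server(server, name, rtype):
    """One round trip: ("answer", name, value, ttl), ("referral", zone, nameserver, ttl)
    meaning "I don't know this name, but ask this server", or ("nxdomain", name, None, 0)."""
    records = ZONES[server]
    for t, value, ttl in records.get(name, []):
        if t == rtype:
            return "answer", name, value, ttl
    delegated = [z for z, rrs in records.items()
                 if (name == z or name.endswith("." + z)) and rrs[0][0] == "NS"]
    if not delegated:
        return "nxdomain", name, None, 0
    zone = max(delegated, key=len)  # the most specific delegation wins
    _, nameserver, ttl = records[zone][0]
    return "referral", zone, nameserver, ttl

def cached(cache, name, rtype, now):
    """Return a live cache entry, or drop it once its TTL has passed."""
    hit = cache.get((name, rtype))
    if hit and hit[1] > now:
        return hit[0]
    cache.pop((name, rtype), None)
    return None

def resolve(name, rtype, cache, now):
    """Iterative resolution. Returns (value, servers contacted in order)."""
    value = cached(cache, name, rtype, now)
    if value is not None:
        return value, []  # answered from cache, no server contacted
    # Start at the deepest cached delegation, so root and TLD servers are bypassed.
    server = next((ns for ns in (cached(cache, name.split(".", i)[-1], "NS", now)
                                 for i in range(name.count("."))) if ns), "root")
    contacted = []
    while True:
        contacted.append(server)
        kind, owner, value, ttl = query_server(server, name, rtype)
        if kind == "nxdomain":
            return None, contacted
        cache[(owner, "NS" if kind == "referral" else rtype)] = (value, now + ttl)
        if kind == "answer":
            return value, contacted
        server = value  # follow the referral
```

A cold lookup walks root, TLD and authoritative server; a second lookup inside the TTL is answered from cache, and a later one for the same zone goes straight to the cached authoritative server.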
Example: Getting your info into the DNS (Reading)
Example: a new startup, "Network Utopia". Register the name networkutopia.com at a DNS registrar (e.g., Network Solutions); provide the names and IP addresses of the authoritative name servers (primary and secondary). The registrar inserts NS and A RRs into the .com TLD server: (networkutopia.com, dns1.networkutopia.com, NS) and (dns1.networkutopia.com, 212.212.212.1, A). Create an authoritative server locally with IP address 212.212.212.1, holding a type A record for www.networkutopia.com and a type MX record for networkutopia.com (email server alias).

Security of DNS
DNS can be attacked in several ways, including: The attacker may read the response of a DNS server to find the nature or names of the sites the user mostly accesses; this type of information can be used to build the user's profile. The attacker may intercept the response of a DNS server and change it, or create a totally new response, to redirect the user to the site or domain the attacker wishes the user to access. The attacker may flood the DNS server to overwhelm it or eventually crash it. DNS Security (DNSSEC) technology provides message origin authentication and message integrity using a digital signature. There is no specific protection against the denial-of-service (DoS) attack in the specification of DNSSEC.

End of Chapter 26
Introduction; 26.1 World-Wide Web (WWW) and HTTP; 26.2 FTP; 26.3 Electronic Mail; 26.5 Secure Shell (SSH); 26.6 Domain Name System (DNS)
Important to do at home: read chapter 26 of the textbook.
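The header fields named on the DNS message slide, decoded from constructed sample messages, as an added example that is not part of the slides: the 16-bit identification, the QR/AA/RD/RA flags, and the resolver-side check that a reply carries the same ID as the outstanding query. The ID values and the message layout (RFC 1035 header only, no question section) are constructed here; the comment on the matching check spells out why that check alone does not give the origin authentication the Security slide attributes to DNSSEC.

```python
import struct

HEADER = struct.Struct("!HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035)

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; the flag bits are the ones named on the slide."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": ident,
        "is_reply": bool(flags & 0x8000),             # QR: 0 = query, 1 = reply
        "opcode": (flags >> 11) & 0xF,
        "authoritative": bool(flags & 0x0400),        # AA: reply is authoritative
        "truncated": bool(flags & 0x0200),            # TC
        "recursion_desired": bool(flags & 0x0100),    # RD: set by the client
        "recursion_available": bool(flags & 0x0080),  # RA: set by the server
        "rcode": flags & 0x000F,                      # 0 = NOERROR, 3 = NXDOMAIN
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def build_header(ident, *, reply=False, rd=False, ra=False, aa=False, qd=1, an=0):
    """Pack a header; used here only to construct sample messages offline."""
    flags = ((0x8000 if reply else 0) | (0x0400 if aa else 0)
             | (0x0100 if rd else 0) | (0x0080 if ra else 0))
    return HEADER.pack(ident, flags, qd, an, 0, 0)

def reply_matches_query(query: bytes, reply: bytes) -> bool:
    """Resolver-side check before a reply is accepted: it must be flagged as a
    reply and carry the same 16-bit ID as the outstanding query. The ID is only
    16 bits and travels in the clear, so this cannot authenticate the sender;
    origin authentication and integrity are what DNSSEC's signatures add."""
    q, r = parse_header(query), parse_header(reply)
    return not q["is_reply"] and r["is_reply"] and q["id"] == r["id"]

# Constructed sample messages (headers only, not a capture).
QUERY = build_header(0x1A2B, rd=True)                             # client asks, recursion desired
REPLY = build_header(0x1A2B, reply=True, rd=True, ra=True, an=1)  # server answers, recursion available
STRAY = build_header(0x1A2C, reply=True, rd=True, ra=True, an=1)  # reply for a different ID: dropped
```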