
W5_JTO_Ph2_Datacom_IT.pdf




JTO Ph-II DNIT

INDEX

S No   Chapter Name                                  Page No
1      DYNAMIC HOST CONFIGURATION PROTOCOL           2
2      ROLE OF ICMP PROTOCOL                         21
3      DOMAIN NAME SYSTEM                            31
4      FIREWALL CONCEPT AND CONFIGURATION            42
5      CLOUD COMPUTING                               51
6      NET NEUTRALITY AND GOOGLE CACHING SERVICES    68
7      M2M AND IOT                                   77
8      BLOCKCHAIN                                    89
9      PHP                                           94
10     ANDROID APP DEVELOPMENT                       143

JTO Ph-II DNIT Version 1.0 Sep 2021 Page 1 of 167 For Restricted Circulation

JTO Phase-II IT DHCP

1 DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP)

1.1 INTRODUCTION

DHCP (Dynamic Host Configuration Protocol) is a network management protocol used to dynamically assign an Internet Protocol (IP) address to any device, or node, on a network so that it can communicate using IP. DHCP automates and centrally manages these configurations rather than requiring network administrators to manually assign IP addresses to all network devices. DHCP can be implemented on small local networks as well as large enterprise networks.

1.2 HOW DHCP WORKS?

Figure 1:

1.3 SCHEMA OF A TYPICAL DHCP SESSION

DHCP uses the same two IANA-assigned ports as BOOTP: 67/udp for the server side and 68/udp for the client side. DHCP operations fall into four basic phases: IP lease request, IP lease offer, IP lease selection and IP lease acknowledgement. After the client has obtained an IP address, it may start an address resolution query to prevent IP conflicts caused by overlapping address pools of different DHCP servers.

DHCP discovery

The client broadcasts on the local physical subnet to find available servers. Network administrators can configure a local router to forward DHCP packets to a DHCP server on a different subnet. The client implementation creates a UDP packet with the broadcast destination 255.255.255.255 or the subnet broadcast address. A client can also request its last-known IP address (in the example below, 192.168.1.100).
If the client is still in a network where this IP is valid, the server might grant the request. Otherwise, it depends on whether the server is set up as authoritative or not. An authoritative server will deny the request, making the client ask for a new IP immediately. A non-authoritative server simply ignores the request, leading to an implementation-dependent timeout before the client gives up on the request and asks for a new IP.

DHCP offers

When a DHCP server receives an IP lease request from a client, it extends an IP lease offer. This is done by reserving an IP address for the client and sending a DHCPOFFER message across the network to the client. This message contains the client's MAC address, followed by the IP address that the server is offering, the subnet mask, the lease duration, and the IP address of the DHCP server making the offer. The server determines the configuration based on the client's hardware address as specified in the CHADDR field. Here the server, 192.168.1.1, specifies the offered IP address in the YIADDR field.

DHCP requests

When the client PC receives an IP lease offer, it must tell all the other DHCP servers that it has accepted an offer. To do this, the client broadcasts a DHCPREQUEST message containing the IP address of the server that made the offer. When the other DHCP servers receive this message, they withdraw any offers that they might have made to the client and return the address they had reserved for the client to the pool of valid addresses that they can offer to another computer. Any number of DHCP servers can respond to an IP lease request, but the client can only accept one offer per network interface card.

DHCP acknowledgement

When the DHCP server receives the DHCPREQUEST message from the client, it initiates the final phase of the configuration process. This acknowledgement phase involves sending a DHCPACK packet to the client.
This packet includes the lease duration and any other configuration information that the client might have requested. At this point, the TCP/IP configuration process is complete. The server acknowledges the request and sends the acknowledgement to the client. The system as a whole expects the client to configure its network interface with the supplied options.

1.4 DHCP GOALS

Compatibility

The DHCP protocol must be compatible with existing interfaces and protocols; for example, it should be compatible with all types of clients, each of which can have a different configuration of communication parameters. As mentioned in "Protocol introduction", the DHCP protocol should be compatible with the BOOTP protocol which was used before it.

Local control

Although the DHCP protocol is an external mechanism for allocating a network address and communication parameters, the administrator of the client must retain the capability to control these parameters.

Communication parameters preserving

The DHCP server has to give a specific client the same communication parameters in as many sequential requests as possible, so that if a client was disconnected from the network and requests its address/communication parameters again, it receives the same communication parameters as before (if nothing has changed since the disconnection). The same holds for the DHCP server, which should be able to give the same client the same communication parameters even if the server itself was disconnected from the network.

Unique clients

A main goal of the DHCP protocol is to give each client its own unique address. A situation in which two or more clients are allocated the same network address must not occur under any circumstances, to prevent a client sending a message to the wrong client.
Automatic Configuration

Usually, a single client should be configured automatically by the DHCP server and not manually by the administrator of that client. A situation in which the configuration of the communication parameters is done manually by the client's administrator should occur seldom. But when it happens, the DHCP server must be compatible with the manual configuration, as mentioned before.

Saving hardware

There should not be a DHCP server for each and every link interface. There should be wide use of relay agents to transmit DHCP messages. If fewer DHCP servers are used, it is more financially agreeable because we use relay agents, which are simpler. The hardware saving leads to a more economically worthwhile network and saves money, as mentioned in "Protocol introduction".

1.5 HISTORICAL BACKGROUND

At first, most TCP/IP networks were relatively small and static. Manual IP address management techniques were sufficient for them. Each station kept its own IP address somewhere in its secondary storage. Once the address had to be changed, it required manual administrator action, usually at the machine console, and in most cases involved a reboot. Soon afterwards, as more complex networks were established, as more and more underlying network hardware was used for TCP/IP communication networks and as cheap client workstations without secondary storage came into use, a need for central administration of the hardware-to-IP-address bindings became obvious. A special protocol (RARP) for such bindings was designed. It allowed a machine on a network segment to learn its own IP address and then to begin normal TCP/IP operation. Another protocol, BOOTP, was also developed to allow diskless stations to retrieve all the TCP/IP configuration parameters and other operating system data needed to start functioning normally after a startup.
It allowed configuration over broader networks as it was not limited to a single segment. For that purpose BOOTP defined the concept of a BOOTP relay agent, which specified how BOOTP traffic is forwarded between multiple segments. BOOTP was designed to be easily extended by the BOOTP extension mechanism. This mechanism uses the last field in the frame for more (vendor-)specific data and message options. The next attempt to extend BOOTP produced the Dynamic Host Configuration Protocol, DHCP. DHCP was designed to be backward compatible with BOOTP in order to support BOOTP clients and BOOTP relay agents, yet there are two primary differences between DHCP and BOOTP:

1. DHCP defines a mechanism through which a client can be assigned a network address for a finite lease, allowing serial reuse of the same network address by different clients.
2. DHCP provides a mechanism for a client to request and acquire all the IP configuration parameters that it needs in order to operate, and only them.

DHCP comes with a predefined set of DHCP options, which it inherits from the BOOTP vendor extensions mechanism, and it is open for further extension, inheriting that openness from BOOTP.

1.6 MAIN DIFFERENCES BETWEEN BOOTP AND DHCP

DHCP is an extension of the earlier BOOTP protocol, thus it must be compatible with BOOTP messages, but there are some differences between BOOTP and DHCP. One difference is that DHCP is designed to allocate a network address to a client temporarily, so the client can disconnect, allowing another client to get this network address, or renew the lease of the network address, a capability which the BOOTP protocol does not have.

Another difference is that DHCP can configure a client with all the IP parameters that the client needs in order to establish communication. One BOOTP transfer delivers only some of these parameters.
Moreover, the BOOTP protocol had a field named 'vendor extensions', to specify the requested parameters and other options, which was replaced by the 'options' field in the DHCP protocol. In addition, the BOOTP protocol had a field named "chaddr" to specify the address of the client which has requested the communication parameters. In the DHCP protocol there is the "client identifier" field. This field can hold the physical address of the client, as in "chaddr" of the BOOTP protocol, or it can hold another identifier such as a DNS name, or other types. New types of identifier can be registered with IANA. DHCP is currently the most advanced host configuration mechanism for TCP/IP, although it still has its problems, giving researchers things to work on for an even better configuration protocol in the future.

1.7 PROTOCOL INTRODUCTION

General

The Dynamic Host Configuration Protocol (DHCP) provides configuration parameters to Internet hosts in a client-server model. DHCP server hosts allocate network addresses and deliver configuration parameters to other (client) hosts. DHCP consists of two components: a protocol for delivering host-specific configuration parameters from a server to a host, and a mechanism for allocation of network addresses to hosts.

IP Address Allocation

DHCP supports three mechanisms for IP address allocation:

1. Automatic allocation -- in which a permanent IP address is assigned to the client.
2. Dynamic allocation -- in which the address is assigned for a limited period of time (a "lease").
3. Manual allocation -- in which the address is assigned manually by the network administrator.

1.8 CONFIGURATION PARAMETERS DELIVERY

The client sends a message to request configuration parameters and the server responds with a message carrying the desired parameters back to the client.
BOOTP Compatibility

The format of DHCP messages is based on the format of BOOTP messages for the following reasons:

1. From the client's point of view, DHCP is an extension of the BOOTP mechanism. This behaviour allows existing BOOTP clients to interoperate with DHCP servers without requiring any change to the clients' initialization software.
2. DHCP supports the BOOTP relay agent behaviour.

Use of Relay Agents

DHCP does not require a server on each subnet. To allow for scale and economy, DHCP can work across routers or through the intervention of BOOTP relay agents. A relay agent listens for DHCP messages and forwards them on (onto other network segments). This eliminates the necessity of having a DHCP server on each physical network.

Allocation of network addresses

DHCP supports three mechanisms for IP address allocation. The DHCP server can use any one or more of these mechanisms:

1. Automatic allocation: The DHCP server assigns a permanent IP address to a client without any manual interference. Automatic allocation is best suited to cases where hosts are permanently connected to a network and the network does not suffer from an address shortage.
2. Manual allocation: The client's IP address is assigned manually by the network administrator. The DHCP server simply retrieves it from its storage and delivers it to the client. Manual allocation is best suited for giving IP addresses to servers of any kind. As servers are the ones to be addressed, rather than the ones to initiate a conversation, their location should be permanent and known in the network. Manual allocation guarantees that (although a clever use of automatic allocation can accomplish it too).
3. Dynamic allocation: The DHCP server assigns a temporary IP address to a client without any manual interference.
Dynamic allocation is the most interesting method of the three, because it involves not only the assignment of a network address but also reclaiming and reusing the same address for another client. Therefore, dynamic allocation allows efficient management of a pool of network addresses and is particularly useful in cases where:

1. There is a limited number of network addresses on the network.
2. The network has computers which temporarily connect to and disconnect from it (e.g. portable computers), so the network changes frequently.

The basic mechanism for the dynamic allocation of network addresses is simple: the client requests the use of an address for a limited period of time (called a lease). The DHCP server allocates an address for the client, marks it as 'used' and notifies the client of the address and the approved lease time. The client, in its turn, can:

1. Extend its lease with subsequent requests.
2. Ask for a permanent assignment by asking for an infinite lease.
3. Release the address back to the server before the lease expires, in case it no longer needs it.

Renewing and acquiring addresses

The client holds two times in its memory: time1 and time2. The first is the time at which the client starts asking its server to renew the lease of its address (the RENEWING state in the state diagram of the protocol). The second is the time at which the client starts asking other servers for an address (the REBINDING state in the state diagram of the DHCP protocol). When the first time arrives, the client sends a DHCPREQUEST message to the server with an ID unique to this request. If the renewal is approved, the server will send an answer in a DHCPACK message carrying this ID. Then the client returns to normal functioning.
The new time1 will be the sum of the time in the server's answer and the time which has passed from the start of the request to the answer. If no answer has arrived by the time time2 has passed, the client enters the REBINDING state in the state diagram of the DHCP protocol and sends a multicast message to all available servers to acquire a new address. These times can be changed by servers in the 'options' field, and have default values. The default for time1 is half of the lease time of the current address, and the default for time2 is 0.875 x (lease time). In both cases (time1 and time2), if the client has not got an answer from the DHCP servers, it should wait half of the time which is left before sending DHCPREQUEST again. The shortest waiting time is one minute. If the client has got its previous address, it continues to work normally. If the client did not get its previous address but got a new one, it should continue working, but not with the current network parameters, and must inform the users about this. If the client did not manage to get an address at all, it should stop its work and go back to the INIT state in the state diagram of the DHCP protocol.

1.9 CONFIGURATION PARAMETERS DELIVERY

The DHCP server is designed to supply DHCP clients with the configuration parameters defined in the Host Requirements RFCs (1122 and 1123). Most of those parameters are related to the TCP/IP protocol stack, but DHCP allows the configuration of unrelated parameters too. The server provides permanent storage of network parameters for network clients. The DHCP storage model is a set of key-value pairs for each client, where the key is some unique identifier and the value contains the configuration parameters for the client.
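The renewal and rebinding timers described above, as an added worked example that is not part of the manual: a small Python model of the client's lease timers. It takes the default time1 = 0.5 x lease and time2 = 0.875 x lease, applies server-supplied overrides, reports which state (BOUND, RENEWING, REBINDING, INIT) the client is in at a given moment, and implements the retransmission rule of waiting half of the remaining time with a one-minute floor. The class and function names are mine and the lease lengths are constructed sample values.

```python
"""Added example (not from the JTO manual): DHCP client lease timer model.

T1 (renew) and T2 (rebind) default to 0.5 and 0.875 of the lease time, as
the text describes; servers may override them via options. When no reply
arrives, the client waits half of the remaining time before resending
DHCPREQUEST, but never less than one minute.
"""
from dataclasses import dataclass

MIN_RETRY_SECONDS = 60          # "The shortest waiting time is one minute."


@dataclass
class Lease:
    lease_time: int             # seconds granted by the server
    t1: int                     # renewal time, seconds after assignment
    t2: int                     # rebinding time, seconds after assignment


def compute_timers(lease_time: int, t1_override=None, t2_override=None) -> Lease:
    """Derive T1 and T2; server-provided values override the defaults."""
    t1 = t1_override if t1_override is not None else lease_time // 2
    t2 = t2_override if t2_override is not None else int(lease_time * 0.875)
    if not (0 < t1 < t2 < lease_time):
        raise ValueError("timers must satisfy 0 < T1 < T2 < lease time")
    return Lease(lease_time, t1, t2)


def client_state(lease: Lease, elapsed: int) -> str:
    """State of the client `elapsed` seconds after the lease was assigned."""
    if elapsed < lease.t1:
        return "BOUND"
    if elapsed < lease.t2:
        return "RENEWING"       # unicast DHCPREQUEST to the issuing server
    if elapsed < lease.lease_time:
        return "REBINDING"      # broadcast DHCPREQUEST to any server
    return "INIT"               # lease expired: the address must no longer be used


def retry_delay(lease: Lease, elapsed: int) -> int:
    """Seconds to wait before resending DHCPREQUEST when no reply arrived.

    Half of the time left in the current phase (until T2 while renewing,
    until lease expiry while rebinding), but at least one minute.
    """
    state = client_state(lease, elapsed)
    if state == "RENEWING":
        remaining = lease.t2 - elapsed
    elif state == "REBINDING":
        remaining = lease.lease_time - elapsed
    else:
        raise ValueError(f"no retransmission in state {state}")
    return max(MIN_RETRY_SECONDS, remaining // 2)


def renewed_t1(server_t1: int, request_to_reply_seconds: int) -> int:
    """New time1 after a successful renewal: the server's value plus the time
    that passed between sending the request and receiving the DHCPACK."""
    return server_t1 + request_to_reply_seconds


if __name__ == "__main__":
    lease = compute_timers(86400)                  # constructed one-day lease
    for t in (0, 43200, 75600, 86400):
        print(f"t={t:>6}s  state={client_state(lease, t)}")
    print("retry delay at T1:", retry_delay(lease, lease.t1), "s")
```

Run as a script it walks a one-day lease through its four states; the `retry_delay` floor of 60 seconds is what keeps a client with a nearly expired lease from hammering the server with back-to-back DHCPREQUESTs.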
In other words, the storage model is a per-host list of entries of the form:

key = value

The client addresses the server with a request message to retrieve its configuration parameters. The server answers with a response message carrying the configuration parameters in the (later discussed) options field. Not all clients require initialization of all possible parameters. Two techniques are used to reduce the number of parameters delivered from the server to the client:

1. Most of the parameters have defaults defined in the Host Requirements RFCs (1122 and 1123). If the client receives no parameters from the server that override the defaults, the client uses those default values.
2. A client and server may negotiate the delivery of only those parameters required by the client. In that case the client includes the parameter request list option in the request message and fills it with the list of parameters it needs.

1.10 MESSAGE FORMAT

As mentioned earlier, the format of DHCP messages is based on the format of BOOTP messages in order to stay compatible with BOOTP relay agents and BOOTP clients. Here is the DHCP message format. The numbers in parentheses indicate the size of each field in bytes.

Figure 2: Description of Fields in a DHCP message

Field    Bytes     Description
op       1         Message op code / message type. 1 = BOOTREQUEST, 2 = BOOTREPLY
htype    1         Hardware address type (e.g., '1' = 10Mb Ethernet)
hlen     1         Hardware address length (e.g. '6' for 10Mb Ethernet)
hops     1         Client sets to zero; optionally used by relay agents when booting via a relay agent.
xid      4         Transaction ID. A random number chosen by the client, used by the client and server to associate the request message with its response.
secs     2         Seconds passed since the client began the request process. Filled in by client.
flags    2         Flags
ciaddr   4         Client IP address. Filled in by client if it knows its IP address (from previous requests or from manual configuration) and can respond to ARP requests.
yiaddr   4         'your' (client) IP address. Server's response to client.
siaddr   4         Server IP address. Address of sending server or of the next server to use in the next bootstrap process step.
giaddr   4         Relay agent IP address, used in booting via a relay agent.
chaddr   16        Client hardware address.
sname    64        Optional server host name. Null terminated string.
file     128       Boot file name. Null terminated string; "generic" name or null in request, fully qualified directory-path name in reply.
options  variable  Field to hold the optional parameters (see next section).

Table 1.

The 'options' Field in a DHCP message

Apart from the small number of fields imported from the BOOTP frame format, there came a need for many more fields, some of them changing from one message to another, others from one subnet to another, etc. That need first arose after the BOOTP protocol was defined and led to the BOOTP extension mechanism, where the last field in the frame format, the 'vendor extensions' field, was of variable length and could contain the extra information. DHCP improved this mechanism, changing the field name to 'options' and adding more options. One way to categorize those options would be to split them into two groups:

1. Configuration parameters.
2. Message control information.

All options begin with a tag octet, which uniquely identifies the option. The next octet is the option length specifier; its value does not include the two bytes specifying the tag and length. The length octet is followed by length bytes of data. All these options/vendor extensions are defined in RFC 2132, where they are split into the following groups:

1. RFC 1497 Vendor Extensions.
2. IP Layer Parameters per Host.
3. IP Layer Parameters per Interface.
4. Link Layer Parameters per Interface.
5. TCP Parameters.
6. Application and Service Parameters.
7. DHCP Extensions.

1.11 SOME IMPORTANT DHCP OPTIONS

Message Type (a DHCP control): Specifies the type of the DHCP message, in order to be more specific than the original BOOTP field 'op'. Different message types are used at different stages of the client/server interaction. It appears in every DHCP message (therefore the 'options' field is never empty).

Renewal Time Value (a DHCP control): Specifies the time interval from address assignment until the client attempts to contact the server that originally issued the client's network address, before the lease expires.

Parameter Request List (a DHCP control): A list of valid DHCP option codes. Used by a DHCP client to request values for specified configuration parameters.

Subnet Mask (a Configuration parameter): Specifies the client's subnet mask.

DNS Option (a Configuration parameter): Specifies a list of DNS name servers available to the client.

Message Format in IPv6

Every message in the IPv6 DHCP protocol has a constant-length header and variable-length data. This data is located in the "options" field and is composed of bytes in network byte format (least significant byte first). This is the format of a message sent from a client directly to the server:

Figure 3:

Field           Bytes     Description
msg-type        1         The type of the message, chosen from the 11 types of direct messages from client to server (an exact list in "Message Types Summary").
transaction-id  3         The ID for this message transport.
options         variable  The options for this message.
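The IPv4 message layout of Table 1 and the tag/length/value option encoding described under "The 'options' Field", as an added worked example that is not part of the manual: a Python encoder and parser for a DHCPv4 message. The option codes used are the RFC 2132 assignments I know to exist (53 = DHCP Message Type, 1 = Subnet Mask, 6 = Domain Name Server, 51 = IP Address Lease Time, 0 = Pad, 255 = End), and the four-byte magic cookie 99.130.83.99 that RFC 2132 places before the options; the cookie is not mentioned on the page. The sample DHCPOFFER reuses the text's addresses (server 192.168.1.1 offering 192.168.1.100); the MAC address, transaction ID and function names are mine.

```python
"""Added example (not from the JTO manual): DHCPv4 message encode/decode.

Fixed header in the Table 1 order, then the RFC 2132 magic cookie, then
tag/length/value options terminated by END (255). The parser refuses a
message without the cookie and raises on an option whose length octet
claims more data than is present, instead of reading past the buffer.
"""
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = bytes([99, 130, 83, 99])          # RFC 2132 cookie (not on the page)
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"        # 236 bytes, Table 1 field order
HEADER_LEN = struct.calcsize(HEADER_FMT)
OPT_PAD, OPT_SUBNET_MASK, OPT_DNS = 0, 1, 6
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_END = 51, 53, 255
DHCPOFFER = 2                                    # value carried in option 53


def encode_options(options):
    """options: iterable of (tag, data bytes). Length octet excludes tag+length."""
    out = bytearray()
    for tag, data in options:
        if len(data) > 255:
            raise ValueError(f"option {tag}: {len(data)} bytes does not fit one length octet")
        out += bytes([tag, len(data)]) + data
    out.append(OPT_END)
    return bytes(out)


def decode_options(buf):
    """Parse tag/length/value options; skips PAD, stops at END, rejects truncation."""
    opts, i = {}, 0
    while i < len(buf):
        tag = buf[i]
        if tag == OPT_PAD:
            i += 1
            continue
        if tag == OPT_END:
            break
        if i + 1 >= len(buf):
            raise ValueError(f"option {tag}: tag without length octet")
        length = buf[i + 1]
        data = buf[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {tag}: truncated ({len(data)} of {length} bytes)")
        opts[tag] = data
        i += 2 + length
    return opts


def build_message(op, xid, chaddr, yiaddr="0.0.0.0", siaddr="0.0.0.0", options=()):
    """Wire-format DHCP message; chaddr is a 6-byte MAC, padded to the 16-byte field."""
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0,
                         socket.inet_aton("0.0.0.0"), socket.inet_aton(yiaddr),
                         socket.inet_aton(siaddr), socket.inet_aton("0.0.0.0"),
                         chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return header + MAGIC_COOKIE + encode_options(options)


def parse_message(data):
    """Return the header fields as a dict plus the decoded options."""
    if len(data) < HEADER_LEN + 4 or data[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or magic cookie missing)")
    f = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    return {
        "op": f[0], "htype": f[1], "hlen": f[2], "hops": f[3], "xid": f[4],
        "secs": f[5], "flags": f[6],
        "ciaddr": socket.inet_ntoa(f[7]), "yiaddr": socket.inet_ntoa(f[8]),
        "siaddr": socket.inet_ntoa(f[9]), "giaddr": socket.inet_ntoa(f[10]),
        "chaddr": f[11][:f[2]].hex(":"),           # only hlen bytes are significant
        "options": decode_options(data[HEADER_LEN + 4:]),
    }


def demo():
    """Constructed DHCPOFFER: 192.168.1.1 offers 192.168.1.100 for one day."""
    mac = bytes.fromhex("001122334455")            # constructed client MAC
    offer = build_message(BOOTREPLY, 0x3903F326, mac,
                          yiaddr="192.168.1.100", siaddr="192.168.1.1",
                          options=[(OPT_MSG_TYPE, bytes([DHCPOFFER])),
                                   (OPT_SUBNET_MASK, socket.inet_aton("255.255.255.0")),
                                   (OPT_LEASE_TIME, struct.pack("!I", 86400)),
                                   (OPT_DNS, socket.inet_aton("192.168.1.1"))])
    return parse_message(offer)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:8} {v}")
```

The length check in `decode_options` is the part worth copying: a DHCP option whose length octet overruns the packet is the classic malformed input a server or relay has to reject rather than index through.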
This is the format of a message from a relay agent to another relay agent or a server:

Figure 4:

Field         Bytes     Description
msg-type      1         The code of the message, RELAY-FORW or RELAY-REPL.
hop-count     1         Counts the relay agents which the message has passed through so far.
link-address  12        Used by the server to identify the link of the client in a RELAY-FORW message or in a RELAY-REPL message.
peer-address  12        The address of the relay agent or the client from which the message was received (the current hop).
options       variable  Options for the message. Here the message has to carry the "Relay Message option" among the other options.

Table 2.

The options are in this format:

Figure 5:

Field        Bytes                              Description
option-code  2                                  The number of the option according to "types of options".
option-len   2                                  The length of the option-data in bytes.
option-data  the value in "option-len" in bytes  The data of the option.

Table 3.

1.12 CLIENT/SERVER MODEL

The client and the server negotiate in a series of messages in order for the client to get the parameters it needs. The following diagram shows the messages exchanged between the DHCP client and servers when allocating a new network address. Next is a detailed explanation of all the various messages and a description of the communication steps. This process can involve more than one server, but only one server is selected by the client. In the figure, the selected server is marked 'selected', and the other, 'not selected', server stands for all the possible not-selected servers.

1.13 STEPS OF COMMUNICATION

1. The client broadcasts a DHCPDISCOVER.
2. Each server may respond with a DHCPOFFER message.
3. The client receives one or more DHCPOFFER messages from one or more servers and chooses one server from which to request configuration parameters.
4. The client broadcasts a DHCPREQUEST message.
5. Those servers not selected by the DHCPREQUEST message use the message as notification that the client has declined that server's offer.
6. The server selected in the DHCPREQUEST message commits the binding and responds with a DHCPACK message containing the configuration parameters for the requesting client.
7. The client receives the DHCPACK message with configuration parameters. At this point, the client is configured.
8. If the client receives a DHCPNAK message, the client restarts the configuration process.
9. The client may choose to relinquish its lease on a network address by sending a DHCPRELEASE message to the server (e.g. on shutdown).
10. The server receives the DHCPRELEASE message and marks the lease as free.

Variations on the timeline diagram

There are two main variations on the presented client/server interaction scenario:

1. Reuse of a previously allocated network address: If a client remembers (in its cache) and wishes to reuse a previously allocated network address, it may choose to omit some of the steps taken in the case of a new allocation. In the first DHCPREQUEST the client includes its network address in the 'requested IP address' option. The server that has knowledge of the client's configuration responds with a DHCPACK message, and from then on the diagram continues from step (5).
2. Obtaining parameters with an externally configured network address: If a client has obtained a network address through some other means (e.g., manual configuration), it may use a DHCPINFORM request message to obtain other local configuration parameters.
Servers receiving a DHCPINFORM message construct a DHCPACK message with any local configuration parameters appropriate for the client, without allocating a new address.

1.14 MESSAGE TYPES

Message       Use
DHCPDISCOVER  Client broadcast to locate available servers.
DHCPOFFER     Server to client in response to DHCPDISCOVER with offer of configuration parameters.
DHCPREQUEST   Client message to servers either (a) requesting offered parameters from one server and implicitly declining offers from all others, (b) confirming correctness of a previously allocated address after, e.g., system reboot, or (c) extending the lease on a particular network address.
DHCPACK       Server to client with configuration parameters, including committed network address.
DHCPNAK       Server to client indicating client's notion of network address is incorrect (e.g., client has moved to new subnet) or client's lease has expired.
DHCPDECLINE   Client to server indicating network address is already in use.
DHCPRELEASE   Client to server relinquishing network address and cancelling remaining lease.
DHCPINFORM    Client to server, asking only for local configuration parameters; client already has externally configured network address.

1.15 MESSAGE TYPES IN IPV6

Message              Use
SOLICIT              This message is sent by a node to discover new DHCP servers.
ADVERTISE            This message is sent by the DHCP server in response to a "SOLICIT" message. It means that this DHCP server is available to serve the client.
REQUEST              A request for an address and communication parameters after a node has found a DHCP server.
CONFIRM              A multicast message to all available DHCP servers, to confirm that its address is still appropriate to its link.
RENEW                A request to renew the address lifetime or update communication parameters. The message is sent to the specific DHCP server which sent the address/communication parameters beforehand.
REBIND               A multicast message to all available servers with the request to renew the address or update its communication parameters. This message is sent after a "RENEW" request received no response from the node's DHCP server.
REPLY                A message that is sent to a node by a DHCP server. Address/communication parameters are sent in response to "SOLICIT", "REQUEST", "RENEW" or "REBIND" messages from a node. Additionally it is used to confirm or reject an address in response to a "CONFIRM" message, or simply used as an acknowledgement in response to a "RELEASE" or "DECLINE" message from a node.
RELEASE              A message from a node to the DHCP server which granted it an address. It is sent when the node no longer needs that address. This message is meant to let the DHCP server know that this address is free for use by other nodes.
DECLINE              A message to the DHCP server which means that a node declines an address which is already taken, and the node requests another address. It can happen when a node discovers that an address which the DHCP server has given it is used by another node on the link.
RECONFIGURE          A message sent by the DHCP server when it wants to update a node's communication parameters. The node's response should be a "RENEW" message back to the DHCP server.
INFORMATION-REQUEST  This message is sent to a DHCP server when a node wants to get communication parameters without an address.
RELAY-FORW           A message which is sent from a relay agent to a DHCP server or another relay agent, and encapsulates the initial message from a node to the DHCP server.
RELAY-REPL           A message which is sent from a DHCP server or another relay agent to a certain relay agent, and encapsulates the initial message from a DHCP server to the node.
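The client/server exchange of section 1.13 and the DHCPDISCOVER/OFFER/REQUEST/ACK/NAK/RELEASE message types of section 1.14, as an added worked example that is not part of the manual: a Python simulation of one client and two servers. It shows the pool behaviour the text describes: every server reserves an address when it offers, the server named in the DHCPREQUEST commits the binding and answers DHCPACK, the servers that were not selected return their reserved address to the pool, a request for an address the server never offered gets DHCPNAK, and DHCPRELEASE frees the lease. Messages are plain objects rather than wire format; the addresses, server identifiers and the "first offer wins" selection policy are my constructions.

```python
"""Added example (not from the JTO manual): multi-server DHCP exchange model.

Two servers answer one client's DHCPDISCOVER. The DHCPREQUEST names the
chosen server; the other server treats it as a decline and returns the
address it had reserved to its free pool, exactly as step 5 describes.
"""
from dataclasses import dataclass, field

@dataclass
class Msg:
    kind: str              # DHCPDISCOVER / DHCPOFFER / DHCPREQUEST / DHCPACK / DHCPNAK / DHCPRELEASE
    xid: int               # transaction ID shared by one exchange
    chaddr: str            # client hardware address
    yiaddr: str = ""       # offered / requested / committed address
    server_id: str = ""    # address of the server making or selected for the offer


@dataclass
class Server:
    server_id: str
    free: list                                      # addresses available to offer
    reserved: dict = field(default_factory=dict)    # chaddr -> address offered, not yet committed
    leased: dict = field(default_factory=dict)      # chaddr -> address committed

    def handle(self, m: Msg):
        """Return the server's reply message, or None when it stays silent."""
        if m.kind == "DHCPDISCOVER":
            if m.chaddr in self.leased:             # known client: re-offer its binding
                addr = self.leased[m.chaddr]
            elif self.free:
                addr = self.free.pop(0)
                self.reserved[m.chaddr] = addr
            else:
                return None                         # pool exhausted: no offer
            return Msg("DHCPOFFER", m.xid, m.chaddr, addr, self.server_id)

        if m.kind == "DHCPREQUEST":
            if m.server_id != self.server_id:
                # Not selected: withdraw the offer and put the address back in the pool.
                addr = self.reserved.pop(m.chaddr, None)
                if addr is not None:
                    self.free.append(addr)
                return None
            addr = self.reserved.pop(m.chaddr, None) or self.leased.get(m.chaddr)
            if addr != m.yiaddr:                    # client asks for something never offered
                return Msg("DHCPNAK", m.xid, m.chaddr, "", self.server_id)
            self.leased[m.chaddr] = addr            # commit the binding
            return Msg("DHCPACK", m.xid, m.chaddr, addr, self.server_id)

        if m.kind == "DHCPRELEASE" and m.server_id == self.server_id:
            addr = self.leased.pop(m.chaddr, None)
            if addr is not None:
                self.free.append(addr)              # step 10: mark the lease as free
        return None


def client_obtain_address(servers, chaddr, xid=1):
    """Steps 1-7: broadcast DISCOVER, collect OFFERs, pick one, broadcast REQUEST, take the ACK."""
    offers = [r for r in (s.handle(Msg("DHCPDISCOVER", xid, chaddr)) for s in servers) if r]
    if not offers:
        return None
    chosen = offers[0]                              # selection policy: first offer received
    request = Msg("DHCPREQUEST", xid, chaddr, chosen.yiaddr, chosen.server_id)
    replies = [r for r in (s.handle(request) for s in servers) if r]
    ack = next((r for r in replies if r.kind == "DHCPACK"), None)
    return ack.yiaddr if ack else None


def demo():
    """Constructed scenario: two servers with disjoint pools, one client."""
    a = Server("192.168.1.1", ["192.168.1.100", "192.168.1.101"])
    b = Server("192.168.1.2", ["192.168.1.200"])
    addr = client_obtain_address([a, b], "00:11:22:33:44:55")
    return addr, a, b


if __name__ == "__main__":
    addr, a, b = demo()
    print("client got", addr)
    print("server A leased", a.leased, "free", a.free)
    print("server B leased", b.leased, "free", b.free)
```

The simulation makes visible why the broadcast DHCPREQUEST matters: without it, server B would keep 192.168.1.200 reserved for a client that never took it, and a pool of overlapping or small ranges would drain quickly.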
1.16 SECURITY IN DHCP

Security is a significant subject when considering DHCP, because the main goal is to get communication parameters/IP address from an external source. This gives an opportunity to damage the host from outside the system. There are numerous threats to a host which uses DHCP. For example: deploying fake DHCP servers that will always deny service. Another is sending incorrect communication parameters and wrong DHCP server information, either because of a flawed server or deliberately.

These threats require authentication of the DHCP server and/or the communication parameters, to ensure that we are dealing with a real DHCP server which sends valid parameters. In order to achieve higher safety, the following two rules must be obeyed:

1. The protocol cannot be changed (i.e. its structure, message types etc. must remain intact).
2. Interact with the DHCP server as little as possible: minimize the number of stages of the communication with the DHCP server.

The main way to authenticate a DHCP message is to include an authentication field in the "options" field of the DHCP message.

Figure 6: This is the format of a DHCP client/server message with "authentication option":

Description of Fields in a DHCP message

Code              Bytes  Description
op                1      The code of an authentication message is 90.
Length            1      The length of the information data.
Protocol          1      The name of the protocol used for authentication (there are a number of techniques).
Algorithm         1      The name of the algorithm used by the protocol in the "protocol" field.
RDM               4      RDM stands for "Replay Detection Method": the method used for replay detection.
Replay Detection  8      This is a sequence of authentication. If the RDM field is 0x00, the sequence must be a monotonically increasing counter.
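The authentication option described above, as an added worked example that is not part of the manual: Python code that builds the option (code 90) and verifies it on receipt, rejecting a forged or modified message and a replayed one. The field widths follow the table on this page (protocol 1, algorithm 1, RDM 4, replay detection 8, then the authentication information). The page names no concrete protocol or algorithm, so the identifier values, the shared secret, the sample message and the choice of HMAC-SHA256 over the option body plus the protected message are all my assumptions; with RDM 0 the replay-detection field is the monotonically increasing counter the text requires, tracked per peer.

```python
"""Added example (not from the JTO manual): DHCP authentication option with
replay detection. Layout per the table on this page; MAC algorithm, key and
identifier values are illustrative assumptions."""
import hashlib
import hmac
import struct

OPT_AUTH = 90                                     # option code from the table
PROTOCOL_ID, ALGORITHM_ID, RDM_COUNTER = 1, 1, 0  # illustrative identifier values
BODY_FMT = "!BBIQ"                                # protocol, algorithm, RDM(4), replay detection(8)
BODY_LEN = struct.calcsize(BODY_FMT)              # 14 bytes
MAC_LEN = hashlib.sha256().digest_size            # 32 bytes of authentication information


def make_auth_option(secret: bytes, counter: int, message: bytes) -> bytes:
    """Return tag, length, body, MAC. The MAC covers the body and the protected message."""
    body = struct.pack(BODY_FMT, PROTOCOL_ID, ALGORITHM_ID, RDM_COUNTER, counter)
    mac = hmac.new(secret, body + message, hashlib.sha256).digest()
    payload = body + mac
    return bytes([OPT_AUTH, len(payload)]) + payload


class AuthVerifier:
    """Receiver-side check: keeps the highest counter accepted from each peer."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = {}                    # peer id -> last accepted counter

    def verify(self, peer: str, option: bytes, message: bytes) -> bool:
        # Structural checks first: tag, length octet, expected payload size.
        if len(option) < 2 or option[0] != OPT_AUTH or option[1] != len(option) - 2:
            return False
        payload = option[2:]
        if len(payload) != BODY_LEN + MAC_LEN:
            return False
        body, mac = payload[:BODY_LEN], payload[BODY_LEN:]
        proto, alg, rdm, counter = struct.unpack(BODY_FMT, body)
        if (proto, alg, rdm) != (PROTOCOL_ID, ALGORITHM_ID, RDM_COUNTER):
            return False                          # unsupported protocol/algorithm/RDM
        expected = hmac.new(self.secret, body + message, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False                          # wrong key, or message/option altered
        if counter <= self.last_counter.get(peer, -1):
            return False                          # replay: counter did not increase
        self.last_counter[peer] = counter
        return True


if __name__ == "__main__":
    secret = b"constructed-shared-secret"         # constructed, never a real key
    msg = b"DHCPOFFER yiaddr=192.168.1.100"       # constructed stand-in for the message
    v = AuthVerifier(secret)
    opt = make_auth_option(secret, 1, msg)
    print("fresh:", v.verify("server-a", opt, msg))       # True
    print("replayed:", v.verify("server-a", opt, msg))    # False
```

The verifier checks the MAC before the counter, so an attacker who cannot produce a valid MAC also cannot advance the stored counter and lock a legitimate server out; the counter is kept per peer because servers do not share a sequence.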
1.17 SUMMARY

In addition to carrying authentication in an option, as in IPv4, DHCPv6 can use the IPsec mechanisms for communication between relay agents, or between a relay agent and a server. IPsec provides security at the IP level, including replay detection and access control. The servers and relay agents are configured manually: each relay agent or server holds a list of the servers and relay agents it exchanges messages with, and accepts DHCP messages only from sources on that list. Beyond this, the general IPv6 security tools can also be applied to DHCP. Note that this protects only the relay-to-server leg; the client-to-relay leg on the local link is not covered, which is why link-layer controls such as DHCP snooping remain necessary.

2 ROLE OF ICMP PROTOCOL

2.1 INTRODUCTION

ICMP stands for Internet Control Message Protocol. It is a network layer protocol used for error reporting in the network layer, and it is primarily used by network devices such as routers. Since different kinds of error can occur in the network layer, ICMP is used to report them and to help debug them. For example, a sender wants to send a datagram to some destination, but a router on the way cannot deliver it. The router then sends a message back to the sender saying that it could not deliver the datagram to that destination.

The IP protocol itself has no error-reporting or error-correcting mechanism, so it relies on ICMP messages to convey this information. If a datagram is lost between the sender and the destination and nobody reports the error, the sender might assume that the datagram reached the destination. If a device in between reports the error, the sender (or an upper-layer protocol on its behalf) can react, for instance by retransmitting or by choosing another route.
2.2 POSITION OF ICMP IN THE NETWORK LAYER

ICMP resides in the IP layer, as shown in the diagram below. ICMP messages are carried directly inside IP datagrams (IP protocol number 1); ICMP does not run over TCP or UDP.

Figure 7: Position of ICMP in the network layer

Messages

ICMP messages are usually divided into two categories:

Figure 8: Categories of ICMP messages

o Error-reporting messages: a router (or the destination host) encounters a problem while processing an IP datagram and reports it to the original source of that datagram.

o Query messages: messages that help a host obtain specific information from another host or router. For example, a client that wants to know whether a server is alive sends an ICMP query to the server.

2.3 ICMP MESSAGE FORMAT

An ICMP message starts with an 8-byte header. The first field tells which kind of message it is: the type defines the message and the code defines its subtype. The ICMP message contains the following fields:

Figure 9: ICMP message fields

o Type: an 8-bit field that defines the ICMP message type. In ICMPv4 the type values are assigned individually (for example 3 for destination unreachable and 8 for echo request). In ICMPv6 the type space is split: values 0 to 127 are error messages and 128 to 255 are informational messages.

o Code: an 8-bit field that defines the subtype of the ICMP message.

o Checksum: a 16-bit field that lets the receiver detect corruption of the ICMP message. It is the one's-complement sum over the whole ICMP message, header and data.

o The remaining 4 bytes of the header depend on the type: identifier and sequence number for echo and timestamp messages, unused for most error messages. An error message then carries the IP header and the first 8 bytes of the datagram that caused the error, so that the source can tell which datagram, and which transport-layer port, was affected.

Note: ICMP always reports error messages to the original source of the datagram. When a router finds a problem with a datagram, it reports to the sender rather than to the receiver, because only the sender can do something about it. To avoid message storms, no ICMP error is generated in response to another ICMP error message, nor for a datagram sent to a broadcast or multicast address.
2.4 TYPES OF ERROR REPORTING MESSAGES

The error reporting messages are broadly classified into the following categories:

Figure 10: Error reporting messages

o Destination unreachable

A destination unreachable error occurs when a datagram cannot be delivered. If the sender sends a datagram and it cannot reach the destination, an intermediate router (or the destination host itself) reports to the sender that the destination is unreachable. In the message format:

Type: the number 3 specifies that the destination is unreachable.
Code (0 to 15): identifies the reason, and therefore whether the message comes from an intermediate router or from the destination itself. The most common values are 0 (network unreachable), 1 (host unreachable), 2 (protocol unreachable), 3 (port unreachable) and 4 (fragmentation needed but the Don't Fragment bit is set).

Note: When the destination host itself creates the destination unreachable message, the code is 2 or 3, because only the destination knows which protocols and ports it has open. Sometimes the destination does not want to process the request and sends a destination unreachable message to the source for that reason. A router does not detect all the problems that prevent delivery of a datagram; a datagram that is silently dropped produces no ICMP message at all.

o Source quench

There is no flow control or congestion control mechanism in the network layer or in the IP protocol. The sender is concerned only with sending datagrams; IP does not tell it whether the receiver is ready to receive them or whether there is congestion in the network, so the sender has no way of knowing that it should send fewer datagrams. ICMP provides this feedback in the form of the source quench message. Suppose the sender transmits at a high rate and a router cannot handle that rate.
To overcome such a situation, the router sends a source quench message telling the sender to send at a lower rate. It is a type 4 message with code 0.

Note: A source quench message informs the sender that a datagram has been discarded because of congestion in the network, so the sender should stop or slow down until the congestion is reduced. The router sends one source quench message for each datagram it discards because of congestion. Source quench was deprecated in RFC 6633: modern routers do not send it and hosts ignore it, because an unauthenticated message that tells a sender to slow down is an easy denial-of-service tool, and congestion control is handled by TCP instead.

o Time exceeded

Sometimes many routers exist between the sender and the receiver, and a datagram can end up in a routing loop. The time exceeded message is based on the time-to-live (TTL) value. Each router the datagram traverses decreases the TTL by one. When a router decrements the TTL of a datagram to zero, it discards the datagram and sends a time exceeded message to the original source.

The second use concerns fragmentation. Different link layers carry different maximum data units: one may carry 1500 bytes per frame, another only 300. When a datagram passes from a 1500-byte link onto a 300-byte link, it is divided into fragments; this process is known as fragmentation. A 1500-byte datagram becomes 5 fragments, f1 to f5 (ignoring header overhead), which travel independently to the destination. If not all fragments arrive at the destination within a set time, the destination discards the fragments it has received and sends a time exceeded message to the original source. In the fragmentation case the code differs from the TTL case. In the time exceeded message format, the type is 11 and the code is either 0 or 1.
Code 0 indicates the TTL case and code 1 the fragmentation case. Code 0 is used by routers to signal that the time-to-live has reached zero. Code 1 is used by the destination to signal that not all fragments arrived within the reassembly time.

o Parameter problem

Both a router and the destination host can send a parameter problem message. It conveys that some field of the IP header is not set correctly. The type of the message is 12, and the code can be 0 (the pointer field indicates the byte of the header that is in error) or 1 (a required option is missing).

2.5 REDIRECTION

Figure 11: Redirection

A host's routing table starts out minimal and is augmented and updated gradually as the host sends packets. The tool used to achieve this is the redirection message (type 5). For example, host A wants to send a datagram to B, and two routers exist between A and B on A's network. A sends the datagram to router 1. Router 1 forwards it to router 2 and at the same time sends a redirection message to A, so that A can update its routing table and send directly to router 2 next time.

Note: A redirection message is sent by a router to a host on the same network. Because a forged redirect can silently change a host's next hop and place an attacker in the path, hosts are commonly configured to ignore redirects on untrusted networks (on Linux, the sysctl net.ipv4.conf.all.accept_redirects set to 0).

2.6 ICMP QUERY MESSAGES

ICMP query messages are used for diagnostics and debugging of the internet rather than for error reporting. Their most common use is the ping utility.

o Echo-request and echo-reply message

A router or a host can send an echo-request message. It is used to ask another host "are you alive?". If the other host is alive, it returns an echo-reply message. The echo-reply is sent by the router or host that receives the echo-request.

Key points of query messages

1. The echo-request and echo-reply messages can be used by network managers to check the operation of the IP protocol.
Suppose two hosts A and B exist and A wants to communicate with B. Host A can communicate with B if the link between A and B is not broken and B is still alive.

2. The echo-request and echo-reply messages check the reachability of a host; this is done by invoking the ping command.

Message format of echo-request and echo-reply

The type of echo-request is 8 and the type of echo-reply is 0. The code of both messages is 0. The identifier and sequence number fields let the sender match each reply to the request it sent, and the reply carries back whatever data the request contained.

o Timestamp-request and timestamp-reply message

The timestamp-request and timestamp-reply messages are also query messages. Suppose computer A wants to know the time on computer B; it sends a timestamp-request to B, and B responds with a timestamp-reply.

Message format of timestamp-request and timestamp-reply

The type of timestamp-request is 13 and the type of timestamp-reply is 14. The code of both is 0. Each message carries three 32-bit timestamps (milliseconds since midnight UTC): the originate timestamp set by the sender, and the receive and transmit timestamps set by the responder.

Key points related to timestamp-request and timestamp-reply messages

o They can be used to calculate the round-trip time between source and destination even if the two clocks are not synchronized. The sender notes the time at which the reply arrives; the sending time is the receive timestamp minus the originate timestamp, the receiving time is the arrival time minus the transmit timestamp, and the round-trip time is their sum. Each of the two differences contains the clock offset between the machines, but with opposite signs, so the offset cancels in the sum.

o They can also be used to synchronize the clocks of two machines if the one-way transit time is known. The sender asks for the time on the receiver's clock and adds the propagation delay: if the receiver's time is 1:00 and the propagation delay is 100 ms, the sender sets its clock to 1:00 plus 100 ms. Timestamp messages are often filtered today, since they disclose a host's clock to anyone who asks.

2.7 DEBUGGING TOOLS

Several tools are used for debugging. Here we look at two that use ICMP: ping and traceroute.
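Both tools build and parse the messages described in sections 2.3 to 2.6. The following is an added example, not code from the manual: the RFC 1071 checksum, a builder for echo request/reply, a builder for error messages that quote the offending IP header plus 8 bytes (as a router sends them back to the original source), and a decoder that verifies the checksum, names the type and code, and extracts the addresses of the datagram that triggered an error. The IP/UDP datagram and the payloads are constructed sample data.

```python
"""ICMPv4 messages: RFC 1071 checksum, echo request/reply, error messages that
quote the offending datagram, and a decoder for the types in sections 2.3-2.6.
Added example; every packet here is constructed."""
import struct

ICMP_TYPES = {
    0: "echo reply", 3: "destination unreachable", 4: "source quench",
    5: "redirect", 8: "echo request", 11: "time exceeded",
    12: "parameter problem", 13: "timestamp request", 14: "timestamp reply",
}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                 3: "port unreachable", 4: "fragmentation needed and DF set"}
ERROR_TYPES = {3, 4, 5, 11, 12}          # these quote the offending IP header + 8 bytes


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\0"                      # pad odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8 (request) or 0 (reply), code 0; ident/seq pair replies with requests."""
    body = struct.pack("!HH", ident, seq) + payload
    csum = checksum(struct.pack("!BBH", icmp_type, 0, 0) + body)
    return struct.pack("!BBH", icmp_type, 0, csum) + body


def build_error(icmp_type: int, code: int, offending: bytes, extra: bytes = bytes(4)) -> bytes:
    """Error message as a router or host sends it to the original source: header,
    4 type-specific bytes (pointer for type 12, gateway for type 5, unused
    otherwise), then the IP header and first 8 bytes of the offending datagram."""
    ihl = (offending[0] & 0x0F) * 4
    body = extra + offending[:ihl + 8]
    csum = checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def decode(packet: bytes) -> dict:
    """Verify the checksum and describe the message. For error messages also
    extract the addresses, protocol and TTL of the quoted datagram: that is how
    the source matches the error to one of its own transmissions."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code = packet[0], packet[1]
    info = {"type": icmp_type, "code": code, "name": ICMP_TYPES.get(icmp_type, "unknown"),
            "checksum_ok": checksum(packet) == 0}   # a valid packet sums to zero
    if icmp_type in (0, 8, 13, 14):
        info["ident"], info["seq"] = struct.unpack("!HH", packet[4:8])
    elif icmp_type == 3:
        info["reason"] = UNREACH_CODES.get(code, "code %d" % code)
    elif icmp_type == 11:
        info["reason"] = "TTL exceeded in transit" if code == 0 else "fragment reassembly time exceeded"
    elif icmp_type == 12:
        info["pointer"] = packet[4]
    elif icmp_type == 5:
        info["gateway"] = ".".join(map(str, packet[4:8]))
    if icmp_type in ERROR_TYPES and len(packet) >= 28:
        ip = packet[8:]
        info["orig_src"] = ".".join(map(str, ip[12:16]))
        info["orig_dst"] = ".".join(map(str, ip[16:20]))
        info["orig_proto"] = ip[9]
        info["orig_ttl"] = ip[8]
    return info


def sample_datagram() -> bytes:
    """Constructed IPv4/UDP datagram 192.0.2.10:50000 -> 198.51.100.7:53 with TTL 1,
    the kind of probe whose expiry produces a type 11 code 0 message."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0xABCD, 0x4000, 1, 17, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    udp_hdr = struct.pack("!HHHH", 50000, 53, 8, 0)
    return ip_hdr + udp_hdr
```

The decoder deliberately keeps the quoted datagram's source address and protocol: a receiving host should only act on an error message whose quoted datagram it actually sent, which is the standard defence against forged unreachable or redirect messages.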
We have already seen ping, which uses echo-request and echo-reply to check whether a host or router is alive. Now we look at traceroute.

Traceroute is a tool that traces the route taken by a packet on an IP network from source to destination, recording the time taken to reach each hop along the way. It works by combining ICMP messages with the TTL field. Each router decrements the TTL; if the TTL reaches zero, the packet is discarded and the router returns a time exceeded message. Traceroute deliberately uses small TTL values so that the probes expire quickly: with TTL 1 the time exceeded message comes from router 1, with TTL 2 from router 2, and so on, and the source address of each message reveals that router's address.

Let us understand traceroute through an example. Suppose A and B are two hosts, A wants to send a packet to B, and three routers lie between them. To determine the routers on the path, we use traceroute.

TTL value = 1: Host A sends the probe to router 1 with TTL 1. Router 1 decrements the TTL to 0, discards the probe and generates a time exceeded message. Host A learns that router 1 is the first router on the path.

TTL value = 2: Host A sends the probe with TTL 2. Router 1 decrements the TTL to 1 and forwards the probe to router 2, which decrements it to 0 and generates a time exceeded message. Host A learns that router 2 is the second router on the path.

TTL value = 3: Host A sends the probe with TTL 3. Router 1 decrements the TTL to 2 and forwards it to router 2, which decrements it to 1.
Router 2 forwards the probe to router 3, where the TTL becomes 0, so router 3 generates a time exceeded message. Host A learns that router 3 is the third router on the path. When a probe finally reaches host B, B does not return a time exceeded message: the Unix traceroute sends UDP probes to an unlikely port and stops when it receives a destination unreachable message with code 3 (port unreachable) from B, while Windows tracert sends ICMP echo requests and stops on B's echo reply. Hops that do not answer (routers configured not to send ICMP, or filtering in between) appear as timeouts, usually printed as asterisks.

2.8 WHAT IS ICMP USED FOR?

The primary purpose of ICMP is error reporting. When two devices communicate over the Internet, ICMP carries error messages back to the sending device whenever data does not reach its intended destination. For example, if a datagram is too large for the next link and cannot be fragmented, the router drops it and sends an ICMP message back to the original source of the data.

A secondary use of ICMP is network diagnostics; the commonly used terminal utilities traceroute and ping both operate using ICMP. Traceroute displays the routing path between two Internet devices, that is, the sequence of routers a packet passes through before it reaches its destination. The journey from one router to the next is known as a "hop", and traceroute also reports the time required for each hop along the way, which helps locate sources of network delay.

Ping is a simpler tool. It tests the connection between two devices and reports exactly how long a packet takes to reach its destination and return to the sender. Although ping gives no information about routing or hops, it is a very useful measure of the latency between two devices. The ICMP echo-request and echo-reply messages are used to perform a ping. Unfortunately, network attacks can abuse this mechanism, producing disruptions such as the ICMP flood attack and the ping of death attack.

2.9 HOW DOES ICMP WORK?
ICMP is carried directly inside IP datagrams and is not associated with a transport layer protocol such as TCP or UDP. This makes ICMP connectionless: one device does not need to open a connection with another before sending an ICMP message. Much application traffic is sent over TCP, so two devices that exchange data first carry out a TCP handshake to ensure both are ready to receive; ICMP does not open a connection in this way. ICMP also has no port numbers, so an ICMP message cannot be aimed at a specific service on a device.

2.10 HOW IS ICMP USED IN DDOS ATTACKS?

ICMP flood attack

A ping flood or ICMP flood is an attempt to overwhelm a targeted device with ICMP echo-request packets. The target has to process and respond to each packet, consuming its processing capacity and bandwidth until legitimate users cannot receive service.

Figure 12: ICMP flood attack

Ping of death attack

In a ping of death attack the attacker sends a ping larger than the maximum allowable IP packet size (65,535 bytes) to a target, causing it to freeze or crash. The packet is fragmented on the way to the target, but when the target reassembles the fragments into a datagram that exceeds the maximum size, the oversized result overflows the reassembly buffer. The ping of death is largely historical: modern IP stacks check the reassembled length before copying a fragment, but older networking equipment could still be susceptible.

Smurf attack

In a Smurf attack the attacker sends ICMP echo requests with the victim's address as the spoofed source to the broadcast address of a network. Every host on that network replies, and the replies go to the spoofed address, flooding the victim with unwanted ICMP packets. Like the ping of death, the Smurf attack today works only against legacy equipment: routers stopped forwarding directed broadcasts by default (RFC 2644), which removes the amplification.

ICMP is not the only network layer protocol used in layer 3 DDoS attacks. Attackers have also used GRE packets in the past, for instance.
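Detection logic for the two abuses that are still seen in practice (echo-request floods and reflected, unsolicited echo replies), plus the length test a reassembler applies against the ping of death, run over constructed per-packet records of the kind a flow collector or pcap parser produces. This is an added example, not the manual's material; the addresses, thresholds and record layout are assumptions a real deployment would replace with its own.

```python
"""Detecting the ICMP abuses above from per-packet records
(time_s, src, dst, icmp_type, icmp_code). Added example; addresses,
thresholds and the record layout are constructed assumptions."""
from collections import defaultdict, deque

SAMPLE = (
    # ordinary ping: one request per second from 192.0.2.10 and its replies
    [(t, "192.0.2.10", "198.51.100.7", 8, 0) for t in range(10)]
    + [(t + 0.01, "198.51.100.7", "192.0.2.10", 0, 0) for t in range(10)]
    # echo-request flood: 600 requests in 0.6 s at 198.51.100.7 from one source
    + [(5 + i / 1000, "203.0.113.9", "198.51.100.7", 8, 0) for i in range(600)]
    # smurf-style reflection: replies from a whole /24 to 198.51.100.8, which
    # never sent a request
    + [(7 + i / 1000, "203.0.113.%d" % (i % 254 + 1), "198.51.100.8", 0, 0) for i in range(400)]
)


def detect_echo_flood(records, window_s=1.0, threshold=200):
    """Flag each destination that receives more than `threshold` echo requests
    (type 8) within a sliding window of `window_s` seconds."""
    recent, alerts = defaultdict(deque), {}
    for ts, _src, dst, typ, _code in sorted(records):
        if typ != 8:
            continue
        q = recent[dst]
        q.append(ts)
        while ts - q[0] > window_s:          # drop timestamps that left the window
            q.popleft()
        if len(q) > threshold and dst not in alerts:
            alerts[dst] = {"first_seen": q[0], "rate_pps": len(q) / window_s}
    return alerts


def detect_unsolicited_replies(records, min_sources=50):
    """Smurf signature: echo replies (type 0) arriving at a host that sent no
    matching request, from many different reflectors."""
    requested, unsolicited = set(), defaultdict(set)
    for _ts, src, dst, typ, _code in sorted(records):
        if typ == 8:
            requested.add((src, dst))
        elif typ == 0 and (dst, src) not in requested:
            unsolicited[dst].add(src)
    return {victim: len(srcs) for victim, srcs in unsolicited.items()
            if len(srcs) >= min_sources}


def oversized_reassembly(frag_offset_units: int, ip_total_len: int, ihl: int = 20) -> bool:
    """Ping-of-death check a reassembler must make before copying a fragment:
    offset (in 8-byte units) plus payload length must not push the reassembled
    datagram past the 65,535-byte IPv4 maximum."""
    return frag_offset_units * 8 + (ip_total_len - ihl) > 65535


if __name__ == "__main__":
    print(detect_echo_flood(SAMPLE))
    print(detect_unsolicited_replies(SAMPLE))
    print(oversized_reassembly(8189, 1500))   # fragment that would overflow
```

The two detectors are complementary: the flood rule looks at request volume per destination, while the reflection rule ignores volume and asks whether a reply has a request to match, which is also how a stateful firewall decides to drop unsolicited echo replies.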
Typically, network layer DDoS attacks target networking equipment and infrastructure, as opposed to application layer DDoS attacks, which target web properties. Cloudflare Magic Transit is one example of a commercial service that defends against network layer DDoS attacks; ingress filtering of spoofed source addresses (BCP 38) and rate limiting of ICMP at the network edge are the generic countermeasures.

2.11 SUMMARY

The Internet Control Message Protocol (ICMP) is a network layer protocol used by network devices to diagnose network communication issues. ICMP is mainly used to determine whether or not data is reaching its intended destination in a timely manner. Commonly, the ICMP protocol is used on network devices such as routers. ICMP is crucial for error reporting and testing, but it can also be used in distributed denial-of-service (DDoS) attacks.

3 DOMAIN NAME SYSTEM

3.1 INTRODUCTION

Several applications in the application layer of the Internet model follow the client/server paradigm. Client/server programs can be divided into two categories: those that are used directly by the user, such as e-mail, and those that support other application programs. The Domain Name System (DNS) is a supporting program that is used by other programs such as e-mail. Figure 13 shows how a DNS client/server program can support an e-mail program in finding the IP address of an e-mail recipient. A user of an e-mail program may know the e-mail address of the recipient; however, the IP protocol needs the IP address. The DNS client program sends a request to a DNS server to map the domain part of the e-mail address to the corresponding IP address.

Figure 13: Example of using the DNS service

To identify an entity, TCP/IP protocols use the IP address, which uniquely identifies the connection of a host to the Internet. However, people prefer to use names instead of numeric addresses. Therefore we need a system that can map a name to an address or an address to a name.
When the Internet was small, mapping was done with a host file. The host file had only two columns: name and address. Every host stored the host file on its disk and updated it periodically from a master host file. When a program or a user wanted to map a name to an address, the host consulted the host file and found the mapping.

Today, however, it is impossible to have one single host file that relates every address to a name and vice versa. The host file would be too large to store on every host, and it would be impossible to update all the host files every time there was a change.

One solution would be to store the entire host file on a single computer and allow every computer that needs a mapping to access this centralized information. But this would create a huge amount of traffic on the Internet, and a single point of failure. Another solution, the one used today, is to divide this huge amount of information into smaller parts and store each part on a different computer. In this method, the host that needs a mapping contacts the closest computer holding the needed information. This method is used by the Domain Name System (DNS).

3.2 NAME SPACE

To be unambiguous, the names assigned to machines must be carefully selected from a name space with complete control over the binding between names and IP addresses. In other words, the names must be unique because the addresses are unique. A name space that maps each address to a unique name can be organized in two ways: flat or hierarchical.

3.3 FLAT NAME SPACE

In a flat name space, a name is simply assigned to an address. A name in this space is a sequence of characters without structure. The names may or may not have a common section; if they do, it has no meaning.
The main disadvantage of a flat name space is that it cannot be used in a large system such as the Internet, because it must be centrally controlled to avoid ambiguity and duplication.

3.4 HIERARCHICAL NAME SPACE

In a hierarchical name space, each name is made of several parts. The first part can define the nature of the organization, the second the name of the organization, the third a department within the organization, and so on. The authority to assign and control names can then be decentralized. A central authority assigns the part of the name that defines the nature and the name of the organization; responsibility for the rest of the name is given to the organization itself. The organization can add prefixes to the name to define its hosts or resources. The management of the organization need not worry that a prefix chosen for a host is also used by another organization because, even if part of the name is the same, the whole name is different.

3.5 DOMAIN NAME SPACE

To have a hierarchical name space, a domain name space was designed. In this design the names are defined in an inverted-tree structure with the root at the top. The tree can have at most 128 levels: level 0 (the root) to level 127.

Figure 14: Domain Name Space

Each node in the tree has a label, which is a string of at most 63 characters. The root label is the null (empty) string. DNS requires that the children of a node (nodes that branch from the same parent) have different labels, which guarantees the uniqueness of domain names. A complete name, in its encoded form, may be at most 255 octets long.

3.6 DOMAIN NAME

Each node in the tree has a domain name. A full domain name is a sequence of labels separated by dots (.). Domain names are always read from the node up to the root. The last label is the label of the root (null).
This means that a full domain name always ends in a null label, so the last character is a dot, because the null string is nothing. Figure 15 shows some domain names.

Figure 15: Domain names and labels

3.7 FULLY QUALIFIED DOMAIN NAME

If a name is terminated by the null label, it is called a fully qualified domain name (FQDN). An FQDN contains the full name of a host: all labels, from the most specific to the most general, that uniquely define the name of the host. For example, the domain name challenger.atc.jhda.edu. is the FQDN of a computer named challenger installed at the Advanced Technology Centre (ATC) at De Anza College. A DNS server can only match an FQDN to an address. Note that the name must end with the null label, and because null means nothing, the name ends with a dot (.).

3.8 PARTIALLY QUALIFIED DOMAIN NAME

If a name is not terminated by the null label, it is called a partially qualified domain name (PQDN). A PQDN starts from a node but does not reach the root. It is used when the name to be resolved belongs to the same site as the client. Here the resolver supplies the missing part, called the suffix, to create an FQDN. For example, if a user at the jhda.edu. site wants the IP address of the challenger computer, he or she can give the partial name challenger. The DNS client adds the suffix atc.jhda.edu. before passing the name to the DNS server. The DNS client normally holds a list of suffixes (the search list). The null suffix defines nothing; it is used when the user already gives an FQDN. Note the security consequence: a PQDN is tried against each suffix in turn, so whoever can create the matching name under one of the search domains can capture the lookup. For anything security-sensitive, use FQDNs.

Figure 16: PQDN and FQDN

A domain is a subtree of the domain name space. The name of the domain is the domain name of the node at the top of the subtree. A domain may itself be divided into domains (or subdomains, as they are sometimes called).
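The rules of sections 3.5 to 3.8 in code, as an added example that is not part of the manual: label and name length limits, the wire encoding of a name (one length byte per label, ending with the zero-length root label that the trailing dot stands for), its decoding, and the way a stub resolver turns a PQDN into candidate FQDNs using its search list. The host names and search list are constructed; the ndots rule follows the common resolver convention of trying the name as given first when it already contains enough dots.

```python
"""Domain-name handling from sections 3.5-3.8: length limits, wire encoding,
and qualifying a PQDN with a resolver's search list. Added example; the
names and search list below are constructed."""

MAX_LABEL = 63          # octets per label
MAX_NAME = 255          # octets of the encoded name
MAX_LEVELS = 128        # level 0 (root) to level 127


def split_labels(name: str) -> list:
    """'a.b.' -> ['a', 'b']; the root label is implicit. Rejects empty or
    over-long labels and too many levels."""
    stripped = name.rstrip(".")
    labels = stripped.split(".") if stripped else []
    for label in labels:
        if not label or len(label) > MAX_LABEL:
            raise ValueError("bad label %r" % label)
    if len(labels) + 1 > MAX_LEVELS:
        raise ValueError("too many levels in %r" % name)
    return labels


def encode_name(fqdn: str) -> bytes:
    """Wire format: length byte, label, ..., then 0x00 for the null root label."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in split_labels(fqdn)) + b"\0"
    if len(wire) > MAX_NAME:
        raise ValueError("encoded name exceeds %d octets" % MAX_NAME)
    return wire


def decode_name(wire: bytes, offset: int = 0) -> tuple:
    """Inverse of encode_name: returns (name with trailing dot, next offset).
    Compression pointers (top two bits set) are out of scope here."""
    labels = []
    while True:
        n = wire[offset]
        offset += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not handled")
        labels.append(wire[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels) + ".", offset


def qualify(name: str, search_list: list, ndots: int = 1) -> list:
    """Candidate FQDNs a stub resolver tries for `name`, in order. A name that
    already ends in a dot is an FQDN and gets no suffix. A PQDN is tried with
    each suffix of the search list and as-is (as-is first if it has at least
    `ndots` dots, otherwise last)."""
    if name.endswith("."):
        return [name]
    with_suffixes = ["%s.%s." % (name, s.strip(".")) for s in search_list]
    as_is = name + "."
    if name.count(".") >= ndots:
        return [as_is] + with_suffixes
    return with_suffixes + [as_is]
```

Run against the manual's own example, "challenger" with the search list ["atc.jhda.edu", "jhda.edu"] expands to challenger.atc.jhda.edu., then challenger.jhda.edu., and finally challenger. itself; the order is exactly the set of names an attacker would have to control to hijack the lookup, which is why the FQDN form is preferred in configuration files.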
3.9 DISTRIBUTION OF NAME SPACE

The information contained in the domain name space must be stored. However, it is both inefficient and unreliable to have just one computer store such a huge amount of information. It is inefficient because responding to requests from all over the world places a heavy load on that system. It is unreliable because any failure makes the data inaccessible.

3.10 HIERARCHY OF NAME SERVERS

The solution to these problems is to distribute the information among many computers called DNS servers. One way to do this is to divide the whole space into many domains based on the first level: we let the root stand alone and create as many domains (subtrees) as there are first-level nodes. Because a domain created in this way could be very large, DNS allows domains to be divided further into smaller domains (subdomains). Each server can be responsible (authoritative) for either a large or a small domain. In other words, we have a hierarchy of servers in the same way that we have a hierarchy of names (see Figure 17).

Since the complete domain name hierarchy cannot be stored on a single server, it is divided among many servers. What a server is responsible for, or has authority over, is called a zone. We can define a zone as a contiguous part of the entire tree. If a server accepts responsibility for a domain and does not divide the domain into smaller domains, the domain and the zone refer to the same thing. The server keeps a database called a zone file with all the information for every node under that domain. However, if a server divides its domain into subdomains and delegates part of its authority to other servers, domain and zone refer to different things.
The information about the nodes in the subdomains is stored on the servers at the lower levels, and the original server keeps a reference (the delegation) to these lower-level servers. The original server does not free itself from responsibility entirely: it still has a zone, but the detailed information is kept by the lower-level servers (see Figure 17). A server can also delegate part of its domain while keeping the rest for itself. In that case its zone is made of detailed information for the part of the domain that is not delegated and references to the parts that are delegated.

Figure 17: Zones and domains

3.11 ROOT SERVER

A root server is a server whose zone consists of the whole tree. A root server usually does not store any information about domains but delegates its authority to other servers, keeping references to those servers. There are several root servers (13 named root server identities, each replicated at many sites using anycast), all covering the whole domain name space and distributed around the world.

3.12 PRIMARY AND SECONDARY SERVERS

DNS defines two types of servers: primary and secondary. A primary server stores the file for the zone for which it is an authority. It is responsible for creating, maintaining and updating the zone file, which it keeps on local disk. A secondary server obtains the complete information about a zone from another server (primary or secondary) by zone transfer and stores it on its local disk. The secondary server neither creates nor updates the zone file; if updating is required, it is done on the primary, which sends the updated version to the secondary. Zone transfers should be permitted only to the addresses of the known secondaries, since an open zone transfer hands an attacker the complete list of hosts in the zone.

The primary and secondary servers are both authoritative for the zones they serve. The idea is not to put the secondary server at a lower level of authority but to create redundancy for the data, so that if one server fails the other can continue serving clients.
Note also that a server can be a primary server for one zone and a secondary server for another. Therefore, when we refer to a server as primary or secondary, we should be careful about which zone we mean.

3.13 DNS IN THE INTERNET

DNS is a protocol that can be used on different platforms. In the Internet, the domain name space (tree) is divided into three sections: generic domains, country domains and the inverse domain.

3.14 GENERIC DOMAINS

The generic domains define registered hosts according to their generic behaviour. Each node in the tree defines a domain, which is an index into the domain name space database.

Table 4: Generic Domains

3.15 COUNTRY DOMAINS

The country domains section uses two-character country abbreviations (e.g., in for India). Second-level labels can be organizational, or they can be more specific designations.

3.16 INVERSE DOMAIN

The inverse domain is used to map an address to a name. This may be needed, for example, when a server has received a request from a client to do a task. Although the server has a file that contains a list of authorized clients, only the IP address of the client (extracted from the received IP packet) is known. The server asks its resolver to send a query to the DNS server to map the address to a name, in order to determine whether the client is on the authorized list. This type of query is called an inverse or pointer (PTR) query. Note that the owner of the address block controls its PTR records, so a name obtained this way should be trusted only if a forward lookup of that name returns the same address.

To handle pointer queries, the inverse domain is added to the domain name space with the first-level node called arpa (for historical reasons). The second level is a single node named in-addr (for inverse address). The rest of the domain defines IP addresses. The servers that handle the inverse domain are also hierarchical: the netid part of the address is at a higher level than the subnetid part, and the subnetid part higher than the hostid part.
In this way, a server serving the whole site is at a higher level than the servers serving each subnet. This configuration makes the domain look inverted when compared to a generic or country domain. To follow the convention of reading domain labels from the bottom to the top, an IP address such as 132.34.45.121 (a class B address with netid 132.34) is read as 121.45.34.132.in-addr.arpa.

3.17 RESOLUTION

Mapping a name to an address or an address to a name is called name-address resolution.

RESOLVER

DNS is designed as a client/server application. A host that needs to map an address to a name or a name to an address calls a DNS client called a resolver. The resolver accesses the closest DNS server with a mapping request. If the server has the information, it satisfies the resolver; otherwise it either refers the resolver to other servers or asks other servers to provide the information. After the resolver receives the mapping, it interprets the response to see whether it is a real resolution or an error, and finally delivers the result to the process that requested it.

MAPPING NAMES TO ADDRESSES

Most of the time the resolver gives a domain name to the server and asks for the corresponding address. The server checks the generic domains or the country domains to find the mapping. If the domain name is from the generic domains section, the resolver receives a domain name such as "chal.atc.jhda.edu.". The resolver sends the query to the local DNS server for resolution. If the local server cannot resolve the query, it either refers the resolver to other servers or asks other servers directly. If the domain name is from the country domains section, the resolver receives a domain name such as "ch.jhda.cu.ca.us."; the procedure is the same.

MAPPING ADDRESSES TO NAMES

A client can send an IP address to a server to be mapped to a domain name.
As mentioned before, this is called a PTR query. To answer queries of this kind, DNS uses the inverse domain. However, in the request, the IP address is reversed and the two labels in-addr and arpa are appended to create a domain acceptable to the inverse domain section. For example, if the resolver receives the IP address 132.34.45.121, the resolver first inverts the address and then adds the two labels before sending. The domain name sent is "121.45.34.132.in-addr.arpa.", which is received by the local DNS server and resolved.

RECURSIVE RESOLUTION

The client (resolver) can ask for a recursive answer from a name server. This means that the resolver expects the server to supply the final answer. If the server is the authority for the domain name, it checks its database and responds. If the server is not the authority, it sends the request to another server (the parent usually) and waits for the response. If the parent is the authority, it responds; otherwise, it sends the query to yet another server. When the query is finally resolved, the response travels back until it finally reaches the requesting client. This is called recursive resolution.

Figure 18: Recursive resolution

ITERATIVE RESOLUTION

If the client does not ask for a recursive answer, the mapping can be done iteratively. If the server is an authority for the name, it sends the answer. If it is not, it returns (to the client) the IP address of the server that it thinks can resolve the query. The client is responsible for repeating the query to this second server. If the newly addressed server can resolve the problem, it answers the query with the IP address; otherwise, it returns the IP address of a new server to the client. Now the client must repeat the query to the third server. This process is called iterative resolution because the client repeats the same query to multiple servers.
In Figure 19, the client queries four servers before it gets an answer from the mcgraw.com server.

Figure 19: Iterative resolution

3.18 CACHING

Each time a server receives a query for a name that is not in its domain, it needs to search its database for a server IP address. Reducing this search time would increase efficiency. DNS handles this with a mechanism called caching. When a server asks for a mapping from another server and receives the response, it stores this information in its cache memory before sending it to the client. If the same or another client asks for the same mapping, it can check its cache memory and solve the problem. However, to inform the client that the response is coming from the cache memory and not from an authoritative source, the server marks the response as unauthoritative.

Caching speeds up resolution, but it can also be problematic. If a server caches a mapping for a long time, it may send an outdated mapping to the client. To counter this, two techniques are used. First, the authoritative server always adds information to the mapping called time-to-live (TTL). It defines the time in seconds that the receiving server can cache the information. After that time, the mapping is invalid and any query must be sent again to the authoritative server. Second, DNS requires that each server keep a TTL counter for each mapping it caches. The cache memory must be searched periodically, and those mappings with an expired TTL must be purged.

3.19 DNS MESSAGES

DNS has two types of messages: query and response. Both types have the same format. The query message consists of a header and question records; the response message consists of a header, question records, answer records, authoritative records, and additional records.
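The inverse-domain naming of 3.16, the iterative and recursive resolution of 3.17 and the TTL cache of 3.18 can be exercised together in one small model. The Python below is an added example written for this section, not code from the course material: the server names, zones, addresses and TTL values are constructed, and only the in-addr.arpa layout and the 121.45.34.132 name come from the text.

```python
"""Toy model of DNS resolution and caching (sections 3.16 to 3.18).

Added example: the server names, zones, addresses and TTLs are constructed;
only the in-addr.arpa layout and the 121.45.34.132 name follow the text.
"""
import ipaddress
import time


def reverse_name(ip: str) -> str:
    """PTR query name for an IPv4 address: labels reversed, then in-addr.arpa
    appended (3.16). Malformed input raises ValueError rather than a bogus name."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."


# Constructed hierarchy. Each server is authoritative for one zone and knows a
# referral (the child server) for the sub-zones it has delegated.
SERVERS = {
    "root": {"records": {},
             "referrals": {"com.": "com-server", "in-addr.arpa.": "arpa-server"}},
    "com-server": {"records": {},
                   "referrals": {"mcgraw.com.": "mcgraw-server"}},
    "mcgraw-server": {"records": {"www.mcgraw.com.": ("A", "203.0.113.10", 300)},
                      "referrals": {}},
    "arpa-server": {"records": {"121.45.34.132.in-addr.arpa.": ("PTR", "host.example.", 3600)},
                    "referrals": {}},
}


def _in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


def ask_server(server: str, name: str):
    """One query to one server: (record, None) if it is the authority for the
    name, else (None, referral) with the longest-matching delegation it knows."""
    s = SERVERS[server]
    if name in s["records"]:
        return s["records"][name], None
    best = None
    for zone, child in s["referrals"].items():
        if _in_zone(name, zone) and (best is None or len(zone) > len(best[0])):
            best = (zone, child)
    return None, (best[1] if best else None)


def resolve_iterative(name: str, start: str = "root"):
    """Iterative resolution (3.17): the client itself repeats the query to every
    server it is referred to. Returns (record, servers_queried)."""
    server, queried = start, []
    while server is not None:
        queried.append(server)
        record, referral = ask_server(server, name)
        if record is not None:
            return record, queried
        server = referral
    return None, queried


def resolve_recursive(server: str, name: str):
    """Recursive resolution (3.17): the server chases the referrals on the
    client's behalf and returns only the final answer (None if unresolvable)."""
    record, referral = ask_server(server, name)
    if record is not None or referral is None:
        return record
    return resolve_recursive(referral, name)


class CachingResolver:
    """Caches answers for their TTL and marks cached replies non-authoritative
    (3.18). The clock is injectable so expiry can be checked deterministically."""

    def __init__(self, now=time.time):
        self.now = now
        self.cache = {}   # name -> (record, expiry time)

    def purge_expired(self) -> int:
        """The periodic sweep the text requires: drop entries whose TTL ran out."""
        stale = [n for n, (_, expiry) in self.cache.items() if expiry <= self.now()]
        for n in stale:
            del self.cache[n]
        return len(stale)

    def lookup(self, name: str):
        """Return (record, authoritative); (None, False) when nothing resolves."""
        self.purge_expired()
        if name in self.cache:
            return self.cache[name][0], False      # served from cache: unauthoritative
        record, _ = resolve_iterative(name)
        if record is None:
            return None, False
        self.cache[name] = (record, self.now() + record[2])   # record[2] is the TTL
        return record, True
```

resolve_iterative("www.mcgraw.com.") walks root, com-server and mcgraw-server in turn, while resolve_recursive("root", ...) hides that walk from the caller. The same name looked up through a CachingResolver is authoritative on the first lookup, served unauthoritatively from cache until its 300 s TTL has elapsed, and fetched from the authority again afterwards.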
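As an added example for the 12-byte header laid out under HEADER in this section (not code from the course material), the Python below packs and unpacks the identification, flags and four record-count fields, decodes the flag bits, and performs the check a resolver makes before accepting a reply. The two sample messages are constructed by hand, not captured from a server.

```python
"""Pack and unpack the 12-byte DNS message header (section 3.19).

Added example; the sample query and response bytes are constructed by hand.
"""
import struct

HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount


def parse_header(data: bytes) -> dict:
    """Decode the six 16-bit fields and the individual flag bits. A message
    shorter than the header is rejected instead of being read past its end."""
    if len(data) < HEADER.size:
        raise ValueError(f"need {HEADER.size} header bytes, got {len(data)}")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(data)
    return {
        "id": ident,
        "is_response": bool(flags >> 15 & 1),          # QR: 0 query, 1 response
        "opcode": flags >> 11 & 0xF,                    # 0 = standard query
        "authoritative": bool(flags >> 10 & 1),        # AA: answer is from the authority
        "truncated": bool(flags >> 9 & 1),             # TC: reply did not fit (retry over TCP)
        "recursion_desired": bool(flags >> 8 & 1),     # RD: client asks for recursive resolution
        "recursion_available": bool(flags >> 7 & 1),   # RA: server offers it
        "rcode": flags & 0xF,                          # 0 = no error, 3 = name does not exist
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_header(ident: int, *, is_response=False, opcode=0, authoritative=False,
                 truncated=False, recursion_desired=True, recursion_available=False,
                 rcode=0, qdcount=1, ancount=0, nscount=0, arcount=0) -> bytes:
    """Assemble the header; a query leaves the three answer-side counts at zero."""
    flags = (int(is_response) << 15 | (opcode & 0xF) << 11 | int(authoritative) << 10
             | int(truncated) << 9 | int(recursion_desired) << 8
             | int(recursion_available) << 7 | (rcode & 0xF))
    return HEADER.pack(ident & 0xFFFF, flags, qdcount, ancount, nscount, arcount)


def matches_query(query: bytes, response: bytes) -> bool:
    """The resolver's check before it trusts a reply: QR set, identification
    echoed, question count echoed. Anything else is discarded, which is why the
    identification should be hard to guess for each new query."""
    q, r = parse_header(query), parse_header(response)
    return (r["is_response"] and not q["is_response"]
            and q["id"] == r["id"] and q["qdcount"] == r["qdcount"])


# Constructed sample: a standard query, id 0x1a2b, RD set, one question ...
SAMPLE_QUERY = bytes.fromhex("1a2b 0100 0001 0000 0000 0000")
# ... and its response: QR and RA set, RD echoed, one answer record.
SAMPLE_RESPONSE = bytes.fromhex("1a2b 8180 0001 0001 0000 0000")
```

build_header(0x1a2b) reproduces SAMPLE_QUERY byte for byte, and parse_header(SAMPLE_RESPONSE) reports is_response, recursion_available and ancount == 1 with the three query-side zeros the text describes; matches_query rejects a reply whose identification differs from the query's.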
HEADER

Both query and response messages have the same header format, with some fields set to zero for the query messages. The header is 12 bytes, and its format is shown in Figure 21. The identification subfield is used by the client to match the response with the query. The client uses a different identification number each time it sends a query. The server duplicates this number in the corresponding response. The flags subfield is a collection of subfields that define the type of the message, the type of answer requested, the type of desired resolution (recursive or iterative), and so on. The number of question records subfield contains the number of queries in the question section of the message. The number of answer records subfield contains the number of answer records in the answer section of the response message. Its value is zero in the query message. The number of authoritative records subfield contains the number of authoritative records in the authoritative section of a response message. Its value is zero in the query message. Finally, the number of additional records subfield contains the number of additional records in the additional section of a response message. Its value is zero in the query message.

Figure 20: Query and response messages

Figure 21: Header format

Question Section

This is a section consisting of one or more question records. It is present in both query and response messages. We will discuss the question records in a following section.

Answer Section

This is a section consisting of one or more resource records. It is present only in response messages. This section includes the answer from the server to the client (resolver).

Authoritative Section

This is a section consisting of one or more resource records. It is present only in response messages.
This section gives information (domain name) about one or more authoritative servers for the query.

Additional Information Section

This is a section consisting of one or more resource records. It is present only in response messages. This section provides additional information that may help the resolver. For example, a server may give the domain name of an authoritative server to the resolver in the authoritative section, and include the IP address of the same authoritative server in the additional information section.

3.20 TYPES OF RECORDS

Question Record

A question record is used by the client to get information from a server. This contains the domain name.

Resource Record

Each domain name (each node on the tree) is associated with a record called the resource record. The server database consists of resource records. Resource records are also what is returned by the server to the client.

REGISTRARS

How are new domains added to DNS? This is done through a registrar, a commercial entity accredited by ICANN. A registrar first verifies that the requested domain name is unique and then enters it into the DNS database. A fee is charged. To register, the organization needs to give the name of its server and the IP address of the server.

3.21 DYNAMIC DOMAIN NAME SYSTEM (DDNS)

When the DNS was designed, no one predicted that there would be so many address changes. In DNS, when there is a change, such as adding a new host, removing a host, or changing an IP address, the change must be made to the DNS master file. These types of changes involve a lot of manual updating. The size of today's Internet does not allow for this kind of manual operation. The DNS master file must be updated dynamically. The Dynamic Domain Name System (DDNS) was therefore devised to respond to this need. In DDNS, when a binding between a name and an address is determined, the information is sent, usually by DHCP, to a primary DNS server. The primary server updates the zone.
The secondary servers are notified either actively or passively. In active notification, the primary server sends a message to the secondary servers about the change in the zone, whereas in passive notification, the secondary servers periodically check for any changes. In either case, after being notified about the change, the secondary requests information about the entire zone (zone transfer). To provide security and prevent unauthorized changes in the DNS records, DDNS can use an authentication mechanism.

3.22 SUMMARY

DNS can use either UDP or TCP. In both cases the well-known port used by the server is port 53. UDP is used when the size of the response message is less than 512 bytes because most UDP packets have a 512-byte size limit. If the size of the response message is more than 512 bytes, a TCP connection is used.

4 FIREWALL CONCEPT AND CONFIGURATION OF FIREWALL

4.1 OBJECTIVES

After completion of this module you will be able to know:

- What is Firewall
- Basics of Firewall
- How Firewall Works
- What is UTM Firewall
- Configuration of Firewall

4.2 FIREWALL INTRODUCTION

All those who have Windows XP/Vista/7 installed on their machine would have seen the adjoining icon. This is the icon of FIREWALL. We all hear this term quite often, but what actually is a Firewall? Is it hardware or software? Do we need it in a personal computer/laptop or is it only needed in organizations? Is it different from anti-virus? So let us have a closer and deeper look at this very essential thing.

BUSTING THE MYTHS

First of all we need to have an open mind and clear certain myths we have regarding Firewall.

Myth 1: Firewall is software

Answer: No, it can be software as well as hardware.
In large business organizations the functionality is met by hardware and software Firewall. But in small scale organizations or personal computers/laptops, software solves the functionality.

Myth 2: Personal Computers/Laptops don't need Firewall

Answer: If you are connected to a network, whether local or the internet, then you definitely need a firewall. What the need of the firewall is will be discussed later.

Myth 3: Antivirus and firewall are the same

Answer: The answer is a BIG NO. They are entirely different things. A firewall is for protection from threats from the network, whereas anti-virus works against viruses on the local machine where it is installed, by scanning everything which is installed or running. But these days a firewall is integrated inside Antivirus (these days antivirus provides real-time scanning which serves the purpose of a firewall as well), so having a firewall separately on a personal computer/laptop is optional. But in organizations they are quite essential. We will explore it further later.

4.3 BASICS

Before taking a leap into the world of firewalls, we need to have a little knowledge about networks.

Whenever a person clicks on a link or a website, he or she asks the server associated with the website to send the data to his or her computer. In an organization there is a router whose task is directing traffic. In simple terms, whenever a computer asks for resources from a network, the router looks at the address and sends the needed data. The data might be from the internet or from the local network of the organization. If data/resources are needed from the internet it goes to the modem (modulator demodulator). For the sake of simplicity just consider that a modem is a device needed to transmit and receive digital data easily. This modem then connects to the internet or any other network (which is not local to the system), fetches the data needed and sends it back.
It should be noted that we have considered that data is needed by the system; it might be the case that data is sent by the system, for example an attachment in mail or an uploaded file.

We also need to understand one more thing. How does the router/modem know from where data should be fetched/sent? There needs to be some kind of address. And that is defined by IP address and port number. The IP address is the address of the machine on the internet; this means all the machines connected to the internet have an IP address which is their address. A server has a static address. The port number is a 16 bit binary number (hence the range is 0-65535) and is part of the addressing information. They are a type of door and they are divided into:

- Well Known ports (0-1024; example 20 for FTP data, 80 for HTTP)
- Registered Ports (1024-49151; can be used for proprietary server processes or client processes)
- Dynamic Ports/Ephemeral ports (49152-65535; can be frequently used, are used by clients temporarily)

So consider an example that if a machine is running an FTP server then most probably it will be on port 20. So if any client wants to connect to it then it will do so at a specific IP address and on a port. So now we have learnt how a connection is established and how data is sent or fetched from a network, and we can now understand the concept of a firewall.

A firewall is a hardware device or software that lies between a computer and a network, and its task is to analyze the data entering or exiting the network based on the configuration (set of rules defined to the firewall). A firewall acts as a barrier between the computer and the Big Bad World.

4.4 ANALOGY

In simpler terms consider that internet ports are doors, just like the doors to houses, and the data needed is present in a house. So now we can say that there are 65535 doors in the world of the internet. Suppose a user wants to download a song, say iloveu.mp3.
A website has a link which says that the song is at present at this link. The link is just like a signboard on a road telling the direction of the house we are looking for.

Now when a user clicks on a link it means it knocks on the door of the house. A user doesn't know what is behind the door. It might be the house of iloveu.mp3 or it might be the house of a virus with the nameplate of iloveu.mp3. So the firewall's job is to check the rules defined and see if the data from that house/door is allowed or not permitted to enter the system. If not permitted then the firewall's job is to block the door; that is, it will lock the door to that link and will not allow the process. This is just one of the tasks performed by a firewall.

In business organizations a firewall is not only used to prevent intrusions by a hacker/virus/malware but also to restrict the members of the organization from accessing unwanted websites. For example, if I want that people of my company should not be able to use torrents (obviously because it will burden the network) or facebook (nobody pays for doing facebook), then I will define certain rules in the firewall which will prevent the users from accessing the restricted sites.

4.5 WHAT HAPPENS BEHIND THE SCENES?

Now we understand what the role of a firewall is, but how does it work? So let us find the missing piece. Firewalls use one or more of three methods to control traffic flowing in and out of the network:

Packet Filtering: Whenever data is sent through the internet it is first broken into small chunks known as packets, then these packets are sent. Every packet has a header which contains the information associated with the packet, e.g. its source and destination. We know that in a firewall (whether hardware or software) the super-user defines some rules/guidelines which should be followed.
So whenever a packet enters or leaves, the filter checks whether it meets the rules defined. If it meets them it passes; otherwise it is denied permission.

Proxy Service: One can think of this as an intermediate stage between the network and the computer. They are specialized applications or programs (servers) which run on the firewall. They disallow a direct connection between the internet/network and a computer. These programs take user requests for services (services might be downloading, sending mail etc.) and forward them to the actual server which connects to the internet. They forward the request only if it meets the rules and regulations defined to the firewall. So we can say they act as a Gateway to services. It should be noted that they are different from filters because they provide an additional layer which forwards the request to the actual server, whereas a filter checks the packets received or sent and not the request.

Stateful inspection: The two methods described above are being replaced by this method, which increases protection and also reduces the overhead. It doesn't examine the content of each packet (because that consumes time and also header information can't always be the basis for verification) but compares certain important integral parts of the packet against a database of trusted information. Whenever a request is made, either for sending or receiving, information associated with the request is monitored. So when the incoming information comes, its characteristics are compared with the information associated with the request. If it matches it is allowed; otherwise it is disallowed.

Application Gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
Circuit-level Gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

BUT…

So simply we can say that a firewall prevents users of an organization from accessing a few websites (torrents, social networking etc.) and keeps anonymous users away from the resources/data associated with a system connected to a network; but we still need ANTIVIRUS because at times a virus may enter as an attachment from email, which might be a trusted source. So be safe and keep safe…

4.6 WHAT ARE IDS?

An IDS is an Intrusion Detection System. An Intrusion Detection System sends alarms due to unexpected behaviors of network traffic and standard protocol behavior. A change in the behavior of a given protocol activates an alarm and an action is taken by the IDS. As an example, the arrival of a packet with the FIN flag set from a source IP that does not have an initiated connection could cause an alarm, as a consequence of an unexpected behavior of the TCP protocol. An IDS also has the capacity to recognize certain types of attacks by analyzing the traffic and comparing it with the different attack types that are stored in a database.

Now that we have an idea about what an IDS is, I will explain how the Netscreen firewall 5xp Elite can help us in an easy and short manner, because it is a firewall and also has basic IDS characteristics.

4.7 NEXT GENERATION FIREWALL (NGFW)

Firewalls called next generation firewalls (NGFW) work by filtering network and Internet traffic based upon the applications or traffic types using specific ports. Next Generation Firewalls (NGFWs) blend the features of a standard firewall with quality of service (QoS) functionalities in order to provide smarter and deeper inspection.
4.8 UNIFIED THREAT MANAGEMENT (UTM)

Unified threat management (UTM) or unified security management (USM) is the evolution of the traditional firewall into an all-inclusive security product able to perform multiple security functions within one single system.

Features of UTM Firewall

- network firewalling
- network intrusion detection/prevention (IDS/IPS)
- gateway antivirus (AV)
- gateway anti-spam
- VPN
- content filtering
- load balancing
- data loss prevention
- Hot Spot Management
- Logging and reporting

4.9 HOW THE COMPANY WORKS AND HOW THE PROBLEM BEGAN

The "Developer" company has as its primary function the development of computer programs for educational purposes. They advertise their developed applications through the Internet using their own web server; their connection to the Internet is through a 1Mb link. The company has public IPs for their 3 servers and the 20 workers that develop the educational software. This company never took into consideration the security of its data until they started to notice strange activities on their servers and desktop computers. The first thing that we have to do is plan a proposal to start securing the company network, so I chose to cover the proposal in 3 steps.

Figure 22: Company Network Unsecured

1st Change of IPs to private type

It is important to hide the private network of the company, servers and desktop computers, to avoid their being completely accessible from the Internet. In the first instance, our data such as our fileserver will only be accessed by the company personnel integrated in the same LAN. We also have to publish our web and mail server with just the 80, 110, 443 and 25 ports open, and on our servers we have to check if there are some other ports opened by a default installation.
2nd Firewall Installation

For the firewall installation, we will take into consideration the following: first, it will be placed physically between the ISP router and the internal switch of the company. This will have the NAT services configured to prevent external users from accessing the internal computers directly, and secure the firewall with an implicit policy which establishes that all that is not expressly authorized is prohibited. So if we do not define a policy of access from the exterior to the interior, no packet will be allowed to enter our internal network. However, we have to establish a policy to publish our web services and mail services. It is also necessary for the traffic that travels from the interior to the exterior of the company to allow only the strictly necessary services. By doing this, we will avoid the use of programs that can expose our internal network. This rule will deny the use of messaging programs, transfer of files with peer-to-peer programs, use of IRC programs, etc. This will only allow the use of http, mail, DNS and FTP. It is important to notice that allowing the strictly n
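The packet-filtering and stateful-inspection methods of 4.5, the IDS example of 4.6 (a FIN arriving for a connection that was never initiated) and the implicit-deny policy of this installation step (publish only ports 80, 110, 443 and 25; allow only http, mail, DNS and FTP outbound) can all be seen working in one small filter. The Python below is an added example, not the course's code or any vendor's product: the LAN range, the two server addresses and the sample packets are constructed, and the state handling is simplified (a single FIN or RST retires a flow).

```python
"""Stateful packet filter with an implicit-deny policy plus a simple IDS check.

Added example for sections 4.5, 4.6 and the '2nd Firewall Installation' step.
The private LAN, the two server hosts and the sample traffic are constructed;
the published ports (80, 110, 443, 25) and the outbound services (http, mail,
DNS, FTP) are the ones the text names.
"""
import ipaddress
from dataclasses import dataclass, field

LAN = ipaddress.ip_network("192.168.10.0/24")          # constructed private range
WEB_SERVER = ipaddress.ip_network("192.168.10.80/32")  # constructed host addresses
MAIL_SERVER = ipaddress.ip_network("192.168.10.25/32")


@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" = Internet -> LAN, "out" = LAN -> Internet
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"FIN", "ACK"}


@dataclass(frozen=True)
class Rule:
    """An allow rule. There are no deny rules: whatever matches nothing is dropped."""
    direction: str
    proto: str
    dports: frozenset
    dst: object = None              # ip_network the destination must lie in, or None
    src: object = None              # ip_network the source must lie in, or None

    def matches(self, p: Packet) -> bool:
        if (self.direction, self.proto) != (p.direction, p.proto) or p.dport not in self.dports:
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in self.src:
            return False
        return True


POLICY = [
    Rule("in", "tcp", frozenset({80, 443}), dst=WEB_SERVER),          # published web
    Rule("in", "tcp", frozenset({25, 110}), dst=MAIL_SERVER),         # published mail
    Rule("out", "tcp", frozenset({80, 443, 25, 110, 21}), src=LAN),   # http, mail, ftp
    Rule("out", "udp", frozenset({53}), src=LAN),                     # dns
]


@dataclass
class StatefulFirewall:
    rules: list
    flows: set = field(default_factory=set)    # admitted (proto, src, sport, dst, dport)
    alerts: list = field(default_factory=list)

    @staticmethod
    def _flow(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def filter(self, p: Packet) -> str:
        """Decide ALLOW/DENY for one packet and update the connection table."""
        forward = self._flow(p)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        # 1. Stateful part: traffic belonging to an admitted flow passes without
        #    re-evaluating the rules; a FIN or RST retires the flow (simplified).
        if forward in self.flows or reverse in self.flows:
            if p.flags & {"FIN", "RST"}:
                self.flows.discard(forward)
                self.flows.discard(reverse)
            return "ALLOW"
        # 2. IDS part: a TCP segment that is not a bare SYN yet matches no known
        #    connection is unexpected protocol behaviour, so alarm and drop it.
        if p.proto == "tcp" and ("SYN" not in p.flags or "ACK" in p.flags):
            self.alerts.append(f"IDS: {p.src}:{p.sport} sent {sorted(p.flags)} to "
                               f"{p.dst}:{p.dport} with no established connection")
            return "DENY"
        # 3. Filtering part: a new flow must match an allow rule; implicit deny otherwise.
        if any(r.matches(p) for r in self.rules):
            self.flows.add(forward)
            return "ALLOW"
        return "DENY"


def run_sample():
    """Constructed traffic: a LAN DNS lookup and HTTPS session with their replies, an
    Internet client reaching the published web server, a probe of an unpublished
    port, a peer-to-peer attempt from the LAN, and a stray FIN with no connection."""
    fw = StatefulFirewall(POLICY)
    syn, syn_ack, fin_ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"FIN", "ACK"})
    traffic = [
        Packet("out", "udp", "192.168.10.7", 40001, "198.51.100.53", 53),
        Packet("in", "udp", "198.51.100.53", 53, "192.168.10.7", 40001),
        Packet("out", "tcp", "192.168.10.7", 51000, "198.51.100.9", 443, syn),
        Packet("in", "tcp", "198.51.100.9", 443, "192.168.10.7", 51000, syn_ack),
        Packet("in", "tcp", "203.0.113.4", 33000, "192.168.10.80", 80, syn),
        Packet("in", "tcp", "203.0.113.4", 33001, "192.168.10.80", 22, syn),
        Packet("out", "tcp", "192.168.10.7", 51001, "198.51.100.9", 6881, syn),
        Packet("in", "tcp", "203.0.113.9", 44000, "192.168.10.80", 80, fin_ack),
    ]
    return [fw.filter(p) for p in traffic], fw.alerts
```

run_sample() returns the decision for each packet in order (the first five allowed, the last three denied) together with the single IDS alert. The connection table is what lets the DNS reply and the SYN/ACK pass even though no inbound rule names them, and the absence of any deny rule is the implicit policy: the probe of port 22 and the outbound port 6881 attempt are dropped simply because nothing authorizes them.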
