DNS as postcards
Brad Templeton (DNS articles)
Here's an even simpler but quite accurate analogy for understanding the DNS process, based on postcards. In fact, the whole internet can be understood as very fast postcards, known as packets, which have a destination address, a return address and some content, as well as a sequence number when a series of postcards represents a stream of data.

So imagine you want to look up where to send postcards to a domain name like foo.example.com. It turns out that when you set up to use the internet, you get a series of pre-printed address labels for some companies that perform "root" directory service. You pick out one of your root address labels and your own return address label and put them on the postcard. Then you write, "Where can I find www.example.com?" Later, a postcard arrives. It has your address on it, and the root service's return address. It says, "I can tell you that for .com names, use the following address... By the way, it's good for 2 days." If you're smart, you make a note to remember that address for .com names for the 2 days, so you don't have to re-ask for your next .com name.

So you mail off another postcard to the address you were told for .com names, again asking for www.example.com. Later a postcard comes back that says, "I can tell you that for example.com, use the following address... It's good for 7 days." You don't quite have enough yet, so you mail off another postcard to the address for example.com, asking where to find www.example.com. This time the postcard comes back with the real address of www.example.com. Now you can print out labels with that address and send it messages.

You can also initiate "sessions", which are done with postcards underneath but are better likened to phone calls, because they are bi-directional and send multiple bits of data over a period of time. Thus, you might imagine that the request for www.example.com also gave you a phone number. You could call that number and say "I want the web page at www.example.com" or "I have e-mail for www.example.com" and engage in a two-way dialogue to make that happen.

The postcard analogy will help you understand some of the security issues on the internet. The addresses are not much more authenticated than the return addresses on real paper postcards. One tricky attack is to wait until you think somebody might be asking for the address of www.example.com and, in advance, send them an answer out of the blue with a fake return address. They will often take that answer (even if it came before they asked) and remember it for the amount of time it says to remember it. Then they won't bother to ask, and will send traffic to the fake address the trickster provided.

Likewise, some postcards are lost by the postal service. So the system has ways to deal with this, like sending another postcard when an answer card doesn't come back right away, or sending the request to two different servers and hoping at least one will get an answer back.

When it comes to DNS, you see that there is no real central power structure. The choice of how it works comes down to the set of address labels you use to send off root requests. You could at any time replace those with another set and be using a new root directory company. Today, we all agree to use the ones laid out by ICANN, but that is not mandated by any law; it's due to a natural monopoly.
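The lookup chain, the "remember it for N days" caching, and the defence against an out-of-the-blue answer can all be seen in a small simulation. This is an added example, not code from the article: the server addresses, names and TTLs are constructed toy data, and the resolver only accepts a reply whose sequence number, return address and question all match a postcard it actually mailed.

```python
import itertools
# Constructed toy directory data (not real servers): a service holds referrals to more specific services or final addresses.
ROOT = "192.0.2.1"  # assumed address on the pre-printed "root" label
ZONES = {
    ROOT: {"com": ("192.0.2.2", 2 * 86400)},
    "192.0.2.2": {"example.com": ("192.0.2.3", 7 * 86400)},
    "192.0.2.3": {"www.example.com": ("203.0.113.10", 3600),
                  "mail.example.com": ("203.0.113.25", 3600)},
}
def serve(server, txid, question):
    """Reply postcard from `server`: the longest-matching name it knows (a referral or the final address), or None."""
    for name in sorted(ZONES[server], key=len, reverse=True):
        if question == name or question.endswith("." + name):
            address, ttl = ZONES[server][name]
            return {"from": server, "txid": txid, "question": question,
                    "name": name, "address": address, "ttl": ttl}
    return None
class Resolver:
    def __init__(self):
        self.cache = {}    # name -> (address, expires_at): remembered answers and referrals
        self.pending = {}  # txid -> (server, question): postcards sent and not yet answered
        self.txids = itertools.count(1)
        self.sent = 0      # postcards mailed so far

    def next_hop(self, name, now):
        """Most specific service still remembered for a suffix of `name`, else the root label."""
        parts = name.split(".")
        for i in range(1, len(parts)):
            hit = self.cache.get(".".join(parts[i:]))
            if hit and hit[1] > now:
                return hit[0]
        return ROOT

    def accept(self, reply, now):
        """Trust a reply only if it matches a card we sent: same txid, return address and question."""
        if self.pending.get(reply["txid"]) != (reply["from"], reply["question"]):
            return False   # unsolicited or mismatched card: discard it, never cache it
        del self.pending[reply["txid"]]
        self.cache[reply["name"]] = (reply["address"], now + reply["ttl"])
        return True
    def resolve(self, name, now):
        """Ask the best-known service and follow referrals until the final address is cached."""
        while not (name in self.cache and self.cache[name][1] > now):
            server, txid = self.next_hop(name, now), next(self.txids)
            self.pending[txid] = (server, name)
            self.sent += 1
            reply = serve(server, txid, name)
            if reply is None or not self.accept(reply, now):
                raise LookupError(name)
        return self.cache[name][0]
```

The first lookup costs three postcards (root, .com, example.com); a second name under example.com costs one because the referrals are still remembered, and a forged answer that matches no outstanding card is dropped rather than cached.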