26 Resource Records in DNS and Introduction to FTP
Prof. Bhushan Trivedi
Introduction
We will begin this module with an introduction to resource records and then learn how the File Transfer Protocol (FTP) works. We have looked at DNS and the variety of resource records it possesses; now it is time to learn a bit more about them. We will look at the types of resource records, especially those which are more intrinsic in nature, like CNAME, and see their uses. We will look at a typical zone file with an emphasis on how those resource records can be stored in a database. We saw a very simplified version of a DNS database in the previous module; here we will look at a more detailed description of how an address is stored. We will also throw some light on the resource records used to secure DNS. In the second part of this module, we will learn about an interesting application layer protocol, FTP, which is used to download and upload files. This protocol requires authentication, runs two different types of parallel TCP connections to get its job done, and remains stateful, keeping track of every active user. We will see the passive FTP extension, which enables file transfer for a client behind a firewall, and also throw some light on the issue of using NAT with FTP.
Resource records
We know that resource records hold the DNS records we were discussing in the previous module. A resource record contains five different fields: the domain name, indicating the name of the domain; the time to live, which indicates the time for which the record is valid, so one can cache the resource record for that period [1]; the class, which is always IN for DNS; the type, indicating one of the few types of resource records; and the value, which holds the value of the record.
Types of resource records
The most used types of resource records are A (IPv4 address) and AAAA (IPv6 address). Another type of record is NS, or name server. It stores the names of the authoritative name servers of the domain. At least two such entries exist, as it is mandatory to have at least one backup name server for every name server. The two entries that one usually finds are known as the primary and backup domain servers. When the domain is large, additional name servers are used. It is interesting to note that when there are multiple name servers, the DNS system plays a simple trick to make sure each name server gets an equal share of queries. Whenever there is a query for a name server, it goes to a server whose job is to share the load. This server sends back the complete list of name servers on every query, shuffled each time so that the name at the top is different every time. In the usual case, the client picks the topmost name server for its further queries. Since a different server name is kept on top each time, every query goes to the next server in sequence. That way, every server gets an equal number of queries and the load is shared [2]. Another type of RR is PTR, or pointer (also known as inverse) entry. Such a resource record returns the domain name for an IP address. Such a system is used for IP-based authentication schemes. For example, whenever a student comes to a university website, an inverse query reveals that the student belongs to the university domain, and he is allowed in. Intrusion detection systems also use inverse queries to learn the identities of IP addresses observed in the packets being monitored.
[1] Most resource records have a time to live value of 172800 seconds, that is, two days. So one can cache them and continue using them for at least two days.
MX records
The MX, or mail exchanger, records contain the mail servers' information. A value called the preference value is also part of the MX record. The preference value indicates the domain's preference for which machine a user should use as a mail server. For example, if the domain has 3 mail servers with preferences 10, 20 and 30, the first mail server (with value 10) has the highest priority and should be preferred. Only when it is not reachable should the second be tried, and then the third. When a client gets these MX records, the sending SMTP server tries to establish a TCP connection to the first mail server; if it cannot, it tries a TCP connection to the second mail server, and so on. The numbers 10, 20, 30 themselves do not signify anything; only the order is important. Thus one can use 15, 25, 35 or 20, 30, 40 as preference values instead, and the result is the same.
Resource records for security
There are some resource records used by DNSSEC. The first such record is DNSKEY. DNSKEY is the RR which stores the public key of the domain. Only using this public key can the other records be verified and read. As the records can only be signed using the private key, this helps authenticate the signer when a record is successfully verified with his public key. RRSIG is a digital signature which shows whether the record has been modified in an unauthorized fashion. It is the equivalent of a handwritten signature on a conventional document: if the content is modified, the digital signature won't match and the receiver learns of the modification. SPF, or Sender Policy Framework, indicates whether the server is the authoritative server for sending the specified mail. SPF is useful for catching spam. If SPF indicates that the server is not authoritative, the mail was sent by somebody else and is likely to be spam.
[2] In some other cases the server sends back the geographically nearest server's address. This makes sure that the server nearest to the user gets the subsequent queries and network latency is reduced.
These resource records are inserted when the DNSSEC extension is installed.
Zone file example
Let us take a contrived example of a zone file for an organization called abcict.org. The first entry gives the IP address that the domain name abcict.org is attached to. The second entry, a CNAME, indicates that the FTP server runs on a particular machine: instead of providing an A record (an IP address) for the FTP server, it just gives the name of another server. This is an example of indirect addressing. If the machine Vishwanath goes down, the admin might change the machine and this entry, without really bothering about anything else. Similar entries are found later for www.abcict.org, the web server.
The next two entries are name server entries: the primary and backup domain servers. After that, we have two similar entries indicating two different servers; the first is the domain server while the second is a mail server. The next two entries, which have no value in the first column, indicate that the previous row's entry, abcict.org, continues. These three entries indicate three different mail servers with different preferences. A few HINFO (host information) resource records, which are only used for providing a little more information about the machine, are also shown. Figure 28.2 shows the multiple name servers used for oracle.com. Every time a client asks for the name servers of oracle.com, it sends this entire list, moving the first entry to the last.
Load balancing in Name Servers
Figure 28.2 multiple name servers for load balancing
The client uses the first entry it finds, so the servers receive requests in sequence and the load is balanced.
Usefulness of CNAME
CNAME, or canonical name, is used as an alias of some other name. Some of the uses of CNAME are as follows.
1. It can give a simpler name to a complicated, unreadable name normally used by administrators for naming their servers. Look at the first entry in figure 28.3.
2. Providing indirect addressing to a machine the admin might change later. The user may continue using the older name. It is a more readable form of representation as well; we have already seen that.
3. Sometimes for fault tolerance when the user mistypes entries; look at the second and third entries of figure 28.3. Even when the user mistypes, the correct domain name is picked up, as the incorrect name the user typed is a CNAME to the correct one [3].
4. The user may omit obvious terms, for example www in the case of www.abcict.org, and just type abcict.org. It is changed to the full name once the CNAME is picked up. This is indicated by the last entry of figure 28.3.
5. Sometimes even for indicating that a web server is part of the name server. For example, exactly the inverse of the last entry of figure 28.3: when www.abcict.org is a CNAME to abcict.org, it means both names represent the same machine.
Name | TTL | Class | Type | Value
www.oracle.com. | 172800 | IN | CNAME | www.oracle.com.edgesuite.net
www.gogol.com. | 172800 | IN | CNAME | www.google.com
www.goggle.com. | 172800 | IN | CNAME | www.google.com
abcict.org. | 172800 | IN | CNAME | www.abcict.org
Figure 28.3 Some examples of using CNAME
[3] Such a solution can only work for a few well-known mistakes and no others.
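As an added example (not the lecture's zone file or code), here is a small Python model of the records discussed in the zone file, MX and CNAME sections: a constructed abcict.org zone in the pipe-separated layout of figure 28.3, with the five RR fields parsed, CNAME indirection followed to an address, MX hosts ordered by preference, and the NS list rotated so a different server heads it on each query. Names and addresses are constructed for the example.

```python
"""Resource records of a small zone, in the pipe-separated layout of figure 28.3.

Added illustration; this is not the lecture's zone file. The zone text is
constructed for abcict.org from the lecture's description: an A record, CNAME
aliases for the FTP and web servers (indirect addressing), primary and backup
NS records, and three MX records with preferences 10, 20 and 30. It shows how
the five RR fields are parsed, how a CNAME chain resolves to an address, how
MX hosts are ordered by preference, and the round-robin rotation of the NS
list that shares load among name servers. Addresses are from 192.0.2.0/24,
a documentation range."""
from collections import defaultdict

ZONE = """\
abcict.org.            | 172800 | IN | A     | 192.0.2.10
ftp.abcict.org.        | 172800 | IN | CNAME | vishwanath.abcict.org.
www.abcict.org.        | 172800 | IN | CNAME | vishwanath.abcict.org.
vishwanath.abcict.org. | 172800 | IN | A     | 192.0.2.20
abcict.org.            | 172800 | IN | NS    | ns1.abcict.org.
abcict.org.            | 172800 | IN | NS    | ns2.abcict.org.
abcict.org.            | 172800 | IN | MX    | 20 mail2.abcict.org.
abcict.org.            | 172800 | IN | MX    | 10 mail1.abcict.org.
abcict.org.            | 172800 | IN | MX    | 30 mail3.abcict.org.
"""

def parse_zone(text: str) -> dict:
    """Return {(name, type): [value, ...]} from lines of the five RR fields:
    name | TTL | class | type | value."""
    records = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        name, ttl, klass, rtype, value = (f.strip() for f in line.split("|"))
        if klass != "IN" or int(ttl) <= 0:          # class is always IN for DNS
            raise ValueError(f"bad record: {line}")
        records[(name.lower(), rtype)].append(value)
    return dict(records)

def resolve_a(records: dict, name: str, max_hops: int = 8) -> list:
    """Follow CNAME aliases until A records are found (indirect addressing).
    The hop limit stops a CNAME loop in a misconfigured zone from spinning."""
    for _ in range(max_hops):
        if (name, "A") in records:
            return records[(name, "A")]
        aliases = records.get((name, "CNAME"))
        if not aliases:
            return []                                # neither address nor alias
        name = aliases[0].lower()
    raise ValueError(f"CNAME chain too long ending at {name}")

def mail_servers(records: dict, domain: str) -> list:
    """MX hosts ordered by preference; only the order matters, not the values."""
    pairs = [v.split() for v in records.get((domain, "MX"), [])]
    return [host for _, host in sorted(pairs, key=lambda p: int(p[0]))]

def rotate_ns(records: dict, domain: str, query_no: int) -> list:
    """Return the NS list with a different server on top for each query,
    so a client that always picks the first entry spreads its queries."""
    ns = records[(domain, "NS")]
    k = query_no % len(ns)
    return ns[k:] + ns[:k]
```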
File Transfer Protocol
FTP is another application layer protocol, and we will describe it briefly in the rest of this module. Some of the features of FTP are quite unique, and we will begin by discussing those features. Here is the list.
1. FTP authenticates the user before proceeding further, unlike a few other application layer protocols, for example HTTP.
2. FTP works with two different types of connections. It starts the process by first establishing a TCP connection with the other end, known as the control connection. FTP uses this control connection to establish and close a few other TCP connections, one for each data transfer job. As and when a file or files are to be uploaded or downloaded, a new TCP connection for data transfer is established and closed thereafter. The control connection closes when the user decides to quit and conclude the session.
3. The control connection is used in parallel with these data connections to transfer control information and commands.
4. Separating data from control makes it easier for the receiver to manage. Unlike other protocols, where control and data are interleaved and the onus is on the receiver to discern what is data and what is control information, FTP works in a straightforward manner [4].
5. FTP operates by providing an interactive interface between the sender and the receiver. It allows many operations, including specifying the format of the information being downloaded or uploaded; for example, one can specify whether the data to be downloaded is in binary or ASCII format.
6. Another critical characteristic of FTP is that it is stateful: it remembers the state the client is in and can act accordingly. When a client, for example, types 'cd <folder>', it moves him from the current directory to that folder, because it knows where the client is. Stateful servers are good at many services like this, but they need to store some amount of information for every user, and thus there is always a cap on the number of users they can entertain at any given point of time.
7. FTP grants users access based on their credentials: they are disallowed from accessing the content of folders they do not have access to, disallowed from adding a file to a folder they do not have write access to, and so on. This is another reason why FTP is designed as a stateful protocol: it also tracks the user's access rights.
8. For every incoming user, a new process (or sometimes a thread) with a new TCP connection is established, and for every file transfer, another process is spawned to handle that transfer.
Normal Connection in FTP
Look at figures 27.4 and 27.5. They describe the roles of the control and data connections together. The control connection opens when the user is successfully authenticated to the system. The client opens the data port for data transfer and sends a command for data transfer. In this case, the data port chosen is 2222. Once the command is sent, the server connects to the port number specified by the client.
[4] Landline and mobile phones also use separate control channels.
If this connection is successful, the user-specified operation (file upload or download, file listing by ls, etc.) begins on the data connection. Once that is over, the data connection is closed and the control connection resumes its operation. When the client or server wants to stop, it sends a request to disconnect the control connection. When the control connection is disconnected, the FTP session between client and server is over. If any data connections are still open, they are closed when the control connection is closed.
Control and data connections
Let us see how the control and data connections are carried out, using two more figures. Figure 28.6 shows how the server starts by opening a passive TCP connection at port 21 and how the client connects to it. Figure 28.9 shows how the client opens data port 2222 and sends that information to the server over the control connection. It is a kind of request: "I have opened a data connection at port 2222, kindly connect to it and transfer the data I requested". The server obliges, opens server port 20, establishes another TCP connection from that port to port 2222 at the client, and completes the transfer process. The job is done.
How the communication between the two control processes is carried out is depicted in figure 28.5. The client chooses an unused port on the machine it is running on. This port number is provided by the operating system, which keeps track of all port numbers, assigned or otherwise, and is ready to provide an unused port number whenever asked. This job is normally done using the socket API, which we are not going to discuss here; however, reference 1 has some description which can help in learning how that job is done. Once that unused port is obtained, the client sends that information over the control connection. The server acknowledges with a "Port command successful" message, and the process we have already described follows. Unfortunately, this simple FTP process runs into trouble when the computers are behind a firewall. The next section describes the problem and the solution provided by an FTP extension.
Problem with conventional TCP connection and Passive FTP extension
When the computers are behind a firewall, the firewall dictates a few things, including the connections that you may establish. A firewall is typically a server running at the periphery of the network, regulating traffic to and fro. It is like a security guard, allowing and disallowing packets based on the administrator's choices. For example, if a client behind a firewall would like to establish a connection to a third party outside the firewall, and the administrators have not sanctioned that party as a valid receiver, the client cannot establish the connection. Many times, though, the firewall rules are not that strict for outgoing packets, and arbitrary connections to outside entities are allowed. Firewalls are more stringent on incoming traffic: unless the outside party is on the administrator's whitelist, it is not allowed to connect to any internal node. Usually, a firewall allows outside parties to connect only to specified servers, like the FTP, HTTP and SMTP servers which provide services to the outside world, and to nobody else. Thus a normal node stands no chance of being connected to from outside by any third party. This is really good for the security of a node, as nobody from outside can connect to it and transfer malicious information to it, but it gets in the way of the functioning of FTP.
FTP runs into trouble when the client is behind the firewall: the server opens its port at 21 and tries to connect to the initiator node behind the firewall. When such arbitrary nodes are not allowed to accept connections from outside, conventional FTP just cannot work.
The designers of FTP solved this problem by a simple trick. Instead of the client receiving a connection request, it now sends a connection request to the FTP server at port 21 for data transfer. This reversal of direction suits the firewall, and thus an FTP data connection is now possible.
This extension to FTP is known as the passive FTP extension. It is called passive because the server remains passive during the data connection establishment process, unlike in the conventional case.
The passive FTP extension process is described in figures 28.8 and 28.9. You can see that the FTP data connection now operates in a slightly different fashion. Compare 28.5 with 28.8 and you will find a difference in a single place: now the data connection is initiated by the client rather than the server. The rest (initiating a control connection, sending the port number over the control connection, opening a data port at 21, etc.) works the same. Also compare 28.6 with 28.9. You can see that the server opens ports 20 and 21 alike in both cases and the process is the same, except that in the second case the client initiates the connection. The arrow of the last horizontal line now points from client to server to indicate the reversal of direction.
The Port Command issue
Sending the port number over the control connection seems a very simple solution, but it is not without problems. Let us discuss one typical problem. Some solutions have been proposed to mitigate the address shortage problem of IPv4. One of the solutions in use is known as NAT, or network address translation. The NAT acts like a box kept at the edge of the network. In the usual case, a network owner does not have the number of addresses it needs for all its machines to communicate with the rest of the world. For example, it is quite possible that the network owner only has 5 IP addresses when it actually has 200 machines. So most of the nodes in the network do not have a valid IP address.
The problem occurs when a node which does not have a valid address would like to communicate with the rest of the world. The solution provided by NAT is to convert the node's address, as the sender's address, to one of the valid addresses. When the response comes back, it converts it back to the original IP address, so the node does not really have to worry about this translation process. To make this process transparent, however, the NAT box must match every response with the request that it has forwarded. When multiple senders with different addresses are given the same actual address, the problem becomes more complicated. For example, suppose a node has address 1.2.3.4 and another node has address 1.2.3.5. When their packets go out, the NAT converts both of them to 128.66.202.7.
Now if a response comes back for the destination address 128.66.202.7, how will the NAT know whether it is a response for 1.2.3.4 or for 1.2.3.5? It has no way of knowing. So NAT plays one more trick: it also changes the sending port numbers of the requests to unique values. For example, it might choose sending port number 1000 for the machine 1.2.3.4 and 2000 for the machine 1.2.3.5. Whenever a response comes back, by looking at the receiver port number (the sender's port number in a request becomes the receiver's port number in the response) it learns the identity of the actual sender, and it replaces both the IP address and the port number before passing it on to the real sender. The problem is solved!
Wait a minute! The FTP port command complicates matters. Suppose the client starts a data connection on port 1234, and the NAT converts that to port 3456. The server, after receiving the port command with port number 1234, expects the connection from 1234, but the request arrives from port 3456! As the server does not allow connections from an arbitrary port, the connection cannot be established; in a way, it fails. The solution to this problem is patching FTP to provide this information to the NAT box and allow the receiving FTP server to accept a connection from this port number. In a way, we want an application layer protocol to poke into the transport layer structure and use that information in decision making. So if TCP later changes the place or length of its port number field, this solution won't work! This is not a very good way to solve the problem, but it works right now and so it is used. The very transparency and layer independence that we so sacredly believe to be the most important part of any networking solution are thrown out of the window.
The real solution to this problem is to use a better addressing mechanism where addresses are not limited and we do not need patches like NAT. IPv6 provides an immense number of addresses (almost every atom on earth can be given an address with the 128-bit address space of IPv6), so one should start using it and forgo NAT-based solutions on IPv4. However, most ISPs and organizations continue to use IPv4 and NAT as this is being written.
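As an added example (not from the lecture), the following Python models the PORT command of the conventional case and the 227 reply of the passive case, together with a simplified NAT that rewrites only the header unless it is patched to understand FTP; it shows the mismatch described above and why the client-initiated passive data connection avoids it. The RFC 959 wire forms are real; the NAT behaviour, addresses and ports are simplified and constructed.

```python
"""Active-mode PORT versus passive-mode PASV when the client sits behind a NAT.

Added illustration; not from the lecture. It uses the RFC 959 wire forms
'PORT h1,h2,h3,h4,p1,p2' and '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'
and a simplified NAT that, as the lecture describes, rewrites the IP/TCP
header and gives each inside flow a unique public port. Without an FTP-aware
patch the NAT leaves the PORT payload alone, so the address the server reads
from the command no longer matches the translated header. With passive mode
the payload carries the server's address and the client connects outward, so
no patching is needed. All addresses and ports are constructed."""
import re

def encode_hostport(ip: str, port: int) -> str:
    """RFC 959 host-port: four address octets, then port // 256 and port % 256."""
    return ip.replace(".", ",") + f",{port // 256},{port % 256}"

def decode_hostport(text: str) -> tuple:
    """Extract (ip, port) from a PORT command or a 227 reply."""
    nums = [int(n) for n in re.search(r"\d+(?:,\d+){5}", text).group(0).split(",")]
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class Nat:
    """Maps (private ip, port) -> (public ip, unique public port) for each flow.
    With ftp_alg=True it also rewrites the payload of PORT commands."""
    def __init__(self, public_ip: str, ftp_alg: bool = False):
        self.public_ip, self.ftp_alg = public_ip, ftp_alg
        self.table, self.next_port = {}, 3000

    def translate(self, src_ip: str, src_port: int, payload: str) -> tuple:
        key = (src_ip, src_port)
        if key not in self.table:                    # allocate a fresh unique port
            self.table[key], self.next_port = self.next_port, self.next_port + 1
        if self.ftp_alg and payload.startswith("PORT "):
            # FTP-aware fix: map the client's data listener too and advertise
            # the public (ip, port) in place of the private one.
            data_ip, data_port = decode_hostport(payload)
            pub_data_port = self.translate(data_ip, data_port, "")[1]
            payload = "PORT " + encode_hostport(self.public_ip, pub_data_port)
        return self.public_ip, self.table[key], payload

def server_accepts_port(peer_ip: str, payload: str) -> bool:
    """The server compares the PORT address with the control connection's peer
    address and refuses a mismatch (the lecture's 'does not allow connection
    from an arbitrary port')."""
    return decode_hostport(payload)[0] == peer_ip

def active_mode(nat: Nat) -> bool:
    """Client 1.2.3.4 listens on data port 2222 and announces it with PORT over
    its control connection (source port 1234). Returns whether the server,
    seeing the translated header, accepts the advertised address."""
    cmd = "PORT " + encode_hostport("1.2.3.4", 2222)
    public_ip, _ctrl_port, seen = nat.translate("1.2.3.4", 1234, cmd)
    return server_accepts_port(public_ip, seen)

def passive_mode() -> tuple:
    """Server at 203.0.113.10 names its own listener in the 227 reply; the client
    then connects out through the NAT like any other outbound flow."""
    reply = "227 Entering Passive Mode (" + encode_hostport("203.0.113.10", 2222) + ")"
    return decode_hostport(reply)
```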
Summary
We started this module with a description of the most commonly used resource records, including MX, CNAME and a few other important types. We saw an abcict.org zone file containing MX records with preferences, and we saw how CNAME is used for multiple purposes. After completing our discussion of DNS, we switched over to another important application layer protocol, the File Transfer Protocol or FTP. We saw how FTP uses a control connection throughout the lifetime of the FTP session, as well as a number of data connections depending on the file download or upload operations carried out. We narrated the complete sequence of operations for FTP, with the clear roles of the control and data connections. We concluded the module with a description of how passive FTP provides a solution for a client working behind a firewall, and discussed how the port command of FTP complicates matters when solutions like NAT are used.
References
1. Bhushan Trivedi, Computer Networks, Oxford University Press.
2. Bhushan Trivedi, Data Communication and Networking, Oxford University Press.