How DNS works in theory

The hierarchical Domain Name System, organized into zones, each served by a name server

The domain name space consists of a tree of domain names. Each node or leaf in the tree has one or more resource records, which hold information associated with the domain name. The tree sub-divides into zones. A zone consists of a collection of connected nodes authoritatively served by an authoritative DNS nameserver. (Note that a single nameserver can host several zones.)
When a system administrator wants to let another administrator control a part of the domain name space within his or her zone of authority, he or she can delegate control to the other administrator. This splits a part of the old zone off into a new zone, which comes under the authority of the second administrator's nameservers. The old zone becomes no longer authoritative for what goes under the authority of the new zone.
A resolver looks up the information associated with nodes. A resolver knows how to communicate with name servers by sending DNS requests, and heeding DNS responses. Resolving usually entails iterating through several name servers to find the needed information.
Some resolvers function simplistically and can only communicate with a single name server. These simple resolvers rely on a recursing name server to perform the work of finding information for them.

Parts of a domain name

A domain name usually consists of two or more parts (technically labels), separated by dots. For example wikipedia.org.

• The rightmost label conveys the top-level domain (for example, the address en.wikipedia.org has the top-level domain org).
• Each label to the left specifies a subdivision or subdomain of the domain above it. Note that "subdomain" expresses relative dependence, not absolute dependence: for example, wikipedia.org comprises a subdomain of the org domain, and en.wikipedia.org comprises a subdomain of the domain wikipedia.org. In theory, this subdivision can go down to 127 levels deep, and each label can contain up to 63 characters, as long as the whole domain name does not exceed a total length of 255 characters. But in practice some domain registries have shorter limits than that.
• A hostname refers to a domain name that has one or more associated IP addresses. For example, the en.wikipedia.org and wikipedia.org domains are both hostnames, but the org domain is not.

The Domain Name System consists of a hierarchical set of DNS servers. Each domain or subdomain has one or more authoritative DNS servers that publish information about that domain and the name servers of any domains "beneath" it. The hierarchy of authoritative DNS servers matches the hierarchy of domains. At the top of the hierarchy stand the root nameservers: the servers to query when looking up (resolving) a top-level domain name (TLD).
Iterative and recursive queries:

• An Iterative query is one where the DNS server may provide a partial answer to the query (or give an error). DNS servers must support non-recursive queries.
• A recursive query is one where the DNS server will fully answer the query (or give an error). DNS servers are not required to support recursive queries and both the resolver (or another DNS acting recursively on behalf of another resolver) negotiate use of recursive service using bits in the query headers.

Address resolution mechanism

In theory a full host name may have several name segments, (e.g ahost.ofasubnet.ofabiggernet.inadomain.example). In practice, in the experience of the majority of public users of Internet services, full host names will frequently consist of just three segments (ahost.inadomain.example, and most often www.inadomain.example).

A DNS recursor consults three nameservers to resolve the address www.wikipedia.org.

 
For querying purposes, software interprets the name segment by segment, from right to left, using an iterative search procedure. At each step along the way, the program queries a corresponding DNS server to provide a pointer to the next server which it should consult.
As originally envisaged, the process was as simple as:

1. the local system is pre-configured with the known addresses of the root servers in a file of root hints, which need to be updated periodically by the local administrator from a reliable source to be kept up to date with the changes which occur over time.
2. query one of the root servers to find the server authoritative for the next level down (so in the case of our simple hostname, a root server would be asked for the address of a server with detailed knowledge of the example top level domain).
3. querying this second server for the address of a DNS server with detailed knowledge of the second-level domain (inadomain.example in our example).
4. repeating the previous step to progress down the name, until the final step which would, rather than generating the address of the next DNS server, return the final address sought.

The diagram illustrates this process for the real host www.wikipedia.org.
The mechanism in this simple form has a difficulty: it places a huge operating burden on the root servers, with each and every search for an address starting by querying one of them. Being as critical as they are to the overall function of the system such heavy use would create an insurmountable bottleneck for trillions of queries placed every day. The section DNS in practice describes how this is addressed.

Circular dependencies and glue records

Name servers in delegations appear listed by name, rather than by IP address. This means that a resolving name server must issue another DNS request to find out the IP address of the server to which it has been referred. Since this can introduce a circular dependency if the nameserver referred to is under the domain that it is authoritative of, it is occasionally necessary for the nameserver providing the delegation to also provide the IP address of the next nameserver. This record is called a glue record.
For example, assume that the sub-domain en.wikipedia.org contains further sub-domains (such as something.en.wikipedia.org) and that the authoritative nameserver for these lives at ns1.en.wikipedia.org. A computer trying to resolve something.en.wikipedia.org will thus first have to resolve ns1.en.wikipedia.org. Since ns1 is also under the en.wikipedia.org subdomain, resolving ns1.en.wikipedia.org requires resolving ns1.en.wikipedia.org which is exactly the circular dependency mentioned above. The dependency is broken by the glue record in the nameserver of wikipedia.org that provides the IP address of ns1.en.wikipedia.org directly to the requestor, enabling it to bootstrap the process by figuring out where ns1.en.wikipedia.org is located.
This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

IE Domain Registry confirms hijacking of the DNS nameservers

On 9 October 2012, those who tried to visit Google.ie and Yahoo.ie were sent to an Indonesian webserver controlled by hackers.

After having investigated the security incident, the IE Domain Registry (IEDR) confirmed on November 2012 that unauthorised change had been made to the two .ie domains on an independent Registrar’s account which resulted in a change of DNS nameservers.

Nameservers ensure that when users visit a certain domain, they are pointed to the correct website on the correct server. In this case, users, instead of being directed towards Google.ie and Yahoo.ie, were redirected to a fraudulent server. The “hack” page was signed by Hmei7? who is apparently an Indonesian hacker whose “signature” has appeared on thousands of websites defacements, including attacks against Asus and Siemens.

According to IEDR, for a 25 days period starting with 11 September 2012, “the public-facing web server of the IEDR was subjected to repeated attempts at unauthorised access from external sources”. The incident occurred because the hacker had succeeded in exploiting a Joomla (content management system installed on the IEDR website) plugin, uploading malicious PHP web scripts. “PHP scripts were then used to access a backend database and this database access subsequently provided access to the IEDR control panel and permitted unauthorised modifications to an account,” says IEDR statement.

“Luckily there haven’t been any reports of any malware or viruses coming from the two websites. The sites were timing out and we suspect the hacker’s webservers were overwhelmed; they couldn’t cope with the volume of traffic Google and Yahoo would normally receive. Luckily, the IEDR were quick to restore the correct DNS nameservers on both the domain name and minimise the disruption caused. Luckily, other websites like Microsoft.ie which is also managed by MarkMonitor were not affected. It’s all very lucky. It is a security disaster but it could have been much worse. If website visitors had been infected with malware, Google, Yahoo, MarkMonitor and the IEDR could have been dealing with a security catastrophe,” stated Peter Armstrong from Irish webhosting provider Spiral Hosting.

IEDR also confirmed that a criminal investigation by the Gardai Bureau of Fraud Investigation would continue and assured that a recently appointed Technical Services Manager would give more attention to security policies, processes and procedures at the IE Domain Registry. The IEDR’s Joomla website was replaced on 26 October with a new website built using the Drupal content management system which was however criticised for its design and lack of a WHOIS lookup facility. IEDR replied that their priority had been to restore secure services and that they would deal with the other issues in the next future.
Investigation concludes IE Domain Registry website was exploited (9.11.2012)
http://www.domainregistrar.ie/investigation-concludes-ie-domain-registry-website-was-exploited/

Google.ie and Yahoo.ie unavailable after “unauthorised change” to
nameservers (9.10.2012)
http://sociable.co/web/google-ie-and-yahoo-ie-unavailable-after-unauthorised-change-of-nameservers/

Scenes from the history of the IEDR (12.11.2012)
http://www.tjmcintyre.com/2012/11/scenes-from-history-of-iedr.html

Google.ie Hijacked? (9.11.2012)
http://technology.ie/google-ie-hijacked/
Source: EDRi

DNS History

The practice of using a name as a more human-legible abstraction of a machine's numerical address on the network predates even TCP/IP, and goes all the way to the ARPAnet era. Back then however, a different system was used, as DNS was only invented in 1983, shortly after TCP/IP was deployed. With the older system, each computer on the network retrieved a file called HOSTS.TXT from a computer at SRI (now SRI International). The HOSTS.TXT file mapped numerical addresses to names. A hosts file still exists on most modern operating systems, either by default or through configuration, and allows users to specify an IP address (eg. 192.0.34.166) to use for a hostname (eg. www.example.net) without checking DNS. As of 2006, the hosts file serves primarily for troubleshooting DNS errors or for mapping local addresses to more organic names. Systems based on a hosts file have inherent limitations, because of the obvious requirement that every time a given computer's address changed, every computer that seeks to communicate with it would need an update to its hosts file.
The growth of networking called for a more scalable system: one that recorded a change in a host's address in one place only. Other hosts would learn about the change dynamically through a notification system, thus completing a globally accessible network of all hosts' names and their associated IP Addresses.
At the request of Jon Postel, Paul Mockapetris invented the Domain Name System in 1983 and wrote the first implementation. The original specifications appear in RFC 882 and 883. In 1987, the publication of RFC 1034 and RFC 1035 updated the DNS specification and made RFC 882 and RFC 883 obsolete. Several more-recent RFCs have proposed various extensions to the core DNS protocols.
In 1984, four Berkeley students — Douglas Terry, Mark Painter, David Riggle and Songnian Zhou — wrote the first UNIX implementation, which was maintained by Ralph Campbell thereafter. In 1985, Kevin Dunlap of DEC significantly re-wrote the DNS implementation and renamed it BIND (Berkeley Internet Name Domain, previously: Berkeley Internet Name Daemon). Mike Karels, Phil Almquist and Paul Vixie have maintained BIND since then. BIND was ported to the Windows NT platform in the early 1990s.
Due to BIND's long history of security issues and exploits, several alternative nameserver/resolver programs have been written and distributed in recent years
This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

Domain name system

On the Internet, the Domain Name System (DNS) associates various sorts of information with so-called domain names; most importantly, it serves as the "phone book" for the Internet: it translates human-readable computer hostnames, e.g. en.wikipedia.org, into the IP addresses that networking equipment needs for delivering information. It also stores other information such as the list of mail exchange servers that accept email for a given domain. In providing a worldwide keyword-based redirection service, the Domain Name System is an essential component of contemporary Internet use.

Uses

The most basic use of DNS is to translate hostnames to IP addresses. It is in very simple terms like a phone book. For example, if you want to know the internet address of en.wikipedia.org, the Domain Name System can be used to tell you it is 66.230.200.100. DNS also has other important uses.
Pre-eminently, DNS makes it possible to assign Internet destinations to the human organization or concern they represent, independently of the physical routing hierarchy represented by the numerical IP address. Because of this, hyperlinks and Internet contact information can remain the same, whatever the current IP routing arrangements may be, and can take a human-readable form (such as "wikipedia.org") which is rather easier to remember than an IP address (such as 66.230.200.100). People take advantage of this when they recite meaningful URLs and e-mail addresses without caring how the machine will actually locate them.
The Domain Name System distributes the responsibility for assigning domain names and mapping them to IP networks by allowing an authoritative server for each domain to keep track of its own changes, avoiding the need for a central registrar to be continually consulted and updated.

Internationalized domain names

While domain names technically have no restrictions on the characters they use and can include non-ASCII characters, the same is not true for host names.[3] Host names are the names most people see and use for things like e-mail and web browsing. Host names are restricted to a small subset of the ASCII character set that includes the Roman alphabet in upper and lower case, the digits 0 through 9, the dot, and the hyphen. This prevented the representation of names and words of many languages natively. ICANN has approved the Punycode-based IDNA system, which maps Unicode strings into the valid DNS character set, as a workaround to this issue. Some registries have adopted IDNA.

Security issues

DNS was not originally designed with security in mind, and thus has a number of security issues. DNS responses are traditionally not cryptographically signed, leading to many attack possibilities; DNSSEC modifies DNS to add support for cryptographically signed responses. There are various extensions to support securing zone transfer information as well.
Even with encryption it still doesn't prevent the possibility that a DNS server could become infected with a virus (or for that matter a disgruntled employee) that would cause IP addresses of that server to be redirected to a malicious address with a long TTL. This could have far reaching impact to potentially millions of internet users if busy DNS servers cache the bad IP data. This would require manual purging of all affected DNS caches as required by the long TTL (up to 68 years).
Some domain names can spoof other, similar-looking domain names. For example, "paypal.com" and "paypa1.com" are different names, yet users may be unable to tell the difference when the user's typeface (font) does not clearly differentiate the letter l and the number 1. This problem is much more serious in systems that support internationalized domain names, since many characters that are different, from the point of view of ISO 10646, appear identical on typical computer screens.
This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

IN ROMANIA, THE FUNDAMENTAL RIGHT TO WORK IS PROHIBITED!

The wrong laws and / or their literally application by officials give birth to monsters!

In early 2002 I was appointed administrator at a newly established company.

In the same year, one of the two associates of the company decided to wind up the company and dismissal of all employees, including the administrator, assuming all company documents, stamps, and inventory.

He then suspended business activities without paying taxes to the state.

In 2007, I received an order that the administrator of the company (as the associate did not change him from this position, as promised, amending the Articles of Incorporation regarding the dismissal of the administrator) to pay all outstanding taxes, including related penalties.

Since I could prove until after a trial with witnesses only that I have no more connection with the company, I agreed to pay this amount personally provided my release from office. As a result, between the business associates and me ended with an authenticated record according to which after payment of that amount the administrator is removed from office and relieved of any further liability. I sent the proof of payment and a copy of the minutes with the change from office we made to the Financial Administration, obtaining there a certification indicating that the company no longer has any debt. According to the agreement between the administrator and associates, "the manager is relieved of any further responsibility and is dismissed and the associated business activity is undertaken, following the associates to make all the necessary changes in the company documents and the Trade Register within 30 days of the conclusion of this protocol ".

Because I have found that the business associations have not proceeded under the Romanian law for companies to register in the Trade Register the dismissal of the administrator according to the report (as former administrator, I had no legal possibility to do so), I asked Mehedinţi Trade Register Office by an registered letter to take action against the associates to comply with the law and to make necessary changes according to the documents I attached to the letter.

The officials from the Mehedinţi  Trade Register Office I spoke refused to consider the documents I submitted, stating that I can not be dismissed unless the associates will come in person at the Mehedinţi Trade Register .

In 2011, I was summoned by the Mehedinţi  Trade Register Office as administrator of the company to the Mehedinti Court to dissolve the company. The court decided, based on the documents I have submitted, to certify that I have no more connection with that company and it was admitted the company's dissolution.

Following this decision, the Mehedinţi  Trade Register Office gave firm sued again, this time without being nominated as administrator of the company, according to documents posted online by the Court Mehedinţi. The court decided the removal of the company from the Trade Register.

In august this year, I went to the Mehedinţi  Trade Register Office to register as self-employed. Once I have paid all taxes, after some days, I received a notification that my request to work as self-employed was rejected because the company was declared inactive during the fiscal year 2009 and, according to their database, the company was still registered and I am still the administrator of the company, so I was responsible for the inactivity of the company.

At Mehedinţi Trade Register Office, I was told that in order to be registered as authorized individuals I have to reactivate the fiscal record from the Financial Administration .

At the Financial Administration I was told that they cannot take into consideration the documents submitted by me, their only source for this being the Mehedinţi Trade Register Office, where I still figure in as administrator and the company was not canceled.

In conclusion, the answer that I can not register as self-employed, and therefore I am not allowed to work.

Conclusions drawn by me in this situation is summarized briefly as follows:

1. The owner of a company may dismiss an administrator and then to operate the company the way he likes, the old manager being responsible of all the operations as long as the owner does not make the changes the Trade Registry, even if that manager has legal documents proving his innocence.

2. By refusing a person to register as self-employed, especially during the today crisis, it is denied the fundamental right to work of that person.

My question to the officials with whom I discussed was how I live without any income and without being able to work legally; they shrugged and said they did not comment.

Following this hopeless situation, I sent emails with these issues, asking the cancelation of the prohibition to work, to the Ministry of Finance, Ministry of Economy, Trade and Business Environment, National Agency for Fiscal Administration, and the National Trade Register Office. I am still waiting for an answer from these institutions.

(Source)

Domain name registry

A domain name registry, also referred to as Network Information Centre (NIC), is part of the Domain Name System (DNS) of the Web which converts domain names to IP addresses. It truly is an organisation that manages the registration of Domain names within the top-level domains for which it is actually responsible, controls the policies of domain name allocation, and technically operates its top-level domain.

Domain names are managed under a hierarchy headed by the online world Assigned Numbers Authority (IANA), which manages the top rated on the DNS tree by administrating the information inside the root nameservers.

IANA also operates the .int registry for intergovernmental organisations, the .arpa zone for protocol administration purposes, and other essential zones for instance root-servers.net.

IANA delegates all other domain name authority to other domain name registries for example VeriSign.

Country code top-level domains (ccTLD) are delegated by IANA to national registries such as DENIC in Germany, or Nominet in the United Kingdom.

Operation

Some name registries are government departments (e.g., the registry for the Vatican www.nic.va ). Some are co-operatives of world wide web service companies (like DENIC) or not-for profit corporations (which include Nominet UK). Other individuals operate as commercial organizations, for instance the US registry (www.nic.us).

The allocated and assigned domain names are created obtainable by registries by use on the Whois method and by way of their Domain name servers.

Some registries sell the names directly (like SWITCH in Switzerland) and other people rely solely on registrars to sell them.

Policies

Allocation policies

Frequently, domain name registries operate a first-come-first-served program of allocation but may well reject the allocation of certain domains on the basis of political, religious, historical, legal or cultural motives.

As an example, inside the United states, between 1996 and 1998, InterNIC automatically rejected domain name applications depending on a list of perceived obscenities.

Registries may perhaps also control matters of interest to their nearby communities: by way of example, the German, Japanese and Polish registries have introduced internationalized domain names to let use of local non-ASCII characters.

Dispute policies

Domains that are registered with ICANN normally need to use the Uniform Domain-Name Dispute-Resolution Policy (UDRP), nevertheless, DENIC involves persons to work with the German civil courts, and Nominet UK offers with Intellectual House and also other disputes through its own dispute resolution service.

Expense of registration

The price of domain registration is set by every individual registry.

Second-level domains

Domain name registries may possibly also impose a system of second-level domains on users. DENIC, the registry for Germany (.de), will not impose second level domains. AFNIC, the registry for France (.fr), has some second level domains, but not all registrants must use them, and Nominet UK, the registry for the United Kingdom (.uk), involves all names to have a second level domain.

Registrants of second-level domains often act as a registry by offering sub-registrations to their registration. For example, registrations to .fami.ly are provided by the registrant of fami.ly and not by GPTC, the registry for Libya (.ly).
This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

Hostname

A hostname (sometimes also, a sitename) is the exceptional name by which a network-attached device (which could consist of a laptop or computer, file server, network storage device, fax machine, copier, cable modem, etc.) is recognized on a network. The hostname is utilized to identify a specific host in various forms of electronic communication like the Globe Wide Internet, e-mail or Usenet.

Online, the terms "hostname" and "domain name" are usually used interchangeably, but you will discover subtle technical variations among them.

Hostnames are employed by several naming systems, NIS, DNS, SMB, etc., and so the which means on the word hostname will vary based on naming system in question, which in turn varies by sort of network. A hostname meaningful to a Microsoft NetBIOS workgroup might be an invalid World wide web hostname. When presented having a hostname and no context, it really is generally protected to assume that the network could be the Online and DNS is definitely the hostname's naming program.

Host names are commonly employed in an administrative capacity and may possibly appear in computer system browser lists, active directory lists, IP address to hostname resolutions, e mail headers, and so on. They may be human-readable nick-names, which ultimately correspond to special network hardware MAC addresses. In some situations the host name might contain embedded domain names and/or places, non-dotted IP addresses, and so on.

On a uncomplicated local place network, a hostname is usually a single word: as an example, an organization's CVS server could be named "cvs" or "server-1".

RFC

• RFC 952 - "DoD Internet host table specification."
• RFC 1034 - "DOMAIN NAMES - CONCEPTS AND FACILITIES" (In particular, section 3.5)
• RFC 1035 - "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION" (In particular, section 2.3.1)
• RFC 1123 - "Requirements for Internet Hosts - Application and Support."
• RFC 1178 - "Choosing a Name for Your Computer"
• RFC 3696 - "Application Techniques for Checking and Transformation of Names"

This article was originally based on material from the Free On-line Dictionary of Computing, which is licensed under the GFDL.