3. Domain Name System (DNS)
The Domain Name System (DNS) allows a computer presented with a textual name to convert or map it to the numeric IP address of another computer with which it needs to communicate, say to fetch a web page or deliver an e-mail. The process is called DNS resolution.

There are also occasions where the reverse is required and a known IP address needs to be resolved to the corresponding domain name. Such reverse lookups are often performed as part of an automated security check. Mail exchangers are a common example. For further information on Reverse Delegations, see Section 4: IP Addresses.

The DNS was originally conceived as a worldwide database capable of storing many types of data. There is no single authority responsible for the entire database. To enable manageability and distributed administration, domains are broken into separately managed units known as zones. A domain encompasses both the parent zone (e.g. ac.uk) and all child zones (e.g. site1.ac.uk, site2.ac.uk). The maintainer of the parent domain can delegate authority for a child zone to an individual or organisation, which then becomes responsible for the child zone's data.

The DNS is made up of a collection of Resource Records, containing all the Internet addresses and names in the world, together with two types of computer program that process these records and convert between them: nameservers and resolvers. There are various types of Resource Record:
The JANET Technical Guide 'The Domain Name System' is a good starting point if you want to know more about the DNS, or are considering setting up your own.

Nameservers are server programs, often running on dedicated computers, which hold the master copies of information about the names and addresses within a particular Internet domain (for example yoursite.ac.uk). Their main purpose is to let other people look up the names of computers within your domain (e.g. the name of your web server, mail server, etc.) and convert them into the numeric IP addresses that let their computers communicate with yours. Programs such as web browsers running on computers outside your network will find where your nameservers are from the JANET nameservers for ac.uk, and will send simple requests to your primary or secondary nameservers for the DNS records they hold (but for no other records).

Primary and secondary nameservers

The nameserver that holds the master copy of a zone file in which changes can be made to records is called the primary nameserver for that zone. The zone file contains the most accurate information about a specific domain over which this server has authority. Copies of the zone file will usually also be held on one or more other nameservers, known as secondary nameservers, which automatically update their information from the primary server when the zone file is changed. Consequently, both primary and secondary nameservers can answer queries about the domain with authority, so they are referred to as authoritative nameservers.

To apply for the JANET primary and secondary nameserver services, please go to:

Before an organisation sets up its nameservers, it needs to choose a domain name and agree it with the administrators of the parent zone. This can be found by looking up the SOA record for the parent domain. If the domain is immediately under ac.uk — for example, yoursite.ac.uk — then the parent zone is JANET(UK)'s responsibility.
If the domain is under another site — for example, physicsdepartment.yoursite.ac.uk — then the organisation itself is responsible for the relevant parent zone. A domain only becomes visible to the Internet when its name has been registered and the parent domain contains the delegation (pointers) to its nameservers. For information on obtaining a domain name, see the section Obtaining Domain Names.

Resolvers are programs that handle the other end of the DNS resolution process. A client program, such as a web browser, will contact a resolver with a request for a lookup, for example to find the numeric IP address equivalent to a given Internet name. The role of the resolver is to formulate a DNS query that will answer the client's request and send that query to the appropriate nameserver to find the required information. When the resolver receives the answer to the query, it returns the information to the original client computer.

Every computer on a local network must be able to contact a resolver before it can look up information in the DNS; the IP address of the resolver (and possibly also a backup resolver) must be entered into the computer as part of its initial configuration.

Resolvers must be able to contact nameservers elsewhere on the Internet so they can follow any referrals and work through the tree of Internet names to find the nameserver able to answer each individual query. Resolver activity is therefore quite different from authoritative nameserver activity, though the two functions can often be provided by a single computer.

If a primary or secondary nameserver is within the local network then it may be possible to have it act as a resolver for local clients. It is not recommended to allow a local nameserver to act as a general resolver for external clients as this may conflict with its most important function, and subject the server to possible spoofing attacks as described in the next section.
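
Whether a nameserver is acting as a general resolver for external clients can be checked by sending it a recursive query for a name outside its own zones and reading the header flags of the reply. The following is an added example, not part of the original JANET guide; the function names, the test name www.example.org and the sample replies are constructed for illustration.

```python
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # DNS header flag bits

def build_query(name, qid=0x1234):
    """Encode an A/IN query with RD=1, i.e. asking the server to recurse."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return (struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", 1, 1))

def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "answers": an}

def classify(query, reply):
    """Judge a reply to a recursive query for a name OUTSIDE the server's zones."""
    q, r = parse_header(query), parse_header(reply)
    if not r["qr"] or r["id"] != q["id"]:
        return "invalid: not a reply to this query"
    if r["rcode"] == 5:                                   # REFUSED
        return "ok: recursion refused"
    if r["ra"] and r["rcode"] == 0 and r["answers"] > 0:
        return "open: recursion performed for this client"
    if not r["ra"]:
        return "ok: recursion not offered"
    return "inconclusive: rcode %d" % r["rcode"]

def probe(server, name, timeout=3.0):
    """Send the query over UDP to a nameserver you administer and classify it."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return classify(query, s.recvfrom(4096)[0])

def constructed_reply(query, flags, ancount):
    """Constructed sample reply: echoed question plus `ancount` A records."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH4s", 1, 1, 300, 4, bytes([192, 0, 2, 10]))
    return query[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0) + query[12:] + rr * ancount

if __name__ == "__main__":
    q = build_query("www.example.org")
    for flags, n in ((QR | RD | RA, 1), (QR | RD | 5, 0), (QR | RD, 0)):
        print(classify(q, constructed_reply(q, flags, n)))
```

Run `probe()` from a host outside the local network against the address of your own nameserver; an "open" result means external clients are being served recursively, while local clients should be tested separately from inside.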
To apply for the JANET Off-site Resolver Service please go to:

A malicious third party that compromises an organisation's nameserver could modify DNS resource records, causing traffic to the organisation's other servers (e.g. web and mail) to be redirected elsewhere. This redirection would probably be to hosts under the control of the attacker.

All network managers should ensure that they receive security advisories from JANET CSIRT and from their operating system manufacturers, and that operating systems are patched in accordance with the manufacturer's guidelines. Apart from these general precautions, there are several actions that may be taken to improve the security of your nameservers.
Further, more detailed information is available in the JANET Technical Guide The Domain Name System in the section 'Securing a Public DNS Server'.
Each JANET customer is entitled to one free name registration under a .uk domain as part of the connection package. The majority of organisations connected to JANET have at least one name registered in the ac.uk domain, if they are eligible, and may also have names registered in other domains, e.g. org.uk. The JANET Technical Administration Group is responsible for administering this service for JANET(UK). All organisations connecting to JANET are required to indicate whether they wish to register a new domain name on the JCUR, which is then submitted to the JANET Service Desk for processing.

Eligibility for an ac.uk Domain Name

Not all organisations connecting or connected to JANET are eligible for a domain name under ac.uk. Since JANET(UK) administers the domain for the whole of the UK, the rules determining eligibility are strictly applied and no exceptions may be made for organisations on the basis that they are connected to JANET.

An organisation may register one or more names in the ac.uk domain provided that it has a permanent physical presence in the UK and that the majority of its activities are publicly funded by UK government funding bodies, OR it is a Learned Society. The organisation’s primary function must also satisfy at least one of the following criteria:

i. it has central government funding to provide teaching at a tertiary level. Eligible organisations would be:
Tertiary education is defined as a programme of learning provided to persons over the age of 16, which is intended to lead to the acquisition of publicly recognised qualifications, such as:
OR OR OR

Where necessary, the assessment that the 'core activities' or 'primary purpose' fits one or more of the categories above will be determined from the organisation’s Articles of Association, prospectus or equivalent documentation. Applications for domain names should include clear and concise information detailing the eligibility of the organisation requesting the domain name and how it qualifies for registration in the ac.uk domain. Applications with insufficient information will be rejected by the Naming Committee.

The following are not eligible for an ac.uk domain name:
The JANET Technical Administration Group can advise whether an organisation is likely to be eligible for a name under ac.uk but the final decision rests with the Naming Committee. Further information may be found at:

Note: there is a domain sch.uk which may be used by teaching establishments that are not eligible to use ac.uk as a result of the criteria above. Schools, including sixth forms attached to schools, are not eligible for registration under ac.uk but may register under sch.uk, which is administered by Nominet:

An eligible organisation may register as many names within the ac.uk domain as it wishes, provided payment is received for all but the first name registered and the following rules about the format of the name are met:
Subject to these constraints, names will be approved on a 'first come, first served' basis.

Precedents – Should these rules be revised at a later date, existing registrations will remain valid even if they would otherwise fall outside the revised rules. These names are regarded as exceptional and should not be regarded as setting a precedent.

Full information on obtaining names may be found at:

Registering Additional Domain Names

Once an organisation has connected to JANET, it may need to register additional domain names. All such requests must be channelled through the computing services department at the organisation to avoid confusion. The standard procedure is outlined on the JANET web site at:

Note that a fee will be charged for each successful request for registration.

Additional Names under ac.uk

Each name request should be made on the standard template that may be found on the JANET web site at:

The template should be returned to naming-ac@ja.net.

JANET customers are charged a one-off standard fee for additional domain names and are not required to register for the biennial maintenance charge applied to commercial hosts of ac.uk domains, for as long as they remain connected to JANET. They will also not be charged for any modifications provided that the changes made keep the domain name within the JANET network. These special arrangements exist because the JANET Technical Administration Group handles the day-to-day administration of the ac.uk domain.

The JANET Technical Administration Group will accept payments by cheque (made payable to JANET(UK)), credit card or BACS, and will also be able to answer any queries. Customers are advised of the outcome of their request within five working days.

Information about the current fees for ac.uk name registrations may be found at:

An example of a completed domain name request template may be found in Appendix 7.
Additional Names under .uk

JANET(UK) can arrange additional name registrations for JANET customers under other .uk domains, e.g. org.uk. All requests should be submitted on the standard template that is available at:

Completed templates should be sent by e-mail to naming-admin@ja.net. Please note that JANET(UK) will add a handling charge to the standard fee for these domain names and it would therefore be cheaper for JANET sites to apply directly to Nominet. Details of the current handling charge may be obtained from the JANET Technical Administration Group.

It may sometimes become necessary for an organisation to change the names or IP addresses of the nameservers that it uses. In these circumstances a member of the computing services department should complete the modification template at:

The template should be returned to naming-admin@ja.net. The JANET Technical Administration Group will notify the individual who requested the change once the domain records have been updated.

If a third party has been running an organisation's nameservers and that arrangement is to be terminated, details of the new nameservers should be sent by e-mail using the same modification template to naming-admin@ja.net. In addition, a fax must also be sent to the JANET Technical Administration Group on the organisation's headed paper to authorise the move to the new nameservers.

A domain name does not become active until it is matched to an IP address and that cannot happen until the JANET Technical Administration Group are provided with full details of the nameservers, as specified on the template, and those nameservers are correctly set up. FE and specialist colleges may contact their JISC RSC if they require assistance with this process. All other organisations should contact the JANET Technical Administration Group for advice.
© The JNT Association - Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0SG. Tel: 01235 822200 Fax: 01235 822399