Domain Name System (DNS)


The Domain Name System (DNS) allows a computer presented with a textual name to convert or map it to the numeric IP address of another computer with which it needs to communicate, say to fetch a web page or deliver an e-mail. The process is called DNS resolution.

There are also occasions where the reverse is required and a known IP address needs to be resolved to the corresponding domain name. Such reverse lookups are often performed as part of an automated security check. Mail exchangers are a common example. For further information on Reverse Delegations, see Section 4: IP Addresses.

The DNS was originally conceived as a worldwide database capable of storing many types of data. There is no single authority responsible for the entire database. To enable manageability and distributed administration, domains are broken into separately managed units known as zones. A domain encompasses both the parent zone (e.g. ac.uk) and all child zones (e.g. site1.ac.uk, site2.ac.uk). The maintainer of the parent domain can delegate authority for a child zone to an individual or organisation, which then becomes responsible for the child zone's data.

The DNS is made up of a collection of Resource Records, containing all the Internet addresses and names in the world, together with two types of computer program that process these records and convert between them: nameservers and resolvers. There are various types of Resource Record:

  • Address (A; name to number)
  • Pointer (PTR; number to name)
  • Mail Exchanger (MX; identifies a mail server)
  • Nameserver (NS; identifies a nameserver)
  • Start of Authority (SOA; contains information about a set of resource records).
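As an added example (not part of this guide and not Janet's own data or code), the Python below parses a constructed forward zone for a hypothetical yoursite.ac.uk and the matching reverse zone for its address block, then answers the lookup each of the five record types exists for. It also carries out the reverse-then-forward check that mail exchangers commonly run on a connecting address, as mentioned earlier: the PTR name for the address must itself have an A record pointing back at that address. The zone contents, the addresses (RFC 5737 documentation ranges) and every function name are assumptions of the example.

```python
"""Parse a constructed forward zone and its reverse zone into resource
records of the five types listed above and answer the lookup each type
exists for.  Added example: the names, addresses (RFC 5737 documentation
ranges) and function names are assumptions, not Janet's data or code."""
from collections import namedtuple
import ipaddress

Record = namedtuple("Record", "owner rtype rdata")   # rdata: list of tokens

# Constructed forward zone for a hypothetical site.
FORWARD_ZONE = """
$ORIGIN yoursite.ac.uk.
$TTL 3600
@     IN SOA ns1.yoursite.ac.uk. hostmaster.yoursite.ac.uk. (
              2024010101 ; serial
              7200       ; refresh
              900        ; retry
              1209600    ; expire
              3600 )     ; minimum
@     IN NS  ns1.yoursite.ac.uk.
@     IN NS  ns2.yoursite.ac.uk.
@     IN MX  10 mail.yoursite.ac.uk.
ns1   IN A   192.0.2.1
ns2   IN A   192.0.2.2
www   IN A   192.0.2.80
mail  IN A   192.0.2.25
"""

# Constructed reverse zone for the site's 192.0.2.0/24 block (ns2 has no PTR).
REVERSE_ZONE = """
$ORIGIN 2.0.192.in-addr.arpa.
@   IN SOA ns1.yoursite.ac.uk. hostmaster.yoursite.ac.uk. 2024010101 7200 900 1209600 3600
@   IN NS  ns1.yoursite.ac.uk.
25  IN PTR mail.yoursite.ac.uk.
80  IN PTR www.yoursite.ac.uk.
"""

def parse_zone(text):
    """Minimal parser: $ORIGIN, $TTL, ';' comments, '@', relative owners and
    parenthesised multi-line records; every record needs an explicit owner."""
    origin, records = ".", []
    logical, buf, depth = [], "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]               # drop comments
        if not line.strip():
            continue
        buf = (buf + " " + line) if buf else line
        depth += line.count("(") - line.count(")")
        if depth == 0:                            # record is complete
            logical.append(buf)
            buf = ""
    for line in logical:
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] in ("$ORIGIN", "$TTL"):      # directives; $TTL unused here
            if tokens[0] == "$ORIGIN":
                origin = tokens[1].lower()
            continue
        owner = tokens[0].lower()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner += "." + origin
        i = 1
        if tokens[i].isdigit():                   # optional per-record TTL
            i += 1
        if tokens[i].upper() == "IN":             # optional class
            i += 1
        records.append(Record(owner, tokens[i].upper(), [t.lower() for t in tokens[i + 1:]]))
    return records

def lookup(records, name, rtype):
    """All rdata lists of type `rtype` owned by `name` (relative or absolute)."""
    name = name.lower() if name.endswith(".") else name.lower() + "."
    return [r.rdata for r in records if r.owner == name and r.rtype == rtype]

def address_of(records, name):                    # Address: name to number
    return [rd[0] for rd in lookup(records, name, "A")]

def name_of(records, ip):                         # Pointer: number to name
    owner = ipaddress.ip_address(ip).reverse_pointer + "."
    return [rd[0] for rd in lookup(records, owner, "PTR")]

def mail_exchangers(records, domain):             # Mail Exchanger, most preferred first
    return sorted((int(rd[0]), rd[1]) for rd in lookup(records, domain, "MX"))

def nameservers(records, domain):                 # Nameserver
    return [rd[0] for rd in lookup(records, domain, "NS")]

def soa(records, domain):                         # Start of Authority
    """SOA fields; a secondary refreshes its copy when the primary's serial is newer."""
    f = lookup(records, domain, "SOA")[0]
    return dict(zip(["mname", "rname", "serial", "refresh", "retry", "expire", "minimum"],
                    f[:2] + [int(x) for x in f[2:]]))

def forward_confirmed(fwd, rev, ip):
    """Reverse-then-forward check mail servers often apply to a connecting address."""
    return any(ip in address_of(fwd, n) for n in name_of(rev, ip))

FWD, REV = parse_zone(FORWARD_ZONE), parse_zone(REVERSE_ZONE)
```

The reverse zone lives under in-addr.arpa rather than under the site's own name, which is why a reverse delegation is arranged separately from the forward domain: `name_of` builds the in-addr.arpa owner name from the address and looks the PTR up there, and `forward_confirmed` then confirms the forward zone agrees.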

The Janet Technical Guide 'The Domain Name System' is a good starting point if you want to know more about the DNS, or are considering setting up your own.

Nameservers

Nameservers are server programs, often running on dedicated computers, which hold the primary copies of information about the names and addresses within a particular Internet domain (for example yoursite.ac.uk). Their main purpose is to let other people look up the names of computers within your domain (e.g. the name of your web server, mail server, etc.) and convert them into the numeric IP addresses that let their computers communicate with yours. Programs such as web browsers running on computers outside your network will find where your nameservers are from the Janet nameservers for ac.uk, and will send simple requests to your primary or secondary nameservers for the DNS records they hold (but for no other records). 

Primary and secondary nameservers 

The nameserver that holds the primary copy of a zone file in which changes can be made to records is called the primary nameserver for that zone. The zone file contains the most accurate information about a specific domain over which this server has authority. Copies of the zone file will usually also be held on one or more other nameservers, known as secondary nameservers, which automatically update their information from the primary server when the zone file is changed. Consequently, both primary and secondary nameservers can answer queries about the domain with authority, so they are referred to as authoritative nameservers.

To apply for the JANET primary and secondary nameserver services, please go to:
https://community.ja.net/library/janet-services-documentation/primary-na...
and
https://community.ja.net/library/janet-services-documentation/secondary-...

Before an organisation sets up its nameservers, it needs to choose a domain name and agree it with the administrators of the parent zone. Those administrators can be identified by looking up the SOA record for the parent domain. If the domain is immediately under ac.uk (for example, yoursite.ac.uk) then the parent zone is JANET(UK)'s responsibility. If the domain is under another site (for example, physicsdepartment.yoursite.ac.uk) then the organisation itself is responsible for the relevant parent zone.

A domain only becomes visible to the Internet when its name has been registered and the parent domain contains the delegation (pointers) to its nameservers.

For information on obtaining a domain name, see the section Obtaining Domain Names.  

Off-site Resolver

Resolvers are programs that handle the other end of the DNS resolution process. A client program, such as a web browser, will contact a resolver with a request for a lookup, for example to find the numeric IP address equivalent to a given Internet name. The role of the resolver is to formulate a DNS query that will answer the client's request and send that query to the appropriate nameserver to find the required information. When the resolver receives the answer to the query, it returns the information to the original client computer. Every computer on a local network must be able to contact a resolver before it can look up information in the DNS; the IP address of the resolver (and possibly also a backup resolver) must be entered into the computer as part of its initial configuration. Resolvers must be able to contact nameservers elsewhere on the Internet so they can follow any referrals and work through the tree of Internet names to find the nameserver able to answer each individual query.

Resolver activity is therefore quite different from authoritative nameserver activity, though the two functions can often be provided by a single computer. If a primary or secondary nameserver is within the local network then it may be possible to have it act as a resolver for local clients. It is not recommended to allow a local nameserver to act as a general resolver for external clients as this may conflict with its most important function, and subject the server to possible spoofing attacks as described in the next section.

To apply for the JANET Off-site Resolver Service please go to https://community.ja.net/library/janet-services-documentation/site-resol...

Security Matters and the DNS 

A malicious third party that compromises an organisation's nameserver could modify DNS resource records, causing traffic to the organisation's other servers (e.g. web and mail) to be redirected elsewhere. This redirection would probably be to hosts under the control of the attacker. All network managers should ensure that they receive security advisories from Janet CSIRT and from their operating system manufacturers, and that operating systems are patched in accordance with the manufacturer's guidelines. Apart from these general precautions, there are several actions that may be taken to improve the security of your nameservers. 

  • Restrict Zone Transfers. A nameserver should never accede to a request for a zone transfer from just any device on the Internet. Generally speaking, a primary server should only perform zone transfers with its own secondaries. A secondary nameserver should not be configured to respond to any zone transfer requests at all.
  • Restrict Dynamic Updates. A nameserver that is exposed to the Internet should not generally accept dynamic updates. If this is unavoidable for some reason, then the server should never accept updates from an unknown source.
  • Restrict Recursive Queries. An Internet-visible nameserver is vulnerable to spoofing attacks if it answers recursive queries from any source. In this type of attack, the attacker directs a query about a zone under their control to the nameserver they wish to compromise. The target nameserver is then forced to query the attacker's server and receives bogus data, which it stores in its cache. Sites may also wish to protect their network resources by prohibiting their nameserver from acting as a general resolver for anybody on the Internet.
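The following Python simulation is added here as an illustration; it is not taken from this guide or from any Janet service. It walks a query down the tree of nameservers by following referrals, as the resolver section above describes, and applies two of the protections just listed: it provides recursive service only to clients in an allowed address range, and it caches nothing that a server returned about names outside the zone it was delegated (its "bailiwick"). That second rule is what stops a server answering for one zone from planting records for another in the cache, which is the poisoning route described in the third bullet. Every server, zone, name and address is constructed from RFC 5737 documentation ranges, the `extra` record on the other.uk. server stands in for a padded reply, and nothing here speaks DNS on the network.

```python
"""Toy recursive resolver showing two protections from the list above: a client
ACL on recursive service and a bailiwick check that refuses to cache records a
server was not delegated authority for.  Added example; every server, zone,
name and address is constructed (RFC 5737 ranges) and nothing touches the
network."""
import ipaddress

# Constructed authoritative servers: address -> zone served and its records.
# The other.uk. server's "extra" models a reply padded with a record about a
# zone it does not serve, the data a cache must not accept.
SERVERS = {
    "198.51.100.1": {"zone": ".", "records": {
        "uk.": {"NS": ["ns.nic.uk."]}, "ns.nic.uk.": {"A": ["198.51.100.2"]}}},
    "198.51.100.2": {"zone": "uk.", "records": {
        "ac.uk.": {"NS": ["ns.ac.uk."]}, "ns.ac.uk.": {"A": ["198.51.100.3"]},
        "other.uk.": {"NS": ["ns.other.uk."]}, "ns.other.uk.": {"A": ["198.51.100.9"]}}},
    "198.51.100.3": {"zone": "ac.uk.", "records": {
        "yoursite.ac.uk.": {"NS": ["ns1.yoursite.ac.uk."]},
        "ns1.yoursite.ac.uk.": {"A": ["192.0.2.1"]}}},
    "192.0.2.1": {"zone": "yoursite.ac.uk.", "records": {
        "www.yoursite.ac.uk.": {"A": ["192.0.2.80"]}}},
    "198.51.100.9": {"zone": "other.uk.", "records": {
        "www.other.uk.": {"A": ["198.51.100.10"]}},
        "extra": [("www.yoursite.ac.uk.", "A", "203.0.113.66")]},
}

def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies beneath it."""
    return zone == "." or name == zone or name.endswith("." + zone)

def serve(server_ip, qname, qtype):
    """Reply as the authoritative server at `server_ip` would: an answer, a
    downward referral (NS plus glue A), or nothing.  Each section is a list
    of (owner, type, rdata) tuples."""
    srv, recs = SERVERS[server_ip], SERVERS[server_ip]["records"]
    answer, authority, additional = [], [], []
    if qtype in recs.get(qname, {}):
        answer = [(qname, qtype, rd) for rd in recs[qname][qtype]]
    else:                                   # longest delegation covering qname
        for name in sorted(recs, key=len, reverse=True):
            if "NS" in recs[name] and name != srv["zone"] and in_bailiwick(qname, name):
                for ns in recs[name]["NS"]:
                    authority.append((name, "NS", ns))
                    additional += [(ns, "A", a) for a in recs.get(ns, {}).get("A", [])]
                break
    additional += srv.get("extra", [])
    return {"answer": answer, "authority": authority, "additional": additional}

class Resolver:
    def __init__(self, root_ip, allowed_clients, check_bailiwick=True):
        self.root_ip = root_ip
        self.allowed = [ipaddress.ip_network(n) for n in allowed_clients]
        self.check_bailiwick = check_bailiwick
        self.cache = {}                     # (name, type) -> [rdata]

    def _learn(self, reply, zone):
        """Cache reply records, keeping only those within the bailiwick of the
        zone the replying server was delegated."""
        for section in ("answer", "authority", "additional"):
            for owner, rtype, rdata in reply[section]:
                if self.check_bailiwick and not in_bailiwick(owner, zone):
                    continue                # out of bailiwick: dropped
                entry = self.cache.setdefault((owner, rtype), [])
                if rdata not in entry:
                    entry.append(rdata)

    def resolve(self, client_ip, qname, qtype="A"):
        """Recursive service for permitted clients only: walk the tree from the
        root, following referrals.  Returns (status, list of rdata)."""
        if not any(ipaddress.ip_address(client_ip) in net for net in self.allowed):
            return "REFUSED", []
        if (qname, qtype) in self.cache:
            return "OK", list(self.cache[(qname, qtype)])
        server, zone = self.root_ip, "."
        for _ in range(8):                  # bound the referral chain
            reply = serve(server, qname, qtype)
            self._learn(reply, zone)
            if reply["answer"]:
                return "OK", [rd for o, t, rd in reply["answer"] if (o, t) == (qname, qtype)]
            if not reply["authority"]:
                return "NXDOMAIN", []
            zone, _, ns_name = reply["authority"][0]
            glue = [a for o, t, a in reply["additional"] if (o, t) == (ns_name, "A")]
            if not glue:
                return "SERVFAIL", []
            server = glue[0]
        return "SERVFAIL", []

def demo(check_bailiwick):
    """Look up a name under other.uk., then the site's own web server; returns
    what the resolver finally answers for www.yoursite.ac.uk."""
    r = Resolver("198.51.100.1", ["10.0.0.0/8"], check_bailiwick)
    r.resolve("10.0.0.5", "www.other.uk.")
    return r.resolve("10.0.0.5", "www.yoursite.ac.uk.")
```

Running `demo(True)` returns the genuine 192.0.2.80 because the padded record never entered the cache; `demo(False)` returns 203.0.113.66 from the cache without ever asking the site's own nameserver, which is the outcome the bullet above warns of. A query from an address outside 10.0.0.0/8 is refused before any lookup happens, which is the "not a general resolver for anybody on the Internet" rule.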

Further, more detailed information is available in the JANET Technical Guide 'The Domain Name System' in the section 'Securing a Public DNS Server'.

Obtaining Domain Names

Each Janet customer is entitled to one free name registration under a .uk domain as part of the connection package. The majority of organisations connected to Janet have at least one name registered in the ac.uk domain, if they are eligible, and may also have names registered in other domains, e.g. org.uk. The Janet Service Desk is responsible for administering this service for Janet.

All organisations connecting to Janet are required to indicate whether they wish to register a new domain name on the JCUR, which is then submitted to the Janet Service Desk for processing. 

Eligibility for an ac.uk Domain Name

The Policy is available here.

Choosing a Domain Name

An eligible organisation may register as many names within the ac.uk domain as it wishes, provided payment is received for all but the first name registered and the following rules about the format of the name are met:

  • a request will not be allowed if it is for a name that is either one or two characters in length
  • a request will not be allowed if it is for a name that is currently a second level domain name under the .uk domain or a top level domain name in the DNS: e.g. a name such as org.ac.uk is not allowed because 'org' is both a second level domain name within the .uk country code [org.uk], as well as being a generic top level domain name [.org]. Similarly, com.ac.uk is not allowed because 'com' is also a generic top level domain name [.com]
  • the domain name must, in JANET(UK)'s opinion, be representative of the requesting organisation's name; if not, a detailed explanation is required
  • the name requested must also be unlikely to present a substantial risk of confusion with other similarly named organisations or activities already registered under ac.uk
  • organisations requesting generic domain names that could be applicable to a number of eligible sites must provide evidence that they have the backing and approval from the majority of relevant members of the UK academic and/or research community, in order to be permitted to have that generic domain name
  • a project or service must be centrally funded and of wide relevance to the ac.uk community; it must be of at least two years duration and be UK-based
  • internationalised domain names that start with the characters 'xn--' (i.e. 'xn' followed by two hyphens) may not be registered
  • domain names must not coincide with internet protocols such as ‘www’, ‘ftp’, ‘dns’ or ‘whois’.

Subject to these constraints, names will be approved on a 'first come, first served' basis.

Registering Additional Domain Names

Once an organisation has connected to JANET, it may need to register additional domain names. All such requests must be channelled through the computing services department at the organisation to avoid confusion. The standard procedure is outlined on the JANET web site at https://community.ja.net/library/janet-services-documentation/domain-nam...

Note that a fee will be charged for each successful request for registration.

Additional Names under ac.uk

Each name request should be made on the standard template that may be found on the JANET web site at https://community.ja.net/library/janet-services-documentation/register-acuk.

The template should be returned to naming@ja.net.

JANET customers are charged a one-off standard fee for additional domain names and are not required to register for the biennial maintenance charge applied to commercial hosts of ac.uk domains, for as long as they remain connected to JANET. They will also not be charged for any modifications provided that the changes made keep the domain name within the JANET network. These special arrangements exist because the JANET Service Desk handles the day-to-day administration of the ac.uk domain. The Janet Service Desk will accept payments by cheque (made payable to JANET(UK)), credit card or BACS, and will also be able to answer any queries. Customers are advised of the outcome of their request within five working days. Information about the current fees for ac.uk name registrations may be found at https://community.ja.net/library/janet-services-documentation/payments-a....

An example of a completed domain name request template may be found in Appendix 7.

Additional Names under .uk

Janet can arrange additional name registrations for Janet customers under other .uk domains, e.g. org.uk. All requests should be submitted on the standard template that is available at https://community.ja.net/library/janet-services-documentation/register-acuk

Completed templates should be sent by e-mail to naming@ja.net.

Please note that JANET(UK) will add a handling charge to the standard fee for these domain names and it would therefore be cheaper for JANET sites to apply directly to Nominet. Details of the current handling charge may be obtained from the Janet Service Desk. 

Amending Domain Name Details

It may sometimes become necessary for an organisation to change the names or IP addresses of the nameservers that it uses. In these circumstances a member of the computing services department should complete the modification template at https://community.ja.net/library/janet-services-documentation/modify-dns-entries

The template should be returned to naming@ja.net.

The JANET Service Desk will notify the individual who requested the change once the domain records have been updated.

If a third party has been running an organisation's nameservers and that arrangement is to be terminated, details of the new nameservers should be sent by e-mail using the same modification template to naming@ja.net.

In addition, a fax or scanned email with an original signature must also be sent to the Janet Service Desk on the organisation's headed paper to authorise the move to the new nameservers.

A domain name does not become active until it is matched to an IP address and that cannot happen until the Janet Service Desk are provided with full details of the nameservers, as specified on the template, and those nameservers are correctly set up. FE and specialist colleges may contact their JISC RSC if they require assistance with this process. All other organisations should contact the Janet Service Desk for advice.