The Bits and Bytes of Computer Networking (Week 4)
A TLD is the last part of any domain name
.com
Virtual private networks or VPNs
VPNs are a technology that allows for the extension of a private or local network to hosts that might not work on that same local network.
VPNs are a tunneling protocol, which means
VPNs are a tunneling protocol, which means they provision access to something not locally available.
reverse lookup zone files.
reverse lookup zone files. These let DNS resolvers ask for an IP, and get the FQDN associated with it returned. These files are the same as zone files except, instead of A and quad A records, which resolve names to IPs, you'll find mostly pointer resource record declarations.
There are lots of other DNS resource record types in common use like
the NS or SOA records which are used to define authority information about DNS zones.
proxy service
A proxy service is a server that acts on behalf of a client in order to access another service. Proxies sit between clients and other servers, providing some additional benefit, anonymity, security, content filtering, increased performance, a couple of other things.
DNS in practice operates with a set of defined resource record types. These allow for different kinds of DNS resolutions to take place. The most common is?
A record. An A record is used to point a certain domain name at a certain IPv4 IP address.
what can fit inside of a single UDP datagram,
A single DNS request and its response can usually fit inside of a single UDP datagram, making it an ideal candidate for a connectionless protocol.
Although you rarely see fully qualified domain names with that many levels.
DNS can technically support up to 127 levels of the domain in total for a single fully qualified domain name. There are some other restrictions in place for how your domain name can be specified. Each individual section can only be 63 characters long, and a complete FQDN is limited to a total of 255 characters.
DNS is a great example of
DNS is a great example of an application layer service that uses UDP for the transport layer instead of TCP.
If the MAC address isn't found,
If the MAC address isn't found, the DHCP server might fall back to automatic or dynamic allocation, or it might refuse to assign an IP altogether.
The process of using DNS to turn a domain name into an IP address is known as?
Name Resolution.
For a computer to operate on a modern network, it needs to have a certain number of things configured.
Remember that MAC addresses are hard-coded and tied to specific pieces of hardware. The IP address, subnet mask, and gateway for a host must be specifically configured; a DNS server is the fourth and final part of the standard modern network configuration.
A record type very similar to the MX record is
SRV stands for service record, and it's used to define the location of various specific services. It serves the exact same purpose as the MX resource record type except for one thing: while MX is only for mail services, an SRV record can be defined to return the specifics of many different service types.
the DHCPDISCOVER message
So the DHCPDISCOVER message is encapsulated in a UDP datagram with a destination port of 67 and a source port of 68. This is then encapsulated inside of an IP datagram with a destination IP of 255.255.255.255, and a source IP of 0.0.0.0. This broadcast message would get delivered to every node on the local area network. And if a DHCP server is present, it would receive this message.
The text record type is an interesting one. TXT stands for
TXT stands for text and was originally intended to be used only for associating some descriptive text with a domain name for human consumption. But over the years the text record has been increasingly used to convey additional data intended for other computers to process. This text record is often used to communicate configuration preferences about network services that you've entrusted other organizations to handle for your domain.
What happens when your local recursive server needs to perform a full recursive resolution?
The first step is always to contact a root name server. There are 13 total root name servers, and they're responsible for directing queries toward the appropriate TLD name server. These 13 root servers are mostly distributed across the globe via anycast.
The root servers will respond to
a DNS lookup with the TLD name server that should be queried. TLD (top-level domain) represents the top of the hierarchical DNS name resolution system.
The biggest takeaway from proxies is?
Proxies are any servers that act as an intermediary between a client and another server.
A domain is a name commonly used to refer to
A domain is a name commonly used to refer to the second part of a domain name, which would be, google in our example. Domains are used to demarcate where control moves from a TLD name server to an authoritative name server. This is under the control of an independent organization, or someone outside of ICANN. Domains can be registered and chosen by any individual or company, but they must all end in one of the predefined TLDs.
Example of proxy in modern era
A more common use of a web proxy today might be to prevent someone from accessing sites, like Twitter, entirely. A company might decide that accessing Twitter during work hours reduces productivity. By using a web proxy, they can direct all web traffic to it, allow the proxy to inspect what data is being requested, and then allow or deny this request, depending on what site is being accessed.
Administration and definition of TLDs is handled by
Administration and definition of TLDs is handled by a non-profit organization known as ICANN, or the Internet Corporation for Assigned Names and Numbers. ICANN is a sister organization to the IANA, and together they help define and control both the global IP spaces and the global DNS system.
The networking stack on the client computer can now use the configuration information presented to it by the DHCP server to set up its own network layer configuration.
All of this configuration is known as a DHCP lease, as it includes an expiration time. A DHCP lease might last for days or only for a short amount of time.
How does the DHCP client respond to the DHCPOFFER message?
The DHCP client would respond to the DHCPOFFER message with a DHCPREQUEST message. This message essentially says, yes, I would like to have the IP that you offered me. Since the IP hasn't been assigned yet, this is again sent from an IP of 0.0.0.0 and to the broadcast IP of 255.255.255.255. The DHCP server receives the DHCPREQUEST message and responds with a DHCPACK, or DHCP acknowledgment, message.
the process of NAT hiding the IP of computer 1 from computer 2. This is known as?
IP masquerading. IP masquerading is an important security concept. The most basic concept at play here is that no one can establish a connection to your computer if they don't know what IP address it has. To the outside world, the entire address space of network A is protected and invisible. This is known as one-to-many NAT.
DHCP functions are?
With DHCP, a machine can query a DHCP server when the computer connects to the network and receive all the networking configuration in one go. Not only does DHCP reduce the administrative overhead of having to configure lots of network devices on a single network, but it also helps address the problem of having to choose what IP to assign to what machine.
Finally,
the DNS lookup could be redirected at the authoritative server for weather.com, which would finally provide the actual IP of the server in question.
Zones are configured through what is known as zone files,
Zone files are simple configuration files that declare all resource records for a particular zone.
What technique allows for inbound traffic through a NAT?
Port forwarding
Port preservation
Port preservation is a technique where the source port chosen by a client is the same port used by the router.
The IANA has primarily been responsible for assigning address blocks to the five regional internet registries, or RIRs. The five RIRs are?
- AFRINIC, which serves the continent of Africa.
- ARIN, which serves the United States, Canada and parts of the Caribbean.
- APNIC: Asia, Australia, New Zealand and Pacific Island nations.
- LACNIC, which covers Central and South America and any parts of the Caribbean not covered by ARIN.
- RIPE, which serves Europe, Russia, the Middle East and portions of Central Asia.
These five RIRs have been responsible for assigning IP address blocks to organizations within their geographic areas, and most have already run out.
More people and devices need to connect to IPv6, but without IP addresses to assign, a workaround is needed.
- NAT and non-routable address space.
- Non-routable address space was defined in RFC 1918 and consists of several different IP ranges that anyone can use. An unlimited number of networks can use non-routable address space internally because internet routers won't forward traffic to it. This means there's never any global collision of IP addresses when people use those address spaces.
Network address translation takes one IP address and translates it into another. Why?
- Security safeguards.
- Preserving the limited amount of available IPv4 space.
The process by which a client configured to use DHCP attempts to get network configuration information is known as
DHCP discovery.
Along with things like IP address, a primary gateway, you could also use DHCP to assign things like?
You could use DHCP to assign things like NTP servers. NTP stands for Network Time Protocol and is used to keep all computers on a network synchronized in time.
DNS, or domain name system
DNS, or domain name system, comes into play. DNS is a global and highly distributed network service that resolves strings of letters into IP addresses for you.
The DHCP discovery process has four steps.
First, the server discovery step. The DHCP client sends what's known as a DHCP discovery message out onto the network. Since the machine doesn't have an IP and it doesn't know the IP of the DHCP server, a specially crafted broadcast message is formed instead.
What it would look like for a full DNS lookup to take place via TCP.
First, the host making the DNS resolution request would send a SYN packet to the local name server on port 53, which is the port that DNS listens on. This name server would then need to respond with a SYN ACK packet, which means the original host would have to respond with an ACK in order to complete the three-way handshake.
Recursive name servers
Recursive name servers are ones that perform full DNS resolution requests.
When a computer requests an IP,
When a computer requests an IP, the DHCP server looks for its MAC address in a table and assigns the IP that corresponds to that MAC address.
Another example of a proxy is a reverse proxy.
A reverse proxy is a service that might appear to be a single server to external clients, but actually represents many servers living behind it. A good example of this is how lots of popular websites are architected today. Very popular websites, like Twitter, receive so much traffic that there's no way a single web server could possibly handle all of it. A website that popular might need many, many web servers in order to keep up with processing all incoming requests. Another way that reverse proxies are commonly used by popular websites is to deal with decryption. More than half of all traffic on the Web is now encrypted and encrypting and decrypting data is a process that can take a lot of processing power.
NAT addresses concerns over the dwindling IPv4 address space by ___________________.
allowing computers using non-routable address space to communicate with the Internet.
Every single computer on a modern TCP/IP based network needs to have at least four things specifically configured.
An IP address, the subnet mask for the local network, a primary gateway and a name server.
Authoritative name servers
Authoritative name servers are responsible for the last two parts of any domain name which is the resolution at which a single organization may be responsible for DNS lookups.
Automatic allocation is very similar to dynamic allocation, how?
Automatic allocation is very similar to dynamic allocation, in that a range of IP addresses is set aside for assignment purposes. The main difference here is that the DHCP server is asked to keep track of which IPs it's assigned to certain devices in the past.
The process by which a client configured to use DHCP attempts to get network configuration information is known as _________________.
DHCP Discovery
DHCP (Dynamic Host Configuration Protocol)
DHCP is an application layer protocol that automates the configuration process of hosts on a network.
Which port does DHCP listen on, and which port are DHCP discovery messages sent from?
DHCP listens on UDP port 67 and DHCP discovery messages are always sent from UDP port 68.
MX record.
MX record. MX stands for mail exchange and this resource record is used in order to deliver e-mail to the correct server. Many companies run their web and mail servers on different machines with different IPs, so the MX record makes it easy to ensure that email gets delivered to a company's mail server, while other traffic like web traffic would get delivered to their web server.
Most VPNs work by using the
Most VPNs work by using the payload section of the transport layer to carry an encrypted payload that actually contains an entire second set of packets: the network, transport and application layers of a packet intended to traverse the remote network.
How does NAT work, and how can it provide additional security measures to a network?
NAT is a technology that allows a gateway, usually a router or firewall, to rewrite the source IP of an outgoing IP datagram while retaining the original IP in order to rewrite it into the response.
Next, the DHCP server would examine its own configuration and would make a decision on what, if any, IP address to offer to the client.
Next, the DHCP server examines its own configuration and makes a decision on what, if any, IP address to offer to the client. This depends on whether it's configured to run with dynamic, automatic or fixed address allocation. The response would be sent as a DHCPOFFER message with a destination port of 68, a source port of 67, a destination broadcast IP of 255.255.255.255, and its actual IP as the source.
One of the easiest ways to keep a network secure is?
One of the easiest ways to keep a network secure is to use various securing technologies, so only devices physically connected to the local area network can access these resources.
How are reverse proxies now implemented?
Reverse proxies are now implemented in order to use hardware built specifically for cryptography to perform the encryption and decryption work, so that the web servers are free to just serve content.
That www portion of this is known as
That www portion of this is known as the subdomain, sometimes referred to as a host name if it's been assigned to only one host. When you combine all these parts together, you have what's known as a fully qualified domain name, or FQDN.
But if the underlying IP address ever changes, we'd need to change it in two places. How would you ensure that clients pointing at either domain get the new IP address?
The A records for both microsoft.com and www.microsoft.com. By setting up a CNAME that points microsoft.com at www.microsoft.com, you'd only have to change the A record for www.microsoft.com.
The example of an employee who needs to access company resources while not in the office.
The employee could use a VPN client to establish a VPN tunnel to their company network. This would provide their computer with what's known as a virtual interface with an IP that matches the address space of the network they've established a VPN connection to. By sending data out of this virtual interface, the computer could access internal resources just like if it was physically connected to the private network.
The most important takeaway is that VPNs are
The most important takeaway is that VPNs are a technology that uses encrypted tunnels to allow for a remote computer or network to act as if it's connected to a network that it's not actually physically connected to.
Caching and recursive name servers are generally provided by an ISP or your local network. What is their purpose?
Their purpose is to store domain name lookups for a certain amount of time.
All domain names in the global DNS system have a TTL or time to live.
This is a value, in seconds, that can be configured by the owner of a domain name for how long a name server is allowed to cache an entry before it should discard it and perform a full resolution again.
VPNs were one of the first technologies where two-factor authentication became common.
Two-factor authentication is a technique where more than just a username and password is required to authenticate.
How can the IP of a computer be different every time it connects to the network?
Under a dynamic allocation, the IP of a computer could be different almost every time it connects to the network.
Using www.weather.com as an example,
Using www.weather.com as an example, the TLD name server would point a lookup at the authoritative server for weather.com, which would likely be controlled by the Weather Channel, the organization that runs the site.
If we look again at our example of making sure that visitors to both microsoft.com and www.microsoft.com get to the same place.
We could set up identical A records for both the microsoft.com and www.microsoft.com domain names.
The term proxy used to refer to web proxies.
Web proxies are built explicitly for web traffic. A web proxy can serve lots of purposes. Many years ago, when most Internet connections were much slower than they are today, lots of organizations used web proxies for increased performance. Using a web proxy, an organization would direct all web traffic through it, allowing the proxy server itself to actually retrieve the webpage data from the Internet. It would then cache this data. This way, if someone else requested the same webpage, it could just return the cached data instead of having to retrieve the fresh copy every time.
Even with how large the set of ephemeral ports (49,152 to 65,535) is, it's still possible for two different computers on a network to both choose the same source port around the same time.
When this happens, the router normally selects an unused port at random to use instead.
Non-routable address space is largely usable today because of technologies like NAT. With NAT,
With NAT, you can have hundreds even thousands of machines using non-routable address space. Yet, with just a single public IP, all those computers can still send traffic to and receive traffic from the internet.
So a zone file has to contain an
A zone file has to contain an SOA, or Start of Authority, resource record declaration. This SOA record declares the zone and the name of the name server that is authoritative for it.
There are a few standard ways that DHCP can operate.
Dynamic allocation is the most common. A range of IP addresses is set aside for client devices, and one of these IPs is issued to these devices when they request one.
We now have potentially hundreds of responses all directed at the same IP, and the router at this IP needs to figure out which responses go to which computer. The simplest way to do this is through
Port preservation.
Another resource record type that's becoming more and more popular is
The quad A (AAAA) record. A quad A record is very similar to an A record except that it returns an IPv6 address instead of an IPv4 address.
How many of the configured things are likely the same on just about every node on the network?
Three are likely the same on just about every node on the network: the subnet mask, the primary gateway, and the DNS server. But the last item, an IP address, needs to be different on every single node on the network. That could require a lot of tricky configuration work, and this is where DHCP, or Dynamic Host Configuration Protocol, comes into play.
What is Anycast?
Anycast is a technique that's used to route traffic to different destinations depending on factors like location, congestion, or link health.
Fixed-allocation policy
Fixed allocation requires a manually specified list of MAC addresses and their corresponding IPs.
Port Forwarding (port forwarding is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall)
Port forwarding is a technique where specific destination ports can be configured to always be delivered to specific nodes. This technique allows for complete IP masquerading, while still having services that can respond to incoming traffic.
The main difference between automatic and dynamic allocation is that?
The main difference here is that the DHCP server is asked to keep track of which IPs it's assigned to certain devices in the past.
An authoritative name server is actually responsible for a specific DNS zone. DNS zones are a hierarchical concept.
The purpose of DNS zones is to allow for easier control over multiple levels of a domain
There are five primary types of DNS servers?
caching name servers, recursive name servers, root name servers, TLD name servers, and authoritative name servers.
The CNAME record is also super common.
A CNAME record is used to redirect traffic from one domain to another.
When using Fixed Allocation DHCP, what's used to determine a computer's IP?
A MAC address