Domain Name System (DNS) and Content Distribution Networks (CDNs)

1. Content Distribution Networks
COS 418: Distributed Systems
Lecture 19
Kyle Jamieson
[Selected content adapted from M. Freedman, B. Maggs and S. Shenker]

2. Today
1. Domain Name System (DNS) primer
   A word on DNS security
2. The Web: HTTP, hosting, and caching
3. Content distribution networks (CDNs)

3. DNS hostname versus IP address
DNS host name (e.g. www.cs.princeton.edu)
  Mnemonic name appreciated by humans
  Variable length, full alphabet of characters
  Provides little (if any) information about location
IP address (e.g. 128.112.136.35)
  Numerical address appreciated by routers
  Fixed length, decimal number
  Hierarchical address space, related to host location

4. Many uses of DNS
Hostname to IP address translation
IP address to hostname translation (reverse lookup)
Host name aliasing: other DNS names for a host
  Alias host names point to canonical hostname
Email: Lookup domain’s mail server by domain name

5. Original design of the DNS
Per-host file named /etc/hosts
  Flat namespace: each line = IP address & DNS name
  SRI (Menlo Park, California) kept the master copy
  Everyone else downloads regularly
But, a single server doesn’t scale
  Traffic implosion (lookups and updates)
  Single point of failure
Need a distributed, hierarchical collection of servers

6. DNS: Goals and non-goals
A wide-area distributed database
Goals:
  Scalability; decentralized maintenance
  Robustness
  Global scope
    Names mean the same thing everywhere
  Distributed updates/queries
  Good performance
But don’t need strong consistency properties

7. Domain Name System (DNS)
Hierarchical name space divided into contiguous sections called zones
Zones are distributed over a collection of DNS servers
Hierarchy of DNS servers:
  Root servers (identity hardwired into other servers)
  Top-level domain (TLD) servers
  Authoritative DNS servers
Performing the translations:
  Local DNS servers located near clients
  Resolver software running on clients

8. The DNS namespace is hierarchical
[Figure: tree with Root "." at the top; TLDs com., gov., edu. below it; then princeton.edu., nyu.edu., fcc.gov.; and cs.princeton.edu. under princeton.edu.]
Hierarchy of namespace matches hierarchy of servers
Set of nameservers answers queries for names within zone
Nameservers store names and links to other servers in tree

9. DNS root nameservers
13 root servers. Does this scale?
  A  Verisign, Dulles, VA
  B  USC-ISI, Marina del Rey, CA
  C  Cogent, Herndon, VA
  D  U Maryland, College Park, MD
  E  NASA, Mt View, CA
  F  Internet Software Consortium, Palo Alto, CA
  G  US DoD, Vienna, VA
  H  ARL, Aberdeen, MD
  I  Autonomica, Stockholm
  J  Verisign
  K  RIPE, London
  L  ICANN, Los Angeles, CA
  M  WIDE, Tokyo

10. DNS root nameservers
13 root servers. Does this scale?
Each server is really a cluster of servers (some geographically distributed), replicated via IP anycast
  A  Verisign, Dulles, VA
  B  USC-ISI, Marina del Rey, CA
  C  Cogent, Herndon, VA (also Los Angeles, NY, Chicago)
  D  U Maryland, College Park, MD
  E  NASA, Mt View, CA
  F  Internet Software Consortium, Palo Alto, CA (and 37 other locations)
  G  US DoD, Vienna, VA
  H  ARL, Aberdeen, MD
  I  Autonomica, Stockholm (plus 29 other locations)
  J  Verisign (21 locations)
  K  RIPE, London (plus 16 other locations)
  L  ICANN, Los Angeles, CA
  M  WIDE, Tokyo (plus Seoul, Paris, San Francisco)

11. TLD and Authoritative Servers
Top-level domain (TLD) servers
  Responsible for com, org, net, edu, etc, and all top-level country domains: uk, fr, ca, jp
  Network Solutions maintains servers for com TLD
  Educause non-profit for edu TLD
Authoritative DNS servers
  An organization’s DNS servers, providing authoritative information for that organization
  May be maintained by organization itself, or ISP

12. Local name servers
Do not strictly belong to hierarchy
Each ISP (or company, or university) has one
  Also called default or caching name server
When host makes DNS query, query is sent to its local DNS server
  Acts as proxy, forwards query into hierarchy
  Does work for the client

13. DNS resource records
DNS is a distributed database storing resource records
Resource record includes: (name, type, value, time-to-live)
Type = A (address)
  name = hostname
  value is IP address
Type = CNAME
  name = alias for some canonical (real) name
  value is canonical name
Type = NS (name server)
  name = domain (e.g. princeton.edu)
  value is hostname of authoritative name server for this domain
Type = MX (mail exchange)
  name = domain
  value is name of mail server for that domain

14. DNS in operation
Most queries and responses are UDP datagrams
Two types of queries:
  Recursive: Nameserver responds with answer or error
    Client -> Nameserver: www.princeton.edu?
    Nameserver -> Client: Answer: www.princeton.edu A 140.180.223.42
  Iterative: Nameserver may respond with a referral
    Client -> Nameserver: www.princeton.edu?
    Nameserver -> Client: Referral: .edu NS a.edu-servers.net.

15. A recursive DNS lookup
. (root) authority, 198.41.0.4:
  edu.: NS 192.5.6.30
  com.: NS 158.38.8.133
  io.: NS 156.154.100.3
edu. authority, 192.5.6.30:
  princeton.edu.: NS 66.28.0.14
  pedantic.edu.: NS 19.31.1.1
princeton.edu. authority, 66.28.0.14:
  www.princeton.edu.: A 140.180.223.42
Exchange:
  Client -> Local nameserver: www.princeton.edu?
  Local nameserver -> root: www.princeton.edu?  Reply: Contact 192.5.6.30 for edu.
  Local nameserver -> edu. authority: www.princeton.edu?  Reply: Contact 66.28.0.14 for princeton.edu.
  Local nameserver -> princeton.edu. authority: www.princeton.edu?  Reply: www.princeton.edu A 140.180.223.42
  Local nameserver -> Client: www.princeton.edu A 140.180.223.42
Local nameserver afterwards holds:
  . (root): NS 198.41.0.4
  edu.: NS 192.5.6.30
  princeton.edu.: NS 66.28.0.14
  www.princeton.edu.: A 140.180.223.42

16. Recursive versus iterative queries
Recursive query
  Less burden on entity initiating the query
  More burden on nameserver (has to return an answer to the query)
  Most root and TLD servers won’t answer (shed load)
  Local name server answers recursive query
Iterative query
  More burden on query initiator
  Less burden on nameserver (simply refers the query to another server)

17. $ dig @a.root-servers.net www.freebsd.org +norecurse
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57494
;; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.freebsd.org.                 IN      A

;; AUTHORITY SECTION:
org.                     172800   IN      NS      b0.org.afilias-nst.org.
org.                     172800   IN      NS      d0.org.afilias-nst.org.

;; ADDITIONAL SECTION:
b0.org.afilias-nst.org.  172800   IN      A       199.19.54.1
d0.org.afilias-nst.org.  172800   IN      A       199.19.57.1
(Glue records)
[Output edited for clarity]

18. (authoritative for org.)
$ dig @199.19.54.1 www.freebsd.org +norecurse
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39912
;; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;www.freebsd.org.                 IN      A

;; AUTHORITY SECTION:
freebsd.org.              86400   IN      NS      ns1.isc-sns.net.
freebsd.org.              86400   IN      NS      ns2.isc-sns.com.
freebsd.org.              86400   IN      NS      ns3.isc-sns.info.
[Output edited for clarity]

19. (authoritative for freebsd.org.)
$ dig @ns1.isc-sns.net www.freebsd.org +norecurse
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17037
;; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;www.freebsd.org.                 IN      A

;; ANSWER SECTION:
www.freebsd.org.           3600   IN      A       69.147.83.33

;; AUTHORITY SECTION:
freebsd.org.               3600   IN      NS      ns2.isc-sns.com.
freebsd.org.               3600   IN      NS      ns1.isc-sns.net.
freebsd.org.               3600   IN      NS      ns3.isc-sns.info.

;; ADDITIONAL SECTION:
ns1.isc-sns.net.           3600   IN      A       72.52.71.1
ns2.isc-sns.com.           3600   IN      A       38.103.2.1
ns3.isc-sns.info.          3600   IN      A       63.243.194.1
[Output edited for clarity]

20. DNS caching
Performing all these queries takes time
  And all this before actual communication takes place
Caching can greatly reduce overhead
  The top-level servers very rarely change
  Popular sites visited often
  Local DNS server often has the information cached
How DNS caching works
  All DNS servers cache responses to queries
  Responses include a time-to-live (TTL) field
  Server deletes cached entry after TTL expires
Plays a key role in CDN (Akamai) load balancing
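The lookup on slide 15 and the TTL-driven cache on slide 20, as an added example that is not part of the original slides: a toy local nameserver that answers a client's recursive query by following referrals from the root and caching what it learns. Server addresses and records are the slides' own; the TTLs, the clock, and the slide's simplification that NS values are server addresses rather than hostnames plus glue are assumptions of this example.

```python
"""Toy model of the recursive lookup on slide 15: the local nameserver
answers a client's recursive query by issuing iterative (non-recursive)
queries to the root, edu. and princeton.edu. authorities, following
referrals and caching every record for its TTL (slide 20).
Server addresses and records are the slides'; TTLs and the clock are
constructed for the example, and, as on the slide, NS values are written
as server addresses rather than hostnames plus glue."""

# Authoritative data keyed by server address: list of (name, type, value, ttl)
AUTHORITIES = {
    "198.41.0.4": [  # root
        ("edu.", "NS", "192.5.6.30", 172800),
        ("com.", "NS", "158.38.8.133", 172800),
        ("io.", "NS", "156.154.100.3", 172800),
    ],
    "192.5.6.30": [  # edu. authority
        ("princeton.edu.", "NS", "66.28.0.14", 86400),
        ("pedantic.edu.", "NS", "19.31.1.1", 86400),
    ],
    "66.28.0.14": [  # princeton.edu. authority
        ("www.princeton.edu.", "A", "140.180.223.42", 3600),
    ],
}


def in_zone(name, zone):
    """True if `name` is `zone` itself or lies below it ('.' is the root)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def enclosing_zones(name):
    """Ancestors of a fully-qualified name, closest first:
    'www.princeton.edu.' -> ['princeton.edu.', 'edu.', '.']"""
    parts = name.rstrip(".").split(".")
    return [".".join(parts[i:]) + "." for i in range(1, len(parts))] + ["."]


def ask(server, qname):
    """One non-recursive query (dig +norecurse). The authority returns an
    answer if it holds the name, otherwise the most specific referral it
    knows, otherwise an error."""
    referral = None
    for rr in AUTHORITIES[server]:
        name, rtype, _, _ = rr
        if rtype == "A" and name == qname:
            return "answer", rr
        if rtype == "NS" and in_zone(qname, name):
            if referral is None or len(name) > len(referral[0]):
                referral = rr
    return ("referral", referral) if referral else ("error", None)


class LocalNameserver:
    """Caching resolver (slide 12): proxies the client's query into the
    hierarchy and remembers what it learns."""

    def __init__(self, root="198.41.0.4"):
        # (name, type) -> (value, expiry); the root's identity is hardwired (slide 7)
        self.cache = {(".", "NS"): (root, float("inf"))}
        self.queries_sent = 0

    def cached(self, name, rtype, now):
        entry = self.cache.get((name, rtype))
        if entry is not None and entry[1] > now:
            return entry[0]
        self.cache.pop((name, rtype), None)  # expired: deleted after TTL (slide 20)
        return None

    def resolve(self, qname, now):
        """Answer a recursive query for an A record at time `now` (seconds)."""
        answer = self.cached(qname, "A", now)
        if answer is not None:
            return answer
        # Start from the closest enclosing zone whose nameserver is still cached
        server = next(s for s in (self.cached(z, "NS", now)
                                  for z in enclosing_zones(qname)) if s)
        while True:
            self.queries_sent += 1
            kind, rr = ask(server, qname)
            if kind == "error":
                raise LookupError(qname)
            name, rtype, value, ttl = rr
            self.cache[(name, rtype)] = (value, now + ttl)
            if kind == "answer":
                return value
            server = value  # follow the referral to the next authority
```

The first lookup costs three iterative queries; a repeat within the A record's TTL costs none, and a repeat after it expires costs one, because the cached princeton.edu. delegation is still fresh.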
21. Today
1. Domain Name System (DNS) primer
   A word on DNS security
2. The Web: HTTP, hosting, and caching
3. Content distribution networks (CDNs)

22. A word on DNS security
Implications of subverting DNS:
  1. Redirect victim’s web traffic to rogue servers
  2. Redirect victim’s email to rogue email servers (MX records in DNS)
Does Secure Sockets Layer (SSL) provide protection?
  Yes: user will get wrong certificate if SSL enabled
  No: SSL not enabled or user ignores warnings
  No: how is SSL trust established? Often, by email!

23. Security Problem #1: Coffee shop
As you sip your latte and surf the Web, how does your laptop find google.com?
Answer: it asks the local DNS nameserver
  Which is run by the coffee shop or their contractor
  And can return to you any answer they please
How can you know you’re getting correct data?
  Today, you can’t. (Though HTTPS site helps.)
  One day, hopefully: DNSSEC extensions to DNS

24. Security Problem #2: Cache poisoning
You receive request to resolve www.foobar.com & reply:

;; QUESTION SECTION:
;www.foobar.com.        IN    A
;; ANSWER SECTION:
www.foobar.com.   300   IN    A   212.44.9.144
;; AUTHORITY SECTION:
foobar.com.       600   IN    NS  dns1.foobar.com.
foobar.com.       600   IN    NS  google.com.
;; ADDITIONAL SECTION:
google.com.         5   IN    A       212.44.9.155

(212.44.9.155 is a foobar.com machine, not google.com)

25. DNS cache poisoning (cont’d)
Okay, but how do you get the victim to look up www.foobar.com in the first place?
Perhaps you connect to their mail server and send HELO www.foobar.com
  Which their mail server then looks up to see if it corresponds to your source address (anti-spam measure)
Perhaps you send many spam or phishing emails containing a link to www.foobar.com

26. Mitigation: Bailiwick checking
Local nameserver ignores any RR not in or under same zone as question
Widely deployed since ca. 1997
But, other attacks are possible (e.g. Kaminsky poisoning)

;; QUESTION SECTION:
;www.foobar.com.        IN    A
;; ANSWER SECTION:
www.foobar.com.   300   IN    A   212.44.9.144
;; AUTHORITY SECTION:
foobar.com.       600   IN    NS  dns1.foobar.com.
foobar.com.       600   IN    NS  google.com.
;; ADDITIONAL SECTION:
google.com.         5   IN    A       212.44.9.155
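The bailiwick rule of slide 26 applied to the poisoned response of slide 24 and, for contrast, to the legitimate org. referral of slide 18, as an added example that is not part of the original slides. The two responses are copied from the slides; the parser, the filter and the cache are this example's own, and `zone` is assumed to be the zone the resolver learned the queried server is authoritative for from the delegation it followed, not anything taken from the response itself.

```python
"""Bailiwick check (slide 26) applied to the poisoned response on slide 24
and to the legitimate org. referral on slide 18. The two responses are
copied from the slides; the parser and the filter are this example's own.
`zone` is the zone the resolver believes the queried server is
authoritative for (learned from the delegation it followed), which is
what keeps an attacker from choosing their own bailiwick."""
import re

POISONED = """\
;; QUESTION SECTION:
;www.foobar.com.        IN    A
;; ANSWER SECTION:
www.foobar.com.   300   IN    A   212.44.9.144
;; AUTHORITY SECTION:
foobar.com.       600   IN    NS  dns1.foobar.com.
foobar.com.       600   IN    NS  google.com.
;; ADDITIONAL SECTION:
google.com.         5   IN    A       212.44.9.155
"""

ORG_REFERRAL = """\
;; QUESTION SECTION:
;www.freebsd.org.       IN      A

;; AUTHORITY SECTION:
freebsd.org.    86400   IN      NS      ns1.isc-sns.net.
freebsd.org.    86400   IN      NS      ns2.isc-sns.com.
freebsd.org.    86400   IN      NS      ns3.isc-sns.info.
"""


def parse_dig(text):
    """Parse dig-style output into (question_name, records), where each
    record is (section, owner, ttl, type, value)."""
    section, question, records = None, None, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
        elif not line or line.startswith(";;"):
            continue  # blank line or a header such as ';; Got answer:'
        elif section == "QUESTION":
            question = line.lstrip(";").split()[0]
        else:
            owner, ttl, _cls, rtype, value = line.split()
            records.append((section, owner, int(ttl), rtype, value))
    return question, records


def in_bailiwick(owner, zone):
    """True if `owner` is `zone` itself or lies below it."""
    return zone == "." or owner == zone or owner.endswith("." + zone)


def filter_response(text, zone):
    """Apply the bailiwick rule: keep only RRs whose owner name is in or
    under `zone`. Returns (kept, dropped)."""
    question, records = parse_dig(text)
    if not in_bailiwick(question, zone):
        raise ValueError(f"{question} is not under {zone}; wrong server was asked")
    kept = [rr for rr in records if in_bailiwick(rr[1], zone)]
    dropped = [rr for rr in records if not in_bailiwick(rr[1], zone)]
    return kept, dropped


def accept_into_cache(cache, text, zone):
    """Only in-bailiwick records reach the cache, so a foobar.com answer
    cannot plant an address for google.com. Returns the dropped records."""
    kept, dropped = filter_response(text, zone)
    for _section, owner, ttl, rtype, value in kept:
        cache.setdefault((owner, rtype), []).append((value, ttl))
    return dropped
```

Note that the rule keys on the owner name: the NS record `foobar.com. NS google.com.` itself survives (its owner is in bailiwick), but the out-of-zone glue that would have given it teeth does not.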
27. Today
1. Domain Name System (DNS) primer
2. The Web: HTTP, hosting, and caching
3. Content distribution networks (CDNs)

28. Anatomy of an HTTP/1.0 web page fetch
Web page = HTML file + embedded images/objects
Stop-and-wait at the granularity of objects:
  Close then open new TCP connection for each object
  Incurs a TCP round-trip-time delay each time
  Each TCP connection may stay in “slow start”
[Figure: message timeline between Client and Server]

29. HTTP/1.0 web page fetch: Timeline
Fetch 8.5 Kbyte page with 10 objects, most < 10 Kbyte
[Figure: Bytes received versus Time (milliseconds)]

30. Letting the TCP connection persist
Known as HTTP keepalive
Still stop-and-wait at the granularity of objects, at the application layer
  HTTP response fully received before next HTTP GET dispatched
  ≥ 1 RTT per object
[Figure: timeline between Client and Server from TCP SYN to TCP FIN, with several GETs on one connection]

31. HTTP keepalive avoids TCP slow starts
Incur one slow start, but stop-and-wait to issue next request
[Figure: Bytes received versus Time (milliseconds), with the HTTP/1.0 finish marked]

32. Pipelining within HTTP
Idea: Pipeline HTTP GETs and their responses
Main benefits:
  1. Amortizes the RTT across multiple objects retrieved
  2. Reduces overhead of HTTP requests, packing multiple requests into one packet
Implemented in HTTP/1.1
[Figure: timeline between Client and Server labelled SYN, SYN+ACK, HTTP GET img1.jpg, HTTP GET img2.jpg, HTTP Response, HTTP Response, FIN]

33. Pipelined HTTP requests overlap RTTs
Many HTTP requests and TCP connections at once
Overlaps RTTs of all requests
[Figure: Bytes received versus Time (milliseconds), with the HTTP/1.0 finish, Keep-alive finish and HTTP/1.1 finish marked]
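The three timelines of slides 29, 31 and 33 reduced to a round-trip count, as an added example that is not part of the original slides: each strategy is charged one RTT per TCP handshake plus the slow-start rounds its responses need. The RTT, the segment size and the object sizes are assumptions chosen to match the slide-29 scenario (8.5 Kbyte page, 10 objects, most under 10 Kbyte); this is the example's own model, not the measurements behind the slides' plots.

```python
"""Simplified timing model for the three fetch strategies on slides 28-33.
Time is counted in round trips: a new connection costs one RTT for the
handshake, and a response is delivered in slow-start rounds (the window
starts at one segment and doubles every RTT). RTT, segment size and object
sizes are constructed to match the slide-29 scenario of an 8.5 Kbyte page
with 10 objects, most under 10 Kbyte."""

MSS = 1460                   # bytes per TCP segment (assumption)
RTT_MS = 100                 # round-trip time in milliseconds (assumption)
PAGE = [8500] + [4000] * 10  # HTML file, then 10 embedded objects (sizes constructed)


def transfer(size, cwnd):
    """Rounds needed to deliver `size` bytes starting with a window of
    `cwnd` segments that doubles each round. Returns (rounds, cwnd_after)."""
    rounds, delivered = 0, 0
    while delivered < size:
        delivered += cwnd * MSS
        cwnd *= 2
        rounds += 1
    return rounds, cwnd


def http10_ms(page=PAGE):
    """HTTP/1.0 (slide 28): close and reopen a TCP connection for every
    object, so each one pays a handshake RTT and restarts slow start."""
    rounds = 0
    for size in page:
        t, _ = transfer(size, 1)
        rounds += 1 + t
    return rounds * RTT_MS


def keepalive_ms(page=PAGE):
    """HTTP keepalive (slide 30): one handshake and one slow start, but the
    next GET is only sent after the previous response fully arrives, so
    every object still costs at least one RTT."""
    rounds, cwnd = 1, 1
    for size in page:
        t, cwnd = transfer(size, cwnd)
        rounds += t
    return rounds * RTT_MS


def pipelined_ms(page=PAGE):
    """HTTP/1.1 pipelining (slide 32): the HTML must still arrive first (the
    browser learns the object URLs from it), then all object GETs go out
    back to back and their responses share the remaining rounds."""
    html, objects = page[0], page[1:]
    rounds, cwnd = 1, 1
    t, cwnd = transfer(html, cwnd)
    rounds += t
    t, _ = transfer(sum(objects), cwnd)
    return (rounds + t) * RTT_MS
```

With these assumptions the page takes 34 round trips under HTTP/1.0, 14 with keepalive and 7 with pipelining, the same ordering the three plots show.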
34. Today
1. Domain Name System (DNS) primer
2. The Web: HTTP, hosting, and caching
   Handling heavy loads
3. Content distribution networks (CDNs)

35. Hosting: Multiple machines per site
Problem: Overloaded popular web site
Replicate the site across multiple machines
  Helps to handle the load
Want to direct client to a particular replica. Why?
  Balance load across server replicas
Solution #1: Manual selection by clients
  Each replica has its own site name
  Some Web page lists replicas (e.g., by name, location), asks clients to click link to pick

36. Hosting: Load-balancer approach
Solution #2: Single IP address, multiple machines
  Run multiple machines behind a single IP address
  Ensure all packets from a single TCP connection go to the same replica
[Figure: clients reach a Load Balancer at 64.236.16.20, which fronts several replicas]

37. Hosting: DNS redirection approach
Solution #3: Multiple IP addresses, multiple machines
  Same DNS name but different IP for each replica
  DNS server returns IP addresses “round robin”
[Figure: the DNS server hands out 64.236.16.20, 173.72.54.131 and 12.1.1.1 for the same name]

38. Hosting: Summary
Load-balancer approach
  No geographical diversity
  TCP connection issue
  Does not reduce network traffic
DNS redirection
  No TCP connection issues
  Simple round-robin server selection
  May be less responsive
  Does not reduce network traffic

39. Web caching
Many clients transfer the same information
  Generates redundant server and network load
  Also, clients may experience high latency
[Figure: Clients behind ISP-1 and ISP-2, connected through a Backbone ISP to the Origin server]

40. Why web caching?
Motivation for placing content closer to client:
  User gets better response time
  Content providers get happier users
  Network gets reduced load
Why does caching work? Exploits locality of reference
How well does caching work?
  Very well, up to a limit
  Large overlap in content
  But many unique requests

41. Caching with Reverse Proxies
Cache data close to origin server → decrease server load
  Typically done by content providers
  Client thinks it is talking to the origin server (the server with content)
  Does not work for dynamic content
[Figure: Reverse proxies placed in front of the Origin server; Clients, ISP-1, ISP-2 and the Backbone ISP as before]

42. Caching with Forward Proxies
Cache close to clients → less network traffic, less latency
  Typically done by ISPs or corporate LANs
  Client configured to send HTTP requests to forward proxy
  Reduces traffic on ISP-1’s access link, origin server, and backbone ISP
[Figure: Forward proxies inside ISP-1 and ISP-2, Reverse proxies at the Origin server, the Backbone ISP between them]

43. Caching & Load-Balancing: Outstanding problems
Problem ca. 2002: How to reliably deliver large amounts of content to users worldwide?
Popular event: Flash crowds overwhelm (replicated) web server, access link, or back-end database infrastructure
More rich content: audio, video, photos
Web caching: Diversity causes low cache hit rates (25–40%)

44. Today
1. Domain Name System (DNS) primer
2. The Web: HTTP, hosting, and caching
3. Content distribution networks (CDNs)
   Akamai case study

45. Content Distribution Networks
Proactive content replication
  Content provider (e.g. CNN) pushes content out from its own origin server
  CDN replicates the content
    On many servers spread throughout the Internet
Updating the replicas
  Updates pushed to replicas when the content changes
[Figure: Origin server in N. America pushes to a CDN distribution node, which feeds CDN servers in S. America, Europe and Asia]

46. Replica selection: Goals
Live server
  For availability
Lowest load
  To balance load across the servers
Closest
  Nearest geographically, or in round-trip time
Best performance
  Throughput, latency, reliability…

47. Akamai statistics
Distributed servers
  Servers: ~100,000
  Networks: ~1,000
  Countries: ~70
Many customers
  Apple, BBC, FOX, GM, IBM, MTV, NASA, NBC, NFL, NPR, Puma, Red Bull, Rutgers, SAP, …
Client requests
  20+M per second
  Half in the top 45 networks
  20% of all Web traffic worldwide

48–54. How Akamai Uses DNS
Parties: End user; cnn.com (content provider); DNS TLD server; Akamai global DNS server; Akamai regional DNS server; Nearby Akamai cluster; another Akamai cluster
Steps, as numbered across the animation:
  1. End user → cnn.com (HTTP): GET index.html
  2. cnn.com → End user: the page, which references cache.cnn.com/foo.jpg
  3. End user → DNS TLD server: DNS lookup cache.cnn.com
  4. DNS TLD server → End user: ALIAS g.akamai.net
  5. End user → Akamai global DNS server: DNS lookup g.akamai.net
  6. Akamai global DNS server → End user: ALIAS a73.g.akamai.net
  7. End user → Akamai regional DNS server: DNS lookup a73.g.akamai.net
  8. Akamai regional DNS server → End user: Address 1.2.3.4
  9. End user → Nearby Akamai cluster (HTTP): GET /foo.jpg, Host: cache.cnn.com
  10–11. Nearby Akamai cluster → cnn.com (HTTP): GET foo.jpg, and cnn.com returns it
  12. Nearby Akamai cluster → End user: foo.jpg

55. How Akamai Works: Cache Hit
[Figure: the same parties, with six numbered steps: the DNS lookups and the GET are answered without the cluster contacting cnn.com]

56. Mapping System
Equivalence classes of IP addresses
  IP addresses experiencing similar performance
  Quantify how well they connect to each other
Collect and combine measurements
  Ping, traceroute, BGP routes, server logs
    e.g., over 100 TB of logs per day
  Network latency, loss, throughput, and connectivity

57. Routing client requests with the map
Map each IP class to a preferred server cluster
  Based on performance, cluster health, etc.
  Updated roughly every minute
    Short, 60-sec DNS TTLs in Akamai regional DNS accomplish this
Map client request to a server in the cluster
  Load balancer selects a specific server
    e.g., to maximize the cache hit rate
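The alias chain of slides 49–51 and the map-driven regional DNS of slides 56–57, as an added example that is not part of the original slides: a mapping system ranks clusters per client IP class from measurements and health, and the regional DNS answers a73.g.akamai.net for the client's class with a 60-second TTL, so a failed cluster drops out of the answers within about a minute. The names and the address 1.2.3.4 come from the slides; the IP classes, the other cluster addresses and the latency measurements are constructed, and the code is this example's own rather than Akamai's.

```python
"""Toy version of the Akamai mapping system and regional DNS (slides 49-58):
a map from client IP classes to a ranking of clusters, a regional DNS that
answers a73.g.akamai.net for the client's class with a 60-second TTL, and
the CNAME chain cache.cnn.com -> g.akamai.net -> a73.g.akamai.net.
The names and the address 1.2.3.4 come from the slides; IP classes, the
other cluster addresses and the latency measurements are constructed."""
from ipaddress import ip_address, ip_network

TTL = 60  # seconds: short TTLs let a new map take effect within about a minute (slide 57)

# Clusters and their addresses (1.2.3.4 is the slides' nearby cluster; the others are hypothetical)
CLUSTERS = {"nearby": "1.2.3.4", "east": "10.0.0.1", "europe": "10.0.1.1"}

# Constructed measurements: median RTT in ms from each IP class to each cluster
MEASUREMENTS = {
    ip_network("128.112.0.0/16"): {"nearby": 8, "east": 25, "europe": 95},
    ip_network("192.0.2.0/24"): {"nearby": 70, "east": 40, "europe": 60},
}

# The alias chain the content provider and Akamai publish (slides 49-51)
CNAME_CHAIN = {
    "cache.cnn.com.": "g.akamai.net.",
    "g.akamai.net.": "a73.g.akamai.net.",
}


class MappingSystem:
    """Turns measurements plus cluster health into the high-level map."""

    def __init__(self, measurements):
        self.measurements = measurements
        self.healthy = {cluster: True for cluster in CLUSTERS}

    def mark_failed(self, cluster):
        """Slide 58: a failed cluster or path is removed from the map."""
        self.healthy[cluster] = False

    def build_map(self):
        """IP class -> clusters ordered by RTT, unhealthy clusters excluded."""
        return {
            ip_class: [c for c, _ in sorted(rtts.items(), key=lambda kv: kv[1])
                       if self.healthy[c]]
            for ip_class, rtts in self.measurements.items()
        }


class RegionalDNS:
    """Authoritative for a73.g.akamai.net; picks the cluster from the map."""

    def __init__(self, mapping):
        self.mapping = mapping
        self.refresh()

    def refresh(self):
        self.map = self.mapping.build_map()  # roughly every minute in practice (slide 57)

    def classify(self, client_ip):
        """Find the equivalence class (slide 56) the client's address belongs to."""
        addr = ip_address(client_ip)
        for ip_class in self.map:
            if addr in ip_class:
                return ip_class
        raise LookupError(f"no IP class for {client_ip}")

    def answer(self, qname, client_ip):
        """Return (name, type, value, ttl) pointing at the best live cluster."""
        if qname != "a73.g.akamai.net.":
            raise LookupError(qname)
        ranked = self.map[self.classify(client_ip)]
        if not ranked:
            raise LookupError("no live cluster for this class")
        return (qname, "A", CLUSTERS[ranked[0]], TTL)


def resolve(name, client_ip, regional):
    """Follow the CNAMEs from cache.cnn.com to the A record. Returns (chain, record)."""
    chain = [name]
    while name in CNAME_CHAIN:
        name = CNAME_CHAIN[name]
        chain.append(name)
    return chain, regional.answer(name, client_ip)
```

A client in the 128.112.0.0/16 class is sent to 1.2.3.4 until that cluster is marked failed and the map is rebuilt, after which the next-best cluster takes over; clients still holding the old answer switch once the 60-second TTL runs out.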
58. Adapting to failures
Failing hard drive on a server
  Suspends after finishing “in progress” requests
Failed server
  Another server takes over for the IP address
  Low-level map updated quickly (load balancer)
Failed cluster, or network path
  High-level map updated quickly (ping/traceroute)

59. Take-away points: CDNs
Content distribution is hard
  Many, diverse, changing objects
  Clients distributed all over the world
Moving content to the client is key
  Reduces latency, improves throughput, reliability
Content distribution solutions evolved:
  Load balancing, reactive caching, to
  Proactive content distribution networks

60. Friday precept:
How to transition from Assignment 3 to Assignment 4
Monday topic:
Distributed Wireless Networks: Roofnet
This lecture delves into the fundamentals of the Domain Name System (DNS), highlighting the differences between DNS hostname and IP address, the various uses of DNS, the original design challenges of DNS, its goals and non-goals, and the hierarchical structure of the DNS. It also covers the role of Content Distribution Networks (CDNs) in efficiently delivering web content.

Uploaded on Sep 17, 2024

  1. Content Distribution Networks COS 418: Distributed Systems Lecture 19 Kyle Jamieson [Selected content adapted from M. Freedman, B. Maggs and S. Shenker]

  2. Today 1. Domain Name System (DNS) primer A word on DNS security 2. The Web: HTTP, hosting, and caching 3. Content distribution networks (CDNs) 2

  3. DNS hostname versus IP address DNS host name (e.g. www.cs.princeton.edu) Mnemonic name appreciated by humans Variable length, full alphabet of characters Provides little (if any) information about location IP address (e.g. 128.112.136.35) Numerical address appreciated by routers Fixed length, decimal number Hierarchical address space, related to host location 3

  4. Many uses of DNS Hostname to IP address translation IP address to hostname translation (reverse lookup) Host name aliasing: other DNS names for a host Alias host names point to canonical hostname Email: Lookup domain s mail server by domain name 4

  5. Original design of the DNS Per-host file named /etc/hosts Flat namespace: each line=IP address & DNS name SRI (Menlo Park, California) kept the master copy Everyone else downloads regularly But, a single server doesn t scale Traffic implosion (lookups and updates) Single point of failure Need a distributed, hierarchical collection of servers 5

  6. DNS: Goals and non-goals A wide-area distributed database Goals: Scalability; decentralized maintenance Robustness Global scope Names mean the same thing everywhere Distributed updates/queries Good performance But don t need strong consistency properties 6

  7. Domain Name System (DNS) Hierarchicalname space divided into contiguous sections called zones Zones are distributed over a collection of DNS servers Hierarchy of DNS servers: Root servers (identity hardwired into other servers) Top-level domain (TLD) servers Authoritative DNS servers Performing the translations: Local DNS servers located near clients Resolver software running on clients 7

  8. The DNS namespace is hierarchical Root . TLDs: com. gov. edu. princeton.edu. nyu.edu. fcc.gov. cs.princeton.edu. Hierarchy of namespace matches hierarchy of servers Set of nameservers answers queries for names within zone Nameservers store names and links to other servers in tree 8

  9. DNS root nameservers 13 root servers. Does this scale? A Verisign, Dulles, VA C Cogent, Herndon, VA D U Maryland College Park, MD G US DoD Vienna, VA H ARL Aberdeen, MD J Verisign K RIPE London I Autonomica, Stockholm E NASA Mt View, CA F Internet Software Consortium, PaloAlto, CA M WIDE Tokyo B USC-ISI Marina del Rey, CA L ICANN Los Angeles, CA 9

  10. DNS root nameservers 13 root servers. Does this scale? Each server is really a cluster of servers (some geographically distributed), replicated via IP anycast A Verisign, Dulles, VA C Cogent, Herndon, VA (also Los Angeles, NY, Chicago) D U Maryland College Park, MD G US DoD Vienna, VA H ARL Aberdeen, MD J Verisign (21 locations) K RIPE London (plus 16 other locations) I Autonomica, Stockholm (plus 29 other locations) E NASA Mt View, CA F Internet Software Consortium, PaloAlto, CA (and 37 other locations) M WIDE Tokyo plus Seoul, Paris, San Francisco B USC-ISI Marina del Rey, CA L ICANN Los Angeles, CA 10

  11. TLD and Authoritative Servers Top-level domain (TLD) servers Responsible for com, org, net, edu, etc, and all top- level country domains: uk, fr, ca, jp Network Solutions maintains servers for com TLD Educause non-profit for edu TLD Authoritative DNS servers An organization s DNS servers, providing authoritative information for that organization May be maintained by organization itself, or ISP 11

  12. Local name servers Do not strictly belong to hierarchy Each ISP (or company, or university) has one Also called default or caching name server When host makes DNS query, query is sent to its local DNS server Acts as proxy, forwards query into hierarchy Does work for the client 12

  13. DNS resource records DNSis a distributed database storing resource records Resource record includes: (name, type, value, time-to-live) Type = A (address) name = hostname value is IP address Type = CNAME name = alias for some canonical (real) name value is canonical name Type = NS (name server) name = domain (e.g. princeton.edu) value is hostname of authoritative name server for this domain Type = MX (mail exchange) name = domain value is name of mail server for that domain 13

  14. DNS in operation Most queries and responses are UDP datagrams Two types of queries: Recursive: Nameserver responds with answer or error Client Nameserver www.princeton.edu? Answer: www.princeton.edu A 140.180.223.42 Iterative: Nameserver may respond with a referral Nameserver Client www.princeton.edu? Referral: .edu NS a.edu-servers.net. 14

  15. A recursive DNS lookup . (root) authority 198.41.0.4 edu.: NS 192.5.6.30 com.: NS 158.38.8.133 io.: NS 156.154.100.3 edu. authority 192.5.6.30 princeton.edu.: pedantic.edu.: www.princeton.edu? NS 66.28.0.14 NS 19.31.1.1 Contact 192.5.6.30 for edu. Client Contact 66.28.0.14 for princeton.edu. www.princeton.edu? www.princeton.edu? www.princeton.edu? www.princeton.edu A 140.180.223.42 princeton.edu. authority 66.28.0.14 www.princeton.edu.: A 140.180.223.42 Local nameserver . (root): NS 198.41.0.4 edu.: NS 192.5.6.30 princeton.edu.: NS 66.28.0.14 www.princeton.edu.: A 140.180.223.42 15

16. Recursive versus iterative queries

  Recursive query                                   | Iterative query
  --------------------------------------------------|--------------------------------------------------
  Less burden on the entity initiating the query    | More burden on the query initiator
  More burden on the nameserver (has to return an   | Less burden on the nameserver (simply refers the
    answer to the query)                            |   query to another server)
  Most root and TLD servers won't answer (shed load)|

- Local name server answers the recursive query

17. $ dig @a.root-servers.net www.freebsd.org +norecurse
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57494
;; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.freebsd.org.               IN      A

;; AUTHORITY SECTION:
org.                    172800  IN      NS      b0.org.afilias-nst.org.
org.                    172800  IN      NS      d0.org.afilias-nst.org.

;; ADDITIONAL SECTION:
b0.org.afilias-nst.org. 172800  IN      A       199.19.54.1
d0.org.afilias-nst.org. 172800  IN      A       199.19.57.1

[The ADDITIONAL SECTION carries the glue records. Output edited for clarity]

18. (authoritative for org.)
$ dig @199.19.54.1 www.freebsd.org +norecurse
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39912
;; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;www.freebsd.org.               IN      A

;; AUTHORITY SECTION:
freebsd.org.            86400   IN      NS      ns1.isc-sns.net.
freebsd.org.            86400   IN      NS      ns2.isc-sns.com.
freebsd.org.            86400   IN      NS      ns3.isc-sns.info.

[Output edited for clarity]

19. (authoritative for freebsd.org.)
$ dig @ns1.isc-sns.net www.freebsd.org +norecurse
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17037
;; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;www.freebsd.org.               IN      A

;; ANSWER SECTION:
www.freebsd.org.        3600    IN      A       69.147.83.33

;; AUTHORITY SECTION:
freebsd.org.            3600    IN      NS      ns2.isc-sns.com.
freebsd.org.            3600    IN      NS      ns1.isc-sns.net.
freebsd.org.            3600    IN      NS      ns3.isc-sns.info.

;; ADDITIONAL SECTION:
ns1.isc-sns.net.        3600    IN      A       63.243.194.1
ns2.isc-sns.com.        3600    IN      A       72.52.71.1
ns3.isc-sns.info.       3600    IN      A       38.103.2.1

[Output edited for clarity]
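The referral walk of slides 15 to 19 as an added example (not code from the lecture): an iterative resolver that starts at the root and follows NS referrals until it gets an A record. Server addresses and zone contents are the ones on slide 15; the dictionary layout, which gives NS values directly as server IPs (NS plus glue merged), is a constructed simplification.

```python
# Added example, not from the lecture: an iterative resolver that walks the
# referral tables of slide 15 the way the dig session on slides 17-19 does.
# Addresses and zone contents are those shown on slide 15; the dict layout
# (NS values given directly as server IPs, i.e. NS + glue merged) is a
# constructed simplification.
SERVERS = {
    "198.41.0.4": {                   # . (root) authority
        "edu.": ("NS", "192.5.6.30"),
        "com.": ("NS", "158.38.8.133"),
        "io.":  ("NS", "156.154.100.3"),
    },
    "192.5.6.30": {                   # edu. authority
        "princeton.edu.": ("NS", "66.28.0.14"),
        "pedantic.edu.":  ("NS", "19.31.1.1"),
    },
    "66.28.0.14": {                   # princeton.edu. authority
        "www.princeton.edu.": ("A", "140.180.223.42"),
    },
}
ROOT = "198.41.0.4"

def query(server_ip, name):
    """Answer as a server on slide 15 would: return the record for the longest
    suffix of `name` it holds, as (type, value), or None if it holds nothing."""
    if server_ip not in SERVERS:
        raise LookupError(f"no server reachable at {server_ip}")
    zone_data = SERVERS[server_ip]
    labels = name.rstrip(".").split(".")
    # Try www.princeton.edu., then princeton.edu., then edu. ...
    for i in range(len(labels)):
        suffix = ".".join(labels[i:]) + "."
        if suffix in zone_data:
            return zone_data[suffix]
    return None

def resolve_iteratively(name, max_hops=10):
    """Start at the root and follow referrals until an A record comes back.
    Returns (ip_address, servers_contacted_in_order)."""
    server, trail = ROOT, []
    for _ in range(max_hops):
        trail.append(server)
        rr = query(server, name)
        if rr is None:
            raise LookupError(f"{server} has no data for {name}")
        rtype, value = rr
        if rtype == "A":
            return value, trail          # final answer
        server = value                   # referral: ask this server next
    raise LookupError("too many referrals")   # guards against referral loops
```

Calling resolve_iteratively("www.princeton.edu") returns the address together with the three servers contacted, in the same order as the three dig commands above.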

20. DNS caching
- Performing all these queries takes time
  - And all this before actual communication takes place
- Caching can greatly reduce overhead
  - The top-level servers very rarely change
  - Popular sites are visited often
  - Local DNS server often has the information cached
- How DNS caching works
  - All DNS servers cache responses to queries
  - Responses include a time-to-live (TTL) field
  - Server deletes the cached entry after the TTL expires
- Plays a key role in CDN (Akamai) load balancing

21. Today
1. Domain Name System (DNS) primer
   - A word on DNS security
2. The Web: HTTP, hosting, and caching
3. Content distribution networks (CDNs)

22. A word on DNS security
- Implications of subverting DNS:
  1. Redirect victim's web traffic to rogue servers
  2. Redirect victim's email to rogue email servers (MX records in DNS)
- Does Secure Sockets Layer (SSL) provide protection?
  - Yes: user will get the wrong certificate if SSL is enabled
  - No: SSL not enabled, or user ignores warnings
  - No: how is SSL trust established? Often, by email!

23. Security Problem #1: Coffee shop
- As you sip your latte and surf the Web, how does your laptop find google.com?
- Answer: it asks the local DNS nameserver
  - Which is run by the coffee shop or their contractor
  - And can return to you any answer they please
- How can you know you're getting correct data?
  - Today, you can't. (Though an HTTPS site helps.)
  - One day, hopefully: DNSSEC extensions to DNS

24. Security Problem #2: Cache poisoning
- You receive a request to resolve www.foobar.com & reply:

;; QUESTION SECTION:
;www.foobar.com.                IN      A

;; ANSWER SECTION:
www.foobar.com.         300     IN      A       212.44.9.144

;; AUTHORITY SECTION:
foobar.com.             600     IN      NS      dns1.foobar.com.
foobar.com.             600     IN      NS      google.com.

;; ADDITIONAL SECTION:
google.com.             5       IN      A       212.44.9.155

- The ADDITIONAL record points google.com at a foobar.com machine, not google.com
- Its TTL is 5: the evidence disappears five seconds later!

25. DNS cache poisoning (contd)
- Okay, but how do you get the victim to look up www.foobar.com in the first place?
- Perhaps you connect to their mail server and send HELO www.foobar.com
  - Which their mail server then looks up to see if it corresponds to your source address (anti-spam measure)
- Perhaps you send many spam or phishing emails containing a link to www.foobar.com

26. Mitigation: Bailiwick checking
- Local nameserver ignores any RR not in or under the same zone as the question
- Widely deployed since ca. 1997
- But other attacks are possible (e.g. Kaminsky poisoning)

;; QUESTION SECTION:
;www.foobar.com.                IN      A

;; ANSWER SECTION:
www.foobar.com.         300     IN      A       212.44.9.144

;; AUTHORITY SECTION:
foobar.com.             600     IN      NS      dns1.foobar.com.
foobar.com.             600     IN      NS      google.com.

;; ADDITIONAL SECTION:
google.com.             5       IN      A       212.44.9.155

[The google.com. A record in the ADDITIONAL SECTION is not under foobar.com., so the bailiwick check discards it]
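The bailiwick rule of slide 26 together with the TTL expiry of slide 20, run over the poisoned response of slide 24, as an added example (not code from the lecture). The record tuples are constructed from the response shown above; the zone parameter stands for the zone the answering server was referred to for, here foobar.com., which is a simplification of how real resolvers track bailiwick.

```python
# Added example, not from the lecture: a toy resolver cache that applies the
# bailiwick rule of slide 26 and the TTL expiry of slide 20 to the poisoned
# response shown on slide 24. Record tuples are (name, ttl, type, value);
# `zone` is the zone the answering server was referred to for, here foobar.com.
import time

# Constructed from the response on slide 24.
POISONED_RESPONSE = {
    "answer":     [("www.foobar.com.", 300, "A", "212.44.9.144")],
    "authority":  [("foobar.com.", 600, "NS", "dns1.foobar.com."),
                   ("foobar.com.", 600, "NS", "google.com.")],
    "additional": [("google.com.", 5, "A", "212.44.9.155")],
}

def in_bailiwick(rr_name, zone):
    """True if rr_name is `zone` itself or a name under it."""
    return rr_name == zone or rr_name.endswith("." + zone)

class Cache:
    def __init__(self, bailiwick_check=True, clock=time.time):
        self.check, self.clock, self._rrs = bailiwick_check, clock, {}

    def accept(self, response, zone):
        """Cache every RR of the response that passes the bailiwick rule.
        Returns the RRs that were rejected (empty when the check is off)."""
        rejected = []
        for section in ("answer", "authority", "additional"):
            for name, ttl, rtype, value in response[section]:
                if self.check and not in_bailiwick(name, zone):
                    rejected.append((name, rtype, value))
                    continue
                self._rrs[(name, rtype, value)] = self.clock() + ttl
        return rejected

    def lookup(self, name, rtype):
        """Return the unexpired cached values for (name, rtype), purging
        anything whose TTL has run out on the way."""
        now, live = self.clock(), []
        for (n, t, v), expires in list(self._rrs.items()):
            if now >= expires:
                del self._rrs[(n, t, v)]        # TTL expired: drop the entry
            elif (n, t) == (name, rtype):
                live.append(v)
        return live
```

With bailiwick_check=False the forged google.com. address is cached and then vanishes after its 5-second TTL, exactly the "evidence disappears" effect of slide 24; with the check on, that record is the only one rejected, while the in-zone NS record naming google.com. is still kept.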

27. Today
1. Domain Name System (DNS) primer
2. The Web: HTTP, hosting, and caching
3. Content distribution networks (CDNs)

28. Anatomy of an HTTP/1.0 web page fetch
- Web page = HTML file + embedded images/objects
- [Figure: client fetches the web page, then each of its objects, from the server]
- Stop-and-wait at the granularity of objects:
  - Close, then open a new TCP connection for each object
  - Incurs a TCP round-trip-time delay each time
  - Each TCP connection may stay in slow start

29. HTTP/1.0 webpage fetch: Timeline
[Figure: bytes received vs. time (milliseconds); the object downloads run up to the "HTTP/1.0 finish" mark]
- Fetch an 8.5 Kbyte page with 10 objects, most < 10 Kbyte

30. Letting the TCP connection persist
- Known as HTTP keepalive
- [Figure: client and server exchange all objects over a single connection]
- Still stop-and-wait at the granularity of objects, at the application layer
  - HTTP response fully received before the next HTTP GET is dispatched
  - 1 RTT per object

31. HTTP Keepalive avoids TCP slow starts
[Figure: bytes received vs. time (milliseconds); "HTTP/1.0 finish" and "Keep-alive finish" marked]
- Incur one slow start, but stop-and-wait to issue the next request

32. Pipelining within HTTP
- Idea: Pipeline HTTP GETs and their responses
- [Figure: client sends several GETs back-to-back; the server's responses follow in order]
- Main benefits:
  1. Amortizes the RTT across multiple objects retrieved
  2. Reduces overhead of HTTP requests, packing multiple requests into one packet
- Implemented in HTTP/1.1

33. Pipelined HTTP requests overlap RTTs
[Figure: bytes received vs. time (milliseconds); "HTTP/1.0 finish", "Keep-alive finish" and "HTTP/1.1 finish" marked]
- Many HTTP requests and TCP connections at once
- Overlaps RTTs of all requests

34. Today
1. Domain Name System (DNS) primer
2. The Web: HTTP, hosting, and caching
   - Handling heavy loads
3. Content distribution networks (CDNs)

35. Hosting: Multiple machines per site
- Problem: Overloaded popular web site
- Replicate the site across multiple machines
  - Helps to handle the load
- Want to direct the client to a particular replica. Why?
  - Balance load across server replicas
- Solution #1: Manual selection by clients
  - Each replica has its own site name
  - Some Web page lists replicas (e.g., by name, location), asks clients to click a link to pick

36. Hosting: Load-balancer approach
- Solution #2: Single IP address, multiple machines
  - Run multiple machines behind a single IP address
  - [Figure: clients reach a load balancer at 64.236.16.20, which forwards to the replicas behind it]
  - Ensure all packets from a single TCP connection go to the same replica

37. Hosting: DNS redirection approach
- Solution #3: Multiple IP addresses, multiple machines
  - Same DNS name but a different IP for each replica
  - DNS server returns IP addresses round robin
  - [Figure: DNS returns 12.1.1.1, 64.236.16.20 and 173.72.54.131 for the same name]

38. Hosting: Summary
- Load-balancer approach
  - No geographical diversity
  - TCP connection issue
  - Does not reduce network traffic
- DNS redirection
  - No TCP connection issues
  - Simple round-robin server selection
    - May be less responsive
  - Does not reduce network traffic

39. Web caching
- Many clients transfer the same information
  - Generates redundant server and network load
  - Also, clients may experience high latency
- [Figure: clients behind ISP-1 and ISP-2 reach the origin server through a backbone ISP]

40. Why web caching?
- Motivation for placing content closer to the client:
  - User gets better response time
  - Content providers get happier users
  - Network gets reduced load
- Why does caching work? Exploits locality of reference
- How well does caching work?
  - Very well, up to a limit
  - Large overlap in content
  - But many unique requests

41. Caching with Reverse Proxies
- Cache data close to the origin server -> decrease server load
  - Typically done by content providers
- Client thinks it is talking to the origin server (the server with the content)
- Does not work for dynamic content
- [Figure: reverse proxies sit in front of the origin server, between it and the backbone ISP]

42. Caching with Forward Proxies
- Cache close to clients -> less network traffic, less latency
  - Typically done by ISPs or corporate LANs
- Client configured to send HTTP requests to the forward proxy
- Reduces traffic on ISP-1's access link, the origin server, and the backbone ISP
- [Figure: forward proxies sit inside ISP-1 and ISP-2, next to the clients; the reverse proxies remain at the origin]

43. Caching & Load-Balancing: Outstanding problems
- Problem ca. 2002: How to reliably deliver large amounts of content to users worldwide?
- Popular event: Flash crowds overwhelm the (replicated) web server, access link, or back-end database infrastructure
- More rich content: audio, video, photos
- Web caching: Diversity causes low cache hit rates (25-40%)

44. Today
1. Domain Name System (DNS) primer
2. The Web: HTTP, hosting, and caching
3. Content distribution networks (CDNs)
   - Akamai case study

45. Content Distribution Networks
- Proactive content replication
  - Content provider (e.g. CNN) pushes content out from its own origin server (in N. America)
- CDN replicates the content
  - On many servers spread throughout the Internet
- Updating the replicas
  - Updates pushed to replicas when the content changes
- [Figure: origin server in N. America feeds a CDN distribution node, which feeds CDN servers in S. America, Asia and Europe]

46. Replica selection: Goals
- Live server
  - For availability
  - Requires continuous monitoring of liveness, load, and performance
- Lowest load
  - To balance load across the servers
- Closest
  - Nearest geographically, or in round-trip time
- Best performance
  - Throughput, latency, reliability

47. Akamai statistics
- Distributed servers
  - Servers: ~100,000
  - Networks: ~1,000
  - Countries: ~70
- Client requests
  - 20+M per second
  - Half in the top 45 networks
  - 20% of all Web traffic worldwide
- Many customers
  - Apple, BBC, FOX, GM, IBM, MTV, NASA, NBC, NFL, NPR, Puma, Red Bull, Rutgers, SAP, ...

48. How Akamai Uses DNS
[Figure: end user, cnn.com (content provider), DNS TLD server, Akamai global DNS server, Akamai regional DNS server, an Akamai cluster and a nearby Akamai cluster]
- Step 1 (HTTP): end user sends GET index.html to cnn.com
- Step 2 (HTTP): cnn.com returns the page, which references cache.cnn.com/foo.jpg

49. How Akamai Uses DNS
- Step 3: the end user's DNS lookup for cache.cnn.com goes to the DNS TLD server
- Step 4: reply: ALIAS g.akamai.net (cache.cnn.com is an alias for an Akamai name)

50. How Akamai Uses DNS
- Step 5: the DNS lookup for g.akamai.net goes to the Akamai global DNS server
- Step 6: reply: ALIAS a73.g.akamai.net, a name served by the Akamai regional DNS server, which directs the end user to a nearby Akamai cluster
