
www.egiraffe.at - Rechner- und Kommunikationsnetze - VO

Question Collection SS2018

RKN Question Catalog
Network foundations

What, basically, is a network?


Nodes and links connecting these nodes.

Why is networking split in layers?


To divide, address and resolve the problems that arise when building and using networks in
small portions at the "right place". If you build a machine which does all networking work at once
and this machine has a problem with one of its functions, you need to replace the whole
machine instead of just the part doing the specific task which goes wrong.

How does splitting networking in layers work?


Usually by encapsulation. Every layer takes the whole data from the preceding layer as payload,
packs it with some additional header information needed for its specific task and hands the whole
thing to the next layer. Unpacking at the receiver side works the same way in the opposite direction.

What are the layers of the OSI model (used for)?


1. Application layer → Actual application data which needs to be transported
2. Presentation layer → e.g. Character encodings
3. Session layer → e.g. resuming downloads, saving states.
4. Transport layer → making sure transport between application endpoints works, packet
retransmission if desired, and so on
5. Network layer → routing packets from one host to another
6. Link layer → handling transport between two nodes directly
7. Physical layer → Cables, electronic standards

What are the layers of the TCP/IP model (used for)?


1. Application layer → OSI 1-3
2. Transport layer → OSI 4
3. Network layer → OSI 5
4. Data Link layer → OSI 6-7


What is circuit switching?


Dedicated links between two nodes. Guarantees maximum bandwidth to the nodes communicating
at any time, but has the downside of occupying the channel permanently while the connection is set
up.

What is packet switching?


The communication stream is split into packets and transferred. Downside: Packets need to be
created, splitting must happen. Advantage: No wasted bandwidth if no packets are created. The
channel can be used by someone else meanwhile.

Link layer

What's the purpose of the link layer?


Ensuring direct transport between two nodes next to each other.

What is LLC?
Logical link control. This is the part of the link layer which takes the packets from the network
layer and encapsulates them into Ethernet frames. Packet → Frame

What is MAC?
Media Access Control. This is the part of the link layer which defines how frames from the LLC are
transferred from one network interface to the other. Frame → Signal!

What were the basic ideas of Ethernet?


• Shared cable (to reduce wiring cost)

• Decentralized

• Random access

What is CSMA/CD?
Carrier Sense Multiple Access / Collision Detection. This is the way the MAC protocol handles
frame collisions on the shared cable when two nodes are randomly accessing it.

How does CSMA/CD work?


If no one is sending, start sending and meanwhile listen for collisions. If a collision occurs, notify the
other(s) using a jam signal, wait some time and retry.


Why is CSMA/CD (usually) no longer needed?


Because nowadays switches isolate each Ethernet connection. They do not send every packet
immediately to all their ports. Also: Full-Duplex connections are used.

Why are MAC addresses and IP addresses used at the same time?
Because IP addresses make routing, and with it communicating with the whole world, possible.

What is the difference between a hub and a switch?


Hubs just read the electrical signals on their ports and repeat them on all their ports. A switch
analyzes the LLC information of a frame and forwards it only to ports which can make use of it.

What is the SAT?


Source address table. Every switch maintains a table of MAC addresses per port. Every node that
sends a frame is added to the table. If the desired node is not in the table, the switch broadcasts the
frame to every port.
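The SAT described above, as an added Python example that is not part of the original question collection: a minimal learning switch fills its table from the source address of every frame, forwards frames to known destinations on exactly one port and floods the rest. The port count, the table capacity and the MAC addresses in demo() are constructed; the occupancy() check is the kind of value a monitoring system would watch to notice a table filling up abnormally fast.

```python
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Switch with `num_ports` ports and a SAT limited to `sat_capacity` entries."""

    def __init__(self, num_ports: int, sat_capacity: int = 1024) -> None:
        self.num_ports = num_ports
        self.sat_capacity = sat_capacity
        self.sat: Dict[str, int] = {}   # MAC address -> port it was last seen on

    def learn(self, src_mac: str, in_port: int) -> bool:
        """Record the sender's MAC on the ingress port. Returns False when the table is
        full and the address cannot be stored; from then on every frame to that
        address is flooded, which is exactly the hub-like behaviour described above."""
        if src_mac in self.sat or len(self.sat) < self.sat_capacity:
            self.sat[src_mac] = in_port
            return True
        return False

    def forward(self, src_mac: str, dst_mac: str, in_port: int) -> List[int]:
        """Return the egress ports for a frame that arrived on `in_port`."""
        self.learn(src_mac, in_port)
        port: Optional[int] = self.sat.get(dst_mac)
        if dst_mac == BROADCAST or port is None:
            # Broadcast or unknown destination: flood to every port except the ingress one.
            return [p for p in range(self.num_ports) if p != in_port]
        if port == in_port:
            return []          # destination sits on the ingress segment; nothing to forward
        return [port]

    def occupancy(self) -> float:
        """Fraction of the SAT in use (0.0 .. 1.0)."""
        return len(self.sat) / self.sat_capacity


def demo() -> List[List[int]]:
    # Constructed traffic: host A on port 0 and host B on port 1, both unknown at first.
    sw = LearningSwitch(num_ports=4)
    a, b = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    first = sw.forward(a, b, in_port=0)    # B unknown -> flooded to ports 1, 2, 3
    second = sw.forward(b, a, in_port=1)   # A learned on port 0 -> [0]
    third = sw.forward(a, b, in_port=0)    # B learned on port 1 -> [1]
    return [first, second, third]


if __name__ == "__main__":
    print(demo())
```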

What's the difference between full and half duplex connections?
Full-Duplex connections can send and receive at the same time.

What is MAC Flooding?


Spam the SAT of a switch. It will react like a hub sooner or later.

What is MAC Spoofing?


Fake my sender MAC address to be the one of my target. The switch will start sending packets to
me instead of to my target as long as the target doesn't send anything.

What is the difference between Ad-Hoc networks and infrastructure networks?
Infrastructure networks contain a Wi-Fi access point to which all clients connect. Ad-Hoc networks
connect Wi-Fi clients directly with each other.


What is the hidden node problem?

Host A does not know when host B is sending and vice versa. Only AP knows of both.

What is CSMA/CA?
Carrier Sense Multiple Access / Collision Avoidance. In Wi-Fi the access point tells every node
when it is allowed to send.

How does attacking WEP basically work?


You read a lot of packets with so-called weak initialization vectors. These initialization vectors,
together with the WEP key, form the key stream which is used to encrypt the traffic. If enough packets
with weak IVs are read, the WEP key can be calculated from them.

How does attacking WPA basically work?


You capture the 4-way handshake which is done when a client connects to the Wi-Fi. Then you try
to brute-force the pre-shared key to get the same results as in the captured 4-way handshake.

How does attacking WPS basically work?


You just try every possible PIN against the router. Only works if tries are not limited somehow.

Between Link and Network Layer

What is the purpose of the network layer?


Addressing across different networks, routing! (“Connect two different LANs”)


What is ARP?
Address Resolution Protocol. This protocol finds out which MAC address corresponds to a desired
IP address. It connects the link and network layer.

What is the ARP cache?


If a request for the MAC address corresponding to an IP is resolved, the result gets stored in the client's
ARP cache. It will not ask for the MAC address again every time it needs to send a packet to that IP.

What is ARP Poisoning?


This does not target switches directly but the hosts which are connected to a switch. You place yourself
between e.g. the router and the victim by telling the victim your MAC address corresponds to the
router's IP and telling the router your MAC address corresponds to the victim's IP.

What are Gratuitous ARP messages?


ARP answers which were never asked for. This is basically what you are sending when you're trying
to do ARP Poisoning.

Network Layer – IPv4

What was the main idea when IPv4 was developed?


Move intelligence to hosts. Make routers as simple/cheap as possible. They only forward packets to
the desired host.

Important IPv4 Header fields and their use?


• Version → Obvious

• Internet Header Length → Header Length

• Total Length → Total length of the fragmented data which shall be transferred

• Identification → Packet ID (stays the same for each fragment!)

• Flags → Some flags like “Don't fragment” or “More fragments”

• Fragment Offset → Offset of current fragment relative to unfragmented packet.

• Time to Live → Nowadays: Hop Count.

• Protocol → Names the protocol which is on the next layer/handles the payload of the IP
packet.
• Header checksum → Verified by routers. Dropped if wrong

• Source IP Address

• Destination IP Address
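The header fields listed above, decoded from raw bytes, as an added Python example that is not part of the original question collection. build_ipv4_header() constructs a 20-byte header (no options) purely so the demo has something to parse; parse_ipv4_header() extracts the fields and recomputes the RFC 791 checksum the way a router does before deciding to forward or drop. All addresses, the identification value and the payload are constructed.

```python
import socket
import struct
from typing import Any, Dict

IPV4_HEADER = "!BBHHHBBH4s4s"   # fixed 20-byte part of the header, network byte order
DF, MF = 0x4000, 0x2000           # "Don't fragment" / "More fragments" bits in the flags field


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of all 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                         # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, protocol: int = 17,
                      ident: int = 0x1234, ttl: int = 64, flags: int = 0,
                      frag_offset: int = 0) -> bytes:
    """Constructed header with a correct checksum (IHL = 5, i.e. no options)."""
    ihl = 5
    version_ihl = (4 << 4) | ihl
    total_length = ihl * 4 + payload_len
    flags_frag = flags | (frag_offset & 0x1FFF)
    hdr = struct.pack(IPV4_HEADER, version_ihl, 0, total_length, ident, flags_frag,
                      ttl, protocol, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(packet: bytes) -> Dict[str, Any]:
    """Decode the header fields and verify the checksum over the whole header."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the minimum IPv4 header")
    (version_ihl, _tos, total_length, ident, flags_frag, ttl, protocol,
     checksum, src, dst) = struct.unpack(IPV4_HEADER, packet[:20])
    version, ihl = version_ihl >> 4, version_ihl & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header")
    header = packet[:ihl * 4]
    if len(header) < ihl * 4 or total_length < ihl * 4:
        raise ValueError("length fields inconsistent with the packet")
    return {
        "version": version,
        "ihl": ihl,                                # header length in 32-bit words
        "total_length": total_length,
        "identification": ident,                   # identical for all fragments of one packet
        "dont_fragment": bool(flags_frag & DF),
        "more_fragments": bool(flags_frag & MF),
        "fragment_offset": flags_frag & 0x1FFF,    # in units of 8 bytes
        "ttl": ttl,
        "protocol": protocol,                      # 1 = ICMP, 6 = TCP, 17 = UDP
        "header_checksum": checksum,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        # summing a header that carries a correct checksum yields 0; a router drops it otherwise
        "checksum_ok": ipv4_checksum(header) == 0,
    }


def demo() -> Dict[str, Any]:
    # Constructed packet: 8 zero bytes of UDP payload, DF set, 192.168.0.1 -> 10.0.0.1
    header = build_ipv4_header("192.168.0.1", "10.0.0.1", payload_len=8, flags=DF)
    return parse_ipv4_header(header + b"\x00" * 8)


def demo_corrupted() -> bool:
    # Same header with the TTL decremented but the checksum left stale: must fail verification.
    header = bytearray(build_ipv4_header("192.168.0.1", "10.0.0.1", payload_len=8))
    header[8] -= 1                                 # byte 8 is the TTL field
    return parse_ipv4_header(bytes(header))["checksum_ok"]


if __name__ == "__main__":
    print(demo())
    print("stale checksum accepted:", demo_corrupted())
```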

What is an IP subnet?
Every IP address consists of a network and a host part. The size of these parts is specified by the subnet
mask or CIDR number. Hosts sharing the same subnet do not need a router to communicate. They
can use the link layer instead. Routers can connect different subnets.

Specify the subnet mask for the IP 192.168.0.1 with 192.168.0.0 as the network and 1 as the host. How
many hosts can communicate with each other in that network?
255.255.255.0 or CIDR number 24 (= number of set bits).
Normally 256, but 192.168.0.0 is reserved as the network address and 192.168.0.255 as the broadcast
address, so 254.
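The calculation above, carried out for any IPv4 address and prefix, as an added Python example that is not part of the original question collection. subnet_info() derives the mask from the number of set bits, computes the network part with a bitwise AND, cross-checks it against the standard library and counts the usable hosts; it also covers the /31 and /32 cases, which the question does not ask about. same_subnet() answers the "do these two hosts need a router" question from the previous answer.

```python
import ipaddress
from typing import Any, Dict


def subnet_info(address_with_prefix: str) -> Dict[str, Any]:
    """Describe the IPv4 subnet an address belongs to, e.g. '192.168.0.1/24'."""
    iface = ipaddress.ip_interface(address_with_prefix)
    if iface.version != 4:
        raise ValueError("IPv4 addresses only")
    net = iface.network
    prefix = net.prefixlen
    # The mask is `prefix` set bits followed by zeros; the network part is address AND mask.
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network_int = int(iface.ip) & mask
    if network_int != int(net.network_address):
        raise AssertionError("manual mask arithmetic disagrees with ipaddress")
    if prefix <= 30:
        usable = net.num_addresses - 2   # minus the network and the broadcast address
    else:
        usable = net.num_addresses       # /31 point-to-point links (RFC 3021) and /32 single hosts
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "set_bits": bin(mask).count("1"),   # equals the CIDR number
        "broadcast": str(net.broadcast_address),
        "host_part": int(iface.ip) - network_int,
        "usable_hosts": usable,
    }


def same_subnet(a: str, b: str) -> bool:
    """Hosts sharing the network part reach each other over the link layer;
    anything else has to be handed to a router."""
    return ipaddress.ip_interface(a).network == ipaddress.ip_interface(b).network


if __name__ == "__main__":
    print(subnet_info("192.168.0.1/24"))
    print(same_subnet("192.168.0.1/24", "192.168.1.5/24"))
```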

What are private IP networks?


The IP ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 are reserved for private use in LANs and
not routed on the Internet.

What is NAT?
Network Address Translation. This technique is implemented by routers which are connected to the
Internet in order to share that connection with all their clients on the LAN. The router rewrites the
source IP address and port to its own and rewrites the answer packets before transmitting them to
the client again. A remote server only sees the router communicating with it.

What is the MTU?


Maximum Transmission Unit. This number defines the maximum number of bytes which can be
transferred by the data link. Hosts or routers can fragment IP packets as long as the "Don't
fragment" bit is not set in the flags. Reassembly is usually done at the receiving host.

What is MTU Path Discovery?


It makes sense to fragment IP packets only once for the whole path, to save resources.
To know the right MTU, so-called MTU Path Discovery is used. Hosts send IP packets to the
desired host with the "Don't fragment" flag set and different MTUs. By trial and error they find out
the best MTU they can use.


What is ICMPv4?
Internet Control Message Protocol Version 4. It is used to send error and other information about IP
connections using IP messages.

What is IP Unicasting?
One-to-One connection.

What is IP Multicasting?
One-to-Some connection. Send data to interested receivers.

What is IP Broadcasting?
One-to-All connection. Send data to all receivers on the subnet.

What is IP Anycasting?
One-to-Closest connection. Send data to the closest host with that IP. This is used for load
balancing.

What is BGP?
Borderless Gateway Protocol. Used by ISPs to specify routes to be used by their hardware.

Network Layer – IPv6

Why is IPv6 going to be used?


Because we run out of IPv4 addresses and want to leave some problems of IPv4 behind.

Important IPv6 header fields and their use?


• Version → Obvious

• Flow Label → Identifies streams. Routers can choose one route per stream to avoid
reordering on the receiver side
• Payload Length → Total Length of IPv4

• Next Header → Protocol Header of IPv4

• Hop Limit → (TTL of IPv4)


What are the major differences of IPv6 to IPv4?


• Next Header can specify further IPv6 header data, not only other protocols. The last Next
Header in such a chain must be the underlying protocol.
• Routers never fragment. Clients must either support MTU Path Discovery or use the
minimum required MTU of 1280 for IPv6.
• IP header checksum was removed

• No broadcast address any more. Only Multicast addresses.

What are the rules of IPv6 notation?


128 bits as hexadecimal numbers, separated by : into 8 × 16-bit pieces.
A run of consecutive zero blocks can be abbreviated with ::, like:
201a::0945:daa2:5eff:fe8e:e553
If addressing via IP and port is needed:
https://[201a::945:daa2:5eff:fe8e:e553]:443
IP subnets are noted using CIDR:
2001:0db8:1234::/48
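The notation rules above, implemented as an added Python example that is not part of the original question collection. expand_ipv6() undoes the :: abbreviation and validates the groups, compress_ipv6() produces the canonical RFC 5952 form (lowercase, no leading zeros, longest zero run collapsed, first run on a tie), with_port() adds the bracket syntax, and scope() classifies an address using the prefixes from the answers further down this page (the unique local range fc00::/7 is an assumption added here, not taken from the page). Results are cross-checked against the standard library.

```python
import ipaddress
import re
from typing import List

_GROUP = re.compile(r"[0-9a-fA-F]{1,4}")


def _groups(part: str) -> List[int]:
    """Parse 'a:b:c' into integers; strict about hex digits (int() alone would accept '+1' or ' 1')."""
    if part == "":
        return []
    out = []
    for g in part.split(":"):
        if not _GROUP.fullmatch(g):
            raise ValueError(f"invalid hex group {g!r}")
        out.append(int(g, 16))
    return out


def expand_ipv6(text: str) -> List[int]:
    """Return the eight 16-bit groups of a textual IPv6 address, undoing a single '::'."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in text:
        head, tail = text.split("::")
        head_groups, tail_groups = _groups(head), _groups(tail)
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + [0] * missing + tail_groups
    else:
        groups = _groups(text)
    if len(groups) != 8:
        raise ValueError("an IPv6 address has exactly 8 groups")
    return groups


def compress_ipv6(groups: List[int]) -> str:
    """Canonical text form: lowercase hex without leading zeros, and the longest run of
    two or more zero groups replaced by '::' (the first such run wins a tie)."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexs = [format(g, "x") for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def canonical(text: str) -> str:
    return compress_ipv6(expand_ipv6(text))


def with_port(text: str, port: int, scheme: str = "https") -> str:
    """Brackets keep the address's own colons apart from the port separator."""
    return f"{scheme}://[{canonical(text)}]:{port}"


def in_subnet(text: str, cidr: str) -> bool:
    return ipaddress.IPv6Address(canonical(text)) in ipaddress.IPv6Network(cidr)


# Scopes as prefixes; ::1/128, fe80::/10 and 2000::/3 are from the answers on this page,
# fc00::/7 (unique local) is an assumption added for completeness.
SCOPES = [
    ("loopback", ipaddress.IPv6Network("::1/128")),
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("unique-local", ipaddress.IPv6Network("fc00::/7")),
    ("global", ipaddress.IPv6Network("2000::/3")),
]


def scope(text: str) -> str:
    addr = ipaddress.IPv6Address(canonical(text))
    for name, net in SCOPES:
        if addr in net:
            return name
    return "other"


if __name__ == "__main__":
    print(canonical("201a:0000:0000:0945:daa2:5eff:fe8e:e553"))
    print(with_port("201a::0945:daa2:5eff:fe8e:e553", 443), scope("fe80::1"))
```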

What are IPv6 address scopes?


One network interface can be available via multiple IPv6 addresses with different scopes:
• Global: Globally valid, routed via Internet.

• Unique Local: Valid in small private subnets.

• Link Local: Valid on the local network. (Not routable!)

What is the Loopback address in IPv6?


::1/128

What is the mandatory Link Local Address in IPv6?


fe80::/10
These addresses are not routable, but can be used to communicate inside a LAN.

What is the IP range reserved for global use up to now in IPv6?
2000::/3


What is NDP?
Neighbor Discovery Protocol. Replaces ARP of IPv4 and provides auto configuration of addresses
(SLAAC).

What is SLAAC?
Stateless Address Auto Configuration. A mechanism of NDP to configure IPv6 addresses. An
interface can obtain an IPv6 address without a router/server. The interface derives a link local
address from its MAC address and checks for potential duplicates on the network. After that it tries to
get another IPv6 address with a greater scope from a local router.

Transport Layer

What's the main purpose of the transport layer?


Providing data channels for different applications on the same host. Applications are distinguished
using ports. These can be compared to the doors of a block of flats, if the real world post address is
compared to the IP address.

What are other purposes of the transport layer which are not implemented by every protocol which
implements the transport layer?
• Reliability → Error detection and packet reordering.

• Flow Control and Congestion Avoidance

What are the two most famous protocol implementations of the transport layer? What are the
main differences between them?
TCP (= Transmission Control Protocol) and UDP (= User Datagram Protocol).
TCP is connection-oriented, UDP is not. TCP is reliable, but "heavyweight". UDP is lightweight,
but unlike TCP does not provide congestion control, ordered delivery, error detection or
retransmission.

What are the header fields of UDP?


• Source Port

• Destination Port

• Total Length (Payload + Header)

• Checksum (Header + Data)

What's a UDP reflection attack?


An attacker sends UDP requests with the source address set to the victim's IP address. The UDP
answers will be directed to the victim's IP address.

What are the header fields of TCP?


• Source Port

• Destination Port

• Sequence Number (For reordering support)

• Acknowledge Number (For retransmit support)

• Data Offset (because of variably sized options)

• Flags (Connection Setup/Teardown, Acknowledgement)

• Window Size (Flow Control Mechanism, Indicates how many bytes the sender is allowed to
send without overloading the receiver.)
• Checksum (Header + Data)

What is Port scanning?


One way to scan for open TCP ports works by sending a SYN message to every port. If the port is
open, the host will answer with SYN-ACK; if it is closed it will answer with RST.

What is SYN Flooding?


An attacker sends a lot of SYN messages to a host. The host answers with SYN-ACK and allocates
a lot of memory, but the attacker stays silent. This way the host runs out of memory.

How does error handling in TCP work?


It is the sender's task to detect whether something got lost or not. The receiver sends ACK messages
containing the acknowledgement number of the last byte up to which it received everything
correctly. The sender will retransmit all data beginning with the last acknowledged byte + 1 if a
corresponding ACK is not received within a certain time.

How does flow control in TCP work?


The sender will send as many bytes (also multiple packets) as allowed by the window size before
actually waiting for an ACK message. The receiver tells the sender the window size to use in its
ACK messages.


How does congestion control in TCP work?


If the network is overloaded, routers drop packets. So they don't get transmitted and no ACK
messages come back. The sender maintains a congestion window which increases if ACKs are
received and decreases if no ACK is received / retransmission happens.
This window is maintained by the TCP stack of the sender, not by the protocol header!

HTTP

What is the HTTP GET method used for?


Receive headers and content from the server.

What is the HTTP POST method used for?


Non-idempotent writes to the server → Sending the same request twice will change things twice
and lead to two changes on the server.

What is the HTTP PUT method used for?


Idempotent writes to the server → Sending the same request twice will NOT lead to two changes on
the server, but only to the same change/will have the same output.

What is the HTTP CONNECT method used for?


Use an HTTP proxy as TCP packet forwarder/proxy. This is also used by clients of HTTP proxies to
access HTTPS websites.

What is the HTTP HEAD method used for?


Same as GET, but only retrieves headers.

What is the HTTP OPTIONS method used for?


Receiving the methods a server provides for a supplied resource.

What is the HTTP TRACE method used for?


Debugging. It echoes the request.

What's the basic structure of an HTTP request?


GET /path.html HTTP/1.0<CR><LF>
HeaderKey: HeaderValue<CR><LF>
AnotherHeaderKey: HeaderValue<CR><LF>
<CR><LF>

What's the basic structure of an HTTP response?


HTTP/1.0 200 OK<CR><LF>
Content-Type: text/html; charset=utf-8<CR><LF>
Content-Length: 15824<CR><LF>
AnotherHeader: AnotherValue<CR><LF>
<CR><LF>
Content ASDF FDSA
<CR><LF>

What is Chunked Encoding?


This enables the server to stream data of which it does not know the total length yet. The Content-
Length header is omitted and every chunk in the content is preceded by its chunk length.
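The request/response structure from the two preceding answers and the chunked encoding just described, handled by one small parser, as an added Python example that is not part of the original question collection. parse_http_message() splits a message at the empty line, decode_chunked() walks the "hex length CRLF data CRLF" chunks up to the zero-length chunk, and message_body() picks the framing the headers announce while refusing a message that carries both Content-Length and Transfer-Encoding: chunked (RFC 7230 forbids the combination, and guessing is what gets parsers into trouble). The two sample messages are constructed; the second reuses the content of the response example above.

```python
import re
from typing import Dict, Tuple

CRLF = b"\r\n"
_HEX = re.compile(rb"[0-9a-fA-F]+")
_DEC = re.compile(r"[0-9]+")


def parse_http_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a request or response into (start line, headers, raw body).
    Header names are case-insensitive, so they are stored lower-cased."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no empty line terminating the header block")
    lines = head.split(CRLF)
    start_line = lines[0].decode("ascii")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line {line!r}")
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    return start_line, headers, body


def decode_chunked(body: bytes) -> bytes:
    """Undo chunked transfer encoding: '<hex size>[;ext]CRLF<data>CRLF ... 0CRLF CRLF'."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(CRLF, pos)
        if end < 0:
            raise ValueError("truncated chunk size line")
        size_field = body[pos:end].split(b";")[0].strip()   # chunk extensions are ignored
        if not _HEX.fullmatch(size_field):
            raise ValueError(f"bad chunk size {size_field!r}")
        size, pos = int(size_field, 16), end + 2
        if size == 0:
            return bytes(out)                  # last chunk; optional trailers would follow
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != CRLF:
            raise ValueError("chunk truncated or not CRLF-terminated")
        out += chunk
        pos += size + 2


def message_body(headers: Dict[str, str], body: bytes) -> bytes:
    """Frame the body the way the headers say; refuse ambiguous framing instead of guessing."""
    chunked = "chunked" in headers.get("transfer-encoding", "").lower()
    length = headers.get("content-length")
    if chunked and length is not None:
        raise ValueError("both Transfer-Encoding: chunked and Content-Length present")
    if chunked:
        return decode_chunked(body)
    if length is not None:
        if not _DEC.fullmatch(length):
            raise ValueError("Content-Length is not a non-negative integer")
        n = int(length)
        if len(body) < n:
            raise ValueError("body shorter than Content-Length")
        return body[:n]
    return body                                # no framing: body ends with the connection


# Constructed sample messages.
CHUNKED_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                    b"Transfer-Encoding: chunked\r\n\r\n"
                    b"5\r\nHello\r\n7;note=x\r\n, World\r\n0\r\n\r\n")
LENGTH_RESPONSE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                   b"Content-Length: 17\r\n\r\nContent ASDF FDSA\r\n")


def body_of(raw: bytes) -> bytes:
    _start, headers, body = parse_http_message(raw)
    return message_body(headers, body)


if __name__ == "__main__":
    print(body_of(CHUNKED_RESPONSE))
    print(body_of(LENGTH_RESPONSE))
```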

What is HTTP Keep Alive?


One TCP connection is used for multiple requests instead of just one.

What is REST?
Representational State Transfer. APIs are called RESTful if they use HTTP requests for
communication.

Why do we need HTTP/2?


Because HTTP/1.1 has limitations in parallelism and a high protocol overhead.

What is Server Push of HTTP/2?


The server can send data, which the client has not yet requested.

What is AJAX?
Asynchronous JavaScript and XML. A technique which makes the client browser request content
dynamically (without user interaction).

What is COMET?
AJAX with so-called "long polling". The server does not answer until it has finished something.
This was used by servers to notify clients about asynchronous events before HTTP/2 Server
Push and WebSockets.


What are WebSockets?


WebSockets upgrade an HTTP connection to a bidirectional connection. This can also be used by the
server to inform the client about asynchronous events.

What is HTML5 postMessage?


An asynchronous messaging pipeline/system which can be used by HTML5 website
windows/iframes to interact with each other. This would normally not be possible because of SOP
(=Same Origin Policy). The system also provides information about the sender and receiver of
messages. Always check them. Not doing so leads to security problems! Any included code could
inject messages into the system!

What are HTTP sessions?


The HTTP protocol is basically stateless. Users are (re-)identified using Session IDs. They are a
temporary key to the users resources. Whoever has the session key has access to the resource.

Why is it a bad idea to store the session key in the URL?
• Web servers log requests

• Users copy URLs

• Browser history

• The Referer header would expose the session key to the next page

What are HTTP cookies?


Set by server using the HTTP header “Set-Cookie” in the response. The client stores that cookie and
sends it back to the server when revisiting that domain.

What are bearer tokens?


They implement the Session ID cookie in a better way:
• They overcome domain limitations, which makes Single Sign on Systems easier to
implement.
• They can contain meta data of the user.

• They can be signed by the server. (Server Authenticity and Integrity)


Web technologies

What is SOP?
Same Origin Policy. Documents can only include stuff from the same Origin if this header is set by
the web server. An Origin consists of the Scheme, Host, Port triple. In practice it is hard to use that
feature, because of the inclusion of remote APIs (Maps, Dropbox, Facebook).

What is the default setting of the SOP?


Requests to other origins are allowed for img, script, iframe and all other remaining tags. Only
direct DOM access to other windows and AJAX Requests to other origins are not allowed.

What is JSONP?
JSON with Padding. By default AJAX requests to other domains are not allowed. What can be
done is loading a whole JavaScript file in a script tag. To return an object this way, the data is
padded with a function call. This function must already be available on the website. E.g.:
<script type="text/javascript" src="http://domain.com/Users/1234"></script>
returns:
parseResponse(
{
"Name": "Foo",
"Id": 1234,
"Rank": 7
}
)
The function will be called and can store the data.

What is the security issue of JSONP?


A cookie which is set for account.example.com contains session info.
An attacker at evil.com can request the data at account.example.com, because the browser will use
the cookie containing the session info for that request. So any info exposed by a JSONP API must
be considered as public.

What is CORS?
Cross Origin Resource Sharing. A mechanism to define which origins are allowed to make AJAX
requests to specified other origins.

How does CORS typically work? What is its main purpose?
When an AJAX request to a remote origin is initiated, the user's browser will automatically set the
Origin header field in its request. The server in turn needs to check that field and decide whether
this origin is allowed to request the data or not. Its main purpose is securing APIs on the server
side.
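The server-side check just described, as an added Python example that is not part of the original question collection. normalize_origin() reduces the Origin value to the scheme/host/port triple from the SOP answer above and rejects anything that is not a bare origin, and cors_headers() answers only for origins on an allowlist, echoing that exact origin rather than a wildcard (a wildcard is not usable together with credentials) and adding Vary: Origin so shared caches do not serve one origin's answer to another. The allowlist and the methods offered in the preflight branch are constructed.

```python
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed allowlist; a real deployment loads it from configuration.
ALLOWED_ORIGINS: Set[str] = {"https://app.example.com", "https://admin.example.com:8443"}


def normalize_origin(origin: str) -> Optional[str]:
    """Canonical 'scheme://host[:port]' for a well-formed Origin value, else None.
    A serialized origin has no path, query, fragment or userinfo; default ports are dropped."""
    try:
        parts = urlsplit(origin)
        port = parts.port                  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_headers(request_headers: Dict[str, str], allowed: Set[str] = ALLOWED_ORIGINS,
                 with_credentials: bool = True) -> Dict[str, str]:
    """Decide the CORS response headers for one request from its Origin header."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}                          # same-origin or non-browser client: nothing to add
    if normalize_origin(origin) not in allowed:
        return {}                          # unknown origin: the browser blocks the cross-origin read
    headers = {
        "Access-Control-Allow-Origin": origin,   # echo the exact allowed origin, never '*' here
        "Vary": "Origin",                        # caches must key their copy on Origin
    }
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    if request_headers.get("Access-Control-Request-Method"):   # preflight (OPTIONS) request
        headers["Access-Control-Allow-Methods"] = "GET, POST"
        headers["Access-Control-Max-Age"] = "600"
    return headers


if __name__ == "__main__":
    print(cors_headers({"Origin": "https://app.example.com"}))
    print(cors_headers({"Origin": "https://app.example.com.evil.test"}))
```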

What is CSP?
Content Security Policy. SOP only makes it possible to restrict outgoing connections on the client side.
JavaScript injection is still possible. The server sets a CSP header field which defines what the
client is allowed to do. It can prohibit loading scripts, images and other tags from origins other than
the defined ones.

What is Session Fixation?


1. Attacker signs in on Website.
2. Server returns session ID.
3. Attacker tricks victim into opening link with that session ID already set.
4. Victim also logs in.
5. Server does not set a new session ID, but uses the one supplied by the attacker and logs
victim in on that ID.

Which possibilities does an attacker have when trying to do Session Hijacking?
• Prediction → If weak sources of randomness are used for the session ID

• Brute Force → If a small key space is used for the session ID

• Sniffing → Possibly the largest attack vector:

◦ Any kind of MITM attacker

◦ Trying to receive cookie information somehow

What is XSS?
Cross Site Scripting. The attacker tries to inject JavaScript code into the user's browser, e.g. by
authoring content on a dynamic page which the user will later request/read.

What are the three main XSS types?


• Persistent XSS → Attacker manages to store some code which will be shown to all users on
the server.
• Reflected XSS → Injected code is part of the request URL which will be displayed
(= reflected) on the page. This URL can be sent to specific victims.

• DOM-based XSS → Injection into the DOM on the client side.

What is CSRF/XSRF?
Cross Site Request Forgery. The victim is currently authenticated at mybank.com. The attacker
tricks the victim into opening the URL https://mybank.com/send?amount=1000&acct=attacker

How can CSRF be mitigated?


The server sets a CSRF token in a form field or in the cookie when it sends a page. This token
must be included and is only valid for the next request from the client.
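The server-side pieces behind three of the answers above, as one added Python example that is not part of the original question collection: session IDs drawn from the operating system's CSPRNG with a 256-bit key space (against the prediction and brute-force vectors listed under Session Hijacking), a login that always mints a fresh session ID and discards whatever ID the client arrived with (against Session Fixation), and the CSRF token just described, bound to the session with an HMAC and accepted exactly once. The server key, the user names and the planted session ID in demo() are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set


def new_session_id() -> str:
    """256 random bits from the OS CSPRNG: not predictable and not brute-forceable."""
    return secrets.token_urlsafe(32)


class SessionStore:
    """Server-side sessions keyed by session ID (in-memory, constructed for the demo)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Dict[str, str]] = {}

    def login(self, supplied_sid: Optional[str], user: str) -> str:
        """Mint a fresh ID on every login. An ID the client already carried, which a third
        party may have planted, is dropped, so it can never become the logged-in session."""
        if supplied_sid is not None and supplied_sid in self.sessions:
            del self.sessions[supplied_sid]
        sid = new_session_id()
        self.sessions[sid] = {"user": user}
        return sid


class CsrfProtector:
    """Per-request CSRF tokens: issued with a page, tied to the session via HMAC,
    and valid for exactly one following request."""

    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        self._outstanding: Dict[str, Set[str]] = {}   # session id -> unspent tokens

    def _mac(self, session_id: str, nonce: str) -> str:
        return hmac.new(self._key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()

    def issue(self, session_id: str) -> str:
        nonce = secrets.token_hex(16)
        token = f"{nonce}.{self._mac(session_id, nonce)}"
        self._outstanding.setdefault(session_id, set()).add(token)
        return token

    def verify(self, session_id: str, token: str) -> bool:
        nonce, dot, mac = token.partition(".")
        if not dot:
            return False
        if not hmac.compare_digest(self._mac(session_id, nonce), mac):   # constant-time compare
            return False
        issued = self._outstanding.get(session_id, set())
        if token not in issued:
            return False                       # never issued for this session, or already spent
        issued.discard(token)                  # single use: only the next request may carry it
        return True


def demo() -> Dict[str, bool]:
    store = SessionStore()
    planted = "attacker-chosen-session-id"     # constructed: an ID the client arrived with
    sid = store.login(planted, "alice")
    csrf = CsrfProtector(server_key=b"constructed-server-key-rotate-me")
    token = csrf.issue(sid)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    return {
        "fresh_session_on_login": sid != planted,
        "token_accepted_once": csrf.verify(sid, token),
        "replay_rejected": csrf.verify(sid, token),            # same token again
        "other_session_rejected": csrf.verify(store.login(None, "bob"), csrf.issue(sid)),
        "tampered_rejected": csrf.verify(sid, tampered),
    }


if __name__ == "__main__":
    print(demo())
```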

TLS

What is a TLS Handshake?


The setup of a TLS connection.

In some more detail, this typically works by some scheme like Diffie-Hellman. Both parties
calculate a "pre master secret" out of their private keys and some publicly transmitted information.
This "pre master secret" never gets transmitted, but can be used by both parties to encrypt traffic as
both know it.

What is an X.509 certificate?


Contains the public key and the domain for which it is valid. This info gets hashed and signed by a
so-called Certificate Authority. The whole certificate is supplied by the server to the client during
the TLS handshake. The client can verify this signature because it has already got the public key of
the Certificate Authority in its local trust store. This initial source of trust comes from e.g. the
installation of the browser.

What is a cipher suite?


A cipher suite defines which algorithms are used for specific tasks of the TLS handshake:
• Key exchange

• Authentication

• Hash function / Message Authentication Code (=MAC)

• Encryption algorithm & Key Size.

There is a special order notation for such cipher suites:


1. Key Exchange
2. Authentication
3. Bulk Cipher
4. MAC

Demystify the following cipher suite name:


TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256

• TLS_ECDH is the key exchange part → Elliptic Curve Diffie-Hellman

• RSA is the authentication part

• AES_128_GCM is the cipher used for encryption → AES 128 bit in Galois Counter Mode

• SHA256 is the used MAC / hash function

What is an ephemeral key exchange (DHE or ECDHE)?


This means that it is not possible to calculate the pre master secrets used to encrypt data when one
of the private keys gets compromised after some years. The pre master secrets are used to negotiate
temporary keys which are never saved and just used one time.

What is PFS?
Perfect forward secrecy. A cipher suite has perfect forward secrecy support if it uses an ephemeral
key exchange algorithm. This means that if a TLS connection is captured by an evil third party and
this evil third party has access to a private key later on, it is still not able to decrypt the
communication. The key exchange algorithm agreed on some temporary key for encrypting the
communication, which was never stored.
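The cipher suite demystification and the PFS question above, mechanized as an added Python example that is not part of the original question collection. parse_cipher_suite() splits an IANA-style name in the order listed (key exchange, authentication, bulk cipher, MAC/hash) and flags forward secrecy whenever the key exchange is one of the ephemeral variants; it also handles names without a key exchange part, as TLS 1.3 suites have, where the exchange is always ephemeral (EC)DHE. assess() turns that into the review notes a defender wants when choosing which suites to enable. The set of weak ciphers and the wording of the notes are this example's own choices.

```python
from typing import Any, Dict, List

EPHEMERAL = {"DHE", "ECDHE", "DHE_PSK", "ECDHE_PSK"}   # key exchange methods with forward secrecy
AEAD_MODES = {"GCM", "CCM", "CCM_8", "POLY1305"}
WEAK_CIPHERS = {"NULL", "RC4", "DES", "3DES"}


def parse_cipher_suite(name: str) -> Dict[str, Any]:
    """Split a cipher suite name into key exchange, authentication, bulk cipher and MAC/hash."""
    if not name.startswith("TLS_"):
        raise ValueError("not a TLS cipher suite name")
    body = name[len("TLS_"):]
    tls13 = "_WITH_" not in body
    if tls13:
        # TLS 1.3 names such as TLS_AES_128_GCM_SHA256 carry only cipher and hash; the key
        # exchange is negotiated separately and is always ephemeral (EC)DHE.
        kx, auth, rest = "(EC)DHE, negotiated separately", "certificate, negotiated separately", body
    else:
        kx_auth, _, rest = body.partition("_WITH_")
        first, sep, remainder = kx_auth.partition("_")
        if not sep:
            kx, auth = first, first            # e.g. "RSA": RSA both exchanges the key and authenticates
        elif remainder == "PSK":
            kx, auth = kx_auth, "PSK"          # e.g. "ECDHE_PSK"
        else:
            kx, auth = first, remainder        # e.g. "ECDH_RSA", "ECDHE_ECDSA", "DH_anon"
    tokens = rest.split("_")
    mac = tokens[-1]
    cipher_tokens = tokens[:-1]
    key_size = next((int(t) for t in cipher_tokens if t.isdigit()), None)
    mode = "_".join(t for t in cipher_tokens[1:] if not t.isdigit()) or None
    return {
        "key_exchange": kx,
        "authentication": auth,
        "cipher": cipher_tokens[0],
        "key_size": key_size,
        "mode": mode,
        "mac_or_hash": mac,                    # for AEAD suites this names the PRF hash, not an HMAC
        "aead": mode in AEAD_MODES,
        "pfs": tls13 or kx in EPHEMERAL,
    }


def assess(name: str) -> List[str]:
    """Review notes for one suite: what a configuration reviewer would flag."""
    s = parse_cipher_suite(name)
    notes = []
    if not s["pfs"]:
        notes.append("no forward secrecy: a later private key compromise exposes recorded traffic")
    if s["cipher"] in WEAK_CIPHERS:
        notes.append(f"weak or missing encryption: {s['cipher']}")
    if not s["aead"]:
        notes.append("not an AEAD suite: separate MAC, typically a CBC construction")
    if s["mac_or_hash"] in ("MD5", "SHA"):
        notes.append(f"legacy hash: {s['mac_or_hash']}")
    if s["authentication"] == "anon":
        notes.append("anonymous key exchange: the server is not authenticated at all")
    return notes


if __name__ == "__main__":
    print(parse_cipher_suite("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"))
    print(assess("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"))
```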


What is HSTS?
HTTP Strict Transport Security.
The server can set an HSTS header field in a response. If a client reads this field it will not connect to
that domain without HTTPS any more in the future.

What is HSTS preloading?


If the attacker has control over the initial HTTP request he can just strip the HSTS header from the
response.
Preloading prevents this, by installing lists of domains which support HSTS during the browser
installation, just like the root certificates of CAs.

How does a MITM attack work on HTTPS?


The attacker receives the victims TLS request, generates a (maybe even valid in some cases)
certificate for that domain and supplies it to the victim. He is in turn able to read the complete
request of the victim as the victim communicates to the attacker (instead of the real site) via TLS.

What is HPKP?
HTTP Public Key Pinning. The server sends an HTTP header containing its public key. This is also a
"trust after first use" system like HSTS. The browser stores the pinned key supplied in the header. If the
browser detects that the stored key is not the same as the one supplied in the certificate, it will not
connect to the server.

What is SSLStrip?
A victim initially connects to http://domain.com and would normally be redirected to
https://domain.com. The attacker detects that, connects to https://domain.com itself and supplies it
to the victim as http://domain.com. He is then able to read the communication of the victim and the
server.

DNS

What is DNS?
Domain Name System. This is used for resolving IPs for domain names.

What are the key features of DNS?


• Decentralized → No single point of failure

• Distributed Control → Domain owners can change the settings themselves

• Fault tolerance → Robust against attacks

How is the distributed control realized for DNS?


DNS has a tree structure. E.g. the top level domain at. delegates administration of *.tugraz.at to the
server at the IP which is stored for tugraz.at.
The hierarchical namespace is therefore broken into so-called "zones".

Which protocol is used by DNS?


UDP, because it spares the TCP connection setup/teardown.

What are DNS root servers?


They are reachable at e.g. a.root-servers.net, b.root-servers.net...
Their IP is placed in a root hints file in DNS servers to bootstrap the DNS system. This file can be
updated by an administrator.

What is a TLD?
Top Level Domain. These are servers at the highest level of the DNS system, e.g. at, com, org, de.

What is a DNS Resource Record?


The DNS system can store various IP addresses and other information per domain for different
protocols. The desired resource record tells the system which information to return. E.g. MX-
Record for domain of mail server, A-Record for IPv4, AAAA-Record for IPv6.

What's the difference between an authoritative name server and a non-authoritative name server?
An authoritative name server is responsible for a zone. It can make changes to the name resolution.
A non-authoritative name server is responsible for resolving information for a domain iteratively or
recursively.

What is the difference between iterative and recursive name resolution?
An iterative resolver asks the root servers for the IP of the desired TLD, then asks the TLD server for
the IP of the desired zone, and so on.
A recursive resolver asks the next resolver to do the work for it. If this next one is also a
recursively working resolver it will also ask the next resolver and so on, until an iterative resolver or
the root servers are reached.
Responses are often stored in caches of resolver servers.

Does a Denial of Service attack work against the distributed DNS system?
In some cases it may. If the DNS server responsible for the zone tugraz.at is made unavailable, no
one will be able to connect to tugraz.at any more, but making the whole DNS system unavailable is
impossible.

What is a DNS amplification attack?


Attacker sends a lot of small DNS queries with faked source IP to a DNS server, which will reply
with a big response to the faked IP. This flood of big messages makes the target maybe unavailable
to normal users.

How does DNS cache poisoning work?


An attacker who is in a MITM position can read the DNS request and glue additional records to
the response. These additional records will get stored by the requester's cache.

