Protocols: DNS

The Domain Name System (DNS) is a fundamental component of the internet, acting as its directory service. It translates human-readable domain names, like www.example.com, into numerical IP addresses, such as 192.168.1.1, which computers use to communicate. This process is crucial for nearly every online activity, from web browsing to email.

How DNS Works: A Quick Look

DNS is a hierarchical and globally distributed system, meaning no single entity manages all domain name information. This distributed nature is key to its resilience and ability to handle the internet’s massive scale.

When you type a domain name into your browser, a multi-step process called DNS resolution begins:

  1. User Query: Your device’s operating system (stub resolver) sends a query to a recursive DNS resolver (often provided by your ISP or a public service like Google’s 8.8.8.8).
  2. Recursive Resolver to Root: If the recursive resolver doesn’t have the information cached, it queries a root nameserver.
  3. Root to TLD: The root server directs the resolver to the appropriate Top-Level Domain (TLD) nameserver (e.g., for “.com” or “.org”).
  4. TLD to Authoritative: The TLD server points the resolver to the authoritative nameserver for the specific domain.
  5. Authoritative Response: The authoritative nameserver provides the IP address (or other requested record) for the domain.
  6. Resolver to Client: The recursive resolver sends the IP address back to your device and caches it for future requests.

DNS queries can be recursive (the resolver does all the work to find the final answer) or iterative (each server refers the resolver to the next server in the chain).

Key Players in DNS Resolution:

  • Recursive Resolvers: Act as intermediaries, performing lookups on behalf of clients and caching results.
  • Root Nameservers: Sit at the top of the hierarchy, directing queries to TLD servers. There are 13 logical root IP addresses, implemented by hundreds of servers globally using Anycast routing for speed and resilience.
  • TLD Nameservers: Manage domains sharing a common TLD (e.g., all “.com” domains).
  • Authoritative Nameservers: Hold the definitive DNS records for specific domains.

Understanding DNS Records

DNS records are the actual data stored in DNS, providing various instructions. Each record typically includes a name, TTL (Time-To-Live), class (usually “IN” for Internet), type, and resource data (the actual value). Common record types include:

  • A Record: Maps a hostname to an IPv4 address.
  • AAAA Record: Maps a hostname to an IPv6 address.
  • CNAME Record: Creates an alias, pointing one domain to another.
  • MX Record: Specifies mail servers for a domain.
  • NS Record: Delegates a DNS zone to specific authoritative nameservers.
  • TXT Record: Allows administrators to associate arbitrary text, used for verification and email authentication (SPF, DKIM, DMARC).
  • SOA Record: Contains administrative information about a zone.

The Time-To-Live (TTL) is crucial, indicating how long a resolver should cache a record. Lower TTLs mean faster updates but more load on servers, while higher TTLs reduce load but slow down propagation of changes.
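To make the resolution steps and the record layout above concrete, here is an added example (not part of the original post) that builds the query a stub resolver would send for www.example.com and parses a constructed reply, showing the name/type/class/TTL/rdata fields of an A record and the name-compression pointer that answers use. The response bytes and the address 203.0.113.10 are constructed for the example, not captured from a real server.

```python
import struct

def encode_name(name):
    # 'www.example.com' -> length-prefixed labels, zero-terminated
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    # 12-byte header (RD=1, one question) followed by QNAME/QTYPE/QCLASS (IN=1)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(msg, off):
    # Decode a name at `off`, following compression pointers (0xC0xx); return (name, next offset)
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:              # pointer: jump, but remember where we left off
            end = end if jumped else off + 2
            off, jumped = ((ln & 0x3F) << 8) | msg[off + 1], True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)

def parse_response(msg):
    # Return id, flags, question tuples and answer RRs (name, type, class, TTL, rdata)
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]; off += rdlen
        if rtype == 1 and rdlen == 4:      # A record: render IPv4 as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata})
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}

# Constructed reply to build_query("www.example.com"): flags 0x8180 (QR, RD, RA), one question,
# one A answer whose owner name is a pointer to offset 12, TTL 300, 203.0.113.10 (doc range).
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
            + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
            + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10]))
```

Sending `build_query(...)` over UDP to a resolver on port 53 and feeding the reply to `parse_response` gives the same structure, with the TTL telling you how long the resolver is allowed to cache that answer.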

Speeding Things Up: DNS Caching

DNS caching temporarily stores query results closer to users, improving performance and reducing server load. Caching occurs at multiple levels:

  • Browser Cache: Stores records for a short period.
  • Operating System (OS) Cache: Holds records longer and serves all applications.
  • Recursive Resolver Cache: Maintains a large, shared cache.

Caching leads to faster resolution, reduced network traffic, and improved reliability.

DNS Insecurities and How to Address Them

The original DNS design didn’t prioritize security, leading to vulnerabilities:

  • DNS Spoofing/Cache Poisoning: Attackers inject forged DNS data into a resolver’s cache, redirecting users to malicious sites.
  • DDoS Attacks on DNS: Overwhelming DNS servers with traffic to make them unavailable. This includes DNS flood attacks and amplification/reflection attacks.
  • DNS Hijacking: Gaining unauthorized control over a domain’s DNS settings.
  • DNS Tunneling: Abusing DNS to exfiltrate data or for command-and-control channels.
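Tunneling is usually caught on the resolver side by looking at query patterns rather than individual packets. The following added example (not from the original post) scores a constructed resolver log for the classic indicators: many distinct, long, random-looking subdomains under one zone, often asking for TXT or NULL records. The log format, thresholds and the zone-splitting rule are assumptions for the example; production use needs a public-suffix list and tuning against your own baseline.

```python
import math
from collections import defaultdict

def shannon_entropy(s):
    # Bits per character; random-looking encoded data scores high, words score low
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def split_name(qname):
    # Naive split into (subdomain, zone) on the last two labels; real logs need a public-suffix list
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def detect_tunneling(log_lines, min_unique=5, min_entropy=3.5, min_label=30):
    # Group queries by zone and flag zones whose distinct subdomains are uniformly long and high-entropy
    per_zone = defaultdict(list)
    for line in log_lines:
        parts = line.split()                     # constructed format: "<ts> <client> <qname> <qtype>"
        if len(parts) != 4:
            continue
        sub, zone = split_name(parts[2])
        per_zone[zone].append((sub, parts[3]))
    findings = {}
    for zone, qs in per_zone.items():
        subs = {s for s, _ in qs if s}
        if len(subs) < min_unique:
            continue
        shortest_longest_label = min(max(len(lab) for lab in s.split(".")) for s in subs)
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if shortest_longest_label >= min_label and avg_entropy >= min_entropy:
            findings[zone] = {"unique_subdomains": len(subs), "avg_entropy": round(avg_entropy, 2),
                              "txt_or_null": sum(t in ("TXT", "NULL") for _, t in qs)}
    return findings

# Constructed resolver log: normal traffic for example.com plus six distinct, random-looking
# 40-character labels under t.example.net, all asking for TXT.
ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"
SAMPLE_LOG = [
    "10:00:01 192.0.2.10 www.example.com A",
    "10:00:02 192.0.2.10 mail.example.com MX",
    "10:00:03 192.0.2.11 api.example.com AAAA",
    "10:00:04 192.0.2.11 www.example.com A",
    "10:00:05 192.0.2.12 cdn.example.com A",
] + ["10:00:%02d 192.0.2.20 %s.t.example.net TXT" % (10 + i, ALPHABET[i:] + ALPHABET[:i] + ALPHABET[:8])
     for i in range(6)]
```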

To combat these threats, several security measures have been developed:

  • DNS Security Extensions (DNSSEC): Adds a layer of security by digitally signing DNS data, allowing resolvers to verify its authenticity and integrity. It uses records like RRSIG (signatures), DNSKEY (public keys), and DS (delegation signer, a digest of a child zone’s key published in the parent zone that links the two into a chain of trust). DNSSEC helps prevent spoofing but doesn’t encrypt queries.
  • DNS over TLS (DoT) and DNS over HTTPS (DoH): Encrypt DNS traffic to enhance privacy and security.
    • DoT uses TLS encryption over dedicated port 853.
    • DoH encapsulates DNS queries within HTTPS traffic on port 443, making it harder to distinguish from web traffic. The adoption of DoH has sparked debate regarding network visibility and control versus user privacy.
  • Protective DNS: Uses DNS services with security capabilities to block access to known malicious domains.
  • Best Practices: Include regular patching, restricting recursion on resolvers, using rate limiting, firewalls, strong authentication for management interfaces, and monitoring for anomalies. NIST provides detailed guidelines for secure DNS deployment.

The Evolving DNS Landscape

DNS has evolved from a simple name-to-address lookup into a complex system critical for service discovery, email, and security. The introduction of DNSSEC, DoT, and DoH demonstrates its ongoing adaptation to new challenges, particularly security threats. Maintaining a secure and reliable DNS requires continuous learning, adherence to best practices, and collaboration within the internet community.
