
What is DNS


Introduction

DNS stands for Domain Name System. It is a hierarchical naming system that maps domain names to IP addresses, and it plays a crucial role in the functioning of the internet. In this 30-minute guide, we will discuss the basics of DNS and how it works.

How DNS Works

When you type a URL into your web browser, it sends a request to a DNS resolver to map the domain name to an IP address. The resolver first checks its cache for an unexpired answer. If it has none, the resolver sends the query to a DNS root server. The root server does not know the final answer; it responds with a referral to the top-level domain (TLD) servers that manage the domain name's extension (for example, .com).

The resolver then sends the query to the TLD server, which responds with a referral to the authoritative name server for the domain. The authoritative name server holds the IP address for the domain name and returns it to the resolver. The resolver caches the answer for as long as the record's TTL allows and sends it to the web browser, which can then connect to the website.
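The resolution walk described above, as an added example that is not part of the original guide: a toy recursive resolver in Python that starts at the root, follows referrals through the TLD server to the authoritative server, and caches the answer until its TTL expires. The zone data, the server addresses (from the 192.0.2.0/24 documentation range) and the `ask` function that stands in for a network query are all constructed for the example.

```python
import time

# Constructed toy zone data for this walkthrough, not real DNS data. Each server is
# authoritative for one zone and knows either a delegation (child zone -> address of the
# child's name server) or the final A record for a name in its zone.
ROOT_SERVER = "192.0.2.1"
SERVERS = {
    ROOT_SERVER:  {"zone": ".",            "delegations": {"com.": "192.0.2.10"},         "records": {}},
    "192.0.2.10": {"zone": "com.",         "delegations": {"example.com.": "192.0.2.20"}, "records": {}},
    "192.0.2.20": {"zone": "example.com.", "delegations": {},
                   "records": {"www.example.com.": ("192.0.2.80", 300)}},  # (IPv4 address, TTL seconds)
}


def ask(server_ip, qname):
    """Simulate one query to an authoritative server.

    Returns ("answer", ip, ttl) when the server holds the record, ("referral", next_server_ip)
    when it delegates a child zone that covers qname, or ("nxdomain",) otherwise.
    """
    server = SERVERS[server_ip]
    if qname in server["records"]:
        ip, ttl = server["records"][qname]
        return ("answer", ip, ttl)
    # Follow the most specific delegation whose zone is a suffix of the query name.
    for child in sorted(server["delegations"], key=len, reverse=True):
        if qname == child or qname.endswith("." + child):
            return ("referral", server["delegations"][child])
    return ("nxdomain",)


class Resolver:
    """A minimal recursive resolver: cache check, then root -> TLD -> authoritative."""

    def __init__(self, clock=time.time):
        self.cache = {}      # qname -> (ip, absolute expiry time)
        self.clock = clock   # injectable so TTL expiry can be exercised without sleeping
        self.trace = []      # human-readable record of the last resolution

    def resolve(self, name):
        qname = name if name.endswith(".") else name + "."
        self.trace = []
        cached = self.cache.get(qname)
        if cached and cached[1] > self.clock():
            self.trace.append(f"cache hit: {qname} -> {cached[0]}")
            return cached[0]
        server = ROOT_SERVER
        for _ in range(8):  # bound the number of referrals followed
            reply = ask(server, qname)
            self.trace.append(f"asked {server} ({SERVERS[server]['zone']}): {reply}")
            if reply[0] == "answer":
                ip, ttl = reply[1], reply[2]
                self.cache[qname] = (ip, self.clock() + ttl)  # cache only as long as the TTL allows
                return ip
            if reply[0] == "referral":
                server = reply[1]
                continue
            return None  # NXDOMAIN: no server on the path holds the name
        raise RuntimeError("referral loop while resolving " + qname)


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.example.com"), r.trace)  # three queries: root, .com, example.com
    print(r.resolve("www.example.com"), r.trace)  # served from cache, no queries
```

The first lookup produces three queries in the trace; the second is answered from the cache; once the 300-second TTL has passed the resolver walks the hierarchy again. The `ask` function only follows delegations that are a suffix of the query name, which is the same in-bailiwick rule real resolvers apply when deciding which referral data to trust.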

[Figure: the DNS hierarchy]

DNS Records

  • A records - An A record maps a domain name to the IPv4 address of the computer hosting the domain. A client uses the domain name to find the IPv4 address of a computer connected to the internet.

  • AAAA records - DNS AAAA records map a domain name to an IPv6 address. They are exactly like A records, except that they store a domain's IPv6 address instead of its IPv4 address.

  • CNAME - The 'canonical name' (CNAME) record is used in lieu of an A record when a domain or subdomain is an alias of another domain. All CNAME records must point to a domain name, never to an IP address.

  • MX - A DNS 'mail exchange' (MX) record directs email to a mail server. The MX record indicates how email messages should be routed in accordance with the Simple Mail Transfer Protocol (SMTP, the standard protocol for all email). Like CNAME records, an MX record must always point to a domain name, never to an IP address.

  • TXT - The DNS 'text' (TXT) record lets a domain administrator publish arbitrary text in the Domain Name System (DNS). It is also the carrier for the SPF, DKIM and DMARC email-authentication policies described below.

  • NS - The DNS 'name server' (NS) record points a domain or subdomain to a DNS server. NS records delegate a DNS zone to a specific set of name servers.

  • SOA - The DNS 'start of authority' (SOA) record identifies the primary authoritative name server for a DNS zone and specifies administrative contact information for the zone.

  • SRV - The DNS 'service' (SRV) record specifies the location (host and port) of services, for example mail servers, and the protocols they support.

  • PTR - The DNS 'pointer' (PTR) record maps an IP address back to a domain name. PTR records are used in reverse DNS lookups.

  • SPF - The 'sender policy framework' (SPF) policy, published as a TXT record, is used to prevent email spoofing. It identifies which mail servers are authorized to send email for a domain.

  • DKIM - The 'DomainKeys Identified Mail' (DKIM) record, published as a TXT record under a selector name, is used to prevent email spoofing. It holds the public key that lets receivers verify that an email message was signed by the sending domain.

  • DMARC - The 'domain-based message authentication, reporting and conformance' (DMARC) policy, published as a TXT record at _dmarc.<domain>, is used to prevent email spoofing. It builds on SPF and DKIM by telling receiving servers how to handle messages that fail those checks and where to send reports.
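The constraints stated in the list above (A holds an IPv4 address, AAAA an IPv6 address, CNAME and MX targets must be names rather than addresses, PTR lives under the reverse zones, SPF and DMARC travel in TXT records) can be checked mechanically. The following validator is an added example written for this guide, not code from the original page; the record-type rules it encodes come from the list above and from RFC 1035/1123 name syntax, and the name checks are syntactic only (no lookups are performed). The `validate_record` function and its error strings are this example's own.

```python
import ipaddress
import re

# Label syntax from RFC 1035/1123: 1-63 characters, letters, digits and hyphens, no leading or
# trailing hyphen. Underscores are allowed here because service and policy names such as
# _dmarc, _sip._tcp and DKIM selectors (selector._domainkey) use them.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9_-]{1,63}(?<!-)$")


def is_hostname(value):
    """True when value is a syntactically valid domain name (trailing dot optional)."""
    labels = value.rstrip(".").split(".")
    return len(value) <= 255 and all(_LABEL.match(label) for label in labels)


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_record(rtype, name, rdata):
    """Return a list of problems; an empty list means the record is consistent with its type."""
    rtype = rtype.upper()
    problems = []
    if not is_hostname(name):
        problems.append(f"owner name {name!r} is not a valid domain name")

    if rtype == "A":
        try:
            ipaddress.IPv4Address(rdata)
        except ValueError:
            problems.append(f"A data {rdata!r} is not an IPv4 address")
    elif rtype == "AAAA":
        try:
            ipaddress.IPv6Address(rdata)
        except ValueError:
            problems.append(f"AAAA data {rdata!r} is not an IPv6 address")
    elif rtype in ("CNAME", "NS", "PTR"):
        # All three name a host; an address literal is never valid here.
        if is_ip(rdata) or not is_hostname(rdata):
            problems.append(f"{rtype} target {rdata!r} must be a domain name, not an IP address")
        if rtype == "PTR" and not name.rstrip(".").endswith((".in-addr.arpa", ".ip6.arpa")):
            problems.append(f"PTR owner {name!r} should be under in-addr.arpa or ip6.arpa")
    elif rtype == "MX":
        parts = rdata.split()
        if len(parts) != 2 or not parts[0].isdigit():
            problems.append(f"MX data {rdata!r} must be '<priority> <mail host>'")
        elif is_ip(parts[1]) or not is_hostname(parts[1]):
            problems.append(f"MX target {parts[1]!r} must be a domain name, not an IP address")
    elif rtype == "SRV":
        parts = rdata.split()
        if (len(parts) != 4 or not all(p.isdigit() for p in parts[:3])
                or is_ip(parts[3]) or not is_hostname(parts[3])):
            problems.append(f"SRV data {rdata!r} must be '<priority> <weight> <port> <target host>'")
    elif rtype == "TXT":
        text = rdata.lower()
        if name.lower().startswith("_dmarc.") and not text.startswith("v=dmarc1"):
            problems.append("TXT at _dmarc.<domain> should start with 'v=DMARC1'")
        if text.startswith("v=spf1") and not any(t in text for t in ("-all", "~all", "?all", "+all")):
            problems.append("SPF policy has no terminating 'all' mechanism")
    elif rtype in ("SPF", "DKIM", "DMARC"):
        problems.append(f"{rtype} is published inside a TXT record, not as a record type named {rtype}")
    elif rtype == "SOA":
        pass  # accepted as-is; serial and timer fields are not checked in this example
    else:
        problems.append(f"unknown record type {rtype!r}")
    return problems


if __name__ == "__main__":
    for rec in [("A", "www.example.com.", "192.0.2.1"),
                ("CNAME", "blog.example.com.", "192.0.2.1"),
                ("MX", "example.com.", "10 mail.example.com."),
                ("TXT", "_dmarc.example.com.", "v=DMARC1; p=reject")]:
        print(rec, validate_record(*rec) or "ok")
```

Running this over a zone export before publishing it catches the two mistakes that most often break mail and web delivery in practice: address literals in CNAME and MX targets, and SPF policies that never terminate with an `all` mechanism.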

DNS Hierarchy

[Figure: DNS hierarchy]

DNS Security

DNS is vulnerable to several security threats, including DNS spoofing, DNS cache poisoning, and DNS tunneling. DNS spoofing redirects traffic to a fake website by forging the DNS mapping. DNS cache poisoning plants forged records in a resolver's cache so that every client using that resolver is redirected. DNS tunneling encodes data inside DNS queries and responses to bypass firewalls and move data out of the network.

DNSSEC (DNS Security Extensions) addresses spoofing and cache poisoning: it adds digital signatures to DNS records so that a validating resolver can check that they are authentic and have not been tampered with. DNSSEC does not encrypt queries and does not stop tunneling; confidentiality is the job of the encrypted transports described below, and tunneling is detected by monitoring query patterns.
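DNS tunneling leaves a recognisable footprint in resolver logs: many queries to one domain, each with a long, random-looking subdomain that is never repeated. The following detector is an added example, not code from the original guide; the log format (`timestamp client qtype qname`), the sample lines and the thresholds are all constructed for the example, and the "registered domain is the last two labels" rule is a deliberate simplification (a real deployment would use the public suffix list).

```python
import math
from collections import defaultdict

# Constructed query log for the example (not real traffic). Format: timestamp client qtype qname.
# The example.com lines look like ordinary browsing; the example.net lines carry long,
# high-entropy, never-repeating labels, which is what encoded data inside DNS names looks like.
SAMPLE_LOG = """\
2024-01-01T10:00:01 192.0.2.50 A www.example.com
2024-01-01T10:00:02 192.0.2.50 AAAA www.example.com
2024-01-01T10:00:03 192.0.2.50 A mail.example.com
2024-01-01T10:00:04 192.0.2.50 A www.example.com
2024-01-01T10:00:05 192.0.2.51 TXT m3k9q2xv7plzd5wbr8yt4hn6gcjf0sea.p1.t.example.net
2024-01-01T10:00:06 192.0.2.51 TXT 8ajz1ewq6tnk3cvr0hlx9ydg5sb7mf2p.p2.t.example.net
2024-01-01T10:00:07 192.0.2.51 TXT c5ry9xqa2mzl0tk7hnw4jv8gs3pd6fb1.p3.t.example.net
2024-01-01T10:00:08 192.0.2.51 TXT v1ds4nbq8kxz7mta0hrj3wl6gy2pc9fe.p4.t.example.net
"""


def shannon_entropy(text):
    """Bits of entropy per character: encoded payloads score high, dictionary words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(log_text):
    """Yield (client, qtype, qname) tuples from the constructed log format."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3].rstrip(".").lower()


def tunnel_candidates(log_text, min_queries=3, min_sub_len=25, min_entropy=3.5, min_unique_ratio=0.8):
    """Return {domain: metrics} for domains whose query pattern matches the tunneling heuristics."""
    per_domain = defaultdict(lambda: {"queries": 0, "subdomains": set(), "sub_len": 0, "entropy": 0.0})
    for _client, _qtype, qname in parse_log(log_text):
        labels = qname.split(".")
        if len(labels) < 2:
            continue
        domain = ".".join(labels[-2:])   # simplification: registered domain = last two labels
        sub = ".".join(labels[:-2])      # everything the querier controls is in the subdomain
        m = per_domain[domain]
        m["queries"] += 1
        m["subdomains"].add(sub)
        m["sub_len"] += len(sub)
        m["entropy"] += shannon_entropy(sub.replace(".", ""))

    flagged = {}
    for domain, m in per_domain.items():
        n = m["queries"]
        metrics = {
            "queries": n,
            "unique_ratio": len(m["subdomains"]) / n,   # tunnels never reuse a subdomain
            "mean_sub_len": m["sub_len"] / n,           # tunnels pack as much data as labels allow
            "mean_entropy": m["entropy"] / n,           # encoded data looks random
        }
        if (n >= min_queries and metrics["unique_ratio"] >= min_unique_ratio
                and metrics["mean_sub_len"] >= min_sub_len and metrics["mean_entropy"] >= min_entropy):
            flagged[domain] = metrics
    return flagged


if __name__ == "__main__":
    for domain, metrics in tunnel_candidates(SAMPLE_LOG).items():
        print(domain, metrics)
```

The heuristics are combined with AND on purpose: CDN hostnames also have high-entropy labels, and busy domains also have many queries, but the combination of long, unique, random-looking subdomains repeated at volume is rare in benign traffic. Tuning the thresholds against a baseline of the organisation's own resolver logs is the step that turns this from an example into a detection.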

[Figure: encrypted DNS]

DNS Over TLS (DoT)

The design principle for DNS over TLS (DoT) is simple: Make no changes to the DNS message format, just move everything from UDP port 53 to TCP port 853 and add TLS encryption on top of it. Deploying DoT requires significant coordination and planning, mainly due to the need for using a new TCP port. In addition to having a DoT client and a DoT server, all network devices along the path must open TCP port 853. However, DoT offers advantages for administrators as it is easier to control and block, making it better suited for on-premises private networks.

With DoT, administrators can configure clients to automatically switch to DoT when available (called opportunistic encryption). This means DoT clients can be configured to fall back to Do53 if there is no suitable DoT server. Alternatively, the client can have a strict profile where it must send DNS communications only over DoT. If no DoT servers are available, the client will not perform any DNS resolution.

DNS Over HTTPS (DoH)

The design goal for DNS over HTTPS (DoH) from the start was to make DoH messages indistinguishable from other HTTPS messages. Using DoH is simple for most users because many web browsers and some operating systems already support it. Users can easily enable DoH on the client, point to any public DoH server on the Internet, and start using it because most networks permit outbound traffic on port 443 by default (the same port as HTTPS).

While enabling DoH is easy, routing DNS traffic this way poses significant problems for security practitioners. The main challenge is that DoH messages cannot be distinguished from other HTTPS traffic on the wire. In other words, when using DoH, DNS-specific threat activity cannot be detected, controlled, or blocked by monitoring conventional port 53 DNS traffic. In fact, this is one of the reasons why red teaming tools such as Cobalt Strike and Sliver make extensive use of DoH.
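The DoT and DoH sections both rest on one point: the DNS message itself never changes, only its transport does. The following example, added here and not taken from the original page or from any of the tools it names, builds one query in the RFC 1035 wire format and shows it carried three ways: framed with the 2-byte length prefix that DoT (RFC 7858) inherits from DNS over TCP, encoded as the `dns=` parameter of a DoH GET (RFC 8484), and as the body of a DoH POST. It also encodes the strict and opportunistic client profiles from the DoT section as a policy function. The resolver endpoint `https://dns.example/dns-query` is a placeholder, and the pure-Python helpers (`build_query`, `frame_for_tcp`, `unframe_from_tcp`, `doh_get_url`, `doh_post_request`, `choose_transport`) are this example's own; no network connection is made.

```python
import base64
import secrets
import struct


def build_query(name, qtype=1, txid=None):
    """Build a DNS query in the RFC 1035 wire format: 12-byte header, QNAME labels, QTYPE, QCLASS IN.

    The identical bytes are what travels over UDP/53 (Do53), TCP/853 under TLS (DoT) and
    HTTPS/443 (DoH); only the wrapping differs.
    """
    if txid is None:
        txid = secrets.randbelow(1 << 16)  # unpredictable transaction ID
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = recursion desired
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_for_tcp(message):
    """DoT keeps the DNS-over-TCP framing: a 2-byte big-endian length precedes each message."""
    return struct.pack("!H", len(message)) + message


def unframe_from_tcp(stream):
    """Split a TCP byte stream back into complete DNS messages using the length prefixes."""
    messages, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break  # incomplete trailing message: wait for more bytes
        messages.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return messages


def doh_get_url(endpoint, message):
    """DoH GET (RFC 8484 section 4.1): base64url message, padding removed, in the dns= parameter."""
    token = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"


def doh_post_request(message):
    """DoH POST: the raw wire-format message is the body, typed application/dns-message."""
    return {
        "method": "POST",
        "headers": {"content-type": "application/dns-message",
                    "accept": "application/dns-message"},
        "body": message,
    }


def choose_transport(dot_reachable, profile):
    """Client policy from the DoT section: opportunistic falls back to Do53, strict refuses to resolve."""
    if dot_reachable:
        return "dot"
    if profile == "opportunistic":
        return "do53"
    if profile == "strict":
        return None  # no DoT server available: perform no resolution at all
    raise ValueError(f"unknown profile {profile!r}")


if __name__ == "__main__":
    q = build_query("www.example.com", txid=0)
    print("wire:", q.hex())
    print("DoT/TCP framed:", frame_for_tcp(q).hex())
    print("DoH GET:", doh_get_url("https://dns.example/dns-query", q))  # placeholder endpoint
    print("DoH POST content-type:", doh_post_request(q)["headers"]["content-type"])
    print("strict, no DoT:", choose_transport(False, "strict"))
```

With the transaction ID fixed to zero the GET URL reproduces the `dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB` token that RFC 8484 itself uses as its example for a `www.example.com` A query. For a defender the takeaway is the one the text makes: because the payload is unchanged and the DoH wrapping is ordinary HTTPS, visibility has to come from the resolver you operate (or from policy on which resolvers clients may use) rather than from inspecting the transport.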

Domain Registration

[Figure: ICANN and the domain registration process]

Conclusion

DNS is a crucial component of the internet, and understanding its basics is essential for anyone working in IT. In this 30-minute guide, we have discussed how DNS works, DNS records, and DNS security. By following the best practices for DNS security, we can protect the integrity and confidentiality of DNS data and prevent the threats described above.

Reference

  • https://www.cloudflare.com/learning/dns/dns-records
  • Joshua M Kuo, Ross Gibson J.D., The Hidden Potential of DNS In Security: Combating Malware, Data Exfiltration, and more - The Guide for Security Professionals, 2023
  • https://datatracker.ietf.org/doc/html/rfc7858
  • https://datatracker.ietf.org/doc/html/rfc8484
  • https://outflank.nl/blog/2018/10/25/building-resilient-c2-infrastructues-using-dns-over-https/
Disclaimer
  • Welcome to visit the knowledge base of SRE and DevOps!
  • License under CC BY-NC 4.0
  • Made with Material for MkDocs; writing improved with generative AI tools
  • For copyright issues, contact me#imzye.com (replace # with @)