Introduction

Domain Name System (DNS): application layer protocol that translates human-readable domain names to IP addresses. Makes the Internet usable by converting symbolic names into numeric IPs. Functions as a distributed database with a hierarchical structure. Essential for web browsing, email, and other network services. Operates primarily over UDP port 53, with TCP fallback for responses too large to fit in a single UDP message.

"DNS is the phonebook of the Internet, enabling users to reach websites without memorizing IP addresses." -- Paul Mockapetris, DNS inventor

DNS Architecture

Components

Resolver: client-side agent that sends queries. Recursive resolver: performs the full chain of queries on the client's behalf and returns the final answer. Authoritative server: provides definitive answers for the zones it serves. Root servers: top of the hierarchy, referring queries to TLD servers. TLD servers: manage top-level domains (.com, .org, etc.) and refer queries to the authoritative servers of registered domains.

Hierarchy and Distribution

Distributed system: no single point of failure. Hierarchy: root → TLD → authoritative servers. Zones: administrative segments of namespace. Delegation: parent zone directs queries to child zones.

Roles and Responsibilities

Resolvers: initiate queries, cache results. Authoritative servers: store DNS records, answer queries. Root servers: provide referrals to TLDs. TLD servers: direct to domain authoritative zones.

DNS Naming and Hierarchy

Domain Name Structure

Labels separated by dots. Rightmost label: top-level domain (TLD). Left labels: subdomains. Fully Qualified Domain Name (FQDN): absolute name ending with dot.

Levels of Hierarchy

Root: implicit empty label. TLD: .com, .net, .org, country codes. Second-level domain: registered names under TLD. Subdomains: delegated portions under domains.

Zone and Namespace

Zone: portion of DNS namespace served by authoritative server. Namespace: entire domain structure. Zones enable distributed management.

DNS Records and Resource Types

A and AAAA Records

A record: maps domain to IPv4 address. AAAA record: maps domain to IPv6 address.

CNAME and Alias Records

CNAME: canonical name alias, redirects one domain to another. Cannot coexist with other records for same name.

Other Key Records

MX: mail exchange server for domain. NS: name servers authoritative for zone. TXT: arbitrary text, often for SPF, DKIM. SOA: start of authority, zone metadata.

Record Type   Purpose                     Example
A             IPv4 address mapping        example.com → 93.184.216.34
AAAA          IPv6 address mapping        example.com → 2606:2800:220:1:248:1893:25c8:1946
CNAME         Alias to canonical name     www.example.com → example.com
MX            Mail server specification   example.com → mail.example.com

DNS Resolution Process

Recursive Query

Client asks a resolver for a complete answer. The resolver performs every further query on the client's behalf. Returns the final IP answer or an error to the client.

Iterative Query

Resolver queries servers one at a time, stepping down the hierarchy. Each server returns either an answer or a referral to the next server. Resolver follows referrals until it obtains a final answer.

Steps in Resolution

1. Query root server.
2. Root replies with TLD server.
3. Query TLD server.
4. TLD replies with authoritative server.
5. Query authoritative server.
6. Obtain IP or NXDOMAIN.

Resolver Query Flow: Client → Recursive Resolver → Root Server → TLD Server → Authoritative Server → Recursive Resolver → Client
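The referral chain in the steps above, and the delegation via NS records described later under Zone Management, can be followed end to end with an in-memory model. This is an added example written for these notes, not code from the original page; the three "servers" and their records are constructed, and a.gtld-servers.example. and ns1.example.com. are placeholder names.

```python
# Constructed in-memory name servers (not real hosts). Each server holds the records it
# is authoritative for and NS delegations for the child zones it hands off to.
SERVERS = {
    "root": {"records": {}, "delegations": {"com.": "a.gtld-servers.example."}},
    "a.gtld-servers.example.": {"records": {}, "delegations": {"example.com.": "ns1.example.com."}},
    "ns1.example.com.": {
        "records": {"example.com.": {"A": ["93.184.216.34"], "NS": ["ns1.example.com."]},
                    "www.example.com.": {"CNAME": ["example.com."]}},
        "delegations": {}},
}

def ask(server, qname, qtype):
    """What one server replies: a referral, an answer, a CNAME, NODATA or NXDOMAIN."""
    s = SERVERS[server]
    # referral: qname falls inside a zone this server has delegated (longest match first)
    for child, ns in sorted(s["delegations"].items(), key=lambda kv: -len(kv[0])):
        if qname == child or qname.endswith("." + child):
            return "referral", ns
    rrset = s["records"].get(qname)
    if rrset is None:
        return "nxdomain", None            # name does not exist in this zone
    if qtype in rrset:
        return "answer", rrset[qtype]
    if "CNAME" in rrset:
        return "cname", rrset["CNAME"][0]
    return "nodata", None                  # name exists, but not with this record type

def resolve(qname, qtype="A", max_steps=10):
    """Iterative resolution: start at the root and follow referrals to an answer or NXDOMAIN.
    Returns (outcome, data, trail); trail lists (server, reply kind) in the order visited."""
    server, trail = "root", []
    for _ in range(max_steps):
        kind, payload = ask(server, qname, qtype)
        trail.append((server, kind))
        if kind == "referral":
            server = payload
        elif kind == "cname":
            qname, server = payload, "root"   # chase the canonical name from the top
        else:
            return kind, payload, trail
    return "servfail", None, trail            # referral loop or chain too long
```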

DNS Protocol and Message Format

Transport Layer

Primarily UDP port 53. TCP for zone transfers, large responses. UDP preferred for speed, minimal overhead.

Message Structure

Header: identification, flags, and section counts. Question: query name, type, class. Answer: resource records that answer the question. Authority: NS records of the zone that holds the answer, or a referral. Additional: records that help use the answer, such as addresses of the name servers listed in Authority.

Flags and Codes

Flags: QR (query/response), Opcode, AA (authoritative answer), TC (truncated), RD (recursion desired), RA (recursion available). Response codes: NOERROR, NXDOMAIN, SERVFAIL.

Field    Description
ID       Query identification number
QR       Query (0) or response (1) flag
Opcode   Type of query (standard, inverse, status)
AA       Authoritative answer flag
TC       Truncated message flag
RD       Recursion desired flag
RA       Recursion available flag
RCODE    Response code (NOERROR, NXDOMAIN, etc.)
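The header, question and answer layout above can be exercised with a small wire-format encoder and parser. This is an added example, not code from the original page; the response bytes are constructed by hand (not captured traffic) and carry the A record for example.com from the table in the records section.

```python
import struct

def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                     # compression pointer to an earlier copy of the name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (off if end is None else end)

def build_query(txid, qname, qtype=1):
    """Standard query: 12-byte header with RD set and QDCOUNT=1, then one IN question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])   # split the 16-bit flags word
    return {"id": txid, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF, "aa": flags >> 10 & 1,
            "tc": flags >> 9 & 1, "rd": flags >> 8 & 1, "ra": flags >> 7 & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def parse_response(msg):
    """Return (header, question, answers); A-record RDATA is rendered as a dotted quad."""
    h, off = parse_header(msg), 12
    qname, off = decode_name(msg, off)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off, answers = off + 4, []
    for _ in range(h["ancount"]):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:             # A record: four raw bytes -> dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return h, (qname, qtype, qclass), answers

# Constructed response: ID 0x1A2B, flags 0x8180 (QR=1, RD=1, RA=1, NOERROR), one A answer whose owner is pointer 0xC00C
RESPONSE = (struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0)
            + encode_name("example.com") + struct.pack("!HH", 1, 1)
            + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34]))
```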

DNS Caching and Performance

Purpose of Caching

Reduce latency, decrease network traffic. Minimize load on authoritative servers. Improve user experience.

Time-To-Live (TTL)

TTL: how long, in seconds, a resolver may keep a resource record in its cache. Set by the authoritative server. Balances freshness against efficiency: a short TTL propagates changes quickly, a long TTL reduces query load.

Cache Poisoning Risks

Attackers insert forged records into a resolver's cache, redirecting clients to attacker-controlled hosts and enabling interception of their traffic. Mitigated by DNSSEC validation and by randomizing the query's transaction ID and source port, so that a forged reply is unlikely to match an outstanding query.
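The two defensive behaviours named above, TTL-bounded caching and accepting only replies that match an outstanding query's ID, port and question, are shown together in this added example (not code from the original page). The resolver model is a constructed simplification: it works on already-decoded fields rather than wire bytes, and the clock is injected so TTL expiry can be demonstrated deterministically.

```python
import secrets
import time

class ResolverCache:
    """Resolver-side cache that honours TTL and accepts only replies matching a query it sent."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.cache = {}      # (qname, qtype) -> (expiry, rdata)
        self.pending = {}    # txid -> (qname, qtype, source_port)

    def send_query(self, qname, qtype):
        """Record an outgoing query with a random transaction ID and a random source port."""
        txid = secrets.randbelow(1 << 16)
        port = 1024 + secrets.randbelow(65536 - 1024)
        self.pending[txid] = (qname, qtype, port)
        return txid, port

    def lookup(self, qname, qtype):
        """Return cached data while its TTL has not elapsed; evict it once it has."""
        entry = self.cache.get((qname, qtype))
        if entry is not None and entry[0] > self.clock():
            return entry[1]
        self.cache.pop((qname, qtype), None)
        return None

    def accept_response(self, txid, dst_port, qname, qtype, ttl, rdata):
        """Cache the reply only if ID, destination port and question all match a pending query."""
        pending = self.pending.get(txid)
        if pending is None or pending[2] != dst_port or pending[:2] != (qname, qtype):
            return False                     # unsolicited or mismatched reply: discard, never cache
        del self.pending[txid]               # one reply per query; later duplicates are rejected
        self.cache[(qname, qtype)] = (self.clock() + ttl, rdata)
        return True

def demo():
    """Walk through a mismatched reply, the genuine reply, a cache hit, and TTL expiry."""
    now = [1000.0]                           # fake clock so expiry is deterministic
    c = ResolverCache(clock=lambda: now[0])
    txid, port = c.send_query("example.com.", "A")
    wrong_id = c.accept_response(txid ^ 1, port, "example.com.", "A", 3600, "192.0.2.1")
    real = c.accept_response(txid, port, "example.com.", "A", 60, "93.184.216.34")
    hit = c.lookup("example.com.", "A")
    now[0] += 61                             # past the 60 s TTL
    return wrong_id, real, hit, c.lookup("example.com.", "A")
```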

DNS Security Mechanisms

DNSSEC

Extension providing data integrity and origin authentication. Zone data is digitally signed, and a validating resolver checks the signatures along a chain of trust from the root. Lets resolvers detect forged or tampered records, defeating spoofing and cache poisoning. Provides integrity and authentication only, not confidentiality: signed data is still sent in the clear.

DNS over HTTPS (DoH) and DNS over TLS (DoT)

Encrypt DNS queries between client and resolver. Protect privacy and prevent eavesdropping and tampering on the client-to-resolver path. The resolver itself still sees the queries in plaintext, so the choice of resolver remains a trust decision.

Other Security Measures

Rate limiting, response validation, access controls. Monitoring anomalous DNS traffic patterns.

DNS Zone Management and Delegation

Zone Files

Text files defining DNS records for a zone. Contain SOA, NS, A, MX, and other records. Edited by administrators.

Delegation

Parent zone delegates authority to child zones via NS records. Enables distributed administration of domain subtrees.

Dynamic DNS

Automated updates of DNS records. Supports frequently changing IPs, e.g., DHCP clients. Update messages must be authenticated so that only authorized clients can change records.

DNS Extensions and Modern Features

EDNS (Extension Mechanisms for DNS)

Allows larger packet sizes over UDP. Supports new features without protocol redesign.

Anycast DNS

Multiple servers share same IP address. Improves reliability and load distribution.

DNS over QUIC

Experimental protocol using QUIC transport. Combines encryption with low latency.

Common Issues and Troubleshooting

DNS Propagation Delays

Changes to DNS records take time to propagate due to caching. Can cause temporary resolution failures.

Configuration Errors

Incorrect zone files, wrong NS records, missing records cause resolution failures. Diagnosed with dig, nslookup.

DNS Amplification Attacks

Attackers exploit open resolvers to amplify DDoS attacks. Mitigation includes rate limiting and disabling recursion for public clients.
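Detecting the abuse described above from a resolver's own query log, as an added example that is not part of the original page. The log format and the addresses are constructed for illustration; in a reflection attack the "src" field is the spoofed victim that the amplified replies are sent to, so the report identifies the destination a response-rate-limiting policy would throttle.

```python
import re
from collections import defaultdict

# Constructed query-log lines (not real traffic): one query per line with request/response sizes.
LOG = """\
2024-05-01T10:00:00Z src=203.0.113.7 qname=example.com qtype=ANY req=60 resp=3120
2024-05-01T10:00:00Z src=203.0.113.7 qname=example.com qtype=ANY req=60 resp=3120
2024-05-01T10:00:01Z src=203.0.113.7 qname=example.com qtype=ANY req=60 resp=3120
2024-05-01T10:00:01Z src=198.51.100.9 qname=www.example.com qtype=A req=45 resp=61
2024-05-01T10:00:02Z src=198.51.100.9 qname=example.com qtype=MX req=41 resp=90
"""
LINE = re.compile(r"src=(\S+) qname=(\S+) qtype=(\S+) req=(\d+) resp=(\d+)")

def amplification_report(log, ratio_threshold=10.0, min_queries=2):
    """Per source address: query count, bytes in/out, amplification factor (bytes sent per byte
    received) and a flag when repeated queries draw replies far larger than the requests."""
    stats = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0, "any": 0})
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue                         # skip lines that are not query records
        src, _qname, qtype, req, resp = m.groups()
        s = stats[src]
        s["queries"] += 1
        s["req"] += int(req)
        s["resp"] += int(resp)
        s["any"] += int(qtype == "ANY")      # ANY is the classic high-yield query type
    report = {}
    for src, s in stats.items():
        factor = s["resp"] / s["req"]
        report[src] = {"queries": s["queries"], "factor": round(factor, 1), "any": s["any"],
                       "flag": s["queries"] >= min_queries and factor >= ratio_threshold}
    return report
```

A flagged source is where response rate limiting, or a refusal to recurse for non-local clients, should apply; the factor is the same number an attacker would value, which is why it is the right metric to alert on.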
