DNS (Domain Name System) - secuguru/security-terms GitHub Wiki

DNS Overview

DNS (Domain Name System) is a system that translates human-readable domain names (like www.example.com) into IP addresses (like 192.0.2.1) that computers use to identify each other on the network. Since IP addresses are difficult for humans to remember, DNS acts like the internet’s phonebook, allowing users to type domain names instead of complex strings of numbers.

Key Components of DNS

  1. Domain Names: These are easy-to-remember names for websites and services, such as google.com or yahoo.com.
  2. IP Addresses: Each device on the internet has an IP address, either in IPv4 or IPv6 format, that allows it to communicate with other devices.
  3. DNS Servers: DNS servers store domain name records and respond to queries, converting domain names into corresponding IP addresses.

How DNS Works

  1. DNS Query: When a user types a domain name into their browser, a DNS query is initiated to find the corresponding IP address.
  2. Recursive DNS Resolver: This is the DNS server responsible for handling the user’s query. It first checks if it has the IP address cached. If not, it forwards the query to the DNS hierarchy.
  3. Root DNS Servers: The recursive resolver contacts the root DNS servers, which point it to the appropriate TLD (Top-Level Domain) server, like .com or .org.
  4. TLD DNS Servers: The TLD server provides information about which Authoritative DNS Server holds the specific domain’s IP address.
  5. Authoritative DNS Server: This server contains the actual IP address for the domain and sends it back to the recursive resolver.
  6. Response: The resolver returns the IP address to the user’s browser, which then establishes a connection to the website using that IP address.

Types of DNS Records

  1. A Record (Address Record): Maps a domain name to an IPv4 address.
  2. AAAA Record: Maps a domain name to an IPv6 address.
  3. CNAME Record (Canonical Name Record): Redirects one domain name to another domain name.
  4. MX Record (Mail Exchange Record): Specifies the mail server responsible for receiving emails for the domain.
  5. NS Record (Name Server Record): Specifies which DNS server is authoritative for a domain.
  6. TXT Record: Stores arbitrary text data, often used for email verification or security purposes.
  7. SOA (Start of Authority) Record: Defines key administrative details about a DNS zone, including the authoritative DNS server and settings for zone transfers and record caching.
  8. PTR (Pointer) Record: Used for reverse DNS lookups, allowing an IP address to be mapped back to a domain name. This is crucial for email server validation and network diagnostics.

DNS Cache

DNS resolvers and local machines often store or “cache” DNS results to improve speed and reduce load on the DNS infrastructure. Cached entries have a TTL (Time to Live), after which they expire and must be refreshed.

Importance of DNS

DNS is crucial for the functioning of the internet, as it makes navigating the web more user-friendly by allowing people to use domain names rather than IP addresses. Without DNS, users would have to remember long strings of numbers to access websites.

However, DNS can also be a target for cyberattacks, such as DNS spoofing or DNS DDoS attacks, which can disrupt network operations. Therefore, securing DNS infrastructure is a critical component of internet security.

How DNS Works with UDP

When DNS queries are made, they often use the UDP (User Datagram Protocol). UDP is a lightweight, connectionless protocol, which means it does not establish a connection before sending data, nor does it ensure the data reaches its destination. This makes it faster than connection-based protocols like TCP (Transmission Control Protocol), but less reliable.

Why DNS Uses UDP:

  1. Speed: UDP is faster because it doesn’t require establishing and maintaining a connection. For most DNS queries, which involve small amounts of data (usually less than 512 bytes), the overhead of TCP is unnecessary. This makes DNS queries using UDP more efficient.
  2. Low Latency: DNS queries happen frequently as users navigate the web, and using UDP helps reduce the time it takes to resolve a domain name into an IP address.

UDP in DNS Query Process

  1. DNS Query: When a user enters a domain name into their browser, the DNS query is usually sent using UDP over port 53. The user’s device sends the query to a DNS resolver (often provided by the ISP or a public service like Google DNS or Cloudflare DNS).
  2. Response: The DNS resolver queries the necessary DNS servers (root, TLD, and authoritative) to find the corresponding IP address for the domain name. Once the IP address is found, the response is sent back to the user’s device using UDP.

In most cases, a single UDP packet is sufficient to handle both the query and response. If the response exceeds the typical UDP packet size limit (512 bytes in older systems, but up to 4096 bytes with EDNS), DNS may switch to TCP to handle larger data transmissions, like when dealing with DNSSEC (DNS Security Extensions) or zone transfers.

When DNS Uses TCP Instead of UDP

  1. Larger Responses: If a DNS query response is too large to fit in a single UDP packet, the protocol falls back to TCP to ensure reliable delivery.
  2. Zone Transfers: For tasks like DNS zone transfers between DNS servers (AXFR/IXFR), which require large amounts of data, TCP is used for its reliability and ability to handle larger data streams.
  3. DNS Security: Some DNS security measures, such as DNSSEC, can result in larger responses that also use TCP to ensure data integrity.

DNS Query Steps (UDP Context)

  1. DNS Resolver: The user’s device sends a UDP query to the recursive DNS resolver (also called a caching DNS server). If the resolver already has the IP address cached, it responds immediately.
  2. Root DNS Servers: If the resolver doesn’t have the answer, it sends a UDP query to a root DNS server, which directs it to the correct TLD (Top-Level Domain) server.
  3. TLD Servers: The resolver sends a UDP query to the TLD server, which then directs it to the authoritative DNS server for the specific domain.
  4. Authoritative DNS Server: The authoritative server responds to the recursive resolver with the correct IP address for the domain.
  5. Response: The recursive resolver returns the IP address to the user’s device, allowing the browser to connect to the website.

Why UDP is Ideal for DNS

  • Efficiency: DNS queries are frequent and typically small, so the speed of UDP makes it ideal for resolving names quickly.
  • Minimal Overhead: UDP has less overhead because it doesn’t need to establish a connection like TCP, making it faster in low-latency networks.

DNS and UDP Vulnerabilities

Using UDP with DNS has some potential security concerns:

  1. DNS Spoofing/Poisoning: Attackers can inject false responses into a DNS query, redirecting users to malicious websites. Since UDP is connectionless, it’s more susceptible to this type of attack than TCP.
  2. DDoS Attacks: DNS services can be targeted with Distributed Denial of Service (DDoS) attacks that flood servers with UDP packets, overwhelming them with traffic.

Summary of DNS and UDP Relationship

  • DNS typically uses UDP over port 53 because it’s lightweight and fast, ideal for simple queries.
  • For large queries or zone transfers, DNS may switch to TCP.
  • The combination of DNS and UDP is highly efficient for day-to-day web browsing, but it also introduces security challenges, which can be mitigated with additional measures like DNSSEC.

In conclusion, DNS heavily relies on UDP for speed and efficiency, but it also uses TCP in cases where larger or more secure data transfers are required.