DNS
DNS is the acronym for Domain Name System. Originally created for name mapping, DNS today also defines technical settings for its core mapping service. In addition, DNS may set up functionality for the emails using MX records and texts using TXT records.
Contents
Functionality
Name mapping
- First of all, DNS is a hierarchical and decentralized system that maps human-readable names, called hostnames, and digital addresses such as IP addresses of the resources connected to a network such as the Internet.
- On the Internet, DNS stores both hostnames and IP addresses together for the purpose of mapping any hostname to one or more IP addresses or, vice versa, mapping an IP addresses to its hostname.
- For instance, a user may request its web browser to display some website, while providing this browser with some hostname (also known as domain name). DNS is responsible for locating the sought website in the Internet and granting the user's web browser with the right IP address.
- To decentralize, DNS designates authoritative nameservers for each host or host device connected to the network. This structure provides distributed and fault-tolerant service and was designed to avoid a single large central database.
Naming arrangements
- In addition to name mapping, DNS defines the DNS protocol, which is the model of the data structures and communication exchanges including TTLs that are used to propagate DNS records through the system.
Email and text functions
- Finally, DNS is used to set up properties for:
- SMTP mail exchangers using MX records. DNS may be particularly useful in combating unsolicited email messages known as spam by storing a real-time blackhole list (RBL);
- Human-readable texts about the resource and/or machine-readable data using TXT records. This data can be used for verification of domain ownership, email owner verification, and much more.
Hostnames
- Main wikipage: Hostname
On the Internet, a hostname is a human-readable alias that is assigned to a particular IP address. This alias is used to identify the IP address of the needed device in various forms of electronic communication, such as the World Wide Web and emails. Earlier, a hostname was often called a domain name; these two terms can be used interchangeably. The hostname is the central part of any URL.
Purpose
- Computer networks usually assign those computing devices that are connected to that network some numerical addresses. However, these addresses are rarely convenient for human being to use.
- DNS has been created in order to help human beings to identify a particular computer, called a host device or, simply, host, in a network, most notably, on the Internet, using some names that those human beings can recognize. DNS supplements a numerical address such as
176.056.230.964
of the host device with some human-readable, human-recognizable hostname (also known as domain name) such aswiki.friendsofcnm.org
that may contain not necessarily just digits and computer symbols, but also letters, words, or some combinations of those.
Right-to-left label hierarchy
- Every hostname consists of two or more labels separated by dots. Those labels are ranged hierarchically from right to left. Each label on the left is classified as a subdomain of the label to its right. For instance, in the hostname,
wiki.friendsofcnm.org
:
Domain name wiki
. friendsofcnm
. org
Description The label for the third level domain, which could also be defined as the second level subdomain. Separator (a dot) The label for the second level domain or, in other words, the TLD subdomain. Separator (a dot) The label for the top level domain (TLD) Directing‑to server Host TLD Root Managing server Host Host TLD
Name requirements
- Technically, there is no limit on the number of the levels; however, there are some other restrictions. According to the DoD Host Table Specification, in order to be able to serve as a hostname, some combination of labels shall be associated with one or more IP addresses and comply with the following rules:
- A hostname must be a text string consisting of only the letters A through Z (upper or lower case), digits 0 through 9, the minus sign (-), and the period (.);
- No hostname can contain any spaces;
- The first character must be an alphabetic character or a digit;
- The last character cannot be a minus sign or a period;
- The recommended length for a hostname is up to 24 characters.
- If the hostname is completely specified, including a top-level domain of the Internet, then the hostname is said to be a fully qualified domain name (FQDN).
Registrars and ISPs
Delivery scheme
A delivery scheme is an officially organized plan for delivery.
Unicast
- Unicast is a delivery scheme that routes transfer from one source address to a single specified destination address. Unicast is the dominant form of delivery on the Internet.
Broadcast
- Broadcast is a delivery scheme that routes transfer from one source address to all destination addresses in the network.
Multicast
- Multicast is a delivery scheme that routes transfer from one source address to a group of destination addresses, usually the ones that have expressed interest in receiving the deliverable.
Anycast
- Main wikipage: Anycast
- Anycast is a delivery scheme that routes transfer from one source address to any one out of a group of destination addresses, selected based on some algorithm and/or criteria. The selected route is often the one that is the nearest and/or fastest accessible to the source.
- On the Internet, anycast is the network addressing and routing technique that assures that one IP address has multiple routing paths and the best ones are chosen for every single delivery. This type of redundancy serves two main purposes:
- To ensure speedy responses to DNS queries (by providing network-topologically best routes to the root nameservers); and
- To minimize the likelihood of an outage of the entire DNS system.
- DNS resolvers select the desired path on the basis of number of hops, distance, lowest cost, latency measurements, or based on the least congested route. Anycast networks are widely used for content delivery network (CDN) products to bring their content closer to the end user.
Geocast
- Geocast is a delivery scheme that routes transfer from one source address to a group of destination addresses based on geographic location.
System structure
Domain levels
- The DNS hierarchy is built of three levels:
- The root domains are responsible for locating TLD nameservers;
- The top level domains (TLDs) are responsible for locating host nameservers;
- The host domains are responsible for any DNS records beyond TLD.
Infrastructure
- Main wikipage: DNS infrastructure
- DNS infrastructure is designed in a distributed manner. The infrastructure consists of four actors -- DNS resolvers, root nameservers, TLD nameservers, and host nameservers -- that accommodate the process from entering a human readable hostname into a web browser to pointing this web browser to the exact IP address.
Resolvers
- Main wikipage: DNS resolver
- DNS resolvers moderate any process of translating (resolving) human readable hostnames into IP addresses that are used in communication between Internet hosts. DNS resolvers receive requests in the form of a hostname from a web browser and request the needed data from root nameservers, which are the highest in the hierarchy, if DNS resolvers haven't already cached that data. Indeed, DNS resolvers not only redirect requests, but also cache the data needed to identify IP addresses.
Protocol
Any DNS protocol is the model of the data structures and communication exchanges including TTLs that are used to propagate DNS records through the system. The traditional DNS protocol doesn't address security challenges. The security-sensitive protocol is DNSSEC.
Non-secured mapping
- The complete name-to-IP-address process can be described in the following way:
- When the user enters a hostname into a web browser, this browser queries their Internet Service Provider's (ISP) DNS resolver asking for the IP address.
- The DNS resolver asks the root nameserver where it can find details for that hostname, unless the resolver already has its IP address data cached.
- If it is asked, the root nameserver responds what TLD nameserver handles this data.
- The DNS resolver asks the TDL nameserver where it can find details for the entered hostname, unless it already has the data cached.
- If it is asked, the TLD nameserver responds that this data can be found at the host nameservers.
- The DNS resolver asks the host nameservers where it can find details for the needed IP address, unless it already has the data cached.
- If it is asked, the host nameservers have this data and respond with a DNS record containing the IP address for the entered hostname.
- The ISP's DNS resolver sends the identified data back to the web browser. The name-to-IP-address process has been accomplished. Based on its results, the web browser points its request to the exact IP address in order to establish communication between this browser and that domain.
Data structures
Communication exchanges
Servers
- Main wikipage: Nameserver
Nameservers are servers that respond to DNS requests using appropriate protocol. DNS-сервер, host nameserver — приложение, предназначенное для ответов на DNS-запросы по соответствующему протоколу. Также DNS-сервером могут называть хост, на котором запущено соответствующее приложение.
Roles
- Different nameservers are responsible for different operations and play different roles:
- DNS resolvers moderate any process of translating (resolving) human readable hostnames into IP addresses that are used in communication between Internet hosts. DNS resolvers cache some data and request the data that they haven't cached from other servers.
- Root nameservers redirect requests to TLD nameservers based on the data for TLD nameservers that root nameservers handle;
- TLD nameservers redirect requests to host nameservers based on the data for host nameservers that TLD nameservers handle.
- Host nameservers handle all data for IP addresses and other DNS records for everything beyond the top-level domains.
Functions
- With regard to their functions, nameservers can be divided in several types; however, one nameserver can perform several functions:
- Authoritative nameserver is any nameserver that provides its DNS zone with definitive DNS name resolution based on the data that is stored within the nameserver. These nameservers can be primary nameservers (alternatively known as "master nameservers") or secondary nameservers (or "slave nameservers").
- Recursive nameserver is any nameserver that provides DNS name resolution based on its requests to authoritative nameservers. Alternatively known as "DNS cache", "caching-only nameserver".
Zones
- Main wikipage: DNS zone
- All DNS data is stored in three types of areas called zones:
Zone What data is stored Nameserver Root DNS All the data needed to locate TLD nameservers Root NS TLD DNS All the data needed to locate host nameservers TLD NS Host DNS All the data related to a particular host, usually in a structured text file that is called the zone file, but other database systems are common as well. Because users can commonly access and host administrators can administer only that data, DNS zone commonly refers to this type of areas Host NS
BIND (NS software)
- As there are a large number of different nameserver software packages, the format of these zone files can vary slightly between different implementations. The most widely-used DNS software on the Internet today is the Berkeley Internet Name Domain (BIND) nameserver.
- Originally written in 1984 by four Berkeley College students as a graduate project, the BIND nameserver was eventually rewritten in 2000 with contributions coming from a number of large organizations including IBM, Hewlett Packard, Compaq, and Sun Microsystems.
- This rewrite was labeled version 9 and is currently still the supported version of the BIND nameserver in use on systems around the world (and also used by the majority of DNS root nameservers themselves). Below is an example of a zone file for the BIND 9 nameserver:
~
$TTL 14400
$ORIGIN example.com.
@ 14400 IN SOA ns1.example.com. admin.example.com. (
2012121902 ;
3600; refresh seconds
600; retry
86400; expire
3600; minimum
);
IN A 12.34.56.78
IN NS ns1.example.com.
IN NS ns2.example.com.
ns1 IN A 11.11.11.11
ns2 IN A 22.22.22.22
www IN CNAME example.com.
ftp IN CNAME example.com.
mail IN MX 10 example.com.
DNS zone file example (BIND nameserver)
Domain level servers
Root servers
- Main wikipage: Root nameserver
- Root nameservers are responsible for the initial delegation of requests received from DNS resolvers to the correct TLD nameservers. The DNS root zone defines 13 hostnames for root nameservers, every of which starts with a letter from
a
tom
and ends in.root-servers.net
. The letters are assigned to different organizations called operators; however, Verisign currently manages botha
andj
:
Letter IPV4 address IPV6 address Operator a 198.41.0.4 2001:503:ba3e::2:30 Verisign b 192.228.79.201 N/A USC-ISI c 192.33.4.12 N/A Cogent Communications d 199.7.91.13 2001:500:2d::d University of Maryland e 192.203.230.10 N/A NASA f 192.5.5.241 2001:500:2f::f Internet Systems Consortium g 192.112.36.4 N/A Defense Information Systems Agency h 128.63.2.53 2001:500:1::803f:235 U.S. Army Research Lab i 192.36.148.17 2001:7fe::53 Netnod j 192.58.128.30 2001:503:c27::2:30 Verisign k 193.0.14.129 2001:7fd::1 RIPE NCC l 199.7.83.42 2001:500:3::42 ICANN m 202.12.27.33 2001:dc3::35 WIDE Project
- 13 hostnames of root nameservers, but a majority of the IP addresses assigned to the root nameserver are anycast addresses. For instance,
l.root-servers.net
, which ICANN manages, is a cluster of over 130 physical servers that have the same IP address, but distributed around the globe.
- The United States Department of Commerce controls the DNS root zone. This department delegated its management to the Internet Assigned Numbers Authority (IANA). The IANA has hired the Internet Corporation for Assigned Names and Numbers (ICANN) to manage DNS root zone, but the United States Department of Commerce still needs to approve any changes proposed for the DNS root zone.
TLD servers
- Main wikipage: TLD nameserver
- TLD nameservers handle DNS records related to top level domains (TLD) such as
.com
,.org
, and.net
.
Host servers
- Main wikipage: Host nameserver
- The configured host nameservers handle DNS records such as hostname (also known as domain name), IP address, hostname aliases, mail server details, for a particular host device. The configured means that someone needs to configure its DNS zone, which are usually bundled into one zone file. The zone file contains DNS records of all domains for which the given nameserver is authoritative.
- Hostname registrars usually provide hostname buyers with default files that often list an A record and NS records, but owners of hostnames can alternate almost any DNS record for their host. The SOA record is the exception; rarely, hostname registrars allow hostname buyers alternating that.
Requests
- Main wikipage: DNS request
A DNS request is a query to obtain DNS records for a particular host device in some network.
Directions
- A forward request is a DNS request made in order to obtain the IP address based on its hostname.
- A reverse request is a DNS request made in order to obtain the hostname based on its IP address.
Ports
- According to RFC 1035 standard, all nameservers respond using port 53 TCP and UDP. Early versions of BIND used the same port for requesting, but contemporary servers use any available non-registered ports.
Query methods
Any DNS request, either forward or reverse, can be resolved using one or more methods.
Recursive query
- Any recursive query is the DNS query that the nameserver resolves completely, while asking other nameservers when the requested server needs more data. In other words, any recursive query expects the final answer from the requested server. That server is supposed to accomplish any research if that research is needed.
- However, nameservers are not required to fully resolve recursive queries.
Non-recursive query
- Any non-recursive query is the DNS query that the nameserver resolves, without asking other nameservers when the requested server needs more data. In other words, any recursive query expects the partial, but quick answer from the requested server. That server is not supposed to accomplish any research. This nameserver may resolve that query:
- Completely if this nameserver is authoritative and responsible for the requested zone;
- Probably if this nameserver and/or the requesting DNS resolver has some cached data;
- Negatively if neither this nameserver nor the requesting DNS resolver has any cached data.
Iterative query
- Any iterative query is the DNS query that the DNS resolver continues while querying one or more nameservers in chain until the request has been resolved completely by the authoritative server that is responsible for the particular zone.
Method combinations
- The resolution process may combine various methods, which may be used simultaneously.
- Some nameservers allows for working using different methods or combinations of methods in different segments. This feature is called "view" in BIND. For instance, local IP addresses such as 10.0.0.0/8 can receive local addresses of host devices, while DNS requests from the outside of the network would be resolved using external addresses;
- A nameserver may also be authoritative for a particular zone for a particular range of IP addresses. For example, the server located at 10.0.0.0/8 announces itself authoritative for the internal zone; so, any request from the external servers to get data on the internal zone would be resolved as "unknown."
Records
Any DNS record (officially known as resource record or RR) is a critical property assigned to a hostname. Each DNS record is stored in a zone file. While being initially created as a name-to-IP address mapping database, DNS also allows for more details that DNS records provide. They may include email addresses, aliases, anti-spam data, and other data.
SOA record
- Main wikipage: SOA record
- The SOA record is a mandatory DNS record for any DNS zone that states that this particular nameserver is the authoritative server for the requested hostname. SOA stands for Start Of Authority. An example record is as follows:
friendsofcnm.org. 14400 IN SOA ns1.friendsofcnm.org. admin.opplet.net. (
2019021701; serial number
86460; refresh seconds
600; retry seconds
86400; expire seconds
3600; minimum TTL seconds );
- There are many forms of the SOA record. The same example can be written in a shorter form:
@ 14400 IN SOA ns1.friendsofcnm.org admin.opplet.net 2019021701 86460 600 86400 3600
, where:
Sample code Field Description Values @
Current origin A free standing "@" encodes the name of the host in which this record is located. Hostname 14400
TTL The number of seconds for which the record may be cached by client side programs. If it is set as 0, it indicates that the record should not be cached. From 0 to 2147483647 IN
Class The Internet or intranet; other options are all outdated. IN SOA
Record SOA stands for SOA record and sets up the start of authority Stable ns1.friendsofcnm.org
Nameserver The nameserver in which the zone file is located; this is the primary nameserver for the host device. Assigned admin.opplet.net
Email address The administrative email contact for the DNS zone. This record indicates the responsible party for the host. The actual email contact in this example is admin@opplet.net
. The "." replaces the "@" symbol in DNS zone because the "@" symbol encodes the current origin.Vary 2019021701
Serial number The "serial number" value is created in the YYYYMMDDNN (YYYY for a year, MM for a month, DD for a date, and NN for a sequential number) format for version control. This control is vital because of the need to configure multiple nameservers. The value in the example is made up from the year of 2019, February (month #02), 17th (for a day), and revision number 01. This serial number is a timestamp that changes whenever the host is updated. Automatic 86460
Refresh The number of seconds before the zone should be refreshed. This value sets up how long a secondary nameserver shound wait before checking whether updates have been made on the primary nameserver. When checking, the secondary nameserver will check the serial number of the zone on the master server, and if different will request a zone transfer to update its local copy. The same value of the sample can be written as 24h1m
since 86,460 seconds are equal to 24 hours and one minute.Usually, from 6 to 24 hours 600
Retry The number of seconds before a failed refresh should be retried. This value sets up how long a secondary nameserver will wait to retry a zone transfer in the event the initial attempt fails. This value is not significant. Usually, a fraction of the Refresh 86400
Expire The upper limit in seconds before a zone is considered no longer authoritative. This value sets up how long a secondary nameserver will continue to attempt a zone transfer before giving up. If this value is reached before a successful zone transfer is made, the secondary nameserver will expire its local zone file and stop responding to user queries. Usually, from 14 to 28 days 3600
Minimum TTL The negative result TTL (for example, how long a DNS resolver should consider a negative result for a subdomain to be valid before retrying). This value sets up how long a DNS cache may hold a negative value (e.g. an error message) before requesting fresh copies. In the SOA record, this field is the most important. If your DNS information keeps changing, keep it down to a day or less. Otherwise if your DNS record doesn’t change regularly, step it up between 1 to 5 days. The benefit of keeping this value high, is that your website speeds increase drastically as a result of reduced lookups. Caching servers around the globe would cache your records and this improves site performance. Depends on the need
A record
- Main wikipage: A record
- Any A record is the DNS record that translates a hostname into an IPv4 address. In other words, A records set up relationships between:
- Hostnames, which are human-friendly names, and
- IPv4 addresses, which are IP addresses expressed using the IPv4 standard.
- A PTR record can set up the opposite relationship. The sample of the A record is as follows:
friendsofcnm.org IN A 159.89.93.1
, where:
Sample code Field Description Values friendsofcnm.org
Labels One or more labels of the hostname and TLD name. Selected IN
Class The Internet or intranet; other options are all outdated. IN A
Record A stands for A record and sets up the relationship between hostname labels and IP address Stable 159.89.93.1
IPv4 address The location that the resulting hostname points to. Assigned
AAAA record
- Main wikipage: AAAA record
- Any AAAA record is the DNS record that sets up a relationship between:
- A hostname, which is a human-friendly name, and
- An IPv6 address, which is an IP address expressed using the IPv6 standard.
- AAAA records are similar to A records. The only difference is that A records point to IPv4 addresses and AAAA records do to IPv6 addresses.
NS record
- Main wikipage: NS record
- Any NS record is the DNS record that specifies authoritative nameservers for the hostname. NS is the acronym for name server.
- Each NS record consists of both the hostname and nameserver hostname. It can be formatted as follows:
friendsofcnm.org. IN NS ns1.digitalocean.com
- Two different authorities, hostname registrars or resellers and host owner, can set these records up. Two different values should be configured to match; otherwise, some problems may occur.
CNAME record
- Main wikipage: CNAME record
- Any CNAME record is the DNS record that sets up an alias for another hostname. CNAME is an abbreviation for canonical name. Particularly, CNAME records are useful when several hostnames are located on the same IP address. For instance,
www.friendsofcnm.org. IN CNAME friendsofcnm.org.
would point any visitor ofwww.friendsofcnm.org
tofriendsofcnm.org
(withoutwww.
).
- Each CNAME record shall point to another valid hostname, either within the same domain or even a completely different domain. Preferably, this record shall point to the hostname that is configured in an A record.
MX record
- Main wikipage: MX record
- Any MX record is the DNS record that identifies the server that handles email address for the hostname. MX is an abbreviation for mail exchanger.
- Each MX record contains three pieces of information: the hostname, the priority, and the hostname of the mail server that handles mail for the host device. The sample of the MX record is as follows:
friendsofcnm.org IN MX 10 friendsofcnm.org
, where:
Sample code Field Description Values friendsofcnm.org
Labels One or more labels of the hostname and TLD name. Selected IN
Class The Internet or intranet; other options are all outdated. IN MX
Record MX stands for MX record and sets up the relationship between hostname labels and IP address Stable 10
Priority A numerical value that signifies the priority of this particular MX record and, consequently, for the mail server. The values used for this are only important if more than one mail server is used. The lower the value of the priority field, the higher the priority of the mail server. Assigned mail.friendsofcnm.org
Mail server hostname The hostname of the mail server that handles email for this domain. This hostname is a google address when Google Apps handle emails for this host device. Any mail server hostname should have a validly configured A record in order to receive emails smoothly. Assigned
TXT record
- Main wikipage: TXT record
- Any TXT record is a DNS record that allows for storage of human-readable and machine-readable texts that, if posted, would be assigned to a specific hostname.
- With regard to machine-readable texts, TXT records may serve multiple purposes, including:
- Sender policy framework (SPF) data storage. This data confirms the actual systems that are authorized to send mail on behalf of the given hostname. This is useful in the prevention of spam emails being sent with a forged sender address originating from the particular host device. RFC 4408 discourages this practice as "not optimal," however, because SPF now has its own DNS resource record type (code 99);
- DomainKeys Identified Mail (DKIM) data. This data allows a receiving mail server to authenticate entities that have signed a specific email message. DKIM is similar to SPF in that it can help reduce spam email from containing forged email addresses originating from your domain, but it also contains a large amount of additional functionality.
PTR record
- Main wikipage: PTR record
- Any PTR record is a DNS record that translates a hostname into an IP address. PTR is an abbreviation for pointer; PTR records point to IP addresses. In comparison with A records, PTR records perform the exact opposite function.
- PTR records use the following format:
<IP address in a reverse order>.in-addr.arpa PTR <hostname>
. For instance,1.93.89.159.in-addr.apra PTR friendsofcnm.org
, where:
Sample code Field Description Values 1.93.89.159
Reversed IP address The IP address of the location that the resulting hostname points to in a reverse order. The actual IP address used in this example is 159.89.93.1
Assigned .in-addr.arpa
Domain The domain name that historically arrived from the times when the Internet was called Arpa. In-addr is an abbreviation for internet address. No other options PTR
Record PTR stands for PTR record and sets up the relationship between IP address and hostname. Stable friendsofcnm.org
Hostname The hostname that points to the IP address. Selected
- PTR records are needed for outgoing mail servers such as Postfix, because most of the mail providers reject or mark as spam messages received by mail servers without valid reverse dns configuration such as a missing PTR record or mismatch with an A record for the hostname.
SRV record
- Main wikipage: SRV record
- Any SRV record is a DNS record that specifies the location, both hostname and port number of servers for specific services. SRV is an abbreviation for service. SRV records can be used to direct certain types of traffic to particular servers.
CAA record
- Main wikipage: CAA record
- Any CAA record is a DNS record that specifies which certificate authorities are permitted to issue certificates for the host. CAA is the acronym for Certification Authority Authorization, which is a method for cross-checking security information on the Internet. CAA records can be used to reduce the risk of unintended certificate mis-issue.
Security threats
Hackers are constantly trying to penetrate DNS primarily because of two reasons. First, DNS is used throughout the whole Internet and, second, the overwhelming majority of host devices utilize the same nameserver software, BIND.
Cache poisoning
- The DNS cache poisoning attack is one of the more common attacks against the DNS protocol. In order to reduce unnecessary Internet traffic, most Internet Service Providers (ISP) configure their nameservers to cache DNS responses for the period defined in the TTL value of the requested record set.
- This allows for all concurrent requests to be served from the local cache at the ISP and not require the series of lookups normally required. This results in faster DNS responses for the end user, as well as a decrease in data costs for the ISP.
- This mechanism, however, is the target for the DNS cache poisoning attack. In this attack, the hacker aims to have their IP address cached by the ISP's DNS resolvers for a record of their choosing.
- For example, the attacker would seek to have the IP address of the hostname "login.example.com" be cached with their own IP address instead of the legitimate IP address. The result of this attack is that anyone using that DNS resolver (typically most of that ISP's customers) would be loading the site "login.example.com" from the hacker's server rather than the legitimate server. Once this is achieved, the hacker could potentially display a fake login page and harvest users" logins and passwords.
Reflection attack
- DNS reflection attacks differ from DNS cache poisoning attacks in that their primary goal is not to compromise the integrity of a DNS resolver's data, but rather to completely flood a system with DNS responses, rendering it unable to respond to legitimate queries. This type of attack is known as a Denial of Service (DoS) attack.
- This attack is conducted by a hacker spoofing the sender IP address of a DNS query to mimic that of the victim"s server. When the DNS resolver then replies to the query, the response will go to the victim"s server rather than the hackers. This attack works due to the fact that a small DNS query can actually return a response that is many times larger than the query itself.
- Hackers leverage this in order to direct a large amount of network (DNS) traffic at the victim"s machine. This results in the victim machine being unable to accept or respond to legitimate traffic.
DNSSEC
The original DNS protocol was never designed with security in mind; user access to the nascent Internet was tightly controlled and not open to public access.
The Domain Name System Security Extensions (DNSSEC) are an expansion of the DNS protocol aimed at mitigating a number of security issues that have been identified within the DNS since this time. The DNSSEC provides the ability for DNS clients to determine that the DNS response they are receiving actually comes from the server authoritative for the given hostname. This feature is a direct response to the DNS cache poising attacks described above.
Security RRs
- DNSSEC is implemented by adding a number of additional records to the DNS zone of a domain. These records are as follows:
Record Function RRSIG The signature of the DNS resource record set. This record is returned in the response to any DNS query and can be verified by checking against the public key for the domain. DNSKEY Contains the public key for the domain. DS The "Delegation Signer" record, used in authenticating the DNSKEY for a domain. NSEC Used to prove a name does not exist. NSEC3 An alternative version of the traditional NSEC record also provides proof a name doesn't exist but prevents zonewalking. NSEC3PARAM Parameter record for use with NSEC3.
Setup process
- In order for DNSSEC to be functional in any given DNS query, every authoritative server from the trust anchor (generally the TLD nameservers) all the way down to the domain's nameservers must support DNSSEC and offer signing of record sets. If any of these do not support the extensions, then it is not possible to utilize the benefits of DNSSEC for that query.
- In order to sign a DNS zone with DNSSEC, a private and public key pair is generated by the owner. The public key is listed in the DNS zone in the DNSKEY record whilst the private key is stored securely on the authoritative nameserver. Once this is done, the parent domain server is informed that this zone has been signed.
- Each record in the zone is now digitally signed with the signature of the record set stored in the RRSIG record. This record is the encrypted hash of the original records value. Sent with the response to every DNS query, this RRSIG records allows the client to determine if the value received is the same as the one sent by the server.
- When the client receives the DNS response, it takes the "RRSIG" value, decrypts it with the public key (retrieved from the DNSKEY record) and then compares the result with the hash of the record value received. If these values match, then the record received is identical to the one sent.
- The next feature of DNSSEC is the ability to ensure that the server that sent the record and public key is actually the legitimate authoritative nameserver for that domain. This is achieved using the DS record. This DS record stores a digest of the domain's DNS key in the domain's parent zone that is protected by the parent zones "DNSKEY." This configuration then continues in a hierarchical structure up to the DNS root zone. The data for the DNS root zone is treated as a "Trust Anchor."
- Using this record, and hierarchical authentication method, it is possible to ensure that the "DNSKEY" received for a domain has not been spoofed by an attacker.
Secured mapping
- The DNS request process remains quite similar to the standard process of requesting DNS records, albeit with a few more pieces of data added in order to verify the responses received.
- The following is an example workflow and description of a typical DNS request with DNSSEC enabled. Changes from a normal (non DNSSEC enabled) DNS request are in italics.
- The user queries their Internet Service Provider's (ISP) DNS resolver asking for the IP address for "www.google.com."
- The DNS resolver asks the root nameserver where it can find details for "www.google.com," unless it already has the information cached. It also sets the "DNSSEC OK" (DO) bit to signify that it is requesting the DNSSEC records be returned also.
- If it is asked, the root nameserver responds that this information is handled by the .com nameserver. It also sends the DS record for the .com zone and RRSIG records for any records returned with the result. The resolver would then validate that the DS record value received from the root nameserver matches the digest of the DNSKEY record value for the .com zone.
- The DNS resolver asks the .com nameserver where it can find details for "www.google.com," unless it already has the information cached.
- If it is asked, the .com nameserver responds that this information can be found at the nameservers of google.com. It also sends the DS record for the google.com zone and RRSIG records for any records returned with the result. The resolver would then validate that the DS record value received from the .com nameserver matches the digest of the DNSKEY record value for the google.com zone.
- The DNS resolver asks the google.com nameservers where it can find details for "www.google.com," unless it already has the information cached.
- If it is asked, the google.com nameservers have this information and respond with a DNS record set (RRSET) of all A records configured for "www.google.com." It also sends the RRSIG value for the RRSET that was returned. The ISP"s DNS resolver can then validate that the RRSIG value is indeed the signature of the RRSET that is returned by checking it against the DNSKEY record in the google.com zone. The resolver has now validated that the records themselves have not been tampered with, and also previously validated that the servers that have been involved in receiving the data are trusted by validating the DS records against the associated parent's DNSKEY record.
- The ISP"s DNS resolver then sends the A record for "www.google.com" back to the user. The user then knows what IP address to connect to in order to access "www.google.com."
TLD limitations
Unfortunately, not all top level domains currently support DNSSEC. As was previously mentioned, each server in the chain needs to both support DNSSEC as well as have the appropriate records configured in order for DNSSEC to have any effect. As of April 2013, less than a third of all top level domain servers (including ccTLD's) are configured with the appropriate settings to support DNSSEC. Of the 19 globally assigned top level domains, the following do not currently support DNSSEC: • .aero, • .coop • .int • .jobs • .mobi • .name • .pro • .tel • .travel • .xxx
Issues
Propagation
- The most common problem encountered with the DNS protocol is the situation known as "DNS Propagation." When a change is made to a DNS zone, this change is not immediately seen by the rest of the world.
- The name itself (specifically the "propagation" component) suggests that changes propagate outwards across the Internet away from the server on which the change was made. This is a common misconception: DNS changes do not propagate outwards like ripples. Instead, when a change is made on a DNS zone, the only real automated propagation of that change is to secondary nameservers. Due to the nature of DNS, all DNS queries for a particular domain will follow the hierarchical approach to determining which server has the data for that domain, eventually arriving at the nameserver for the domain.
- As the change to the DNS zone has already occurred on the primary nameserver, the updated values are immediately available and are included in all DNS responses made by that server after the change has been made.
- Once the change has been made on the primary nameserver, each additional authoritative nameserver will update its stored values the next time it attempts a zone transfer.
- The "propagation" effect is actually caused by ISP's DNS resolvers caching the original, now outdated, DNS records and returning that to the end user, rather than the updated value that could be retrieved directly from the domain"s nameservers.
- The TTL value assigned to each record indicates to DNS resolvers how long they should cache the values of the retrieved DNS records.
- Ideally, if a change were made to a DNS record immediately after it was cached by a DNS resolver, the delay before that resolver retrieved the updated record would be at most the value of that record sets TTL.
- While not as common in recent times, not all DNS resolvers adhere to the values contained in the TTL values, with many choosing to implement their own TTL values for cached records (in order to reduce bandwidth use). This is where the "propagation" effect comes from.
- In order to reduce the likelihood of a long DNS propagation time, try this:
- Ensure that the TTL values of all records are set to a low value (e.g. 300).
- Ensure that when changing nameservers both the old and the new nameservers are configured with the same DNS records. This will ensure that regardless of what nameserver the user is directed to, the results they receive will be consistent.
Not found WWW-hostname
- Another common issue with DNS configuration is users' experiencing difficulties accessing their website using "www.example.com" rather than just "example.com."
- The cause of this issue is actually quite simple to diagnose as well as resolve. The ideal configuration of the DNS zone to allow the "www." hostname to work is as follows:
- Ensure that there is an A record for the domain itself. example.com. IN A 192.168.0.1
- Next, create a CNAME record for the "www." hostname. www.example.com. IN CNAME example.com.
- The above steps will (as far as DNS is concerned) ensure that the website is visible on both "www.example.com" as well as "example.com." It is then the responsibility of the web server to determine whether to force redirect the user to one or the other. There are other methods to solve this issue, including adding an A record for both the domain itself as well as the "www." hostname (instead of a CNAME record); however for ease of maintenance, the use of a CNAME record is recommended as if the IP address needs to be changed in future, it only needs to be changed once.
NS redundancy
- For most hostname owners, configuring a domain's nameservers is as simple as entering the values given to them by their web hosting company. For example: ns1.webhost.com and ns2.webhost.com
- It is important to check, however, that your provider"s nameservers are:
- Not located on the same server as the website itself; and
- Located in geographically diverse locations.
- A large number of providers use the web hosting control panel "cPanel" which by default allows the provider to configure the nameservers, web server and mail server to be located on the same physical server. This means that should the server itself go offline for whatever reason, your website and email are completely offline.
- Ideally, you should ensure that your web host has at least its nameservers located on separate physical servers as well as networks to your web server and mail server. This provides a layer of defense in that if the DNS service fails to work on one of your nameservers due to a network or hardware issue, the other nameserver is still able to respond, and the website and mail server will remain unaffected.