What is DNS and how does it work?

The Domain Name System (DNS) is one of the foundations of the Internet, yet most non-web-savvy people probably don't know that they use it every day to work, check email, or waste time on their smartphones.

At its core, DNS is a directory of names that are matched to numbers. Those numbers, in this case, are IP addresses, which computers use to communicate with each other. Most descriptions of DNS use the metaphor of a phone book, which is fine for people over 30 because they know what a phone book is.

If you're under 30, think of DNS as your smartphone's contact list, matching people's names to their phone numbers and email addresses, and that contact list is as large as the number of people on Earth.

A brief history of DNS

When the Internet was very, very small, it was easy to associate a specific IP address with a specific computer, but as more and more devices and people joined the growing network, that simplicity didn't last long. You can still type a specific IP address into your browser to reach a website, but then, as now, people wanted an address made up of easy-to-remember words, the kind of domain names we recognize today (like linux.cn). In the 1970s and early 1980s, these names and addresses were assigned by a single person, Elizabeth Feinler at the Stanford Research Institute (SRI), who maintained a master list of every computer connected to the Internet in a text file called HOSTS.TXT.

As the Internet grew, it became clear that this situation was unsustainable, especially since Feinler would only process requests before 6pm California time and would be off for Christmas. In 1983, Paul Mockapetris, a researcher at the University of Southern California, was tasked with coming up with a compromise between the various proposals for dealing with this problem. He largely ignored all of the suggestions and instead developed his own system, which he called the DNS. While it's obviously changed a lot since then, at a fundamental level it still works the same way it did nearly 40 years ago.

How DNS Servers Work

The DNS directory that matches names to numbers isn't stored in one place in some dark corner of the internet. As of the end of 2017, it recorded more than 332 million domain names, which would be a very large directory indeed. Like the internet itself, the directory is distributed around the world and stored on domain name servers (commonly referred to as DNS servers), which communicate with each other regularly to provide updates and redundancy.

Authoritative vs. recursive DNS servers

When your computer wants to find the IP address associated with a domain name, it first makes a request to a recursive DNS server (also called a recursive resolver). A recursive resolver is a server, usually operated by an ISP or other third-party provider, that does the lookup on your behalf: it knows which other DNS servers to ask to resolve a website's name to its IP address, and it caches the answers it receives. The server that actually holds the records for a domain is called an authoritative DNS server.

DNS Servers and IP Addresses

Each domain name can correspond to more than one IP address. In fact, some websites have hundreds or even more IP addresses corresponding to a domain name. For example, the server that your computer reaches when visiting www.google.com is likely to be completely different from the server that someone in another country reaches when entering the same website name into their browser.

Another reason for the distributed nature of the directory is that if the directory was only in one location, shared among millions, possibly billions of people looking for information at the same time, it would take a lot longer to get a response when you were looking for a website - it would be like waiting in a long line to use the phone book.

What is DNS Cache?

To get around this, DNS information is shared among many servers. But information about recently visited sites is also cached locally on client computers. Chances are you use google.com several times a day. Instead of your computer querying a DNS name server for the IP address of google.com each time, the answer is saved on your computer for as long as the record's time-to-live (TTL) allows, so it doesn't have to go back to a DNS server to resolve that name. Additional caches may also be present on the routers used to connect clients to the internet and on the recursive resolvers of the user's internet service provider (ISP). With all this caching going on, the number of queries that actually reach the authoritative name servers is much smaller than it might seem. The flip side is that a bad record, once cached, stays there until its TTL expires, which is what makes cache poisoning (described below) worthwhile for an attacker.

How do I find my DNS server?

Generally speaking, the DNS servers you use will be set automatically by your network provider when you connect to the internet. If you want to see which servers are your primary name servers (generally recursive resolvers, as mentioned above), your operating system can tell you: ipconfig /all on Windows, scutil --dns on macOS, and resolvectl status or the contents of /etc/resolv.conf on Linux. Browserleaks.com is a handy web tool that shows which resolvers are actually carrying your queries, which is a useful check because that can differ from what the operating system is configured with (for example when a browser uses its own encrypted resolver).

Can I use 8.8.8.8 DNS?

But remember that while your ISP will set a default DNS server, you are under no obligation to use it. Some users may have reasons to bypass their ISP's DNS: for example, some ISPs use their resolvers to redirect requests for non-existent domain names to pages with advertisements instead of returning the proper "no such domain" (NXDOMAIN) error.

If you want an alternative, you can point your computer to a public DNS server to use it as a recursive resolver. One of the most well-known public DNS servers is Google's, which has the IP addresses 8.8.8.8 and 8.8.4.4. Google's DNS service tends to be fast, and while there is some skepticism about Google's ulterior motives for providing a free service, they can't really get any more information from you than they can from the Chrome browser. Google has a page with detailed instructions on how to configure your computer or router to connect to Google's DNS.

How DNS improves efficiency

The organizational structure of DNS helps keep things running quickly and smoothly. To illustrate this, let's assume you want to visit linux.cn.

As mentioned above, the initial request for an IP address is made to a recursive resolver. The recursive resolver knows which other DNS servers it needs to ask to resolve the name of a website (linux.cn) to its IP address. If it has nothing cached, it starts with the root servers, which know which servers are responsible for each top-level domain, such as .com, .net, .org, and all country-code domains, such as .cn (China) and .uk (United Kingdom). Root servers are located all over the world (each root address is anycast to many sites), so the resolver usually reaches the geographically closest one.

The root server does not know the answer itself; it replies with a referral to the name servers for the top-level domain (TLD), .cn in this case. The TLD name server stores delegation information for the second-level domains registered under it, i.e. the part that comes before .cn, .com or .org (for linux.cn, that is "linux"), and it in turn refers the resolver to the domain's own authoritative name servers. Those servers hold the records for the website, including its IP address, and answer directly. The resolver caches the answer for the time-to-live (TTL) the domain's operator set on the record and sends it back to the client, which can now use it to connect to the website. All of this takes just a few milliseconds.
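The walk just described, together with the caching from the earlier section, as an added example that is not part of the original article: a toy model in Python of a recursive resolver following referrals from a root server to a TLD server to an authoritative server, and caching the answer for its TTL. All server names, records and addresses are constructed for illustration (the IPs are from the RFC 5737 documentation ranges); no real queries are sent.

```python
"""Toy DNS hierarchy with a caching recursive resolver (added example; constructed data)."""


class NameServer:
    """One name server holding records for its zone: A records it answers,
    NS records that refer the resolver to a child server."""

    def __init__(self, ident, records):
        self.ident = ident
        self.records = records  # owner name -> ("A", ip, ttl) or ("NS", child_server_id)

    def query(self, qname):
        # Try the full name first, then ever shorter suffixes. An exact A record
        # is an answer; the closest NS record is a referral; nothing is NXDOMAIN.
        labels = qname.split(".")
        for i in range(len(labels)):
            rec = self.records.get(".".join(labels[i:]))
            if rec is None:
                continue
            if rec[0] == "A" and i == 0:
                return ("answer", rec[1], rec[2])
            if rec[0] == "NS":
                return ("referral", rec[1])
        return ("nxdomain",)


class RecursiveResolver:
    """Does the legwork for clients and caches what it learns."""

    def __init__(self, servers, root_id):
        self.servers = servers
        self.root_id = root_id
        self.cache = {}  # qname -> (ip, expires_at)

    def resolve(self, qname, now):
        """Return (ip_or_None, list of servers consulted). A cache hit consults nobody."""
        hit = self.cache.get(qname)
        if hit is not None and hit[1] > now:
            return hit[0], []
        consulted = []
        server = self.servers[self.root_id]
        for _ in range(8):  # guard against a referral loop
            consulted.append(server.ident)
            resp = server.query(qname)
            if resp[0] == "answer":
                _, ip, ttl = resp
                self.cache[qname] = (ip, now + ttl)  # honour the TTL the zone set
                return ip, consulted
            if resp[0] == "referral":
                server = self.servers[resp[1]]
                continue
            return None, consulted  # NXDOMAIN: nothing to cache in this toy
        raise RuntimeError("too many referrals for " + qname)


# Constructed zones: root delegates .cn and .com, the TLD servers delegate
# individual domains, and the authoritative servers hold the A records.
SERVERS = {
    "root": NameServer("root", {"cn.": ("NS", "tld-cn"), "com.": ("NS", "tld-com")}),
    "tld-cn": NameServer("tld-cn", {"linux.cn.": ("NS", "ns-linux")}),
    "tld-com": NameServer("tld-com", {"example.com.": ("NS", "ns-example")}),
    "ns-linux": NameServer("ns-linux", {"linux.cn.": ("A", "203.0.113.10", 300)}),
    "ns-example": NameServer("ns-example", {"example.com.": ("A", "198.51.100.7", 60)}),
}


def demo():
    r = RecursiveResolver(SERVERS, "root")
    first = r.resolve("linux.cn.", now=0)      # walks root -> tld-cn -> ns-linux
    second = r.resolve("linux.cn.", now=100)   # inside the 300 s TTL: served from cache
    third = r.resolve("linux.cn.", now=301)    # TTL expired: walks the hierarchy again
    missing = r.resolve("nosuch.cn.", now=0)   # the TLD server says NXDOMAIN
    return first, second, third, missing


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Two things are worth noticing: the root and TLD servers never see the final answer, only referrals, and the resolver's cache means the hierarchy is consulted once per TTL, not once per client. A real resolver also caches the referrals themselves (it would not go back to the root for a second .cn name), caches negative answers, and talks to several servers in parallel.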

Because DNS has worked reliably for more than 30 years, most people take it for granted. Security was not a design consideration when the system was built: queries and answers travel unauthenticated, mostly over UDP, and attackers have exploited that to create all kinds of attacks.

DNS reflection attack

A DNS reflection attack overwhelms a victim with a flood of responses from DNS resolvers. DNS normally runs over UDP, which has no handshake, so the attacker can send queries whose source IP address is forged to be the victim's. The attacker sends such queries, typically for record types that produce large answers (for example ANY or TXT), to every open DNS resolver they can find. The resolvers send their replies to the forged address, so the victim receives a large volume of DNS data it never requested. Because each response is many times larger than the query that triggered it, the attack is also an amplification attack: a modest amount of attacker bandwidth becomes a much larger flood at the victim. Response rate limiting and refusing to act as an open resolver for the whole internet are the standard defences on the resolver side.

DNS cache poisoning

DNS cache poisoning can redirect users to malicious websites. Attackers manage to insert fake address records into a resolver's cache, so that when a potential victim asks that resolver to resolve one of the poisoned names, the resolver responds with the IP address of a server controlled by the attacker. The classic way in is to race the real answer: a resolver accepts a reply that matches the 16-bit transaction ID and the source port of its outstanding query, so an attacker who can guess or brute-force those values can slip a forged reply in before the legitimate one arrives and have it cached until its TTL expires. Resolvers defend themselves by randomizing both the transaction ID and the source port of every query, by checking that the reply echoes the question that was asked, and by ignoring records in a reply that fall outside the domain the queried server is responsible for (the "bailiwick" check); DNSSEC, described below, lets the resolver verify the answer cryptographically. Once on the fake websites, victims may be tricked into revealing passwords or downloading malware.
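To make those checks concrete, here is an added example (not code from the original article) of the decisions a resolver makes when a reply arrives, written in Python against hand-built DNS wire messages using only the standard library. The names and addresses are constructed (203.0.113.10 as the genuine address, 192.0.2.66 as the attacker's), and the bailiwick rule is simplified to "only records at or below the name that was asked about".

```python
"""Resolver-side checks against cache poisoning, on hand-built DNS wire messages
(added example; stdlib only; all names and addresses are constructed)."""
import os
import random
import struct


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, qname, qtype=1):
    # 12-byte header (ID, flags RD=1, QDCOUNT=1) followed by one IN question.
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid, qname, answers, qtype=1):
    """answers: list of (owner, dotted_ipv4, ttl) turned into A records, no name compression."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR=1 RD=1 RA=1
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, ip, ttl in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        msg += encode_name(owner) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return msg


def read_name(msg, off):
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer: the rest of the name is elsewhere in the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, ptr)
            return ".".join(labels + [tail]), off + 2
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def parse_response(msg):
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((owner, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "answers": answers}


class PendingQuery:
    """What the resolver remembers about a query it has sent and is waiting on."""

    def __init__(self, qname, qtype=1, txid=None, port=None):
        self.qname, self.qtype = qname.lower(), qtype
        # Random ID and random source port: about 32 bits an off-path attacker must guess.
        self.txid = struct.unpack("!H", os.urandom(2))[0] if txid is None else txid
        self.port = random.SystemRandom().randint(1024, 65535) if port is None else port
        self.wire = build_query(self.txid, qname, qtype)


def accept_response(pending, msg, arrived_on_port):
    """Records the resolver may cache, or None if the packet is rejected outright."""
    if arrived_on_port != pending.port:
        return None  # not the socket this query went out on
    r = parse_response(msg)
    if not r["is_response"] or r["txid"] != pending.txid:
        return None  # ID mismatch: drop it, never cache it
    if r["qname"].lower() != pending.qname or r["qtype"] != pending.qtype:
        return None  # the question section must echo what we asked
    # Bailiwick check (simplified): keep only records at or below the queried name,
    # so a reply cannot smuggle in an address for an unrelated domain.
    zone = pending.qname
    return [a for a in r["answers"] if a[0].lower() == zone or a[0].lower().endswith("." + zone)]


def count_accepted(pending, txid_guesses, port_guess, evil_ip="192.0.2.66"):
    """An off-path attacker blindly spraying forged replies: how many get through?"""
    hits = 0
    for guess in txid_guesses:
        forged = build_response(guess, pending.qname, [(pending.qname, evil_ip, 86400)])
        if accept_response(pending, forged, port_guess):
            hits += 1
    return hits


if __name__ == "__main__":
    q = PendingQuery("linux.cn.")
    genuine = build_response(q.txid, "linux.cn.", [("linux.cn.", "203.0.113.10", 300)])
    print("genuine reply ->", accept_response(q, genuine, q.port))
    print("forgeries accepted, 4096 ID guesses, wrong port ->", count_accepted(q, range(4096), 0))
```

With a fixed or predictable ID and a single well-known source port, the attacker's loop in count_accepted succeeds almost immediately; with both randomized it needs on the order of billions of packets, which is why source-port randomization was the emergency fix of 2008 and why DNSSEC is the durable one.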

DNS resource exhaustion

A DNS exhaustion attack (also called a random subdomain or NXDOMAIN attack) can clog an ISP's DNS infrastructure, preventing the ISP's customers from accessing websites on the Internet. The attacker registers a domain name and delegates it so that the victim's name server is the authoritative server for that domain. The attacker then generates a large number of queries for non-existent, randomly generated subdomains of that domain and sends them through the ISP's recursive resolvers. Because each name is new, the resolvers have nothing cached and must forward every query to the victim's authoritative name server, which is overwhelmed; meanwhile the resolvers themselves tie up memory and outstanding-query slots waiting for answers that arrive slowly or never, which is what degrades service for the ISP's own customers.
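Both the reflection attack and the random-subdomain attack above leave characteristic traces in a resolver's query log. As an added example that is not part of the original article, here is a small Python detector run over constructed log lines in a made-up key=value format (real resolvers such as BIND or Unbound log differently, so the parser is the part you would adapt): a client whose queries keep drawing large answers is likely a spoofed victim being reflected, and a burst of distinct NXDOMAIN names under one zone is the signature of a random-subdomain flood. The thresholds, zone names and addresses are assumptions.

```python
"""Detect DNS reflection and random-subdomain (NXDOMAIN) floods in a resolver
log (added example; log format, thresholds and sample data are constructed)."""
import re
from collections import defaultdict

# Constructed log format: one query/response pair per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\S+) rcode=(?P<rcode>\S+) rlen=(?P<rlen>\d+)$"
)

SAMPLE_LOG = """\
2020-07-14T10:00:00Z client=192.0.2.10 qname=google.com. qtype=A rcode=NOERROR rlen=60
2020-07-14T10:00:01Z client=198.51.100.9 qname=isc.org. qtype=ANY rcode=NOERROR rlen=3200
2020-07-14T10:00:01Z client=198.51.100.9 qname=isc.org. qtype=ANY rcode=NOERROR rlen=3200
2020-07-14T10:00:01Z client=198.51.100.9 qname=isc.org. qtype=ANY rcode=NOERROR rlen=3200
2020-07-14T10:00:02Z client=192.0.2.11 qname=gogle.com. qtype=A rcode=NXDOMAIN rlen=110
2020-07-14T10:00:02Z client=198.51.100.9 qname=isc.org. qtype=ANY rcode=NOERROR rlen=3200
2020-07-14T10:00:02Z client=198.51.100.9 qname=isc.org. qtype=ANY rcode=NOERROR rlen=3200
2020-07-14T10:00:03Z client=192.0.2.20 qname=k3j9x.victim.example. qtype=A rcode=NXDOMAIN rlen=120
2020-07-14T10:00:03Z client=192.0.2.21 qname=q0ab7.victim.example. qtype=A rcode=NXDOMAIN rlen=120
2020-07-14T10:00:03Z client=192.0.2.22 qname=zz14m.victim.example. qtype=A rcode=NXDOMAIN rlen=120
2020-07-14T10:00:04Z client=192.0.2.20 qname=p8ww2.victim.example. qtype=A rcode=NXDOMAIN rlen=120
2020-07-14T10:00:04Z client=192.0.2.23 qname=ue6rt.victim.example. qtype=A rcode=NXDOMAIN rlen=120
2020-07-14T10:00:04Z client=192.0.2.24 qname=c7lo1.victim.example. qtype=A rcode=NXDOMAIN rlen=120
2020-07-14T10:00:05Z client=192.0.2.10 qname=www.linux.cn. qtype=A rcode=NOERROR rlen=75
this line is corrupt and must be skipped
"""


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["qname"] = e["qname"].lower().rstrip(".")
    e["rlen"] = int(e["rlen"])
    return e


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def zone_of(qname):
    # Crude: last two labels. A real detector uses the public suffix list so
    # that "co.uk"-style suffixes are not mistaken for a zone.
    return ".".join(qname.split(".")[-2:])


def find_reflection_sources(events, min_queries=5, min_avg_bytes=1000):
    """Clients with many queries whose answers are large: {client: avg_response_bytes}.
    Repeated large answers to one address is what a spoofed-victim reflection looks like."""
    counts, total = defaultdict(int), defaultdict(int)
    for e in events:
        if e["rcode"] == "NOERROR":
            counts[e["client"]] += 1
            total[e["client"]] += e["rlen"]
    return {c: total[c] // n for c, n in counts.items()
            if n >= min_queries and total[c] / n >= min_avg_bytes}


def find_random_subdomain_floods(events, min_distinct=5):
    """Zones receiving many distinct NXDOMAIN names: {zone: distinct_names}.
    A typo gives one NXDOMAIN; a flood gives a fresh name on every query."""
    names = defaultdict(set)
    for e in events:
        if e["rcode"] == "NXDOMAIN":
            names[zone_of(e["qname"])].add(e["qname"])
    return {z: len(s) for z, s in names.items() if len(s) >= min_distinct}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("reflection sources:", find_reflection_sources(events))
    print("random-subdomain floods:", find_random_subdomain_floods(events))
```

In production you would window these counts (per minute, say), feed the reflection hits to a response rate limiter rather than a blocklist (the source address belongs to the victim, not the attacker), and answer the random-subdomain flood with the cache-hardening features resolvers provide, such as synthesizing NXDOMAIN for names below a name already known not to exist (RFC 8020).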

What is DNSSEC?

DNS Security Extensions (DNSSEC) are designed to let a resolver verify that the answers it receives from the servers at each level of a DNS lookup are genuine. DNSSEC was specified by the Internet Engineering Task Force (IETF) in a series of RFCs, and the root zone has been signed since 2010 under the coordination of the Internet Corporation for Assigned Names and Numbers (ICANN), which is responsible for the root of the DNS.

The weakness DNSSEC addresses is that ordinary DNS answers carry no proof of origin: any party that can get a forged response accepted by a resolver, whether at the top-level, second-level or third-level of the hierarchy, can hijack queries and answer requests for legitimate websites with the IP addresses of malicious ones. Those websites could deliver malware to users, or host phishing and spoofing attacks.

DNSSEC solves this by having the operator of each zone digitally sign its DNS records; the signatures (RRSIG records) travel with the answers. Each parent zone publishes a hash of its child zone's signing key (a DS record), and the root zone's key is distributed to resolvers as a trust anchor. A validating resolver therefore follows a chain of trust from the root down to the zone it asked about, verifying at each step that the key signing the records is the one the parent vouched for, and rejects any answer whose signature does not check out. Note that DNSSEC authenticates the data; it does not encrypt the query, so it is not a privacy measure.

Additionally, DNSSEC can prove that a domain name does not exist: a signed zone includes NSEC (or NSEC3) records that name the existing entries on either side of each gap, so a resolver can verify a "no such name" answer instead of taking the server's word for it, and a forged answer for a name the zone does not contain will fail validation and never reach the innocent requester.
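Two of those validation steps can be shown offline. The following is an added example in Python (standard library only; not code from the original article or from any DNSSEC implementation): it computes the DS digest a parent zone would publish for a child's DNSKEY, as RFC 4034 specifies for digest type 2 (SHA-256), and it checks whether an NSEC record covers a queried name under DNSSEC's canonical name ordering. The key bytes, zone names and NSEC chain are constructed; signature verification itself (RRSIG checking) is left out because it needs an asymmetric-crypto library.

```python
"""Two DNSSEC validation steps: the DS link in the chain of trust, and NSEC
authenticated denial of existence (added example; constructed data)."""
import hashlib
import hmac
import struct


def wire_name(name):
    """Owner name in canonical wire form: lower-cased labels, length-prefixed, root terminator."""
    labels = [l.lower() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(flags, algorithm, public_key):
    """RFC 4034 appendix B: a 16-bit checksum that lets a DS name the DNSKEY it hashes."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, algorithm, public_key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, flags, algorithm, public_key):
    """RFC 4034 section 5.1.4, digest type 2: SHA-256(owner name || DNSKEY RDATA), as hex."""
    return hashlib.sha256(wire_name(owner) + dnskey_rdata(flags, algorithm, public_key)).hexdigest()


def ds_matches(parent_ds_hex, owner, flags, algorithm, public_key):
    """Does the DS the parent published vouch for this DNSKEY? This is the chain-of-trust link."""
    return hmac.compare_digest(ds_digest(owner, flags, algorithm, public_key), parent_ds_hex.lower())


def canonical_key(name):
    """RFC 4034 section 6.1 ordering: compare label by label from the right, case-insensitively;
    a name that is a prefix of another (its parent) sorts first. Python list comparison does exactly that."""
    return [l.lower().encode("ascii") for l in reversed(name.rstrip(".").split(".")) if l]


def nsec_covers(nsec_owner, nsec_next, qname, zone):
    """True if the NSEC record (owner -> next) proves qname does not exist in zone."""
    z, o, n, q = (canonical_key(x) for x in (zone, nsec_owner, nsec_next, qname))
    if q[:len(z)] != z or q == o or q == n:
        return False  # outside the zone, or the name exists (it owns an NSEC)
    if n == z:  # last record of the chain wraps round to the apex: covers everything after owner
        return q > o
    return o < q < n


def prove_nonexistence(nsec_chain, qname, zone):
    """Return the (owner, next) NSEC pair covering qname, or None if none does."""
    for owner, nxt in nsec_chain:
        if nsec_covers(owner, nxt, qname, zone):
            return (owner, nxt)
    return None


# Constructed signed zone "example.": its NSEC chain links every existing name to the next.
NSEC_CHAIN = [("example.", "a.example."), ("a.example.", "mail.example."),
              ("mail.example.", "www.example."), ("www.example.", "example.")]

if __name__ == "__main__":
    key = b"\x03\x01\x00\x01" + bytes(range(64))  # constructed key bytes, not a real RSA key
    print("key tag:", key_tag(257, 8, key), "DS:", ds_digest("linux.cn.", 257, 8, key))
    print("b.example. covered by", prove_nonexistence(NSEC_CHAIN, "b.example.", "example."))
    print("www.example. covered by", prove_nonexistence(NSEC_CHAIN, "www.example.", "example."))
```

A full validator does more around each of these steps: the DS record also carries the key tag and algorithm so the right DNSKEY can be picked out of a set, the NSEC record and the DNSKEY set must themselves carry valid RRSIGs, and a negative answer additionally needs proof that no wildcard would have matched. NSEC3 applies the same covering logic to hashed names so that the zone cannot be enumerated by walking the chain.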

As more domain names are created, more devices join the network through IoT and other "smart" systems, and more websites migrate to IPv6, a healthy DNS ecosystem will need to be maintained. The growth of big data and analytics also brings greater demand for DNS management.

SIGRed: a wormable DNS vulnerability resurfaces

In July 2020, with the disclosure of a flaw in Windows DNS Server (CVE-2020-1350), the world was reminded of the chaos that weaknesses in DNS can cause. Dubbed SIGRed, the hole requires a complex attack chain, but it is triggered by a malformed DNS response that an unpatched Windows DNS server processes, and it lets an attacker execute arbitrary code on that server with SYSTEM privileges, which in a typical Active Directory environment means on a domain controller. The vulnerability is "wormable," meaning malware could use it to spread from server to server without human intervention. It was considered alarming enough that U.S. federal agencies were given just days to install the patch.

DNS over HTTPS: The new privacy landscape

As of this writing, DNS is on the verge of the biggest shift in its history. Google and Mozilla, which together control a large share of the browser market, are encouraging a move toward DNS over HTTPS (DoH), in which DNS queries are carried inside the HTTPS connections that already protect most web traffic, so that nobody on the path can read or tamper with them. In Chrome's implementation, the browser checks whether the resolver the operating system is already configured to use has a DoH endpoint; if it does, Chrome upgrades to that endpoint, and if not, it keeps using the configured resolver over ordinary DNS rather than switching to a different provider such as Google's 8.8.8.8.
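What such a request looks like, as an added example in Python that is not from the original article or from any browser: RFC 8484 carries the unchanged DNS wire-format message either base64url-encoded (without padding) in the dns query parameter of an HTTPS GET, or as the body of a POST, with the media type application/dns-message. The URL https://dns.google/dns-query is Google's published DoH endpoint; the code only builds the request and sends nothing.

```python
"""Building a DNS-over-HTTPS request per RFC 8484 (added example; nothing is sent)."""
import base64
import struct
from urllib.parse import urlencode

DOH_MEDIA_TYPE = "application/dns-message"


def build_query(qname, qtype=1):
    """Plain DNS wire-format query, the same bytes that would go to UDP port 53.
    RFC 8484 section 4.1: use ID 0 so identical queries produce identical, cacheable URLs."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)


def doh_get(endpoint, wire):
    """GET form: the message travels in the 'dns' parameter, base64url with padding removed (section 6)."""
    param = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return {"method": "GET", "url": endpoint + "?" + urlencode({"dns": param}),
            "headers": {"accept": DOH_MEDIA_TYPE}}


def doh_post(endpoint, wire):
    """POST form: the raw message is the request body."""
    return {"method": "POST", "url": endpoint,
            "headers": {"accept": DOH_MEDIA_TYPE, "content-type": DOH_MEDIA_TYPE}, "body": wire}


def decode_dns_param(param):
    """What the server does with the 'dns' parameter: restore the padding, base64url-decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


if __name__ == "__main__":
    wire = build_query("linux.cn.")
    req = doh_get("https://dns.google/dns-query", wire)
    print(req["method"], req["url"])
    print("round trip ok:", decode_dns_param(req["url"].split("dns=", 1)[1]) == wire)
```

On the wire this is just an HTTPS request to dns.google, which is the root of the controversy that follows: a network operator sees a TLS connection to a well-known resolver, not the names being looked up, so monitoring and filtering that used to happen on port 53 has to move to the resolver, to the endpoint, or to blocking the DoH hosts themselves.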

It's a move that's not without controversy. Paul Vixie, who did much of the early work on the DNS protocol back in the 1980s, called the move a "disaster" for security: for example, it will be harder for corporate IT departments to monitor or steer DNS traffic that travels inside ordinary HTTPS connections across their networks. Still, Chrome is ubiquitous, and DoH will soon be turned on by default, so we'll see.
