The Domain Name System (DNS) is one of the foundations of the internet, working
in the background to match the names of web sites that people type into a
search box with the corresponding IP address, a long string of numbers that no
one could be expected to remember.
It's still possible for someone to type an IP address into a browser to reach a
website, but most people want an internet address to consist of
easy-to-remember words, called domain names. (For example, Network World.)
In the 1970s and early 80s, the task of matching domain names and IP addresses
was assigned to one person - Elizabeth Feinler at Stanford Research Institute,
who maintained a master list of every internet-connected computer. This was
obviously unsustainable, given the rapid growth of the internet, and, in 1983,
Paul Mockapetris developed DNS, an automated, scalable system that handles
domain-name-to-IP-address translation.
There are currently more than 342 million registered domains, so keeping all
those names in a single directory would be cumbersome. Like the internet
itself, the directory is distributed around the world on domain name servers
that communicate with each other on a regular basis to provide updates and
eliminate redundancies.
Another reason for the creation of a distributed system is to boost
performance. For example, imagine if all of the requests coming in at the same
time all over the world to resolve the domain name Google with the underlying
IP address were being handled in a single location. To address this issue, DNS
information is shared among many servers.
That means a single domain can have more than one IP address. For example, the
physical server that your laptop or smartphone reaches when you enter
www.google.com is different from the server that someone in another country
would reach by typing the same site name into their browser. But DNS still
gets you to the right place, no matter where you are in the world.
How does DNS work? Recursive resolvers and root, top-level, and name servers
When your computer wants to find the IP address associated with a domain name,
it first makes its DNS query via a DNS client, typically in a Web browser. The
query then goes to a recursive DNS server, also known as a recursive resolver.
A recursive resolver is typically operated by an Internet Service Provider
(ISP), such as AT&T or Verizon, or by some other third party, and it knows which
other DNS servers it needs to ask to resolve the name of a site to its IP
address. The servers that actually hold the needed information are called
authoritative name servers.
DNS is organized in a hierarchy. An initial DNS query for an IP address is made
to a recursive resolver. This search first leads to a root server, which has
information on top-level domains (.com, .net, .org), as well as country
domains. Root servers are located all around the world, so the DNS system
routes the request to the closest one.
Once the request reaches the correct root server, it goes to a top-level domain
server (TLD nameserver), which stores information for the second-level domain,
the part of the name that you actually type. The request then goes to the
domain's own nameserver, which looks up the IP address and sends it back to the
DNS client so the device can reach the appropriate website. All of this takes
mere milliseconds.
What is DNS caching?
Chances are that you use Google several times a day. Instead of your computer
querying the DNS nameserver for the IP address every time you enter the domain
name, that information is saved on your personal device so that it doesn't have
to access a DNS server to resolve the name with the IP address.
Additional caching can occur on the routers used to connect clients to the
internet, as well as on the servers of the user's ISP. With so much caching
going on, the number of queries that actually make it to the DNS name servers
is significantly reduced, which helps with the speed and efficiency of the
system.
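The walk from recursive resolver through root, TLD and authoritative server described above, together with the cache that spares repeat lookups the trip, as an added Go example (not code from the original article): the zone data, the server names and the 192.0.2.10 address are constructed, and the "servers" are in-memory maps rather than network hosts.

```go
package main
import "fmt"
import "strings"

// Zone: one toy authoritative server's A records and NS-style referrals (constructed data).
type Zone struct{ A, NS map[string]string }
// Resolver: a toy recursive resolver with a cache in front of the hierarchy.
type Resolver struct {
	Servers map[string]*Zone  // server name -> zone it serves
	Cache   map[string]string // answers already learned
	Queries int               // server round-trips made so far
}

// Resolve walks root -> TLD -> authoritative, using the cache when it can.
func (r *Resolver) Resolve(name string) (string, error) {
	if ip, ok := r.Cache[name]; ok {
		return ip, nil // cache hit: no server is contacted
	}
	server := "root"
	for hop := 0; hop < 8 && r.Servers[server] != nil; hop++ { // bounded: no loops
		z := r.Servers[server]
		r.Queries++
		if ip, ok := z.A[name]; ok { // authoritative answer: cache it and return
			r.Cache[name] = ip
			return ip, nil
		}
		server = "" // not answered here: follow the referral for the enclosing zone
		for child, next := range z.NS {
			if name == child || strings.HasSuffix(name, "."+child) {
				server = next
			}
		}
	}
	return "", fmt.Errorf("cannot resolve %s", name)
}

// NewResolver builds the constructed root -> .com -> example.com hierarchy.
func NewResolver() *Resolver {
	return &Resolver{Cache: map[string]string{}, Servers: map[string]*Zone{
		"root":            {NS: map[string]string{"com": "com-tld"}},
		"com-tld":         {NS: map[string]string{"example.com": "ns1.example.com"}},
		"ns1.example.com": {A: map[string]string{"www.example.com": "192.0.2.10"}},
	}}
}
func main() {
	r := NewResolver()
	ip, _ := r.Resolve("www.example.com") // root, TLD, authoritative: 3 round-trips
	r.Resolve("www.example.com")          // second lookup is served from the cache
	fmt.Println(ip, "resolved with", r.Queries, "round-trips in total")
}
```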
How does the DNS numbering system work?
Every device that connects to the internet needs to have a unique IP address in
order to have traffic properly routed to it. DNS translates human queries into
numbers using a system known as IPv4 or IPv6. With IPv4, the numbers are 32-bit
integers that are expressed in decimal notation.
The string of numbers is divided into sections, which include the network
component, the host and the subnet, not dissimilar to a telephone number that
might have a country code, an area code, etc. The network part of the number
designates the class and category of network that is assigned to that number.
The host identifies the specific machine on the network. The subnet part of the
number is optional but is used to navigate the sometimes extremely large number
of subnets and other partitions within a local network.
IPv6, which was created to address concerns about the internet running out of
IPv4 addresses, uses 128-bit-sized numbers, compared to 32-bit numbers with
IPv4. There are 340 trillion trillion possible IPv6 addresses.
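The 32-bit layout described above, as an added Go example that is not part of the original article: it parses dotted decimal into the underlying integer (rejecting malformed input), reads the historical class from the leading bits, and splits an address into network and host parts for a given prefix length; 192.0.2.10/24 is a constructed example address.

```go
package main
import "fmt"
import "strconv"
import "strings"

// ParseIPv4 turns dotted-decimal text into the 32-bit integer it denotes,
// rejecting anything that is not exactly four octets in the range 0..255.
func ParseIPv4(s string) (uint32, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return 0, fmt.Errorf("%q: want four octets", s)
	}
	var n uint32
	for _, p := range parts {
		v, err := strconv.ParseUint(p, 10, 8) // base 10 and must fit in 8 bits
		if err != nil {
			return 0, fmt.Errorf("%q: bad octet %q", s, p)
		}
		n = n<<8 | uint32(v) // each octet is one byte of the 32-bit value
	}
	return n, nil
}
// Format renders a 32-bit value back as dotted decimal.
func Format(n uint32) string {
	return fmt.Sprintf("%d.%d.%d.%d", n>>24, n>>16&0xff, n>>8&0xff, n&0xff)
}

// Class returns the historical address class encoded in the leading bits.
func Class(n uint32) string {
	if n>>31 == 0 {
		return "A"
	} else if n>>30 == 0b10 {
		return "B"
	} else if n>>29 == 0b110 {
		return "C"
	}
	return "D/E"
}
// Split separates network and host parts for a prefix length such as the /24
// in 192.0.2.10/24, i.e. a subnet mask of 24 leading one bits.
func Split(n uint32, prefix uint) (network, host uint32) {
	mask := uint32(0xffffffff) << (32 - prefix) // prefix > 32 yields an empty mask
	return n & mask, n &^ mask
}

func main() {
	n, _ := ParseIPv4("192.0.2.10") // constructed example address
	network, host := Split(n, 24)
	fmt.Printf("%s = %d, class %s, network %s, host %d\n", Format(n), n, Class(n), Format(network), host)
}
```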
Who assigns IP addresses?
In 1998, the U.S. government handed the task of assigning IP addresses over to
the Internet Corporation for Assigned Names and Numbers (ICANN). The
not-for-profit organization has managed that function ever since without any
notable disruptions. ICANN develops policies on things like the creation of new
top-level domains (such as .io).
For the most part, ICANN takes a neutral and advisory role. For example, anyone
who wants to register a domain on the internet today can go to any number of
ICANN-accredited registrars, which basically decentralizes the already
decentralized DNS system. Once registered, new domains can populate and be
reached worldwide via DNS servers in a matter of minutes.
Is DNS secure?
Cybercriminals are extremely clever when it comes to identifying
vulnerabilities that can be exploited in just about any system, and DNS has
certainly come in for its fair share of attacks. A 2021 IDC survey of more than
1,100 organizations in North America, Europe and Asia-Pacific showed that 87%
had experienced DNS attacks.
The average cost of each attack was around $950,000 for all regions and about
$1 million for organizations in North America. The report noted that
organizations across all industries averaged 7.6 attacks during the previous
year.
The COVID-related shift to off-premises work and the response by companies to
move resources to the cloud to make them more accessible have provided new
targets for attackers, the report said.
The researchers also found a sharp rise in data theft via DNS, with 26% of
organizations reporting that sensitive customer information was stolen,
compared with 16% in 2020.
Common types of DNS attacks include DNS amplification, DNS spoofing or cache
poisoning, DNS tunneling, and DNS hijacking or DNS re-direction.
What is DNSSEC?
DNSSEC is a security protocol devised by ICANN to help make communication among
the various levels of servers involved in DNS lookups more secure. It
addresses weaknesses in the communication between DNS top-level, second-level,
and third-level directory servers that would allow hackers to hijack lookups.
This hijacking allows attackers to respond to requests for lookups to
legitimate sites by directing users to a malicious site. Such sites could
deliver malware to users or carry out phishing attacks.
DNSSEC addresses this by having each level of DNS server digitally sign its
requests, ensuring that requests sent by end users aren't commandeered by
attackers. This creates a chain of trust so that at each level of the lookup,
the integrity of the request is validated.
DNSSEC also can determine if a domain name really exists, and if it doesn't,
prevents a fraudulent domain from being delivered to innocent requesters
seeking to have a domain name resolved.
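The chain of trust described above, as an added Go example that is not part of the original article or of any DNSSEC implementation: it models each zone with an Ed25519 key pair, uses a SHA-256 digest of the child's key as the DS record and Ed25519 signatures in place of RRSIGs (assumptions chosen to keep the model short), and the zone names and the A record are constructed. The validator starts from only the root key and refuses any level whose key is not vouched for by the already trusted parent.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone is one level of the hierarchy with its own signing key pair (constructed
// keys for this example; real zones publish DNSKEY, RRSIG and DS records).
type Zone struct{ Name string; Pub ed25519.PublicKey; priv ed25519.PrivateKey }
// Link is what a parent publishes about a child: the SHA-256 digest (DS) of
// the child's public key, signed with the parent's key.
type Link struct{ Child *Zone; DS [32]byte; DSSig []byte }
func NewZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Zone{name, pub, priv}
}
// Delegate has a parent sign the digest of a child's key, creating the link.
func (z *Zone) Delegate(child *Zone) Link {
	ds := sha256.Sum256(child.Pub)
	return Link{child, ds, ed25519.Sign(z.priv, append([]byte(child.Name), ds[:]...))}
}
// Sign produces the signature a zone publishes beside one of its records.
func (z *Zone) Sign(record string) []byte { return ed25519.Sign(z.priv, []byte(record)) }
// Validate trusts only the root key a priori; each child key is accepted only if its DS
// is signed by the already trusted parent and matches the key, then the record is checked.
func Validate(root *Zone, links []Link, record string, sig []byte) error {
	parent := root
	for _, l := range links {
		if !ed25519.Verify(parent.Pub, append([]byte(l.Child.Name), l.DS[:]...), l.DSSig) {
			return fmt.Errorf("%s: DS not signed by %s", l.Child.Name, parent.Name)
		}
		if sha256.Sum256(l.Child.Pub) != l.DS {
			return fmt.Errorf("%s: key does not match its DS", l.Child.Name)
		}
		parent = l.Child // verified, so it may vouch for the next level
	}
	if !ed25519.Verify(parent.Pub, []byte(record), sig) {
		return fmt.Errorf("%s: record signature invalid", parent.Name)
	}
	return nil
}

func main() {
	root, com, ex := NewZone("."), NewZone("com"), NewZone("example.com")
	rec := "www.example.com. A 192.0.2.10" // constructed record
	fmt.Println(Validate(root, []Link{root.Delegate(com), com.Delegate(ex)}, rec, ex.Sign(rec)))
}
```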
What is DNS over HTTPS (DoH)?
While DNSSEC addresses potential vulnerabilities within the distributed network
of DNS servers, it certainly hasn't stopped DNS-based cyberattacks that use
some form of deception to inject malicious code into the DNS system.
In one of the biggest shifts in the long history of DNS, Google, Mozilla, and
others are encouraging a move to DNS over HTTPS or DoH, an IETF standard that
encrypts DNS requests in the same way that the HTTPS protocol already protects
most web traffic.
The shift to DoH, however, is not without controversy. By encrypting DNS
requests, DoH could get in the way of enterprise IT being able to monitor the
web activity of employees, and parents have complained that it could block them
from implementing parental controls over their children's internet usage.
Uptake of DNS over HTTPS has been slow. On the client side, DoH comes with the
latest versions of Google Chrome and Mozilla Firefox, but it can be turned off
by the end user. Organizations that try to have some measure of control over
which browsers and browser versions are used by employees have the option to
simply disable it. On the ISP side, many of the leading ISPs have not yet
enabled DoH on their end.
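What a DoH request actually carries, as an added Go example that is not part of the original article: it builds the wire-format DNS query for a name and wraps it in the RFC 8484 GET form, where the message is base64url-encoded without padding as the dns query parameter; the resolver URL https://doh.example/dns-query is a constructed placeholder. The encoded query this produces for www.example.com is the same one RFC 8484 shows in its own example.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// BuildQuery encodes a DNS query for name (type A, class IN) in wire format:
// a 12-byte header, the name as length-prefixed labels, then QTYPE and QCLASS.
// RFC 8484 recommends a DNS ID of 0 so identical queries are HTTP-cache
// friendly; integrity comes from the TLS connection, not from the ID.
func BuildQuery(name string) ([]byte, error) {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[2:], 0x0100) // flags: RD (recursion desired)
	binary.BigEndian.PutUint16(msg[4:], 1)      // QDCOUNT = 1
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if len(label) == 0 || len(label) > 63 {
			return nil, fmt.Errorf("bad label %q in %q", label, name)
		}
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0)          // root label terminates the name
	msg = append(msg, 0, 1, 0, 1) // QTYPE A, QCLASS IN
	return msg, nil
}

// DoHURL wraps the wire-format query in the GET form of RFC 8484: the message
// is base64url-encoded with no padding and sent as the dns query parameter.
func DoHURL(resolver, name string) (string, error) {
	q, err := BuildQuery(name)
	if err != nil {
		return "", err
	}
	return resolver + "?dns=" + base64.RawURLEncoding.EncodeToString(q), nil
}

func main() {
	u, _ := DoHURL("https://doh.example/dns-query", "www.example.com") // constructed resolver
	fmt.Println(u)
}
```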
How to find my DNS server
Generally speaking, the DNS server that you use will be established
automatically by your ISP when you connect to the internet. If you want to see
which servers are your primary name servers, there are web utilities that can
provide information about your current network connection, such as
browserleaks.com.
While your ISP will set a default DNS server, you're under no obligation to use
it. Some users may have reason to avoid their ISP's DNS, for example, if the
ISP uses their DNS servers to redirect requests for nonexistent addresses to
pages with advertising.
As an alternative, you can point your computer to a public DNS server that will
act as a recursive resolver. One of the most prominent public DNS servers is
Google's. The IP address is 8.8.8.8.