Introduction
DNS servers locate web sites when you are browsing the Internet. They are the most trusted component of your web browsing experience, but few people understand how they work or how their security vulnerabilities can cause you problems. This article provides the information you need to understand what DNS servers do before you Find the Best DNS Server or Change DNS Server. There are three sections in this guide.
This article was removed from How to Change DNS Server to make that guide more direct. I have deliberately omitted such topics as internal DNS servers, zones and delegation, and denial of service attacks. If you want to find out more or get another viewpoint, there are many overviews of DNS that you can also refer to. Here are a few for you:
Internet Name Systems
The Internet uses names to identify and locate resources. A name indicates what we seek. There are two main Internet name systems:
The URL usually identifies the mechanism used to retrieve the named resource. That is why the URL scheme is often called a protocol, even though it is not one, because it usually corresponds to the protocol used. For example, the URL scheme "http" is commonly but not always accessed using the HyperText Transfer Protocol (HTTP).
The Domain Name System (DNS)
DNS is often said to be similar to a phone directory: when you know the domain name you can find the IP address. Try it for yourself and do a DNS lookup of some domain names to find their IP addresses at WhatsMyIp.org. The domain name techsupportalert.com is equivalent to the IP address 72.52.134.16.
DNS is a hierarchy or tree with numerous branches and levels. DNS name servers work their way through that tree to locate each domain name. It is similar to looking up a phone number in a directory. You would find the correct directory or section of a directory (e.g. white pages, yellow pages, government departments), find the correct organization name or last name of the person, find the correct department or first name, and finally select the appropriate phone number (e.g. home phone, mobile phone, fax). Using the domain name www.techsupportalert.com again, it is broken down from right to left to locate it in the DNS tree. Note that the periods (".") are separators:
Fully Qualified Domain Names
DNS Record Types
Other DNS record types extend the functions of a DNS server. Again, you can use DNS Lookup at WhatsMyIp.org to check these out:
DNS Servers
DNS servers are more correctly called DNS name servers, as they are any computer registered to join the Domain Name System. As DNS is a highly decentralized hierarchy, there are currently 242 root level servers that must be used to access any authoritative name servers for the top level domains. The last statistics I saw said that there were nearly 20 million DNS servers for over 220 million domain names. There are two main types of DNS server:
Authoritative name servers are the ultimate repository or host for any registered domain name. Authoritative name servers are by definition non-recursive (they don't have to use an algorithm to query any other servers) for the domain names registered with them.
Resolving name servers find the IP address for a domain name. In more technical terms, they find a solution to a DNS query. Most resolving name servers use two methods to resolve names:
There are two further categories of DNS server that you should know about. We distinguish public or open resolving DNS servers, which anyone can use, from private resolving DNS servers, which are restricted to specific users. Some public servers are limited geographically, for example to users in the United States. This can be done because blocks of IP addresses are allocated to different regions.
DNS on your PC
Your PC will need to know how to find its DNS server, and so it has its own DNS resolver with a DNS name cache.
An example of DNS resolution
Finally, we can look at how a system finds the domain name www.techsupportalert.com assuming that there is no DNS caching in operation. Eight DNS queries and resolutions are sent and received. As most sites are cached, this is the worst case for finding a valid address.
1. Your system DNS resolver sends a query to locate the "A" record for www.techsupportalert.com to the system DNS server.
Your system DNS server gets the addresses of a root level DNS server from a list that it is configured with.
2. Your system DNS server sends a query to a root level server asking for the DNS server for the top level domain (TLD) com.
3. The root level server returns the address of the TLD server for com.
4. Your system DNS server sends a query to the com TLD server asking for the DNS server for techsupportalert.com.
5. The TLD server for com returns the address 72.52.134.216 for the authoritative DNS server NS1.TASTYTEK.COM.
6. Your system DNS server sends a query to NS1.TASTYTEK.COM for www.techsupportalert.com.
7. The DNS server NS1.TASTYTEK.COM finds the CNAME alias for www.techsupportalert.com and returns the CNAME record.
Your system DNS server now starts a new DNS query to get the "A" record for the canonical name (CNAME alias) techsupportalert.com. The original query could have specified a CNAME record, in which case that would be returned.
8. Your system DNS server sends a query to NS1.TASTYTEK.COM for the FQDN techsupportalert.com.
9. The DNS server NS1.TASTYTEK.COM finds the "A" record for techsupportalert.com and returns it.
10. Your system DNS server sends the "A" record for techsupportalert.com to your system DNS resolver.
The browser can now connect to the techsupportalert.com web server.
(The original page showed the DNS tree beside these steps: the root, then TLDs such as aero, biz, cat and com, then techsupportalert under com, then www under techsupportalert.)
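The walk just described, as an added example that is not part of the original article: a toy iterative resolver that follows referrals from the root to the TLD server to the authoritative server and then chases the CNAME, using constructed in-memory zone data rather than the network. The domain, its address and NS1.TASTYTEK.COM are the article's; the root and TLD server names are invented.

```python
# Added example (not from the original article): a toy iterative resolver that
# walks root -> TLD -> authoritative server and chases the CNAME, using
# constructed in-memory zone data instead of the network. The domain, its address
# and NS1.TASTYTEK.COM come from the article; the other server names are invented.

ROOT = "root-server"

# Constructed data: what each server knows about each name.
# ("NS", next_server) is a referral; ("A"/"CNAME", value) is an answer.
SERVERS = {
    "root-server": {"com": ("NS", "com-tld-server")},
    "com-tld-server": {"techsupportalert.com": ("NS", "NS1.TASTYTEK.COM")},
    "NS1.TASTYTEK.COM": {
        "www.techsupportalert.com": ("CNAME", "techsupportalert.com"),
        "techsupportalert.com": ("A", "72.52.134.16"),
    },
}


def ask(server, name):
    """One query: exact answer, else a referral for a delegated suffix, else None."""
    zone = SERVERS[server]
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zone and zone[suffix][0] == "NS":
            return zone[suffix]          # referral, e.g. root -> com TLD server
    return None                          # nothing known: NXDOMAIN


def resolve(name, rtype="A", max_cnames=5):
    """Return (records, trace); trace lists every (server, name, reply) hop."""
    records, trace, server = [], [], ROOT
    while True:
        reply = ask(server, name)
        trace.append((server, name, reply))
        if reply is None:
            return [], trace             # NXDOMAIN
        kind, value = reply
        if kind == "NS":
            server = value               # follow the referral down the tree
        elif kind == "CNAME" and rtype != "CNAME":
            if len(records) >= max_cnames:
                raise RuntimeError("CNAME chain too long")
            records.append((name, kind, value))
            name, server = value, ROOT   # restart for the canonical name
        else:
            records.append((name, kind, value))
            return records, trace
```

Calling resolve("www.techsupportalert.com") returns the CNAME and A records together with a six-hop trace; asking for the CNAME type directly stops at step 7, and a name the authoritative server does not know ends in NXDOMAIN.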
General issues
Global DNS server networks
There are advantages to using a global provider such as Google or OpenDNS.
Content Distribution Networks (CDN)
CDNs place network resources near to the people who need to use them. So a European organization with many customers in Australia can use a third-party CDN in Australia to improve the customer experience there. They are owned or used by many large websites including Google and Microsoft. These servers may even be colocated in ISP datacenters, further improving response times. There is one problem with them: DNS servers normally return the CDN server which is closest to them rather than the closest server to the user. At the moment, this means that some DNS servers should not be used in some countries. In New Zealand many ISPs operate large caches to minimize international traffic. If I use OpenDNS I have problems when its servers in the United States return a US CDN when my ISP returns the webpage from a closer CDN. My web browser is left hanging while it waits for a web page from the United States that never arrives because the cached page came from a closer server.
Public DNS servers can become more private
When you use a public DNS server from an organization that you do not have a contract with, the DNS service could be cut off at any time. For example, in New Zealand, the ISP TelstraClear recently announced that after upgrading their DNS network, access to its DNS servers will be limited to its customers. There are good reasons to do this just to improve DNS security.
Secondary DNS servers are often slower
Most primary DNS servers have secondary servers to provide redundancy in case the main server fails. Many secondary servers are not as fast as the primary DNS server because their primary purpose is not performance but backup, load-balancing, or supporting a remote location. Some DNS service providers provide DNS services for other organizations. Often such services are slightly slower. An example of this is Comodo Secure DNS which is provided by UltraDNS.
DNS vulnerabilities and threats
DNS servers are a central part of the Internet. Your system assumes that the address provided by a DNS server is always correct. That is why DNS servers are an attractive target for attackers. Any breach of security on your DNS servers can leave your system exposed, so it is worth checking that your DNS servers are reputable and secure. In particular, public or open resolving DNS servers are more vulnerable to these problems because they don't verify the identity of their users: they don't know whether the system asking the question can be trusted.
Impersonating a domain name or IP address
IP address spoofing is the forging of IP addresses to mask the originating IP address and to allow the impersonation of the forged address. DNS spoofing or cache poisoning occurs when a DNS name server has stored data in its cache database that did not originate from the authoritative DNS server for that domain name. This "poisoned" data will then be used to respond to DNS queries with the spoofed IP address. You can run a DNS Spoof Test to see whether any DNS server is vulnerable.
Masquerading as an internal address on your network
DNS rebinding attacks try to fool your system into thinking that non-local addresses are part of your local network and thereby avoid the security checks applied to external addresses. The ranges of IP addresses reserved for local networks include 10.x.x.x, 127.x.x.x, 172.16.x.x, and 192.168.x.x.
Redirecting when a domain name does not exist
DNS hijacking or redirection occurs when a query for a non-existent domain name is redirected to a different IP address. When a domain name does not exist, the NXDOMAIN response should be given. When it is not provided there can be minor or major breakdowns on your system or network, particularly if you run a virtual private network (VPN). It can also provide an opening for malicious purposes because your system thinks that the faked IP address is what it was looking for.
You can then be redirected to a dangerous site but more commonly you will simply see an advertising page. You should generally avoid redirecting/hijacking DNS servers but you may decide you want to use a DNS server that has a benign purpose for redirection:
Exploiting the lack of DNSSEC authentication
DNS did not originally have security features, so the Domain Name System Security Extensions (DNSSEC) were introduced to authenticate DNS data using public-key cryptography to protect from forgeries. Many DNS servers do not have these extensions enabled, so they are more vulnerable to cache poisoning and denial of service attacks (where many systems are used to send a lot of difficult DNS queries to swamp the DNS server).
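Two defensive checks for the rebinding and NXDOMAIN-redirection problems described above, as an added example that is not part of the original article: a forwarder can drop answers that map an Internet name onto the local ranges the article lists, and it can detect a redirecting resolver by probing a name that cannot exist. The internal suffixes (.lan, .internal), the IPv6 equivalents of the local ranges, and all sample responses are assumptions constructed for the example.

```python
# Added example, not part of the original article: resolver-side checks for the
# two problems above. filter_answers drops answers that map an Internet name onto
# the local ranges the article lists (IPv6 equivalents added); looks_hijacked
# flags a resolver that answers a probe for a name that cannot exist with an
# address instead of NXDOMAIN. The internal suffixes and all responses below
# are constructed sample data.
import ipaddress
import secrets

LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7",        # IPv6 loopback and unique-local
)]


def is_local(addr):
    """True if addr falls in a range reserved for local networks or loopback."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def filter_answers(qname, answers, internal_suffixes=(".lan", ".internal")):
    """Split answers into (kept, dropped). Only names under an internal suffix
    may legitimately resolve to local addresses. answers is [(rtype, value)]."""
    if qname.lower().rstrip(".").endswith(tuple(internal_suffixes)):
        return list(answers), []
    kept, dropped = [], []
    for rtype, value in answers:
        if rtype in ("A", "AAAA") and is_local(value):
            dropped.append((rtype, value))   # rebinding: public name -> local address
        else:
            kept.append((rtype, value))
    return kept, dropped


def probe_name(domain):
    """A random label under domain; no authoritative server can know this name."""
    return f"{secrets.token_hex(8)}.{domain}"


def looks_hijacked(rcode, answers):
    """A resolver returning an address for a probe name is redirecting NXDOMAIN."""
    return rcode != "NXDOMAIN" and any(r in ("A", "AAAA") for r, _ in answers)
```
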
Related Products and Links
Using DNS servers for security
Products mentioned here
Date | Change | Editor
---|---|---
July 2011 | New article extracted from How to Change DNS Server | Remah
Domain Name System, DNS, DNS server, DNS resolver, DNS query, DNS resolution, DNS name server, Internet name server, DNS issue, DNS security |