How does DNS work? A big picture


Plan

  • DNS Requests
  • DNS Zone file records
  • DNS Security
  • Useful commands / tool

DNS Main architecture

Figure 1: DNS in a nutshell
Figure 2: The 13 root servers

Root Servers

  • Verisign (x2)
  • Cogent
  • US Army Research Lab
  • RIPE NCC

The root servers are supervised by ICANN.
Useful information regarding these root ‘servers’ can be found here: https://root-servers.org/

TLDs?

  • “.fr” belongs to “Association Française pour le Nommage Internet en Coopération” (A.F.N.I.C.)
  • “.apple” belongs to the company Apple

Different types of TLDs:
gTLD — Generic Top-Level Domain (.com, .net, .org, …)
sTLD — Sponsored Top-Level Domain (.edu, .gov, .museum, …)
ccTLD — Country Code Top-Level Domain (.fr, .de, .cd, …)
→ Infrastructure Top-Level Domain (only .arpa)

A lot of useful information regarding TLDs can be found here:
https://www.iana.org/domains/root/db

Figure 3: DNS Architecture

DNS Requests

Figure 4: DNS request steps

DNS public zone records

  • AAAA = IPv6 address record (the IPv6 counterpart of the A record)
  • NS = identifies the authoritative DNS servers for a zone (whenever they change, the registrar has to update the parent TLD registry)
  • MX = specifies a mail server for the zone
  • CNAME (canonical name) = specifies an alias for another name (it cannot be used at the zone apex, i.e. the bare domain)
  • ALIAS record (a virtual, provider-specific record type) is akin to CNAME except it works at the apex, so use it when your provider offers it
  • PTR (pointer) = a reverse DNS record, resolving an IP to a fully qualified hostname. How to use it? “dig -x [IP]” → it returns the name the reverse record points to
  • SPF = an email-related policy (published in a TXT record) that lets receivers check which hosts may send mail for the domain, so legitimate mail is less likely to be classified as spam
  • SOA (Start of Authority) = stores information about the zone and its records: TTL, Expiry, Retry, Refresh, last update time (the serial number).
    Used for domain transfers.
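The record rules listed above (one SOA and at least one NS at the apex, no CNAME at the apex or next to other data, MX/NS targets that are not CNAMEs, an SPF policy in a TXT record) are the kind of thing a zone linter checks before a zone is published. The following is an added example written for this post, not code from the original article or from BIND; the zone it parses is constructed sample data for example.com., the resolver-independent checks cite the RFCs they come from, and it assumes one record per line with explicit TTLs and class IN (no $TTL/$ORIGIN directives, no multi-line SOA).

```python
"""Zone-record linter: an added example, not code from the original post.

Parses a small, constructed BIND-style zone (sample data, not a real zone) and
checks the rules behind the record descriptions above: the apex needs exactly
one SOA and at least one NS, a CNAME cannot sit at the apex or share its owner
name with any other record, MX and NS targets must not be CNAMEs, and the apex
should publish an SPF policy in a TXT record.
Assumptions: one record per line, explicit TTLs, class IN, no $ directives,
and no ';' inside TXT data (';' starts a comment).
"""
import re
from collections import defaultdict

# Constructed sample zone. Two records are deliberately wrong so the linter has
# something to report: mail. is a CNAME used as an MX target, and www. carries a
# TXT record next to its CNAME.
SAMPLE_ZONE = """\
; constructed sample zone for example.com.
example.com.      3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
example.com.      3600 IN NS    ns1.example.com.
example.com.      3600 IN NS    ns2.example.com.
example.com.      300  IN A     192.0.2.10
example.com.      300  IN AAAA  2001:db8::10
example.com.      300  IN MX    10 mail.example.com.
example.com.      300  IN TXT   "v=spf1 mx ip4:192.0.2.0/24 -all"
ns1.example.com.  3600 IN A     192.0.2.53
ns2.example.com.  3600 IN A     192.0.2.54
mail.example.com. 300  IN CNAME mx.example.net.
www.example.com.  300  IN CNAME example.com.
www.example.com.  300  IN TXT   "should not coexist with a CNAME"
"""

RR_LINE = re.compile(r'^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+?)\s*$')


def parse_zone(text):
    """Return [(owner, ttl, type, rdata), ...]; comments (;) and blank lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].rstrip()
        if not line:
            continue
        m = RR_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable record: {raw!r}")
        records.append((m['name'].lower(), int(m['ttl']), m['type'], m['rdata']))
    return records


def lint_zone(text, apex):
    """Return a list of human-readable findings; an empty list means the zone passed."""
    apex = apex.lower()
    by_name = defaultdict(list)
    for owner, _ttl, rtype, rdata in parse_zone(text):
        by_name[owner].append((rtype, rdata))
    findings = []

    # 1. Apex sanity: exactly one SOA, at least one NS.
    apex_types = [t for t, _ in by_name.get(apex, [])]
    if apex_types.count('SOA') != 1:
        findings.append(f"{apex}: apex must carry exactly one SOA record")
    if 'NS' not in apex_types:
        findings.append(f"{apex}: apex has no NS records")

    # 2. CNAME constraints (RFC 1034 section 3.6.2): never at the apex, never
    #    alongside other data at the same owner name.
    for owner, rrs in by_name.items():
        types = {t for t, _ in rrs}
        if 'CNAME' not in types:
            continue
        if owner == apex:
            findings.append(f"{owner}: CNAME at the zone apex is not allowed")
        others = sorted(t for t, _ in rrs if t != 'CNAME')
        if others:
            findings.append(f"{owner}: CNAME coexists with other records ({', '.join(others)})")

    # 3. MX and NS must point at names with address records, not CNAMEs (RFC 2181 section 10.3).
    for owner, rrs in by_name.items():
        for rtype, rdata in rrs:
            if rtype in ('MX', 'NS'):
                target = rdata.split()[-1].lower()
                if any(t == 'CNAME' for t, _ in by_name.get(target, [])):
                    findings.append(f"{owner}: {rtype} target {target} is a CNAME")

    # 4. SPF policy: a TXT at the apex starting with v=spf1 and ending in an "all" mechanism.
    spf = [rd.strip('"') for t, rd in by_name.get(apex, [])
           if t == 'TXT' and rd.strip('"').startswith('v=spf1')]
    if not spf:
        findings.append(f"{apex}: no SPF (v=spf1) TXT record at the apex")
    elif not re.search(r'\s[-~?+]?all$', spf[0]):
        findings.append(f"{apex}: SPF record does not end with an 'all' mechanism")
    return findings


if __name__ == '__main__':
    for finding in lint_zone(SAMPLE_ZONE, 'example.com.') or ['zone passed all checks']:
        print(finding)
```

Running the script on the sample zone reports the two planted problems (the www. CNAME sharing its name with a TXT record, and the MX target that is a CNAME); replacing the mail. CNAME with an A record and dropping the extra TXT record makes the zone pass.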

DNS security

DNSSEC

DNS confidentiality

  • Use a VPN
  • DoT — DNS over TLS (2016): TCP port 853. A firewall may block this traffic 😭
  • DoH — DNS over HTTPS (2018): hard to block as it uses TCP port 443, like all HTTPS traffic

“As both DoT and DoH are relatively new, they are not universally deployed yet. On the server side, major public resolvers including Cloudflare’s 1.1.1.1 and Google DNS support it.”
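To make the request steps and the DoH wrapping concrete, here is an added example (written for this post, not code from the original article or from any resolver operator) in Python. It builds the wire-format query a stub resolver sends, wraps it the way RFC 8484 specifies for a DoH GET request, and decodes a hand-built answer; nothing is sent over the network, the response bytes are constructed inline, and the resolver URL is a placeholder. The parser follows name-compression pointers with a hop limit, the check a real resolver must make so a malformed message cannot loop it.

```python
"""DNS query on the wire and its DoH wrapping: an added example, not code from
the original post or from any resolver vendor.

build_query() produces the 12-byte header plus one question, which is what a
stub resolver sends as the first step of a lookup. doh_get_url() wraps those
bytes the way RFC 8484 specifies for an HTTPS GET, which is why DoH looks like
any other port-443 request. parse_response() decodes an answer, following
name-compression pointers with a hop limit so a malformed message cannot loop
the parser. The response bytes are hand-built here; nothing touches the network.
"""
import base64
import struct

QTYPE = {'A': 1, 'NS': 2, 'CNAME': 5, 'SOA': 6, 'PTR': 12, 'MX': 15, 'TXT': 16, 'AAAA': 28}
DOH_RESOLVER = 'https://doh.example/dns-query'  # placeholder, not a real endpoint


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00': each label prefixed by its length."""
    out = bytearray()
    for label in name.rstrip('.').split('.'):
        if not 0 < len(label) < 64:
            raise ValueError(f'bad label {label!r}')
        out.append(len(label))
        out += label.encode('ascii')
    out.append(0)
    return bytes(out)


def build_query(name, qtype='A', txid=0):
    """Header + one question. RD=1 asks a recursive resolver to chase the answer.
    RFC 8484 suggests txid 0 for DoH so identical queries give identical, cacheable URLs."""
    flags = 0x0100  # QR=0 (query), opcode 0, RD=1
    header = struct.pack('!HHHHHH', txid, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack('!HH', QTYPE[qtype], 1)  # class IN
    return header + question


def doh_get_url(resolver_url, query):
    """RFC 8484 GET form: ?dns=<base64url(query)> with the '=' padding removed."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b'=').decode('ascii')
    return f'{resolver_url}?dns={b64}'


def read_name(msg, off, max_hops=16):
    """Decode a possibly compressed name at msg[off:]. Returns (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (top two bits set)
            hops += 1
            if hops > max_hops:
                raise ValueError('compression pointer loop')
            if end is None:
                end = off + 2                          # the caller resumes after the pointer
            off = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:                                # root label terminates the name
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode('ascii'))
        off += 1 + length
    return '.'.join(labels) + '.', (end if end is not None else off)


def parse_response(msg):
    """Return (txid, rcode, [(owner, type, ttl, rdata_bytes), ...]) from the answer section."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack('!HHHHHH', msg[:12])
    off = 12
    for _ in range(qdcount):                           # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4                                       # qtype + qclass
    answers = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10
        answers.append((owner, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return txid, flags & 0x000F, answers


def constructed_response(query):
    """Hand-built reply to build_query('example.com'): flags QR|RD|RA, the echoed
    question, and one A record whose owner is a pointer (0xC00C) back to offset 12."""
    header = struct.pack('!HHHHHH', 0, 0x8180, 1, 1, 0, 0)
    answer = b'\xc0\x0c' + struct.pack('!HHIH', QTYPE['A'], 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + query[12:] + answer


if __name__ == '__main__':
    q = build_query('example.com')
    print(doh_get_url(DOH_RESOLVER, q))
    _, rcode, answers = parse_response(constructed_response(q))
    for owner, rtype, ttl, rdata in answers:
        print(owner, rtype, ttl, '.'.join(map(str, rdata)))
```

For `www.example.com` with transaction id 0 the `dns=` parameter comes out as `AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB`, the value RFC 8484 itself uses in its GET example, which is a convenient way to confirm the encoder against the specification.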

Useful commands / tools

How to create my own DNS server?
→ use BIND (Berkeley Internet Name Domain)
It’s freely available under the BSD License.
BIND DNS servers are believed to be providing about 80 percent of all DNS services.
It supports primary and secondary name servers (aka master and slave) as well as caching.
On Ubuntu: “sudo apt-get install -y bind9”

Alternatives to BIND: “PowerDNS”, “dnsmasq” (used by PiHole), “djbdns”
Once installed, the domain name administrator has to manage the different zones.

Important DNS related files on Ubuntu
/etc/hosts = static name-to-address mappings (such as localhost → 127.0.0.1). It is consulted before DNS, so it has the highest priority.

/etc/resolv.conf = contains the list of recursive DNS resolvers (such as Google, Cloudflare or the ISP’s servers) which the system will use to make DNS queries.

Using DIG
Installing dig on Ubuntu: “sudo apt-get install dnsutils”

DIG will use the default resolver (/etc/resolv.conf)
However, it is possible to explicitly tell dig to use another one by adding “@[IP]” in any command.

dig google.com = returns the A record
dig google.com +short = shortens the output to the answer data only
dig google.com +noall +answer = controls which sections are printed (here, only the answer section)
dig google.com ANY = returns all record types the server is willing to return (many servers now answer ANY minimally, per RFC 8482)
dig google.com +trace = follows the delegation from the root servers down, listing each server queried
dig -x 172.217.14.238 = looks up the PTR (reverse) record

References

I write my own computer science “cheatsheets” and “big pictures” as posts here. I mainly do it for myself, but it may benefit others.
