How does DNS work? A big picture

Greg
4 min read, Mar 7, 2021

Plan

  • DNS Main architecture
  • DNS Requests
  • DNS Zone file records
  • DNS Security
  • Useful commands / tool

DNS Main architecture

Figure 1: DNS in a nutshell
Figure 2: The 13 root servers

Root Servers

Root ‘servers’ are operated by different organisations:

  • Verisign (x2)
  • Cogent
  • US Army Research Lab
  • RIPE NCC

The root servers are supervised by ICANN.
Useful information about these root ‘servers’ can be found here: https://root-servers.org/

TLDs?

TLDs are owned by companies / governments / universities.

  • “.fr” belongs to “Association Française pour le Nommage Internet en Coopération” (A.F.N.I.C.)
  • “.apple” belongs to the company Apple

Different types of TLDs:

  • gTLD — Generic Top-Level Domain (.com, .net, .org, …)
  • sTLD — Sponsored Top-Level Domain (.edu, .gov, .museum, …)
  • ccTLD — Country Code Top-Level Domain (.fr, .de, .cd, …)
  • Infrastructure Top-Level Domain (only .arpa)

A lot of useful information about TLDs can be found here:
https://www.iana.org/domains/root/db

Figure 3: DNS Architecture

DNS Requests

Figure 4: DNS request steps

DNS public zone records

  • A = IPv4
  • AAAA = IPv6
  • NS = identifies the authoritative DNS server for a zone (whenever changed, the registrar will have to update the parent TLD registry)
  • MX = specifies a mail server for the zone
  • CNAME (canonical name) = specifies an alias for another name (doesn’t work for root though)
  • ALIAS record (virtual DNS record type) is akin to CNAME except it accepts root (so use it when you can)
  • PTR (pointer) = a reverse DNS record, resolving an IP to a fully qualified hostname. How to use PTR? “dig -x [IP]” → it will return one of the authoritative name servers
  • SPF = email-related record that helps a domain’s outgoing mail avoid being classified as spam
  • SOA (Start of Authority) = stores information about the DNS zone and its records: TTL, Expiry, Retry, Refresh, last update time.
    Used for domain transfers.

DNS security

  • Regular DNS traffic over port 53 is plaintext, so any request you make is visible to your ISP or to anyone in a man-in-the-middle position.

DNSSEC

DNSSEC does not provide confidentiality of data, only authentication (“the information comes from the right place and has not been modified”).

DNS confidentiality

3 options:

  • Use a VPN
  • DoT — DNS over TLS (2016): TCP port 853. A firewall may block this traffic 😭
  • DoH — DNS over HTTPS (2018): hard to block as it uses the 443 TCP port

“As both DoT and DoH are relatively new, they are not universally deployed yet. On the server side, major public resolvers including Cloudflare’s 1.1.1.1 and Google DNS support it.”

Useful commands / tools

How to check the local DNS cache on a computer?
→ On Windows: “ipconfig /displaydns”
→ On Linux: depends on the distribution and resolver in use (systemd?)

How to create my own DNS server?
→ use BIND (Berkeley Internet Name Domain)
It is freely available under the BSD License.
BIND DNS servers are believed to be providing about 80 percent of all DNS services.
It includes primary and secondary name servers (aka master and slave) and caching.
On Ubuntu: “sudo apt-get install -y bind9”

Alternatives to BIND: “PowerDNS”, “dnsmasq” (used by PiHole), “djbdns”
Once installed, the domain name administrator has to manage the different zones.

Important DNS related files on Ubuntu
/etc/hosts = contains default hosts (such as localhost to 127.0.0.1). It has the highest priority.

/etc/resolv.conf = contains a list of recursive DNS resolvers (such as Google, Cloudflare, ISP servers) which will be used by the kernel to make DNS queries.

Using DIG
Installing dig on Ubuntu: “sudo apt-get install dnsutils”

dig uses the default resolver (/etc/resolv.conf).
However, you can explicitly tell dig to use another one by adding “@[IP]” to any command.

dig google.com = returns the A record
dig google.com +short = shortens the output
dig google.com +noall +answer = gives more details
dig google.com ANY = returns all records
dig google.com +trace = lists each server queried along the way
dig -x 172.217.14.238 = looks up the PTR record
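To see what “dig -x” actually puts on the wire (and why port-53 traffic is readable by anyone on the path), here is an added example that is not from the original post: it builds the in-addr.arpa name, encodes a standard query in RFC 1035 wire format, and parses a constructed PTR reply. The reply bytes and the “example.net” hostname are made up for the demonstration.

```python
import struct

TYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 28: "AAAA"}

def encode_name(name):
    """Dotted name -> DNS label sequence (RFC 1035 section 3.1)."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    """Read a name at off, following 0xC0 compression pointers; returns (name, end_offset)."""
    labels, end = [], None
    while (n := msg[off]) != 0:
        if n & 0xC0 == 0xC0:                    # pointer to a name earlier in the message
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + n].decode()); off += 1 + n
    return ".".join(labels), end or off + 1

def reverse_name(ipv4):                         # the name `dig -x` looks up
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"

def build_query(name, qtype, txid=0x1234):
    """Standard query as sent on port 53: 12-byte header (RD=1) + one question, all plaintext."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_response(msg):
    """Return (txid, rcode, [(name, type, ttl, rdata), ...]) from the answer section."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    _qname, off = decode_name(msg, 12)
    off += 4                                    # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype in (2, 5, 12):                 # NS, CNAME, PTR: rdata is a domain name
            rdata, _ = decode_name(msg, off)
        else:                                   # A: dotted quad; anything else: hex
            rdata = ".".join(str(b) for b in msg[off:off + rdlen]) if rtype == 1 else msg[off:off + rdlen].hex()
        answers.append((name, TYPES.get(rtype, rtype), ttl, rdata))
        off += rdlen
    return txid, flags & 0xF, answers

# Constructed reply (not captured traffic) to the PTR query for 172.217.14.238: flags QR|RD|RA,
# one question, one answer whose owner name is a compression pointer (0xC00C) back to the qname.
PTR_NAME = reverse_name("172.217.14.238")
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + encode_name(PTR_NAME) + struct.pack("!HH", 12, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 12, 1, 300, 13) + encode_name("example.net"))
```

Every field in `build_query` is sent unencrypted, which is exactly what DoT and DoH wrap in TLS.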

References

  • Iterative vs recursive DNS: https://www.slashroot.in/difference-between-iterative-and-recursive-dns-query
  • DNS anatomy: https://www2.cs.duke.edu/courses/fall16/compsci356/DNS/DNS-primer.pdf
  • Dig command for DNSSEC: https://www.cyberciti.biz/faq/unix-linux-test-and-validate-dnssec-using-dig-command-line/
  • DNSSEC: https://www.cloudflare.com/dns/dnssec/how-dnssec-works/
  • BIND definition: https://www.webopedia.com/definitions/berkeley-internet-name-domain/