What is DNS and how does it work?
The Domain Name System (DNS) is one of the foundations of the internet, working in the background to match the names of web sites that people type into a search box with the corresponding IP address, a long string of numbers that no one could be expected to remember.
It’s still possible for someone to type an IP address into a browser to reach a website, but most people want an internet address to consist of easy-to-remember words, called domain names. (For example, Network World.)
In the 1970s and early 80s, the task of matching domain names and IP addresses was assigned to one person – Elizabeth Feinler at Stanford Research Institute, who maintained a master list of every internet-connected computer. This was obviously unsustainable, given the rapid growth of the internet, and, in 1983, Paul Mockapetris developed DNS, an automated, scalable system that handles domain-name-to-IP-address translation.
There are currently more than 342 million registered domains, so keeping all those names in a single directory would be cumbersome. Like the internet itself, the directory is distributed around the world on domain name servers that communicate with each other on a regular basis to provide updates and eliminate redundancies.
Another reason for the creation of a distributed system is to boost performance. For example, imagine if all of the requests coming in at the same time all over the world to resolve the domain name Google with the underlying IP address were being handled in a single location. To address this issue, DNS information is shared among many servers.
That means a single domain can have more than one IP address. For example, the physical server that your laptop or smartphone reaches when you enter www.google.com is different from the server that someone in another country would reach by typing the same site name into their browser. But DNS still gets you to the right place, no matter where you are in the world.
How does DNS work? Recursive resolvers and root, top-level, and name servers
When your computer wants to find the IP address associated with a domain name, it first makes its DNS query via a DNS client, typically in a Web browser. The query then goes to a recursive DNS server, also known as a recursive resolver. A recursive resolver is typically operated by an Internet Service Providers (ISP), such as AT&T or Verizon (or some other third-party), and it knows which other DNS servers it needs to ask to resolve the name of a site with its IP address. The servers that actually have the needed information are called authoritative name servers.
DNS is organized in a hierarchy. An initial DNS query for an IP address is made to a recursive resolver. This search first leads to a root server, which has information on top-level domains (.com, .net, .org), as well as country domains. Root servers are located all around the world, so the DNS system routes the request to the closest one.
Once the request reaches the correct root server, it goes to a top-level domain server (TLD nameserver), which stores information for the second-level domain, which is the words that you type into a search box. The request then goes to a domain nameserver, which looks up the IP address and sends it back to the DNS client device so it can visit the appropriate website. All of this takes mere milliseconds.
What is DNS caching?
Chances are that you use Google several times a day. Instead of your computer querying the DNS nameserver for the IP address every time you enter the domain name, that information is saved on your personal device so that it doesn’t have to access a DNS server to resolve the name with the IP address.
Additional caching can occur on the routers used to connect clients to the internet, as well as on the servers of the user’s ISP. With so much caching going on, the number of queries that actually make it to the DNS name servers is significantly reduced, which helps with the speed and efficiency of the system.
How does the DNS numbering system work?
Every device that connects to the internet needs to have a unique IP address in order to have traffic properly routed to it. DNS translates human queries into numbers using a system known as IPv4 or IPv6. With IPv4, the numbers are 32-bit integers that are expressed in decimal notation.
The string of numbers is divided into sections, which include the network component, the host and the subnet, not dissimilar to a telephone number that might have a country code, an area code, etc. The network part of the number designates the class and category of network that is assigned to that number. The host identifies the specific machine on the network. The subnet part of the number is optional but is used to navigate the sometimes extremely large number of subnets and other partitions within a local network.
IPv6, which was created to address concerns about the internet running out of IPv4 addresses, uses 128-bit-sized numbers, compared to 32-bit numbers with IPv4. There are 340 trillion trillion possible IPv6 addresses.
Who assigns IP addresses?
In 1998, the U.S. government handed the task of assigning IP addresses over to the Internet Corporation for Assigned Numbers and Names (ICANN). The not-for-profit organization has managed that function ever since without any notable disruptions. ICANN develops policies on things like the creation of new top-level domains (such as .io).
For the most part, ICANN takes a neutral and advisory role. For example, anyone who wants to register a domain on the internet today can go to any number of ICANN-accredited registrars, which basically decentralizes the already decentralized DNS system. Once registered, new domains can populate and be reached worldwide via DNS servers in a matter of minutes.
Is DNS secure?
Cybercriminals are extremely clever when it comes to identifying vulnerabilities that can be exploited in just about any system, and DNS has certainly come in for its fair share of attacks. A 2021 IDC survey of more than 1,100 organizations in North America, Europe and Asia-Pacific, showed that 87% had experienced DNS attacks.
The average cost of each attack was around $950,000 for all regions and about $1 million for organizations in North America. The report noted that organizations across all industries averaged 7.6 attacks during the previous year.
The COVID-related shift to off-premises work and the response by companies to move resources to the cloud to make them more accessible have provided new targets for attackers, the report said.
The researchers also found a sharp rise in data theft via DNS, with 26% of organizations reporting that sensitive customer information was stolen, compared with 16% in 2020.
Common types of DNS attacks include DNS amplification, DNS spoofing or cache poisoning, DNS tunneling, and DNS hijacking or DNS re-direction.
What is DNSSec?
DNSSec is a security protocol devised by ICANN to help make communication among the various levels of servers involved in DNS lookups more secure. It addresses weaknesses in the communication between DNS top-level, second-level, and third-level directory servers that would allow hackers to hijack lookups.
This hijacking allows attackers to respond to requests for lookups to legitimate sites by directing users to a malicious site. These sites could upload malware to users or carry out phishing attacks.
DNSSec addresses this by having each level of DNS server digitally sign its requests, ensuring that requests sent by end users aren’t commandeered by attackers. This creates a chain of trust so that at each level of the lookup, the integrity of the request is validated.
DNSSec also can determine if a domain name really exists, and if it doesn’t, prevents a fraudulent domain from being delivered to innocent requesters seeking to have a domain name resolved.
What is DNS over HTTPS (DoH)?
While DNSSec addresses potential vulnerabilities within the distributed network of DNS servers, it certainly hasn’t stopped DNS-based cyberattacks that use some form of deception to inject malicious code into the DNS system.
In one of the biggest shifts in the long history of DNS, Google, Mozilla, and others are encouraging a move to DNS over HTTPS or DoH, an IETF standard that encrypts DNS requests in the same way that the HTTPS protocol already protects most web traffic.
The shift to DoH, however, is not without controversy. By encrypting DNS requests, DoH could get in the way of enterprise IT being able to monitor the web activity of employees, and parents have complained that it could block them from implementing parental controls over their children’s internet usage.
Uptake of DNS over HTTPS has been slow. On the client side, DoH comes with the latest version of Google Chrome and Mozilla Firefox, but it can be turned off by the end user. Organizations, that try to have some measure of control over which browsers and browser versions are used by employees, have the option to simply disable it. On the ISP side, many of the leading ISPS have not yet enabled DoH on their end.
How to find my DNS server
Generally speaking, the DNS server that you use will be established automatically by your ISP when you connect to the internet. If you want to see which servers are your primary name servers, there are web utilities that can provide information about your current network connection, such as browserleaks.com.
While your ISP will set a default DNS server, you’re under no obligation to use it. Some users may have reason to avoid their ISP’s DNS, for example, if the ISP uses their DNS servers to redirect requests for nonexistent addresses to pages with advertising.
As an alternative, you can point your computer to a public DNS server that will act as a recursive resolver. One of the most prominent public DNS servers is Google’s. The IP address is 8.8.8.8.
Copyright © 2022 IDG Communications, Inc.