DNS Security & Vulnerabilities: Part 1 — The basics of DNS and how it works

DNS is all around us. We use it every day, even when we don't realize it, and it has become the foundation of everything we do online.

DNS was created back in the 1980s, before security was a design consideration, with one purpose: to make reaching a location easier by letting people remember a phrase of words instead of a string of random numbers.

To this day, DNS is the 2nd most widely used protocol after HTTP/S, and over the past several years the number and variety of attacks that target or abuse DNS have skyrocketed. A simple search on GitHub brings back many tools and techniques for abusing the DNS protocol.

DNS is also complex and always changing. If you compare its features at the start with those of today, you will see that they have evolved constantly.

With that said, let's move on to some terminology: URL vs. domain name, how they differ, and what a domain name actually means.

What is a URL or URI? Both URLs and URIs follow the same specification, RFC 3986. The difference is that a URL lets you locate a resource, while a URI simply identifies one. A URI is therefore not necessarily an address you can use to fetch a resource; it is just an identifier.

DNS, or the Domain Name System, translates human-readable domain names into IP addresses. The figure below shows the full anatomy of a URL. A URL/URI has a /path/ component associated with it, while a domain name does not.


Another term to remember is FQDN, which stands for Fully Qualified Domain Name. This is the complete name of a host, from the host label all the way up to the root, and it is unique in nature.

DNS also operates with a trailing dot (.) at the end of the domain name. If you ever work with an actual domain name server such as BIND, seeing a dot (.) at the end of a domain is normal: the dot represents the root zone, and it is how you mark the end of the name. You can also expect to see it in logs and other sources that contain domain names.


Finally, there are some key components of the Domain Name System (DNS). Understanding what each one is and how it works will help you when dealing with cyber threats.

Authoritative Servers

Authoritative DNS servers are the last place a DNS query is sent. They store the most up-to-date information about domains and their associated IP addresses. Authoritative servers provide the final answer to DNS queries, such as the IP address of a mail server or website. They are like directories for web addresses.

Recursive Resolvers

Recursive DNS servers, or recursive resolvers, are the DNS servers that respond to users' DNS queries. When a user types a website name into a browser, the request is sent to a recursive resolver. The recursive resolver may answer from cached data, or it may discover the answer by querying the authoritative DNS servers for the records that map the domain name to its IP address.

Recursive DNS is used by every device or system that accesses the internet. When a user types a website name into a browser, performs a web search, or attempts to access an internet-based application, the request is sent from the user’s machine to a recursive resolver.

Recursive DNS is different from iterative DNS, where the client communicates directly with each DNS server involved in the lookup.

Resource Records

A resource record (RR) is a DNS data record that maps a domain name to data such as an IP address. RRs are the building blocks of host-name and IP information and are used to answer every DNS query. They are stored in zone files, which are plain text files written in zone-file syntax.

RRs are used to answer DNS client queries. They carry the information about a domain that a client needs, such as its IP address, the servers that handle its email, and other related data, and they tell the resolver how to handle the request.

RRs come in a variety of types to provide extended name-resolution services. Some common types include:

  • Integrated Services Digital Network records (ISDN)
  • IP Version 6 Address records (AAAA)
  • Location records (LOC)
  • Mail Exchanger records (MX)

Namespaces

The DNS namespace is the set of all domain names registered in the Domain Name System (DNS). The DNS namespace is organized into a tree-like structure with a unique root and many sub-trees. The root domain is at the top of the tree and is designated by a period or dot. Below the root domain are a number of top-level domains, such as .com and .net.

A DNS zone is a portion of the DNS namespace that is managed by a specific organization or administrator. For example, a company could operate truv.is, truvis.cat and truvis.local, and its namespace would consist of all three domains.

Stub Resolvers

A DNS stub resolver is the component of DNS that acts as an intermediary between applications and a recursive DNS resolver. Stub resolvers live on devices, hosts, or computers and handle DNS queries for the operating system. They are like a lift operator: they take you where you need to go without doing the resolution work themselves.

Stub resolvers can be either a library or a small DNS server. They do not know how to resolve DNS names themselves; they just forward DNS queries to the "real" recursive resolver.

The example below shows the complete process of a domain being resolved from an endpoint.
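As an added illustration (not code from the article), the following toy model walks the chain described above: a stub resolver turns the name into an FQDN with the trailing dot, and a recursive resolver iterates from the root through the TLD server to the authoritative server, caching what it learns. The zone data, server names, record contents and addresses (RFC 5737 and RFC 3849 documentation ranges) are constructed for the example.

```python
# Constructed example: toy model of stub -> recursive -> root -> TLD ->
# authoritative resolution. Server names, RRs and addresses are made up;
# real resolution uses DNS messages over port 53 and many more checks.
# Each "server" holds the RRs it is authoritative for, keyed by (owner, type),
# plus referrals: delegated child zone -> its name server. Owners keep the
# trailing dot, exactly as in a BIND zone file.
SERVERS = {
    "root": {"referrals": {"is.": "tld-is", "cat.": "tld-cat"}, "records": {}},
    "tld-is": {"referrals": {"truv.is.": "ns1.truv.is."}, "records": {}},
    "tld-cat": {"referrals": {"truvis.cat.": "ns1.truvis.cat."}, "records": {}},
    "ns1.truv.is.": {"referrals": {}, "records": {
        ("www.truv.is.", "A"): "192.0.2.10",
        ("truv.is.", "MX"): "10 mail.truv.is.",
        ("mail.truv.is.", "A"): "192.0.2.25"}},
    "ns1.truvis.cat.": {"referrals": {}, "records": {
        ("truvis.cat.", "AAAA"): "2001:db8::1"}},
}

CACHE = {}  # recursive resolver cache, keyed by (owner, type)

def ask_server(server, name, rtype):
    """Authoritative side: answer, refer to the closest delegation, or NXDOMAIN."""
    zone = SERVERS[server]
    if (name, rtype) in zone["records"]:
        return "answer", zone["records"][(name, rtype)]
    # Longest matching delegation wins, e.g. "truv.is." before "is.".
    for child, ns in sorted(zone["referrals"].items(), key=lambda kv: -len(kv[0])):
        if name == child or name.endswith("." + child):
            return "referral", ns
    return "nxdomain", None

def recursive_resolve(name, rtype, max_hops=10):
    """Recursive resolver: serve from cache or iterate from the root.
    Returns (rdata or None, list of servers contacted in order)."""
    if (name, rtype) in CACHE:
        return CACHE[(name, rtype)], []
    contacted, server = [], "root"
    for _ in range(max_hops):  # hop limit guards against referral loops
        contacted.append(server)
        kind, payload = ask_server(server, name, rtype)
        if kind != "referral":
            if kind == "answer":
                CACHE[(name, rtype)] = payload  # negative answers not cached here
            return payload, contacted
        server = payload  # follow the delegation one level down
    return None, contacted

def stub_resolve(name, rtype="A"):
    """Stub resolver: make the name an FQDN (trailing dot) and forward it."""
    fqdn = name.lower() if name.endswith(".") else name.lower() + "."
    return recursive_resolve(fqdn, rtype)
```

The second lookup of the same name returns an empty contact list, which is the cache doing the work the article attributes to the recursive resolver.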



In the next part, we will talk about how Malware uses DNS.

