Domain Name System, Simplified!

The Internet is now an unnoticed yet obvious part of our digital presence: everything that is connected and must be found is found via DNS, the Domain Name System. It is a massive, decentralized and distributed naming service running around the globe in a hierarchical topology, helping every connected web-hosted service get identified and thus reached over an IP network. Think of DNS as an index that is kept up to date in real time and serves millions and millions of requests in a fraction of a second. The Internet, as we know it, is a connected web that knows all connected entities by unique IP addresses, yet we humans remember websites and web services by names such as www.xyz.com. A service that translates these names to IP addresses, maintains these relationship records in searchable order and keeps the Internet running in “Always On” mode is vital; that service is DNS, and the records that run the DNS are called the registry or directory. These records are distributed across multiple DNS servers, which keep communicating with each other regularly for updates and searchability.

DNS evolved from a single source of truth: in the 1970s, in the ARPANET era, host entries on computers were collated manually as a Host Naming Registry. Subsequently the Internet Engineering Task Force published the original specifications in RFC 882 and RFC 883 in November 1983, when Paul Mockapetris proposed the DNS architecture and wrote the first DNS implementation (then called "Jeeves") for the TOPS-20 operating system running on mainframe computers. Later it was written and used as the first Unix name server implementation, the Berkeley Internet Name Domain, commonly referred to as BIND; finally, in 1997, it became a mainstream DNS protocol via several RFCs as a standard specification.

How does it work?

The Internet is a vast collection of connected entities, i.e. websites, web-based applications, search engines, smart devices, sensors and the whole array of infrastructure and digital services that keep the Internet running. Most of these entities require ‘searchability’, and DNS plays a very important role here. Here is a broader understanding of the way it works.

  1. Your browser is the DNS client. When you need to reach a particular page, site or application, your browser does what is called a DNS lookup. This is called a forward lookup: you know the name but not the IP address needed to establish a session.
  2. As a first step the browser checks its local cache, in case you have visited the same address recently and records were created for it; otherwise it goes to the operating system and checks the hosts file for the entry. Typically hosts files are updated with known entries for frequently used addresses of certain applications. Both these activities are local to the system or device from which you are trying to access the particular address, i.e. page, site or application.
  3. If the browser is still not able to resolve the address, it forwards the query to the Local DNS. This is a default entry for all local area networks as part of the network your system belongs to; the Local DNS is a service running either on a dedicated server or as part of the management network alongside other services such as Active Directory or LDAP. The Local DNS checks its cache for the entry and, if found, returns the address to the browser; else it forwards the query to the Resolving Name Servers or DNS Resolvers as a recursive query, a query used to search hierarchical information, since DNS records consist of multiple hierarchies such as domains and sub-domains, and thus the browser must keep using recursive steps until it gets the particular address resolved.
  4. The DNS Resolver then checks its cache for an entry and, if not found, refers to the Root Name Server for that zone. The DNS resolver may be external to your network and running as part of the larger distributed DNS system, and the Root Name Server is a predesignated service running as part of the zone that your browser belongs to, a logical grouping of internet entities, typically geographically mapped.
  5. The Root Name Server parses the query, gets the domain extension and responds with the IP address of the Top Level Domain server (read, TLD) holding that respective domain, such as dot com or dot edu. This is where the buck stops when it comes to the highest level of domain name entry: it knows all the domains listed under its zone for the particular domain extension.
  6. Top Level Domain (TLD) servers are maintained under the Internet Corporation for Assigned Names and Numbers (ICANN), which looks after most top-level domains. It operates the Internet Assigned Numbers Authority (IANA) and is responsible for maintaining the DNS root zone. Once the query reaches the TLD server, it points the query to the right Authoritative Name Server (read, NS server) holding the record of that particular domain, typically maintained by the domain registrars who are the owner of record in the Registry. The NS server returns the right IP address as the return value for this recursive query.
  7. Once the exact IP address is returned to the browser, it sends a session request to the application or web server of that web site, henceforth communicating directly with that destination IP address.
  8. While the process consists of multiple steps and back-and-forth communication, it happens in a fraction of a second, since the entire DNS system is distributed and remembers the most popular addresses and top-level domains in their respective caches. The next query originating from your own network will be faster, since the local DNS cache will hold the entry and pass it on without repeating the entire process.
  9. On the other hand, if your browser is searching for a non-existent domain, the query is returned with an NXDOMAIN (host not found) response.
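The walk described in steps 3 to 9 above, as an added example that is not code from the original article: a small Go simulation with constructed root, TLD and authoritative servers, a resolver cache that answers repeat queries locally, and the NXDOMAIN case. The server names, zone contents and the address 192.0.2.10 are all made up for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)
// Constructed toy zones standing in for the real root, TLD and authoritative servers.
// records: names a server answers itself; referrals: zone suffix -> next server down.
type server struct{ records, referrals map[string]string }
var servers = map[string]server{
	"root":       {referrals: map[string]string{"com": "tld-com"}},
	"tld-com":    {referrals: map[string]string{"xyz.com": "ns.xyz.com"}},
	"ns.xyz.com": {records: map[string]string{"www.xyz.com": "192.0.2.10"}},
}
var ErrNXDomain = errors.New("NXDOMAIN: host not found")
// Resolver keeps the cache that is consulted before any server is asked (steps 3, 8).
type Resolver struct{ Cache map[string]string }
// Lookup returns the address for name and the servers consulted, in order.
func (r *Resolver) Lookup(name string) (string, []string, error) {
	if ip, ok := r.Cache[name]; ok { // answer remembered from an earlier query
		return ip, []string{"cache"}, nil
	}
	var path []string
	for cur := "root"; ; { // walk root -> TLD -> authoritative (steps 4 to 6)
		path = append(path, cur)
		s := servers[cur]
		if ip, ok := s.records[name]; ok {
			r.Cache[name] = ip // so the next query for this name stays local
			return ip, path, nil
		}
		next := ""
		for suffix, srv := range s.referrals { // follow the delegation covering name
			if name == suffix || strings.HasSuffix(name, "."+suffix) {
				next = srv
			}
		}
		if next == "" { // nobody below knows the name (step 9)
			return "", path, ErrNXDomain
		}
		cur = next
	}
}

func main() {
	r := &Resolver{Cache: map[string]string{}}
	fmt.Println(r.Lookup("www.xyz.com"))  // walks root, tld-com, ns.xyz.com
	fmt.Println(r.Lookup("www.xyz.com"))  // second time answered from the cache
	fmt.Println(r.Lookup("nope.xyz.com")) // authoritative server has no record: NXDOMAIN
}
```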


Need for Secure DNS

Having understood the working of DNS, we can observe that none of the recursive queries are encrypted or designed with security and privacy in mind: any resourceful intermediary can intercept or redirect your browser’s DNS requests and respond with false information. This is typically what we witness when we search for unknown domains and pages pop up redirecting us to domain registries etc. There are a few more serious vulnerabilities, commonly known as DNS exploits, such as DNS hijacking, man-in-the-middle attacks and DNS cache poisoning, which are getting prevalent. Attackers redirect genuine requests to fake sites that collect sensitive user information and exploit it for unlawful purposes, or poison the DNS cache with incorrect entries to redirect traffic to unwarranted sites. These DNS vulnerabilities, the so-called exploits, can be used in various ways by attackers.


The IETF, the Internet Engineering Task Force, in the 1997 to 1999 timeframe conceptualized secure DNS authentication via RFC 2535 as the Domain Name System Security Extensions (DNSSEC), a suite of extension specifications for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. Using this protocol, all answers from DNSSEC-protected zones are digitally signed. By validating the digital signature, a DNS resolver is able to check whether the information is identical (i.e. unmodified and complete) to the information published by the zone owner and served on an authoritative DNS server, enabling cryptographic authentication of data, authenticated denial of existence, and data integrity. As mentioned by ICANN, DNSSEC adds two important features to the DNS protocol:

  • Data origin authentication allows a resolver to cryptographically verify that the data it received actually came from the zone where it believes the data originated.
  • Data integrity protection allows the resolver to know that the data hasn't been modified in transit since it was originally signed by the zone owner with the zone's private key.
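The two features above, shown with an added Go example that is not from the article or from any DNS software: the zone owner signs a record set with the zone's private key, and a validating resolver checks it with the zone's public key, so an answer altered in transit fails validation. It uses Ed25519 (a real DNSSEC signing algorithm) but a simplified canonical form and none of the RRSIG metadata such as validity period or key tag that real DNSSEC carries; the key pair, names and addresses are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RRset is a group of records with the same owner name and type; DNSSEC signs
// the set as a whole, not each record on its own.
type RRset struct {
	Name, Type string
	Data       []string
}

// canonical builds the bytes that get signed: owner, type and the records in
// sorted order, so signer and validator serialise the set identically.
// (Simplified stand-in for the RFC 4034 canonical wire form.)
func canonical(rr RRset) []byte {
	data := append([]string(nil), rr.Data...)
	sort.Strings(data)
	return []byte(rr.Name + "|" + rr.Type + "|" + strings.Join(data, ","))
}

// Sign is what the zone owner does with the zone's private key (a simplified RRSIG).
func Sign(priv ed25519.PrivateKey, rr RRset) []byte {
	return ed25519.Sign(priv, canonical(rr))
}

// Validate is what a validating resolver does with the zone's public key (DNSKEY):
// a good signature proves origin (the zone owner) and integrity (nothing altered).
func Validate(pub ed25519.PublicKey, rr RRset, sig []byte) bool {
	return ed25519.Verify(pub, canonical(rr), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed zone key pair
	if err != nil {
		panic(err)
	}
	set := RRset{Name: "www.xyz.com.", Type: "A", Data: []string{"192.0.2.10"}}
	sig := Sign(priv, set)
	fmt.Println("genuine answer validates:", Validate(pub, set, sig))
	forged := set // an on-path party swaps the address (constructed) but cannot re-sign it
	forged.Data = []string{"203.0.113.66"}
	fmt.Println("tampered answer validates:", Validate(pub, forged, sig))
}
```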

Further, DNS-based Authentication of Named Entities (DANE) allows the publication of Transport Layer Security (TLS) keys in zones for applications such as mail transport. DANE provides a way to verify the authenticity of public keys that does not rely on certificate authorities, taking the next step towards secure DNS. Other approaches are being practised too, such as DNS over HTTPS (DoH), which intends to increase user privacy and security by preventing eavesdropping on and manipulation of DNS data, and DNS over TLS (DoT), which encrypts and wraps Domain Name System (DNS) queries and answers in the Transport Layer Security (TLS) protocol; the merits of either depend on the specific use case. In 2017 there were ideas around DoQ (DNS over QUIC), a new standard being drafted for the DNS protocol that takes advantage of the QUIC transport layer protocol for transmitting DNS requests, and the list goes on.

In summary, as the Internet grows and we set forth on the transition from IPv4 to IPv6, the role of DNS will remain as important as it was, and DNS keeps evolving to ensure data integrity and authenticity. By the nature of the queries and the information involved, it is evident that there is no charity in operating a free DNS service: the queries and responses are collected, packaged, analysed and profiled as the first free bytes of data easily available, and the operators share in the pie of value.

A few governments, like the EU, have taken notice of these issues and are building their own recursive DNS service that will be made available to EU institutions and the general public for free, with built-in filtering capabilities to block DNS name resolution for malware, phishing sites or other cybersecurity threats. While numerous innovations and ideas are being tested and deployed to make DNS more secure and trustworthy, with the growing use of DNS it will not be long before the right solution gets widely adopted and incorporated in principle to uphold data privacy and information security, isn’t it?

***

Jan 2022. Compilation from various publicly available internet sources, authors views are personal.

#DNS #Rootservers #DNSSEC #DANE #NameServers #DoH
