A look at the concept of DNS: why DNS servers matter on the internet, how a DNS server works, and finally the DNS security extensions known as DNSSEC.
Image source – sutilweb.com
Have you ever wondered how you can open a website simply by entering its name in your web browser? Can you imagine how difficult it would be if, instead, you had to memorize a sequence of numbers to open each website?
Every website on the internet is identified by a sequence of numbers called an IP address, and remembering the IP address of every website would be quite tedious. This is where the DNS, or Domain Name System, comes into play to improve our internet browsing experience.
In this article, I shall explain what DNS is, how it works, and how it makes day-to-day use of the internet much easier.
How do you use the internet? You open a web browser such as Firefox or Safari, type in the website you want to visit, and hit Enter. Right?
You never need to enter the IP address of the website you want to access or any other complicated numbers. This is made possible by the Domain Name System, or DNS, which maps such website names to their respective IP addresses.
Image source – kinsta.com
Every resource on the internet, be it a website, a service, or a server, has a specific address known as an IP address. Without DNS, users would have to remember these IP addresses, which is quite tedious given the enormous number of websites and other resources on the internet.
The Domain Name System (DNS) makes it possible to access such internet resources by assigning them domain names that a user can easily memorize.
The DNS then translates the domain name into its IP address through a process known as DNS lookup. That IP address is then used to reach the internet servers that hold the resource.
For example, if you enter www.facebook.com into the address bar of your web browser, DNS converts this into the IP address 69.63.176.13, which then takes you to the Facebook website.
DNS was introduced in 1983 by Paul Mockapetris as a replacement for the HOSTS.txt file, which had been used for mapping between hostnames and addresses. In his paper, Mockapetris points out various issues with using the HOSTS.txt file for such mapping.
The DNS system is a globally distributed database that uses Domain Name Servers, or DNS servers, to map names to network locations. Its hierarchical design and aggressive use of caching make DNS far more scalable than its predecessor, the HOSTS.txt file.
It allows updates to be distributed globally at low cost and does away with the ever-growing file, since the data is no longer stored locally in one place.
Image source – geeksforgeeks.org
A DNS recursive resolver is the first DNS server to which a DNS lookup query is sent for resolution. The recursive resolver is usually a caching DNS server that stores frequently accessed domain names along with their IP address mappings in its cache.
A DNS recursive resolver is usually operated by the user's local Internet Service Provider, or ISP. DNS queries from the network are automatically directed to the recursive resolver.
A root nameserver is the root of the DNS hierarchy and stores references to the other nameservers to which queries are forwarded. It also holds the list of Top-Level Domain (TLD) nameservers and authoritative nameservers that it can point resolvers to for the different stages of query resolution.
There are 13 root nameservers in total, named a.root-servers.net through m.root-servers.net. Each of them has multiple copies around the globe, hosted on different DNS servers.
The Top-Level Domain, or TLD, nameserver stores information about the addresses under a single top-level domain such as .com, .edu, .org, and so on. For example, the .com TLD nameserver has information about websites ending in .com.
The authoritative DNS nameserver is, simply put, the source of truth for DNS records. It stores the DNS resolution records for the websites it is responsible for, mapping their domain names to IP addresses.
The authoritative nameserver stores the definitive versions of the DNS records for its zone, beginning with the start-of-authority, or SOA, record. These records are then used and cached by other DNS servers for the domain.
A DNS server, at its core, takes a domain name entered by a user and converts it into the corresponding IP address. Sounds simple? However, a DNS server does much more than that.
This includes storing databases that map domain names to their IPs, maintaining caches of frequently accessed resources, and distributing domain-specific information across different servers.
As an example, let us look at how a DNS server resolves a domain name into an IP address. The domain name used here is www.facebook.com, whose IP address 69.63.176.13 is needed to access the website.
Image source – appneta.com
The process for the domain name resolution is as described below:
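Every step of that resolution exchanges messages in the fixed wire format of RFC 1035, so here is an added example in Go (written for this article, not code from the original) that builds the query a stub resolver sends for www.facebook.com and parses a constructed response carrying the 69.63.176.13 answer quoted above. The response bytes are sample data assembled by hand, and the names BuildQuery, ParseResponse, readName and ConstructedResponse are this example's own. It also performs the checks a resolver should make before it trusts an answer: the transaction ID must match the query, the QR bit must be set, the RCODE must be zero, and a name-compression pointer that loops is rejected rather than followed forever.

```go
package main

import (
	"encoding/binary"
	"errors"
	"strings"
)

// RFC 1035 constants: fixed header size, cap on compression-pointer hops per name, A record type, Internet class.
const headerLen, maxJumps, typeA, classIN = 12, 16, 1, 1

// Answer is one resource record from the answer section of a response.
type Answer struct {
	Name  string
	Type  uint16
	TTL   uint32
	RData []byte // for an A record: the four bytes of the IPv4 address
}

// encodeName turns "www.facebook.com" into the wire form 3www8facebook3com0.
func encodeName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		out = append(append(out, byte(len(label))), label...)
	}
	return append(out, 0)
}

// BuildQuery is what a stub resolver sends: a header with RD (recursion desired) set and one A question.
func BuildQuery(id uint16, name string) []byte {
	msg := []byte{byte(id >> 8), byte(id), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0} // flags RD=1, QDCOUNT=1
	msg = append(msg, encodeName(name)...)
	return append(msg, 0, typeA, 0, classIN)
}

// readName decodes a possibly compressed name at off and returns it with the offset just past it; depth bounds the pointer chain.
func readName(msg []byte, off, depth int) (string, int, error) {
	var labels []string
	for off < len(msg) && depth <= maxJumps {
		l := int(msg[off])
		if l == 0 { // root label ends the name
			return strings.Join(labels, "."), off + 1, nil
		}
		if l&0xC0 == 0xC0 && off+1 < len(msg) { // pointer: the rest of the name lives at another offset
			tail, _, err := readName(msg, int(binary.BigEndian.Uint16(msg[off:])&0x3FFF), depth+1)
			if err != nil {
				return "", 0, err
			}
			return strings.TrimSuffix(strings.Join(append(labels, tail), "."), "."), off + 2, nil
		}
		if off+1+l > len(msg) {
			break
		}
		labels = append(labels, string(msg[off+1:off+1+l]))
		off += 1 + l
	}
	return "", 0, errors.New("name runs past end of message or compression pointers loop")
}

// ParseResponse makes the checks a resolver must make before trusting a reply (ID match, QR set, RCODE zero) and returns the answers.
func ParseResponse(msg []byte, wantID uint16) ([]Answer, error) {
	if len(msg) < headerLen || binary.BigEndian.Uint16(msg) != wantID {
		return nil, errors.New("message too short or transaction ID does not match the query")
	}
	if flags := binary.BigEndian.Uint16(msg[2:]); flags&0x8000 == 0 || flags&0x000F != 0 {
		return nil, errors.New("not a successful response (QR clear or RCODE non-zero)")
	}
	qd, an, off := int(binary.BigEndian.Uint16(msg[4:])), int(binary.BigEndian.Uint16(msg[6:])), headerLen
	var answers []Answer
	for i := 0; i < qd+an; i++ {
		name, next, err := readName(msg, off, 0)
		if err != nil {
			return nil, err
		}
		if i < qd { // echoed question: skip QTYPE and QCLASS
			off = next + 4
			continue
		}
		if off = next; off+10 > len(msg) {
			return nil, errors.New("truncated resource record header")
		}
		rtype, ttl, rdlen := binary.BigEndian.Uint16(msg[off:]), binary.BigEndian.Uint32(msg[off+4:]), int(binary.BigEndian.Uint16(msg[off+8:]))
		if off += 10; off+rdlen > len(msg) {
			return nil, errors.New("RDLENGTH exceeds message")
		}
		answers = append(answers, Answer{name, rtype, ttl, msg[off : off+rdlen]})
		off += rdlen
	}
	return answers, nil
}

// ConstructedResponse is a hand-assembled reply to BuildQuery(0x1234, "www.facebook.com") carrying
// the address quoted in the article: sample data written for this example, not a captured packet.
var ConstructedResponse = []byte{
	0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0, // ID 0x1234; flags QR=1 RD=1 RA=1 RCODE=0; QD=1 AN=1 NS=0 AR=0
	3, 'w', 'w', 'w', 8, 'f', 'a', 'c', 'e', 'b', 'o', 'o', 'k', 3, 'c', 'o', 'm', 0, 0, 1, 0, 1, // question: name, A, IN
	0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0x0E, 0x10, 0, 4, // answer: pointer to offset 12, A, IN, TTL 3600, RDLENGTH 4
	69, 63, 176, 13, // RDATA: 69.63.176.13
}
```

Running ParseResponse over ConstructedResponse with the query ID 0x1234 yields one answer, www.facebook.com with TTL 3600 and RDATA 69.63.176.13; the very same bytes presented with a different ID, a query (QR clear) offered as a response, or a question name whose compression pointer refers to itself are all rejected with an error instead of being accepted or hanging the parser.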
It is impossible to write an article about the DNS system without mentioning its security. DNS was designed without security in mind, and the system has a lot of flaws and limitations.
These vulnerabilities allow attackers to take advantage of the system to harm and exploit various servers. A few common DNS attacks are listed below.
Image source – imperva.com
Image source – paloaltonetworks.com
Image source – github.com
Such attacks are why we need a DNS security system, which is where DNSSEC, or Domain Name System Security Extensions, comes in. DNSSEC is a set of protocol extensions that add cryptographic authentication to DNS server communication.
DNSSEC has already been adopted by many higher-level organizations for the top-level DNS servers, such as the authoritative nameservers and most TLD nameservers. Adoption in local recursive resolvers is still in progress and has quite a lot of ground to cover.
Image source – efficientip.com
DNSSEC uses public-key cryptography to attach digital signatures to the DNS data at each level involved in the DNS lookup process. If I can confirm that the response I received from the recursive resolver or nameserver is authentic, I can be sure that no attacker has interfered with my access to the internet.
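To make concrete what those signatures cover, here is an added example in Go (my code, not the article's and not any DNSSEC implementation's) of the core of RRSIG signing and validation for algorithm 13, ECDSA P-256 with SHA-256: the zone signs the canonical form of a record set together with the RRSIG fields, and a validating resolver rebuilds that exact byte string from the records it actually received and checks the signature against the zone's public key. The record www.example.com A 192.0.2.1, the signer name example.com and the key tag 4242 used with it are constructed sample values; a real validator also fetches the DNSKEY, chains it to a DS record in the parent zone and computes the key tag, which this example leaves out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"math/big"
	"strings"
	"time"
)

// RR is one record of the RRset being signed; only the fields that enter the signature are kept.
type RR struct {
	Name  string
	Type  uint16
	TTL   uint32
	RData []byte
}

// RRSIGFixed holds the fixed-width RDATA fields of an RRSIG record (RFC 4034 section 3.1) in wire order.
type RRSIGFixed struct {
	TypeCovered uint16
	Algorithm   uint8 // 13 = ECDSA P-256 with SHA-256 (RFC 6605)
	Labels      uint8
	OrigTTL     uint32
	Expiration  uint32 // seconds since the Unix epoch
	Inception   uint32
	KeyTag      uint16
}

// RRSIG is the complete RRSIG RDATA: fixed fields, signer's name, and the signature (r || s, 32 bytes each).
type RRSIG struct {
	RRSIGFixed
	SignerName string
	Signature  []byte
}

// NewZoneKey generates the zone's signing key; its public half is what the zone publishes in a DNSKEY record.
func NewZoneKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// canonicalName encodes an owner name in DNSSEC canonical form: lower case, uncompressed labels.
func canonicalName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		out = append(append(out, byte(len(label))), label...)
	}
	return append(out, 0)
}

// signedData is the byte string DNSSEC signs (RFC 4034 section 3.1.8.1): RRSIG RDATA minus the signature, then each RR in canonical form.
func signedData(sig RRSIG, rrs []RR) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, sig.RRSIGFixed)
	buf.Write(canonicalName(sig.SignerName))
	for _, rr := range rrs { // rrs must already be in canonical order (sorted by RDATA)
		buf.Write(canonicalName(rr.Name))
		binary.Write(&buf, binary.BigEndian, []uint16{rr.Type, 1}) // type, class IN
		binary.Write(&buf, binary.BigEndian, sig.OrigTTL)            // the RR's TTL is replaced by the RRSIG's original TTL
		binary.Write(&buf, binary.BigEndian, uint16(len(rr.RData)))
		buf.Write(rr.RData)
	}
	return buf.Bytes()
}

// Sign is the zone owner's side: produce the RRSIG for a non-empty RRset under the zone's private key.
func Sign(key *ecdsa.PrivateKey, rrs []RR, signer string, keyTag uint16, inception, expiration time.Time) (RRSIG, error) {
	sig := RRSIG{SignerName: signer, RRSIGFixed: RRSIGFixed{
		TypeCovered: rrs[0].Type, Algorithm: 13, OrigTTL: rrs[0].TTL, KeyTag: keyTag,
		Labels:     uint8(strings.Count(strings.TrimSuffix(rrs[0].Name, "."), ".") + 1),
		Inception:  uint32(inception.Unix()), Expiration: uint32(expiration.Unix()),
	}}
	h := sha256.Sum256(signedData(sig, rrs))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil {
		return RRSIG{}, err
	}
	sig.Signature = append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return sig, nil
}

// Verify is the validating resolver's side: check the validity window, rebuild the signed data from the received records, check the signature.
func Verify(pub *ecdsa.PublicKey, sig RRSIG, rrs []RR, now time.Time) error {
	if t := uint32(now.Unix()); t < sig.Inception || t > sig.Expiration {
		return errors.New("RRSIG is outside its validity window")
	}
	if sig.Algorithm != 13 || len(sig.Signature) != 64 {
		return errors.New("unsupported algorithm or malformed signature")
	}
	h := sha256.Sum256(signedData(sig, rrs))
	r, s := new(big.Int).SetBytes(sig.Signature[:32]), new(big.Int).SetBytes(sig.Signature[32:])
	if !ecdsa.Verify(pub, h[:], r, s) {
		return errors.New("signature does not match the RRset: records altered or wrong key")
	}
	return nil
}
```

The flow is NewZoneKey, then Sign over the RRset with an inception and expiration time, then Verify at the resolver with the records it received and the current time. Changing a single byte of the A record's RDATA, presenting the RRSIG outside its validity window, or verifying under a different zone's key all return an error, while an owner name in different letter case still verifies because the canonical form lower-cases it; that is exactly the property the article relies on when it says an authentic response proves nobody interfered with the answer.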
Furthermore, DNS firewalls can also act as rate limiters to prevent DoS attacks. The combination of DNSSEC and such DNS firewalls effectively prevents all DNS attacks, making the entire system more secure.
The DNS is a critical system for all forms of resource access on the internet, whether you are opening a website or remotely connecting to an internet-enabled device that you own. Without DNS, every user would have to memorize the IP addresses of all these resources.
In this article, we explored the question “What is DNS?”, looked at how it works, and concluded with the security of the DNS system.
If you enjoyed reading this article, or have any suggestions, consider leaving a comment below to let us know!