Presented by
Venkatesh Jambulingam
Cloud Security Expert
27-Jun-2021
Domain Name System
| 27-Jun-2021 | Venkatesh Jambulingam |

Contents
▶DNS Introduction
▶DNS Hierarchy
▶DNS Resolution Process
▶DNS Components
▶DNS Types
▶DNSSEC
▶DNS over TLS (DoT) & HTTPS (DoH)
▶Oblivious DNS (ODoH)

DNS Introduction
▶The Domain Name System (DNS) is special software running on a server that contains a mapping of hostnames / server names to their associated IP addresses.
▶It is very similar to a phone book or telephone directory. Technically, DNS can be considered an address book stored in key-value format.
▶DNS translates domain names to IP addresses so that browsers / apps can load internet / intranet resources.
▶DNS servers run special software and communicate with each other using special protocols to resolve a name.
▶DNS has been designed to use both UDP and TCP port 53 from the start, with UDP being the default and TCP the fallback.
Image Credit: Cloudflare

DNS Hierarchy
Root Servers
▶There are 13 root name servers, operated by 13 independent organizations using the anycast routing method; these root name servers are governed by ICANN.
▶A root server accepts a recursive resolver's query and responds by directing it to a TLD nameserver, based on the extension of that domain.
TLD Servers
▶A TLD nameserver maintains information for all the domain names ending with its domain extension. These are operated by the respective TLD name sponsor & TLD registry.
▶Generic top-level domain (gTLD: .com, .net), country code top-level domain (ccTLD: .in, .uk, .jp)
Authoritative Name Servers (ANS)
▶Contains information specific to the domain name it serves
▶Provides the IP address of the domain found in the DNS A record
▶Provides an alias domain if the domain has a CNAME record
Recursive Resolver
▶It is the first stop in a DNS query and acts as a middleman between a client and a DNS nameserver. It is also known as a DNS recursor.
▶If it receives a domain alias from the ANS, it will initiate a recursive DNS query for the new domain.

DNS Resolution Process
1. Client to DNS Resolver (1.1.1.1, 8.8.8.8): What is the IP address of www.google.com?
2. DNS Resolver to DNS Root Servers: What is the IP address of .COM TLD name server?
3. DNS Root Servers to DNS Resolver: IP address of .COM TLD name server is x.x.x.x
4. DNS Resolver to TLD Name Servers (x.x.x.x): What is the IP address of ANS of google.com?
5. TLD Name Servers to DNS Resolver: IP address of ANS of google.com is y.y.y.y
6. DNS Resolver to Authoritative Name Servers (y.y.y.y): What is the IP address of google.com?
7. Authoritative Name Servers to DNS Resolver: IP address of google.com is z.z.z.z
8. DNS Resolver to Client: IP address of google.com is z.z.z.z
9. Client to Google.com (z.z.z.z): https request
10. Google.com to Client: https response
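
The walk in steps 1 to 8, together with the alias restart described on the hierarchy slide, as an added example that is not part of the original slides. Every name, server id and address in it is constructed (addresses are from the RFC 5737 documentation ranges), and `resolve`, `ROOT`, `TLD` and `ANS` are hypothetical names for an offline model, not a real resolver API.

```python
"""Offline model of the resolution walk: resolver -> root -> TLD -> authoritative.

All zone data is constructed for illustration; no packets are sent.
"""

# Root zone: TLD label -> id of the TLD name server that handles it.
ROOT = {"com": "tld-com", "net": "tld-net"}

# TLD name servers: registered domain -> id of its authoritative name server.
TLD = {
    "tld-com": {"example.com": "ans-example"},
    "tld-net": {"cdn-example.net": "ans-cdn"},
}

# Authoritative name servers: full name -> (record type, value).
ANS = {
    "ans-example": {
        "example.com": ("A", "192.0.2.10"),
        "www.example.com": ("CNAME", "edge.cdn-example.net"),
        "loop.example.com": ("CNAME", "loop.example.com"),  # broken on purpose
    },
    "ans-cdn": {"edge.cdn-example.net": ("A", "198.51.100.7")},
}

MAX_CNAME_HOPS = 8  # bound on alias chasing so a CNAME loop cannot spin forever


class ResolutionError(Exception):
    """Raised when a name cannot be resolved in the model."""


def resolve(name, tld_cache=None):
    """Resolve name to an IPv4 address; return (ip, trace).

    trace lists (server_id, question) for every server the resolver asked.
    tld_cache maps a TLD label to its TLD server, which is why the root is
    rarely asked twice for the same TLD.
    """
    tld_cache = {} if tld_cache is None else tld_cache
    trace = []
    name = name.lower().rstrip(".")
    for _ in range(MAX_CNAME_HOPS + 1):
        labels = name.split(".")
        if len(labels) < 2:
            raise ResolutionError(f"not a fully qualified name: {name!r}")
        # Simplification: the last two labels are taken as the delegated zone.
        tld_label, zone = labels[-1], ".".join(labels[-2:])

        # Steps 2-3: ask the root for the TLD name server (unless cached).
        if tld_label in tld_cache:
            tld_server = tld_cache[tld_label]
        else:
            trace.append(("root", name))
            tld_server = ROOT.get(tld_label)
            if tld_server is None:
                raise ResolutionError(f"unknown TLD: {tld_label!r}")
            tld_cache[tld_label] = tld_server

        # Steps 4-5: ask the TLD name server for the zone's ANS.
        trace.append((tld_server, name))
        ans_server = TLD[tld_server].get(zone)
        if ans_server is None:
            raise ResolutionError(f"no delegation for {zone!r}")

        # Steps 6-7: ask the ANS for the record itself.
        trace.append((ans_server, name))
        record = ANS[ans_server].get(name)
        if record is None:
            raise ResolutionError(f"no such name: {name!r}")
        rtype, value = record
        if rtype == "A":
            return value, trace          # step 8: answer goes back to the client
        name = value                     # CNAME: restart the walk for the alias
    raise ResolutionError("CNAME chain exceeded MAX_CNAME_HOPS")
```

Passing the same `tld_cache` dictionary to a second call shows the root dropping out of the trace.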

DNS Components
Root Name Servers
HOSTNAME | IP ADDRESSES | OPERATOR
a.root-servers.net | 198.41.0.4, 2001:503:ba3e::2:30 | Verisign, Inc.
b.root-servers.net | 199.9.14.201, 2001:500:200::b | University of Southern California, Information Sciences Institute
c.root-servers.net | 192.33.4.12, 2001:500:2::c | Cogent Communications
d.root-servers.net | 199.7.91.13, 2001:500:2d::d | University of Maryland
e.root-servers.net | 192.203.230.10, 2001:500:a8::e | NASA (Ames Research Center)
f.root-servers.net | 192.5.5.241, 2001:500:2f::f | Internet Systems Consortium, Inc.
g.root-servers.net | 192.112.36.4, 2001:500:12::d0d | US Department of Defense (NIC)
h.root-servers.net | 198.97.190.53, 2001:500:1::53 | US Army (Research Lab)
i.root-servers.net | 192.36.148.17, 2001:7fe::53 | Netnod
j.root-servers.net | 192.58.128.30, 2001:503:c27::2:30 | Verisign, Inc.
k.root-servers.net | 193.0.14.129, 2001:7fd::1 | RIPE NCC
l.root-servers.net | 199.7.83.42, 2001:500:9f::42 | ICANN
m.root-servers.net | 202.12.27.33, 2001:dc3::35 | WIDE Project
▶IANA administers the data in the root zone, which forms the top of the hierarchy in the Domain Name System (DNS) tree.
▶This task involves liaising with top-level domain "Registrar-of-Record"s, the root nameserver operators, and ICANN's policy making team.
▶It also performs the Root DNS Key signing ceremony for enabling DNSSEC at the root zone.
▶There are 13 DNS root servers in operation, each using an anycast IP address served by multiple physical servers.
▶Root servers are not queried very frequently, as computers on the network cache the address of a top-level domain. But they are an essential element of the Internet architecture.
▶The operators of the root servers are able to remain largely autonomous. However, they still need to work with each other and ICANN.
https://root-servers.org/

DNS Components
TLD Name Servers & Registry
[Diagram: TLD name servers point to authoritative name servers (for example ns1.google.com, a.ns.facebook.com, a.ns.apple.com), which hold the IP addresses of domains such as google.com, facebook.com and apple.com]

DNS Components
Recursive Resolvers
▶DNS resolvers are generally provided by the internet service provider or mobile service provider that provides the data connectivity.
▶There are a few ISP-agnostic DNS resolver providers available for everyone to use.
Resolver addresses shown: 8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1, 208.67.222.222, 208.67.220.220

DNS Components
DNS Zones
▶A DNS zone is a portion of the DNS namespace that is managed by a specific organization or administrator.
▶A DNS zone can contain multiple subdomains, and multiple zones can exist on the same server.
▶DNS zones are not necessarily physically separated from one another; zones are strictly used for delegating control.
▶DNS records (aka zone files) are instructions that live in authoritative name servers.
▶Records consist of a series of text files written in what is known as DNS syntax.
▶DNS syntax is just a string of characters used as commands that tell the DNS server what to do.
[Diagram: the Root Zone sits above the .com, .net and .org TLD zones; the cybervattam.com zone contains www.cybervattam.com, blog.cybervattam.com and mail.cybervattam.com; tamil.cybervattam.com is a separate zone]

DNS Components
DNS Records
▶ A record - The record that holds the IP address of a domain
▶ AAAA record - The record that holds the IPv6 address of a domain
▶ CNAME record - Forwards one domain or subdomain to another domain, does NOT provide an IP address
▶ MX record - Directs mail to an email server
▶ TXT record - Lets an admin store text notes in the record
▶ NS record - Stores the name server for a DNS entry
▶ SOA record - Stores admin information about a domain
▶ SRV record - Specifies a port for specific services
▶ PTR record - Provides a domain name in reverse-lookups
DNSSEC Specific Records
▶ RRSIG - Contains a cryptographic signature
▶ DNSKEY - Contains a public signing key
▶ DS - Contains the hash of a DNSKEY record
▶ NSEC and NSEC3 - For explicit denial-of-existence of a DNS record
▶ CDNSKEY and CDS - For a child zone requesting updates to DS record(s) in the parent zone.

DNS Types
▶Internal DNS: A DNS server that contains a mapping of host names / server names to their internal private IP addresses within an organization's network.
▶External DNS: A DNS server that contains a mapping of host names / server names to their externally routable public IP addresses.
▶Dynamic DNS: A method of automatically updating a name server, often in real time, with the active DDNS configuration of its configured host names, addresses and other information. Dynamic DNS is an integral part of Microsoft Active Directory, because domain controllers register their network service types in DNS so that other computers in the domain (or forest) can access them.
▶Reverse DNS: A reverse DNS query retrieves the domain name associated with a given IP address by looking at the PTR (pointer) record. PTR records store IP addresses with their segments reversed, with a domain name appended to that. Logging software employs reverse lookups in order to provide users with human-readable domains in their log data.

DNSSEC
▶DNSSEC aims to create a secure domain name system by adding cryptographic signatures of DNS data to existing DNS records.
▶The data is signed by the owner of the data.
▶To facilitate signature validation, DNSSEC adds a few new DNS record types:
–RRSIG - Contains a cryptographic signature
–DNSKEY - Contains a public signing key
–DS - Contains the hash of a DNSKEY record
–NSEC and NSEC3 - For explicit denial-of-existence of a DNS record
–CDNSKEY and CDS - For a child zone requesting updates to DS record(s) in the parent zone
▶Every DNS zone has two public/private key pairs: a Zone Signing Key (ZSK) pair and a Key Signing Key (KSK) pair.
▶The zone owner takes a resource record set (RRSet) in the zone and generates digital signatures (RRSIG) over that data using the zone signing private key. The zone signing public key, however, is published in the zone itself, in a DNSKEY record, for anyone to retrieve. Any recursive resolver that looks up data in the zone also retrieves the zone's public key, which it uses to validate the authenticity of the DNS data.
▶A KSK is used to protect the integrity of the ZSK.

DNSSEC
[Diagram: DNSSEC chain of trust between the DNS client, the DNS resolver, the root zone, the TLD zone and the authoritative nameserver zone. Each zone holds a private ZSK and a private KSK and publishes its public KSK in a DNSKEY record. The root zone carries a DS record with the hashed public KSK of the TLD zone, and the TLD zone carries a DS record with the hashed public KSK of the ANS zone. Record labels shown for example.com., com. and the root (.): A, A RRSIG, DNSKEY ZSK, DNSKEY KSK, DNSKEY RRSIG, DS RRSIG]
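
The parent-to-child link in the chain above ("DS contains the hash of a DNSKEY record") worked through in code, as an added example that is not part of the original slides. It assumes the RFC 4034 wire formats and the SHA-256 digest type from RFC 4509; the key bytes are constructed sample data, and the function names are hypothetical.

```python
"""Check a parent-zone DS record against a child-zone DNSKEY (KSK).

The key bytes below are constructed sample data, not a real zone's key.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

DIGEST_SHA256 = 2   # DS digest type for SHA-256
FLAG_ZSK = 256      # DNSKEY flags: Zone Key bit
FLAG_KSK = 257      # DNSKEY flags: Zone Key bit + Secure Entry Point bit
ALG_ED25519 = 15    # DNSSEC algorithm number for Ed25519

SAMPLE_PUBLIC_KEY = bytes(range(32))  # constructed 32-octet placeholder key


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates every name


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 octets), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """16-bit key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, octet in enumerate(rdata):
        acc += octet if i & 1 else octet << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def make_ds(owner: str, rdata: bytes) -> DS:
    """Build the DS the parent zone would publish for this child DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return DS(key_tag(rdata), rdata[3], DIGEST_SHA256, digest)


def ds_matches(owner: str, rdata: bytes, ds: DS) -> bool:
    """True only if the child's DNSKEY is the one the parent's DS vouches for."""
    if ds.digest_type != DIGEST_SHA256:
        return False  # this example only handles SHA-256 digests
    candidate = make_ds(owner, rdata)
    return (
        candidate.key_tag == ds.key_tag
        and candidate.algorithm == ds.algorithm
        and hmac.compare_digest(candidate.digest, ds.digest)
    )


if __name__ == "__main__":
    ksk = dnskey_rdata(FLAG_KSK, ALG_ED25519, SAMPLE_PUBLIC_KEY)
    ds = make_ds("example.com.", ksk)
    print("key tag:", ds.key_tag, "digest:", ds.digest.hex())
    print("KSK accepted:", ds_matches("example.com.", ksk, ds))
    swapped = dnskey_rdata(FLAG_KSK, ALG_ED25519, b"\xff" + SAMPLE_PUBLIC_KEY[1:])
    print("swapped key accepted:", ds_matches("example.com.", swapped, ds))
```

The digest covers the owner name as well as the key, so the same key published under a different zone name does not match the DS.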

DNS over TLS (DoT) & DNS over HTTPS (DoH)
▶DNS over TLS (DoT) is a security protocol for encrypting Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol between the DNS client and the DNS resolver.
▶DNS over HTTPS (DoH) is a security protocol for encrypting Domain Name System (DNS) queries and answers via the HTTPS protocol between the DNS client and the DNS resolver.
▶The main objective is to protect user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks.
[Diagram: the DNS client and the DNS resolver exchange DNS traffic over TLS or HTTPS through an encrypted tunnel; a hacker sits on the path]

Oblivious DNS (ODoH)
▶ODoH is an emerging protocol being developed at the IETF. It works by adding a layer of public key encryption, as well as a network proxy between clients and DoH server targets.
▶A client can choose a proxy and target of their choice. The combination of these two added elements guarantees that only the user has access to both the DNS messages and their own IP address at the same time.
▶The objective of this protocol is to protect end-user privacy by preventing ISPs or DNS resolvers from being able to read the websites visited by their respective clients.

Oblivious DNS (ODoH)
▶The target sees only the query and the proxy's IP address.
▶Only the intended target can decrypt the content of the query and produce a response.
▶The proxy cannot see or modify the DNS query to the target or the response being returned by the target.
[Diagram: the DNS client (z.z.z.z) sends the query "What is the IP address of cybervattam.com?" (From: z.z.z.z, Proxy: x.x.x.x, To: DoH Target) to the DoH proxy (x.x.x.x), which forwards it (From: x.x.x.x, To: y.y.y.y) to the DoH target (y.y.y.y), which asks the DNS recursive resolver. The answer "IP address of cybervattam.com is a.a.a.a" returns from the target to the proxy (From: y.y.y.y, To: x.x.x.x) and from the proxy to the client (From: x.x.x.x, To: z.z.z.z). Links are labelled https, https and DoH]

DNS64
▶DNS64 describes a DNS server that, when asked for a domain's AAAA records but finding only A records, synthesizes the AAAA records from the A records.
▶The first part of the synthesized IPv6 address points to an IPv6/IPv4 translator and the second part embeds the IPv4 address from the A record. The translator in question is usually a NAT64 server.
[Diagram: a client in the IPv6 network asks the DNS64 server for www.google.com; DNS64 asks the authoritative name server and receives A 142.250.193.164; DNS64 returns AAAA ::ffff:8efa:c1a4 to the client; the NAT64 translator sends the SYN to 142.250.193.164 in the IPv4 network]
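
The synthesis step in code, as an added example that is not part of the original slides. It goes beyond the single case drawn in the diagram: it assumes the RFC 6052 address format, with the well-known prefix 64:ff9b::/96 as the default and the other permitted prefix lengths supported; the function names are hypothetical.

```python
"""DNS64 AAAA synthesis: embed an IPv4 address in a NAT64 prefix (RFC 6052)."""
import ipaddress

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
ALLOWED_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
U_OCTET = 8  # bits 64..71 of the IPv6 address must stay zero


def synthesize(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Return the IPv6 address that represents ipv4 behind the given prefix."""
    v4 = ipaddress.IPv4Address(ipv4)
    if prefix.prefixlen not in ALLOWED_PREFIX_LENGTHS:
        raise ValueError("prefix length must be one of 32/40/48/56/64/96")
    # The well-known prefix must not carry non-global (e.g. RFC 1918) addresses.
    if prefix == WELL_KNOWN_PREFIX and not v4.is_global:
        raise ValueError("well-known prefix cannot embed a non-global address")
    out = bytearray(prefix.network_address.packed)
    pos = prefix.prefixlen // 8
    for octet in v4.packed:
        if pos == U_OCTET:       # skip the reserved octet
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def extract(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Inverse of synthesize(); None if ipv6 is not inside the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    raw, pos, out = addr.packed, prefix.prefixlen // 8, bytearray()
    while len(out) < 4:
        if pos == U_OCTET:
            pos += 1
        out.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(out))


def dns64_answer(a_records, aaaa_records, prefix=WELL_KNOWN_PREFIX):
    """AAAA answer set: real AAAA records win; otherwise synthesize from A."""
    if aaaa_records:
        return [ipaddress.IPv6Address(a) for a in aaaa_records]
    return [synthesize(a, prefix) for a in a_records]


if __name__ == "__main__":
    # Address taken from the slide; the prefix is this example's assumption.
    print(synthesize("142.250.193.164"))
    print(extract("64:ff9b::8efa:c1a4"))
```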
Thank you
This document is shared under the CC BY-NC-SA 4.0 license (Creative Commons Attribution-NonCommercial-ShareAlike).

About me
Venkatesh Jambulingam
Cloud Security Expert
Email:
cybervattam@gmail.com
cybervattam@outlook.com
Follow me on

More Related Content

What's hot (20)

Domain Name System
Domain Name SystemDomain Name System
Domain Name System
 
Lesson 6: Dynamic Host Configuration Protocol A
Lesson 6: Dynamic Host Configuration Protocol ALesson 6: Dynamic Host Configuration Protocol A
Lesson 6: Dynamic Host Configuration Protocol A
 
Dhcp ppt
Dhcp pptDhcp ppt
Dhcp ppt
 
Dns
DnsDns
Dns
 
Basics about IP address, DNS and DHCP.
Basics about IP address, DNS and DHCP.Basics about IP address, DNS and DHCP.
Basics about IP address, DNS and DHCP.
 
6 understanding DHCP
6 understanding DHCP6 understanding DHCP
6 understanding DHCP
 
Domain name system
Domain name systemDomain name system
Domain name system
 
DHCP & DNS
DHCP & DNSDHCP & DNS
DHCP & DNS
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
 
DNS Record
DNS RecordDNS Record
DNS Record
 
Dns presentation
Dns presentationDns presentation
Dns presentation
 
Dns 2
Dns 2Dns 2
Dns 2
 
Intro to DNS
Intro to DNSIntro to DNS
Intro to DNS
 
Dhcp
DhcpDhcp
Dhcp
 
Presentation on dns
Presentation on dnsPresentation on dns
Presentation on dns
 
Dns(Domain name system)
Dns(Domain name system)Dns(Domain name system)
Dns(Domain name system)
 
Linux Networking Commands
Linux Networking CommandsLinux Networking Commands
Linux Networking Commands
 
Dhcp presentation 01
Dhcp presentation 01Dhcp presentation 01
Dhcp presentation 01
 
Presentation on Domain Name System
Presentation on Domain Name SystemPresentation on Domain Name System
Presentation on Domain Name System
 
DNS - Domain Name System
DNS - Domain Name SystemDNS - Domain Name System
DNS - Domain Name System
 

Similar to Domain Name System (DNS)

DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 
How to configure dns server(2)
How to configure dns server(2)How to configure dns server(2)
How to configure dns server(2)Amandeep Kaur
 
Dns Configuration
Dns ConfigurationDns Configuration
Dns ConfigurationLohit Ahuja
 
DNSSEC: What a Registrar Needs to Know
DNSSEC:  What a Registrar Needs to KnowDNSSEC:  What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to Knowlaurenrprice
 
Dynamic Domain Name System
Dynamic Domain Name SystemDynamic Domain Name System
Dynamic Domain Name SystemRajan Kumar
 
Deploying and configuring dns service
Deploying and configuring dns serviceDeploying and configuring dns service
Deploying and configuring dns servicelatoniasmith
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallGlenn McKnight
 
Lesson 5: Configuring Name Resolution
Lesson 5: Configuring Name ResolutionLesson 5: Configuring Name Resolution
Lesson 5: Configuring Name ResolutionMahmmoud Mahdi
 
DNSandDNSSecurity (1).pptx
DNSandDNSSecurity (1).pptxDNSandDNSSecurity (1).pptx
DNSandDNSSecurity (1).pptxAisha Siddiqui
 
Pmw2 k3ni 1-2b
Pmw2 k3ni 1-2bPmw2 k3ni 1-2b
Pmw2 k3ni 1-2bhariclant1
 
06 coms 525 tcpip - dhcp and dns
06   coms 525 tcpip - dhcp and dns06   coms 525 tcpip - dhcp and dns
06 coms 525 tcpip - dhcp and dnsPalanivel Kuppusamy
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013Shumon Huque
 

Similar to Domain Name System (DNS) (20)

8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
How to configure dns server(2)
How to configure dns server(2)How to configure dns server(2)
How to configure dns server(2)
 
Dns Configuration
Dns ConfigurationDns Configuration
Dns Configuration
 
Configuring Dns
Configuring DnsConfiguring Dns
Configuring Dns
 
DNSSEC: What a Registrar Needs to Know
DNSSEC:  What a Registrar Needs to KnowDNSSEC:  What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to Know
 
Dynamic Domain Name System
Dynamic Domain Name SystemDynamic Domain Name System
Dynamic Domain Name System
 
Deploying and configuring dns service
Deploying and configuring dns serviceDeploying and configuring dns service
Deploying and configuring dns service
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael Casadevall
 
Lesson 5: Configuring Name Resolution
Lesson 5: Configuring Name ResolutionLesson 5: Configuring Name Resolution
Lesson 5: Configuring Name Resolution
 
DNSandDNSSecurity (1).pptx
DNSandDNSSecurity (1).pptxDNSandDNSSecurity (1).pptx
DNSandDNSSecurity (1).pptx
 
What is dns
What is dnsWhat is dns
What is dns
 
DNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & Afilias
 
Pmw2 k3ni 1-2b
Pmw2 k3ni 1-2bPmw2 k3ni 1-2b
Pmw2 k3ni 1-2b
 
06 coms 525 tcpip - dhcp and dns
06   coms 525 tcpip - dhcp and dns06   coms 525 tcpip - dhcp and dns
06 coms 525 tcpip - dhcp and dns
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013
 
The History of DNS
The History of DNSThe History of DNS
The History of DNS
 

More from Venkatesh Jambulingam

அடையாள மேலாண்மை | Identity Management in Tamil
அடையாள மேலாண்மை | Identity Management in Tamilஅடையாள மேலாண்மை | Identity Management in Tamil
அடையாள மேலாண்மை | Identity Management in TamilVenkatesh Jambulingam
 
அணுகல் மேலாண்மை | Access Management
அணுகல் மேலாண்மை | Access Managementஅணுகல் மேலாண்மை | Access Management
அணுகல் மேலாண்மை | Access ManagementVenkatesh Jambulingam
 
மேகக்கணிமை | Cloud Computing
மேகக்கணிமை | Cloud Computingமேகக்கணிமை | Cloud Computing
மேகக்கணிமை | Cloud ComputingVenkatesh Jambulingam
 
பொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamil
பொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamilபொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamil
பொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in TamilVenkatesh Jambulingam
 
களப்பெயர் முறைமை | Domain Name System (DNS)
களப்பெயர் முறைமை | Domain Name System (DNS)களப்பெயர் முறைமை | Domain Name System (DNS)
களப்பெயர் முறைமை | Domain Name System (DNS)Venkatesh Jambulingam
 
கட்டச்சங்கிலி | Blockchain in Tamil
கட்டச்சங்கிலி | Blockchain in Tamilகட்டச்சங்கிலி | Blockchain in Tamil
கட்டச்சங்கிலி | Blockchain in TamilVenkatesh Jambulingam
 
மறைப்பியல் | Cryptography in Tamil
மறைப்பியல் | Cryptography in Tamilமறைப்பியல் | Cryptography in Tamil
மறைப்பியல் | Cryptography in TamilVenkatesh Jambulingam
 

More from Venkatesh Jambulingam (13)

Identity Management
Identity ManagementIdentity Management
Identity Management
 
அடையாள மேலாண்மை | Identity Management in Tamil
அடையாள மேலாண்மை | Identity Management in Tamilஅடையாள மேலாண்மை | Identity Management in Tamil
அடையாள மேலாண்மை | Identity Management in Tamil
 
அணுகல் மேலாண்மை | Access Management
அணுகல் மேலாண்மை | Access Managementஅணுகல் மேலாண்மை | Access Management
அணுகல் மேலாண்மை | Access Management
 
Access management
Access managementAccess management
Access management
 
Cloud computing Introduction
Cloud computing IntroductionCloud computing Introduction
Cloud computing Introduction
 
மேகக்கணிமை | Cloud Computing
மேகக்கணிமை | Cloud Computingமேகக்கணிமை | Cloud Computing
மேகக்கணிமை | Cloud Computing
 
Public key Infrastructure (PKI)
Public key Infrastructure (PKI)Public key Infrastructure (PKI)
Public key Infrastructure (PKI)
 
பொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamil
பொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamilபொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamil
பொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamil
 
களப்பெயர் முறைமை | Domain Name System (DNS)
களப்பெயர் முறைமை | Domain Name System (DNS)களப்பெயர் முறைமை | Domain Name System (DNS)
களப்பெயர் முறைமை | Domain Name System (DNS)
 
Blockchain
BlockchainBlockchain
Blockchain
 
கட்டச்சங்கிலி | Blockchain in Tamil
கட்டச்சங்கிலி | Blockchain in Tamilகட்டச்சங்கிலி | Blockchain in Tamil
கட்டச்சங்கிலி | Blockchain in Tamil
 
Cryptography
CryptographyCryptography
Cryptography
 
மறைப்பியல் | Cryptography in Tamil
மறைப்பியல் | Cryptography in Tamilமறைப்பியல் | Cryptography in Tamil
மறைப்பியல் | Cryptography in Tamil
 

Recently uploaded

Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxFIDO Alliance
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...ScyllaDB
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfAnubhavMangla3
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Skynet Technologies
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfalexjohnson7307
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxFIDO Alliance
 
Microsoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdfMicrosoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdfOverkill Security
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...ScyllaDB
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentationyogeshlabana357357
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireExakis Nelite
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewDianaGray10
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....rightmanforbloodline
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxFIDO Alliance
 

Recently uploaded (20)

Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Microsoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdfMicrosoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdf
 

Domain Name System (DNS)

  • 1. Domain Name System
      Presented by Venkatesh Jambulingam, Cloud Security Expert, 27-Jun-2021
  • 2. | 27-Jun-2021 | Venkatesh Jambulingam | Contents
      ▶ DNS Introduction
      ▶ DNS Hierarchy
      ▶ DNS Resolution Process
      ▶ DNS Components
      ▶ DNS Types
      ▶ DNSSEC
      ▶ DNS over TLS (DoT) & HTTPS (DoH)
      ▶ Oblivious DNS (ODoH)
  • 3. DNS Introduction
      ▶ Domain Name System (DNS) is special software running on a computer server that contains a mapping of hostnames / server names to their associated IP addresses.
      ▶ It is very similar to a phone book or telephone directory. Technically, DNS can be considered an address book stored in key-value format.
      ▶ DNS translates domain names to IP addresses so that browsers / apps can load internet / intranet resources.
      ▶ DNS servers run special software and communicate with each other using special protocols to resolve the name.
      ▶ DNS has been designed to use both UDP and TCP port 53 from the start, with UDP being the default and TCP the fallback.
      Image Credit: Cloudflare
  • 4. DNS Hierarchy
      Root Servers
      ▶ There are 13 root name servers, operated by 13 independent organizations using the anycast routing method; these root name servers are governed by ICANN.
      ▶ A root server accepts a recursive resolver's query and responds by directing it to a TLD nameserver, based on the extension of that domain.
      TLD Servers
      ▶ A TLD nameserver maintains information for all the domain names ending with its domain extension. These are operated by the respective TLD name sponsor & TLD registry.
      ▶ Generic top-level domain (gTLD: .com, .net), country code top-level domain (ccTLD: .in, .uk, .jp)
      Authoritative Name Servers (ANS)
      ▶ Contains information specific to the domain name it serves
      ▶ Provides the IP address of the domain found in the DNS A record
      ▶ Provides an alias domain if the domain has a CNAME record
      Recursive Resolver
      ▶ It is the first stop in a DNS query and acts as a middleman between a client and a DNS nameserver. It is also known as a DNS recursor.
      ▶ If it receives a domain alias from the ANS, it will initiate a recursive DNS query for the new domain.
  • 5. DNS Resolution Process
      1. What is the IP address of www.google.com?
      2. What is the IP address of .COM TLD name server?
      3. IP address of .COM TLD name server is x.x.x.x
      4. What is the IP address of ANS of google.com?
      5. IP address of ANS of google.com is y.y.y.y
      6. What is the IP address of google.com?
      7. IP address of google.com is z.z.z.z
      8. IP address of google.com is z.z.z.z
      9. https request
      10. https response
      [Diagram: Client, DNS Resolver (1.1.1.1, 8.8.8.8), DNS Root Servers, TLD Name Servers (x.x.x.x), Authoritative Name Servers (y.y.y.y), Google.com (z.z.z.z)]
  • 6. DNS Components: Root Name Servers
      HOSTNAME | IP ADDRESSES | OPERATOR
      a.root-servers.net | 198.41.0.4, 2001:503:ba3e::2:30 | Verisign, Inc.
      b.root-servers.net | 199.9.14.201, 2001:500:200::b | University of Southern California, Information Sciences Institute
      c.root-servers.net | 192.33.4.12, 2001:500:2::c | Cogent Communications
      d.root-servers.net | 199.7.91.13, 2001:500:2d::d | University of Maryland
      e.root-servers.net | 192.203.230.10, 2001:500:a8::e | NASA (Ames Research Center)
      f.root-servers.net | 192.5.5.241, 2001:500:2f::f | Internet Systems Consortium, Inc.
      g.root-servers.net | 192.112.36.4, 2001:500:12::d0d | US Department of Defense (NIC)
      h.root-servers.net | 198.97.190.53, 2001:500:1::53 | US Army (Research Lab)
      i.root-servers.net | 192.36.148.17, 2001:7fe::53 | Netnod
      j.root-servers.net | 192.58.128.30, 2001:503:c27::2:30 | Verisign, Inc.
      k.root-servers.net | 193.0.14.129, 2001:7fd::1 | RIPE NCC
      l.root-servers.net | 199.7.83.42, 2001:500:9f::42 | ICANN
      m.root-servers.net | 202.12.27.33, 2001:dc3::35 | WIDE Project
      ▶ IANA administers the data in the root zone, which forms the top of the hierarchy in the Domain Name System (DNS) tree.
      ▶ This task involves liaising with top-level domain "Registrar-of-Record"s, the root nameserver operators, and ICANN's policy making team.
      ▶ It also performs the Root DNS Key signing ceremony for enabling DNSSEC at the root zone.
      ▶ There are 13 DNS root servers in operation, each using an anycast IP address across multiple physical servers.
      ▶ Root servers are not queried very frequently, as computers on the network cache the address of a top-level domain. But they are an essential element of the Internet architecture.
      ▶ The operators of the root servers are able to remain largely autonomous. However, they still need to work with each other and ICANN.
      https://root-servers.org/
  • 7. DNS Components: TLD Name Servers & Registry
      [Diagram: four TLD name servers, each pointing to authoritative name servers and the domain records they hold]
      Name servers shown: ns0.wikimedia.org, ns1.no-ip.com, ns-981.awsdns-58.net, ns-802.awsdns-36.net, ns-787.awsdns-34.net, ns1.dnsmadeeasy.com, dnsdel.mantraonline.com, ns1.vodafoneidea.com, pdns4.ultradns.org, ns1.google.com, a.ns.facebook.com, a.ns.apple.com
      Authoritative name server records shown: google.com 142.250.193.164, facebook.com 157.240.228.35, apple.com 104.97.28.211, slideshare.net 54.157.136.190, speedtest.net 151.101.130.219, sourceforge.net 216.105.38.13, wikipedia.org 103.102.166.224, apache.org 95.216.26.30, python.org 45.55.99.72, airtel.in 125.16.74.90, myvi.in 103.75.249.62, amazon.in 52.95.120.67
  • 8. DNS Components: Recursive Resolvers
      ▶ DNS resolvers are generally provided by the internet service provider or mobile service provider that provides the data connectivity.
      ▶ There are a few ISP-agnostic DNS resolver providers available for everyone to use.
      Resolver addresses shown: 8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1, 208.67.222.222, 208.67.220.220
  • 9. DNS Components: DNS Zones
      ▶ A DNS zone is a portion of the DNS namespace that is managed by a specific organization or administrator.
      ▶ A DNS zone can contain multiple subdomains, and multiple zones can exist on the same server.
      ▶ DNS zones are not necessarily physically separated from one another; zones are strictly used for delegating control.
      ▶ DNS records (aka zone files) are instructions that live in authoritative name servers.
      ▶ Records consist of a series of text files written in what is known as DNS syntax.
      ▶ DNS syntax is just a string of characters used as commands that tell the DNS server what to do.
      [Diagram: Root Zone; .com TLD Zone, .net TLD Zone, .org TLD Zone; cybervattam.com Zone (www.cybervattam.com, blog.cybervattam.com, mail.cybervattam.com); tamil.cybervattam.com Zone]
  • 10. DNS Components: DNS Records
      ▶ A record - The record that holds the IP address of a domain
      ▶ AAAA record - The record that holds the IPv6 address of a domain
      ▶ CNAME record - Forwards one domain or subdomain to another domain, does NOT provide an IP address
      ▶ MX record - Directs mail to an email server
      ▶ TXT record - Lets an admin store text notes in the record
      ▶ NS record - Stores the name server for a DNS entry
      ▶ SOA record - Stores admin information about a domain
      ▶ SRV record - Specifies a port for specific services
      ▶ PTR record - Provides a domain name in reverse-lookups
      DNSSEC Specific Records
      ▶ RRSIG - Contains a cryptographic signature
      ▶ DNSKEY - Contains a public signing key
      ▶ DS - Contains the hash of a DNSKEY record
      ▶ NSEC and NSEC3 - For explicit denial-of-existence of a DNS record
      ▶ CDNSKEY and CDS - For a child zone requesting updates to DS record(s) in the parent zone.
  • 11. DNS Types
      Reverse DNS
      ▶ A reverse DNS query retrieves the domain name associated with a given IP address by looking at the PTR (pointer) record.
      ▶ PTR records store IP addresses with their segments reversed and append a domain name to that.
      ▶ Logging software employs reverse lookups in order to provide users with human-readable domains in their log data.
      Dynamic DNS
      ▶ A method of automatically updating a name server, often in real time, with the active DDNS configuration of its configured host names, addresses and other information.
      ▶ Dynamic DNS is an integral part of Microsoft Active Directory, because domain controllers register their network service types in DNS so that other computers in the domain (or forest) can access them.
      External DNS
      ▶ A DNS server that contains a mapping of host names / server names and their externally routable public IP address.
      Internal DNS
      ▶ A DNS server that contains a mapping of host names / server names and their internal private IP address within an organization's network.
  • 12. DNSSEC
      ▶ DNSSEC aims to create a secure domain name system by adding cryptographic signatures of DNS data to existing DNS records.
      ▶ The data is signed by the owner of the data.
      ▶ To facilitate signature validation, DNSSEC adds a few new DNS record types:
        – RRSIG - Contains a cryptographic signature
        – DNSKEY - Contains a public signing key
        – DS - Contains the hash of a DNSKEY record
        – NSEC and NSEC3 - For explicit denial-of-existence of a DNS record
        – CDNSKEY and CDS - For a child zone requesting updates to DS record(s) in the parent zone
      ▶ Every DNS zone has two public/private key pairs: a Zone Signing Key (ZSK) pair and a Key Signing Key (KSK) pair.
      ▶ The zone owner takes a resource record set (RRSet) in the zone and generates digital signatures (RRSIG) over that data using the zone signing private key. The zone signing public key is published in the zone itself, in a DNSKEY record, for anyone to retrieve. Any recursive resolver that looks up data in the zone also retrieves the zone's public key, which it uses to validate the authenticity of the DNS data.
      ▶ A KSK is used to protect the integrity of the ZSK.
  • 13. DNSSEC
      [Diagram: DNSSEC chain of trust between the DNS Client, the DNS Resolver and three zones: Root Zone ("."), TLD Zone ("com.") and Authoritative Nameserver Zone ("example.com."). Each zone holds a Private ZSK and a Private KSK and publishes DNSKEY records for its ZSK and public KSK together with RRSIG records; the example.com. zone also carries the A record and its RRSIG. One DS record holds the hashed public KSK of the TLD zone and another DS record holds the hashed public KSK of the ANS zone.]
  • 14. DNS over TLS (DoT) & DNS over HTTPS (DoH)
      ▶ DNS over TLS (DoT) is a security protocol for encrypting Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol between the DNS client and the DNS resolver.
      ▶ DNS over HTTPS (DoH) is a security protocol for encrypting Domain Name System (DNS) queries and answers via the HTTPS protocol between the DNS client and the DNS resolver.
      ▶ The main objective is to protect user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks.
      [Diagram: DNS Client and DNS Resolver exchanging DNS traffic over TLS or HTTPS through an encrypted tunnel, with a hacker outside the tunnel]
  • 15. Oblivious DNS (ODoH)
      ▶ ODoH is an emerging protocol being developed at the IETF. It works by adding a layer of public key encryption, as well as a network proxy between clients and DoH server targets.
      ▶ A client can choose a proxy and target of their choice. The combination of these two added elements guarantees that only the user has access to both the DNS messages and their own IP address at the same time.
      ▶ The objective of this protocol is to protect end-user privacy and to prevent ISPs or DNS resolvers from being able to read the websites visited by their respective clients.
  • 16. Oblivious DNS (ODoH)
      ▶ The target sees only the query and the proxy's IP address.
      ▶ Only the intended target can decrypt the content of the query and produce a response.
      ▶ The proxy cannot see or modify the DNS query to the target or the response being returned by the target.
      [Diagram: DNS Client (z.z.z.z), DoH Proxy (x.x.x.x), DoH Target (y.y.y.y), DNS Recursive Resolver. The client sends "What is the IP address of cybervattam.com?" over https (From: z.z.z.z, Proxy: x.x.x.x, To: DoH Target); the proxy forwards it over https (From: x.x.x.x, To: y.y.y.y); the target passes the query to the DNS recursive resolver. The answer "IP address of cybervattam.com is a.a.a.a" returns from the target (From: y.y.y.y, To: x.x.x.x) and then from the proxy to the client (From: x.x.x.x, To: z.z.z.z).]
  • 17. DNS64
      ▶ DNS64 describes a DNS server that, when asked for a domain's AAAA records but finding only A records, synthesizes the AAAA records from the A records.
      ▶ The first part of the synthesized IPv6 address points to an IPv6/IPv4 translator and the second part embeds the IPv4 address from the A record. The translator in question is usually a NAT64 server.
      [Diagram: Client on an IPv6 network, DNS64, NAT64, Authoritative Name Server, and www.google.com (142.250.193.164) on an IPv4 network. Labels: "www.google.com ? AAAA" answered with ::ffff:8efa:c1a4; "www.google.com ? A" answered with 142.250.193.164; SYN 142.250.193.164.]
  • 18. Thank you
      This document is shared under the Creative Commons BY-NC-SA 4.0 (By, Non Commercial, Share Alike) license.
  • 19. About me
      Venkatesh Jambulingam, Cloud Security Expert
      Email: cybervattam@gmail.com, cybervattam@outlook.com
      Follow me on
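Slides 12 and 13 describe the DS record as the hash of a child zone's DNSKEY. The following added example (not part of the original deck) shows how a validating resolver checks that one link: it computes the RFC 4034 key tag and a SHA-256 DS digest, then compares them with the DS published by the parent. The key bytes, the zone name `example.com.` and all function names are constructed for illustration, and RRSIG signature verification is out of scope.

```python
import hashlib
import hmac
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical owner name: lowercase labels, each prefixed by its length."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 octets), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B checksum that lets a DS or RRSIG name a DNSKEY."""
    acc = 0
    for i, octet in enumerate(rdata):
        acc += octet if i & 1 else octet << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> dict:
    """Parent side: DS (digest type 2) = SHA-256(owner wire name + RDATA)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": digest}

def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    """Resolver side: does the parent's DS vouch for this child DNSKEY?"""
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & 0x0100 or ds["digest_type"] != 2:
        return False  # not a zone key, or a digest type this sketch lacks
    mine = make_ds(owner, rdata)
    return (mine["key_tag"] == ds["key_tag"]
            and mine["algorithm"] == ds["algorithm"]
            and hmac.compare_digest(mine["digest"], ds["digest"]))

# Constructed sample: flags 257 marks a KSK, algorithm 13 is ECDSA P-256.
# The 64 key octets are placeholder bytes, not a real public key.
CHILD_KSK = dnskey_rdata(257, 13, bytes(range(64)))
PARENT_DS = make_ds("example.com.", CHILD_KSK)
FORGED_KSK = dnskey_rdata(257, 13, bytes(range(1, 65)))

if __name__ == "__main__":
    print(PARENT_DS["key_tag"], PARENT_DS["digest"])
    print("genuine:", ds_matches(PARENT_DS, "example.com.", CHILD_KSK))
    print("forged: ", ds_matches(PARENT_DS, "example.com.", FORGED_KSK))
```

A DS mismatch at any level breaks the chain of trust, so a validating resolver treats the answer as bogus rather than falling back to the unsigned data.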
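Slide 17 says a DNS64 server builds the AAAA answer from a translator prefix plus the IPv4 address in the A record. This added example (not from the original deck) implements that embedding and its reverse using the RFC 6052 address layout, which generalizes the slide to every prefix length that RFC allows; the well-known prefix `64:ff9b::/96` and the function names are assumptions of the example. The reverse mapping is what lets an analyst recover the real IPv4 destination from a synthesized address seen in logs.

```python
import ipaddress

ALLOWED_LENGTHS = (32, 40, 48, 56, 64, 96)  # prefix lengths from RFC 6052
RESERVED_OCTET = 8                          # bits 64..71 must stay zero

def _load_prefix(prefix: str) -> ipaddress.IPv6Network:
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in ALLOWED_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    if net.network_address.packed[RESERVED_OCTET] != 0:
        raise ValueError("bits 64..71 of the prefix must be zero")
    return net

def synthesize_aaaa(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """DNS64 side: embed the A record's address after the translator prefix."""
    net = _load_prefix(prefix)
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == RESERVED_OCTET:
            pos += 1  # the IPv4 octets are split around the reserved octet
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))

def extract_ipv4(prefix: str, ipv6: str):
    """NAT64 / log-analysis side: recover the embedded IPv4 address,
    or None when the address is not inside the translator prefix."""
    net = _load_prefix(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    packed, pos, octets = addr.packed, net.prefixlen // 8, []
    while len(octets) < 4:
        if pos == RESERVED_OCTET:
            pos += 1
        octets.append(packed[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(octets))

if __name__ == "__main__":
    # 142.250.193.164 is the A record value shown on the slide.
    aaaa = synthesize_aaaa("64:ff9b::/96", "142.250.193.164")
    print(aaaa, "->", extract_ipv4("64:ff9b::/96", str(aaaa)))
```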