2. About Me
• Omkar Kumbhar
• Currently working as Associate Solution Advisor for Deloitte
• Worked as a Salesforce Developer for the past 4+ years.
• @kumbharomkar07
• https://www.linkedin.com/in/omkar-kumbhar-b1219499/
3. What is DNS
Domain Name System – Provides the naming structure for online resources and
maps domain names to their respective addresses (IPv4, IPv6) and vice versa.
e.g. www.example.com → 192.168.30.1
Created by Paul Mockapetris at UC Irvine in 1983. Before DNS, people mapped
names to IP addresses by sharing a big text file called ‘hosts.txt’.
Generally uses UDP and listens on port 53. TCP is used when the content is
larger than 512 bytes (e.g. zone transfers).
4. DNS Hierarchy
Root Domain: “.”
Top Level Domains: com, edu, net
Second Level Domains: example
Sub-domains: dev, api, staging
Hostname: www
FQDN: www.api.example.com.
5. DNS Query Types
• Forward
• Asks for the IP address of a given domain name
• Reverse
• Asks for the domain name of a given IP address
• Recursive
• The client asks the server to do all the resolution work on the client’s behalf and
is interested only in the final answer.
• Iterative
• The opposite of a recursive query
• The DNS server tells the client where to look next (a referral).
6. DNS Response Types
• Authoritative
• The response comes directly from a nameserver that has authority for the
record in question.
• e.g. example.com’s own DNS server is directly providing you the answer.
• Non-authoritative
• The response comes from another server or from a cache.
• e.g. a local DNS server answering for the example.com domain from its cache.
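To make slides 3, 5 and 6 concrete, here is an added example (my own code, not part of the original deck) that builds a DNS query the way a client or resolver would put it on the wire and decodes a reply. It shows the RD flag that distinguishes a recursive query (RD=1) from the iterative queries a resolver sends upstream (RD=0), the in-addr.arpa name used for a reverse (PTR) lookup, and the AA (authoritative answer) and TC (truncated, retry over TCP) header bits. The sample reply bytes are constructed inline; `query_udp` is the only part that touches the network and is not needed to run the rest.

```python
import socket
import struct
import ipaddress

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "AAAA": 28, "AXFR": 252}

def encode_name(name: str) -> bytes:
    # "www.example.com." -> b"\x03www\x07example\x03com\x00": length-prefixed labels, root = empty label
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def build_query(name: str, qtype: str = "A", txid: int = 0x1234, recursion_desired: bool = True) -> bytes:
    """Query message: 12-byte header + one question. RD=1 asks the server to recurse on our behalf
    (recursive query); RD=0 is what a resolver sends in its own iterative queries."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # id, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)   # QCLASS 1 = IN

def reverse_name(ip: str) -> str:
    # Name to ask for in a reverse (PTR) query: 192.168.30.1 -> "1.30.168.192.in-addr.arpa."
    return ipaddress.ip_address(ip).reverse_pointer + "."

def parse_name(msg: bytes, off: int):
    """Read a possibly compressed name; returns (name, offset just after the name in the message)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer to an earlier copy of the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_response(msg: bytes) -> dict:
    """Decode the header flags (AA = authoritative answer, TC = truncated) and the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "answers": []}
    off = 12
    for _ in range(qd):                             # skip the echoed question section
        _, off = parse_name(msg, off)
        off += 4
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE["A"] and rdlen == 4:
            rdata = str(ipaddress.IPv4Address(rdata))
        info["answers"].append((name, rtype, ttl, rdata))
    return info

def query_udp(server: str, name: str, qtype: str = "A", timeout: float = 2.0) -> dict:
    """Send over UDP port 53 and read at most 512 bytes; if TC is set the caller should retry over TCP."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    info = parse_response(data)
    if info["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction id mismatch: reply does not belong to our query")
    return info

# Constructed sample reply such as example.com's own name server would send: QR=1, AA=1, RD=1, RA=1, TC=0.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)
                   + encode_name("www.example.com.") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 600, 4) + bytes([192, 168, 30, 1]))
```

The transaction-id check in `query_udp` is the minimum a client should do before trusting a reply; it is also why a forger has to guess the id (and source port) to slip a bogus answer into a cache, which is the spoofing problem slide 18 comes back to.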
10. DNS Cache vs. DNS Server vs. DNS Resolver
• DNS Cache – The list of domain names and IPs that have been resolved
recently.
• DNS Server – Serves DNS requests from clients. It can be a caching server that
just performs recursive queries, or it can hold authoritative answers
for a particular domain/zone.
• DNS Resolver – DNS clients. They make iterative or recursive queries.
11. DNS Server Configurations
• Cache-only DNS Server
• Doesn’t hold any authoritative information of its own; it relies on information
obtained by recursion.
• Authoritative DNS Server (Master-slave)
• Holds authoritative information for certain resources
• Primary Server
• The master server, which holds all the data for a particular zone.
• Secondary Server
• Pulls zone information from the master server for backup and redundancy.
13. DNS Resolution Flow (diagram: Client (Laptop/Desktop), Local DNS server, Root Name Server, .com Name Server, example.com Name Server; the example.com zone holds www (A.B.C.D), drive and mail)
1. User enters www.example.com in the browser
2. Client checks its cache
3. Client checks hosts.txt (local hosts file)
4. Client sends a recursive query to the local DNS server
5. Local DNS server checks its cache
6. Local DNS server sends an iterative query to a root name server (root name server info comes from the named.ca file)
7. Root name server returns the name server for .com
8. Iterative query to the .com name server
9. .com name server returns the name server for example.com
10. Iterative query to the example.com name server
11. example.com name server returns the IP address for www.example.com
12. Local DNS server returns the requested IP address to the client
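The twelve steps above, as an added simulation (my own example, not code from the deck): three constructed authoritative servers hold NS delegations with glue, and a small local DNS server offers recursive service to its client by issuing iterative queries from the root hints down, caching the answer for its TTL. The server names, addresses and the `ROOT_HINTS` list are constructed stand-ins; only the resolution logic is what the slide describes.

```python
import time

# Constructed authoritative data: server -> {(name, type): rdata}. NS records are delegations (referrals);
# the A record beside each NS is "glue" so the resolver can reach the next server. Addresses are documentation ranges.
SERVERS = {
    "root":       {("com.", "NS"): ["ns.com-tld.test."], ("ns.com-tld.test.", "A"): ["192.0.2.1"]},
    "192.0.2.1":  {("example.com.", "NS"): ["ns1.example.com."], ("ns1.example.com.", "A"): ["192.0.2.53"]},
    "192.0.2.53": {("www.example.com.", "A"): ["192.168.30.1"]},
}
ROOT_HINTS = ["root"]        # stands in for the named.ca root hints file
TTL = 600                    # seconds a cached answer stays valid

def ask(server: str, qname: str, qtype: str) -> dict:
    """One iterative query. The server answers if it holds the record; otherwise it refers the
    resolver to the closest delegation it knows about, i.e. tells it where to look next."""
    zone = SERVERS[server]
    if (qname, qtype) in zone:
        return {"answer": zone[(qname, qtype)]}
    best = None
    for (name, rtype), rdata in zone.items():
        if rtype == "NS" and qname.endswith(name) and (best is None or len(name) > len(best[0])):
            best = (name, rdata[0])
    if best is None:
        return {"error": "no such delegation"}
    return {"referral": best[0], "ns": best[1], "glue": zone.get((best[1], "A"), [None])[0]}

class Resolver:
    """The local DNS server: recursive service for clients, iterative queries upstream, with a TTL cache."""
    def __init__(self, clock=time.time):
        self.cache, self.clock = {}, clock

    def resolve(self, qname: str, qtype: str = "A"):
        """Return (rdata, trail), where trail lists the servers asked ('cache' on a cache hit)."""
        hit = self.cache.get((qname, qtype))
        if hit and hit[0] > self.clock():            # step 5: serve from cache while the TTL has not expired
            return hit[1], ["cache"]
        server, trail = ROOT_HINTS[0], []
        for _ in range(8):                            # bound the number of referrals we will follow
            trail.append(server)
            reply = ask(server, qname, qtype)
            if "answer" in reply:                     # step 11: authoritative answer, cache it
                self.cache[(qname, qtype)] = (self.clock() + TTL, reply["answer"])
                return reply["answer"], trail
            if "referral" not in reply or reply["glue"] is None:
                raise LookupError(f"{server}: {reply.get('error', 'referral without glue')}")
            server = reply["glue"]                    # steps 6-10: follow the referral to the next server
        raise LookupError("too many referrals")
```

Passing a fake clock into `Resolver` makes the TTL behaviour testable: the first lookup walks root → .com → example.com, the second is served from cache, and once the TTL has elapsed the walk starts again from the root.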
14. Resource Records
The unit of information in a DNS zone file.
Owner TTL Class Type RDATA
example.com 600 IN A 192.168.30.1
• Owner – The domain name the record belongs to
• TTL (Time to live) – How long the record may be cached before it must be re-fetched
• Class – The protocol family (IN = Internet)
• Type – The type of resource the RR represents
• RDATA – The resource data itself.
15. DNS Record Types
• A – IPv4 address
• AAAA – IPv6 address
• CNAME – Canonical name, an alias from one name to another
• MX – Mail transfer agents for the domain
• NS – Authoritative name servers
• PTR – Pointer record, used for reverse lookups
• SOA – Start of Authority. Authoritative information about a DNS
zone.
• AXFR – Authoritative (full) zone transfer; a query type rather than a record stored in the zone
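Slides 14 and 15 describe the fields of a resource record and the common types; the added example below (mine, not from the deck) parses a constructed zone-file fragment into (owner, TTL, class, type, RDATA) tuples, handling the `$ORIGIN`/`$TTL` directives, the `@` shorthand, relative names and optional TTL/class fields, and then groups the records into RRsets, which is the unit DNSSEC later signs (slide 20). The zone content and addresses are constructed.

```python
from collections import defaultdict

# Constructed sample zone fragment for example.com (not a real zone file).
ZONE_TEXT = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA   ns1 hostmaster 2024010101 7200 900 1209600 300
@        IN NS    ns1
@        IN NS    ns2
@    600 IN A     192.168.30.1
@    600 IN A     192.168.30.2
www      IN CNAME @
ns1      IN A     192.168.30.53
@        IN MX    10 mail
mail     IN AAAA  2001:db8::25
"""

CLASSES = {"IN", "CH", "HS"}
TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "SOA", "TXT"}
NAME_RDATA = {"CNAME", "NS", "PTR"}           # types whose RDATA is a domain name that may be relative

def qualify(name: str, origin: str) -> str:
    """'@' means the origin; a name without a trailing dot is relative to the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text: str, origin: str = ".", default_ttl=None):
    """Return a list of (owner, ttl, class, type, rdata) tuples, one per resource record."""
    records, last_owner = [], origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        fields = line.split()
        # A line starting with whitespace inherits the previous owner name.
        owner = last_owner if line[0].isspace() else qualify(fields.pop(0), origin)
        last_owner = owner
        ttl, rclass = default_ttl, "IN"            # TTL and class are optional and may appear in either order
        while fields and fields[0] not in TYPES:
            tok = fields.pop(0)
            if tok.isdigit():
                ttl = int(tok)
            elif tok in CLASSES:
                rclass = tok
            else:
                raise ValueError(f"unexpected token {tok!r} in line: {raw}")
        if not fields:
            raise ValueError(f"missing record type in line: {raw}")
        if ttl is None:
            raise ValueError(f"no TTL for {owner} and no $TTL default")
        rtype, rdata = fields[0], " ".join(fields[1:])
        if rtype in NAME_RDATA:
            rdata = qualify(rdata, origin)
        elif rtype == "MX":
            pref, host = rdata.split()
            rdata = f"{pref} {qualify(host, origin)}"
        records.append((owner, ttl, rclass, rtype, rdata))
    return records

def rrsets(records):
    """Group records by (owner, class, type): an RRset is what one RRSIG covers in DNSSEC."""
    groups = defaultdict(list)
    for owner, _, rclass, rtype, rdata in records:
        groups[(owner, rclass, rtype)].append(rdata)
    return dict(groups)
```

Note how the two A records for the zone apex become a single RRset with two RDATA values, exactly the grouping slide 20 describes, while the CNAME for www is its own RRset.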
16. What is Zone Transfer?
• The process of retrieving zone data from another authoritative server
(the master server)
• Initiated by the secondary/slave server for backup and redundancy
purposes.
• Takes place over TCP because the data is usually greater than 512
bytes
• The client sends an AXFR query
• A security risk if anyone can transfer the zone from the DNS server, since the
transfer hands over every record in the zone.
• Zone transfers should only be allowed from approved systems.
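On the detection side of the last two points, here is an added example (my own, not from the deck) that scans query-log lines for zone-transfer requests (AXFR, and IXFR, the incremental variant) coming from hosts that are not on the approved list of secondaries. The log lines are constructed and only loosely modelled on a BIND-style query log; the approved networks and the addresses are made up for the example.

```python
import re
import ipaddress

# Secondaries allowed to pull the zone (constructed). In practice this mirrors the primary's transfer ACL.
APPROVED_SECONDARIES = [ipaddress.ip_network("192.168.30.54/32"), ipaddress.ip_network("10.10.0.0/24")]
TRANSFER_TYPES = {"AXFR", "IXFR"}      # full and incremental zone-transfer query types

# Constructed query-log lines, loosely modelled on a BIND-style query log; not a real capture.
LOG_LINES = """\
12-Mar-2024 10:01:02.114 client 192.168.30.54#51002 (example.com): query: example.com IN AXFR -T (192.168.30.53)
12-Mar-2024 10:03:17.530 client 203.0.113.9#40011 (example.com): query: example.com IN AXFR -T (192.168.30.53)
12-Mar-2024 10:03:18.002 client 203.0.113.9#40012 (example.com): query: example.com IN IXFR -T (192.168.30.53)
12-Mar-2024 10:04:00.777 client 198.51.100.20#33333 (www.example.com): query: www.example.com IN A -E (192.168.30.53)
""".splitlines()

LINE_RE = re.compile(r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+ \((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>[A-Z]+)")

def is_approved(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_SECONDARIES)

def parse_line(line: str):
    """Extract (client ip, queried name, query type) from one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    return (m["ip"], m["qname"], m["qtype"]) if m else None

def find_unapproved_transfers(lines):
    """Return (client ip, zone, qtype) for every zone-transfer request from a host that is not an approved secondary."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in TRANSFER_TYPES and not is_approved(parsed[0]):
            findings.append(parsed)
    return findings
```

A hit from this check means the server is at least being asked for the zone by an unexpected host; whether it actually answered is decided by the server's transfer ACL (for BIND, the `allow-transfer` option), which is the control the slide is asking for.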
18. DNS Security
• DNS Spoofing/DNS Cache poisoning – An attacker redirects the victim to a
malicious website by inserting false information into a DNS cache.
• Typically resolvers have no way to verify the DNS data in their cache, and the
information remains there until the TTL expires or it is removed manually.
• A more secure extension, DNSSEC, aims to solve these problems but
has not been widely adopted yet.
19. What is DNSSEC?
• Short for DNS Security Extensions
• DNSSEC adds a layer of security on top of the original design of DNS.
• It protects DNS clients from accepting false/forged information into
their cache.
• All answers in DNSSEC are digitally signed using public-key
cryptography.
20. DNSSEC Terminologies
• RRSet (Resource Record Set) – Group of records with the same owner name and type.
e.g. multiple A records for a name are grouped into a single A record set.
• Zone-Signing Keys (ZSK) – Used to sign/verify each RRSet in the zone.
• RRSig (Resource Record Signature) – Record containing an RRSet’s digital
signature.
• Key-Signing Keys (KSK) – Used to sign/verify the zone’s keys (the DNSKEY RRSet).
• Fingerprint – Hash/digest of a public key.
• DS (Delegation Signer) – A record in the parent zone containing the hash of the child zone’s
pubKSK (public KSK)
22. DNSSEC Chain of Trust: Root Zone (diagram: Client, Local DNS server, Root Name Server)
• Client sends a recursive query to the local caching DNS server.
• The root name server returns to the local DNS server:
• Root zone’s DNSKEY record: root pubZSK and root pubKSK
• RRSig of DNSKEY (signed with root PvtKSK)
• DS record for the .com zone (hash of .com zone’s pubKSK)
• RRSig of the DS record (signed with root PvtZSK)
• Referral to the .com name server
• The local DNS server verifies the root zone using the root pubKSK it already holds.
23. DNSSEC Chain of Trust: .com Zone (diagram: Client, Local DNS server, Root Name Server, .com Name Server)
• Client sends a recursive query to the local caching DNS server.
• The local DNS server already holds the DS record for the .com zone (hash of .com zone’s pubKSK) from the root.
• The .com name server returns to the local DNS server:
• .com zone’s DNSKEY RRSet: .com pubZSK and .com pubKSK
• RRSig of DNSKEY (signed with .com PvtKSK)
• DS record for the “example” zone (hash of example zone’s pubKSK)
• RRSig of the DS record for the “example” zone (signed with .com PvtZSK)
• Referral to the example.com name server
• The local DNS server verifies the .com zone.
24. DNSSEC Chain of Trust: example.com Zone (diagram: Client, Local DNS server, Root Name Server, .com Name Server, example.com Name Server)
• Client sends a recursive query to the local caching DNS server.
• The local DNS server already holds the DS record for the “example” zone (hash of example zone’s pubKSK) from .com.
• The example.com name server returns to the local DNS server:
• “example” zone’s DNSKEY RRSet: “example” pubZSK and “example” pubKSK
• RRSig of DNSKEY (signed with “example” PvtKSK)
• example.com zone’s “A” RRSet: 192.X.X.X
• RRSig of the “A” RRSet (signed with “example” PvtZSK)
• The example.com name server sends the requested IP address to the local resolver.
• The local DNS server verifies the “example” zone.
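The chain of trust walked on slides 18 to 24, as an added, runnable example (my own code, not from the deck). Three zones (root, com, example.com) each hold a KSK and a ZSK; the KSK signs the DNSKEY RRset, the ZSK signs every other RRset including the DS records for child zones, and each DS is the hash of the child's pubKSK. The validator starts from the root pubKSK as trust anchor and, zone by zone, checks DS → pubKSK, RRSig(DNSKEY) → pubZSK, RRSig(DS) → next zone, and finally RRSig(A) → the answer. The signatures use a toy RSA on tiny primes so that the block runs with the standard library only; real DNSSEC keys, algorithms and record encodings are of course different, and the key values and zone content here are constructed.

```python
import hashlib

# Toy RSA on tiny primes so the example runs with the standard library only.
# Constructed for illustration; real DNSSEC uses RSA/ECDSA/EdDSA keys of proper size.
E = 65537

class Key:
    def __init__(self, name, p, q):
        self.name, self.n = name, p * q              # n is the public key (pubKSK / pubZSK)
        self.d = pow(E, -1, (p - 1) * (q - 1))       # d stays with the zone operator (PvtKSK / PvtZSK)

def h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(key: Key, data: bytes) -> int:
    return pow(h(data) % key.n, key.d, key.n)

def verify(pub_n: int, data: bytes, sig: int) -> bool:
    return pow(sig, E, pub_n) == h(data) % pub_n

def canonical(owner, rtype, rdata) -> bytes:
    # One byte string per RRset (owner, type, sorted RDATA): this is what an RRSIG covers.
    return "\n".join([owner, rtype, *sorted(map(str, rdata))]).encode()

def ds_digest(pub_ksk_n: int) -> str:
    # DS record content: hash of the child zone's public KSK.
    return hashlib.sha256(str(pub_ksk_n).encode()).hexdigest()

class Zone:
    def __init__(self, name, ksk, zsk, records):
        self.name, self.ksk, self.zsk, self.records, self.children = name, ksk, zsk, records, {}

    def delegate(self, child):
        self.children[child.name] = ds_digest(child.ksk.n)

    def publish(self):
        """What a resolver fetches: RRset -> (rdata, RRSIG). DNSKEY flag 257 marks the KSK, 256 the ZSK."""
        dnskey = [f"257 {self.ksk.n}", f"256 {self.zsk.n}"]
        out = {"DNSKEY": (dnskey, sign(self.ksk, canonical(self.name, "DNSKEY", dnskey)))}
        for rtype, rdata in self.records.items():                 # ordinary RRsets: signed by the ZSK
            out[rtype] = (list(rdata), sign(self.zsk, canonical(self.name, rtype, rdata)))
        for child, ds in self.children.items():                   # DS for each child: signed by the ZSK
            out[("DS", child)] = ([ds], sign(self.zsk, canonical(child, "DS", [ds])))
        return out

def validate(trust_anchor_n, published, chain, qtype):
    """Walk root -> leaf. `published` maps zone name -> publish() output; `chain` lists zone names root first.
    Returns the validated RDATA or raises ValueError on the first check that fails."""
    expected = ds_digest(trust_anchor_n)             # for the root, the trust anchor plays the role of the DS
    for i, zone in enumerate(chain):
        data = published[zone]
        dnskey, dnskey_sig = data["DNSKEY"]
        ksk_n = next(int(r.split()[1]) for r in dnskey if r.startswith("257 "))
        zsk_n = next(int(r.split()[1]) for r in dnskey if r.startswith("256 "))
        if ds_digest(ksk_n) != expected:                             # 1. pubKSK must match the parent's DS
            raise ValueError(f"{zone}: pubKSK does not match DS / trust anchor")
        if not verify(ksk_n, canonical(zone, "DNSKEY", dnskey), dnskey_sig):   # 2. KSK vouches for the ZSK
            raise ValueError(f"{zone}: bad RRSIG over DNSKEY RRset")
        if i + 1 < len(chain):                                       # 3. ZSK vouches for the child's DS
            child = chain[i + 1]
            ds, ds_sig = data[("DS", child)]
            if not verify(zsk_n, canonical(child, "DS", ds), ds_sig):
                raise ValueError(f"{zone}: bad RRSIG over DS record for {child}")
            expected = ds[0]
        else:                                                        # 4. ZSK vouches for the answer RRset
            rdata, sig = data[qtype]
            if not verify(zsk_n, canonical(zone, qtype, rdata), sig):
                raise ValueError(f"{zone}: bad RRSIG over {qtype} RRset")
            return rdata

def build_chain():
    root = Zone(".", Key("root KSK", 61, 53), Key("root ZSK", 71, 67), {})
    com = Zone("com", Key("com KSK", 101, 107), Key("com ZSK", 109, 113), {})
    example = Zone("example.com", Key("example KSK", 127, 131), Key("example ZSK", 139, 149),
                   {"A": ["192.168.30.1"]})
    root.delegate(com)
    com.delegate(example)
    return root.ksk.n, {z.name: z.publish() for z in (root, com, example)}

def resolve_a(poisoned=False):
    """Return the validated A RDATA, or the validation error message. poisoned=True swaps in a forged
    A record (constructed cache-poisoning scenario) whose RRSIG no longer matches the data."""
    anchor, published = build_chain()
    if poisoned:
        _, old_sig = published["example.com"]["A"]
        published["example.com"]["A"] = (["203.0.113.66"], old_sig)
    try:
        return validate(anchor, published, [".", "com", "example.com"], "A")
    except ValueError as err:
        return str(err)
```

The poisoned run is the point of slide 19: the forged A record passes every check up to the leaf and is rejected only because its RRSig does not verify under the "example" pubZSK, which itself is trusted only because the chain DS → pubKSK → DNSKEY held at every level above.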
25. Overview (diagram: Client sends a recursive query to the local caching DNS server; Local DNS server, Root Name Server, .com Name Server, example.com Name Server, www.example.com Web Server)