DNS Fundamental
Andy Hidayat
FreeBSD SysAdmin
Overview
❖ What is DNS?
❖ DNS Characteristics
❖ DNS Components
➢ Root Servers
➢ Domain and Namespaces
➢ Delegation and Zones
➢ Nameservers
➢ Resolvers
❖ DNS Resource Records
❖ DNS Query
❖ DNS Evolution
What is DNS?
❖ Think of it as the phonebook of the Internet
❖ A distributed, hierarchical system for translating objects
❖ One of the foundations of the Internet
❖ A critical piece of the Internet infrastructure
❖ The database of Internet domain names
DNS Characteristics
❖ Globally distributed: multiple DNS servers managed by different operators
❖ Loosely coherent: even though it is distributed, all the servers are still part of a single global DNS system
❖ Scalable: the system can be scaled up by adding more servers
❖ Reliable: critical to the function of the Internet, so it must be reliable
❖ Dynamic: anyone can add domains and records without causing an outage
References: RFC 1032, RFC 1034
More about DNS Characteristics
❖ DNS is a client-server application
➢ The client (resolver) must initiate the request
➢ The DNS server responds with the requested record information
❖ Requests and responses are normally sent via UDP port 53
❖ TCP port 53 is occasionally used as an alternative
❖ TCP is also used for larger requests
➢ E.g. zone transfers
DNS Components
DNS Server Components: Root Servers
❖ The top of the DNS hierarchy
❖ The root servers contain the global list of top level domains (TLDs)
➢ Generic top level domains (gTLD): .com, .net, .org
➢ Country code top level domains (ccTLD): .us, .id, .au
❖ There are 13 root name servers operated around the world: [a-m].root-servers.net
❖ There are actually far more than 13 physical root nameservers
➢ Each has instances deployed via anycast
➢ As of 2021, there are more than 1300 instances
DNS Server Components: Domains
Domains are “namespaced”
DNS Server Components: Zones
The idnic.net zone doesn’t include kadabra.idnic.net since it has been “delegated”
DNS Server Components: Delegation
❖ Administrators can create subdomains to group hosts
❖ Administrators can delegate responsibility for managing a subdomain to someone else
❖ The parent domain retains links to the delegated subdomain
❖ Delegation is done by adding NS records
DNS Server Components: Zones
❖ Zones are “administrative spaces”
❖ Zone administrators are responsible for a portion of a domain’s namespace
❖ Multiple zones can exist on the same DNS server
❖ Authority is delegated from parent to child
DNS Server Components: Name Servers
❖ Name servers answer DNS questions (queries)
❖ Several types of name servers
➢ Authoritative servers
■ Primary
■ Secondary
➢ Recursive servers
■ Caching forwarders
❖ A single server can combine these functions
More about Authoritative Nameservers
❖ Authorized to provide the answer for a particular domain
➢ There can be more than one server
❖ Management method types
➢ Primary (Master)
➢ Secondary (Slave)
❖ Only one primary nameserver
➢ All changes should be made on the primary
❖ Secondary name servers retrieve the zone file from the primary server periodically
❖ The primary server can “notify” the secondary servers
More about Recursive Nameservers
❖ Locate the authoritative nameserver to get back the answer
❖ The process is iterative: it starts at the root
❖ Recursive nameservers are also usually caching servers
➢ They cache the answer locally
❖ Prefer a nearby cache
➢ Minimizes latency
➢ Reduces traffic
DNS Client Components: Resolvers
❖ The part of the OS which formats the DNS request into UDP packets
➢ getaddrinfo, gethostbyname
❖ Every OS or host needs a resolver
➢ On Linux, it is configured in /etc/resolv.conf
➢ Generally there can be more than one server address
❖ Stub resolver
➢ A tiny DNS proxy
➢ Doesn't do DNS resolution on its own, it only forwards the query
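As an added example (not code from the slides), this is what a stub resolver actually puts into the UDP packet it sends to port 53, and the 2-byte length prefix that the TCP alternative adds in front of the same bytes; decoding the header also shows the TC (truncated) bit that tells a client to retry over TCP. The query name idnic.net, the transaction ID 0x1234 and the resolver address passed to send_udp are assumed values.

```python
import socket
import struct

# RR type codes for the types listed on the record-types slide
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}

def encode_name(name):
    """Encode a domain name as DNS labels: length byte + label, then a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234, over_tcp=False):
    """Build a standard query (class IN, RD=1); TCP framing adds a 2-byte length."""
    flags = 0x0100  # QR=0 (query), opcode 0, RD=1 (ask the server to recurse)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)
    msg = header + question
    return struct.pack("!H", len(msg)) + msg if over_tcp else msg

def parse_header(msg):
    """Decode the 12-byte header of a query or response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": flags >> 15 & 1,   # 0 = query, 1 = response
        "aa": flags >> 10 & 1,   # authoritative answer
        "tc": flags >> 9 & 1,    # truncated: retry the same query over TCP
        "rd": flags >> 8 & 1,    # recursion desired
        "ra": flags >> 7 & 1,    # recursion available
        "rcode": flags & 0xF,    # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def send_udp(msg, server, timeout=3.0):
    """Send one query to UDP port 53 and return the raw reply (needs a network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        data, _ = s.recvfrom(4096)
    # a reply whose ID does not match ours is not an answer to this query
    if parse_header(data)["id"] != parse_header(msg)["id"]:
        raise ValueError("transaction ID mismatch: reply is not for this query")
    return data
```

A run such as `parse_header(send_udp(build_query("idnic.net", "A"), "<resolver address>"))` shows qr=1 and the answer count in the reply.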
DNS Resource Records
DNS Resource Records: Zone file entries
Field   Function
LABEL   Name; substitution for the FQDN
TTL     Timing parameter, an expiration limit
CLASS   IN for Internet, CH for Chaos
TYPE    RR type (A, AAAA, MX, PTR) for different purposes
RDATA   Anything after the type identifier; additional data

Example entry:
event.idnic.net. 300 IN A 116.193.189.4
LABEL            TTL CLASS TYPE RDATA
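An added example (not from the slides) that splits a zone-file line into the five fields above, going a little beyond the slide: it also handles the optional TTL and CLASS (which RFC 1035 allows in either order), completes a relative LABEL with an assumed zone origin, and checks that A/AAAA RDATA really is an address of the right family. The origin idnic.net. and the default TTL are assumptions.

```python
import ipaddress

CLASSES = {"IN", "CH", "HS"}
TYPES = {"A", "AAAA", "MX", "NS", "PTR", "TXT", "CNAME", "SOA"}

def parse_rr(line, origin=".", default_ttl=3600):
    """Split one zone-file line into LABEL / TTL / CLASS / TYPE / RDATA.

    TTL and CLASS are optional and may appear in either order (RFC 1035);
    a LABEL without a trailing dot is completed with the zone origin, and
    '@' stands for the origin itself.  Returns None for blank/comment lines.
    Each line is assumed to carry its own owner name.
    """
    line = line.split(";", 1)[0].strip()  # drop a trailing ; comment
    if not line:
        return None
    tokens = line.split()
    label = tokens.pop(0)
    if label == "@":
        label = origin
    elif not label.endswith("."):
        label = label + "." if origin == "." else f"{label}.{origin}"
    ttl, rclass = default_ttl, "IN"
    # everything between LABEL and TYPE is either a TTL or a CLASS
    while tokens and tokens[0].upper() not in TYPES:
        tok = tokens.pop(0).upper()
        if tok.isdigit():
            ttl = int(tok)
        elif tok in CLASSES:
            rclass = tok
        else:
            raise ValueError(f"unexpected field {tok!r} in: {line}")
    if len(tokens) < 2:
        raise ValueError(f"missing TYPE or RDATA in: {line}")
    rtype = tokens.pop(0).upper()
    rdata = " ".join(tokens)
    # sanity-check the RDATA of the two address types shown on the slide
    if rtype == "A" and ipaddress.ip_address(rdata).version != 4:
        raise ValueError(f"A record needs an IPv4 address, got {rdata}")
    if rtype == "AAAA" and ipaddress.ip_address(rdata).version != 6:
        raise ValueError(f"AAAA record needs an IPv6 address, got {rdata}")
    return {"label": label, "ttl": ttl, "class": rclass, "type": rtype, "rdata": rdata}
```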
DNS Resource Records: Record Types
Record Type  Function
A            Maps a domain to an IPv4 address (idnic.net ⮕ 116.193.189.4)
AAAA         Maps a domain to an IPv6 address (idnic.net ⮕ 2406:6cc0:a100:4622:116:193:189:4)
MX           Defines where to deliver mail for user@domain
NS           Delegates a zone to another nameserver
PTR          Reverse mapping, IP address to domain
TXT          General purpose, contains text information
CNAME        Maps an alias to a domain
DNS Query
DNS Query: Forward DNS
❖ DNS requests are forwarded to a designated DNS server for resolution
❖ Forward DNS maps domain names into numeric IP addresses
➢ idnic.net ⮕ 116.193.189.4
➢ google.com ⮕ 2404:6800:4003:c05::64
❖ Each DNS forwarder usually also caches its requests and responses
DNS Query: Reverse DNS
❖ The opposite of forward DNS: maps numeric IP addresses into names
➢ 8.8.8.8 ⮕ 8.8.8.8.in-addr.arpa ⮕ dns.google.
➢ 1.1.1.1 ⮕ 1.1.1.1.in-addr.arpa ⮕ one.one.one.one.
➢ 2001:4860:4860::8888 ⮕ 8.8.8.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa ⮕ dns.google.
❖ Service denial: allow access only when fully reverse delegated
❖ Spam identification
❖ Registration responsibilities
DNS Query: IPv6
❖ AAAA (IPv6) record lookups against a DNS server reached over IPv4 work just fine
➢ An AAAA record is handled the same way as any other record
❖ Most software/clients also look up the AAAA record along with the A record
DNS Evolutions
DNS Evolutions: DNSSEC
❖ DNS by itself is not secure
❖ DNSSEC adds a layer of trust on top of DNS by providing authentication
❖ DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records
❖ DNSSEC adds two important features to the DNS protocol
➢ Data origin authentication
➢ Data integrity protection
DNS Evolutions: DoT (DNS over TLS)
❖ Encrypts DNS queries and answers via the SSL/TLS protocol
❖ It runs over TCP, not UDP
❖ Similar to HTTP ⮕ HTTPS, SMTP ⮕ SMTPS
❖ There is also Authoritative DNS-over-TLS (ADoT) and Zone Transfer-over-TLS (XFR-over-TLS)
❖ Supported by most DNS software
❖ Supported on Android since Android 9 Pie (Private DNS)
DNS Evolutions: DoH (DNS over HTTPS)
❖ Runs on top of another protocol (HTTPS)
❖ It has all the advantages of the HTTPS protocol
❖ Somewhat more popular than DoT
❖ Some browsers have a built-in DoH client implementation
❖ Supported by most DNS software
DNS Playground
★ https://messwithdns.net/
★ https://toolbox.googleapps.com/apps/dig/
★ https://dnschecker.org/
★ https://dnsdumpster.com/
★ https://intodns.com/
Questions?
APNIC Academy
https://s.id/1cwsb
#JagaTAUHID&StayNGOPREK
Thank You

DNS Fundamentals Presentation_PANDI-2022.pdf
