3. Overview
❖ What is DNS?
❖ DNS Characteristics
❖ DNS Components
➢ Root Servers
➢ Domain and Namespaces
➢ Delegation and Zones
➢ Nameservers
➢ Resolvers
❖ DNS Resource Records
❖ DNS Query
❖ DNS Evolution
4. What is DNS?
❖ Think of it as the phonebook of the Internet
❖ A distributed, hierarchical system for translating objects
❖ One of the foundations of the Internet
❖ A critical piece of the Internet infrastructure
❖ A database of Internet domain names
9. DNS Characteristics
❖ Globally distributed: multiple DNS servers managed by different operators
❖ Loosely coherent: even though it is distributed, all servers are still part of a single global DNS system
❖ Scalable: the system can be scaled up and more servers can be added
❖ Reliable: critical to the functioning of the Internet, so it must be reliable
❖ Dynamic: anyone can add domains and records without causing an outage
10. More about DNS Characteristics (RFC 1032, RFC 1034)
❖ DNS is a client-server application
➢ Clients (resolvers) must initiate the request
➢ The DNS server responds with the requested record information
❖ Requests and responses are normally sent via UDP port 53
❖ Occasionally uses TCP port 53 as an alternative
❖ Also uses TCP for larger requests
➢ E.g. zone transfers
12. DNS Server Components: Root Servers
❖ The top of the DNS hierarchy
❖ The root servers contain the global list of top level domains (TLD)
➢ Generic top level domains (gTLD): .com, .net, .org
➢ Country top level domains (cTLD): .us, .id, .au
❖ There are 13 root name servers operated around the world: [a-m].root-servers.net
❖ Actually there are more than 13 physical root nameservers
➢ Each has instances deployed via anycast
➢ As of 2021, there are more than 1300 instances
15. DNS Server Components: Delegation
❖ Administrators can create subdomains to group hosts
❖ Administrators can delegate responsibility for managing a subdomain to someone else
❖ The parent domain retains links to the delegated subdomain
❖ Delegation is done by adding NS records
16. DNS Server Components: Zones
❖ Zones are “administrative spaces”
❖ Zone administrators are responsible for a portion of a domain’s namespace
❖ Multiple zones can exist on the same DNS server
❖ Authority is delegated from parent to child
17. DNS Server Components: Name Servers
❖ Name servers answer DNS questions / queries
❖ Several types of name servers
➢ Authoritative servers
■ Primary
■ Secondary
➢ Recursive servers
■ Caching forwarders
❖ A single server often runs a mixture of these functions
18. More about Authoritative Nameservers
❖ Authorized to provide an answer for a particular domain
➢ There can be more than one server
❖ Management method types
➢ Primary (Master)
➢ Secondary (Slave)
❖ Only one primary nameserver
➢ All changes should be made on the primary
❖ Secondary name servers retrieve the zone file from the primary server periodically
❖ The primary server can “notify” the secondary servers
19. More about Recursive Nameservers
❖ Locate the authoritative nameserver to get back the answer
❖ The process is iterative: it starts at the root
❖ Recursive nameservers are also usually caching servers
➢ They cache the answer locally
❖ Prefer a nearby cache
➢ Minimizes latency issues
➢ Reduces traffic
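To make the iterative walk from the root and the role of the cache concrete, here is an added simulation (not code from the slides) that runs the lookup against in-memory stand-ins for authoritative servers. The server names and the delegation chain are constructed; only the final event.idnic.net. A record is taken from the slides.

```python
# Constructed in-memory stand-ins for authoritative servers.  Each server holds
# {(owner, type): [rdata, ...]} for its zone; NS records express delegation.
# Server names and the chain are made up; the A record is the one on the slides.
SERVERS = {
    "root": {("net.", "NS"): ["ns.tld-example."]},
    "ns.tld-example.": {("idnic.net.", "NS"): ["ns1.idnic-example."]},
    "ns1.idnic-example.": {("event.idnic.net.", "A"): ["116.193.189.4"]},
}
MAX_REFERRALS = 10   # guard against delegation loops


def resolve(qname, qtype, cache, trace):
    """Iterative lookup as a recursive resolver performs it.

    Answer from the cache if possible; otherwise start at the root and follow
    NS referrals for the closest enclosing delegation until a server returns
    an authoritative answer.  `trace` records every step for inspection.
    """
    key = (qname, qtype)
    if key in cache:
        trace.append(f"cache hit for {qname} {qtype}")
        return cache[key]
    server = "root"
    for _ in range(MAX_REFERRALS):
        trace.append(f"query {server} for {qname} {qtype}")
        zone = SERVERS[server]
        if key in zone:                       # authoritative answer
            cache[key] = zone[key]            # a real cache would honour the TTL
            return zone[key]
        # Pick the longest-matching delegation this server knows about.
        referral = None
        for (owner, rtype), rdata in zone.items():
            in_zone = qname == owner or qname.endswith("." + owner)
            if rtype == "NS" and in_zone:
                if referral is None or len(owner) > len(referral[0]):
                    referral = (owner, rdata[0])
        if referral is None:                  # no answer and no delegation
            return []
        trace.append(f"referral: {referral[0]} is served by {referral[1]}")
        server = referral[1]
    raise RuntimeError("too many referrals, possible delegation loop")
```

The first lookup touches three servers (root, TLD, authoritative); a repeat of the same question is answered from the cache without any query.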
20. DNS Client Components: Resolvers
❖ The part of the OS that formats the DNS request into UDP packets
➢ getaddrinfo, gethostbyname
❖ Every OS or host needs a resolver
➢ On Linux, it is configured in /etc/resolv.conf
➢ Generally there can be more than one server address
❖ Stub resolver
➢ A tiny DNS proxy server
➢ Does not do DNS resolution on its own; it only forwards the query
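What "formatting the request into a UDP packet" means in practice: the added example below (not from the slides) builds the 12-byte DNS header plus one question in wire format, and parses it back while checking every length field before trusting it. The transaction ID 0x1234 and the query names are constructed sample values.

```python
import struct

# QTYPE codes for the record types on the slides; QCLASS 1 is IN (Internet).
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: <len><label>... terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label length must be 1..63 octets: {label!r}")
        out += bytes([len(raw)]) + raw
    if len(out) + 1 > 255:
        raise ValueError("name exceeds 255 octets")
    return out + b"\x00"


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Standard query: header (ID, flags RD=1, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], CLASS_IN)


def parse_question(packet: bytes) -> tuple:
    """Read (txid, qname, qtype, qclass) from a query, validating lengths."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError(f"expected exactly one question, got {qdcount}")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:                       # 0xC0.. would be a compression pointer
            raise ValueError("label too long or compression pointer in question")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels) + ".", qtype, qclass
```

The bytes returned by build_query are exactly what a stub resolver would hand to sendto() on UDP port 53.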
22. DNS Resource Records: Zone file entries
LABEL: Name substitution for the FQDN
TTL: Timing parameter, an expiration limit
CLASS: IN for Internet, CH for Chaos
TYPE: RR type (A, AAAA, MX, PTR) for different purposes
RDATA: Anything after the TYPE identifier, additional data

Example entry:
event.idnic.net. 300 IN A 116.193.189.4
LABEL            TTL CLASS TYPE RDATA
23. DNS Resource Records: Record Types
A: Maps a domain to an IPv4 address (idnic.net ⮕ 116.193.189.4)
AAAA: Maps a domain to an IPv6 address (idnic.net ⮕ 2406:6cc0:a100:4622:116:193:189:4)
MX: Defines where to deliver mail for user @ domain
NS: Delegates a zone to another nameserver
PTR: Reverse mapping, IP address to domain
TXT: General purpose, contains text information
CNAME: Maps an alias to a domain
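The two tables above (zone file fields and record types) can be exercised with the added parser below, which is not from the slides: it splits an entry into LABEL, TTL, CLASS, TYPE and RDATA, tolerates the omitted or reordered TTL/CLASS that RFC 1035 permits, and checks that the RDATA fits the TYPE (an A record must carry an IPv4 address, an AAAA record an IPv6 address, an MX record a numeric preference).

```python
import ipaddress
from typing import Optional

# Record types from the slide table and how many RDATA fields each carries
# (None = free-form text, as for TXT).
RDATA_FIELDS = {"A": 1, "AAAA": 1, "NS": 1, "PTR": 1, "CNAME": 1, "MX": 2, "TXT": None}
CLASSES = {"IN", "CH"}


def parse_rr(line: str, default_ttl: Optional[int] = None) -> dict:
    """Split one zone-file entry (with an explicit LABEL) into its five fields.

    TTL and CLASS may be omitted or swapped; TYPE is the first token that is a
    known record type.  RDATA is validated according to the TYPE.
    """
    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError(f"too few fields: {line!r}")
    label, rest = tokens[0], tokens[1:]
    ttl, rclass = default_ttl, "IN"
    while rest and rest[0] not in RDATA_FIELDS:
        tok = rest.pop(0)
        if tok.isdigit():
            ttl = int(tok)
        elif tok in CLASSES:
            rclass = tok
        else:
            raise ValueError(f"unknown TYPE or field {tok!r} in {line!r}")
    if not rest:
        raise ValueError(f"no record type in {line!r}")
    if ttl is None:
        raise ValueError(f"no TTL given and no default ($TTL) set: {line!r}")
    rtype, rdata = rest[0], rest[1:]
    want = RDATA_FIELDS[rtype]
    if want is not None and len(rdata) != want:
        raise ValueError(f"{rtype} expects {want} RDATA field(s), got {rdata}")
    if rtype == "A":
        ipaddress.IPv4Address(rdata[0])       # raises ValueError if not IPv4
    elif rtype == "AAAA":
        ipaddress.IPv6Address(rdata[0])       # raises ValueError if not IPv6
    elif rtype == "MX" and not rdata[0].isdigit():
        raise ValueError(f"MX preference must be numeric: {rdata[0]!r}")
    return {"LABEL": label, "TTL": ttl, "CLASS": rclass, "TYPE": rtype,
            "RDATA": " ".join(rdata)}


def rr_error(line: str, default_ttl: Optional[int] = None) -> Optional[str]:
    """Lint helper: return the problem with an entry, or None if it parses."""
    try:
        parse_rr(line, default_ttl)
        return None
    except ValueError as exc:
        return str(exc)
```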
26. DNS Query: Forward DNS
❖ DNS requests are forwarded to a designated DNS server for resolution
❖ Forward DNS maps domain names to numeric IP addresses
➢ idnic.net ⮕ 116.193.189.4
➢ google.com ⮕ 2404:6800:4003:c05::64
❖ Each DNS forwarder usually also caches its requests and responses
27. DNS Query: Reverse DNS
❖ The opposite of forward DNS: maps numeric IP addresses to names
➢ 8.8.8.8 ⮕ 8.8.8.8.in-addr.arpa ⮕ dns.google.
➢ 1.1.1.1 ⮕ 1.1.1.1.in-addr.arpa ⮕ one.one.one.one.
➢ 2001:4860:4860::8888 ⮕ 8.8.8.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa ⮕ dns.google.
❖ Service denial: some services allow access only when the client address is fully reverse delegated
❖ Spam identification
❖ Registration responsibilities
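The in-addr.arpa and ip6.arpa names above follow a fixed construction; this added example (not from the slides) builds them by hand in both directions, so the IPv6 nibble expansion is visible, and goes back from a PTR owner name to the address it covers, which is handy when reading reverse-zone files or logs that only show the .arpa name.

```python
import ipaddress


def reverse_name(address: str) -> str:
    """Build the PTR owner name for an IPv4 or IPv6 address.

    IPv4: the four octets reversed under in-addr.arpa.
    IPv6: the address expanded to 32 hex nibbles, reversed and dotted under ip6.arpa.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = format(int(ip), "032x")         # zero-padded, no :: compression
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def address_from_reverse_name(name: str) -> str:
    """Inverse mapping: turn a PTR owner name back into the address it covers."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4:
            raise ValueError(f"in-addr.arpa name must have 4 octets: {name!r}")
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32 or not all(len(n) == 1 for n in nibbles):
            raise ValueError(f"ip6.arpa name must have 32 nibbles: {name!r}")
        # int(..., 16) rejects non-hex nibbles; IPv6Address compresses the output
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    raise ValueError(f"not a reverse-mapping name: {name!r}")
```

The hand-built names agree with the standard library's `ipaddress.ip_address(x).reverse_pointer`, which can serve as a cross-check.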
28. DNS Query: IPv6
❖ AAAA (IPv6) record lookups against a DNS server reached over IPv4 work just fine
➢ An AAAA record is handled the same as any other record
❖ Most software/clients also look up AAAA records along with A records
32. DNS Evolutions: DNSSEC
❖ DNS by itself is not secure
❖ DNSSEC adds a layer of trust on top of DNS by providing authentication
❖ DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records
❖ DNSSEC adds two important features to the DNS protocol
➢ Data origin authentication
➢ Data integrity protection
33. DNS Evolutions: DoT (DNS over TLS)
❖ Encrypts DNS queries and answers with the SSL/TLS protocol
❖ It runs over TCP, not UDP
❖ Similar to HTTP ⮕ HTTPS, SMTP ⮕ SMTPS
❖ There is also Authoritative DNS-over-TLS (ADoT) and Zone Transfer-over-TLS (xfr-over-TLS)
❖ Supported by most DNS software
❖ Supported on Android since Android 9 Pie (Private DNS)
34. DNS Evolutions: DoH (DNS over HTTPS)
❖ Runs on top of another protocol (HTTPS)
❖ It has all the advantages of the HTTPS protocol
❖ Somewhat more popular than DoT
❖ Some browsers have a built-in DoH client implementation
❖ Supported by most DNS software