2.4 Domain Name System (DNS)

Overview of DNS
  • DNS (Domain Name System) functions as the "phonebook of the Internet," translating human-readable hostnames into machine-readable IP addresses.

  • It is an application layer protocol that runs over UDP port 53 for ordinary queries and over TCP port 53 for zone transfers and responses too large for a single UDP datagram (port 5353 belongs to multicast DNS, not to unicast DNS).

  • It is critical for modern internet functionality, enabling users to access services without memorizing complex numerical addresses.

DNS Structure and Services
  • DNS is a distributed, hierarchical database designed to handle billions of queries daily.

  • Core Functions:

    • IP Address Translation: Mapping hostnames (e.g., www.example.com) to IP addresses.

    • Host Aliasing: Providing a canonical (real) name for complex aliases.

    • Mail Server Aliasing: Identifying the correct mail servers via MX records.

    • Load Distribution: Mapping a single hostname to a set of IP addresses for traffic balancing across multiple servers.

Design Philosophy
  • Decentralization: Avoids a centralized database to prevent a single point of failure, traffic congestion, and maintenance bottlenecks.

  • Scalability: The distributed nature allows the system to scale efficiently as the number of devices on the internet grows.

  • Low Latency: Queries are often resolved locally or regionally, minimizing delay.

DNS Hierarchy
  1. Root DNS Servers: The top level of the hierarchy. There are 13 logical root name servers (labeled A through M), operated by 12 different organizations; each logical server is replicated at many sites worldwide using IP anycast, so the 13 addresses correspond to far more than 13 physical machines.

  2. Top-Level Domain (TLD) Servers: Responsible for top-level domains such as generic TLDs (.com, .org, .net) and country-code TLDs (.uk, .jp, .ca). Operated by registry operators such as Verisign (.com, .net); ICANN coordinates the namespace and accredits registrars rather than running the TLD servers itself.

  3. Authoritative Name Servers: These belong to organizations (e.g., universities or corporations) and provide definitive mappings for specific hostnames to IP addresses.

  4. Local DNS Servers (Resolvers): Generally provided by ISPs. When a host makes a DNS query, it is sent to the local DNS server which acts as a proxy, forwarding the query into the DNS server hierarchy.

Query Resolution and Caching
  • Iterative Queries: The queried server provides the best answer it has (often a reference to another DNS server) back to the local DNS server.

  • Recursive Queries: The queried server takes on the responsibility of resolving the name entirely by querying other servers and returning the final IP address to the requester.

  • DNS Caching: Once a server learns a mapping, it stores it in a cache. This speeds up subsequent requests and reduces traffic on higher-level servers.

    • TTL (Time to Live): Each cached record carries an expiration period set by the authoritative server; once it elapses the record is discarded, so stale mappings are eventually replaced and a change to an authoritative record propagates within one TTL.
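As an added worked example (not part of the original notes), the following Python simulates the local resolver described above: it walks the hierarchy iteratively (root, then TLD, then authoritative server), caches every answer and every NS delegation it learns with a TTL, and discards entries once they expire. The zone data, server names and addresses are constructed for the example (addresses come from the RFC 5737 documentation ranges), and servers are addressed by name instead of by IP to keep the simulation self-contained.

```python
import time

# Constructed zone data: server -> {owner name: [(Type, Value, TTL), ...]}.
# "root" and the two name-server names below are hypothetical.
ZONES = {
    "root": {"com.": [("NS", "a.gtld-servers.net.", 172800)]},
    "a.gtld-servers.net.": {"example.com.": [("NS", "ns1.example.com.", 172800)]},
    "ns1.example.com.": {
        "www.example.com.": [("A", "198.51.100.10", 300)],
        "ftp.example.com.": [("A", "198.51.100.20", 300)],
    },
}


def query_server(server, qname):
    """One iterative query: the server answers if it holds the name, otherwise it
    returns a referral to the most specific zone it delegates, else 'nxdomain'."""
    zone = ZONES[server]
    if qname in zone:
        return ("answer", zone[qname])
    best = None
    for owner in zone:
        if qname.endswith("." + owner) and (best is None or len(owner) > len(best)):
            best = owner
    if best is not None:
        return ("referral", best, zone[best])
    return ("nxdomain", None)


class Resolver:
    """Local DNS server: iterative resolution plus a TTL-bounded cache."""

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable clock so expiry can be tested
        self.cache = {}               # (name, type) -> (value, expires_at)
        self.trace = []               # servers contacted by the last resolve()

    def _cache_get(self, name, rtype):
        entry = self.cache.get((name, rtype))
        if entry and entry[1] > self.clock():
            return entry[0]
        self.cache.pop((name, rtype), None)   # expired (or absent): drop it
        return None

    def _cache_put(self, name, rtype, value, ttl):
        self.cache[(name, rtype)] = (value, self.clock() + ttl)

    def _closest_server(self, qname):
        """Start at the most specific cached NS delegation covering qname, else root."""
        labels = qname.split(".")
        for i in range(1, len(labels) - 1):
            ns = self._cache_get(".".join(labels[i:]), "NS")
            if ns:
                return ns
        return "root"

    def resolve(self, qname):
        self.trace = []
        cached = self._cache_get(qname, "A")
        if cached:
            self.trace.append("cache")
            return cached
        server = self._closest_server(qname)
        for _ in range(10):                        # bound the referral chain
            self.trace.append(server)
            kind, *rest = query_server(server, qname)
            if kind == "answer":
                for rtype, value, ttl in rest[0]:
                    self._cache_put(qname, rtype, value, ttl)
                    if rtype == "A":
                        return value
                return None
            if kind == "referral":
                zone, rrs = rest
                _rtype, nsname, ttl = rrs[0]
                self._cache_put(zone, "NS", nsname, ttl)   # remember the delegation
                server = nsname
            else:
                return None
        raise RuntimeError("too many referrals")


def demo():
    """Four lookups showing a full walk, a cache hit, a cached delegation, and expiry."""
    now = [1000.0]
    r = Resolver(clock=lambda: now[0])
    first = (r.resolve("www.example.com."), list(r.trace))    # root -> TLD -> authoritative
    second = (r.resolve("www.example.com."), list(r.trace))   # served from cache
    third = (r.resolve("ftp.example.com."), list(r.trace))    # only the authoritative server
    now[0] += 301                                             # A (TTL 300) expired, NS (172800) not
    fourth = (r.resolve("www.example.com."), list(r.trace))
    return first, second, third, fourth


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The fourth lookup is the interesting one for operators: the expired A record forces a new query, but the still-valid NS delegation means the resolver goes straight to the authoritative server, which is why root and TLD servers see so little of the total query load.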

Resource Records (RR)

DNS stores resource records in the format (Name, Value, Type, TTL).

  • Type A: $Name$ is the hostname, $Value$ is the IPv4 address.

  • Type AAAA: $Name$ is the hostname, $Value$ is the IPv6 address.

  • Type NS: $Name$ is a domain, $Value$ is the hostname of the authoritative name server.

  • Type CNAME: $Name$ is an alias for a "canonical" (real) name, $Value$ is the canonical name.

  • Type MX: $Value$ is the name of the mail server associated with the $Name$ domain.

  • Type TXT: Used for arbitrary text, often for security protocols like SPF and DKIM.

DNS Messages
  • DNS messages use a uniform header structure (12 bytes) containing:

    • Identification: A 16-bit number to match queries with replies.

    • Flags: Include indicators for query/reply, recursion desired, recursion available, and authoritative answer.

    • Sections: Question (target name and type), Answer (resource records), Authority (authoritative servers), and Additional (helpful extra information).
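As an added worked example (not code from the original notes), the following Python builds a DNS response in the RFC 1035 wire format described above and parses it back: the 12-byte header with its 16-bit identification and flag bits, the Question section, and the Answer, Authority and Additional sections decoded into the (Name, Value, Type, TTL) tuples of the Resource Records section. The message, the hostnames and the addresses are constructed for this example; the authority record's owner name uses a compression pointer so the parser's pointer handling is exercised.

```python
import struct

# Type codes from RFC 1035 (and AAAA from RFC 3596).
TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_MX, TYPE_AAAA = 1, 2, 5, 15, 28
TYPE_NAMES = {TYPE_A: "A", TYPE_NS: "NS", TYPE_CNAME: "CNAME", TYPE_MX: "MX", TYPE_AAAA: "AAAA"}
CLASS_IN = 1


def encode_name(name):
    """Hostname -> length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name as it appeared at the original position)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # 11xxxxxx: 14-bit pointer into msg
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16:                          # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_rr(name, rtype, ttl, rdata):
    """NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA. `name` may be pre-encoded bytes
    so the caller can supply a compression pointer."""
    owner = name if isinstance(name, bytes) else encode_name(name)
    return owner + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(txid, qname, qtype, answers, authority=(), additional=()):
    """12-byte header + question + RR sections. Flags 0x8580 = QR=1, AA=1, RD=1, RA=1, RCODE=0."""
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, len(answers), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + b"".join(answers) + b"".join(authority) + b"".join(additional)


def parse_flags(flags):
    return {"qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF, "aa": flags >> 10 & 1,
            "tc": flags >> 9 & 1, "rd": flags >> 8 & 1, "ra": flags >> 7 & 1, "rcode": flags & 0xF}


def parse_message(msg):
    """Parse header, question and the three RR sections into (Name, Value, Type, TTL)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, TYPE_NAMES.get(qtype, qtype)))

    def read_rrs(count, off):
        records = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype == TYPE_A and rdlen == 4:
                value = ".".join(str(b) for b in rdata)
            elif rtype in (TYPE_NS, TYPE_CNAME):
                value, _ = decode_name(msg, off)           # RDATA names may use pointers
            elif rtype == TYPE_MX:
                value = (struct.unpack("!H", rdata[:2])[0], decode_name(msg, off + 2)[0])
            else:
                value = rdata
            off += rdlen
            records.append((name, value, TYPE_NAMES.get(rtype, rtype), ttl))
        return records, off

    answers, off = read_rrs(an, off)
    authority, off = read_rrs(ns, off)
    additional, off = read_rrs(ar, off)
    return {"id": txid, "flags": parse_flags(flags), "questions": questions,
            "answers": answers, "authority": authority, "additional": additional}


def sample_response():
    """Constructed reply to 'www.example.com A?': answer, NS in authority, glue A in
    additional. Offset 16 is where 'example.com' starts inside the question name."""
    example_com_ptr = struct.pack("!H", 0xC000 | 16)
    msg = build_response(
        0x1A2B, "www.example.com", TYPE_A,
        answers=[build_rr("www.example.com", TYPE_A, 300, bytes([192, 0, 2, 10]))],
        authority=[build_rr(example_com_ptr, TYPE_NS, 86400, encode_name("ns1.example.com"))],
        additional=[build_rr("ns1.example.com", TYPE_A, 86400, bytes([192, 0, 2, 53]))])
    return parse_message(msg)


if __name__ == "__main__":
    for section, content in sample_response().items():
        print(section, content)
```

The hop limit in decode_name is the one detail worth copying into any real parser: a compression pointer that points at itself, or two that point at each other, is a well-formed byte string and will spin a naive decoder forever.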

Registering and Setting Up
  • Domains must be registered through a Registrar (accredited by ICANN).

  • To launch a site, you provide the registrar with the names and IP addresses of your primary and secondary authoritative name servers.

  • The registrar inserts a Type NS record (delegating the domain to your name server) and a Type A record for that name server (a "glue" record, so resolvers can reach a server whose name lies inside the domain it serves) into the TLD servers.

DNS Security and Extensions
  • Vulnerabilities: DNS is susceptible to Cache Poisoning (a forged reply that a resolver accepts and caches, after which every client of that resolver is sent to the attacker's address until the TTL expires) and to DDoS amplification attacks (small queries sent with a spoofed source address elicit much larger responses that are delivered to the victim).

  • DNSSEC (DNS Security Extensions): Provides data integrity and origin authentication by digitally signing DNS records, so a validating resolver can detect a response that was forged or tampered with. It does not encrypt queries or responses, so it offers no confidentiality against an observer on the path.
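As an added example (not from the original notes), the following Python shows the checks a cache-poisoning-resistant resolver applies to an incoming reply before anything from it reaches the cache: the reply must come from the server that was queried, arrive on the randomized source port the query left from, carry the random 16-bit identification of the outstanding query, repeat the question exactly, and only records inside the bailiwick of the zone being queried are accepted (an out-of-bailiwick additional record is the classic way to plant a poisoned entry). The replies are plain dicts constructed inline rather than parsed packets, and all names and addresses are hypothetical.

```python
import secrets


def in_bailiwick(owner, zone):
    """True if `owner` is `zone` itself or a name below it (case-insensitive)."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


class PendingQuery:
    """State kept for one outstanding query. An attacker who cannot see the query
    must guess both the 16-bit ID and the source port (about 2**32 combinations);
    with a fixed port only the ID (2**16) remains, which is brute-forceable."""

    def __init__(self, qname, qtype, server_addr):
        self.qname, self.qtype, self.server = qname, qtype, server_addr
        self.txid = secrets.randbelow(1 << 16)          # random identification
        self.src_port = 1024 + secrets.randbelow(64512)  # random ephemeral port


def validate_reply(pending, reply, from_addr, to_port, zone):
    """Return (records safe to cache, reason). Any failed check rejects the whole reply."""
    if from_addr != pending.server:
        return [], "reply not from the queried server"
    if to_port != pending.src_port:
        return [], "reply to wrong port"
    if reply["id"] != pending.txid:
        return [], "transaction ID mismatch"
    if reply["question"] != (pending.qname, pending.qtype):
        return [], "question section does not match query"
    accepted = []
    for name, value, rtype, ttl in reply["answers"] + reply["authority"] + reply["additional"]:
        if not in_bailiwick(name, zone):
            continue                    # drop data the queried zone is not authoritative for
        accepted.append((name, value, rtype, ttl))
    return accepted, "ok"


def demo():
    """A legitimate reply carrying one out-of-bailiwick record, a reply with a
    wrong ID, and a reply from the wrong address (all constructed)."""
    pending = PendingQuery("www.example.com.", "A", "192.0.2.53")
    zone = "example.com."
    legit = {
        "id": pending.txid,
        "question": ("www.example.com.", "A"),
        "answers": [("www.example.com.", "198.51.100.10", "A", 300)],
        "authority": [("example.com.", "ns1.example.com.", "NS", 86400)],
        "additional": [("ns1.example.com.", "192.0.2.53", "A", 86400),
                       ("www.bank.example.", "203.0.113.66", "A", 86400)],  # poison attempt
    }
    wrong_id = dict(legit, id=(pending.txid + 1) % 65536)
    return (validate_reply(pending, legit, "192.0.2.53", pending.src_port, zone),
            validate_reply(pending, wrong_id, "192.0.2.53", pending.src_port, zone),
            validate_reply(pending, legit, "203.0.113.9", pending.src_port, zone))


if __name__ == "__main__":
    for accepted, reason in demo():
        print(reason, accepted)
```

Note that these checks only raise the cost of blind spoofing; an attacker who can observe the query (on-path) learns the ID and port directly, and only DNSSEC validation, or an encrypted transport to a trusted resolver, defends against that case.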