DNS, or the Domain Name System, is an integral part of the Internet and is essential for the web to work at all — you can think of DNS as the phone book of the Internet.
What is DNS?
DNS or Domain Name System is a system, duh, of computers all around the world with the goal of converting domain names like google.com into their respective IP addresses.
You can think of the Domain Name System as a computer version of a phone book or the yellow pages — your browser does not know how to open a website just from its domain name; it needs to know the IP address of that website to open it.
Everything connected to the Internet has a unique IP address, which other devices use to find and connect to it.
To visit a website, you can either type in the IP address like 22.214.171.124 (IPv4) or 2a01:4f8:1c1c:6b4b::1 (IPv6), or just put in the domain name like google.com or techcorpus.com and press enter so that your browser can go and find the IP address using DNS.
DNS eliminates the need to memorize IP addresses. Everything on the Internet starts with a DNS request — whether you open a website or an app or send an email, your device first has to find the IP address of that service.
The system that converts domain names into IP addresses and vice versa is called DNS or Domain Name System, and the computers that run it are called DNS servers. Without DNS, we’d have to remember the IP address of every website we wanted to connect to — no fun.
How DNS Works
The Domain Name System (DNS) is all about converting a domain name into its IP address, so let’s follow the path of a DNS lookup as it travels from a web browser, through the DNS lookup process, and back again:
The complete process of querying and connecting to the desired website is a 10-step process, as explained in the diagram above:
Step 1: Everything starts when you type in a URL like example.com or open an app, and the query is received by the configured DNS resolver, aka the Resolving Name Server.
Your OS may already have the IP address of the domain you are trying to reach in its cache, or it may have been configured statically, but I have assumed that’s not the case here, so the OS sends the query to the configured Resolving Name Server (DNS resolver).
Step 2: The Resolving Name Server then queries a Root Name Server — the enigmatic trailing dot (.) at the end of the domain you are trying to connect to.
Your Resolving Name Server may also have the IP address in its cache, but I have assumed that’s not the case here, so it makes the query to the Root Name Server.
Step 3: The Root Name Server responds to the Resolving Name Server with the address of the Top Level Domain (TLD) Name Servers (such as .com or .net), which store information for the domains under them.
Step 4: The Resolving Name Server then queries the TLD Name Server (.com).
Step 5: The TLD Name Server responds to the Resolving Name Server with the address of the domain’s name server, aka the Authoritative Name Server for example.com.
Step 6: Now the Resolving Name Server queries the Authoritative Name Server for the IP address of the particular domain (example.com).
Step 7: The Authoritative Name Server responds to the Resolving Name Server with the IP address of that particular website.
Step 8: Now your DNS resolver, or Resolving Name Server, responds to the web browser with the IP address of the website.
The DNS lookup is complete here; now your web browser just needs to connect to the website or service to send and receive data.
Step 9: Your web browser now makes an HTTP request to the IP address provided by the Resolving Name Server.
Step 10: The web server of that website responds with the web page, which your web browser renders.
Woah! — that’s a lot of querying and responding just to open a website, but it all happens in just a few milliseconds. DNS was designed to be extremely fast and efficient, but not for privacy and security. Newer protocols like DNSSEC, DoH, DoT, etc. try to solve this problem.
DNS Server Types
There are basically four kinds of DNS servers needed to do a DNS lookup, apart from your device and the web server that finally serves the data:
Resolving Name Server
The Resolving Name Server, also called the DNS Resolver, DNS Recursor or Recursive Resolver, is the workhorse and the first step of the DNS lookup; it does all the querying and responding for you.
This is the DNS server that an end user has control over; you can protect your privacy by using an encrypted DNS resolver.
All Resolving Name Servers know the addresses of the Root Name Servers; they query the Root, TLD and Authoritative Name Servers and store all of that information in their cache so that next time they can respond to your DNS queries quickly.
Resolving Name Servers are an integral part of the DNS lookup, which is why it’s recommended to use a privacy-respecting encrypted DNS resolver like the ones recommended in this article.
Root Name Server
Root Name Servers are the ones that know the IP addresses of all the TLD name servers like .com, .org, .net, etc. — there are 13 root name servers around the world that are known to each and every DNS resolver.
These root name servers respond to a query with a referral to a TLD name server, based on the extension of the domain name (.com, .net, .org, etc.). There are multiple copies of each of the 13 root name servers all over the world, which use Anycast routing for speedy responses.
Root Name Servers are overseen by a non-profit called the Internet Corporation for Assigned Names and Numbers (ICANN), and are maintained by various other organizations like Verisign, NASA, etc.
TLD Name Server
TLD Name Servers are the ones that hold the addresses of the Authoritative Name Servers of all the domain names that share a common domain name extension, such as .com, .net or .org — whatever comes after the last dot (.) of the domain.
For example, a query for techcorpus.com is sent to a .com TLD name server, which then responds with the authoritative name server of that domain (techcorpus.com).
TLD Name Servers are maintained by the Internet Assigned Numbers Authority (IANA), a branch of ICANN, which breaks TLDs into two main groups:
- Generic Top-Level Domains (gTLDs): Domains that are not country specific, like .com, .org, .net, .edu, and .gov, etc.
- Country Code Top-Level Domains (ccTLDs): Domains that are specific to a country or state, like .uk, .us, .ru, and .jp, etc.
There are over 1500 top-level domains, and anyone can purchase a domain name under them from domain registrars like GoDaddy or Namecheap.
Authoritative Name Servers
Authoritative Name Servers are the ones that hold the IP addresses of the actual website you are trying to connect to; they are the last step of the DNS lookup.
These Authoritative Name Servers hold all the DNS records for the domain, like A, NS, CNAME, TXT, etc., including the IP address where the website is located.
Authoritative Name Servers are usually maintained either by the domain registrar or by the web hosting provider for the website; the developer or the website owner can also use a third-party DNS hosting provider for better reliability and speed.
This is the DNS server that developers and website owners have control over; you can improve DNS speed and reliability by using a DNS hosting provider.
DNS Query Types
DNS queries are classified into three types: recursive, non-recursive, and iterative. A DNS lookup may use a combination of these methods for an optimized process.
Usually, a DNS client (your device) issues a recursive query to a caching recursive DNS server, which then issues non-recursive or iterative queries to find the answer and send it back to the client.
Recursive Queries are made by your device (DNS Client) to the DNS resolver (Resolving Name Server) — the first step of DNS lookup.
In a recursive query, your device wants either the answer or a confirmation that the DNS resolver doesn’t know the answer.
Since all the queries made between your device (DNS Client) and the DNS Resolver (Resolving Name Server) are recursive in nature, the DNS Resolvers are also called DNS Recursive Resolver.
Non-Recursive Queries happen when the DNS resolver has the answer of the query made by your device, and responds immediately without querying any other name servers.
This happens when the DNS resolver has the IP address stored in its local cache or because it is the authoritative name server. Usually, DNS resolvers cache name server records to prevent additional bandwidth consumption and load on upstream servers.
In a non-recursive query, your device gets the answer from the DNS resolver directly from its cache.
Iterative Queries happen when the DNS resolver does not have the answer to the query made by your device in its cache. So it makes a request to a Root name server; the Root name servers know where to find the particular TLD name server, and the TLD name server knows where to find the Authoritative name server.
This is what happens in a typical scenario, as explained in the 10-step DNS lookup process above.
In an iterative query, your device gets the answer from the DNS resolver, which in turn obtained the information by querying the other name servers iteratively.
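To make the 10-step lookup and the three query types concrete, here is a small added example (my own illustration, not code from the original post): an in-memory model of root, TLD and authoritative servers with a resolving name server that answers recursive queries either from its cache (non-recursive) or by walking the delegation chain (iterative) and caching the answer by TTL. The server names, records and the TEST-NET address 192.0.2.10 are constructed sample data.

```python
import time

# Constructed stand-in for the DNS hierarchy (sample data, not real servers).
# Each server maps a name to a delegation ("NS", next_server) or an answer
# ("A", ip, ttl_seconds). 192.0.2.10 is a documentation (TEST-NET-1) address.
SERVERS = {
    "root": {"com.": ("NS", "tld-com")},
    "tld-com": {"example.com.": ("NS", "auth-example")},
    "auth-example": {"www.example.com.": ("A", "192.0.2.10", 300)},
}


class Resolver:
    """Resolving Name Server: takes a recursive query from the client, answers
    from cache (non-recursive) or walks root -> TLD -> authoritative (iterative)."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so TTL expiry can be tested
        self.cache = {}                # qname -> (ip, expiry_timestamp)
        self.upstream_queries = []     # (server, qname) trace of the last lookup

    def resolve(self, qname):
        """Return (ip, how) with how = 'non-recursive' (cache hit) or 'iterative'."""
        self.upstream_queries = []
        hit = self.cache.get(qname)
        if hit and hit[1] > self.now():
            return hit[0], "non-recursive"       # Step 1 ends here: answer is cached
        server = "root"                          # Step 2: every resolver knows the root
        while True:
            self.upstream_queries.append((server, qname))
            rec = self._ask(server, qname)
            if rec is None:
                raise LookupError(f"{qname}: no answer or delegation from {server}")
            if rec[0] == "NS":
                server = rec[1]                  # Steps 3-6: referral, follow the delegation
                continue
            ip, ttl = rec[1], rec[2]             # Step 7: authoritative answer
            self.cache[qname] = (ip, self.now() + ttl)
            return ip, "iterative"               # Step 8: hand the answer to the client

    @staticmethod
    def _ask(server, qname):
        """Exact answer if the server has it, else the closest enclosing delegation."""
        zone = SERVERS[server]
        if qname in zone:
            return zone[qname]
        labels = qname.split(".")
        for i in range(1, len(labels)):          # example.com., then com., then .
            parent = ".".join(labels[i:])
            if parent in zone and zone[parent][0] == "NS":
                return zone[parent]
        return None
```

Calling `Resolver().resolve("www.example.com.")` twice shows the first lookup touching all three servers and the second answered from cache; a name nobody is authoritative for raises `LookupError`, the model's stand-in for NXDOMAIN.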
DNS Caching, Why, Where?
The whole point of caching (storing) the IP address and other DNS results locally in the browser, in the operating system, or on the DNS resolver is so that your device doesn’t have to ask for the IP address every time, which improves performance and efficiency.
DNS caching is done for a set amount of time determined by a time-to-live (TTL), and it happens at three levels:
Browser DNS Caching
All modern browsers have a built-in cache for DNS records. This is the first place your browser checks for the IP address of the domain name in question.
In Chrome, you can check your DNS cache by going to chrome://net-internals/#dns
In Firefox, you can check your DNS cache by going to about:networking#dns
Operating System (OS) DNS Caching
Your operating system also caches DNS records — this is the second and last place your browser checks for the IP address before sending the query to the Resolving Name Server.
In Windows, you can check your DNS cache by opening the command prompt (CMD) and entering ipconfig /displaydns
In macOS, you can check your DNS cache by opening the Console app, selecting your device, and entering any:mdnsresponder into the search bar. Then, in a terminal, enter: sudo killall -INFO mDNSResponder
In Linux, you can check your DNS cache by opening a terminal and running: service nscd status or sudo service nscd status
DNS Resolver DNS Caching
All DNS resolvers have a cache for storing the DNS records they have already learned, so they can answer the next request for the same name directly.
DNS Security Protocols
There are many DNS security protocols designed to make DNS queries more private and secure, as well as to make DNS entries more reliable and trustworthy:
DNSSEC stands for “Domain Name System Security Extensions”; it allows registrants to digitally sign the information they put into the Domain Name System, protecting you from DNS data that has been corrupted, accidentally or maliciously.
DNSSEC adds a layer of protection by providing authentication, as all answers from DNSSEC-protected zones are digitally signed:
By checking the digital signature, a DNS resolver is able to check if the information is identical (i.e. unmodified and complete) to the information published by the zone owner and served on an authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect any data published in the DNS, including text records (TXT) and mail exchange records (MX), and can be used to bootstrap other security systems that publish references to cryptographic certificates stored in the DNS such as Certificate Records, SSH fingerprints, IPSec public keys, and TLS Trust Anchors. (DNSSEC on Wikipedia)
It’s a great tool created by engineers at the Internet Engineering Task Force (IETF) to solve the lack of strong authentication in DNS. You can learn more about DNSSEC on this ICANN page.
DNS over TLS
DNS over TLS, or DoT, is a security protocol that encrypts your DNS queries and answers using the Transport Layer Security (TLS) protocol, with the goal of increasing user privacy and security by preventing eavesdropping on and manipulation of DNS data.
It uses the dedicated port 853; some providers also support port 443, which generally works everywhere, while port 853 is often blocked by restrictive firewalls. DoT adds a layer of protection by providing confidentiality: the DNS queries that would otherwise travel in the clear over UDP are carried inside a TLS session.
DNS over HTTPS
DNS over HTTPS, or DoH, is similar to DoT: it encrypts your DNS queries and answers using the Hypertext Transfer Protocol Secure (HTTPS), with the goal of increasing user privacy and security by preventing eavesdropping on and manipulation of DNS data.
It uses port 443, making it indistinguishable from normal HTTPS traffic and hence more difficult to block. DoH adds a layer of protection by providing confidentiality, by carrying DNS queries inside HTTPS.
DoT encrypts your normal UDP (User Datagram Protocol) DNS queries via TLS, while DoH camouflages your DNS queries as encrypted web requests over HTTPS.
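As an added illustration of how DoH “camouflages” a query (my example, not code from the original post), the following builds the same wire-format DNS message a stub resolver would send over plain UDP and wraps it in an RFC 8484 GET URL, then decodes it again. The resolver URL https://doh.example/dns-query is a placeholder, not a real service.

```python
import base64
import struct


def encode_qname(name):
    """Wire-format name: one length byte per label, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("DNS labels must be 1-63 bytes long")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0):
    """DNS query message (RFC 1035): 12-byte header plus one question.
    qtype 1 = A record. DoH uses transaction id 0 so that identical
    queries yield identical, cacheable URLs."""
    flags = 0x0100                                   # RD=1: recursive query
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(resolver_url, name, qtype=1):
    """RFC 8484 GET form: ?dns=<base64url of the wire message, no padding>."""
    param = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"{resolver_url}?dns={param.decode('ascii')}"


def decode_dns_param(param):
    """Reverse of the encoding above: restore padding and decode base64url."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_question(msg):
    """Read the question section back out of a wire-format message."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return ".".join(labels) + ".", qtype, qclass
```

For www.example.com this yields the dns= value AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB, the same as the worked example in RFC 8484; on the wire it is just one more HTTPS request to port 443, which is the whole point.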
DNSCrypt
DNSCrypt is another security protocol, just like DoT and DoH, designed to protect user privacy and security by preventing eavesdropping on and manipulation of DNS data.
It is an older technology and uses port 443, just like DoH.
Anonymized DNSCrypt is a new lightweight protocol that hides your IP address by using relays to forward encrypted DNS data — instead of reaching the DNS server directly, the client encrypts the query and sends it to a relay, which forwards it to the actual DNS server. It is a relatively new protocol, created in 2019, and is currently only supported by dnscrypt-proxy and a limited number of relays.
DNSCurve
DNSCurve is a proposed alternative to DNSSEC — it uses Curve25519 elliptic curve cryptography to establish keys used by the Salsa20 stream cipher, paired with the Poly1305 message authentication code, to encrypt and authenticate DNS packets between resolvers and authoritative servers.
It is a very fast protocol designed by Daniel J. Bernstein, with the goal of drastically improving every dimension of DNS security:
- Confidentiality: encrypts all DNS packets
- Integrity: cryptographically authenticates all DNS responses, eliminating forged DNS packets
- Availability: recognizes and discards forged packets, so attackers can’t prevent your DNS data from getting through
Anycast DNS
In Anycast, unlike Unicast, many servers can share a single IP address, allowing many-to-one instead of one-to-one transmission. There are other routing schemes like Multicast, Broadcast, and Geocast.
Anycast DNS servers allow your device to get DNS responses from the DNS server that is geographically closest to it, reducing latency, improving uptime of the DNS resolving service, and providing protection against DNS flood DDoS attacks.
You can think of Anycast DNS resolvers as CDNs (Content Delivery Networks) for DNS: they spread the load and serve your device from the closest server.
DNS Privacy and Security
DNS was not designed with privacy and security as goals, but speed and efficiency. Most of the DNS exploits below can be mitigated via newer DNS security protocols like DNSSEC, DoH, DoT, DNSCurve, etc.
Here are some of the most common DNS exploits:
- DNS Cache Poisoning / Spoofing: In DNS spoofing, attackers try to inject malicious data into your DNS resolver’s cache to redirect victims to a malicious website. It can be prevented via DNSSEC or DNSCurve.
- DNS Hijacking / Domain Theft: In DNS hijacking, attackers try to redirect DNS queries to a different authoritative name server, hence redirecting victims to a malicious website. ICANN imposes a 60-day waiting period between a change in registration information and a transfer to another registrar to mitigate this issue.
- DNS Flood Attack: In a DNS flood attack, attackers flood your DNS servers with requests in an attempt to cause a denial of service for legitimate traffic. You can use a DDoS mitigation provider like Cloudflare or Akamai to mitigate this attack.
- DNS Tunneling: In DNS tunneling, attackers use DNS as camouflage to bypass firewalls, hiding malware or stolen information inside DNS queries.
- NXDOMAIN Attack: An NXDOMAIN attack, similar to a DNS flood attack, is also a DDoS attack where attackers flood your DNS servers with requests for records that don’t exist, in an attempt to cause a denial of service for legitimate traffic.
- Random Subdomain Attack: In a random subdomain attack, attackers send DNS queries for many random, non-existent subdomains of your legitimate site with the goal of creating a denial of service for the domain’s authoritative name server.
- Phantom Domain Attack: In a phantom domain attack, similar to an NXDOMAIN attack, attackers flood your DNS resolver with queries for “phantom domains” whose servers either respond very slowly or not at all.
- Botnet-based CPE Attack: In this attack, attackers use botnets of compromised customer premises equipment (CPE) like routers and switches to carry out random subdomain attacks that target all traffic to the site.
These are some of the better-known DNS vulnerabilities, most of which can be mitigated via DNSSEC, Anycast routing, DNS firewalls, and other DNS security protocols.
There are basically two major approaches to mitigating these DNS privacy and security issues using security protocols like DNSSEC, DoH, DoT, DNSCrypt, and DNSCurve:
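As an added, defender-side illustration of two of the attacks above (my example over a constructed log, not code from the original post): a few resolver query-log lines are scanned for the DNS tunneling pattern (long, high-entropy leftmost labels sent repeatedly under one zone) and for the random-subdomain / NXDOMAIN pattern (one client collecting many NXDOMAIN answers under one zone). The clients, names, log format and thresholds are all made up for the demonstration and would need tuning against real traffic.

```python
import math
from collections import Counter

# Constructed resolver query log (sample data, not real traffic): "client qname rcode".
SAMPLE_LOG = """\
10.0.0.5 www.example.com. NOERROR
10.0.0.5 mail.example.com. NOERROR
10.0.0.7 aGVsbG8gd29ybGQ.t.badzone.test. NOERROR
10.0.0.7 ZXhmaWx0cmF0ZWQ.t.badzone.test. NOERROR
10.0.0.7 c2VjcmV0ZGF0YQ.t.badzone.test. NOERROR
10.0.0.9 qz8x1.example.com. NXDOMAIN
10.0.0.9 k2lm9.example.com. NXDOMAIN
10.0.0.9 p0d4v.example.com. NXDOMAIN
10.0.0.9 www.example.com. NOERROR
""".splitlines()


def parse(lines):
    """Split log lines into (client, qname, rcode) tuples, skipping blanks."""
    return [tuple(line.split()) for line in lines if line.strip()]


def zone_of(qname):
    """Approximate the registered zone as the last two labels (e.g. example.com.)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def entropy(s):
    """Shannon entropy in bits per character; encoded payloads score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def suspect_tunneling(records, min_len=12, min_entropy=3.0, min_hits=3):
    """DNS tunneling heuristic: a client repeatedly sends queries whose leftmost
    label is long and high-entropy, all under the same zone (data in the qname)."""
    hits = Counter()
    for client, qname, _ in records:
        first = qname.split(".")[0]
        if len(first) >= min_len and entropy(first) >= min_entropy:
            hits[(client, zone_of(qname))] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}


def suspect_random_subdomains(records, min_nx=3):
    """Random-subdomain / NXDOMAIN heuristic: a client collects many NXDOMAIN
    answers under one zone, the pattern that floods an authoritative server."""
    nx = Counter((c, zone_of(q)) for c, q, rcode in records if rcode == "NXDOMAIN")
    return {k: v for k, v in nx.items() if v >= min_nx}
```

Running `suspect_tunneling(parse(SAMPLE_LOG))` flags only client 10.0.0.7 under badzone.test., and `suspect_random_subdomains` flags only 10.0.0.9 under example.com.; the ordinary www and mail lookups pass both checks.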
Make it Harder to Eavesdrop
Making it harder to eavesdrop on DNS queries by using encryption is the easiest way to prevent most of these security issues. Encryption protocols like DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) can be used with the DNS resolver.
Reduce the Information Sent
The other approach is to reduce information exposure by reducing the amount of information sent in each DNS query. The IETF (Internet Engineering Task Force) proposed an approach to achieve this using a technique called Query Name Minimisation, or QNAME minimisation.
- How DNS works: a comic that explains what happens when you browse the internet, how DNS works, and everything in between.
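An added example of what QNAME minimisation changes on the wire (my illustration, not code from the post): for www.example.com. a classic resolver sends the full name to the root, the .com TLD and the example.com servers, while a minimising resolver (RFC 7816) sends each server only one label more than the zone it serves. The model assumes every label is a zone cut, as in the 10-step walkthrough above, and that the root is always known.

```python
def query_plan(qname, known_zones=(".",), minimise=True):
    """Return (server_zone, name_sent) pairs for resolving qname, starting at the
    deepest zone whose name servers are already cached (the root is always known).
    With minimise=True only the next label is revealed to each server (RFC 7816);
    with minimise=False the full name is sent to every server on the path."""
    labels = qname.rstrip(".").split(".")
    # zone cuts from the root down: ".", "com.", "example.com.", "www.example.com."
    cuts = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    start = max(i for i, zone in enumerate(cuts) if zone in known_zones)
    plan = []
    for i in range(start, len(cuts) - 1):
        sent = cuts[i + 1] if minimise else qname
        plan.append((cuts[i], sent))
    return plan


def labels_exposed(plan):
    """How many labels of the target name each queried server gets to see."""
    return {zone: len(sent.rstrip(".").split(".")) for zone, sent in plan}
```

With minimisation the root learns one label and the TLD two; without it every server on the path sees all three, which is exactly the exposure the technique removes.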
Domain Name System
The Domain Name System is an integral part of Internet infrastructure, designed to work fast and efficiently, as already discussed in this post; newer protocols like DNSSEC, DoH, and DNSCurve are trying to make DNS more private and secure.
That’s all Folks!
I will be updating this page frequently with more metadata removal tools and information. You should check out Encrypted DNS Resolvers to get more private and secure Resolving Name Servers, I have also written about DNS Hosting Providers so that you can have reliable Authoritative Name Servers.
Do let me know of any feedback, tips, or suggestions based on privacy and security tools you are using, feel free to drop a comment below!