How does DNS work? A big picture
- DNS Main architecture
- DNS Requests
- DNS Zone file records
- DNS Security
- Useful commands / tools
DNS Main architecture
The root servers are operated by a number of independent organisations, for example:
- Verisign (two of the thirteen root server identities)
- US Army Research Lab
- RIPE NCC
The root zone itself is managed by ICANN (through IANA); the root server operators are independent of each other.
Useful information regarding these root servers can be found here: https://root-servers.org/
TLDs are operated by registries, which can be companies, governments, or universities:
- “.fr” belongs to the “Association Française pour le Nommage Internet en Coopération” (AFNIC)
- “.apple” belongs to the company Apple
Different types of TLDs:
→ gTLD — Generic Top-Level Domain (.com, .net, .org, …)
→ sTLD — Sponsored Top-Level Domain (.edu, .gov, .museum, …)
→ ccTLD — Country Code Top-Level Domain (.fr, .de, .cd, …)
→ Infrastructure Top-Level Domain (only .arpa)
A lot of useful information regarding TLDs can be found here:
DNS public zone records
- A = IPv4 address
- AAAA = IPv6 address
- NS = identifies the authoritative name servers for a zone (whenever the set changes, the registrar has to update the delegation in the parent TLD registry)
- MX = specifies a mail server for the zone, with a priority (lower value = preferred)
- CNAME (canonical name) = an alias for another name. It cannot be used at the zone apex (the bare domain) and, DNSSEC signatures aside, cannot coexist with any other record at the same name
- ALIAS (a provider-specific virtual record type, not an IETF standard) behaves like a CNAME but is accepted at the apex because the provider resolves the target itself (so use it when your provider offers it)
- PTR (pointer) = a reverse DNS record, mapping an IP address back to a fully qualified hostname. How to use PTR? “dig -x [IP]” → it queries the matching in-addr.arpa (IPv4) or ip6.arpa (IPv6) name and returns the PTR record, i.e. the hostname
- SPF = sender policy for email, used by receivers to decide whether mail claiming your domain is legitimate (helps avoid being classified as spam). It is published as a TXT record (“v=spf1 …”); the dedicated SPF record type was deprecated by RFC 7208
- SOA (Start of Authority): stores the zone’s metadata: primary name server, administrator mailbox, serial number, and the refresh, retry, expire and negative-cache TTL timers
Secondary name servers use the serial and these timers to decide when to pull a zone transfer (AXFR/IXFR) from the primary.
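The rules above (no CNAME at the apex, a CNAME alone at its name, MX/NS targets that are real hosts, glue for in-zone name servers) are easy to break when editing a zone file by hand. As an added example that is not from the original page, the following Python checker parses a small constructed zone (names under the reserved example.com, addresses from the documentation range 192.0.2.0/24) and reports every violation it finds. The parser only handles the plain “owner TTL IN TYPE rdata” form, not the full BIND syntax.

```python
"""Zone-file sanity checker (added example, not from the original page) for the
record types listed above. It parses a constructed zone in the usual
'owner TTL IN TYPE rdata' layout and flags a CNAME at the apex, a CNAME sharing
its name with other data, MX/NS targets that are aliases, and in-zone name
servers without glue. Names use example.com; addresses come from 192.0.2.0/24."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Record(NamedTuple):
    owner: str   # fully qualified, lower-cased, with trailing dot
    ttl: int
    rtype: str
    rdata: str   # kept as text; only MX and NS targets are interpreted below


def parse_zone(text: str) -> List[Record]:
    """Deliberately smaller than BIND's parser: no $ORIGIN, no relative names,
    no multi-line records; ';' starts a comment."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, cls, rtype, rdata = line.split(None, 4)
        if cls.upper() != "IN" or not owner.endswith("."):
            raise ValueError(f"unsupported line: {raw!r}")
        records.append(Record(owner.lower(), int(ttl), rtype.upper(), rdata.strip()))
    return records


def check_zone(apex: str, records: List[Record]) -> List[str]:
    """Return the list of problems found (empty means every check passed)."""
    apex = apex.lower()
    by_owner: Dict[str, Dict[str, List[Record]]] = defaultdict(lambda: defaultdict(list))
    for r in records:
        by_owner[r.owner][r.rtype].append(r)
    problems: List[str] = []

    apex_types = by_owner.get(apex, {})
    if len(apex_types.get("SOA", [])) != 1:
        problems.append("apex must carry exactly one SOA record")
    if len(apex_types.get("NS", [])) < 2:
        problems.append("apex should carry at least two NS records")

    # A CNAME must be alone at its name and is never valid at the apex (RFC 1034 3.6.2)
    for owner, types in by_owner.items():
        if "CNAME" not in types:
            continue
        if owner == apex:
            problems.append(f"CNAME at the zone apex {owner} is not allowed")
        others = sorted(t for t in types if t != "CNAME")
        if others:
            problems.append(f"{owner} has a CNAME alongside {', '.join(others)}")

    def is_alias(name: str) -> bool:
        return "CNAME" in by_owner.get(name.lower(), {})

    # MX and NS must point at canonical names (RFC 2181 10.3); in-zone name
    # servers need address records so the parent can publish glue for them
    for owner, types in by_owner.items():
        for mx in types.get("MX", []):
            _priority, target = mx.rdata.split()
            if is_alias(target):
                problems.append(f"MX target {target} of {owner} is a CNAME")
        for ns in types.get("NS", []):
            target = ns.rdata.lower()
            if is_alias(target):
                problems.append(f"NS target {target} of {owner} is a CNAME")
            addr = by_owner.get(target, {})
            if target.endswith("." + apex) and not (addr.get("A") or addr.get("AAAA")):
                problems.append(f"in-zone name server {target} has no A/AAAA (glue) record")
    return problems


# Constructed sample zones: one clean, one with the classic mistakes
GOOD_ZONE = """
example.com.      3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
example.com.      3600 IN NS    ns1.example.com.
example.com.      3600 IN NS    ns2.example.com.
example.com.      3600 IN A     192.0.2.10
example.com.      3600 IN AAAA  2001:db8::10
example.com.      3600 IN MX    10 mail.example.com.
example.com.      3600 IN TXT   "v=spf1 mx -all"   ; SPF policy lives in a TXT record
www.example.com.   300 IN CNAME example.com.       ; an alias below the apex is fine
mail.example.com. 3600 IN A     192.0.2.25
ns1.example.com.  3600 IN A     192.0.2.1
ns2.example.com.  3600 IN A     192.0.2.2
"""

BAD_ZONE = """
example.com.      3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
example.com.      3600 IN NS    ns1.example.com.   ; a single NS, and no glue for it
example.com.      3600 IN CNAME www.example.com.   ; CNAME at the apex, next to SOA/NS/MX
example.com.      3600 IN MX    10 mail.example.com.
mail.example.com. 3600 IN CNAME www.example.com.   ; MX target is an alias
www.example.com.   300 IN A     192.0.2.10
www.example.com.   300 IN CNAME example.com.       ; CNAME next to an A at the same name
"""

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        issues = check_zone("example.com.", parse_zone(zone))
        print(f"{label} zone: {'OK' if not issues else str(len(issues)) + ' problem(s)'}")
        for problem in issues:
            print("  -", problem)
```

Running it reports nothing for the good zone and six problems for the bad one. The glue check matters in practice: if the parent registry has no address for ns1.example.com., resolvers cannot even reach your zone to ask for it.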
DNS Security
- Regular DNS traffic over port 53 (UDP or TCP) is plaintext, so every query you make is visible to your ISP or to anyone in a man-in-the-middle position, and can be modified by them.
DNSSEC does not provide confidentiality, only origin authentication and integrity (“the information comes from the right place and has not been modified”); it does not hide the queries.
Options for hiding queries from the network path:
- Use a VPN (this moves the trust to the VPN provider's resolver rather than removing it)
- DoT — DNS over TLS (RFC 7858, 2016): TCP port 853. A firewall can easily block this traffic because of the dedicated port 😭
- DoH — DNS over HTTPS (RFC 8484, 2018): hard to block, or even to tell apart from ordinary web traffic, as it uses TCP port 443
“As both DoT and DoH are relatively new, they are not universally deployed yet. On the server side, major public resolvers including Cloudflare’s 1.1.1.1 and Google DNS support it.”
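To make the DoT/DoH mechanics and the DNSSEC flags concrete, the following added example (not from the original page, nor from any resolver vendor) builds a DNS query in wire format with the EDNS DO bit set (what “dig +dnssec” sends), frames it for DoT, encodes it as a DoH GET URL, and decodes the header flags of a reply. The reply bytes are constructed inside the block, and `dns.example` / `resolver.example.net` are placeholder resolver names; `query_dot()` would perform a live DoT exchange with certificate verification but is not called.

```python
"""The bytes behind dig, DoT and DoH (added example, not from the original page).
build_query() makes an RFC 1035 query with an EDNS(0) OPT record whose DO bit
asks for DNSSEC data (RFC 6891); frame_for_tcp() adds the 16-bit length prefix
of DNS over TCP / DoT (RFC 7858); doh_get_url() encodes the same message for an
RFC 8484 GET; parse_header() reads reply flags such as AD (resolver validated).
dns.example and resolver.example.net are placeholders; the reply is constructed."""
import base64
import socket
import ssl
import struct
from typing import Dict

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}

def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: str, txid: int, dnssec_ok: bool = True) -> bytes:
    """12-byte header, one question, plus an OPT RR in the additional section if DO is wanted."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)  # 0x0100 = RD
    msg = header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)          # class IN
    if dnssec_ok:
        # OPT pseudo-RR: root owner name, TYPE 41, CLASS = UDP payload size (1232),
        # TTL field = extended RCODE, EDNS version, flags (DO = 0x8000), RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return msg

def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP and DoT prefix every message with its big-endian 16-bit length."""
    return struct.pack("!H", len(msg)) + msg

def doh_get_url(msg: bytes, endpoint: str = "https://dns.example/dns-query") -> str:
    """RFC 8484 GET form: ?dns=<base64url of the wire message, '=' padding removed>.
    RFC 8484 suggests txid 0 in DoH queries so identical questions give identical URLs."""
    return f"{endpoint}?dns={base64.urlsafe_b64encode(msg).rstrip(b'=').decode('ascii')}"

def doh_token_to_message(token: str) -> bytes:
    """What a DoH server does with the 'dns' parameter: restore padding and decode."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))

def parse_header(resp: bytes) -> Dict[str, object]:
    """Decode the 12-byte header; the keys match the flag names dig prints."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),  # response (vs query)
        "aa": bool(flags & 0x0400),  # authoritative answer
        "tc": bool(flags & 0x0200),  # truncated: retry over TCP
        "rd": bool(flags & 0x0100),  # recursion desired
        "ra": bool(flags & 0x0080),  # recursion available
        "ad": bool(flags & 0x0020),  # authenticated data: DNSSEC-validated by the resolver
        "cd": bool(flags & 0x0010),  # checking disabled
        "rcode": flags & 0x000F,     # 0 NOERROR, 2 SERVFAIL (also validation failure), 3 NXDOMAIN
        "counts": (qd, an, ns, ar),
    }

def _recv_exactly(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def query_dot(msg: bytes, server: str, port: int = 853, timeout: float = 5.0) -> bytes:
    """Send one framed query to a DoT resolver and return the raw reply (needs network).
    create_default_context() verifies the certificate chain and hostname; without that
    a man-in-the-middle can still serve forged answers over a 'secure' channel."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame_for_tcp(msg))
            (length,) = struct.unpack("!H", _recv_exactly(tls, 2))
            return _recv_exactly(tls, length)

def fake_validated_reply(txid: int, name: str) -> bytes:
    """Constructed reply: same ID, flags QR|RD|RA|AD (0x81A0), one A record 192.0.2.10
    whose owner is a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x81A0, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE["A"], 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + question + answer

if __name__ == "__main__":
    q = build_query("example.com", "A", txid=0x1234)
    print("query  :", q.hex())
    print("DoH GET:", doh_get_url(q))
    print("reply  :", parse_header(fake_validated_reply(0x1234, "example.com")))
    # Live use (network): parse_header(query_dot(q, "resolver.example.net"))
```

The “ad” flag is the one to look at after “dig +dnssec”: it is set by a validating resolver, so it only means something when the path between you and that resolver is itself trusted (DoT/DoH, or a validating resolver on localhost); over plain port 53 the flag can be forged like everything else.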
Useful commands / tools
How to check the DNS local cache on a computer?
→ On Windows: “ipconfig /displaydns” (and “ipconfig /flushdns” to clear it)
→ On Linux: it depends on the distribution and on which local resolver is running. With systemd-resolved, “resolvectl statistics” shows the cache size and hit/miss counters and “resolvectl flush-caches” empties it (the entries themselves are not listed). Without a local caching service (systemd-resolved, nscd, dnsmasq, unbound, …) there is no system-wide cache to inspect: glibc's stub resolver does not cache.
How to create my own DNS server?
→ use BIND (Berkeley Internet Name Domain)
It is free software: BIND 9 is released under the Mozilla Public License 2.0 (earlier versions used the ISC licence).
BIND is generally considered the most widely deployed DNS server software on the Internet.
It can act as a primary or secondary authoritative server (historically called master and slave) and as a caching recursive resolver.
On Ubuntu: “sudo apt-get install -y bind9”
Alternatives to BIND: “PowerDNS”, “dnsmasq” (the basis of Pi-hole's resolver), “djbdns”
Once installed, the domain administrator has to configure the zones BIND serves and, just as importantly, restrict what it does for whom: limit recursion (allow-recursion) and zone transfers (allow-transfer) to trusted clients, since an open recursive resolver gets abused for DDoS amplification and an open AXFR hands your whole zone to anyone who asks.
Important DNS related files on Ubuntu
/etc/hosts = static name-to-address mappings (such as localhost → 127.0.0.1). With the default /etc/nsswitch.conf (“hosts: files dns …”) it is consulted before DNS, so it takes priority.
/etc/resolv.conf = lists the recursive resolvers (such as Google, Cloudflare, or the ISP's servers) that the system's resolver library (not the kernel) uses for DNS queries. On systems running systemd-resolved it usually points at the local stub 127.0.0.53, which forwards to the real upstream resolvers (“resolvectl status” shows them).
Installing dig on Ubuntu: “sudo apt-get install dnsutils”
dig uses the default resolvers from /etc/resolv.conf.
However, it is possible to explicitly tell dig to use another one by adding “@[IP]” to any command, e.g. “dig @1.1.1.1 google.com”.
→ dig google.com = returns the A record (plus the question, authority and statistics sections)
→ dig google.com +short = prints only the answer data (shortened output)
→ dig google.com +noall +answer = prints only the answer section
→ dig google.com ANY = asks for all record types; many servers now refuse or minimise ANY answers (RFC 8482), so query each type explicitly instead (dig google.com MX, NS, TXT, …)
→ dig google.com +trace = resolves iteratively from the root, listing each server (root, TLD, authoritative) and its referral
→ dig -x 1.1.1.1 = looks up the PTR (reverse DNS) record for an address
Iterative vs recursive DNS
A recursive query (RD flag set, what a client's stub resolver sends) asks the resolver to do the whole lookup and return a final answer. An iterative query asks a server only for the best it has: an answer if it is authoritative, otherwise a referral to the name servers of the closest zone it knows about. A recursive resolver performs the iteration itself, starting at the root servers and following referrals (root → TLD → authoritative), which is exactly what “dig +trace” displays.
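As an added illustration that is not from the original page, the Python model below runs three in-memory authoritative servers (a stand-in root at 198.51.100.1, a .com server, and the example.com server; all addresses from the RFC 5737 documentation ranges) and a recursive resolver that iterates through them. It prints the same hop sequence that “dig +trace” shows and caches delegations, so the second lookup never touches the root again.

```python
"""Toy model of iterative vs recursive resolution (added example, not from the
original page). Three in-memory authoritative servers each hold only their own
zone plus the delegations below it, like the real root -> TLD -> zone chain.
RecursiveResolver does what a public resolver does for a stub client: iterate
from a root hint, follow referrals (using glue), follow CNAMEs, and cache both
answers and delegations. Data is constructed: example.com, RFC 5737 addresses,
198.51.100.1 standing in for a root server, a.gtld.example. for a .com server."""
from typing import Dict, List, Tuple

Zone = Dict[str, Dict[str, List[str]]]  # owner -> rtype -> rdata list

ROOT: Zone = {"com.": {"NS": ["a.gtld.example."]},             # delegation of .com
              "a.gtld.example.": {"A": ["192.0.2.1"]}}          # glue for it
COM: Zone = {"example.com.": {"NS": ["ns1.example.com."]},     # delegation of example.com
             "ns1.example.com.": {"A": ["192.0.2.53"]}}         # glue for it
EXAMPLE_COM: Zone = {"example.com.": {"NS": ["ns1.example.com."], "A": ["192.0.2.10"]},
                     "www.example.com.": {"CNAME": ["example.com."]},
                     "ns1.example.com.": {"A": ["192.0.2.53"]}}
# server address -> (apex of the zone it is authoritative for, zone data)
SERVERS: Dict[str, Tuple[str, Zone]] = {"198.51.100.1": (".", ROOT),
                                        "192.0.2.1": ("com.", COM),
                                        "192.0.2.53": ("example.com.", EXAMPLE_COM)}
ROOT_HINT = "198.51.100.1"


def suffixes(name: str) -> List[str]:
    """'www.example.com.' -> ['www.example.com.', 'example.com.', 'com.', '.']"""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def authoritative_answer(server: str, qname: str, qtype: str) -> Tuple[str, object]:
    """One non-recursive (RD=0) exchange with an authoritative server. Returns
    ('answer', rdata), ('cname', target), ('referral', (zone cut, {ns: glue})) or
    ('nxdomain', None); the server never looks anything up on the client's behalf."""
    apex, zone = SERVERS[server]
    rrs = zone.get(qname, {})
    if qtype in rrs:
        return "answer", rrs[qtype]
    if "CNAME" in rrs:
        return "cname", rrs["CNAME"][0]
    for cut in suffixes(qname):  # closest enclosing delegation first, never our own apex
        if cut != apex and "NS" in zone.get(cut, {}):
            glue = {ns: zone.get(ns, {}).get("A", [None])[0] for ns in zone[cut]["NS"]}
            return "referral", (cut, glue)
    return "nxdomain", None


class RecursiveResolver:
    """A stub client sends one query with RD=1 and gets a final answer back;
    the iteration and both caches live here, not on the client."""

    def __init__(self) -> None:
        self.answers: Dict[Tuple[str, str], List[str]] = {}
        self.delegations: Dict[str, str] = {}  # zone cut -> address of a server for it

    def resolve(self, qname: str, qtype: str) -> Tuple[List[str], List[str]]:
        """Returns (rdata list, trace of the servers consulted, like dig +trace)."""
        trace: List[str] = []
        return self._iterate(qname, qtype, trace, 0), trace

    def _iterate(self, qname: str, qtype: str, trace: List[str], depth: int) -> List[str]:
        if depth > 8:
            raise LookupError("too many CNAME/NS indirections")
        if (qname, qtype) in self.answers:
            trace.append(f"cache: {qname} {qtype} -> {self.answers[(qname, qtype)]}")
            return self.answers[(qname, qtype)]
        # start at the deepest delegation already known, otherwise at a root server
        server = next((self.delegations[c] for c in suffixes(qname) if c in self.delegations), ROOT_HINT)
        for _ in range(8):  # hop limit against referral loops
            kind, payload = authoritative_answer(server, qname, qtype)
            trace.append(f"{server} [{SERVERS[server][0]}] {qname} {qtype}: {kind}")
            if kind == "answer":
                self.answers[(qname, qtype)] = payload
                return payload
            if kind == "cname":
                return self._iterate(payload, qtype, trace, depth + 1)
            if kind == "referral":
                cut, glue = payload
                ns, addr = next(iter(glue.items()))
                if addr is None:  # no glue: resolve the name server's own address first
                    addr = self._iterate(ns, "A", trace, depth + 1)[0]
                self.delegations[cut] = addr
                server = addr
                continue
            raise LookupError(f"{qname} {qtype}: {kind}")
        raise LookupError("referral loop")


if __name__ == "__main__":
    resolver = RecursiveResolver()
    for name in ("example.com.", "www.example.com.", "example.com."):
        rdata, trace = resolver.resolve(name, "A")
        print(f"{name} A -> {rdata}")
        for hop in trace:
            print("   ", hop)
```

The first lookup walks root → .com → example.com; the second (www) goes straight to the example.com server because its delegation is cached, follows the CNAME, and is then served from the answer cache. This cache is also why resolver cache poisoning matters: a forged referral or answer accepted once is reused for every client behind that resolver until its TTL expires.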
Dig command for DNSSEC
→ dig [domain] +dnssec = sets the DO bit (via EDNS) so the resolver includes the RRSIG signatures in its answer; an “ad” flag in the response header means the resolver validated the answer. “dig [domain] +cdflag” asks the resolver to skip validation, which is useful for debugging a SERVFAIL caused by a broken signature.