DNS: The Internet’s Secret Address Book

Boring sh*t you need to know for cybersecurity

Sean Byrne
4 min read · Dec 18, 2024

What is DNS? DNS stands for Domain Name Service, and it translates human-readable domain names (the host part of a URL) into machine-readable IP addresses. When the internet was young, this service was not necessary: a hosts file stored locally on each machine mapped names to their corresponding IP addresses. That worked when there were only a few sites, but as the internet grew, keeping a static file updated on every machine became impractical. Hence the Domain Name Service (DNS) was created to provide a dynamic way of mapping names to IP addresses.

The Legacy of Hosts Files

Despite its limitations, the hosts file still exists on every computer and can be a vulnerability. The operating system consults the hosts file before it asks DNS, so an entry in that file wins over whatever DNS would have answered. If a bad actor alters the hosts file on a computer, the entries they add dictate where that computer sends traffic for the affected names.

Every computer has a hosts file (a plain-text file named hosts), but its location varies by operating system:

  • Windows: C:\Windows\System32\drivers\etc
  • Linux: /etc
  • macOS: /private/etc

Although the hosts file is a weak point, safeguards in other layers of the stack limit this type of attack. Still, awareness matters, and it doesn't hurt to check your hosts file to make sure it hasn't been changed.

Here's an example of a Windows hosts file (macOS and Linux look similar):

[Screenshot of a hosts file on Windows]

The main takeaway is that hosts files were the old way of mapping domain names to IP addresses. While still in use, they present a potential vulnerability.
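As an added example (not part of the original post), here is a small Python script that parses a hosts file the way the OS does and flags entries that pin a public-looking name to a routable address, which is exactly the kind of override that bypasses DNS. The sample content, domains and addresses are constructed, and the path table assumes the default hosts file locations listed above.

```python
import ipaddress
import platform

# Where the hosts file lives on each OS (the file itself is named "hosts").
HOSTS_PATHS = {
    "Windows": r"C:\Windows\System32\drivers\etc\hosts",
    "Linux": "/etc/hosts",
    "Darwin": "/private/etc/hosts",
}

# Constructed sample content (not read from a real machine): documentation IP
# ranges and placeholder domains, with two entries that override public names.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       myapp.local dev.myapp.local   # developer convenience
203.0.113.45    www.example-bank.com
198.51.100.7    update.example-vendor.com
"""
LOCAL_SUFFIXES = ("localhost", ".local", ".localdomain", ".test")

def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.extend((ip, name.lower()) for name in parts[1:])
    return entries

def suspicious_entries(text):
    """Entries that pin a public-looking name to a routable address and so bypass DNS."""
    flagged = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:   # normal local pins and 0.0.0.0 blocklists
            continue
        if name.endswith(LOCAL_SUFFIXES):          # developer / LAN names, not public ones
            continue
        flagged.append((str(ip), name))
    return flagged

def audit_local_hosts_file():
    """Read this machine's hosts file and return its suspicious entries."""
    with open(HOSTS_PATHS[platform.system()], encoding="utf-8", errors="replace") as f:
        return suspicious_entries(f.read())
```

On a clean machine `audit_local_hosts_file()` normally returns an empty list; anything it does return is worth explaining before you trust that machine's name resolution.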

The Advent of DNS

In 1983, Paul Mockapetris developed the Domain Name System (DNS), which introduced a dynamic and distributed architecture for mapping domain names to IP addresses. Instead of relying on one file to map domains to IPs, DNS created a hierarchical system with multiple files and servers. This distributed approach made the system redundant and resilient to outages. If one DNS server went down, others could step in to prevent the internet from breaking.

Components of DNS

DNS is composed of several key elements:

DNS Cache

  • A list of names and IP addresses that have already been queried, resolved, and cached, reducing the need for network traffic. This can also refer to a DNS server that performs recursive queries and caching without being an authoritative server.

Resolvers

  • Any hosts on the internet that need to look up domain information, such as your computer accessing a website.

Name Servers

  • Servers that store databases of names and IP addresses and respond to DNS queries from clients and other servers.

Name Space

  • The database of IP addresses and their associated names.

Zone Files and Resource Records

DNS configurations are divided into zone files and resource records, which contain specific information about a domain. Key components include:

Zone Files

  • Text files that define mappings between domain names and IP addresses or other resources.

Resource Records

  • Entries in zone files that define DNS-related data. Examples include:
      • SOA Records (Start of Authority): Authoritative information about a DNS zone, including the primary name server and contact details.
      • NS Records (Name Server): Specifies the authoritative name servers for the DNS zone.
      • A Records (Address): Maps a domain name to an IPv4 address.
      • CNAME Records (Canonical Name): Maps one domain name to another, often used for aliases.
      • PTR Records (Pointer): Maps an IP address to a domain name (reverse DNS).
      • MX Records (Mail Exchange): Specifies mail servers responsible for receiving email for the domain.
      • TXT Records: Provide additional information about a domain, such as domain verification or SPF (Sender Policy Framework) records.
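To show what these records look like in practice, here is an added example (not from the original post) that parses a small BIND-style zone file into resource records, handling the $ORIGIN and $TTL directives, relative owner names, an optional per-record TTL, and a multi-line SOA record. The zone content is constructed for the reserved example.test domain.

```python
# Constructed zone file for the reserved example.test domain (not a real zone)
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@       IN  SOA  ns1.example.test. hostmaster.example.test. (
                 2024121801 7200 900   ; serial, refresh, retry
                 1209600 300 )         ; expire, negative-caching TTL
@       IN  NS   ns1.example.test.
@       IN  NS   ns2.example.test.
@       IN  A    192.0.2.10
www 300 IN  CNAME example.test.
@       IN  MX   10 mail.example.test.
@       IN  TXT  "v=spf1 mx -all"
"""

def _logical_lines(text):
    """Strip ';' comments and join parenthesised multi-line records (SOA) into one line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # naive: a ';' inside quoted TXT data would be cut
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []

def parse_zone(text):
    """Return (owner, ttl, type, rdata) tuples with owner names made absolute."""
    origin, default_ttl, records = ".", 3600, []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        owner = origin if tokens[0] == "@" else tokens[0]
        if not owner.endswith("."):       # relative name: append the origin
            owner = f"{owner}.{origin}"
        rest, ttl = tokens[1:], default_ttl
        if rest[0].isdigit():             # optional per-record TTL
            ttl, rest = int(rest[0]), rest[1:]
        if rest[0] == "IN":               # class field; always IN for internet zones
            rest = rest[1:]
        records.append((owner, ttl, rest[0], " ".join(rest[1:])))
    return records
```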

How DNS Works

When you type a URL into your browser, a series of steps resolve the name into an IP address so your device can connect to the server hosting the website:

  1. Query the DNS Cache: Your computer first checks its local DNS cache to see if the IP address is already stored.
  2. Contact the Recursive Resolver: If the address isn’t in the cache, your computer contacts a recursive resolver (usually provided by your ISP or a public DNS service like Google DNS or Cloudflare DNS).
  3. Query the Root Name Server: The resolver queries one of the root name servers to locate the authoritative name server for the top-level domain (e.g., .com, .org).
  4. Query the Authoritative Name Server: The resolver contacts the authoritative name server for the domain to retrieve the correct IP address.
  5. Return the IP Address: The resolver returns the IP address to your computer, which can then connect to the website’s server.
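To make the lookup chain concrete, here is an added example (not from the original post) that simulates the recursive resolver's side of the steps above against a constructed in-memory set of name servers: it starts at the root, follows the referral to the TLD server and then to the zone's authoritative server, and caches the answer so a repeat query is served from the cache. The server names, example.com and the 192.0.2.x addresses are placeholders.

```python
import time

# Constructed in-memory "internet": each name server and the records it is
# authoritative for. example.com and 192.0.2.0/24 are reserved for documentation.
SERVERS = {
    "root":             {("com.", "NS"): "a.gtld.test."},
    "a.gtld.test.":     {("example.com.", "NS"): "ns1.example.com."},
    "ns1.example.com.": {("www.example.com.", "A"): "192.0.2.10"},
}

class RecursiveResolver:
    """Walks the hierarchy from the root (steps 3-4) and caches answers (step 1)."""

    def __init__(self, servers, ttl=300):
        self.servers, self.ttl = servers, ttl
        self.cache = {}   # (name, type) -> (value, expiry time)

    def _ask(self, server, name, rtype):
        """Emulate one query to an authoritative server: an answer or a referral."""
        zone = self.servers[server]
        if (name, rtype) in zone:
            return "answer", zone[(name, rtype)]
        labels = name.split(".")
        for i in range(1, len(labels) - 1):        # closest enclosing delegation
            parent = ".".join(labels[i:])
            if (parent, "NS") in zone:
                return "referral", zone[(parent, "NS")]
        return "nxdomain", None

    def resolve(self, name, rtype="A"):
        """Return (value, path): value is None if unknown, path lists servers asked."""
        key = (name, rtype)
        if key in self.cache and self.cache[key][1] > time.monotonic():
            return self.cache[key][0], ["cache"]
        server, path = "root", []
        for _ in range(8):                         # hop limit guards against referral loops
            path.append(server)
            kind, data = self._ask(server, name, rtype)
            if kind == "answer":
                self.cache[key] = (data, time.monotonic() + self.ttl)
                return data, path
            if kind != "referral" or data == server or data not in self.servers:
                break
            server = data                          # follow the delegation one level down
        return None, path
```

The `path` list returned for the first lookup is the delegation chain the text describes; the second lookup's path is just `["cache"]`, which is also why a poisoned cache entry is so damaging: every later query trusts it without walking the chain again.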

DNS Security Challenges

While DNS is critical to the internet’s functionality, it is also a common target for attacks, such as:

  • DNS Spoofing: Attackers alter DNS records to redirect traffic to malicious sites.
  • DDoS Attacks: Overwhelming DNS servers with traffic, rendering them unavailable.
  • Cache Poisoning: Corrupting a DNS cache to redirect users to fraudulent sites.

To combat these risks, DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS data so that resolvers can verify that a response is authentic and has not been altered in transit.

Conclusion

DNS is the backbone of the internet, enabling seamless navigation by translating human-readable domain names into machine-readable IP addresses. From its humble beginnings with host files to the sophisticated, distributed system in use today, DNS has evolved to meet the demands of a rapidly expanding and interconnected world. Understanding its components, vulnerabilities, and safeguards can help you better appreciate how the internet works and how to protect yourself in an increasingly digital landscape.
