The Domain Name System (DNS) is one of the foundations of the internet, yet most people outside of networking probably don’t realize they use it every day to do their jobs, check their email or waste time on their smartphones.
At its most basic, DNS is a directory of names that match with numbers. The numbers, in this case are IP addresses, which computers use to communicate with each other. Most descriptions of DNS use the analogy of a phone book, which is fine for people over the age of 30 who know what a phone book is.
If you’re under 30, think of DNS like your smartphone’s contact list, which matches people’s names with their phone numbers and email addresses. Then multiply that contact list by everyone else on the planet.
When the internet was very, very small, it was easier for people to correspond specific IP addresses with specific computers, but that didn’t last for long as more devices and people joined the growing network. In addition to creating a directory for all of these devices, words were used to let people connect to different sites; for most people, remembering words is easier than remembering specific sets of numbers. It is still possible to type in a specific IP address into a browser to reach a website.
How DNS servers work
The DNS directory that matches name to numbers isn’t located all in one place in some dark corner of the internet. Like the internet itself, the directory is distributed around the world, stored on domain name servers that all communicate with each other on a very regular basis to provide updates and redundancies. With more than 332 million domain names listed at the end of 2017, a single directory would be very large indeed.
Each named site can correspond to more than one IP address. In fact, some sites have hundreds or more IP addresses that correspond with a single domain name. For example, the server your computer reaches for www.google.com is likely completely different from the server that someone in another country would reach by typing the same site name into their browser.
Another reason for the distributed nature of the directory is the amount of time it would take for you to get a response when you were looking for a site if there was only one location for the directory, shared among the millions, probably billions, of people also looking for information at the same time. That’s one long line to use the phone book.
Instead, DNS information is shared among many servers, but is also cached locally on client computers. Chances are that you use google.com several times a day. Instead of your computer querying the DNS name server for the IP address of google.com every time, that information is saved on your computer so it doesn’t have to access a DNS server to resolve the name with its IP address. Additional caching can occur on the routers used to connect clients to the internet, as well as on the servers of the user’s Internet Service Provider (ISP). With so much caching going on, the number of queries that actually make it to DNS name servers is a lot lower than it would seem.
How DNS adds efficiency
DNS is organized in a hierarchy that helps keep things running quickly and smoothly. To illustrate, let’s pretend that you wanted to visit networkworld.com.
The initial request for the IP address is made to a recursive resolver, a server that is usually operated by an ISP or other third-party provider. The recursive resolver knows which other DNS servers it needs to ask to resolve the name of a site (networkworld.com) with its IP address. This search leads to a root server, which knows all the information about top-level domains, such as .com, .net, .org and all of those country domains like .cn (China) and .uk (United Kingdom). Root servers are located all around the world, so the system usually directs you to the closest one geographically.
Once the request reaches the correct root server, it goes to a top-level domain (TLD) name server, which stores the information for the second-level domain, the words used before you get to the .com, .org, .net (for example, that information for networkworld.com is “networkworld”). The request then goes to the Domain Name Server, which holds the information about the site and its IP address. Once the IP address is discovered, it is sent back to the client, which can now use it to visit the website. All of this takes mere milliseconds.
Because DNS has been working for the past 30+ years, most people take it for granted. Security also wasn’t considered when building the system, so hackers have taken full advantage of this, creating a variety of attacks.
DNS reflection attacks
DNS reflection attacks can swamp victims with high-volume messages from DNS resolver servers. Attackers request large DNS files from all the open DNS resolvers they can find and do so using the spoofed IP address of the victim. When the resolvers respond, the victim receives a flood of unrequested DNS data that overwhelms their machines.
DNS cache poisoning
DNS cache poisoning can divert users to malicious Web sites. Attackers manage to insert false address records into the DNS so when a potential victim requests an address resolution for one of the poisoned sites, the DNS responds with the IP address for a different site, one controlled by the attacker. Once on these phony sites, victims may be tricked into giving up passwords or suffer malware downloads.
DNS resource exhaustion
DNS resource exhaustion attacks can clog the DNS infrastructure of ISPs, blocking the ISP’s customers from reaching sites on the internet. This can be done by attackers registering a domain name and using the victim’s name server as the domain’s authoritative server. So if a recursive resolver can’t supply the IP address associated with the site name, it will ask the name server of the victim. Attackers generate large numbers of requests for their domain and toss in non-existent subdomains to boot, which leads to a torrent of resolution requests being fired at the victim’s name server, overwhelming it.
What is DNSSec?
DNS Security Extensions is an effort to make the communication among the various levels of servers involved in DNS lookups more secure. It was devised by the Internet Corporation for Assigned Names and Numbers (ICANN), the organization in charge of the DNS system.
ICANN became aware of weaknesses in the communication between the DNS top-level, second-level and third-level directory servers that could allow attackers to hijack lookups. That would allow the attackers to respond to requests for lookups to legitimate sites with the IP address for malicious sites. These sites could upload malware to users or carry out phishing and pharming attacks.
DNSSEC would address this by having each level of DNS server digitally sign its requests, which insures that the requests sent in by end users aren’t commandeered by attackers. This creates a chain of trust so that at each step in the lookup, the integrity of the request is validated.
In addition, DNSSec can determine if domain names exist, and if one doesn’t, it won’t let that fraudulent domain be delivered to innocent requesters seeking to have a domain name resolved.
As more domain names are created, and more devices continue to join the network via internet of things devices and other “smart” systems, and as more sites migrate to IPv6, maintaining a healthy DNS ecosystem will be required. The growth of big data and analytics also brings a greater need for DNS management.
(Keith Shaw is a former senior editor for Network World and an award-winning writer, editor and product reviewer who has written for many publications and websites around the world.)