DNS: The hearth of our Internet
We depend on DNS, when we use Internet services, like social media, email, videos, streams or play games we use DNS. But what is DNS exactly. Basically every device connected to the internet has an IP address. DNS just connects an easy to remember name like google.com with the IP address of that server, for example 172.217.16.110. When you connect to google.com the browser sends a request to a DNS server and asks for the IP of google.com. This is called a request / question. Then the server sends the IP back to the browser, this is called a response / answer.
The protocol
DNS runs on port 53 udp, and it can fallback to port 53 tcp. It sends hex bytes that need to be parsed in order to get data out of it. It's clear text, meaning that anyone can change/look at the request/response your getting. There's DNS over TLS, but it's new tech and DNS over HTTPS which translates DNS to HTTPS using a google DNS lookup webservice.
DNS request/response pairs must have identical Transaction IDs. Transaction ID is the first 2 bytes of the packet.
Every DNS packet looks the same, they just have a different bit set for request/response. The 3rd and the 4th byte of the DNS packet represents the Flags, inside there you have the first bit set to 0 if it's a question or 1 if it's an answer.
Requests
The packet has the question count set to 1 or more. This is just a count, that indicates how many questions we have.
Next we have a questions section, which lists the questions asked by the browser.
A question has the following values:
Namethe IP address or Name to lookupTypethe type of the questionClassthis pretty much has a constant value of 0x0001 the IN (Internet) class
Some of the question types:
| Question type | Description |
|---|---|
A | IPv4 Address Lookup |
NS | Get the address of the authoritative name servers in the zone |
CNAME | Get the domain name from a domain name (domain name -> domain name redirects) |
SOA | Get information about the current zone |
PTR | Get the hostname of an IP address |
MX | Mail Exchange, get the domain name of the mailing server from a domain name |
AAAA | IPv6 Address Lookup |
TXT | Additional information about the DNS record |
Responses
After the browser requests a domain name, the server needs to respond to that query. In the response flags you can find the opcode which should say 0x0000 (success).
Here are some of the opcodes:
| OpCode | Description |
|---|---|
0 | Success |
1 | Bad Format, the request is probably corrupted |
2 | Server fail, this is a server side error, like HTTP 500 |
3 | Non existent domain, probably invalid domain name |
4 | Not implemented, query type is not implemented on this server |
5 | Query Refused, just denying to query the domain name |
The DNS response should reinclude the question, and should append one or more answers to the answers section. The answer count gives information about how many answers did the server have.
An answer has the following values:
Namethe IP address or domain name to lookupTypethe type of the lookupClass, the class of the lookup, usually it's 0x0001 the IN (Internet) ClassTTL, time to liveData Length, how many bytes are the response domain / ip addressDomain Name, the result of the lookup (can be a domain name in case of a PTR lookup)
Authority Request Records
This returns a trusted server where you can double check if the results are correct. You need this, because you don't directly talk to the DNS server of the domain name. Here is the path of the packet:
Your router(DNS Relay) > Your IPSs DNS Server > .... > The DNS server of the domain name
DNS Services
There are paid / free DNS services out there. From a free service you can get A, MX records, which may be enough for some users. But if you want to operate a mail server, spam free, and not get blacklisted, then you need to buy a DNS service. It's good practice to set *.example.com as a CNAME to example.com, this will redirect all sub-domains to your main domain. Also setup a PTR record to point your domain name to the IP address of your machine.
Attacks against DNS
DNS is clear text remember? So anyone on the same network can modify your traffic. Basically this can be used to execute phising attacks, redirecting users from one DNS to another IP with the same/identical website. This is hard to detect since the browser will print the original address at the address bar regardless of the returned IP.
DNS Is Fast and small
Fast
Because it's clear text it's fast, since it doesn't have to deal with decryption/encryption. Plus there is DNS caching which stores the results of queries for a specified amount of time.
Small
DNS Never repeats the same domain name/IP address twice inside a packet. If it has to, it puts labels that point to the start of the domain name/IP address.
Summary
This was just a quick overview of the DNS protocol. This is a setup to my upcoming mail server tutorials using all sorts of new technologies requiring simple DNS knowledge. Check out DNS over HTTPS and DNS Over TLS. Supporting these protocols will require server side changes too, but it can take back a lot of control from ISPs and from anyone spying/editing our DNS packets.
If you're intrested in more details you can fire up wireshark and do an nslookup google.com in your cmd. In wireshark on the top field where it says filter type in dns and press enter. Now you can look at the hex bytes structure of your packet, and you can look at the details of DNS packets.