DNS stands for Domain Name System. The DNS is a service that receives user-friendly domain names like google.com and returns a computer-friendly IP address such as 64.233.160.0. The IP address enables the browser to locate the server with the requested content. The pairing of the hostname and the IP address is called a namespace.

The Domain Name System is a hierarchical distributed database with each database holding a portion of the information leading to a specific website or device. The Domain Name System is an essential part of the TCP/IP networking protocol that powers the Internet and private networks.

The DNS is the busiest database in the world handling requests from billions of devices. A single page request may result in 50 or more DNS requests. While surfing the web, you may generate thousands of DNS queries. When you consider the billions of people and devices (Internet of Things) doing the same thing, the quantity of requests handled by the DNS servers is staggering, but the DNS handles the traffic perfectly fine and resolves domain names in microseconds.

How does DNS work?

The process of using a hostname (e.g., google.com) to get an IP address (e.g., 64.233.160.0) is called resolving. Resolving a hostname is invisible to the user that types the hostname into the browser’s address bar, but during those few microseconds between the request and resolve a lot happens requiring four different DNS server types.

DNS server types

Four different DNS servers work together to get you to the content that you need.

DNS Recursor

Typically the ISP (Internet Service Provider) provides the DNS recursor or recursive DNS server. This server acts as a sort of concierge by taking client requests for resolving hostnames to IP addresses, does the legwork, and returns the IP address to the client.

The recursive resolver first checks its cache to see if it already has the IP address requested; if not, the recursive resolver contacts the Root Server.

Root nameserver

When the DNS Recursor doesn’t have a cached response, it contacts the DNS Root Nameserver. The DNS Root Nameservers operate at the top of the hierarchy of zones, in what is called the root zone. The root zone is the topmost point in the DNS hierarchy and directs requests to the proper zone.

There are 13 root zone servers run by 12 independent organizations. These thirteen servers respond to the recursive server with the IP address of the appropriate Top Level Domain (TLD) nameservers.

TLD nameserver

The Top Level Domain nameservers keep the information for the domain names that share the same common domain name extensions such as .com, .gov, .net, and .edu. The TLD nameservers respond to the recursive server with the IP address of the authoritative nameserver that has the needed domain information.

Authoritative nameserver

The authoritative nameserver has all of the information for the specific domain name such as google.com. The authoritative nameserver resolves the name to the appropriate IP address and sends it back to the resolver, where it is most likely cached and then passed back to the client’s browser. The browser then accesses the site using the IP address.

The process for resolving a hostname sounds like it would take a while, but it actually happens most times nearly instantaneously with most resolution times under a microsecond. The initial response from the host often contains additional URLs to additional content, so a single webpage may require dozens of DNS resolutions.
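The referral chain described above, as an added example that is not part of the original article: a toy recursor walks an in-memory root zone, TLD zone and authoritative zone, and keeps the TTL-bounded cache that the DNS caching section below describes. All server names, hostnames, addresses and TTLs are constructed, and the clock is injected so cache expiry can be shown without waiting.

```python
# Added example (not from the original article): a toy model of iterative
# DNS resolution. All zone data, server names and addresses below are
# constructed for illustration; nothing is looked up on the network.
from dataclasses import dataclass, field

# Constructed referral data. The root knows which server handles each TLD,
# each TLD server knows the authoritative server for each zone, and the
# authoritative server holds the final (IP, TTL seconds) answer.
ROOT_SERVER = {"com.": "tld-com-server", "net.": "tld-net-server"}
TLD_SERVERS = {
    "tld-com-server": {"example.com.": "ns1.example.com"},
    "tld-net-server": {"example.net.": "ns1.example.net"},
}
AUTHORITATIVE = {
    "ns1.example.com": {"www.example.com.": ("192.0.2.10", 300)},
    "ns1.example.net": {"www.example.net.": ("198.51.100.7", 60)},
}


@dataclass
class Recursor:
    """A recursive resolver with a TTL-bounded cache.

    `now` is an injected clock (seconds) so cache expiry is deterministic.
    """
    now: float = 0.0
    cache: dict = field(default_factory=dict)  # name -> (ip, expires_at)

    def resolve(self, name):
        """Return (ip, path); path lists the servers consulted in order."""
        if not name.endswith("."):
            name += "."
        hit = self.cache.get(name)
        if hit and hit[1] > self.now:
            return hit[0], ["cache"]          # served without any referral

        path = ["root"]
        labels = name.split(".")
        tld = labels[-2] + "."                # "www.example.com." -> "com."
        tld_server = ROOT_SERVER.get(tld)
        if tld_server is None:
            raise LookupError(f"unknown TLD for {name}")
        path.append(tld_server)

        zone = ".".join(labels[-3:])          # -> "example.com."
        auth_server = TLD_SERVERS[tld_server].get(zone)
        if auth_server is None:
            raise LookupError(f"no authoritative server for {zone}")
        path.append(auth_server)

        answer = AUTHORITATIVE[auth_server].get(name)
        if answer is None:
            raise LookupError(f"{name} has no A record")
        ip, ttl = answer
        self.cache[name] = (ip, self.now + ttl)  # cache until the TTL expires
        return ip, path


if __name__ == "__main__":
    r = Recursor()
    print(r.resolve("www.example.com"))   # full walk: root -> TLD -> authoritative
    print(r.resolve("www.example.com"))   # answered from cache
    r.now = 301                           # past the 300 s TTL
    print(r.resolve("www.example.com"))   # walk repeated
```

The third call repeats the referral walk because the cached entry has expired; a real recursor behaves the same way, which is why the TTL chosen by the authoritative nameserver governs how long a stale (or poisoned) answer lingers.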

What is round-robin DNS

You may hear the term round-robin DNS from time to time. A round-robin DNS is an authoritative nameserver that has multiple queued entries for a single hostname. A request comes in, the nameserver pulls the first DNS entry for the hostname and returns the IP address. That record then goes to the back of the queue. The next time a DNS recursor sends the hostname for resolution, the authoritative nameserver responds with the next DNS entry in the queue.

This method is used to provide load balancing to a site with multiple redundant servers. Problems with this method include:

  • The nameserver may not know a server has gone offline and continues to send requests to the server. Some nameservers do have built in fail safes to check the availability of the IP address before responding.
  • The DNS recursor may cache the IP sending every request to the same IP. Setting a short time to live (see DNS caching below) can reduce the number of requests going to the same IP address but not prevent the problem entirely.
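Both problems in the list above, shown with an added example that is not part of the original article: a rotating answer pool for one hostname, optionally filtered by the availability check some nameservers perform, plus a simulated recursor cache that shows how a long TTL pins every request to one address. The addresses, the "offline" server and the timings are constructed.

```python
# Added example (not from the original article): round-robin answers for one
# hostname, with and without an availability check, and the effect of the
# recursor's cache TTL on how evenly requests are spread.
from collections import deque


class RoundRobinPool:
    def __init__(self, addresses, is_healthy=None):
        # Queue of candidate addresses; the head is the next one served.
        self.queue = deque(addresses)
        # Optional availability check; None reproduces the naive behaviour
        # in which an offline server keeps receiving traffic.
        self.is_healthy = is_healthy

    def answer(self):
        """Return the next address and move it to the back of the queue."""
        for _ in range(len(self.queue)):
            ip = self.queue[0]
            self.queue.rotate(-1)            # head goes to the back
            if self.is_healthy is None or self.is_healthy(ip):
                return ip
        raise RuntimeError("no healthy address available")


def client_requests(pool, ttl, interval, count):
    """Simulate a recursor that caches the answer for `ttl` seconds while a
    client issues `count` requests `interval` seconds apart. Returns the
    address each request was sent to."""
    served = []
    cached_ip, expires_at = None, -1.0
    for i in range(count):
        now = i * interval
        if cached_ip is None or now >= expires_at:
            cached_ip = pool.answer()        # only then does the pool rotate
            expires_at = now + ttl
        served.append(cached_ip)
    return served


# Constructed pool: three redundant servers, the second one is offline.
ADDRESSES = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
OFFLINE = {"10.0.0.2"}

if __name__ == "__main__":
    naive = RoundRobinPool(ADDRESSES)
    print([naive.answer() for _ in range(4)])            # offline IP still served
    checked = RoundRobinPool(ADDRESSES, lambda ip: ip not in OFFLINE)
    print([checked.answer() for _ in range(4)])          # offline IP skipped
    print(client_requests(RoundRobinPool(ADDRESSES), 3600, 1, 4))  # all to one IP
    print(client_requests(RoundRobinPool(ADDRESSES), 1, 1, 4))     # rotates each time
```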

DNS caching

Caching of a namespace may happen at any level of the DNS hierarchy, although it is most common on the DNS resolver. Rather than go through the entire resolution process over and over again for the same IP address, the servers hold the information for a hostname briefly just in case they need the information again. For example, the first response from an IP address will most likely contain URLs to the same IP address for additional content, so if the DNS recursor didn’t cache the IP address, the recursor would have to resolve the namespace for each of these requests.

The cache may exist directly on your computer, on the router, at your ISP, or anywhere on any of the DNS servers. These caches become stale very quickly, so each DNS entry includes an expiration. The expiration is known as time to live (TTL). This setting tells the DNS server how long it should keep the DNS entry in its cache before deletion.

Cache poisoning

DNS caching does lead to vulnerabilities in the Domain Name System. This vulnerability is known as cache poisoning. A DNS cache becomes poisoned or polluted when invalid IP addresses get inserted into the cache. Poisoning is usually the result of viruses and malware with the intention of directing requests to a phishing site or other site.

DNS Records (Zone files)

So, we know that the DNS is a huge distributed hierarchical system that turns human-readable domain names into computer-friendly IP addresses. Most times when you hear someone refer to the DNS, what they are really referring to is the DNS records or zone file for a single domain kept on the authoritative nameservers.

Each entry in the DNS has multiple fields that provide specific information about the domain. The DNS has 40 different record types. Below we discuss the eight most commonly used DNS record types.

A record

The A record is the IPv4 version of the IP Address. The IPv4 version is a 32-bit address. IPv4 has been the standard for IP addresses since the start of the Internet, but the small number of available addresses (4.29 billion) has already become a problem. To handle the burgeoning number of needed IP addresses, a slow but progressive move towards 128-bit IPv6 addresses has been going on for some time.

AAAA record

If a site supports IPv6 128-bit addresses, the AAAA record holds the IP address. In numeric terms, there are 2^128 or over 340 undecillion available addresses.

CNAME record

The “C” in CNAME stands for “canonical.” Instead of returning an IP address a CNAME record returns an alias for the request. For example, if you were to change your hostname from mysite.com to mywebsite.com, you could update the CNAME to “mywebsite.com.” When a request for mysite.com comes into the authoritative nameserver, the response is mywebsite.com. The resolver then knows to request the IP address for mywebsite.com instead.

MX record

MX stands for “mail exchange.” When the resolver asks for the MX record, it is asking how to route the mail for the domain using SMTP (Simple Mail Transfer Protocol).

NS record

The NS stands for nameserver. The NS record tells the resolver which nameserver is the primary for the domain. Additional NS records indicate backup nameservers with the domain’s information. Specifying backup servers provides redundancy in the case of a failure in the primary server (provided they are hosted separately) and  

SOA record

SOA stands for “start of authority.” This record provides domain level information such as the administrator’s email. An important value frequently monitored is the serial number. Each time you update a DNS record the DNS updates the serial number by incrementing it by 1. Watching the serial number for changes can let you know if anyone has tampered with your DNS records.

SRV record

SRV stands for “service.” The service record gives the host and port for a service such as instant messaging.

TXT record

TXT is short for “text.” These records are plain text entries that you may use for notes. Mail servers may use TXT records for Sender Policy Framework codes that enable an email server to verify the source of an email.
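The eight record types above as they appear in a zone file, with an added example that is not part of the original article: a small parser that reads a constructed zone for the fictional example.com, handles $ORIGIN, $TTL, relative names, comments and the parenthesised multi-line SOA, and returns each record's fields as structured data. The zone content, names, addresses and serial are made up.

```python
# Added example (not from the original article): a parser for the record
# types discussed above, run over a constructed zone file. Everything in
# ZONE_TEXT is made up for illustration.

ZONE_TEXT = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA   ns1.example.com. hostmaster.example.com. (
                 2024010101 ; serial
                 7200       ; refresh
                 900        ; retry
                 1209600    ; expire
                 300 )      ; minimum
@       IN NS    ns1.example.com.
@       IN NS    ns2.example.com.
@       IN A     192.0.2.10
@       IN AAAA  2001:db8::10
www     IN CNAME example.com.
@       IN MX    10 mail.example.com.
_xmpp._tcp IN SRV 5 0 5269 xmpp.example.com.
@       IN TXT   "v=spf1 mx -all"
"""

TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "SRV", "TXT"}


def _strip_comment(line):
    """Drop everything after ';' unless the ';' sits inside a quoted string."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def _join_parentheses(lines):
    """Merge records wrapped in ( ... ) across lines into one logical line."""
    merged, buf = [], ""
    for line in lines:
        buf = (buf + " " + line.strip()).strip()
        if buf.count("(") > buf.count(")"):
            continue                      # still inside the parentheses
        merged.append(buf.replace("(", " ").replace(")", " "))
        buf = ""
    return merged


def _fqdn(name, origin):
    """Expand '@' and relative names to fully qualified names."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _decode(rtype, rdata, origin):
    """Turn the whitespace-split RDATA of one record into named fields."""
    if rtype in ("A", "AAAA"):
        return rdata[0]
    if rtype in ("NS", "CNAME"):
        return _fqdn(rdata[0], origin)
    if rtype == "MX":
        return {"preference": int(rdata[0]), "exchange": _fqdn(rdata[1], origin)}
    if rtype == "SRV":
        return {"priority": int(rdata[0]), "weight": int(rdata[1]),
                "port": int(rdata[2]), "target": _fqdn(rdata[3], origin)}
    if rtype == "SOA":
        mname, rname, serial, refresh, retry, expire, minimum = rdata
        return {"mname": _fqdn(mname, origin), "rname": _fqdn(rname, origin),
                "serial": int(serial), "refresh": int(refresh),
                "retry": int(retry), "expire": int(expire),
                "minimum": int(minimum)}
    if rtype == "TXT":
        return " ".join(rdata).strip('"')
    raise ValueError(f"unsupported type {rtype}")


def parse_zone(text):
    """Return a list of {name, ttl, type, data} dicts for the zone text."""
    origin, default_ttl, records = ".", 0, []
    raw = [_strip_comment(l).rstrip() for l in text.splitlines()]
    for line in _join_parentheses([l for l in raw if l.strip()]):
        parts = line.split()
        if parts[0] == "$ORIGIN":
            origin = parts[1]
            continue
        if parts[0] == "$TTL":
            default_ttl = int(parts[1])
            continue
        owner, ttl, i = _fqdn(parts[0], origin), default_ttl, 1
        if parts[i].isdigit():            # optional per-record TTL
            ttl, i = int(parts[i]), i + 1
        if parts[i] == "IN":              # optional class
            i += 1
        rtype, rdata = parts[i], parts[i + 1:]
        records.append({"name": owner, "ttl": ttl, "type": rtype,
                        "data": _decode(rtype, rdata, origin)})
    return records


if __name__ == "__main__":
    for rec in parse_zone(ZONE_TEXT):
        print(rec["type"], rec["name"], rec["ttl"], rec["data"])
```

The SOA serial comes out as an integer, which is the value a monitor compares between runs; the MX and SRV entries carry their preference, priority, weight and port alongside the target name, since a change in any of those fields reroutes mail or a service just as effectively as a changed hostname.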

Why monitor your DNS records?

As you have learned above, any communication over the Internet lives and dies by the DNS. DNS records are a favorite of hackers and often fall victim to human error. Besides hacking into your ISP account and changing the values directly, here are two primary ways that hackers use DNS to bring down a site.

DNS poisoning

We mentioned this earlier in the DNS caching section. A DNS poisoning occurs when someone inserts false information into the DNS cache on a server. That one server with the poisoned entry for a site then responds from its cache for a request. Other servers and routers cache the poisoned record, and the poison spreads. These attacks typically reroute users to a spoofed site where the hackers collect user credentials and other information such as credit card information.

Poisoning may also occur because of human error. One such case occurred in California and Chile when the DNS routed users of Facebook, Twitter, and YouTube to Chinese sites. The problem was the result of an ISP routing requests to a root server in China where the Chinese government blocks these channels and reroutes them to government-controlled sites.

DDoS and DoS attacks

DDoS (Distributed Denial of Service) and DoS (Denial of Service) attacks occur when one (DoS) or more (DDoS) computers begin hitting the DNS and a site in rapid succession in an attempt to bring down the supporting infrastructure of a site through excessive requests. These attacks come in many forms, trying to use up all of the available connections and overwhelming the servers with data, affecting performance or bringing them down completely.

Monitoring can help you stop a DNS attack in its tracks

Monitoring your DNS entries should be at the top of your priority list. If anything goes wrong with your DNS records, it could compromise your entire system and bring down your brand reputation. To keep an eye on your DNS consider monitoring the following aspects of your DNS.

IP address(es)

This one is simple; a DNS query retrieves the IP address from the system and compares it to the IP addresses you provide (one or more addresses using a regular expression). If the IP address doesn’t match, your monitoring notifies you. If you support IPv4 and IPv6 you should monitor both the A record (IPv4) and the AAAA record (IPv6), for it is possible for one to fail but not the other.

SOA Record

Your SOA record has a serial number that the system updates each time a change happens anywhere on your DNS entry. Although watching the number doesn’t tell you what changed, knowing that something has changed may help you stave off an attack.

MX record and SRV record

Imagine that suddenly your company’s emails and messages became lost or began bouncing for anyone that tried to reach you. Or worse, what if someone hacked the system and routed messages and emails elsewhere? Monitoring your MX and SRV records can help you prevent a loss of crucial communication pathways.

NS record and root servers

You may want to test your NS records to make sure nobody has tampered with your primary and backup nameserver records. Also, you may want to test those nameservers directly to make sure they respond with the correct information. Monitoring is a great way to make sure that your DNS records stay safe and respond reliably.
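The four checks above (A/AAAA against a list or regular expression, SOA serial drift, MX and SRV targets, and NS records plus each nameserver queried directly) as an added example that is not part of the original article. The "snapshots" are constructed dictionaries standing in for the answers a real query run would return, so the check logic runs offline; the baseline, names and addresses are made up.

```python
# Added example (not from the original article): baseline checks of the kind
# described in the monitoring section, run over constructed snapshots that
# stand in for real query results. All names and addresses are made up.
import re

# Expected state of the fictional example.com zone.
BASELINE = {
    "A": ["192.0.2.10", "192.0.2.11"],
    "AAAA": re.compile(r"^2001:db8::1[0-9]$"),   # regex form, as the text allows
    "MX": {"mail.example.com."},
    "SRV": {"_xmpp._tcp": ("xmpp.example.com.", 5269)},
    "NS": {"ns1.example.com.", "ns2.example.com."},
}


def check_ips(rtype, observed, expected):
    """Every observed address must be in the expected list or match the regex."""
    alerts = []
    for ip in observed:
        ok = expected.match(ip) if hasattr(expected, "match") else ip in expected
        if not ok:
            alerts.append(f"{rtype}: unexpected address {ip}")
    if not observed:
        alerts.append(f"{rtype}: no answer")
    return alerts


def check_serial(previous_serial, current_serial):
    """Any change to the SOA serial is worth a look, even a legitimate one."""
    if current_serial != previous_serial:
        return [f"SOA: serial changed {previous_serial} -> {current_serial}"]
    return []


def check_set(rtype, observed, expected):
    """Report records that disappeared and records that were not expected."""
    alerts = []
    if expected - observed:
        alerts.append(f"{rtype}: missing {sorted(expected - observed)}")
    if observed - expected:
        alerts.append(f"{rtype}: unexpected {sorted(observed - expected)}")
    return alerts


def check_nameservers(per_server_answers, expected_ips):
    """Each nameserver, asked directly, must return the baseline A set."""
    alerts = []
    for server, ips in per_server_answers.items():
        if set(ips) != set(expected_ips):
            alerts.append(f"NS {server}: answered {sorted(ips)}")
    return alerts


def run_checks(snapshot, previous_serial):
    """Run every check against one snapshot; an empty list means all clear."""
    alerts = []
    alerts += check_ips("A", snapshot["A"], BASELINE["A"])
    alerts += check_ips("AAAA", snapshot["AAAA"], BASELINE["AAAA"])
    alerts += check_serial(previous_serial, snapshot["SOA_serial"])
    alerts += check_set("MX", set(snapshot["MX"]), BASELINE["MX"])
    alerts += check_set("NS", set(snapshot["NS"]), BASELINE["NS"])
    for svc, (target, port) in BASELINE["SRV"].items():
        if snapshot["SRV"].get(svc) != (target, port):
            alerts.append(f"SRV {svc}: got {snapshot['SRV'].get(svc)}")
    alerts += check_nameservers(snapshot["per_ns_A"], BASELINE["A"])
    return alerts


# Constructed snapshots: one matching the baseline, one with changes.
HEALTHY = {
    "A": ["192.0.2.10", "192.0.2.11"],
    "AAAA": ["2001:db8::10"],
    "SOA_serial": 2024010101,
    "MX": ["mail.example.com."],
    "NS": ["ns1.example.com.", "ns2.example.com."],
    "SRV": {"_xmpp._tcp": ("xmpp.example.com.", 5269)},
    "per_ns_A": {"ns1.example.com.": ["192.0.2.10", "192.0.2.11"],
                 "ns2.example.com.": ["192.0.2.11", "192.0.2.10"]},
}
CHANGED = {
    "A": ["203.0.113.99"],
    "AAAA": ["2001:db8::10"],
    "SOA_serial": 2024010102,
    "MX": ["mx.example.net."],
    "NS": ["ns1.example.com.", "ns2.example.com."],
    "SRV": {"_xmpp._tcp": ("xmpp.example.com.", 5269)},
    "per_ns_A": {"ns1.example.com.": ["192.0.2.10", "192.0.2.11"],
                 "ns2.example.com.": ["203.0.113.99"]},
}

if __name__ == "__main__":
    print(run_checks(HEALTHY, 2024010101))   # []
    for alert in run_checks(CHANGED, 2024010101):
        print(alert)
```

Querying each nameserver directly (the per_ns_A part of the snapshot) catches the case the section calls out: the NS set itself still looks right, but one of the servers is handing out a different answer than its sibling.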

Test your DNS from everywhere

Often, you’ll find that DNS errors are localized and only affect a portion of your user base. Using a third-party monitoring service with a large network of testing locations can help you capture even the most granular localized issues quickly.

Conclusion

IP network and Internet communications all rely on the DNS. Actively monitoring your records can help you forestall a DNS attack or outage. You’ll always be the first to know rather than waiting for customer complaints or compromised accounts.