What DNS Servers Do

Introduction

DNS servers locate web sites when you are browsing the Internet. They are the most trusted component of your web browsing experience but few people understand how they work or how their security vulnerabilities can cause you problems. This article provides the information you need to understand what DNS servers do before you Find the Best DNS Server or Change DNS Server

There are three sections in this guide.

  1. How we find resources on the Internet: URLs, IP addresses and Domain Names.
  2. DNS Servers resolve Domain Names
  3. Issues with DNS servers

This article was removed from How to Change DNS Server to make that guide more direct. I have deliberately omitted such topics as internal DNS servers, zones and delegation, and denial of service attacks. If you want to find out more or get another viewpoint then there are many overviews of DNS that you can also refer to. Here's a few for you:

Internet Name Systems

The Internet uses names to identify and locate resources.

A name indicates what we seek.
An address indicates where it is.
A route indicates how to get there.

There are two main Internet name systems:

  • The numeric IP Address system.
    The Internet Protocol (IP) is the original standard for communications on the Internet.
    IP addresses identify each device on the Internet. They can be used on other networks so some ranges of IP addresses are reserved for purposes such as private networks and testing.
  • The alphanumeric Domain Name System (DNS)
    DNS was developed so devices with IP addresses could have easy to remember names. The most common meaning of domain name is a label for a device with an IP address.

When you are browsing the Internet and you enter a Uniform Resource Locator (URL) you will usually be using one of these two name systems as shown in the example below 

    URL with domain name URL with  IP address  
  URL http://www.techsupportalert.com http://72.52.134.16  
  URL Scheme http http  
  URL Separator : :  
  Redundant Separator
Omit it and your browser will add it.
// //  
  Host Name www.techsupportalert.com 72.52.134.16  

The URL usually identifies the mechanism to retrieve a name. That is why the URL Scheme is often called a protocol, even though it is not, because it usually corresponds to the protocol used. For example, the URL scheme "http" is commonly but not always accessed using the HyperText Transfer Protocol (HTTP).

The Domain Name System (DNS)

DNS is often said to be similar to a phone directory. When you know the domain name you can find the IP address. Try it for yourself and do a DNS lookup of some domain names to find their IP addresses at WhatsMyIp.org

The domain name techsupportalert.com  is equivalent to the IP address 72.52.134.16

DNS is a hierarchy or tree with numerous branches and levels. DNS name servers work their way through that tree to locate each domain name. It is similar to looking up a phone number in a directory. You would find the correct directory or section of a directory (e.g. white pages, yellow pages, government departments), find the correct organization name or last name of the person, find the correct department or first name, and finally select the appropriate phone number (e.g. home phone, mobile phone, fax).

Using the domain name www.techsupportalert.com again, it is broken down from right to left to locate it in the DNS tree. Note that the periods (".") are separators:

  Root domain
It has no name and is empty
             
 

com is a top level domain.
A subdomain of the root domain.

aero biz cat com ... travel xxx
  techsupportalert is a 2nd level domain.
A subdomain of com.
    ... techsupportalert ...    
  www is an alias of the FQDN techsupportalert.com - these terms are discussed below.     ... www ...    

Fully Qualified Domain Names
A domain name that can be resolved to one specific place in the DNS tree is called a.Fully Qualified Domain Name (FQDN) In other words, there is only one specific interpretation of that DNS name. Note that one FQDN does not have to map to one IP address. Each FQDN can have many IP addesses. Google.com is a good example of an FQDN which is supported by many servers around the world. Of course one server can have many IP addresses so many FQDNs may have the same IP address.

DNS Record Types
An FQDN is the primary record type for resolving DNS queries. In IPv4 it the host is denoted by an "A" and in IPv6 by an "AAAA". You will notice these if you edit any host configuration file that has a list of websites for DNS name resolution such as NameBench's hostname_reference.cfg.

Other DNS record types extend the functions of a DNS server. Again, you can use DNS Lookup at WhatsMyIp.org to check these out:

  • "CNAME" (canonical name) records that record aliases and point towards the real name e.g. lookup www.techsupportalert.com to see it is an alias for the canonical name techsupportalert.com
  • "LOC" records that indicate the geographic location (latitude and longitude) of the DNS server e.g. use the IP location lookup for 72.52.134.16 to find the location of its web hosting service.
  • "MX" (mail transfer) records that indicate the mail server(s) accepting messages on that DNS server e.g. lookup techsupportalert.com to find that there is one mail server techsupportalert.com (the 0 indicates the preference  and is irrelevant with only one mail server)
  • "NS" (name server) records that indicate the authoritative domain name servers e.g. lookup techsupportalert.com to find the authoritative name servers ns1.tastytek.com and ns2.tastytek.com.
  • "PTR" (pointer) records are simply data which is mainly used to record host names for reverse DNS lookups e.g. lookup the PTR record for 72.52.134.16 to find the host server host.tastytek.com.

DNS Servers

DNS server are more correctly called DNS name servers as they are any computer registered to join the Domain Name System. As DNS is a highly decentralized hierarchy there are currently 242 root level servers that must be used to access any authoritative name servers for the top level domains. The last statistics I saw said that there were nearly 20 million DNS servers for over 220 million domain names.

There are two main types of DNS server:

Authoritative name servers are the ultimate repository or host for any registered domain name. Authoritative name servers are by definition non-recursive (don't have to use an algorithm to query any other servers) for the domain names registered with them.

Resolving name servers find the IP address for a domain name. In more technical terms, they find a solution to a DNS query. Most resolving name servers use two methods to resolve names:

  • Recursive name servers use an algorithm or repeating procedure to work through the DNS tree to find the authoritative name server for the requested domain name. There is an example of this at the end of this section.

  • Caching name servers resolve the IP address from their cached database of domain names.  This cache is more efficient because the DNS server does not have to find the authoritative name server every time. Each domain name has a specified lifetime, time-to-live (TTL). When that lifetime expires the caching server must get the domain details from the authoritative name server. TTLs are usually seconds or hours, sometimes days,, and occasionally weeks.

There are two further categories of DNS server that you should know about:

We distinguish Public or Open resolving DNS Servers which anyone can use from private resolving DNS servers which are restricted to specific users. Some public servers are limited geographically, for example, to users in the United States. This can be done because blocks of IP addresses are allocated to different regions.

IPv6 DNS Servers are relatively uncommon but will increasingly replace IPv4 DNS servers. At the moment we are at the start of a transition that will take many year. IPv6 will eventually replace IPv4 because we can have many more IPv6 addresses. So IPv6 addresses are much longer, e.g. 1003:8bd0:3a85:0000:0000:e2a8:0730:4337 which reduces to 1003:8bd0:3a85:0:0:e2a8:730:4337 by removing leading zeroes.

DNS on your PC

Your PC will need to know how to find its DNS server and so its has its own DNS Resolver with a DNS name cache.

  • Your System DNS Server (aka local DNS server, configured DNS server) is the DNS server that your system is currently configured to use. Typically there are at least two as you don't wan't to lose internet access when your primary DNS server is not available.
  • The operating system will have a DNS resolver with its own DNS name cache. For example, Microsoft Windows TCP/IP has a DNS name cache that reads in the Hosts file and caches DNS query results.
  • Your web browser will also have a DNS resolver with its own DNS name cache.
  • A Hosts file is a text file that contains a list of DNS names with the corresponding IP address. The names can be FQDN but may also include aliases such as abbreviated shortcuts. Hosts files can also be used to block dangerous sites by redirecting to a non-existent or harmless IP address.

An example of DNS resolution

Finally, we can look at how a system finds the domain name www.techsupportalert.com assuming that there is no DNS caching in operation. Eight DNS queries and resolutions are sent and received. As most sites are cached this is the worst case for finding a valid address.

  1. Your system DNS resolver sends a query to locate the "A" record for www.techsupportalert.com to the system DNS server        
  Your system DNS server gets the addresses of a root level DNS server from a list that it is configured with.        
  2. Your system DNS server sends a query to a root level server asking for the DNS server for the top level domain (TLD) com        
  3. The root level server returns the address of the TLD server for com aero biz cat com
  4. Your system DNS server sends a query to the com TLD server asking for the DNS server for techsupportalert.com        
 

5. The TLD server for com returns the address 72.52.134.216 for the authoritative DNS server NS1.TASTYTEK.COM

... techsupportalert
  6. Your system DNS server sends a query to NS1.TASTYTEK.COM for www.techsupportalert.com.        
 

7. The DNS server NS1.TASTYTEK.COM finds the CNAME alias for www.techsupportalert.com and returns the CNAME record

    ... www
 

Your system DNS server now starts a new DNS query to get the "A" record for the canonical name (CNAME alias) techsupportalert.com. The original query could have specified a CNAME record in which case that would be returned.
The results of the previous query are now cached so all steps are not repeated.

       
 

8.Your system DNS server sends a query to NS1.TASTYTEK.COM for the FQDN techsupportalert.com.

       
  9. The DNS server NS1.TASTYTEK.COM finds the "A" record for techsupportalert.com and returns it.        
  10. Your system DNS server sends the "A" record for techsupportalert.com to your system DNS resolver.        
  The browser can now connect to techsupportalert.com web server.        
           

General issues

Global DNS server networks

There are advantages to using a global provider such as Google or OpenDNS.

  • Speed: They have larger databases which mean each DNS name is more likely to be cached.
  • Reliability: They are less likely to be damaged by a local disaster because they have many different servers located in many different datacentres around the world.
  • Safety: They are more likely to provide filtering or other protection.

Content Distribution Networks CDN)

CDNs place network resources near to the people who need to use them. So a European organization with many customers in Australia can use a third-party CDN in Australia to improve the customer experience there. They are owned or used by many large websites including Google and Microsoft. These servers may even be colocated in ISP datacenters further improving response times.

There is one problem with them. DNS servers normally return the CDN server which is closest to them rather than the closest server to the user. At the moment, this means that some DNS servers should not be used in some countries. In New Zealand many ISPs operate large caches to minimize international traffic. If I use OpenDNS I have problems when its servers in the United States return a US CDN when my ISP returns the webpage from a closer CDN. My web browser is left hanging while it waits for a web page from the United States that never arrives because the cached page came from a closer server.

Public DNS servers can become more private

When you use a public DNS server from an organization that you do not have contract with then the DNS service could be cut off at any time. For example, in New Zealand, the ISP TelstraClear recently announced that after upgrading their DNS network access to its DNS servers will be limited to its customers. There are good reasons to do this just to improve DNS security.

Secondary DNS servers are often slower

Most primary DNS servers have secondary servers to provide redundancy in case the main server fails. Many secondary servers are not as fast as the primary DNS server because their primary purpose is not performance but backup, load-balancing, or supporting a remote location.

Some DNS service providers provide DNS services for other organizations. Often such services are slightly slower. An example of this is Comodo Secure DNS which is provided by UltraDNS.

DNS vulnerabilities and threats 

DNS servers are a central part of the Internet. Your system assumes that the address provided by a DNS server is always correct. That is why DNS servers are an attractive target for malicious enterprise. Any breach of security on your DNS servers can leave your system exposed. So it is worth checking that your DNS servers are reputable and secure. In particular, public or open resolving DNS servers are more vulnerable to these problems because they don't verify the identity of their users. They don't know whether the system asking the question can be trusted.

Impersonating a domain name or IP address

IP address spoofing is the forging of IP addresses to mask the originating IP address and to allow the impersonating of the forged address. DNS spoofing or cache poisoning occurs when a DNS name server has stored data in its cache database that did not originate from the authoritative DNS server for that domain name. This "poisoned" data will then be used to respond to DNS queries with the spoofed IP address.

You can run a DNS Spoof Test to see whether any DNS server is vulnerable.

Masquerading as an internal address on your network

DNS rebinding attacks will try to fool your system into thinking that non-local addresses are part of your local network and thereby avoiding the security checks for external addresses. The ranges of IP addresses reserved for local networks include 10.x.x.x, 127.x.x.x, 172.16.x.x, and 192.168.x.x.

Redirecting when a domain name does not exist

DNS hijacking or redirection occurs when a query for a non-existent domain name is redirected to a different IP address. When a domain name does not exist the NXDOMAIN response should be given. When it is not provided there can be minor or major breakdowns on your system or network particularly if you run a virtual private network (VPN). It can also provide an opening for malicious purposes because your system thinks that the faked IP address is what it was looking for. You can then be redirected to a dangerous site but more commonly you will simply see an advertising page.

You should generally avoid redirecting/hijacking DNS servers but you may decide you want to use a DNS server that has a benign purpose for redirection:

  • correcting typos e.g. the typo "gogole.com" can be changed to "google.com"
  • filtering and blocking e.g. as OpenDNS does

Exploiting the lack of DNSSEC authentication

DNS did not originally have security features so the Domain Name System Security Extensions (DNSSEC) were introduced to authenticate DNS data using public-key cryptography to protect from forgeries. Many DNS servers do not have these extensions enabled so they are more vulnerable to cache poisoning and denial of service attacks (where many systems are used to send a lot of difficult DNS queries to swamp the DNS server).

Related Products and Links

Using DNS servers for security

Products mentioned here

 

Editor

This software category is maintained by volunteer editor Remah.

  "I've used TechSupportAlert and the older Support Alert Newsletter for almost a decade so I have saved hundreds of hours of work and many more dollars by following Gizmo's Freeware recommendations. Thanks for the opportunity to give something back."  

If you have had a similar experience then you should consider becoming a reviewer too.

Change Log

Date

Change

Editor

July 2011

New article extracted from How to Change DNS Server

Remah

Tags

Domain Name System, DNS, DNS server, DNS resolver, DNS query, DNS resolution, DNS name server, Internet name server, DNS issue, DNS security

Back to the top of the article.

 

Share this
4.533335
Average: 4.5 (15 votes)
Your rating: None

Gizmos Needs You

Gizmo's Freeware is Recruiting

 We are looking for people with skills or interest in the following areas:
 -  Mobile Platform App Reviews for Android and iOS
 -  Windows, Mac and Linux software reviews       Interested? Click here