What is DNS and how does it work?

Analysis
03 May 202411 mins
InternetNetworking

The Domain Name System resolves the names of internet sites with their underlying IP addresses, adding efficiency and security in the process.

mobile wireless vehicle
Credit: Shutterstock

What is DNS?

The Domain Name System (DNS) is one of the foundations of the internet, working in the background to match the names of web sites that people type into a search box with the corresponding IP address, a long string of numbers that no one could be expected to remember.

It’s still possible for someone to type an IP address into a browser to reach a website, but most people want an internet address to consist of easy-to-remember words, called domain names. (For example, Network World.)

What is DNS used for?

  • It replaced a manual matching process. In the 1970s and early 80s, the task of matching domain names and IP addresses was assigned to one person: Elizabeth Feinler at Stanford Research Institute, who maintained a master list of every internet-connected computer. This was obviously unsustainable, given the rapid growth of the internet, and, in 1983, Paul Mockapetris developed DNS, an automated, scalable system that handles domain-name-to-IP-address translation.
  • Its distributed design enables multiple servers to share the load. There are currently more than 342 million registered domains, so keeping all those names in a single directory would be cumbersome. Like the internet itself, the directory is distributed around the world on domain name servers that communicate with each other on a regular basis to provide updates and eliminate redundancies.
  • Distributing requests boosts performance. Another reason for the creation of a distributed system is to boost performance. For example, imagine if all of the requests coming in at the same time all over the world to resolve the domain name Google with the underlying IP address were being handled in a single location. To address this issue, DNS information is shared among many servers. That means a single domain can have more than one IP address. For example, the physical server that your laptop or smartphone reaches when you enter www.google.com is different from the server that someone in another country would reach by typing the same site name into their browser. But DNS still gets you to the right place, no matter where you are in the world.

How does DNS work?

When your computer wants to find the IP address associated with a domain name, it first makes its DNS query via a DNS client, typically in a Web browser. The query then goes to a recursive DNS server, also known as a recursive resolver. A recursive resolver is typically operated by an Internet Service Providers (ISP), such as AT&T or Verizon (or some other third-party), and it knows which other DNS servers it needs to ask to resolve the name of a site with its IP address. The servers that actually have the needed information are called authoritative name servers.

DNS is organized in a hierarchy. An initial DNS query for an IP address is made to a recursive resolver. This search first leads to a root server, which has information on top-level domains (.com, .net, .org), as well as country domains. Root servers are located all around the world, so the DNS system routes the request to the closest one.

Once the request reaches the correct root server, it goes to a top-level domain server (TLD nameserver), which stores information for the second-level domain, which is the words that you type into a search box. The request then goes to a domain nameserver, which looks up the IP address and sends it back to the DNS client device so it can visit the appropriate website. All of this takes mere milliseconds.

What is DNS caching?

Chances are that you use Google several times a day. Instead of your computer querying the DNS nameserver for the IP address every time you enter the domain name, that information is saved on your personal device so that it doesn’t have to access a DNS server to resolve the name with the IP address.

Additional caching can occur on the routers used to connect clients to the internet, as well as on the servers of the user’s ISP. With so much caching going on, the number of queries that actually make it to the DNS name servers is significantly reduced, which helps with the speed and efficiency of the system.

How does the DNS numbering system work?

Every device that connects to the internet needs to have a unique IP address in order to have traffic properly routed to it. DNS translates human queries into numbers using a system known as IPv4 or IPv6. With IPv4, the numbers are 32-bit integers that are expressed in decimal notation.

The string of numbers is divided into sections, which include the network component, the host and the subnet, not dissimilar to a telephone number that might have a country code, an area code, etc. The network part of the number designates the class and category of network that is assigned to that number. The host identifies the specific machine on the network. The subnet part of the number is optional but is used to navigate the sometimes extremely large number of subnets and other partitions within a local network.

IPv6, which was created to address concerns about the internet running out of IPv4 addresses, uses 128-bit-sized numbers, compared to 32-bit numbers with IPv4. There are 340 trillion trillion possible IPv6 addresses.

Who assigns IP addresses?

In 1998, the U.S. government handed the task of assigning IP addresses over to the Internet Corporation for Assigned Numbers and Names (ICANN). The not-for-profit organization has managed that function ever since without any notable disruptions. ICANN develops policies on things like the creation of new top-level domains (such as .io).

For the most part, ICANN takes a neutral and advisory role. For example, anyone who wants to register a domain on the internet today can go to any number of ICANN-accredited registrars, which basically decentralizes the already decentralized DNS system. Once registered, new domains can populate and be reached worldwide via DNS servers in a matter of minutes.

Is DNS secure?

Cybercriminals are extremely clever when it comes to identifying vulnerabilities that can be exploited in just about any system, and DNS has certainly come in for its fair share of attacks. A 2021 IDC survey of more than 1,100 organizations in North America, Europe and Asia-Pacific, showed that 87% had experienced DNS attacks.

The average cost of each attack was around $950,000 for all regions and about $1 million for organizations in North America. The report noted that organizations across all industries averaged 7.6 attacks during the previous year.

The COVID-related shift to off-premises work and the response by companies to move resources to the cloud to make them more accessible have provided new targets for attackers, the report said. The researchers also found a sharp rise in data theft via DNS, with 26% of organizations reporting that sensitive customer information was stolen, compared with 16% in 2020.

What are common DNS attacks?

Common types of DNS attacks include DNS amplification, DNS spoofing or cache poisoning, DNS tunneling, and DNS hijacking or DNS redirection.

As DNS-related attacks continue to rise, many IT organizations are questioning the security of their DNS infrastructure, according to Enterprise Management Associates (EMA). The research firm recently polled 333 IT professionals responsible for DNS, DHCP and IP address management (DDI) and found that only 31% of DDI managers are fully confident in the security of their DNS infrastructure.

EMA asked research participants to identify the DNS security challenges that cause them the most pain. The top response (28% of all respondents) is DNS hijacking. Also known as DNS redirection, this process involves intercepting DNS queries from client devices so that connection attempts go to the wrong IP address. 

The second most concerning DNS security issue is DNS tunneling and exfiltration (20%). Hackers typically exploit this issue once they have already penetrated a network. DNS tunneling is used to evade detection while extracting data from a compromised. Hackers hide extracted data in outgoing DNS queries.

It’s important for security monitoring tools to closely watch DNS traffic for anomalies, like abnormally large packet sizes, according to Shamus McGillicuddy, research director for the network management practice at EMA. (Read more: DNS security poses problems for enterprise IT)

What is DNSSec?

DNSSec is a security protocol devised by ICANN to help make communication among the various levels of servers involved in DNS lookups more secure. It addresses weaknesses in the communication between DNS top-level, second-level, and third-level directory servers that would allow hackers to hijack lookups.

This hijacking allows attackers to respond to requests for lookups to legitimate sites by directing users to a malicious site. These sites could upload malware to users or carry out phishing attacks.

DNSSec addresses this by having each level of DNS server digitally sign its requests, ensuring that requests sent by end users aren’t commandeered by attackers. This creates a chain of trust so that at each level of the lookup, the integrity of the request is validated.

DNSSec also can determine if a domain name really exists, and if it doesn’t, prevents a fraudulent domain from being delivered to innocent requesters seeking to have a domain name resolved.

What is DNS over HTTPS (DoH)?

While DNSSec addresses potential vulnerabilities within the distributed network of DNS servers, it certainly hasn’t stopped DNS-based cyberattacks that use some form of deception to inject malicious code into the DNS system.

In one of the biggest shifts in the long history of DNS, Google, Mozilla, and others are encouraging a move to DNS over HTTPS or DoH, an IETF standard that encrypts DNS requests in the same way that the HTTPS protocol already protects most web traffic.

The shift to DoH, however, is not without controversy. By encrypting DNS requests, DoH could get in the way of enterprise IT being able to monitor the web activity of employees, and parents have complained that it could block them from implementing parental controls over their children’s internet usage.

Uptake of DNS over HTTPS has been slow. On the client side, DoH comes with the latest version of Google Chrome and Mozilla Firefox, but it can be turned off by the end user. Organizations, that try to have some measure of control over which browsers and browser versions are used by employees, have the option to simply disable it. On the ISP side, many of the leading ISPS have not yet enabled DoH on their end.

How to find my DNS server

Generally speaking, the DNS server that you use will be established automatically by your ISP when you connect to the internet. If you want to see which servers are your primary name servers, there are web utilities that can provide information about your current network connection, such as browserleaks.com.

While your ISP will set a default DNS server, you’re under no obligation to use it. Some users may have reason to avoid their ISP’s DNS, for example, if the ISP uses their DNS servers to redirect requests for nonexistent addresses to pages with advertising.

As an alternative, you can point your computer to a public DNS server that will act as a recursive resolver. One of the most prominent public DNS servers is Google’s. The IP address is 8.8.8.8.

keith_shaw
Contributing Writer

The first gadget Keith Shaw ever wanted was the Merlin, a red plastic toy that beeped and played Tic-Tac-Toe and various other games. A child of the '70s and teenager of the '80s, Shaw has been a fan of computers, technology and video games right from the start. He won an award in 8th grade for programming a game on the school's only computer, and saved his allowance to buy an Atari 2600.

Shaw has a bachelor's degree in newspaper journalism from Syracuse University and has worked at a variety of newspapers in New York, Florida and Massachusetts, as well as Computerworld and Network World. He won an award from the American Society of Business Publication Editors for a 2003 article on anti-spam testing, and a Gold Award in their 2010 Digital Awards Competition for the "ABCs of IT" video series.

Shaw is also the co-creator of taquitos.net, the crunchiest site on the InterWeb, which has taste-tested and reviewed more than 4,000 varieties of snack foods.

More from this author

Exit mobile version