DNS: The heart of our Internet

in #technology, 7 years ago

We depend on DNS whenever we use Internet services: social media, email, video, streaming or games all start with a DNS lookup. But what is DNS exactly? Every device connected to the Internet has an IP address. DNS maps an easy to remember name like google.com to the IP address of that server, for example 172.217.16.110. When you connect to google.com the browser (through the operating system's resolver) sends a request to a DNS server and asks for the IP of google.com. This is called a request or query. The server then sends the IP back, which is called a response or answer.

The protocol

DNS runs on UDP port 53 and falls back to TCP port 53 when a response does not fit in one UDP packet (the server sets the TC, truncated, flag and the client retries over TCP). The messages are raw binary, not text, so they have to be parsed field by field to get data out of them. They are also unencrypted and unauthenticated, meaning anyone on the path between you and the resolver can read or change the request and the response you get. DNS over TLS (TCP port 853) and DNS over HTTPS, which carries the same DNS messages inside HTTPS requests (Google's public resolver offers such a lookup web service), close that gap between you and the resolver, but both are still new tech.
A request and its response must carry the same Transaction ID. The Transaction ID is the first 2 bytes of the packet, and a resolver uses it (together with the UDP source port and the question) to decide which response belongs to which outstanding query. Pick it at random: a predictable ID lets an attacker who never sees your traffic guess it and forge a response.
Every DNS packet has the same layout; a request and a response differ only in the bits that are set. The 3rd and 4th byte of the packet are the Flags. The first (most significant) bit, QR, is 0 for a question and 1 for an answer. It is followed by a 4-bit opcode, the AA, TC, RD and RA bits, and, in the last 4 bits, the response code.

Requests

The header's question count (QDCOUNT) says how many questions follow. It is just a count, and in practice it is always 1; real servers do not handle several questions in one packet.
Next we have the question section, which lists the questions asked by the browser.
A question has the following values:

  • Name: the domain name to look up (for a reverse lookup this is the reversed IP address under in-addr.arpa, for example 110.16.217.172.in-addr.arpa)
  • Type: the type of the question, see the table below
  • Class: almost always 0x0001, the IN (Internet) class

Some of the question types:

Question type   Description
A               IPv4 address lookup
NS              Get the names of the authoritative name servers for the zone
CNAME           Get the canonical name an alias points to (domain name -> domain name redirect)
SOA             Get the start of authority record of the zone: primary server, admin contact, serial number and timers
PTR             Get the hostname of an IP address (reverse lookup)
MX              Mail Exchange, get the domain names (and priorities) of the mail servers for a domain
AAAA            IPv6 address lookup
TXT             Free-form text attached to a name, used for things like mail policies and domain verification
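As an added example (my own code, not part of the original post), here is a small Python script that builds such a query byte by byte with the struct module, so you can see exactly which bytes Wireshark will show you: a 12-byte header with a random Transaction ID and the RD (recursion desired) flag, followed by one question made of length-prefixed labels, a type and the IN class. The send_udp helper assumes Google's public resolver 8.8.8.8 as the server; nothing is sent unless you call it.

```python
import secrets
import socket
import struct

# Query types from the table above (RFC 1035 values; AAAA comes from RFC 3596).
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}
CLASS_IN = 1

FLAG_RD = 0x0100  # "recursion desired": ask the resolver to do the whole lookup for us


def encode_name(name: str) -> bytes:
    """Encode 'google.com' as length-prefixed labels: \\x06google\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:  # RFC 1035: a label is 1..63 bytes
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # the empty root label terminates the name


def build_query(txid: int, name: str, qtype: str = "A") -> bytes:
    """Build a standard recursive query: 12-byte header + one question."""
    # ID, flags, QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0 (all big-endian 16-bit)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], CLASS_IN)
    return header + question


def ptr_name(ipv4: str) -> str:
    """A PTR lookup asks for the reversed address under in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def send_udp(query: bytes, server: str = "8.8.8.8", timeout: float = 2.0) -> bytes:
    """Send the query over UDP/53 and return the raw response bytes (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return data


if __name__ == "__main__":
    # A random 16-bit ID makes forged responses harder to slip in (see the attacks section).
    txid = secrets.randbits(16)
    query = build_query(txid, "google.com", "A")
    print(f"query id=0x{txid:04x} bytes={query.hex()}")
    print("reverse name for 172.217.16.110:", ptr_name("172.217.16.110"))
```

The hex printed for google.com starts with the ID, then 0100 (only RD set), 0001 (one question) and three zero counts, then 06 google 03 com 00 followed by 0001 0001 for type A, class IN; compare it with the bytes Wireshark shows for nslookup.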

Responses

After the browser sends the query, the server has to respond to it. In the response flags you can find the response code (RCODE, the lowest 4 bits), which should be 0 (no error). This is not the opcode: the opcode sits in the 4 bits right after the QR bit, says what kind of query this is, and is 0 for a standard query in both request and response.
Here are the response codes:

RCODE   Name       Description
0       NOERROR    Success
1       FORMERR    Bad format, the request is probably corrupted
2       SERVFAIL   Server failure, a server side error, like HTTP 500
3       NXDOMAIN   Non-existent domain, the name does not exist
4       NOTIMP     Not implemented, the query type or opcode is not supported on this server
5       REFUSED    Query refused, the server is not willing to answer (for example because you are not allowed to use it as a recursive resolver)

The DNS response repeats the question and appends one or more resource records to the answer section. The answer count (ANCOUNT) says how many answer records the server sent; the next two counts do the same for the authority and additional sections.
An answer (resource record) has the following values:

  • Name: the name this record belongs to, usually the name that was asked for (often written as a pointer back to the question, see the section on packet size below)
  • Type: the record type, same values as the question types
  • Class: the class of the record, usually 0x0001, the IN (Internet) class
  • TTL: time to live in seconds, how long a resolver may cache this record
  • Data length: how many bytes of record data follow
  • Data: the result of the lookup: a 4-byte IPv4 address for A, 16 bytes for AAAA, a domain name for CNAME, NS and PTR, and a priority followed by a domain name for MX

Authority Records

The authority section of a response carries the NS records of the name servers that are authoritative for the zone, that is, the servers whose answer is the final word for that domain, so you can query one of them directly to double check a result. You need this because you don't talk to the DNS server of the domain name directly: your resolver walks the hierarchy and uses these referrals to find the authoritative server. Here is the path of the packet:
Your router (DNS forwarder) > Your ISP's DNS server (recursive resolver) > .... > The DNS server of the domain name

DNS Services

There are paid and free DNS services out there. Some free services only let you set A and MX records, which may be enough for many users. If you want to run a mail server that delivers reliably and does not get blacklisted, you need full control over your records (MX, TXT and so on), which usually means a paid service or running your own. Some people set *.example.com as a CNAME to example.com so that every sub-domain resolves to the main domain; be aware that this also makes typos and deleted hostnames resolve. Finally, make sure the reverse lookup works: a PTR record maps the IP address of your machine back to its hostname. It lives in the reverse zone (in-addr.arpa) that belongs to whoever owns the IP block, so you usually have to ask your hosting provider or ISP to set it, and the name it returns should have a matching A record pointing back at the same IP.

Attacks against DNS

DNS is clear text, remember? So anyone who can see your traffic (on the same Wi-Fi, on your router, at your ISP) can read and modify it, and an attacker who cannot see it can still try to beat the real server with a forged response if the Transaction ID and source port are guessable. This can be used for phishing: answer a lookup for some site with the IP of an attacker's server hosting an identical copy of it. It's hard to detect because the browser shows the original name in the address bar regardless of which IP the response pointed it to. One caveat: over HTTPS the attacker's server cannot present a valid certificate for that name, so the browser warns, which is why sites should force HTTPS (HSTS); on the DNS side, DNSSEC signs the records and DNS over TLS/HTTPS protects the path to your resolver.

DNS Is Fast and small

Fast

Because it's clear text and a single small UDP packet each way, it's fast: there's no connection setup and no encryption/decryption to deal with. Plus there is DNS caching, which stores the results of queries for the TTL given in the answer, so repeated lookups don't leave your machine or your resolver at all.

Small

DNS never writes the same domain name twice inside a packet. When a name (or a suffix of it) already appears earlier in the packet, the sender puts a 2-byte pointer in its place: the first two bits are 11 and the remaining 14 bits are the offset of the earlier occurrence, counted from the start of the packet. A typical answer's name is just the two bytes 0xC0 0x0C, pointing at the question name at offset 12. This only applies to names; IP addresses are 4 or 16 raw bytes and are never compressed. A parser has to follow these pointers carefully, because a crafted packet can contain a pointer loop, so only accept pointers that go backwards.
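To tie the response layout from the Responses section and these compression pointers together, here is an added Python parser (my own example, not code from the post) that walks the header, question, answer, authority and additional sections, follows compression pointers only backwards so a crafted loop cannot hang it, and checks that a response really belongs to the query that was sent (same Transaction ID and same question, the check a resolver does before accepting an answer). The query and response bytes are constructed for the example, modelled on an answer for google.com; the TTLs and the ns1.google.com server name are made up, not captured traffic.

```python
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def read_name(msg, off):
    """Decode a (possibly compressed) name at `off`.

    Returns (name, offset of the first byte after the name as stored at `off`).
    Every pointer must land strictly before the last pointer that was followed,
    which is what RFC 1035 compression produces and rules out pointer loops.
    """
    labels = []
    end = None          # where the caller continues after the first pointer
    bound = len(msg)    # each pointer target must be below this
    while True:
        if off >= len(msg):
            raise ValueError("name runs past the end of the message")
        length = msg[off]
        if length & 0xC0 == 0xC0:               # pointer: 11 + 14-bit offset
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if target >= min(off, bound):
                raise ValueError("compression pointer does not go backwards (loop?)")
            if end is None:
                end = off + 2
            bound = off = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        off += 1
        if length == 0:                         # root label: name is complete
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def read_rr(msg, off):
    """Parse one resource record: name, type, class, TTL, data length, data."""
    name, off = read_name(msg, off)
    if off + 10 > len(msg):
        raise ValueError("truncated resource record")
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if off + rdlen > len(msg):
        raise ValueError("rdata runs past the end of the message")
    rdata = msg[off:off + rdlen]
    if rtype == 1 and rdlen == 4:               # A: four raw bytes
        data = ".".join(str(b) for b in rdata)
    elif rtype in (2, 5, 12):                   # NS, CNAME, PTR: a name, may be compressed
        data, _ = read_name(msg, off)
    elif rtype == 15 and rdlen > 2:             # MX: 16-bit preference + name
        pref = struct.unpack("!H", rdata[:2])[0]
        host, _ = read_name(msg, off + 2)
        data = f"{pref} {host}"
    else:                                       # anything else: keep the raw bytes
        data = rdata.hex()
    return {"name": name, "type": TYPE_NAMES.get(rtype, rtype), "ttl": ttl, "data": data}, off + rdlen


def parse_message(msg):
    """Parse header, question, answer, authority and additional sections."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {
        "txid": txid,
        "is_response": bool(flags & 0x8000),    # QR bit
        "opcode": (flags >> 11) & 0xF,
        "truncated": bool(flags & 0x0200),      # TC bit: retry over TCP
        "rcode": RCODE_NAMES.get(flags & 0xF, flags & 0xF),
        "questions": [], "answers": [], "authority": [], "additional": [],
    }
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((name, TYPE_NAMES.get(qtype, qtype)))
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, off = read_rr(msg, off)
            out[section].append(rr)
    return out


def matches_query(query, response):
    """A response is ours only if it is a response, with our ID and our question."""
    q, r = parse_message(query), parse_message(response)
    return r["is_response"] and not q["is_response"] and q["txid"] == r["txid"] and q["questions"] == r["questions"]


def is_malformed(msg):
    """True if the message cannot be parsed (truncated, pointer loop, bad label)."""
    try:
        parse_message(msg)
    except (ValueError, struct.error, UnicodeDecodeError):
        return True
    return False


# Constructed example messages (not captured traffic).
SAMPLE_QUERY = bytes.fromhex("123401000001000000000000" "06676f6f676c6503636f6d00" "00010001")
SAMPLE_RESPONSE = bytes.fromhex(
    "1234" "8180" "0001" "0001" "0001" "0000"                # ID, flags QR|RD|RA rcode 0, counts 1/1/1/0
    "06676f6f676c6503636f6d00" "00010001"                    # question: google.com A IN
    "c00c" "0001" "0001" "0000012c" "0004" "acd9106e"        # answer: ptr->12, A, TTL 300, 172.217.16.110
    "c00c" "0002" "0001" "00000e10" "0006" "036e7331c00c"    # authority: NS, TTL 3600, ns1 + ptr->12
)
LOOPING_MESSAGE = bytes.fromhex("123401000001000000000000" "0178c00c")  # label "x" then a pointer back to itself
```

Feed the bytes returned by a real lookup into parse_message and you get the same fields Wireshark shows; feed it LOOPING_MESSAGE and the backwards-only rule rejects the pointer on its second visit instead of spinning forever. matches_query is the check that makes the Transaction ID matter: a forged response with the wrong ID or a different question is dropped.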

Summary

This was just a quick overview of the DNS protocol. It is a setup for my upcoming mail server tutorials, which use all sorts of new technologies that require basic DNS knowledge. Check out DNS over HTTPS and DNS over TLS. Supporting these protocols requires server side changes too, but they take back a lot of control from ISPs and from anyone spying on or editing our DNS packets.
If you're interested in more details, fire up Wireshark and run nslookup google.com in your command prompt. In Wireshark, type dns into the filter field at the top and press enter. Now you can look at the hex bytes of your packet and at the decoded fields of the DNS packets.

Sources

DNS RFC
My own DNS MITM Attack Tool