Discover our tailor-made Security-as-a-Service solutions for IT infrastructures and web applications.
02
What types of DNS servers are there?
The Domain Name System employs different types of server at different points in the resolution chain, and each answers a different kind of question.
DNS root servers
DNS root servers are authoritative for the root zone, which delegates the top-level domains (TLDs) such as .com or .de. They are not a fallback that is consulted only when another server fails: a resolver queries a root server at the start of an iterative lookup, whenever it has no cached referral for the TLD in question, and the root server answers with a referral to the TLD's name servers rather than with the final IP address. Because every lookup that is not already cached begins there, the root zone is the anchor of the whole system.
ICANN (Internet Corporation for Assigned Names and Numbers) manages the root zone through its IANA function; the root servers themselves are run by twelve independent operators. There are 13 root server identities (a.root-servers.net through m.root-servers.net), each of which is served by many anycast instances distributed around the world, so the number of physical servers is far higher than 13.
Authoritative name servers
Authoritative name servers hold the zone data for one or more specific zones and answer only queries that fall within their area of responsibility. Their answers are binding: they come from the zone data itself rather than from a cache and carry the AA (Authoritative Answer) flag in the response header.
If an authoritative name server is asked for a name it does not hold, it does not hand the query to a root server. It either returns a referral to the name servers of a delegated subzone or reports that the name does not exist (NXDOMAIN). Walking the hierarchy from the root downwards is the job of the recursive resolver, which started the iteration at the root in the first place.
Non-authoritative name servers
Non-authoritative name servers (recursive resolvers) are not responsible for a specific DNS zone. Instead, they obtain the information by querying other servers, iterating from the root through the TLD servers down to the authoritative server, and then serve the result from their cache. Their answers do not carry the AA flag; the client has to trust the resolver's correctness and, without DNSSEC validation, cannot verify it.
Caching servers
Caching servers temporarily store records obtained from other name servers. The authoritative name server determines how long a record may be cached by setting a time to live (TTL) on each record; the caching server counts the TTL down and must re-query once it reaches zero.
Forwarding servers
Forwarding servers have only one function: they pass queries they cannot answer from their cache on to another, configured DNS server (typically a recursive resolver) instead of resolving them themselves. This is a common choice at the network edge, since it funnels all outbound DNS traffic through one controlled resolver.
Resolvers
Resolvers in the narrow sense (stub resolvers) are not DNS servers at all but the client-side component in the operating system or router. They send queries, usually with the recursion desired (RD) flag set, to a configured recursive resolver and hand the result to the application.
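To make the differences between these server roles concrete, here is an added example (it is not code from the original article): a small parser for DNS wire-format responses, written with the Python standard library only, that classifies a response as authoritative, cached, referral or NXDOMAIN from its header flags and sections, and reads the TTL that governs how long a caching server may keep the answer. The four responses it inspects are constructed inline to look like what a resolver would receive from an authoritative server, from a caching resolver and from a root server; the address 192.0.2.10 and the server name ns1.example.net are placeholders.

```python
"""Classify DNS responses by the role of the server that produced them.
Added example, not from the original article: standard library only, all
messages constructed inline in RFC 1035 wire format, no network access."""
import struct

RTYPE = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 28: "AAAA"}

def encode_name(name):
    """Dotted name -> length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                     # caller resumes after the pointer
            hops += 1
            if hops > 64:                         # reject pointer loops
                raise ValueError("compression loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_rr(msg, off):
    name, off = decode_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype == 1:                                # A: four octets
        data = ".".join(str(b) for b in msg[off:off + rdlen])
    elif rtype in (2, 5):                         # NS/CNAME: a (compressible) name
        data, _ = decode_name(msg, off)
    else:
        data = msg[off:off + rdlen].hex()
    return {"name": name, "type": RTYPE.get(rtype, rtype), "ttl": ttl, "data": data}, off + rdlen

def parse_response(msg):
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    resp = {"id": ident, "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        resp[key] = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            resp[key].append(rr)
    return resp

def classify(resp):
    """Which kind of server produced this response?"""
    if resp["rcode"] == 3:
        return "NXDOMAIN"
    if resp["answer"]:
        return "authoritative answer" if resp["aa"] else "non-authoritative (cached) answer"
    if any(rr["type"] == "NS" for rr in resp["authority"]):
        return "referral"
    return "empty"

def cache_lifetime(resp):
    return min((rr["ttl"] for rr in resp["answer"]), default=0)   # smallest answer TTL

# --- constructed sample messages (192.0.2.10 and ns1.example.net are placeholders) ---
def _hdr(ident, flags, qd, an, ns, ar):
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)

QUESTION = encode_name("www.example.com") + struct.pack("!HH", 1, 1)   # A, IN
A_RDATA = bytes([192, 0, 2, 10])
# Authoritative server: QR=1 AA=1 RD=1, full TTL; the answer name is a pointer to offset 12.
AUTHORITATIVE = (_hdr(0x1234, 0x8500, 1, 1, 0, 0) + QUESTION
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + A_RDATA)
# Caching resolver: QR=1 RD=1 RA=1 but AA=0, and the TTL has already counted down.
CACHED = (_hdr(0x1235, 0x8180, 1, 1, 0, 0) + QUESTION
          + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 1200, 4) + A_RDATA)
# Root server: no answer, only an NS record for "com." (pointer to offset 24) in the authority section.
NS_RDATA = encode_name("ns1.example.net")
REFERRAL = (_hdr(0x1236, 0x8000, 1, 0, 1, 0) + QUESTION
            + b"\xc0\x18" + struct.pack("!HHIH", 2, 1, 172800, len(NS_RDATA)) + NS_RDATA)
# Authoritative server asked for a name it does not hold: RCODE 3, nothing else.
NXDOMAIN = _hdr(0x1237, 0x8503, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    for label, raw in (("authoritative", AUTHORITATIVE), ("cached", CACHED),
                       ("referral", REFERRAL), ("nxdomain", NXDOMAIN)):
        r = parse_response(raw)
        print(f"{label:13s} -> {classify(r)}; cache {cache_lifetime(r)}s; {r['answer'] or r['authority']}")
```

Two details are worth noticing in the output. The authoritative and the cached response carry the same record, and only the AA flag and the already reduced TTL tell them apart; a client that wants a binding answer has to look at the flag, not at the data. The referral from the root contains no answer at all, just the NS records of the next zone down, which is why an authoritative server never "hands over" to the root: the resolver is the component that follows referrals.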
04
Criticism of DNS
The DNS has been criticized from some quarters, including the following aspects:
Both civil-society associations and commercial providers complain that the DNS is used to block domains: because a resolver can be configured to return a false or empty answer for any name, governments can order providers to filter at the DNS level, a practice employed in Iran, China, Indonesia, and Greece, for example. This discussion is taking place in the context of general debates on internet content blocking and censorship. In response, organisations such as the Chaos Computer Club and digitalcourage, and the company OpenDNS, operate their own public resolvers, which, according to their claims, are free of such filtering. Switching resolvers only circumvents blocking that is enforced at the resolver; it does not help against a domain that has been removed at the registry or on the authoritative name servers.
The DNS is, for the most part, unencrypted: classic DNS runs in cleartext over UDP or TCP port 53. Devices on the same local wireless network and the internet provider can therefore read, and also tamper with, every DNS query. Since this poses a risk to privacy, several solutions for DNS encryption are now available. IT security professionals typically employ DNS over TLS (DoT, RFC 7858, TCP port 853) or DNS over HTTPS (DoH, RFC 8484). The DNSCrypt protocol likewise encrypts and authenticates the traffic between client and resolver. All three protect only the hop between the client and the resolver: the resolver itself still sees the query in plain text, and its own upstream queries to authoritative servers are usually unencrypted.
05
DNS extensions
Various internet standards extend the DNS with further mechanisms, for example for dynamic addresses, larger messages and security.
Dyn DNS is short for “dynamic Domain Name System.” Such services let users bind a fixed hostname to a changing IP address: a client on the connection reports its current address to the Dyn DNS provider, which updates the record and publishes it with a short TTL so that caches pick up the change quickly. Running a web server on a residential connection with a dynamic IP address is a typical application.
Extension mechanisms for DNS (EDNS, today EDNS(0), RFC 6891) extend the original packet format, which limited a message over UDP to 512 bytes and offered only a handful of header flag bits. EDNS adds a pseudo-record (OPT) to the additional section, in which the client advertises the UDP payload size it can handle and which carries extra flags and options. These extensions proved necessary in the 1990s because the original restrictions were no longer able to meet modern needs; DNSSEC in particular depends on EDNS, since signed responses rarely fit into 512 bytes and the DO (DNSSEC OK) flag that requests signatures lives in the OPT record.
DNSSEC describes a series of security extensions for the DNS (RFC 4033 to 4035) that guarantee the authenticity and integrity of the data obtained via the system: zone data is signed with public-key cryptography, and a validating resolver checks the chain of signatures from the root zone down to the record. DNSSEC does not encrypt anything, however; queries and responses remain readable on the wire. Privacy in transit is the domain of DoT, DoH and DNSCrypt, so a hardened setup combines both: DNSSEC validation for authenticity and an encrypted transport for confidentiality.
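Because DNSSEC and the encrypted transports are often confused, here is an added example (Python standard library; not code from the original article) that shows where each lives on the wire. It builds a query with an EDNS(0) OPT record whose DO bit asks the server for DNSSEC signatures, then wraps the identical message for DNS over TLS (16-bit length prefix) and for DNS over HTTPS (base64url GET parameter), the two transports named under the privacy criticism above. The resolver URL https://dns.example/dns-query and the advertised UDP payload size of 1232 bytes are assumptions; the field layouts follow RFC 6891, RFC 7858 and RFC 8484.

```python
"""Build a DNS query carrying an EDNS(0) OPT record with the DO (DNSSEC OK)
bit, and frame the same wire-format message for DoT and DoH.
Added example, not from the original article. Standard library only;
"https://dns.example/dns-query" is a placeholder resolver URL."""
import base64
import struct

TYPE_OPT = 41
DO_BIT = 0x8000      # bit 15 of the 32-bit OPT "TTL" field (RFC 3225 / RFC 6891 6.1.3)
UDP_SIZE = 1232      # assumed payload size; the value chosen to avoid IP fragmentation

def encode_name(name):
    """Dotted name -> length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_opt(udp_size=UDP_SIZE, dnssec_ok=True):
    """OPT pseudo-RR (RFC 6891 6.1.2): root name, TYPE 41, CLASS carries the
    advertised UDP payload size, TTL carries ext-rcode|version|DO|Z, no options."""
    ttl_field = DO_BIT if dnssec_ok else 0          # ext-rcode 0, version 0
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl_field, 0)

def build_query(name, qtype=1, ident=0, edns=True, dnssec_ok=True, udp_size=UDP_SIZE):
    """Single-question query with RD=1 (we ask a recursive resolver). Without
    EDNS the message has no additional section and the server assumes 512 bytes."""
    flags = 0x0100
    msg = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)     # class IN
    if edns:
        msg += build_opt(udp_size, dnssec_ok)
    return msg

def edns_params(msg):
    """Return (udp_size, do_bit) from the OPT RR of a one-question message built
    above, or None when it carries no EDNS. Query names are never compressed."""
    arcount = struct.unpack("!H", msg[10:12])[0]
    off = 12
    while msg[off] != 0:                              # skip question name labels
        off += 1 + msg[off]
    off += 1 + 4                                      # terminator + QTYPE/QCLASS
    for _ in range(arcount):
        rtype, cls, ttl, rdlen = struct.unpack("!HHIH", msg[off + 1:off + 11])
        if msg[off] == 0 and rtype == TYPE_OPT:       # OPT must use the root name
            return cls, bool(ttl & DO_BIT)
        off += 11 + rdlen
    return None

def frame_for_dot(msg):
    """DoT (RFC 7858) runs over TLS on port 853 and keeps the TCP framing of
    RFC 1035 4.2.2: every message is prefixed with its 16-bit length."""
    return struct.pack("!H", len(msg)) + msg

def doh_get_url(msg, resolver="https://dns.example/dns-query"):
    """DoH GET (RFC 8484 4.1): the wire-format query, base64url-encoded without
    padding, in the 'dns' parameter. Build the query with ID 0 so that equal
    questions yield equal URLs that HTTP caches can serve."""
    token = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={token}"

if __name__ == "__main__":
    q = build_query("example.com", qtype=1)
    print("query bytes:        ", q.hex())
    print("EDNS (udp_size, DO):", edns_params(q))
    print("DoT frame prefix:   ", frame_for_dot(q)[:2].hex())
    print("DoH GET:            ", doh_get_url(q))
```

The point of the example is the separation of layers: the OPT record and its DO bit are part of the DNS message and only tell the server to include RRSIG records, while validation is the resolver's job; the length prefix and the base64url token are all that DoT and DoH add, and neither changes the message itself. A server that ignores EDNS answers without an OPT record, so an unencrypted path with DNSSEC is authenticated but readable, and an encrypted path without DNSSEC is private but unverified.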
Want to learn more about our solutions, use cases and best practices for attack defense? In our download area you will find product sheets, fact sheets, white papers and case studies.