What is DNS?

DNS is the abbreviation for Domain Name System. The Domain Name System converts domain names, which can be read by humans, into IP addresses, which in turn can be read by machines. This makes the DNS the “telephone book of the internet” because it is a directory that enables users to access the IP addresses associated with specific addresses in their browsers.

At one look

  1. 1. Definition of what DNS is
    1. 2. What types of DNS servers are there?
      1. 3. How does a DNS query work?
        1. 4. Criticism of DNS
          1. 5. DNS extensions
            1. 6. What are the risks of the DNS?
              1. 7. DNS: What you need to know
                /

                01

                Definition of what DNS is

                While human users use domain names such as www.myrasecurity.com to access websites, browsers and servers interact via IP addresses. The Domain Name System enables users to access websites without having to know the associated IP address. The DNS is used to associate the domain with the appropriate IP address.

                DNS servers distributed throughout the world convert domain names into IP addresses, thereby taking control of which server a user can access via a specific domain.

                02

                What types of DNS servers are there?

                The Domain Name System employs different servers at different points.

                DNS root servers

                DNS root servers are responsible for Top Level Domains. As the last instance, they are only queried if the name server does not respond. Since it links the domain and IP address, a root server is the central interface between users and content on the internet.

                ICANN (Internet Corporation for Assigned Names and Numbers) coordinates the work of the root name servers. There are 13 such root servers throughout the world.

                Authoritative name servers

                Authoritative name servers have authority for a specific zone, which means that they only answer queries from their area of responsibility, and their details are binding.

                If an authoritative name server is unable to respond to a client request, the root name server takes over at this point.

                Non-authoritative name servers

                Non-authoritative name servers are not responsible for a specific DNS zone. Instead, they collect information on specific DNS zones using recursive or iterative DNS queries.

                Caching servers

                Caching servers temporarily store information from other name servers for a specific period of time. The authoritative name server determines the duration of this storage.

                Forwarding servers

                Forwarding servers have only one function: They forward DNS queries to another DNS server.

                Resolvers

                Resolvers are not authoritative DNS servers but perform name resolution locally in the computer or router.

                /

                03

                How does a DNS query work?

                A DNS query is always required when the computer does not have the address information necessary for accessing a web page in its cache and the internet service provider’s preconfigured DNS service is also unable to resolve the name. In detail, a DNS query takes place according to the following pattern:

                1. The user enters the URL of a website (e.g., www.google.com) in his or her browser.

                2. The resolver sends a query to a DNS root server.

                3. The root server tells the resolver the top-level domain under which it can find information for the website. For www.google.com, this is the .com Top Level Domain.

                4. The resolver sends a query to the relevant Top Level Domain.

                5. The Top Level Domain server returns the relevant name server’s IP address. At this point, the resolver sends a request to the name server.

                6. The name server returns the IP address of the relevant domain to the resolver, which passes it on to the browser.

                7. The browser then accesses the website by sending an HTTP request to the IP address. The server accessed this way transmits the web page files to the browser so that its content can be parsed and displayed.

                04

                Criticism of DNS

                The DNS has been criticized from some quarters, including the following aspects:

                Censorship:

                Both associations and commercial providers complain that the DNS censors domains. It is also possible for censors to manipulate the system, a practice employed in Iran, China, Indonesia, and Greece, for example. This discussion is taking place in the context of general debates on internet content blocking and censorship. As a result, providers such as the Chaos Computer Club, digitalcourage, and the company OpenDNS have developed their own alternatives to DNS, which, according to their claims, are free of censorship.

                No encryption:

                The DNS is, for the most part, unencrypted. Devices on a local wireless network and internet providers can thus join in and sniff DNS queries. Since this poses a risk to privacy, a few solutions for DNS encryption are now available. IT security professionals typically employ DNS over TLS (DoT) or DNS over HTTPS (DoH). The DNSCrypt network protocol also encrypts traffic between computers and name servers.

                05

                DNS extensions

                Various internet standards extend the DNS with other mechanisms, such as in the area of security.

                Dyn DNS

                Dyn DNS is the abbreviation for “dynamic Domain Name System.” These services enable users to assign a fixed hostname to dynamic IP addresses. Running a web server with a dynamic IP address is one of its applications.

                Extension mechanisms for DNS

                Extension mechanisms for DNS (EDNS) enables DNS data to be sent in UDP packets. Extensions of the DNS packet format proved necessary in the 1990s because the restrictions in DNS packets were no longer able to meet modern needs.

                DNSSEC

                DNSSEC describes a series of security extensions for the DNS, which guarantee the authenticity and integrity of the data transmitted via the system. Encrypting data transmissions in the DNS ensures user privacy and data security.

                /

                06

                What are the risks of the DNS?

                The Domain Name System can become a victim of cyberattacks. There are many relevant hazards:

                • DDoS attacks on name servers: A Distributed Denial of Service attack (DDoS attack) overloads a server with so many queries that it is no longer accessible or only to a limited extent. Name servers are also victims of these attacks, such as the attack on the DNS infrastructure of the company Dyn in October 2016. Many globally popular websites such as Twitter and PayPal were unavailable for several hours. Redundant infrastructure and appropriate security measures are important means of prevention.

                • DNS amplification attacks: In a DNS amplification attack, hackers misuse incorrectly configured name servers to amplify their attacks. This is a specific type of DDoS attack. Attackers take advantage of the fact that many name servers will respond to queries from any clients.

                • DNS spoofing: DNS spoofing or cache poisoning introduces corrupt data into the DNS resolver’s cache. As a result, hackers can divert web users to any other website and gain access to their data.

                07

                DNS: What you need to know

                The Domain Name System is the underlying mechanism enabling internet users to access websites from their domain names by establishing the association between the domain name and the IP address of a website. Because the DNS is so essential to the operation of the internet, it is an appealing target for hackers. Therefore, it is especially important for companies to rely on IT security and to secure data transmission over the DNS.

                Myra DDoS Protection uses Myra Secure DNS to protect the resolution of your company domain name from attacks and ensure the availability of your systems and services.

                Find out more about Myra Secure DNS

                © Myra Security GmbH 2023, alle Rechte vorbehalten

                Responsible DisclosureGlossarImpressumDatenschutzAGB