
Protect and Surf Safely: The Power of DNS - Cybersecurity Explorations

Discover the crucial importance of the Domain Name System (DNS) in modern cybersecurity with our crash course. Dive into the intricacies of DNS to understand its central role in Internet navigation, and learn how to protect it from malicious attacks. Strengthen your security skills by exploring key DNS concepts, common vulnerabilities and best practices for secure online browsing. Join us now to master the art of DNS protection and management, and become a digital security expert.

75 minutes


Contents

📡 DNS - Introduction

DNS (Domain Name System) exists because users prefer to give assets names that are pronounceable and easy to remember, rather than IP addresses, which are harder to remember (especially in IPv6) and, above all, liable to change over time.

DNS helps direct Internet traffic by connecting domain names to physical Web servers. All you have to do is provide a valid domain name in your request, and it is translated into the IP address of the Web server you want to reach. The same mechanism locates the mail server responsible for an e-mail address.

The role of DNS is to map between logical names and the physical (IP) addresses of the network.

DNS is a basic Internet service, without which it would be difficult to use the Web.

DNS is a distributed, decentralized database of unique domain names. DNS is thus a hierarchical, redundant and distributed system. Each site is master of its own data.

DNS is also a protocol for:

  • Finding an IPv4 or IPv6 address from a domain name
  • Reverse resolution: finding a name from an IP address
  • Retrieving mail relay addresses

Domain names are case insensitive.

DNS was introduced in 1984.

DNS specifications have evolved considerably since 1983. The first specifications were based on [RFC 1034] and [RFC 1035] from 1987.

[RFC 8499], published in 2019, reformulates and clarifies DNS terminology.

A domain name is an identifier in a tree-like naming system: the root, followed by a TLD (Top-Level Domain; a ccTLD, country code Top-Level Domain, when it is a country code), for example .fr, .org, .com, .net, ..., followed by a second-level domain, a third-level domain, and so on. The number of levels is limited to 127.

Examples: en.wikipedia.org, silicom.fr, gmail.com, nationalcrimeagency.gov.uk

The number of components (domain levels) making up a domain name is otherwise not fixed.

Since 2009, the IDN (Internationalized Domain Name) technique in Unicode has enabled people who normally use accented or non-ASCII character sets (Arabic, Chinese, Indian, etc.) to use the Internet in their own language. Right-to-left scripts are also taken into account, depending on the language used for writing domain names.

It's possible to set up local servers for personal TLDs, but they'll only be of local use, so they won't be of much interest from the point of view of the Internet in general.

🌳 DNS tree structure

An FQDN (Fully Qualified Domain Name) is a domain name that states every level up to the root [RFC 819].

The DNS tree is made up of nodes. A node name may not exceed 255 characters, and each level is limited to 63 characters. [RFC 1032] recommends limiting this length to 12 characters.

A node contains:

  • Information for finding child nodes
  • Node-specific information: the list of machines
  • By analogy with a file system directory: subdirectories and files

Node names can be identical if they are from different domains. Each node can be managed by different entities.
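As an added example (not part of the Seela course material), the following Python module applies the naming rules above: the 63-character label and 255-character name limits, the 127-level limit, case-insensitive comparison of names, FQDN detection, the RFC 1035 wire encoding of a name, and the construction of the reverse-resolution name (in-addr.arpa / ip6.arpa) mentioned in the introduction. Function names and the sample addresses (taken from the documentation ranges) are my own choices.

```python
import ipaddress

MAX_LABEL = 63      # per-level limit stated in the course
MAX_NAME = 255      # whole-name limit stated in the course
MAX_LEVELS = 127    # level limit stated in the course


def split_labels(name: str) -> list[str]:
    """Split a (possibly fully qualified) name into its labels, root excluded."""
    name = name.rstrip(".")
    return name.split(".") if name else []


def validate_name(name: str) -> list[str]:
    """Return the problems found in a domain name (an empty list means it is acceptable)."""
    problems = []
    labels = split_labels(name)
    if len(labels) > MAX_LEVELS:
        problems.append(f"too many levels: {len(labels)} > {MAX_LEVELS}")
    if len(name.rstrip(".")) > MAX_NAME:
        problems.append(f"name longer than {MAX_NAME} characters")
    for label in labels:
        if not label:
            problems.append("empty label (consecutive dots)")
        elif len(label) > MAX_LABEL:
            problems.append(f"label '{label[:10]}...' longer than {MAX_LABEL} characters")
    return problems


def same_name(a: str, b: str) -> bool:
    """Domain names are case-insensitive; the trailing root dot is ignored."""
    return [l.lower() for l in split_labels(a)] == [l.lower() for l in split_labels(b)]


def is_fqdn(name: str) -> bool:
    """A fully qualified name is written with the root explicitly (trailing dot)."""
    return name.endswith(".")


def reverse_name(ip: str) -> str:
    """Build the owner name of the PTR record used for reverse resolution."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        # 192.0.2.1 -> 1.2.0.192.in-addr.arpa.
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    # IPv6: every hex nibble of the expanded address becomes one label, reversed
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def to_wire(name: str) -> bytes:
    """Encode a name in RFC 1035 wire format: length-prefixed labels ending with a zero byte."""
    problems = validate_name(name)
    if problems:
        raise ValueError("; ".join(problems))
    out = b""
    for label in split_labels(name):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


if __name__ == "__main__":
    for n in ("en.wikipedia.org", "silicom.fr.", "a" * 64 + ".org", "a..b"):
        print(n, "->", validate_name(n) or "ok")
    print(reverse_name("192.0.2.1"))
    print(reverse_name("2001:db8::1"))
    print(to_wire("silicom.fr"))
```

The wire encoding is what every DNS query and answer carries on the network, so the length checks are applied there rather than only on the text form: a label over 63 bytes cannot be expressed in a one-byte length prefix at all.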

🌏 DNS ecosystem

  • Domain name registrars.
  • Root servers: there are 13 of them worldwide, and they know all the 260 TLDs. The U.S. government took control of the root in 1998. ICANN (Internet Corporation for Assigned Names and Numbers) manages the root on a day-to-day basis on behalf of the US government.
  • Authoritative servers: DNS servers that know the contents of a domain. This type of server includes the TLD servers. There are several TLD registries, such as Verisign for .com, AFNIC (Association Française pour le Nommage Internet en Coopération) for .fr, Afilias for .org, etc. Each authoritative server sets its own lifetime (TTL) for the records it holds.
  • Name resolvers (also known as recursive DNS): DNS servers that hold no zone data of their own; they ask authoritative servers questions and cache the answers.
  • DNS records that associate a domain with a Web service.
  • Web services hosting websites. A type A (IPv4) or AAAA (IPv6) record must be added to a domain's name servers to associate that domain with the Web servers hosting the website.
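The chain root server → TLD server → authoritative server → caching resolver described in the list above, simulated in Python as an added example that is not part of the course. All zone data, server addresses (192.0.2.0/24 documentation range) and names other than silicom.fr are constructed; a delegation without a glue record is included to show why glue is needed, and the resolver honours the TTL that each authoritative server sets on its own records.

```python
import time

# Constructed, in-memory zone data for the three tiers of the DNS ecosystem.
# A server maps an owner name to a list of (type, value, ttl) records; a delegation
# is an NS record plus the glue A record giving the child server's address.
ROOT_ZONE = {
    "fr.": [("NS", "ns.nic.fr.", 172800)],
    "ns.nic.fr.": [("A", "192.0.2.10", 172800)],        # glue for the .fr server
}
FR_TLD_ZONE = {
    "silicom.fr.": [("NS", "ns1.silicom.fr.", 86400)],
    "ns1.silicom.fr.": [("A", "192.0.2.20", 86400)],   # glue: the NS lives inside the child zone
    "noglue.fr.": [("NS", "ns1.noglue.fr.", 86400)],   # broken delegation: no glue record
}
SILICOM_ZONE = {
    "www.silicom.fr.": [("A", "192.0.2.30", 300)],     # short TTL chosen by this authoritative server
    "silicom.fr.": [("MX", "mail.silicom.fr.", 3600)],
}
# The "network": which zone answers at which address (constructed addresses).
SERVERS = {"192.0.2.1": ROOT_ZONE, "192.0.2.10": FR_TLD_ZONE, "192.0.2.20": SILICOM_ZONE}
ROOT_ADDR = "192.0.2.1"


def ask(server_addr, qname, qtype):
    """One round trip to a server: ('answer', records), ('referral', next_addr) or ('nxdomain', None)."""
    zone = SERVERS[server_addr]
    hits = [r for r in zone.get(qname, []) if r[0] == qtype]
    if hits:
        return "answer", hits
    # No answer here: refer the resolver to the closest enclosing delegation this server knows.
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        ns = [r for r in zone.get(candidate, []) if r[0] == "NS"]
        if ns:
            glue = [r for r in zone.get(ns[0][1], []) if r[0] == "A"]
            if not glue:
                raise LookupError(f"delegation of {candidate} to {ns[0][1]} has no glue record")
            return "referral", glue[0][1]
    return "nxdomain", None


class Resolver:
    """A recursive resolver: holds no zone data, walks the referrals, caches answers until their TTL expires."""

    def __init__(self, root_addr=ROOT_ADDR, clock=time.monotonic):
        self.root_addr = root_addr
        self.clock = clock              # injectable so TTL expiry can be simulated
        self.cache = {}                 # (name, type) -> (records, expiry time)
        self.queries_sent = 0

    def resolve(self, qname, qtype, max_hops=8):
        qname = qname.lower()           # names are case-insensitive
        key = (qname, qtype)
        cached = self.cache.get(key)
        if cached and cached[1] > self.clock():
            return cached[0]            # answer still valid: no network traffic
        server = self.root_addr
        for _ in range(max_hops):
            self.queries_sent += 1
            kind, data = ask(server, qname, qtype)
            if kind == "answer":
                ttl = min(r[2] for r in data)
                self.cache[key] = (data, self.clock() + ttl)
                return data
            if kind == "referral":
                server = data           # follow the delegation one level down
                continue
            return []                   # name does not exist
        raise RuntimeError("too many referrals")


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.silicom.fr.", "A"), "after", r.queries_sent, "queries")
    print(r.resolve("WWW.silicom.fr.", "A"), "after", r.queries_sent, "queries (cached)")
    print(r.resolve("silicom.fr.", "MX"))
```

Three queries (root, TLD, authoritative) are needed the first time; the second lookup of the same name is served from the cache and sends nothing. Once the 300-second TTL set by the authoritative server has elapsed the resolver walks the chain again, which is why a short TTL trades a little extra traffic for faster propagation of changes.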

Domain name registrars

This is the RRR system (registry, registrar, registrant).

Today, there are some 400 registrars accredited by AFNIC (which manages the .fr domain name) offering .fr, .re, .yt, .pm, .wf and .tf domain names.

Directory of registrars: https://www.afnic.fr/fr/votre-nom-de-domaine/comment-choisir-et-creer-mon-nom-de-domaine/annuaire-des-bureaux-d-enregistrement/

All the domain name registrars listed below support 2-factor authentication.

  • Cloudflare
  • Enom
  • GoDaddy
  • Google Domains
  • Hover
  • Name.com
  • Namecheap
  • OVH
  • ...

Domain name maintenance is subject to a subscription period with the domain name registrar. Registry and registrar databases can be queried using whois or RDAP (Registration Data Access Protocol).

TLDs

Top-Level Domains (TLDs) are managed by ICANN, which has 2 groups of domains:

  • gTLDs (generic TLDs), served by 13 root server names (grouping together around 120 physical machines) belonging to the root-servers.net domain. The master server A.root-servers.net is managed by Verisign Global Registry Services, while the other servers are mirrors named B.root-servers.net to M.root-servers.net.
  • ccTLDs (country code TLDs), which are two-character codes based on ISO 3166-1. They are managed by regional organizations (registries) and marketed by private organizations (registrars).

Anycast, introduced with IPv6, is a technique that allows several geographically dispersed machines to use the same IP address. Any request to an anycast address is routed to the nearest authoritative server.

[RFC 3258] authorizes the duplication of DNS servers. As a result, several physical servers can be attached to the same root DNS server name. This distribution reduces the load on each physical machine, increasing performance and resistance to DoS (Denial of Service) or DDoS (Distributed DoS) attacks.

Anycast technology renders obsolete the notion of the geographical location of authoritative servers.

A root server (gTLD) is hosted in France by SFINX (Service for French Internet eXchange), split into 2 geographical locations (Paris and Aubervilliers) for redundancy, and managed by RENATER (Réseau national de télécommunications pour la technologie, l'enseignement et la recherche):

  • F.root-servers.net (Europe zone), maintained by the American company ISC (Internet Systems Consortium).

📼 DNS records

There are several types of DNS records:

  • NS (name server): designates the servers authoritative for the DNS zone. Several DNS zones can be registered with different domain name registrars.
  • A or AAAA: used to point a domain or sub-domain to an IPv4 or IPv6 address.
  • CNAME (canonical name): associates a sub-domain with the primary or canonical domain. This type of record is commonly used to associate a www sub-domain with the primary domain, such as www.silicom.fr with silicom.fr.
  • MX (mail exchange): used to associate a domain with a mail service.
  • PTR (pointer): associates an IP address with a domain name. It is the reverse of the A or AAAA record.
  • SOA (Start Of Authority): gives information about the zone, including a serial number versioning the zone, so that the secondary servers for the domain know whether they need to update.
  • SRV (service): the servers of a domain for a given application. It generalizes the MX record.
  • TXT (text): associates a text field with a domain. TXT records are most often used for:
    • SPF (Sender Policy Framework), which sets rules for sending e-mails. For example, for a contact form to send e-mails through a server, the SPF record must state that this server is authorized to send.
    • A character string required by certain external web services. The most common example is companies offering third-party solutions: to link their solution to the web site, you sometimes have to put a file on the FTP server or create a TXT record, in both cases to prove that you own the site.
  • NAPTR (Naming Authority Pointer): gives access to rewriting rules that map a domain name to a resource. [RFC 3403]
  • LOC (location): indicates the physical location (longitude and latitude) of a host. [RFC 1876]
  • HINFO (host information): an information record with 2 elements: the first is hardware information, the second is software information.
  • Glue records: when a domain is delegated to a name server whose name belongs to that sub-domain, the IP address of this server must also be provided to avoid circular references.
    This derogates from the general principle that domain information is not duplicated elsewhere in the DNS.

In this course, only the main DNS records are listed. In fact, there are many: see https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml section Resource Record (RR) TYPEs. 
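As an added example (not from the course), a small zone checker in Python that parses a constructed zone in text form and flags the defects the record descriptions above imply: an in-zone NS without its glue A/AAAA record, a CNAME coexisting with other records at the same name, an MX pointing at a CNAME, a missing or non-numeric SOA serial, and more than one SPF TXT record at the apex. The zone content, the function names and all addresses are constructed; silicom.fr is used only because the course uses it as its example name.

```python
# Constructed zone text (one record per line: name ttl class type rdata).
# It deliberately contains three defects for the checker to find.
ZONE = """\
silicom.fr.        3600 IN SOA   ns1.silicom.fr. hostmaster.silicom.fr. 2024010101 7200 3600 1209600 300
silicom.fr.        3600 IN NS    ns1.silicom.fr.
silicom.fr.        3600 IN NS    ns2.silicom.fr.
ns1.silicom.fr.    3600 IN A     192.0.2.20
silicom.fr.        3600 IN A     192.0.2.30
www.silicom.fr.    3600 IN CNAME silicom.fr.
www.silicom.fr.    3600 IN A     192.0.2.31
silicom.fr.        3600 IN MX    10 mail.silicom.fr.
mail.silicom.fr.   3600 IN CNAME relay.example.net.
silicom.fr.        3600 IN TXT   "v=spf1 mx -all"
"""


def parse_zone(text):
    """Parse 'name ttl class type rdata' lines into record dicts; ';' starts a comment."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)   # rdata keeps its inner spaces
        records.append({"name": name.lower(), "ttl": int(ttl), "type": rtype.upper(), "rdata": rdata})
    return records


def soa_serial(records, origin):
    """The SOA serial is the zone version that secondaries compare to decide whether to update."""
    for r in records:
        if r["type"] == "SOA" and r["name"] == origin.lower():
            return int(r["rdata"].split()[2])
    raise LookupError("no SOA record at the zone apex")


def lint_zone(records, origin):
    """Return a list of human-readable findings; an empty list means no defect was detected."""
    origin = origin.lower()
    by_name = {}
    for r in records:
        by_name.setdefault(r["name"], []).append(r)
    findings = []

    soa = [r for r in by_name.get(origin, []) if r["type"] == "SOA"]
    if len(soa) != 1:
        findings.append(f"zone must have exactly one SOA at {origin}, found {len(soa)}")
    elif not soa[0]["rdata"].split()[2].isdigit():
        findings.append("SOA serial is not numeric")

    ns_hosts = [r["rdata"].lower() for r in by_name.get(origin, []) if r["type"] == "NS"]
    if not ns_hosts:
        findings.append("no NS record at the zone apex")
    for host in ns_hosts:
        # A name server inside the zone it serves needs an address record (glue) next to it
        if host.endswith("." + origin) and not any(r["type"] in ("A", "AAAA") for r in by_name.get(host, [])):
            findings.append(f"in-zone name server {host} has no A/AAAA (glue) record")

    for name, recs in by_name.items():
        types = {r["type"] for r in recs}
        if "CNAME" in types and len(types) > 1:
            findings.append(f"{name} has a CNAME alongside {sorted(types - {'CNAME'})}")

    for r in records:
        if r["type"] == "MX":
            target = r["rdata"].split()[1].lower()
            if any(t["type"] == "CNAME" for t in by_name.get(target, [])):
                findings.append(f"MX target {target} is a CNAME")

    spf = [r for r in by_name.get(origin, []) if r["type"] == "TXT" and "v=spf1" in r["rdata"]]
    if len(spf) > 1:
        findings.append("more than one SPF TXT record at the apex")
    return findings


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    print("SOA serial:", soa_serial(recs, "silicom.fr."))
    for finding in lint_zone(recs, "silicom.fr."):
        print("-", finding)
```

Run as-is it reports the three planted defects (ns2 without glue, www with both CNAME and A, MX pointing at a CNAME). A check like this belongs in the change pipeline for zone files, where a bad edit is cheaper to catch than after the serial has been bumped and the secondaries have transferred it.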

⚖️ Paid vs. free DNS

Paid DNS services offer features that free DNS services do not:

  • Faster domain name resolution, even if the gain is only a few milliseconds
  • Enhanced reliability
  • Better security
  • Improved availability, especially in the face of DDoS (Distributed Denial of Service) attacks

🎬 Conclusion

The DNS system is essential to the smooth running of the Internet, because without it, little or nothing works.

Content is served by domain name, not by IP address: even if reaching a Web site's home page by IP address works, a server that hosts several applications will only return its default page, and the first link clicked on that page brings back the problem of resolving the domain name it contains.

DNS is one of the largest distributed databases in the world.


DNS is the domain name system: it translates domain names (for example, a name ending in .com) into machine-readable IP addresses.

DNS is essential for Internet browsing, as it facilitates the resolution of domain names into IP addresses, enabling users to access websites using easy-to-remember names.

Common DNS record types include A (IP address), CNAME (alias), MX (mail server), NS (name server), and TXT (text).

When a user enters a domain name in their browser, the system sends a DNS query to resolve the name into an IP address. This query is sent to a DNS server, which looks up the corresponding record and returns the associated IP address.

The main threats to DNS security include DNS hijacking, cache poisoning, DNS spoofing and DDoS attacks targeting DNS servers.

To protect DNS, we recommend using secure DNS servers, setting up firewalls to block suspicious DNS requests, regularly updating DNS software and monitoring for abnormal activity.

Best practices for DNS configuration include using strong passwords for DNS administration accounts, limiting access permissions, setting up logging and monitoring, and regularly updating DNS records.
