2026-03-15 04:41:02 +09:00

DNS (Domain Name System)

In the early internet there were only a few hosts on the network, and it was possible to manage all of them by IP address or domain name in the /etc/hosts file of each server. However, it is hard for people to match and remember what an IP address means, and as the internet grew bigger, the route to a target server became more complex. To solve this problem, DNS emerged as a translator between IP addresses and domain names. In the modern internet, DNS has a hierarchical structure, from the root to the TLD and from the TLD to the authoritative server, for efficiency.

Structure of DNS

Communication

  • DNS: 53 tcp/udp

DNS communication basically uses port 53/udp. However, in the modern, more complex internet environment the size of a packet is sometimes above 512 bytes; in this case DNS uses 53/tcp too. The weakness of DNS is that all communication is in plaintext, so anyone on the path can sniff DNS packets.

  • DoT (DNS over TLS): 853 tcp

DoT was developed to encrypt DNS queries. It sends queries over TLS, so nobody can sniff DoT traffic. However, it uses the dedicated port 853. If an ISP blocks or analyzes port 853, the usage pattern can be analyzed, or DoT cannot be used at all. Additionally, there is also DNS over DTLS, which uses 853/udp.

  • DoH (DNS over HTTPS): 443 tcp/udp

DoH is very similar to DoT: it uses TLS and was developed to encrypt DNS queries. There is just one difference: it uses HTTPS (443 tcp/udp) instead of 853/tcp. HTTPS is the standard web protocol, so it is hard to tell whether someone is sending DNS requests or ordinary web traffic. This means an ISP or government cannot block port 443 itself or analyze the pattern of DNS queries. Since 2022 there is also the new standard DNS over HTTP/3, which uses 443/udp.

  • DNSSEC (DNS SECurity extensions)

Originally, a client could not verify the integrity of a response from a DNS server. If an attacker gained control of a caching DNS server and changed its records, all clients would be affected (i.e. a pharming attack). DNSSEC is a protocol that guarantees the integrity of DNS records. It adds several record types to the zone: RRSIG (Resource Record Signature), DNSKEY, DS, NSEC, CDNSKEY and CDS. A validating resolver verifies the integrity of the records it receives from authoritative DNS servers with these records. The process is similar to PKI: a chain of trust.
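As an added example (not from the original notes), the link between a parent zone's DS record and the child zone's DNSKEY: the DS carries the key tag and a digest of the child's DNSKEY, and a validating resolver checks that they match before trusting the child's keys. The owner name and the DNSKEY bytes below are a constructed sample, not a real key.

```python
import hashlib
import struct

def name_wire(name: str) -> bytes:
    """Canonical (lower-case) DNS wire encoding of an owner name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than 1). It only selects
    which DNSKEY a DS or RRSIG refers to; it is not a security check by itself."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name wire || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DS_DIGESTS[digest_type](name_wire(owner) + rdata).hexdigest().upper()

def ds_matches_dnskey(owner: str, rdata: bytes, ds_tag: int, ds_alg: int,
                      ds_digest_type: int, ds_digest_hex: str) -> bool:
    """Validator check: does the DS published in the parent describe this DNSKEY?
    Tag and algorithm must agree and the digest must be recomputable from the key."""
    if ds_digest_type not in DS_DIGESTS:
        return False                        # unknown digest type: cannot validate
    if key_tag(rdata) != ds_tag or rdata[3] != ds_alg:
        return False
    return ds_digest(owner, rdata, ds_digest_type) == ds_digest_hex.upper()

# Constructed sample: a KSK (flags 257) for example.com, algorithm 8, dummy key bytes.
SAMPLE_OWNER = "example.com."
SAMPLE_KEY = dnskey_rdata(257, 3, 8, b"\x01\x02")

if __name__ == "__main__":
    print(SAMPLE_OWNER, "DS", key_tag(SAMPLE_KEY), 8, 2, ds_digest(SAMPLE_OWNER, SAMPLE_KEY))
```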

  • ECH (Encrypted Client Hello)

Basically, the client hello packet carries the SNI (Server Name Indication). Even though all communication under TLS is encrypted, to start the session the packet has to contain the SNI unencrypted to identify the server. To encrypt this information, ESNI (Encrypted SNI) was developed in 2018 based on TLS 1.3. However, ESNI could only encrypt the SNI. Since 2020 the new standard ECH has been developed to supersede ESNI; ECH encrypts not only the SNI but the whole client hello. ECH is the latest protocol, and it has many dependencies on the DNS server, the service server and the client; only when all of them support ECH can the user use it. Because the client needs the target server's public key (certificate) to encrypt the client hello, it has to look it up from an encrypted DNS (DoH or DoT).

Zone

A DNS server has zones: forward zones and reverse zones.

  • Forward zone

A forward zone basically holds pairs of domain name and IP address. The role of this zone is to change a domain name into an IP address. Domains are managed by IANA, and the TLDs are already reserved (i.e. .com, .org, etc.). For private networks, .home.arpa and .internal are reserved.

  • Reverse zone

A reverse zone also holds pairs, of IP address and domain name. The role of this zone is to change an IP address into a domain name. To do so it uses a special domain name: [reversed_ip_address].in-addr.arpa (i.e. 1.168.192.in-addr.arpa).

Records

Each zone has its record types. If a zone were a kind of DB, a record would be a row of that DB. The basic record types are below.

  • SOA type

Information for zone management. Every zone has an SOA record.

  • NS type

Designates the authoritative name server of a domain zone.

  • A type

Maps a domain to an IPv4 address.

  • AAAA type

Maps a domain to an IPv6 address.

  • PTR type

Maps an IP address to a domain.

  • CNAME type

Maps a domain to another domain. A CNAME is a kind of alias of a domain; it cannot hold an IP address value. The query follows the alias recursively and gets an IP address at the end.

Key

There are keys to control DNS records, zones, and even the DNS server itself.

  • rndc key

This key controls the DNS server itself. When an rndc key is set on the DNS server, a client with this key can control the server: reboot it, load or unload zones, and so on. The rndc key is basically generated by the rndc-confgen command and is defined in rndc.conf and named.conf.

  • tsig key

This key guarantees integrity when the server synchronizes zone data with other servers (usually master and slave servers). Depending on the settings, it is also possible to update records with this key; therefore a TSIG key is usually used for DDNS or the DNS-01 challenge. The key is generated on the DNS server and defined in named.conf.
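An added example (not from the original notes) of what a TSIG key actually does: the shared secret is HMACed over the DNS message plus the TSIG variables (RFC 8945), and the receiving server recomputes the MAC before accepting the message. The key name, the secret and the minimal UPDATE message are constructed samples.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample values (not from the page): key name, 32-byte shared secret, algorithm.
KEY_NAME = "ddns-key.example.com."
SECRET = bytes(range(32))
ALGORITHM = "hmac-sha256."

def name_wire(name: str) -> bytes:
    """Canonical (lower-case) DNS wire encoding of a name, as TSIG requires."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG variables covered by the MAC (RFC 8945 section 4.3.3) for a request with no
    prior MAC: NAME, CLASS ANY, TTL 0, algorithm name, 48-bit time signed, fudge, error, other."""
    return (name_wire(key_name) + struct.pack("!HI", 255, 0) + name_wire(algorithm)
            + struct.pack("!Q", time_signed)[2:]
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_mac(secret, message, key_name, algorithm, time_signed, fudge):
    """MAC = HMAC(secret, message || TSIG variables). In the real protocol this MAC is
    then carried in a TSIG RR appended to the additional section of the message."""
    data = message + tsig_variables(key_name, algorithm, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()

def verify_tsig(secret, message, key_name, algorithm, time_signed, fudge, mac, now=None):
    """Server-side check: reject if outside the fudge window (stale or replayed) or if
    the recomputed MAC differs (wrong key, or message altered in transit)."""
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_mac(secret, message, key_name, algorithm, time_signed, fudge)
    return hmac.compare_digest(expected, mac)

# Constructed minimal UPDATE message: 12-byte header (opcode 5 = UPDATE, ZOCOUNT 1)
# followed by the zone section "example.com. SOA IN" (type 6, class 1).
SAMPLE_UPDATE = (struct.pack("!HHHHHH", 0x1234, 0x2800, 1, 0, 0, 0)
                 + name_wire("example.com.") + struct.pack("!HH", 6, 1))
```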

DNS Server type

DNS servers are basically separated into authoritative DNS and recursive DNS.

Authoritative DNS

An authoritative DNS server literally has authority over a domain zone. It does not send recursive queries to other DNS servers for queries inside its authoritative zone. It is necessary for the DNS-01 challenge (ACME protocol).

Recursive DNS

A recursive DNS server, on the other hand, has no authority over the records in a zone. When it gets a query, it sends recursive queries to authoritative DNS servers. It can store the record information (cache) and respond to clients from that cache.

Split Horizon DNS

Split horizon DNS means getting a different IP address depending on where the client is. For instance, suppose there is a domain example.com that has its own private IP address and, at the same time, a public IP address (from NAT). When a client in the private network queries example.com, the private DNS server responds with the private IP address. However, when a client queries from the WAN, the public DNS server responds with the public address. The client can access example.com in both cases, but the IP addresses it receives are different. With this setup the network route is efficient, because packets from the private network do not have to go out to the WAN. It is basically implemented with an internal authoritative DNS and a recursive DNS; the recursive DNS decides where to send the query based on the domain.

DDNS (Dynamic DNS)

A public IP address can be changed by the ISP at any time, and it is hard (or expensive) to get a static public IP address from the ISP. However, a service (server) must always guarantee its availability regardless of its IP. DDNS is basically a protocol to change the A or AAAA (or CNAME) records in DNS to the server's current IP. The server keeps checking its current public IP, and when it changes, the server sends a request to the public authoritative DNS server to change its A or AAAA records, authenticating with an API key or a TSIG key.