What is DNS and how does it work?

The Domain Name System (DNS) is a crucial element of the internet, working silently in the background to match the website names users type in with their corresponding IP addresses. Those IP addresses are long strings of numbers that are not easy to remember.


While it remains possible to enter an IP address directly into a browser to reach a website, most people prefer the simplicity of easily memorable domain names, such as Network World's.


In the early stages of the internet's development, Elizabeth Feinler at Stanford Research Institute undertook the responsibility of matching domain names to IP addresses. She maintained a master list of all internet-connected computers. However, as the internet rapidly expanded, this approach became unsustainable. In 1983, Paul Mockapetris devised DNS, an automated and scalable system that efficiently translates domain names to IP addresses.


With some 342 million registered domains to manage, the DNS directory has to be distributed. Many domain name servers around the world communicate with one another regularly to share updates and eliminate redundancies.


Apart from scalability, the distributed nature of the DNS system also provides performance advantages. If all requests to resolve the domain name "Google" and its underlying IP address were managed in a single location, the system would suffer from increased traffic congestion. To prevent this, DNS information is shared among numerous servers.



Consequently, a single domain can have multiple IP addresses, which means that the server accessed when entering www.google.com on your laptop or smartphone may differ from the server accessed by someone in another country using the same site name. Nonetheless, DNS ensures that users are directed to the correct location, regardless of their geographical location.


So, how does DNS truly function? When your computer seeks to find the IP address associated with a domain name, it initiates a DNS query through a DNS client, often found in web browsers. This query is then sent to a recursive DNS server (a recursive resolver), operated by an Internet Service Provider (ISP) like AT&T or Verizon. The recursive resolver knows which other DNS servers it needs to consult to translate the domain name to an IP address. These servers, responsible for storing the necessary information, are known as authoritative name servers.


DNS operates within a hierarchical structure. Initially, a DNS query for an IP address is directed to a recursive resolver, which guides the search to a root server containing information about top-level domains (e.g., .com, .net, .org) as well as country domains. Since root servers are distributed globally, the DNS system routes requests to the closest one.


Once the request reaches the appropriate root server, it is then forwarded to a top-level domain server (TLD nameserver) that stores information for the second-level domain (i.e., the words users input into search boxes). Subsequently, the request reaches a domain nameserver, which retrieves the IP address and sends it back to the DNS client device, enabling users to visit the desired website. All of this happens within milliseconds.


(Figure: How does DNS work)


Now, let's discuss DNS caching. Considering how frequently users access popular websites like Google, the need for repetitive DNS queries to retrieve the associated IP address can be minimized. This is achieved through caching, which stores the information on personal devices, eliminating the necessity for multiple trips to a DNS server.


Caching can also occur on routers used to connect clients to the internet and on servers employed by Internet Service Providers (ISPs). These caching mechanisms considerably reduce the number of queries sent to DNS name servers, thereby increasing the overall speed and efficiency of the DNS system.
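The resolution walk described above (root, then TLD, then authoritative nameserver) and the caching that short-circuits it are easiest to see in a small simulation. The following is an added example, not code from the original article: the zone data, server names and addresses are constructed, and each "server" is just a dictionary that either answers or refers the resolver one level down.

```python
import time

# Constructed toy zone data (names and addresses are made up): each nameserver
# either ANSWERs for a name or REFERs the resolver to the server one level down.
SERVERS = {
    "root": {"com.": ("REFERRAL", "a.gtld-servers.example")},
    "a.gtld-servers.example": {"example.com.": ("REFERRAL", "ns1.example.com")},
    "ns1.example.com": {"www.example.com.": ("ANSWER", "192.0.2.10", 300)},
}

def ask(server, qname):
    """One round trip to a nameserver: it answers for the longest suffix it knows."""
    labels = qname.split(".")
    for i in range(len(labels)):
        record = SERVERS[server].get(".".join(labels[i:]))
        if record:
            return record
    return ("NXDOMAIN",)

class RecursiveResolver:
    """Walks the hierarchy for the client and caches answers until the TTL expires."""
    def __init__(self):
        self.cache = {}            # qname -> (ip, expiry timestamp)
        self.upstream_queries = 0  # round trips the cache did not save

    def resolve(self, name, now=None):
        now = time.monotonic() if now is None else now
        qname = name.rstrip(".").lower() + "."
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return hit[0], "cache"
        server = "root"
        for _ in range(8):  # bound the chain so a bad delegation cannot loop forever
            self.upstream_queries += 1
            record = ask(server, qname)
            if record[0] == "ANSWER":
                ip, ttl = record[1], record[2]
                self.cache[qname] = (ip, now + ttl)
                return ip, server
            if record[0] == "REFERRAL":
                server = record[1]
                continue
            return None, "NXDOMAIN"
        return None, "too many referrals"

if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("www.example.com", now=0), r.upstream_queries)    # answered by ns1, 3 trips
    print(r.resolve("www.example.com", now=100), r.upstream_queries)  # cache hit, still 3
    print(r.resolve("www.example.com", now=301), r.upstream_queries)  # TTL expired, 6 trips
```

The `now` argument stands in for the wall clock so the TTL expiry can be shown deterministically; a real resolver would also cache the referrals themselves, not only the final answer.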


The Domain Name System (DNS) numbering system ensures proper internet traffic routing by assigning unique IP addresses to every device connected to the internet. DNS relies on either the IPv4 or IPv6 system to translate human queries into numerical values. In the case of IPv4, the numbers are expressed as 32-bit integers in decimal notation.


With IPv4, the string of numbers is divided into sections, similar to a telephone number comprising a country code, area code, and other components. These sections include the network component, host, and subnet. The network segment indicates the class and category of the assigned network, while the host identifies the specific machine on the network. The subnet section, though optional, assists in navigating the numerous subnets and partitions within a local network.



To tackle the issue of limited available IPv4 addresses, IPv6 was introduced as a solution. Utilizing 128-bit-sized numbers, IPv6 provides a significantly larger address space in comparison to the 32-bit numbers of IPv4. In fact, the sheer magnitude of possible IPv6 addresses is mind-boggling, reaching a staggering 340 trillion trillion.


Since 1998, the responsibility for IP address assignment has been entrusted to the Internet Corporation for Assigned Names and Numbers (ICANN), following its transfer from the U.S. government. As a not-for-profit organization, ICANN has managed this crucial function without any major disruptions. Moreover, ICANN plays a neutral and advisory role, allowing individuals to register domains through various ICANN-accredited registrars. This further decentralizes an already decentralized DNS system, enabling swift global access to newly registered domains through DNS servers.


Despite its critical role, the DNS system is not immune to cyber threats. Malicious actors have targeted DNS, seeking to exploit vulnerabilities within the system. A recent survey conducted by IDC in 2021 examined over 1,100 organizations across North America, Europe, and Asia-Pacific, revealing that a staggering 87% of them had fallen victim to DNS attacks.


These attacks come with a hefty price tag, averaging around $950,000 across all regions and approximately $1 million for organizations in North America. In the past year alone, organizations across various industries faced an average of 7.6 attacks each. Significantly, the shift to remote work and the migration of resources to the cloud due to the pandemic have opened up new opportunities for attackers.


The IDC survey also highlighted a substantial increase in data theft through DNS attacks. In 2021, 26% of organizations reported incidents of sensitive customer information being stolen, a notable increase from the 16% reported in 2020.



Various types of DNS attacks pose significant threats, including DNS amplification, DNS spoofing or cache poisoning, DNS tunneling, and DNS hijacking or redirection.


The alarming rise in DNS-related attacks has sparked concerns about the security of DNS infrastructure among numerous IT organizations. A recent survey conducted by Enterprise Management Associates (EMA) targeted 333 IT professionals responsible for DNS, DHCP, and IP address management. Worryingly, only 31% of DDI managers expressed full confidence in the security of their DNS infrastructure.



Participants were asked to identify the most challenging DNS security issues they faced, and DNS hijacking emerged as the top concern, cited by 28% of respondents. DNS hijacking, also known as DNS redirection, involves intercepting DNS queries from client devices and redirecting connection attempts to incorrect IP addresses.


The second most concerning DNS security issue identified by 20% of respondents is DNS tunneling and exfiltration. Hackers exploit this method after infiltrating a network, allowing them to extract data while evading detection by concealing the extracted information within outgoing DNS queries.


To safeguard DNS infrastructure, security monitoring tools should diligently scrutinize DNS traffic for abnormalities, such as unusually large packet sizes, as advised by Shamus McGillicuddy, research director for network management practice at EMA.
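The monitoring advice above (look for abnormal DNS traffic, such as oversized queries) can be turned into a simple first-pass detector. This is an added example, not code from the article or from EMA: it runs over a few constructed resolver log lines and flags queries whose leading label is long and high-entropy, whose full name is unusually long, or whose record type is rarely seen from ordinary clients, and it separately reports base domains receiving an unusual number of distinct subdomain lookups. The thresholds and the log format are assumptions chosen for the demo.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (made up for this example, not a real capture).
# Format: "<epoch> <client> <qtype> <qname>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 AAAA mail.example.com
1700000002 10.0.0.9 TXT kq7m2x9vz4p1hb8ns6ty3wcl0rjdgae5fu.c1.tun-demo.example
1700000003 10.0.0.9 TXT uf5eagdjr0lcw3yt6sn8bh1p4zv9x2m7qk.c2.tun-demo.example
1700000004 10.0.0.9 TXT 7kqm29xvz4p1hb8ns6ty3wcl0rjdgae5fu.c3.tun-demo.example
1700000005 10.0.0.7 A cdn.example.net
"""

def label_entropy(label):
    """Shannon entropy in bits per character; encoded payloads score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def base_domain(qname):
    # Naive: last two labels. A real deployment would use a public-suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyse(log_text, max_len=50, min_label=20, max_entropy=3.5,
            rare_types=("TXT", "NULL"), max_unique=2):
    """Return (flagged queries with reasons, base domains with too many unique names)."""
    flagged, names_per_base = [], defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qtype, qname = line.split()
        qname, qtype = qname.lower(), qtype.upper()
        names_per_base[base_domain(qname)].add(qname)
        reasons = []
        if len(qname) > max_len:
            reasons.append("long-name")
        first = qname.split(".")[0]
        if len(first) >= min_label and label_entropy(first) > max_entropy:
            reasons.append("high-entropy-label")
        if qtype in rare_types:
            reasons.append("rare-qtype-" + qtype)
        if reasons:
            flagged.append((qname, reasons))
    noisy = sorted(b for b, names in names_per_base.items() if len(names) > max_unique)
    return flagged, noisy

if __name__ == "__main__":
    queries, domains = analyse(SAMPLE_LOG)
    for qname, why in queries:
        print(qname, why)
    print("high-cardinality base domains:", domains)
```

Each heuristic on its own produces false positives (CDNs and some security products also use long, random-looking names), so in practice these signals are combined and baselined per client before anyone is paged.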


ICANN developed DNSSEC, a security protocol intended to enhance the security of communication among the different levels of DNS servers involved in DNS lookups. Its purpose is to address vulnerabilities in the communication between DNS top-level, second-level, and third-level directory servers, which could otherwise allow hackers to hijack lookups.


Hijacking allows attackers to redirect users to malicious sites when they request lookups for legitimate sites. Those malicious sites can then serve malware or carry out phishing attacks.


To mitigate these threats, DNSSEC employs a mechanism where each level of DNS server digitally signs its requests, ensuring that requests from end users cannot be manipulated by attackers. This establishes a chain of trust, validating the integrity of the request at each level of the lookup.


Aside from bolstering security, DNSSEC also verifies the existence of domain names, preventing the delivery of fraudulent domains to unsuspecting requesters seeking to resolve domain names.


DNS over HTTPS (DoH), an IETF standard, encrypts DNS requests similarly to how the HTTPS protocol safeguards most web traffic. While DNSSec addresses vulnerabilities within the distributed network of DNS servers, it has not completely eradicated DNS-based cyberattacks that exploit various forms of deception to inject malicious code into the DNS system.



The adoption of DoH represents a significant shift in the history of DNS. Major players like Google and Mozilla promote the use of DoH to encrypt DNS requests. Still, there are ongoing debates surrounding DoH because of its potential impact on enterprise IT monitoring capabilities and on parental controls over internet usage.

The uptake of DNS over HTTPS has been gradual. DoH is integrated into the latest versions of Google Chrome and Mozilla Firefox, but users have the option to disable it. Organizations seeking control over browser usage among employees can also choose to disable DoH. On the other hand, several leading ISPs haven't yet enabled DoH.

Finding your DNS server is usually handled automatically by your ISP when you connect to the internet.


Web utilities like browserleaks.com can provide information about your primary name servers and your current network connection.

Although ISPs assign a default DNS server, users aren't obliged to use it. Some users may have reasons to avoid their ISP's DNS, such as when the ISP uses its DNS servers to redirect requests for nonexistent addresses to advertising pages.

Alternatively, users can configure their computers to use public DNS servers that act as recursive resolvers. Google's public DNS server, at the IP address 8.8.8.8, is one of the most prominent options available.