Show notes
  • DNS stands for Domain Name System.
  • The most common usage of DNS is to translate domain names to IP addresses.
    • Internet slow distributed key value store
  • This is required because we can only address devices (like servers) by their IP address.
  • DNS: https://tools.ietf.org/html/rfc1034 - 1987
  • Domain names: https://tools.ietf.org/html/rfc882 - 1983

4 types of DNS servers

Recursive server

The DNS recursor is a server designed to receive queries from client machines through applications such as web browsers. Typically the recursor is then responsible for making additional requests in order to satisfy the client’s DNS query.

  • Normally those servers are in your ISP network.
  • You can manually change your DNS server to use public ones like Google’s 8.8.8.8 or cloudflare’s 1.1.1.1.

Root nameserver

  • There’s 13. There’s a limitation in the protocol that prevents us from having more root servers.
  • When a request is not cached, the recursive server will first hit a root server.
  • It parses the domain name and redirect to the TLD server managing the TLD (eg. .com).

Ultimate authority over the root zone belongs to the National Telecommunications and Information Administration (NTIA), which is a part of the US Department of Commerce. The NTIA delegates management of the root zone to the Internet Corporation for Assigned Names and Numbers (ICANN).

ICANN operates servers for one of the 13 IP addresses in the root zone and delegates operation of the other 12 IP addresses to various organizations including NASA, the University of Maryland, and Verisign, which is the only organization that operates two of the root IP addresses.

  • The DNS protocol is strongly controlled by the US.

TLD nameserver

  • Top level domains (TLDs) like .com are controlled by corporations. For example, .com is controlled by Verisign.
  • Country code TLDs (ccTLD), 2 letter TLDs, are normally controlled by government entities.
    • Normal TLDs obey international regulations.
    • ccTLDs are regulated by the countries.
    • .eu is not for a single country.
  • Will redirect to an authoritative nameserver.

Authoritative nameserver

  • The authoritative nameserver is the nameserver that “owns” the domain name.
  • It’s the final one that you set when administering your domain.
  • It’s possible to have multiple servers in the form of primary and secondaries.

Problems

  • Too much load on a single server
  • Fake response
  • In transit monitoring
  • DNS server monitoring

Load - Unicast vs Anycast

Right now there are over 600 different DNS root servers distributed across every populated continent on earth.

  • There’s more than 13 root DNS servers. There’s actually 13 IP addresses for root servers.
  • Anycast is when there’s multiple servers having the same IP on the planet. For this to not be a problem, the networking systems need to be aware. The Internet can then route the request to the anycast IP to different servers.
  • Anycast is more of a hack in IPv4. It’s explicitly defined in IPv6.

There’s multiple other addressing methods

  • Unicast addressing uses a one-to-one association between a sender and destination: each destination address uniquely identifies a single receiver endpoint.
  • Broadcast uses a one-to-all association; a single datagram from one sender is routed to all of the possibly multiple endpoints associated with the broadcast address. The network automatically replicates datagrams as needed to reach all the recipients within the scope of the broadcast, which is generally an entire network subnet.
  • Multicast addressing uses a one-to-many-of-many or many-to-many-of-many association; datagrams are routed simultaneously in a single transmission to many recipients. It differs from broadcast in that the destination address designates a subset, not necessarily all, of the accessible nodes.
  • Anycast addressing is a one-to-one-of-many association where datagrams are routed to any single member of a group of potential receivers that are all identified by the same destination address. The routing algorithm selects the single receiver from the group based on least-expensive routing metric. In practice, this means that packets are routed to the topologically-nearest member of an anycast group. Anycasting in the Internet architecture was first described in RFC 1546 [1]

Fake response - DNSSEC

  • Cache poisoning.
    • Since DNS servers are not really authenticated, if you are able to add a rogue DNS server that recursive resolvers trust, you can redirect any domain to any IP. Since the responses are cached through requests, a single bad response could affect multiple queries.
  • An switch on the internet between you and the recursive DNS nameserver or the recursive DNS nameserver and any other DNS server it has to talk to could change the content of responses.
  • DNSSEC - 2005
    • Still not widely used.
    • There was a lot of backlash.
  • DNSSEC is a complex protocol that adds new DNS records that let users validate the authenticity of any response. It’s a chain of trust between the root nameservers and authoritative nameservers. It’s used to digitally sign DNS zones.

In transit monitoring - DoT && DoH

  • DNS over TLS had a RFC in 2016 https://tools.ietf.org/html/rfc7858.
  • DNS over HTTPS was proposed by Mozilla in 2018.
  • Those protocols solve the eavesdropping problem since the communication goes through TLS.

DoH

  • In 2018 Mozilla and Google started to test DoH in their respective browser.
  • In 2020 Mozilla switched to DoH by default for all of its users in the US.
  • Mac and Windows support DoH.
  • DoH is quite simple to use. You simply send the UDP packet to the DoH HTTPS endpoint with the “application/dns-message” MIME type.

    The Internet Service Providers Association (ISPA)—a trade association representing British ISPs—and the also British body Internet Watch Foundation have criticized Mozilla […] for supporting DoH, as they believe that it will undermine web blocking programs in the country, including ISP default filtering of adult content, and mandatory court-ordered filtering of copyright violations. The ISPA nominated Mozilla for its “Internet Villain” award for 2019.

  • DoT is using a dedicated port and DoH is using the generic HTTPS port. This means that it’s harder to filter out DoH.

DNS server monitoring - ODoH

  • co-authored by engineers from Cloudflare, Apple, and Fastly.
  • The goal of ODoH is to prevent the DNS server you are using from keeping track of your activity online.
  • It’s like TOR. You encrypt the DNS query and send it to the ODoH server. It can’t decrypt it. Sends it to the other ODoH server that can decrypt it.
  • By doing this, the second nameserver can’t know from whom the query is.
  • The only problem could be caused by the 2 services colluding.

[1] https://www.cloudflare.com/learning/dns/what-is-dns/
[2] https://www.cloudflare.com/learning/dns/glossary/dns-root-server/
[3] https://www.cloudflare.com/learning/dns/glossary/dns-root-server/
[4] https://en.wikipedia.org/wiki/Anycast
[5] https://www.cloudflare.com/dns/dnssec/how-dnssec-works/
[6] https://tools.ietf.org/html/rfc4033
[7] https://en.wikipedia.org/wiki/DNS_over_HTTPS
[8] https://www.cloudflare.com/learning/dns/dns-over-tls/
[9] https://blog.cloudflare.com/oblivious-dns/