What is DNS and how does it work?

The Domain Name System resolves the names of internet sites with their underlying IP addresses, adding efficiency and even security in the process.


The Domain Name System (DNS) is one of the foundations of the internet, yet most people outside of networking probably don't realize they use it every day to do their jobs, check their email or waste time on their smartphones.

At its most basic, DNS is a directory of names that match with numbers. The numbers, in this case, are IP addresses, which computers use to communicate with each other. Most descriptions of DNS use the analogy of a phone book, which is fine for people over the age of 30 who know what a phone book is.

If you're under 30, think of DNS like your smartphone's contact list, which matches people's names with their phone numbers and email addresses. Then multiply that contact list by everyone else on the planet.

A brief history of DNS

When the internet was very, very small, it was easier for people to correspond specific IP addresses with specific computers, but that didn't last for long as more devices and people joined the growing network. It's still possible to type a specific IP address into a browser to reach a website, but then, as now, people wanted an address made up of easy-to-remember words, of the sort that we would recognize as a domain name (like networkworld.com) today. In the 1970s and early '80s, those names and addresses were assigned by one person — Elizabeth Feinler at Stanford — who maintained a master list of every Internet-connected computer in a text file called HOSTS.TXT.

This was obviously an untenable state of affairs as the Internet grew, not least because Feinler only handled requests before 6 p.m. California time, and took time off for Christmas. In 1983, Paul Mockapetris, a researcher at USC, was tasked with coming up with a compromise among multiple suggestions for dealing with the problem. He basically ignored them all and developed his own system, which he dubbed DNS. While it's obviously changed quite a bit since then, at a fundamental level it still works the same way it did nearly 40 years ago.

How DNS servers work

The DNS directory that matches names to numbers isn't located all in one place in some dark corner of the internet. With more than 332 million domain names listed at the end of 2017, a single directory would be very large indeed. Like the internet itself, the directory is distributed around the world, stored on domain name servers (generally referred to as DNS servers for short) that all communicate with each other on a very regular basis to provide updates and redundancies.

Authoritative DNS servers vs. recursive DNS servers

When your computer wants to find the IP address associated with a domain name, it first makes its request to a recursive DNS server, also known as a recursive resolver. A recursive resolver is a server that is usually operated by an ISP or other third-party provider, and it knows which other DNS servers it needs to ask to resolve the name of a site with its IP address. The servers that actually have the needed information are called authoritative DNS servers.

DNS servers and IP addresses

Each domain can correspond to more than one IP address. In fact, some sites have hundreds or more IP addresses that correspond with a single domain name. For example, the server your computer reaches for www.google.com is likely completely different from the server that someone in another country would reach by typing the same site name into their browser.

Another reason for the distributed nature of the directory is the amount of time it would take for you to get a response when you were looking for a site if there was only one location for the directory, shared among the millions, probably billions, of people also looking for information at the same time. That's one long line to use the phone book.

What is DNS caching?

To get around this problem, DNS information is shared among many servers. But information for sites visited recently is also cached locally on client computers. Chances are that you use google.com several times a day. Instead of your computer querying the DNS name server for the IP address of google.com every time, that information is saved on your computer so it doesn't have to access a DNS server to resolve the name with its IP address. Additional caching can occur on the routers used to connect clients to the internet, as well as on the servers of the user's Internet service provider (ISP). With so much caching going on, the number of queries that actually make it to DNS name servers is a lot lower than it would seem.

How do I find my DNS server?

Generally speaking, the DNS server you use will be established automatically by your network provider when you connect to the internet. If you want to see which servers are your primary nameservers — generally the recursive resolver, as described above — there are web utilities that can provide a host of information about your current network connection. Browserleaks.com is a good one, and it provides a lot of information, including your current DNS servers.

Can I use 8.8.8.8 DNS?

It's important to keep in mind, though, that while your ISP will set a default DNS server, you're under no obligation to use it. Some users may have reason to avoid their ISP's DNS — for example, some ISPs use their DNS servers to redirect requests for nonexistent addresses to pages with advertising.

If you want an alternative, you can instead point your computer to a public DNS server that will act as a recursive resolver. One of the most prominent public DNS servers is Google's; its IP address is 8.8.8.8. Google's DNS services tend to be fast, and while there are certain questions about the ulterior motives Google has for offering the free service, they can't really get any more information from you than they don't already get from Chrome. Google has a page with detailed instructions on how to configure your computer or router to connect to Google's DNS.

How DNS adds efficiency

DNS is organized in a hierarchy that helps keep things running quickly and smoothly. To illustrate, let's pretend that you wanted to visit networkworld.com.

The initial request for the IP address is made to a recursive resolver, as discussed above. The recursive resolver knows which other DNS servers it needs to ask to resolve the name of a site (networkworld.com) with its IP address. This search leads to a root server, which knows all the information about top-level domains, such as .com, .net, .org and all of those country domains like .cn (China) and .uk (United Kingdom). Root servers are located all around the world, so the system usually directs you to the closest one geographically.

Once the request reaches the correct root server, it goes to a top-level domain (TLD) name server, which stores the information for the second-level domain, the words used before you get to the .com, .org, .net (for example, that information for networkworld.com is "networkworld"). The request then goes to the Domain Name Server, which holds the information about the site and its IP address. Once the IP address is discovered, it is sent back to the client, which can now use it to visit the website. All of this takes mere milliseconds.
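The walk just described (root, then TLD, then the domain's own name server) together with the caching from the earlier section, as an added example that is not from the article: a toy resolver over constructed zone data. Every server address, name and TTL below is constructed for illustration and does not reflect any real server.

```python
# Added example, not from the article: a toy resolver that walks the hierarchy
# described above (root -> TLD -> authoritative) over constructed zone data and
# caches answers with a TTL, so repeat lookups never contact a server. Every
# address, name and TTL here is constructed for illustration.
import time

# Constructed authoritative data: each server either answers with an address or
# refers the resolver one level down (delegation plus the child server's address).
SERVERS = {
    "198.41.0.4":   {"refer": {"com.": "192.5.6.30", "org.": "199.19.56.1"}},  # root
    "192.5.6.30":   {"refer": {"networkworld.com.": "203.0.113.53"}},          # .com TLD
    "203.0.113.53": {"answer": {"networkworld.com.": "203.0.113.80",           # authoritative
                                "www.networkworld.com.": "203.0.113.80"}},
}
ROOT_SERVER = "198.41.0.4"
TTL_SECONDS = 300

def _best_referral(server, qname):
    """Pick the longest delegated zone that encloses qname (the closest enclosing zone)."""
    best = None
    for zone, addr in server.get("refer", {}).items():
        encloses = qname == zone or qname.endswith("." + zone)
        if encloses and (best is None or len(zone) > len(best[0])):
            best = (zone, addr)
    return best

def resolve(qname, cache, now=None):
    """Return (ip, servers_asked). A fresh cache entry is answered without asking anyone."""
    now = time.time() if now is None else now
    hit = cache.get(qname)
    if hit and hit[1] > now:          # cached and TTL not yet expired
        return hit[0], []
    asked, current = [], ROOT_SERVER
    for _ in range(len(SERVERS)):     # bounded walk: each referral moves one level down
        server = SERVERS[current]
        asked.append(current)
        if qname in server.get("answer", {}):
            ip = server["answer"][qname]
            cache[qname] = (ip, now + TTL_SECONDS)
            return ip, asked
        ref = _best_referral(server, qname)
        if ref is None:               # nobody delegates this name: it does not exist
            return None, asked
        current = ref[1]
    return None, asked
```

Calling `resolve("www.networkworld.com.", {}, now=0)` returns the address plus the three servers asked; a second call with the same cache inside the TTL returns the address and an empty list, which is exactly why real name servers see far fewer queries than clients issue.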

Because DNS has been working for the past 30-plus years, most people take it for granted. Security also wasn't considered when building the system, so hackers have taken full advantage of this, creating a variety of attacks.

DNS reflection attacks

DNS reflection attacks can swamp victims with high-volume messages from DNS resolver servers. Attackers request large DNS files from all the open DNS resolvers they can find and do so using the spoofed IP address of the victim. When the resolvers respond, the victim receives a flood of unrequested DNS data that overwhelms their machines.

DNS cache poisoning

DNS cache poisoning can divert users to malicious Web sites. Attackers manage to insert false address records into the DNS so when a potential victim requests an address resolution for one of the poisoned sites, the DNS responds with the IP address for a different site, one controlled by the attacker. Once on these phony sites, victims may be tricked into giving up passwords or suffer malware downloads.

DNS resource exhaustion

DNS resource exhaustion attacks can clog the DNS infrastructure of ISPs, blocking the ISP's customers from reaching sites on the net. This can be done by attackers registering a domain name and using the victim's name server as the domain's authoritative server. So if a recursive resolver can't supply the IP address associated with the site name, it will ask the name server of the victim. Attackers generate large numbers of requests for their domain and toss in nonexistent subdomains to boot, which leads to a torrent of resolution requests being fired at the victim's name server, overwhelming it.
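How a defender would spot the reflection attack described above and this resource exhaustion attack in query logs, as an added example that is not from the article: a small detector run over constructed log lines. The log format, addresses, names and thresholds are all constructed for illustration and would need tuning against real traffic.

```python
# Added example, not from the article: a detector run over constructed query-log
# lines for the two patterns above. A reflection victim appears in a resolver's
# log as one source address sending many queries with outsized answers (ANY is
# the classic case); an exhaustion attack appears at the victim's authoritative
# server as a flood of distinct random subdomains that all return NXDOMAIN.
from collections import Counter, defaultdict

# Constructed log lines: "<source-ip> <qname> <qtype> <rcode>"; thresholds are constructed too.
LOG = """\
203.0.113.9 example.org ANY NOERROR
203.0.113.9 example.org ANY NOERROR
203.0.113.9 example.org ANY NOERROR
198.51.100.4 www.example.net A NOERROR
192.0.2.77 x7f3q.victim.example A NXDOMAIN
192.0.2.78 k92md.victim.example A NXDOMAIN
192.0.2.79 q0a1z.victim.example A NXDOMAIN
192.0.2.80 ww1.victim.example A NXDOMAIN
192.0.2.81 www.victim.example A NOERROR
"""
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY"}   # record types whose answers dwarf the query
REFLECTION_MIN_QUERIES = 3                     # amplifying queries from one source before flagging
NXDOMAIN_MIN, NXDOMAIN_MIN_RATIO = 4, 0.75     # failed lookups per zone, and their share of traffic

def parse(log):
    for line in log.splitlines():
        src, qname, qtype, rcode = line.split()
        yield src, qname.lower(), qtype, rcode

def zone_of(qname):
    """Constructed heuristic: treat the last two labels as the zone under attack."""
    return ".".join(qname.split(".")[-2:])

def detect(log):
    """Return sorted lists of suspected reflection victims and exhaustion targets."""
    ampl = Counter()                                   # src -> amplifying queries seen
    zones = defaultdict(lambda: {"nx": 0, "total": 0, "nx_names": set()})
    for src, qname, qtype, rcode in parse(log):
        if qtype in AMPLIFYING_QTYPES:
            ampl[src] += 1
        z = zones[zone_of(qname)]
        z["total"] += 1
        if rcode == "NXDOMAIN":
            z["nx"] += 1
            z["nx_names"].add(qname)
    reflection = sorted(s for s, n in ampl.items() if n >= REFLECTION_MIN_QUERIES)
    exhaustion = sorted(
        zone for zone, z in zones.items()
        if z["nx"] >= NXDOMAIN_MIN and z["nx"] / z["total"] >= NXDOMAIN_MIN_RATIO
        and len(z["nx_names"]) == z["nx"]              # every failure is a distinct name
    )
    return {"possible_reflection_victims": reflection, "possible_exhaustion_targets": exhaustion}
```

In the reflection case the flagged address is the spoofed victim, not the attacker, so the right response is rate-limiting or response-size limiting (for example refusing ANY), not blocking that address.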

What is DNSSEC?

DNS Security Extensions is an effort to make communication among the various levels of servers involved in DNS lookups more secure. It was devised by the Internet Corporation for Assigned Names and Numbers (ICANN), the organization in charge of the DNS system.

ICANN became aware of weaknesses in the communication between the DNS top-level, second-level and third-level directory servers that could allow attackers to hijack lookups. That would allow the attackers to respond to requests for lookups to legitimate sites with the IP address for malicious sites. These sites could upload malware to users or carry out phishing and pharming attacks.

DNSSEC would address this by having each level of DNS server digitally sign its requests, which ensures that the requests sent in by end users aren't commandeered by attackers. This creates a chain of trust so that at each step in the lookup, the integrity of the request is validated.

In addition, DNSSEC can determine if domain names exist, and if one doesn't, it won't let that fraudulent domain be delivered to innocent requesters seeking to have a domain name resolved.
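The "does this name exist" check above is done with DNSSEC's NSEC records, which link each name in a signed zone to the next name in canonical order, so a name that falls strictly between two linked names is provably absent. As an added example that is not from the article, the following simplified validator implements that check, including the wildcard test a real validator must also perform. It assumes the NSEC records' signatures were already verified and that the full chain is available; the zone is constructed and NSEC3 is not handled.

```python
# Added example, not from the article: how a validating resolver uses DNSSEC's
# NSEC records to prove a name does not exist. Each NSEC links a name to the next
# name in the zone's canonical order; a name that falls strictly inside a link
# provably does not exist. Assumes the NSEC signatures were already verified and
# that the whole chain is known; handles the wildcard check but not NSEC3.

def canonical_key(name):
    """RFC 4034 canonical ordering: compare labels right to left, case-insensitively."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def nsec_covers(owner, next_name, qname):
    """True if the NSEC (owner -> next_name) spans qname, i.e. proves it absent."""
    k_owner, k_next, k_q = map(canonical_key, (owner, next_name, qname))
    if k_q == k_owner:
        return False                      # the name exists: this NSEC is its own record
    if k_owner < k_next:
        return k_owner < k_q < k_next     # ordinary link inside the chain
    return k_q > k_owner                  # last link wraps to the apex: covers all names after owner

def proves_nonexistence(nsec_rrs, qname):
    """Given a zone's verified NSEC records as (owner, next) pairs, decide whether
    qname is provably absent: some NSEC must cover qname AND some NSEC must cover
    the wildcard at its closest encloser, or a wildcard answer would be expected."""
    existing = {canonical_key(o) for o, _ in nsec_rrs}
    if canonical_key(qname) in existing or not any(nsec_covers(o, n, qname) for o, n in nsec_rrs):
        return False
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):           # walk up to the closest existing ancestor
        ancestor = ".".join(labels[i:]) + "."
        if canonical_key(ancestor) in existing:
            wildcard = "*." + ancestor
            if canonical_key(wildcard) in existing:
                return False                  # a wildcard would synthesize an answer instead
            return any(nsec_covers(o, n, wildcard) for o, n in nsec_rrs)
    return False                              # no known ancestor: cannot prove anything

# Constructed zone "example." holding example., a.example., ns1.example., www.example.
NSEC_CHAIN = [
    ("example.", "a.example."),
    ("a.example.", "ns1.example."),
    ("ns1.example.", "www.example."),
    ("www.example.", "example."),       # last record wraps around to the apex
]
```

`proves_nonexistence(NSEC_CHAIN, "b.example.")` is true because b.example. sorts between a.example. and ns1.example. and no wildcard exists, while the same query against a chain that contains `*.example.` is false, since the zone would have answered with the wildcard.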

As more domain names are created, and more devices continue to join the network via internet of things devices and other "smart" systems, and as more sites migrate to IPv6, maintaining a healthy DNS ecosystem will be required. The growth of big data and analytics also brings a greater need for DNS management.

SIGRed: A wormable DNS flaw rears its head

The world got a good look recently at the sort of chaos weaknesses in DNS could cause with the discovery of a flaw in Windows DNS servers. The potential security hole, dubbed SIGRed, requires a complex attack chain, but can exploit unpatched Windows DNS servers to potentially install and execute arbitrary malicious code on clients. And the exploit is "wormable," meaning that it can spread from computer to computer without human intervention. The vulnerability was considered alarming enough that U.S. federal agencies were given only a few days to install patches.

DNS over HTTPS: A new privacy landscape

As of this writing, DNS is on the verge of one of the biggest shifts in its history. Google and Mozilla, who together control the lion's share of the browser market, are encouraging a move towards DNS over HTTPS, or DoH, in which DNS requests are encrypted by the same HTTPS protocol that already protects most web traffic. In Chrome's implementation, the browser checks to see if the DNS servers support DoH, and if they don't, it reroutes DNS requests to Google's 8.8.8.8.

It's a move not without controversy. Paul Vixie, who did much of the early work on the DNS protocol back in the 1980s, calls the move a "disaster" for security: corporate IT will have a much harder time monitoring or directing DoH traffic that traverses their network, for instance. Nonetheless, Chrome is omnipresent and DoH will soon be turned on by default, so we'll see what the future holds.

(Keith Shaw is a former senior editor for Network World and an award-winning writer, editor and product reviewer who has written for many publications and websites around the world.)

(Josh Fruhlinger is a writer and editor who lives in Los Angeles.)


Copyright © 2022 IDG Communications, Inc.