2.6. Domain Name System

2.6.1. Introduction

DNS is a simple request-response protocol, a distributed database that maps domain names and IP addresses to each other, making it easier for people to access the Internet. DNS uses port 53 of the TCP and UDP protocols.

2.6.2. Terminology

2.6.2.1. mDNS

Multicast DNS (mDNS), multicast DNS, uses port 5353, and the multicast address is 224.0.0.251 or [FF02::FB]. mDNS can be used to implement a DNS-like programming interface, packet format, and operational semantics within a small network without a regular DNS server. The message structure of mDNS protocol is the same as that of DNS, but some fields have new meanings for mDNS.

The host that starts mDNS will multicast messages to all hosts after entering the local area network, including host name, IP and other information, and other hosts with corresponding services will also respond with information containing host name and IP.

The domain name of mDNS .local is distinguished from ordinary domain name.

2.6.2.2. FQDN

FQDN (Fully-Qualified Domain Name) is the full form of a domain name, mostly containing a zero-length root tag, eg www.example.com. 。

2.6.2.3. TLD

A Top-Level Domain (TLD) is a domain that belongs to the root domain, such com or jp

TLDs can generally be divided into Country Code Top-Level Domains (ccTLDs), Generic Top-Level Domains (gTLDs) and others.

2.6.2.4. IDN

Internationalized Domain Names for Applications (IDNA) is to handle the case of non-ASCII characters.

2.6.2.5. CNAME

CNAME is Canonical name, also known as alias, which points a domain name to another domain name.

2.6.2.6. TTL

Time To Live, unsigned integer, records the time when the DNS record expires, the minimum is 0, and the maximum is 2147483647 (2^31 - 1).

2.6.3. Request response

2.6.3.1. DNS records

• A record

  • Returns the IPv4 address corresponding to the domain name

• NS records

  • domain name server

  • Returns which domain name server resolves the domain name

• PTR records

  • reverse record

  • Record from IP address to domain name

• MX records

  • Email exchange records

  • Record the IP address corresponding to the email domain name

2.6.3.2. Response codes

• NOERROR

No error condition

• FORMERR

Format error - The name server was unable to interpret the query

• SERVFAIL

Server failure - The name server was unable to process this query due to a problem with the name server

• NXDOMAIN

this code signifies that the domain name referenced in the query does not exist

• NOTIMP

Not Implemented - The name server does not support the requested kind of query

• REFUSED

Refused - The name server refuses to perform the specified operation for policy reasons

• NODATA

A pseudo RCODE which indicates that the name is valid, for the given class, but [there] are no records of the given type A NODATA response has to be inferred from the answer.

2.6.4. How the Domain Name System Works

2.6.4.1. Parsing process

The DNS resolution process is recursive query, the specific process is as follows:

• When a user wants to access the domain name www.example.com, first check whether the local hosts has a record or whether there is a DNS cache on the local machine, if so, return the result directly, otherwise query the recursive server for the IP address of the domain name

• When the recursive cache is empty, first query the root server for the IP address of the com top-level domain

• The root server tells the recursive server the IP address of the com top-level domain name server

• Recursively query the com top-level domain name server for the IP of the authoritative server responsible for example.com

• com top-level domain name server returns the corresponding IP address

• Recursively query the authoritative server of example.com for the address record of www.example.com

• The authoritative server informs the address record of www.example.com

• The recursive server returns the query result to the client

2.6.4.2. Domain Transfer

DNS servers can be divided into primary servers, backup servers and cache servers. Domain transfer is when the backup server copies data from the primary server and uses the resulting data to update its own database. Domain transfer is a mechanism for synchronizing databases between primary and secondary servers.

2.6.5. Server Type

2.6.5.1. Root Servers

The root server is the core of DNS, which is responsible for the resolution of top-level domain names on the Internet, maintains the authoritative information of the domain, and directs DNS queries to the corresponding domain name servers.

The root server represents the top-level . domain and is generally omitted.

The domain names of the 13 IPv4 root servers are numbered a to m, that is, a.root-servers.org to m.root-servers.org. All servers store the same data, including only ICANN-approved TLD domain name authority information.

2.6.5.2. Authoritative Servers

The domain name Zone file is stored on the authoritative server to maintain the authoritative information of the domain name in the domain. The recursive server can obtain the resource records of DNS query from the authoritative server.

The authoritative server needs to be registered with the TLD authority to which the domain name it hosts belongs to. The same authoritative server can host different TLD domain names, and the same domain can also have multiple authoritative servers.

2.6.5.3. Recursive servers

The recursive server is responsible for receiving the user’s query request, performing recursive query and responding to the user’s query request. Initially the recursive server only has a Hint file that records the root domain name.

2.6.6. DNS utilization

2.6.6.1. DGA

DGA (Domain Generate Algorithm, Domain Name Generation Algorithm) is a technical method that uses random characters to generate C&C domain names, thereby evading domain name blacklist detection, and is commonly used in botnets. Generally speaking, the survival time of a DGA domain name is about 1-7 days.

When communicating, both the client and the server run the same set of DGA algorithms to generate the same list of alternative domain names. When an attack needs to be launched, select a small number of them to register, and then communication can be established, and the registered domain name can be applied quickly. IP technology, rapid change of IP, so that both domain names and IP can be changed rapidly.

There are many ways to generate DGA domain names, which can be divided into deterministic and uncertain generation according to the seed type. The seeds of uncertainty may use some real-time data of the day, such as exchange rate information.

2.6.6.2. DNS Tunneling

The DNS tunneling tool encapsulates other protocol traffic entering the tunnel into the DNS protocol and transmits it over the tunnel. These data packets are decapsulated when they exit the tunnel to restore the data.

2.6.7. Encryption Scheme

As a mainstream defense scheme, DNS encryption has five schemes, namely DNS-over-TLS (DoT), DNS-over-DTLS, DNS-over-HTTPS (DoH), DNS-over-QUIC and DNSCrypt.

2.6.7.1. DoT

The DoT scheme was published in RFC7858 in 2016 and uses port 853. The main idea is that the client and the server establish a TLS session through the TCP protocol and then perform DNS transmission, and the client verifies the server identity through the SSL certificate.

2.6.7.2. DNS-over-DTLS

DNS-over-DTLS is similar to DoT, except that the UDP protocol is used instead of the TCP protocol.

2.6.7.3. DoH

The DoH scheme is publishing RFC8484, using https://dns.example.com/dns-query{?dns} o query the IP of the server, multiplexing the 443 port of https, and the traffic characteristics are relatively small. DoH encrypts the DNS server and does not provide a fallback option. Currently, service providers such as Cloudflare and Google provide support for DoH.

2.6.7.4. DNS-over-QUIC

DNS-over-QUIC security features are similar to DoT, but with higher performance, and there is currently no suitable software implementation.

2.6.7.5. DNSCrypt

DNSCrypt uses X25519-XSalsa20Poly1305 instead of standard TLS, and DNSCrypt Client needs additional software and Server needs a special certificate.

2.6.8. Related Vulnerabilities

2.6.8.1. DNS Hijacking

There are many ways of DNS hijacking. The relatively early attack method is to resolve the domain name to a malicious IP address by attacking the domain name resolution server or by forging the DNS response.

With the continuous development of Internet applications, hijacking methods based on discarded records have emerged. The scenario that occurs in this way is that the resolution record of the secondary domain name points to a third-party resource, and the resolution record is not cancelled after the third-party resource is released. In this scenario, you can apply for a third-party resource accordingly to obtain the control resolution record Ability.

2.6.8.2. Denial of Service

The DNS service usually opens the UDP port. When the DNS server has a large number of secondary domain NS records, the UDP reflection attack through DNS can achieve high denial of service.

2.6.9. Reference Links

2.6.9.1. RFC

• RFC 1034 DOMAIN NAMES CONCEPTS AND FACILITIES

• RFC 1035 DOMAIN NAMES IMPLEMENTATION AND SPECIFICATION

• RFC 1123 Requirements for Internet Hosts – Application and Support

• RFC 2535 Domain Name System Security Extensions

• RFC 2930 Secret Key Establishment for DNS (TKEY RR)

• RFC 2931 DNS Request and Transaction Signatures ( SIG(0)s )

• RFC 3596 Legacy Resolver Compatibility for Delegation Signer (DS)

• RFC 3755 DNS Extensions to Support IP Version 6

• RFC 5001 Automated Updates of DNS Security (DNSSEC) Trust Anchors

• RFC 5936 DNS Zone Transfer Protocol

• RFC 5966 DNS Transport over TCP - Implementation Requirements

• RFC 6376 DomainKeys Identified Mail (DKIM) Signatures

• RFC 6762 Multicast DNS

• RFC 6891 Extension Mechanisms for DNS (EDNS(0))

• RFC 6895 DNS IANA Considerations

• RFC 7766 DNS Transport over TCP - Implementation Requirements

• RFC 7858 Specification for DNS over Transport Layer Security (TLS)

• RFC 8082 NXDOMAIN

• RFC 8482 Providing Minimal-Sized Responses to DNS Queries That Have QTYPE=ANY

• RFC 8484 DNS Queries over HTTPS (DoH)

• RFC 8490 DNS Stateful Operations

• RFC 8499 DNS Terminology

2.6.9.2. Tools

• Unbound

• bind9

2.6.9.3. Research articles

• The Past and Present of DGA Domain Names: Origin, Detection, and Development

• DNSSEC principle and analysis

• Plohmann D, Yakdan K, Klatt M, et al. A comprehensive measurement study of domain generating malware[C]//25th {USENIX} Security Symposium ({USENIX} Security 16). 2016: 263-278.

• An End-to-End Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?

2.6.9.4. Related CVE

• SIGRed – Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers