Domain Name System (DNS)
DNS (Domain Name System) translates domain names (e.g., example.com) into IP addresses.
DNS Hierarchical Structure
Most Common DNS Records
Record Name | Explanation | Example |
---|---|---|
A Record (Address Record) | Maps a domain to an IPv4 address. | example.com. IN A 93.184.216.34 |
AAAA Record (Quad A Record) | Maps a domain to an IPv6 address. | example.com. IN AAAA 2606:2800:220:1:248:1893:25c8:1946 |
CNAME Record (Canonical Name Record) | Maps a domain to another domain name, instead of an IP address. | www.example.com. IN CNAME example.com. |
MX Record (Mail Exchange Record) | Specifies the mail servers for a domain. | example.com. IN MX 10 mail.example.com. |
TXT Record (Text Record) | Provides arbitrary text values associated with a domain, often used for email authentication (SPF, DKIM and DMARC). | example.com. IN TXT "v=spf1 include:_spf.google.com ~all" |
NS Record (Name Server Record) | Specifies authoritative name servers for a domain. | example.com. IN NS ns1.exampledns.com. |
PTR Record (Pointer Record) | Maps an IP address to a domain (reverse DNS lookup). | 34.216.184.93.in-addr.arpa. IN PTR example.com. |
SRV Record (Service Record) | Defines location of services such as SIP or XMPP. | _sip._tcp.example.com. IN SRV 10 50 5060 sipserver.example.com. |
SOA Record (Start of Authority Record) | Contains the zone's primary name server, administrator contact, serial number and timing parameters. | example.com. IN SOA ns1.exampledns.com. admin.example.com. (2023041501 7200 3600 1209600 86400) |
CAA Record (Certification Authority Authorization Record) | Specifies allowed SSL certificate issuers for a domain. | example.com. IN CAA 0 issue "letsencrypt.org" |
NAPTR Record (Naming Authority Pointer Record) | Used for ENUM to map phone numbers to SIP URIs. | 2.0.3.6.1.2.4.e164.arpa. IN NAPTR 100 10 "u" "E2U+sip" "!^.*$!sip:info@example.com!" . |
DNAME Record (Delegation Name Record) | Redirects an entire domain subtree to another domain. | sub.example.com. IN DNAME target.example.com. |
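The record lines in the table above are in standard zone-file syntax, which is easy to parse. The following added example (written for this page, not taken from any DNS implementation) parses those lines into structured records, derives the reverse (PTR) owner name for an address the way `in-addr.arpa`/`ip6.arpa` naming requires, splits the SOA fields, and runs a few sanity checks that catch common zone mistakes, including the rule that a CNAME cannot share an owner name with other records and that a PTR should map back to a forward A/AAAA record. The `Record` class, the function names and the two deliberately broken records at the bottom are constructed for the example.

```python
import ipaddress
import shlex
from dataclasses import dataclass

# Record lines copied from the table above, in zone-file syntax.
TABLE_RECORDS = [
    'example.com. IN A 93.184.216.34',
    'example.com. IN AAAA 2606:2800:220:1:248:1893:25c8:1946',
    'www.example.com. IN CNAME example.com.',
    'example.com. IN MX 10 mail.example.com.',
    'example.com. IN TXT "v=spf1 include:_spf.google.com ~all"',
    'example.com. IN NS ns1.exampledns.com.',
    '34.216.184.93.in-addr.arpa. IN PTR example.com.',
    '_sip._tcp.example.com. IN SRV 10 50 5060 sipserver.example.com.',
    'example.com. IN SOA ns1.exampledns.com. admin.example.com. (2023041501 7200 3600 1209600 86400)',
    'example.com. IN CAA 0 issue "letsencrypt.org"',
    '2.0.3.6.1.2.4.e164.arpa. IN NAPTR 100 10 "u" "E2U+sip" "!^.*$!sip:info@example.com!" .',
    'sub.example.com. IN DNAME target.example.com.',
]

CAA_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class Record:
    name: str     # owner name, e.g. "example.com."
    rtype: str    # record type, e.g. "A"
    rdata: tuple  # type-specific fields, as strings


def parse_record(line: str) -> Record:
    """Parse one '<owner> IN <type> <rdata...>' line.

    shlex keeps quoted strings (TXT, CAA, NAPTR) as single fields; the
    parentheses around multi-line SOA data are simply dropped."""
    tokens = shlex.split(line.replace("(", " ").replace(")", " "))
    if len(tokens) < 4 or tokens[1] != "IN":
        raise ValueError(f"not a class-IN record: {line!r}")
    return Record(tokens[0], tokens[2], tuple(tokens[3:]))


def parse_zone(lines):
    return [parse_record(line) for line in lines]


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an address:
    octets reversed under in-addr.arpa for IPv4, nibbles reversed under ip6.arpa for IPv6."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def parse_soa(rdata):
    """Split SOA rdata into its named fields (timers are in seconds)."""
    mname, rname, serial, refresh, retry, expire, minimum = rdata
    return {"mname": mname, "rname": rname, "serial": int(serial),
            "refresh": int(refresh), "retry": int(retry),
            "expire": int(expire), "minimum": int(minimum)}


def _is_ip(value: str, version: int) -> bool:
    try:
        return ipaddress.ip_address(value).version == version
    except ValueError:
        return False


def validate_zone(records):
    """Return a list of human-readable problems; an empty list means the zone passed."""
    problems = []
    types_at = {}   # owner name -> set of record types present
    addrs_of = {}   # owner name -> set of valid A/AAAA addresses
    for r in records:
        types_at.setdefault(r.name, set()).add(r.rtype)
        if r.rtype in ("A", "AAAA") and r.rdata and _is_ip(r.rdata[0], 4 if r.rtype == "A" else 6):
            addrs_of.setdefault(r.name, set()).add(r.rdata[0])

    for r in records:
        if r.rtype == "A" and not (len(r.rdata) == 1 and _is_ip(r.rdata[0], 4)):
            problems.append(f"{r.name} A: rdata is not an IPv4 address")
        elif r.rtype == "AAAA" and not (len(r.rdata) == 1 and _is_ip(r.rdata[0], 6)):
            problems.append(f"{r.name} AAAA: rdata is not an IPv6 address")
        elif r.rtype == "CNAME" and types_at[r.name] != {"CNAME"}:
            problems.append(f"{r.name}: CNAME cannot coexist with other record types")
        elif r.rtype == "MX" and not (len(r.rdata) == 2 and r.rdata[0].isdigit()):
            problems.append(f"{r.name} MX: expected '<preference> <mail host>'")
        elif r.rtype == "CAA" and not (len(r.rdata) == 3 and r.rdata[1] in CAA_TAGS):
            problems.append(f"{r.name} CAA: expected '<flags> <issue|issuewild|iodef> <value>'")
        elif r.rtype == "SOA" and len(r.rdata) != 7:
            problems.append(f"{r.name} SOA: expected 7 rdata fields, got {len(r.rdata)}")
        elif r.rtype == "PTR":
            target = r.rdata[0]
            # Forward/reverse consistency: some A/AAAA of the target should map back here.
            if target in addrs_of and r.name not in {reverse_name(a) for a in addrs_of[target]}:
                problems.append(f"{r.name} PTR -> {target}, but no A/AAAA of {target} maps back to it")
    return problems


if __name__ == "__main__":
    zone = parse_zone(TABLE_RECORDS)
    print("table records:", validate_zone(zone) or "OK")
    # Two constructed mistakes: an A record beside the www CNAME, and a PTR
    # whose owner name does not match any address of its target.
    broken = zone + parse_zone(["www.example.com. IN A 192.0.2.10",
                                "10.2.0.192.in-addr.arpa. IN PTR example.com."])
    for p in validate_zone(broken):
        print("problem:", p)
```

The reverse name is computed with `ipaddress.reverse_pointer`, so the same function serves the IPv4 example (`34.216.184.93.in-addr.arpa.`) and the AAAA address, for which it produces the 32 reversed nibbles under `ip6.arpa.`.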
Iterative vs Recursive DNS Resolution
Iterative DNS Resolution
Recursive DNS Resolution
Quality Attributes
Security
DNS Spoofing/Poisoning is the most common DNS threat: attackers redirect traffic to malicious sites by answering queries with forged records. Mitigation measures include:
- DNSSEC (DNS Security Extensions): Uses digital signatures to verify DNS data authenticity, preventing spoofing.
- DNS over HTTPS (DoH): Encrypts DNS queries for improved privacy and security.
- Regular Auditing and Monitoring: Ensures DNS records remain accurate and untampered.
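The "auditing and monitoring" item above is the one a small team can start with immediately: keep a baseline of the records a zone is supposed to publish and compare it with what resolvers actually return. This added example (written for this page, not part of any monitoring product) diffs an expected record set against an observed one and grades each finding, treating changes to delegation, mail, certificate-issuance and address records as high severity. It also flags a domain that publishes more than one `v=spf1` TXT record, which breaks SPF evaluation. The baseline rows come from the table above; the observed rows and the `ns2.unknown-host.example.` name are constructed to show what a tampered answer looks like, and the `audit` function and severity labels are this example's own conventions.

```python
from collections import defaultdict

# Record types where an unexpected change redirects mail, delegation,
# certificate issuance or traffic; graded "high" when they differ.
HIGH_IMPACT = {"NS", "MX", "CAA", "A", "AAAA", "SOA"}

# Baseline taken from the record table above (owner, type, rdata).
EXPECTED = [
    ("example.com.", "A", "93.184.216.34"),
    ("example.com.", "NS", "ns1.exampledns.com."),
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "CAA", '0 issue "letsencrypt.org"'),
    ("example.com.", "TXT", "v=spf1 include:_spf.google.com ~all"),
]

# Constructed "observed" answers: the A record points elsewhere, an extra NS
# appeared, the CAA record vanished and a second SPF record was added.
OBSERVED = [
    ("example.com.", "A", "198.51.100.7"),
    ("example.com.", "NS", "ns1.exampledns.com."),
    ("example.com.", "NS", "ns2.unknown-host.example."),
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "TXT", "v=spf1 include:_spf.google.com ~all"),
    ("example.com.", "TXT", "v=spf1 ip4:198.51.100.0/24 -all"),
]


def _index(records):
    """Group (owner, type, rdata) triples into {(owner, type): set(rdata)}.

    Owner names are case-insensitive in DNS, so they are lower-cased for comparison."""
    idx = defaultdict(set)
    for name, rtype, rdata in records:
        idx[(name.lower(), rtype.upper())].add(rdata)
    return idx


def _finding(name, rtype, kind, severity, want, got):
    return {"name": name, "type": rtype, "kind": kind, "severity": severity,
            "expected": sorted(want), "observed": sorted(got)}


def audit(expected, observed):
    """Compare baseline and observed record sets; return a list of findings (empty = no drift)."""
    exp, obs = _index(expected), _index(observed)
    findings = []
    for name, rtype in sorted(set(exp) | set(obs)):
        want, got = exp.get((name, rtype), set()), obs.get((name, rtype), set())
        if want == got:
            continue
        if not want:
            kind = "unexpected"   # record type the baseline never published
        elif not got:
            kind = "missing"      # baseline record no longer returned
        else:
            kind = "changed"      # same owner/type, different data
        severity = "high" if rtype in HIGH_IMPACT else "medium"
        findings.append(_finding(name, rtype, kind, severity, want, got))

    # SPF sanity check on what is actually published: more than one v=spf1
    # record makes SPF evaluation fail, so mail authentication silently degrades.
    for (name, rtype), values in obs.items():
        if rtype != "TXT":
            continue
        spf = [v for v in values if v.lower().startswith("v=spf1")]
        if len(spf) > 1:
            findings.append(_finding(name, rtype, "multiple-spf", "high", set(), spf))
    return findings


if __name__ == "__main__":
    for f in audit(EXPECTED, OBSERVED):
        print(f"[{f['severity']:>6}] {f['name']} {f['type']} {f['kind']}: "
              f"expected {f['expected']} observed {f['observed']}")
```

In practice the observed side would be filled from periodic queries against several independent resolvers (the `dig` and `nslookup` tools listed at the end of this page produce exactly these owner/type/rdata triples), and findings would go to the usual alerting pipeline; an answer that differs between resolvers is itself a signal worth investigating.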
Availability
- Distributed System: The 13 logical root name servers (A–M) have multiple instances distributed worldwide and are managed by 12 different organizations.
- Caching at multiple levels (Local/ISP DNS, Root, Authoritative)
Reliability
- Caching: Cached records help ensure reliability by serving requests even if some DNS servers are temporarily down.
- Redundancy: DNS keeps replicated copies of each logical server spread systematically across the globe, ensuring low latency and improving the reliability of the overall system.
- Protocol: DNS typically uses UDP for better performance, as it avoids TCP's three-way handshake.
Consistency
DNS prioritizes performance over strong consistency, ensuring eventual consistency with lazy updates that take from seconds to days. Caching can cause outdated records, but TTL (time-to-live) helps manage expiration and refresh updates efficiently.
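The staleness window described above is bounded by the TTL of the cached copy, not by how quickly the zone owner edits the authoritative server. This added example (constructed for this page, not taken from any resolver implementation) models a caching resolver in front of an authoritative server: the zone changes at t=10, but the resolver keeps serving the old answer, with a decremented TTL, until the cached entry expires at t=300 and the next lookup fetches the new data. `Authoritative`, `CachingResolver` and `propagation_demo` are names made up for the example.

```python
from dataclasses import dataclass


@dataclass
class CachedAnswer:
    rdata: str
    expires_at: float  # absolute time after which the copy may no longer be served


class Authoritative:
    """Stand-in for the authoritative server; the zone owner edits `records` directly."""

    def __init__(self, records):
        self.records = dict(records)   # {(owner, type): (rdata, ttl)}
        self.queries = 0               # how often the resolver had to ask upstream

    def query(self, name, rtype):
        self.queries += 1
        return self.records[(name, rtype)]


class CachingResolver:
    """Recursive resolver cache: answers from cache until the TTL runs out, then re-fetches."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}

    def resolve(self, name, rtype, now):
        """Return (rdata, remaining_ttl, served_from_cache) as seen by the client at time `now`."""
        entry = self.cache.get((name, rtype))
        hit = entry is not None and entry.expires_at > now
        if not hit:
            rdata, ttl = self.upstream.query(name, rtype)
            entry = CachedAnswer(rdata, now + ttl)
            self.cache[(name, rtype)] = entry
        # Cached answers are handed out with the TTL counted down, so downstream
        # caches expire the copy no later than this one does.
        return entry.rdata, int(entry.expires_at - now), hit


def propagation_demo():
    """Timeline of what a client sees across a zone change; returns (t, rdata, ttl, from_cache) rows."""
    auth = Authoritative({("example.com.", "A"): ("93.184.216.34", 300)})
    resolver = CachingResolver(auth)
    timeline = []
    timeline.append((0,) + resolver.resolve("example.com.", "A", now=0))
    # t=10: the zone owner moves the host to a new address (constructed documentation range).
    auth.records[("example.com.", "A")] = ("198.51.100.7", 300)
    timeline.append((100,) + resolver.resolve("example.com.", "A", now=100))   # still stale
    timeline.append((300,) + resolver.resolve("example.com.", "A", now=300))   # TTL expired, refreshed
    return timeline


if __name__ == "__main__":
    for t, rdata, ttl, hit in propagation_demo():
        print(f"t={t:>3}s  {rdata:<15} ttl={ttl:<3} {'cache' if hit else 'authoritative'}")
```

The practical consequence is the standard change-management step: lower the TTL of a record well before a planned change (at least one old-TTL period ahead), make the change, then raise the TTL again, so that the worst-case staleness during the cut-over is the short TTL rather than the long one.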
Tools
Tools | Example |
---|---|
nslookup | nslookup www.google.com |
dig | dig www.google.com |