DNS Background

Dr. Greg Bernstein

February 14th, 2021

The Domain Name System

References

Terminology Issues 1

From DNS Terminology: RFC8499

The protocol and message format are defined in [RFC1034] and [RFC1035]. These RFCs defined some terms, and later documents defined others. Some of the terms from [RFC1034] and [RFC1035] have somewhat different meanings now than they did in 1987.

Terminology Issues 2

From DNS Terminology: RFC8499

This document contains a collection of a wide variety of DNS-related terms, organized loosely by topic. Some of them have been precisely defined in earlier RFCs, some have been loosely defined in earlier RFCs, and some are not defined in an earlier RFC at all.

What is DNS? Part 1

From DNS Terminology: RFC8499

Note that there is no single consistent definition of “the DNS”. It can be considered to be some combination of the following:

  1. a commonly used naming scheme for objects on the Internet;
  2. a distributed database representing the names and certain properties of these objects;

What is DNS? Part 2

From DNS Terminology: RFC8499

  3. an architecture providing distributed maintenance, resilience, and loose coherency for this database; and
  4. a simple query-response protocol implementing this architecture.

Security Implications

  • Domain names can be malicious, i.e., used to deceive
  • The integrity of the data in the distributed database is key to users getting to the intended sites and apps
  • The distributed nature of the database can help with resilience but is also subject to DoS attacks
  • The “protocol” is a target for attacks and a “vector” for others

Elements of the DNS

From DOMAIN NAMES - CONCEPTS AND FACILITIES

The DNS has three major components:

  1. DOMAIN NAME SPACE and RESOURCE RECORDS

  2. NAME SERVERS

  3. RESOLVERS

Domain Names and Records

From DOMAIN NAMES - CONCEPTS AND FACILITIES

The DOMAIN NAME SPACE and RESOURCE RECORDS, which are specifications for a tree structured name space and data associated with the names. Conceptually, each node and leaf of the domain name space tree names a set of information, and query operations are attempts to extract specific types of information from a particular set.

A query names the domain name of interest and describes the type of resource information that is desired. For example, the Internet uses some of its domain names to identify hosts; queries for address resources return Internet host addresses.

Names and Record Diagram

From Wikipedia: DNS

Domain Name Space

Domain Names in 1987

Domain Names 1987

My Domains

Grotto Domain Names

Name Servers General

From DOMAIN NAMES - CONCEPTS AND FACILITIES

NAME SERVERS are server programs which hold information about the domain tree’s structure and set information. A name server may cache structure or set information about any part of the domain tree, but in general a particular name server has complete information about a subset of the domain space, and pointers to other name servers that can be used to lead to information from any part of the domain tree.

Name Servers Authoritative

From DOMAIN NAMES - CONCEPTS AND FACILITIES

Name servers know the parts of the domain tree for which they have complete information; a name server is said to be an AUTHORITY for these parts of the name space. Authoritative information is organized into units called ZONEs, and these zones can be automatically distributed to the name servers which provide redundant service for the data in a zone.

Resolvers

From DOMAIN NAMES - CONCEPTS AND FACILITIES

RESOLVERS are programs that extract information from name servers in response to client requests. Resolvers must be able to access at least one name server and use that name server’s information to answer a query directly, or pursue the query using referrals to other name servers. A resolver will typically be a system routine that is directly accessible to user programs; hence no protocol is necessary between the resolver and the user program.

DNS Implementation

General DNS Protocol Packet

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             LENGTH            |               ID              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Q| OPCODE|A|T|R|R|Z|A|C| RCODE |            QDCOUNT            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            ANCOUNT            |            NSCOUNT            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            ARCOUNT            |               QD              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               AN              |               NS              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               AR              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                             Fig. DNS                             

DNS Packet Fields 1

  • ID: A 16 bit identifier assigned by the program that generates any kind of query. This identifier is copied to the corresponding reply and can be used by the requester to match up replies to outstanding queries.

  • Q: A one bit field that specifies whether this message is a query or a response.

  • OPCODE: A four bit field that specifies the kind of query.

DNS Packet Fields 2

  • QDCOUNT: specifies the number of entries in the question section (QD)

  • ANCOUNT: specifies the number of resource records in the answer section (AN)

  • NSCOUNT: specifies the number of name server resource records in the authority section (NS)

  • ARCOUNT: specifies the number of resource records in the additional records section (AR)

Resource Records

From DOMAIN NAMES - CONCEPTS AND FACILITIES

A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource information associated with a particular name is composed of separate resource records (RRs). The order of RRs in a set is not significant, and need not be preserved by name servers, resolvers, or other parts of the DNS.

Resource Record “wire” format

From Scapy documentation

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             RRNAME            |              TYPE             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             RCLASS            |              TTL              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |             RDLEN             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             RDATA             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            Fig. DNSRR 

RR Fields 1

From DOMAIN NAMES - CONCEPTS AND FACILITIES

  • NAME: a domain name to which this resource record pertains.

  • TYPE: two octets containing one of the RR type codes. This field specifies the meaning of the data in the RDATA field.

  • CLASS: two octets which specify the class of the data in the RDATA field.

RR Fields 2

From DOMAIN NAMES - CONCEPTS AND FACILITIES

  • TTL: a 32 bit unsigned integer that specifies the time interval (in seconds) that the resource record may be cached before it should be discarded.

  • RDLENGTH: an unsigned 16 bit integer that specifies the length in octets of the RDATA field.

  • RDATA: a variable length string of octets that describes the resource.

Some Record Types

From Wikipedia: DNS record types, a few common record types

  • A: IPv4 address, most commonly used to map hostnames to an IP address of the host
  • AAAA: IPv6 address, most commonly used to map hostnames to an IP address of the host
  • MX: Mail exchange record
  • NS: Name server record
  • SOA: Start of [a zone of] authority record

Queries

From DOMAIN NAMES - CONCEPTS AND FACILITIES

Queries are messages which may be sent to a name server to provoke a response. In the Internet, queries are carried in UDP datagrams or over TCP connections. The response by the name server either answers the question posed in the query, refers the requester to another set of name servers, or signals some error condition.

Query “wire format”

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             QNAME             |             QTYPE             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             QCLASS            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            Fig. DNSQR                            

Query Fields

  • QNAME: a domain name represented as a sequence of labels

  • QTYPE: a two octet code which specifies the type of the query. The values for this field include all codes valid for a TYPE field, together with some more general codes which can match more than one type of RR.

  • QCLASS: a two octet code that specifies the class of the query.
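To tie the header fields, the resource record wire format and the query wire format together, here is an added example (it is not from the slides, RFC 1034/1035, or Scapy) that builds a query, parses a constructed response with the Python standard library, and applies the ID/question matching check that the ID field exists for. The domain name, query ID, TTL and the 192.0.2.1 address are constructed sample values; the byte layout follows the diagrams above, including the two-bit compression pointer used in the answer's NAME field.

```python
import struct
import ipaddress

# RR type codes used below (values from the IANA registry); CLASS_IN is the Internet class.
TYPE_A, TYPE_NS, TYPE_AAAA = 1, 2, 28
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels terminated by a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qid: int, qname: str, qtype: int = TYPE_A) -> bytes:
    """12-octet header (ID, flags with RD=1, QDCOUNT=1) plus one question (QNAME, QTYPE, QCLASS)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Split the header into ID, the flag bits (QR, OPCODE, AA, TC, RD, RA, RCODE) and the four counts."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-octet header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1,
            "ra": (flags >> 7) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def decode_name(msg: bytes, offset: int, depth: int = 0):
    """Decode a possibly compressed name at offset; return (name, offset after the name).
    A pointer (top two bits 11) must point backwards, and the depth bound stops a
    chain of pointers in a malformed message from running forever."""
    if depth > 16:
        raise ValueError("too many compression pointers")
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if offset + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if ptr >= offset:
                raise ValueError("compression pointer does not point backwards")
            tail, _ = decode_name(msg, ptr, depth + 1)
            return ".".join(labels + ([tail] if tail else [])), offset + 2
        if length & 0xC0:
            raise ValueError("reserved label type")
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def decode_rdata(msg: bytes, rtype: int, rdata: bytes, rdata_offset: int):
    """Interpret RDATA for a few types from the slides; anything else is returned as hex."""
    if rtype == TYPE_A and len(rdata) == 4:
        return str(ipaddress.IPv4Address(rdata))
    if rtype == TYPE_AAAA and len(rdata) == 16:
        return str(ipaddress.IPv6Address(rdata))
    if rtype == TYPE_NS:  # NS RDATA is a name and may itself use compression
        return decode_name(msg, rdata_offset)[0]
    return rdata.hex()


def parse_message(msg: bytes) -> dict:
    """Parse header, question section, then the AN, NS and AR resource records in order."""
    hdr = parse_header(msg)
    offset, questions, records = 12, [], []
    for _ in range(hdr["qdcount"]):
        qname, offset = decode_name(msg, offset)
        if offset + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"qname": qname, "qtype": qtype, "qclass": qclass})
    for _ in range(hdr["ancount"] + hdr["nscount"] + hdr["arcount"]):
        name, offset = decode_name(msg, offset)
        if offset + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("RDLENGTH runs past the end of the message")
        records.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl,
                        "rdata": decode_rdata(msg, rtype, rdata, offset)})
        offset += rdlen
    return {"header": hdr, "questions": questions, "records": records}


def reply_matches_query(query: bytes, reply: bytes) -> bool:
    """Accept a reply only if QR=1, the ID equals the outstanding query's ID, and the
    question section echoes the same (name, type, class); anything else is discarded."""
    q, r = parse_message(query), parse_message(reply)
    key = lambda x: (x["qname"].lower(), x["qtype"], x["qclass"])
    return (r["header"]["qr"] == 1 and r["header"]["id"] == q["header"]["id"]
            and [key(x) for x in q["questions"]] == [key(x) for x in r["questions"]])


# Constructed sample exchange: ID 0x1A2B, QR=1 RD=1 RA=1 flags (0x8180), one question,
# one answer whose NAME is a pointer to offset 12 (the QNAME), TTL 300, A record 192.0.2.1.
SAMPLE_QUERY = build_query(0x1A2B, "example.com")
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
                   + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
                   + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print(parse_message(SAMPLE_RESPONSE))
    print("accepted:", reply_matches_query(SAMPLE_QUERY, SAMPLE_RESPONSE))
```

The matching check is the resolver-side consequence of the ID field described earlier: a reply whose ID or question does not match an outstanding query is dropped rather than cached. The bounds checks in `decode_name` and `parse_message` are where a parser of this format most often goes wrong on hostile input, so they are kept explicit instead of relying on `struct` raising on a short slice.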

Example Query

DNS query WireShark

Example Response

DNS response WireShark