DNS is one of the core protocols of the Internet. Whether you are browsing the web or writing software, you need to know a little about it. Let's review the basics of DNS.

What is the DNS

Formally, the Domain Name System (DNS) is an Internet service that names the machines on the Internet: a distributed database that maps domain names to IP addresses (and back), so that people can use the Internet more conveniently.

Just as you need a friend's address before you can visit, a host on the Internet must know another host's address before it can talk to it. In TCP/IP that address is an IP address: for IPv4, four decimal numbers separated by dots; for IPv6, a longer hexadecimal form. Neither is as convenient to remember as a name, so the Domain Name System manages the relationship between names and IP addresses.

For example, the domain name of the Microsoft website is www.microsoft.com. Suppose the corresponding web server's IP address is 207.46.230.229 (a large site actually has many addresses, and they change over time). To visit the site, we use DNS to turn the name www.microsoft.com into that IP address, and then connect to the server by IP.

By now you may have the following questions:

  • Why does the Web server have to be reached through an IP address rather than directly through a domain name?

Packets are routed by IP address, not by name. An IPv4 address is 32 bits, 4 fixed bytes, which every router on the path can match against its routing table cheaply. A domain name is variable length: typically a dozen bytes, and up to 255 bytes on the wire. If every packet carried a name instead of an address, every router would have to parse and look up variable-length strings, adding per-packet work for routers and making every packet longer to transmit. So the name is resolved once, at the edge, and the packets themselves carry only addresses.

How does DNS perform queries

There are two types of DNS query, iterative and recursive. Let's look at both.

  • Recursive query: The client (stub resolver) sends its query to the local DNS server with the "recursion desired" flag set. The server must return a final result: if it does not have the answer cached, it does all the work of asking other servers itself and hands the final result back to the client.

  • Iterative query: The local DNS server queries the root server iteratively. A server answering an iterative query either returns the answer or returns a referral: the name servers for the next zone down, together with their addresses (glue). The local DNS server then repeats the query against that server, and so on until it reaches the server that is authoritative for the name.

DNS name servers are also hierarchical, each managing only one part of the namespace. By role, DNS servers are generally divided into root servers, top-level domain (TLD) servers, authoritative servers (responsible for individual zones such as abc.com), and local DNS servers (the recursive resolvers run by your ISP or organization), as shown in the figure below:

When a user enters www.abc.com in the address bar, the DNS resolution process is as follows:

  1. The browser checks its own cache for an IP address for the name. If there is one, resolution is complete. The record's TTL bounds how long the browser may keep it.
  2. If it is not in the browser cache, the browser asks the operating system, which has its own cache and its own resolution steps. The OS first consults the hosts file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts on Unix-like systems); a name mapped there is used before any DNS query is sent, which is exactly why malware likes to edit it.
  3. If there is still no match, the OS sends the query to the local DNS server (LDNS), the recursive resolver configured on the machine. This is the recursive query step. The LDNS caches results, and the article's figure is that about 80% of resolutions are answered from this cache.
  4. If the LDNS does not have it cached either, it starts the iterative phase by asking a root server.
  5. The root server does not know www.abc.com, but it knows who serves .com: it returns a referral with the addresses of the .com TLD servers that the LDNS should ask next.
  6. The LDNS queries a .com TLD server, which returns a referral to the authoritative name servers for abc.com.
  7. The LDNS queries the authoritative server for abc.com, which returns the A record holding the target host's IP address.
  8. The LDNS returns the final IP address to the user's host and caches it, for the TTL carried in the record, so later queries are answered locally.
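The eight steps above, as an added example that is not part of the original article: a small simulation in which a stub asks the local DNS server (LDNS) recursively, and the LDNS walks root, TLD and authoritative server by iterative queries, following referrals and caching the answer for its TTL. Server names and addresses are constructed (RFC 5737 documentation ranges); nothing touches the network.

```python
"""Simulation of the DNS resolution walk: stub -> LDNS (recursive) ->
root -> TLD -> authoritative (iterative, following referrals).

Added example, not code from the original article. The server names and
addresses are constructed (RFC 5737 documentation ranges)."""
from dataclasses import dataclass


@dataclass
class Referral:
    """Iterative reply meaning 'I don't hold this name; ask the server for
    this zone' (an NS record plus its glue address)."""
    zone: str
    ns_ip: str


@dataclass
class Answer:
    """Final A record with its TTL in seconds."""
    ip: str
    ttl: int


class AuthServer:
    """One name server: `answers` are names it is authoritative for,
    `delegations` are child zones it hands off to other servers."""

    def __init__(self, name, answers=None, delegations=None):
        self.name = name
        self.answers = answers or {}
        self.delegations = delegations or {}

    def query(self, qname):
        if qname in self.answers:
            ip, ttl = self.answers[qname]
            return Answer(ip, ttl)
        # Longest matching delegated zone wins (abc.com before com).
        for zone in sorted(self.delegations, key=len, reverse=True):
            if qname == zone or qname.endswith("." + zone):
                return Referral(zone, self.delegations[zone])
        return None  # NXDOMAIN: nobody below us holds this name


class RecursiveResolver:
    """The LDNS. `servers` maps IP -> AuthServer, standing in for the network."""

    def __init__(self, servers, root_ip):
        self.servers = servers
        self.root_ip = root_ip
        self.cache = {}  # qname -> (ip, expires_at)

    def resolve(self, qname, now=0, max_hops=10):
        """Return (ip, path); `path` lists the servers actually consulted."""
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return hit[0], ["cache"]
        path, next_ip = [], self.root_ip
        for _ in range(max_hops):
            server = self.servers[next_ip]
            path.append(server.name)
            reply = server.query(qname)
            if isinstance(reply, Answer):
                self.cache[qname] = (reply.ip, now + reply.ttl)
                return reply.ip, path
            if reply is None:
                return None, path  # NXDOMAIN is passed back to the stub
            next_ip = reply.ns_ip  # follow the referral one level down
        raise RuntimeError("too many referrals; probable delegation loop")


# Constructed hierarchy: root knows .com, .com knows abc.com, ns1 holds www.
ROOT_IP, COM_IP, ABC_IP = "198.51.100.1", "198.51.100.2", "198.51.100.3"
NETWORK = {
    ROOT_IP: AuthServer("root", delegations={"com": COM_IP}),
    COM_IP: AuthServer("com TLD", delegations={"abc.com": ABC_IP}),
    ABC_IP: AuthServer("ns1.abc.com",
                       answers={"www.abc.com": ("203.0.113.10", 300)}),
}


def demo():
    """Cold lookup, cache hit inside the TTL, re-walk after expiry, NXDOMAIN."""
    ldns = RecursiveResolver(NETWORK, ROOT_IP)
    return (
        ldns.resolve("www.abc.com", now=0),
        ldns.resolve("www.abc.com", now=100),
        ldns.resolve("www.abc.com", now=301),
        ldns.resolve("nope.abc.com", now=0),
    )


if __name__ == "__main__":
    for ip, path in demo():
        print(ip, "via", " -> ".join(path))
```

The second lookup never leaves the LDNS because the TTL (300 s) has not expired; at `now=301` the cache entry is stale and the full walk is repeated. A real resolver also caches the referrals themselves, so a later query for mail.abc.com would start at ns1.abc.com rather than at the root.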

DNS uses TCP or UDP

It is well known that DNS listens on both UDP and TCP port 53, but less well known is when each transport is used.

Classic DNS over UDP limits a message to 512 bytes (RFC 1035), while a DNS message over TCP may be up to 65,535 bytes, because each TCP message is prefixed by a 2-byte length field. If a response does not fit within the UDP limit, the server sends what fits and sets the TC (truncated) flag in the header; the client then retries the same query over TCP. Traditional queries and responses fit comfortably in 512 bytes. Note that EDNS(0) (RFC 6891) lets a client advertise a larger UDP buffer, so modern resolvers commonly exchange UDP messages of 1232 to 4096 bytes before falling back to TCP.

  • UDP is used for name resolution: a client's query and the server's reply normally fit in a single datagram under 512 bytes. With no three-way handshake, the server does less work per query and responds faster.

  • TCP is used for zone transfers: a secondary DNS server periodically checks the primary (typically every few hours, as set by the zone's SOA refresh value) for a higher serial number, and if the zone has changed it pulls the new data with a zone transfer (AXFR for the full zone, IXFR for the changes). Zone transfers use TCP rather than UDP because far more data moves than in a single request and reply. A zone transfer hands out the entire zone, so authoritative servers should restrict it to their own secondaries (allow-transfer in BIND); an AXFR open to anyone is a classic reconnaissance finding.
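The wire-level mechanics behind both bullets, as an added example that is not code from the original article: build a query in DNS wire format, read the header flags of a reply, decide from the TC bit whether to retry over TCP, and frame messages with the 2-byte length prefix TCP requires. The "server reply" is constructed in-process from the query, so it runs offline.

```python
"""DNS wire format: build a query, read reply header flags, retry over TCP
when the reply is truncated (TC=1), and frame messages for TCP.

Added example, not from the original article; the reply bytes are
constructed inline and nothing is sent on the network."""
import struct


def encode_name(name: str) -> bytes:
    """'www.abc.com' -> b'\\x03www\\x03abc\\x03com\\x00' (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1, qclass: int = 1) -> bytes:
    """12-byte header + question section. Flags 0x0100 = RD (recursion desired).
    qtype 1 = A record, qclass 1 = IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header (RFC 1035 section 4.1.1)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "tc": bool(flags & 0x0200),   # 1 = truncated, retry over TCP
        "rd": bool(flags & 0x0100),   # recursion desired
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def tcp_frame(msg: bytes) -> bytes:
    """Over TCP each message is prefixed by a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream: bytes) -> list:
    """Split a TCP byte stream back into individual DNS messages."""
    msgs, i = [], 0
    while i + 2 <= len(stream):
        n = struct.unpack("!H", stream[i:i + 2])[0]
        msgs.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return msgs


def constructed_reply(query: bytes, truncated: bool, rcode: int = 0) -> bytes:
    """Stand-in for a server: echo the query's ID and question, set QR/RD/RA,
    and optionally the TC bit. No answer records are attached."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if truncated else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


def choose_transport(query: bytes, udp_reply: bytes) -> str:
    """What a client does with a UDP reply: drop it if the transaction ID does
    not match the outstanding query, retry over TCP if truncated, else use it."""
    h = parse_header(udp_reply)
    if h["id"] != struct.unpack("!H", query[:2])[0]:
        return "discard: transaction ID mismatch"
    if h["tc"]:
        return "retry over TCP"
    return "use UDP answer"


if __name__ == "__main__":
    q = build_query(0x1234, "www.abc.com")
    print(len(q), "byte query:", q.hex())
    print(choose_transport(q, constructed_reply(q, truncated=True)))
    print(tcp_unframe(tcp_frame(q))[0] == q)
```

A real client also checks that the echoed question section matches what it asked, not only the ID; the spoofing section below explains why that matters. The 29-byte query shown here illustrates how far below 512 bytes ordinary traffic sits.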

What is DNS hijacking

DNS hijacking (domain name hijacking) is an Internet attack in which the attacker compromises a DNS server, or impersonates one, so that the target domain name resolves to the wrong IP address. The result is that users either cannot reach the target site at all, or are deliberately sent to an IP address the attacker chooses (a fake site).

Here are several ways DNS hijacking, and DNS attacks closely related to it, are carried out:

  1. DNS servers used to launch DDoS attacks

Strictly this is reflection and amplification rather than hijacking, but it abuses the same recursive query flow. The attacker knows the victim's IP address and forges it as the source address of queries sent to recursive DNS servers. Each server performs the recursive lookup and sends the response, which is much larger than the query, to the forged source, that is, to the victim. With enough compromised machines (bots) sending such queries continuously, the victim is flooded with DNS response messages it never asked for. The defences are to not run an open resolver (restrict recursion to your own clients), to enable response rate limiting, and to drop packets with forged source addresses at the network edge (BCP 38 ingress filtering).

  2. DNS cache poisoning

The attacker uses crafted DNS traffic to plant forged records in the cache of a vulnerable recursive DNS server. Every client of that server is then handed the forged data until the TTL expires, so requests for a legitimate domain are steered to a page the attacker controls: a drive-by download site, a phishing page, or a fake mail server that harvests credentials. One poisoned cache compromises every user behind it, which is what makes this class of attack so damaging.

  3. DNS response spoofing

TCP/IP protects a connection from injected data with sequence numbers, but a DNS exchange over UDP has far less to go on: each message carries a 16-bit transaction ID, and a response is accepted if its ID (and question section) match the outstanding query and it arrives on the right port. If an attacker can observe the query on the wire, the ID is known and a forged response is trivial to build. If not, the attacker races the real server by firing many responses with guessed IDs, since the client accepts the first one that matches. When a forged answer with a bogus IP address arrives before the legitimate one, the client connects to the attacker's address as though it were the requested domain, the real reply is discarded as a duplicate, and the user never reaches the site they asked for. Because 16 bits of ID are too little entropy, resolvers also randomize the UDP source port (RFC 5452), and DNSSEC lets a resolver verify the answer cryptographically rather than trusting whoever replied first.
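The detection side of the race described above, as an added example that is not part of the original article: a legitimate exchange produces one reply per query with a matching ID, while an attacker who cannot see the query has to sweep IDs, which shows up as a burst of replies to the same client port and name with many distinct transaction IDs. The event records are constructed (RFC 5737 addresses); in practice they would come from a packet capture or the resolver's query log.

```python
"""Detect a DNS transaction-ID guessing flood in resolver traffic.

Added example, not from the original article. EVENTS is constructed
(RFC 5737 addresses): one real query, forty forged replies sweeping IDs
toward the same client port, then an ordinary unrelated exchange."""
from collections import defaultdict

# (timestamp, kind, client_ip, client_port, server_ip, txid, qname)
EVENTS = [
    (0.000, "query", "192.0.2.10", 40123, "198.51.100.53", 0x4A1F, "www.abc.com"),
]
# Forged replies: the attacker guesses IDs 0x4A00..0x4A27 in quick succession.
EVENTS += [
    (0.001 + i * 0.0001, "reply", "192.0.2.10", 40123, "198.51.100.53",
     0x4A00 + i, "www.abc.com")
    for i in range(40)
]
# Legitimate traffic: one query, one reply, IDs match.
EVENTS += [
    (0.500, "query", "192.0.2.11", 51000, "198.51.100.53", 0x1111, "mail.abc.com"),
    (0.520, "reply", "192.0.2.11", 51000, "198.51.100.53", 0x1111, "mail.abc.com"),
]


def detect_id_guessing(events, window=1.0, threshold=10):
    """Return one alert per (client, port, qname) that received more than
    `threshold` replies with distinct transaction IDs within `window`
    seconds of the first reply. `matched_real_id` tells you whether the
    sweep actually covered the ID of the genuine query, i.e. whether the
    race could have been won."""
    outstanding = {}             # (client, port, qname) -> txid of the real query
    replies = defaultdict(list)  # (client, port, qname) -> [(ts, txid), ...]
    for ts, kind, cip, cport, sip, txid, qname in sorted(events):
        key = (cip, cport, qname)
        if kind == "query":
            outstanding[key] = txid
        else:
            replies[key].append((ts, txid))

    alerts = []
    for (cip, cport, qname), seen in replies.items():
        start = seen[0][0]
        burst = [txid for ts, txid in seen if ts - start <= window]
        distinct = set(burst)
        if len(distinct) > threshold:
            alerts.append({
                "client": cip,
                "port": cport,
                "qname": qname,
                "replies": len(burst),
                "distinct_ids": len(distinct),
                "matched_real_id": outstanding.get((cip, cport, qname)) in distinct,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_id_guessing(EVENTS):
        print(alert)
```

In the constructed data the sweep includes 0x4A1F, the real ID, so `matched_real_id` is true: with a fixed source port the attacker needed only 40 packets. If the client had also randomized its source port, the same 40 replies would have been aimed at the wrong port and the alert would still fire, but the race would have been lost.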

  4. DNS redirection

The attacker changes which DNS server the client sends its queries to, for example by altering the resolver settings on the client or its router, so that every name query goes to a malicious DNS server. Resolution of every domain the client looks up is then completely under the attacker's control.

  5. ARP spoofing

In an ARP attack the attacker sends forged ARP replies that pair their own MAC address with another host's IP address, typically the gateway's or the DNS server's. This generates a large amount of ARP traffic and can congest the network, but the real damage is that continuously repeated forged replies overwrite the IP-to-MAC entries in the victims' ARP caches, which either cuts the victims off or lets the attacker sit in the middle and read or rewrite their traffic, including DNS queries and replies. ARP attacks only work within a local area network (one broadcast domain). A machine infected with an ARP-spoofing Trojan tries to intercept the other machines' traffic this way, which commonly breaks their connectivity; on an office network it shows up as users' domain names resolving to the wrong place. If an attacker gets into a data-centre (IDC) network, the same ARP packets can be used to suppress the real hosts or DNS servers there, again misdirecting access.

  6. Local hijacking

After a computer is infected by a Trojan or adware, its access to domain names may go wrong: it lands on drive-by download or phishing sites, or cannot connect at all. Local hijacking includes tampering with the hosts file, changing the machine's configured DNS server, injecting into the Winsock SPI chain (LSP), and malicious browser helper objects (BHO plug-ins). Not all of these go through DNS, but the effect is the same: the user does not get the address or content they asked for.
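A check for the first of those, hosts file tampering, which also matters for step 2 of the resolution walk above because hosts entries win over DNS. This is an added example, not code from the original article: it parses hosts-file syntax and flags mappings that point a public name at an address outside loopback, the 0.0.0.0 sinkhole convention, and the private ranges. The hosts content is constructed; to audit a real machine, read C:\Windows\System32\drivers\etc\hosts (Windows) or /etc/hosts (Unix-like) and pass its text to `audit_hosts()`.

```python
"""Audit a hosts file for entries that override DNS for public names.

Added example, not from the original article. CONSTRUCTED_HOSTS is a
made-up sample; the www.abc.com line is the kind of entry a Trojan adds."""
import ipaddress

CONSTRUCTED_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.20    printer.lan            # local device, expected
203.0.113.66    www.abc.com  abc.com   # public name pinned to an outside IP
0.0.0.0         ads.example            # sinkhole entry, benign
"""

# Ranges a legitimate hosts entry normally points into (besides loopback
# and the unspecified address). Checked explicitly rather than via
# ipaddress.is_private, which also covers documentation ranges.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "fc00::/7", "fe80::/10",                          # IPv6 ULA, link-local
)]


def parse_hosts(text):
    """Yield (ip, [names]) per active line; comments and blank lines skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        yield ip, names


def is_local(addr):
    """Loopback, 0.0.0.0/:: sinkholes, and private or link-local ranges."""
    return (addr.is_loopback or addr.is_unspecified
            or any(addr in net for net in LOCAL_RANGES))


def audit_hosts(text):
    """Return (ip, name, reason) for every mapping that silently overrides
    DNS for a public name, plus lines that do not parse as an address."""
    findings = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, " ".join(names), "unparseable address"))
            continue
        if is_local(addr):
            continue
        for name in names:
            findings.append((ip, name, "overrides DNS for a public name"))
    return findings


if __name__ == "__main__":
    for ip, name, reason in audit_hosts(CONSTRUCTED_HOSTS):
        print(f"{ip:<16} {name:<14} {reason}")
```

Private-range entries are deliberately allowed because pinning an internal name to an internal address is normal administration; a bank or webmail domain pinned to any address at all is the finding to chase.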

There are several ways to guard against DNS hijacking:

  1. Use HTTPDNS: the client fetches the A record by sending an HTTP request directly to the IP address of a resolution service, bypassing the carrier's local DNS resolver entirely, so hijacking at that resolver is avoided. This moves the trust rather than removing it: the HTTPDNS request must itself go over HTTPS, or it can be tampered with on the way, and it does nothing against hosts file tampering or malware on the device. The standardized equivalents are DNS over HTTPS (DoH, RFC 8484) and DNS over TLS (DoT, RFC 7858); DNSSEC signs the records themselves so a resolver can detect forged answers.
  2. Internet companies register two or more domain names, so that if one is hit by a DNS attack users can reach the service through another. This limits the damage rather than preventing the attack.

Resources

  • Computer Networking (7th edition) – Xiren Xie
  • Explain the whole process of DNS domain name resolution
  • Front-end scumbag’s correct understanding of DNS, god heartless