* in no particular order
DNS: Domain Name System
DNS is a system that translates human-readable domain names into IP addresses.
📖 It's like a phonebook for the internet.
Although it started as a system to convert names to IP addresses, it's now a distributed system of servers that store and serve DNS records.
DNS records are the data that DNS servers store and serve.
There are different types of DNS records, each with a different purpose.
The most common types of DNS records are A, AAAA, CNAME, MX, and TXT.
| Type | Description |
|---|---|
| A | IPv4 address |
| AAAA | IPv6 address |
| CNAME | Canonical name |
| MX | Mail exchange |
| TXT | Text record |
* there are a lot more types of DNS records, but these are the most common.
It's a distributed system of servers that store and serve DNS records.
www.example.com
translates to
www.example.com.
The domain name is broken down into parts:
| Part | Description |
|---|---|
| . | The root domain |
| com | The top-level domain (TLD) |
| example | The domain (apex domain) |
| www | The subdomain |
Generally the domain name resolution is not done by the end user device, but by the recursive resolver.
The recursive resolver is responsible for resolving the domain name part by part.
The recursive resolver caches the results for a certain period of time.
The recursive resolver then returns the result to the end user device.
The end user device then uses the result to access the website.
Practical Examples
Stub Resolvers
Stub Resolvers just aggregate and forward the requests to the recursive resolvers.
They also serve local DNS records like /etc/hosts, C:/Windows/System32/drivers/etc/hosts, etc.
Example stub resolvers:
| Stub Resolver | OS | Description |
|---|---|---|
| systemd-resolved | Linux | The default resolver on most Linux distributions. |
| dnsmasq | Linux, MacOS | Highly configurable DNS, DHCP, and TFTP server. |
| coredns | Linux, MacOS, Windows | Highly configurable DNS server. Common in Kubernetes clusters. |
| mDNSResponder | MacOS | Apple's native DNS server. Used for Bonjour and AirPlay. |
Recursive Resolvers
Recursive Resolvers are the servers that resolve the domain names.
These actually query the DNS servers part by part, cache the result, and return it to the stub resolver.
DNSSEC validation happens at Recursive Resolver level.
Free recursive resolver services:
Paid recursive resolver services:
Recursive Resolver softwares:
Notable DNS forwarders:
My Previous DNS Setup at home
All devices were connected to the Tailscale overlay network.
All devices were using Tailscale's DNS configuration.
Tailscale is configured to use AdGuard Home server hosted on my home server.
Demo
AdGuard Home is a DNS server that can be used to block ads, trackers, and other unwanted content.
Root Servers & Root Zone
Root Servers are the top-level servers that store and serve the root zone.
https://www.iana.org/domains/root/servers
Root hints
Root hints are the DNS records that point to the root servers.
These are hardcoded in recursive resolvers.
These are updated periodically by IANA, and most recursive resolvers are configured to use the latest root hints.
https://www.internic.net/domain/named.root
TLDs and TLD servers
TLDs are the top-level domains like .com, .org, .net, .in, .co.in, etc.
TLD servers are the servers that store and serve the TLD zone, which contains the list of all registered domains of that TLD.
Types of TLDs
DNS Governance
DNS is governed by IANA, which is a division of ICANN.
TLD server infrastructure
Story about .local TLD in my home network
Interesting Tools
https://dns.coffee/
Authoritative Servers
Authoritative Servers are the servers that store and serve the zone files for the domains.
Delegating subdomains to other servers is possible and is a common practice.
Commercial authoritative hosting services
Self hosting software
My DNS setup for rka.xyz
I'm using CoreDNS as my authoritative server.
I have redundant servers in different regions and clouds for high availability.
Zone Files & Zone Transfers
Zone Files are the files that contain the DNS records for a domain.
Zone Transfers are the process of transferring the zone files from one authoritative server to another.
AXFR and IXFR are the two most popular zone transfer protocols.
XoT (XFR over TLS) is a secure zone transfer protocol that carries AXFR/IXFR zone transfers over a TLS connection.
Anycast vs Unicast DNS Servers
https://rka.xyz/blog/anycast-dns/
DNS Caching
DNS Caching is the process of storing the results of DNS queries in a cache.
DNS caching is done by the recursive resolvers and the stub resolvers.
How does TTL work?
TTL is the time to live for the DNS record: the time for which the DNS record may be cached.
TTL is the maximum time for which the DNS record is cached, counted across all levels of caching (each cache hands on only the remaining TTL).
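An added example (not from the original notes) showing why the TTL is an upper bound across all caching layers: a stub cache in front of a recursive resolver cache in front of a constructed authoritative answer, where every layer hands on only the remaining TTL. The record, addresses and TTL are constructed sample data.

```python
import time

# Constructed authoritative data: name -> (rdata, ttl). Not a real zone.
AUTHORITATIVE = {"www.example.com.": ("203.0.113.10", 300)}

class Cache:
    """A minimal positive DNS cache keyed by name, storing the absolute expiry time."""
    def __init__(self, upstream, clock=time.time):
        self.upstream = upstream   # callable(name, now) -> (rdata, remaining_ttl)
        self.clock = clock
        self.store = {}            # name -> (rdata, expires_at)

    def resolve(self, name, now=None):
        now = self.clock() if now is None else now
        hit = self.store.get(name)
        if hit and hit[1] > now:
            # Cache hit: advertise only what is left of the TTL, never the original value.
            return hit[0], int(hit[1] - now)
        # Cache miss or expired: ask upstream, which itself reports a remaining TTL.
        rdata, ttl = self.upstream(name, now)
        self.store[name] = (rdata, now + ttl)
        return rdata, ttl

def authoritative_lookup(name, now):
    """Stands in for the authoritative server: always answers with the full TTL."""
    return AUTHORITATIVE[name]

def build_chain():
    """Recursive resolver cache in front of authoritative; stub cache in front of the recursive."""
    recursive = Cache(authoritative_lookup)
    stub = Cache(recursive.resolve)
    return stub, recursive

def fresh_stub_sees(recursive, t):
    """TTL a brand-new (cold) stub receives at time t from an already-warm recursive resolver."""
    stub = Cache(recursive.resolve)
    return stub.resolve("www.example.com.", now=t)[1]

if __name__ == "__main__":
    stub, recursive = build_chain()
    print(stub.resolve("www.example.com.", now=0))     # full TTL, every layer was cold
    print(stub.resolve("www.example.com.", now=100))   # stub hit, 200 s left
    print(fresh_stub_sees(recursive, 250))             # cold stub, warm recursive: only 50 s left
```

A cold stub at t=250 still gets only 50 seconds, so the record expires everywhere at t=300 regardless of how many caches sit in the path.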
EDNS0 & GSLB
EDNS0 is the extension to the DNS protocol to carry additional information in the DNS request and response.
GSLB is the Global Server Load Balancer.
ECS (EDNS Client Subnet)
ECS is an EDNS0 option that carries the subnet of the client that is making the DNS request.
ECS can be used to determine the closest server to the user.
Cloudflare DNS doesn't support ECS, which is hypocritical of a DNS provider.
GSLB (Global Server Load Balancer)
GSLB is used for responding with the server IP closest to the user, based on the following:
If ECS is not present, then the source IP of the recursive resolver is used to respond with the server IP closest to the recursive resolver.
If ECS is present, then the client subnet from the request is used to respond with the server IP closest to the user.
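An added example (not from the original notes) of the GSLB decision just described: pick the server by the ECS client subnet when the option is present, otherwise by the recursive resolver's own address. The geo table, server pool and addresses are constructed sample data; the returned scope is the matched prefix length, which is what an ECS-aware answer reports back so the resolver knows how widely it may reuse the answer.

```python
import ipaddress

# Constructed prefix -> region table, standing in for a GSLB's geo database.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "eu",
    ipaddress.ip_network("203.0.113.0/24"): "in",
    ipaddress.ip_network("192.0.2.0/24"): "us",
}

# Constructed pool: region -> server IP handed out in the answer.
SERVER_POOL = {"eu": "10.0.1.1", "in": "10.0.2.1", "us": "10.0.3.1"}
DEFAULT_REGION = "us"

def region_for(addr):
    """Longest-prefix match of an address or subnet against GEO_TABLE.
    Returns (region, matched_prefix_length); prefix length 0 means no match."""
    net = ipaddress.ip_network(addr, strict=False)
    best = None
    for prefix, region in GEO_TABLE.items():
        if net.version == prefix.version and net.subnet_of(prefix):
            if best is None or prefix.prefixlen > best[0].prefixlen:
                best = (prefix, region)
    if best is None:
        return DEFAULT_REGION, 0
    return best[1], best[0].prefixlen

def gslb_answer(resolver_ip, ecs_subnet=None):
    """GSLB decision for one query.
    With ECS: locate by the client subnet and report the scope the answer applies to.
    Without ECS: locate by the recursive resolver's source IP (scope is not applicable)."""
    if ecs_subnet is not None:
        region, scope = region_for(ecs_subnet)
        return {"server": SERVER_POOL[region], "basis": "ecs", "scope": scope}
    region, _ = region_for(resolver_ip)
    return {"server": SERVER_POOL[region], "basis": "resolver", "scope": None}

if __name__ == "__main__":
    # A client in the "in" prefix using a public resolver located in the "us" prefix.
    print(gslb_answer("192.0.2.53"))                   # no ECS: steered to the resolver's region
    print(gslb_answer("192.0.2.53", "203.0.113.0/24")) # ECS: steered to the client's region
```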
GSLB live demo
https://cdn.anuragbhatia.com/favicon.ico
https://atlas.ripe.net/measurements/124246597/overview
DNS Privacy & Security
DNS Privacy
DNS privacy is mostly a client side thing.
Mostly achieved by using an encrypted protocol to communicate with the Recursive Resolver.
Examples: DoH (DNS over HTTPS), DoQ (DNS over QUIC), DoT (DNS over TLS).
To be totally private, you need to use a recursive resolver that doesn't store any logs.
Examples: Google Public DNS, Cloudflare DNS, Quad9 DNS, OpenDNS, etc. all support encrypted protocols.
I mostly use dns.adguard.com on my mobile devices and quad9 on my desktop devices.
DNS Security
DNS security is a server side thing.
DNSSEC is a security extension to the DNS protocol to verify the authenticity of the DNS records.
ADoT (Authoritative DNS over TLS) and ADoQ (Authoritative DNS over QUIC) are security extensions to the DNS protocol to secure the communication between the Authoritative Server and the Recursive Resolver.
Currently only Google Public DNS supports ADoT (ref: https://shrirangkahale.com/posts/encrypted-adns/).
DNSSEC
DNSSEC uses chain of trust to verify the authenticity of the DNS records.
The chain of trust starts from the Root Server and ends at the Authoritative Server.
The chain of trust is verified by the Recursive Resolver.
Root zone trust is configured in the recursive resolvers, just like the ca-certificates package on Linux systems.
https://www.iana.org/domains/root/files
The root zone is signed by IANA at the KSK ceremony and distributed to the Root Servers.
The KSK ceremony is live streamed on YouTube, and there are some misconceptions about it.
Example: https://www.youtube.com/results?search_query=seven+people+who+can+turn+off+the+internet
Let's dive deep into DNSSEC
ZSK (Zone Signing Key) is used to sign the zone files.
KSK (Key Signing Key) is used to sign the ZSK.
DS (Delegation Signer) is used to delegate the zone to the Authoritative Server.
RRSIG (Resource Record Signature) is used to verify the authenticity of the DNS records.
NSEC3 (Next Secure 3) is used as a proof of non-existence.
CDS (Child DNSSEC) & CDNSKEY (Child DNSSEC Key) are a mechanism to update DNSSEC records in parent zone.
A handy tool for DNSSEC validation is https://dnsviz.net/
Additional security mechanisms that depend on DNS
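An added example (not from the original notes or any real zone) of the link in the chain of trust between a parent and a child zone: the DS record in the parent is a digest of the child's KSK, so a validator recomputes the key tag and the digest from the child's DNSKEY and compares them with the parent's DS. Layout follows RFC 4034 (DNSKEY RDATA, key tag) and RFC 4509 (DS with SHA-256); the key bytes are made up and are not a usable key.

```python
import base64
import hashlib
import struct

def owner_name_wire(name):
    """Canonical (lowercased) wire form of an owner name: length-prefixed labels plus the root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit word sum over the RDATA, folded to 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA, as uppercase hex."""
    return hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest().upper()

def make_ds(owner, rdata, digest_type=2):
    """What the parent zone publishes for a child KSK: (key_tag, algorithm, digest_type, digest)."""
    return key_tag(rdata), rdata[3], digest_type, ds_digest_sha256(owner, rdata)

def ds_matches(parent_ds, child_owner, child_rdata):
    """Validator-side check: does the parent's DS identify this child DNSKEY?
    Key tag and algorithm must agree before the (more expensive) digest is compared."""
    tag, alg, dtype, digest = parent_ds
    if dtype != 2:
        return False                      # only SHA-256 digests are handled here
    if tag != key_tag(child_rdata) or alg != child_rdata[3]:
        return False
    return digest == ds_digest_sha256(child_owner, child_rdata)

# Constructed child KSK: flags 257 (SEP bit set, i.e. a KSK), protocol 3, algorithm 13.
TOY_KEY_B64 = base64.b64encode(b"\x00\x01\x00\x02").decode()

if __name__ == "__main__":
    rdata = dnskey_rdata(257, 3, 13, TOY_KEY_B64)
    ds = make_ds("example.com.", rdata)
    print("key tag", ds[0], "DS digest", ds[3])
    print("parent DS matches child KSK:", ds_matches(ds, "example.com.", rdata))
```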
CAA (Certification Authority Authorization) records
DANE (DNS-based Authentication of Named Entities) records
MTA-STS (Mail Transfer Agent Strict Transport Security) records
SPF (Sender Policy Framework) records; these use the TXT record type
DKIM (DomainKeys Identified Mail) records; these use the TXT record type
DMARC (Domain-based Message Authentication, Reporting & Conformance) records; these use the TXT record type
Domain Registration
Registry
Registry is the company/body which owns the TLD.
Example: Verisign, Radix (Indian), Identity Digital, XYZ Registry
Registrar
Registrar is the company/body which registers the domain name.
Example: GoDaddy, Namecheap, Cloudflare, Route53, etc.
Registrant
Registrant is the person/entity who registered the domain name.
Domain Transfer
EPP (Extensible Provisioning Protocol) is the protocol used to transfer the domain name.
The domain transfer authorization code is sometimes called the EPP code.
Disable DNSSEC before transferring the domain.