From Network Security Wiki


Why do we need DNS?[1]
  • People prefer to use names instead of numeric addresses.
  • So we need a system that can map a name to an address, or an address to a name.
  • When the Internet was small, IP-to-hostname mapping was done with a hosts file that was periodically updated.
  • Today it is impossible to store and update all mappings this way, as doing so would create a huge amount of traffic on the Internet.
Packet Capture

DNS Packet Capture - TXT, MX, LOC, PTR, A, AAAA, Any, NS, SRV queries

Which protocol does DNS use?
UDP: For all general-purpose DNS requests, such as nslookup and client requests.
TCP: For server-to-server communication such as zone transfers, because this process needs a reliable protocol.
Zone transfer
It is the process of replicating a zone file to another name server, and is accomplished by copying the zone file information from the master server to the secondary server. 
Zone transfers take place when names and IP address mappings change in a domain.
Who decides which is used?
  • UDP can be used to exchange small amounts of information, whereas TCP must be used to exchange information larger than 512 bytes.
  • If a client doesn't get a response from DNS, it must retransmit the data using TCP after an interval of 3-5 seconds.
When will the firewall close a session opened for DNS?
  • UDP sessions have a timeout of 1 minute.
  • DNS queries may fill the session table to its limit.
  • Therefore a DNS ALG is used to close the DNS session as soon as the reply message is seen.
  • If the DNS ALG is disabled, the session table may fill up in a short time.

DNS Headers

This section is under construction.


Source: [think-like-a-computer.com]

[Image: DNS Server Zone]
  • A DNS zone is any distinct, contiguous portion of the domain name space for which administrative responsibility has been delegated to a single manager.
  • The domain name space of the Internet is organized into a hierarchical layout of subdomains below the DNS root domain.
  • Don't equate a zone with a domain.
  • A DNS zone can contain multiple domains or just one domain; the important thing to remember is that it is used for delegating control of portions of the namespace.
  • Different zones can also be on the same server.
  • Think of a zone as a database, or part of one.
  • Suppose a company is massive and has offices all over the world.
  • You create a subdomain for each country on the same DNS server.
  • Now you further split each country up into cities.
  • Imagine how many subdomains, DNS A records, etc. must be stored on this one server.
  • This DNS server would contain every record of the whole worldwide organisation and would most likely kill the server.
  • So all these domains are stored in one zone on one server.
  • The problem is that it is too much for one server and too much for the admin team to manage this entire "zone".
Delegating DNS Zones
  • Now we create a new zone on each country's DNS server.
  • The root server is configured to push all queries for the country subdomain to this server.

The key differences here are:

  • The main DNS server does not contain any records at all for the country or city subdomains.
  • It only contains a pointer to redirect queries there.
  • This means the entire DNS namespace can be split throughout an organisation.
  • Splitting the entire namespace like this removes unnecessary bandwidth and queries.
  • If the whole namespace existed in the US, then the UK would have to query the US servers for UK names.
  • Moving the UK subdomain into a zone on a UK server keeps those queries local.
  • Once a zone is created you can set permissions on it and delegate control of it to different staff.
  • If we wanted 3 domains to be administered by 3 different teams, they would need to be in different zones.

Zone Transfer

  • DNS zone transfer (also called AXFR) is a mechanism to replicate DNS databases across a set of DNS servers.
  • Zone transfers may be performed using two methods: full (AXFR) and incremental (IXFR).
  • A zone transfer uses the Transmission Control Protocol (TCP) for transport, and takes the form of a client–server transaction.
  • The client requesting a zone transfer may be a slave server or secondary server, requesting data from a master server, called a primary server.
  • The portion of the database that is replicated is a zone.

Query Types[2]

  • The DNS client tells the DNS server whether the query is recursive or iterative.

Recursive query:

  • This means that the resolver expects the server to supply the final answer.
  • The server replies with an address or an error message.
  • The server cannot refer the client to a different DNS server.
  • Generally made by a DNS client to a DNS server, or by a server that is configured to pass unresolved name queries to another DNS server (i.e. configured to use a forwarder).

Iterative query:

[Image: query flow; steps 1 & 8 are recursive, the rest are iterative]
  • Returns the best answer the server can give based on its cache or zone data.
  • If it does not have an exact match, it returns a pointer (referral) to another DNS server.
  • The client can then query the DNS server to which it was referred.
  • This continues until it locates a DNS server authoritative for the query, or until an error or time-out condition occurs.

Reverse DNS query

  • rDNS is the determination of the domain name associated with an IP address.
  • It uses the pointer DNS record type (PTR record).
  • Reverse entries live under the special domain in-addr.arpa (IN-ADDR entries).
  • If an address (A) record for mail.example.com points to an IP address, the pointer records of the reverse database store that IP address as a domain name pointing back to its designated host name, mail.example.com.
  • Original uses of rDNS: network troubleshooting via tools such as traceroute, ping and the "Received:" trace header field for SMTP e-mail, web sites tracking users (especially on Internet forums), etc.
  • One e-mail anti-spam technique: checking the domain names in the rDNS to see if they are likely from dialup users, dynamically assigned addresses, or other inexpensive Internet services.
  • System logging or monitoring tools often record entries by IP address; rDNS provides more human-usable data.
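The two mechanics described above, building the in-addr.arpa / ip6.arpa owner name for an address and then checking that the PTR answer points forward to the same address (the anti-spam heuristic), as an added example that is not part of the original page. The PTR/A tables, the address ranges and the list of "generic" hostname hints are all constructed for the example; a real check would send those queries to a resolver instead of reading a dictionary.

```python
"""Reverse-DNS helpers: build the reverse owner name for an IPv4 or IPv6
address and run a forward-confirmed rDNS (FCrDNS) check against constructed
records.  Example added to this wiki page; the data below is made up."""
import ipaddress

def reverse_name(ip):
    """Owner name used for the PTR lookup of `ip` (RFC 1035 in-addr.arpa,
    RFC 3596 ip6.arpa): octets reversed for IPv4, hex nibbles reversed for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")        # 32 hex digits, zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

# Constructed zone data (RFC 5737 documentation addresses, example.com names).
PTR_RECORDS = {
    "10.113.0.203.in-addr.arpa.": "mail.example.com.",
    "20.113.0.203.in-addr.arpa.": "dsl-20.pool.example.net.",  # generic-looking rDNS
}
A_RECORDS = {
    "mail.example.com.": {"203.0.113.10"},
    "dsl-20.pool.example.net.": {"203.0.113.21"},   # forward does not point back
}
# Hostname fragments that suggest dialup / dynamically assigned addresses
# (constructed list for the anti-spam heuristic described above).
GENERIC_HINTS = ("dsl", "dialup", "dyn", "pool", "cable")

def fcrdns(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Forward-confirmed rDNS: PTR(ip) -> host, then A(host) must contain ip.
    Also flags hostnames that look like consumer/dynamic address pools."""
    host = ptr.get(reverse_name(ip))
    if host is None:
        return {"ip": ip, "ptr": None, "confirmed": False, "generic": False}
    confirmed = ip in a.get(host, set())
    generic = any(hint in host.lower() for hint in GENERIC_HINTS)
    return {"ip": ip, "ptr": host, "confirmed": confirmed, "generic": generic}

if __name__ == "__main__":
    for sample in ("203.0.113.10", "203.0.113.20", "203.0.113.99"):
        print(fcrdns(sample))
    print(reverse_name("2001:db8::1"))
```

A mail filter would typically treat `confirmed=False` or `generic=True` as a scoring signal rather than an outright reject, since plenty of legitimate senders have sloppy reverse zones.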

DNS Doctoring[3]

  • DNS doctoring enables an internal host on a LAN to receive the private IP of an internal server as the answer to a DNS query when using a DNS server that is outside the LAN, such as on the Internet.
  • A static NAT translation must also exist to translate the public IP to the private IP.
  • Without DNS doctoring, the external DNS server replies with the public IP address of the host on the internal LAN.
  • The problem occurs when the client and the host that the client tries to reach are both on the same or a different private network behind NAT, but the DNS server used by the client is on another, public network.
  • Without DNS doctoring or another solution enabled in this situation, if the client sends a DNS request for the IP address of the web server, it is unable to access the WWW server.
  • This is because the client receives an A record that contains the mapped public address of the WWW server.
  • When the client tries to access this IP address, the security appliance drops the packets because it does not allow packet redirection on the same interface.
  • Configure static NAT for the DNS server first; if the DNS ALG is enabled, public-to-private and private-to-public static address translation can then occur for A records in DNS replies.
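The wire-format details behind several sections of this page (the header flags RD/RA that distinguish recursive from iterative queries, the 512-byte UDP limit with the TC bit and TCP length prefix, and the A-record rewrite a DNS ALG performs for doctoring), as an added example that is not part of the original page and not the code of any firewall product. The query, the reply, the public/private address pair and the static NAT table are all constructed here (RFC 5737 / RFC 1918 addresses); only the standard library is used.

```python
"""Minimal DNS wire-format helpers (RFC 1035): flag decoding, question and
answer parsing with name compression, the UDP/TCP size rule, and an A-record
rewrite in the style of DNS doctoring / DNS ALG.  Example added to this page;
addresses are constructed (RFC 5737 / RFC 1918)."""
import struct

FLAG_BITS = {"QR": 15, "AA": 10, "TC": 9, "RD": 8, "RA": 7}   # RFC 1035 4.1.1

def decode_flags(flags):
    """Split the 16-bit header flags word into named fields."""
    out = {name: bool((flags >> bit) & 1) for name, bit in FLAG_BITS.items()}
    out["OPCODE"] = (flags >> 11) & 0xF
    out["RCODE"] = flags & 0xF
    return out

def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Return (name, offset just past it), following compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                  # 11xxxxxx: 14-bit pointer
            if not jumped:
                end = off + 2                        # caller resumes after the pointer
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def build_query(qname, qtype=1, txid=0x1234, rd=True):
    """Standard query; RD=1 asks the server for a recursive lookup."""
    flags = 0x0100 if rd else 0
    return (struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))

def build_response(query, answers):
    """Authoritative reply with A records [(ipv4, ttl), ...] for the question name."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | 0x0400 | (qflags & 0x0100) | 0x0080   # QR, AA, RD copied, RA
    out = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0) + query[12:]
    for ip, ttl in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        out += struct.pack("!H", 0xC00C)                    # pointer to qname at offset 12
        out += struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return out

def parse_message(msg):
    """Header, question section and answer section (other sections ignored)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        answers.append({"name": name, "type": rtype, "ttl": ttl,
                        "rdata_off": off, "rdata": msg[off:off + rdlen]})
        off += rdlen
    return {"id": txid, "flags": decode_flags(flags), "questions": questions, "answers": answers}

def needs_tcp(msg):
    """Classic rule: UDP carries at most 512 bytes; a truncated (TC=1) reply
    tells the client to retry the query over TCP."""
    return len(msg) > 512 or decode_flags(struct.unpack("!H", msg[2:4])[0])["TC"]

def tcp_frame(msg):
    """Over TCP every DNS message is prefixed with its 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def doctor_response(msg, static_nat):
    """DNS doctoring: rewrite public IPv4 addresses in A answers to the private
    address of a matching static NAT entry, so an inside client reaches the
    inside server directly instead of hairpinning on the outside interface."""
    buf = bytearray(msg)
    for ans in parse_message(msg)["answers"]:
        if ans["type"] == 1 and len(ans["rdata"]) == 4:
            public = ".".join(str(b) for b in ans["rdata"])
            if public in static_nat:
                private = bytes(int(o) for o in static_nat[public].split("."))
                buf[ans["rdata_off"]:ans["rdata_off"] + 4] = private
    return bytes(buf)

STATIC_NAT = {"203.0.113.10": "10.1.1.10"}   # constructed public -> private mapping

def demo():
    """Inside client asks an outside resolver for www.example.com (constructed)."""
    query = build_query("www.example.com")
    reply = build_response(query, [("203.0.113.10", 300)])
    doctored = doctor_response(reply, STATIC_NAT)
    return parse_message(query), parse_message(reply), parse_message(doctored)

if __name__ == "__main__":
    for label, m in zip(("query", "reply", "doctored"), demo()):
        print(label, m["flags"], [".".join(map(str, a["rdata"])) for a in m["answers"]])
```

The rewrite only touches the four RDATA bytes, so TTL, transaction ID and everything else in the reply stay intact; a real ALG additionally has to fix the UDP checksum and watch for compression pointers into the rewritten region, which a resolver would not normally emit for A-record data.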

DNS Record Types

Type   Name                                   Description
A      Address record                         Returns a 32-bit IPv4 address.
AAAA   IPv6 address record                    Returns a 128-bit IPv6 address.
CNAME  Canonical name record                  Alias of one name to another; the DNS lookup continues by retrying the lookup with the new name.
LOC    Location record                        Specifies a geographical location associated with a domain name.
MX     Mail exchange record                   Maps a domain name to a list of message transfer agents for that domain.
NS     Name server record                     Delegates a DNS zone to use the given authoritative name servers.
PTR    Pointer record                         Pointer to a canonical name. Unlike a CNAME, DNS processing stops and just the name is returned. The most common use is for implementing reverse DNS lookups.
SOA    Start of [a zone of] authority record  Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial.
SRV    Service locator                        Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX.
TXT    Text record                            Originally for arbitrary human-readable text in a DNS record. Now more often carries machine-readable data, e.g. opportunistic encryption and Sender Policy Framework.
*      All cached records                     Returns all cached records of all types known to the name server. If the name server does not have any information on the name, the request will be forwarded on.
AXFR   Authoritative zone transfer            Transfers the entire zone file from the master name server to secondary name servers.
IXFR   Incremental zone transfer              Requests a zone transfer of the given zone, but only the differences from a previous serial number.

Authoritative Nameserver

An authoritative nameserver is a nameserver (DNS server) that holds the actual DNS records (A, CNAME, PTR, etc.) for a particular domain/address.
A recursive resolver is a DNS server that queries an authoritative nameserver to resolve a domain/address.
If I have a DNS server in my network that holds an A record for foobar.com, my DNS server would be authoritative for the foobar.com domain.
If clients needed to access foobar.com, they could query my DNS server and they would get an authoritative response.


  • A Canonical Name record (abbreviated as CNAME record) is a type of resource record in the Domain Name System (DNS) which maps one domain name (an alias) to another (the Canonical Name).
NAME                  TYPE   VALUE
bar.example.com.      CNAME  foo.example.com.
foo.example.com.      A
Glue Record
  • A glue record is a record served by a DNS server that is not authoritative for the zone, to avoid a circular dependency when delegating a DNS zone.
  • Glue records allow the TLD's servers to send extra information in their response to a query for the example.com zone: the IP addresses configured for its name servers.
  • It's not authoritative, but it's a pointer to the authoritative servers, allowing the loop to be resolved.
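The delegation walk described in the zone-delegation and iterative-query sections above, together with the glue-record dependency this section explains, as an added example that is not part of the original page. It is a toy iterative resolver over an in-memory hierarchy (root, com., example.com.) whose servers, names and addresses are all constructed (RFC 5737 ranges); it resolves a name with glue present and then shows the same lookup dead-ending once the glue for ns1.example.com. is removed from the com. server.

```python
"""A miniature iterative resolver over constructed zone data, showing NS
delegation (referrals), glue records, and why a delegation whose name servers
live inside the delegated zone cannot be followed without glue.  Example
added to this page; servers, names and addresses are made up (RFC 5737)."""

ROOT_IP = "198.51.100.1"
MAX_DEPTH = 3            # guard against chasing an unglued NS name forever

# Each "server" is keyed by its IP and holds (owner name, type) -> rdata list.
SERVERS = {
    ROOT_IP: {                                        # root: delegates com.
        ("com.", "NS"): ["a.gtld.example."],
        ("a.gtld.example.", "A"): ["198.51.100.2"],   # glue for com.
    },
    "198.51.100.2": {                                 # com.: delegates example.com.
        ("example.com.", "NS"): ["ns1.example.com."],
        ("ns1.example.com.", "A"): ["203.0.113.53"],  # glue: ns1 sits inside example.com.
    },
    "203.0.113.53": {                                 # authoritative for example.com.
        ("www.example.com.", "A"): ["203.0.113.80"],
        ("ns1.example.com.", "A"): ["203.0.113.53"],
    },
}

def ask(server_ip, name, rtype, servers):
    """Non-recursive query: an answer if the server holds the record, otherwise
    a referral to the closest zone it delegates, with any glue it has."""
    table = servers[server_ip]
    if (name, rtype) in table:
        return {"answer": table[(name, rtype)]}
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):              # www.example.com. -> example.com. -> com.
        zone = ".".join(labels[i:]) + "."
        if (zone, "NS") in table:
            ns = table[(zone, "NS")]
            glue = {h: table[(h, "A")] for h in ns if (h, "A") in table}
            return {"referral": zone, "ns": ns, "glue": glue}
    return {"error": "no answer and no delegation"}

def resolve(name, rtype="A", servers=SERVERS, depth=0):
    """Iterative resolution from the root, following referrals.
    Returns (rdata list or None, trace of (server, reply))."""
    trace, server = [], ROOT_IP
    if depth > MAX_DEPTH:
        return None, trace
    for _ in range(10):
        reply = ask(server, name, rtype, servers)
        trace.append((server, reply))
        if "answer" in reply:
            return reply["answer"], trace
        if "error" in reply:
            return None, trace
        next_ip = None
        for host in reply["ns"]:
            if host in reply["glue"]:              # glue: address came with the referral
                next_ip = reply["glue"][host][0]
                break
            addrs, _ = resolve(host, "A", servers, depth + 1)   # no glue: look it up
            if addrs:
                next_ip = addrs[0]
                break
        if next_ip is None:
            return None, trace                     # no reachable name server: dead end
        server = next_ip
    return None, trace

def demo():
    """Resolve www.example.com. with glue, then again with the example.com.
    glue removed from the com. server (the circular-dependency case)."""
    with_glue, _ = resolve("www.example.com.")
    no_glue = {ip: dict(table) for ip, table in SERVERS.items()}
    del no_glue["198.51.100.2"][("ns1.example.com.", "A")]
    without_glue, _ = resolve("www.example.com.", servers=no_glue)
    return with_glue, without_glue

if __name__ == "__main__":
    print(demo())   # (['203.0.113.80'], None)
```

Without the glue, looking up ns1.example.com. leads straight back to the same example.com. delegation, which is the loop the section above describes; the depth guard is what stops the toy resolver from recursing forever, and a production resolver similarly gives up and reports the zone as unreachable ("lame" delegation).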

References
  1. www.zscaler.com
  2. www.mphasis.com
  3. www.juniper.net
