How it works: A few words about DNS

    As a virtual infrastructure provider, 1cloud is interested in networking technologies, which we regularly write about in our blog. Today we have prepared material on the topic of domain names: we will look at the basic aspects of how DNS works and at the security issues of DNS servers.

    (Photo: James Cridland, CC)

    Initially, before the Internet became widespread, addresses were converted using the contents of a hosts file distributed to every machine on the network. As the network grew, however, this method no longer scaled, and a new mechanism was needed. That mechanism was DNS, developed in 1983 by Paul Mockapetris.







    What is a DNS?


    The domain name system (DNS) is one of the fundamental technologies of the modern Internet and is a distributed system for storing and processing information about domain zones. Its primary purpose is to map the IP addresses of devices on the network to symbolic names that are easier for people to work with.

    DNS consists of a distributed name database whose structure resembles a logical tree called the domain namespace. Each node in this space has its own unique name. The logical tree "grows" from the root domain, which is the highest level of the DNS hierarchy and is denoted by a dot. From the root element, subdomain zones and nodes (computers) branch out.


    A namespace that maps addresses to unique names can be organized in two ways: flat or hierarchical. In a flat namespace each address is assigned a name that is simply a sequence of characters with no structure fixed by any rules. The main disadvantage of a flat namespace is that it cannot be used in large systems such as the Internet: because names have no structure, it is quite difficult to check for ambiguity and duplication.

    In a hierarchical namespace each name is made up of several parts: for example, the first-level domain .ru, the second-level domain 1cloud.ru, the third-level domain panel.1cloud.ru, and so on. This type of namespace makes it easy to check for duplicates, and organizations need not worry that the prefix chosen for a host is already taken by someone else, because the full name will still be different.

    Name mapping


    Let's take a look at how names and IP addresses are mapped to each other. Suppose a user types www.1cloud.ru in the browser's address bar and presses Enter. The browser sends the request to the network's DNS server, which in turn either answers itself (if it already knows the answer) or forwards the request to one of the top-level domain servers (or to the root).

    Then the request begins its journey: the root server directs it to the first-level server (the one serving the .ru zone), which directs it to the second-level server (1cloud), and so on, until a server is found that knows the requested name and address exactly, or knows that no such name exists. After that, the answer starts travelling back. To explain this clearly, the folks at DNSimple have prepared a colorful comic that you can find by following the link.

    A few words should also be said about the reverse mapping procedure: obtaining a name from a given IP address. This happens, for example, during e-mail server checks. There is a special in-addr.arpa domain whose entries are used to translate IP addresses into symbolic names. For example, to obtain the DNS name for the address 11.22.33.44, you query the DNS server for the entry 44.33.22.11.in-addr.arpa, and it returns the corresponding symbolic name.
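    To make the chain described above concrete, here is an added example (not code from the original article) that simulates the walk from the root through the .ru and 1cloud zones over a small constructed zone tree, following referrals until an answer or a "no such name" is reached, and that builds the in-addr.arpa name used for a reverse lookup. All zone data and addresses in it are constructed sample values.

```python
import ipaddress

# Each zone maps a name either to an A record ("A", ip) or to a referral
# ("NS", zone) to the server authoritative for the next level down.
ZONES = {
    ".": {"ru.": ("NS", "ru.")},
    "ru.": {"1cloud.ru.": ("NS", "1cloud.ru.")},
    "1cloud.ru.": {
        "www.1cloud.ru.": ("A", "203.0.113.10"),    # constructed sample address
        "panel.1cloud.ru.": ("A", "203.0.113.11"),  # constructed sample address
    },
}

def labels(name):
    """'www.1cloud.ru.' -> ['www', '1cloud', 'ru'] (root label omitted)."""
    return [l for l in name.rstrip(".").split(".") if l]

def resolve(name, max_hops=10):
    """Walk the tree from the root, following referrals, until a server either
    answers with an address or reports that the name does not exist.
    Returns (ip_or_None, list_of_zones_visited)."""
    if not name.endswith("."):
        name += "."
    zone, hops = ".", []
    for _ in range(max_hops):
        hops.append(zone)
        records = ZONES[zone]
        rr = records.get(name)
        if rr and rr[0] == "A":
            return rr[1], hops                     # authoritative answer
        # Otherwise look for the longest suffix of the name this zone delegates.
        parts = labels(name)
        for i in range(len(parts)):
            candidate = ".".join(parts[i:]) + "."
            rr = records.get(candidate)
            if rr and rr[0] == "NS":
                zone = rr[1]                       # follow the referral downward
                break
        else:
            return None, hops                      # no delegation: name does not exist
    raise RuntimeError("referral loop")

def reverse_name(ip):
    """Build the in-addr.arpa name used for a reverse (IP -> name) lookup."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"
```

    Calling resolve("www.1cloud.ru") returns the address together with the zones visited (root, ru., 1cloud.ru.), while an unknown name under a known zone comes back as None once the authoritative zone has no delegation for it.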

    Who manages and maintains the DNS server?


    When you enter the address of an Internet resource in the browser's address bar, the request goes to a DNS server responsible for the root zone. There are 13 such servers, managed by various operators and organizations. For example, the a.root-servers.net server has the IP address 198.41.0.4 and is managed by Verisign, while e.root-servers.net (192.203.230.10) is served by NASA.

    Each of these operators provides the service free of charge and ensures uninterrupted operation, since the failure of any of these servers would make entire Internet zones unavailable. Previously, the root DNS servers, which are the basis for processing all Internet domain name queries, were located in North America. However, with the introduction of an alternative addressing technology they "spread" around the world, and their actual number increased from 13 to 123, which made it possible to improve the reliability of the DNS foundation.

    For example, North America has 40 servers (32.5%), Europe 35 (28.5%), South America 6 (4.9%) and Africa 3 (2.4%). If you look at the map, the DNS servers are distributed according to the intensity of use of the Internet infrastructure.

    Attack protection


    Attacks on the DNS are far from a new hacker strategy, but only recently has the fight against this type of threat become global.

    “In the past, attacks on DNS servers have already occurred, leading to massive crashes. Once, due to the spoofing of a DNS record, the well-known Twitter service was unavailable to users for an hour,” says Alexei Shevchenko, head of infrastructure solutions at the Russian representative office of ESET. “But attacks on root DNS servers are much more dangerous. In particular, the attacks in October 2002 were widely publicized, when unknown people tried to conduct a DDoS attack on 10 of the 13 top-level DNS servers.”

    DNS answers queries over either TCP or UDP. Traditionally a query is sent as a single UDP datagram. However, UDP is a connectionless protocol and is therefore open to address spoofing, and many attacks against DNS servers rely on spoofing. To counter this, a number of techniques aimed at improving security are used.

    One option is uRPF (Unicast Reverse Path Forwarding), the idea of which is to determine whether a packet with a given source address could legitimately arrive on a particular network interface. If the packet arrived on the interface that would be used to send traffic addressed to the packet's source, the packet is considered to have passed verification; otherwise it is discarded.

    Although this feature helps detect and filter out some spoofed traffic, uRPF does not provide complete protection against spoofing. It assumes that traffic to and from a given address passes through the same interface, which complicates matters when traffic is routed through several providers. More information about uRPF can be found here.

    Another option is the IP Source Guard feature. It builds on uRPF and DHCP snooping to filter spoofed traffic on individual switch ports. IP Source Guard inspects the DHCP traffic on the network and records which IP addresses have been assigned to which devices.

    Once this information has been collected and stored in the DHCP snooping binding table, IP Source Guard can use it to filter IP packets received by the network device. If a packet arrives with a source IP address that does not match the DHCP snooping table, the packet is discarded.
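    As an added example that is not from the original article, the following Python models both checks as filter functions over constructed tables: a strict uRPF check against a small routing table, which also shows the several-providers caveat above (legitimate traffic arriving over the "wrong" uplink is dropped), and an IP Source Guard check against a DHCP snooping binding table. All prefixes, interface names, MAC addresses and switch ports are constructed sample values.

```python
import ipaddress
from typing import Optional

# Forwarding table as (prefix, egress interface); longest prefix match wins.
# All prefixes, interfaces, MACs and ports below are constructed sample values.
ROUTES = [
    ("0.0.0.0/0", "uplink0"),         # default route via the first provider
    ("192.0.2.0/24", "lan0"),         # our own customer subnet
    ("198.51.100.0/24", "uplink1"),   # a prefix reachable via the second provider
]

def best_route(ip: str) -> Optional[str]:
    """Interface the router would use to send traffic *to* ip (longest match)."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_strict_ok(src_ip: str, ingress: str) -> bool:
    """Strict uRPF: accept the packet only if the route back to its source
    address leaves through the very interface the packet arrived on."""
    return best_route(src_ip) == ingress

# DHCP snooping binding table: (ip, mac, switch port) learned from DHCP leases.
DHCP_BINDINGS = {
    ("192.0.2.10", "00:11:22:33:44:55", "Gi1/0/1"),
    ("192.0.2.11", "00:11:22:33:44:66", "Gi1/0/2"),
}

def ip_source_guard_ok(src_ip: str, src_mac: str, port: str) -> bool:
    """IP Source Guard: a packet on an access port is accepted only if its
    source IP/MAC matches the lease learned on that same port."""
    return (src_ip, src_mac, port) in DHCP_BINDINGS

if __name__ == "__main__":
    # A host on lan0 claiming a source address that lives behind uplink1: dropped.
    print("spoofed on lan0:", urpf_strict_ok("198.51.100.7", "lan0"))          # False
    # The several-providers caveat: legitimate traffic from that prefix arriving
    # over uplink0 (asymmetric path) is also dropped by the strict check.
    print("asymmetric on uplink0:", urpf_strict_ok("198.51.100.7", "uplink0"))  # False
    print("ISG valid lease:", ip_source_guard_ok("192.0.2.10", "00:11:22:33:44:55", "Gi1/0/1"))  # True
```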

    It is also worth noting the dns-validator utility, which monitors all DNS packets passing through, matches each query with its response, and notifies the user when the headers do not match. Detailed information is available in the repository on GitHub.

    Conclusion


    The domain name system was developed in the 1980s and continues to make the Internet's address space usable to this day. Moreover, DNS technologies are constantly evolving; one of the most significant innovations of recent years has been the introduction of domain names in national alphabets (including the Cyrillic top-level domain .рф).

    Work is constantly under way to increase reliability and make the system less susceptible to failures (natural disasters, power outages, and so on). This matters, since the Internet has become an integral part of our lives, and nobody wants to "lose" it even for a couple of minutes.

    By the way, 1cloud offers its VPS users a free "DNS hosting" service, a tool that simplifies the administration of your projects by providing a single interface for managing hosts and the domains that refer to them.
