# DNS Background

February 14th, 2021

# The Domain Name System

## Terminology Issues 1

From DNS Terminology: RFC8499

The protocol and message format are defined in [RFC1034] and [RFC1035]. These RFCs defined some terms,and later documents defined others. Some of the terms from [RFC1034] and [RFC1035] have somewhat different meanings now than they did in 1987.

## Terminology Issues 2

From DNS Terminology: RFC8499

This document contains a collection of a wide variety of DNS-related terms, organized loosely by topic. Some of them have been precisely defined in earlier RFCs, some have been loosely defined in earlier RFCs, and some are not defined in an earlier RFC at all.

## What is DNS? Part 1

From DNS Terminology: RFC8499

Note that there is no single consistent definition of “the DNS”. It can be considered to be some combination of the following:

1. a commonly used naming scheme for objects on the Internet;
2. a distributed database representing the names and certain properties of these objects;

## What is DNS? Part 2

From DNS Terminology: RFC8499

1. an architecture providing distributed maintenance, resilience, and loose coherency for this database; and
2. a simple query-response protocol implementing this architecture.

## Security Implications

• Domain names can be malicious, i.e., used to deceive
• The integrity of the data in the distributed database is key to users getting to the intended sites and apps
• The distributed nature of the database can help with resilience but is also subject to DoS attacks
• The “protocol” is a target for attacks and a “vector” for others

## Elements of the DNS

From DOMAIN NAMES - CONCEPTS AND FACILITIES

The DNS has three major components:

1. DOMAIN NAME SPACE and RESOURCE RECORDS

2. NAME SERVERS

3. RESOLVERS

## Domain Names and Records

From DOMAIN NAMES - CONCEPTS AND FACILITIES

The DOMAIN NAME SPACE and RESOURCE RECORDS, which are specifications for a tree structured name space and data associated with the names. Conceptually, each node and leaf of the domain name space tree names a set of information, and query operations are attempts to extract specific types of information from a particular set.

A query names the domain name of interest and describes the type of resource information that is desired. For example, the Internet uses some of its domain names to identify hosts; queries for address resources return Internet host addresses.

## Names and Record Diagram

From Wikipedia: DNS

## Name Servers General

From DOMAIN NAMES - CONCEPTS AND FACILITIES

NAME SERVERS are server programs which hold information about the domain tree’s structure and set information. A name server may cache structure or set information about any part of the domain tree, but in general a particular name server has complete information about a subset of the domain space, and pointers to other name servers that can be used to lead to information from any part of the domain tree.

## Name Servers Authoritative

From DOMAIN NAMES - CONCEPTS AND FACILITIES

Name servers know the parts of the domain tree for which they have complete information; a name server is said to be an AUTHORITY for these parts of the name space. Authoritative information is organized into units called ZONEs, and these zones can be automatically distributed to the name servers which provide redundant service for the data in a zone.

## Resolvers

From DOMAIN NAMES - CONCEPTS AND FACILITIES

RESOLVERS are programs that extract information from name servers in response to client requests. Resolvers must be able to access at least one name server and use that name server’s information to answer a query directly, or pursue the query using referrals to other name servers. A resolver will typically be a system routine that is directly accessible to user programs; hence no protocol is necessary between the resolver and the user program.

# DNS Implementation

## General DNS Protocol Packet

 0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             LENGTH            |               ID              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Q| OPCODE|A|T|R|R|Z|A|C| RCODE |            QDCOUNT            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            ANCOUNT            |            NSCOUNT            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            ARCOUNT            |               QD              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               AN              |               NS              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               AR              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fig. DNS


## DNS Packet Fields 1

• ID: A 16 bit identifier assigned by the program that generates any kind of query. This identifier is copied the corresponding reply and can be used by the requester to match up replies to outstanding queries.

• Q: A one bit field that specifies whether this message is a query or a response

• OPCODE: A four bit field that specifies kind of query

## DNS Packet Fields 2

• QDCOUNT: specifies the number of entries in the question section (QD)

• ANCOUNT: specifies the number of resource records in the answer section (AN)

• NSCOUNT: specifies the number of name server resource records in NS section

• ARCOUNT: specifies the number of resource records in the additional records section (AR)

## Resource Records

From DOMAIN NAMES - CONCEPTS AND FACILITIES

A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource information associated with a particular name is composed of separate resource records (RRs). The order of RRs in a set is not significant, and need not be preserved by name servers, resolvers, or other parts of the DNS.

## Resource Record “wire” format

From Scapy documentation

 0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             RRNAME            |              TYPE             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             RCLASS            |              TTL              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |             RDLEN             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             RDATA             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fig. DNSRR


## RR Fields 1

From DOMAIN NAMES - CONCEPTS AND FACILITIES

• NAME: a domain name to which this resource record pertains.

• TYPE: two octets containing one of the RR type codes. This field specifies the meaning of the data in the RDATA field.

• CLASS two octets which specify the class of the data in the RDATA field.

## RR Fields 2

From DOMAIN NAMES - CONCEPTS AND FACILITIES

• TTL: a 32 bit unsigned integer that specifies the time interval (in seconds) that the resource record may be cached before it should be discarded.

• RDLENGTH: an unsigned 16 bit integer that specifies the length in octets of the RDATA field.

• RDATA: a variable length string of octets that describes the resource.

## Some Record Types

From Wikipedia: DNS record types, a few common record types

• A: IPv4 address, most commonly used to map hostnames to an IP address of the host
• AAAA: IPv6 address, most commonly used to map hostnames to an IP address of the host
• MX: Mail exchange record
• NS: Name server record
• SOA: Start of [a zone of] authority record

## Queries

From DOMAIN NAMES - CONCEPTS AND FACILITIES

Queries are messages which may be sent to a name server to provoke a response. In the Internet, queries are carried in UDP datagrams or over TCP connections. The response by the name server either answers the question posed in the query, refers the requester to another set of name servers, or signals some error condition.

## Query “wire format”

 0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             QNAME             |             QTYPE             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             QCLASS            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fig. DNSQR


## Query Fields

• QNAME: a domain name represented as a sequence of labels

• QTYPE: a two octet code which specifies the type of the query. The values for this field include all codes valid for a TYPE field, together with some more general codes which can match more than one type of RR.

• QCLASS: a two octet code that specifies the class of the query.

## Example Response

// reveal.js plugins