Understanding the Domain Name System (DNS): From the What to the How
Importance of DNS.
Overview
DNS has been one of the pillars of the Internet for about 40 years, letting users reach a vast amount of resources and information in a human-friendly way. Although the core protocol (RFC 1034 and RFC 1035) has been extended rather than replaced (EDNS0, DNSSEC, encrypted transports), the root server system still operates with the same 13 root server identities (A through M), each now served from many anycast sites.
DNS purpose: translate human-readable domain names (e.g., example.com) into IP addresses so that applications can open connections. It also carries other record types, such as MX for mail routing and NS for delegation.
To learn how a lookup travels through the DNS, read my previous article: From Browser to Server: The Journey of Your Data.
Paul Mockapetris on DNS:
“I built the first floor and maybe the second floor, and then people came along and added about 20 more floors.”
— Paul Mockapetris, inventor of DNS.
History and Evolution
Initial Method:
Early systems used a hosts.txt file to map hostnames to IP addresses.
The file was maintained manually by the Network Information Center (NIC) at SRI International.
Every host downloaded the updated file (roughly weekly), which became impractical as the network grew.
Creation of DNS:
Paul Mockapetris designed the first version of DNS (published in 1983 as RFC 882 and RFC 883) in collaboration with DARPA (Defense Advanced Research Projects Agency).
Jon Postel, who administered the name space, later established the Internet Assigned Numbers Authority (IANA).
DNS introduced a hierarchical structure for scalability and distribution.
Top-Level Domains (TLDs):
The first seven generic TLDs:
- .com, .org, .gov, .net, .mil, .int and .edu
Hierarchical delegation:
- Example: root (.) → .com → example.com → sub.example.com; each level delegates authority for the names below it to another set of name servers.
Root Servers:
IANA engaged a set of organizations to operate the root for redundancy; today 12 organizations run the 13 root server identities (A through M).
The root zone is now replicated across more than a thousand anycast instances worldwide, but resolvers still reach them through 13 IPv4 and 13 IPv6 addresses. The count comes from the original 512-byte UDP message limit, which bounded how many root addresses fit in a priming response; anycast routing sends each address to the nearest instance, which is what provides the load balancing and resilience.
Commercialization of DNS (1990s):
Network Solutions, which administered .com, .net and .org under a cooperative agreement with the US National Science Foundation, began charging for domain registration in 1995.
The rise of the World Wide Web (WWW) led to:
Increased domain registrations.
Speculation markets, where individuals hoarded domains for resale.
DNS Limitations
Centralization:
- The root and TLD layers are controlled by a small number of entities, so trust in the whole system depends on them.
Security Vulnerabilities:
- Unauthenticated, unencrypted UDP transport makes it susceptible to response spoofing, cache poisoning and DDoS.
Censorship:
- Can be manipulated or restricted by governments or organizations to control access to certain websites.
DNS-Related Attacks
1. Centralization and Single Points of Failure (SPOF):
DNS is hierarchical: whoever controls a level (the root, a TLD) controls how every name beneath it resolves.
Root servers, TLD servers and a zone's authoritative name servers can each become single points of failure (SPOF) for the names below them.
Distributed Denial of Service (DDoS) attacks on the root or a TLD can disrupt resolution for everything beneath them; the addresses are few and publicly known, and only anycast replication plus the long TTLs on cached root and TLD data keep such attacks from being as easy as the small number of addresses suggests.
2. Control and Censorship:
Organizations operating DNS servers, resolvers in particular, can decide which names to answer, block or rewrite, shaping what clients reach.
This is useful for administration (malware blocking, split-horizon DNS), but the same capability enables censorship and misdirection.
3. Data Privacy Risks:
- The recursive resolver sees every name a client looks up, and without QNAME minimisation (RFC 7816) the root and TLD servers also see the full query name, so browsing habits leak to whoever operates or can observe those servers.
4. DNS Spoofing and MITM Attacks:
DNS spoofing (forging a response to an outstanding query, or poisoning a resolver's cache) lets an attacker redirect a name to a server they control and mount Man-In-The-Middle (MITM) attacks.
Users who trust the forged answer connect to the attacker's server, which exposes them to further threats.
Example: Philipp Jeitner, Haya Shulman and Michael Waidner demonstrated how DNS spoofing could steer clients to an attacker's NTP server.
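The reason blind (off-path) spoofing is hard against a well-configured resolver is that a forged response must match the outstanding query on every field the attacker cannot see. The following is an added example, not code from the article or from the cited paper: it models the checks a resolver applies before accepting a UDP response (RFC 5452) and the success probability of a single forged packet. All addresses, ports and names are invented.

```python
"""Resolver-side matching that defeats blind DNS spoofing (constructed example)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingQuery:
    txid: int        # 16-bit transaction ID chosen by the resolver
    src_port: int    # UDP source port the query left from
    server_ip: str   # authoritative server the query was sent to
    qname: str
    qtype: str


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int    # must equal the query's source port
    src_ip: str      # must equal the server the query went to
    qname: str
    qtype: str
    rdata: str       # the answer the sender wants the resolver to cache


def accept_response(pending: PendingQuery, resp: Response) -> bool:
    """Accept a UDP response only if every field an off-path attacker would
    have to guess matches the outstanding query (RFC 5452, section 3).
    The question section is compared case-insensitively, as DNS names are."""
    return (
        resp.txid == pending.txid
        and resp.dst_port == pending.src_port
        and resp.src_ip == pending.server_ip
        and resp.qname.lower() == pending.qname.lower()
        and resp.qtype == pending.qtype
    )


def blind_spoof_success_probability(port_range: int) -> float:
    """Chance that one forged packet matches when the attacker knows the
    server address and the question (easy to learn) but must guess the
    16-bit TXID and the source port drawn from `port_range` values."""
    return 1.0 / (2 ** 16 * port_range)


def simulate_blind_spoof(forged_packets: int, randomize_port: bool, seed: int = 1) -> int:
    """Fire `forged_packets` guesses at one outstanding query and count how
    many the resolver accepts. With a fixed source port (old resolvers used
    53) only the TXID protects the query; with a random port the attacker
    must guess both."""
    rng = random.Random(seed)
    port = rng.randrange(1024, 65536) if randomize_port else 53
    pending = PendingQuery(rng.randrange(65536), port, "192.0.2.10", "www.example.com", "A")
    accepted = 0
    for _ in range(forged_packets):
        forged = Response(
            txid=rng.randrange(65536),
            dst_port=rng.randrange(1024, 65536) if randomize_port else 53,
            src_ip="192.0.2.10",          # attacker spoofs the real server's address
            qname="www.example.com",
            qtype="A",
            rdata="203.0.113.66",         # attacker-controlled host
        )
        if accept_response(pending, forged):
            accepted += 1
    return accepted


if __name__ == "__main__":
    print("fixed port:", blind_spoof_success_probability(1))
    print("random port:", blind_spoof_success_probability(65536 - 1024))
    print("accepted forgeries (random port, 100k tries):", simulate_blind_spoof(100_000, True))
```

With a fixed source port the attacker needs on average about 32k packets to land one forgery; source-port randomisation multiplies that by the size of the port range, and DNSSEC validation or DNS cookies (RFC 7873) close the gap further by adding something the attacker cannot guess at all.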
5. Lack of Security in Traditional DNS Protocols:
Traditional DNS over port 53 has neither encryption nor authentication of responses, which leaves it vulnerable to:
Eavesdropping
Tampering
Other malicious activities
Efforts to improve DNS security include:
DNSSEC (DNS Security Extensions): signs records so that a validating resolver can verify their origin and integrity. It does not encrypt queries, a resolver that does not validate gains nothing from it, and a compromised authoritative server or a stolen zone-signing key can still sign malicious records.
DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT): encrypt the hop between the client (stub resolver) and the recursive resolver, removing on-path interception on the local network. The recursive resolver still sees every query in the clear, and its traffic to authoritative servers is unencrypted unless it also uses an encrypted transport.
6. Caching Challenges:
Caching improves resolving time and reduces network congestion.
Issues include:
Propagation Delays: a changed record keeps being served from caches until its TTL expires, so different resolvers return different answers for a while; the delay is bounded by the old record's TTL, not by the change itself.
Cache Invalidation: stale entries can send clients to a decommissioned or wrong address, and a poisoned entry stays in the cache for its full TTL, which is why cache poisoning is attractive to attackers.
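The hierarchical delegation described earlier (root → TLD → zone) and the caching behaviour above are two sides of the same mechanism, so one added example covers both. It is not code from the article: it builds a constructed three-level hierarchy in memory, walks referrals the way a recursive resolver does, caches answers for their TTL, and then shows the stale window after an operator changes a record. Every name, address (documentation ranges) and TTL is invented; a real resolver would also cache the NS records it learns along the way instead of re-walking from the root.

```python
"""Iterative resolution with a TTL cache over a constructed zone hierarchy."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # owner name, no trailing dot; "" is the root
    rtype: str   # "A" or "NS"
    rdata: str   # address for A, server name for NS
    ttl: int     # seconds the record may be cached


class AuthServer:
    """One authoritative server: answers for names in its zone and returns a
    referral (NS records plus glue addresses) for names it has delegated."""

    def __init__(self, zone: str, records: list[Record]):
        self.zone = zone
        self.records = list(records)

    def set_address(self, name: str, new_addr: str, ttl: int) -> None:
        """Operator changes an A record; caches only notice after TTL expiry."""
        self.records = [r for r in self.records if not (r.name == name and r.rtype == "A")]
        self.records.append(Record(name, "A", new_addr, ttl))

    def query(self, qname: str, qtype: str):
        answer = [r for r in self.records if r.name == qname and r.rtype == qtype]
        if answer:
            return "answer", answer
        # Closest enclosing delegation strictly below this zone's apex, if any.
        cuts = {r.name for r in self.records
                if r.rtype == "NS" and r.name != self.zone
                and (qname == r.name or qname.endswith("." + r.name))}
        if not cuts:
            return "nxdomain", []          # toy: no NODATA / SOA handling
        cut = max(cuts, key=len)
        ns = [r for r in self.records if r.rtype == "NS" and r.name == cut]
        glue = [r for r in self.records if r.rtype == "A" and r.name in {n.rdata for n in ns}]
        return "referral", ns + glue


class IterativeResolver:
    def __init__(self, servers: dict[str, AuthServer], root_hint_ip: str):
        self.servers = servers            # server IP -> server; stands in for the network
        self.root_hint_ip = root_hint_ip  # the "root hints" a resolver starts from
        self.cache = {}                   # (qname, qtype) -> (records, expiry time)
        self.queries_sent = 0

    def resolve(self, qname: str, qtype: str, now: int):
        """Return (list of rdata, served_from_cache), following referrals
        root -> TLD -> zone until an answer or NXDOMAIN."""
        key = (qname.lower(), qtype)
        cached = self.cache.get(key)
        if cached and cached[1] > now:
            return [r.rdata for r in cached[0]], True
        server_ip = self.root_hint_ip
        for _ in range(8):                # bound the referral chain
            self.queries_sent += 1
            kind, rrs = self.servers[server_ip].query(qname.lower(), qtype)
            if kind == "answer":
                self.cache[key] = (rrs, now + min(r.ttl for r in rrs))
                return [r.rdata for r in rrs], False
            if kind == "nxdomain":
                return [], False
            glue = {r.name: r.rdata for r in rrs if r.rtype == "A"}
            next_ns = next(r.rdata for r in rrs if r.rtype == "NS")
            server_ip = glue[next_ns]     # toy: only follows NS that came with glue
        raise RuntimeError("referral chain too long")


def build_hierarchy():
    """Constructed hierarchy: root, a .test TLD, and the example.test zone."""
    root = AuthServer("", [
        Record("test", "NS", "ns.tld.test", 172800),
        Record("ns.tld.test", "A", "192.0.2.1", 172800),
    ])
    tld = AuthServer("test", [
        Record("example.test", "NS", "ns1.example.test", 86400),
        Record("ns1.example.test", "A", "192.0.2.2", 86400),
    ])
    zone = AuthServer("example.test", [
        Record("example.test", "NS", "ns1.example.test", 3600),
        Record("ns1.example.test", "A", "192.0.2.2", 3600),
        Record("www.example.test", "A", "203.0.113.10", 300),
    ])
    servers = {"192.0.2.0": root, "192.0.2.1": tld, "192.0.2.2": zone}
    return IterativeResolver(servers, "192.0.2.0"), zone


def demo():
    """The delegation walk, then the stale-cache window after a record change."""
    resolver, zone = build_hierarchy()
    first, _ = resolver.resolve("www.example.test", "A", now=0)       # root, tld, zone: 3 queries
    queries_after_first = resolver.queries_sent
    _, second_hit = resolver.resolve("www.example.test", "A", now=100)  # served from cache
    zone.set_address("www.example.test", "203.0.113.20", 300)          # operator changes the record
    stale, stale_hit = resolver.resolve("www.example.test", "A", now=200)  # old answer: TTL not expired
    fresh, fresh_hit = resolver.resolve("www.example.test", "A", now=301)  # TTL expired: walk again
    return {"first": first, "queries_after_first": queries_after_first, "second_hit": second_hit,
            "stale": stale, "stale_hit": stale_hit, "fresh": fresh, "fresh_hit": fresh_hit,
            "total_queries": resolver.queries_sent}


if __name__ == "__main__":
    print(demo())
```

Lowering the TTL well before a planned change shortens the stale window; nothing the operator does after the change can shorten it, because the old value is already sitting in caches with the old TTL.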
7. DNS Amplification Attacks:
Attackers send small queries, with the victim's address as the spoofed source, to open resolvers (or to authoritative servers that answer large records); the lack of source-address filtering (BCP 38) at the attacker's network is what makes the spoofing possible.
The servers send their much larger responses (ANY, TXT or DNSSEC-signed answers, enlarged further by EDNS0) to the victim, multiplying the attacker's bandwidth and overwhelming the victim's connectivity.
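Two things a practitioner wants from this section: a way to spot amplification in traffic, and the server-side policy that stops a resolver from being abused. The following is an added example, not code from the article, run over a handful of constructed flow records (invented sizes and documentation-range addresses). The detector groups responses by the claimed client, which in an amplification attack is the victim, and the policy function shows the two checks that turn an open resolver into a closed one: no recursion for clients outside your networks, and no ANY (RFC 8482 lets a server answer ANY with a minimal response instead; this toy simply refuses).

```python
"""DNS amplification: detection over flow records and a non-open-resolver policy."""
import ipaddress
from collections import defaultdict

# Constructed flow records, one UDP query/response pair each (not real traffic):
# (client_ip, qtype, query_bytes, response_bytes, recursion_desired)
FLOWS = [
    ("198.51.100.7", "A",    45,  120, True),
    ("198.51.100.7", "AAAA", 45,  132, True),
    ("203.0.113.9",  "ANY",  64, 3100, True),   # victim's address, spoofed by the attacker
    ("203.0.113.9",  "ANY",  64, 3100, True),
    ("203.0.113.9",  "ANY",  64, 3100, True),
    ("203.0.113.9",  "TXT",  58, 1450, True),
    ("10.0.0.25",    "MX",   50,  210, True),
]


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bytes the victim receives per byte the attacker sends."""
    return response_bytes / query_bytes


def flag_amplification_targets(flows, min_ratio: float = 10.0, min_response_bytes: int = 4000):
    """Return {client_ip: (average_ratio, total_response_bytes)} for addresses that
    received a large volume of highly amplified responses. Because the attacker
    spoofs the source, the flagged 'client' is the victim, not the attacker."""
    totals = defaultdict(lambda: [0, 0])          # client -> [query bytes, response bytes]
    for client, _qtype, qbytes, rbytes, _rd in flows:
        totals[client][0] += qbytes
        totals[client][1] += rbytes
    flagged = {}
    for client, (qbytes, rbytes) in totals.items():
        ratio = rbytes / qbytes
        if ratio >= min_ratio and rbytes >= min_response_bytes:
            flagged[client] = (round(ratio, 1), rbytes)
    return flagged


def should_serve(client_ip: str, qtype: str, recursion_desired: bool, allowed_nets):
    """Policy for a resolver that must not be open. `allowed_nets` is a list of
    CIDR strings for the networks permitted to recurse through this server."""
    ip = ipaddress.ip_address(client_ip)
    if qtype == "ANY":
        return False, "refuse ANY"
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    if recursion_desired and not any(ip in net for net in nets):
        return False, "recursion not allowed"
    return True, "ok"


if __name__ == "__main__":
    print("flagged:", flag_amplification_targets(FLOWS))
    for client, qtype, _q, _r, rd in FLOWS:
        print(client, qtype, should_serve(client, qtype, rd, ["10.0.0.0/8"]))
```

The ratio threshold matters less than the volume threshold in practice: a single ANY response is legitimately large, but thousands of them to one address that never acknowledges anything is the signature of a reflection attack.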
External Reference Links
- List of all root servers: IANA root servers page
- Geographical locations of root server instances: root-servers.org
- Extra readings
Thank you for reading ❤️🧑💻
~ Aashish Jha