S 2.450 Introduction to DNS basics

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: IT Security Officer

The Domain Name System (DNS) is a network service for resolution of host names of IT systems in computer networks. Forward resolution means resolving a host name into an IP address. In contrast, if the IP address is resolved into a host name this is referred to as reverse resolution.

Domain name space

DNS is a distributed database which administers the tree-shaped domain name space. The tree consists of nodes and leafs which are referred to a labels. Concatenating the labels separated by points reveals a domain name. The domain name is divided into different domains. The top level is represented as a point and referred to as "root". Below that are the top-level domains such as com., edu., de., at. followed by the second-level domains such as bund., etc.

In the domain name space, information on the assignment of IP addresses to domain names are stored. DNS can be described as a kind of telephone book in computer networks the main task of which is to resolve names. For example, it is sufficient to enter the domain name www.bsi.bund.de. in the browser, DNS will find the associated IP address in the domain name space, and the browser can use the result of the search to connect to the corresponding web server.

Figure: Domain name space

There is a basic distinction between domains and zones. As shown in the figure Domain vs. zone, a zone is an administrative unit read by a DNS server via a master file. A master file contains all domain information of a zone and is administered by the administrators responsible. Examples of zones are arpa, com, example, a, b, and c, whereby com, example, a, b, and c represent an independent zone each. On the other hand, the term domain refers, for example, to a domain such as com and all underlying subdomains, in this case example, a, b, c.

Figure: Domain vs. zone

At least two DNS servers are authoritative for every zone. This means that these DNS servers administer the domain information of this zone. In addition, every DNS server knows the authoritative DNS servers for its subdomains. This means that, for example, the DNS server for com knows the DNS server for example and can thus refer to this server for a name resolution.

Resolver

Client applications require a resolver in order to participate in DNS. The resolver is often part of the operating system. If a client application requires a name resolution, it sends a request to the resolver. The resolver packs the request in a DNS-compliant packet, sends the package to a DNS server, interprets the reply and transmits the data back to the corresponding application. To increase the performance of DNS, the resolver stores the reply data in the cache for a certain period. While the data is stored in the cache it is not necessary to send a another request to the DNS server in case of a repeated resolution.

DNS servers

DNS servers are applications that administer information on a specific area of the domain name space. The information is stored in so-called zone files. If a DNS server administers several domains, for example, bund.de and the associated subdomain bsi.bund.de, they are each stored in independent zones. A DNS server reads the information regarding a zone from the master files.

DNS servers are differentiated according to their tasks. There are two basic types:

• Advertising DNS server
• Resolving DNS server

The task of advertising DNS servers is usually to process requests from the Internet regarding internal domains. If they have stored the required domain information they supply the corresponding reply. Otherwise they refer to a different DNS server. The main task of an advertising DNS server is to make the domain information stored on it available.

Resolving DNS servers, however, usually process requests from the internal network of the organisation. If they have stored the required domain information, just like advertising DNS servers, they supply the corresponding reply. However, if this is not the case, resolving DNS servers do not refer to a different DNS server, but perform the name resolution themselves. The name "resolving" already implies that the main task of such a DNS server is the resolver functionality.

A distinction between these two functionalities is made in all threats and safeguards of the modules. The term "DNS server" is used in general explanations and descriptions which apply to both advertising and resolving DNS servers.

DNS servers that can respond to requests using their own zone information are referred to as authoritative. If a DNS server receives a request which does not relate to its own zone(s) and for which it does not have any information in the cache, a DNS server can react in three possible ways:

• Delegating
  
  Delegating means that part of the information on the domain name space was outsourced to a subdomain. If, for example, the DNS server receives a request for bund.de, then the DNS server will forward the request to the responsible DNS server. As a DNS server must know all DNS servers responsible for the delegated zones, it can forward the request directly to the responsible DNS servers.
• Resolution via root name servers
  
  In total there are 13 root DNS servers. These root DNS servers store information on which DNS servers are authoritative for the top-level domains. If the requested data is outside the administered domain and if no data is available in the cache, then a recursive resolution starting with the root name servers must be started. This behaviour corresponds to a resolving DNS server.
• Forwarding
  
  If a DNS server can not supply the requested information, it forwards the request to a previously configured DNS server.

Communication

As already described, applications communicate with DNS servers via the resolver interface, regardless of whether this is an advertising or a resolving DNS server. Resolvers send requests to DNS servers in lieu of applications and interpret the replies received in order to return them to the application. There are two basic types of requests:

• Iterative requests:
  
  Iterative means that if a DNS server receiving a request has not stored the required data it refers to the next responsible DNS server. The DNS server receiving a request is therefore an advertising DNS server. The resolver sending a request must perform the entire name resolution itself. A name resolution to www.bsi.bund.de via the root DNS servers (root DNS servers only respond to iterative requests and are thus advertising DNS servers) would appear as follows: In a first step, the resolver asks the root DNS servers for the advertising DNS server that is responsible for de.. In a second step, the resolver of the advertising DNS server responsible for de. determines the DNS server that is responsible for bund.de.. Then, the advertising DNS server for bsi.bund.de. is requested from this server. Finally, the advertising DNS server for bsi.bund.de. can deliver the IP address for www.bsi.bund.de to the resolver.
• Recursive requests:
  
  The principle of resolution in recursive requests is very similar. The only difference is that the DNS server responsible for the resolver performs the entire name resolution, as described above. It is therefore a resolving DNS server. All the resolver of the client has to do is send a request.

An advertising DNS server only accepts iterative requests, whereas a resolving DNS server accepts both iterative and recursive requests. In contrast to iterative requests, recursive requests mean a higher load for the DNS server.

Zone transfers

As DNS is required by a large number of network applications, RFC 1034 specifies that at least two authoritative DNS servers must be operated for every zone. As administration of individual consistent master files for every DNS servers would be too complex, the master files are synchronised by means of zone transfers. The DNS server that receives the domain information directly from the master files is referred to as primary or master DNS server. Every additional DNS server is referred to as secondary or slave DNS server and receives the data via a zone transfer from the primary DNS server. A secondary DNS server checks in regular intervals whether the domain information of its zone(s) has changed. Alternatively it is notified of changes by its primary DNS server. If this is the case, the secondary DNS server initiates a zone transfer to update its domain information.

Caching-only DNS server

The caching-only DNS server is a special from of resolving DNS server. A DNS server is usually authoritative for one or several zones, regardless of whether it is an advertising or resolving DNS server. This means that it has read domain information on these zones from the master files or received such information from its master DNS server via a zone transfer. In contrast, caching-only DNS servers are not authoritative for any zone; they have not stored any zones themselves. Usually, their purpose is to accept requests and to perform the name resolution. Caching-only DNS servers are often used as forwarders for internal resolving DNS servers of the organisation, if these need to resolve domain information from the Internet.

Security aspects

With regard to DNS, integrity and availability are particularly important. However, confidentiality is also assigned an increasingly important role as described in S 2.451 Planning the use of DNS. The aim of attacks on DNS is mostly to manipulate services requiring name resolution.