09. DNS (Domain Name System)

Before DNS, name-to-address mapping was done with HOSTS.TXT.

• Domain Structure
  • A domain name like www.tsinghua.edu.cn is a series of labels read from right to left, corresponding to a tree structure starting from the root (.).
• DNS Zones
  • A zone is a portion of the domain name space managed by a specific entity.
  • For example, Tsinghua University manages the tsinghua.edu.cn zone. A zone contains all the resource records for the domains within it.
• Resource Records (RR)
  • Entries in the DNS database. Common types include: A, AAAA, CNAME, MX, and NS.
• Root Servers
  • The 13 logical root server IPs are the starting point for all DNS lookups.
  • Anycast allows these IPs to be announced from hundreds of physical locations around the world. This means a query is automatically directed to the nearest physical root server.
• Recursive Resolver (Caching Server)
  • The server a computer talks to directly (e.g., 8.8.8.8 or an ISP's server).
  • Doesn't own any DNS records itself.
  • Act as a proxy and perform the entire lookup process on behalf of the client.
• Authoritative Name Server
  • Holds the actual, official DNS records for a specific zone.
  • For example, Tsinghua University runs the authoritative name servers for the tsinghua.edu.cn zone.
  • Only knows how to answer questions about the zones it manages.

Iterative query process performed by a recursive resolver for www.tsinghua.edu.cn:

1. Client to Resolver
   • Computer sends a recursive query to its configured resolver.
   • "What is the IP for www.tsinghua.edu.cn?"
   • The RD (Recursion Desired) flag in the DNS header is set to 1.
2. Resolver to Root
   • The resolver checks its cache.
   • Assuming the record is not cached, it begins the process by sending an iterative query to one of the 13 Root Servers.
   • "Who is the name server for .cn?"
3. Root Response (Referral)
   • The Root Server doesn't know the answer for www.tsinghua.edu.cn, but it knows who manages .cn.
   • Responds with a referral containing the NS records for the .cn Top-Level Domain (TLD) servers.
4. Resolver to TLD
   • The resolver follows the referral and sends an iterative query to one of the .cn TLD servers.
   • "Who is the name server for edu.cn?"
5. TLD Response (Referral)
   • The .cn server responds with another referral, pointing to the NS records for the edu.cn zone.
6. Resolver to Second-Level Domain
   • The resolver again follows the referral and queries an edu.cn server.
   • "Who is the name server for tsinghua.edu.cn?"
7. Second-Level Response (Referral)
   • The edu.cn server responds with a final referral, pointing to the NS records for tsinghua.edu.cn (Tsinghua's own servers).
8. Resolver to Authoritative Server
   • The resolver sends a final iterative query to one of Tsinghua's authoritative name servers.
   • "What is the A record for www.tsinghua.edu.cn?"
9. Authoritative Response (Answer)
   • This server holds the zone file and has the final answer.
   • It responds with the A record containing the IP address.
   • The AA (Authoritative Answer) flag in the response header is set to 1.
10. Resolver to Client
    • The resolver receives the final answer, stores it in its local cache for the duration of the record's Time-To-Live (TTL), and finally sends the answer back to the computer.

DNS Packet Format

Consists of a 12-byte header followed by four variable-length sections.

DNS Header:

• Transaction ID (TXID) (16 bits): A random identifier to match queries with responses.
• Flags (16 bits): Control bits like QR (Query/Response), AA (Authoritative Answer), and RD (Recursion Desired).
• RCODE (Response Code) (4 bits): Indicates the result (e.g., 0 for No Error, 3 for NXDOMAIN).
• Section Counts (4 x 16 bits): Counts for the number of records in each of the following sections.

DNS Message Sections:

1. Question Section: The domain name and record type being queried.
2. Answer Section: Contains records that directly answer the query.
3. Authority Section: Contains NS records pointing to authoritative servers.
4. Additional Section: Contains "glue" records, like the IP addresses of the servers in the Authority section.

The Kaminsky Attack (2008)

• Instead of attacking a real domain, it queries for a non-existent random subdomain (random123.victim-bank.com).
• The attacker then floods the resolver with forged responses.
• The malicious payload doesn't answer the random query but instead uses the Authority Section to claim that the attacker's server is now the authoritative server for the entire parent domain (victim-bank.com).
• When the resolver accepts this, its cache is poisoned.

DNS Defenses

• Source Port Randomization
  • The primary defense against the Kaminsky attack, making the TXID and port much harder to guess.
• DNS-0x20 / Case Randomization
  • The resolver randomizes the capitalization of the letters in the domain name it queries (e.g., wWw.TsingHua.eDu.Cn).
  • Since DNS lookups are case-insensitive but responses are case-preserving, the resolver can check if the case in the response matches the query it sent.
  • This adds extra bits of entropy for an attacker to guess, making spoofing harder.
• DNSSEC (DNS Security Extensions)
  • The true cryptographic solution.
  • Adds digital signatures to DNS records, creating a chain of trust from the root down to the final answer.
  • Uses RRSIG (the signature), DNSKEY (the public key), and DS (a hash of the key in the parent zone) records to ensure data authenticity and integrity.
• Modern Privacy Enhancements
  • DNS over TLS (DoT): Encrypts DNS queries over a TLS tunnel on port 853.
  • DNS over HTTPS (DoH): Encapsulates DNS queries within standard HTTPS traffic on port 443, making it hard to block or monitor.