dns

What is DNS

DNS (Domain Name System) is the system responsible for mapping domain names to numeric IP addresses through name servers.
When the Internet first started, computers communicated using numeric names, IP addresses,
but as their number grew, more understandable text names, domains, were adopted.
Since initially there were very few domains, their names and matching IP addresses were stored in a special file that was copied between computers. But when their number began to grow, a better way was needed
to store information about domains and their IP addresses.
This is what the DNS system was designed to do.


Why DNS technology is needed and how it works

The main task of DNS servers is to store information about domains,
namely the addresses where they are hosted.
DNS servers can also cache DNS records from other servers
to distribute the load. How does it work? For example, when you enter a site name in the address bar of your browser, the browser sends a request to a DNS server, receives the IP address of the site, and opens the site from that IP.

Types of DNS records and how to manage them

The main task of the DNS server is to return the IP address of the server
where the site is located. But beyond that, there are many more DNS
record types that are responsible for other services.
The table below summarizes the main DNS record types.

DNS Record | Description
-----------|-------------------------------------------------------------------------------
A          | Specifies the IPv4 address of the server where the domain is hosted
AAAA       | Specifies the IPv6 address of the server where the domain is hosted
CNAME      | Redirects the domain to another domain (an alias)
PTR        | Converts an IPv4 or IPv6 address into a domain name (reverse lookup)
NS         | Name server responsible for the domain
MX         | Specifies the mail server responsible for the domain
SOA        | Technical data about the domain (zone)
TXT        | Free-form text record for the domain
CAA        | Defines the certificate authorities that are allowed to issue SSL/TLS certificates for the domain
SRV        | Specifies the host name and port number of servers for certain services, such as SIP
Types of DNS records

Previously, all records were managed by editing the DNS zone file with a text editor.

There were also Primary and Secondary server roles, which could be used to delegate management of DNS records to other DNS servers. If a record contained an error, the domain stopped working. The most common mistake was always a missing trailing dot at the end of a name in a record: without it the name is treated as relative, and the zone's origin is silently appended to it.

Today, as a rule, DNS records are managed through a convenient control panel,
which tells you how to make a correct entry so as not to make a mistake.
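As an added example (not code from the original article), the check a control panel or a pre-commit hook would run over a zone file before loading it: every record type whose data is a domain name (NS, CNAME, PTR, MX) is inspected for the trailing dot, and relative names are reported together with the absolute name the server would actually use. The zone fragment is constructed sample data and the "owner IN TYPE rdata" layout is an assumption.

```python
# Constructed zone fragment for example.com (sample data, not a real zone).
ZONE = """\
$ORIGIN example.com.
$TTL 3600
@      IN SOA   ns1.example.com. hostmaster.example.com. (2024010101 3600 900 604800 86400)
@      IN NS    ns1.example.com.
@      IN NS    ns2.example.com
@      IN MX    10 mail.example.com.
www    IN A     192.0.2.10
mail   IN A     192.0.2.25
blog   IN CNAME www.example.com
"""

# Record types whose RDATA is a domain name, with the index of that name field.
# A missing trailing dot makes the name relative and the origin gets appended.
NAME_RDATA = {"NS": 3, "CNAME": 3, "PTR": 3, "MX": 4}

def check_zone(text, origin):
    """Return (line_no, message) for every record whose RDATA name lacks the
    trailing dot. Assumes the common 'owner IN TYPE rdata...' layout."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split(";")[0].strip()          # drop comments
        if not line or line.startswith("$"):       # $ORIGIN / $TTL directives
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] != "IN":
            continue
        idx = NAME_RDATA.get(fields[2])
        if idx is None or idx >= len(fields):
            continue
        target = fields[idx]
        if not target.endswith("."):
            problems.append((no, f"line {no}: {fields[2]} target '{target}' has no "
                                 f"trailing dot and will be read as '{target}.{origin}'"))
    return problems

if __name__ == "__main__":
    for _, msg in check_zone(ZONE, "example.com."):
        print(msg)
```

Run against the sample zone, the checker reports the NS record on line 5 and the CNAME on line 9; the A, SOA and correctly terminated records pass.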

What is a DNS server

Let me remind you that the main task of DNS is to match the name and IP address.

Accordingly, each domain has its own individual set of records.
They are a kind of instruction for the domain: where it is served,
where to send mail, which certificate authorities are allowed to issue certificates for it, and so on.

Geo-DNS

The DNS server is the first node that receives a request from a visitor and returns the server’s IP address. The visitor’s browser then sends an HTTP request to the application server and receives a response.

Usually one or more IP addresses are used for a single record. If multiple addresses are used, the DNS server returns them in round-robin order.

Therefore, this method is often used for load balancing. But what if you want to distribute the load not just on different IP addresses, but also on different countries?

In this case, Geo-DNS will help.

Geo-DNS is an add-on to, or a part of, the DNS server software that is capable of giving different DNS answers depending on where the request comes from, that is, from which country. As a rule, the MaxMind database is used for this; it stores information about which IP range belongs to which country.

This technology allows you to distribute the load and speed up sites. For example, a site has three servers: in Ukraine, in Europe and in the United States.

With GeoDNS you can create a record with which customers from Ukraine will get to the server in Ukraine, customers from the U.S. will get to their server and European customers will get to their server in Europe.

This minimizes the site's response time, as the site opens from the nearest server.
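The three-region setup above, as an added example that is not part of the original article: a small geo-aware resolver that looks the client address up in a prefix-to-country table (a constructed stand-in for the MaxMind database), picks the server pool for that region, and hands out addresses within a pool in round-robin order. The prefixes, pools and region mapping are all constructed sample data.

```python
import ipaddress
from itertools import cycle

# Constructed geolocation table (prefix -> country); stands in for the MaxMind
# database. The prefixes are documentation ranges, not real allocations.
GEOIP = [
    (ipaddress.ip_network("203.0.113.0/24"), "UA"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]

# Constructed server pools per region; the US pool has two addresses so that
# round-robin inside one region is visible as well.
POOLS = {
    "UA": ["10.0.1.1"],
    "EU": ["10.0.2.1"],
    "US": ["10.0.3.1", "10.0.3.2"],
}
REGION_OF_COUNTRY = {"UA": "UA", "DE": "EU", "FR": "EU", "PL": "EU", "US": "US"}
DEFAULT_REGION = "EU"       # used when the country is unknown or has no pool

class GeoResolver:
    def __init__(self, pools=POOLS, geoip=GEOIP):
        self.geoip = geoip
        # one independent round-robin cursor per pool
        self._cursor = {region: cycle(ips) for region, ips in pools.items()}

    def country_of(self, ip):
        """Longest-prefix-style lookup over the small table; None if unknown."""
        addr = ipaddress.ip_address(ip)
        for net, country in self.geoip:
            if addr in net:
                return country
        return None

    def answer(self, client_ip):
        """Return (region, server_ip) for an A query that appears to come from client_ip."""
        region = REGION_OF_COUNTRY.get(self.country_of(client_ip), DEFAULT_REGION)
        return region, next(self._cursor[region])

if __name__ == "__main__":
    resolver = GeoResolver()
    for client in ("203.0.113.5", "198.51.100.9", "192.0.2.7", "192.0.2.8", "8.8.8.8"):
        print(client, "->", resolver.answer(client))
```

One caveat worth keeping in mind: an authoritative server normally sees the address of the visitor's recursive resolver, not of the browser, so the country decision is made for the resolver unless it forwards the client's network via the EDNS Client Subnet option (RFC 7871). An unknown or unmapped source must still get an answer, which is why the example falls back to a default region rather than failing the query.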

Attacks on DNS servers and ways to protect them

The main task of the DNS server is to respond to requests,
not to verify who sent them, so it uses the UDP protocol to transfer data, which is one of the reasons why DNS servers are vulnerable to attack.

There are two main transport protocols for data transfer: TCP and UDP.

The main differences between TCP and UDP:

  • TCP establishes a connection between computers before data is transmitted.
  • UDP sends data to the destination computer without first checking that it is reachable.

As a result, DNS is exposed to cyberattacks.

As a rule, there are three basic types of attacks on DNS.

  1. Disruption of DNS server availability; the purpose is to prevent access to the site.
  2. DNS spoofing; the purpose is to redirect a visitor to an attacker’s server.
  3. Interception of passing traffic; the purpose is the same as in point 2, and this method is also sometimes used to impose censorship on the Internet.

Let’s take a look at the main attacks and ways to defend against them:

DNS amplification: the essence of the attack is
that an attacker sends a short request to a vulnerable DNS server, for example asking for all DNS records of some domain, and the server in turn responds with a much larger packet.
If the source IP in the request is spoofed to that of the victim computer, the vulnerable DNS server sends large numbers of packets to the victim until it is completely paralyzed.

DNS spoofing, also known as DNS cache poisoning.
Using vulnerabilities in the DNS server, an attacker tries to gain control over it.
Having gained access to the DNS cache, the attacker tries to alter it, thus directing visitors to a phishing site. The main risk of a compromised DNS is data theft.

A DNS flood is a fairly simple type of attack in which an attacker sends a large number of DNS queries to a DNS server, flooding it with queries and consuming its resources.
This type of attack usually results in the DNS server no longer responding to requests, so visitors stop getting responses from DNS and therefore cannot reach their sites.
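For both the amplification and the flood cases above, here is an added example (not from the original article) of what the server side can do with nothing but its own query log: a response rate limiter of the kind authoritative servers such as BIND offer (its rate-limit option has a responses-per-second setting with the same meaning as the constant below), which caps identical answers to one /24 per second and replaces part of the excess with truncated replies, plus a per-source query counter that flags a flood. The log format, the addresses and the thresholds are constructed assumptions.

```python
from collections import Counter
import ipaddress

# Constructed query log in the form "<unix_second> <client_ip> <qname> <qtype>".
# Format and addresses are assumptions made for this example.
LOG = (
    # 12 identical ANY queries within one second "from" 203.0.113.9: the pattern
    # of an amplification attack, where the source address is the spoofed victim
    ["1700000000 203.0.113.9 example.com ANY"] * 12
    # ordinary traffic: five different clients in one /24 asking for the same name
    + [f"1700000000 198.51.100.{i} www.example.com A" for i in range(1, 6)]
    # flood: one source sends 40 queries for distinct names within one second
    + [f"1700000001 192.0.2.77 host{i}.example.com A" for i in range(40)]
)

RESPONSES_PER_SECOND = 5   # identical answers per /24 per second before limiting kicks in
QUERIES_PER_SECOND = 20    # per-source threshold used by the flood detector below

def parse(line):
    ts, client, qname, qtype = line.split()
    return int(ts), client, qname.lower().rstrip("."), qtype.upper()

def rrl_decisions(lines, limit=RESPONSES_PER_SECOND, slip=2):
    """Response rate limiting: identical answers to the same /24 are capped per
    second. Beyond the cap, every `slip`-th excess query gets a truncated
    (TC=1) reply, which makes a genuine client retry over TCP while a spoofed
    victim receives only a tiny packet; the remaining excess is dropped.
    Returns one of 'answer', 'slip', 'drop' per input line."""
    seen = Counter()
    actions = []
    for line in lines:
        ts, client, qname, qtype = parse(line)
        net = ipaddress.ip_network(f"{client}/24", strict=False)
        key = (ts, net, qname, qtype)
        seen[key] += 1
        excess = seen[key] - limit
        if excess <= 0:
            actions.append("answer")
        elif excess % slip == 0:
            actions.append("slip")
        else:
            actions.append("drop")
    return actions

def flood_sources(lines, limit=QUERIES_PER_SECOND):
    """Sources that exceed `limit` queries in any single second."""
    per_second = Counter(parse(l)[:2] for l in lines)
    return sorted({client for (_, client), n in per_second.items() if n > limit})

if __name__ == "__main__":
    decisions = rrl_decisions(LOG)
    print("RRL:", Counter(decisions))
    print("flood sources:", flood_sources(LOG))
```

The two mechanisms are deliberately separate: rate limiting acts on the answer (it reduces the amplification an authoritative server can deliver to a spoofed address without refusing legitimate clients, who simply retry over TCP), while the flood counter only identifies a source that the operator may then block or throttle upstream. Keying the limiter on the /24 rather than the single address is what catches an attacker who varies the low bits of a spoofed source.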

DNS hijacking, also called DNS redirection. The essence of the attack is to make DNS queries return incorrect answers, thereby redirecting the visitor to another resource.
To carry out the attack, attackers either install malware on users’ computers, compromise routers, or intercept or take over DNS servers.

The main methods of protection against DNS attacks are competent configuration of the DNS server and the use of stable software with all security patches applied.

Also, in recent years DNSSEC has been gaining popularity as a method of protecting against DNS spoofing.

This protocol is based on digitally signing responses to DNS queries. This ensures that the answer came from the correct DNS server, and a spoofed answer will fail validation.
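An added example, not from the original article, of the property DNSSEC relies on: the zone owner signs the canonical form of a record set with a private key, publishes the public half (in DNSSEC this lives in the DNSKEY record), and a validating resolver recomputes the hash of the records it actually received and checks it against the signature and its validity window. A changed address, or a signature reused past its expiration, no longer validates. The signature scheme here is textbook RSA over a SHA-256 digest with no padding and a small key, a stand-in for the real RSA/SHA-256 algorithm, and the record names and times are constructed sample values.

```python
import hashlib
import random

# ---- textbook RSA, standing in for the RSA/SHA-256 signatures DNSSEC uses ----
# (no padding, small keys: an illustration of the idea, not production crypto)

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def make_keypair(bits=512):
    """Return (public, private) = ((e, n), (d, n)); the public half is what a
    zone would publish in its DNSKEY record."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

# ---- signing and validating an RRset -----------------------------------------

def canonical_rrset(owner, rtype, rdatas):
    """Canonical form of the RRset (in the spirit of RFC 4034): lowercase owner
    name, records sorted, so signer and validator hash identical bytes."""
    return "\n".join(f"{owner.lower()} {rtype.upper()} {r}" for r in sorted(rdatas)).encode()

def _digest(owner, rtype, rdatas):
    return int.from_bytes(hashlib.sha256(canonical_rrset(owner, rtype, rdatas)).digest(), "big")

def sign_rrset(private_key, owner, rtype, rdatas, inception, expiration):
    """Produce an RRSIG-like record covering the RRset."""
    d, n = private_key
    return {"owner": owner, "type": rtype, "inception": inception,
            "expiration": expiration, "signature": pow(_digest(owner, rtype, rdatas), d, n)}

def verify_rrset(public_key, rrsig, rdatas, now):
    """What a validating resolver does: check the validity window, then check
    that the signature matches the RRset it actually received."""
    e, n = public_key
    if not rrsig["inception"] <= now <= rrsig["expiration"]:
        return False
    return pow(rrsig["signature"], e, n) == _digest(rrsig["owner"], rrsig["type"], rdatas)

if __name__ == "__main__":
    public, private = make_keypair()
    rrsig = sign_rrset(private, "www.example.com.", "A", ["192.0.2.10"], 1700000000, 1701000000)
    print("genuine answer validates:", verify_rrset(public, rrsig, ["192.0.2.10"], 1700500000))
    print("altered answer validates:", verify_rrset(public, rrsig, ["203.0.113.66"], 1700500000))
```

The validity window matters as much as the signature itself: without it an old, once-valid answer could be replayed indefinitely, which is why real RRSIG records carry inception and expiration times and why zones must be re-signed before those run out. Everything the validator needs (the public key, the signed records, the window) travels inside DNS; only the private key stays with the zone owner.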

Conclusion

Finally, I would like to note that the operation of sites depends entirely on DNS servers.

If DNS does not respond to the request, the site will not load, regardless of the state of the server where the site is located.

Therefore, the operation of DNS is almost the most important factor in the operation of sites.

In our work we use four DNS servers located in different countries, which has a positive effect on the performance of sites. Even if one or two servers fail,
your sites will continue to work, and our specialists monitor them around the clock and do everything to keep your sites running stably, 24/7.

You can also always set up your own DNS by ordering a server or VPS from us.
