DNS Overview and Security

Jul 20, 2025

Overview

This lecture explains how the Domain Name System (DNS) translates human-friendly website names into IP addresses, and covers DNS security, DNS records, and domain registration.

Introduction to DNS

  • Browsers need IP addresses, not domain names, to visit websites.
  • DNS acts like a contact list, mapping website names to IP addresses.
  • Without DNS, the internet would not function properly.

DNS Query Process

  • Your computer uses a DNS client called a stub resolver.
  • The stub resolver first checks its local cache for the IP address.
  • If not cached, the stub resolver queries a configured DNS server (often from your ISP or a public provider like Google).
  • If that DNS server doesn't have the answer cached either, it acts as a recursive resolver and queries the other servers in the DNS hierarchy on your behalf.

DNS Hierarchy & Resolution Steps

  • Root servers know which servers are responsible for each top-level domain (TLD) (e.g., .com, .net).
  • TLD servers know which authoritative servers handle each second-level domain (e.g., networkchuck.com).
  • The authoritative server holds the zone file with the actual IP address mappings.
  • Subdomains (e.g., academy.networkchuck.com) are handled by the authoritative server.
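The walk described in the two sections above (stub cache, then a recursive resolver following referrals from root to TLD to authoritative server, caching on the way) as an added, runnable toy model. This is example code written for these notes, not from the lecture; the server names "root-server" and "com-tld-server" and the RFC 5737 documentation addresses are constructed.

```python
"""Toy model of the resolution path: a stub resolver checks its local cache,
then asks a recursive resolver, which walks root -> TLD -> authoritative by
following NS referrals and caches what it learns.
Added example (not from the lecture); the server names and the RFC 5737
documentation addresses below are constructed."""

# Each simulated server holds a zone-like table: owner name -> [(type, data), ...].
# An NS record for a zone the server does not answer for is a referral downward.
SERVERS = {
    "root-server": {
        "com.": [("NS", "com-tld-server")],
    },
    "com-tld-server": {
        "networkchuck.com.": [("NS", "ns1.networkchuck.com.")],
    },
    "ns1.networkchuck.com.": {  # authoritative: holds the zone's actual records
        "networkchuck.com.": [("NS", "ns1.networkchuck.com."), ("A", "203.0.113.10")],
        "academy.networkchuck.com.": [("A", "203.0.113.20")],
    },
}
MAX_HOPS = 8  # bounds the walk so a broken delegation cannot loop forever


def enclosing_zones(name):
    """Yield the name and each enclosing zone, longest first:
    academy.networkchuck.com. -> networkchuck.com. -> com."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


class RecursiveResolver:
    """The ISP/public resolver: answers from cache or walks the hierarchy."""

    def __init__(self):
        self.cache = {}

    def resolve(self, name, rtype="A"):
        """Return (answers, trace). answers is None when nothing is found;
        trace lists the servers contacted, or ["cache"] for a cache hit."""
        key = (name, rtype)
        if key in self.cache:
            return self.cache[key], ["cache"]
        server, trace = "root-server", ["root-server"]
        for _ in range(MAX_HOPS):
            table = SERVERS[server]
            answers = [data for rt, data in table.get(name, []) if rt == rtype]
            if answers:
                self.cache[key] = answers
                return answers, trace
            # No answer here: follow the closest enclosing NS referral, if any.
            referral = None
            for zone in enclosing_zones(name):
                ns = [data for rt, data in table.get(zone, []) if rt == "NS"]
                if ns:
                    referral = ns[0]
                    break
            if referral is None or referral == server or referral not in SERVERS:
                return None, trace  # dead end: the name does not exist in this toy hierarchy
            server = referral
            trace.append(server)
        return None, trace


class StubResolver:
    """The client-side piece on your device: local cache first, then the configured resolver."""

    def __init__(self, resolver):
        self.resolver = resolver
        self.cache = {}

    def lookup(self, name, rtype="A"):
        key = (name, rtype)
        if key in self.cache:
            return self.cache[key], "stub-cache"
        answers, trace = self.resolver.resolve(name, rtype)
        if answers:
            self.cache[key] = answers
        return answers, "resolver via " + " -> ".join(trace)


if __name__ == "__main__":
    stub = StubResolver(RecursiveResolver())
    for q in ["academy.networkchuck.com.", "academy.networkchuck.com.", "nope.networkchuck.com."]:
        print(q, *stub.lookup(q))
```

The second lookup of the same name is answered from the stub cache, and a second resolver instance resolving networkchuck.com. twice shows the recursive resolver's own cache doing the same job one level up. A local DNS server such as AdGuard or Pi-hole sits in the same place as RecursiveResolver here, forwarding anything it has not cached to an upstream resolver.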

DNS Security & Encryption

  • Standard DNS uses UDP port 53 and transmits queries in plain text.
  • This makes DNS vulnerable to eavesdropping and to forged replies (DNS spoofing).
  • DNS over HTTPS (DOH) encrypts DNS queries inside HTTPS, hiding them from on-path observers such as attackers and ISPs.
  • DNS over TLS (DOT) and DNSCrypt also encrypt queries; DNSSEC is different: it signs records so a resolver can verify that an answer is authentic, but it does not hide the query.
  • Tools like Twingate can enforce secure DNS usage on multiple devices.
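To make the plaintext point concrete, the following added example (written for these notes, not from the lecture) builds a DNS query in its RFC 1035 wire format, parses it back to show that the queried name is readable by anyone on the path with no key at all, and then encodes the same message the way DNS over HTTPS (RFC 8484) carries it in a GET request. The transaction ID 0x1234 and the query name www.example.com are constructed.

```python
"""Builds a DNS query in its RFC 1035 wire format, parses it back to show how
much a plaintext UDP/53 query reveals to anyone on the path, then encodes the
same message the way DNS over HTTPS (RFC 8484) carries it in a GET request.
Added example, not from the lecture; the transaction ID and names are constructed."""
import base64
import struct

QTYPE_A, CLASS_IN = 1, 1
FLAG_RD = 0x0100  # "recursion desired": what a stub resolver sets


def encode_name(name):
    """Domain name -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("each label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """12-byte header (ID, flags, QDCOUNT=1, AN/NS/AR=0) followed by one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(data, offset):
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not used in questions")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def parse_query(data):
    """What a passive observer of port 53 traffic can read without any key."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", data[:12])
    name, offset = decode_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
    return {"id": txid, "rd": bool(flags & FLAG_RD), "qdcount": qdcount,
            "name": name, "qtype": qtype, "qclass": qclass}


def doh_get_path(wire):
    """RFC 8484 GET form: the wire message, base64url-encoded without padding.
    The whole request then travels inside TLS, so the path is not visible on the wire."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    wire = build_query("www.example.com")
    print(wire.hex())           # readable structure: header, then 3www7example3com0
    print(parse_query(wire))    # name recovered with no decryption at all
    # RFC 8484 recommends ID 0 for GET so identical queries can share HTTP caches
    print(doh_get_path(build_query("www.example.com", txid=0)))
```

The DNS message itself is identical in both cases; what DOH changes is the transport. On the wire an observer sees a TLS connection to the resolver on port 443 rather than a UDP/53 datagram whose question they can decode with the few lines above. The same idea applies to DOT, which wraps the message in TLS on port 853.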

DNS Records & Their Functions

  • A Records: Map domain names to IPv4 addresses.
  • AAAA Records: Map domain names to IPv6 addresses.
  • NS Records: Identify authoritative name servers for a domain.
  • MX Records: Specify mail servers responsible for handling email.
  • PTR Records: Enable reverse DNS, mapping IP addresses to domain names.
  • CNAME Records: Alias one domain name to another.
  • TXT Records: Store textual information, used for SPF, DKIM, and DMARC for email security.
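The TXT-based email protections named in the last bullet are the records a defender most often has to review, so here is an added example (written for these notes, not from the lecture) that parses SPF and DMARC policies, checks for a DKIM selector record, and flags the weak settings. The TXT_RECORDS table is constructed sample data: example.com is configured well, weak.example is not, and the DKIM public key is a placeholder.

```python
"""Parses the SPF and DMARC policies published in TXT records and checks for a
DKIM selector record, flagging settings a defender would tighten. Added example,
not from the lecture; the TXT_RECORDS table is constructed sample data
(domains under example.com / .example, RFC 5737 addresses)."""

TXT_RECORDS = {
    "example.com.": [
        "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example.net -all",
        "site-verification=constructed-token",  # unrelated TXT data shares the name
    ],
    "_dmarc.example.com.": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"],
    "sel1._domainkey.example.com.": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "weak.example.": ["v=spf1 +all"],
    "_dmarc.weak.example.": ["v=DMARC1; p=none"],
}

SPF_LOOKUP_LIMIT = 10  # RFC 7208: more than 10 DNS-querying terms -> permerror
LOOKUP_MECHANISMS = ("a", "mx", "ptr", "exists")


def parse_spf(txt):
    """Split an SPF record into the parts that matter for a policy review."""
    if not txt.startswith("v=spf1"):
        raise ValueError("not an SPF record")
    spf = {"all": None, "includes": [], "ip4": [], "ip6": [], "redirect": None, "lookups": 0}
    for term in txt.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.split("/")[0]  # drop a CIDR suffix such as a/24
        if name == "all":
            spf["all"] = qualifier
        elif name == "include":
            spf["includes"].append(arg)
            spf["lookups"] += 1
        elif name == "ip4":
            spf["ip4"].append(arg)
        elif name == "ip6":
            spf["ip6"].append(arg)
        elif name.startswith("redirect="):
            spf["redirect"] = name.split("=", 1)[1]
            spf["lookups"] += 1
        elif name in LOOKUP_MECHANISMS:
            spf["lookups"] += 1
    return spf


def parse_dmarc(txt):
    """DMARC records are 'tag=value' pairs separated by semicolons."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def audit(domain, records=TXT_RECORDS):
    """Return short finding codes for a domain, empty when the basics look right."""
    findings = []
    spf = [t for t in records.get(domain, []) if t.startswith("v=spf1")]
    if not spf:
        findings.append("spf-missing")
    else:
        if len(spf) > 1:
            findings.append("spf-multiple")  # receivers treat this as a permanent error
        policy = parse_spf(spf[0])
        if policy["all"] in ("+", "?"):
            findings.append("spf-permissive-all")  # any host may send as this domain
        elif policy["all"] is None and policy["redirect"] is None:
            findings.append("spf-no-all")  # falls through to neutral
        if policy["lookups"] > SPF_LOOKUP_LIMIT:
            findings.append("spf-too-many-lookups")
    dmarc = [t for t in records.get("_dmarc." + domain, []) if t.startswith("v=DMARC1")]
    if not dmarc:
        findings.append("dmarc-missing")
    else:
        tags = parse_dmarc(dmarc[0])
        if tags.get("p", "none") == "none":
            findings.append("dmarc-p-none")  # monitoring only, spoofed mail is not rejected
        if "rua" not in tags:
            findings.append("dmarc-no-rua")  # no aggregate reports, so no visibility
    selector_suffix = "._domainkey." + domain
    if not any(owner.endswith(selector_suffix) and any(t.startswith("v=DKIM1") for t in txts)
               for owner, txts in records.items()):
        findings.append("dkim-missing")
    return findings


if __name__ == "__main__":
    for d in ("example.com.", "weak.example."):
        print(d, audit(d) or "ok")
```

To run this against a real domain, replace the TXT_RECORDS table with the strings returned by a DNS tool (a TXT query for the domain, for _dmarc.<domain>, and for the selector names under _domainkey); the parsing and checks stay the same.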

Domain Registration & Management

  • Domains are bought from accredited registrars (e.g., Squarespace).
  • Registrars update TLD registries with your chosen authoritative name servers.
  • ICANN manages accreditation and global DNS governance.
  • The WHOIS database stores domain ownership information, which can be made private.

Running Your Own DNS Server

  • You can run a local DNS server (e.g., with AdGuard or Pi-hole) to cache and filter DNS queries.
  • Local DNS servers forward unknown requests to upstream public DNS servers.

Key Terms & Definitions

  • DNS (Domain Name System) — Translates domain names into IP addresses.
  • Stub Resolver — DNS client on your device that initiates queries.
  • Recursive DNS Server — Server that queries other DNS servers to resolve a domain.
  • Root Server — Top-level DNS server managing TLD servers.
  • TLD (Top-Level Domain) — The last segment of a domain name (e.g., .com).
  • Authoritative Name Server — Server holding DNS records for a domain.
  • Zone File — File containing DNS records (A, CNAME, MX, etc.) for a domain.
  • DOH (DNS over HTTPS) — Secure method for DNS queries using HTTPS.
  • DOT (DNS over TLS) — Secure method for DNS queries using TLS encryption.

Action Items / Next Steps

  • Homework: Query the TXT record for secretmessage.networkchuck.com using a DNS tool and post the result in the comments.
  • Optional: Watch related videos on setting up AdGuard or Pi-hole.
  • For further study: Look forward to the follow-up lecture on DNS hacking.