Hey everyone, welcome back to another video here on TryHackMe. I'm John and today we're going to be taking a look at the room DNS in detail. Learn how DNS works and how it helps you access internet services. That being said, let's go ahead and dive into task one.
What is DNS? DNS, the Domain Name System, provides a simple way for us to communicate with the devices on the internet without remembering complex numbers. Much like every house has a unique address for sending mail directly to it, every computer on the internet has its own unique address to communicate with, called an IP address.
An IP address looks like the following. So you can see this is four sets of numbers ranging between 0 and 255, separated by periods, and we can see that right here as well.
This is referred to as four octets. That is because it comes from the binary notation of the address. You'll see this in other representations as well if you go down the IP addressing path and learn about that a little bit more.
When you want to visit a website, it's not exactly convenient to remember this complicated set of numbers, and that's where DNS can help. So instead of remembering this exact IP here, you can remember tryhackme.com instead. So here you can see that we have an example DNS record for tryhackme.com that would point to the IP address here.
Let's see, for the question, what does DNS stand for? That is the domain name system. And there we go.
Let's move into task two, domain hierarchy. First, let's talk about TLD or top level domains. Let me close my streak here.
A TLD is the most right-hand part of the domain name. So for example, the tryhackme.com TLD is .com. And you can see that broken out up here,
where we have the period and then we have our TLDs listed here. There are two types of TLD: the gTLD, or generic top-level domain, and the ccTLD, or country code top-level domain. Historically, a gTLD was meant to tell the user the domain name's purpose.
For example, a .com would be for commercial purposes, .org for an organization, .edu for education, and .gov for government. And a ccTLD was used for geographical purposes. For example, .ca for sites based in Canada, .co.uk for sites based in the United Kingdom, and so on and so forth. Due to such demand, there is an influx of new gTLDs, ranging from .online, .club, .biz, and many more.
There's a whole bunch of them. If you've ever gone on Namecheap or GoDaddy or any domain registration site, you're going to see that there are new TLDs coming out, it seems like every single day at this point.
For a full list, you can click there. I definitely recommend taking a brief look through them. There are some interesting ones, and it can give you an idea of it, especially if you wanted to have your own website at some point, which is something that, for resume purposes, I highly recommend doing at the minimum. It's worth just taking a quick half a minute look through there.
Let's talk about the second level domain. Taking tryhackme.com as an example, the .com part is the TLD, and tryhackme is the second level domain.
When registering a domain name, the second level domain is limited to 63 characters plus the TLD and can only use A through Z and 0 through 9 and hyphens. It cannot start or end with hyphens or have consecutive hyphens though. Next let's talk about subdomains.
A subdomain sits on the left-hand side of the second level domain, using a period to separate it. For example, in the name admin.tryhackme.com, which I definitely recommend checking out if you haven't visited this before, the admin part is the subdomain. A subdomain name has the same creation restrictions as a second level domain, being limited to 63 characters and only able to use A through Z, 0 through 9, and hyphens.
And of course, the restrictions on hyphens still apply. You can use multiple subdomains split with periods to create longer names, such as jupyter.servers.tryhackme.com, but the maximum length must be kept below 253 characters. There is no limit to the number of subdomains you can create for your domain name. Now, subdomains: it's important to just know this structure.
It comes into play a lot more as we start getting into websites and web hacking and things like that, especially when we're looking at cookies. Let's take a look at the questions below. What is the maximum length of a subdomain? I believe that was 63 characters, so we'll go ahead and submit that.
Which of the following characters cannot be used in a subdomain? That's going to be the underscore. What is the maximum length of a domain name?
That is going to be 253 characters. And then what type of TLD is .co.uk? This is going to be a ccTLD, or country code top-level domain.
All right, let's move into task three, record types. DNS record types. DNS isn't just for websites though, and multiple types of domain or DNS records exist. We'll go over some of the most common ones you're likely to come across.
First, we have the A record. This is the main one that you'll see, other than maybe pointer records, which we don't cover in here, but I'll briefly mention them after I go over the A record. These records resolve to IPv4 addresses. For example, you have this IPv4 address, so you'd have a domain name, and then it would resolve to that IP address.
Pointer records go the other way, where you can have an IP and look up the domain that's associated with it. Very useful for reverse lookups. Then we have the quad A records. These records resolve to IPv4 addresses, and that's an example of an address there.
Note there's some shortening here. Don't worry too much about this. You don't need to know too much about IPv6. Know it exists.
Know that if it's on in the network, that's another way that you can explore and navigate around. But for all intents and purposes, with what we're doing right now, not too important. CNAME record, or canonical name. These records resolve to another domain name. For example, TryHackMe's online shop has the subdomain name store.tryhackme.com, which returns a CNAME record for shops.shopify.com.
Another DNS request would then be made to shops.shopify.com to work out the specific IP address. So think of it this way: it's a way that we can relabel something so we have a much more friendly name. In this case, we have store.tryhackme.com, which is how we would remember it, and that's how it's going to be linked on the TryHackMe website.
And it's a Shopify domain, which has to be hosted on Shopify. I believe you can host that on your own. Don't worry too much about this. But it's a way that we can relabel it.
It's a nice way that we can remember it, and it's much more friendly than trying to remember a Shopify domain. MX records, or mail exchange records. These records resolve to the address of the servers that handle the mail for your domain, or the domain you are querying.
For example, an MX record response for tryhackme.com will look something like alt1.aspmx.l.google.com. And that's specifying in this case that this is a G Suite email server, and you'll learn a little bit more about these as you start examining them. Much more interesting if you are looking at this for, for example, phishing attacks, or if you're doing bug bounty and you're trying to identify the attack surface that's available: knowing what MX servers are there can lead into other things.
I won't go too far into that, but know that you'll be familiar with this eventually. These records also come with a priority flag. This tells the clients in which order to try the servers. This is perfect for when the main server goes down and email needs to be sent to a backup server. This happens especially when you consider maintenance and updating and patching the mail exchange servers. And then, last but not least, we have the TXT record, or text records. TXT records are free text fields where any text-based data can be stored.
TXT records have multiple uses but some common ones can be to list servers that have the authority to send an email on behalf of the domain. This can help in the battle against spam and spoofed email. They can also be used to verify ownership of the domain name when signing up for third-party services. Don't worry too much about this. This is something that if you get into web hosting, you'll learn a lot more about these.
It's just important to know that they exist. What type of record will be used to advise where to send email? That will be an MX record. And then what type of record handles IPv6 addresses?
That will be a Quad A record. Let's move into task 4, making a request. What happens when you make a DNS request? First, when you request a domain name, your computer checks its local cache to see if you've previously looked up the address recently.
If not, a request to your recursive DNS server will be made. Step 2. A recursive DNS server is usually provided by your ISP, or internet service provider, but you can also choose your own. This server has its own local cache of recently looked up domain names. If a result is found locally, this will be sent back to your computer, and your request ends here.
This is common for popular and heavily requested services such as Google, Facebook, Twitter, YouTube; anything that's going to be looked up a lot will probably live here. If the request cannot be found locally, a journey begins to find the correct answer, starting with the internet's root DNS servers. Step 3. The root servers act as the DNS backbone of the internet. Their job is to redirect you to the correct top-level domain server depending on your request. If, for example, you request www.tryhackme.com, the root server will recognize the top-level domain of .com and refer you to the correct TLD server that deals with .com addresses.
And here we can see a diagram on the side that's walking through this request. So we have a computer making the request to the DNS server here. It says, hey, I don't have this stored locally in my cache, so we have to reach out the root DNS servers.
And this is where we just ended off. Then we have step four. The TLD server holds records for where to find the authoritative server to answer the DNS request.
The authoritative server is often known as the name server for the domain. For example, the name server for tryhackme.com is kip.ns.cloudflare.com and we have a second one here as well. You'll often find multiple name servers for a domain name to act as a backup in case one goes down. So here we can see this has been sent over to try to find, hey what name server actually holds these records? And you can see that we're drilling down through these servers in order to find a more fine-grained server that's responsible for what we're looking for.
And then we have step five. An authoritative DNS server is the server that is responsible for storing DNS records for a particular domain name, and where any updates to your domain name's DNS records will be made. Depending on the record type, the DNS record is then sent back to the recursive DNS server, where a local copy will be cached for future requests, and then relayed back to the original client that made the request in the first place.
DNS records all come with a TTL, or time to live, value. This value is a number, represented in seconds, that the response should be saved for locally until you have to look it up again.
Caching saves on having to make a DNS request every time you communicate with the server. So here you can see in the diagram we're sending this back to our recursive DNS server. So we say, hey, I have your answer here or it just outright fails.
And the DNS server here, assuming it's successful, will save that locally and then relay it back to the client. What field specifies how long a DNS record should be cached for? That's going to be the time to live, or TTL.
What type of DNS server is usually provided by your ISP, or internet service provider? That is recursive. And what type of server holds all the records for a domain? That is going to be authoritative. And there we go. Let's move into task five, practical. Using the website on the right, we can build requests to make DNS queries and view the results. Let's go ahead, we'll click on this, and we note that it's going to start spawning the website on the side. The website will also show you the command you need to run on your own computer if you wish to make the request yourself. Let's go ahead, and we can see that the command is listed down here.
We can see the type of query that we're looking for. What is the CNAME of shop.website.thm? We can type in shop.website,
and it looks like we already have website.thm, and we can see the CNAME of it if we change that. Let's see: server can't find website.thm. Let's give it just a moment. I'm going to go ahead and pause this for just a second and we'll see if we can get this all resolved.
All right, and we're back. It took just a moment. It was just taking a moment to actually send the query successfully. If that happens, give it just a few minutes and it should fix itself. That being said, I've gone ahead and we can select CNAME here and we'll type in shop and we can see that we have the command down here and we'll send that, maybe.
There we go. And we can see that we have shops.myshopify.com. We can do that with shops.myshopify.com.
Now we want to see what the value of the TXT record for website.thm is, rather. So we can change this to TXT, and we don't actually have to add anything in this case because we already have it entered in there. And we have our TXT record,
which we can go and copy out, and there we go. What is the numerical priority value for the MX record? Let's go ahead and we'll just send this as is, since we don't actually have to specify a subdomain in this case. We can just send it, and we can see that it is 30 right here.
And then what is the IP address for the A record of www.website.thm? We can change this to A, rather, and we just need to add in the three w's at the beginning, and it looks like it's going to be all 10s, so 10.10.10.10. And there we go, that is going to do it for this room. If you have any questions, feel free to join the TryHackMe Discord and/or the TryHackMe subreddit; both will be linked below. But until next time, happy hacking.
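An added example, not part of John's video or the TryHackMe room: a Python checker for the domain-name rules covered in task two (each label, whether second-level domain or subdomain, is 1 to 63 characters from A-Z, 0-9 and hyphen; no leading, trailing or consecutive hyphens; the whole name is at most 253 characters). The consecutive-hyphen rule follows the room's wording; RFC 1035 itself only requires letters, digits and hyphens with no hyphen at either end, and internationalised labels legitimately start with "xn--", so treat that one check as the room's rule rather than a universal one. The function name `check_domain` and the sample names are my own.

```python
from typing import Tuple

# Limits as stated in the room: per label, and for the whole dotted name.
MAX_LABEL = 63
MAX_NAME = 253
# "LDH": letters, digits, hyphen (case-insensitive, so compare lower-cased).
LDH = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def check_domain(name: str) -> Tuple[bool, str]:
    """Validate a domain name against the room's rules.

    Returns (True, "") when the name passes, otherwise (False, reason) with
    the first rule that failed, so a caller can report it to the user.
    """
    name = name.rstrip(".")  # a trailing dot only marks an absolute name
    if not name:
        return False, "empty name"
    if len(name) > MAX_NAME:
        return False, f"name is {len(name)} characters, maximum is {MAX_NAME}"
    labels = name.split(".")
    if len(labels) < 2:
        return False, "need at least a second-level domain and a TLD"
    for label in labels:
        if not label:
            return False, "empty label (consecutive dots)"
        if len(label) > MAX_LABEL:
            return False, (f"label {label!r} is {len(label)} characters, "
                           f"maximum is {MAX_LABEL}")
        bad = sorted(set(label.lower()) - LDH)  # underscore, unicode, spaces...
        if bad:
            return False, f"label {label!r} contains disallowed characters {bad}"
        if label[0] == "-" or label[-1] == "-":
            return False, f"label {label!r} starts or ends with a hyphen"
        if "--" in label:  # the room's rule; stricter than RFC 1035
            return False, f"label {label!r} contains consecutive hyphens"
    return True, ""


if __name__ == "__main__":
    # Constructed sample names, including the underscore case from the quiz.
    for candidate in ("tryhackme.com", "jupyter.servers.tryhackme.com",
                      "admin_panel.tryhackme.com", "-admin.tryhackme.com",
                      "a" * 64 + ".com", "localhost"):
        ok, reason = check_domain(candidate)
        print(f"{candidate[:40]:<40} {'OK' if ok else 'REJECT: ' + reason}")
```

The check is deliberately a whitelist: anything outside letters, digits and hyphen is rejected with the offending characters named, which is the behaviour you want in input validation before a name reaches a resolver or a shell command.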
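An added example, not from the video or the room: a parser for the DNS response wire format (RFC 1035), to show what sits behind the `dig`/`nslookup` queries of the task five practical and the record types from task three. It decodes A, AAAA, CNAME, MX (with its priority, called the preference field on the wire) and TXT answers, and follows name-compression pointers while refusing any pointer that does not point backwards, which is the classic infinite-loop trap in hand-rolled parsers. `SAMPLE_RESPONSE` is a constructed message for shop.website.thm and website.thm, not captured traffic; the IP addresses, mail exchanger name and SPF text in it are made up for the example, and all function names are my own.

```python
import ipaddress
import struct

# RR type codes for the record types the room covers.
TYPE_A, TYPE_CNAME, TYPE_MX, TYPE_TXT, TYPE_AAAA = 1, 5, 15, 16, 28
TYPE_NAMES = {TYPE_A: "A", TYPE_CNAME: "CNAME", TYPE_MX: "MX",
              TYPE_TXT: "TXT", TYPE_AAAA: "AAAA"}


def read_name(msg: bytes, off: int):
    """Decode the domain name at msg[off], following compression pointers.

    Returns (name, offset just past the name as written at `off`). A pointer
    (top two bits 11) must refer to an earlier offset; that rule alone makes
    pointer loops impossible, so no hop counter is needed.
    """
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("compression pointer does not point backwards")
            if not jumped:
                end, jumped = off + 2, True
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def read_rdata(msg: bytes, off: int, rtype: int, rdlen: int):
    """Decode RDATA for the supported types; unknown types come back raw."""
    if rtype == TYPE_A:
        return str(ipaddress.IPv4Address(msg[off:off + 4]))
    if rtype == TYPE_AAAA:  # ipaddress applies the :: shortening for us
        return str(ipaddress.IPv6Address(msg[off:off + 16]))
    if rtype == TYPE_CNAME:
        return read_name(msg, off)[0]
    if rtype == TYPE_MX:  # 16-bit preference (priority), then exchange name
        pref = struct.unpack("!H", msg[off:off + 2])[0]
        return pref, read_name(msg, off + 2)[0]
    if rtype == TYPE_TXT:  # one or more <length><chars> strings, concatenated
        parts, end = [], off + rdlen
        while off < end:
            n = msg[off]
            parts.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
        return "".join(parts)
    return bytes(msg[off:off + rdlen])


def parse_response(msg: bytes):
    """Return (rcode, answers); answers is a list of (owner, type, ttl, value)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if (flags & 0x8000) == 0:
        raise ValueError("not a response: QR bit is clear")
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = read_name(msg, off)
        off += 4         # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((owner, TYPE_NAMES.get(rtype, rtype), ttl,
                        read_rdata(msg, off, rtype, rdlen)))
        off += rdlen
    return flags & 0xF, answers


# --- Constructed sample response (assumed values, not captured traffic) ----
def _name(s: str) -> bytes:
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in s.split(".")) + b"\x00"


def _rr(owner: bytes, rtype: int, ttl: int, rdata: bytes) -> bytes:
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Pointer targets: 0x0C = question name, 0x11 = "website.thm" inside it,
# 0x2E = the CNAME target written out in the first answer.
SAMPLE_RESPONSE = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 5, 0, 0)  # response, RD+RA, rcode 0
    + _name("shop.website.thm") + struct.pack("!HH", TYPE_CNAME, 1)
    + _rr(b"\xc0\x0c", TYPE_CNAME, 300, _name("shops.myshopify.com"))
    + _rr(b"\xc0\x2e", TYPE_A, 60, ipaddress.IPv4Address("203.0.113.5").packed)
    + _rr(b"\xc0\x2e", TYPE_AAAA, 60, ipaddress.IPv6Address("2001:db8::1").packed)
    + _rr(b"\xc0\x11", TYPE_MX, 3600, struct.pack("!H", 30) + b"\x04mail\xc0\x11")
    + _rr(b"\xc0\x11", TYPE_TXT, 3600, b"\x0bv=spf1 -all")
)

if __name__ == "__main__":
    rcode, answers = parse_response(SAMPLE_RESPONSE)
    print("rcode:", rcode)
    for owner, rtype, ttl, value in answers:
        print(f"{owner:<22} {ttl:>5} {rtype:<5} {value}")
```

Note the two places a hostile resolver or a spoofed UDP reply could bite a naive parser: a compression pointer that points at itself or forwards (rejected here), and a TXT or name length byte that runs past the buffer (Python slicing simply truncates, but in C this is an out-of-bounds read). The priority the practical asks for is the first two bytes of the MX RDATA, which is why the answer shows up as the tuple `(30, 'mail.website.thm')`.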