Comprehensive Guide to DNS Security

Oct 17, 2024

Understanding DNS and Its Importance

Introduction to DNS

  • The web browser needs the IP address of a server to visit a website, similar to needing a phone number to call someone.
  • The Domain Name System (DNS) maps domain names (like academy.networkchuck.com) to IP addresses (like 104.18.42.139).

The DNS Process

  1. Initial Query

    • When you enter a website, your browser first checks its cache to see if it already knows the IP address.
    • If not, it uses a stub resolver to ask a DNS server for help.
  2. Using a DNS Server

    • The DNS server (usually the one assigned by your network, or a public resolver such as Google DNS at 8.8.8.8) may also cache results.
    • If the DNS server doesn't know the IP address, it queries other DNS servers.
  3. Root Servers

    • Root servers, managed by organizations like NASA and VeriSign, help direct queries to the correct top-level domain (TLD) servers based on the TLD (e.g., .com).
    • They respond with a list of authoritative DNS servers for that TLD.
  4. TLD Servers

    • The TLD server for .com will respond with the authoritative servers for the specified second-level domain (e.g., networkchuck.com).
  5. Authoritative Servers

    • Finally, the authoritative server (like Cloudflare) provides the actual IP address needed to visit the website.
    • This entire process happens very quickly and often goes unnoticed by the user.

Security Risks in DNS

  • DNS queries are typically sent in plain text, so anyone on the network path can read them and forge responses (DNS spoofing).
  • Users' ISPs can monitor DNS queries, revealing websites visited.

Securing DNS Queries

  1. DNS over HTTPS (DoH)

    • An encryption method that protects DNS queries by sending them over HTTPS.
    • Makes it hard for attackers on the network path to identify and intercept DNS traffic, since it blends in with ordinary HTTPS connections.
  2. Implementing DoH

    • Ensure both the client (browser) and the DNS server support DoH.
    • Consider using VPNs or secure access solutions like Twingate to enforce secure DNS.

Additional DNS Security Options

  • DNS over TLS (DoT): Another encryption method similar to DoH.
  • DNSCrypt: Provides encryption and authentication for DNS traffic.
  • DNSSEC: Ensures the authenticity and integrity of DNS responses.
  • Quad9: A DNS server that also offers malware protection.

Understanding DNS Records

  • A Records: Map domain names to IPv4 addresses.
  • AAAA Records: Map domain names to IPv6 addresses.
  • MX Records: Identify servers handling email for a domain.
  • NS Records: Specify which DNS servers are authoritative for a domain.
  • CNAME Records: Alias one domain name to another.
  • TXT Records: Store text information, often used for email verification (e.g., SPF records).

Domain Registration Process

  • To obtain a domain, users go to a domain registrar (e.g., Squarespace) that is accredited by ICANN.
  • Registrars maintain records about the domain owner in the WHOIS database.

Running Your Own DNS Server

  • Users can set up a recursive DNS server at home (e.g., using a Raspberry Pi with AdGuard).
  • DIY DNS servers can enhance privacy and security while browsing.

Conclusion & Future Topics

  • The lecture covered how DNS works and its importance to internet functionality.
  • Future sessions may cover ethical hacking techniques related to DNS vulnerabilities.