Transcript for:
Comprehensive Guide to DNS Security

Your web browser is kind of dumb. You see, when you type in a website address like academy.networkchuck.com, it has no idea how to get there. Because to actually visit the website, you have to know the IP address of the server it lives on.

It's essentially its phone number and your web browser doesn't know it. But if you press enter, it does get there. What am I talking about? It's kind of like this.

If I... Actually, hold on. If I handed you an old phone and said, Here, call your friend Bernard. Go ahead. There you go.

Put the number in. You couldn't do it. You don't know Bernard's phone number. We don't memorize those anymore.

You just know his name, Bernard. But if you could grab your phone, open up your contacts app and type in Bernard, boom, you would see his phone number and then you could dial the number. Oh, that's really fun. That is DNS, the domain name system. Your browser doesn't know Bernard's phone number or the IP address for academy.networkchuck.com, so it has to check its contacts.

And in this case, that will be a DNS server, a server that's similar to your contacts app will map domain names or website names to an IP address. Bernard's name, Bernard's phone number, website name, IP address. So your browser will query or ask the DNS server, Hey, what's the IP address for academy.networkchuck.com? I got to get there.

And the DNS server will respond with the IP address and boom, you're good to go. You can visit that website. This DNS process is vital to how the internet works. Without it, websites, emails, and pretty much anything to do with the internet would break. And it often does when DNS stops working, which often happens because this process I outlined here is a bit more complex than I've shown.

Also, this process can be hacked. There are ways to secure yourself. I use secure DNS from TwinGate, the sponsor of this video. TwinGate is my VPN replacement and they have amazing DNS features.

We'll talk more about them here in a bit. This is going to be fun. We're going to trace all the DNS queries that your computer will use to get to academy.networkchuck.com. And there's quite a few. You're about to see how the internet works.

So here we go. You open your browser. You're ready to learn because you want to go out to academy.networkchuck.com where I teach on this and many other things like our new course, intro to laptops and mobile devices. Part of our new A plus course. If you're just getting started in it.

Oh, and by the way, here's you, you're excited and you've got a cup of coffee. So you're ready to learn it. I just gave you a refill coffee break. So you launch your browser and type in academy.networkchuck.com.

Now before your computer goes anywhere, he might actually already know the IP address of academy.networkchuck.com. He'll use his stub resolver, which sounds hilarious. I love saying that. It's just the term for the DNS client running on your machine, but it's called a stub resolver. The stub resolver will check your cache because if you've recently been to academy.networkchuck.com, the IP address might be there, stored in your cache for safekeeping.

And if it is, you're good to go. You don't have to go out to a DNS server and ask it questions. But in this case...

This is your first time. You've never been there before. That's crazy.

How have you never been there before? Let's keep going. So your stub resolver knows he needs some help.

It's time to ask his DNS server, his DNS server. What do you mean? Your computer will have in its network configuration, along with its IP address, a DNS server that it can talk to.

This is something that you configure, or it's just given to you by the DHCP server in your network. What is that? You'll learn about that in NetworkChuck Academy.

Check it out. You're about to go there right now. A very common DNS server you might use is Google.

They have a DNS server found at the IP address 8.8.8.8. It's one of the very few IP addresses I have memorized. So your stub resolver will send a query, a DNS query saying, Hey Google, my public DNS server, surely you know the IP address of academy.networkchuck.com, right?

And Google might go, Actually, no, I don't. Wait, wait, what? Yes. You see, Google's public DNS server is a recursive DNS server, which means he may not know all the IP addresses for every website, but he knows a guy who knows the guy who can tell him. He's going to make multiple requests to other DNS servers to find out. Are you ready for this adventure? I'm telling you, it's a crazy one.

Now, sometimes he may not have to ask anybody because, similar to your stub resolver, he may have some cache. Someone may have already been to academy.networkchuck.com and he's got the IP address saved in his cache. And in that case, he'll just tell you, but we're going to assume he doesn't.

So if Google doesn't know, then who does? Now the next step involves some mafia bosses. Yes, DNS does have a hierarchy.

And at the very top are the DNS mafia bosses. I'm not kidding. It's kind of crazy.

They're called the roots. That's for real. The roots are run by these 12 companies or organizations, big names like NASA, the DOD, VeriSign.

They control and manage 13 server groups or 13 named authorities. And these are hundreds of servers strewn about the world. Here's the map.

Oh, did I say hundreds? I meant 1,865. So Google will reach out to one of the root servers, the mafia bosses, because surely of anyone, they would know the IP address of academy.networkchuck.com right?

Wrong. These are the bosses. They don't deal with the peasant work of domain to IP address mapping.

Now, they're all big picture. All they care about and know about are top level domains, or TLDs. What is that?

Well, when Google talks to these root servers, he's only asking about one thing, this section of our URL right here, the .com. This is a top level domain, or a TLD. So .com, .net, .co, .coffee. These are all top level domains.

Also country specific ones like .jp for Japan or .ph for the Philippines. Now, what does it mean they handle the top level domains? Well, it means they're lazy.

They delegate everything. Meaning they can't tell you any IP addresses for any domains, but they'll say, you know what? I know who can help you.

Middle management, my underling. So what they maintain is a list of other DNS servers that can help you with these top level domains.

So in our example here, our Google recursive DNS server is only asking about the .com top level domain. And our root server will return a list of other DNS servers that are responsible for that .com domain. And when I say responsible, I also mean authoritative. They're the bosses of those domains.

Using nslookup, the query might look like this. And we'll pick one of the root servers here. I'll choose J.

And we'll ask that mafia boss root server, Hey, who manages the .com top level domain? And the mafia boss root server responds with a database, a list of servers that are authoritative, responsible, for the .com top level domain. These servers here, these DNS servers, are referred to as top level domain servers or TLD servers.

But I want to make sure I'm labeling our journey here, the steps. So our Google DNS server asked for it; the root server responds.

He says, you can ask a.gtld-servers.net. He manages .com. Talk to him. So armed with that knowledge, our Google recursive DNS server will send another query to a.gtld-servers.net, because surely he knows the IP address for academy.networkchuck.com, right?

Wrong. He doesn't. It's a whole journey, I told you, but Google knows that. He's only asking about one very specific piece of information.

This right here, networkchuck, this part of our domain is called the second level domain or an SLD. So Google's not asking this TLD server, Hey, what's the IP address for academy.networkchuck.com? No, he's asking, Hey, who manages networkchuck.com?

Who is the authority for that second level domain? And that's what TLD servers do. They keep a database or list of authoritative servers for website domains. I know it kind of feels like an "I know a guy who knows a guy" situation. With nslookup, the query might look like this.

And the .com TLD server will respond with an authoritative server or servers for networkchuck.com, the second level domain. And as you can see here, the authoritative server for my networkchuck.com domain is Cloudflare. That is who manages my stuff.

So now, finally, the Google recursive DNS server knows who to ask. This whole process so far has been like, Hey, Hey, Hey, to find out who might know. And now he knows the server is Cloudflare. His name is Pablo.

I love their DNS server naming schemes. So Google sends one last DNS query, please, sir. You're the last step of my journey. Do you know the IP address for academy.networkchuck.com? And guess what? Pablo does.

Pablo does. Pablo knows everything about the domain networkchuck.com. He's got what's called the zone file, which looks something like this. Here's an example of a zone file, starting with a start of authority record, an SOA. Essentially, hey, who's in charge here?

It's Pablo. He's the name server that you can contact to find out anything you want to know about networkchuck.com, including things like, and not limited to, the IP address for networkchuck.com. If you want to visit the main website, you should, it's really cool. And the reason we came here, the record for academy.networkchuck.com and the IP address.

Yes, it belongs to, finally, oh my gosh, it's here. And that's what Pablo responds with, good old 104.18.42.139. Google has done it. He quickly updates his cache, saving that precious tidbit of information for later. And then finally he can tell us, our computer, our stub resolver, the IP address for academy.networkchuck.com.
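The walk from root to TLD to authoritative server described above, as an added simulation that is not part of the video: the three server dictionaries are constructed stand-ins for the real zones, the j.root-servers.net and pablo.ns.cloudflare.com hostnames and the 203.0.113.10 address are assumptions filled in from "J" and "Pablo", and only a.gtld-servers.net, academy.networkchuck.com and 104.18.42.139 come from the transcript.

```python
"""Simulated walk: recursive resolver -> root -> .com TLD -> authoritative server.
Zone data below is constructed for this example, not the real zones."""
from typing import Dict, List, Optional, Tuple

# Each server maps an owner name to ("referral", [name servers]) or ("answer", ip).
# Real referrals also carry glue A records for the referred servers; this
# simulation keys SERVERS by hostname instead, to keep the walk readable.
SERVERS: Dict[str, Dict[str, Tuple[str, object]]] = {
    # root: knows only who runs each TLD
    "j.root-servers.net.": {"com.": ("referral", ["a.gtld-servers.net."])},
    # .com TLD server: knows only who is authoritative for each second level domain
    "a.gtld-servers.net.": {"networkchuck.com.": ("referral", ["pablo.ns.cloudflare.com."])},
    # authoritative server ("Pablo"): holds the zone file with the actual records
    "pablo.ns.cloudflare.com.": {
        "networkchuck.com.": ("answer", "203.0.113.10"),          # constructed address
        "academy.networkchuck.com.": ("answer", "104.18.42.139"),  # value from the video
    },
}


def ask(server: str, qname: str) -> Tuple[str, object]:
    """One query to one server: return the record for the longest owner name
    that is qname or a parent of it, or ("nxdomain", None) if it has nothing."""
    best: Optional[Tuple[str, Tuple[str, object]]] = None
    for owner, record in SERVERS[server].items():
        if qname == owner or qname.endswith("." + owner):
            if best is None or len(owner) > len(best[0]):
                best = (owner, record)
    return best[1] if best else ("nxdomain", None)


def resolve(qname: str, cache: Dict[str, str],
            root: str = "j.root-servers.net.",
            max_hops: int = 8) -> Tuple[Optional[str], List[str]]:
    """The recursive resolver's job: check its cache, otherwise follow referrals
    from the root until an authoritative server answers. Returns (ip, trace)."""
    if not qname.endswith("."):
        qname += "."
    if qname in cache:
        return cache[qname], ["cache"]
    trace: List[str] = []
    server = root
    for _ in range(max_hops):          # bound the walk: referral loops exist in the wild
        kind, data = ask(server, qname)
        trace.append(f"{server} -> {kind}")
        if kind == "answer":
            cache[qname] = data        # remember it for the next client that asks
            return data, trace
        if kind != "referral":
            return None, trace
        server = data[0]               # follow the first name server we were referred to
    return None, trace


if __name__ == "__main__":
    resolver_cache: Dict[str, str] = {}
    ip, hops = resolve("academy.networkchuck.com", resolver_cache)
    print(ip, "via", " | ".join(hops))
    print(resolve("academy.networkchuck.com", resolver_cache))  # second lookup is a cache hit
```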

And by the way, the academy portion of this domain, to the left of the second level domain, this is called a subdomain, which allows me to do cool things like make an academy and point just that URL, that website name, to a different location, my actual academy, from my main website, networkchuck.com. Now, step back for a second and think about this. All of this happens every time you visit a website. It's magic.

And it happens like that because when you visit a website, you've never been to before. You just go there. No time really goes by. You don't even notice it.

But behind the scenes, all this stuff is happening. That's so crazy, but you know, it's also pretty stinking crazy, the fact that this process is often done insecurely. You see, when your PC, your client, your stub resolver queries a DNS server, it will by default use UDP port 53. This is done in plain text, meaning it's not encrypted. It's naked for all the world to see.

So if I were a hacker, if I were a hacker, and I've demonstrated this numerous times on my channel, I could sniff or get in the middle of that traffic, take that traffic and I could just look at it without any problems. I could see what websites you're visiting. If I really wanted to be bad, I could pretend to be a DNS server and respond with another IP address.

Maybe an IP address that goes to another server. That's bad. This is what happens all the time.

It's called DNS spoofing. And it's not just the hackers you want to worry about your ISP, your internet service provider. The person providing you internet can also see your DNS queries, which means they can see what websites you're visiting.
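The plaintext UDP port 53 exchange just described, as an added example that is not from the video: it builds the query bytes a stub resolver sends, shows that the queried name is readable in the clear, and applies the checks a resolver makes before trusting a reply (matching transaction ID and question). Both packets and the 203.0.113.5 address are constructed in memory; nothing is sent on the network.

```python
"""Hand-built DNS wire format: the query a stub resolver sends on UDP port 53
and the sanity checks a resolver applies to a reply before believing it.
All packets here are constructed for the example."""
import struct
from typing import List, Tuple


def encode_name(name: str) -> bytes:
    """'academy.networkchuck.com' -> b'\\x07academy\\x0cnetworkchuck\\x03com\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard query, recursion desired (flags 0x0100), one question; qtype 1 = A,
    class 1 = IN. Nothing is encrypted: the name travels as readable labels."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a name at off, following 0xC0xx compression pointers; return (name, next_off)."""
    labels: List[str] = []
    end, jumped = off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed reply: same ID, echoes the question, one A record whose owner name
    is a pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, rcode 0
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr


def parse_response(query: bytes, resp: bytes) -> List[str]:
    """Return the A addresses in resp, but only if resp answers *this* query: same 16-bit
    transaction ID and the same question. Failing these checks is how a resolver discards
    a stray or forged packet (together with a random UDP source port, not modelled here)."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID does not match our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned rcode {flags & 0xF}")
    sent_name, _ = decode_name(query, 12)
    qname, off = decode_name(resp, 12)
    qtype, qclass = struct.unpack("!HH", resp[off:off + 4])
    off += 4
    if qdcount != 1 or (qname, qtype, qclass) != (sent_name, 1, 1):
        raise ValueError("question section does not match what we asked")
    addrs: List[str] = []
    for _ in range(ancount):
        _, off = decode_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if (rtype, rclass, rdlen) == (1, 1, 4):
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def accepted(query: bytes, resp: bytes) -> bool:
    """True if parse_response would trust resp as the answer to query."""
    try:
        parse_response(query, resp)
        return True
    except ValueError:
        return False
```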

I don't want them to know that. Get out of here. That's why DNS security has become a pretty big thing. Thankfully, we do have a solution. Let me talk about how you can secure your own DNS right now.

A big hero to the rescue was a thing called DoH, which is really cool. It stands for DNS over HTTPS. This is actually pretty crazy. So HTTPS, this is the protocol we use to securely access websites. So right now, as you're watching this video, you're on YouTube and you're connected to YouTube via HTTPS.

That connection is secure and encrypted. Hackers can't see inside of that. They don't know what videos you're watching. No one does, but you and that guy standing behind you watch out.

So HTTPS is a secure encrypted connection. DNS, when it goes over HTTPS also becomes a secure connection. So we get things like encryption. Even if a hacker happened to be in the middle of the conversation, they were sniffing your web traffic.

They wouldn't be able to see that DNS query. It's hidden. Not only is it hidden, it's wearing a costume. It's wearing an HTTPS costume. You see, normally it's pretty easy to identify DNS traffic when you're looking at traffic captures.

You can search for things that are using UDP port 53, but if DNS is using HTTPS along with all the other web traffic, I can't identify DNS traffic. It's just all the website traffic. DNS is hiding in a crowd of people.

It's like, where's Waldo? Except he's not wearing a bright shirt. He's just a regular person.

You would never know. Okay. This sounds great, right?

So how do you use DNS over HTTPS? Well, the short answer is it's pretty easy. There are a couple of considerations you have to know.

For example, the client, you, your browser, has to support DoH, which thankfully most do nowadays. Also the DNS server you're connecting to, the one you choose to connect to, also needs to support DoH. Choose a DNS server that supports DoH. Just search that. Cloudflare, Google, they all have it. And make sure your client has DoH enabled.

Cool, that's great for you. But what about your family? What about your employees? Are you gonna go to every device and make sure they're using DoH and they have the appropriate settings enabled and they're connected to the right DNS server?

You could do that, but I don't have that time. Do you? This is why I like to rely on tools like TwinGate. Now TwinGate is my remote access solution.

So when I'm out and about traveling the world, like I for real use this when I was in Japan or when my employees are working from home, like Florida, Nick, this is what he uses to access our stuff here. He'll connect to our network in the studio using his TwinGate client from Florida, getting a super secure connection to us. That's cool by itself.

You should definitely try it. It's free for up to five users. It's zero trust access. You've got granular control over what anyone can access. I love it.

I've been using it for a long time. But back to DNS, a cool feature we can enable is secure DNS. Let me show you what it looks like. I'm gonna log into my TwinGate dashboard. And by the way, I don't pay for TwinGate and they don't give it to me for free.

I'm using the free version right now. So in their internet security settings, they have what's called secure DNS. So essentially any Mac, Windows, or Linux computer with my TwinGate client installed, this policy forces them to use DoH.

I can actually enforce that and make sure this is happening. I can choose which DoH server I wanna use.

So I can use Cloudflare, Google, OpenDNS, NextDNS. All these are public DNS servers, DNS recursive resolvers that support DoH. Now, if I had some restrictions on what DNS servers my company could use, I can specify a custom DNS server here. And this is pretty cool.

With client configuration, I can add this machine key to my clients. And I can deploy this with any kind of MDM solution I have. And as long as this machine key is on their computer, it doesn't matter if their TwinGate connection is open and connected to my network.

It'll still make sure they're using DoH, making sure the DNS queries are always encrypted and secure. It's persistent. Now you also got a fallback in case something loses connection, whatever that might be.

You can say, you know what? Just fall back to the system's DNS. Maybe you got your DNS server handed to you from your ISP.

And it's actually their DNS providers. You don't wanna do that. Then they're really seeing what you're doing.

So in that case, you might wanna go, Hey, you know, I wanna be pretty strict, require DoH even when resolvers fail, and the resolvers would be the DNS servers themselves. Hey, NetworkChuck from the future here. TwinGate just gave me DNS filtering. They unlocked it for me. Thank you, TwinGate. I'm going to enable it, enable it for everyone.

Okay. Now let's edit our filtering profile: allow list, deny list, security categories. It's already blocking threat intelligence feeds. Content restrictions. Oh yeah, Mike has a gambling problem.

Alex is always on Facebook. We'll leave YouTube on privacy protection. We can block ads and trackers done. This is pretty cool.

Thank you, TwinGate. I just turned it on and we already have so much in there.

It's all from Nick, Florida Nick, and Austin's MacBook. I'm actually really excited about this. It's already doing stuff. If you're not already using TwinGate, you need to use it. Check it out.

Link below. I'm a massive fan of it and I've got a video up here somewhere where I show you how to set this up and some really cool features of how it handles additional DNS. Now back to DNS security. DoH is not the only option, even though it is one of the more popular ones. We've got DoT, or DNS over TLS, transport layer security, which also is secure and encrypted. We've got DNSCrypt doing a lot of the same things. DNSSEC, which is actually a suite of tools on how to make sure every query and response is valid, not just encrypted.

And then you have DNS servers like Quad9 that do advanced things. Like when you use them as your DNS server, they could do malware prevention. If you happen to be going to a website or URL that's known bad.

They can prevent you from doing that. Now, DNS is more than just domain names to IP address mapping. Check this out. So looking back at our zone file for networkchuck.com.

There's a lot of stuff going on. Some things you're familiar with, others are like, what? So for example, right here, we have what's called A records.

These are our domain names to IP address mappings. Probably the most popular one you're aware of. Another one that we just saw as we were looking at our life of a query going through that process was a name server, otherwise known as an NS record.

The NS record or name server record tells us what server, what authoritative DNS server, is responsible for a second level domain. So networkchuck.com, this is his name server, or at least one of them. If you scroll down just a little bit more, you'll see this crazy thing. Quadruple A records. Overpowered. All it is, is a domain name mapping to an IPv6 address.

I'm not going to cover IPv6 in this video here. Just know it's bigger and more than IPv4 addresses, but they have the same function. And if we scroll down a bit more, we're getting to some more exciting things. This is kind of crazy.

We have what's called MX records or mail exchanger records. These records identify what servers for a domain handle email. What does that mean? Well, it means if you were to send an email to me, which my email address is chuck@networkchuck.com.

Let's draw it up here real quick. And if you're interested in sponsoring one of my videos, it'll be sponsor@networkchuck.com. When you type in this email address into your email client and you click send, your email server has to figure out who manages the emails for networkchuck.com.

Which server does that? So here is just a demo record. You might see mail.networkchuck.com. In reality, I use Gmail or Google Workspace, and it would reply with a bunch of Google servers that handle my email.

Then we have a fun one down here, PTR records or pointer records. How I like to refer to them. These are for reverse DNS, very important for security. These allow you to take an IP address and go boom, which domain name belongs to this IP address.

You're like doing DNS in reverse. So this allows you to verify that when you have just the IP address. That's a great situation. You don't have to query anything, but maybe it's not the right one.

Maybe it's not secure. Let's verify that. So you can query a DNS server and say, do you have a pointer record for this, a PTR? And it will reply with the actual domain name it belongs to.

It'll look crazy like this often, but that's what it's doing. Kind of a crazy concept. Now C names are really fun.

They stand for canonical name, just kind of a fun word to say. And isn't that the company that runs Ubuntu, Canonical? Yes, it is. Canonical. Can I spell this first time?

I think I did. This allows you to create an alias for a domain. So for example, shop.networkchuck.com or even www.networkchuck.com, and point it to another domain, a canonical domain, which means true, the real one.

So alias to real. So just think when you wanna point a domain name to a domain name, it's usually gonna be a CNAME. And yes, when you wanna go to www.whateverwebsite.com, that's going to be a CNAME record pointed to the real domain name. And then finally one more record we'll talk about.

This is not exhaustive because DNS is a whole thing, even though we've covered a lot so far, like you are going to know DNS by the end of this video. I mean, you already are there. Last thing we're going to talk about is TXT records, which just stand for text records. These back in the day were made just to kind of share messages with admins. I don't know, like would they leave notes when they would do DNS requests?

Sounds kind of fun. Tell you what, I'm going to leave a secret message for you guys. If you can query this, it's going to be secret message.networkchuck.com. Query that using your favorite DNS querying tool and see what it says. And please comment that below.

That's your homework. Now, text records are used for a lot more than just playing around. In fact, they're vital in how we secure email now. Yes, we're back to email. Like, for example, this one right here is an SPF record or a TXT record specifying an SPF server.

This TXT record defines which servers are legit for a domain. So, for example, this one might say only mail from mail.networkchuck.com is valid for our domain. If it comes from anywhere else, any fishy area, that's not it.

Deny it, reject it. You don't want this. And other mail servers can query these TXT records to see that list of verified mail servers. You also might see DKIM TXT records to verify that emails weren't messed with in transit or DMARC, which is a fairly new thing.

We actually have a course on DMARC on academy.networkchuck.com. And this is all about configuring policies on how to deal with mail that doesn't pass DKIM or SPF, and how a domain will utilize SPF and DKIM.
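How a receiving mail server evaluates an SPF TXT record like the one just described, as an added example that is not from the video. The record text, the 203.0.113.25 and 198.51.100.0/24 sender addresses and the host-to-IP table are constructed; they are not networkchuck.com's real records.

```python
"""Evaluate an SPF record (RFC 7208 subset: ip4, ip6, a, mx, all) for a sending IP.
The DNS lookups an SPF check performs are replaced by constructed tables."""
import ipaddress
from typing import Dict, List

# Constructed stand-in for the A and MX lookups a mail server would make.
DNS_A: Dict[str, List[str]] = {
    "mail.networkchuck.com": ["203.0.113.25"],
    "networkchuck.com": ["104.18.42.139"],
}
DNS_MX: Dict[str, List[str]] = {"networkchuck.com": ["mail.networkchuck.com"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _matches(mech: str, sender_ip: str, domain: str) -> bool:
    """Does one mechanism (e.g. 'a:mail.networkchuck.com', 'ip4:198.51.100.0/24') cover sender_ip?"""
    ip = ipaddress.ip_address(sender_ip)
    name, _, arg = mech.lower().partition(":")
    if name in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)   # False on version mismatch
    if name == "a":
        return sender_ip in DNS_A.get(arg or domain, [])
    if name == "mx":
        hosts = DNS_MX.get(arg or domain, [])
        return any(sender_ip in DNS_A.get(mx, []) for mx in hosts)
    if name == "all":
        return True
    raise ValueError(f"unsupported mechanism {name!r}")  # include:, exists:, ptr not modelled


def check_spf(record: str, sender_ip: str, domain: str) -> str:
    """Return pass / fail / softfail / neutral for sender_ip claiming mail from domain.
    Mechanisms are tried left to right; the first match decides, via its qualifier.
    With no match (and no redirect=, which is ignored here) the result is neutral."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:                  # modifiers such as redirect= / exp= are skipped
            continue
        if _matches(term, sender_ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    rec = "v=spf1 mx a:mail.networkchuck.com ip4:198.51.100.0/24 -all"
    for ip in ("203.0.113.25", "198.51.100.77", "192.0.2.9"):
        print(ip, check_spf(rec, ip, "networkchuck.com"))
```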

Telling you DNS is extremely powerful. Now for you, if you wanna get your own domain, this is not sponsored by any kind of domain provider. Let's say you wanted to buy ilovecoffee.coffee.

How does that process work, and how do all the DNS servers we talked about find out about you? Well, it starts with going to a domain registrar. Registrar, it's kind of fun to say. Go ahead and say it for me real quick. Say it out loud so I can hear you.

Squarespace is one of those main domain registrars now because they bought Google domains. Now, there's actually one boss I didn't talk about. That's above the mafia bosses. This organization has ultimate authority.

They're called ICANN because they can. They can do whatever they want. They're the Internet Corporation for Assigned Names and Numbers. That's a mouthful. I really don't want to write this, so I'm going to do it anyway.

These guys help govern DNS, making sure it's run smoothly. They're actually the ones who can delegate who can become a TLD server. And another main role they have is they accredit domain registrars. Registrar. Meaning they sign off on these guys.

They're legit. You can buy a domain from them. We said you could. Now I am curious if ilovecoffee.coffee is available. Let's see, because that's one of the biggest things you gotta worry about, is if your domain is available. It is, for 50 bucks.

No one steal it. Once I buy it, I then have a choice. I can actually use Squarespace as my name server, so my authoritative name server for my domain, which means they would hold my zone file.

DNS servers would ask them for any information about my domain. Now, if I didn't want to do that, and this is a common thing, let's say I wanted to use Cloudflare as a name server because Cloudflare has a bunch of cool features to protect your websites and assets. So I might say, you know what, Squarespace, you're cool as a domain registrar.

I love you for it. I don't want to use you as a name server. So here are the name servers I want to use. So you would tell Squarespace that.

So I want it to be Pablo. Pablo, I trust this man with my life. This is the guy I'm gonna tell everything about me.

You can ask him, he knows. So Squarespace, now armed with the knowledge of your name servers, has a duty of updating the TLD registry, the top-level domain registry, with these name server records, or NS records. Now I'm curious, who operates .coffee? I've gotta find out. I'm going to query for an NS record for .coffee.

I'll ask one of the root servers. I'll ask J again, I trust him. Okay, so v0n0.nic.coffee.

That's interesting. Who is that? That's a great segue into who is.

When you register a domain, you actually kind of register a lot of stuff about you as the owner of that domain. The name, the company, address, and that information is maintained in the whois database. I'm gonna discover who this nic.coffee is. So I looked it up and check it out. I can't see it, because you can also pay your DNS registrar when you register to make your information private.

It's an extra fee, but I can see that it says Identity Digital Inc. I don't know if that's real or not because everything's redacted. But if I search for google.com, or let's do cia.gov, everything is redacted. Let's try someone real, Facebook. Okay, cool, we got some stuff for Facebook. There it all is. So I don't know who nic.coffee is, but Squarespace would have to tell them if I bought ilovecoffee.coffee. Now two more things I want to talk about, at the risk of making this video way too long. I don't care, it's my video. If you're still here, thank you so much, you're awesome. Let's take a little sip of coffee together. First thing is you can actually run your own DNS server inside your house.

It'll be a recursive DNS server, similar to a public Google server, where it'll have a cache of A records, domain names to IP addresses that it's remembered that you've been to before. And if it doesn't know an IP address, it'll be configured to go to an upstream DNS server. So for example, right now I've got a Raspberry Pi

in my server room running as my local DNS server for my studio. It's running what's called AdGuard, which is fantastic because it can block ads, but when it doesn't know about a website, it'll just ask the upstream server, which I've configured as Quad9, Cloudflare, Google. I've got a few actually. Another popular one is Pi-hole.

Pi-hole is very fun, but you can absolutely run your own DNS server in your house. It's a really fun project, fairly easy to do. I've got two videos on it right up here. Go check them out.

Last thing I want to talk about, it's a bit of foreshadowing, is that I talked about how DNS can be hacked. And what I want to do is walk you through how those hacks look and how you can actually learn those hacks yourself, not for any nefarious purposes, but for ethical hacking purposes. And that'll be a part two of this video, how to hack DNS.

It may already be out. Go ahead and go there right now. That's all I got for this video.

See you guys later.