The DNS Verse – Getting Started
DNS, in simple terms, is like a phonebook for the internet: it translates human-friendly domain names into the IP addresses that computers use to identify each other. Think of how you don't have to remember the phone numbers in your contact list: you just pick the name, and the phone places the call and takes care of the detail, i.e. the number. Similarly, in the DNS world we don't have to remember the location of the machine where a website is hosted (the IP address, analogous to the phone number). When we type a domain name such as pwn-security.com into the browser, it automatically makes the right call, thanks to how DNS works.
How does DNS work? (Detailed View)
DNS resolution happens in the order defined below. Have fun reading!
- User Request:
  You enter pwn-security.com in your favorite browser. The browser needs to convert this domain name into an IP address to connect to the web server hosting the website. Let's see what happens next.
- DNS Mapping File:
  The operating system provides a local file that maps domain names to IP addresses. As the zeroth step of DNS resolution, your computer searches this file (/etc/hosts on Linux, C:\Windows\System32\drivers\etc\hosts on Windows) for an entry that resolves the name. Example entry (the IP address comes first, then the hostname):
  10.0.1.134 git.pwn-security.com
- Local DNS Resolver:
  The browser first queries the local DNS resolver, probably the one provided by your Internet Service Provider, to see if pwn-security.com is already cached.
- Recursive Resolution:
  If the local resolver does not have the IP address cached, it sends a request to a DNS server, which may in turn need to query other DNS servers to get the answer. This process is called recursive resolution.
- Root DNS Servers:
  The DNS server starts by querying the root DNS servers, which direct the query to the appropriate TLD servers.
- TLD DNS Servers:
  The TLD servers direct the query to the authoritative DNS servers for the specific domain.
- Authoritative DNS Servers:
  These servers hold the DNS records for the domain and provide the final IP address for the requested domain.
- Response:
  The IP address is sent back through the DNS hierarchy to the local resolver, which caches the result and forwards it to the user's browser. The browser then connects to the web server using the provided IP address.
DNS follows a client-server architecture: the DNS client sends a query to a DNS server, which sends back a response based on the request.
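To make the resolution order above concrete, here is an added offline simulation (my own example, not code from the original post) that walks the same steps in software: hosts file first, then the resolver's cache, then a referral chain root -> TLD -> authoritative, with the final answer cached so the second lookup never leaves the resolver. The zone data, server names and IP addresses are constructed for the demo; the hosts entry reuses the git.pwn-security.com line from the post.

```python
"""Offline simulation of the resolution order described above: hosts file, resolver
cache, then root -> TLD -> authoritative. Added example, not code from the original
post; every zone, server name and IP address below is constructed for the demo."""
from dataclasses import dataclass, field

# Constructed hosts file. Format is IP address first, then one or more hostnames.
HOSTS_FILE = """
127.0.0.1    localhost
10.0.1.134   git.pwn-security.com
"""

# Constructed zone data. Each server knows only its own level of the tree.
ROOT_REFERRALS = {"com.": "com-tld-server"}                   # root: who serves .com
TLD_REFERRALS = {"pwn-security.com.": "ns1.pwn-security.com"}  # .com: who is authoritative
AUTH_RECORDS = {                                               # authoritative zone: name -> (type, rdata, ttl)
    "pwn-security.com.": ("A", "203.0.113.10", 300),
    "www.pwn-security.com.": ("CNAME", "pwn-security.com.", 300),
}


def parse_hosts(text):
    """Parse hosts-file lines into {hostname: ip}; '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for host in fields[1:]:
            table[host.lower()] = fields[0]
    return table


def in_zone(qname, zone):
    """True when qname is zone itself or lies below it (label-aware, not a substring test)."""
    return qname == zone or qname.endswith("." + zone)


def referral_server(referrals):
    """A server that only hands out referrals, which is how root and TLD servers answer."""
    def handle(qname):
        for zone, next_server in referrals.items():
            if in_zone(qname, zone):
                return ("referral", next_server)
        return ("nxdomain", None)
    return handle


def authoritative_server(qname):
    """Return the final record, chasing CNAMEs that stay inside this zone (capped at 8 hops)."""
    chain = []
    while qname in AUTH_RECORDS and len(chain) < 8:
        rtype, rdata, ttl = AUTH_RECORDS[qname]
        chain.append((qname, rtype, rdata, ttl))
        if rtype != "CNAME":
            return ("answer", chain)
        qname = rdata
    return ("nxdomain", None)


SERVERS = {
    "root": referral_server(ROOT_REFERRALS),
    "com-tld-server": referral_server(TLD_REFERRALS),
    "ns1.pwn-security.com": authoritative_server,
}


@dataclass
class RecursiveResolver:
    cache: dict = field(default_factory=dict)   # fqdn -> ip, filled by earlier lookups
    trace: list = field(default_factory=list)   # where each step of each lookup went

    def resolve(self, name):
        host = name.lower().rstrip(".")
        fqdn = host + "."
        hosts = parse_hosts(HOSTS_FILE)
        if host in hosts:                       # step 0: the hosts file short-circuits DNS
            self.trace.append("hosts")
            return hosts[host]
        if fqdn in self.cache:                  # step 1: answer from cache, no network
            self.trace.append("cache")
            return self.cache[fqdn]
        server = "root"                         # step 2: walk the hierarchy by referral
        while True:
            self.trace.append(server)
            status, payload = SERVERS[server](fqdn)
            if status == "referral":
                server = payload
            elif status == "answer":
                ip = payload[-1][2]             # last record in the CNAME chain is the A
                self.cache[fqdn] = ip
                return ip
            else:
                return None


if __name__ == "__main__":
    r = RecursiveResolver()
    for q in ("www.pwn-security.com", "www.pwn-security.com", "git.pwn-security.com"):
        print(q, "->", r.resolve(q), "via", r.trace[-1])
```

The trace list is the point of the exercise: the first lookup of www.pwn-security.com touches root, TLD and authoritative servers, the repeat is served from cache, and git.pwn-security.com never reaches DNS at all because the hosts file answers first. That ordering is also why a writable hosts file or a poisoned resolver cache silently redirects every application on the machine.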
Common DNS records to query against:
- A (Address) Record: This represents an IPv4 address.
- AAAA (IPv6 Address) Record: This represents an IPv6 address.
- CNAME (Canonical Name) Record: This represents the alias for a domain name.
- MX (Mail Exchange) Record: This specifies the mail server responsible for receiving email on behalf of the domain.
- TXT (Text) Record: This holds arbitrary text information. TXT records are often used for domain verification and security purposes such as SPF (Sender Policy Framework) records.
- SRV (Service) Record: Defines the location of servers for specific services.
- PTR (Pointer) Record: Maps an IP address back to a domain name. This is used in reverse DNS lookups to verify the domain name associated with an IP address.
- NS (Name Server) Record: Specifies the authoritative DNS servers for the domain.
- SOA (Start of Authority) Record: Contains administrative information about the domain, including the primary name server, the email address of the domain administrator, and various timers.
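The records above are what you see on the wire when you query a server. As an added example (not code from the original post), the following encoder/decoder builds a query and parses a response containing MX, A and TXT (SPF) answers in the actual DNS message format. The sample response is constructed by hand in build_sample_response(), so the names, addresses and SPF value are made up; the parser is written the way a defender wants one written, bounds-checking every read and rejecting the self-referential name-compression pointers that crash or hang naive parsers.

```python
"""Minimal DNS wire-format encoder/decoder for the record types listed above. Added
example, not code from the original post; build_sample_response() is constructed by hand."""
import ipaddress
import struct

TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28, "SRV": 33}
TYPE_NAMES = {v: k for k, v in TYPES.items()}

def encode_name(name):
    """'pwn-security.com' -> b'\\x0cpwn-security\\x03com\\x00' (uncompressed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234):
    # Standard query, recursion desired, one question and no other sections.
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", TYPES[qtype], 1)

def decode_name(msg, off, depth=0):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it).
    Reads are bounds-checked and pointers must go backwards, so a crafted message
    can neither loop the parser nor make it read past the buffer."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            if depth > 16 or off + 1 >= len(msg):
                raise ValueError("bad compression pointer")
            ptr = ((length & 0x3F) << 8) | msg[off + 1]
            if ptr >= off:                              # RFC 1035: must point to a prior name
                raise ValueError("forward or self-referential pointer")
            return ".".join(labels + [decode_name(msg, ptr, depth + 1)[0]]), off + 2
        off += 1
        if length == 0:                                 # root label terminates the name
            return ".".join(labels), off
        if off + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def decode_rdata(msg, rtype, start, length):
    """Turn one record's RDATA into a Python value (raw hex for types not decoded here)."""
    data = msg[start:start + length]
    if rtype == TYPES["A"] and length == 4:
        return str(ipaddress.IPv4Address(data))
    if rtype == TYPES["AAAA"] and length == 16:
        return str(ipaddress.IPv6Address(data))
    if rtype in (TYPES["CNAME"], TYPES["NS"], TYPES["PTR"]):
        return decode_name(msg, start)[0]
    if rtype == TYPES["MX"] and length > 2:            # 16-bit preference, then a name
        return (struct.unpack("!H", data[:2])[0], decode_name(msg, start + 2)[0])
    if rtype == TYPES["TXT"]:                           # sequence of <len><bytes> strings
        strings, i = [], 0
        while i < length:
            strings.append(data[i + 1:i + 1 + data[i]].decode("ascii", "replace"))
            i += 1 + data[i]
        return strings
    return data.hex()

def parse_message(msg):
    """Parse the header, question and answer sections of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        qtype = struct.unpack("!H", msg[off:off + 2])[0]
        questions.append((name, TYPE_NAMES.get(qtype, qtype)))
        off += 4
    for _ in range(an):
        name, off = decode_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated rdata")
        answers.append((name, TYPE_NAMES.get(rtype, rtype), ttl, decode_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}

def build_sample_response():
    """Constructed reply to an MX query for pwn-security.com with MX, A and TXT (SPF)
    answers; each owner name is the pointer 0xC00C back to the question name at offset 12."""
    ptr = b"\xc0\x0c"
    header = struct.pack("!HHHHHH", 0xBEEF, 0x8180, 1, 3, 0, 0)   # QR=1, RD=1, RA=1, rcode 0
    question = build_query("pwn-security.com", "MX")[12:]
    mx_rdata = struct.pack("!H", 10) + b"\x04mail" + ptr           # mail.pwn-security.com, compressed
    txt = b"v=spf1 mx -all"
    return (header + question
            + ptr + struct.pack("!HHIH", TYPES["MX"], 1, 3600, len(mx_rdata)) + mx_rdata
            + ptr + struct.pack("!HHIH", TYPES["A"], 1, 300, 4) + ipaddress.IPv4Address("203.0.113.10").packed
            + ptr + struct.pack("!HHIH", TYPES["TXT"], 1, 300, len(txt) + 1) + bytes([len(txt)]) + txt)

def is_malformed(msg):
    # True when the parser rejects the message instead of looping or crashing.
    try:
        parse_message(msg)
        return False
    except ValueError:
        return True
```

Note that the response's owner names and the MX target reuse the question name through a compression pointer, which is how real servers keep replies small and also why name decoding is the part of a DNS parser that most needs bounds checks. SOA and SRV RDATA are left as hex here; decoding them follows the same pattern (fixed-width integers plus names).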
Enough theory for now; in the next part we will explore the various tools used to attack DNS from a hacker's perspective. Till then, stay tuned!