DNS Fundamentals

  • DNS (Domain Name System) translates human-readable domain names into IP addresses
  • Like a phone book for the Internet… or your LAN
  • On the Internet: hierarchical, distributed database system
    • We’ll see what that means
flowchart LR
    User[User types<br>www.example.com] --> DNS[DNS Server]
    DNS --> IP[Returns IP<br>96.7.128.198]
    IP --> Web[Web Browser connects<br>to IP address]

Ok, but what is a “Domain Name” exactly?


Hostname, Domain name, FQDN

  • Hostname: Name of a specific device (e.g., laptop1, dockerhost, node12345, mongodb) with at least one IP address.
    • Technically, "hostname" can also mean the full domain name, e.g. node12345.appengine.host.net (what hostname -f prints)
  • Domain name: Network/organizational namespace (e.g., example.com, appengine.host.net, one137.dev)
    • “A string that identifies a realm of administrative autonomy, authority or control”
    • “Domain names are formed by the rules and procedures of the Domain Name System (DNS)”
  • FQDN (Fully Qualified Domain Name): Name including hostname and domain name
    • Technically: a completely specified domain name, every label up to and including a top-level domain (TLD) of the Internet
    • Format: hostname.subdomain.domain.tld. (trailing dot is optional)
    • Example: example.com., mail.google.com., node12345.appengine.host.net, macbook.lan

[LIVE EXAMPLE]

hostname -s && hostname -d && hostname -f

Let’s dig a little deeper into FQDNs…


DNS Root Domain, TLDs

  • The DNS root domain is the top-level DNS domain in the hierarchical namespace of the DNS of the Internet.
    • It's the optional "." at the end of FQDNs (en.wikipedia.org.)
    • 13 root name server identities, a.root-servers.net. to m.root-servers.net. (each one is an anycast cluster of many machines)
    • Their IP addresses ship with resolver software as a "root hints" file, otherwise there'd be a circular dependency
    • The root zone is managed by ICANN (Internet Corporation for Assigned Names and Numbers) through its IANA function; the servers themselves are run by 12 independent operators
    • Root name servers know the name servers (NS records plus glue addresses) of all TLDs
  • A Top-Level Domain (TLD) is one at the highest level in the hierarchical DNS of the Internet, directly below the root domain
    • Examples: com, ch, dev
    • Management responsibility for each TLD is delegated by ICANN to a registry (e.g. Verisign for com, SWITCH for ch)
    • TLD name servers know the authoritative name servers of every domain delegated from their zone (again as NS records plus glue addresses)

What’s an Authoritative name server and what’s a zone?


Name Server Types and DNS Zones

A name server is simply a server that can answer DNS queries.

There are primarily 3 types of name servers:

  • Authoritative servers: Hold the official answer "this FQDN = this IP" for a limited set of names (their DNS zone), and mark their replies with the AA (authoritative answer) flag
  • Recursive resolvers: Don't hold the records themselves but know who to ask, starting at the root, to get the answer
  • Caching servers: Cache DNS results for each record's TTL and forward to another resolver when they don't know. In practice most recursive resolvers are also caching servers (and that cache is what "cache poisoning" attacks target).

Every domain name is defined in a zone served by one or more authoritative name servers.

  • Example: app.one137.dev and stage.one137.dev are part of the zone one137.dev and are served by rory.ns.cloudflare.com and stevie.ns.cloudflare.com.
  • We’ll look at DNS records in more details later on.

Full DNS Resolution Example

sequenceDiagram
    participant C as Client (You)
    participant R as Recursive Resolver<br>(eg. your router's<br>DNS Server)
    participant Root as Root<br>Nameserver
    participant TLD as .dev TLD<br>Nameserver
    participant NS as one137.dev<br>Authoritative<br>Nameserver
    participant Web as one137.dev<br>Webserver

    C->>C: Do I know one137.dev,<br>e.g. from /etc/hosts? => No
    C->>R: one137.dev?
    R->>R: Is one137.dev in my<br>cache within TTL? => No
    R->>Root: one137.dev?
    Root->>R: Referral: ask a .dev nameserver<br>(NS records + glue IPs of the .dev zone)
    R->>TLD: one137.dev?
    TLD->>R: Ask a one137.dev nameserver @<br>rory.ns.cloudflare.com / 108.162.195.166
    R->>NS: one137.dev?
    NS->>R: one137.dev = 188.114.97.12
    R->>C: 188.114.97.12
    C->>Web: Establish TCP connection (see<br>"Brief intro to TCP") @ 188.114.97.12
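
What actually crosses the wire in the C->R step above: the query and the reply are binary DNS messages (RFC 1035). The following Python is an added example, not code from the original slides. It builds the query, parses a constructed reply for one137.dev (the 188.114.97.12 address from the diagram, embedded inline rather than captured), and performs the two checks a resolver does before trusting a UDP reply. The function names and the sample reply are my own.

```python
import secrets
import struct
from typing import List, Optional, Tuple


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in the root (RFC 1035 s3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Standard query, class IN, RD=1 (ask the recursive resolver to do the full walk)."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)  # random ID: cheap, but only 16 bits of entropy
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name at <off>; return (fqdn, offset after the name)."""
    labels: List[str] = []
    end = None  # offset just past the name at its original position
    hops = 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            hops += 1
            if hops > 32 or ptr >= off:  # pointers must go backwards; this kills loops
                raise ValueError("malformed compression pointer")
            off = ptr
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer section; rdata decoded for A, NS and CNAME."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:  # A
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5):  # NS, CNAME: a (possibly compressed) name
            value, _ = decode_name(msg, off)
        else:
            value = rdata.hex()
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0x0F, "aa": bool(flags & 0x0400), "answers": answers}


def matches_query(query: bytes, response: bytes) -> bool:
    """The checks a resolver makes before trusting a UDP reply: same transaction ID and
    the same question section. A forged reply that passes both is a cache-poisoning hit."""
    if query[:2] != response[:2]:
        return False
    qname, qend = decode_name(query, 12)
    rname, rend = decode_name(response, 12)
    return (qname, query[qend:qend + 4]) == (rname, response[rend:rend + 4])


def sample_response(txid: int) -> bytes:
    """Constructed reply (not captured traffic): one137.dev. 300 IN A 188.114.97.12,
    the address used in the diagram, with the answer name compressed to offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, 1 answer
    question = encode_name("one137.dev") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([188, 114, 97, 12])
    return header + question + answer


if __name__ == "__main__":
    q = build_query("one137.dev", txid=0x1234)
    print("query :", q.hex())
    r = sample_response(0x1234)
    print("accept:", matches_query(q, r), parse_response(r)["answers"])
    print("forged:", matches_query(q, sample_response(0x4321)))
```

The transaction ID is only 16 bits, which is why real resolvers also randomise the UDP source port (the 2008 Kaminsky attack exploited resolvers that did not). The forward-pointer check in decode_name matters too: a malformed packet with a compression pointer that points at itself is the classic way to loop a naive parser.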

DNS Tool: dig

dig is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried.

# Short output (just IP)
dig +short one137.dev
 
# Query NS records
dig NS one137.dev
 
# Basic query
dig one137.dev
 
# Trace full resolution path (without DNSSEC records cluttering the output)
dig +trace +nodnssec one137.dev
 
# Query specific nameserver
dig @8.8.8.8 one137.dev

nslookup is another popular tool to get a quick answer about the IP address of a FQDN.

[LIVE EXAMPLE]


Registering a Domain Name

If you want to use a domain name on the Internet, you need to register it.

  • Must be purchased through an accredited Registrar (e.g. infomaniak.ch)
  • Annual fees
  • Public registration information / WHOIS (can be hidden)
  • Global DNS propagation
sequenceDiagram
    participant U as User
    participant R as Registrar
    participant I as TLD Registry<br>(runs the TLD under<br>contract with ICANN)

    U->>R: Search for available domain
    R->>I: Check domain availability
    I->>R: Domain available
    R->>U: Domain can be purchased
    U->>R: Purchase domain
    R->>I: Register domain + its NS records
    I->>R: Confirm registration (delegation published in the TLD zone)
    R->>U: Provide domain management tools

The registrar usually also hosts the DNS zone (its name servers become the domain's authoritative servers), but not always: the NS records can point to any DNS provider, as one137.dev does with Cloudflare.

[LIVE EXAMPLE] https://shop.infomaniak.com/order2/select/domain


Domain Zone and Records

As we saw, the Authoritative Servers:

  • Hold the official DNS records for the domains in their zone
  • Are usually provided by the registrar, but can be any DNS name server
  • Are listed, by FQDN, in the "NS" records of the zone itself (and, as the delegation, in the parent zone)
    • Example: dig NS one137.dev
      one137.dev. 86400 IN NS rory.ns.cloudflare.com.

Some common types of DNS records are:

  • A - IPv4 address
  • AAAA - IPv6 address
  • CNAME - Alias
  • MX - Mail exchange
  • NS - Name server
  • TXT - Text record

[LIVE EXAMPLE] https://manager.infomaniak.com/v3/308659/ng/domain/1772208/dns/manage-zone/list https://dash.cloudflare.com/3bafbaf02e7eb31c839bece8729e3a39/one137.dev/dns/records


Using Domains and DNS on a LAN

Local networks can have their own domain namespace and DNS

  • Unlike on the Internet, domain names don't need to be registered or globally unique.
  • Common practice: use lan or home.arpa (reserved for exactly this by RFC 8375) as the TLD, or a subdomain of a global domain you own.
    • Avoid .local: it is reserved for multicast DNS (RFC 6762), so macOS and other mDNS-aware hosts may never send .local names to your DNS server.

You will need a DNS server on your LAN to resolve the names to their IP addresses (most home routers have one).

[LIVE EXAMPLE]

# Ping-scan the LAN, sending the reverse lookups to a global DNS server:
nmap -sn --dns-servers 8.8.8.8 192.168.1.0/24 | grep "report"
# Same scan with the local DNS server: compare which hosts now get a name
nmap -sn --dns-servers 192.168.1.98 192.168.1.0/24 | grep "report"

Which DNS server does my computer use?

The address of your DNS server can be specified:

  1. By the LAN’s DHCP server (most common)
    • Option 6: DNS server address(es)
      • Example 192.168.1.1 (your router), 123.45.67.89 (your ISP’s DNS), 192.168.1.98 (a local DNS)
  2. By manual configuration
    • Static DNS server settings
    • Fallback when DHCP is unavailable

Hostname-to-IP mappings can also be hardcoded in /etc/hosts, which is consulted before DNS.

[LIVE EXAMPLE]

cat /etc/hosts
ssh user@dockerhost cat /etc/hosts
 
ssh user@pihole1 cat /etc/dnsmasq.d/99-second-DNS.conf
 
cat /etc/resolv.conf
scutil --dns  # macOS only, also Settings>Network>Wifi>Details>DNS

Search Domains and local DNS resolution example

The DHCP server (or your manual config) should also specify:

  • A default domain name (e.g. lan or one137.dev), DHCP option 15
    • Devices get their FQDN by combining their hostname with this domain
  • Search domain(s), DHCP option 119
    • List of domains to append when resolving short hostnames
    • Example: typing server1 can resolve to server1.lan or server1.one137.dev

Therefore the full process when typing e.g. ssh user@dockerhost in your terminal is:

  1. Is dockerhost defined in /etc/hosts? => No
  2. Is it a FQDN (trailing dot, or at least ndots dots)? => No
  3. Append the search domain: dockerhost.lan
  4. What's my DNS server? /etc/resolv.conf says 192.168.1.98
  5. Ask 192.168.1.98 for the A record of dockerhost.lan => 192.168.1.101
  6. Establish a TCP connection to 192.168.1.101 on port 22 (ssh)
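
The six steps above as an added worked example, not code from the original slides. RESOLV_CONF, HOSTS and ZONE are constructed stand-ins for /etc/resolv.conf, /etc/hosts and the answers 192.168.1.98 would give, and lookup_dns fakes the network query. It also generalises step 2: glibc uses the ndots option to decide whether a name that already contains dots is tried as-is before or after the search domains.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample files (stand-ins for the real /etc/resolv.conf and /etc/hosts).
RESOLV_CONF = """\
# handed out by DHCP in this example
nameserver 192.168.1.98
search lan one137.dev
options ndots:1
"""

HOSTS = """\
127.0.0.1   localhost
192.168.1.50 nas nas.lan   # hardcoded mapping: consulted before DNS
"""

# Constructed answers standing in for what 192.168.1.98 would return.
ZONE: Dict[str, str] = {
    "dockerhost.lan.": "192.168.1.101",
    "stage.one137.dev.": "188.114.97.12",
}


def parse_resolv_conf(text: str) -> dict:
    conf: dict = {"nameservers": [], "search": [], "ndots": 1}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        key, args = parts[0], parts[1:]
        if key == "nameserver":
            conf["nameservers"].extend(args)
        elif key in ("search", "domain"):  # last one wins, as in glibc
            conf["search"] = args
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    conf["ndots"] = int(opt.split(":", 1)[1])
    return conf


def parse_hosts(text: str) -> Dict[str, str]:
    table: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            for name in parts[1:]:
                table.setdefault(name.lower().rstrip("."), parts[0])
    return table


def candidate_names(name: str, search: List[str], ndots: int) -> List[str]:
    """Names the stub resolver tries, in order (glibc rules): a trailing dot means
    absolute, try only that; a name with at least ndots dots is tried as-is first and
    the search domains after; a shorter name gets the search domains first."""
    if name.endswith("."):
        return [name]
    absolute = name + "."
    searched = [f"{name}.{d}." for d in search]
    return [absolute] + searched if name.count(".") >= ndots else searched + [absolute]


def lookup_dns(fqdn: str, server: str, zone: Dict[str, str]) -> Optional[str]:
    """Stand-in for a real UDP query to <server>: answers from the constructed ZONE."""
    return zone.get(fqdn.lower())


def resolve(name: str, hosts: Dict[str, str], conf: dict,
            zone: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (ip, how) following the order: /etc/hosts, then DNS with search domains."""
    key = name.lower().rstrip(".")
    if key in hosts:
        return hosts[key], "hosts"
    for fqdn in candidate_names(name, conf["search"], conf["ndots"]):
        for server in conf["nameservers"]:
            ip = lookup_dns(fqdn, server, zone)
            if ip:
                return ip, f"dns {fqdn} via {server}"
    return None


if __name__ == "__main__":
    conf, hosts = parse_resolv_conf(RESOLV_CONF), parse_hosts(HOSTS)
    for n in ("dockerhost", "nas", "stage", "stage.one137.dev", "dockerhost."):
        print(f"{n:18} -> {resolve(n, hosts, conf, ZONE)}")
```

Note the security side of search domains: a short name that does not exist under the first search domain is retried under the next, so a typo like ssh user@dockerhots becomes a query for dockerhots.one137.dev sent to the public DNS, leaking internal names and letting whoever controls a search domain answer for them. Keep search domains to zones you control.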

Network Ad-blocking (Pi-hole) Example

Visiting a news website:

sequenceDiagram
    participant B as Browser
    participant P as Pi-hole
    participant D as DNS Servers

    B->>P: Query: news.example.com?
    P->>D: Query: news.example.com?
    D->>P: Response: 93.184.216.34
    P->>B: Response: 93.184.216.34

    B->>P: Query: ads.trackingsite.com?
    Note over P: Check blocking lists
    P->>B: Response: 0.0.0.0 (blocked)

Pi-hole configuration:

# Example blocklist entry
0.0.0.0 ads.trackingsite.com
0.0.0.0 metrics.analytics.com
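
An added example, not Pi-hole's own code, of the decision the Pi-hole box makes in the diagram above. It uses the two blocklist entries shown plus two regex rules and an upstream answer table that I constructed for the example; the regex syntax matches what Pi-hole's regex blocklist accepts.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed blocklist in the hosts format Pi-hole's gravity list uses (not a real list).
BLOCKLIST = """\
0.0.0.0 ads.trackingsite.com
0.0.0.0 metrics.analytics.com
"""
# Regex rules: any subdomain of telemetry.example, and hostnames like ad., ads., adv2.
REGEX_RULES = [r"^(.+\.)?telemetry\.example$", r"^ad[sv]?\d*\."]

# Constructed upstream answers, standing in for the resolvers Pi-hole forwards to.
UPSTREAM = {
    "news.example.com.": {"A": "93.184.216.34"},
    "one137.dev.": {"A": "188.114.97.12"},
}


def load_blocklist(text: str) -> Set[str]:
    """Exact hostnames from hosts-format lines. The address column is ignored: it is
    the blocking mode (0.0.0.0 by default) that decides what the client gets back."""
    names: Set[str] = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            names.update(n.lower().rstrip(".") for n in parts[1:])
    return names


def is_blocked(qname: str, exact: Set[str], regexes: List[re.Pattern]) -> Optional[str]:
    name = qname.lower().rstrip(".")  # DNS names are case-insensitive
    if name in exact:
        return "gravity"
    for rx in regexes:
        if rx.search(name):
            return f"regex {rx.pattern}"
    return None


def answer(qname: str, qtype: str, exact: Set[str], regexes: List[re.Pattern],
           upstream: dict) -> Tuple[str, str]:
    """(answer, reason). Blocked A/AAAA get the unspecified address so the client
    fails immediately instead of connecting to itself (the old 127.0.0.1 trick);
    other record types get an empty answer. Anything else is forwarded upstream."""
    why = is_blocked(qname, exact, regexes)
    if why:
        return {"A": "0.0.0.0", "AAAA": "::"}.get(qtype, ""), f"blocked by {why}"
    rec = upstream.get(qname.lower().rstrip(".") + ".", {}).get(qtype)
    return (rec, "forwarded") if rec else ("", "NXDOMAIN/NODATA upstream")


if __name__ == "__main__":
    exact = load_blocklist(BLOCKLIST)
    rx = [re.compile(r) for r in REGEX_RULES]
    for q in ("news.example.com", "ads.trackingsite.com", "cdn.trackingsite.com",
              "sub.telemetry.example", "adv3.example.net"):
        print(f"{q:24} -> {answer(q, 'A', exact, rx, UPSTREAM)}")
```

The cdn.trackingsite.com case shows the limit of hosts-format lists: they match exact names only, so a tracker that rotates subdomains walks straight past them, which is what the regex rules are for.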

DNS Security

Common threats and protections:

  1. DNS Spoofing / Cache Poisoning: an attacker races the real reply with a forged one carrying a matching transaction ID and question
    • Resolver defences: random 16-bit transaction ID plus random UDP source port, and only accepting records that belong to the zone being queried (bailiwick check)
    • DNSSEC adds cryptographic signatures (RRSIG records) so a validating resolver can reject forged records
    • DNSSEC gives authenticity and integrity, not confidentiality: hiding queries from the network needs DNS over TLS or DNS over HTTPS
  2. DNS Tunneling: data smuggled in query names and TXT/NULL answers, to bypass firewalls that allow DNS out
    • Monitor for unusual patterns: high query volume from one client, very long or high-entropy labels, many unique subdomains under one domain, unusual record types
    • Only let internal clients reach your own resolver; block direct egress on port 53 (and 853)
  3. DDoS Attacks, including amplification attacks that abuse open resolvers
    • Restrict recursion to your own networks (don't run an open resolver) and apply response rate limiting
    • Anycast deployment (load balancing) and response caching absorb the load
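
An added example for point 2, not code from the original slides: a detector for the patterns listed, run over a constructed dnsmasq/Pi-hole style query log. The 192.168.1.77 client and the tunnel.example domain are invented for the example; the thresholds are assumptions to tune against your own traffic.

```python
import math
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed dnsmasq/Pi-hole style query log; not real traffic. 192.168.1.77 plays the
# tunnelling client: hex blobs as labels, TXT lookups, everything under one domain.
SAMPLE_LOG = """\
Mar  3 10:00:01 dnsmasq[812]: query[A] one137.dev from 192.168.1.20
Mar  3 10:00:02 dnsmasq[812]: query[AAAA] stage.one137.dev from 192.168.1.20
Mar  3 10:00:03 dnsmasq[812]: query[A] news.example.com from 192.168.1.20
Mar  3 10:00:04 dnsmasq[812]: query[TXT] 6a3f9c2e1b7d4e8fa0c5d2b9e4f7a1c3.t.tunnel.example from 192.168.1.77
Mar  3 10:00:04 dnsmasq[812]: query[TXT] 2f8e1d7c6b5a4f3e9d0c1b2a3f4e5d6c.t.tunnel.example from 192.168.1.77
Mar  3 10:00:05 dnsmasq[812]: query[TXT] 9c4b2a1f0e8d7c6b5a4f3e2d1c0b9a8f.t.tunnel.example from 192.168.1.77
Mar  3 10:00:05 dnsmasq[812]: query[TXT] e1d2c3b4a5f6978890a1b2c3d4e5f607.t.tunnel.example from 192.168.1.77
Mar  3 10:00:06 dnsmasq[812]: query[A] one137.dev from 192.168.1.77
"""

LINE_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits per character: hex/base32 payloads score around 4, real words 2 to 3."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """(client, qtype, name) per query line; lines that are not queries are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append((m["client"], m["qtype"], m["name"].lower().rstrip(".")))
    return out


def profile_clients(records: List[Tuple[str, str, str]]) -> Dict[str, dict]:
    """Per-client features that a tunnel makes stand out."""
    by_client: Dict[str, list] = defaultdict(list)
    for client, qtype, name in records:
        by_client[client].append((qtype, name))
    profiles = {}
    for client, qs in by_client.items():
        names = [n for _, n in qs]
        per_parent: Dict[str, set] = defaultdict(set)
        for n in names:
            per_parent[".".join(n.split(".")[-2:])].add(n)  # crude "registrable domain"
        profiles[client] = {
            "queries": len(qs),
            "txt_ratio": sum(t in ("TXT", "NULL") for t, _ in qs) / len(qs),
            "max_label_entropy": max(shannon_entropy(n.split(".")[0]) for n in names),
            "max_unique_per_domain": max(len(s) for s in per_parent.values()),
            "avg_name_len": sum(map(len, names)) / len(names),
        }
    return profiles


def flag_tunnels(records, txt_ratio=0.5, entropy=3.5, unique=3) -> Dict[str, List[str]]:
    """Clients whose profile crosses the (assumed) thresholds, with the reasons."""
    flagged: Dict[str, List[str]] = {}
    for client, p in profile_clients(records).items():
        reasons = []
        if p["txt_ratio"] >= txt_ratio:
            reasons.append(f"TXT/NULL ratio {p['txt_ratio']:.2f}")
        if p["max_label_entropy"] >= entropy and p["max_unique_per_domain"] >= unique:
            reasons.append(f"{p['max_unique_per_domain']} high-entropy subdomains under one domain")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, reasons in flag_tunnels(recs).items():
        print(client, "->", "; ".join(reasons))
```

Run it against /var/log/pihole.log (or any dnsmasq log) over a window of minutes rather than the whole file; CDNs and some cloud services also produce long random-looking labels, so treat the per-domain fan-out and the record-type mix together rather than either alone.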

DNSSEC chain of trust (each parent publishes a DS record, a hash of the child's key, and signs it):

flowchart LR
    Root[Root zone key<br>aka trust anchor<br>of the Internet] -->|Signs DS record of| TLD[TLD key<br>e.g. .dev]
    TLD -->|Signs DS record of| Domain[Zone key<br>e.g. one137.dev]
    Domain -->|Signs RRSIG over| Records[DNS records<br>e.g. one137.dev A]

[LIVE EXAMPLE]

dig +trace one137.dev
dig +dnssec one137.dev   # RRSIG records in the answer; the "ad" flag appears only if the resolver validated