How DNS System Works


Blockchain on a DNS System!


Note

If you are new to the field of cybersecurity, taking our Intro to Cybersecurity (free self-paced) course is highly recommended. If you are already familiar with cybersecurity, taking our Intro to Blockchain Cybersecurity course is highly recommended.

 

The Domain Name System (DNS) is mainly designed to resolve a host name query to an IP address. Internet users need to have domain names, such as www.coding-bootcamps.com, but the internet needs an IP address to route the request to the desired destination. This way, DNS becomes the phonebook of the internet and allows everyone to use it globally; however, this also leaves a high possibility of it getting misused. In this article, we will learn about the DNS infrastructure, the core components, challenges with the existing system, and how blockchain can transform its current functionality.

In this article, we will cover the following topics:

  • DNS
  • DNS structure and hierarchy
  • DNS topology for large enterprises
  • Challenges with the current DNS solution
  • Blockchain-based DNS solution

 

DNS

DNS is the heart of the internet. If DNS is unavailable, each one of us will have a hard time finding resources on the internet. Being a massive phonebook of the internet, our entire online system relies heavily on DNS. Because of DNS namespaces, none of us have to remember a list of IP addresses; instead, we just have to remember the names of web pages.

For IT and security professionals, it is important to understand the basic structure, function, and operation of DNS. It is a hierarchical database with delegated authority. Within the scope of this article, we will consider enterprise DNS deployments and their functions. There are two ways organizations can manage their DNS infrastructure: by letting their Internet Service Provider (ISP) manage it or by managing it internally. In the former case, any configuration mistake or failure in the ISP network can take down the organization's internet infrastructure.

With the growing number of internet users, DNS has become the backbone of an organization's presence on the internet, which gives organizations a strong reason to control their own DNS. With an efficient DNS deployment, organizations can even achieve better email spam filtering and optimized network topologies. Here are just a few ways in which the DNS plays a vital role in organizations:

  • Anti-spam: DNS-based mechanisms such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) ensure that only a predefined list of domains is allowed to send email on behalf of a specific organization. These mechanisms are only effective if the organization's DNS is working properly.
  • Load sharing: DNS services can optimize the server infrastructure by load sharing the traffic of highly utilized servers with other underutilized servers.
  • Privacy: DNS services ensure the privacy of an organization's namespace information by masking addresses with different names, depending on whether they are accessed from inside or outside of the network, helping to achieve stronger network security.

 

Understanding DNS components

The DNS is more than just a protocol: it consists of several independent entities working together to deliver a scalable and reliable domain name database. In its simplest form, there are three core components of the DNS: the namespace, the server, and the resolver.

 

Namespace

The namespace is the structure of the DNS database. It is represented as an inverted tree with its root node at the top. Each node in the tree has a label, and the root node has a null (empty) label.

[Diagram in the original article: the DNS namespace as an inverted tree]

A domain name is the sequence of labels from a node up to the root, separated by dots. The namespace can have a maximum depth of 127 levels, and a domain name can be no more than 255 characters in length.

Name servers

Name servers are responsible for storing information about the namespace in the form of zones. There can be many name servers; those that load a complete zone are said to be authoritative for that zone. Generally, more than one name server is authoritative for a single zone, which provides redundancy and shares the load.

There are two main types of name servers: authoritative servers and caching servers:

  • Authoritative name server: It provides responses to DNS queries. It is responsible for delivering original and definitive answers to each DNS query. There can be two types of authoritative name servers:
    • Master server (primary name server): It stores the original copies of all zone records. An administrator makes changes only to the master server's zone database.
    • Slave server (secondary name server): A slave server keeps a copy of master server files. It is used to share DNS server load and to improve DNS zone availability.
  • Caching name server: It brings the name service closer to the user and improves overall name lookup performance. It also provides a comprehensive mechanism for providing private namespaces to local users, by allowing users to obtain all name mapping from local caching.

 

Resolver

The name resolver finds data in the namespace by querying name servers. To begin, the resolver must know the names and IP addresses of the name servers for the root zone. The root name servers store information about the top-level zones and tell the resolver which servers to contact for each top-level domain (TLD). The resolver breaks the name into its labels and works from right to left: the first component, the TLD, is looked up at a root server to obtain the designated authoritative server, and the walk continues one level down the tree at a time.
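As an added example (not code from the article), here is a toy iterative resolver in Python that walks constructed zone data from a root server down to the authoritative server, which is exactly the right-to-left walk over the labels described above. Server names and addresses are placeholders, and a single stand-in server answers for each level of the hierarchy.

```python
from typing import Dict, List, Optional, Tuple

# Constructed data (not real infrastructure): one stand-in each for a root
# server, a .com TLD server and the zone's own authoritative server.
# 192.0.2.0/24 is the RFC 5737 documentation range.
ROOT_HINT = "a.root.example."          # placeholder root server name
SERVERS: Dict[str, dict] = {
    "a.root.example.": {
        "zone": ".",
        "delegations": {"com.": ["a.gtld.example."]},        # referral to the TLD
        "records": {},
    },
    "a.gtld.example.": {
        "zone": "com.",
        "delegations": {"coding-bootcamps.com.": ["ns1.coding-bootcamps.com."]},
        "records": {},
    },
    "ns1.coding-bootcamps.com.": {
        "zone": "coding-bootcamps.com.",
        "delegations": {},
        "records": {"www.coding-bootcamps.com.": "192.0.2.10"},  # authoritative A record
    },
}

def labels_right_to_left(name: str) -> List[str]:
    """'www.coding-bootcamps.com.' -> ['com', 'coding-bootcamps', 'www']"""
    return [label for label in name.rstrip(".").split(".") if label][::-1]

def best_referral(server: dict, qname: str) -> Optional[str]:
    """Most specific delegation whose zone is a suffix of qname, or None."""
    best_zone, best_ns = "", None
    for zone, ns_list in server["delegations"].items():
        if (qname == zone or qname.endswith("." + zone)) and len(zone) > len(best_zone):
            best_zone, best_ns = zone, ns_list[0]
    return best_ns

def resolve(name: str, max_steps: int = 8) -> Tuple[Optional[str], List[str]]:
    """Iteratively resolve name to an IPv4 address.
    Returns (address or None, servers consulted in order). Starting from the
    root hint, each server either answers authoritatively or refers us one
    level down the tree, one label at a time from right to left."""
    qname = name if name.endswith(".") else name + "."
    server, path = ROOT_HINT, []
    for _ in range(max_steps):        # bound the walk so a referral loop cannot hang us
        path.append(server)
        info = SERVERS[server]
        if qname in info["records"]:
            return info["records"][qname], path
        server = best_referral(info, qname)
        if server is None:
            return None, path         # no data and no referral: the name does not exist
    return None, path
```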

 

DNS structure and hierarchy

Just as the internet has its DNS infrastructure, organizations also deploy their own internal DNS infrastructures. For an internal deployment, an organization can choose any domain hierarchy; however, once connected to the internet, it has to follow the common DNS framework. Let's understand the name server hierarchy.

 

Root name server

With consistent namespaces across the internet, the root name server directly responds to requests for records in the root zone and answers other requests by returning a list of the authoritative name servers for the appropriate TLD.

In order to modify the root zone, a zone file has first to be published over the internet. The root zone file is published on 13 servers from A to M across the internet.

The root zone contains the following information:

  • Generic top-level domains such as .com, .net, and .org
  • Globally recognized TLDs
  • Country code TLDs, two-letter codes for each country such as .in for India or .no for Norway
  • Globally recognized TLDs, generally similar to country code TLD names

 

The root zone contains the numeric addresses of the name servers that serve each TLD's contents, and the root server answers with these addresses when asked for a name under that TLD.

When an organization obtains a new domain name, the registrar typically configures DNS records on its behalf and provides it with a name server (NS). An organization needs a name server to tell the internet's DNS directory the IP addresses of its web servers and corresponding services.

 

Current TLD structure

The TLD is one of the domains at the highest level of the DNS hierarchy. TLDs are installed in the root zone of the namespace, and the TLD is the last label of a fully qualified domain name. The Internet Corporation for Assigned Names and Numbers (ICANN) ensures that TLDs are managed by delegated organizations. The Internet Assigned Numbers Authority (IANA) is operated by ICANN and is responsible for managing the DNS root zone.

IANA is responsible for managing the following TLDs:

  • ccTLD: Country-code TLDs
  • gTLD: Generic TLDs
  • .arpa: Infrastructure TLDs

 

[Diagram in the original article: hierarchical view of the existing TLD structure]

 

Registries, registrars, and registrants

The DNS stores a massive database of domain names. In order to perform registration, there are three entities working together—registry, registrar, and registrant:

  • Registry: An organization that maintains the database of a namespace and has edit rights to that database. The registry runs the authoritative NS for the namespace and manages the TLD names. Its role is to create domain name extensions, set the rules for domain names, and work with registrars to provide domain names to the public. For example, Verisign manages the registration of .com domain names and their DNS.
  • Registrar: An organization that reserves domain names and is accredited to sell them to the public. A registrar must be accredited by a generic Top-Level Domain (gTLD) registry or a country code Top-Level Domain (ccTLD) registry, and it works under the guidelines provided by the domain name registries. Only a designated registrar can modify or delete information about domain names in the central registry database. End users buy domains directly from a registrar and have the right to switch registrars, which invokes a domain transfer process between registrars. Some of the most popular registrars are GoDaddy, HostGator, and BigRock, among many others.
  • Registrant: This is simply the end user who holds the rights to a domain name. As a domain name registrant, every person has certain rights and responsibilities, including access to information from the user's registrar regarding processes for registering, managing, transferring, renewing, and restoring the domain name registration.

[Diagram in the original article: how the registry, registrar, and registrant work together]

 

DNS records

DNS records are the entries in a zone file that tell a DNS server which IP addresses each domain name is associated with and how requests for that domain should be handled. Each record has a type, identified by a short string of letters, and these type names are sometimes referred to as the DNS syntax. The main types are A, AAAA, Canonical Name (CNAME), mail exchanger (MX), pointer (PTR), name server (NS), Start of Authority (SOA), service (SRV), text (TXT), and Name Authority Pointer (NAPTR). Let's explore some of these DNS records in detail:

  • SOA: An SOA record marks the beginning of a zone file. It consists of the name of the zone, a technical point of contact, its primary NS, a serial number, and timing values.

[Screenshot in the original article: SOA record lookup]

 

  • NS: NS records identify the authoritative name servers for the zone. NS records also delegate subdomains to other organizations or zone files. For example, a lookup for www.google.com returns the list of NS records for its zone.

 

  • A records: Address records establish the forward binding from names to addresses. In this example, an IP address is mapped to the domain www.google.com.

[Screenshot in the original article: A record lookup for www.google.com]

 

  • MX records: These records identify the servers that can exchange emails. A priority is always associated with each of the records, so the user can choose the primary and backup mail servers.
  • TXT records: These records deliver a method to expand the information provided through DNS. This text record stores information about the SPF that can identify the authorized server to send email on behalf of your organization.
  • CNAME: A CNAME is an alias from one domain or subdomain name to another, used to direct traffic. For example, a CNAME can indicate that the Secure File Transfer Protocol (SFTP) server is on the same system as the mail server. CNAMEs are particularly useful when the server is not under the organization's control, such as a hosted or managed web server.
  • PTR records: These records provide the reverse binding from addresses to names. PTR records should exactly match the forward maps.
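As an added example (not from the article), the Python below parses a small constructed forward zone and its matching reverse zone, covering the SOA, NS, MX, TXT (SPF), A, CNAME and PTR record types just described, and then runs the check the last bullet calls for: every PTR must be confirmed by an A record pointing back to the same address. The zone contents, names and addresses are constructed for illustration.

```python
from typing import List, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, rdata)
# Constructed zones (not the article's data); 192.0.2.0/24 is the RFC 5737 documentation range.
FORWARD_ZONE = """
$ORIGIN coding-bootcamps.com.
@    IN SOA   ns1.coding-bootcamps.com. hostmaster.coding-bootcamps.com. 2024010101 3600 900 1209600 300
@    IN NS    ns1
@    IN MX    10 mail          ; primary mail exchanger
@    IN TXT   "v=spf1 mx -all" ; SPF: only the MX hosts may send our mail
www  IN A     192.0.2.10
mail IN A     192.0.2.25
ns1  IN A     192.0.2.53
sftp IN CNAME mail             ; SFTP is on the same system as mail
"""
REVERSE_ZONE = """
$ORIGIN 2.0.192.in-addr.arpa.
10 IN PTR www.coding-bootcamps.com.
25 IN PTR mail.coding-bootcamps.com.
53 IN PTR ns1.coding-bootcamps.com.
99 IN PTR old.coding-bootcamps.com.  ; deliberately stale: no A record points back here
"""

def parse_zone(text: str) -> List[Record]:
    """One-record-per-line parser: $ORIGIN, '@', relative names, optional TTL, ';' comments."""
    origin, records = ".", []
    for raw in text.splitlines():
        parts = raw.split(";", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "$ORIGIN":
            origin = parts[1]
            continue
        owner = parts.pop(0)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        if parts[0].isdigit():
            parts.pop(0)                          # optional TTL
        if parts[0].upper() == "IN":
            parts.pop(0)                          # class
        rtype, rdata = parts[0].upper(), parts[1:]
        if rtype in ("NS", "MX", "CNAME", "PTR") and not rdata[-1].endswith("."):
            rdata[-1] = f"{rdata[-1]}.{origin}"   # qualify a relative target name
        records.append((owner, rtype, " ".join(rdata)))
    return records

def ptr_to_ip(owner: str) -> str:
    """'10.2.0.192.in-addr.arpa.' -> '192.0.2.10'"""
    return ".".join(reversed(owner[: -len(".in-addr.arpa.")].split(".")))

def ptr_mismatches(forward: List[Record], reverse: List[Record]) -> List[Tuple[str, str]]:
    """(ip, name) pairs whose PTR has no A record pointing back, i.e. the check behind
    'PTR records should exactly match the forward maps'."""
    a_records = {(o, r) for o, t, r in forward if t == "A"}
    return [(ptr_to_ip(o), r) for o, t, r in reverse
            if t == "PTR" and (r, ptr_to_ip(o)) not in a_records]
```

Running `ptr_mismatches(parse_zone(FORWARD_ZONE), parse_zone(REVERSE_ZONE))` flags only the stale 192.0.2.99 entry.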

 

DNS topology for large enterprises

For IT professionals, understanding DNS queries and the types of name server takes us most of the way to organizational DNS best practices:

  • Network topology: Redundancy plays a critical role in domain infrastructure. Even if one server fails, another takes control to keep the service up and running. BIND (widely used DNS software) supports high redundancy through a master-slave relationship. The master NS updates the change in mapping to one or more slave servers through the zone transfer mechanism.
  • Configuration files: BIND's configuration is stored in a file called named.conf. This file tells the server whether it acts as an authoritative and/or caching server and whether it is the master or slave for each specific zone. It points to the zone files that contain the real mapping database: the lines, or records, that define the name-to-address and address-to-name mappings for a specific domain.

 

Architecture

With changing technology and network transformation, DNS has had to be upgraded over time, and bodies such as the DNS Operations, Analysis, and Research Center (DNS-OARC) and the Internet Systems Consortium (ISC), which maintains BIND, drive that work. The following diagram shows a standard DNS architecture built to optimize the DNS infrastructure:

[Diagram in the original article: standard DNS architecture]

 

The preceding standard DNS architecture can be described as follows:

  • Master DNS zone: The master zone holds the read/write copy of the zone data. Only one master zone is allowed in a network. All DNS records are written to the master zone, manually or automatically, and the data is stored in a standard text file.
  • Slave DNS zone: The slave zone is a read-only copy of the zone data, usually copied from the master zone. If an attempt is made to change a DNS record on the secondary zone, it can be redirected to a zone with read/write access. The slave DNS zone serves as a backup of the DNS zone file.
  • Aggregate Caching Forwarder (ACF): It forwards requests instead of processing them itself; when the upstream server responds, it passes the answer back to its own client. In some setups, the resolver is also a forwarder or caching forwarder. It may or may not cache data, but it is useful for systems such as small office/home office (SOHO) gateways that want to provide DNS data to DHCP clients that have no predefined DNS server address.

 

Challenges with current DNS

Today, DNS has become the backbone of the internet and of organizations' networks. The DNS is mission-critical infrastructure that no organization can function without. However, despite growing investment in network and information security, attackers still manage to invade networks, and the DNS remains a vulnerable component of the network infrastructure that is often used as an attack vector. Firewalls leave port 53 open and never look inside each query. Let's look at some of the most widely used DNS-based attacks and how to counter them.


MITM-proof DNS infrastructure

This approach uses a public key pinning technique to eliminate the MITM problem. Public key pinning specifies two pin-sha256 values; that is, it pins two public keys: one is the pin of a public key in the current certificate chain, and the other is the pin of a public key that is not in the current certificate chain (a backup pin):

  • It works in parallel with existing DNS servers
  • Websites and individuals store their public keys in the blockchain
  • The keys are shared over the DNSChain software framework
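As an added example (not code from the article or the DNSChain project), the pin-check policy described above in Python: a pin-sha256 is the base64 SHA-256 of a DER SubjectPublicKeyInfo, and a pin set is valid only if one pin is in the presented chain and one backup pin is not. The SPKI byte strings below are constructed stand-ins, not real keys.

```python
import base64
import hashlib
from typing import Iterable, Set, Tuple

def pin_sha256(spki_der: bytes) -> str:
    """pin-sha256 as used by HTTP Public Key Pinning (RFC 7469):
    base64 of the SHA-256 digest of the DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def check_pins(chain_spkis: Iterable[bytes], pinned: Set[str]) -> Tuple[bool, str]:
    """Validate a presented certificate chain against a pin set.

    At least one pinned key must appear somewhere in the chain (otherwise the
    chain was substituted, as in a MITM), and at least one pinned key must NOT
    be in the chain (a backup pin, so a key rollover cannot lock clients out).
    """
    chain_pins = {pin_sha256(spki) for spki in chain_spkis}
    if len(pinned) < 2:
        return False, "pin set needs a current pin and a backup pin"
    if not (chain_pins & pinned):
        return False, "no pinned key in presented chain: possible MITM"
    if not (pinned - chain_pins):
        return False, "no backup pin outside the chain"
    return True, "ok"

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
LEAF_SPKI = b"constructed-spki:leaf-key"
INTERMEDIATE_SPKI = b"constructed-spki:intermediate-key"
BACKUP_SPKI = b"constructed-spki:backup-key-kept-offline"
ROGUE_SPKI = b"constructed-spki:attacker-leaf-key"
ROGUE_CA_SPKI = b"constructed-spki:attacker-ca-key"

# The legitimate chain, and a substituted chain issued by a CA the site never used.
LEGIT_CHAIN = [LEAF_SPKI, INTERMEDIATE_SPKI]
ROGUE_CHAIN = [ROGUE_SPKI, ROGUE_CA_SPKI]

# The site pins its intermediate's key (in the chain) and an offline backup key (not in it).
PIN_SET = {pin_sha256(INTERMEDIATE_SPKI), pin_sha256(BACKUP_SPKI)}

if __name__ == "__main__":
    print("legit:", check_pins(LEGIT_CHAIN, PIN_SET))
    print("rogue:", check_pins(ROGUE_CHAIN, PIN_SET))
```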

 

DNS spoofing

When a DNS server's records are altered to redirect the traffic to the attacker's server, the DNS gets hijacked. This redirection of traffic allows the attacker to spread malware across the network. DNS spoofing can be carried out in one of the following three ways:

  • DNS cache poisoning: An attacker can take advantage of cached DNS records and can then perform spoofing by injecting a forged DNS entry into the DNS server. As a result, all users will now be using that forged DNS entry until the time the DNS cache expires.
  • Compromising a DNS server: A DNS server is the heart of the entire DNS infrastructure. An attacker can use several attack vectors to compromise a DNS server and can provide the IP address of a malicious web server against each legitimate DNS query.
  • Man-in-the-middle (MITM) attack: In this type of attack, a threat actor keeps listening to conversations between clients and a DNS server. After gathering information and sequence parameters, it starts spoofing the client by pretending to be the actual DNS server and provides the IP addresses of malicious websites.

 

Blockchain-based DNS solution

Blockchain technology has the capabilities to transform several industries and in this article, we are going to use it for managing a name server to overcome some of the most critical DNS challenges. DNSChain is one of the most active projects to transform the DNS framework and protect it from spoofing challenges.

DNSChain is a blockchain-based DNS software suite that replaces X.509 public key infrastructure (PKI) and delivers MITM-proof authentication. It allows internet users to set a public DNSChain server for DNS queries and access that server with domains ending in .bit.

 

X.509 PKI replacement

X.509 is a standard framework that defines the format of PKI to identify users and entities over the internet. It helps internet users to know whether the connection to a specific website is secure or not. DNSChain has the capability to provide a scalable and decentralized replacement that doesn't depend on third parties.

This article was written in collaboration with Raj Gupta, who holds CISA, CPISI, COBIT 5, ISMS LA, CDPO-GDPR, CEH, and CHFI certifications. He is also the author of the book Hands-On Cybersecurity with Blockchain.
