The Domain Name System (DNS) is designed mainly to resolve a host name query to an IP address. Internet users work with domain names, such as www.coding-bootcamps.com, but the internet needs an IP address to route the request to the desired destination. In this way, DNS becomes the phonebook of the internet and allows everyone to use it globally; however, this central role also leaves it wide open to misuse. In this article, we will learn about the DNS infrastructure, its core components, the challenges with the existing system, and how blockchain can transform its current functionality.
In this article, we will cover the following topics:
DNS is the heart of the internet. If DNS is unavailable, each one of us will have a hard time finding resources on the internet. Being a massive phonebook of the internet, our entire online system relies heavily on DNS. Because of DNS namespaces, none of us have to remember a list of IP addresses; instead, we just have to remember the names of web pages.
For IT and security professionals, it is important to understand the basic structure, function, and operations of DNS. It is a hierarchical database with delegated authority. Within the scope of this article, we will consider enterprise DNS deployments and their functions. There are two ways organizations can manage their DNS infrastructure: by allowing their Internet Service Provider (ISP) to manage it or by managing it internally. Any configuration mistake or failure in the ISP's network can bring down the organization's internet infrastructure.
With the growing number of internet users, DNS became the backbone of organizations' presence on the internet, which gives organizations a strong reason to control their own DNS. With an efficient DNS deployment, organizations can even achieve better email spam-filtering systems and optimized network topologies. Here are just a few ways in which the DNS plays a vital role in organizations:
The DNS is more than just a protocol; it consists of several independent entities working together to deliver a scalable and reliable domain name database. In its simplest form, there are three core components of the DNS: the namespace, the server, and the resolver.
A namespace is a structure of the DNS database. It is represented in the form of an inverted tree with its root node at the top. Each node in the tree has a label and the root node has a null label. Take a look at the following diagram:
A domain name is the sequence of labels starting from a node and going up to the root, separated by dots. The namespace can have a maximum depth of 127 levels, and a domain name cannot exceed 255 characters in length:
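The label structure and the size limits described above, as an added example that is not part of the original article: it walks a name up the tree to the root's null label and encodes it in DNS wire format, enforcing the 63-octet label, 255-octet name and 127-level depth limits (RFC 1035 values, with the depth figure taken from the text).

```python
MAX_LABEL = 63    # RFC 1035: each label is at most 63 octets
MAX_NAME = 255    # RFC 1035: a wire-format name is at most 255 octets
MAX_DEPTH = 127   # the maximum depth quoted above (the root's null label is not counted)

def split_labels(name: str) -> list:
    """Labels of a name from the leaf towards the root; the root's null label is implicit."""
    name = name.rstrip(".")        # "www.example.com." and "www.example.com" name the same node
    return name.split(".") if name else []

def ancestors(name: str) -> list:
    """Every node on the path from this name up to the root, as fully qualified names."""
    labels = split_labels(name)
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]

def encode_name(name: str) -> bytes:
    """DNS wire format: each label prefixed by its length, terminated by the root's zero byte."""
    labels = split_labels(name)
    if len(labels) > MAX_DEPTH:
        raise ValueError("name has too many labels")
    wire = b""
    for label in labels:
        raw = label.encode("ascii")          # internationalised names would be punycoded first
        if not 1 <= len(raw) <= MAX_LABEL:   # rejects empty labels ("a..b") and over-long ones
            raise ValueError(f"bad label length for {label!r}")
        wire += bytes([len(raw)]) + raw
    wire += b"\x00"                          # the root node's null label
    if len(wire) > MAX_NAME:
        raise ValueError("name exceeds 255 octets on the wire")
    return wire

def decode_name(wire: bytes) -> str:
    """Inverse of encode_name (no compression pointers), returning the name with a trailing dot."""
    labels, pos = [], 0
    while wire[pos] != 0:
        length = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels) + "."
```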
Name servers are responsible for storing information about the namespace in the form of zones. There can be multiple name servers and ones that load a complete zone are said to be authoritative for the zone. Generally, there is more than one name server used as authoritative for a single zone, ensuring better redundancy and sharing the load.
There are two main types of name servers: authoritative servers and caching servers:
The name resolver helps the name server to find data in the namespace. To start, the resolver needs the names and IP addresses of the name servers for the root zone. The root name servers hold information about the top-level zones and tell the resolver which servers to contact for each top-level domain (TLD). The resolver basically breaks the name into its labels and works through them from right to left. The first component, the TLD, is looked up via a root server to obtain the designated authoritative server.
Similar to the internet's DNS infrastructure, organizations also deploy their own internal DNS infrastructures. To deploy an internal DNS infrastructure, organizations can select any domain hierarchy; however, once connected to the internet, they have to follow the common DNS framework. Let's understand the name server hierarchy.
With consistent namespaces across the internet, the root name server directly responds to requests for records in the root zone and answers other requests by returning a list of the authoritative name servers for the appropriate TLD.
To modify the root zone, an updated root zone file must first be published on the internet. The root zone file is published on the 13 root servers, named A to M, across the internet.
The root zone contains the following information:
The root zone contains the numeric addresses of the name servers that serve each TLD's contents, and a root server answers with these addresses when it is asked about a name under that TLD.
When organizations get a new domain name, the registrar typically configures DNS records on their behalf and provides them with a name server (NS). Organizations need a name server to tell the internet's DNS directory the IP addresses of their web servers and corresponding services.
The TLD is one of the domains at the highest level of the DNS hierarchy. TLDs are installed in the root zone of the namespace, and the TLD is the last label of a fully qualified domain name. The Internet Corporation for Assigned Names and Numbers (ICANN) ensures that TLDs are managed by delegated organizations. The Internet Assigned Numbers Authority (IANA) is operated by ICANN and is responsible for managing the DNS root zone.
IANA is responsible for managing the following TLDs:
This hierarchical diagram explains the existing TLD structure:
The DNS stores a massive database of domain names. In order to perform registration, there are three entities working together: the registry, the registrar, and the registrant:
Here is a diagram that shows the workings of all three entities together:
DNS records are the entries in a zone that tell DNS servers which IP addresses and services each domain is associated with, and they determine how requests for each domain are handled. Each record has a type, written as a short string of letters, that tells the server what kind of data the record holds. The main record types are A, AAAA, Canonical Name (CNAME), mail exchanger (MX), pointer (PTR), name server (NS), Start of Authority (SOA), service (SRV), text (TXT) and Name Authority Pointer (NAPTR). Let's explore some of these DNS records in detail:
A records: Address records establish the forward binding from names to addresses. In this example, we have an IP address mapped with the domain
PTR records: Pointer records establish the reverse binding from addresses back to names, and they should exactly match the forward maps.
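A consistency check between the forward (A) records and the reverse (PTR) records, as an added example that is not part of the original article. The record set is constructed and deliberately contains one address with no PTR, one PTR that disagrees with the forward map, and one stale PTR with no forward record; the reverse owner names are derived with the standard library.

```python
import ipaddress

# Constructed sample records, (owner, type, rdata): a forward zone plus its reverse zone.
RECORDS = [
    ("www.coding-bootcamps.com.", "A", "192.0.2.10"),
    ("mail.coding-bootcamps.com.", "A", "192.0.2.25"),
    ("old.coding-bootcamps.com.", "A", "192.0.2.30"),                    # no PTR at all
    ("10.2.0.192.in-addr.arpa.", "PTR", "www.coding-bootcamps.com."),    # consistent
    ("25.2.0.192.in-addr.arpa.", "PTR", "smtp.coding-bootcamps.com."),   # disagrees with the A record
    ("40.2.0.192.in-addr.arpa.", "PTR", "ghost.coding-bootcamps.com."),  # stale: no forward record
]

def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an address (works for IPv4 in-addr.arpa and IPv6 ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def check_forward_reverse(records) -> list:
    """Return (kind, detail) findings where the A/AAAA records and PTR records do not agree."""
    forward = {(owner, rdata) for owner, t, rdata in records if t in ("A", "AAAA")}
    ptr = {owner: rdata for owner, t, rdata in records if t == "PTR"}
    findings = []
    # Every address in the forward map must have a PTR that names the same host.
    for name, ip in sorted(forward):
        rev = reverse_name(ip)
        if rev not in ptr:
            findings.append(("missing_ptr", f"{ip} has no PTR; expected {rev} -> {name}"))
        elif ptr[rev] != name:
            findings.append(("ptr_mismatch", f"{rev} -> {ptr[rev]} but the forward map says {name}"))
    # Every PTR must correspond to an address that still appears in the forward map.
    forward_by_rev = {reverse_name(ip) for _, ip in forward}
    for rev, target in sorted(ptr.items()):
        if rev not in forward_by_rev:
            findings.append(("orphan_ptr", f"{rev} -> {target} has no forward record"))
    return findings
```

Hosts with several A records (round-robin) are handled, since every (name, address) pair is checked on its own.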
For IT professionals, understanding DNS queries and the types of name server takes us most of the way to organizational DNS best practices:
With changing technology and network transformation, DNS has had to be upgraded over time, guided by bodies such as the DNS Operations, Analysis, and Research Center (DNS-OARC) and the Internet Systems Consortium (ISC). In the following diagram, we can see a standard DNS architecture built to optimize the DNS infrastructure:
The preceding standard DNS architecture can be described as follows:
Aggregate Caching Forwarder (ACF): It basically forwards the requests instead of processing them itself. When the upstream server responds, the forwarder passes the answer back to its own client. In some situations, the resolver can also be a forwarder or a caching forwarder. It may or may not cache the data; however, it is useful for systems such as small office home office (SOHO) gateways that want to provide DNS data to DHCP clients that don't have a predefined address for the DNS server.
Today, DNS has become the backbone of the internet and of organizations' networks. The DNS is mission-critical infrastructure that no organization can function without. However, despite growing investment in network and information security, attackers still manage to invade the network, and the DNS remains a vulnerable component of the network infrastructure that is often used as an attack vector. Firewalls leave port 53 open and do not look inside each query. Let's look at one of the most widely used DNS-based attacks:
This uses a public key pinning technique to address the MITM attack problem. Public key pinning specifies two pin-sha256 values; that is, it pins two public keys: one is the pin of a public key in the current certificate chain, and the other is a backup pin of a public key that is not in the current certificate chain:
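The two-pin rule described above, as an added example that is not part of the original article: it parses a Public-Key-Pins header, computes pin-sha256 values (base64 of the SHA-256 over the SubjectPublicKeyInfo DER bytes) and checks that one pin matches a key in the served chain while another is a backup outside it. The SPKI byte strings are constructed stand-ins, not real DER.

```python
import base64
import hashlib
import re

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of the SHA-256 digest over the SubjectPublicKeyInfo DER bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_hpkp(header: str) -> dict:
    """Split a Public-Key-Pins header value into its pins and its other directives."""
    pins, directives = [], {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        m = re.fullmatch(r'pin-sha256="([A-Za-z0-9+/=]+)"', part)
        if m:
            pins.append(m.group(1))
        elif "=" in part:
            key, value = part.split("=", 1)
            directives[key.strip().lower()] = value.strip()
        else:
            directives[part.lower()] = True      # flag directives such as includeSubDomains
    return {"pins": pins, "directives": directives}

def validate_hpkp(header: str, chain_spkis: list) -> list:
    """Return the policy violations for a header against the SPKIs of the served chain."""
    parsed = parse_hpkp(header)
    pins, chain_pins = parsed["pins"], {spki_pin(s) for s in chain_spkis}
    problems = []
    if len(pins) < 2:
        problems.append("fewer than two pins")
    if not any(p in chain_pins for p in pins):
        problems.append("no pin matches a key in the served chain")   # clients would reject the site
    if not any(p not in chain_pins for p in pins):
        problems.append("no backup pin outside the served chain")    # key rotation would lock users out
    if "max-age" not in parsed["directives"]:
        problems.append("max-age directive missing")
    return problems

# Constructed stand-in SPKI bytes (not real DER) for the served key and the offline backup key.
LEAF_SPKI = b"constructed-leaf-spki-bytes"
BACKUP_SPKI = b"constructed-backup-spki-bytes"
GOOD_HEADER = (f'pin-sha256="{spki_pin(LEAF_SPKI)}"; pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
               'max-age=5184000; includeSubDomains')
```

Browsers have since removed support for HPKP, so a check like this is only useful when auditing legacy headers.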
When a DNS server's records are altered to redirect the traffic to the attacker's server, the DNS gets hijacked. This redirection of traffic allows the attacker to spread malware across the network. DNS spoofing can be carried out in one of the following three ways:
Blockchain technology has the capabilities to transform several industries and in this article, we are going to use it for managing a name server to overcome some of the most critical DNS challenges. DNSChain is one of the most active projects to transform the DNS framework and protect it from spoofing challenges.
DNSChain is a blockchain-based DNS software suite that replaces the X.509 public key infrastructure (PKI) and delivers MITM-proof authentication. It allows internet users to point to a public DNSChain server for DNS queries and access that server with domains ending in .bit.
X.509 is the standard that defines the certificate format used by PKI to identify users and entities over the internet. It helps internet users to know whether the connection to a specific website is secure or not. DNSChain aims to provide a scalable and decentralized replacement that doesn't depend on third parties.
This article is written in collaboration with Raj Gupta, who holds CISA, CPISI, Cobit 5, ISMS LA, CDPO-GDPR, CEH, and CHFI certifications. He is also the author of the book Hands-On Cybersecurity with Blockchain.