Domain Name System

DNS is a system used in TCP/IP networks for naming computers and network services.DNS locates computers and services through user-friendly names. It is a hierarchically distributed database and it is defined primarily by RFC 1034 and 1035.The distributed database establishes an inverted logical tree called a domain namespace.Each node or domain in that space has a unique name and the top of the tree is the root.The function of the DNS Server is to store a database containing DNS information,to respond to queries and to replicate the DNS information to other DNS servers.

DNS Queries

DNS supports several different types of queries such as forward-lookup that allows clients to resolve a host name to an IP address,and reverse-lookup queries that resolves an IP address to a host name. Dns also provides a way to cache DNS information to reduce the number of queries required,this means that instead of sending a query to a name server it checks its local cache first.The information is held there for set amount of time called Time-to-Live.

Main components of DNS:

1.Resource records stored in a distributed database 2.DNS Servers responsible for maintaining specific zones 3.DNS resolvers running on the clients.

Resource records

Resource records are used to store domain information.DNS name servers contain resource records for those portions of the DNS namespace for which they are authoritative.

SOA (Start of Authority): Indicates that the server is the best authoritative source for data concerning the zone. Each zone must have an SOA record, and only one SOA record can be in a zone.

NS (Name Server): Identifies a DNS server functioning as an authority for the zone. Each DNS server in the zone (whether primary master or secondary) must be represented by an NS record.

A (Address): Provides a name-to-address mapping that supplies an IPv4 address for a specific DNS name. This record type performs the primary function of the DNS: converting names to addresses.

AAAA (Address): Provides a name-to-address mapping that supplies an IPv6 address for a specific DNS name. This record type performs the primary function of the DNS: converting names to addresses.

PTR (Pointer): Provides an address-to-name mapping that supplies a DNS name for a specific address in the domain. This is the functional opposite of an A record, used for reverse lookups only.

CNAME (Canonical Name): Creates an alias that points to the canonical name (real name) of a host identified by an A record.

MX (Mail Exchanger): Identifies a system that will direct email traffic sent to an address in the domain to the individual recipient, a mail gateway, or another mail server.

Srv (Service location): Makes it possible to find a server providing a specific service. Active Directory uses SRV records to locate domain controllers, global catalog servers, Lightweight Directory Access Protocol (LDAP) servers, and Kerberos servers. SRV records are created automatically.

DNS Zones

Primary zone: Creates a primary zone that contains the master copy of the zone database, where administrators make all changes to the zones resource records. If the Store The Zone In Active Directory (Available Only If DNS Server Is A Domain Controller) check box is cleared, the server creates a primary master zone database file on the local drive.

Secondary zone: The secondary zone contains a backup copy of the primary master zone database file.You can only update the resource records in a secondary zone by replicating the primary master zone database file, by using a process called a zone transfer.

Stub zone: Creates a copy of a primary zone that contains the key resource records that identify the authoritative servers for the zone. The stub zone forwards or refers requests.

Active Directory Integrated: Stores information in Active Directory and uses Active directory to replicate zone information can only be used when you deploy Active Directory on the network.Can only be on domain controllers.

DNS Threats

DNS can be threatened in several ways by attackers: Footprinting: The process by which DNS zone data is obtained by an attacker to provide the attacker with the DNS domain names, computer names, and IP addresses for sensitive network resources.

Denial-of-service attack: An attempt by an attacker to deny the availability of network services by flooding one or more DNS servers in the network with recursive queries.

IP Spoofing: An attempt by an attacker that has footprinted a network using DNS to use valid IP addresses in IP packets the attacker has created, which gives these packets the appearance of coming from a valid IP address in the network.

Redirection: An attacker redirecting queries for DNS names to servers under the control of the attacker. One method of redirection involves the attempt to pollute the DNS cache of a DNS server with DNS data that may direct future queries to servers under the control of the attacker.

Securing DNS

A DNS Server service that is running on a multihomed computer is by default,configured to listen for DNS queries using all of its IP addresses. Limit the IP addresses that the DNS Server service listens on to the IP address that its DNS clients use as their preferred DNS server. By default, the DNS Server service is secured from cache pollution, which results when DNS query responses contain nonauthoritative or malicious data. The Secure cache against pollution option helps prevent an attacker from successfully polluting the cache of a DNS server. Recursion is not disabled for the DNS Server service. This makes it possible for the DNS server to perform recursive queries on behalf of its DNS clients and DNS servers that have forwarded DNS client queries to it. Recursion may be used by attackers to deny the DNS Server service. Therefore, if a DNS server in your network is not intended to receive recursive queries, it should be disabled. If you have an internal DNS root in your DNS infrastructure, configure the root hints of internal DNS servers to point only to the DNS servers that host your root domain, not the DNS servers that host the Internet root domain.