DNS: An Introduction

Posted on January 27th, 2012 by Kyle Cooper

Over the next few weeks, we’re going to be delving into the topic of DNS: what it is, and how malicious attackers can use it against you.

DNS stands for Domain Name System. It is a key networking protocol used by the internet and private networks alike.

All computers use IP addresses to identify and communicate with one another across a network. IP addresses are difficult for humans to remember, so we use domain names to keep track of our favorite websites and network resources. That's where DNS comes into play. Simply put, DNS takes a human-readable domain name and translates it into a machine-usable IP address, which the network can then use to deliver the traffic and complete the task at hand.

Several components and steps go into this process. A DNS request starts with the resolver: the client-side component (often called the stub resolver) that builds the query and sends it on behalf of an application. The trigger can be a user typing a URL into a browser, an email client connecting to its mail server to check for new messages, or any other process that needs to reach a resource by name.

Once a request is made, the computer first checks its local resolver cache to see whether it already has a current address for the name. If not, the query goes to the device's configured DNS server (on a Windows domain this is typically the domain controller, which usually also runs the DNS service). That name server checks its own cache; on a miss it either resolves the name itself or, if it is configured with a forwarder (commonly the internet service provider's recursive name server), passes the query upstream. The forwarder checks its cache in turn and, if it still has no record, performs the full recursive lookup: it asks a root name server, which refers it to the name servers for the top-level domain (for example .com), which in turn refer it to the name servers that are authoritative for the domain itself. Only the authoritative server gives the definitive answer; the root and TLD servers supply referrals, not the final IP address. Each server along the way caches the answer for the record's TTL, which is why a second lookup of the same name is usually answered without leaving the network.
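As an added illustration (not code from the original post), the following toy model walks the chain described above: a client cache in front of the site's forwarding name server, in front of an upstream recursive resolver that follows root, TLD and authoritative referrals. The zone data, server labels and IP addresses are constructed for illustration (RFC 5737 documentation ranges) and no network traffic is sent; the trace returned by `lookup` shows which cache or server answered each step.

```python
# Added example (not code from the original post): a toy model of the resolution
# chain. Zone data, server names and IP addresses are constructed for illustration
# (RFC 5737 documentation ranges); nothing here touches the network.

# Records held by each server. "NS" entries are referrals: (type, server name, glue IP).
# "A" entries are final answers: (type, IP address).
ROOT_ZONE = {"com.": ("NS", "a.gtld-servers.example", "192.0.2.1")}
COM_ZONE = {"example.com.": ("NS", "ns1.example.com.", "192.0.2.2")}
EXAMPLE_ZONE = {"www.example.com.": ("A", "198.51.100.10")}

# Which data each server answers with, keyed by the address the resolver contacts.
SERVERS = {"root": ROOT_ZONE, "192.0.2.1": COM_ZONE, "192.0.2.2": EXAMPLE_ZONE}


def ask_server(server, name):
    """One non-recursive query: returns a final A record, a referral to the closest
    enclosing zone this server knows about, or None (name does not exist)."""
    zone = SERVERS[server]
    record = zone.get(name)
    if record is not None and record[0] == "A":
        return record
    labels = name.split(".")
    # Strip leading labels until a delegated zone matches: "example.com.", then "com."
    for i in range(1, len(labels)):
        referral = zone.get(".".join(labels[i:]))
        if referral is not None and referral[0] == "NS":
            return referral
    return None


class IterativeResolver:
    """A recursive name server (for example the ISP's): on a cache miss it walks
    root -> TLD -> authoritative itself, following each referral's glue address."""

    def __init__(self, label):
        self.label = label
        self.cache = {}

    def resolve(self, name, trace):
        if name in self.cache:
            trace.append(f"{self.label}:cache-hit")
            return self.cache[name]
        trace.append(f"{self.label}:cache-miss")
        server = "root"
        while True:
            trace.append(f"ask {server}")
            record = ask_server(server, name)
            if record is None:
                raise LookupError(f"NXDOMAIN {name}")
            if record[0] == "A":
                self.cache[name] = record[1]
                return record[1]
            server = record[2]  # follow the referral to the next server


class ForwardingResolver:
    """A caching server that never walks the tree itself: on a miss it forwards the
    whole query upstream (the client's stub cache and the site's DNS server here)."""

    def __init__(self, label, upstream):
        self.label = label
        self.upstream = upstream
        self.cache = {}

    def resolve(self, name, trace):
        if name in self.cache:
            trace.append(f"{self.label}:cache-hit")
            return self.cache[name]
        trace.append(f"{self.label}:cache-miss")
        self.cache[name] = self.upstream.resolve(name, trace)
        return self.cache[name]


def build_chain():
    """Client cache -> site DNS server (forwarding only) -> ISP recursive resolver."""
    isp = IterativeResolver("isp-recursive")
    site = ForwardingResolver("site-dns", isp)
    return ForwardingResolver("client", site)


def lookup(chain, name):
    """Resolve `name` and return (ip, trace of the caches and servers consulted)."""
    trace = []
    ip = chain.resolve(name, trace)
    return ip, trace


if __name__ == "__main__":
    chain = build_chain()
    for _ in range(2):  # second lookup is answered from the client cache
        print(lookup(chain, "www.example.com."))
```

The first lookup misses every cache and consults three servers; the second is answered by the client cache alone. A name that no server holds ends with a `LookupError`, standing in for an NXDOMAIN response from the authoritative server.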

The diagram below demonstrates a request that needs to run through this entire process.


Using this information, we can begin painting a picture of what normal DNS traffic on a network should look like. DNS traffic leaving the network should come only from the designated internal name servers (on a Windows network, usually the domain controllers). A few systems, such as email servers and filtering appliances, legitimately query Internet DNS servers directly, and those exceptions should be known and documented. Any other host sending DNS queries to external servers, bypassing the internal name servers, could indicate a malicious DNS configuration on that host. These will be discussed further in a future installment.
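A first-pass check of that baseline, as an added example that is not part of the original post: it scans flow records for internal hosts sending DNS (port 53, UDP or TCP) to external addresses and reports any source that is neither a designated name server nor a documented exception. The internal address range, the server addresses, the log format and the sample records are all constructed for illustration; adapt the parser to whatever your firewall or NetFlow export actually produces.

```python
# Added example (not code from the original post): flagging hosts that bypass the
# internal name servers for external DNS. Addresses come from private and RFC 5737
# documentation ranges; the flow format and sample records are constructed.
import ipaddress
from collections import Counter

# Assumed: internal address space, the designated internal name servers
# (domain controllers) and the documented exceptions that may query directly.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DESIGNATED_DNS = {"10.0.0.2", "10.0.0.3"}
DOCUMENTED_EXCEPTIONS = {"10.0.0.20"}  # mail server that resolves MX records itself

# Constructed sample records: timestamp src_ip dst_ip proto dst_port
SAMPLE_FLOWS = """\
2012-01-27T10:00:01 10.0.0.5 10.0.0.2 udp 53
2012-01-27T10:00:02 10.0.0.2 198.51.100.53 udp 53
2012-01-27T10:00:03 10.0.0.77 203.0.113.9 udp 53
2012-01-27T10:00:04 10.0.0.20 198.51.100.53 udp 53
2012-01-27T10:00:05 10.0.0.77 203.0.113.9 tcp 53
2012-01-27T10:00:06 10.0.0.5 203.0.113.80 tcp 80
this line is malformed and must be skipped, not crash the scan
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Return (src, dst, proto, port) or None for a line that does not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]),
                parts[3].lower(), int(parts[4]))
    except ValueError:
        return None


def find_rogue_dns(flow_text):
    """Internal hosts sending DNS (53/udp or 53/tcp) to external addresses while
    being neither a designated name server nor a documented exception.
    Returns a sorted list of (src, dst, flow_count)."""
    hits = Counter()
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, proto, port = flow
        if port != 53 or proto not in ("udp", "tcp"):
            continue
        if not is_internal(src) or is_internal(dst):
            continue  # only outbound DNS is the baseline being checked
        if str(src) in DESIGNATED_DNS or str(src) in DOCUMENTED_EXCEPTIONS:
            continue
        hits[(str(src), str(dst))] += 1
    return sorted((s, d, n) for (s, d), n in hits.items())


if __name__ == "__main__":
    for src, dst, n in find_rogue_dns(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:53 ({n} flows) bypasses the internal name servers")
```

On the sample records only 10.0.0.77 is reported: the domain controller and the mail server are expected to talk to external resolvers, and the workstation's port 80 traffic is not DNS. In practice the exception list is the part that needs maintaining; a host that appears here once is worth a look at its resolver settings before assuming it is benign.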

More Reading:
http://uits.iu.edu/page/adns
http://www.howstuffworks.com/dns.htm
http://en.wikipedia.org/wiki/Domain_Name_System
