Translate domain names to IP addresses
Overview
DNS servers translate host names (the host part of a URL, not the whole URL) into IP addresses. A server answers from its own zone data or cache, and forwards or recursively resolves any request it cannot answer itself.
9.9.9.9 is Quad9 (a non-profit foundation based in Switzerland), a resolver that refuses to answer for known malicious domains, such as those listed at isc.sans.edu/suspicious_domains.html, so a client that uses it cannot reach those domains by name.
Configure DNS
VIDEO: To configure DNS on MacOS:
- Press control+command+, (comma) for System Preferences
- Type Network
- Advanced
- DNS
- Click the “+”
- Type 9.9.9.9
- Add another: 149.112.112.112
- OK
- Apply
- Press command+Q (or click the red icon at the upper-left corner) to dismiss the dialog.
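The same change from a shell, as an added example that is not part of the original page: networksetup applies the resolvers, and scutil shows the resolver order the system will actually use. The service name "Wi-Fi" is an assumption (list yours with networksetup -listallnetworkservices).

```shell
#!/bin/sh
# Added example, not from the original page: set the macOS resolvers from a
# shell instead of clicking through System Preferences, then show what the
# system will actually use. Assumes the network service is named "Wi-Fi"
# (list yours with `networksetup -listallnetworkservices`). Set DRY_RUN=1 to
# print the command instead of running it.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '{
    if (NF != 4) exit 1
    for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
  }'
}

# set_dns <service> <resolver>...: validate, apply with networksetup, verify.
set_dns() {
  svc=$1; shift
  [ $# -gt 0 ] || { echo "no resolvers given" >&2; return 1; }
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "invalid resolver address: $ip" >&2; return 1; }
  done
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "networksetup -setdnsservers $svc $*"
    return 0
  fi
  networksetup -setdnsservers "$svc" "$@" || return 1
  dscacheutil -flushcache                 # drop answers cached from the old resolvers
  networksetup -getdnsservers "$svc"      # the addresses just set
  scutil --dns | grep nameserver          # resolver order the system will really use
}

# Usage: sh set_dns.sh Wi-Fi 9.9.9.9 149.112.112.112
if [ $# -gt 0 ]; then
  set_dns "$@"
fi
```

Flushing the cache matters: until it is flushed, names already cached from the previous (unfiltered) resolver keep resolving even though the new resolver would block them.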
A script that queried a list of known malicious domains through several DNS resolvers showed the share each one refused to resolve:
- 9.9.9.9 # Quad9: filtered 96%
- 1.1.1.2 # Cloudflare malware-blocking resolver: filtered 57%
- 103.247.36.36 # DNSFilter.com (paid service): filtered 16%
- 208.67.222.222 # OpenDNS (acquired by Cisco, now sold as Cisco Umbrella): filtered 9%
- 8.8.8.8 # Google: does not filter
- 1.1.1.1 # Cloudflare: does not filter
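A script of that kind, as an added example rather than the one the page refers to. It queries every domain in a list file through each resolver with dig and counts the blocked answers; how a block is detected is a heuristic of this example (NXDOMAIN, SERVFAIL or REFUSED status, no A record, or a sinkhole address), and the dig fragments embedded below are constructed, not captured.

```shell
#!/bin/sh
# Added example, not the script the page refers to: measure what share of a
# list of test domains each resolver refuses. Point it at whatever feed you
# trust (the page names isc.sans.edu/suspicious_domains.html); needs `dig`
# and network access. The dig fragments below are constructed, not captures.

# Resolvers signal a block in different ways, so classify() uses a heuristic
# that is an assumption of this example, not something the page states:
# blocked = NXDOMAIN/SERVFAIL/REFUSED status, no A record at all, or an A
# record pointing at a sinkhole address (0.0.0.0, 127.0.0.1). A resolver that
# answers with its own block-page address would need that address added here.
# Input: full `dig` output on stdin. Output: "blocked" or "resolved".
classify() {
  awk '
    /status: (NXDOMAIN|SERVFAIL|REFUSED)/                { blocked = 1 }
    $4 == "A" && ($5 == "0.0.0.0" || $5 == "127.0.0.1") { blocked = 1 }
    $4 == "A" && ($5 != "0.0.0.0" && $5 != "127.0.0.1") { answered = 1 }
    END { r = (blocked || !answered) ? "blocked" : "resolved"; print r }'
}

# filter_rate <resolver> <file of domains, one per line>: query each domain
# for an A record through the resolver and print the percentage blocked.
filter_rate() {
  resolver=$1; list=$2; total=0; blocked=0
  while read -r domain; do
    [ -z "$domain" ] && continue
    total=$((total + 1))
    if [ "$(dig "@$resolver" "$domain" A +time=3 +tries=1 | classify)" = blocked ]; then
      blocked=$((blocked + 1))
    fi
  done < "$list"
  [ "$total" -gt 0 ] && echo "$resolver blocked $((blocked * 100 / total))% of $total domains"
}

# Constructed dig fragments (not real captures) that exercise classify() offline:
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; QUESTION SECTION:
;bad.example.                   IN      A'
SAMPLE_SINKHOLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; ANSWER SECTION:
bad.example.            60      IN      A       0.0.0.0'
SAMPLE_RESOLVED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; ANSWER SECTION:
www.example.            300     IN      A       192.0.2.10'

# Usage: sh dnsfilter.sh domains.txt
if [ -n "$1" ]; then
  for r in 9.9.9.9 1.1.1.2 103.247.36.36 208.67.222.222 8.8.8.8 1.1.1.1; do
    filter_rate "$r" "$1"
  done
fi
```

Percentages from such a run depend on the feed used and on how each resolver answers for a blocked name; a resolver that returns a block-page address instead of NXDOMAIN is undercounted until that address is added to classify().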
VIDEO: Lawrence Systems uses Steve Gibson’s DNS Benchmark to show that Google and Quad9 DNS have similar speed.
Dig name from Google’s DNS
- To identify the domain name associated with the IP address of Google’s DNS server:
dig -x 8.8.8.8
Under “ANSWER SECTION:” the PTR record names “dns.google.”:
; <<>> DiG 9.10.6 <<>> -x 8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6599
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;8.8.8.8.in-addr.arpa. IN PTR
;; ANSWER SECTION:
8.8.8.8.in-addr.arpa. 300 IN PTR dns.google.
;; Query time: 64 msec
;; SERVER: 10.11.73.1#53(10.11.73.1)
;; WHEN: Thu Apr 09 13:16:59 MDT 2020
;; MSG SIZE rcvd: 93
A reverse lookup of the IP address for microsoft.com returned “prd1.azuredns-cloud.net. msnhst.microsoft.com”, and one for apple.com returned several names: apple.com, ipad.host, appleid.org, pv-apple-com.apple.com, apple.by. One address can carry several PTR records, and whoever controls the address block (not necessarily the domain owner) sets them, so treat a PTR name as a hint rather than proof of identity unless the name’s forward record points back at the same address.
- To identify the domain name associated with the IP address of the Quad9 DNS service:
dig -x 9.9.9.9
; <<>> DiG 9.10.6 <<>> -x 9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2573
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 17 5b 32 30 30 31 3a 35 30 30 3a 31 34 3a 36 30 30 34 3a 61 64 3a 3a 31 5d 3a 35 33 20 74 69 6d 65 64 20 6f 75 74 20 66 6f 72 20 39 2e 39 2e 39 2e 69 6e 2d 61 64 64 72 2e 61 72 70 61 20 44 4e 53 4b 45 59 ("..[2001:500:14:6004:ad::1]:53 timed out for 9.9.9.in-addr.arpa DNSKEY")
;; QUESTION SECTION:
;9.9.9.9.in-addr.arpa. IN PTR
;; ANSWER SECTION:
9.9.9.9.in-addr.arpa. 169406 IN PTR dns9.quad9.net.
;; Query time: 46 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Mar 17 03:25:37 MDT 2022
;; MSG SIZE rcvd: 150
OPT=15 is an Extended DNS Error option (RFC 8914): the resolver reports that its DNSSEC DNSKEY lookup for 9.9.9.in-addr.arpa timed out, a diagnostic that accompanies the answer rather than replacing it.
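What dig -x does behind the scenes, and the forward-confirmation check the PTR caveat above calls for, as an added example that is not part of the original page: reverse_name builds the in-addr.arpa or ip6.arpa name dig queries, and fcrdns (which needs dig and network access) checks that each PTR name's own A/AAAA record points back at the address.

```shell
#!/bin/sh
# Added example, not from the page: build the reverse-lookup name that
# `dig -x` queries for you, for IPv4 (octets reversed under in-addr.arpa) and
# IPv6 (32 nibbles reversed under ip6.arpa), then do a forward-confirmed
# reverse lookup. The PTR record is set by whoever controls the address block,
# so a PTR of dns.google. proves little until the forward A/AAAA record of that
# name maps back to the same address. fcrdns() needs `dig` and network access.

# reverse_name <ip>: print the in-addr.arpa / ip6.arpa owner name for <ip>.
reverse_name() {
  case $1 in
    *:*)
      printf '%s\n' "$1" | awk '{
        s = tolower($0)
        i = index(s, "::")
        if (i) { left = substr(s, 1, i - 1); right = substr(s, i + 2) }
        else   { left = s; right = "" }
        nl = split(left, L, ":"); nr = split(right, R, ":")
        g = 0
        for (k = 1; k <= nl; k++) G[++g] = L[k]
        if (i) for (k = 1; k <= 8 - nl - nr; k++) G[++g] = "0"   # expand "::"
        for (k = 1; k <= nr; k++) G[++g] = R[k]
        if (g != 8) exit 1                                       # malformed
        hex = ""
        for (k = 1; k <= 8; k++) { h = G[k]; while (length(h) < 4) h = "0" h; hex = hex h }
        out = ""
        for (k = 32; k >= 1; k--) out = out substr(hex, k, 1) "."
        print out "ip6.arpa"
      }' ;;
    *)
      printf '%s\n' "$1" | awk -F. 'NF == 4 { print $4 "." $3 "." $2 "." $1 ".in-addr.arpa"; ok = 1 }
                                   END { if (!ok) exit 1 }' ;;
  esac
}

# fcrdns <ip>: reverse-look up <ip>, then check each PTR name resolves back.
fcrdns() {
  ip=$1; rtype=A
  case $ip in *:*) rtype=AAAA ;; esac
  for name in $(dig +short -x "$ip"); do
    # grep -x needs the textual forms to match; dig prints IPv6 compressed,
    # so pass IPv6 addresses in their compressed form.
    if dig +short "$name" "$rtype" | grep -qx "$ip"; then
      echo "$ip -> $name -> $ip  (forward-confirmed)"
    else
      echo "$ip -> $name  (NOT confirmed: $name does not resolve to $ip)"
    fi
  done
}

# Usage: sh rdns.sh 8.8.8.8
if [ -n "$1" ]; then
  reverse_name "$1"
  fcrdns "$1"
fi
```

A PTR whose forward lookup does not return the original address is exactly what a spoofed reverse name looks like, which is why mail servers and log-analysis tools apply this same forward-confirmed check before trusting a PTR name.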
ICMP Ping
- To identify the IP address of a domain name such as google.com:
ping google.com
NOTE: Because ICMP echo can be a vector for denial of service attacks and a tool for network reconnaissance by malicious actors, many organizations block ping responses at the host or firewall. A missing reply therefore does not mean the host is down, and ping shows only one of a name’s possibly many addresses (dig, above, lists them all).
A sample response returned:
PING google.com (216.58.193.206): 56 data bytes
64 bytes from 142.250.217.110: icmp_seq=15 ttl=119 time=45.650 ms
^C
--- google.com ping statistics ---
16 packets transmitted, 16 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 45.650/68.117/85.318/12.225 ms
Name Servers
Clients – called resolvers – make requests of DNS name servers.
Two DNS servers are usually specified (in client machine TCP/IP properties) for load balancing and fault tolerance.
DNS servers use three record types to answer the three most common query types:
- A (host Address) records answer a forward lookup of an FQDN (host name) to a specific IPv4 address (AAAA records do the same for IPv6).
On Windows, the host name to IP address mappings for a zone are stored in the Domain.dns file in the %systemroot%\System32\Dns folder.
- PTR (Pointer resource) records answer a reverse lookup of an IP address to a host name. They live in reverse zones named by the address octets in reverse order under in-addr.arpa: the zone for 127.0.0.0/24 is 0.0.127.in-addr.arpa, and within it the PTR name for 127.0.0.1 is 1.0.0.127.in-addr.arpa.
- SRV (Service location) records locate the servers that offer a service; Windows clients find domain controllers through SRV records such as _ldap._tcp.dc._msdcs.<domain>. (The server to which a DNS server forwards queries it cannot resolve is a forwarder setting on the server, not a record.)
Active Directory requires DNS to locate domain controllers. On Windows, DNS is installed as a Windows component on a domain controller with a static (not dynamic) IP address.
Other types of resource records:
- NS records name the DNS servers that are authoritative for the zone.
- SOA (Start Of Authority) records indicate the name of origin and other basic properties for each zone, including the primary name server for the zone, the responsible party’s mailbox, a serial number that secondaries use to detect changes, and the refresh, retry, expire and minimum TTL timers.
- CNAME (Canonical name) records define aliases.
- MX (Mail exchanger) records name the mail servers that accept mail for a domain, each with a preference number; the lowest number is tried first.
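The record types above in a zone file, as an added example that is not part of the original page: a script that writes a forward zone and its matching reverse zone (the z.y.x.in-addr.arpa naming described for PTR records) and checks them with BIND's named-checkzone when that tool is installed. The zone name example.com, the host names and the 192.0.2.0/24 addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the page: emit a forward zone and its matching
# reverse zone containing each record type discussed above (SOA, NS, A, CNAME,
# MX, SRV, PTR) and, when BIND's named-checkzone is installed, check them.
# The zone name example.com, host names and 192.0.2.0/24 addresses are
# constructed placeholders; _ldap._tcp.dc._msdcs is the SRV owner name Windows
# clients query to locate domain controllers.

# forward_zone <zone> <dc host> <first three octets> <dc last octet>
forward_zone() {
  zone=$1; dc=$2; net=$3; host=$4
  cat <<EOF
\$ORIGIN $zone.
\$TTL 3600
@    IN SOA   $dc.$zone. hostmaster.$zone. (
                2024010101 ; serial, bump on every change so secondaries notice
                3600       ; refresh
                900        ; retry
                1209600    ; expire
                300 )      ; minimum (negative-cache TTL)
     IN NS    $dc.$zone.
     IN MX    10 mail.$zone.       ; lowest preference number is tried first
$dc  IN A     $net.$host
mail IN A     $net.$((host + 1))
www  IN CNAME $dc.$zone.           ; alias; a CNAME owner holds no other records
_ldap._tcp.dc._msdcs IN SRV 0 100 389 $dc.$zone. ; priority weight port target
EOF
}

# reverse_zone <first three octets> <zone> <dc host> <dc last octet>
reverse_zone() {
  net=$1; zone=$2; dc=$3; host=$4
  arpa=$(printf '%s\n' "$net" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }')
  cat <<EOF
\$ORIGIN $arpa.
\$TTL 3600
@    IN SOA   $dc.$zone. hostmaster.$zone. ( 2024010101 3600 900 1209600 300 )
     IN NS    $dc.$zone.
$host IN PTR $dc.$zone.
$((host + 1)) IN PTR mail.$zone.
EOF
}

# Write both files and validate them when the BIND tools are present.
# Usage: sh zones.sh write
if [ "${1:-}" = write ]; then
  forward_zone example.com dc1 192.0.2 10 > example.com.zone
  reverse_zone 192.0.2 example.com dc1 10 > 2.0.192.in-addr.arpa.zone
  if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone example.com example.com.zone
    named-checkzone 2.0.192.in-addr.arpa 2.0.192.in-addr.arpa.zone
  fi
fi
```

The NS target dc1.example.com. has its own A record in the zone (glue); without it the zone loads but nothing can find the server, which is the most common mistake named-checkzone catches.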
Zones
There is a separate set of DNSNode records for each DNSZone handled by a DNS server.
A name server answers authoritatively only for zones it hosts; queries for other names it forwards, resolves recursively, or refers to other servers.
Zones are part of a hierarchical structure: top-level domains over second-level domains (represented by the organization’s name, such as Microsoft or Compaq), and so on.
Standard | Active Directory Integrated
---|---
DNSZone | Container Objects
DNSNode | Leaf Objects
With standard zones, zone data is stored in text files; the primary server holds the writable copy and secondaries pull zone transfers from it. This is the single-master model.
Alternatively, a Windows 2000 (or later) DNS service can store zones in the Active Directory Integrated database. Because AD replication copies the data to every domain controller running DNS, each of them can accept updates: a multi-master model.
This is done in the DNS console GUI: in a zone’s Properties dialog box, on the General tab, click the Change button next to the zone type.
From the command line, nslookup.exe enters an interactive mode that first shows the server it will query:
nslookup.exe
Default Server: rns2.earthlink.net
Address: 207.217.77.82
To stop using AD-integrated storage, change the zone type back to Standard on the same General tab. The related server-level setting “Load zone data on startup” on the Advanced tab (From registry, From file, or From Active Directory and registry) controls where the server reads its zone list when it starts.
Configuration
On most current Linux systems /etc/resolv.conf is generated (by resolvconf, NetworkManager or systemd-resolved) and hand edits to it are overwritten, so set resolvers in the network configuration instead.
On Ubuntu releases that use ifupdown, within /etc/network/interfaces:
dns-nameservers 192.168.1.1 8.8.8.8
dns-search example.com
Reload the network with /etc/init.d/networking reload. (Newer Ubuntu releases configure the network with netplan instead.)
- On Red Hat, write to the interface file:
/etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=8.8.8.8
DNS2=192.168.1.1
To activate:
service network restart
or, on systemd-based releases where NetworkManager manages the interface:
systemctl restart NetworkManager
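Because the file you edited is not necessarily what the host uses, check the live resolvers rather than the configuration. The following is an added example, not part of the original page: it lists the active resolvers (from resolvectl when systemd-resolved is in use, else /etc/resolv.conf) and flags any not on an approved list, which catches DHCP, a VPN client or malware pointing the host at a rogue resolver. The approved list, the sample resolv.conf and the assumed "Link N (ifname): addr addr" format of resolvectl dns output are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the page: since /etc/resolv.conf is usually
# generated, audit the resolvers the host is really using and flag any that
# are not on an approved list (a quick check for DHCP, a VPN client or
# malware pointing the box at a rogue resolver). The approved list and the
# sample resolv.conf are constructed for this example; `resolvectl dns`
# output format is assumed to be "Link N (ifname): addr addr".

APPROVED="9.9.9.9 149.112.112.112 192.168.1.1"

# Print the nameserver addresses from a resolv.conf-format file, in order.
resolvers_in() {
  awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print the resolvers the running system uses. With systemd-resolved the
# 127.0.0.53 in resolv.conf is only its local stub, so ask resolved itself.
active_resolvers() {
  if command -v resolvectl >/dev/null 2>&1; then
    resolvectl dns 2>/dev/null | awk -F': ' 'NF > 1 && $2 != "" {
      n = split($2, a, " "); for (i = 1; i <= n; i++) print a[i] }'
  else
    resolvers_in /etc/resolv.conf
  fi
}

# Read resolver addresses on stdin; print each one not in APPROVED and
# return 1 if any was found.
audit() {
  bad=0
  while read -r r; do
    case " $APPROVED " in
      *" $r "*) ;;
      *) echo "unexpected resolver: $r"; bad=1 ;;
    esac
  done
  return $bad
}

# Constructed sample (not a real file): one approved and one rogue resolver.
SAMPLE=$(mktemp)
printf 'search example.com\nnameserver 9.9.9.9\nnameserver 203.0.113.7\n' > "$SAMPLE"

# Usage: sh dns_audit.sh live     (audit this host)
#        sh dns_audit.sh          (audit the constructed sample)
if [ "${1:-}" = live ]; then
  active_resolvers | audit && echo "all resolvers approved"
elif resolvers_in "$SAMPLE" | audit; then
  echo "sample: all resolvers approved"
else
  echo "sample: rogue resolver present"
fi
```

Run it from a cron job or a configuration-management check; a resolver outside the approved list is worth an alert, since whoever answers DNS for a host decides where its traffic goes.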
A response status of NXDOMAIN means the queried name does not exist as far as the answering server is concerned; it is also how some filtering resolvers, Quad9 included, answer for names they block.
Windows DNS
Use the Windows Network Monitor to monitor and capture packets sent to and from DNS servers.
DNS server administration can be scripted with this utility, originally shipped in the Support Tools on the Windows Server product CD and built into later server releases:
- DNSCMD.EXE
Windows computers dynamically register their A (and PTR) records with DNS when they boot. To force a member server to register itself with DNS immediately:
- ipconfig /registerdns
Event Log
In the Event Log, the DNS log shows DNS request activity, but it doesn’t show specific zone property changes or information about existing zone transfers.
Caching-only DNS servers host no zones of their own; they answer from data cached while resolving queries, starting from the root servers listed in Root Hints (the Cache.dns file), rather than from DNS zone transfers.