Wilson Mar

Translate domain names to IP addresses

Overview

DNS servers obtain IP addresses for domain names; a server forwards any request it cannot resolve from its own tables.

9.9.9.9 is operated by Quad9 (a non-profit based in Switzerland), which does not resolve known malicious domains, such as those defined at isc.sans.edu/suspicious_domains.html.

Configure DNS

VIDEO: To configure DNS on MacOS:

  1. Press control+command+, (comma) for System Preferences
  2. Type Network
  3. Advanced
  4. DNS
  5. Click the “+”
  6. Type 9.9.9.9
  7. Add another: 149.112.112.112
  8. OK
  9. Apply
  10. Press command+Q, or click the red icon at the upper-left corner, to dismiss the dialog.

A script that tested several DNS resolvers showed the percentage of test domains each one filtered:

  • 9.9.9.9 # from Quad9 filtered 96%
  • 1.1.1.2 # Cloudflare Malware filtered 57%
  • 103.247.36.36 # DNSFilter.com (paid service) filtered 16%
  • 208.67.222.222 # OpenDNS (paid service bought by Cisco Umbrella) filtered 9%
  • 8.8.8.8 # from Google does not filter
  • 1.1.1.1 # from Cloudflare does not filter

VIDEO: Lawrence Systems uses Steve Gibson’s DNS Benchmark to show that Google and Quad9 DNS have similar speed.

Dig name from Google’s DNS

  1. To identify the domain name associated with the IP address of Google’s DNS server:

    dig -x 8.8.8.8 

    Under “ANSWER SECTION:” the PTR record returned is “dns.google.”:

    ; <<>> DiG 9.10.6 <<>> -x 8.8.8.8
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6599
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
     
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;8.8.8.8.in-addr.arpa.		IN	PTR
     
    ;; ANSWER SECTION:
    8.8.8.8.in-addr.arpa.	300	IN	PTR	dns.google.
     
    ;; Query time: 64 msec
    ;; SERVER: 10.11.73.1#53(10.11.73.1)
    ;; WHEN: Thu Apr 09 13:16:59 MDT 2020
    ;; MSG SIZE  rcvd: 93
    

    For Microsoft.com, the PTR response is “prd1.azuredns-cloud.net. msnhst.microsoft.com”.

    For apple.com, the PTR responses include apple.com, ipad.host, appleid.org, pv-apple-com.apple.com and apple.by.

  2. To identify the domain name associated with the IP address of the Quad9 DNS service:

    dig -x 9.9.9.9 
    ; <<>> DiG 9.10.6 <<>> -x 9.9.9.9
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2573
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
     
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ; OPT=15: 00 17 5b 32 30 30 31 3a 35 30 30 3a 31 34 3a 36 30 30 34 3a 61 64 3a 3a 31 5d 3a 35 33 20 74 69 6d 65 64 20 6f 75 74 20 66 6f 72 20 39 2e 39 2e 39 2e 69 6e 2d 61 64 64 72 2e 61 72 70 61 20 44 4e 53 4b 45 59 ("..[2001:500:14:6004:ad::1]:53 timed out for 9.9.9.in-addr.arpa DNSKEY")
    ;; QUESTION SECTION:
    ;9.9.9.9.in-addr.arpa.		IN	PTR
     
    ;; ANSWER SECTION:
    9.9.9.9.in-addr.arpa.	169406	IN	PTR	dns9.quad9.net.
     
    ;; Query time: 46 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Thu Mar 17 03:25:37 MDT 2022
    ;; MSG SIZE  rcvd: 150
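As an added example (not code from the original page), the script below does in Python what the filtering comparison and the dig -x lookups above do by hand: it builds raw DNS queries over UDP, parses the reply, and scores a resolver by how many test domains it refuses (NXDOMAIN, an empty answer, or a 0.0.0.0 sinkhole address), while reverse_lookup sends the same PTR query that dig -x sends. The resolver addresses are the ones listed above; the list of test domains is the reader's own (bad.example in the comments is a constructed placeholder).

```python
import ipaddress, socket, struct

def build_query(name, qtype, txid=0x1234):
    """Build a DNS query: RFC 1035 header with RD set, plus one IN question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def decode_name(pkt, off):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, end = [], None
    while pkt[off] != 0:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                     # compression pointer (RFC 1035 4.1.4)
            end = end or off + 2                 # the name ends after its first pointer
            off = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    return ".".join(labels) + ".", (end or off + 1)

def parse_response(pkt):
    """Return (txid, rcode, answers): A rdata as dotted IPv4, PTR rdata as a name."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    off, answers = 12, []
    for _ in range(qd):                          # skip the echoed question section
        off = decode_name(pkt, off)[1] + 4
    for _ in range(an):
        off = decode_name(pkt, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        if rtype == 1:                           # A record: 4-byte address
            answers.append(str(ipaddress.IPv4Address(pkt[off + 10:off + 14])))
        elif rtype == 12:                        # PTR record: a domain name
            answers.append(decode_name(pkt, off + 10)[0])
        off += 10 + rdlen
    return txid, flags & 0xF, answers

def is_filtered(rcode, answers):  # NXDOMAIN (rcode 3), empty answer, or sinkhole 0.0.0.0
    return rcode == 3 or not answers or answers == ["0.0.0.0"]

def query(server, name, qtype=1, timeout=3.0):
    """One UDP query to a resolver, reply parsed (needs network; not used by tests)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return parse_response(s.recv(4096))

def filtered_percent(server, domains):          # the "filtered N%" figure per resolver
    return 100.0 * sum(is_filtered(*query(server, d)[1:]) for d in domains) / len(domains)

def reverse_lookup(server, ip):                 # dig -x: PTR for in-addr.arpa / ip6.arpa
    return query(server, ipaddress.ip_address(ip).reverse_pointer, qtype=12)[2]
```

For example, filtered_percent("9.9.9.9", ["bad.example"]) queries Quad9 for the constructed placeholder and reverse_lookup("8.8.8.8", "8.8.8.8") returns ["dns.google."], as in the dig output above.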
    

ICMP Ping

  1. To identify the IP address of a domain name such as google.com:

    ping google.com

    NOTE: Because ping can be a vector for denial-of-service attacks, and to limit network reconnaissance by malicious actors, many organizations disable ICMP ping responses.

    A sample response returned:

    PING google.com (216.58.193.206): 56 data bytes
    64 bytes from 142.250.217.110: icmp_seq=15 ttl=119 time=45.650 ms
    ^C
    --- google.com ping statistics ---
    16 packets transmitted, 16 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 45.650/68.117/85.318/12.225 ms
    

Name Servers

Clients – called resolvers – make requests of DNS name servers.

Two DNS servers are usually specified (in client machine TCP/IP properties) for load balancing and fault tolerance.

DNS servers refer to 3 types of records to answer 3 types of queries:

  • A (host Address) records are used to answer forward lookup of an FQDN (host name) to a specific IP address.

    On Windows, the host name to IP address mappings for a zone are stored in the Domain.dns file in the %systemroot%\System32\Dns folder.

  • PTR (Pointer resource) records are used to answer a reverse lookup of an IP address to a host name (another DNS domain name location). IP address to host name mappings are kept in an in-addr.arpa zone file named with the address octets reversed (z.y.x.w.in-addr.arpa for w.x.y.z); for example, create a 1.0.0.127.in-addr.arpa zone file for the reverse lookup of 127.0.0.1.

  • SRV (Server location) records are used to locate domain controllers. SRV specifies the server to which a DNS name server forwards when it cannot resolve a query.

    Windows servers require DNS to locate domain controllers. On Windows, DNS is installed as a Windows component on a domain controller with a static (not dynamic) IP address.

Other types of resource records:

  • NS records notate which DNS servers are designated as authoritative for the zone.

  • SOA (Start Of Authority) records indicate the name of origin and other basic properties for each zone, including the name of the primary server that is the source of information about the zone.

  • CNAME (Canonical name) records define aliases.

  • MX (Mail exchanger) records name the mail servers for a domain, each with a preference number.
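As an added illustration (not from the original page), the two BIND-style zone files below show the record types listed above for a constructed example.com zone and its reverse zone; all names and addresses are made up.

```zone
; --- file 1: forward zone for example.com (constructed example) ---
$ORIGIN example.com.
$TTL 3600
@       IN  SOA   ns1.example.com. hostmaster.example.com. (
                  2024010101 ; serial
                  3600       ; refresh
                  900        ; retry
                  1209600    ; expire
                  300 )      ; minimum (negative-caching TTL)
@       IN  NS    ns1.example.com.       ; NS: authoritative servers for the zone
@       IN  NS    ns2.example.com.
@       IN  MX    10 mail1.example.com.  ; MX: lower preference number is tried first
@       IN  MX    20 mail2.example.com.
ns1     IN  A     192.168.1.2            ; A: host name -> IPv4 address
ns2     IN  A     192.168.1.3
mail1   IN  A     192.168.1.10
mail2   IN  A     192.168.1.11
dc1     IN  A     192.168.1.20
web     IN  A     192.168.1.30
www     IN  CNAME web.example.com.       ; CNAME: alias for another name
; SRV: service location, here the record AD clients use to find an LDAP domain controller
; fields: priority weight port target
_ldap._tcp.dc._msdcs  IN  SRV  0 100 389 dc1.example.com.

; --- file 2: reverse zone for 192.168.1.0/24, octets reversed in the zone name ---
$ORIGIN 1.168.192.in-addr.arpa.
$TTL 3600
@       IN  SOA   ns1.example.com. hostmaster.example.com. (
                  2024010101 3600 900 1209600 300 )
@       IN  NS    ns1.example.com.
2       IN  PTR   ns1.example.com.       ; PTR: 192.168.1.2 -> host name
20      IN  PTR   dc1.example.com.       ; 192.168.1.20
30      IN  PTR   web.example.com.       ; 192.168.1.30
```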

Zones

There is a separate set of DNSNode records for each DNSZone handled by a DNS server.

A DNS server only resolves queries for zones for which it has authority.

Zones are part of a hierarchical structure of top-level domains over second-level domains (represented by the organization’s name, such as Microsoft or Compaq), etc.

Standard versus Active Directory Integrated storage: in Active Directory Integrated storage, each DNSZone is a container object and each DNSNode is a leaf object.

DNS zone data can be stored in text files on primary or secondary domain controllers. This is the single-master model.

Alternately, you can change a Windows 2000 DNS service to use the Active Directory Integrated database. Replication of AD data to other servers makes this a multi-master model.

This is done using the DNS Console Manager GUI: in a zone’s Properties dialog box, on the General tab, click the Change button.

Alternately, use a script to issue sub-commands from the nslookup.exe command interface:

    nslookup.exe
    Default Server:   rns2.earthlink.net
    Address: 207.217.77.82

AD Integration is reversed in the Advanced tab by setting the “Load Data On Startup” field to “From Registry”.

Configuration

One no longer edits /etc/resolv.conf directly.

On Ubuntu, within /etc/network/interfaces:

    dns-nameservers 192.168.1.1 8.8.8.8
    dns-search example.com

Reload the network configuration using /etc/init.d/networking reload

On Red Hat, write to the interface file /etc/sysconfig/network-scripts/ifcfg-eth0:

    DNS1=8.8.8.8
    DNS2=192.168.1.1

To activate:

    service network restart
    systemctl restart NetworkManager

Response “NXDOMAIN” means that the domain name was not found.


Windows DNS

Use the Windows Network Monitor to monitor and capture packets sent to and from DNS servers.

DNS server administration can be done by a script using this utility from the Windows Server product CD:

    DNSCMD.EXE

A server registers its A (host address) record with DNS when it first boots up. To force a member server to register itself with DNS:

    ipconfig /registerdns

Event Log

In the Event Log, the DNS log file shows DNS request activities. But it doesn’t show specific zone property changes or information about existing zone transfers.

Caching-only DNS servers work from data cached while resolving queries through the root servers listed in Root Hints (stored in the Cache.dns file), rather than from DNS zone transfers.