Network literacy: Understanding DNS in one article

[[328762]]

Hello everyone, I am Brother Ming.

During job interviews, interviewers like to test basic knowledge. In addition to data structures and algorithms, network knowledge is also a very important subject of examination.

However, network knowledge is usually very abstract and difficult to understand, and many students fail here.

It just so happens that I haven’t shared any content related to the Internet in this official account before, so I plan to reorganize some knowledge about the Internet, which may be useful during your interviews.

Today I will start sharing the first article in this network literacy series: DNS.

1. What is DNS?

DNS is the abbreviation of Domain Name System, which is the domain name resolution system. Its function is very simple, which is to find the corresponding IP address based on the domain name.

You can think of it as a giant phone book. For example, when you want to access the domain name www.163.com, you must first find out its IP address through DNS: 112.48.162.8.

2. Domain name hierarchy

Since I will talk about the DNS resolution process later, you need to have some understanding of the domain name hierarchy.

• Root domain name: .root or ., usually omitted
• Top-level domains, such as .com, .cn, etc.
• Secondary domain names, such as baidu in baidu.com, are available for users to register and purchase.
• Host domain name, such as baike in baike.baidu.com, which is user-assignable

 Host name.Subdomain name.Top-level domain name.Root domain name
 baike.baidu.com.root

3. DNS resolution process

Let's take the domain name www.163.com as an example and see what happens when you visit www.163.com:

1. First search the local DNS cache (on your own computer), return if there is one, otherwise go to the next step
2. Check whether there is a corresponding mapping record in the local hosts file. If yes, return. If not, proceed to the next step.
3. Send a request to the local DNS server (usually provided by your network access server provider, such as China Telecom, China Mobile) to query. After receiving the request, the local DNS server will first check its own cache record. If it finds the record, it will return it directly. If it does not find the record, the local DNS server will initiate a query request to the DNS root domain name server: Excuse me, what is the IP address of www.163.com?
4. After receiving the request, the root domain name server sees that it is a .com domain name and replies: This domain name is managed by .com brother, you can ask him, this is .com brother’s contact information (ip1).
5. After receiving the reply, the local DNS server immediately sends a request to the top-level domain name server of .com according to the contact information (ip1) given by Big Brother: Excuse me, .com, what is the IP address of www.163.com?
6. After receiving the request, the .com top-level domain name server sees that it is a 163.com domain name and replies: This domain name is managed by .163.com brother, you can just ask him, here is his contact information (ip2)
7. After receiving the reply, the local DNS server, following the instructions of the predecessor (ip2), sends a request to the authoritative domain name server .163.com: Excuse me, 163.com, what is the IP address of www.163.com?
8. After receiving the request, the 163.com authoritative domain name server confirmed that it was a domain name it managed, and immediately checked its notebook and told the local DNS server the IP address of www.163.com.
9. After receiving the reply, the local DNS server was very happy, because it finally got the IP address of www.163.com, and immediately told the client (your computer) the message. Since this process is quite long, in order to save time and not to bother the big brothers, the local DNS server secretly recorded the query result in its own notebook, so that it can respond quickly the next time someone comes to query.

To sum up, there are three sentences

• From the "root domain name server", find the NS record and A record (IP address) of the "top-level domain name server"
• Find the NS record and A record (IP address) of the "sub-domain name server" from the "top-level domain name server"
• Find the IP address of the "host name" from the "secondary domain name server"

4. DNS cache time

In the above steps, you can see that there are two places where DNS query records will be cached. With caching, query efficiency will be improved to a certain extent, but at the same time there will be a loss in accuracy.

Therefore, when we configure DNS resolution, there will be a TTL parameter (Time To Live), which means how long the cache can survive. After this time, the local DNS will delete the record. After deleting the cache, if you visit again, you must go through the above process again to obtain the latest address.

5. DNS record types

After we buy a domain name in Alibaba Cloud, we can configure our host domain name resolution rules, that is, records.

Alibaba Cloud Domain Name Cloud Resolution

Common DNS record types are as follows

• A: Address record (Address), returns the IP address pointed to by the domain name.
• NS: Domain Name Server record (Name Server), returns the server address that stores the next-level domain name information. This record can only be set to a domain name, not an IP address.
• MX: Mail eXchange, returns the server address for receiving emails.
• CNAME: Canonical Name record, returns another domain name, that is, the domain name currently queried is a jump to another domain name, see below for details.
• PTR: Pointer Record, which is only used to query domain names from IP addresses. See below for details.

6. DNS message structure

Later I will use wireshark to capture DNS packets, but before starting, I need to understand the DNS message structure.

• Transaction ID: The ID of the DNS message. The value of this field is the same for the request message and its corresponding response message. It can be used to distinguish which request the DNS response message responds to.
• Flags: The flags field in the DNS message.
• Question Count: The number of DNS query requests.
• Answer Resource Records: The number of DNS responses.
• Authoritative Name Server Count: The number of authoritative name servers.
• Additional Resource Records: The number of additional records (the number of IP addresses corresponding to the authoritative name servers).

7. Wireshark packet capture practice

After opening Wireshark, use ping 163.com to initiate a DNS resolution request and use the DNS keyword to filter in Wireshark.

From the overall captured message, we can roughly obtain several pieces of information

1. DNS is an application layer protocol, and the transport layer protocol uses UDP
2. The default DNS port is 53

I have included screenshots of the request and response messages below, and I will analyze them one by one.

ask

answer

Transaction ID

The transaction ID for the request and response should be the same: 0xd0d7

Flags

There is a lot of content in the flag field. The meaning of each field is as follows

• QR (Response): Query request/response flag information. When querying a request, the value is 0; when responding, the value is 1.
• Opcode: Operation code. 0 indicates standard query, 1 indicates reverse query, and 2 indicates server status request.
• AA (Authoritative): Authorization response, this field is valid in the response message. When the value is 1, it means that the name server is an authoritative server; when the value is 0, it means that it is not an authoritative server.
• TC (Truncated): Indicates whether the response is truncated. When the value is 1, it means that the response exceeds 512 bytes and has been truncated, and only the first 512 bytes are returned.
• RD (Recursion Desired): Desiring recursion. This field can be set in a query and returned in the response. This flag tells the name server that it must process this query, which is called a recursive query. If this bit is 0, and the requested name server does not have an authoritative answer, it will return a list of other name servers that can answer the query. This method is called an iterative query.
• RA (Recursion Available): Available recursion. This field only appears in the response message. When the value is 1, it means that the server supports recursive query.
• Z: Reserved field. Its value must be 0 in all request and response messages.
• rcode (Reply code): Return code field, indicating the error status of the response. When the value is 0, it means no error; when the value is 1, it means the message format is wrong (Format error), the server cannot understand the requested message; when the value is 2, it means the domain name server fails (Server failure), because the server cannot process this request; when the value is 3, it means the name error (Name Error), which is only meaningful to the authorized domain name resolution server, indicating that the resolved domain name does not exist; when the value is 4, it means the query type is not supported (Not Implemented), that is, the domain name server does not support the query type; when the value is 5, it means rejected (Refused), generally the server refuses to give a response due to the set policy, such as the server does not want to give a response to certain requesters.

Answer RRs

The number of answer resource records is 2 in the response packet, indicating that two query results are returned, which you can see in the Answer field.

Authority RRs

Authoritative Name Server Count

Additional RRs

Number of additional resource records

Answers

The main content of the response. Two results are returned here. The fields in each result are

 Name : The domain name to be queried
 Type: A for IPv4, AAAA for IPv6
 Class: represents the Internet, almost always
 Time   to live: survival time
 Data length: Data length
 Address: The queried IP address

8. DNS hijacking and HTTP hijacking

Through the above explanation, we all know that DNS completes a domain name to IP mapping query. When you visit www.baidu.com, it can correctly return to you the IP address of Baidu's homepage.

But if there are some problems with DNS resolution at this time, when you want to visit www.baidu.com, it returns the IP address of www.google.com to you. This is what we often call DNS hijacking.

Easily confused with this is HTTP hijacking.

So what is HTTP hijacking?

You must have seen that when you visit a website, a glaring ad pop-up window suddenly pops up in the lower right corner. This is HTTP hijacking.

Using the examples in other people's articles, the difference between the two is like

• DNS hijacking is like throwing you at a train station when you want to go to the airport.
• HTTP hijacking is like someone giving you a flyer on your way to the airport. So how does DNS hijacking happen?

Here are some DNS hijacking methods:

1. Local DNS hijacking

The attacker infects the user's computer with a Trojan virus or malware through some means, and then maliciously modifies the local DNS configuration, such as modifying the local hosts file, cache, etc.

2. Router DNS hijacking

Many users set the default password of the router by default. Attackers can break into the router administrator account and modify the default configuration of the router.

3. Attacking DNS servers

Directly attack the DNS server, such as DDOS attack on the DNS server, which can cause the DNS server to crash, abnormal requests, or use certain means to infect the cache of the DNS server so that the malicious IP address is returned to the user

9. Use of tools

dig Command

dig is a tool that queries DNS including NS records, A records, MX records and other related information in Unix-like command line mode.

Through the dig (parameter: +trace) command, we can see the detailed process of DNS resolution described above

From the returned results, we can see several points of information

1. Our local DNS server ip is 192.168.1.1, port is 53, you can see this configuration in /etc/resolv.conf
2. There are currently only thirteen root domain name servers in the world, from a.root-servers.net. to m.root-servers.net. Their corresponding IP addresses are already built into the local DNS server.

If you only want to see the results, you can use the +short parameter to directly return which IP addresses www.163.com corresponds to.

You can also add an @ parameter to specify a DNS server to query from.

If you only want to view specific record types

host command

The host command can be seen as a simplified version of the dig command, returning various records of the currently requested domain name.

whois Command

The whois command is used to view the registration status of a domain name.

nslookup command

nslookup is also a commonly used tool to query DNS resolution results.

 $ nslookup [domain name to query] [specify DNS server]

You can also specify a public domain name server for query, such as the common 114.114.114.114

10. Manually clear the local cache

MacOS

 $ sudo dscacheutil -flushcache
 $ sudo killall -HUP mDNSResponder

Windows

 $ ipconfig /flushdns

Linux

 # Using NSCD's DNS cache
 $ sudo /etc/init.d/nscd restart 
 
 # Server or router using DNSMASQ
 $ sudo dnsmasq restart

This article is reprinted from the WeChat public account "Python Programming Time", which can be followed through the following QR code. To reprint this article, please contact the Python Programming Time public account.