
How it works: A few words about DNS

As a virtual infrastructure provider, 1cloud takes an interest in networking technologies, and we write about them regularly in our blog. Today's material is about domain names: we look at the basics of how the DNS works and at the security of DNS servers.



Photo: James Cridland, CC

Before the Internet spread widely, names were translated to addresses using a hosts file that was distributed to every machine on the network. As the network grew, this approach stopped scaling, and a new mechanism was needed: the DNS, developed in 1983 by Paul Mockapetris.

What is DNS?


The Domain Name System (DNS) is one of the fundamental technologies of the modern Internet: a distributed system for storing and processing information about domain zones. Its primary purpose is to map the IP addresses of devices on the network to symbolic names that are easier for people to remember.

The DNS consists of a distributed name database whose structure resembles a logical tree, called the domain namespace. Each node in this space has its own unique name. The tree "grows" from the root domain, the highest level of the DNS hierarchy, which is denoted by a single dot. Branching off from the root are the subdomains: zones and nodes (individual computers).


A namespace that maps addresses to unique names can be organized in one of two ways: flat or hierarchical. In a flat namespace each address is given a name that is simply a sequence of characters with no structure, chosen according to some rules. The main drawback of a flat namespace is that it cannot be used in large systems such as the Internet: because names are arbitrary, checking for ambiguity and duplication becomes very difficult.

In a hierarchical namespace each name is composed of several parts: for example, the first-level domain .ru, the second-level domain 1cloud.ru, the third-level domain panel.1cloud.ru, and so on. This kind of namespace makes duplicate checks easy, and organizations need not worry that the host prefix they choose is already in use by someone else, because the full name will still differ.

Name Mapping


Let's look at how names are mapped to IP addresses. Suppose the user types www.1cloud.ru into the browser's address bar and presses Enter. The browser sends the query to the network's DNS server, which either answers on its own (if it already knows the answer) or forwards the query to one of the top-level (root) servers.

The query then begins its journey: the root server refers it to the first-level server (the one serving the .ru zone), that server refers it to the second-level server (1cloud), and so on, until a server is found that knows the requested name and its address for certain, or knows that no such name exists. After that, the answer travels back. To illustrate this clearly, the folks at DNSimple have put together a colorful comic, which you can find here.

It is also worth saying a few words about reverse mapping: obtaining a name from a given IP address. This happens, for example, when a mail server checks the host connecting to it. A special domain, in-addr.arpa, holds the records used to convert IP addresses into symbolic names. For example, to get the DNS name for the address 11.22.33.44, you query the DNS server for the record 44.33.22.11.in-addr.arpa, and it returns the corresponding symbolic name.
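
The forward walk from the root described above and the reverse-name construction, as an added example that is not part of the original article: a toy iterative resolver over a constructed delegation tree (all zone data, server names and addresses below are made up).

```python
# Added example (not from the original article or 1cloud): a toy iterative
# resolver that walks a constructed delegation tree from the root zone "."
# downwards, returning an answer or NXDOMAIN, plus the in-addr.arpa name
# construction used for reverse lookups. All zone data below is made up.

# Each zone maps an owner name to a record: ("NS", child_zone) is a referral
# to the next level, anything else is an authoritative answer.
ZONES = {
    ".":                {"ru.": ("NS", "ru."), "arpa.": ("NS", "arpa.")},
    "ru.":              {"1cloud.ru.": ("NS", "1cloud.ru.")},
    "1cloud.ru.":       {"www.1cloud.ru.": ("A", "203.0.113.10")},   # TEST-NET address
    "arpa.":            {"in-addr.arpa.": ("NS", "in-addr.arpa.")},
    "in-addr.arpa.":    {"11.in-addr.arpa.": ("NS", "11.in-addr.arpa.")},
    "11.in-addr.arpa.": {"44.33.22.11.in-addr.arpa.": ("PTR", "mail.example.")},
}

def resolve(qname, cache=None):
    """Return (record, path): record is (type, data) or None for NXDOMAIN;
    path lists the zones consulted, from the root down."""
    cache = {} if cache is None else cache
    if qname in cache:                      # the local server already knows the answer
        return cache[qname], ["cache"]
    zone, path = ".", ["."]
    while True:
        entries = ZONES[zone]
        # longest owner name that qname equals or lies beneath (delegation point)
        matches = [n for n in entries if qname == n or qname.endswith("." + n)]
        if not matches:
            cache[qname] = None             # negative answer: no record, no delegation
            return None, path
        rtype, rdata = entries[max(matches, key=len)]
        if rtype != "NS":
            cache[qname] = (rtype, rdata)
            return (rtype, rdata), path
        zone = rdata                        # follow the referral one level down
        path.append(zone)

def reverse_name(ipv4):
    """Build the in-addr.arpa owner name for an IPv4 address (octets reversed)."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: " + ipv4)
    return ".".join(reversed(octets)) + ".in-addr.arpa."

if __name__ == "__main__":
    print(resolve("www.1cloud.ru."))                 # walks ".", "ru.", "1cloud.ru."
    print(resolve(reverse_name("11.22.33.44")))     # walks down to 11.in-addr.arpa.
    print(resolve("nonexistent.1cloud.ru."))         # (None, [...]) -> NXDOMAIN
```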

Who manages and supports DNS servers?


When you enter the address of an Internet resource in the browser, the resulting query eventually reaches a DNS server responsible for the root zone. There are 13 such servers, run by various operators and organizations. For example, a.root-servers.net has the IP address 198.41.0.4 and is operated by Verisign, while e.root-servers.net (192.203.230.10) is run by NASA.

Each of these operators provides the service free of charge and ensures uninterrupted operation, because if any of these servers failed, entire areas of the Internet would become unavailable. The root DNS servers, which underpin the processing of all domain-name queries on the Internet, were originally located in North America. With the introduction of anycast addressing, however, they "spread" around the world, and the actual number of server instances grew from 13 to 123, which made the DNS foundation more reliable.

For example, North America hosts 40 servers (32.5%), Europe 35 (28.5%), South America another 6 (4.9%) and Africa 3 (2.4%). Looking at the map, the servers are distributed according to how intensively the Internet infrastructure is used.

Attack protection


Attacking the DNS is not a new strategy for attackers, but only recently has the fight against this type of threat become global.

“In the past, attacks on DNS servers leading to massive disruptions have already occurred. Once, because of the substitution of DNS records, the well-known Twitter service was unavailable to users for an hour,” says Alexei Shevchenko, head of infrastructure solutions at the Russian office of ESET. “But far more dangerous is an attack on the root DNS servers. In particular, the attacks of October 2002 were widely publicized, when unknown people attempted to conduct a DDoS attack on 10 of the 13 top-level DNS servers.”

The DNS protocol uses TCP or UDP port 53 to answer queries. Traditionally a query is sent as a single UDP datagram. But UDP is a connectionless protocol and is therefore vulnerable to source-address spoofing, and many of the attacks carried out on DNS servers rely on spoofing. A number of techniques are used to counter this and improve security.

One option is Unicast Reverse Path Forwarding (uRPF), the idea of which is to determine whether a packet with a given source address could legitimately arrive on a given network interface. If the packet arrives on the interface that would be used to send traffic back to the packet's source, the packet is considered valid. Otherwise it is discarded.

Although this feature can help detect and filter out some spoofed traffic, uRPF does not provide complete protection against spoofing. It assumes that traffic to and from a given address passes through the same interface, which complicates matters when there are several upstream providers. More information about uRPF can be found here.
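
The reverse-path check and its multi-provider caveat, as an added example that is not from the original article: strict and loose uRPF evaluated against a constructed forwarding table (the prefixes, interface names and addresses are made up, and the `allow_default` switch is a parameter of this example, not a claim about any vendor's defaults).

```python
# Added example (not from the original article): strict and loose uRPF checks
# against a constructed forwarding table, using longest-prefix match as a
# router would. Prefixes, interfaces and addresses are made up.
import ipaddress

# Constructed FIB for a router with two upstream providers and one LAN.
FIB = {
    "0.0.0.0/0":       "isp-a",   # default route via provider A
    "198.51.100.0/24": "isp-b",   # a prefix reachable only via provider B
    "192.0.2.0/24":    "lan",     # our own LAN behind the router
}

def best_route(src_ip, allow_default):
    """Return the interface the router would use to reach src_ip, or None."""
    ip = ipaddress.ip_address(src_ip)
    nets = [ipaddress.ip_network(p) for p in FIB if ip in ipaddress.ip_network(p)]
    if not allow_default:
        nets = [n for n in nets if n.prefixlen > 0]   # ignore 0.0.0.0/0
    if not nets:
        return None
    return FIB[str(max(nets, key=lambda n: n.prefixlen))]

def urpf_check(src_ip, in_iface, mode="strict", allow_default=False):
    """True if the packet passes the reverse-path check, False if it is dropped.
    strict: the route back to the source must leave via the receiving interface.
    loose:  any route back to the source is enough (default route only if allowed)."""
    route = best_route(src_ip, allow_default)
    if route is None:
        return False                     # no return path at all: drop
    if mode == "loose":
        return True                      # loose: a return path exists, accept
    return route == in_iface             # strict: must be the receiving interface

if __name__ == "__main__":
    print(urpf_check("192.0.2.5", "isp-a"))            # LAN source from outside: False
    print(urpf_check("198.51.100.7", "isp-a"))         # legitimate but asymmetric: False
    print(urpf_check("198.51.100.7", "isp-a", "loose"))  # loose mode accepts it: True
```

The second and third calls are the multi-homing problem from the text: a real host behind provider B whose packets arrive via provider A fails strict mode, so operators fall back to loose mode on such interfaces.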

Another option is the IP Source Guard feature. It relies on uRPF-style checking and on DHCP snooping to filter spoofed traffic on individual switch ports. IP Source Guard inspects the DHCP traffic on the network and determines which IP addresses have been assigned to which network devices.

Once this information has been collected and stored in the DHCP snooping binding table, IP Source Guard can use it to filter IP packets received by the network device. If a packet arrives with a source IP address that does not match the DHCP binding table, the packet is discarded.
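
The binding-table mechanism just described, as an added example that is not from the original article: a table replayed from constructed DHCP snooping events and then consulted per access port (port names, MAC addresses, leases and the trusted uplink are all made up).

```python
# Added example (not from the original article): a DHCP snooping binding
# table built from constructed snooping events, then consulted per switch
# port the way IP Source Guard does. Ports, MACs and addresses are made up.

# Constructed DHCP snooping log: (message, access port, client MAC, leased IP).
DHCP_EVENTS = [
    ("DHCPACK",     "Gi1/0/1", "00:11:22:33:44:01", "192.0.2.11"),
    ("DHCPACK",     "Gi1/0/2", "00:11:22:33:44:02", "192.0.2.12"),
    ("DHCPACK",     "Gi1/0/3", "00:11:22:33:44:03", "192.0.2.13"),
    ("DHCPRELEASE", "Gi1/0/3", "00:11:22:33:44:03", "192.0.2.13"),  # lease given back
]

# The uplink towards the DHCP server is trusted and is not filtered (assumed port name).
TRUSTED_PORTS = {"Gi1/0/48"}

def build_bindings(events):
    """Replay snooping events into a binding table keyed by (port, ip) -> mac."""
    table = {}
    for msg, port, mac, ip in events:
        if msg == "DHCPACK":
            table[(port, ip)] = mac           # server confirmed this lease on this port
        elif msg == "DHCPRELEASE":
            table.pop((port, ip), None)       # client gave the address back
    return table

def source_guard(table, port, src_mac, src_ip):
    """Return True if the frame may be forwarded, False if IP Source Guard drops it."""
    if port in TRUSTED_PORTS:
        return True
    return table.get((port, src_ip)) == src_mac   # no binding, or MAC/IP mismatch: drop

if __name__ == "__main__":
    bindings = build_bindings(DHCP_EVENTS)
    print(source_guard(bindings, "Gi1/0/1", "00:11:22:33:44:01", "192.0.2.11"))  # True
    print(source_guard(bindings, "Gi1/0/2", "00:11:22:33:44:02", "192.0.2.11"))  # False
    print(source_guard(bindings, "Gi1/0/3", "00:11:22:33:44:03", "192.0.2.13"))  # False
```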

Also worth noting is the dns-validator utility, which monitors all DNS packets in transit, matches each request with its response, and notifies the user when the headers do not agree. Details are available in the repository on GitHub.
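
The request-to-response matching that the text attributes to dns-validator, as an added example written here (it is not the tool's own code): minimal DNS messages are constructed inline, then a response is checked against the query it claims to answer (transaction ids and names are made up; the question parser does not handle compression pointers, which a query's question section does not use).

```python
# Added example (not the dns-validator tool's code, which the article only
# describes): build minimal DNS messages, then match a response to its query
# and report header discrepancies. Transaction ids and names are made up.
import struct

def build_message(ident, flags, qname, qtype=1):
    """Construct a DNS message with one question (class IN) and no answers."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.strip(".").split("."))
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)   # id, flags, qd, an, ns, ar
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_message(packet):
    """Return (id, is_response, qname, qtype) from the header and question section."""
    ident, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question, got %d" % qdcount)
    pos, labels = 12, []
    while packet[pos] != 0:                       # walk the length-prefixed labels
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", packet[pos + 1:pos + 3])[0]
    return ident, bool(flags & 0x8000), ".".join(labels), qtype

def validate(query, response):
    """List every way the response fails to match the query (empty list = consistent)."""
    qid, _, qname, qtype = parse_message(query)
    rid, is_resp, rname, rtype = parse_message(response)
    issues = []
    if not is_resp:
        issues.append("QR bit clear: not a response")
    if rid != qid:
        issues.append("transaction id 0x%04x does not match query 0x%04x" % (rid, qid))
    if rname.lower() != qname.lower() or rtype != qtype:
        issues.append("question section differs from the query")
    return issues

if __name__ == "__main__":
    q = build_message(0x1234, 0x0100, "www.1cloud.ru")                   # query, RD set
    print(validate(q, build_message(0x1234, 0x8180, "www.1cloud.ru")))   # []
    print(validate(q, build_message(0x1235, 0x8180, "www.1cloud.ru")))   # id mismatch
```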

Conclusion


The domain name system was developed in the 1980s and continues to make the Internet's address space usable today. Moreover, DNS technologies keep evolving; for example, the introduction of domain names in national alphabets (including the first-level Cyrillic domain) has become one of the most significant innovations of recent years.

Work is constantly under way to improve reliability and make the system less sensitive to failures (natural disasters, power outages, and so on). This matters a great deal, because the Internet has become an integral part of our lives, and nobody wants to "lose" it even for a couple of minutes.

Incidentally, 1cloud offers its VPS users a free DNS hosting service: a tool that simplifies the administration of your projects through a single interface for managing hosts and the domains that point to them.


Source: https://habr.com/ru/post/309018/

