DNS

DNS, or the Domain Name System, is a fundamental part of the internet that allows us to use easily remembered domain names (like www.example.com ) instead of IP addresses (like 192.0.2.1). DNS was first proposed in 1983, and officially standardized in 1988. It was designed to replace the aging Host Name Protocol (HNP), which was used to map hostnames to IP addresses on ARPANET, the precursor to the internet.

DNS types

There are several types of DNS records, each with a specific purpose:

• A (Address) record: This is the most basic type of DNS record, and maps a domain name to an IPv4 address. For example, the A record for www.example.com might map it to 192.0.2.1.
• AAAA (IPv6 Address) record: Similar to an A record, but for mapping a domain name to an IPv6 address.
• CNAME (Canonical Name) record: This type of record is used to create an alias for another domain name. For example, you could use a CNAME to map the domain name “www” to “example.com”, so that both “www.example.com “ and “example.com” point to the same website.
• MX (Mail Exchange) record: This type of record is used to specify the mail server responsible for handling email for a domain. For example, the MX record for “example.com” might point to “mail.example.com”.
• NS (Name Server) record: This type of record is used to specify the authoritative name servers for a domain.
• TXT (Text) record: This type of record is used to store arbitrary text data, such as SPF or DKIM records.
• SOA (Start of Authority) record: This type of record is used to specify the primary DNS server for a domain, as well as several other parameters that define the DNS zone.
• SRV (Service) record: This type of record is used to specify the hostname and port of services like XMPP or LDAP.
• PTR (Pointer) record: This type of record is used to map an IP address to a domain name. This is used primarily for reverse DNS lookups.

Examples

• A record example:
  www.example.com A 192.0.2.1
• CNAME record example:
  www.example.com CNAME example.com
• MX record example:
  example.com MX mail.example.com
• MX record example:
  example.com MX mail.example.com
• TXT record example:
  example.com TXT "v=spf1 a mx -all"
• PTR record example:
  192.0.2.1 PTR example.com

DNS security

DNSSEC (Domain Name System Security Extensions) is an extension to the DNS protocol that adds security by allowing DNS records to be digitally signed, providing authenticity and integrity for DNS data. This helps prevent attacks such as DNS cache poisoning, where an attacker can redirect traffic intended for a legitimate website to a malicious one.

TSIG (Transaction SIGnature) is a method of authenticating DNS updates and requests using a shared secret key. It can be used to prevent unauthorized updates to DNS records, and to authenticate responses to DNS queries.

DANE (DNS-Based Authentication of Named Entities) is a method of authenticating the certificate of a website using DNS records. It allows website operators to publish their SSL/TLS certificate in the DNS, which can be used by clients to verify the certificate without having to rely on a centralized certificate authority.

Examples:

• DNSSEC record example:
  example.com DNSKEY (256 3 8 AwEAAb/f+....)
• DANE record example:
  _443._tcp.example.com TLSA 3 0 1 (8f2c5d1a5c5e5f5d5b5a5c5e5f5d5b5a5c5e5f5d5b5a5c5e5f5d5b5a)
  DNSSEC, TSIG, and DANE are all important tools for securing the DNS infrastructure, and can help protect against various types of attacks. By using these technologies, organizations can ensure that their DNS data is authentic and that communication with their websites is secure. DNS is a crucial part of the internet infrastructure and it’s important to understand how it works and the different types of records that can be used.