Introduction

This Refcard is intended as a practical introduction to DNS, and assumes you are familiar only with networking basics. After a brief explanation of how DNS works, the bulk of this card will explain DNS configuration, security, and common problems, in order to get you up and running quickly, safely, and reliably.

What is DNS?

Invented in 1982, the Domain Name System is a replacement for a centralized ‘hostname to numerical address database’ (in reality it was a simple text file) that was used in the days of ARPANET, the precursor to what is known today as the Internet.

The purpose of the original database was to provide an easy way to identify a network-connected computer, instead of using the unfriendly numerical addresses.

It is much easier to remember ‘google.com’ instead of ‘74.125.237.130’.

As the number of interconnected machines grew, maintaining this information in a central database, as well as ensuring that all clients on the network had an identical copy of this database at all times, became increasingly difficult. The modern DNS addressed this issue by replacing the previous central database with a distributed network of systems.

By design, the DNS is more than a simple name-to-IP address mapping database. It allows for many additional properties to be assigned to a domain name, including associated email addresses, anti-spam information, and much more.

Domain Name Hierarchy

Domain names are the most common method used for accessing websites or any other host on the Internet. Each domain name is made up of a number of elements (called ‘labels’) separated by a dot.

For example: www.google.com

The domain name system works in a hierarchical model, with the right-most element classed as the ‘Top Level Domain’ or TLD, followed by the second element from the right, which is classed as the ‘Second Level Domain.’ This structure continues from right to left, with each element being classed as a subdomain of the element to its right.

Figure: Domain Hierarchy

In addition to the structure above, any element may be classed as a hostname if it is associated with one or more IP addresses, provided it meets the following basic rules as stated in the DoD Host Table Specification as well as RFC 1123:

  • A hostname must be a text string consisting of only the letters A through Z (upper or lower case), digits 0 through 9, the minus sign (-), and the period (.)
  • A hostname cannot contain any spaces
  • The first character must be an alphabetic character or a digit
  • The last character cannot be a minus sign or a period
  • The recommended length for a hostname is up to 24 characters
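The following checker, added here as an example and not part of the original Refcard, applies the five hostname rules above and then splits a passing name into its TLD, second-level domain and subdomains as described in the hierarchy section. It goes slightly beyond the listed rules by also rejecting empty labels (consecutive dots), which is an assumption of this example.

```python
import re
from dataclasses import dataclass, field

# Character rules as stated on the page: letters, digits, minus sign and period.
ALLOWED = re.compile(r"^[A-Za-z0-9.-]+$")
RECOMMENDED_MAX_LEN = 24  # recommended, not mandatory, so reported as a warning


@dataclass
class HostnameReport:
    hostname: str
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    tld: str = ""
    second_level: str = ""
    subdomains: list = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.errors


def check_hostname(name: str) -> HostnameReport:
    """Validate a hostname against the page's rules and split its hierarchy."""
    r = HostnameReport(name)
    if " " in name:
        r.errors.append("contains a space")
    if not ALLOWED.match(name):  # also rejects the empty string
        r.errors.append("contains characters other than A-Z, 0-9, '-' and '.'")
    if name and not name[0].isalnum():
        r.errors.append("first character must be a letter or digit")
    if name and name[-1] in "-.":
        r.errors.append("last character cannot be '-' or '.'")
    if len(name) > RECOMMENDED_MAX_LEN:
        r.warnings.append(f"longer than the recommended {RECOMMENDED_MAX_LEN} characters")
    if r.valid:
        labels = name.split(".")
        if "" in labels:  # assumption: empty labels such as 'www..example' are invalid
            r.errors.append("empty label (consecutive dots)")
        else:
            # Right-most label is the TLD, the next one the second-level domain,
            # and everything further left is a subdomain of the label to its right.
            r.tld = labels[-1]
            r.second_level = labels[-2] if len(labels) > 1 else ""
            r.subdomains = labels[:-2]
    return r


if __name__ == "__main__":
    for candidate in ["www.google.com", "3com.com", "-bad.example", "host.example.", "a b.example"]:
        rep = check_hostname(candidate)
        print(candidate, "valid" if rep.valid else rep.errors, rep.warnings)
```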

Here are five things to know about DNS.

1: You can speed things up. Most ISPs frankly don’t spend a lot of time optimizing DNS, so replace it. Google’s 8.8.8.8 DNS uses global coverage and load balancing to give fast domain resolution, although it will collect your data.


2: You can get extra protection. Cisco-owned OpenDNS has built-in identity theft protection and even parental controls for free. Keep in mind that OpenDNS also collects some data about you. Quad9, on the other hand, at 9.9.9.9 uses real-time information to block phishing and malware, and Quad9 does not store your data.

3: You can stay private and fast. Cloudflare offers a service at 1.1.1.1, which is not only fast but encrypted. Cloudflare promises to wipe all logs within 24 hours to ensure privacy.

4: There are also IPv6 public DNS servers. It’s not as catchy, but Google’s is 2001:4860:4860::8888 and Quad9’s is 2620:fe::fe.


5: This is one you can’t do yourself yet, unless you’re in with the folks working on Oblivious DNS at Princeton. Without requiring a change to the DNS structure, Oblivious DNS places two servers on either side of the recursive DNS server so that the recursive server doesn’t know what you’re requesting and the top-level servers don’t know who you are. Promising!

There are loads more out there with special features and promises; just make sure you read the data collection policies and are comfortable with what they are. And remember, even a DNS resolver is not a VPN, so it doesn’t secure your entire network. That said, it’s another brick in that security wall, so it’s worth looking into.
