The DNS automatically converts the name we type into our web browsers to IP addresses of servers hosting that site. DNS also enables you to associate with another authorized PC or allow remote management by utilizing its easy to understand area name as opposed to its numerical IP address. On the other hand, Reverse DNS (rDNS) makes an interpretation of an IP address into a domain name.
Every organization that has a chain of computers has one server dealing with DNS inquiries called a domain server. It will hold all the IP addresses inside its system, in addition to the IP addresses of recently accessed PCs outside the system. DNS can be compared to a telephone directory where you find phone number using easy to remember names.
How DNS Works
DNS resolution involves a process similar to finding a house using the street address. Each device connected to the internet is given an IP address. When someone enters a query, the hostname is converted into an IP address to complete the query. This translation between a web address and machine-friendly address is crucial to for any webpage to load.
The DNS cache servers contain temporary DNS records based on cached value acquired from authoritative DNS servers. An authoritative DNS server as the name suggests stores and provides a list of authoritative name servers for each of the top-level domains. The working of DNS is based on a hierarchy, and it is essential to further learn about these servers.
Types of DNS Servers
1. DNS recursor – The DNS recursor server gets requests from client machines via apps like internet browsers. The recursor then makes additional requests to fulfil the customer’s DNS query. Think of it as a librarian that goes to find a particular book present somewhere in the library.
2. Root nameserver – This is the initial phase in deciphering comprehensible hostnames into the IP. Think of it as the index available in the library that gives you the shelf number based on the name of the book.
3. TLD nameserver – The TLD is the subsequent stage in the search for a particular IP, and it has the last segment of a hostname. The common TLD server are .com, .in, .org., etc.
4. Authoritative nameserver – This nameserver is the final halt in the inquiry. If the definitive name server approaches the mentioned record, it will restore the IP for the mentioned hostname back to the Recursor, which made the underlying query.
What Is DNS Propagation
If your IP address is similar to the street address used to find your house, what happens if you change your home address? What is the domain name server with the new IP address? Well, this is where DNS propagation gain relevance. In simple terms, DNS propagation is the time it takes for any changes made in the name server to come into effect.
When you change the nameservers for your domain or change the hosting provider, the ISP nodes across the world may take up to 72 hours to update their caches with the new DNS information of your domain. However, the time required to ensure a complete update of records across all nodes may differ.
New information about the nameservers will not be propagated immediately, and some of your users may still be redirected to your old website. Each ISP node saves the cache to speed up the loading time, and you will have no other option but to wait until all the nodes are updated.
You can bypass or minimize the DNS propagation by pointing your domain to the destination IP address using “A Record” on the side of the current DNS provider, setting the minimal TTL. After updating the “A Record” you can wait for an hour and then change the nameservers of your domain. This will ensure that your website will not have any downtime as both hosts will show the same new website.
DNS Security Extensions
Given that DNS is vital for redirecting any query to your website, it is hardly surprising that hackers and bad actors will try to manipulate it. DNS inherently has no means of establishing whether the data is coming from authorized domains or has been tampered. This exposes the system to a lot of vulnerabilities and attacks such as DNS cache poisoning, DNS reflection attack, DNS amplification attack, etc.
In a DNS cache poisoning attack, bad actors replace the valid IP address with a malicious IP address. So, virtually all the users reaching for the genuine site will be redirected to this new IP address. This new location could have an exact clone of the original site meant to steal crucial data such as personal information & banking information, or it could redirect to a website and malware would be downloaded on the local computer.
To address these serious concerns, DNS Security Extensions (DNSSEC) were put in place. DNSSEC is aimed at addressing the weaknesses in DNS and adding authentication to it, making the system more secure. DNSSEC uses cryptographic keys and digital signatures to enforce legitimate connections and accurate lookup data.
While DNSSEC can substantially reduce the vulnerabilities of DNS, administrative overhead, as well as time and cost, restrict its implementation. A better alternative for many organizations would be to opt for Cloud-based DNS. Similar to cloud web hosting, a cloud-based DNS ensures geographically diverse networks and DNS server infrastructure. It enables high availability, global performance, scalability, stronger security, and better resource management. Do let us know your thoughts and if you have used cloud-based DNS in the comment section below.
0 comments:
Post a Comment