DNS

From MgmtWiki

Full Title or Meme

The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates more readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. By providing a worldwide, distributed Directory Service, the Domain Name System has been an essential component of the functionality of the Internet since 1985.

Context

In order to ensure the global uniqueness of a domain (host) name there is only a single root where all top-level domain (TLD) names are registered. Every country gets its own TLD, for example US or EU. Other TLDs are assigned by the IANA.

Problems

  1. DNS spoofing allows attackers to change the results that are obtained from a request for an IP address.
  2. ARP, the address resolution protocol, runs in plain text, so that acquiring the address of a web site allows an ISP to see all of the sites that anyone plans to visit.

Solutions

  1. DNSSEC encrypts the name look-up process.

But some very large companies don't want people to hide their actions. On 2019-09-13 some large ISPs petitioned Congress to prevent users from hiding this information.[1] Naturally Congress is more responsive to large corporations than it is to its constituents.

Alternate Solutions

DANE for self-signed certs.

DNS Records

  • Type A - Returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host.
  • Type AAAA - Returns a 128-bit IPv6 address, most commonly used to map hostnames to an IP address of the host.
  • Type NS - Delegates a DNS zone to use the given authoritative name servers
  • Type CNAME - alias of one name to another: the DNS lookup will continue by retrying the lookup with the new name. This helps when running multiple services (like an FTP and a webserver; each running on different ports) from a single IP address. Each service can then have its own entry in DNS (like ftp.example.com. and www.example.com.). Network administrators also use CNAMEs when running multiple HTTP servers on the same port, with different names, on the same physical host. This however requires host headers support for the two sites to both listen on the default port (port 80).
  • Type SOA - Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone.
  • Type PTR - Pointer to a canonical name. Unlike a CNAME, DNS processing does NOT proceed, just the name is returned. The most common use is for implementing reverse DNS lookups by putting a PTR record for a hostname in the in-addr.arpa. domain that corresponds to an IP address. For example (at the time of writing), www.icann.net has the IP address 192.0.34.164, but a PTR record maps 164.34.0.192.in-addr.arpa to its canonical name, referrals.icann.org.
  • Type MX - Maps a domain name to a list of mail exchange servers for that domain
  • Type TXT - Originally for arbitrary human-readable text in a DNS record. Since the early 1990s, however, this record more often carries machine-readable data, such as specified by RFC 1464, opportunistic encryption, Sender Policy Framework and DomainKeys.
  • Type HINFO - A special HINFO record gives a description of the type of computer/OS a host uses.
  • Type ANY - Not a valid record type, but specifically a query type for DIG, NSLookup and similar tools. These queries request the tool to retrieve any information possible.

TXT Records

The TXT record is a type of DNS record whose TXT-DATA is filled with instructions that can work with existing DNS servers. The actual text is formatted so that it has an attribute name, then a value for that attribute, with the "=" sign separating the two. The most common use of TXT records is for email verification, but they also serve various other verification and authentication methods. Some services (Google Apps, Microsoft Office 365, and more) will ask you to add such a DNS record to your zone to prove that you have control over your domain.

  • Multiple TXT records are completely legal per the DNS standards.
  • Multiple TXT records implementing a specific standard can potentially be illegal, but only within the scope of that one standard.
  • Given the need for multiple standards to coexist and play nicely with other TXT records that share a given name, conflicts are unlikely to happen. It is certainly unlikely that such a requirement would make it into an Internet Standard.
  • If you are using Google Domains, when you edit the TXT record, there's a plus(+) symbol next to the TXT value... click that to add multiple values.
  • To understand the difference, let's take a look at what the SPF standard (RFC 7208) has to say on the topic:
  Starting with the set of records that were returned by the lookup,
  discard records that do not begin with a version section of exactly
  "v=spf1".  Note that the version section is terminated by either an
  SP character or the end of the record.  As an example, a record with
  a version section of "v=spf10" does not match and is discarded.
  If the resultant record set includes no records, check_host()
  produces the "none" result.  If the resultant record set includes
  more than one record, check_host() produces the "permerror" result.

In short, TXT records which do not meet the syntax requirements of SPF are ignored. An error only occurs in the case where multiple records match SPF syntax.

(DMARC syntax carries the same restriction, for those who might be wondering.) Example of DMARC record:

v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dmarcreports@example.com
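The SPF record-selection rule quoted above and the DMARC tag=value layout are both small enough to implement directly. The following is an added example, not code from the wiki page: it applies the RFC 7208 "exactly v=spf1" filter to a constructed set of TXT records for one name, and splits the DMARC record shown above into its tags. The "ok" label for the single-record case is this example's own; the "none" and "permerror" results are the RFC's.

```python
def select_spf_record(txt_records):
    """Apply the RFC 7208 record-selection rule to a list of TXT strings.

    Returns (result, record): result is "none" (no SPF record),
    "permerror" (more than one), or "ok" with the single matching record.
    """
    matching = []
    for rec in txt_records:
        # The version section runs up to the first SP character (or the end
        # of the record) and must be exactly "v=spf1"; "v=spf10" is discarded.
        version = rec.split(" ", 1)[0]
        if version == "v=spf1":
            matching.append(rec)
    if not matching:
        return ("none", None)
    if len(matching) > 1:
        return ("permerror", None)
    return ("ok", matching[0])


def parse_dmarc_record(record):
    """Split a DMARC TXT record into a dict of tag -> value.

    Tags are separated by ";" and written as name=value; surrounding
    whitespace and a trailing ";" are tolerated. The record must begin
    with the version tag v=DMARC1 (RFC 7489 requires it to come first).
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    return tags


# Constructed TXT record set for one name: a site-verification record,
# a near-miss "v=spf10" record, and one real SPF record.
SAMPLE_TXT = [
    "google-site-verification=EXAMPLE-TOKEN",
    "v=spf10 -all",
    "v=spf1 include:_spf.example.com -all",
]

if __name__ == "__main__":
    print(select_spf_record(SAMPLE_TXT))
    print(parse_dmarc_record("v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dmarcreports@example.com"))
```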

PowerShell DNS Cmdlets

You can view all of the resource records for a given DNS zone with the PowerShell DNS cmdlet Get-DnsServerResourceRecord. Using this cmdlet, you can specify the ZoneName parameter which will list all DNS records in that zone.

As you can see below, this generates quite a lengthy list of records.

PS51> Get-DnsServerResourceRecord -ZoneName corp.ad

Make sure to run PowerShell as admin and check to see that it is working:

Get-WindowsCapability -Online -Name "Rsat*"
Install-Module DnsServerDsc

References

  1. Timothy B. Lee, "Why big ISPs aren't happy about Google's plans for encrypted DNS", Ars Technica (2016-09-30), https://arstechnica.com/tech-policy/2019/09/isps-worry-a-new-chrome-feature-will-stop-them-from-spying-on-you/

Other Material