DNS Explained. Resolution

DNS Explained. Resolution:

 Resolution is the process of asking for the resource records of a fully-qualified domain name (FQDN) and receiving back an answer. Every time that your computer does not have an IP address cached for a required FQDN, a resolution takes place. In this post, I discuss the main components involved in DNS resolution and explain the two main methods in which resolution is performed.

Components

There are five main components that play a role in DNS resolution.

The first component is the client. This is the host that is asking the question, “Where is www.netflix.com on the internet?”

The second component is the DNS resolver. Typically provided by your ISP, this serves as the first component that the client reaches out to if the answer to the DNS query is not cached by the client. Its role is to query the other components to find the answer to the original question. The way it does this depends on the type of DNS resolution being performed.

Clients can configure their settings to use a DNS resolver not provided by their ISP. GoogleCloudflareVerisign, and Cisco are just a handful of companies that offer free-alternative DNS resolvers. Be aware of which resolver you choose though! Every site you visit will likely send a DNS query which is handled by your chosen DNS resolver. This gives that resolver an ability to see what you request and may sell this data to advertisers. Always read the policies of DNS resolvers that you are considering to use.

The third component is the DNS Root Zone, which is questioned if the DNS resolver does not have the answer in cache. Its role is to return the nameservers for the requested TLD. There are 13 root servers in the world operated by 12 organizations. These servers are anycasted and I go into more detail about them in my DNS Architecture post.

The fourth component is the TLD’s Nameservers. Its role is to return the authoritative nameservers of the requested second-level domain.

Finally, the fifth component is the Authoritative Nameservers. These servers are the responsibility of the registrant to provide, and their role is to return the resource record for the requested third-level domain (or apex domain).

Iterative Resolution

There are two types of resolution, the first is iterative. In an iterative resolution, it is the responsibility of the DNS resolver to keep querying nameservers until it gets an answer.

Let’s go through each step in more detail.

  1. The client sends an iterative DNS query for www.blakes.site..
  2. The DNS resolver receives this query. If it doesn’t have an answer for this query already cached, it will continue by asking a root server where the nameservers for .site are. If it is cached, the answer will be returned here and the process will terminate. Sidenote: The DNS resolver could also store cache entries for the .site TLD nameservers and the blakes.siteauthoritative nameservers and skip the appropriate steps.
  3. The root server returns the IP addresses for the .site nameservers. It also can cache the .site nameservers for future usage.
  4. The DNS resolver now has to ask the .site TLD nameservers for the IP addresses of the blakes.site authoritative nameservers. It also can cache the .site nameservers for future usage.
  5. The .site TLD nameservers return the IP addresses for the blakes.siteauthoritative nameservers. The DNS resolver can cache the blakes.siteauthoritative nameservers for future usage.
  6. The DNS resolver asks the blakes.site authoritative nameservers for the resource records for the entry www.
  7. The blakes.site authoritative nameservers return the resource records for the entry www.
  8. The DNS resolver caches the response and returns it back to the client.

Recursive Resolution

The alternative to iterative resolution is recursive resolution. Instead of an address to the next nameserver being sent back to the DNS resolver to then query, the nameserver makes the request itself and returns the result all the way back up to the DNS resolver.

Let’s also go through this resolution step-by-step.

  1. The client sends a recursive DNS query for www.blakes.site.. Nothing new.
  2. The DNS resolver receives this query. If it doesn’t have an answer for this query already cached, it will continue by asking a root server for the answer to www.blakes.site.. If it is cached, the answer will be returned here and the process will terminate.
  3. If the root server did not have an answer cached, then it asks the next component that could have an answer: the TLD nameservers. The root servers can also cache the TLD nameservers for the requested domain for future use.
  4. If the TLD nameservers did not have an answer cached, then it asks the next component that could have an answer: the authoritative nameservers. The TLD nameservers can also cache the authoritative nameservers for the requested domain for future use.
  5. The authoritative nameservers find an answer for www.blakes.site. and pass the answer up back to the TLD nameservers.
  6. The TLD nameservers pass the answer back up to the root server.
  7. The root server passes the answer back to the DNS resolver.
  8. The DNS resolver caches and passes the answer back to the client.

There is caching at each component, so it is possible that only a partial resolution has to take place for a query. If the requested FQDN is popular and the DNS resolver is being used by a lot of people, then it is completely possible that the root servers are never contacted.

Recursive Resolution: Pros/Cons

In general, recursive resolution tends to be faster than its iterative counterpart due to caching of final answers. However, this type of resolution creates security flaws including cache poisoning and DNS amplification attacks.

Responsibility: Recursive vs Iterative

In recursive resolution, the burden of having to contact nameservers belongs to the server. On the flip side, for iterative resolution, the burden of contacting nameservers belongs to the client.

DNS Resolver Observation

It should be noted that for both recursive and iterative resolution, it is required that the DNS resolver already know the IP addresses of the 13 root servers. Implementation wise, these addresses are simply hardcoded and publicly available.

from Tumblr https://generouspiratequeen.tumblr.com/post/641304219403599872

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s