The webservers that we so often connect to using names like www⋅cisco⋅com, are actually reached by assigning IP addresses to packets.
On the internet, these domain names are much easier for people to remember than an IP address such as 74.163.4.161. If Cisco decides to change the numeric address of www⋅cisco⋅com, it is transparent to the user because the domain name remains the same. The new address is simply linked to the existing domain name and connectivity is maintained.
The Domain Name System (DNS) was developed to provide a reliable means of managing and providing domain names and their associated IP addresses.
The DNS system consists of a global hierarchy of distributed servers that contain databases of name to IP address mappings. The client computer in the figure will send a request to the DNS server to get the IP address for www⋅cisco⋅com so that it can address packets to that server.
A recent analysis of network security threats discovered that over 90% of malicious software exploits use the DNS system to carry out network attack campaigns.
A cybersecurity analyst should have a thorough understanding of the DNS system and the ways in which malicious DNS traffic can be detected through protocol analysis and the inspection of DNS monitoring information. In addition, malware frequently contacts command-and-control servers by using DNS.
This makes the server URLs indicators of compromise for specific exploits.
Figure 1 shows a client computer and a server connected to a network. The client is attempting to reach Cisco
DNS Resolves Names to IP Addresses
The DNS Domain Hierarchy
The DNS consists of a hierarchy of generic top-level domains (gTLD) which consist of .com, .net, .org, .gov, .edu, and numerous country-level domains, such as .br (Brazil), .es (Spain), .uk (United Kingdom), etc. At the next level of the DNS hierarchy are second-level domains. These are represented by a domain name that is followed by a top-level domain.
Subdomains are found at the next level of the DNS hierarchy and represent some division of the second-level domain. Finally, a fourth level can represent a host in a subdomain.
Each element of a domain specification is sometimes called a label. The labels move from the top of the hierarchy downward from right to left. A dot (“.“) at the end of a domain name represents the root server at the top of the hierarchy. The figure illustrates this DNS domain hierarchy.
The different top-level domains represent either the type of organization or the country of origin. Examples of top-level domains are the following:
.com – a business or industry
.org – a non-profit organization
.au – Australia
.co – Colombia
The figure shows the DNS Hierarchy tree. At the top is the Root Level Domain with the TOp-Level Domains(TLD) connected underneath the Root Level Domainmain. THe TLDs are .net, .edu, .com,.au, .co, and other top-level domains. Under the .com TLD is the Second-Level domain www.cisco.com and under cisco.com are www.cisco.com , ftp.cisco.com, and mail.cisco.com.
The DNS Lookup Process
To understand DNS, cybersecurity analysts should be familiar with the following terms:
Resolver – A DNS client that sends DNS messages to obtain information about the requested domain name space.
Recursion – The action taken when a DNS server is asked to query on behalf of a DNS resolver.
Authoritative Server – A DNS server that responds to query messages with information stored in Resource Records (RRs) for a domain name space stored on the server.
Recursive Resolver – A DNS server that recursively queries for the information asked in the DNS query.
FQDN – A Fully Qualified Domain Name is the absolute name of a device within the distributed DNS database.
RR – A Resource Record is a format used in DNS messages that is composed of the following fields: NAME, TYPE, CLASS, TTL, RDLENGTH, and RDATA.
Zone – A database that contains information about the domain name space stored on an authoritative server.
When attempting to resolve a name to an IP address, a user host, known in the system as a resolver, will first check its local DNS cache. If the mapping is not found there, a query will be issued to the DNS server or servers that are configured in the network addressing properties for the resolver.
These servers may be present at an enterprise or ISP. If the mapping is not found there, the DNS server will query other higher-level DNS servers that are authoritative for the top-level domain in order to find the mapping. These are known as recursive queries.
Because of the potential burden on authoritative top-level domain servers, some DNS servers in the hierarchy maintain caches of all DNS records that they have resolved for a period of time.
These caching DNS servers can resolve recursive queries without forwarding the queries to higher-level servers. If a server requires data for a zone, it will request a transfer of that data from an authoritative server for that zone. The process of transferring blocks of DNS data between servers is known as a zone transfer.
The figure shows a client DNS resolver on the left who sends a DNS query to the DNS recursive resolver, a secondary level domain server, that has the domain name of dns.xyxco.com.
The query is relayed to one of the top-level domain servers. Examples in this column include a .com server, a .org server, a .br server, and a .uk server. Each of the top-level domain servers communicates with a root DNS server. One of the top-level domain servers sends a non-authoritative DNS response to the DNS recursive resolver who, in turn, sends a non-authoritative DNS response back to the client, the DNS resolver.
Step 1 The user types an FQDN into a browser application Address field.
this is a figure with a client contacting a DNS sever thru the network with a FQDN typed in a browser URL field because the name of a website is easier for people to used
DNS Message Format
DNS uses UDP port 53 for DNS queries and responses. DNS queries originate at a client and responses are issued from DNS servers. If a DNS response exceeds 512 bytes, such as when Dynamic DNS (DDNS) is used, TCP port 53 is used to handle the message.
It includes the format for queries, responses, and data. The DNS protocol communications use a single format called a message. This message format shown in the figure is used for all types of client queries and server responses, error messages, and the transfer of resource record information between servers.
The DNS server stores different types of RRs used to resolve names. These records contain the name, address, and type of record. Here is a list of some of these record types:
A – An end device IPv4 address
NS – An authoritative name server
AAAA – An end device IPv6 address (pronounced quad-A)
MX – A mail exchange record
When a client makes a query, the server’s DNS process first looks at its own records to resolve the name. If it is unable to resolve the name using its stored records, it contacts other servers to resolve the name.
After a match is found and returned to the original requesting server, the server temporarily stores the numbered address in the event that the same name is requested again.
The DNS Client service on Windows PCs also stores previously resolved names in memory. The ipconfig /displaydns command displays all of the cached DNS entries.
The figure shows the structure of a DNS message within a UDP datagram. The UDP header accounts for 8 bytes, the DNS Fixed Header accounts for 12 bytes, and then the various DNS messages make up the remainder of the message. The DNS message can be up to 512 bytes in size. The text in the graphic notes that DNS uses the same message for all types of client queries and server responses, error messages, and the transfer of resource records between servers.
As shown in the figure, DNS uses the same message format between servers, consisting of a question, answer, authority, and additional information for all types of client queries and server responses, error messages, and transfer of resource record information. The table describes each section.
DNS message section
Description
Question
The question for the server. It contains the domain name to be resolved, the class of domain, and the query type.
Answer
The DNS resource record, or RR, for the query including the resolved IP address depending on the RR type.
Authority
Contains the RRs for the domain authority.
Additional
Relevant to query responses only. Consists of RRs that hold additional information that will make query resolution more efficient
Dynamic DNS
DNS requires registrars to accept and distribute DNS mappings from organizations that wish to register domain names and IP address mappings. After the initial mapping has been created, a process that can take 24 hours or more, changes to the IP address that is mapped to the domain name can be made by contacting the registrar or using an online form to make the change.
However, because of the time it takes for this process to occur and the new mapping to be distributed in the domain name system, the change can take hours before the new mapping is available to resolvers.
In situations in which an ISP is using DHCP to provide addresses to a domain, it is possible that the address that is mapped to the domain could expire and a new address be granted by the ISP. This would result in a disruption of connectivity to the domain through DNS. A new approach was necessary to allow organizations to make fast changes to the IP address that is mapped to a domain.
Dynamic DNS (DDNS) allows a user or organization to register an IP address with a domain name as in DNS. However, when the IP address of the mapping changes, the new mapping can be propagated through the DNS almost instantaneously.
For this to occur, a user obtains a subdomain from a DDNS provider. That subdomain is mapped to the IP address of the user’s server, or home router connected to the internet. Client software runs on either the router or a host PC that detects a change in the internet IP address of the user.
When a change is detected, the DDNS provider is immediately informed of the change and the mapping between the user’s subdomain and the internet IP address is immediately updated, as shown in the figure. DDNS does not use a true DNS entry for a user’s IP address. Instead, it acts as an intermediary.
The DDNS provider’s domain is registered with the DNS, but the subdomain is mapped to a totally different IP address. The DDNS provider service supplies that IP address to the resolver’s second-level DNS server. That DNS server, either at the organization or ISP, provides the DDNS IP address to the resolver.
Dynamic DNS can be abused by threat actors in various ways. Free DDNS services are especially useful to threat actors. DDNS can be used to facilitate the rapid change of IP address for malware command-and-control servers after the current IP address has become widely blocked. In this way, the malware can be coded with a URL rather than a static IP address.
DDNS can also be used as a way to exfiltrate data from inside a network because DNS traffic is very common and is frequently considered to be benign. DDNS itself is not malignant, however monitoring DNS traffic that is going to known DDNS services, especially free ones, is very useful for the detection of exploits.
In the left corner is a server for my host dot d d n s – provider dot com at the I p address of 2 0 3 dots 0 dot 1 1 3 dot 2. An arrow goes from this server to the server on the right for dynamic I p address changes. The server on the right is labelled my host dot d d n s – provider dot com that has an I p address of two O 3 dot o dot one one three-dot one one.
The left server also has an arrow that points to a cloud labelled w w w for the purpose that the host informs D D n S provider of change to I p. There is a laptop labelled old mapping in the left corner that has an arrow pointing to the top left server for the purpose of h t t p : / / my host dot d d n s – provider dot com. There is a bi-directional arrow going from the bottom left laptop and the w w w cloud for the d n s query and d n s reply from d d n s – provider dot com.
There is a laptop in the right corner labelled new mapping. A bidirectional arrow goes between the laptop and the www cloud for d n s queries and d n s replies from d d n s – provider dot com with the new address mapping. There is also an arrow going from the right laptop to the right server for the U r l of h t t p : / / my host dot d d n s – provider dot com.
The WHOIS Protocol
WHOIS is a TCP-based protocol that is used to identify the owners of internet domains through the DNS system. When an internet domain is registered and mapped to an IP address for the DNS system, the registrant must supply information regarding who is registering the domain.
The WHOIS application uses a query, in the form of a FQDN. The query is issued through a WHOIS service or application. The official ownership registration record is returned to the user by the WHOIS service. This can be useful for identifying the destinations that have been accessed by hosts on a network. WHOIS has limitations, and hackers have ways of hiding their identities.
However, WHOIS is a starting point for identifying potentially dangerous internet locations that may have been reached through the network. An internet-based WHOIS service is called ICANN Lookup can be used to obtain the registration record a URL. Other WHOIS services are maintained by regional internet registries such as RIPE and APNIC.
Action Point PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on an individual and corporate level, I will be very glad to do that I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained include staff of Dangote Refinery, FCMB, Zenith Bank, and New Horizons Nigeria among others. Please come on Whatsapp and let’s talk about your training. You can reach me on Whatsapp HERE. Please note that I will be using Microsoft Team to facilitate the training.
I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.
Fact Check Policy
TECHMANIA is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.
Adeniyi Salau is a highly dedicated and committed Blogger of repute. He likes sharing his IT knowledge with others. My desire is to impact as many lives as possible with my IT skills. You can download my mobile APP. Download the ICTLOAD APP on Google Playstore. Thanks.
Leave a Reply