- About the Author
- About the Technical Editor
- Credits
- Acknowledgments
- Foreword
- Introduction
- CHAPTER 1 Fundamental Networking and Security Tools
- CHAPTER 2 Troubleshooting Microsoft Windows
- CHAPTER 3 Nmap—The Network Mapper
- CHAPTER 4 Vulnerability Management
- CHAPTER 5 Monitoring with OSSEC
- CHAPTER 6 Protecting Wireless Communication
- CHAPTER 7 Wireshark
- CHAPTER 8 Access Management
- CHAPTER 9 Managing Logs
- CHAPTER 10 Metasploit
- CHAPTER 11 Web Application Security
- CHAPTER 12 Patch and Configuration Management
- CHAPTER 13 Securing OSI Layer 8
- CHAPTER 14 Kali Linux
- CHAPTER 15 CISv7 Controls and Best Practices
DNS
I believe having a solid understanding of the hierarchical naming system for anything connected to the Internet will make your security tasks easier. DNS stands for Domain Name System. Since 1985, DNS has been an essential component of the Internet. It provides a global, distributed directory service that maps domain names to numerical IP addresses. It is much harder for us as humans to remember the four octets of every website we want to visit; it is much easier to remember www.example.com.
There are 4,294,967,296 IPv4 addresses. It would be very difficult to build and maintain a database of all those IPv4 addresses in just one place. Add the 340,282,366,920,938,463,463,374,607,431,768,211,456 IPv6 addresses and the number becomes mind-boggling. It is estimated there are 7.7 billion people on Earth; that is more than a trillion IP addresses for every single person on this planet. We need a way to track all these addresses, and in practice we have to delegate that job to a system.
DNS shares the responsibility for assigning domain names and mapping those names by designating authoritative name servers for each domain. A name server responds to questions about names in a particular zone, and it should answer only for the domain names a network administrator has specifically configured on it. This keeps the process distributed and fault tolerant. Imagine what would happen if a single point of failure could bring down the naming system for the entire Internet.
The most common record types are the Start of Authority (SOA), IP addresses (A and AAAA), SMTP mail exchange (MX), name servers (NS), and domain name aliases (CNAME). The CNAME is also called the canonical name. It can point www.example.com and ftp.example.com to the right DNS entry for example.com, which has an A record holding the IP address.
The term DNS zone refers to a certain portion or space within the global system; a zone represents a boundary of authority that is subject to management. DNS zones are organized like a tree according to the hierarchy of cascading lower-level domains. In Figure 11.7, you see an example of a DNS zone domain namespace.
A DNS zone transfer is the process by which a DNS server passes part of its database to another DNS server. There is a master DNS server and one or more slave DNS servers, so more than one DNS server can answer questions about a particular zone. A basic DNS zone transfer attack is to pretend you're a slave DNS server and ask the master for a copy of the zone. A best practice is to restrict zone transfers. At a minimum, tell the master the IP addresses of the slaves so it doesn't share information with an impersonator.
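As an added example that is not from the book, here is a BIND 9 zone file for example.com showing the record types discussed above, followed by the master's named.conf zone stanza in its weak form and in a restricted form. The addresses are RFC 5737/RFC 3849 documentation ranges, and the key name, serial number, and file paths are assumptions.

```conf
; --- db.example.com (constructed example zone file) ---
$TTL 3600
$ORIGIN example.com.
@       IN  SOA   ns1.example.com. hostmaster.example.com. (
                  2024010101 ; serial
                  7200       ; refresh
                  900        ; retry
                  1209600    ; expire
                  300 )      ; negative-caching TTL
@       IN  NS    ns1.example.com.        ; master
@       IN  NS    ns2.example.com.        ; slave
@       IN  A     192.0.2.10
@       IN  AAAA  2001:db8::10
@       IN  MX    10 mail.example.com.
ns1     IN  A     192.0.2.53
ns2     IN  A     198.51.100.53
mail    IN  A     192.0.2.25
www     IN  CNAME example.com.            ; alias to the A/AAAA records above
ftp     IN  CNAME example.com.

// --- named.conf on ns1, weak: any host may request a full copy (AXFR) ---
zone "example.com" {
    type master;                          // "primary" in newer BIND releases
    file "/etc/bind/db.example.com";
    allow-transfer { any; };
};

// --- named.conf on ns1, restricted: only a slave that signs with a shared TSIG key ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";  // placeholder; generate with tsig-keygen
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    // The book's minimum is the slave's address: allow-transfer { 198.51.100.53; };
    // A source address alone can be spoofed, so requiring the key is stronger.
    allow-transfer { key xfer-key; };
    also-notify { 198.51.100.53; };       // tell the known slave when the zone changes
    notify explicit;                      // notify only the hosts listed above
};
```

The same key stanza must be present on ns2 and referenced in its `masters` (or `primaries`) list, otherwise its own transfer requests will be refused.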