Understanding the DNS Protocol (Part 1)

The Domain Name System (DNS) is what I call a "dense" protocol.

I call it dense because there is so much to DNS that whole books have been written solely on what it is and what it does. Unlike some other application layer protocols, which perform only one function, DNS does the normal resolution of domain names to IP addresses, but it also does other things, like help route your e-mail. By "route" I don't mean that DNS has suddenly turned into a routing protocol, but rather that, through the publication of MX (mail exchanger) records, your e-mail can be delivered to the right mail server.

In this series, we will cover the structure of the Domain Name System as a whole. We will then go on to cover how DNS actually works through its hierarchical design.

Furthermore, we will cover quite a few examples of what are called resource records and RCODEs (response codes), what they mean, and how we can break them out. This will be done at the packet level, to give us context in case you have to investigate your network at the packet level at some future date.

Just remember that, as I mentioned before, this series of articles will only scratch the surface of DNS. What I won't be covering is the actual setup of DNS on a network, and the troubleshooting of it. With that said, let's begin our exploration of this often unappreciated protocol.

The humble beginnings

For the system administrators out there, you can almost map the early beginnings of DNS onto the growth of internal name resolution in the Microsoft world. In Windows NT we had the LMHOSTS file, which contained a static mapping of NetBIOS names to IP addresses. This was done to ease the task of finding computers and the services they offered on the internal network. That was followed by the WINS server, and then by Active Directory, which relies on DNS itself.

One goal of these various schemes was to map a host name to an IP address. Such a static mapping of computer names to IP addresses was actually the beginning of DNS as we know it today. Back in the early days of ARPA (the Advanced Research Projects Agency, now known as DARPA) and the ARPANET, you simply had a file on each computer with a list of the other computers and their names; the master copy (HOSTS.TXT) was maintained centrally and copied out to every host. There was no such thing as DNS in the form we know it today. It was most certainly not distributed as it is now, but held on individual computers.

Holding a full list of names on every computer quickly became impractical as the Internet grew, and out of that problem DNS as we know it today slowly began to take shape. DNS is sometimes described as a "distributed name service", and that is a fairly accurate description: no one computer holds a list of all domain names and their IP addresses. Instead the name space is split into zones, each held by its own servers, arranged in a tree.

At the top of that tree sits the root, served by the DNS root servers. Directly below the root are the top-level domains (TLDs), such as .com, .edu and .mil among others. Some of these are reserved for United States use (.mil for the U.S. military and .gov for the U.S. government, for example), a legacy of the Internet having originated there.

Also directly below the root is .arpa. Its in-addr.arpa subdomain (and ip6.arpa for IPv6) is used for "reverse lookups", which are in essence the opposite of what DNS is normally used for: in a reverse lookup you ask that an IP address be resolved to a domain name, and the address is written with its octets reversed (192.168.1.110 becomes 110.1.168.192.in-addr.arpa). Each level of the tree holds delegation records for the level directly below it: the NS records naming the child zone's servers, plus their IP addresses ("glue"). A level does not need to know anything about the levels above it; a resolver only needs to know the addresses of the root servers to start walking down. While you may think that a root DNS server contains a vast number of entries, this is not the case at all: the root zone holds only the delegations for the top-level domains, and the list of root servers itself is short.

So what is actually contained in a root DNS server? Good question. It serves a file called the "root zone file." This file contains the names and IP addresses of the authoritative DNS servers for each top-level domain (TLD). An example of a top-level domain would be .com or .edu, among others.

How do the root zone's contents get built? That is largely done by the folks at IANA, the "Internet Assigned Numbers Authority," which you can consider a definitive source: besides the root zone, IANA maintains the registries of port numbers, protocol numbers and DNS parameters such as resource record type numbers.

Back to the DNS root servers, though. No user traffic goes through the root servers, and they do no routing or forwarding. When a resolver asks a root server about a name such as www.example.com, the root server does not go and find the answer; it replies with a referral, the NS records and addresses of the servers for .com, and the resolver then repeats the question there, and then at the servers for example.com, until it reaches a server that is authoritative for the name. If you recall, I mentioned earlier that DNS is very much a "distributed" name service. As such, there is no one computer which contains all of the DNS information. It would be impossible to build such a thing, or impractical at best.
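The referral chain described above, and the reverse-lookup name construction from the .arpa paragraph, as an added example that is not part of the original article. The zone data, server names and addresses are all invented (addresses come from the 192.0.2.0/24 documentation range), and the "servers" are just dictionaries: each zone knows only its own records and the delegations for the zones directly beneath it, and an iterative resolver walks down from the root following referrals.

```python
"""Iterative DNS resolution over a constructed delegation tree.

Added example, not from the original article. All zone data, server names
and addresses below are invented (addresses come from the 192.0.2.0/24
documentation range); real root and TLD zones hold far more delegations.
"""

# Each zone knows (a) the records of names it is authoritative for and
# (b) delegations: the name servers, with glue addresses, of the zones
# directly below it. The root knows only who serves the TLDs, a TLD knows
# only who serves its domains, and so on down the tree.
ZONES = {
    ".": {
        "records": {},
        "delegations": {
            "com.":  {"a.tld-servers.example.": "192.0.2.10"},
            "arpa.": {"ns.arpa-servers.example.": "192.0.2.20"},
        },
    },
    "com.": {
        "records": {},
        "delegations": {"example.com.": {"ns1.example.com.": "192.0.2.30"}},
    },
    "example.com.": {
        "records": {"www.example.com.": ("A", "192.0.2.44")},
        "delegations": {},
    },
    "arpa.": {
        "records": {},
        "delegations": {"in-addr.arpa.": {"ns.in-addr-servers.example.": "192.0.2.21"}},
    },
    "in-addr.arpa.": {
        "records": {"44.2.0.192.in-addr.arpa.": ("PTR", "www.example.com.")},
        "delegations": {},
    },
}


def reverse_name(ipv4: str) -> str:
    """Build the in-addr.arpa owner name for an IPv4 address (octets reversed)."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ipv4!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def answer(zone: str, qname: str, qtype: str):
    """What a server authoritative for `zone` says when asked (qname, qtype).

    Returns (outcome, detail): ANSWER with the record data, REFERRAL with the
    child zone and its name servers, NODATA (name exists, no such type) or
    NXDOMAIN (nothing below this zone matches). A server never forwards the
    query onward; it only reports what it holds.
    """
    z = ZONES[zone]
    if qname in z["records"]:
        rtype, data = z["records"][qname]
        return ("ANSWER", data) if rtype == qtype else ("NODATA", None)
    matches = [child for child in z["delegations"]
               if qname == child or qname.endswith("." + child)]
    if matches:
        child = max(matches, key=len)  # longest suffix = closest enclosing zone
        return ("REFERRAL", (child, z["delegations"][child]))
    return ("NXDOMAIN", None)


def resolve(qname: str, qtype: str, max_hops: int = 8):
    """Iterative resolver: start at the root and follow referrals downward.

    Returns (data_or_None, trail), where trail lists (zone asked, outcome).
    """
    trail = []
    zone = "."
    for _ in range(max_hops):
        outcome, detail = answer(zone, qname, qtype)
        trail.append((zone, outcome))
        if outcome == "REFERRAL":
            zone = detail[0]  # next question goes to the child zone's servers
            continue
        return (detail if outcome == "ANSWER" else None), trail
    raise RuntimeError("referral chain too long; possible delegation loop")


if __name__ == "__main__":
    for name, rtype in [("www.example.com.", "A"),
                        (reverse_name("192.0.2.44"), "PTR"),
                        ("www.example.com.", "AAAA"),
                        ("nosuch.invalid.", "A")]:
        data, trail = resolve(name, rtype)
        path = " > ".join(f"{z}:{o}" for z, o in trail)
        print(f"{name} {rtype} -> {data}  via {path}")
```

Note that the root never returns the final answer for a name two levels down; it only ever returns a referral to .com (or .arpa), and a name under a TLD the root does not know about fails at the root with NXDOMAIN, which is exactly why the root zone can stay small.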

Anyhow, I do not want to delve too deeply into the breakdown of the DNS hierarchy itself, as there are many excellent sites that already do that. Another part of DNS has to do with caching of the DNS records themselves: a resolver keeps the answers it has already received, for as long as their time to live (TTL) allows, so it does not have to ask again. To take a look at the DNS resolver cache on your Windows computer, simply type the following at a command prompt:

ipconfig /displaydns

This will bring up the cached DNS records that the resolver (let's say you are using Windows XP) will check before going out to your ISP's DNS server to have the query you are issuing resolved. Each entry in the output shows the record name, the record type (as a number), the time to live remaining on the cached record, measured in seconds and counting down, the data length, the section of the original response the record came from, and lastly the record data itself. You can see a sample output of the ipconfig /displaydns command below. Pretty neat stuff!

testlab-cs4
------------------------------------------------------
Record Name . . . . . : testlab-cs4
Record Type . . . . . : 1
Time To Live . . . . : 30318069
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 192.168.1.110

The record type number 1 you see above is the "A" (host address) record, and the data length of 4 is the four bytes of an IPv4 address. The full list of record type numbers and their corresponding record types is kept in IANA's DNS Parameters registry.
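To make the fields above concrete, here is an added example, not part of the original article, that parses the text ipconfig /displaydns prints into records and then answers a query from that cache the way the resolver does, honouring the remaining TTL and following a cached CNAME. SAMPLE is constructed text in the shape Windows prints, including a value that has spilled onto its own line as in the output above, one cached name holding two records, and a negatively cached name; its host names and addresses are invented, and the type-number table is a subset of the IANA registry.

```python
"""Parse `ipconfig /displaydns` output and answer queries from that cache.

Added example, not from the original article. SAMPLE is constructed text in
the shape Windows prints; its names and addresses are invented.
"""
import re

# Type numbers from the IANA "DNS Parameters" registry (a subset).
RECORD_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
                15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}

# "Label . . . . : value": a label, a run of dot leaders, a colon, the value.
FIELD_RE = re.compile(r"^\s*(?P<label>[A-Za-z][A-Za-z0-9 ()]*?)\s*(?:\.\s*)*:\s*(?P<value>.*?)\s*$")
DASHES_RE = re.compile(r"^\s*-{10,}\s*$")

SAMPLE = """\
    testlab-cs4
    ----------------------------------------
    Record Name . . . . . : testlab-cs4
    Record Type . . . . . : 1
    Time To Live . . . . : 30318069
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . :
    192.168.1.110

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 5
    Time To Live . . . . : 3600
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : web.example.com
    Record Name . . . . . : web.example.com
    Record Type . . . . . : 1
    Time To Live . . . . : 3600
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.44

    nosuch.example
    ----------------------------------------
    Name does not exist.
"""


def parse_displaydns(text):
    """Return one dict per cached name: {"name", "negative", "records": [...]}."""
    entries, entry, record, pending, lines = [], None, None, False, text.splitlines()
    for i, line in enumerate(lines):
        value = line.strip()
        if DASHES_RE.match(line):            # line above the dashes is the cached question name
            entry = {"name": lines[i - 1].strip(), "negative": False, "records": []}
            entries.append(entry)
            record = None
            continue
        if entry is None or not value:
            pending = False
            continue
        if pending:                          # record data spilled onto its own line
            record["data"], pending = value, False
            continue
        if value == "Name does not exist.":  # negatively cached (NXDOMAIN) name
            entry["negative"] = True
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        label, value = m["label"], m["value"]
        if label == "Record Name":           # one cached name may hold several records
            record = {"name": value, "type": None, "rtype": None, "ttl": None,
                      "length": None, "section": None, "data": None}
            entry["records"].append(record)
        elif record is None:
            continue
        elif label == "Record Type":
            record["type"] = int(value)
            record["rtype"] = RECORD_TYPES.get(int(value), f"TYPE{value}")
        elif label == "Time To Live":
            record["ttl"] = int(value)       # seconds remaining when the snapshot was taken
        elif label == "Data Length":
            record["length"] = int(value)
        elif label == "Section":
            record["section"] = value
        else:                                # "A (Host) Record", "CNAME Record", ...: the data
            record["data"], pending = (value or None), not value
    return entries


def lookup(entries, name, rtype, elapsed=0, _depth=0):
    """Answer (name, rtype) from the cache the way the stub resolver would.

    `elapsed` is seconds since the snapshot; a record whose TTL has run out is
    ignored. Returns ("HIT", data), ("NXDOMAIN", None) for a negatively cached
    name, or ("MISS", None): not cached, so the query goes to the DNS server.
    """
    qname = name.lower().rstrip(".")
    for entry in entries:
        if entry["negative"] and entry["name"].lower() == qname:
            return ("NXDOMAIN", None)
        for rec in entry["records"]:
            if rec["name"].lower() != qname or rec["ttl"] is None or rec["ttl"] <= elapsed:
                continue
            if rec["rtype"] == rtype:
                return ("HIT", rec["data"])
            if rec["rtype"] == "CNAME" and rtype != "CNAME" and _depth < 8:
                return lookup(entries, rec["data"], rtype, elapsed, _depth + 1)
    return ("MISS", None)
```

On a real machine you would feed it the live output (for instance `ipconfig /displaydns > cache.txt` and then parse_displaydns(open("cache.txt").read())); a "MISS" result is the case where the resolver has to go out to the configured DNS server, and an entry that is present but whose TTL has counted down to zero is treated the same way.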

On that note I will wrap up part one of this three-part series on DNS. In parts two and three we will dig deeper into this multi-faceted protocol. Till then!

If you would like to read part 2 in this series please go to Understanding the DNS Protocol (Part 2).

Don Parker, GCIA, GCIH, specializes in matters of intrusion detection and incident handling. He has also enjoyed a role as guest speaker at various network security conferences, and writing for various online and print media on matters of computer security. You can contact Don Parker at don@windowsecurity.com.

Copyright © 2005 IDG Communications, Inc.
