-
Notifications
You must be signed in to change notification settings - Fork 16
/
Copy pathDNS.protocol.txt
138 lines (129 loc) · 10.3 KB
/
DNS.protocol.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
┏━━━━━━━━━┓
┃ DNS ┃
┗━━━━━━━━━┛
GOAL ==> #Translates hostname to IP address
DOMAIN NAME LABELS ==> # - delimited by dots
# - max 253 chars
# - [[:alnum:]-], with dash in middle of labels. Case-insensitive
# - IDN (International domain name) allow using Punycode for non ASCII chars:
# - clients show Unicode, but use ASCII under the hood
# - applied to individual labels (prepended with xn--)
# - IDN ccTLDs: TLD using IDN
# - IRI (Internationalized Resource Identifier):
# - Like URI, but with UTF8 characters
# - Like Punycode for DNS, but with percent encoding
# - hierarchy:
# - top-level domain (TLD):
# - [IDN] ccTLD (country-specific), e.g. fr
# - gTLD (generic), e.g. com, net, org, edu, jobs, info or gov
# - iTLD (infrastructure): arpa
# - pseudo-TLD: not registered with ICANN (must manually configure it)
# - can be alternative root zones
# - then subdomains
# - if domain is associated to an IP, last subdomain is hostname
# - FQDN (fully qualified domain name): domain name with all its labels
# - DNS zone: serie of labels managed by a single company (e.g. top-level domains)
# - There is a root empty label ("root zone"), managed by Verisign, registered with ICANN
# - use clusters of 13 servers at http://a-m.root-servers.net/
# - virtual hosting (several hostnames per machine):
# - name-based:
# - several hostnames per IP, 1 IP per machine
# - Is harder to implement with HTTPS.
# - When DNS doesn't work, harder to reach directly through IP.
# - IP-based:
# - 1 hostname per IP, several IPs per machine
# - multiple hostnames can bind to single IP (virtual hosting), so a server can serve several
# websites
# - single hostname can bind to several IP, for load distribution / fault tolerance
# - wildcard DNS records: putting * as leftmost label, so any domain name matching is
# associated with same RR
DNS LOOKUP ==> # - use a DNS resolver
# - starts with top label (root zone), which either gives IP of FQDN
# ("authoritative name server"), or reference to lower label
# - client query is non-recursive if it stops at each step
# - sometimes the DNS server does the recursive query itself instead of refering to lower
# label: recursive DNS server
# - Caches:
# - often root zones are cached (hints) by clients
# - other client-side DNS caches are communicated by DNS servers with a TTL:
# - as such, changes takes TTL to propagate
# - some clients (e.g. many browsers) have a min TTL that overrides it
# (e.g. 1min for Chrome)
# - DNS servers can cache DNS resolution too
# - /etc/resolv.conf:
# - nameserver IP (DNS server to use)
# - can be several (max: 3), queried in order
# - if none: use local name server
# - /etc/hosts: local file to assign DNS names to IP addresses locally
# - IP DNS_NAME [DNS_NAME2...]
# - reverse lookup:
# - look for DNS names using IP address
# - uses normal DNS lookup:
# - e.g. IP ONE.TWO.THREE.FOUR -> FOUR.THREE.TWO.ONE.in-addr.arpa
PROTOCOL ==> # - client-server
# - over UDP on port 53. Uses TCP if sizes over 512
# - Structure:
# - header: query ID, Query or reply flag, Authoritative flag, Recursive query flag, DNS
# server supports recursion flag, number of subsections (called Resource Records (RRs) for
# all but query) in following sections
# - query (if query):
# - Name HOST
# - Type TYPE
# - reply (if reply) RR_ARR (several if multiple IPs for one FQDN, often random order to
# achieve load balancing)
# - authority RR_ARR
# - additional RR_ARR
# - RR:
# - NAME: FQDN (must end with "." because of root zone) or just hostname.
# - TYPE:
# - A: IPv4
# - AAAA: IPv6
# - NS: refer to another DNS server (hostname or FQDN)
# - CNAME: alias to another domain name ("canonical name")
# - ex. use: different domain names but same IP and different ports
# - MX|NS values should not point to a canonical name
# - must be on subdomains, not the registered domain name
# - must be unique Record Type for that NAME if present (e.g. cannot have also a AAAA
# record)
# - DNAME: like CNAME, but matches all subdomains too
# - PTR: like CNAME, but stops DNS processing. Used for reverse DNS lookups
# - MX: PRIORITY_NUM MAIL_DOMAIN
# - SRV: PRIORITY_NUM WEIGHT PORT DOMAIN of specific services (used by many protocols)
# - CERT: PKI certificate
# - LOC: geolocation
# - RP: email of the responsible person
# - TXT: arbitrary data as "..." ... (max 255chars by "...")
# (must quote all not [[:alnum:]- ], e.g. info about server
# - SOA: DNS authority delegating that domain name
# Format: DOMAIN EMAIL (replace @ with .) ( 5 NUM ):
# - Version number (serial number or timestamp)
# - Refresh time: cache TTL for all RRs ("zone file"). Often 15mins-1hour
# - Retry time: how long to wait before retrying if problem
# - Expire time: how long to stop retrying
# - MinTTL: Min TTL for caching "domain not existing" responses (negative caching).
# If a RR has a lower TTL, use it instead.
# - CLASS: usually IN for internet
# - TTL: tells client how long to cache it in secs (max 68 years)
# - RDLENGTH, RDATA: value
WHOIS ==> # - TCP protocol on port 43, which asks for info to DNS registrars about hostname
SECURITY ==> # - DNSSEC: like IPSec but for DNS, to prevent DNS cache poisoning, etc.
# - DNS spoofing (cache poisoning): changing DNS server caches, redirecting all DNS clients to
# wrong IP
# - IDN homograph attack: spoofing ASCII chars with similar looking Unicode, to do phishing
# - preventions:
# - Chrome|IE: show raw Punycode if all chars belong to user preferred language
# - Firefox|Opera: show raw Punycode unless using special TLDs
# - blocked by several TLDs
# - typosquatting (URL hijacking): phishing relying on typo mistakes from end-user
# - cybersquatting:
# - buying domain name to sell them later
# - renewal snatching: wait for expiration dates (if forget to renew before expiration),
# using tools
TOOLS ==> # - BIND: most widely used DNS software
# - dig: query DNS
# - zone file: file with all RRs of a given domain name:
# - ;comment
# - $ORIGIN DOMAIN
# - $TTL 1h
# - [NAME] CLASS TYPE [TTL] RDATA (def. NAME: same as before)
DEBUGGING ==> # - about:dns, about:net-internals#dns (Chrome), about:networking#dns (Firefox): DNS caching