Mastering DNS: Core Concepts, Configuration, and Security Insights
This comprehensive guide explains DNS fundamentals, its distributed hierarchical database, TCP/UDP usage, top‑level domains, resolution workflow, recursive versus authoritative servers, caching, smart routing, bind configuration, load balancing, sub‑domain delegation, debugging tools, and DNS amplification attacks.
DNS (Domain Name System)
DNS, also known as the Domain Name System, is an Internet service that maps domain names to IP addresses using a distributed database, enabling convenient access to resources via human‑readable names.
Key Characteristics
Distributed architecture
Supports TCP and UDP (default port 53)
Maximum label length per level: 63 characters
Maximum full domain length: 253 characters
When to use TCP vs. UDP? Historically, a DNS message over UDP was limited to 512 bytes; a response larger than that was truncated and the client retried the query over TCP. Modern DNS can advertise a larger UDP payload size through EDNS0, falling back to TCP only when a response still does not fit.
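To make the label and name limits and the UDP/TCP decision concrete, here is an added example (not code from the original article) that encodes a name in DNS wire format, builds a recursive query with an optional EDNS0 OPT record advertising the UDP payload size, and decides when a response must go over TCP. Names, sizes and the transaction id are constructed for the example.

```python
import struct
from typing import Optional

MAX_LABEL = 63           # per-label limit from the text
MAX_NAME = 253           # full-name limit from the text
CLASSIC_UDP_LIMIT = 512  # pre-EDNS0 UDP payload limit


def encode_name(name: str) -> bytes:
    """Encode a domain name into DNS wire format (length-prefixed labels,
    terminated by the empty root label), enforcing the 63/253 limits."""
    name = name.rstrip(".")
    if len(name) > MAX_NAME:
        raise ValueError(f"name longer than {MAX_NAME} characters")
    out = bytearray()
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError(f"label {label!r} must be 1..{MAX_LABEL} bytes")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label ends the name
    return bytes(out)


def build_query(name: str, qtype: int = 1, txid: int = 0x1234,
                edns_udp_size: Optional[int] = 4096) -> bytes:
    """Build a standard query with RD=1 (ask the resolver to recurse).
    When edns_udp_size is given, append an EDNS0 OPT pseudo-record in the
    additional section so the server may answer with a larger UDP message."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP size,
        # TTL = extended rcode/version/flags (0), RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return msg


def needs_tcp(response_len: int, advertised_udp_size: Optional[int]) -> bool:
    """Without EDNS0 the limit is 512 bytes; with it, the advertised size."""
    limit = advertised_udp_size or CLASSIC_UDP_LIMIT
    return response_len > limit
```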
Hierarchical Database Structure
DNS resembles an inverted tree similar to a Linux file system. The root (.) leads to top‑level domains (e.g., .com), then second‑level domains (e.g., chinaz), and so on. Queries traverse from the leaf up to the root.
Because the global namespace contains millions of domains, DNS is distributed across many servers to avoid storage bottlenecks and to provide flexible management.
Top‑Level Domains
Top‑level domains (TLDs) are controlled by ICANN and fall into two categories: generic TLDs (gTLDs) such as .com, .org, .edu, and country code TLDs (ccTLDs) like .cn, .us. Choosing a TLD depends on whether the service is international or domestic.
DNS Resolution Process
When a client resolves a name, the glibc library uses /etc/nsswitch.conf to determine the lookup order. The default line is:
hosts: files dns myhostname
The client first checks the local /etc/hosts file, then queries the configured recursive resolver.
The recursive resolver contacts root servers, then TLD servers, and finally authoritative servers to obtain the final IP address, caching results at each step.
Recursive vs. Authoritative Servers
Recursive resolvers perform the full lookup chain on behalf of clients, while authoritative servers store the definitive records for zones they manage.
Caching
Caching reduces latency and load by storing recent query results. Recursive resolvers maintain hierarchical caches, allowing faster responses for repeated queries.
Smart DNS (EDNS)
Smart DNS returns the IP address nearest to the client by carrying the client’s IP in the query through an EDNS option. This mitigates cross‑ISP bandwidth issues.
Domain Registrars
Registrars obtain authority from ICANN to allocate second‑level domains (e.g., hello.com). They also provide default authoritative name servers, which can be replaced with custom ones for performance or smart routing.
Setting Up a DNS Server with BIND
BIND is a widely used DNS server. Its main configuration file is /etc/named.conf, which defines zones, logging, security, and recursion settings.
Key options include recursion yes; to enable recursive queries. After configuring zones, validate the files with named-checkconf and named-checkzone, then start the service:
$> service named start
Verify the service is listening on port 53:
netstat -ntlp
Test resolution with dig:
dig @127.0.0.1 www.hello.com
The resulting IPs reflect the records defined in the zone files.
Load Balancing with DNS
Multiple A records for a name enable round‑robin distribution:
www IN A 1.2.3.4
www IN A 1.2.3.5
Clients receive the list of IPs and typically use the first one, achieving simple load distribution without dedicated hardware.
Sub‑Domain Delegation
To delegate a sub‑domain, the parent zone adds an NS record pointing to the child’s name server, and the child zone defines an SOA record for its authority.
In the child zone file (a.hello.com):
@ IN SOA ns.a.hello.com. admin.a.hello.com. (…)
In the parent zone file (hello.com), the delegation plus the glue A record for the child’s name server (names end with a dot so they are not expanded relative to the zone origin):
a.hello.com. IN NS ns.a.hello.com.
ns.a.hello.com. IN A xx.xx.xx.xx
DNS Debugging Tools
Common utilities include host, nslookup, and dig. They belong to the bind‑utils package and vary in complexity and output detail.
DNS Amplification Attack
DNS amplification is a DoS technique where attackers spoof source IPs, causing open resolvers to send large responses to a victim, magnifying traffic volume. While many resolvers now filter such traffic, the attack exploits the disparity between small queries and large DNS responses.
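As an added example (not from the original article), the following detection logic runs over a constructed, simplified resolver query log and flags sources outside the networks the resolver is meant to serve that repeatedly send high-amplification query types and receive responses far larger than their queries. The log format, the allowed network and the thresholds are assumptions; in a real amplification event the flagged source address is the spoofed victim, so the remedy is to stop recursing for it, not to treat it as the attacker.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Networks this resolver is allowed to recurse for (assumption for the example).
ALLOWED_NETWORKS = [ip_network("192.0.2.0/24")]
# Query types whose responses are typically much larger than the query.
HIGH_AMP_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

# Constructed log lines (not real BIND output), one query per line:
# "<src_ip> <qtype> <qname> <query_bytes> <response_bytes>"
SAMPLE_LOG = """\
192.0.2.10 A www.hello.com 31 47
198.51.100.5 ANY hello.com 28 3118
198.51.100.5 ANY hello.com 28 3118
198.51.100.5 ANY hello.com 28 3118
203.0.113.9 A www.hello.com 31 47
203.0.113.9 TXT hello.com 30 410
"""


def parse_log(text):
    """Yield (src_ip, qtype, qname, query_bytes, response_bytes) per line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, qtype, qname, qlen, rlen = line.split()
        yield src, qtype, qname, int(qlen), int(rlen)


def analyse(text, min_queries=3, min_factor=10.0):
    """Return {src_ip: (query_count, avg_amplification_factor)} for sources
    that are outside ALLOWED_NETWORKS, use high-amplification query types,
    repeat at least min_queries times and exceed min_factor bytes out per byte in."""
    totals = defaultdict(lambda: [0, 0, 0])  # count, query bytes, response bytes
    for src, qtype, _qname, qlen, rlen in parse_log(text):
        if any(ip_address(src) in net for net in ALLOWED_NETWORKS):
            continue  # a legitimate client of this resolver
        if qtype not in HIGH_AMP_TYPES:
            continue
        entry = totals[src]
        entry[0] += 1
        entry[1] += qlen
        entry[2] += rlen
    flagged = {}
    for src, (count, qbytes, rbytes) in totals.items():
        factor = rbytes / qbytes
        if count >= min_queries and factor >= min_factor:
            flagged[src] = (count, round(factor, 1))
    return flagged
```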
Author: 多米诺 Link: https://juejin.cn/post/6844903497494855687
This article has been distilled and summarized from source material, then republished for learning and reference.