
Mastering DNS: From Basics to Advanced Configuration and Security

This article explains the fundamentals of the Domain Name System, its distributed architecture, TCP/UDP usage, hierarchical structure, top‑level domains, resolution workflow, caching, smart routing, BIND configuration, load balancing, sub‑domain delegation, debugging tools, and security considerations such as amplification attacks.


What is DNS?

DNS (Domain Name System) is an Internet service that maps domain names to IP addresses using a distributed database, allowing users to access resources via human‑readable names.

Key Characteristics

Distributed architecture

Supports both TCP and UDP (default port 53)

Maximum label length per level: 63 characters

Maximum full domain length: 253 characters

When is TCP used versus UDP? UDP is used for typical queries, with responses limited to 512 bytes; if a response would exceed this size, the server sets the truncation (TC) flag and the client retries the query over TCP. Modern clients can advertise support for larger UDP payloads, so UDP is kept whenever possible.

Hierarchical Database Structure

DNS resembles an inverted tree similar to a Linux file system. The root zone (.) sits at the top, followed by top‑level domains (e.g., .com), then second‑level domains (e.g., chinaz.com), and so on. This structure prevents name collisions and enables distributed storage across many servers.

Top‑Level Domains

Top‑level domains (TLDs) are strictly controlled by ICANN and fall into two categories: generic TLDs (gTLDs) like .com, .org, .edu, and country code TLDs (ccTLDs) like .cn, .us. Some popular choices include .me (Montenegro) and .io (British Indian Ocean Territory), often favored by developers.

DNS Resolution Process

When a client requests a domain, the resolver library (consulting /etc/nsswitch.conf for the lookup order) determines where to look. The typical client-side flow is:

1. The client queries the local recursive resolver for tool.chinaz.com.
2. If cached, the resolver returns the result immediately.
3. Otherwise, it contacts a root server to obtain the .com nameserver address.
4. It then queries the .com nameserver for the chinaz.com nameserver.
5. Finally, it queries the chinaz.com nameserver for tool.chinaz.com, caches the answer, and returns the IP to the client.
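The wire-format details behind the flow above, as an added example that is not part of the original article: it builds the query a stub resolver would send for tool.chinaz.com, enforces the 63-character label and 253-character name limits, and shows how a resolver recognises a truncated (TC=1) UDP reply that must be retried over TCP with its 2-byte length prefix. The truncated reply is a constructed sample, not captured traffic.

```python
import struct

MAX_LABEL = 63      # longest single label (the per-level limit)
MAX_NAME = 253      # longest full domain name
UDP_LIMIT = 512     # classic UDP payload limit before the TC/TCP fallback

def is_valid_name(name):
    """Return True if every label is 1..63 chars and the whole name is <= 253."""
    name = name.rstrip(".")
    if not name or len(name) > MAX_NAME:
        return False
    return all(0 < len(label) <= MAX_LABEL for label in name.split("."))

def encode_name(name):
    """Encode a domain name into DNS wire-format length-prefixed labels."""
    if not is_valid_name(name):
        raise ValueError("invalid domain name: %r" % name)
    labels = name.rstrip(".").split(".")
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return out + b"\x00"  # zero-length root label terminates the name

def build_query(name, txid=0x1234, qtype=1):
    """Standard recursive query (RD=1), one question, type A (1), class IN (1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Split the 12-byte header into the fields a resolver checks first."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def needs_tcp_retry(query, response):
    """True when the UDP answer matches our query id but was truncated (TC=1)."""
    h = parse_header(response)
    return h["qr"] and h["id"] == parse_header(query)["id"] and h["tc"]

def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

# Constructed sample: a reply to txid 0x1234 with QR=1, TC=1, RD=1, RA=1 and no
# answer records, as a server sends when the full answer exceeds 512 bytes.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)

if __name__ == "__main__":
    q = build_query("tool.chinaz.com")
    print(len(q), "byte query; retry over TCP:", needs_tcp_retry(q, TRUNCATED_REPLY))
```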

Recursive vs. Authoritative Servers

Recursive resolvers perform the full lookup chain from the root to the target domain, while authoritative servers store the definitive records for zones they manage. Recursive servers are typically provided by ISPs or public services (e.g., Google 8.8.8.8).

Caching

To improve performance, resolvers cache responses. Cached entries are reused for subsequent queries, and caching is hierarchical—knowledge of a parent zone speeds up lookups for its subdomains.

Smart Resolution (EDNS)

Smart DNS returns the IP nearest to the client by including the client's network in the query (the EDNS Client Subnet option). Services like DNSPod in China support this feature, improving latency for users on different networks.

Domain Registrars

Registrars obtain authority from ICANN to sell domain names. They typically provide authoritative name servers for the domains they sell, but customers can delegate to custom name servers (e.g., switching from GoDaddy to DNSPod for better performance).

Setting Up a DNS Server with BIND

The BIND configuration consists of a main file (/etc/named.conf) and one or more zone files.

named.conf

Defines global options, logging, and zone declarations. Enabling recursion allows the server to act as a recursive resolver; disabling it restricts the server to authoritative responses only.

Zone File

Specifies resource records such as SOA, A, CNAME, and NS. Example snippets:

```conf
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};
```

SOA defines the primary authoritative server; CNAME provides aliasing.

```zone
; @ is the zone apex; the SOA names the primary server and the admin mailbox
; (serial, refresh, retry, expire and minimum TTL values go inside the parentheses)
@   IN  SOA ns.example.com. admin.example.com. ( … )
www IN  A   1.2.3.4
www IN  A   1.2.3.5
```

Testing the Server

Use named-checkconf and named-checkzone to validate the configuration, then start BIND with service named start. Verify that the service is listening with netstat -ntlp and query it using dig @127.0.0.1 www.example.com.

DNS Load Balancing

Adding multiple A records for a name enables round-robin load balancing. Clients typically use the first IP in the response, and the server rotates the record order between responses so that load is spread across the addresses.

```zone
www IN A 1.2.3.4
www IN A 1.2.3.5
```

Sub‑Domain Delegation

To delegate a sub-domain, the parent zone adds an NS record pointing to the child's name server (plus a glue A record when that name server lives inside the delegated zone), and the child zone defines its own SOA.

```zone
a.hello.com.    IN NS ns.a.hello.com.
ns.a.hello.com. IN A  203.0.113.10
```

DNS Debugging Tools

Common utilities include host, nslookup, and dig. dig provides detailed query and response information, useful for troubleshooting.

DNS Amplification Attacks

Attackers exploit the disparity between small DNS queries and large responses to overwhelm a target's bandwidth. By spoofing the victim's address as the source IP of the queries, they make the DNS server send the amplified responses to the victim, causing a denial of service. Mitigations include query rate limiting and response filtering on authoritative servers.
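The rate-limiting mitigation above, as an added illustration that is not part of the original article and is not BIND's own RRL code: a simplified per-source sliding-window limiter, run over constructed query events in which one address (the spoofed victim) receives far more responses than a normal client, alongside the amplification factor such traffic yields.

```python
from collections import defaultdict, deque

def amplification_factor(query_len, response_len):
    """Bytes delivered to the victim per byte the attacker spoofs."""
    return response_len / query_len

class ResponseRateLimiter:
    """Sliding-window limiter keyed by source address (the idea behind BIND's
    response rate limiting). Beyond `limit` responses per `window` seconds for
    one source, further responses are dropped; a real server may instead answer
    with TC=1 so a genuine client retries over TCP, which a spoofed source cannot."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, src_ip, now):
        q = self.hits[src_ip]
        while q and now - q[0] >= self.window:   # age out old timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def simulate(events, limit=5, window=1.0):
    """events: (timestamp, source_ip) per query. Returns per-source counts of
    answered and dropped responses."""
    rrl = ResponseRateLimiter(limit, window)
    stats = defaultdict(lambda: {"answered": 0, "dropped": 0})
    for ts, src in events:
        key = "answered" if rrl.allow(src, ts) else "dropped"
        stats[src][key] += 1
    return dict(stats)

# Constructed traffic: 203.0.113.5 is the spoofed victim address appearing as the
# source of 20 queries within one second; 198.51.100.7 is a normal client sending 3.
SAMPLE_EVENTS = [(i * 0.05, "203.0.113.5") for i in range(20)] + \
                [(0.1, "198.51.100.7"), (0.5, "198.51.100.7"), (0.9, "198.51.100.7")]

if __name__ == "__main__":
    print(simulate(SAMPLE_EVENTS))
    print("amplification:", amplification_factor(33, 3300))
```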

Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
