Mastering DNS: From Basics to Advanced Configuration and Security

What Is DNS?

DNS (Domain Name System) is an Internet service that maps domain names to IP addresses using a distributed database, allowing users to access resources via human‑readable names.

Key Characteristics

Distributed architecture

Supports TCP and UDP (default port 53)

Maximum label length per level: 63 characters

Maximum full domain length: 253 characters

When to use TCP vs. UDP? Early DNS used UDP with a 512‑byte limit; responses larger than that triggered TCP. Modern DNS can request larger UDP packets, but TCP is still used for very large responses or zone transfers.

Hierarchical Database Structure

DNS resembles an inverted tree similar to a Linux file system. For example, the domain tool.chinaz.com. is resolved from the root (.) to the top‑level domain (com), then to chinaz, and finally to tool.

The tree structure distributes storage and management, preventing name conflicts and allowing delegation of subdomains to separate name servers.

Delegation and Nameserver Management

Root servers manage top‑level domains (TLDs) and delegate each TLD to its own name servers. To obtain a second‑level domain like chinaz.com, you register with the .com registry, which then delegates management of chinaz.com to your chosen name server.

Two common scenarios for building a private nameserver:

Internal DNS for corporate networks, allowing servers to communicate via names instead of IPs.

Performance‑oriented DNS when the registrar’s default name servers are insufficient, enabling features such as geographic‑aware routing.

DNS Resolution Process

When an application performs a lookup, the glibc library uses /etc/nsswitch.conf to determine the order of resolution, typically checking /etc/hosts first, then DNS. hosts: files dns myhostname The client sends a query to a recursive resolver, which follows these steps:

Query the local recursive resolver for tool.chinaz.com.

If cached, return the result; otherwise continue.

Contact a root server to obtain the .com nameserver address.

Query the .com nameserver for the chinaz.com nameserver.

Query the chinaz.com nameserver for the final tool record and cache the answer.

Return the IP address to the client.

Recursive resolvers are typically provided by ISPs or public services (e.g., Google 8.8.8.8). Authoritative servers store the actual DNS records.

Caching

Resolvers cache responses to reduce latency and load. Cached entries are hierarchical; a resolver that knows chinaz.com can quickly resolve www.chinaz.com by querying only the chinaz.com nameserver.

Smart Resolution (EDNS)

EDNS (Extension Mechanisms for DNS) allows a resolver to include the client’s IP in the query, enabling the server to return the nearest IP address—a technique used by many Chinese DNS providers such as DNSPod.

Domain Registrars

Registrars obtain authority from ICANN to issue second‑level domains. The registrar’s authoritative servers automatically become the domain’s default name servers, though you can replace them with custom servers for better performance or smart routing.

Setting Up a DNS Server with BIND

The main configuration file is /etc/named.conf, which defines zones, logging, security, and recursion settings. Example snippet:

options {
    recursion yes;
    // other options
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
};

Each zone has a separate file (e.g., example.com.zone) containing records such as SOA, A, CNAME, etc.

Key record types:

SOA : Indicates the authoritative server for the zone.

CNAME : Alias record that points one name to another, simplifying IP changes.

Validate configuration with:

named-checkconf
named-checkzone example.com example.com.zone

Start the service and verify:

$ service named start
$ netstat -ntlp | grep :53

Test with dig:

$ dig @127.0.0.1 www.hello.com

DNS Load Balancing

Adding multiple A records for a name enables round‑robin distribution:

www IN A 1.2.3.4
www IN A 1.2.3.5

Clients typically use the first returned IP, while some smart resolvers select the nearest IP based on client location.

Subdomain Delegation

To delegate a subdomain, the parent zone adds an NS record pointing to the child’s name server, and the child zone defines its own SOA record.

a.hello.com IN NS ns.a.hello.com
ns.a.hello.com IN A 203.0.113.10

DNS Debugging Tools

Common utilities include host, nslookup, and dig. dig provides detailed output useful for troubleshooting.

DNS Amplification Attacks

Attackers exploit the disparity between small DNS queries and large responses to overwhelm a target’s bandwidth. By spoofing the source IP, a DNS server can be tricked into sending massive responses to the victim, creating a denial‑of‑service condition.