Understanding DNS: From Basics to Advanced Configuration and Security
This article explains the DNS system, its distributed architecture, protocol details, hierarchical database structure, resolution process, server types, configuration with BIND, load balancing, subdomain delegation, and security considerations such as amplification attacks, providing a comprehensive guide for operations and networking professionals.
DNS (Domain Name System) is an Internet service that maps domain names to IP addresses via a distributed database.
Distributed architecture
Supports TCP and UDP, default port 53
Label length limit per level: 63 characters
Total domain length limit: 253 characters
A classic DNS response must fit in 512 bytes of UDP; a larger response is truncated and the client retries the query over TCP, unless the client has advertised a larger UDP buffer (via EDNS), in which case the exchange can stay on UDP.
Hierarchical Database Structure
The DNS hierarchy resembles an inverted tree similar to a Linux file system. For example, the domain tool.chinaz.com is resolved from the root down through the .com TLD, then chinaz, and finally tool.
Each level delegates authority to the next, allowing distributed storage and flexible management.
When to Build Your Own Nameserver
Typical reasons include internal DNS for large corporate networks and dissatisfaction with the performance of registrar‑provided nameservers.
Deploy an internal nameserver to let internal machines use domain names instead of raw IPs.
Replace registrar nameservers with a custom high‑performance server that can provide smart routing.
Top‑Level Domains
There are two categories of TLDs:
Generic TLDs (e.g., .com, .org, .edu)
Country‑code TLDs (e.g., .cn, .us)
Choosing a TLD depends on whether the service is global or region‑specific.
DNS Resolution Process
Clients first consult /etc/nsswitch.conf, which typically contains:
hosts: files dns myhostname
This order checks the local /etc/hosts file before querying DNS.
The resolution steps are:
Client sends a query for tool.chinaz.com to its recursive resolver.
Resolver checks its cache; if absent, it proceeds.
Resolver queries a root server for the .com nameserver address.
Resolver queries the .com nameserver for the chinaz.com nameserver.
Resolver queries the chinaz.com nameserver for the final tool.chinaz.com address.
The result is cached and returned to the client.
Recursive vs Authoritative Servers
Recursive resolvers perform the full lookup chain from the root to the target domain, while authoritative servers store the definitive records for the zones they serve.
Recursive resolvers are typically provided by ISPs or public services (e.g., Google 8.8.8.8).
Caching
Resolvers cache responses to improve performance and reduce load. Caches are hierarchical, so a resolver that knows chinaz.com can quickly resolve subdomains without contacting higher‑level servers.
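The resolution chain and the cache behaviour described in the two sections above, as an added example (not code from the original article): a toy iterative resolver walks a constructed delegation tree from the root through .com to the chinaz.com nameserver, caches both referrals and answers, and on a second lookup under chinaz.com contacts only the zone's own server. Server names, zones and addresses are constructed sample data.

```python
from typing import Dict, List, Optional, Tuple

# Constructed delegation tree: each server answers for the zones it knows, by the
# longest matching suffix of the queried name. Addresses are documentation ranges.
ROOT = "a.root-servers.net"
SERVERS: Dict[str, Dict[str, Tuple[str, str]]] = {
    ROOT: {"com": ("NS", "a.gtld-servers.net")},
    "a.gtld-servers.net": {"chinaz.com": ("NS", "ns1.chinaz.com")},
    "ns1.chinaz.com": {"tool.chinaz.com": ("A", "192.0.2.10"),
                       "www.chinaz.com": ("A", "192.0.2.20")},
}

class Resolver:
    """Iterative resolver with a cache of both referrals (NS) and answers (A)."""
    def __init__(self) -> None:
        self.cache: Dict[str, Tuple[str, str]] = {}
        self.trace: List[str] = []          # servers contacted, for inspection

    def _ask(self, server: str, name: str):
        self.trace.append(server)
        labels = name.split(".")
        for i in range(len(labels)):         # tool.chinaz.com, chinaz.com, com
            zone = ".".join(labels[i:])
            if zone in SERVERS[server]:
                return zone, SERVERS[server][zone]
        return None                          # this server knows nothing about name

    def _closest_cached_ns(self, name: str) -> Optional[str]:
        labels = name.split(".")
        for i in range(1, len(labels)):      # most specific cached delegation first
            hit = self.cache.get(".".join(labels[i:]))
            if hit and hit[0] == "NS":
                return hit[1]
        return None

    def resolve(self, name: str) -> Optional[str]:
        hit = self.cache.get(name)
        if hit and hit[0] == "A":
            return hit[1]                    # answer served straight from cache
        server = self._closest_cached_ns(name) or ROOT
        while True:
            ans = self._ask(server, name)
            if ans is None:
                return None                  # no such name (NXDOMAIN-like)
            zone, (rtype, value) = ans
            self.cache[zone] = (rtype, value)
            if rtype == "A":
                return value if zone == name else None
            server = value                   # referral: follow NS to next level
```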
Smart Resolution (EDNS)
Smart DNS returns the IP closest to the client. It relies on the EDNS extension (its Client Subnet option), which carries the client's IP in the query so the authoritative server can choose a nearby address. DNSPod in China supports EDNS.
Domain Registrars
Registrars provide authoritative nameservers for the domains they sell. You can replace these with custom nameservers (e.g., switching from a registrar’s server to DNSPod for better performance).
Setting Up BIND
The main BIND configuration file is /etc/named.conf, where you define zones, logging, security, and recursion settings.
Zone files specify records such as SOA, A, CNAME, etc.
SOA Record
Marks the start of authority for a zone: it names the zone's primary nameserver and administrative contact and carries the serial number and timer values that secondary servers use.
CNAME Record
Acts as an alias, pointing one name to another’s A record.
After editing, validate with:
named-checkconf
named-checkzone <zone> <zone file>
Start BIND:
$> service named start
Verify the service is listening:
netstat -ntlp
Test resolution with dig against the local resolver.
DNS Load Balancing
Multiple A records for a name enable round‑robin distribution:
www IN A 1.2.3.4
www IN A 1.2.3.5
Compared to LVS, DNS load balancing is simple to implement but lacks health checks and has longer failover times.
Subdomain Delegation
To delegate a.hello.com to a department’s own nameserver:
Configure the department’s BIND zone with an SOA pointing to its nameserver.
Add an NS record for a.hello.com in the parent hello.com zone:
a.hello.com. IN NS ns.a.hello.com.
ns.a.hello.com. IN A xx.xx.xx.xx
The names carry trailing dots so they are not read as relative to the hello.com origin; the A record is the glue that lets resolvers reach the delegated nameserver, since its name lies inside the delegated subdomain.
DNS Debugging Tools
Common utilities: host, nslookup, and dig. The dig output provides detailed query and response information.
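Before handing a zone file to named-checkzone, a small checker can catch the mistakes the zone-file, load-balancing and delegation sections above touch on. This is an added example (not code from the original article or from BIND): it parses a constructed hello.com zone with round-robin www records, a CNAME that wrongly shares its name with an A record, and an a.hello.com delegation whose glue A record is deliberately missing, and reports each finding. Record names and addresses are constructed sample data.

```python
import re
from collections import defaultdict
# Constructed zone: round-robin www, CNAME conflict on mail, a.hello.com delegation without glue.
ZONE = """\
$ORIGIN hello.com.
@     IN SOA   ns1.hello.com. admin.hello.com. ( 2024010101 3600 900 604800 300 )
@     IN NS    ns1.hello.com.
ns1   IN A     192.0.2.1
www   IN A     192.0.2.4
www   IN A     192.0.2.5
mail  IN CNAME www
mail  IN A     192.0.2.6      ; defect: a CNAME owner may hold no other records
a     IN NS    ns.a.hello.com.
"""
RR = re.compile(r"(\S+)\s+(?:IN\s+)?(SOA|NS|A|CNAME)\s+(.+)")
def parse_zone(text):
    """Return (origin, {owner: [(type, rdata)]}); owners fully qualified, no trailing dot."""
    origin, records = "", defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blanks
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
        elif line and not line.startswith("$"):      # other $ directives are ignored
            owner, rtype, rdata = RR.match(line).groups()
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):            # relative name: append origin
                owner = f"{owner}.{origin}"
            records[owner.rstrip(".")].append((rtype, rdata.strip()))
    return origin, dict(records)
def check_zone(text):
    """Findings: SOA count at the apex, CNAME conflicts, delegations lacking glue, round-robin."""
    origin, recs = parse_zone(text)
    findings = []
    soa = sum(t == "SOA" for t, _ in recs.get(origin, []))
    if soa != 1:
        findings.append(f"{origin}: expected exactly one SOA, found {soa}")
    for owner, rrs in recs.items():
        types = [t for t, _ in rrs]
        if "CNAME" in types and len(rrs) > 1:
            findings.append(f"{owner}: CNAME coexists with other records")
        if types.count("A") > 1:
            findings.append(f"{owner}: {types.count('A')} A records (round-robin)")
        for t, target in rrs:                        # delegation: NS below the apex
            target = target.rstrip(".")
            if t == "NS" and owner != origin and target.endswith("." + owner) \
                    and not any(x[0] == "A" for x in recs.get(target, [])):
                findings.append(f"{owner}: in-zone NS {target} needs a glue A record")
    return findings
```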
DNS Amplification Attack
Attackers exploit the fact that a small DNS query can generate a large response, amplifying traffic toward a victim. By spoofing the source IP, the attacker forces DNS servers to flood the target with responses.
Mitigations include query rate limiting and response filtering on authoritative servers.
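The query rate limiting mentioned above, as an added example (not code from the original article or from any DNS server): a per-source sliding-window limiter is replayed over constructed query-log lines in which one source floods the server with ANY queries while a normal client sends a few A queries. The log format and addresses are constructed for the example, not BIND's real log syntax.

```python
from collections import defaultdict, deque

# Constructed sample log: one source sends a burst of ANY queries while a normal
# client sends a few A queries. Format: "<epoch seconds> <client ip> <qname> <qtype>"
LOG = """\
1700000000.00 198.51.100.7 hello.com ANY
1700000000.05 198.51.100.7 hello.com ANY
1700000000.10 198.51.100.7 hello.com ANY
1700000000.15 198.51.100.7 hello.com ANY
1700000000.20 198.51.100.7 hello.com ANY
1700000000.25 198.51.100.7 hello.com ANY
1700000000.30 198.51.100.7 hello.com ANY
1700000000.40 192.0.2.33 www.hello.com A
1700000000.90 192.0.2.33 mail.hello.com A
1700000001.50 198.51.100.7 hello.com ANY
"""

class RateLimiter:
    """Sliding window: at most `limit` queries per `window` seconds per source address."""
    def __init__(self, limit=5, window=1.0):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)          # source ip -> timestamps inside window

    def allow(self, ts, src):
        q = self.seen[src]
        while q and ts - q[0] >= self.window:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False   # over budget: drop, or answer with TC=1 so a real client retries over TCP
        q.append(ts)
        return True

def apply_limits(log, limit=5, window=1.0):
    """Replay the log; return ({source: dropped count}, number of queries answered)."""
    rl = RateLimiter(limit, window)
    dropped = defaultdict(int)
    allowed = 0
    for line in log.splitlines():
        ts, src, qname, qtype = line.split()
        if rl.allow(float(ts), src):
            allowed += 1
        else:
            dropped[src] += 1
    return dict(dropped), allowed
```

Because the flooding source never sees the dropped or truncated replies (it spoofed the victim's address), the limiter caps what reaches the victim while the legitimate client is unaffected.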
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact and we will review it promptly.
MaGe Linux Operations