Understanding DNS: From Hostnames to Secure Queries and Packet Anatomy
This article provides a comprehensive overview of the Domain Name System, explaining how hostnames map to IP addresses, the hierarchical distributed design of DNS servers, query processes, caching mechanisms, packet structures, common attack vectors, and defensive measures such as DNSSEC.
What Is DNS?
Humans identify themselves with IDs like passports or driver’s licenses, while computers use hostnames (e.g., www.google.com) that are easy for people to remember but not for routers, which prefer fixed‑length, hierarchical IP addresses.
An IPv4 address is four bytes, each written as a decimal number (0‑255) and separated by dots, e.g., 121.7.106.83. Routers operate on IP addresses, so a translation layer, the Domain Name System (DNS), is required to resolve hostnames to IPs.
DNS Basics
DNS is a distributed hierarchical database implemented by DNS servers (often running BIND on UNIX). It operates over UDP port 53 and follows a client‑server model similar to HTTP, FTP, and SMTP, but users never interact with DNS directly; applications request hostname resolution on their behalf.
Typical Resolution Flow
The user’s machine runs a DNS client.
The browser extracts the hostname from the URL and passes it to the DNS client.
The client sends a query containing the hostname to a DNS server.
The server replies with the corresponding IP address.
The browser then opens a TCP connection to that IP on port 80 (or 443 for HTTPS).
Beyond simple hostname‑to‑IP mapping, DNS also provides host aliasing, mail server aliasing, and load distribution across multiple servers.
DNS Architecture
Early DNS designs were centralized, which caused single‑point‑of‑failure, capacity, latency, and maintenance problems. Modern DNS uses a distributed hierarchical design with three server types:
Root DNS servers (≈400 worldwide, managed by 13 organizations).
Top‑Level Domain (TLD) servers (e.g., com, org, country codes).
Authoritative DNS servers that store the actual records for domains.
When resolving www.amazon.com, the client first contacts a root server, receives the TLD server’s IP for com, then contacts that TLD server to obtain the authoritative server’s IP, and finally queries the authoritative server for the final IP address.
DNS Query Process
User types a URL (e.g., www.example.com) and presses Enter.
The DNS resolver sends a query to a root server requesting the TLD server’s address.
The root server returns the IP of the com TLD server.
The resolver queries the TLD server for the domain’s authoritative server.
The TLD server returns the authoritative server’s IP.
The resolver queries the authoritative server.
The authoritative server returns the answer record (IP address).
The resolver forwards the IP to the browser.
After the answer is cached locally, subsequent lookups may skip many steps.
Resolver Types
A DNS resolver is the software on a workstation or router that initiates the query sequence. It must be configured with at least one DNS server address.
Query Types
Recursive query: the resolver must return the final answer or an error.
Iterative query: the server returns a referral to a lower‑level server.
Non‑recursive query: the server answers from its cache if it has the record.
DNS Caching
Caching occurs at multiple layers:
Browser cache: stores recent DNS records to reduce network trips.
Operating‑system cache: the OS resolver checks its local cache before contacting external servers.
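An added example, not code from the article: a small Python simulation of the query process, query types, and caching described above. Three in-memory tables stand in for the root, TLD, and authoritative tiers (constructed zone data with documentation-range addresses, no real servers are contacted), each iterative exchange returns either an answer or a referral, and the resolver caches answers with an absolute expiry so that lookups within the TTL skip every step.

```python
# Constructed in-memory stand-ins for the three server tiers, using documentation-range
# addresses (RFC 5737); nothing here contacts a real server. Each authoritative answer is (IP, TTL).
SERVERS = {
    "192.0.2.1": {"referral": {"com": "192.0.2.2"}},                      # root: knows the com TLD server
    "192.0.2.2": {"referral": {"example.com": "192.0.2.3"}},              # com TLD: knows the authoritative server
    "192.0.2.3": {"answer": {"www.example.com": ("198.51.100.7", 300)}},  # authoritative zone data
}

def ask(server_ip, qname):
    """One iterative exchange: the server answers from its own zone or refers to a more specific server."""
    zone = SERVERS[server_ip]
    if qname in zone.get("answer", {}):
        ip, ttl = zone["answer"][qname]
        return "answer", ip, ttl
    labels = qname.split(".")
    for i in range(1, len(labels)):         # most specific suffix first: example.com before com
        suffix = ".".join(labels[i:])
        if suffix in zone.get("referral", {}):
            return "referral", zone["referral"][suffix], None
    return "nxdomain", None, None

class Resolver:
    """Recursive resolver as the client sees it: consult the cache, otherwise walk the hierarchy."""
    def __init__(self, root_ip, clock):
        self.root_ip, self.clock, self.cache = root_ip, clock, {}

    def resolve(self, qname):
        """Return (ip, trace); trace lists each server asked and what it said. Empty trace = cache hit."""
        hit = self.cache.get(qname)
        if hit and hit[1] > self.clock():     # honour the TTL: expired entries are discarded
            return hit[0], []
        server, trace = self.root_ip, []
        for _ in range(8):                    # bound the referral chain
            kind, value, ttl = ask(server, qname)
            trace.append((server, kind))
            if kind == "answer":
                self.cache[qname] = (value, self.clock() + ttl)   # absolute expiry time
                return value, trace
            if kind != "referral":
                raise LookupError(f"{qname}: {kind}")
            server = value                    # follow the referral to the next tier
        raise LookupError(f"{qname}: too many referrals")
```

The clock is injected so that TTL expiry can be driven deterministically; with a real resolver, substitute time.monotonic.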
DNS Message Format
DNS messages consist of a header (12 bytes) followed by four sections: Question, Answer, Authority, and Additional. The header contains fields such as Transaction ID, Flags, Question Count, Answer Count, Authority Count, and Additional Count.
Key flag bits include:
QR – query (0) or response (1).
OpCode – operation code (0 = standard query).
AA – authoritative answer.
TC – truncated.
RD – recursion desired.
RA – recursion available.
RCODE – response code (0 = no error).
Each resource record (RR) in the Answer, Authority, or Additional sections contains:
Domain name
Type (e.g., A, AAAA, CNAME, MX, PTR, SRV)
Class (usually IN for Internet)
TTL (time‑to‑live in seconds)
Data length
RDATA (the actual record data, such as an IP address)
Example: a response for mobile-gtalk.l.google.com may contain an A record with IP 63.233.189.188, TTL 5 s.
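An added example, not code from the article: a minimal Python parser for the message layout described above (12-byte header, then Question and resource-record sections), including the label compression pointers that real responses use for repeated names. The sample message is constructed here from the page's example values (the name, 63.233.189.188, TTL 5) rather than captured from the wire, and the parser refuses truncated records and pointer loops instead of trusting them.

```python
import struct
def encode_name(hostname):  # hostname -> DNS label sequence terminated by a zero byte
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in hostname.split(".")) + b"\x00"
# Constructed response (not a wire capture) from the page's example values: ID 0x1234, flags 0x8180
# (QR=1, RD=1, RA=1, RCODE=0), one question, one A answer whose owner name is the pointer 0xC00C to offset 12.
SAMPLE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("mobile-gtalk.l.google.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 5, 4) + bytes([63, 233, 189, 188])
)

def read_name(msg, off, depth=0):  # decode labels at off -> (name, offset just after the name)
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n & 0xC0 == 0xC0:                     # two-byte compression pointer to an earlier name
            if depth > 10:                       # bounded chasing resists pointer loops
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(msg, ptr, depth + 1)[0])
            return ".".join(labels), off + 2     # a pointer ends the name; the stream resumes after it
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def parse(msg):  # -> (header dict, [(qname, qtype, qclass)], [(name, type, class, ttl, rdata)])
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])   # fixed 12-byte header
    header = {"id": tid, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "aa": (flags >> 10) & 1,
              "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1, "rcode": flags & 0xF}
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    for _ in range(an + ns + ar):                # Answer, Authority, Additional share one RR layout
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if len(rdata) != rdlen:                  # truncated message: do not trust a partial record
            raise ValueError("RDATA length exceeds message")
        off += rdlen
        if rtype == 1 and rdlen == 4:            # A record: render as a dotted quad
            rdata = ".".join(str(b) for b in rdata)
        records.append((name, rtype, rclass, ttl, rdata))
    return header, questions, records
```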
SOA Record
Authoritative servers include a Start‑of‑Authority (SOA) record containing primary name server (PNAME), responsible mailbox (RNAME), serial number, refresh interval, retry interval, and expiry limit.
DNS Security Threats
DoS/DDoS attacks overload root or TLD servers.
DNS spoofing injects false records.
DNS tunneling hides other protocols inside DNS traffic.
DNS hijacking redirects queries to malicious servers.
Defenses include:
DNSSEC – adds digital signatures to DNS data to verify authenticity.
DNS firewalls – rate‑limit queries, provide cached responses during attacks, and filter malicious traffic.
Conclusion
The article covers DNS fundamentals, hierarchical design, query workflow, caching, packet structure, common attack vectors, and mitigation techniques, giving readers a solid foundation for understanding and troubleshooting DNS in both everyday use and security‑focused contexts.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)