DNS (Domain Name System) is the system that translates human-readable domain names into IP addresses. The whole internet depends on DNS to function properly.
FullSail Systems controls all of our clients' DNS requests and records through a service called Cloudflare. We can change and adjust all records, but for the most part this is not necessary.
We believe in the importance of DNS, and the statistics don't lie. We want to ensure that your site is always available, completely safe and performing at the highest level possible, and DNS is key to each of these. We have outlined many of the benefits in this section, but it can be overwhelming at first.
DNS servers are servers dedicated to performing DNS-specific tasks. DNS is a complex topic with many facets, so we will cover only what is important to you.
Yes, there are many DNS servers located around the globe to ensure the proper routing of all web traffic. Listed below are the basic server types with some general information about each, so that we have a baseline of understanding.
First, recursive DNS servers and authoritative DNS servers are located in different places. Both are servers, or in many cases groups of servers, that form part of the DNS infrastructure, but that is where the similarities end: each performs a different task in the DNS query.
Recursive DNS resolver
This is the first hop in a DNS lookup and is responsible for handling the user who made the request.
What does “recursive” mean? As our friends at Wikipedia put it, recursion “is a method of solving a problem where the solution depends on solutions to smaller instances of the same problem”.
So the recursive resolver is the server that responds to a recursive request from a user and tracks down the DNS record on that user's behalf. It keeps making requests until it reaches the authoritative DNS server and returns the answer (typically an IP address), or finds nothing and returns an error.
Our last hop, the authoritative DNS server, holds and serves the actual DNS records.
Cloudflare maintains infrastructure-level nameservers that are integral to the functioning of the Internet. One key example is the F-root server network, which Cloudflare is partially responsible for hosting. The F-root is one of the root-level DNS nameserver infrastructure components responsible for the billions of Internet requests per day. Our Anycast network puts us in a unique position to handle large volumes of DNS traffic without service interruption.
DNS records are instructions that live on authoritative DNS servers and provide information about a domain. These records are stored as text files and include a TTL (Time-To-Live) that tells a DNS server how long it may keep the record before it must refresh it.
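To make the recursive/authoritative split and the TTL concrete, here is an added example (not FullSail's or Cloudflare's code) of a toy recursive resolver. It walks constructed in-memory zones from the root down to the authoritative zone, records each hop, and caches the answer for the record's TTL; the zone names, addresses and TTLs are made up for illustration.

```python
# Added example (not FullSail's or Cloudflare's code): a toy recursive resolver
# walking constructed in-memory zones from the root down to the authoritative
# server, caching answers for their TTL. Zone contents and names are made up.
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # owner name, fully qualified (trailing dot)
    rtype: str  # A, NS, MX, ...
    value: str  # record data
    ttl: int    # seconds a resolver may cache this record


# Constructed authoritative data: a root zone, the "com." zone and one customer zone.
ZONES = {
    ".": [Record("com.", "NS", "a.gtld-servers.example.", 172800)],
    "com.": [Record("example.com.", "NS", "ns1.example.com.", 86400)],
    "example.com.": [
        Record("www.example.com.", "A", "192.0.2.10", 300),
        Record("example.com.", "MX", "10 mail.example.com.", 3600),
        Record("mail.example.com.", "A", "192.0.2.25", 300),
    ],
}


def zone_answer(zone, qname, qtype):
    """Emulate one authoritative server for `zone`.

    Returns ("answer", records) when the zone holds the requested records,
    ("referral", ns_records) when the name belongs to a delegated child zone,
    or ("nodata", []) when the zone knows nothing about the name.
    """
    records = ZONES[zone]
    exact = [r for r in records if r.name == qname and r.rtype == qtype]
    if exact:
        return "answer", exact
    for r in records:
        if r.rtype == "NS" and (qname == r.name or qname.endswith("." + r.name)):
            return "referral", [r]
    return "nodata", []


class RecursiveResolver:
    """The 'first hop': answers a client's query by iterating over authoritative zones."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so TTL expiry can be demonstrated offline
        self.cache = {}             # (qname, qtype) -> (expires_at, records)

    def resolve(self, qname, qtype):
        """Return (values, trace); trace lists each zone consulted, or ["cache"] on a cache hit."""
        key = (qname, qtype)
        now = self.clock()
        cached = self.cache.get(key)
        if cached and cached[0] > now:
            return [r.value for r in cached[1]], ["cache"]

        trace, zone = [], "."
        while True:
            trace.append(zone)
            kind, recs = zone_answer(zone, qname, qtype)
            if kind == "answer":
                # Cache for the shortest TTL in the set; after that the record must be re-fetched.
                self.cache[key] = (now + min(r.ttl for r in recs), recs)
                return [r.value for r in recs], trace
            if kind == "referral" and recs[0].name in ZONES and recs[0].name != zone:
                zone = recs[0].name      # follow the delegation one level down
                continue
            return [], trace             # no such name / no such record type


if __name__ == "__main__":
    resolver = RecursiveResolver()
    print(resolver.resolve("www.example.com.", "A"))   # walks ".", "com.", "example.com."
    print(resolver.resolve("www.example.com.", "A"))   # served from cache within the 300 s TTL
```

The injected clock is what lets you watch a TTL expire: the second query is answered from the resolver's cache, and once the 300 seconds have passed the resolver has to walk the delegation chain again. Real resolvers also validate that referrals point to the right servers and handle glue records; this model leaves that out.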
What are the most common types of DNS record?
| Record | Purpose |
|---|---|
| A | Record of the IP address of a domain |
| CNAME | Record that forwards a domain to another domain |
| MX | Record that directs email to an email server |
| TXT | Record of text notes |
| NS | Record of the name server |
| PTR | Record of reverse domain name lookups |
| SRV | Record that is used for port specific services |
| SOA | Record that stores administration information about a domain |
What are some of the less commonly used DNS records? Cited from Cloudflare
| Record | Purpose |
|---|---|
| AFSDB | This record is used for clients of the Andrew File System (AFS) developed by Carnegie Mellon. The AFSDB record functions to find other AFS cells. |
| APL | The ‘address prefix list’ is an experimental record that specifies lists of address ranges. |
| CAA | This is the ‘certification authority authorization’ record; it allows domain owners to state which certificate authorities can issue certificates for that domain. If no CAA record exists, then anyone can issue a certificate for the domain. These records are also inherited by subdomains. |
| DNSKEY | The ‘DNS Key Record’ contains a public key used to verify Domain Name System Security Extension (DNSSEC) signatures. |
| CDNSKEY | This is a child copy of the DNSKEY record, meant to be transferred to a parent. |
| CERT | The ‘certificate record’ stores public key certificates. |
| DHCID | The ‘DHCP Identifier’ stores info for the Dynamic Host Configuration Protocol (DHCP), a standardized network protocol used on IP networks. |
| DNAME | The ‘delegation name’ record creates a domain alias, just like CNAME, but this alias will redirect all subdomains as well. For instance, if the owner of ‘example.com’ bought the domain ‘website.net’ and gave it a DNAME record that points to ‘example.com’, then that pointer would also extend to ‘blog.website.net’ and any other subdomains. |
| HIP | This record uses ‘Host Identity Protocol’, a way to separate the roles of an IP address; this record is used most often in mobile computing. |
| IPSECKEY | The ‘IPSEC key’ record works with the Internet Protocol Security (IPSEC), an end-to-end security protocol framework and part of the Internet Protocol Suite (TCP/IP). |
| LOC | The ‘location’ record contains geographical information for a domain in the form of longitude and latitude coordinates. |
| NAPTR | The ‘name authority pointer’ record can be combined with an SRV record to dynamically create URIs to point to based on a regular expression. |
| NSEC | The ‘next secure record’ is part of DNSSEC, and it’s used to prove that a requested DNS resource record does not exist. |
| RRSIG | The ‘resource record signature’ is a record to store digital signatures used to authenticate records in accordance with DNSSEC. |
| RP | This is the ‘responsible person’ record and it stores the email address of the person responsible for the domain. |
| SSHFP | This record stores the ‘SSH public key fingerprints’; SSH stands for Secure Shell and it’s a cryptographic networking protocol for secure communication over an unsecured network. |
So how does the end user (a human) know that the records they receive have not been tampered with?
Standard DNS queries, which are required for almost all web traffic, create opportunities for DNS exploits such as DNS hijacking and man-in-the-middle attacks. These attacks can redirect a website’s inbound traffic to a fake copy of the site, collecting sensitive user information and exposing businesses to major liability. One of the best known ways to protect against DNS threats is to adopt the DNSSEC protocol.
DNSSEC attempts to strengthen the Internet by helping protect users from redirection to fraudulent websites and unintended addresses through a chain of trust. The purpose of DNSSEC is to protect clients from counterfeit DNS data by verifying digital signatures.
DNSSEC uses a system of keys and digital signatures to verify the legitimacy of data. These are published as ordinary public records (RRSIG and DNSKEY); however, a public key is no good on its own. The zone owner signs its records with a private key that never leaves the zone, and the resulting signatures are served as RRSIG records. When you make a request, a validating resolver checks those signatures against the public key in the DNSKEY record. If the signature does not verify, the resolver rejects the data and the user receives an error rather than the incorrect answer.
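As an added example (not FullSail's or Cloudflare's code), the toy model below walks through the signing and validation flow just described: the zone owner signs an RRset with a private key (producing an RRSIG-like record), publishes the public key as a DNSKEY, and the parent zone publishes a hash of that key as a DS record so the resolver can anchor its chain of trust. The RSA key is built from two small known primes and real signature padding is omitted, so it demonstrates the flow, not a production-safe signature scheme; every record, key and address in it is constructed.

```python
# Added example (not FullSail's or Cloudflare's code): a toy model of DNSSEC.
# The zone owner signs an RRset with a private key (RRSIG), publishes the public key
# (DNSKEY), and the parent zone publishes a hash of that key (DS) so a resolver can
# build a chain of trust. The RSA key below is deliberately tiny and padding is
# omitted: this shows the flow, not a production-safe signature scheme.
import hashlib

# Toy key pair built from two known Mersenne primes (constructed for illustration only).
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent; stays with the zone owner

ZONE = "example.com."
# Public key, published in the zone as a DNSKEY-like record.
DNSKEY = {"owner": ZONE, "algorithm": "toy-rsa-sha256", "n": N, "e": E}


def canonical(rrset):
    """Canonical form of an RRset (sorted, one record per line) so signer and verifier hash identical bytes."""
    return "\n".join(sorted(f"{name} {ttl} {rtype} {data}" for name, ttl, rtype, data in rrset)).encode()


def rrset_digest(rrset, n):
    """Hash the RRset and reduce it into the key's modulus (toy substitute for real padding)."""
    return int.from_bytes(hashlib.sha256(canonical(rrset)).digest(), "big") % n


def sign_rrset(rrset, d=D, n=N):
    """Zone owner side: produce an RRSIG-like record covering the whole RRset."""
    return {"type_covered": rrset[0][2], "signer": ZONE, "signature": pow(rrset_digest(rrset, n), d, n)}


def validate_rrset(rrset, rrsig, dnskey):
    """Resolver side: the public key must turn the signature back into the digest of what was received."""
    recovered = pow(rrsig["signature"], dnskey["e"], dnskey["n"])
    return recovered == rrset_digest(rrset, dnskey["n"])


def ds_record(dnskey):
    """Digest of a DNSKEY as the parent zone would publish it in a DS record."""
    material = f"{dnskey['owner']}|{dnskey['algorithm']}|{dnskey['n']}|{dnskey['e']}".encode()
    return hashlib.sha256(material).hexdigest()


def dnskey_matches_ds(dnskey, ds_digest):
    """Chain of trust: the child's DNSKEY is trusted only if it hashes to the DS the parent published."""
    return ds_record(dnskey) == ds_digest


# Constructed records: the genuine answer, its signature, and the DS the parent zone holds.
WWW_A = [("www.example.com.", 300, "A", "192.0.2.10")]
RRSIG_WWW_A = sign_rrset(WWW_A)
DS_IN_PARENT = ds_record(DNSKEY)


def resolver_accepts(rrset, rrsig, dnskey, ds_digest):
    """Full validating-resolver decision: key anchored by DS, and signature valid over the data received."""
    return dnskey_matches_ds(dnskey, ds_digest) and validate_rrset(rrset, rrsig, dnskey)


if __name__ == "__main__":
    print(resolver_accepts(WWW_A, RRSIG_WWW_A, DNSKEY, DS_IN_PARENT))     # True
    forged = [("www.example.com.", 300, "A", "198.51.100.99")]            # address swapped in transit
    print(resolver_accepts(forged, RRSIG_WWW_A, DNSKEY, DS_IN_PARENT))    # False: signature no longer matches
```

Two failure modes are worth noticing. An altered answer fails because the digest the resolver computes no longer matches what the signature unlocks; and an answer signed with some other key fails because that key does not hash to the DS record the parent zone published, which is what makes the scheme a chain of trust rather than a single self-asserted key.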
We enable this by default and it is required for all of our clients.
DNSSEC is a great starting point but it is certainly not the only defense we utilize.
Cloudflare also helps protect against the following types of attack:
DNS spoofing/cache poisoning
Phantom domain attacks
Random subdomain attacks
Domain lock-up attacks
Botnet-based CPE attacks