DNS (Domain Name System)

What is DNS and why is it important to me?

DNS (Domain Name System) is the system that translates human-readable domain names such as example.com into the IP addresses that computers actually connect to. Almost everything on the internet, from web browsing to email delivery, depends on DNS answering correctly.


Who is in control of my DNS?

FullSail Systems manages DNS for all of our clients through Cloudflare, which hosts each client's DNS zone and answers queries for it. We can add, change or remove any record, but for most clients this is rarely necessary.


Why is DNS important to me?

We believe DNS matters, and the statistics back that up. We want your site to be available, protected against tampering and performing as well as possible, and DNS is a key part of all three. This section outlines many of the benefits; it can feel like a lot at first.


What are the DNS Servers?

DNS servers are servers dedicated to DNS tasks: answering queries for the records of a domain, or looking those records up on behalf of clients. DNS is a complex topic with many facets, so we only cover what matters to you.


Is there more than one DNS server?

Yes. There are many DNS servers around the world, and several different kinds are involved in answering a single query. Listed below are the four basic kinds, in the order a lookup visits them, with enough detail to give us a baseline of understanding.

DNS Recursor (recursive resolver)
The server that receives queries from client machines (for instance a web browser, via the operating system's stub resolver). It does the legwork of contacting the other servers below and caches the answers it gets.
Root Name Server
The first server the recursor contacts. It does not know the final answer; it refers the recursor to the name servers for the top-level domain of the requested name (the ".com" servers for example.com).
TLD Name Server
The second step. It hosts the delegation records for a top-level domain such as ".com" or ".org" (the TLD of example.com is ".com", not the whole name) and refers the recursor to the name servers for the specific domain.
Authoritative Name Server
The final server in the process. It holds the actual records for the domain and, when it has the requested record, returns the IP address (or other record data) for the requested name.

So recursive DNS vs. authoritative DNS, what's the difference?

Recursive and authoritative DNS servers are both part of the DNS infrastructure, and both are usually groups of servers rather than a single machine, but that is where the similarities end. They are run by different parties, sit at different points in the lookup, and perform different tasks in the DNS query.


Recursive DNS resolver
This is the first hop in a DNS lookup and the server that deals directly with the client that made the request.

What does "Recursive" mean? Thanks to our friends at Wikipedia: recursion "is a method of solving a problem where the solution depends on solutions to smaller instances of the same problem".

So the recursive resolver is the server that accepts a recursive query from a client and tracks down the DNS record on the client's behalf. It keeps asking, starting at a root server and following each referral, until it reaches the authoritative DNS server and returns the answer (for an A record, an IP address, not a URL), or until it finds nothing and returns an error such as NXDOMAIN. It also caches each answer for the record's TTL so that repeat lookups are answered locally without another walk.
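To make the walk concrete, here is an added example (not FullSail or Cloudflare code) in Go: a toy recursive resolver over three constructed authoritative servers, a root, a .com TLD server and an example.com server, all with made-up addresses and records. It follows referrals from the root down, answers from the authoritative server, returns NXDOMAIN when nobody has the name, and caches answers for their TTL so a repeat lookup never leaves the resolver until the TTL expires.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Record is one constructed resource record. For NS records Data is the name
// of the server; a matching A record on the same server (the "glue") gives its address.
type Record struct {
	Name string
	Type string // "A" or "NS"
	TTL  int    // seconds a resolver may cache the answer
	Data string
}

// Constructed authoritative servers, keyed by a made-up IP address:
// a root server, a .com TLD server and the example.com server.
var servers = map[string][]Record{
	"198.41.0.4": { // root: knows only where the TLD servers are
		{"com.", "NS", 172800, "a.gtld-servers.net."},
		{"a.gtld-servers.net.", "A", 172800, "192.0.2.1"},
	},
	"192.0.2.1": { // .com TLD: knows where example.com's servers are
		{"example.com.", "NS", 172800, "ns1.example.com."},
		{"ns1.example.com.", "A", 172800, "192.0.2.2"},
	},
	"192.0.2.2": { // example.com authoritative: holds the real records
		{"example.com.", "NS", 3600, "ns1.example.com."},
		{"www.example.com.", "A", 300, "192.0.2.10"},
		{"ns1.example.com.", "A", 3600, "192.0.2.2"},
	},
}

var ErrNXDomain = errors.New("NXDOMAIN: no such name")

type cacheEntry struct {
	addr    string
	expires time.Time
}

// Resolver is a toy recursive resolver: it walks the delegation chain and
// caches answers for their TTL. Steps records every server it talks to.
type Resolver struct {
	cache map[string]cacheEntry
	Steps []string
	Now   func() time.Time // injectable clock so TTL expiry can be demonstrated
}

func NewResolver() *Resolver {
	return &Resolver{cache: map[string]cacheEntry{}, Now: time.Now}
}

// Resolve returns the A record for qname, starting at the root and following
// referrals until an authoritative server answers or nobody knows the name.
func (r *Resolver) Resolve(qname string) (string, error) {
	qname = strings.ToLower(qname)
	if !strings.HasSuffix(qname, ".") {
		qname += "."
	}
	if e, ok := r.cache[qname]; ok && r.Now().Before(e.expires) {
		r.Steps = append(r.Steps, "cache hit for "+qname)
		return e.addr, nil
	}
	server, zone := "198.41.0.4", "." // every lookup starts at a root server
	for hop := 0; hop < 16; hop++ { // hop limit guards against delegation loops
		r.Steps = append(r.Steps, fmt.Sprintf("asking %s (zone %s) for %s", server, zone, qname))
		records := servers[server]
		for _, rec := range records { // authoritative answer?
			if rec.Type == "A" && rec.Name == qname {
				r.cache[qname] = cacheEntry{rec.Data, r.Now().Add(time.Duration(rec.TTL) * time.Second)}
				return rec.Data, nil
			}
		}
		// No answer: look for a referral, i.e. an NS record for a zone below the
		// one this server is authoritative for that the query name falls under.
		best, nsName := "", ""
		for _, rec := range records {
			under := qname == rec.Name || strings.HasSuffix(qname, "."+rec.Name)
			if rec.Type == "NS" && under && len(rec.Name) > len(zone) && len(rec.Name) > len(best) {
				best, nsName = rec.Name, rec.Data
			}
		}
		if best == "" {
			return "", ErrNXDomain // authoritative server, no record, no delegation
		}
		next := ""
		for _, rec := range records { // glue address for the next server
			if rec.Type == "A" && rec.Name == nsName {
				next = rec.Data
			}
		}
		if next == "" {
			return "", fmt.Errorf("referral to %s has no glue address", nsName)
		}
		server, zone = next, best
	}
	return "", errors.New("too many referrals")
}

func main() {
	r := NewResolver()
	addr, err := r.Resolve("www.example.com")
	fmt.Println("www.example.com ->", addr, err)
	_, err = r.Resolve("nope.example.com")
	fmt.Println("nope.example.com ->", err)
	for _, s := range r.Steps {
		fmt.Println("  ", s)
	}
}
```

Running it prints the three hops (root, .com, example.com) for the first lookup; a second lookup of the same name within 300 seconds is a cache hit and makes no hops at all, which is exactly what the record's TTL controls.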


Authoritative DNS server

Our last hop, the Authoritative DNS Server holds and serves the actual DNS records.

Cloudflare maintains infrastructure-level nameservers that are integral to the functioning of the Internet. One key example is the f-root server network which Cloudflare is partially responsible for hosting. The F-root is one of the root level DNS nameserver infrastructure components responsible for the billions of Internet requests per day. Our Anycast network puts us in a unique position to handle large volumes of DNS traffic without service interruption.

Cloudflare


What is a DNS record?

DNS records are the entries, kept on a domain's authoritative DNS servers, that tell resolvers how to reach the domain's services. They are traditionally stored as text zone files. Each record has a type (the common ones are listed below), a value, and a TTL (Time-To-Live) in seconds, which tells resolvers how long they may cache the record before asking the authoritative server again. The TTL is what governs how quickly a change propagates: a record with a 3600-second TTL can still be served from caches for up to an hour after you change it.

What are the most common types of DNS record?

Record   Description
A        The IPv4 address of a domain (AAAA is the IPv6 equivalent)
CNAME    Alias that points a name at another domain name
MX       Directs email for the domain to a mail server
TXT      Free-form text; also carries verification tokens and email policies such as SPF, DKIM and DMARC
NS       The name servers that are authoritative for the domain
PTR      Reverse lookup: maps an IP address back to a name
SRV      Locates the host and port for a specific service
SOA      Administrative information about the zone (primary server, contact, serial number, timers)

What are some of the less commonly used DNS records? Cited from Cloudflare

Record     Description
AFSDB      This record is used for clients of the Andrew File System (AFS) developed by Carnegie Mellon. The AFSDB record functions to find other AFS cells.
APL        The 'address prefix list' is an experimental record that specifies lists of address ranges.
CAA        This is the 'certification authority authorization' record; it allows domain owners to state which certificate authorities can issue certificates for that domain. If no CAA record exists, then anyone can issue a certificate for the domain. These records are also inherited by subdomains.
DNSKEY     The 'DNS Key Record' contains a public key used to verify Domain Name System Security Extension (DNSSEC) signatures.
CDNSKEY    This is a child copy of the DNSKEY record, meant to be transferred to a parent.
CERT       The 'certificate record' stores public key certificates.
DHCID      The 'DHCP Identifier' stores info for the Dynamic Host Configuration Protocol (DHCP), a standardized network protocol used on IP networks.
DNAME      The 'delegation name' record creates a domain alias, just like CNAME, but this alias will redirect all subdomains as well. For instance, if the owner of 'example.com' bought the domain 'website.net' and gave it a DNAME record that points to 'example.com', then that pointer would also extend to 'blog.website.net' and any other subdomains.
HIP        This record uses 'Host Identity Protocol', a way to separate the roles of an IP address; this record is used most often in mobile computing.
IPSECKEY   The 'IPSEC key' record works with the Internet Protocol Security (IPSEC), an end-to-end security protocol framework and part of the Internet Protocol Suite (TCP/IP).
LOC        The 'location' record contains geographical information for a domain in the form of longitude and latitude coordinates.
NAPTR      The 'name authority pointer' record can be combined with an SRV record to dynamically create URIs to point to based on a regular expression.
NSEC       The 'next secure record' is part of DNSSEC, and it's used to prove that a requested DNS resource record does not exist.
RRSIG      The 'resource record signature' is a record to store digital signatures used to authenticate records in accordance with DNSSEC.
RP         This is the 'responsible person' record and it stores the email address of the person responsible for the domain.
SSHFP      This record stores the 'SSH public key fingerprints'; SSH stands for Secure Shell and it's a cryptographic networking protocol for secure communication over an insecure network.
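The CAA entry above is the one in this table that a certificate authority actually has to act on, so here is an added example (not FullSail or Cloudflare code) in Go of the decision a CA makes before issuing: find the relevant CAA set by checking the name and then each parent in turn (the "inherited by subdomains" behaviour from RFC 8659), and allow issuance only if that set names the CA. The record data is constructed for this example; the names and CA identifiers are placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// CAA is one Certification Authority Authorization record: flags, tag, value.
type CAA struct {
	Flags uint8
	Tag   string // "issue", "issuewild" or "iodef"
	Value string // CA domain for issue/issuewild; ";" alone means no CA may issue
}

// Constructed CAA data, keyed by fully qualified owner name. Names absent from
// the map simply have no CAA records of their own.
var caaRecords = map[string][]CAA{
	"example.com.":        {{0, "issue", "letsencrypt.org"}, {0, "iodef", "mailto:security@example.com"}},
	"locked.example.com.": {{0, "issue", ";"}},          // nobody may issue here or below
	"wild.example.com.":   {{0, "issuewild", "digicert.com"}}, // only wildcard certs are restricted
}

// relevantCAA implements the RFC 8659 climb: the CAA set for the name itself,
// or for the nearest ancestor that has one. The owner name found is returned
// with it; a nil set means no restriction exists anywhere up the tree.
func relevantCAA(name string) (string, []CAA) {
	name = strings.ToLower(strings.TrimSuffix(name, ".")) + "."
	for name != "." {
		if set, ok := caaRecords[name]; ok {
			return name, set
		}
		name = name[strings.Index(name, ".")+1:] // drop the leftmost label
	}
	return "", nil
}

// MayIssue reports whether CA ca may issue a certificate for name, with the
// reason. Wildcard requests consult issuewild first and fall back to issue.
func MayIssue(name, ca string, wildcard bool) (bool, string) {
	owner, set := relevantCAA(name)
	if set == nil {
		return true, "no CAA record at any level: any CA may issue"
	}
	tag := "issue"
	if wildcard {
		for _, r := range set {
			if r.Tag == "issuewild" {
				tag = "issuewild"
				break
			}
		}
	}
	restricted := false
	for _, r := range set {
		if r.Tag != tag {
			continue
		}
		restricted = true
		// The value may carry parameters after ';' (e.g. "ca.example; validationmethods=dns-01");
		// only the part before the first ';' identifies the issuer. ";" alone names nobody.
		issuer := strings.TrimSpace(strings.SplitN(r.Value, ";", 2)[0])
		if issuer != "" && strings.EqualFold(issuer, ca) {
			return true, fmt.Sprintf("%s %s %q permits %s", owner, tag, r.Value, ca)
		}
	}
	if !restricted {
		return true, fmt.Sprintf("%s has CAA records but none tagged %s: any CA may issue", owner, tag)
	}
	return false, fmt.Sprintf("%s restricts %s to other CAs: %s must refuse", owner, tag, ca)
}

func main() {
	for _, c := range []struct {
		name, ca string
		wild     bool
	}{
		{"www.example.com", "letsencrypt.org", false},
		{"www.example.com", "digicert.com", false},
		{"deep.locked.example.com", "letsencrypt.org", false},
		{"wild.example.com", "digicert.com", true},
		{"example.net", "anyca.example", false},
	} {
		ok, why := MayIssue(c.name, c.ca, c.wild)
		fmt.Printf("%-26s %-16s wildcard=%-5v -> %v (%s)\n", c.name, c.ca, c.wild, ok, why)
	}
}
```

Two points worth noticing in the output: www.example.com has no CAA records of its own, yet Let's Encrypt is allowed and other CAs are refused because the parent's set applies; and the climb stops at the first name that has any CAA records, so locked.example.com's "issue ;" overrides the permissive record at example.com for everything beneath it.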

Why is DNS security important?

So how does the end-user (a human) know that the records they are receiving have not been tampered with?

Standard DNS queries, which are required for almost all web traffic, create opportunities for DNS exploits such as DNS hijacking and man-in-the-middle attacks. These attacks can redirect a website’s inbound traffic to a fake copy of the site, collecting sensitive user information and exposing businesses to major liability. One of the best known ways to protect against DNS threats is to adopt the DNSSEC protocol.

Cloudflare


What is DNSSEC and how does it work?

DNSSEC strengthens the Internet by protecting users from being redirected to fraudulent websites or unintended addresses. Its purpose is to let clients detect counterfeit DNS data by verifying digital signatures on the records they receive. Note that DNSSEC authenticates records; it does not encrypt queries or hide what you look up.

DNSSEC uses a system of keys and digital signatures to verify that data came from the zone owner and was not altered on the way. The zone owner signs each set of records with a private key that never leaves them, and publishes the matching public key in a DNSKEY record and the signature in an RRSIG record. These are ordinary public records, and on their own they prove nothing, since anyone could publish a key. What makes them trustworthy is the chain of trust: the parent zone (for example .com) publishes a DS record containing a hash of the child's public key, the parent's records are signed in turn, and so on up to the root zone, whose key is built into validating resolvers. A validating resolver checks each signature against the published key and each key against the DS record above it. If a signature does not verify, or the key is not vouched for by its parent, the resolver refuses to return the data and answers SERVFAIL rather than handing the client a forged record.
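The signing and checking described above, as an added example (not FullSail's or Cloudflare's code) in Go using Ed25519, which is DNSSEC algorithm 15. The zone side signs a canonically ordered RRset with the private key; the resolver side verifies the RRSIG against the DNSKEY; and DSDigest computes the SHA-256 DS digest (owner name in wire format followed by the DNSKEY RDATA) that the parent would publish to vouch for the key. The key is derived from a fixed seed so the output is reproducible; a real zone uses random key material, and the RRSIG here is simplified to the fields the example needs.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// RR is one resource record in presentation form.
type RR struct {
	Name, Type, Data string
	TTL              uint32
}

// DNSKEY holds a zone's public key. Algorithm 15 is Ed25519 (RFC 8080).
type DNSKEY struct {
	Flags     uint16 // 256 = zone-signing key, 257 = key-signing key (SEP bit)
	Algorithm uint8
	PublicKey ed25519.PublicKey
}

// RRSIG is the signature over one RRset (simplified to the fields used here).
type RRSIG struct {
	TypeCovered string
	SignerName  string
	Signature   []byte
}

// canonical builds the bytes that get signed: the RRSIG fields followed by the
// RRset in canonical (sorted) order, so reordering records does not change the
// signature but altering any record does.
func canonical(sig RRSIG, rrset []RR) []byte {
	lines := make([]string, 0, len(rrset))
	for _, rr := range rrset {
		lines = append(lines, fmt.Sprintf("%s %d IN %s %s", strings.ToLower(rr.Name), rr.TTL, rr.Type, rr.Data))
	}
	sort.Strings(lines)
	return []byte(sig.TypeCovered + "|" + strings.ToLower(sig.SignerName) + "|" + strings.Join(lines, "\n"))
}

// SignRRset is the zone owner's step: it needs the private key.
func SignRRset(priv ed25519.PrivateKey, signer string, rrset []RR) RRSIG {
	sig := RRSIG{TypeCovered: rrset[0].Type, SignerName: signer}
	sig.Signature = ed25519.Sign(priv, canonical(sig, rrset))
	return sig
}

// Validate is the resolver's step: it needs only the public DNSKEY record.
func Validate(key DNSKEY, sig RRSIG, rrset []RR) bool {
	if key.Algorithm != 15 || len(key.PublicKey) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(key.PublicKey, canonical(sig, rrset), sig.Signature)
}

// wireName encodes an owner name as length-prefixed labels ending in a zero byte.
func wireName(name string) []byte {
	var b bytes.Buffer
	if trimmed := strings.TrimSuffix(strings.ToLower(name), "."); trimmed != "" {
		for _, label := range strings.Split(trimmed, ".") {
			b.WriteByte(byte(len(label)))
			b.WriteString(label)
		}
	}
	b.WriteByte(0)
	return b.Bytes()
}

// DSDigest computes the digest the parent publishes in its DS record:
// SHA-256 over owner name (wire format) || DNSKEY RDATA (flags, protocol 3,
// algorithm, public key). This is the link in the chain of trust.
func DSDigest(owner string, key DNSKEY) string {
	var rdata bytes.Buffer
	binary.Write(&rdata, binary.BigEndian, key.Flags)
	rdata.WriteByte(3) // protocol field is always 3 for DNSSEC
	rdata.WriteByte(key.Algorithm)
	rdata.Write(key.PublicKey)
	sum := sha256.Sum256(append(wireName(owner), rdata.Bytes()...))
	return hex.EncodeToString(sum[:])
}

// KeyFromSeed derives a reproducible key pair from a seed string (constructed
// for this example; real zone keys come from a CSPRNG and stay off the public servers).
func KeyFromSeed(seed string) (DNSKEY, ed25519.PrivateKey) {
	s := sha256.Sum256([]byte(seed))
	priv := ed25519.NewKeyFromSeed(s[:])
	return DNSKEY{Flags: 256, Algorithm: 15, PublicKey: priv.Public().(ed25519.PublicKey)}, priv
}

func main() {
	key, priv := KeyFromSeed("example.com zsk")
	rrset := []RR{{"www.example.com.", "A", "192.0.2.10", 300}}
	sig := SignRRset(priv, "example.com.", rrset)
	fmt.Println("genuine RRset validates:", Validate(key, sig, rrset))
	forged := []RR{{"www.example.com.", "A", "198.51.100.66", 300}}
	fmt.Println("forged RRset validates: ", Validate(key, sig, forged))
	fmt.Println("DS digest for parent:   ", DSDigest("example.com.", key))
}
```

The forged record fails because the signature no longer matches the bytes. An attacker who signs the forgery with their own key produces a signature that verifies against their own DNSKEY, but the DS digest of that key is not what the parent published, so a validating resolver still rejects it; that is why the DS record, not the DNSKEY alone, carries the trust.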


What are the steps to enable DNSSEC?

We enable this by default and it is required for all of our clients.


What are some common attacks involving DNS?

DNSSEC is a great starting point, but it is certainly not the only defense we utilize.
Cloudflare's infrastructure helps protect against the following types of attack:

DNS spoofing/cache poisoning
DNS tunnelling
DNS hijacking
NXDOMAIN attacks
Phantom domain attacks
Random subdomain attacks
Domain lock-up attacks
Botnet-based CPE attacks
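Two of the attacks in the list, random subdomain attacks and DNS tunnelling, leave a recognisable trace in a resolver's query log: a client whose queries are almost all for names that do not exist, or whose query names carry long data-bearing leftmost labels. As an added example (not FullSail's or Cloudflare's detection logic) in Go, here is a small detector run over a constructed query log of the form "client qname rcode"; the addresses, names and thresholds are made up for the example and the thresholds would need tuning against real traffic.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// SampleLog is a constructed resolver query log (client, query name, response
// code), not real traffic. 10.0.0.2 browses normally, 10.0.0.5 floods random
// subdomains that do not exist, 10.0.0.9 tunnels data in long leftmost labels.
const SampleLog = `10.0.0.2 www.example.com NOERROR
10.0.0.2 mail.example.com NOERROR
10.0.0.2 cdn.example.net NOERROR
10.0.0.2 www.example.com NOERROR
10.0.0.5 q1z8k3m2x7.example.com NXDOMAIN
10.0.0.5 p0o9i8u7y6.example.com NXDOMAIN
10.0.0.5 l4k3j2h1g0.example.com NXDOMAIN
10.0.0.5 a1s2d3f4g5.example.com NXDOMAIN
10.0.0.9 aGVsbG8gd29ybGQgdGhpcyBpcyBhIHR1bm5lbA.t.example.org NOERROR
10.0.0.9 c2Vjb25kIGNodW5rIG9mIGV4ZmlsIGRhdGE.t.example.org NOERROR
10.0.0.9 dGhpcmQgY2h1bmsgb2YgdGhlIHBheWxvYWQ.t.example.org NOERROR`

// ClientStats accumulates the two signals per source address.
type ClientStats struct {
	Queries, NXDomain int
	LabelChars        int // sum of leftmost-label lengths
}

func (c ClientStats) NXRatio() float64     { return float64(c.NXDomain) / float64(c.Queries) }
func (c ClientStats) AvgLabelLen() float64 { return float64(c.LabelChars) / float64(c.Queries) }

// Analyze parses the log and aggregates per client; malformed lines are skipped
// rather than allowed to crash the detector.
func Analyze(log string) map[string]ClientStats {
	stats := map[string]ClientStats{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue
		}
		client, qname, rcode := f[0], strings.ToLower(f[1]), f[2]
		s := stats[client]
		s.Queries++
		if rcode == "NXDOMAIN" {
			s.NXDomain++
		}
		s.LabelChars += len(strings.SplitN(qname, ".", 2)[0])
		stats[client] = s
	}
	return stats
}

// Thresholds are illustrative assumptions, not measured values.
const (
	nxRatioThreshold  = 0.5  // random-subdomain floods: most names do not exist
	labelLenThreshold = 20.0 // tunnelling: payload packed into long leftmost labels
)

// Reason explains why a client is suspicious, or returns "" if it is not.
func Reason(s ClientStats) string {
	var why []string
	if s.NXRatio() >= nxRatioThreshold {
		why = append(why, fmt.Sprintf("%.0f%% NXDOMAIN (random subdomain attack?)", 100*s.NXRatio()))
	}
	if s.AvgLabelLen() >= labelLenThreshold {
		why = append(why, fmt.Sprintf("avg leftmost label %.1f chars (DNS tunnelling?)", s.AvgLabelLen()))
	}
	return strings.Join(why, "; ")
}

// Flag returns the suspicious clients in sorted order.
func Flag(stats map[string]ClientStats) []string {
	var flagged []string
	for client, s := range stats {
		if Reason(s) != "" {
			flagged = append(flagged, client)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	stats := Analyze(SampleLog)
	for _, client := range Flag(stats) {
		fmt.Printf("%s: %s\n", client, Reason(stats[client]))
	}
}
```

On a real resolver these counters would be kept per client over a sliding window rather than over a whole file, and the NXDOMAIN ratio should be read together with query volume: a single typo produces a 100% NXDOMAIN ratio for a client that has made one query.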