Beginner → Intermediate ⏱ 60-75 Minutes Prereq: Module 05

DNS & Name Resolution

The Domain Name System (DNS) is the critical infrastructure that translates human-readable domain names into machine-routable IP addresses. Understanding DNS is essential for network troubleshooting, reconnaissance, and exploitation.

1. What Is DNS?

DNS stands for Domain Name System. It serves as the phonebook of the Internet. Humans access information online through domain names like google.com or thevoid.io. Web browsers, however, interact through Internet Protocol (IP) addresses.

DNS translates domain names to IP addresses so browsers can load Internet resources. Without DNS, you would have to type 142.250.190.46 instead of google.com.

2. How Name Resolution Works

When you type a URL into your browser, a specific sequence of checks occurs to find the correct IP address:

  1. Request: User types example.com.
  2. Browser Cache: The browser checks if it has seen this domain recently.
  3. OS Cache & Hosts: The OS checks its own cache and the local hosts file.
  4. Resolver Query: If not found locally, the query is sent to a Recursive Resolver (usually provided by your ISP or Google's 8.8.8.8).
  5. Root Server: The resolver asks the Root Server (.).
  6. TLD Server: The Root directs the resolver to the Top-Level Domain (TLD) server (e.g., .com).
  7. Authoritative Server: The TLD server directs to the Authoritative Name Server responsible for the specific domain.
  8. Response: The Authoritative Server returns the final IP address to the resolver, which passes it to your computer.


DNS Transport Protocol

DNS primarily uses UDP port 53 for speed and low overhead.

However, it switches to TCP port 53 when:

  • The response size exceeds 512 bytes (e.g., Zone Transfers).
  • DNSSEC verification is involved (larger packets).
  • Reliable delivery or larger responses are otherwise required.

Modern DNS also uses EDNS0 (Extension Mechanisms for DNS) to allow UDP responses larger than 512 bytes without immediately switching to TCP.

DNS Packet Structure (Simplified)

Understanding the bits on the wire is crucial for analysis. A DNS packet contains:

  • Header: Transaction ID, Flags (Query/Response, Recursion Desired), and Counts.
  • Question Section: The domain name requested + Record Type (A, MX).
  • Answer Section: The RRs (Resource Records) answering the question.
  • Authority Section: Authoritative Name Servers for the domain.
  • Additional Section: Extra helpful data (like IP addresses for the Name Servers).

Wireshark displays DNS traffic broken down exactly into these sections.
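Added example (not code from the original module): a small Python script that builds a query and parses a constructed response, so the header, question and answer sections described above can be seen byte by byte. The response bytes, the transaction ID 0x1234 and the address 192.0.2.1 (an RFC 5737 documentation address) are constructed for this example; name compression pointers (the 0xC00C in the answer) are handled the way a real resolver must handle them.

```python
import struct

def encode_name(name):
    """Encode a dotted hostname as DNS labels: length byte + label, ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid, name, qtype=1, rd=True):
    """Build a standard query: 12-byte header, then one question (QCLASS 1 = IN)."""
    flags = 0x0100 if rd else 0x0000          # QR=0 (query), opcode 0, RD bit set when recursion is wanted
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1, AN/NS/ARCOUNT=0
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(msg, offset):
    """Decode a (possibly compressed) name at offset; return (name, offset just after it)."""
    labels = []
    end = None                                # offset after the name at its original position
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:             # 11xxxxxx: 14-bit pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_message(msg):
    """Parse the header, question section and answer section (authority/additional are left unparsed)."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:          # A record: render the four bytes as a dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {
        "id": txid,
        "qr": flags >> 15,                    # 0 = query, 1 = response
        "rd": (flags >> 8) & 1,               # Recursion Desired
        "rcode": flags & 0xF,                 # 0 = NOERROR, 3 = NXDOMAIN
        "questions": questions,
        "answers": answers,
        "nscount": nscount,
        "arcount": arcount,
    }

def build_sample_response(txid=0x1234):
    """Constructed response: example.com A -> 192.0.2.1 (RFC 5737 documentation address), TTL 300."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, 1 question, 1 answer
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    # The answer's owner name is a compression pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

if __name__ == "__main__":
    print(parse_message(build_query(0x1234, "example.com")))
    print(parse_message(build_sample_response()))
```

Comparing the parsed dictionaries with the same packet opened in Wireshark is a quick way to confirm which bytes belong to which section; the transaction ID and the question name are the two fields a resolver must match before it accepts any answer.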

3. DNS Hierarchy

DNS uses a distributed, hierarchical structure. No single server holds the entire internet's directory. Authority is delegated down a chain.

Root DNS Servers (.)
↓
TLD Servers (.com, .org, .net)
↓
Authoritative Servers (example.com)

Root Servers: There are 13 logical root server sets worldwide. They are the starting point for all recursive searches.
TLD Servers: Maintain information for all domain names sharing a common domain extension (like .com).
Authoritative Servers: Hold the actual DNS records for a specific domain.

4. DNS Record Types Explained

DNS is not just about mapping names to IPs. Different "Record Types" define different functions for a domain.

Record  Full Name        Purpose
A       Address          Maps a hostname to an IPv4 address (e.g., 192.168.1.1).
AAAA    Quad A           Maps a hostname to an IPv6 address.
MX      Mail Exchange    Specifies the mail server responsible for accepting email.
CNAME   Canonical Name   Aliases one name to another (e.g., www to non-www).
NS      Name Server      Delegates a DNS zone to specific Authoritative Name Servers.
TXT     Text             Stores text-based information, often used for SPF/DKIM verification.

TTL (Time To Live)

Every DNS record includes a TTL value (in seconds). This tells resolvers how long to cache the record before asking for it again.

Low TTL (e.g., 60s): Fast updates, good for migration. Higher server load.
High TTL (e.g., 86400s): Slow propagation of changes. Lower server load.


5. Recursive vs Iterative Queries

๐Ÿ” The Distinction

Recursive Query: "I need the IP for google.com. Go find it and don't come back until you have the answer." (Client to Resolver).

Iterative Query: "I need the IP. If you don't have it, tell me who I should ask next." (Resolver to Root/TLD Servers).

Most client devices perform recursive queries, relying on the ISP's DNS resolver to do the heavy lifting of iterative queries across the internet.
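Added example (not code from the original module) covering both the resolution sequence from section 2 and the recursive/iterative distinction above: a toy recursive resolver in Python that accepts a client's recursive query, then walks root → TLD → authoritative with iterative queries, caching the answer for its TTL. The namespace (the server ids "root", "tld-com", "auth-example" and the 192.0.2.x addresses) is an in-memory stand-in constructed for the example, so it runs with no network access.

```python
# Constructed toy namespace standing in for the real hierarchy: root -> TLD -> authoritative.
SERVERS = {
    "root": {"type": "referral", "zones": {"com": "tld-com", "org": "tld-org"}},
    "tld-com": {"type": "referral", "zones": {"example.com": "auth-example"}},
    "tld-org": {"type": "referral", "zones": {}},
    "auth-example": {
        "type": "authoritative",
        "records": {                               # name -> (IPv4 address, TTL seconds); RFC 5737 addresses
            "example.com": ("192.0.2.1", 300),
            "www.example.com": ("192.0.2.2", 60),
        },
    },
}

def ask(server_id, name):
    """One iterative query to one server. Returns ('answer', ip, ttl), ('referral', next_server) or ('nxdomain',)."""
    server = SERVERS[server_id]
    if server["type"] == "authoritative":
        record = server["records"].get(name)
        return ("answer", record[0], record[1]) if record else ("nxdomain",)
    # Referral servers hand back the child zone whose suffix matches the name most specifically.
    best = None
    for zone, child in server["zones"].items():
        if (name == zone or name.endswith("." + zone)) and (best is None or len(zone) > len(best[0])):
            best = (zone, child)
    return ("referral", best[1]) if best else ("nxdomain",)

class RecursiveResolver:
    """Plays the ISP/public resolver: takes a client's recursive query and does the iterative walk."""

    def __init__(self):
        self.cache = {}   # name -> (ip, absolute expiry time)

    def resolve(self, name, now):
        """Return (ip or None, list of servers consulted). 'now' is a clock in seconds, used for TTL expiry."""
        name = name.rstrip(".").lower()
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0], ["cache"]
        trace = []
        server_id = "root"
        for _ in range(8):                          # hop limit: a misdelegated zone must not loop forever
            trace.append(server_id)
            reply = ask(server_id, name)
            if reply[0] == "answer":
                _, ip, ttl = reply
                self.cache[name] = (ip, now + ttl)  # honour the record's TTL
                return ip, trace
            if reply[0] == "referral":
                server_id = reply[1]
                continue
            return None, trace                      # NXDOMAIN (negative answers are not cached here)
        return None, trace

if __name__ == "__main__":
    resolver = RecursiveResolver()
    print(resolver.resolve("www.example.com", now=0))    # full walk: root -> tld-com -> auth-example
    print(resolver.resolve("www.example.com", now=30))   # served from cache (TTL 60)
    print(resolver.resolve("www.example.com", now=61))   # TTL expired, walk again
```

The trace returned with each answer is the list of servers the resolver had to ask; the second call at now=30 shows why a low TTL (section 4) means more upstream queries and a high TTL means a stale record lingers longer.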

6. Local DNS Cache & Hosts File

Before checking the network, your OS checks two local sources.

The Hosts File

A manual override file that maps hostnames to IP addresses. It takes precedence over DNS.

  • Linux/Mac: /etc/hosts
  • Windows: C:\Windows\System32\drivers\etc\hosts

โš ๏ธ Security Risk: Hosts File

Malware often modifies the hosts file to redirect legitimate banking URLs to a malicious IP address controlled by the attacker. This bypasses DNS entirely.
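Added example (not code from the original module): a Python check that parses a hosts file and reports any entry overriding a domain that should only ever be reached through DNS, which is the tampering pattern described above. The sample file contents, the domain examplebank.com and the address 198.51.100.7 (RFC 5737 documentation range) are constructed for the example; on a real system the same functions would be run over the file paths listed above.

```python
SAMPLE_HOSTS = """\
# Constructed sample hosts file (not taken from any real machine)
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.20    printer.lan
198.51.100.7    www.examplebank.com examplebank.com   # should never be here: a public site pinned to a fixed IP
0.0.0.0         ads.tracker.example                   # blackholing an ad host is a common, benign use
"""

def parse_hosts(text):
    """Return [(ip, hostname, line_no)] for every mapping; comments and blank lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, hostnames = fields[0], fields[1:]   # one IP may be followed by several hostnames
        for host in hostnames:
            entries.append((ip, host.lower().rstrip("."), line_no))
    return entries

def audit_hosts(text, watched_domains):
    """Flag any hosts-file entry that overrides a watched public domain or one of its subdomains.

    Those domains are meant to be resolved through DNS; a hosts entry for them bypasses DNS
    entirely, so every match is reported regardless of which IP it points at."""
    watched = [d.lower() for d in watched_domains]
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if any(host == d or host.endswith("." + d) for d in watched):
            findings.append({"line": line_no, "host": host, "ip": ip})
    return findings

if __name__ == "__main__":
    # On a real system, read /etc/hosts or C:\Windows\System32\drivers\etc\hosts instead of SAMPLE_HOSTS.
    for finding in audit_hosts(SAMPLE_HOSTS, ["examplebank.com"]):
        print(f"line {finding['line']}: {finding['host']} pinned to {finding['ip']}")
```

Running this periodically (or on file-change events) against a list of the organisation's own domains and its banking/SSO providers turns the hosts file from a blind spot into a monitored one; a clean run returns an empty list.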

7. DNS Tools & Practical Commands

For troubleshooting and reconnaissance, nslookup and dig are the industry standards.

nslookup (Windows/Linux)

C:\> nslookup google.com
Server: UnKnown
Address: 192.168.1.1

Non-authoritative answer:
Name: google.com
Address: 142.250.190.46

dig (Linux/macOS) - The Professional Choice

dig (Domain Information Groper) provides more detailed information than nslookup.

root@kali:~# dig google.com MX +short
10 smtp.google.com.

root@kali:~# dig google.com TXT +short
"v=spf1 include:_spf.google.com ~all"

The +short flag keeps the output clean. The query type (MX, TXT, A) tells dig specifically what record to look for.

8. DNS Attacks & Security Risks

Because DNS was designed for reliability rather than security, it is a frequent target.

DNS Cache Poisoning (Spoofing)

Attackers corrupt the cache of a DNS resolver, inserting a fake record. When users request bank.com, they are sent to the attacker's IP instead.

DNS Amplification (DDoS)

Attackers exploit open recursive DNS servers to amplify traffic toward a victim using spoofed source IP addresses. A small 60-byte query can generate a 3,000-byte response (50x amplification).

DNS Tunneling

Encapsulating other protocols (like SSH or HTTP) inside DNS packets to bypass firewalls or exfiltrate data from a compromised internal network.

Defense: DNSSEC

DNS Security Extensions (DNSSEC) adds cryptographic signatures to DNS records. It ensures that the IP address you receive actually came from the domain owner and wasn't tampered with in transit.

Note: DNSSEC guarantees integrity/authenticity, but it does NOT encrypt the traffic (privacy).


9. Real-World Troubleshooting

If a website fails to load, use this checklist to determine if it's a DNS issue:

  • Check Connectivity: Can you ping 8.8.8.8? If yes, you have internet.
  • Ping by Name: Try ping google.com. If it says "Could not find host," it's likely a DNS failure.
  • Flush Cache:
    Windows: ipconfig /flushdns
    Linux: sudo systemd-resolve --flush-caches
  • Change Resolver: Temporarily set your DNS to 8.8.8.8 to rule out ISP issues.
  • Check Hosts: Ensure the domain isn't hardcoded to a wrong IP in your hosts file.

10. 🛡️ Why DNS Matters in Pentesting

For ethical hackers, DNS is a treasure trove of information during the Reconnaissance phase.

Subdomain Enumeration

Finding subdomains (e.g., dev.example.com, admin.example.com) often reveals neglected servers that are more vulnerable than the main website.

Automated tools like amass, subfinder, and dnsenum rely heavily on DNS data sources.

Zone Transfers (AXFR): If a server is misconfigured, an attacker can request a copy of the entire DNS zone, revealing every subdomain and IP in the network.
Command: dig axfr example.com @ns1.example.com

TXT Records: Often contain sensitive info about service providers (AWS, Microsoft 365) or verification tokens that hint at the technology stack.
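Added example (not code from the original module) serving two passages: the DNS Tunneling risk from section 8 and the Zone Transfer (AXFR) misconfiguration above, seen from the defender's side. The Python script below runs over a handful of query-log lines and flags (a) AXFR requests from any client that is not a known secondary name server and (b) clients sending many distinct long, high-entropy hostnames under one base domain, the footprint tunneling leaves in logs. The log lines, their simplified "timestamp client qname qtype" layout (not real BIND output), the addresses and the domains tun.example.net / example.com are all constructed for the example, and the thresholds are starting points to tune, not standards.

```python
import math
from collections import defaultdict

# Constructed query-log lines in a simplified "timestamp client qname qtype" layout (not real BIND output).
LOG_LINES = """\
2024-05-01T10:00:01 10.0.0.15 www.example.com A
2024-05-01T10:00:02 10.0.0.15 mail.example.com MX
2024-05-01T10:00:03 10.0.0.22 example.com AXFR
2024-05-01T10:00:04 203.0.113.9 example.com AXFR
2024-05-01T10:00:05 10.0.0.40 aGVsbG8gd29ybGQgdGhpcyBpcyBh.tun.example.net TXT
2024-05-01T10:00:06 10.0.0.40 dGVzdCBvZiBkbnMgdHVubmVsaW5n.tun.example.net TXT
2024-05-01T10:00:07 10.0.0.40 ZXhmaWx0cmF0aW9uIGNodW5rIDAz.tun.example.net TXT
2024-05-01T10:00:08 10.0.0.40 bW9yZSBkYXRhIGdvZXMgaGVyZSAw.tun.example.net TXT
2024-05-01T10:00:09 10.0.0.15 cdn.example.com CNAME
""".splitlines()

def parse_log(lines):
    """Split each log line into a record dict; qname is normalised to lowercase without a trailing dot."""
    records = []
    for line in lines:
        ts, client, qname, qtype = line.split()
        records.append({"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records

def shannon_entropy(text):
    """Bits per character; labels carrying encoded data score far higher than ordinary hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def detect_unexpected_axfr(records, allowed_secondaries):
    """Zone-transfer requests from any client that is not a known secondary name server."""
    return [r for r in records if r["qtype"] == "AXFR" and r["client"] not in allowed_secondaries]

def detect_tunneling(records, min_label_len=20, min_entropy=3.0, min_queries=3):
    """Group queries by (client, base domain); flag groups with several distinct long, high-entropy leftmost labels."""
    groups = defaultdict(list)
    for r in records:
        labels = r["qname"].split(".")
        if len(labels) < 3:                        # need at least host.domain.tld to have a data-bearing label
            continue
        first = labels[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            base = ".".join(labels[-2:])           # crude base-domain approximation (no public-suffix list)
            groups[(r["client"], base)].append(first)
    findings = []
    for (client, base), labels in groups.items():
        if len(set(labels)) >= min_queries:       # many distinct labels defeat caching, which is the tell
            findings.append({"client": client, "base_domain": base, "queries": len(labels),
                             "mean_entropy": round(sum(map(shannon_entropy, labels)) / len(labels), 2)})
    return findings

if __name__ == "__main__":
    recs = parse_log(LOG_LINES)
    print(detect_unexpected_axfr(recs, allowed_secondaries={"10.0.0.22"}))
    print(detect_tunneling(recs))
```

The AXFR check pairs naturally with the server-side fix of restricting transfers to listed secondaries; the tunneling heuristic will also fire on some legitimate services that encode data in hostnames (certain CDNs and anti-spam lookups), so an allow-list of known base domains belongs in front of it in production.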

11. 🧪 DNS Practice Lab

Test your knowledge with these scenarios.

1. What record maps a domain name to an IPv4 address?
The A Record.
2. What is the role of a Root Server in the hierarchy?
Root servers are the first step in resolving a domain name. They direct the resolver to the appropriate Top-Level Domain (TLD) server (like .com or .org).
3. What does an MX record define?
MX (Mail Exchange) records specify which mail servers accept email on behalf of a domain.
4. In a recursive query, who performs the full lookup?
The Resolver (often the ISP's DNS server) performs the full lookup on behalf of the client.
5. Why is DNS Cache Poisoning dangerous?
It allows attackers to redirect legitimate traffic to malicious servers without the user knowing, often used for phishing credential harvesting.

📌 Module Recap

  • DNS translates human-readable names to machine-readable IPs.
  • The system is hierarchical: Root (.) → TLD (.com) → Authoritative.
  • A Records are for IPv4, AAAA for IPv6, and MX for email.
  • Recursive queries ask for the final answer; Iterative queries ask for the next referral.
  • DNS Poisoning and Tunneling are major security vectors in modern networks.