Beginner → Intermediate ⏱ 60-75 Minutes Prereq: Module 05

DNS & Name Resolution

The Domain Name System (DNS) is the critical infrastructure that translates human-readable domain names into machine-routable IP addresses. Understanding DNS is essential for network troubleshooting, reconnaissance, and exploitation.

1. What Is DNS?

DNS stands for Domain Name System. It serves as the phonebook of the Internet. Humans access information online through domain names like google.com or thevoid.io. Web browsers, however, interact through Internet Protocol (IP) addresses.

DNS translates domain names to IP addresses so browsers can load Internet resources. Without DNS, you would have to type 142.250.190.46 instead of google.com.

2. How Name Resolution Works

When you type a URL into your browser, a specific sequence of checks occurs to find the correct IP address:

  1. Request: User types example.com.
  2. Browser Cache: The browser checks if it has seen this domain recently.
  3. OS Cache & Hosts: The OS checks its own cache and the local hosts file.
  4. Resolver Query: If not found locally, the query is sent to a Recursive Resolver (usually provided by your ISP or Google's 8.8.8.8).
  5. Root Server: The resolver asks the Root Server (.).
  6. TLD Server: The Root directs the resolver to the Top-Level Domain (TLD) server (e.g., .com).
  7. Authoritative Server: The TLD server directs to the Authoritative Name Server responsible for the specific domain.
  8. Response: The Authoritative Server returns the final IP address to the resolver, which passes it to your computer.


3. DNS Hierarchy

DNS uses a distributed, hierarchical structure. No single server holds the entire internet's directory. Authority is delegated down a chain.

Root DNS Servers (.)
↓
TLD Servers (.com, .org, .net)
↓
Authoritative Servers (example.com)

Root Servers: There are 13 logical root server sets worldwide. They are the starting point for all recursive searches.
TLD Servers: Maintain information for all domain names sharing a common domain extension (like .com).
Authoritative Servers: Hold the actual DNS records for a specific domain.

4. DNS Record Types Explained

DNS is not just about mapping names to IPs. Different "Record Types" define different functions for a domain.

Record   Full Name        Purpose
A        Address          Maps a hostname to an IPv4 address (e.g., 192.168.1.1).
AAAA     Quad A           Maps a hostname to an IPv6 address.
MX       Mail Exchange    Specifies the mail server responsible for accepting email.
CNAME    Canonical Name   Aliases one name to another (e.g., www to non-www).
NS       Name Server      Delegates a DNS zone to use specific Authoritative Name Servers.
TXT      Text             Stores text-based information, often used for SPF/DKIM verification.


5. Recursive vs Iterative Queries

๐Ÿ” The Distinction

Recursive Query: "I need the IP for google.com. Go find it and don't come back until you have the answer." (Client to Resolver).

Iterative Query: "I need the IP. If you don't have it, tell me who I should ask next." (Resolver to Root/TLD Servers).

Most client devices perform recursive queries, relying on the ISP's DNS resolver to do the heavy lifting of iterative queries across the internet.
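The referral chain in sections 2 and 5 can be modelled without touching the network. The following is an added example, not code from the module: an in-memory root, .com and example.com server, plus a resolver that takes one recursive question from the client and walks the hierarchy with iterative queries. All zone data is constructed, and the addresses are from the 192.0.2.0/24 documentation range.

```python
# Added example (not part of the module): an in-memory model of the
# root -> TLD -> authoritative referral chain from sections 2 and 5.
# All zone data is constructed; addresses come from the 192.0.2.0/24
# documentation range.

ZONES = {
    # Root server: knows only which server is authoritative for each TLD.
    ".": {"ns": {"com.": "192.0.2.10"}, "records": {}},
    # .com TLD server: knows only the delegations for second-level domains.
    "com.": {"ns": {"example.com.": "192.0.2.53"}, "records": {}},
    # Authoritative server for example.com: holds the actual records.
    "example.com.": {
        "ns": {},
        "records": {
            ("www.example.com.", "A"): "192.0.2.80",
            ("example.com.", "MX"): "10 mail.example.com.",
        },
    },
}


def query_server(zone, qname, qtype):
    """One iterative query to the server for `zone` (resolver -> server).

    Returns ("answer", rdata) when the server is authoritative for the record,
    ("referral", child_zone) when it can only point further down the tree,
    or ("nxdomain", None) when it knows nothing about the name.
    """
    server = ZONES[zone]
    rdata = server["records"].get((qname, qtype))
    if rdata is not None:
        return ("answer", rdata)
    # Referral: the longest delegated child zone that qname falls under.
    for child in sorted(server["ns"], key=len, reverse=True):
        if qname == child or qname.endswith("." + child):
            return ("referral", child)
    return ("nxdomain", None)


class Resolver:
    """A recursive resolver: the client asks once (client -> resolver),
    the resolver walks the hierarchy iteratively and caches the result."""

    MAX_REFERRALS = 8  # guard against delegation loops in bad zone data

    def __init__(self):
        self.cache = {}

    def resolve(self, qname, qtype="A"):
        """Return (rdata or None, list of servers consulted)."""
        qname = qname if qname.endswith(".") else qname + "."
        key = (qname, qtype)
        if key in self.cache:
            return self.cache[key], ["cache"]
        path, zone = [], "."
        for _ in range(self.MAX_REFERRALS):
            path.append(zone)
            kind, data = query_server(zone, qname, qtype)
            if kind == "answer":
                self.cache[key] = data
                return data, path
            if kind == "nxdomain":
                return None, path
            zone = data  # follow the referral one level down
        return None, path


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.example.com"))  # walks ".", "com.", "example.com."
    print(r.resolve("www.example.com"))  # second call is served from cache
```

The second call for the same name never leaves the resolver, which is exactly why a poisoned cache entry (section 8) keeps hurting every client behind that resolver until its TTL expires.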

6. Local DNS Cache & Hosts File

Before checking the network, your OS checks two local sources.

The Hosts File

A manual override file that maps hostnames to IP addresses. It takes precedence over DNS.

  • Linux/Mac: /etc/hosts
  • Windows: C:\Windows\System32\drivers\etc\hosts

โš ๏ธ Security Risk: Hosts File

Malware often modifies the hosts file to redirect legitimate banking URLs to a malicious IP address controlled by the attacker. This bypasses DNS entirely.
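To make the precedence rule and the hijacking risk concrete, here is an added example (not code from the module) that parses hosts-file text the way the OS does, applies it ahead of a DNS answer, and flags entries that pin a public-looking name to a non-local address. The sample file content, the `.test` domain and the addresses are constructed; the list of "local" networks is an assumption used only for this check.

```python
import ipaddress

# Constructed sample hosts file (not from the module): the last line mimics
# the banking-redirect tampering described in section 6.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.20    fileserver.lan   nas
# Suspicious: a public banking name pinned to an arbitrary address
203.0.113.7     www.examplebank.test examplebank.test
"""

# Assumption: addresses in these ranges are "local" and not worth flagging.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]


def parse_hosts(text):
    """hostname -> IP, following the hosts file format: one IP then one or
    more names per line, '#' starts a comment. The first mapping for a name
    wins, as the OS resolver behaves."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line: skipped, as the OS skips it
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def lookup(name, hosts, dns_answer):
    """Section 6 precedence: a hosts entry overrides whatever DNS returned."""
    return hosts.get(name.lower(), dns_answer)


def suspicious_entries(hosts, local_suffixes=(".lan", ".local", ".localdomain")):
    """Flag names that are not plainly local but point at a non-local address:
    the shape of a hosts-file hijack. Returns [(name, ip), ...]."""
    flagged = []
    for name, ip in hosts.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in LOCAL_NETS):
            continue
        if "." not in name or name.endswith(local_suffixes):
            continue
        flagged.append((name, ip))
    return flagged


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    print(lookup("www.examplebank.test", table, "198.51.100.5"))
    print(suspicious_entries(table))
```

On a real machine the same check is run over the contents of /etc/hosts or C:\Windows\System32\drivers\etc\hosts; any non-local address for a name the organisation does not own deserves a closer look.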

7. DNS Tools & Practical Commands

For troubleshooting and reconnaissance, nslookup and dig are the industry standards.

nslookup (Windows/Linux)

C:\> nslookup google.com
Server: UnKnown
Address: 192.168.1.1

Non-authoritative answer:
Name: google.com
Address: 142.250.190.46

dig (Linux/macOS) - The Professional Choice

dig (Domain Information Groper) provides more detailed information than nslookup.

root@kali:~# dig google.com MX +short
10 smtp.google.com.

root@kali:~# dig google.com TXT +short
"v=spf1 include:_spf.google.com ~all"

The +short flag keeps the output clean. The query type (MX, TXT, A) tells dig specifically what record to look for.

8. DNS Attacks & Security Risks

Because DNS was designed for reliability rather than security, it is a frequent target.

DNS Cache Poisoning (Spoofing)

Attackers corrupt the cache of a DNS resolver, inserting a fake record. When users request bank.com, they are sent to the attacker's IP instead.
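The record types in section 4 and the poisoning attack above both come down to the DNS wire format, so one added example serves both (it is not code from the module): a minimal builder and parser for DNS messages, and the acceptance checks a resolver applies before it caches a reply. The query and replies are constructed in memory; the response builder and its `answer_name` parameter exist only so the checks can be exercised, and the bailiwick rule is simplified to "answers must be for the name that was asked".

```python
import struct
import ipaddress

# Record type codes from the table in section 4 (these are the real IANA values).
QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}


def encode_name(name):
    """'www.example.com' -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a name at `offset`, following 0xC0xx compression pointers.
    Returns (name, offset just past the name's bytes at its original position)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # pointer to a name earlier in the message
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


def build_query(txid, name, qtype):
    """Standard query: flags 0x0100 = RD (recursion desired), one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def build_response(txid, name, qtype, rdata_list, ttl=300, answer_name=None):
    """Constructed reply: echoes the question, then one RR per rdata.
    By default the RR owner is a pointer (0xC00C) back to the question name
    at offset 12; `answer_name` lets a test inject an RR for another name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rdata_list), 0, 0)
    body = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    owner = b"\xC0\x0C" if answer_name is None else encode_name(answer_name)
    for rdata in rdata_list:
        body += owner + struct.pack("!HHIH", QTYPE[qtype], 1, ttl, len(rdata)) + rdata
    return header + body


def parse_message(data):
    """Parse header, question and answer sections (authority/additional ignored)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        answers.append((name, rtype, ttl, data[offset:offset + rdlen]))
        offset += rdlen
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}


def accept_response(query_bytes, response_bytes):
    """Checks a resolver applies before caching a reply. A forged reply that
    fails any of them is dropped; this is the first line of defence against
    cache poisoning (real resolvers also randomise the UDP source port and
    may validate DNSSEC, both outside this simplified model)."""
    q, r = parse_message(query_bytes), parse_message(response_bytes)
    if not r["flags"] & 0x8000:
        return False, "not a response"
    if r["txid"] != q["txid"]:
        return False, "transaction ID mismatch"
    if r["questions"] != q["questions"]:
        return False, "question section does not match"
    qname = q["questions"][0][0]
    if any(name != qname for name, _, _, _ in r["answers"]):
        return False, "answer for a name that was not asked"
    return True, "accepted"


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com", "A")
    reply = build_response(0x1234, "www.example.com", "A",
                           [ipaddress.ip_address("192.0.2.80").packed])
    print(parse_message(reply)["answers"])
    print(accept_response(q, reply))
```

The transaction ID is only 16 bits, which is why a resolver that also randomises its source port, and ideally validates DNSSEC signatures, is far harder to poison than one relying on the ID alone.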

DNS Amplification (DDoS)

Attackers send small queries to open DNS servers with a spoofed source IP (the victim's). The server replies with a large response to the victim, overwhelming them.

DNS Tunneling

Encapsulating other protocols (like SSH or HTTP) inside DNS packets to bypass firewalls or exfiltrate data from a compromised internal network.
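Tunnelled traffic has to ride in query names, which gives defenders something to look for. The following added example (not code from the module) runs two simple heuristics over constructed resolver log lines: long, high-entropy leftmost labels, and one client sending many distinct subdomains under one domain. The log format, the `.test` domain and the thresholds are assumptions chosen for the demonstration.

```python
import math
from collections import defaultdict

# Constructed resolver log (not real traffic): "client qname qtype" per line.
# The 10.0.0.9 entries mimic a tunnel: every query carries a fresh encoded label.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 cdn.example.net A
10.0.0.9 3a7f9c2e1b8d46055064d8b1e2c9f7a3.exfil.test TXT
10.0.0.9 0f2e4d6c8b1a39577593a1b8c6d4e2f0.exfil.test TXT
10.0.0.9 9e1d5b7a3c2f80466408f2c3a7b5d1e9.exfil.test TXT
10.0.0.9 c6a0e4b8d2f1735995371f2d8b4e0a6c.exfil.test TXT
10.0.0.5 www.example.com A
"""


def shannon_entropy(s):
    """Bits per character; hex/base32-encoded payloads score high, words low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registered_domain(qname):
    """Crude 'last two labels' approximation (a production detector would
    use the Public Suffix List to handle names like example.co.uk)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Return [(client, qname, qtype), ...] from the constructed log format."""
    rows = []
    for line in text.splitlines():
        client, qname, qtype = line.split()
        rows.append((client, qname.lower(), qtype))
    return rows


def score_queries(rows, min_label=30, min_entropy=3.5):
    """Flag single queries whose leftmost label is long and high-entropy.
    Thresholds are assumptions; tune them against your own baseline."""
    flagged = []
    for client, qname, qtype in rows:
        first = qname.split(".")[0]
        if len(first) >= min_label and shannon_entropy(first) >= min_entropy:
            flagged.append((client, qname, qtype))
    return flagged


def score_domains(rows, min_unique=4):
    """Flag (client, domain) pairs with many distinct subdomains: tunnels
    need a unique name per message, so this catches shorter labels too."""
    unique = defaultdict(set)
    for client, qname, _qtype in rows:
        unique[(client, registered_domain(qname))].add(qname)
    return {k: len(v) for k, v in unique.items() if len(v) >= min_unique}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for hit in score_queries(rows):
        print("suspicious label:", hit)
    print("busy domains:", score_domains(rows))
```

Neither heuristic is proof on its own (CDNs and some security products also use long random-looking labels), so in practice the two scores are combined with volume over time and an allow-list of known services.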


9. Real-World Troubleshooting

If a website fails to load, use this checklist to determine if it's a DNS issue:

  • Check Connectivity: Can you ping 8.8.8.8? If yes, you have internet.
  • Ping by Name: Try ping google.com. If it says "Could not find host," it's likely a DNS failure.
  • Flush Cache:
    Windows: ipconfig /flushdns
    Linux: sudo systemd-resolve --flush-caches
  • Change Resolver: Temporarily set your DNS to 8.8.8.8 to rule out ISP issues.
  • Check Hosts: Ensure the domain isn't hardcoded to a wrong IP in your hosts file.

10. 🛡️ Why DNS Matters in Pentesting

For ethical hackers, DNS is a treasure trove of information during the Reconnaissance phase.

Subdomain Enumeration

Finding subdomains (e.g., dev.example.com, admin.example.com) often reveals neglected servers that are more vulnerable than the main website.

Zone Transfers (AXFR): If a server is misconfigured, an attacker can request a copy of the entire DNS zone, revealing every subdomain and IP in the network.
Command: dig axfr example.com @ns1.example.com

TXT Records: Often contain sensitive info about service providers (AWS, Microsoft 365) or verification tokens that hint at the technology stack.

11. 🧪 DNS Practice Lab

Test your knowledge with these scenarios.

1. What record maps a domain name to an IPv4 address?
The A Record.
2. What is the role of a Root Server in the hierarchy?
Root servers are the first step in resolving a domain name. They direct the resolver to the appropriate Top-Level Domain (TLD) server (like .com or .org).
3. What does an MX record define?
MX (Mail Exchange) records specify which mail servers accept email on behalf of a domain.
4. In a recursive query, who performs the full lookup?
The Resolver (often the ISP's DNS server) performs the full lookup on behalf of the client.
5. Why is DNS Cache Poisoning dangerous?
It allows attackers to redirect legitimate traffic to malicious servers without the user knowing, often used for phishing credential harvesting.

📌 Module Recap

  • DNS translates human-readable names to machine-readable IPs.
  • The system is hierarchical: Root (.) → TLD (.com) → Authoritative.
  • A Records are for IPv4, AAAA for IPv6, and MX for email.
  • Recursive queries ask for the final answer; Iterative queries ask for the next referral.
  • DNS Poisoning and Tunneling are major security vectors in modern networks.