🐏 mogoz

Search

SearchSearch

DNS

Jun 30, 2024, 15 min read

tags : Networking, Selfhosting

FAQ

DNS 1:1?

DNS is not 1:1 you can have multiple domains pointing to the same ip. and can have multiple ips pointing to the same domain.

Does DNS use TCP of UDP?

  • DNS uses both TCP(Zone Transfers) & UDP(Queries)

These organizations are largely related to two things: IP allocation, Domain registries.

Organizations

  • ICANN

    • ICANN is the policy organization
    • People for some reason don’t like ICANN
    • Responsible for picking what TLDs should exist or not
    • Deciding how the IPv4 space was to be handed out the RIRs

  • IANA

    • Currently it is a function of ICANN
    • The IANA is an organization that maintains assignments of various numbers.
    • Assign IP addresses to the regional internet registries (RIRs)
    • Assignment of Autonomous Systems numbers to those same RIRs
    • Maintaining and publishing the root dns zone
    • Maintaining registries of various parameters used in the internet protocols, on behalf of the IETF.
  • Internet Architecture Board (IAB)
  • Internet Engineering Task Force (IETF)
  • Internet Society (ISOC)

IP allocation space

  • Regional Internet Registries (RIR)

    • This is not any specific org, just a type of entity.
    • They get their allocations from IANA.
    • ISPs get theirs from the appropriate RIR

Domain space

This is a whole business and this is not uptodate info.

  • Registry Operators

    These are also called Network Information Center (NIC). Role is to keep the master database of all domain names registered in each top-level domain (TLD) and generate the “zone file” that allows computers to route Internet traffic to and from TLDs anywhere in the world.

  • Registrar

    Basically a middle-man.

    • They’re approved by the registry to sell domains directly to consumers, and they pay the registry a set price (for examples, Verisign gets $7.85 per .com domain).
    • The markup is often quite small on domain name sales, which is why retail registrars like GoDaddy tend to push value-added services.
    • That’s where their major profits come from.
    • How to Become a Registrar - ICANN

  • Registrant

    The registrant is the owner of the domain name. They pay the registrar, who in turn pays the registry.

DNS Servers

Types

4 Types. These 4 DNS servers work together in harmony to complete the task of delivering the IP address for a specified domain to a client.

Resolvers

Essentially the middleman between a client and other DNS nameservers(root-tld-authoritative). It usually will cache responses. Your ISP provides an recursive resolver but you can also use things like 1.1.1.1

  • Recursive: This is usually meant when we say resolver
  • Non-Recursive: You can run a resolver in non-recursive mode
  • Stub Resolver: Your laptop runs a stub resolver

Root Nameservers

  • Official Root Nameservers

    • The most widely used (and first) DNS root is administered by the ICANN
    • There are 13 types DNS root nameservers are known to every recursive resolver. There are multiple copies of each one all over the world running in anycast, ~600 actual instances.
    • These responds by directing the recursive resolver to a TLD nameserver.
    • These are overseen by a nonprofit called ICANN.
    • These are paid for by domain registration fees.

  • Alternative Root Nameservers

    • These run their own root nameserver and typically include pointers to all of the TLD servers for domains delegated by ICANN, as well as name servers for other, custom TLDs that are not sanctioned by ICANN.
    • Unless one specifically changes their DNS resolution settings, alternative DNS top level domains are generally unreachable

TLD Nameservers

This contains all the domains under that TLD. These are owned by registry operators.

  • There are two kinds
    • gTLD: Registry(pivate co(s)) pay ICANN a set amount fee. ICANN doesn’t make any money directly off a domain name sale.
    • ccTLDs: Owned by respective countries, so countries get to keep all their money.
  • Root Zone Database
  • If a registry does not meet their contractually obligated SLAs, ICANN may invoke EBERO and transfer registry services over to one of the Emergency Back-end Registry Operator

Authoritative Nameservers

The authoritative nameserver is usually the resolver’s last step in the journey for an IP address. If you own a domain, you can run an authoritative nameserver for that domain.

  • Primary and Secondary

    The thing about Authoritative nameservers is that there are primary and secondar(ies). Authoritative secondary replicas are common. Usually if people selfhost it, they tend to hide the primary.

    • Have the authoritative server where you perform the updates not referenced in your domains NS records, and instead only list the secondary (replica) servers in your NS records.
    • This way they maintain control and any attack based on NS records is on the replicas, and they refetch the record from the authoritative server periodically (based on SOA record settings).

Running DNS Servers

You can run the whole DNS stack on you own if you want but not recommended ofcourse, but running authoritative and resolvers are popular choices.

Locally

  • Authoritative Nameserver

    You usually do not need to run authorative ns locally unless you have a local zone or something

  • Resolver

    • Pi-Hole + Unbound Recursive DNS. (Popular combination for local resolver setup)
    • Why run a local resolver? Basically, it’s the difference between asking your mother for her phone number, and asking your father, for your mothers phone number. By going direct to the source, there is less chance of error, malicious intent, or someone reporting your “request” to someone else.
    • Good discussion

  • Security Concerns

    • https://dnsprivacy.org/
    • OPNSense custom i5 16GB router. Only the Pi’s can make DNS calls (DoT, DoH, DNS) to outside. Any other device is blocked by firewall to call DNS on their own and instead, forward to Pi-Hole.
    • Cluster, Part 3: Laying groundwork with Unbound as a DNS server | Stardust | …
    • I’m using Stubby as a shim to my Pi-Hole.
    • Like this explanation but might be incorrect (there is wrong use of terms for sure)
      • ISPs can see all the apps and traffic to and from you, regardless of what DNS you use. They cannot see content of encrypted connections, but can see the time, amount of data and hosts you’re talking to.
      • A VPN will get around that, but your ISP can see the traffic volume to the VPN, and the VPN provider can of course see all your traffic.
      • As far as DNS goes, if you run Unbound and let it query the root servers, your ISP can still see the unencrypted lookups. You’ll be querying the authoritative servers for each domain directly, but it’s still unencrypted.
      • Using DOH, your DNS queries are encrypted, but your ISP can see what DNS servers you are talking to over DOH.
      • The operators of those DNS servers could of course also see what your DNS queries are.
    • for the possibility of DNS leakage but if the ISP somehow uses the IP-blocking approach then there’s no other way but to either use a VPN, a proxy, or Tor.
    • DNS leaks happen when your DNS requests hit your ISP rather than getting handled by the VPN server.

Publicly

DNS servers list

Selfhostable servers

This is a very small list with things that interest me. See feature matrix here in wikipedia and in the arch wiki

NameRemark
CoreDNSModern, Written in Go, Focused for SD in containerized environments but can work generally
PowerDNSHas a DB backend, more suitable for larger environments
Pi-HoleCute and powerful
0xERR0R/blockyFast and lightweight DNS proxy as ad-blocker for local network with many features
AdGuard HomeSome people use it
djbdns
UnboundRecursive DNS
dnsmasqSimple, suitable for homelab. Does both DHCP and DNS.
KnotAuthoritative only
Knot ResolverResolver only. 1.1.1.1 uses it.
NSDAuthoritative only
BindBeen around in some incarnation since the 1980s and supports just about every DNS standard written. Both Authoritative and resolver.
https://dns.he.net/

Other stuff

Services

NameRemark
NextDNS/DNS0I mean if I don’t have time NextDNS summary
Quad9
OpenDNSService

Wildcard DNS Services like xip.io

Basically this saves you from editing your own hosts file/ editing your DNS records.

  • Virtual Hosts

    • Even though the name VH mostly refers to Apache VH, here I am refering all of Caddyfile site block, Nginx Server block, Apache Virtual Host etc. i.e the idea of a virtual host. I feel they are similar to Reverse Proxies in a way.
    • Suppose you have a server hosting two different sites as virtual hosts. apple.com and orange.com and you have virtual hosts setup for them. To access what them you’d need to add the DNS records now!
    • Here comes xip.io and friends, you can just set apple.10.0.0.1 and orange.10.0.0.1. And then you add them to your virtual hosts file as alternative domains for the server block and you’re good to go! No need to edit DNS records now. Since both will direct to 10.0.0.1 and will have their respective origins in the request.
    • On top of that, this will be accessible not only to your development machines, other devices in the local network will also be able to do the same provided they can connect to xip.io
    • Alternatively, if you do the following in /etc/hosts , even though they’ll point to 10.0.0.1 it’ll only be accessible to your host and not elsewhere.
    • With TLS we get SNI 
      10.1.1.1 doop.apple.com
10.1.1.1 poop.apple.com

  • Subdomains

    • Since you’d get the origin, if you application behaves differently based on subdomain.
    • in.google.com, us.google.com can be in.10.1.1.1.xip.io and us.10.1.1.1.xip.io
    • Your application should work as expected, if it checks the subdomain in/us and behaves differently.

DNS Records (Resource Records)

A Records

  • Multiple A records can distribute traffic among several servers, helping to balance the load.
  • When a client queries the DNS for the domain name, it may receive multiple IP addresses. The client typically connects to one of these IPs,
  • But this can be problematic if the two servers hold local state that’s used for the session with the user as no guarantee on which ip it returns etc.

CNAME

  • A CNAME record is used for referencing a domain’s alias instead of its actual name.
  • CNAME records typically point to an A record (in IPv4) or AAAA record (in IPv6) for that domain.

See Email

DNS security

DNSSEC

  • DNSSEC is Unnecessary, all secure crypto on the Internet assumes that the DNS lookup from names to IP addresses are insecure. Securing those DNS lookups
  • dnssec/ntp dependency loop is absurd
  • DNSSEC can be bypassed by using a resolver that doesn’t care about it.
  • DNSSEC is the publisher’s responsibility.: that your responses are as the publisher intended.
  • Against DNSSEC — Quarrelsome

Encrypted DNS

  • Comparison: https://dnscrypt.info/faq/
  • DNSCrypt/DNSCryptv2/DoH/DoT are alternatives. They can be combined but doesn’t make a lot of sense to combine.
  • Encrypted DNS (between resolver and nameserver) is a modern replacement for regular cleartext DNS lookups.
  • DoH is the easiest to start w, ppl tend toward DoH for devices that frequently travel with, and DNSCrypt or DoT for devices that rarely leave their home.

DNSCrypt

  • Runs on port 443, hard for ISPs to block. Now comes w anon dns.
  • It provides payload encryption and server authentication, within the context of otherwise-normal DNS queries.
  • DNDcrypt-proxy: Implementation of dnscrypt
    • Acts as an intermediary between client devices and DNS resolvers.

DoH

  • Runs on port 443, hard for ISPs to block.
  • DNS over HTTPS is one good answer here - this is the best scenario for it. Hypothetically indistinguishable from normal HTTPS traffic to the given website
  • However, from a privacy perspective, DoH is arguably preferable. With DoH, DNS queries are hidden within the larger flow of HTTPS traffic. This gives network administrators less visibility but provides users with more privacy.

DoT

  • Runs on a known port, easier for ISPs to block
  • DoT and DoH are traditionally available over TCP (or reworked versions of TCP like QUIC), which have built in protections against address spoofing.
  • DNS over TLS/HTTPS is probably a sufficient solution for you (as I commented on another comment). It sounds like your ISP is doing DNS hijacking. DNSCrypt won’t protect you from this as it only provides integrity/tamper evidence, not privacy.

Things to read about encrypted DNS

Issues

  • Even if using DOH/DoT SNI can be leaked, The snooping ISP will still see your plaintext SNI request to the destination web server, even if your DNS lookups are encrypted. This gives the ISP the hostname you’re trying to hit. Solution is Good-bye ESNI, hello ECH!
  • A number of ISPs (e.g. sky, virgin media) are turning to forwarding all UDP/TCP port 53 DNS traffic to their own DNS servers irrespective of the destination marked on the packet.
  • These encrypted DNS services are usually blocked here in Iran. The unencrypted ones are compromised, too. I use self-hosted dnscrypt.

Maintenance and Practices

DNS tips for SysAdmins

  • Separate Registrar from the source of the DNS records
  • Multiple NS records on the registrar
  • Multiple vendors for DNS records with Terraform sync between the two vendors 🌟
  • Limit A records or point A Records to CNAMES
  • Low TTL times for NS records, risky if you are hacked though or make a bad change

TTLs

Makes sense about increasing the TTL of anything that’s static and constant, like MX records. That TTL value buys time when there are issues before it is propagated to hosts that need to query your records as it’s not cached at their end.

  • Those times will say to resolvers for much time they could cache that information, and give a time for propagation of a change in that information.
  • You can have them frequent but have some margin to have meaningful caches in remote resolvers to speed up access to your sites.
  • The higher TTL will help as it won’t be querying them
  • Note that ISPs may round your TTL to 10mins or something if they see DNS cache abuse
  • Choice of resolver (e.g. 1.1.1.1, 8.8.4.4) is out of your control when you’re not running your own nameserver (??)
  • Assuming that your clients’ resolvers are well-behaved and respect TTLs
  • See A survey of DNS caching and TTL in end-user client software | Ctrl blog

EDNS0

  • Note: if there are more than 8 IPs behind one name, the DNS backend must support the EDNS0 protocol.

How to and Whys

DynamicDNS

Dynamic DNS requires a small piece of software on the server that every now and then tells the DNS Server its current IP for it to broadcast to end users and other DNS Servers. If your server changes IP Address the DNS Servers will automatically update to the servers new IP.

Other Fun DNS tools

Tailscale MagicDNS

Graph View

Backlinks