The internet is a magical place. Well, okay, maybe not everything on the internet, but the internet itself, the fact that you can type example.com into a search engine and access a webpage with the exact information you were seeking (presumably a webpage dedicated to examples…), that can seem like magic sometimes, especially when all we’re doing is clicking a search button. But it’s not magic, of course. It’s an elegant system called the Domain Name System (DNS) which operates behind the scenes, acting as a global translator between humans and computers.
The internet at its core is a set of network communication protocols, the most fundamental of which is the Internet Protocol. The Internet Protocol, or IP, assigns a unique sequence of numbers called an IP address to every device in a network. Since every IP address is unique, computers are able to use these numbers to find and communicate with each other, in the same way that your unique phone number allows anyone who knows it to contact you. But human memory is imperfect and we can’t be expected to remember the number of everyone we want to call, which is why modern phones store contact information so you can press “Call Bob Bobson” and call your very good friend Bob Bobson without ever interacting with his phone number. Of course, when you press that button your phone isn’t reaching across cell towers looking for something named “Bob Bobson’s Phone,” because that’s not the language phones speak. Instead, it translates your contact name into the phone number it has stored for that contact and calls that number, since that’s how phones call each other.
The Domain Name System works the same way, but on an even grander scale. Just as human beings can’t memorize a hundred plus phone numbers, we can’t be expected to memorize server IP addresses for each webpage we want to access. This is where DNS comes in. DNS pairs server IP addresses to human-readable domain names, like www.azion.com, designed to be much easier for us to write and remember than the number sequences that computers use. But just like with phone contacts, those domain names don’t mean anything to computers on their own. So every time you type in a domain name, a DNS service begins a series of steps to find the specific IP address that corresponds to your searched domain name, and return it to your computer so that you can complete the connection.
DNS Resolve Process
In order to find your chosen IP address, a DNS service uses a series of specialized servers to home in on the IP address’ exact location. First, your own operating system will check to see if it has the IP address cached locally. This is likely if you’ve searched the same domain name recently. If it’s not in the cache, that’s when the DNS service steps in. Your query is forwarded to the entry-level DNS server, called a resolver server. The resolver server will search its own, much more extensive cache memory, returning the proper IP address if it has it stored. If even the resolver server doesn’t have it, that’s when things get fun. The resolver sends the query to a central DNS server called the root server. There are only 13 sets of root servers in the world, globally distributed to service the needs of every DNS compliant network. The root server doesn’t bother to check its own cache for the information. It doesn’t have it, but it knows how to find who does. The root server instead finds the appropriate top-level domain server (TLD) and brokers a connection between it and the resolver server. TLDs are massive repositories, each assigned to a different category of domain name, such as .com, .org, or .net. So if you’re searching azion.com, the root server will establish a connection between your resolver and the .com TLD server. The TLD then passes the query to the final level in this maze of servers: the authoritative name server. This server is responsible for knowing everything about the domain in question, including the IP address. It feeds the IP address to the resolver, the resolver forwards it to your device, and you’re done, all in the time it takes to load a webpage.
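The resolution path above, as an added simulation that is not part of the original article: a resolver walks from root to TLD to authoritative server by following referrals, after first checking the OS cache and its own cache. All server names, addresses and zone data are constructed for the example; no real servers are contacted, and the general referral loop handles any depth, not just the three hops the text walks through.

```python
# Added example: simulated iterative DNS resolution (constructed data, offline).
from dataclasses import dataclass, field

# Each simulated server answers a query with either ("answer", ip) or
# ("referral", next_server). Root refers by TLD, the TLD server refers by
# registered zone, and the authoritative server holds the final records.
SERVERS = {
    "root":         {"com": ("referral", "tld-com"), "org": ("referral", "tld-org")},
    "tld-com":      {"azion.com": ("referral", "auth-azion")},
    "tld-org":      {"example.org": ("referral", "auth-example")},
    "auth-azion":   {"www.azion.com": ("answer", "198.51.100.7")},
    "auth-example": {"www.example.org": ("answer", "198.51.100.8")},
}

def ask(server, qname):
    """Return the longest-suffix entry this server holds for qname, or None."""
    labels = qname.split(".")
    for i in range(len(labels)):
        hit = SERVERS[server].get(".".join(labels[i:]))
        if hit:
            return hit
    return None

@dataclass
class Resolver:
    cache: dict = field(default_factory=dict)   # resolver cache: name -> ip

    def resolve(self, qname, os_cache=None, max_hops=8):
        """Return (ip, path); path records where the answer came from."""
        os_cache = os_cache or {}
        if qname in os_cache:                   # step 1: local OS cache
            return os_cache[qname], ["os-cache"]
        if qname in self.cache:                 # step 2: resolver cache
            return self.cache[qname], ["resolver-cache"]
        server, path = "root", []
        for _ in range(max_hops):               # step 3+: follow referrals
            path.append(server)
            hit = ask(server, qname)
            if hit is None:                     # nobody knows this name
                return None, path
            kind, value = hit
            if kind == "answer":
                self.cache[qname] = value       # remember it for next time
                return value, path
            server = value                      # referral: ask the next server

if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.azion.com"))           # walks root -> tld-com -> auth-azion
    print(r.resolve("www.azion.com"))           # served from the resolver cache
```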
Secondary DNS Servers
It’s considered good practice for a DNS service to maintain one or more secondary servers attached to every primary DNS server. Secondary servers are simplified replicas of the primary server, storing much of the same information, but as static read-only text files. They make no modifications to themselves the way primary servers do, instead receiving periodic zone transfers from their primary, which add to or reorganize their existing data. Secondary servers serve as an added layer of redundancy, ensuring that if a primary becomes unresponsive there will always be a copy to resolve DNS queries. With enough secondaries, you can also load balance your DNS servers, ensuring that no single server is overtaxed with queries.
A key reason that the quality of DNS services must continue to improve is the severe security concerns. The Domain Name System is one of the most popular areas for hackers to attack, and companies around the world have reported millions of dollars in losses from DNS breaches. Here are just a few examples of the many ways hackers can target vulnerable DNS servers.
Flood attacks are not exclusive to DNS servers, but the importance of DNS to network health means they target it regularly. A network flood overwhelms a DNS server with a swarm of junk queries, potentially forcing it to go offline. If the server is not equipped to filter out bad queries, or not properly load balanced to distribute the traffic, these attacks can cripple vital parts of the DNS process.
Focusing on the authoritative name server, attackers can exploit the server’s ability to update its DNS records. If they are able to compromise an authoritative name server, unauthorized entries can be substituted into its memory, passing bad data to any servers that query it.
DNS relies on some degree of trust. When we type in example.com we expect to be directed to our favorite example-focused website. But if an attacker can link a different IP address to the domain name, your search can be redirected to an imposter site, creating opportunities to launch attacks directly to your computer.
Cache poisoning targets the resolver. Since resolvers try to cache as many IP addresses as they can to avoid the ordeal of querying all those other servers, corrupting the data in that cache is an easy way to deliver bad data to every computer depending on that resolver.
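The standard resolver-side defence against the cache corruption described above, as an added example that is not part of the original article: a response is only cached if it matches an outstanding query’s random transaction ID and source port, answers the same question, and carries records inside the zone that was asked about (the bailiwick check). Names, addresses and the `Response` shape are constructed for the example.

```python
# Added example: resolver cache that rejects responses it did not ask for.
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Response:
    """Constructed stand-in for a DNS reply: the fields the checks need."""
    txid: int        # 16-bit transaction ID echoed from the query
    dst_port: int    # UDP port the reply was sent to
    qname: str       # question section: the name that was asked about
    rrs: dict        # records carried in the reply: name -> ip

class GuardedCache:
    def __init__(self):
        self.cache = {}      # accepted records: name -> ip
        self.pending = {}    # (txid, port) -> (qname, zone) awaiting a reply

    def send_query(self, qname, zone):
        """Pick a random ID and source port; both must be matched by the reply."""
        txid = secrets.randbelow(1 << 16)
        port = 1024 + secrets.randbelow(64512)
        self.pending[(txid, port)] = (qname, zone)
        return txid, port

    def receive(self, resp):
        """Accept only in-bailiwick records from a reply to a live query."""
        key = (resp.txid, resp.dst_port)
        if key not in self.pending:
            return "rejected: no matching outstanding query"
        qname, zone = self.pending[key]
        if resp.qname != qname:
            return "rejected: question mismatch"
        accepted = 0
        for name, ip in resp.rrs.items():
            # records for other zones are dropped, not cached
            if name == zone or name.endswith("." + zone):
                self.cache[name] = ip
                accepted += 1
        del self.pending[key]   # a query is answered at most once
        return f"accepted {accepted} record(s)"
```

A reply with the wrong ID or port, or one that slips in records for an unrelated domain, never reaches the cache; only the record for the zone actually queried is stored.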
Luckily there are security measures in place on existing DNS services that block the majority of these attacks. However, they’re not perfect, as evidenced by the devastating successful DNS hacks that are occurring more frequently each year. There are plenty of free and simple DNS services if all you’re running is a small website, but if you’re trying to maintain a network of any sort of scale, you’ll want to make sure you have a DNS service that is smart, fast, and secure. Here are a few examples:
Azion Intelligent DNS
Security is critical to the edge computing work we do at Azion, and existing DNS services didn’t quite satisfy our unique needs, so we built our own. Azion Intelligent DNS is our attempt at a smart serverless DNS system. This means that we make use of our redundant, distributed edge network to cut down on DNS query lag time and deliver high-speed network connections. Our DNS smart technology enables the network to adapt to changes or disruptions as they occur, rerouting away from downed servers and integrating directly with our Azion load balancing tools to streamline traffic. We don’t believe administrator inexperience should be a barrier to running your network on secure DNS, so we’ve built the Intelligent DNS interface with a focus on user-friendliness. We’ve also equipped our system with total third-party integration, available on Azion marketplace, because collaborative innovation is how great networks are built, and you shouldn’t have to buy exclusively from us just to make your DNS run optimally. Lastly, our full suite of DDoS protection tools keeps the system safe from a wide range of outside attacks, ensuring that standard DNS vulnerabilities will not be the cause of a compromised network.
The Domain Name System is a fascinating beast, but also a vulnerable one. Our ability as humans to easily communicate with the internet is only possible because of DNS services, and attacks on DNS servers can endanger whole networks at a time. Choosing a secure and intelligent DNS service has become more critical to network reliability than ever before. Azion Intelligent DNS’ secure, high-speed edge capabilities provide a powerful option, but what really matters is making sure you find a service you can trust, so you can build the best version of your network.