Understanding the DNS Protocol (Part 1)

by Don Parker [Published on 25 Oct. 2005 / Last Updated on 25 Oct. 2005]

Can you imagine a world where you would have to memorize each and every IP address for the sites that you liked? The Internet certainly would not be as popular as it is today were this the case. Not to mention our beloved email, and the crucial role that DNS plays with its delivery. Read on, to learn more about one of the most unheralded protocols in existence today.

Domain Name Service aka DNS

The Domain Name Service is what I would call a “dense” protocol. I would call it dense because there is so much to DNS that many books have been written solely on DNS, what it is, and what it does. Unlike some other application layer protocols, which perform only one function, DNS does the normal resolution of domain name to IP address and other things as well, such as helping route your email. By route I don’t mean that DNS has suddenly turned into a routing protocol, but rather that, through the propagation of something called MX records, your email can be sent to the right mail server.

In this series of articles on DNS we will cover the structure of the domain name service as a whole. We will then go on to cover a bit more about how DNS actually works via its hierarchical design. Furthermore we will cover quite a few examples of what are called resource records and RCODES, also what they mean and how we can break them out. This will be done at the packet level to help give us context in case you have to investigate your network at the packet level at some future date. Just remember that, as I mentioned before, this series of articles will really only just scratch the surface of DNS. What I won’t be covering is the actual setup of DNS on a network, and the troubleshooting of it. With that said let’s begin our exploration of this often unappreciated protocol.

The humble beginnings

For the system administrators out there, you can almost map the early beginnings of DNS onto the growth of internal name resolution in Microsoft networks. In Windows NT we had what was called the LMHOSTS file. Contained in the LMHOSTS file was a mapping of NetBIOS names to IP addresses. This was done to ease the task of finding computers and services offered on the internal network. That was quickly followed by the WINS server, and then by Active Directory.

One goal of these various schemes was to map an IP address to a host name. This static mapping of IP addresses to computer names was actually the beginning of DNS as we know it today. Back in the early days of ARPA you simply had a file on a computer with a list of computers and their names. There was no such thing as DNS in the form we know it today. It was most certainly not distributed as it is now, but rather held on individual computers. The link provided on ARPA makes for some interesting reading as it briefly details the birth of the Internet. Holding a list of names on each computer quickly became impractical as the Internet grew, and so DNS as we know it today slowly began to take shape. Some know DNS as Distributed Name Service, and that is a fairly accurate term, for no one computer holds a list of all domain names to IP addresses. Please look here for an example of the distributed nature of DNS.

You will see that at the top of the diagram I just linked to is where the DNS root server would reside. Below the root server are the top-level domains, as exemplified by .com, .edu and .mil, amongst others. Several of these domains are for the exclusive use of the United States, as that is where the Internet actually originated. On the far left of that diagram you see .arpa. This is used for “reverse lookups” and in essence is the opposite of what DNS is normally used for. In a reverse lookup you are asking that an IP address be resolved to a domain name. That is what the arpa domain is used for. Each of the levels seen on that diagram holds the IP address of the DNS server above it. While you may think that a root DNS server contains a vast number of entries, this is actually not the case at all. You can check this site or this site out to view the DNS root servers.

So what is actually contained in the root DNS server? Good question. It actually contains a file called the “Root Zone File”. This file contains all of the names and IP addresses for the authoritative DNS servers at the Top Level Domain, aka TLD. Examples of top level domains would be .com and .edu, amongst others. How do the root name server’s contents get built then? Well, that is largely done by the folks at IANA. Contained in this link is a wealth of information as well. You can check for port assignments, as well as protocol assignments, here. You could definitely consider IANA a definitive source of information as they are the “Internet Assigned Numbers Authority”.

Back to the DNS root servers though. There is no actual traffic that goes through the DNS root servers as such. They do no actual routing. These servers, as mentioned, simply contain a mapping of the IP addresses of the DNS servers for each top-level domain. If you recall, I mentioned earlier that DNS is very much a “distributed” name service. As such there is no one computer which contains a list of all the DNS information. It would be pretty much impossible to do so, or impractical at best.

Anyhow, I do not want to delve too deeply into the breakdown of the DNS hierarchy itself, as there are many excellent sites that already do just that. Another part of DNS has to do with caching of the DNS records themselves. To take a look at the DNS cache on your home computer simply type the following at a DOS prompt:

ipconfig /displaydns

This will bring up the DNS records that the resolver (let’s say you are using Windows XP) will check before going out to your ISP’s DNS server to have the query you are issuing resolved. You may want to give the following link a read as well, for it contains some excellent information about DNS caching on a Windows XP computer. Contained in the information that the above noted command outputs to the DOS prompt is the record name, the record type, the TTL value of the cached DNS record as measured in seconds, the data length, the section, and lastly the record data itself, on a line labelled with the record type. You can see a sample output of the ipconfig /displaydns command below. Pretty neat stuff!

   Record Name . . . . . : testlab-cs4
   Record Type . . . . . : 1
   Time To Live  . . . . : 30318069
   Data Length . . . . . : 4
   Section . . . . . . . : Answer
   A (Host) Record . . . :


The record type number you see above relates to the “A” record. A full list of the record type numbers and their corresponding record types can be found here. Well on that note I will wrap up part one of this three part series on DNS. In part two and three we will dig deeper into this multi-faceted protocol. Till then!
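As an added example (not code from the article), here is a small Python parser for the ipconfig /displaydns output shown above: it groups the field lines into records, translates the numeric Record Type the way the text does for 1 = A (the other numbers come from the IANA DNS parameters registry), and builds the in-addr.arpa name that a reverse lookup of a cached A record’s address would query. The sample output, hostnames and addresses are constructed.

```python
# Added example, not from the article: parse `ipconfig /displaydns` output and
# decode the numeric record types it shows (1 = A). The sample is constructed.
import re

SAMPLE = """\
    Record Name . . . . . : testlab-cs4
    Record Type . . . . . : 1
    Time To Live  . . . . : 30318069
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.10

    Record Name . . . . . : mail.example.com
    Record Type . . . . . : 5
    Time To Live  . . . . : 3600
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : mx1.example.com
"""

# Type numbers as registered with IANA (1 = A, the value the article shows)
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 28: "AAAA"}
KEYS = {"Record Name": "name", "Record Type": "type", "Time To Live": "ttl",
        "Data Length": "data_length", "Section": "section"}
# "Label . . . : value"; labels hold letters, spaces and parentheses only
FIELD = re.compile(r"^\s*([A-Za-z()/ ]+?)\s*[. ]*:\s*(.*)$")

def parse_displaydns(text):
    """Group the field lines into one dict per cached record."""
    records, cur = [], {}            # fields before the first Record Name are dropped
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:                    # banners and dashed rules carry no field
            continue
        label, value = m.group(1).strip(), m.group(2).strip()
        if label == "Record Name":   # first field of every entry: start a new record
            cur = {}
            records.append(cur)
        key = KEYS.get(label, "data")  # the "<TYPE> Record" line carries the answer
        cur[key] = int(value) if key in ("type", "ttl", "data_length") else value
    for rec in records:              # translate the type number the way the article does
        rec["type_name"] = RR_TYPES.get(rec.get("type"), "TYPE%s" % rec.get("type"))
    return records

def ptr_name(ipv4):
    """Name that a reverse lookup of this IPv4 address queries under .arpa."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: " + ipv4)
    return ".".join(reversed(octets)) + ".in-addr.arpa"
```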

The Author — Don Parker

Don Parker, GCIA, GCIH, specializes in matters of intrusion detection and incident handling. He has also enjoyed a role as guest speaker at various network security conferences, and has written for various online and print media on matters of computer security. You can contact Don Parker at dparker@bridonsecurity.com
