DNS
DNS is the domain name system. It is, roughly, a methodical address book that returns the location of a server for a given domain name. It differs from a contact book in that it can return the nearest server instead of one fixed server; in STL terms it is more like a multimap than a map.
Domain Name Space and Mode of Operation
The name space is a tree, split into zones starting from the root zone. The first query goes to the root zone, which responds with another zone that it thinks may hold the record for the domain name.
This continues until the request receives an authoritative answer (the AA bit in the response set to 1).
Zones can be subdivided by creating additional child zones and delegating authority to them. The parent then ceases to be authoritative for the new zone.
This setup is obviously better than a single server holding all the records, for several reasons:
- Lower load on each server.
- Faster lookup times.
- New zones and new records can be added without disturbing existing ones.
DNS Resolvers
The client side of DNS is called a resolver. It initiates and sequences the queries, and can work in several modes: recursive, non-recursive and iterative. There are also caching resolvers, which do what the name says: they keep answers locally to reduce lookup times and upstream load.
A non-recursive query simply means the resolver either gets the answer from a server that is authoritative for it, or gets a partial result (a referral or a cached record).
Recursive is the usual mode, where the server generates further queries on behalf of the resolver. Iterative is the mode where each response points the resolver at the next server in the chain, until it reaches an authoritative one.
An example of a caching resolver is systemd-resolved.
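The walk from the root zone through referrals until an authoritative answer, plus the effect of a cache, as an added example that is not part of the original notes. The zone tree, the zone names and the 192.0.2.x addresses below are constructed for illustration; a real iterative resolver sends each query over the network instead of calling `ask_server`.

```python
"""Toy iterative resolver with a cache, walking an in-memory zone tree.

Added example for these notes; the zone data is constructed and the
addresses come from the documentation range (192.0.2.0/24), not real servers.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Response:
    aa: bool                         # authoritative answer (the AA bit)
    answer: Optional[str] = None     # address, if this server holds the record
    referral: Optional[str] = None   # child zone to ask next, if delegated


# Constructed zone tree: each zone knows the records it is authoritative for
# and the child zones it has delegated (for which it is no longer authoritative).
ZONES: Dict[str, dict] = {
    ".": {"delegations": {"com."}, "records": {}},
    "com.": {"delegations": {"example.com."}, "records": {}},
    "example.com.": {"delegations": set(),
                     "records": {"www.example.com.": "192.0.2.10"}},
}


def ask_server(zone: str, qname: str) -> Response:
    """Simulate one query to the server for `zone` (one network round trip)."""
    data = ZONES[zone]
    if qname in data["records"]:
        return Response(aa=True, answer=data["records"][qname])
    # A delegated child zone that covers the name gets a referral (AA = 0);
    # the longest matching child wins when delegations are nested.
    children = [z for z in data["delegations"]
                if qname == z or qname.endswith("." + z)]
    if children:
        return Response(aa=False, referral=max(children, key=len))
    # The name lies inside this zone but has no record: authoritative negative answer.
    return Response(aa=True)


def iterative_resolve(qname: str,
                      cache: Optional[Dict[str, str]] = None
                      ) -> Tuple[Optional[str], List[str]]:
    """Start at the root and follow referrals until a response has AA set.

    Returns (answer, path), where path lists the zones actually queried;
    a cache hit returns an empty path because no upstream query was needed.
    """
    qname = qname.lower().rstrip(".") + "."      # names are case-independent
    if cache is not None and qname in cache:
        return cache[qname], []
    path: List[str] = []
    zone = "."
    for _ in range(16):                           # bound the walk: no referral loops
        path.append(zone)
        resp = ask_server(zone, qname)
        if resp.aa:
            if cache is not None and resp.answer is not None:
                cache[qname] = resp.answer
            return resp.answer, path
        zone = resp.referral
    raise RuntimeError("delegation chain too long or looping")


if __name__ == "__main__":
    cache: Dict[str, str] = {}
    print(iterative_resolve("www.example.com", cache))   # walks ., com., example.com.
    print(iterative_resolve("WWW.EXAMPLE.COM", cache))   # served from the cache, empty path
    print(iterative_resolve("www.nope.com"))             # com. answers authoritatively: no record
```

The bounded loop matters in a real resolver too: a misconfigured or hostile delegation can point back at itself, and a resolver that follows referrals without a limit never finishes.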
Typically, applications on Linux read /etc/resolv.conf to find the domain name servers for the network. resolved.service makes it a symlink to one of two files, /run/systemd/resolve/stub-resolv.conf or /run/systemd/resolve/resolv.conf.
stub-resolv.conf points to the local DNS stub server run by systemd, which listens on 127.0.0.53. To set global DNS servers, edit /etc/systemd/resolved.conf.
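A small resolv.conf parser that tells whether lookups go through the systemd stub on 127.0.0.53, as an added example that is not part of these notes or of systemd. The sample file text is constructed to resemble a stub-resolv.conf; `inspect_live` reads the real /etc/resolv.conf on the machine it runs on (read-only) and reports the symlink target.

```python
"""Parse resolv.conf and tell whether it points at the systemd-resolved stub.

Added example for these notes, not part of systemd. SAMPLE_STUB is a
constructed file; inspect_live() looks at the actual /etc/resolv.conf.
"""
import os
from typing import Dict, List

STUB_ADDRESS = "127.0.0.53"            # systemd-resolved's local stub listener


def parse_resolv_conf(text: str) -> Dict[str, List[str]]:
    """Return the nameserver, search and options entries of a resolv.conf."""
    conf: Dict[str, List[str]] = {"nameserver": [], "search": [], "options": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":              # comment lines
            continue
        parts = line.split()
        key, values = parts[0], parts[1:]
        if key == "nameserver" and values:
            conf["nameserver"].append(values[0])     # one address per line
        elif key in ("search", "domain"):             # 'domain' is the legacy form of search
            conf["search"] = values                   # the last search line wins
        elif key == "options":
            conf["options"].extend(values)
    return conf


def uses_systemd_stub(conf: Dict[str, List[str]]) -> bool:
    """True when every lookup goes through the local stub on 127.0.0.53."""
    return conf["nameserver"] == [STUB_ADDRESS]


def inspect_live(path: str = "/etc/resolv.conf") -> Dict[str, object]:
    """Report where the real file's symlink leads and which servers it names."""
    if not os.path.lexists(path):
        return {"exists": False}
    with open(path, encoding="utf-8") as fh:
        conf = parse_resolv_conf(fh.read())
    return {
        "exists": True,
        "symlink_target": os.path.realpath(path),
        "nameservers": conf["nameserver"],
        "systemd_stub": uses_systemd_stub(conf),
    }


# Constructed sample resembling the stub file; not copied from a real system.
SAMPLE_STUB = """\
# Constructed sample of /run/systemd/resolve/stub-resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search lan
"""

if __name__ == "__main__":
    conf = parse_resolv_conf(SAMPLE_STUB)
    print(conf, uses_systemd_stub(conf))
    print(inspect_live())
```

A mixed file (the stub address alongside a network resolver) is reported as not using the stub, because the resolver library may then bypass systemd-resolved for some queries, which is usually not what the administrator intended.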
Domain Name syntax and internationalization
- A name is divided into labels, concatenated with dots.
- The full domain name can have at most 253 characters.
- Each label represents a subdomain. The hierarchy descends from right to left.
- A name can have at most 127 levels of subdomains.
- Each label can have at most 63 characters.
- Labels can only contain letters, digits and hyphens. This is called the LDH rule.
- Names are interpreted case-independently. Labels can't start or end with a hyphen either.
- Punycode is used to map non-ASCII characters into domain names.
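The rules in the list above as a checker, plus the Punycode mapping for non-ASCII names, as an added example that is not part of the original notes. The limits (253, 127, 63, LDH, no leading or trailing hyphen, case-independence) are the ones listed; the mapping uses Python's built-in `idna` codec, which produces the `xn--` labels.

```python
"""Check a domain name against the syntax rules above and map it to ASCII.

Added example for these notes. Punycode/IDNA conversion relies on the
standard library's 'idna' codec; the rule limits are the ones in the list.
"""
import re
from typing import List

MAX_NAME_LENGTH = 253
MAX_LABEL_LENGTH = 63
MAX_LEVELS = 127
# LDH rule: letters, digits, hyphens; a hyphen may not begin or end the label.
LDH_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def validate_hostname(name: str) -> List[str]:
    """Return the rule violations for `name`; an empty list means it is valid."""
    problems: List[str] = []
    # Names are case-independent, and a trailing dot only marks the root.
    name = name.lower().rstrip(".")
    if len(name) > MAX_NAME_LENGTH:
        problems.append(f"name is {len(name)} characters, more than {MAX_NAME_LENGTH}")
    labels = name.split(".")
    if len(labels) > MAX_LEVELS:
        problems.append(f"{len(labels)} levels, more than {MAX_LEVELS}")
    for label in labels:
        if not label:
            problems.append("empty label (two dots in a row, or a leading dot)")
        elif len(label) > MAX_LABEL_LENGTH:
            problems.append(f"label {label[:8]!r}... is {len(label)} characters, "
                            f"more than {MAX_LABEL_LENGTH}")
        elif not LDH_LABEL.match(label):
            problems.append(f"label {label!r} violates the LDH rule")
    return problems


def to_ascii(name: str) -> str:
    """Map an internationalized name to its Punycode (xn--) form, label by label."""
    return name.lower().encode("idna").decode("ascii")


def is_valid(name: str) -> bool:
    """Validate the ASCII form, so non-ASCII names are checked after mapping."""
    try:
        ascii_name = to_ascii(name)
    except UnicodeError:          # the codec rejects labels it cannot map
        return False
    return not validate_hostname(ascii_name)


if __name__ == "__main__":
    for candidate in ("www.example.com.", "-bad.example", "bücher.example", "a" * 64 + ".test"):
        print(candidate, "->", to_ascii(candidate) if is_valid(candidate) else validate_hostname(candidate))
```

Validating the mapped form rather than the Unicode input is deliberate: the 63-character limit applies to the `xn--` label that actually goes on the wire, which is longer than the Unicode label it encodes.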
Transport Protocols
- UDP on port 53
- TCP on port 53
- DNS over TLS (DoT) on port 853
  - More secure than DNS over HTTPS, as it encrypts not just browser traffic but all traffic.
- DNS over HTTPS (DoH) on port 443
  - It looks like regular HTTPS traffic but is actually fairly easy to filter out using, cough cough, machine learning models.
DNSSEC
- With DNSSEC, each DNS record now comes with four more things: an RRSIG (resource record signature), a DNSKEY (the public key for the next zone), NSEC and DS (denial of existence and delegation signer).
- On a DNS query, an RRset is returned along with the corresponding RRSIG.
- The public key used to check the signature is taken from the DNS server at the previous level.
- DS contains a hash of the subdomain's key and is basically the link from that key back to the parent zone.
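The DS link from the last two bullets, computed and checked along a root-to-leaf chain, as an added example that is not part of the original notes. It implements the RFC 4034 key tag and DS digest (hash of the owner name in wire form followed by the DNSKEY RDATA) and walks a constructed chain from a trust anchor down to a leaf zone. It is not a full validator: checking the RRSIG over each RRset needs public-key signature algorithms that the standard library does not ship, so that step is left out; all key bytes below are constructed stand-ins.

```python
"""DS/DNSKEY link check: the parent's DS must match the hash of the child's key.

Added example for these notes, not a full DNSSEC validator: RRSIG verification
is omitted, only the DS links (RFC 4034 key tag and digest) are implemented.
All key bytes are constructed.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

DS = Tuple[int, bytes]          # (key tag, digest)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, zero byte."""
    name = name.lower().rstrip(".")
    labels = name.split(".") if name else []
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK, 256 = ZSK), protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum used to pick a key, never to verify it."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA); type 2 is SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).digest()


def validate_chain(anchor: DS, chain: List[Tuple[str, bytes]],
                   published_ds: Dict[str, DS]) -> Tuple[bool, Optional[str]]:
    """Walk root -> leaf; each zone's key must match the DS its parent published.

    The root key is checked against the configured trust anchor instead.
    Returns (True, None) on success, else (False, owner of the zone that broke the chain).
    """
    for owner, rdata in chain:
        expected = anchor if owner == "." else published_ds.get(owner)
        if expected is None:
            return False, owner                      # no DS in the parent: unsigned delegation
        tag, digest = expected
        if tag != key_tag(rdata) or not hmac.compare_digest(digest, ds_digest(owner, rdata)):
            return False, owner
    return True, None


# Constructed keys standing in for each zone's KSK; not real key material.
ROOT_KSK = dnskey_rdata(257, 13, b"constructed-root-ksk")
COM_KSK = dnskey_rdata(257, 13, b"constructed-com-ksk")
EXAMPLE_KSK = dnskey_rdata(257, 13, b"constructed-example-ksk")

CHAIN = [(".", ROOT_KSK), ("com.", COM_KSK), ("example.com.", EXAMPLE_KSK)]
# What each parent publishes for its child (the parent stays authoritative for the DS).
PUBLISHED_DS: Dict[str, DS] = {
    "com.": (key_tag(COM_KSK), ds_digest("com.", COM_KSK)),
    "example.com.": (key_tag(EXAMPLE_KSK), ds_digest("example.com.", EXAMPLE_KSK)),
}
TRUST_ANCHOR: DS = (key_tag(ROOT_KSK), ds_digest(".", ROOT_KSK))   # configured in the validator

if __name__ == "__main__":
    print(validate_chain(TRUST_ANCHOR, CHAIN, PUBLISHED_DS))          # (True, None)
    swapped = [(".", ROOT_KSK),
               ("com.", dnskey_rdata(257, 13, b"constructed-other-key")),
               ("example.com.", EXAMPLE_KSK)]
    print(validate_chain(TRUST_ANCHOR, swapped, PUBLISHED_DS))        # (False, 'com.')
```

The point of the walk is that only the trust anchor is configured locally; every other key is accepted solely because the zone above it published a matching DS, which is what makes a substituted DNSKEY detectable at the level where it was swapped.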
