DNS

The Domain Name System (DNS) is responsible for translating human-readable domain names (like www.example.com) into the numerical IP addresses (like 192.0.2.1) that computers use to communicate.

Working of DNS

When you want to visit the website www.example.com, the following steps take place:

  • Computer checks cache: The stub resolver on your computer first looks in its local cache (and the hosts file) for an IP address from a previous visit.

  • DNS resolver checks cache: If not found, the query goes to the recursive resolver (usually your ISP's, or a public one such as 1.1.1.1), which checks its own cache.

  • Recursive lookup begins: If the resolver doesn't have the address, it queries a root name server.

  • Root name server refers: The root server does not know the answer itself; it returns a referral, the NS records (with glue addresses) of the name servers for the .com TLD.

  • TLD name server refers: The .com server returns another referral, this time to the authoritative name servers for example.com.

  • Authoritative name server answers: The authoritative server holds the A record for www.example.com and returns the IP address to the resolver.

  • DNS resolver returns IP: The resolver sends the IP to your computer and caches it for the record's TTL, so later queries are answered without repeating the walk.

  • Computer connects: With the IP address, your computer connects to the website’s server to start browsing.

The main entities involved in the DNS resolution process are:

  • DNS Cache: Memory storage in your computer or DNS resolver that temporarily holds IP addresses from previous visits.

  • DNS Resolver: A server (typically provided by your ISP) that handles DNS queries, starting the process of finding the correct IP address.

  • Root Name Server: The first point of contact in the DNS hierarchy; it directs the resolver to the appropriate TLD name server.

  • TLD Name Server: Responsible for the domain’s top-level domain (e.g., .com, .org); it directs the resolver to the authoritative name server.

  • Authoritative Name Server: Holds the actual IP address of the domain and returns it to the resolver.

  • Web Server: The final destination where your computer connects once it knows the IP address.

The difference between a TLD name server and an authoritative name server is that the TLD name server manages the delegations for a specific top-level domain (.com, .org, etc.) and only knows which name servers are authoritative for each domain beneath it, while the authoritative name server holds the final DNS records (e.g. IP addresses) for the specific domain.
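The walk described in the steps above, with the cache check, the two referrals and the final answer, as an added example that is not part of the original page. The three authoritative servers, their addresses and the single A record are constructed zone data held in memory (no packets are sent), and the resolver honours the record TTL so the second lookup is served from cache.

```python
"""Iterative resolution walked by hand over constructed zone data (no network).

Added example, not from the original page: the three authoritative servers,
their names, addresses and records are all invented for the walk-through.
"""
import time

ROOT_SERVER = "a.root-servers.net."
COM_SERVER = "a.gtld-servers.net."
EXAMPLE_SERVER = "ns1.example.com."

# Each authoritative server knows only its own zone: the records it is
# authoritative for, plus the NS delegations (with glue addresses) for child zones.
ZONES = {
    ROOT_SERVER: {
        "delegations": {"com.": [COM_SERVER]},
        "glue": {COM_SERVER: "192.0.2.10"},
        "records": {},
    },
    COM_SERVER: {
        "delegations": {"example.com.": [EXAMPLE_SERVER]},
        "glue": {EXAMPLE_SERVER: "192.0.2.53"},
        "records": {},
    },
    EXAMPLE_SERVER: {
        "delegations": {},
        "glue": {},
        "records": {("www.example.com.", "A"): ("192.0.2.1", 300)},  # rdata, TTL
    },
}


def query(server, name, qtype):
    """Simulate one non-recursive query to an authoritative server.

    Returns ("answer", rdata, ttl), ("referral", [nameserver, ...]) or ("nxdomain",).
    """
    zone = ZONES[server]
    if (name, qtype) in zone["records"]:
        rdata, ttl = zone["records"][(name, qtype)]
        return ("answer", rdata, ttl)
    # Referral: the longest delegated child zone that encloses the queried name.
    for child in sorted(zone["delegations"], key=len, reverse=True):
        if name == child or name.endswith("." + child):
            return ("referral", zone["delegations"][child])
    return ("nxdomain",)


class Resolver:
    """Minimal recursive resolver: cache first, then walk down from the root."""

    def __init__(self):
        self.cache = {}  # (name, qtype) -> (rdata, expiry timestamp)

    def resolve(self, name, qtype="A", now=None):
        now = time.time() if now is None else now
        name = name.lower().rstrip(".") + "."  # normalise to a fully qualified name
        trace = []
        cached = self.cache.get((name, qtype))
        if cached and cached[1] > now:
            trace.append(f"cache hit: {name} {qtype} = {cached[0]}")
            return cached[0], trace
        server = ROOT_SERVER
        for _ in range(16):  # bound the chain so a broken delegation cannot loop forever
            reply = query(server, name, qtype)
            if reply[0] == "answer":
                rdata, ttl = reply[1], reply[2]
                self.cache[(name, qtype)] = (rdata, now + ttl)  # honour the record's TTL
                trace.append(f"{server} answered {name} {qtype} = {rdata} (TTL {ttl})")
                return rdata, trace
            if reply[0] == "referral":
                next_server = reply[1][0]
                glue = ZONES[server]["glue"][next_server]  # address the next query would go to
                trace.append(f"{server} referred to {next_server} ({glue})")
                server = next_server
                continue
            trace.append(f"{server} has no record: NXDOMAIN")
            return None, trace
        raise RuntimeError("referral chain too long")


if __name__ == "__main__":
    r = Resolver()
    for step in r.resolve("www.example.com")[1]:
        print(step)
    print(r.resolve("www.example.com")[1][0])  # served from cache the second time
```

The trace printed by the first call is the same sequence `dig +trace` shows against real servers: a referral from the root, a referral from the TLD, then the answer from the authoritative server. Once the TTL has elapsed the cache entry is ignored and the walk is repeated.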

DNS Records

A

Address Record

Maps a hostname to its IPv4 address.

www.example.com. IN A 192.0.2.1

AAAA

IPv6 Address Record

Maps a hostname to its IPv6 address.

www.example.com. IN AAAA 2001:db8:85a3::8a2e:370:7334

CNAME

Canonical Name Record

Creates an alias for a hostname, pointing it to another hostname.

blog.example.com. IN CNAME webserver.example.net.

MX

Mail Exchange Record

Specifies the mail server(s) responsible for handling email for the domain.

example.com. IN MX 10 mail.example.com.

NS

Name Server Record

Delegates a DNS zone to a specific authoritative name server.

example.com. IN NS ns1.example.com.

TXT

Text Record

Stores arbitrary text information, often used for domain verification or security policies.

example.com. IN TXT "v=spf1 mx -all"

The record above is an SPF policy: it authorises only the domain's MX hosts to send mail for example.com and tells receivers to treat any other sender as failing (-all).

SOA

Start of Authority Record

Specifies administrative information about a DNS zone, including the primary name server, responsible person's email, and other parameters.

example.com. IN SOA ns1.example.com. admin.example.com. 2024060301 10800 3600 604800 86400

SRV

Service Record

Defines the hostname and port number for specific services.

_sip._udp.example.com. IN SRV 10 5 5060 sipserver.example.com.

PTR

Pointer Record

Used for reverse DNS lookups, mapping an IP address to a hostname.

1.2.0.192.in-addr.arpa. IN PTR www.example.com.

DNS Tools

dig

Versatile DNS lookup tool that supports various query types (A, MX, NS, TXT, etc.) and detailed output.

nslookup

Simpler DNS lookup tool. It defaults to A/AAAA lookups, but other record types (MX, NS, TXT, etc.) can be requested with its -type= option.

host

DNS lookup tool with concise output.

dnsenum

A DNS enumeration tool that gathers DNS information like name servers, mail servers, subdomains, and performs zone transfers.

fierce

DNS reconnaissance and subdomain enumeration tool that finds subdomains through wordlist brute force and zone-transfer attempts.

dnsrecon

Combines multiple DNS reconnaissance techniques and supports various output formats.

theHarvester

OSINT tool that gathers email addresses, subdomains and host names from public sources such as search engines, complementing the DNS-only tools above.

Dig

The dig command (Domain Information Groper) is a versatile and powerful utility for querying DNS servers and retrieving various types of DNS records.

dig domain.com

Performs a default A record lookup for the domain.

dig domain.com A

Retrieves the IPv4 address (A record) associated with the domain.

dig domain.com AAAA

Retrieves the IPv6 address (AAAA record) associated with the domain.

dig domain.com MX

Finds the mail servers (MX records) responsible for the domain.

dig domain.com NS

Identifies the authoritative name servers for the domain.

dig domain.com TXT

Retrieves any TXT records associated with the domain.

dig domain.com CNAME

Retrieves the canonical name (CNAME) record for the domain.

dig domain.com SOA

Retrieves the start of authority (SOA) record for the domain.

dig @1.1.1.1 domain.com

Queries a specific name server (here Cloudflare's public resolver 1.1.1.1) instead of the system's configured resolver; useful for comparing answers between resolvers.

dig +trace domain.com

Performs iterative resolution from the root servers and prints each referral (root, TLD, authoritative) along the way, reproducing the resolution walk described above.

dig -x 192.168.1.1

Performs a reverse (PTR) lookup on 192.168.1.1 to find the associated host name. Because this is a private (RFC 1918) address, only an internal name server will hold its reverse zone, so you may need to specify one with @server.

dig +short domain.com

Prints only the record data (for example just the IP addresses), one per line, which is convenient in scripts.

dig +noall +answer domain.com

Displays only the answer section of the query output.

dig domain.com ANY

Requests every record type the server is willing to return for the domain. Note that many DNS servers no longer answer ANY queries in full: as permitted by RFC 8482 they may return a minimal response (such as a synthesised HINFO record) to reduce load and amplification abuse, so query each record type explicitly instead.
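The record lines in the DNS Records section and the output of `dig +noall +answer` share the same text form (`owner [ttl] [IN] TYPE rdata`), so a small parser covers both. The following is an added example, not code from the original page: it parses the page's example records (embedded below as constructed input, some with the TTL column dig adds), validates addresses, derives the reverse-zone owner name an address needs for its PTR record, and runs two checks a practitioner would want: whether each PTR record is matched by a forward A/AAAA record, and whether the TXT records carry exactly one SPF policy. The helper names (`parse_records`, `reverse_name`, `ptr_mismatches`, `spf_records`) are this example's own.

```python
"""Parse zone-file / `dig +noall +answer` style records and run a few sanity checks.

Added example (not from the original page). The sample records are the ones shown
on the page, some with a TTL column as dig prints them; no network access is used.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed input: the page's example records in the form `dig +noall +answer` emits.
SAMPLE = """\
www.example.com. 300 IN A 192.0.2.1
www.example.com. IN AAAA 2001:db8:85a3::8a2e:370:7334
blog.example.com. IN CNAME webserver.example.net.
example.com. 3600 IN MX 10 mail.example.com.
example.com. IN NS ns1.example.com.
example.com. IN TXT "v=spf1 mx -all"
example.com. IN SOA ns1.example.com. admin.example.com. 2024060301 10800 3600 604800 86400
_sip._udp.example.com. IN SRV 10 5 5060 sipserver.example.com.
1.2.0.192.in-addr.arpa. IN PTR www.example.com.
"""


@dataclass
class Record:
    name: str
    ttl: Optional[int]
    rtype: str
    rdata: dict


# Per-type RDATA parsers; addresses go through ipaddress so a malformed A/AAAA
# record raises instead of being silently accepted.
RDATA_PARSERS = {
    "A": lambda t: {"address": str(ipaddress.IPv4Address(t[0]))},
    "AAAA": lambda t: {"address": str(ipaddress.IPv6Address(t[0]))},
    "CNAME": lambda t: {"target": t[0]},
    "NS": lambda t: {"target": t[0]},
    "PTR": lambda t: {"target": t[0]},
    "MX": lambda t: {"preference": int(t[0]), "exchange": t[1]},
    "SRV": lambda t: {"priority": int(t[0]), "weight": int(t[1]),
                      "port": int(t[2]), "target": t[3]},
    "SOA": lambda t: {"mname": t[0], "rname": t[1], "serial": int(t[2]),
                      "refresh": int(t[3]), "retry": int(t[4]),
                      "expire": int(t[5]), "minimum": int(t[6])},
    # TXT RDATA may be split into several quoted strings; they are concatenated.
    "TXT": lambda t: {"text": "".join(t)},
}


def parse_record(line: str) -> Record:
    """Parse one `owner [ttl] [IN] TYPE rdata...` line; quoted TXT strings stay intact."""
    tokens = shlex.split(line)
    name = tokens.pop(0)
    ttl = int(tokens.pop(0)) if tokens[0].isdigit() else None  # TTL column is optional
    if tokens[0].upper() == "IN":  # class column is optional too
        tokens.pop(0)
    rtype = tokens.pop(0).upper()
    parser = RDATA_PARSERS.get(rtype, lambda t: {"raw": " ".join(t)})
    return Record(name, ttl, rtype, parser(tokens))


def parse_records(text: str) -> list:
    """Parse every non-empty, non-comment (';') line of zone or dig answer text."""
    return [parse_record(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith(";")]


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an address, e.g. 192.0.2.1 -> 1.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def ptr_mismatches(records) -> list:
    """PTR records whose target host has no A/AAAA record mapping back to that address."""
    forward = {}
    for r in records:
        if r.rtype in ("A", "AAAA"):
            forward.setdefault(r.name.lower(), set()).add(reverse_name(r.rdata["address"]))
    return [r for r in records
            if r.rtype == "PTR"
            and r.name.rstrip(".").lower() not in forward.get(r.rdata["target"].lower(), set())]


def spf_records(records) -> list:
    """SPF policies found in TXT records; more than one per owner is a permanent error (RFC 7208)."""
    return [r.rdata["text"] for r in records
            if r.rtype == "TXT" and r.rdata["text"].lower().startswith("v=spf1")]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(f"{r.name:28} {r.rtype:6} {r.rdata}")
    print("PTR/forward mismatches:", ptr_mismatches(recs))
    print("SPF:", spf_records(recs))
```

Feed it real data by piping `dig +noall +answer example.com ANY` (or one query per type, given the ANY caveat above) into `parse_records`; the parsed dictionaries are easier to diff between resolvers than raw dig output.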
