DNS root servers: what you did not learn in class
Articles,  Blog

DNS root servers: what you did not learn in class

We’re going to look at a lecture on DNS we’re gonna do a quick review of the basics so that we kind of get a refresher and then we’re going to plunge into a review of a topic of DNS that Most people don’t get a chance to deep dive into and that’s the DNS root servers themselves Most of us have seen a DNS hierarchal chart showing the root DNS server Below it. We see the top level domain DNS servers below. That is our authoritative servers Most of us have seen this. What I want to do is I do want to focus on the root server in this presentation But a quick review of how all of this works For me, I have learned that an a big-picture overview of any topic helps me incredibly when I start digging into the details if I don’t have that big picture of any technology I Really struggle to understand it Let’s take a look at this diagram because it really helps us understand DNS and let’s start with the user the user Let’s say is going to go amazon.com But we know we can’t get anywhere with just a name such as amazon.com What the user really needs is an IP address and so we’re going to depend on the next Entity in DNS, which is the resolving name server to help us get that IP address for me in my case. I Have Time Warner or spectrum as my ISP, and they also provide my home PCs With DNS services, so they’re gonna be my resolving name server They’re going to go out and try to find the IP address of amazon.com Their goal remem their goal is to find the authoritative nameservers for amazon.com hopefully we can get to Amazon Web Services, which probably hosts the DNS system for Amazon and with once we’ve reached those authoritative nameservers, we’re gonna ask for the IP address of amazon.com Once we’ve pulled that record out of the Amazon DNS system It’s gonna be sent back to my browser and I’ll get to serve the website Alright, we’re gonna drill into some of the details, but this will really help you understand what’s going on Notice the arrows between the user browser The resolving name server and the authoritative nameservers all of those air arrows represent DNS queries, there’s two basic types non recursive DNS queries and recursive DNS queries The packets that contain DNS queries are very small 600 bytes in size This is a captured DNS packet. The size of this packet is the beauty of DNS. It makes this whole system efficient Now, let’s take a look at the authoritative name servers in the DNS architecture This is the key our browser wants accurate information about Amazon.com I don’t want to go to Walmart for information about Amazon or if I want to go to CVS health corporation I don’t want to go to AT&T so every company Will own and manage its own Authorized DNS name server so that we can go to their website and get accurate information about that company now Authorized name servers managing and host hosting these authorized name servers is very Expensive if you’re a big company you can afford to do that But a lot of smaller companies use Enterprise DNS hosting companies So when we talk about a lot of smaller companies, they need that authoritative domain server But they in a ford they’re very expensive to manage very expensive to secure so they may go to something like CloudFlare or You may go to as you’re sure has their own Dns public service that they provide it’s it’s pricey It’s expensive, but you get very very good reliable DNS Another provider of that would be Google Google has their own cloud DNS system. You can purchase that and you can host your Authoritative nameserver with Google another one is GoDaddy. They have a very Well-known very respected DNS system that you can also use and of course Amazon Amazon has their Amazon route 53 you can provide they provide you with a Thoreau tative DNS services through the Amazon Web service system Now these are only just a few there’s a lot of people will take your money and host your DNS services All right, what about people that are cheap or? Poor but they need an authoritative Nameserver. Well, there are some companies that host for free authoritative nameservers for various entities so if you’re a non-profit or you’re an individual There is free DNS hosting out there for your authoritative nameserver alright our last Concept as we look at this diagram in our review of DNS and that’s the actual record in The DNS server. We see things like the IP address the IP version 4 of a domain name We see the IP version 6 of the domain name We see information like the mail server So the record information in the DNS server is a critical part of DNS now everything we’ve shown you just before is a Simplified view and a review of DNS but none of that will work when you’re talking about a worldwide Network as big as what we have on our planet. Let’s start with one point eight billion websites and when we start talking about three point nine billion users We’ve got to have a serious and a complex DNS system Let’s look at a DNS query again this time I’m going to bring in the root servers the top-level domain DNS servers and let’s take a look at how this operates so we’re back to John he’s gonna go to lowes.com/howto Use spectrums DNS server to begin the process Now I’m going to start with the root server the root server is going to be contacted It’s going to give me the information of who owns the top-level domain for Comm and in this case. That’s Verisign Verisign hosts the entire dot-com top-level domain DNS system Once that information is passed back. It’s going to tell me the authoritative nameservers DNS servers for lowes.com And I’ve got that information below that information is going to send me the IP address of lowes.com that’s going to be sent to my browser and If all goes well, I’m going to connect to lowes.com and actually be able to buy something online So I’m on Lowe’s home page and I’m going to use a Chrome extension By DNS lytx. It’s a very cool tool and it allows me to see some very interesting information First of all, I can see the IP address of lowes.com and I can see that the website is hosted in the Netherlands if I go to domain I Can scroll down and see? Yep, I’m in the Lowe’s comm domain. And if I keep scrolling down I can see the authoritative name servers for lowes.com So how in the world can low? Be hosted in the Netherlands and yet I have this fast traffic back and forth Well that all magic is a whole nother subject. But since we’re here, let’s take a look this is being the magic of this website being in Netherlands and yet I’m able to see it and interact with it with incredible speed is because it’s using a content delivery network a CDN in this case alchemy. All right, let’s get back to what we came here for Let’s take a look at DNS root servers So who in the world is responsible for root servers? Well, the overarching organization is I can This is a global policymaking Organization it has members all over the world Companies governments and they are the oversight to root servers I can then Pushes this responsibility to a sub organization called Ayana the internet assigned numbers Authority they’re responsible for the root zone They’re also responsible for the database of the top-level domains They have a lot of other responsibilities, but we’re going to focus on root servers the DNS root Infrastructure is made up of 13 name root servers They are operated by 12 independent organizations in the early days of the internet Most of the root servers resided within the United States that has radically changed there are now over 750 instances of these 13 root servers all across the globe When it comes to DNS root servers and not everybody is equal here when it comes to managing and operating Root servers we can see that the operators really vary some of the root server operators manage up to 200 plus Root servers, some of them may be only manage 6 root servers So it’s not always equal in these operators that manage root servers we can see the University of Maryland NASA is C Verisign I can are the biggest root server operators right now as we speak There’s over 750 root server instances Remember just because you host a root server doesn’t mean you can manage the only person in the world that Can modify or login or control or administer a root server is? those operators on any given day Just one root server And I looked up the statistics for the a root server up to 8 billion queries a day on Just one root server Because root servers are so critical in DNS There is intense interest in the data the statistics the metrics of every root server in the world of root servers Monitoring is serious business Ayana requires all root servers to establish probes Pieces of equipment they can monitor metrics and data so they can collect Serious data on every single root server on the planet. This was an interesting photo from a Island between the mainland of Norway and the North Pole it’s one of the world’s most northernmost inhabited Areas, and you can see their rack of routers and they actually have a root server probe Monitoring the performance of root servers way up there root servers IP address are very very important and In the last few years there have been IP address changes They are very monitored rolled out very carefully. So there’s very little disruption on DNS All right. Mr. Vanderwall. This is really cool root servers Have a database a DNS database. Just how big is this database so exactly what is in a root server? Well it contains over 1500 and Eric top-level domain IP addresses as to where to find the top-level domain servers for dot-com Dotnet org, it also contains the country code top-level domains such as China Indonesia It also contains the IDs the internationalized domain name All of that is in the root zone database so if I wanted to host a root server for DNS What kind of hardware would I need well, believe it or not what you’re seeing is the recommended hardware Basically a 1u rack with X amount of CPU capability storage, etc And that’s typically all you need to handle a root server. All right, wait a minute. Mr Vanderpool that little server is not going to handle eight billion queries. That’s correct Remember we distribute root servers all over the world Just in case you’re interested the dot-com is the largest top-level domain DNS service, it has over a hundred and thirty-nine million Records for the dot-com the next largest record is going to be for China We also see dotnet UK org Verisign hosts some of the largest top-level domain DNS servers in the world They host the entire dot-com net dot TV dot C C and dot name so what is the software that makes the DNS server work the software that runs DNS is typically Bind version 9 bind is a very very popular open-source DNS software. It runs on Linux and Windows. There’s another one called NDS and it’s a called name service daemon and Another one called nots DNS and this is done by the Czech Republic all three of these different software packages are running route server running route servers is serious business if you’ve have 750 instances you’ve got to have a lot of people when it comes to managing root servers This is a conference held for root server operators. You can tell they’re geeks that got their laptops their phones None of them are paying attention to the presentation typical geeks All right, we’ve looked at a lot of things about DNS Let’s get out of the slide deck and let’s go drive around a little bit. This is the root servers Official web page for the operators and you can see they have a map showing you the location of all the instances of the root servers if we scroll down You can see there the root servers are listed as a and I could choose B choose C and you can see where they’re located and Who is the operator so here on the website you can see I’m looking at root server D It’s hosted by the University of Maryland. You can see over a hundred and fifty-four sites. That’s the IP address IP version 4 Address for that root server. It also has an IP version 6 Let’s go trace route 2 trace route a root server. I’m going to use some really cool web tools NuStar has some great tools. Let me show you this particular company has just a ton of great great tools let’s start with ultra tools and we’re gonna go to tracing tools and I’m going to do a tracer and I’m going to simply click in the IP address of a root server, and I’m going to choose up to 64 hops and go as we look at the trace route that this tool gives us we can see geolocation As we’re going from router to router from this website to the root server we can see we jump to the United States and then we jump to Germany and Then here we jump to Ireland and then back to the United States Normally a traceroute you don’t get to see that so here at the end of the trace route We see that it was 8 hops from this web server that hosted our tool To our D root server. It was 8 hops Here’s another cool tool is called the DNS speed test and it’s a DNS hosting speed tool It gives you valuable information about DNS performance for each level in the DNA tree I’m gonna go ahead and put in lowes.com. So let’s go take a look. So let’s remember Everything we learned to get to Lowe’s calm That is going to try to locate a root server So I’m going to scroll down here and we can see as a resolving server tries to find eff root M root I root you can see the different speeds that each of these root servers perform at Next we have the top-level domain for dot-com and you can see each of those vary in speed and then last we look at our authoritative DNS servers for Low’s com we can see all of them listed and the speeds that they perform at as It pertains to queries now Let’s take a look at our authoritative servers for Low’s comm and we can see if you’re trying to get an IP version 6 address It’s actually faster than over here where you’re trying to get an IP version 4 All of this metrics helps give you an administrator of a website Some in some idea of how your dns is performing You can even run a domain health report on your website and it gives you a lot of information about your DNS Authoritative server. So again, if you don’t understand those basics then when I go and deep dive you’re lost This is all about your authoritative Nameserver now, there is some really odd stuff out there concerning DNS root servers Let’s take a look and it’s called the Yeti DNS project. It’s live It’s IP version 6 only root DNS server you can take a look at the Website, let’s take a look. You can go to the Yeti DNS project and take a look. It’s pretty cool let’s talk quickly about DNS privacy and we’ll look at DNS cyber attacks and security Remember our diagram so here is you at home or at your company or on your phone this first DNS resolver knows Everywhere you want to go every website every domain you travel to The owner of this DNS resolver knows about you so if you have an ISP like Comcast ATT Verizon or for your mobile phone Verizon t-mobile They’re they’re resolving your DNS queries. They know all about you if you’re on a company’s network they know all about where you’re going on the internet and Honestly, most of them have legal rights to do so But what if it was a government they could find out everything you do Your dns traffic can be sniffed collected and analyzed and then used or sold Wouldn’t it be nice to have somebody you could trust that would do your DNS resolving? No everywhere you go, but not care and not ant promise you privacy reliability and speed so CloudFlare comm offers two public dns servers. The first one is 1.1.1. The other one is 99.99 These dns servers provide you free public dns service. They guarantee your privacy They’re highly reliable and they’re fast. You can also get CloudFlare on your mobile phone so you can take t-mobile out of the picture You can take horizon out of the picture You can download the 1.1 app and install it and you’ll have a new dns resolver. There are other companies that host public dns systems but cloud fair CloudFlare com promises Privacy they guarantee privacy. They don’t care. They don’t want your data. They don’t want to target you with ads they’re also very very fast in comparison to Google’s public DNS or Cisco’s the Open DNS. They’re very very fast. You can set it up on iPhone Android Mac Windows Linux or your home router and no CloudFlare comm doesn’t sponsor anything I do they probably don’t know I exist but I do like their service. There are serious DNS attacks going on Talos I the Department of Homeland Security CrowdStrike the SANS Institute’s have all released many many white papers on Serious attacks on DNS as of 2019 because root servers are monitored so Intensely, the real attacks on DNS are at top-level domains this year through cyber espionage Over 50 Middle East records were altered in the top-level domain this allowed DNS hijacking record manipulation DNS fronting some of it was done through credential theft of accounts on domain registrar’s and some stealing ssl certificates on dns vendors altering a few records on a Top-level domain DNS server could easily put the bad guys in a man-in-the-middle attack think of any country’s national security Security agency if you put a man in the middle, it would put that agency and severe compromise I hope you enjoyed this lecture. Feel free to contact me if you’d like notes or slides just send me


Leave a Reply

Your email address will not be published. Required fields are marked *