What is DNS at present?

DNS performs the name to IP resolution and much more …. I am sure everyone knows this and hence would not spend time talking about it on this blog.

If you type ”www.bing.comthis request would first go to the resolver (go to Run à Ncpa.cpl) which is present on the client machine. Now it would look at the DNS setting defined on the resolver and send the query to the Primary DNS Server with the following information:

i)Query itself Example for bing.com : i.e. 16-bit transaction ID (XID), port 52 and UDP protocol (all this info would be tagged
with the query)

Now the resolver on the client waits for a response with same information which is tagged with the query, anyone who replies with the information would be first accepted by the resolver on the client and the rest would be discarded. So what if an hacker replies first and it can safely redirect you to a bogus website which has the same layout as your original website and may get access to your credentials (e.g. of Hotmail etc.)  And then use them to go in drafts or some hidden folder to get your bank account number and details (possibly).

Question)  How can a client guess a query type, XID Value and Port?

Answer) Query name and the XID value is seen in clear text
in the request. Port of DNS is 53.

Windows Server 2008 R2 has a feature know as Source Port Randomization and in this for every communication it chooses a different port to communicate with the Server. EG

Now you would be like cool ‘I AM SAFE’. My answer would be oOh Yes. Before it took a hacker to poison
your cache in a minute. Now it would take him some hours:)

Now your question is …. Doesn’t it have a method for Data integrity?

Simple answer is no! so what happens is if I am a client and I send a response to my local DNS Server which then sends the request to my ISP DNS Server. Let us assume that my Local DNS Server receives a reply first from the hacker and not the ISP ? The scenario explained is called DNS cache poisoning. Where now the hacker has set the TTL for 1 year and this record is
in the cache of the DNS Server and stays in there for one year. Now all the clients would be using this entry which points to a Bogus IP + Website. (Wow aren’t the hackers really doing a good job)

Question)  I have heard of a term called secure dynamic updates. Doesn’t that use Mutual authentication?
Answer )Yes it does but that is the only point where DNS does Mutual authentication. For the rest of the stuff it never does any Mutual Authentication.

I was just scrolling some article and just read that the Root DNS Server is now DNSSEC enabled. So lets us understand what would I need to do if my domain is hosted as ‘’Company.fazal.gov’’. On my internal DNS Server I have a zone which is representing ‘’Company.fazal.com’’. So I would need to complete two tasks here:

1) Sign my zone  (Which means we would Add a signature for each record 🙂 )

2)Create the key pairs.

Now the key pairs which have been created I would send these key pairs to the people which host “.GOV”. They would take my Key pair and sign my key pair. Which means that there is a list of signed Keys maintained by the ‘’.GOV’’(DSRecord). Now If my client would send a DNS query to the DNS server. They can both verify with the help of the key pairs and thus the hacker gets
out of the picture.

Note: Dynamic updates are automatically disabled on a DNSSEC-signed zone.  Windows Server® 2008 R2 DNS server supports the signing of static zones only. You must use Dnscmd.exe or DNS Manager to add more resource records to a zone and the zone must be re-signed.

Hope this proves useful – happy reading!