Lead Image © Sergejus Bertasius, 123RF.com
Domain name resolution with DNS over HTTPS
Secure Paths
The Domain Name System Security Extensions (DNSSEC) were meant to solve many of the known security problems in the Domain Name System (DNS) protocol, but they have not really taken off and are rarely used in practice, not least because of the extension's complexity. Take an end user as an example: Because the browser itself does not know the IP address of a particular website, a recursive DNS request is usually made to the DNS resolver at the user's Internet service provider (ISP).
Assuming the information is not already stored locally or in a cache on the ISP side, the ISP takes care of responding to the DNS request and forwards it through various other DNS servers until the request arrives at the server that has a corresponding entry in its own DNS zone file and can therefore answer the request. The response is then returned to the requesting DNS server, where it is cached for a certain period of time for further requests, and is also sent to the requesting client.
Listing 1 shows a simplified example of how a DNS request ultimately reaches the DNS server responsible for a particular domain. Because the requests reach the DNS resolver in plain text, the resolver can log this information for later use. Whether the information is sold to interested customers or simply discarded is up to the operator of the DNS resolver. The DNS resolver from Google (8.8.8.8 and 8.8.4.4), for example, logs various information either temporarily or permanently [1].
Listing 1
DNS Request
```
# dig +trace www.redhat.com
.       7743    IN  NS  h.root-servers.net.
.       7743    IN  NS  i.root-servers.net.
.       7743    IN  NS  j.root-servers.net.
com.    172800  IN  NS  l.gtld-servers.net.
com.
```