What is DNS? How does DNS work? DNS hijacking and DNS pollution
What is DNS?
DNS (Domain Name System) is a distributed database that maps domain names to IP addresses (and back) across the Internet. It lets users reach hosts by name instead of having to remember IP addresses.
Obtaining the IP address that corresponds to a domain name is called domain name resolution (or host name resolution).
Why do we need DNS to resolve a domain name to an IP address?
First, computers communicating over a network only recognise IP addresses (most network communication is based on TCP/IP, and TCP/IP addresses hosts by IP). For example, to reach Google’s homepage I could type the IP address of its server directly into the browser’s address bar. But nobody can remember many IP addresses, so domain names were introduced: a domain name is a unique name made of labels separated by “.”. Now when we visit a website we type the domain name (www.google.com) into the address bar, DNS translates it into an IP, and the browser connects to that IP.
A domain name is read from right to left, with the rightmost part at the highest level. The highest level is the root domain, written as “.”; strictly speaking our domain www.codecoder.top is www.codecoder.top. (with a trailing dot), and the trailing dot is normally omitted when typing in a browser. Next comes the top-level domain (TLD, such as com or top), then the second-level domain, then the third-level domain, and so on. You can tell the level of a name by counting its dots (ignoring the root): codecoder.top is a second-level domain, and www.codecoder.top is a third-level name, a host called www inside the codecoder.top domain. (Informally, baidu.com is often called a “first-level” domain and www.codecoder.top a “second-level” one; that counting starts from the registrable domain rather than from the TLD.)
Each domain is served by a set of domain name (DNS) servers. A DNS server provides domain name resolution, and its records come in several types: A (address), NS (name server), MX (mail exchange), CNAME (alias) and others; the ones involved in resolution are introduced one by one below.
A common point of confusion: encyclopedias say there are only 13 root DNS servers in the world, but that is misleading. There are 13 root server identities (a.root-servers.net through m.root-servers.net), each with one IPv4 address, but each identity is served by many machines in many locations using anycast, so the number of physical root servers is far more than 13.
DNS servers are generally divided into three types: root DNS servers, top-level domain (TLD) DNS servers, and authoritative DNS servers.
Next, the relationship between these servers and the DNS resolution we are discussing. Before the resolution process itself, we need to understand what the local DNS is.
Local DNS generally means the DNS server filled into your computer’s IPv4 or IPv6 network settings, whether entered manually or assigned automatically (by DHCP).
If your computer connects directly to the carrier’s (ISP’s) network, the DNS is the ISP’s server by default.
If there is a wireless or wired router between your computer and your ISP, the router itself usually runs a built-in DNS forwarder: it forwards every DNS request it receives to an upstream DNS server, which in the end is the ISP’s DNS.
If you set the DNS manually, for example to a public resolver such as Google’s 8.8.8.8, then that server is your local DNS.
The local DNS is not an authoritative server. It is effectively a proxy (a recursive resolver): it iterates through the referrals returned by the root, TLD and authoritative servers on your behalf and returns the IP it finally finds to you.
How does DNS work?
- Suppose I type www.codecoder.top into the browser. The browser first checks its own DNS cache for a mapping for this name; if one exists, it returns the IP and resolution is complete.
- If not, the operating system checks whether the local hosts file maps this name; if so, it returns the IP and resolution is complete. As you may have guessed, wherever there is DNS there is a cache: the browser, the operating system and the local DNS server all cache results to some degree (the root servers themselves do not need to; they only serve delegation data).
- If still not found, my computer sends a query for www.codecoder.top to the local DNS server.
- The local DNS server first checks its own cache and, if it has the address, returns it directly. An answer served this way is marked as a non-authoritative answer.
- If the local DNS server has no cached entry, it reads the addresses of the 13 root DNS servers from its root hints file and sends the query to one of them.
- The root DNS server receives the query and sees that the name falls under the top-level domain top. It returns the NS records for the top zone (which servers are responsible for resolving names in it), together with glue A records giving those servers’ IPs.
- The local DNS server queries one of the top TLD servers using the returned IP. That server sees the query is for a name under codecoder.top, finds the NS records for that zone, and returns them along with the IPs of the codecoder.top name servers.
- The local DNS server queries one of the authoritative servers for codecoder.top. That server looks up www.codecoder.top in its zone, finds the A record (the forward record mapping a name to an IPv4 address) and returns the IP of www.codecoder.top.
- Finally the local DNS server has the IP the user wants for www.codecoder.top; it returns it to the client and caches it for next time.
Browser: @Browser cache, do you know the IP for www.codecoder.top?
Browser cache: Yes, it is xxxx.
Browser: OK, off I go!
Browser cache: No idea.
Browser: @System cache, do you know the IP for www.codecoder.top?
System cache: Let me check hosts... found it, it is xxxx.
Browser: OK, off I go~
System cache: Let me check hosts... no, not there.
Browser: OK, nothing more I can do. @client, your turn.
Client: I will ask @local DNS server: do you know the IP for www.codecoder.top?
Local DNS server: Let me check my cache... found it, it is xxxx.
Client: @browser, it is xxxx, go visit.
Browser: OK, off I go.
Local DNS server: Let me check my cache... no, not there.
Local DNS server: Let me think. First ask big brother @root DNS server: do you know the IP for www.codecoder.top?
Root DNS server: I know the IP of the top (TLD) DNS server; go ask it.
Local DNS server: OK, @top DNS server, do you know the IP for www.codecoder.top?
top DNS server: I know the IP of the codecoder.top DNS server; go ask it.
Local DNS server: Everyone keeps passing the buck. @codecoder.top DNS server, do you know the IP for www.codecoder.top?
codecoder.top DNS server: Found it here, the IP is xxxx.
Local DNS server: Finally! @client, the IP is xxxx. That was a lot of work, so I will remember it in my cache to save the trouble next time.
Client: @Browser, the IP is xxxx.
Browser: OK, off I go.
The normal DNS resolution process is explained above, and it mentioned iterative queries. The whole resolution involves both recursive queries and iterative queries.
My computer’s query to the local DNS server is normally a recursive query: the client sends one question and expects a final answer.
The queries from the local DNS server to the root, TLD and authoritative servers are iterative queries: each server answers with the best it has, which is usually a referral to the next server.
In short: if the machine that issues the next query changes (the client hands the whole job to the local DNS server), it is a recursive query; if the same machine keeps issuing the queries itself, one server after another, it is an iterative query.
The resolution process above also showed the NS and A records held by DNS servers; now let us look at what these records do, and at the CNAME record.
In fact, when www.codecoder.top is resolved as above, a CNAME record is involved in the real process.
When the codecoder.top server is asked for www.codecoder.top, it returns an alias (CNAME) such as www.a.xxx.com.
When a CNAME is encountered during normal resolution, the query for the original name ends there and the resolver starts a new resolution for the alias target, from the root DNS servers if it has nothing cached. The final answer returned to the client contains both the CNAME record for www.codecoder.top and the A record (the IP) of the alias target.
Everything above can be verified with the nslookup or dig commands (dig ships with Linux; on Windows it can be installed). dig +trace shows each referral step of the walk.
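As an added example (not code from the original article), here is a small Python model of the walk described in the steps above, including the CNAME chase just mentioned. The zones and server addresses are constructed: 192.0.2.0/24 addresses are from the documentation range, names such as a.nic.top. and ns1.codecoder.top. are hypothetical, and cdn.example.com. stands in for the alias target. Calling resolve() once is the client's single recursive query; the ask_server() calls inside it are the resolver's iterative queries, and the cache keeps both delegations and answers so the second lookup in the same zone skips the root.

```python
# Added example: a toy iterative resolver over an in-memory delegation tree.
# All server addresses and zone data below are constructed for illustration.

ROOT_IP = "192.0.2.100"          # stands in for the root hints file (constructed address)

# Which zone each (constructed) server address is authoritative for.
SERVERS = {
    ROOT_IP: ".",
    "192.0.2.1": "top.",
    "192.0.2.2": "codecoder.top.",
    "192.0.2.3": "com.",
    "192.0.2.4": "example.com.",
}

# Zone contents as (owner, type, rdata). NS records come with A "glue" records so
# the resolver can reach the next server, just as real root/TLD servers provide.
ZONES = {
    ".": [("top.", "NS", "a.nic.top."), ("a.nic.top.", "A", "192.0.2.1"),
          ("com.", "NS", "a.nic.com."), ("a.nic.com.", "A", "192.0.2.3")],
    "top.": [("codecoder.top.", "NS", "ns1.codecoder.top."),
             ("ns1.codecoder.top.", "A", "192.0.2.2")],
    "com.": [("example.com.", "NS", "ns1.example.com."),
             ("ns1.example.com.", "A", "192.0.2.4")],
    "codecoder.top.": [("www.codecoder.top.", "CNAME", "cdn.example.com."),
                       ("blog.codecoder.top.", "A", "192.0.2.10")],
    "example.com.": [("cdn.example.com.", "A", "192.0.2.20")],
}


def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def ask_server(server_ip, qname, qtype):
    """One non-recursive (iterative) query to a root/TLD/authoritative server.

    Returns ("answer", records), ("referral", (child_zone, ns_ip)) or ("nxdomain", None).
    """
    zone = SERVERS[server_ip]
    records = ZONES[zone]
    answer = [r for r in records if r[0] == qname and r[1] in (qtype, "CNAME")]
    if answer:
        return "answer", answer
    # Not ours to answer: hand out the most specific delegation that covers qname.
    delegations = [r for r in records
                   if r[1] == "NS" and r[0] != zone and in_zone(qname, r[0])]
    if delegations:
        child, _, ns_name = max(delegations, key=lambda r: len(r[0]))
        glue = next(r[2] for r in records if r[0] == ns_name and r[1] == "A")
        return "referral", (child, glue)
    return "nxdomain", None


def new_cache():
    return {"answers": {}, "delegations": {}}


def _closest_server(qname, delegations):
    """Start from the most specific cached delegation, falling back to the root."""
    known = [z for z in delegations if in_zone(qname, z)]
    return delegations[max(known, key=len)] if known else ROOT_IP


def resolve(qname, qtype="A", cache=None, trace=None):
    """What the local DNS (recursive resolver) does for one client query.

    The client sends a single recursive query and waits; this function issues the
    iterative queries itself, following referrals down from the root and chasing
    CNAMEs. Returns the answer chain (CNAME records followed by the final records)
    and appends (server, result) pairs to trace.
    """
    cache = new_cache() if cache is None else cache
    trace = [] if trace is None else trace
    chain = []
    for _ in range(16):                           # guard against CNAME/referral loops
        if (qname, qtype) in cache["answers"]:
            records = cache["answers"][(qname, qtype)]
            trace.append(("cache", qname))
        else:
            server = _closest_server(qname, cache["delegations"])
            records = None
            while records is None:
                kind, payload = ask_server(server, qname, qtype)
                trace.append((server, kind))
                if kind == "referral":
                    child, server = payload
                    cache["delegations"][child] = server   # remember the delegation
                elif kind == "answer":
                    records = payload
                else:
                    raise LookupError("NXDOMAIN for %s" % qname)
            cache["answers"][(qname, qtype)] = records
        chain.extend(records)
        aliases = [r for r in records if r[1] == "CNAME"]
        if aliases and qtype != "CNAME":
            qname = aliases[0][2]                 # restart resolution for the canonical name
        else:
            return chain
    raise LookupError("too many CNAME hops")


def final_ips(chain):
    return [r[2] for r in chain if r[1] == "A"]
```

dig +trace www.codecoder.top performs the same walk against the real root, TLD and authoritative servers and prints each referral, which is the quickest way to compare the description above with what actually happens on the wire.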
DNS hijacking
DNS decides which IP address our domain name resolves to, and it is an application-layer protocol that, for ordinary lookups, runs over UDP. The attack described next presupposes that the attacker controls the DNS server your machine uses.
In DNS hijacking the attacker takes over a DNS server, or by some means gains control of the resolution records for a domain, and changes what the domain resolves to. When a user visits the domain, traffic that should go to the original IP address is sent to the modified IP address instead. The result is that the correct site cannot be reached, or the name resolves to a different site that harvests user data or disrupts the normal service of the original site.
Because domain hijacking only works within the hijacked network, DNS servers outside that range still return the correct IP address; switching to a different DNS server, or connecting directly by IP, gets around it.
Normally the DNS server a user’s Internet connection uses is assigned by the carrier, so the carrier can interfere at that point. For example, if you visit www.codecoder.top and the normal DNS answer is 10.0.0.1, after hijacking the carrier instead returns the IP of one of its own intermediary servers. That server answers every request with a 302 (temporary redirect) to a prepared page carrying advertisements, which then loads the address the user originally asked for inside an iframe.
DNS pollution
DNS pollution, also known as DNS cache poisoning, differs from DNS hijacking in that it targets the DNS cache: the false record is injected at a node the query passes through before it reaches the target DNS server, whereas in hijacking the wrong content is stored in the DNS server itself.
In summary: DNS hijacking modifies the DNS server; DNS pollution modifies the DNS cache.
DNS hijacking is used against domestic servers, because the DNS records in those servers can be modified; the records of foreign servers cannot be changed, so DNS pollution is used to tamper with what the user receives instead. The process is this: when you query a foreign DNS server, the traffic passes through keyword inspection at the international gateway bandwidth. If the name is on the blacklist, a fake DNS record is sent back to you immediately. As noted above, DNS runs over UDP, and the client accepts only the first answer that arrives, so the fake record from the GFW is always received first; even if the real reply from the foreign DNS server arrives a moment later, your system ignores it. This type of attack is also known as a man-in-the-middle (more precisely, on-path injection) attack.
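An added example, not from the original article, of the race described above built from hand-assembled DNS packets (the UDP wire format from RFC 1035). Names and addresses are constructed: 192.0.2.10 is the “real” answer and 192.0.2.66 the injected one, both from the RFC 5737 documentation range. build_response() shows that an injector who has seen the query on the wire can produce a datagram indistinguishable from the resolver’s own, and accept_first() is the plain UDP client that takes whichever matching datagram arrives first.

```python
# Added example: DNS query/response on the wire, and why the first matching
# UDP datagram wins. All names and addresses are constructed for illustration.
import os
import struct


def encode_name(name):
    """'www.codecoder.top.' -> b'\\x03www\\x09codecoder\\x03top\\x00' (label-length form)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _labels(data, offset):
    labels = []
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            return labels + _labels(data, ptr)[0], offset + 2
        offset += 1
        if length == 0:
            return labels, offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def decode_name(data, offset):
    labels, end = _labels(data, offset)
    return ".".join(labels) + ".", end


def build_query(qname, txid=None):
    """A standard A query: 12-byte header, then the question section."""
    txid = struct.unpack("!H", os.urandom(2))[0] if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # flags: RD set
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def build_response(query, ip, ttl=300):
    """Answer a query with one A record.

    The honest resolver builds its reply this way, and so does an on-path injector:
    it copies the ID and question it just saw on the wire and supplies its own
    address as rdata. Nothing in the packet distinguishes the two.
    """
    txid = query[:2]
    question = query[12:]
    header = txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)   # QR, RD, RA; 1 answer
    answer = (b"\xc0\x0c"                                       # name = pointer to offset 12
              + struct.pack("!HHIH", 1, 1, ttl, 4)
              + bytes(int(o) for o in ip.split(".")))
    return header + question + answer


def parse_response(data):
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", data[:8])
    offset = 12
    qname, offset = decode_name(data, offset)
    qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
    offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "qname": qname, "qtype": qtype, "answers": answers}


def accept_first(query, datagrams):
    """A plain UDP client: take the first datagram whose ID and question match the
    outstanding query and ignore the rest. This is the behaviour the race exploits."""
    want = parse_response(query)                # same header layout, zero answers
    for data in datagrams:
        got = parse_response(data)
        if (got["id"], got["qname"], got["qtype"]) == (want["id"], want["qname"], want["qtype"]):
            return got
    return None


def poisoned_lookup(qname="www.codecoder.top."):
    """The forged datagram is injected nearer the client, so it arrives first and wins."""
    query = build_query(qname)
    genuine = build_response(query, "192.0.2.10")   # from the real (foreign) resolver
    forged = build_response(query, "192.0.2.66")    # from the on-path injector
    return accept_first(query, [forged, genuine])["answers"][0][3]
```

The check the client performs, matching transaction ID and question, is enough against a blind off-path guesser who has to hit a random 16-bit ID and source port, but not against an on-path observer who has already seen both in the query. Only validating the answer (DNSSEC) or moving the query to an encrypted transport (DNS over TLS or HTTPS) takes the forged datagram out of the race.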