DNS query Archives - ClouDNS Blog
https://www.cloudns.net/blog/tag/dns-query/
Articles about DNS Hosting and Cloud Technologies (feed updated Wed, 04 Sep 2024 11:27:51 +0000)

DNS cache explained
https://www.cloudns.net/blog/dns-cache-explained/
Published: Wed, 04 Sep 2024 05:12:00 +0000
The DNS is a great technology that allows us to use the internet the way we currently know it. It resolves domain names to their IP addresses, and we get our answers almost instantly. But the DNS resolution is a complicated process that could involve many DNS servers placed far away from each other, and it takes time. There is a way to reduce the DNS queries and save time – DNS cache.

What is DNS cache?

The DNS cache (also known as DNS resolver cache) is a temporary DNS storage on a device (your computer, smartphone, server, etc.) that contains DNS records of already visited domain names (A records for IPv4 addresses, AAAA records for IPv6, etc.). It keeps each record only for as long as its time-to-live (TTL) allows.

Each time you visit a website, its addresses will be saved inside this temporary database of records to facilitate a later revisit. 

Basically, the DNS cache is how your device is trying to save effort and time and skip a long DNS lookup by answering a DNS query with a DNS record that is already inside the temporary DNS cache. 

Why do we need a DNS cache?

We need the DNS cache to get a faster response to DNS queries for domain names that we have visited recently.

Both the device the user is using (their computer) and the multiple DNS resolvers that the request reaches have a DNS cache, and they can resolve the domain if it is still in their cache memory. If not, the DNS query will need to follow the long way: to a root server, which directs it to the TLD servers, which in turn direct it to the authoritative name server for the domain name, where the answer is finally obtained.


How does it work? 

Each time a user performs a DNS lookup, their device will first check the internal DNS cache that is part of the OS. The DNS cache holds a table of DNS records, their values, and the time they may be kept (TTL). The TTL value is set by the DNS administrator of each domain name, and it is the time limit for each DNS record. After the time runs out, a new query is required. 

If the DNS query can be resolved from the DNS cache, the user will get their answer, and they can visit the site they desired. 

If not, the query will travel to a recursive DNS server. There are many recursive DNS servers out there; your Internet Service Provider runs some, for example. They also have a cache that works in the same way. If the answer can be found there, the user will get it and resolve the domain. 

If not, the query will travel to an authoritative nameserver to get the answer. 

When it gets the answer, the DNS record or records will be saved in each of the DNS caches of the recursive DNS servers on the way and inside the user’s device, too, for the period that the TTL value indicates. 

Next time a new query starts for the same domain name, your device will repeat the process. If not so much time has passed, there is a high chance that the DNS record your device needs is still inside this temporary memory, and the query gets answered instantly. 
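To make the lookup chain concrete, here is an added simulation (not part of the original article) of a device cache in front of a recursive resolver in front of an authoritative server. It uses a constructed zone and a simulated clock in seconds, and shows two things the text describes: a cached answer carries only its remaining TTL, and flushing the device cache alone does not touch the resolver's copy.

```python
"""Simulated DNS cache chain: device (OS) cache -> recursive resolver cache
-> authoritative server. Time is a simulated clock in seconds, so the example
runs offline and deterministically. Constructed data, not a real zone."""
from typing import Dict, Optional, Tuple

Answer = Tuple[str, int]   # (IP address, seconds of TTL still valid)

# Constructed zone as the authoritative server publishes it: name -> (IP, TTL)
AUTHORITATIVE_ZONE: Dict[str, Answer] = {
    "www.example.net.": ("203.0.113.10", 300),
    "api.example.net.": ("203.0.113.20", 60),
}


class AuthoritativeServer:
    """Source of truth for the zone; counts how often it is really consulted."""

    def __init__(self, zone: Dict[str, Answer]):
        self.zone = zone
        self.queries = 0

    def query(self, qname: str, now: float) -> Optional[Answer]:
        self.queries += 1
        return self.zone.get(qname)


class CachingResolver:
    """A cache in front of an upstream (another CachingResolver or the authority).

    Entries store the absolute expiry time. A later hit returns only the
    *remaining* TTL, so every hop downstream sees a smaller TTL than the zone
    published; that is how real caches keep expiry consistent end to end."""

    def __init__(self, name: str, upstream):
        self.name = name
        self.upstream = upstream
        self.cache: Dict[str, Tuple[str, float]] = {}   # qname -> (ip, expires_at)
        self.hits = 0

    def query(self, qname: str, now: float) -> Optional[Answer]:
        entry = self.cache.get(qname)
        if entry is not None:
            ip, expires_at = entry
            remaining = int(expires_at - now)
            if remaining > 0:
                self.hits += 1
                return ip, remaining
            del self.cache[qname]          # TTL ran out: a new query is required

        answer = self.upstream.query(qname, now)
        if answer is None:
            return None                    # negative answers are not cached here
        ip, ttl = answer
        self.cache[qname] = (ip, now + ttl)
        return ip, ttl

    def flush(self) -> None:
        """What `ipconfig /flushdns` does for the OS cache: drop everything in
        *this* cache only; upstream caches are untouched."""
        self.cache.clear()


def build_chain():
    auth = AuthoritativeServer(AUTHORITATIVE_ZONE)
    recursive = CachingResolver("isp-recursive-resolver", auth)
    device = CachingResolver("device-os-cache", recursive)
    return device, recursive, auth


def walkthrough():
    """Four lookups for the same name, showing where each one is answered."""
    device, recursive, auth = build_chain()
    trace = []
    trace.append(device.query("www.example.net.", now=0))    # cold: goes all the way to the authority
    trace.append(device.query("www.example.net.", now=100))  # device hit, 200 s of TTL left
    device.flush()                                           # local flush only
    trace.append(device.query("www.example.net.", now=120))  # device miss, resolver hit: 180 s left
    trace.append(device.query("www.example.net.", now=400))  # everything expired: authority again
    return trace, auth.queries, recursive.hits, device.hits


if __name__ == "__main__":
    trace, auth_queries, resolver_hits, device_hits = walkthrough()
    for ip, ttl in trace:
        print(f"{ip} ttl={ttl}")
    print(f"authority asked {auth_queries} times, "
          f"resolver hits {resolver_hits}, device hits {device_hits}")
```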

Types of DNS Caches

DNS caches operate at multiple levels in the network to speed up domain name resolution and improve performance. The main types include:

Browser DNS Cache: Web browsers like Chrome and Firefox maintain their own DNS caches to speed up browsing. This allows them to bypass the operating system’s cache and external DNS servers for previously visited sites. Browser caches can be cleared manually or typically reset when the browser is closed.

Operating System DNS Cache: The OS on your device caches DNS records for faster access during subsequent queries. If a record is found in the OS cache, it’s used immediately; if not, the query is forwarded to an external DNS resolver. This cache is more persistent than the browser’s and can be flushed using command-line tools.

ISP DNS Cache: ISPs maintain their own DNS caches to serve multiple users. When you query a domain, the ISP’s resolver checks its cache first. If the record is available, it’s returned quickly; otherwise, the resolver retrieves it from an authoritative DNS server.

Recursive DNS Server Cache: Recursive DNS servers, whether from ISPs or third-party services, cache records they retrieve from authoritative DNS servers. These cached records are used to answer subsequent queries, reducing the need to access the authoritative servers frequently and speeding up resolution.

How do I check my DNS cache?

You can see the DNS cache of your device with a very easy command on Windows, a bit harder on macOS and Linux.

Windows

  1. Open the Run dialog by pressing Windows+R.
  2. Type cmd and press OK to open the Command Prompt.
  3. Inside it, type the command “ipconfig /displaydns”, and you will see all the DNS records of the sites you have visited. 

macOS

  1. You will need to open the Console application.
  2. There you will enter the following “any:mdnsresponder”.
  3. Now go and open the Terminal application and enter the following command “sudo killall -INFO mDNSResponder”. You will be asked for your password. After that, you will need to get back to the Console application, and you will see the list of DNS records. 

Linux

Historically, Linux had no OS-level DNS caching, so it is a bit harder to display. Depending on the software you are using, you might find a way to see it. For example, if you are using NSCD (Name Service Caching Daemon), you can see the ASCII strings from the binary cache file. It is located in /var/cache/nscd/hosts, so you can run “strings /var/cache/nscd/hosts” to display it.

If you are using Ubuntu 20.10, Fedora 33, or later, Systemd is responsible for the DNS. 

  1. First, open the Terminal and write this command: “sudo killall -USR1 systemd-resolved”.
  2. Then run another command to export the log messages to a plain .txt file: “sudo journalctl -u systemd-resolved > ~/dns-cache.txt”.
  3. Wait until the file is created and then open it with “less ~/dns-cache.txt”.

Flush (clear) DNS cache

You can flush the DNS cache, which deletes all of the DNS records from the local cache in your OS or web browser. The two can have separate caches, so you will need to delete both. 

Deleting the DNS cache might resolve problems with the domain resolution of a site or any other problem related to the outdated DNS records still in your cache. 

Cleaning it will also hide the list of the visited sites on a DNS level. That way, you can hide sites that you don’t want to show you visited. 

It can also be useful if you have any suspicion of DNS poisoning. In case somebody manipulated a DNS record in your DNS cache, deleting it will eliminate the potentially dangerous records. 

The negative part of clearing the DNS cache is that you will need to obtain the IP addresses of all websites that you need again. No site you recently visited will be saved after the DNS flush, and the first DNS resolution for each site will take longer. 

Let’s explore how to flush the DNS on different OSes and browsers. Remember, you will need to clean it both on OS level and browser level. 

Windows 

The process of flushing the DNS in Windows is straightforward. 

  1. Open the Command Prompt application and type the following command: “ipconfig /flushdns”.
  2. Upon successful clearance, you will see a confirmation message: “Windows IP Configuration. Successfully flushed the DNS Resolver Cache”. 

macOS 

  1. On macOS, to delete the DNS cache, you will need first to open the Terminal application. 
  2. Then you will need to enter this command “sudo killall -HUP mDNSResponder”, press Enter and write your password. You will also need to clear the DNS cache of the browser you are using. Check Safari if it is your choice. 

Linux 

Not all Linux distributions have DNS caching enabled by default. 

If you are on Ubuntu 20.04 LTS or later, you can open the Terminal application and execute the following command: “sudo systemd-resolve --flush-caches”. You will need sudo privileges to do it. 

NSCD. If you are using NSCD, you will need to run this command inside the Terminal: “sudo /etc/init.d/nscd restart”. You will need to confirm your password for the command. 

DNSMASQ. The command for dnsmasq DNS cache is “sudo /etc/init.d/dnsmasq restart”, followed by password typing. It will restart the service. 

BIND. In the case of BIND, you will need a few commands: “sudo /etc/init.d/named restart”, then “sudo rndc restart”, and finally “rndc exec”. With that, the DNS flushing is finished. 

Google Chrome 

You need to put the following in the address bar: “chrome://net-internals/#dns”. Then click on Clear host cache. If you are using Edge, change chrome to edge in the previous text, and if you are using Opera, change it to opera. 

Firefox 

  1. Find the icon with 3 lines located on the top right corner and open Firefox’s menu.
  2. Then search for Options (preferences). 
  3. Inside it, you will see Privacy & Security. Click on it.
  4. Go to History and click on Clear History by selecting Everything.
  5. Finally, Clear Now. 

Safari 

  1. First, Open the Safari browser.
  2. There navigate to Preferences > Advanced. 
  3. Click on “Show develop menu in menu bar”. 
  4. Then go to the menu bar, Develop > Empty Caches. The shortcut is ⌥⌘E. You will need to restart the browser in the end. 

What are the reasons to flush DNS? 

There are various circumstances where flushing your DNS cache might be necessary, primarily related to security issues, technical glitches, or safeguarding personal data. Here are some of the main reasons.

1. You want to protect against DNS spoofing

DNS spoofing (DNS cache poisoning), is a type of attack where cybercriminals manipulate the information in your DNS cache to reroute you to incorrect websites. In some instances, they may lead you to a fake site that looks like the site you intended to visit, hoping you’d unknowingly provide sensitive data like your online banking credentials.

2. You receive a 404 error not found

Suppose you’ve stored the DNS data of a website, which later changes its domain or host. If so, it’s possible your locally stored DNS data may not get refreshed instantly, causing you to receive an HTTP 404 Not Found error or see outdated versions of the site. While your DNS cache will ultimately be updated, you can expedite the process by clearing your DNS cache at your convenience. 


3. You see outdated information

Changes to DNS records might take 24 to 48 hours to spread across all global servers. This process is known as DNS propagation. Due to this, cached information may become old and lead to problems with websites or apps. Websites may not display correctly or may show old images and text. Cleaning your browser’s cache can help, but it’s not always a complete fix. 

4. You wish to maintain the privacy of your browsing activity

Most people associate internet user tracking with cookies. However, your DNS cache, which functions like a digital directory, storing data of your frequently visited websites, can also expose your online behavior. Regularly flushing your DNS cache is a proactive measure to prevent your browsing history from being accessible to data gatherers or potential online threats.

DNS spoofing (DNS cache poisoning)

As we explained, DNS spoofing is a malicious attack that aims to edit or replace DNS records inside the DNS cache of the targeted device (server or personal computer). The new or modified DNS records have changed data like the IP address, and they will resolve the domains to the new IP addresses. That way, the attackers can direct the traffic to a fake site, where they can steal the users’ personal data. Everything happens in the background, so if the fake site where the user is redirected really looks like the original, it is easy to cheat the user and get the result. 

DNS spoofing can start with a spam message carrying executable code that performs the injection. 

Another way is the man-in-the-middle attack, where the bad actor is in the middle between the user and a DNS resolver. It passes modified information, pretending to be sending normal packets of data. The user gets DNS records from the attacker. 

A user can reduce the risk of such an attack by using a VPN for encrypted communication, not clicking on suspicious messages, and not opening infected attachments.

Conclusion

The DNS cache is a useful method of saving resources, both on your local system and on multiple servers. It is a fast method of DNS resolution that saves time for everybody. Yes, it is a target for DNS poisoning attacks, but there are various methods to protect the DNS cache. 

DNS Tunneling attack – What is it, and how to protect ourselves?
https://www.cloudns.net/blog/dns-tunneling-attack-what-is-it-and-how-to-protect-ourselves/
Published: Wed, 07 Aug 2024 08:58:04 +0000
A DNS Tunneling attack turns the Domain Name System (DNS), a highly trusted and widely used system on the Internet, into a weapon for cybercriminals. This type of attack takes advantage of the protocol and manages to sneak malicious traffic through the defenses of the organization (the victim).

Cybercriminals are using malicious domain names and DNS servers to bypass the protection and complete data exfiltration.

Before we jump into explaining what the DNS tunneling attack is and how it works, let’s talk a little bit more about what DNS is.

Domain Name System – explained

The Domain Name System, or just for short DNS, is a global naming database. Thanks to it, we are able to use the Internet, as we do in the present day. Its purpose is to translate human-readable domain names, such as example.net, into their corresponding machine-friendly IP addresses, such as 123.45.67.89. That way, regular users are not required to remember long and difficult numbers. Instead, people are easily memorizing domain names, and they can use them to reach and explore their favorite news, sports, or another website.

A lot of services rely on the large number of DNS translation queries that occur constantly. For that reason, DNS traffic is widely used and trusted. Because DNS was not invented to transfer data packets but only for name resolution, it was not viewed as a channel for malicious communications and data exfiltration. Yet, DNS is not just a translation instrument for domain names. DNS queries can also carry tiny portions of data between devices, systems, and servers. The bad news is that this makes DNS a potential vector for attacks.

Unfortunately, the majority of organizations do not analyze the DNS packets for malicious activity frequently. Instead, they mainly concentrate on analyzing web or email traffic where they consider a possible attack could appear. The truth is that each endpoint should be under detailed monitoring for preventing DNS tunneling attacks.

DNS Tunneling – what do you have to know?

DNS Tunneling attack is a very popular cyber threat because it is very difficult to detect. It is used to route the DNS requests to a server controlled by the attacker and provides them with a covert command and control channel and data exfiltration path.

Typically, DNS tunneling involves data payloads added to the queries sent to the target DNS server, and those payloads can be used to gain control of a remote server and its applications. For the attack to work, the compromised system needs a path to an internal DNS server that itself has external network access. The cybercriminal controls a domain name and a server that operates as its authoritative name server, which completes the server-side tunneling and runs the data payload programs.


DNS Tunneling History

The history of DNS tunneling is closely tied to the evolution of cybersecurity threats. It appeared as a technique for bypassing network restrictions and avoiding detection. At first, it was used for legitimate purposes like bypassing restrictive networks or anonymous online activity. However, DNS tunneling slowly became popular among malicious actors as a secret communication channel for data exfiltration and command-and-control purposes. The first examples of this attack appeared in the early 2000s and were often associated with malware propagation. Over the years, the attackers became more sophisticated, and their techniques have evolved. That forced cybersecurity specialists to develop advanced monitoring and prevention mechanisms to protect against it.

How does it work?

A DNS tunneling attack takes advantage of the DNS protocol and tunnels malware or data through a client-server model. Let’s explain how this attack actually works.

It all starts when a user downloads malware or the cybercriminal manages to exploit a vulnerability of the compromised device to transfer a malicious payload. In most cases, the cybercriminal wants to keep a connection with the compromised device, meaning to have the opportunity to run commands on the target device or exfiltrate data. Therefore, the attacker can set a command-and-control (C2) connection. Such traffic should be able to pass via different network perimeter security measures, plus it should avoid detection until it crosses the target network. 

For that reason, DNS is a suitable option for setting up the tunnel. That is a common term in cybersecurity which stands for a protocol connection that carries a payload that includes data (commands) and passes through perimeter security measures. That way, the DNS tunneling attack manages to hide information within DNS queries and send them to a server controlled by the cybercriminal. The DNS traffic passes freely through perimeter security measures, such as firewalls. For the purpose of setting the DNS tunnel, the cybercriminal registers a domain name and configures an authoritative name server under their control. 

Then the malware or payload on the compromised device initiates a DNS query for a subdomain that carries an encoded communication. The recursive DNS server (DNS resolver) receives the DNS query and routes it to the attacker’s server. The server responds with a malicious DNS reply carrying data (a command) back to the compromised device. That way, the attack passes without triggering any security measures.

DNS Tunneling attack

Let’s break the DNS Tunneling attack into the following steps:

  1. The cybercriminal registers a domain and points it to a server under their control, on which tunneling malware is installed. 
  2. The cybercriminal infects a device with malware, penetrating the victim’s firewall. DNS requests don’t have restrictions for passing in and out of the firewall.
  3. The Recursive DNS server (DNS resolver) requests the IP address through root and top-level domain servers.
  4. Then the DNS resolver routes the DNS query back to the authoritative DNS server, which is controlled by the attacker and contains the tunneling software. 
  5. The connection between the cybercriminal and the target is created without any notice.

Why do Attackers Use DNS Tunneling?

Attackers use DNS tunneling to exploit the widespread and often under-monitored nature of DNS traffic. This attack allows them to secretly transmit data between a compromised system and a command-and-control server. Since DNS queries and responses are generally trusted and rarely scrutinized, this technique can easily bypass firewalls and other security measures. DNS tunneling allows attackers to maintain persistent access, execute remote commands, and exfiltrate sensitive data without detection. The global reach and minimal inspection of DNS make it an ideal medium for hidden communication and data transfer.

Detecting DNS Tunneling

There are several techniques that can help you detect a DNS tunneling attack. However, we can distinguish them into two main categories – payload analysis and traffic analysis.

Payload analysis – The DNS payload for one or more requests and responses is going to be examined for tunnel signs.

  • Examining the size of the request and answer. Typically, DNS tunneling utilities try to place as much data into the requests and answers as possible. Therefore, tunneling requests are more likely to have long labels (up to the 63-symbol maximum) and, in general, long names (up to the 255-symbol maximum).
  • Disorder of hostnames. Authentic DNS names commonly contain dictionary words and have some kind of meaning. Encoded names usually look random, and they often use a larger character set.
  • Statistical examination. You can detect tunneling by checking the specific character set of the DNS names. Authentic DNS names commonly contain few numbers, while encoded names tend to have a lot of them. Examining the percentage of numerical characters in domain names, and the percentage of the name taken up by the Longest Meaningful Substring (LMS), could also help you.
  • Uncommon DNS Record Types. You can check for DNS records that are not usually implemented by a regular client. For example, you can examine the TXT records.
  • Violating a policy. In case a policy directs every DNS lookup to pass through an internal DNS server, violations of that policy may be employed as a detection technique.
  • Special Signatures. You can use a special signature to examine precise attributes in a DNS header. Then scan for particular content in the payload.

Traffic analysis – The traffic is under examination over time.

  • Volume of DNS traffic per IP address. A simple and easy to accomplish technique is to check the specific amount of DNS traffic that is coming from a particular client IP address. 
  • Volume of DNS traffic per domain. Another method that is very easy and basic is by checking for massive amounts of traffic towards a precise domain name. DNS tunnel utilities are typically established to tunnel the data by involving a precise domain name. Therefore, all of the tunneled traffic is going to be that exact domain name.
  • The number of hostnames per domain. DNS tunneling utilities ask for an individual hostname on every request, which drives the number of distinct hostnames unusually high compared to a normal, legitimate domain name.
  • Geographic location of DNS server. You can check for a massive amount of DNS traffic that is directed to geographical areas where you don’t offer your services or products.
  • The history of a domain. You can examine when an A record (AAAA record) or NS record was created and added to a domain name. That technique is very useful for detecting domain names that are utilized for malicious criminal actions.

Source: GIAC Certifications
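The payload and traffic indicators above can be turned into a small detector. The following is an added example (not ClouDNS code and not from the GIAC source) that runs those checks over a constructed query log: per-domain label length, character entropy, distinct hostnames and TXT share, plus per-client query volume. The thresholds are assumptions chosen so the tiny sample trips them; in production they are tuned against a baseline of your own DNS traffic.

```python
"""DNS tunneling indicators applied to a constructed query log.
Per domain: long labels, high-entropy subdomains, many distinct hostnames,
TXT-heavy queries. Per client: query volume. Not ClouDNS code."""
import math
from collections import Counter, defaultdict

# Constructed sample log (not a real capture): "<time> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.net
10:00:02 10.0.0.5 AAAA mail.example.net
10:00:03 10.0.0.7 A cdn.example.org
10:00:04 10.0.0.9 TXT 3a7f9c2d1e4b8a6f0c5d9e3b1a7f2c4d.7e2a9c1b3d5f8e0a.exfil.example
10:00:05 10.0.0.9 TXT 9b1d4e7f2a3c6d8e0f5a7b9c1d3e5f7a.4c8e1a3b5d7f9e2c.exfil.example
10:00:06 10.0.0.9 TXT 5e8a2c4f6b9d1e3a7c0f2b4d6e8a1c3f.1d3f5b7e9a2c4e6a.exfil.example
10:00:07 10.0.0.9 TXT 2c6e9a1f4b7d0e3a5c8f1b4d7e0a3c6f.8a1c3e5b7d9f2a4c.exfil.example
10:00:08 10.0.0.5 A shop.example.net
"""

# Demo thresholds: assumptions for this example, deliberately low for the sample
ENTROPY_MIN = 3.0        # mean Shannon entropy (bits/char) of the subdomain part
LABEL_MAX = 30           # longest single label; the protocol allows up to 63
UNIQUE_NAMES_MIN = 4     # distinct hostnames seen under one domain
TXT_RATIO_MIN = 0.5      # share of TXT queries, rare for an ordinary client
CLIENT_QUERIES_MIN = 4   # queries from one client IP in the window


def shannon_entropy(text: str) -> float:
    """Bits per character: hex or base32 blobs score high, dictionary words low."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain_labels, registered_domain). The registered domain is
    approximated as the last two labels, which is enough for the sample."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def parse_log(text: str):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        rows.append((ts, client, qtype.upper(), qname))
    return rows


def domain_features(rows):
    """Aggregate the payload and traffic indicators per registered domain."""
    feats = defaultdict(lambda: {"queries": 0, "txt": 0, "names": set(),
                                 "entropies": [], "max_label": 0})
    for _ts, _client, qtype, qname in rows:
        sub_labels, domain = split_name(qname)
        f = feats[domain]
        f["queries"] += 1
        if qtype == "TXT":
            f["txt"] += 1
        f["names"].add(qname.lower())
        f["entropies"].append(shannon_entropy("".join(sub_labels)))
        longest = max((len(lab) for lab in sub_labels), default=0)
        f["max_label"] = max(f["max_label"], longest)
    return feats


def score_domain(f) -> list:
    """Return the names of the indicators a domain trips."""
    hits = []
    if sum(f["entropies"]) / len(f["entropies"]) > ENTROPY_MIN:
        hits.append("high_entropy")
    if f["max_label"] > LABEL_MAX:
        hits.append("long_label")
    if len(f["names"]) >= UNIQUE_NAMES_MIN:
        hits.append("many_hostnames")
    if f["txt"] / f["queries"] >= TXT_RATIO_MIN:
        hits.append("txt_heavy")
    return hits


def detect(text: str):
    """Return (suspicious_domains, noisy_clients). A domain is reported only
    when it trips at least two independent indicators, so a single long CDN
    label or one TXT lookup (for example an SPF check) does not alert alone."""
    rows = parse_log(text)
    suspicious = {}
    for domain, f in domain_features(rows).items():
        hits = score_domain(f)
        if len(hits) >= 2:
            suspicious[domain] = hits
    per_client = Counter(client for _ts, client, _qt, _qn in rows)
    noisy = {ip: n for ip, n in per_client.items() if n >= CLIENT_QUERIES_MIN}
    return suspicious, noisy


if __name__ == "__main__":
    flagged, clients = detect(SAMPLE_LOG)
    for domain, reasons in flagged.items():
        print(f"{domain}: {', '.join(reasons)}")
    print("clients over the volume threshold:", clients)
```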

Protection against DNS Tunneling attacks

DNS is a crucial service, so it is going to be a problem if you are considering blocking it. Thus, protection against a DNS Tunneling attack involves several actions that are going to help you prevent such an attack.

  • You should keep a close watch on questionable IP addresses and domain names that come from unfamiliar sources.
  • You can set all of the internal clients to direct their DNS requests (DNS queries) to an internal DNS server. That way, you can filter potential malicious domains. 
  • It is very important to stay watchful for any suspicious domain names, and it is best if you always monitor the DNS traffic. That will help reduce the chance for a DNS tunneling attack to appear.
  • Establish a DNS firewall for recognizing and stopping any hacker intrusion.
  • A real-time DNS solution that is able to detect uncommon DNS queries and unusual traffic patterns on the DNS server is another excellent option.

Using DNS Monitoring against DNS tunneling

DNS Monitoring can be crucial in mitigating the risks of DNS tunneling by providing real-time visibility into DNS traffic patterns and behavior. By constantly analyzing DNS queries and responses, DNS monitoring can detect anomalies and suspicious activities that indicate tunneling attempts. This proactive monitoring allows organizations to quickly identify and respond to potential threats, such as secret data exfiltration and command and control communications before they escalate. Additionally, the ClouDNS Monitoring service offers different alerting mechanisms that notify administrators of any unusual DNS activities. That way, they can take timely action to investigate and block malicious traffic. Thanks to the extensive monitoring capabilities, organizations can strengthen their DNS infrastructure and improve their ability to defend against different threats, including DNS tunneling.

Risks and Impact of DNS Tunneling

DNS tunneling attack poses several significant risks to organizations:

  • Data Breaches: Attackers can exfiltrate sensitive information, including personal data, intellectual property, and financial records.
  • Unauthorized Access: Allows attackers to maintain hidden, persistent access to compromised systems.
  • Operational Disruption: Enables the execution of remote commands, potentially leading to system malfunctions or downtime.
  • Financial Loss: Costs associated with data loss, various fines, and restoration efforts can be significant.
  • Reputational Damage: Public exposure of breaches can harm an organization’s reputation, leading to loss of customer trust and business.
  • Detection Challenges: The nature of DNS tunneling makes it difficult to detect and mitigate, increasing the potential for long-term undetected exploitation.

Examples and Cases

Over the years, several famous examples of DNS tunneling have highlighted its power as a cyber threat:

  • Sea Turtle Campaign (2019)

The Sea Turtle campaign in 2019 highlighted the advanced tactics of state-sponsored cyber espionage. This campaign targeted domain registrars, telecommunications firms, and government entities to compromise their DNS records. Attackers manipulated DNS records to redirect legitimate traffic to malicious servers under their control. DNS tunneling played a key role in allowing the attackers to maintain persistent access, exfiltrate sensitive information, and establish C2 channels while remaining undetected.

  • SUNBURST Malware (2020)

The SUNBURST malware, a significant component of the SolarWinds supply chain attack in late 2020, demonstrated the sophistication of modern cyber threats. SUNBURST used DNS tunneling as one of its communication methods to establish contact with its C2 infrastructure. By embedding communication within DNS queries and responses, the malware achieved secret data exchange with remote servers. That way, attackers were able to exfiltrate stolen data and receive further instructions while avoiding detection by security measures focused on more traditional communication protocols.

  • UDPoS Malware (2015)

The UDPoS malware, discovered in 2015, demonstrated a variation of DNS tunneling where attackers used User Datagram Protocol (UDP) packets to exfiltrate stolen credit card data. The malware encoded the stolen information into DNS queries, which were then transmitted over UDP to avoid detection by traditional network security controls. This technique allowed the attackers to bypass network monitoring tools that usually focus on Transmission Control Protocol (TCP) traffic.


Conclusion

DNS tunneling is a severe cyber threat. It could lead to massive negative consequences. This is because the cybercriminal uses the tunnel for malicious ends, like exfiltrating information. In addition, there is no direct association between the cybercriminal and the target. That makes it hard to detect the attacker’s attempt.

Why does DNS use UDP?
https://www.cloudns.net/blog/dns-use-udp/
Published: Tue, 28 May 2024 08:52:37 +0000
If you have ever wondered why DNS primarily relies on UDP (User Datagram Protocol) instead of other transport protocols like TCP (Transmission Control Protocol), we will explain everything in detail in today’s blog post. So, without any further ado, let’s begin!

Understanding DNS

The Domain Name System, or shortly DNS, is the internet’s address book, responsible for translating human-friendly domain names (like www.domain.net) into the numerical IP addresses (like 123.45.6.7) that computers use to communicate with each other. It acts as a distributed database, allowing quick and efficient DNS resolution of domain names to IP addresses (IPv4 and IPv6).

Additionally, DNS is a part of the application layer. As you probably know, all application layer protocols require the use of a transport layer protocol like UDP (User Datagram Protocol) and TCP (Transmission Control Protocol). In the case of DNS, it prefers to utilize the not-so-reliable UDP protocol in most cases. Yet, occasionally it uses the more reliable TCP protocol. 

Let’s dive deep and explain more about these protocols and when and why the Domain Name System puts them in use.

DNS using UDP and TCP

Both UDP and TCP are protocols used to send packets of data over the internet. They do that on top of the IP protocol, which means that they direct the packets to IP addresses. They are treated very similarly on their way from the users’ computers, through the routers, all the way to the end destination.

DNS and TCP

TCP, also known as Transmission Control Protocol, is a widely used transport layer protocol. When you request a website from your browser, it will most probably use the TCP protocol to send the data packets to the server. For every request you send (every action you take on the web page, like a click or a sign-in) you will receive TCP packets back.
TCP is oriented toward reliability. All the data sent over TCP is tracked, and no data gets corrupted or lost on the way. The protocol numbers the packets and does error checking by requiring the receiver to confirm that it got the data.

Here are some cases in which DNS utilizes TCP (Transmission Control Protocol):

  • Zone Transfer: When a DNS server needs to transfer a complete DNS zone to another server, it typically uses TCP. This ensures the reliable delivery of larger amounts of data.
  • Large DNS Responses: TCP is used when DNS responses exceed the maximum size supported by UDP, which is 65,535 bytes. This can happen with DNSSEC or large resource records.
  • DNS over TLS (DoT) and DNS over HTTPS (DoH): For enhanced security, DNS can be encrypted using TCP-based protocols like DoT and DoH, protecting against eavesdropping and tampering.
  • Firewall and Network Restrictions: When firewalls or network policies block UDP, DNS queries and responses are transmitted over TCP.
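The UDP-first, TCP-when-needed behaviour described above, as an added example in Python (not code from the ClouDNS post): the client sends the query over UDP, checks the TC (truncated) flag in the reply header and only then repeats the same query over TCP with the 2-byte length prefix that DNS over TCP requires. Without EDNS0, a server must truncate a UDP answer that does not fit in 512 bytes and set TC, which is what triggers the retry. The sample replies are constructed so the checks run offline; `resolve()` is the only part that touches the network.

```python
"""UDP-first DNS lookup that retries over TCP when the reply is truncated.
Added example, not code from the ClouDNS post. Sample replies are built
inline so the checks run offline; resolve() alone touches the network."""
import socket
import struct

TC_FLAG = 0x0200  # header flag bit: answer was truncated, retry over TCP


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal query: 12-byte header plus one IN-class question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header into its fields."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "tc": bool(flags & TC_FLAG),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(udp_reply: bytes, txid: int) -> bool:
    """True when the server set TC=1. A reply whose transaction ID does not
    match the query is rejected rather than trusted (basic anti-spoofing)."""
    hdr = parse_header(udp_reply)
    if hdr["id"] != txid:
        raise ValueError("transaction ID mismatch: unsolicited reply dropped")
    return hdr["tc"]


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its 2-byte big-endian length."""
    return struct.pack(">H", len(msg)) + msg


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """TCP is a stream: keep reading until exactly n bytes have arrived."""
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("TCP stream closed mid-message")
        data += chunk
    return data


def resolve(server: str, qname: str, qtype: int = 1, timeout: float = 2.0) -> bytes:
    """Send over UDP first; if the answer is truncated, repeat it over TCP."""
    txid = 0x1234
    query = build_query(qname, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        reply = udp.recv(4096)  # without EDNS0 a server truncates at 512 bytes
    if not needs_tcp_retry(reply, txid):
        return reply
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(tcp_frame(query))
        (length,) = struct.unpack(">H", _recv_exact(tcp, 2))
        return _recv_exact(tcp, length)


if __name__ == "__main__":
    q = build_query("www.cloudns.net")
    # Constructed replies with matching ID: flags 0x8180 (QR, RD, RA) and
    # 0x8380 (the same plus TC), each followed by the echoed question.
    plain = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + q[12:]
    truncated = b"\x12\x34\x83\x80\x00\x01\x00\x00\x00\x00\x00\x00" + q[12:]
    print("needs TCP retry? plain:", needs_tcp_retry(plain, 0x1234),
          "truncated:", needs_tcp_retry(truncated, 0x1234))
```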

DNS and UDP

The UDP protocol is all about speed. All that checking of packets slows down the communication and creates latency. With UDP, the receivers don’t need to confirm the packets; the sender just keeps sending without waiting for feedback. In this kind of communication the receivers may lose some packets, but that doesn’t stop the exchange. This makes UDP well suited to live streaming or online games: even if the connection stalls for a moment and the receivers’ screens freeze, the next packet arrives shortly after and everything continues.

DNS primarily uses UDP (User Datagram Protocol) for most of its operations. UDP is chosen for its speed, efficiency, and suitability for small, time-sensitive DNS queries and responses. UDP is used in the following cases:

  • Regular DNS queries: When you enter a web address, UDP is used to send the query from your device to a DNS server.
  • DNS responses: The DNS server sends the response, including the IP address, back to your device using UDP packets.
  • Caching: DNS servers often cache previously resolved queries, allowing for faster responses using UDP without querying authoritative servers again.
  • Small data transfers: DNS queries and responses are typically small, fitting well within UDP’s maximum packet size of 65,535 bytes.
  • Stateless communication: DNS operates on a stateless model, and UDP’s stateless nature enables the efficient processing of multiple requests together.

Why does DNS prefer UDP?

As you just read, UDP is unreliable but a lot faster than TCP, but don’t panic just yet. DNS requests are very small, so they fit into UDP datagrams without any problem.
UDP doesn’t use a time-consuming three-way handshake to start the data transfer as TCP does. It just transmits the data and saves plenty of time.
UDP can support many more clients at the same time thanks to the lack of connection state. TCP has to keep receive and send buffers, sequence and acknowledgement numbers and congestion-control parameters for every connection.
Using UDP is not as risky as it may sound, because extra protection can be added at the application layer. An application can make UDP reliable itself by using timeouts and retransmission.

In the DNS world, we are trying to cut the resolution time as much as possible. A second is an eternity; we want to bring the time down to just a few milliseconds. TCP is more secure, but it just can’t keep up with UDP, and protection can be added in other ways. So, in the end, you get both: speed and protection.

Advantages and Disadvantages of Using UDP for DNS

UDP is widely used for DNS operations. Below are some of the advantages and disadvantages of using UDP for DNS.

Advantages:

  • Speed and Efficiency: UDP is faster than TCP because it is connectionless, which means it does not establish a connection before sending data. This makes DNS queries quicker and more efficient, crucial for the large volume of DNS requests.
  • Lower Overhead: UDP has less overhead compared to TCP, as it does not perform error-checking and connection management. This results in faster data transmission and lower latency.
  • Simplicity: UDP has a simple protocol structure that allows easier and faster processing of DNS queries and responses.

Disadvantages:

  • Lack of Reliability: UDP does not guarantee the delivery of packets, which can lead to packet loss. This lack of reliability can affect the accuracy of responses.
  • No Error Correction: Since UDP does not include mechanisms for error correction, any lost or corrupted packets are not retransmitted. Additional mechanisms to handle these issues may be needed.
  • Security Concerns: Because it is stateless, it is more exposed to spoofing and other types of attacks, requiring additional security measures.

Despite these challenges, the efficiency of UDP makes it a preferred choice in DNS operations. Its ability to quickly resolve numerous requests with minimal overhead outweighs the potential drawbacks, making it suitable for the high demands of DNS queries.

Conclusion

In conclusion, DNS uses UDP due to its speed, efficiency, and suitability for most DNS operations. UDP allows fast DNS resolution of domain names, quick delivery of DNS queries and responses, and efficient processing of small, time-sensitive data transfers. While TCP is employed in specific cases such as zone transfers, larger responses, and encrypted communication, UDP remains the preferred choice for its lightweight nature and low resource usage. The utilization of UDP in DNS ensures the smooth functioning of the internet, connecting users to their desired websites and services with speed and efficiency.

TTL and how to check TTL https://www.cloudns.net/blog/ttl/ Tue, 16 Jan 2024 06:17:00 +0000

TTL – Time to Live – is a value that signifies how long data should be kept before being discarded. It is commonly used in computing. In the Domain Name System, it is a value in seconds (86 400 for a day, 43 200 for 12 hours, and so on) that shows how long a record should be kept locally before a new query is needed to refresh it. The TTL is set separately for the different records. It is set on the authoritative DNS server, and the recursive DNS server will keep the information for that predetermined time. This process of temporarily holding a record is called caching, and the temporarily stored data is the DNS cache.

How to check the TTL using Windows OS?

You will need to open the Command Prompt as an administrator. From there, use the nslookup tool. Type this on the command line: “nslookup -type=soa www.cloudns.net”. You will get an answer from the authoritative server with the TTL.

You can change the record type and look it up for A, AAAA, MX or another type.

How to check the TTL using Linux OS and Mac OS?

You will need to use the dig command.

“dig a cloudns.net” will give you a long answer. If you want just the TTL, you can try: dig +nocmd +noall +answer +ttlid a www.cloudns.net

You can check the different DNS records by changing the record type before the domain name. For example, for AAAA records it will be: dig +nocmd +noall +answer +ttlid aaaa www.cloudns.net and for MX it will be: dig +nocmd +noall +answer +ttlid mx www.cloudns.net

The previous answers are provided by the recursive servers. If you want to ask an authoritative name server directly, add “+trace” after “dig”, so the command looks like this: dig +trace +nocmd +noall +answer +ttlid aaaa www.cloudns.net

TTL for different DNS records

  • If you want to set up a different TTL for every single record, you can use our Anycast DNS network!

Easy way to check the SOA TTL value

Now, let’s see how to check the SOA TTL value, which is important for understanding the duration DNS records are cached and how quickly changes are propagated across the internet. For this purpose, we will use the ClouDNS Free DNS tool, a straightforward and effective solution for DNS management and analysis.

1. Access ClouDNS Free DNS Tool
Navigate to the ClouDNS website and locate their Free DNS Tool. This tool is specifically designed for conducting DNS audits and other DNS-related inquiries.

2. Enter the domain name
In the Free DNS Tool interface, you’ll find a field to input the domain name you wish to investigate. This is where you type in the full domain (for example, “cloudns.net”). It’s crucial to ensure the domain name is entered correctly to get accurate results.

3. Choose DNS audit and Select DNS resolver
Once the domain is entered, you need to specify the type of inquiry you’re making. Select “DNS audit” from the available options. Then, choose a DNS resolver. Typically, you might have options like Cloudflare, Google, etc. The choice of DNS resolver can influence the results, as different resolvers might have different cached data.

4. Review the results
After initiating the audit, the tool will process your request and display the results. In these results, look for the SOA (Start of Authority) record section. This part of the report will include information about the primary nameserver, the responsible party for the domain, and various timers related to the domain’s DNS records.

Most importantly, locate the “Default TTL” value within the SOA record section. This number, typically shown in seconds, is the SOA TTL value for the domain. It indicates the duration for which DNS records are cached by resolvers.

Shorter or longer TTL?

Many clients prefer to set the TTL to a long period like 2 days (172 800 seconds). This reduces the load on the DNS servers, because queries need to be made less frequently. This can be good if you have a very limited DNS plan, but your clients won’t be happy about it. Make your clients’ experience better with a lower TTL and frequently updated records. A shorter TTL is useful if you have a very dynamic environment.

A and AAAA records. You can set it as low as 60 seconds if you really need your clients to get the latest update, but we recommend keeping it around 1 to 2 hours to reduce the load on the servers. You can set it as long as 12 hours or a whole day.

SOA record. Unlike other DNS records, SOA controls the speed of DNS updates. A longer TTL (e.g., 48 hours) delays updates but reduces server load. A shorter TTL (e.g., 2 hours) speeds up updates but increases server queries. Choose based on your update frequency and server capacity.

CNAME record. If you need to deliver a lot of content to different locations, you can lower the TTL, but in normal conditions you can leave it at 12 hours.

MX record. Systems with a static IP address (one that doesn’t change) can use 1800 seconds or more, but those with a dynamic IP address must keep the TTL low.

TXT record. You don’t change this one a lot, so you can set it to 12 hours.

You can experiment with the TTL to see which value suits you best. Remember, the lower it is, the more often the recursive servers will refresh the information, which is good for your clients. But this means a bigger load on your servers and more queries. Look at the results and decide whether you want to move to a lower or a higher DNS plan.

What is a Recursive DNS server? https://www.cloudns.net/blog/recursive-dns-server/ Tue, 05 Dec 2023 11:36:26 +0000

When you browse the internet, you don’t type IP addresses to reach the pages you want; you just type the domain. “Backstage”, every request you make passes through a DNS query. It first goes to your internet provider’s Recursive DNS server. If the needed information is not in its cache, it will continue to other recursive servers until it reaches an Authoritative DNS server that can give the IP address of the requested domain. Basically, it is a name server that acts as a middle-man between you, the user, and the Authoritative DNS server.

Recursive DNS server explained

The Recursive DNS server, also commonly called a DNS resolver, has the important responsibility of seeking the requested data and responding to users’ DNS queries.

In computing, recursion is a technique for solving a problem in which a program or procedure repeatedly calls itself until it reaches the desired goal.

A Recursive DNS server sits in the middle between the Authoritative DNS server and the end-users who initiate DNS requests. So, each time users want to visit a particular website, they type its domain name into the address bar of the browser. From there, the Recursive DNS server receives the request and starts searching for the IP address (IPv4 or IPv6) that corresponds to the domain name. As soon as the required IP address is found, the DNS resolver returns it to the user’s device. Then the browser on the user’s device (smartphone, laptop, computer, etc.) is able to connect and load the desired website.

The number of available Recursive DNS servers all over the world is significant. However, the most popular among them are the ones of the Internet service providers (ISP).

Tasks of the Recursive DNS server

The role of the DNS resolver is to complete one of the following tasks:

1. It checks whether the IP address is stored in its cache memory. There is a certain period of time, pre-defined by the domain’s owner and called Time to Live (TTL), which says for how long the Recursive server may hold the information. If the record is still there, the server returns the answer quickly and takes no further action.
2. It searches for the IP address elsewhere. If the record is not in the cache, it continues the search until it reaches an Authoritative server that has the information.
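The two tasks above, as an added example that is not part of the original post: a small caching resolver in Python that answers from its cache while the record’s TTL lasts (handing back the remaining TTL, as a real resolver does), and otherwise fetches from a constructed table that stands in for the authoritative server. The `upstream_load` helper also puts a number on the trade-off from the TTL post earlier on this page: the shorter the TTL, the more often the recursive server has to go upstream. Names, addresses and the injected clock are constructed.

```python
"""Recursive-resolver cache that honours record TTLs.
Added example, not code from the ClouDNS posts. The authoritative data is
constructed inline and the clock is injected, so runs are deterministic."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Record:
    name: str
    rtype: str
    data: str
    ttl: int  # seconds the record may be cached, chosen by the zone owner


class CachingResolver:
    """Task 1: answer from cache while the TTL has not run out.
    Task 2: otherwise fetch from the authoritative source and cache it."""

    def __init__(self, authoritative: Dict[Tuple[str, str], Record],
                 now: Callable[[], float]) -> None:
        self._auth = authoritative          # stands in for the root->TLD->auth walk
        self._now = now                     # injected clock, in seconds
        self._cache: Dict[Tuple[str, str], Tuple[Record, float]] = {}
        self.upstream_queries = 0           # how often the cache did not suffice

    @staticmethod
    def _key(name: str, rtype: str) -> Tuple[str, str]:
        # DNS names are case-insensitive and a trailing dot is the same name.
        return name.lower().rstrip("."), rtype.upper()

    def resolve(self, name: str, rtype: str) -> Optional[Record]:
        key = self._key(name, rtype)
        t = self._now()
        hit = self._cache.get(key)
        if hit is not None and hit[1] > t:
            rec, expires_at = hit
            # A resolver returns the *remaining* TTL, which is why dig shows
            # a value counting down on repeated queries to the same cache.
            return Record(rec.name, rec.rtype, rec.data, int(expires_at - t))
        self.upstream_queries += 1
        rec = self._auth.get(key)
        if rec is None:
            return None  # no such record; negative caching is left out here
        self._cache[key] = (rec, t + rec.ttl)
        return rec


def upstream_load(ttl: int, query_interval: int, duration: int) -> int:
    """Authoritative queries caused by clients asking every query_interval
    seconds for duration seconds, for one record with the given TTL.
    Shows the TTL post's trade-off: shorter TTL, more upstream load."""
    clock = [0]
    auth = {("example.test", "A"): Record("example.test", "A", "192.0.2.1", ttl)}
    resolver = CachingResolver(auth, lambda: clock[0])
    for _ in range(duration // query_interval):
        resolver.resolve("example.test", "A")
        clock[0] += query_interval
    return resolver.upstream_queries


if __name__ == "__main__":
    clock = [0]
    auth = {("www.cloudns.net", "A"):
            Record("www.cloudns.net", "A", "203.0.113.10", 3600)}  # constructed
    r = CachingResolver(auth, lambda: clock[0])
    print(r.resolve("www.cloudns.net", "A"))   # TTL 3600, fetched upstream
    clock[0] = 100
    print(r.resolve("WWW.cloudns.net.", "A"))  # same data, TTL now 3500
    for ttl in (60, 3600, 172800):
        print(f"TTL {ttl:>6}s -> {upstream_load(ttl, 10, 86400)} upstream queries/day")
```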

How does it work?

The Recursive DNS server plays a very important role in the DNS resolution process. As we mentioned earlier, it operates between the user and the Authoritative DNS server and, along the way, completes several crucial tasks. Let’s summarize how it operates and what actions it performs in this vital process:

  • The DNS resolver is the one that obtains the DNS query from the user.
  • It then asks the Root server about the location of the TLD (Top Level Domain) server.
  • The Recursive DNS server queries the TLD (Top Level Domain) server to find out which Authoritative DNS server is responsible for the exact domain.
  • It makes a request to the Authoritative DNS server responsible for the particular domain.
  • The Resolver gets back to the user and provides the requested data.
  • It caches the DNS information for further use.

The existence of Recursive DNS servers is crucial. This is because they support the Authoritative DNS servers, which would not otherwise be able to handle the workload created by themselves. Additionally, DNS Resolvers distribute the load of the huge number of user requests and make the resolution of domain names way easier.

Recursion and Iteration: Explaining the Dynamic Duo

Recursion and iteration are two programming concepts that play a crucial role in the functionality of DNS servers, particularly recursive ones. Let’s explore these concepts:

  • Recursion 

Recursion, in the context of DNS, refers to the process where a DNS server, upon receiving a query for a domain name, doesn’t have the necessary information in its cache and initiates a series of requests to other DNS servers to resolve the query. Each subsequent request dives deeper into the DNS hierarchy until the authoritative DNS server for the queried domain is reached.

Imagine recursion as a detective following a trail of clues to solve a mystery. The DNS server starts with limited information, asking other servers for more details until it discovers the complete answer. This recursive process ensures that even if a DNS server doesn’t have the needed information, it can still find and deliver a response after consulting other authoritative sources.

  • Iteration

Iteration, on the other hand, involves repeating a set of instructions until a specific condition is met. In the DNS context, iteration occurs when a DNS server sends iterative queries to authoritative servers and, at each step, refines the search until it obtains the precise information needed to resolve a domain name.

Think of iteration as a systematic approach where the DNS server persistently refines its search, step by step, until it comes to the solution. This process allows for efficient querying, minimizing the chances of overwhelming authoritative servers with unnecessary requests.

  • Recursion and Iteration in Recursive DNS Servers

Recursive DNS servers blend recursion and iteration to navigate the complex DNS hierarchy. When a recursive DNS server receives a query, it first checks its cache to see if the information is available. If not, it starts a recursive process, reaching out to authoritative servers and using iteration to narrow its search for the required data. This interplay between recursion and iteration ensures that DNS queries are resolved quickly and accurately.

The Benefits of Recursive DNS Servers

Now that we’ve explained the meaning of recursion and iteration let’s explore the benefits that Recursive DNS servers bring to the table.

  • Enhanced Performance and Speed: Recursive DNS servers significantly improve the speed of DNS resolution. Maintaining a cache of previously resolved queries allows these servers to respond promptly to reappearing requests without crossing the entire DNS hierarchy again. This results in faster load times for websites and a smoother browsing experience for users.
  • Reduced Network Latency: With their ability to store and reuse resolved queries, Recursive DNS servers help minimize network latency. By reducing the time it takes to get information from authoritative servers, these servers contribute to quicker and more responsive internet connections.
  • Improved Security: Recursive DNS servers can protect users from malicious activities. Through features like DNS filtering and blocking known malicious domains, these servers safeguard against phishing attacks, malware, and other online threats. They can perform detailed checks and validations before serving DNS responses, adding an extra layer of security to the online experience.
  • Load Distribution and Balancing: Recursive DNS servers contribute to the efficient distribution of network traffic by balancing the load on authoritative servers. These servers reduce the load on the DNS infrastructure by caching and serving responses locally.
  • User Privacy: They can enhance user privacy by implementing features like DNS over HTTPS (DoH) or DNS over TLS (DoT). These encryption protocols add a layer of security, preventing unauthorized parties from intercepting and monitoring DNS requests.

Vulnerabilities

Cybercriminals are well aware of the importance of Recursive DNS servers. Unfortunately, they manage to exploit their weaknesses and launch different malicious attacks. Some DNS resolvers are public, which makes them an easy target. Attackers often use DNS spoofing attacks or execute DDoS attacks in order to shut the servers down directly.

  • Recursive DNS servers and the amplified attacks

DNS amplification attacks are a very common threat on the Internet. They abuse public Recursive DNS servers to generate high volumes of traffic and damage the target.

  • Public (Open) recursive DNS

Leaving your Recursive DNS server public is dangerous. Such servers have minimal security and a visible IP address. This means that anyone, including cyber-criminals, can easily reach them and later abuse them to amplify their next attack.
Many network administrators don’t know their recursive servers are open, and this can lead to severe problems. If you have doubts about your DNS server, you can check it on this page: http://openresolverproject.org

  • Oversized packets

A threat that some attackers take advantage of is the manipulation of query packets. They send multiple queries to recursive servers, but with forged source IP addresses, directing all of the generated traffic towards the victims. They use many servers, and if the traffic is high enough, they can crash the victims’ servers.

Can you have safe Recursive DNS servers?

Yes, it is possible to secure your servers. We recommend using our Private DNS servers. They are hidden from the public eye and still have all of the premium features, like TTL management, Cloud domains, Secondary DNS, SOA settings and hourly statistics.
You don’t need to get all of them. You can strategically choose just the few you need most.

Conclusion 

Recursive DNS servers are a fundamental component of the global Internet and the DNS (Domain Name System). The role they play in the DNS resolution process is significant. DNS resolvers simplify resolution and balance the load of the numerous DNS requests made every day!
