What is DNS?
The Domain Name System (DNS) is what makes it possible for users to connect to websites using Internet domain names and searchable URLs rather than numerical Internet Protocol (IP) addresses. Rather than having to remember an IP address like 22.214.171.124, users can instead search for www.example.com.
The technology behind DNS can be likened to the way telephone contacts are managed on smartphones. Instead of needing to remember individual phone numbers, users can store and locate numbers easily by storing them in their contact lists—easily searchable by first and last names.
The translation technology behind DNS has also defined how businesses use the Internet, especially when creating their brand identity and presenting themselves to their customers. Without a Domain Name System, customers could quickly lose track of which websites they were looking for. And while IP addresses can change from time to time, domain names are easy to remember and stay consistent.
How does DNS work?
It’s important to differentiate between using a public and a private DNS.
- Public DNS: IP records are usually provided to your business by your Internet service provider (ISP). These records are available to the public and can be accessed by anyone, regardless of the device they use or the network they are attached to.
- Private DNS: A private DNS is different than a public one in that it resides behind a company firewall and only holds records of internal sites. In this case, the private DNS is limited in its scope to remembering IP addresses from the internal sites and services being used and can't be accessed outside of the private network.
In the majority of cases, users will rely on public DNS when converting hostnames into IP addresses. Here is a high-level overview of how that process works:
- A user enters a domain name or URL (e.g., www.example.com) into a browser. The browser sends a query to a local DNS server, usually provided by the local operating system or your Internet service provider. This middleman between the client and the DNS nameservers is known as a recursive resolver; it queries nameservers on the client's behalf and returns their responses to the client.
- The recursive resolver sends the query to the root nameservers, which respond with the TLD nameserver to ask next, based on the extension of the domain name being searched. Root nameservers are overseen by the Internet Corporation for Assigned Names and Numbers (ICANN). The TLD nameserver holds the information for all domain names that end with a common extension like .com, .net, .edu, or .gov.
- Due to the volume of DNS lookups that are performed on a regular basis, a recursive resolver is used to group search requests into batches that identify the authoritative DNS server holding the correct IP address for the query. The authoritative nameserver is usually the last step in a DNS lookup: after the recursive resolver gets a response from the TLD nameserver, it queries the authoritative nameserver, which holds the IP address, and that address is served back to the client.
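The lookup chain described above, as an added Python example that is not part of the original article: a resolver follows referrals from the root to the TLD to the authoritative server, caches the answer for its TTL, and can be flushed. The server names, zone data, addresses, and the RecursiveResolver class are all constructed for illustration.

```python
# Constructed delegation data (sample names, RFC 5737 addresses): each server
# maps a name suffix to a referral (next server) or to an answer with a TTL.
SERVERS = {
    "root":       {"com.": ("referral", "tld-com")},
    "tld-com":    {"example.com.": ("referral", "ns-example")},
    "ns-example": {"www.example.com.": ("answer", "203.0.113.10", 300)},
}

class RecursiveResolver:
    def __init__(self, servers):
        self.servers = servers
        self.cache = {}  # name -> (address, expiry time in seconds)

    def _ask(self, server, name):
        """Return the most specific record this server holds for name."""
        zone = self.servers[server]
        hits = [k for k in zone if name == k or name.endswith("." + k)]
        return zone[max(hits, key=len)] if hits else None

    def resolve(self, name, now):
        """Return (address, path); path lists what was consulted, in order."""
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0], ["cache"]
        server, path = "root", []
        for _ in range(8):  # bound the referral chain
            path.append(server)
            record = self._ask(server, name)
            if record is None:
                raise LookupError(f"{server} has no data for {name}")
            if record[0] == "answer":
                _, address, ttl = record
                self.cache[name] = (address, now + ttl)
                return address, path
            server = record[1]
        raise LookupError("referral chain too long")

    def flush(self):
        """Drop every cached entry, as a DNS flush does."""
        self.cache.clear()

if __name__ == "__main__":
    r = RecursiveResolver(SERVERS)
    print(r.resolve("www.example.com.", now=0))    # full walk from the root
    print(r.resolve("www.example.com.", now=60))   # served from cache
    r.flush()
    print(r.resolve("www.example.com.", now=61))   # full walk again
```

Because a cached entry is returned without consulting any nameserver until its TTL expires, a wrong entry in the cache keeps being served until it ages out or the cache is flushed.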
The DNS has become critical to the core functionality of the Internet, helping users easily navigate a sea of IP addresses by way of resource records. Without these essential processes, it would be practically impossible to support all of the features we use on a daily basis online and would limit our capabilities when it comes to setting up mail services, website redirects, or recognizing complex IPv4 and IPv6 web addresses. But what makes DNS lookups so amazing is that regardless of how complex the process may be, all search queries and server redirects happen in mere milliseconds, without impacting the client side.
How to choose a DNS server
Many organizations find it beneficial to own their own DNS servers. There are several advantages to this approach, but ultimately, it comes down to better consistency and control over your own web properties. Since you are the administrator of the server, you’re able to set all parameters for your machines, including lookup processes, security protocols, and performance capabilities.
When deciding on which type of DNS server to use, two of the most important considerations are the scalability and performance that the server provides. The speed with which a DNS server responds to queries depends on a number of variables, including the user's geographic location in relation to the server, load-balancing configurations, and query filtering.
Another option that users have is to rely on a DDI solution—a centralized platform that integrates and manages all DNS, DHCP, and IPAM services. DDI gives enterprises the ability to simplify and automate the management of increasing volumes of IP addresses while adequately provisioning and integrating other cloud orchestration systems.
DNS servers and cybersecurity
While most modern DNS servers are quite secure, older systems that were designed many years ago can come with their own business security challenges. Here are a couple of common risks associated with the use of these DNS servers.
Also known as a redirection attack, DNS hijacking occurs when DNS queries are incorrectly resolved and redirect users to fake and malicious websites. This is done by installing malware on users' computers that takes over routers or hijacks DNS communications as they occur.
DNS cache poisoning occurs when a hacker gets control of a DNS server itself and compromises IP address entries. These false entries are then spread globally to the Internet service providers, where they're cached and used in public DNS lookups.
One way you can effectively combat these risks is through the use of DNSSEC (Domain Name System Security Extensions). DNSSEC assigns cryptographic signatures to DNS records, ensuring records cannot be altered from their original state without detection. Similar to HTTPS, DNSSEC adds an additional layer of security for accessing DNS records without the need for heavy encryption that slows down the querying process.
DNS security best practices
Regardless of the type of DNS services that you choose to use, there are a few best practices you can follow to avoid presenting an attack surface and to minimize any potential security issues:
- DNS flushing: Regularly clearing your DNS cache will remove all entries on your local system. This process is useful for deleting any invalid or compromised DNS records that could be directing you to malicious sites.
- nslookup: nslookup is a command-line program that server administrators can use to find out the IP address of a specified hostname. This allows users to protect themselves against phishing attacks and confirm on demand the validity of the sites they are visiting.
- DNS leak test: There are several free services available to run a DNS leak test. When you use secure VPNs or privacy services, on occasion, you may find they are poorly configured and default DNS servers are still being used. This will mean that anyone monitoring network traffic will still be able to log your activity for malicious purposes. Running a DNS leak test will ensure that you have a closed VPN tunnel and that your network traffic remains secure.
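One way to put the nslookup check to work, as an added Python example that is not part of the original article: parse the output of nslookup run against several resolvers and report any resolver whose answer differs from the majority. It assumes the Unix-style nslookup output layout; the resolver addresses, answers, and helper names are constructed.

```python
def parse_nslookup(output):
    """Return (resolver_ip, set of answer addresses) from nslookup text."""
    resolver, answers, in_answer = None, set(), False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Server:"):
            resolver = line.split(":", 1)[1].strip()
        elif line.startswith("Name:"):
            in_answer = True  # Address lines after this belong to the answer
        elif line.startswith("Address:") and in_answer:
            # maxsplit=1 keeps IPv6 addresses, which contain colons, intact
            answers.add(line.split(":", 1)[1].strip())
    return resolver, answers

def cross_check(outputs):
    """Return [(resolver, addresses)] for resolvers outside the majority.

    On a tie the first answer set seen is treated as the majority.
    """
    by_answer = {}
    for text in outputs:
        resolver, answers = parse_nslookup(text)
        by_answer.setdefault(frozenset(answers), []).append(resolver)
    majority = max(by_answer.values(), key=len)
    return [(r, sorted(a)) for a, rs in by_answer.items()
            if rs is not majority for r in rs]

def sample(resolver, address):
    """Build constructed nslookup output for www.example.com."""
    return (f"Server:\t\t{resolver}\nAddress:\t{resolver}#53\n\n"
            "Non-authoritative answer:\nName:\twww.example.com\n"
            f"Address: {address}\n")

# Constructed data: two resolvers agree, a third returns a different address.
SAMPLES = [
    sample("192.0.2.1", "203.0.113.10"),
    sample("192.0.2.2", "203.0.113.10"),
    sample("192.0.2.99", "198.51.100.66"),
]

if __name__ == "__main__":
    for resolver, addresses in cross_check(SAMPLES):
        print(f"{resolver} disagrees with the majority: {addresses}")
```

A mismatch is a reason to investigate rather than proof of hijacking, since load-balanced sites can legitimately return different addresses to different resolvers.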
DNS services and IBM
When it comes to choosing a DNS solution, it's important that you partner with a technology provider that focuses on resiliency and performance without sacrificing security. IBM Cloud Internet Services (CIS), powered with Cloudflare, gives enterprises access to a suite of domain management services, complete with dedicated support staff 24 hours a day, all delivered over a secure network. By using authoritative DNS servers along with global and local load balancing, clients can take advantage of using a single interface to make multi-region DNS queries, avoiding latency and downtime, while significantly accelerating the resolution phase.
If you want to maximize the performance of your DNS queries while eliminating the vulnerability present in many public services, explore IBM's suite of cloud service offerings and see how they can scale your enterprise's network capabilities.