TechLife Australia

Understanding DNS

THE DOMAIN NAME SYSTEM IS ESSENTIAL TO HOW WE ACCESS WEBSITES AND USE THE INTERNET, BUT IT’S ALSO VULNERABLE TO ATTACK. HERE’S HOW IT WORKS.

- [ NATHAN TAYLOR ]

THE DOMAIN NAME service was created for a simple reason: because we humans ain’t so good with numbers. But over time, it has evolved, and a number of internet services now actually use DNS to provide additional useful functions, like web filtering and anti-geoblocking. That’s why, this month, we’re going to walk through the basics of DNS, to help you better understand how you can use it.

At its most basic, DNS is a directory, very much like a phone book. But instead of phone numbers it has IP addresses. When you try to access a site, let’s say www.awebsite.com, your computer will ask its assigned DNS server what the IP address of that site is, because it needs the IP address to route the data. Pretty simple, right?

DNS servers themselves are a network, with updates propagating across the world down from 13 authoritative ‘root’ servers. When a new address is assigned, the DNS servers talk to each other to keep everything up to date. There are tens of thousands of DNS servers across the world, and your ISP runs at least one (the one it assigns you when you connect), ensuring that DNS responses happen as quickly as possible.

DOMAIN OWNERSHIP

As you’ve probably recognised, domain names are hierarchical. That is to say, if you ‘own’ mywebsite.com, you also own ‘www.mywebsite.com’, ‘stuff.mywebsite.com’ and ‘stuff.and.things.mywebsite.com’.

At the top of the tree is the magical root DNS (the domain name is literally ‘.’), owned by the US Department of Commerce and managed by the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN, in turn, creates a bunch of top level domains (TLDs), like ‘.com’, ‘.net’ and ‘.au’ and sublets those to various authorities. For instance, AusRegistry currently manages the ‘.au’ domain. In turn, it can on-sell ‘.com.au’ domains. And so on down the chain of ownership.

HOW DYNAMIC DNS WORKS

The vast majority of internet users don’t have a fixed IP address. When you connect to the internet, you’re assigned an IP address from your ISP’s available pool, and when you connect again, you might be assigned a different one. That would normally make it impossible for you to have a domain linking to your home computer — it would be like if your phone number changed every few days.

Dynamic DNS (DDNS) fixes that. With DDNS you have a software agent running on your home network that continuously updates the DNS network with your current IP address. It can be an app running on your PC, or it can be a tool built into your router. There are two major providers supported by many routers: Dyn (dyn.com) and no-ip (noip.com).

You create an account with the DNS provider, which gives you a URL (for instance, mywebsite.no-ip.com) and a username and password. You can either download a software agent to run on your PC or set up your router’s DDNS with those details. As long as the agent is running, that URL will always point to your home network.

That’s extremely useful. If you want to run your own server — for instance a Minecraft server or remote access server — it will make your life a hell of a lot easier, since you now have a fixed URL that will point to your server no matter what its IP address is. Some Smart DNS and filtering services even use it for authentication.

HOW DNS FILTERING SERVICES WORK

DNS is now commonly used for parental controls and web filtering for security. The best known provider of DNS filtering services is OpenDNS (www.opendns.com).

With these services, you configure your computer and other devices to point at a specific DNS server address given to you by the provider (most run multiple servers, and you choose the one closest to you for best response times). This DNS server is special because it doesn’t just hand over whatever IP address you ask for. Instead, it has a blacklist of addresses that it doesn’t respond to. When your device asks for the IP address of a blocked site (say, playboy.com), the DNS server will respond with, “Nope, no site like that exists!”

You can configure a DNS filtering service on your router or on individual devices by manually setting the address to the one provided by the filtering service. If you configure it on your router, all devices on your network that use automatic addresses (DHCP) will also use the filtered DNS service.

OpenDNS has an additional feature: custom lists. You can create an account with it and choose what you want it to filter. It’s quite clever how this works. OpenDNS doesn’t build a new DNS server for every user. Instead, it keeps a live record of the IP addresses of its users through an agent installed on their PC, just like DDNS. For example, it remembers that user Joe Bloggs currently has an IP address of 1.2.3.4. When its DNS server receives a DNS request from 1.2.3.4, it knows that request is coming from Joe Bloggs and it can apply Joe’s custom filters in response.

You can see here where a DDNS address is useful. Instead of running the OpenDNS agent, you can just tell OpenDNS what your DDNS hostname is (eg. mywebsite.no-ip.com). That way, OpenDNS will always have your current IP address.

HOW SMART DNS SERVICES WORK

Smart DNS services such as Getflix and Unblock-US grew up as a means to dodge geoblocks such as the ones used by Hulu and Netflix. They actually work a lot like OpenDNS and other filtering services, modifying the directory to suit their needs.

Let’s say you’re a subscriber to Getflix and you want to access Netflix US. You’d set your computer and other devices up to use Getflix’s DNS server rather than the one supplied by your ISP. When you make a request to go to netflix.com, that DNS server does not give you the real IP address of Netflix.com. Instead it points your computer to a special Netflix proxy server set up by Getflix. That proxy lets you bypass the geoblock and appear to be in the US.

As with OpenDNS’s custom lists, you do have to keep the smart DNS provider apprised of your current IP address, since DNS itself has no integral authentication method and the Smart DNS providers would like to limit their services to paying subscribers. You can do this by visiting their web page and logging in, or again by setting up a DDNS URL and providing it to them.
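
The resolver behaviour described in the filtering and Smart DNS sections, as an added Python example (not code from OpenDNS, Getflix or this article): the resolver picks a policy from the query's source IP, then denies the name, rewrites the answer or returns the real record. The account names, directory contents and every address other than the article's 1.2.3.4 are constructed for illustration.

```python
import ipaddress

# Constructed sample data. 1.2.3.4 for "joe" is the article's own example;
# every other address is from the RFC 5737 documentation ranges.
DIRECTORY = {"www.awebsite.com": "192.0.2.10", "video.example": "192.0.2.20",
             "blocked.example": "192.0.2.30"}
GLOBAL_BLOCKLIST = {"blocked.example"}
# Per-account policy (hypothetical accounts): blocked zones and rewrites.
ACCOUNTS = {
    "joe": {"block": {"awebsite.com"}, "rewrite": {}},
    "sam": {"block": set(), "rewrite": {"video.example": "198.51.100.7"}},
}
DEFAULT_POLICY = {"block": set(), "rewrite": {}}
# Source IP -> account: the only "identity" the resolver has for a query.
REGISTERED = {"1.2.3.4": "joe", "203.0.113.9": "sam"}


def zone_match(name, zones):
    """True if name is a listed zone or sits anywhere beneath one."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))


def resolve(client_ip, name):
    """Return (rcode, address) as a policy-applying resolver would."""
    client_ip = str(ipaddress.ip_address(client_ip))  # reject malformed input
    name = name.lower().rstrip(".")
    policy = ACCOUNTS.get(REGISTERED.get(client_ip), DEFAULT_POLICY)
    if zone_match(name, GLOBAL_BLOCKLIST | policy["block"]):
        return ("NXDOMAIN", None)  # filtering: "no site like that exists"
    if name in policy["rewrite"]:
        return ("NOERROR", policy["rewrite"][name])  # smart DNS: proxy address
    if name in DIRECTORY:
        return ("NOERROR", DIRECTORY[name])  # unmodified directory answer
    return ("NXDOMAIN", None)


def update_registration(account, new_ip):
    """What the agent or DDNS hostname achieves: rebind account to new IP."""
    for ip in [ip for ip, acct in REGISTERED.items() if acct == account]:
        del REGISTERED[ip]
    REGISTERED[str(ipaddress.ip_address(new_ip))] = account
```

Because the source IP is the only thing tying a query to an account, a stale registration means the custom policy silently stops applying at the new address and applies instead to whoever now holds the old one.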

DDNS settings are found under ‘Security’ on Linksys routers, supporting Dyn and no-ip.
If you configure your router to use a specific DNS, that will propagate across all the devices on your network.
You can register your current IP with Getflix by visiting its page or using DDNS.
On Windows, you can manually set a DNS server while still using an automatic IP address.
