alunablue - stock.adobe.com
Not all DNS servers are created equal, and understanding how the three different types of DNS servers work together to resolve domain names can be helpful for any information security or IT professional.
DNS is a core internet technology that translates human-friendly domain names into machine-usable IP addresses, such as www.example.com into 192.0.2.1. The DNS operates as a distributed database, where different types of DNS servers are responsible for different parts of the DNS name space.
The three DNS server types server are the following:
- DNS stub resolver server
- DNS recursive resolver server
- DNS authoritative server
Figure 1 below illustrates the three different types of DNS server.
A stub resolver is a software component normally found in endpoint hosts that generates DNS queries when application programs running on desktop computers or mobile devices need to resolve DNS domain names. DNS queries issued by stub resolvers are typically sent to a DNS recursive resolver; the resolver will perform as many queries as necessary to obtain the response to the original query and then send the response back to the stub resolver.
The recursive resolver may reside in a home router, be hosted by an internet service provider or be provided by a third party, such as Google's Public DNS recursive resolver at 22.214.171.124 or the Cloudflare DNS service at 126.96.36.199.
Since the DNS operates as a distributed database, different servers are responsible -- authoritative in DNS-speak -- for different parts of the DNS name space.
Figure 2 illustrates a hypothetical DNS resolution scenario in which an application uses all three types of DNS servers to resolve the domain name www.example.com into an IPv4 address -- in other words, a DNS address resource record.
In step 1, the stub resolver at the host sends a DNS query to the recursive resolver. In step 2, the recursive resolver resends the query to one of the DNS authoritative name servers for the root zone. This authoritative name server does not have the response to the query but is able to provide a reference to the authoritative name server for the .com zone. As a result, the recursive resolver resends the query to the authoritative name server for the .com zone.
This process continues until the query is finally resent to an authoritative name server for the www.example.com zone that can provide the answer to the original query -- i.e., what are the IP addresses for www.example.com? Finally, in step 8, this response is sent back to the stub resolver.
One thing worth noting is that all these DNS messages are transmitted in the clear, and there is the potential for malicious actors to monitor users' internet activities. Anyone administering DNS servers should be aware of DNS privacy issues and the ways in which those threats can be mitigated.