How DNS Works: Domain Hierarchy, Record Types, Common Attacks, and more...

Updated: Jun 11


DNS (Domain Name System) is the backbone of the internet. It translates human-readable domain names into IP addresses that computers can understand.

DNS is one of the most important aspects of the internet, yet it is also one of the most misunderstood.


In this blog post, we will explain what DNS is, how it works, and some of the common attacks that are launched against it. We will also take a look at the domain hierarchy and DNS record types so that you have a better understanding of how everything fits together.


DNS is a hierarchical distributed database that stores mappings between domain names and IP addresses. DNS is used by computers to resolve hostnames into IP addresses. When you type a URL into your web browser, your computer will first ask a DNS server to resolve the hostname into an IP address. The DNS server will then respond with the IP address of the website. DNS is also used to resolve email addresses, map subdomains to different servers, and much more.


The Domain Name System (DNS) breaks down a domain name into smaller components called labels. For example, the domain name "example.com" would be split into two labels: "example" and "com". Each label is then given an individual IP address. When you try to access a website using your web browser, your computer will ask a DNS server to resolve the domain name into an IP address. The DNS server will then respond with the IP address of the website.


DNS is also used to resolve email addresses, map subdomains to different servers, and much more. Many different types of DNS records can be used to store this information, including A records, AAAA records, CNAME records, MX records, and more.

DNS is a critical part of the internet and is responsible for translating human-readable domain names into IP addresses that computers can understand.


Domain Hierarchy


The Domain Name System (DNS) has a tree structure or hierarchy that segments different levels of the domain.

The root domain is at the top of the DNS tree and is represented by a dot.

For example, in the domain name "example.com", the root domain is ".".


Below the root domain are the Top-Level Domains (TLDs). TLDs are the second level of the domain hierarchy and are often referred to as domains.

For example, in the domain name "example.com", the TLD is "com".


Other common TLDs include "net", "org", and "edu". There are also country-specific TLDs such as "us", "uk", and "ca".


Third-level domains are the next level down in the domain hierarchy. They are often referred to as subdomains. For example, in the domain name "blog.example.com", the third-level domain is "blog".


Subdomains can be used to segment different parts of your website or to point to different servers.


Authoritative vs Recursive DNS services

There are two types of DNS servers: authoritative DNS servers and recursive DNS resolvers.


Authoritative DNS servers store the DNS records for a domain. This includes the A record, which maps a domain name to an IP address, as well as other types of records such as MX records, CNAME records, and more.


A recursive DNS resolver is responsible for resolving domain names into IP addresses. When you type a URL into your web browser, your computer will ask the recursive DNS resolver to resolve the hostname into an IP address. The recursive DNS resolver will then query the authoritative DNS servers for the domain to get the IP address of the website you


What happens when you make a DNS request

When you type a URL into your web browser, your computer will first ask a DNS server to resolve the hostname into an IP address. The DNS server will then respond with the IP address of the website. But how does this process work? Let's take a look at the steps involved in a DNS lookup.

Step One: The first stop for the DNS request is the local DNS cache. The DNS cache is a temporary storage for DNS records. When your computer makes a request to a DNS server, it will first check the DNS cache to see if the record has already been resolved. If the record is in the DNS cache, your computer can skip ahead to Step Seven and load the website.

Step Two: If the record is not in the DNS cache, your computer will send a DNS request to a recursive DNS server.

Step Three: The recursive DNS server will then check its own cache to see if it has already resolved the hostname.

Step Four: If the recursive DNS server doesn't have the record in its cache, it will send a request to one of the root servers.

Step Five: The root server will respond with the IP address of the authoritative DNS server for the Top-Level Domain (TLD). For example, if you're trying to access "example.com", the root server will return the IP address of the ".com" authoritative DNS server.

Step Six: The recursive DNS server will then send a request to the authoritative DNS server for the TLD.

Step Seven: The authoritative DNS server will respond with the IP address of the website. The recursive DNS server will then pass this information back to your computer, and your web browser can finally load the website.

And that's how a DNS lookup works! Whenever you type a URL into your web browser, your computer will go through these seven steps to resolve the hostname into an IP address.

Keep in mind that DNS records are cached on both your computer and on DNS servers. This means that if you try to access a website that you've already visited recently, the DNS lookup will be much faster because your computer (or the DNS server) will already have the IP address cached.


In Windows, you can view your DNS cache by typing "ipconfig /displaydns".



DNS Record Types


A DNS record is used to map a domain name to an IP address (or other data). There are several different types of DNS records, and each type has a different purpose.

A Record: The A record is the most basic type of DNS record. It's used to map a domain name to an IP address, and it's the only record type that's required for a website to work.


CNAME Record: A CNAME record is used to map a subdomain to another domain name. For example, you could use a CNAME record to map the "blog" subdomain to the "example.com" domain.


MX Record: An MX record is used to route email messages for a domain. When someone sends an email to "example@example.com", their email server will look up the MX records for the "example.com" domain and route the message accordingly.


NS Record: An NS record is used to delegate a subdomain to another DNS server. For example, you could use an NS record to delegate the "blog" subdomain to a different DNS server.


PTR Record: A PTR record is used to map an IP address to a domain name. This type of record is mostly used for reverse DNS lookups.


SOA Record: The SOA record is used to store information about the DNS server itself, such as the contact information for the administrator and the default TTL value.


TXT Record: A TXT record is used to store arbitrary text data. This type of record is often used for verification purposes or for storing small pieces of data like website security keys.
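To make the label and record-type descriptions above concrete, here is an added example (not code from the original post) that decodes a DNS response in its wire format with Python's standard library: names are read as length-prefixed labels, compression pointers are followed, and the type, TTL and RDATA of A, NS, CNAME, PTR and MX answers are extracted. The message it parses is constructed in the code, not captured from a real server.

```python
import socket
import struct
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}  # RFC 1035/3596 codes
def encode_name(name):  # one length byte before each label, a zero byte for the root label
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
def read_name(msg, off):
    """Read a name at `off`, following 0xC0 compression pointers; return (name, offset after the name)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # pointer to an earlier copy of the suffix
            end = end if end is not None else off + 2   # the name occupies only 2 bytes here
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:                               # zero-length root label terminates the name
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)
def parse_rdata(msg, rtype, off, rdlen):
    if rtype == 1:                                    # A: four address bytes
        return socket.inet_ntoa(msg[off:off + 4])
    if rtype in (2, 5, 12):                           # NS, CNAME, PTR: a (possibly compressed) name
        return read_name(msg, off)[0]
    if rtype == 15:                                   # MX: 16-bit preference, then the mail host name
        return (struct.unpack("!H", msg[off:off + 2])[0], read_name(msg, off + 2)[0])
    return msg[off:off + rdlen].hex()                 # anything else: raw hex
def parse_response(msg):
    """Parse the 12-byte header, the question section and the answer RRs of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append((name, RR_TYPES.get(qtype, qtype)))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        answers.append((name, RR_TYPES.get(rtype, rtype), ttl, parse_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}
def sample_response():
    """Constructed (not captured) reply: www.example.com. CNAME example.com., then its A record, TTL 3600."""
    header = struct.pack("!6H", 0xBEEF, 0x8180, 1, 2, 0, 0)                # QR=1 RD=1 RA=1; 1 question, 2 answers
    question = encode_name("www.example.com.") + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    cname = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 3600, 2) + b"\xc0\x10"  # owner -> offset 12, target -> 16
    a_rr = b"\xc0\x10" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("93.184.216.34")
    return header + question + cname + a_rr
```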


DNS Propagation and TTL (Time To Live)

DNS propagation is the process of updating DNS records across the Internet. When you make a change to a DNS record, that change needs to propagate to all of the DNS servers around the world so that everyone can see the new record.


The time it takes for DNS changes to propagate can vary depending on a few factors, but it's generally pretty quick. For most people, DNS changes will propagate within an hour or two. In some cases, it may take up to 24 hours for the changes to fully propagate.

If you're making a major change to your website (like changing your web hosting provider), you should plan ahead and make the DNS changes at least a day in advance. This way, you can be sure that everyone will be able to see your new website as soon as the DNS changes have propagated.


The TTL is a value that's set in a DNS record. It tells DNS servers how long they should cache the record. For example, if a DNS record has a TTL of 24 hours, that means that any DNS server that looks up that record can cache it for up to 24 hours.


The TTL is important because it controls how often DNS servers need to check for changes to DNS records. If you make a change to a DNS record, you need to wait for the TTL to expire before that change will propagate to all of the DNS servers around the world.


In general, you should set the TTL to a relatively low value (like an hour or two) when you're making changes to DNS records. Once the changes have propagated, you can increase the TTL to a higher value (like a day or two) to improve performance.


DNS propagation and TTL are important concepts to understand if you're responsible for managing a website. By understanding how DNS works, you can make sure that your website is always accessible and that any changes you make will propagate quickly.

For example, we can see that in my domain the TTL value is set to 1 hour = 3600 seconds.



Whenever I ping my website, the DNS record will be stored in my local cache for 1 hour until the next time I query the DNS server.


You can see in the image below that the TTL configuration value is set to 1 Hour - 3600 seconds.

I can find out how much time has elapsed until the next time I need to query the DNS server by checking my computer's local cache:


Below, we see that my computer still has 2900 seconds until it needs to query my DNS server again for the www.menitasa.com record.


Types of DNS Attacks


DNS spoofing: DNS spoofing is a type of man-in-the-middle attack where an attacker intercepts DNS requests and responds with fake DNS records. This can be used to redirect traffic from one website to another or to serve malicious content.



DNS cache poisoning: DNS cache poisoning is a type of attack where an attacker inserts false DNS records into the cache of a DNS server. This can be used to redirect traffic from one website to another or to serve malicious content.


DNS hijacking: DNS hijacking is a type of attack where an attacker redirects DNS requests to a different server. This can be used to redirect traffic from one website to another or to serve malicious content.


DNS amplification: DNS amplification is a type of attack where an attacker sends a small DNS request to a server that responds with a much larger response. This can be used to overload the victim's network or to cause a denial-of-service attack.


These are just some examples of DNS attacks that can be carried out.
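The TTL countdown shown in the previous section and the spoofing and cache-poisoning entries above both come down to what a resolver's cache is willing to store. The following added example (my code, not the author's, with a constructed scenario rather than real traffic) is a small stub-resolver cache that expires records by TTL and admits an answer only when it matches an outstanding query's transaction ID and question, discarding records for names it did not ask about.

```python
import time

class ResolverCache:
    """Stub-resolver cache that honours per-record TTLs and only admits answers it asked for."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock                 # injectable so the TTL countdown can be driven by hand
        self.entries = {}                  # (owner name, type) -> (value, expiry timestamp)
        self.pending = {}                  # transaction ID -> (name, type) of an outstanding query
    def send_query(self, txid, name, qtype):
        self.pending[txid] = (name.lower(), qtype)   # a real stub would also put the query on the wire
    def lookup(self, name, qtype):
        """(value, seconds left) while the record is fresh; None once its TTL has run out."""
        hit = self.entries.get((name.lower(), qtype))
        if hit is None or hit[1] <= self.clock():    # missing or expired: caller must re-query
            return None
        return hit[0], int(hit[1] - self.clock())
    def accept(self, response):
        """Admit records from `response` ({id, question, answers}); return a list of what was dropped.
        The ID must match a query we sent, the question must echo ours, and each answer's owner must
        be the queried name or the target of a CNAME accepted earlier in the same response."""
        txid, asked = response["id"], self.pending.get(response["id"])
        if asked is None:
            return ["dropped: no outstanding query with ID 0x%04x" % txid]
        if (response["question"][0].lower(), response["question"][1]) != asked:
            return ["dropped: question section does not match query 0x%04x" % txid]
        del self.pending[txid]             # one answer per query; a later duplicate is treated as unsolicited
        allowed, rejected, now = {asked[0]}, [], self.clock()
        for owner, rtype, ttl, value in response["answers"]:
            if owner.lower() not in allowed:
                rejected.append(f"ignored unrelated record {owner} {rtype} {value}")
                continue
            self.entries[(owner.lower(), rtype)] = (value, now + ttl)
            if rtype == "CNAME":
                allowed.add(value.lower())
        return rejected

def demo():
    """Constructed scenario (not a capture): one genuine answer, one late forged duplicate, then the countdown."""
    t = [1000.0]                                   # hand-advanced fake clock
    cache = ResolverCache(clock=lambda: t[0])
    cache.send_query(0x1234, "www.menitasa.com.", "A")
    genuine = {"id": 0x1234, "question": ("www.menitasa.com.", "A"), "answers": [
        ("www.menitasa.com.", "A", 3600, "203.0.113.10"),
        ("login.example.", "A", 86400, "198.51.100.7")]}   # unrelated record smuggled into the answer
    forged = {"id": 0x1234, "question": ("www.menitasa.com.", "A"),
              "answers": [("www.menitasa.com.", "A", 86400, "198.51.100.9")]}
    dropped = cache.accept(genuine) + cache.accept(forged)   # the forgery arrives after the query closed
    t[0] += 700                                    # 700 s later: 2900 s of the 3600 s TTL remain
    return cache.lookup("www.menitasa.com.", "A"), dropped
```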


For more information on DNS attacks and how to protect against them, see the following resources:


- How to Protect Against DNS Attacks

- What is DNS Spoofing?

- What is DNS Cache Poisoning?

- What is DNS Hijacking?

- What is DNS Amplification?


By understanding what DNS is and how it works, you can better protect yourself against these types of attacks.


In this post, we’ve covered how DNS works, from the domain hierarchy to record types. We also looked at some common attacks and mitigation techniques. If you have any questions or would like more information on a specific topic, please visit my website for more great posts like this one.


Thanks for reading!

Meni Tasa
