How does DNS work?

January 30, 2022

(Maybe Obvious) Preamble

What is DNS?

Wife: What's DNS?

Me: It's that thing you use every day when you browse the web on your phone.

Me: Actually, even when you don't use your phone you use DNS!

Me: DNS is an invisible magical force all around us! (waves hands)

Wife:

In a nutshell, DNS, or Domain Name System, is a system used by computers to translate domain names (e.g. example.com) to their corresponding IP address, which is mapped to a server hosting the content you want to view [1]. This request happens before your computer can talk to the server directly and contains only the domain (example.com), not the full URL (example.com/blog/page.html).

You can think of DNS as a phone book with the resolving server as the switch operator.

The most common DNS servers in use are usually run by Internet Service Providers (ISPs), and that's the default for most internet users who haven't customized their settings. If your work's network is tightly controlled, that is often done by the company pointing the corporate network / VPN at its own DNS server.

Why should I care?

Well, for one, if it wasn't for DNS you'd have to memorize IP addresses such as 78.134.42.112 to access websites, or in the case of IPv6: 2603:243:d300:e0e:5cdd:d167:af2a:7f6.

So DNS is solving a real problem and makes it easy for developers to swap out the underlying server while keeping the domain the same and giving you stable and consistently secure results.

Because of how DNS is structured, it raises some concerns with regard to censorship, security and privacy.

Censorship, Security and Privacy Considerations

Unlike most web traffic these days, which uses SSL (HTTPS), DNS is by and large not encrypted, and it relies on a resolving server (similar to an old phone switch operator) to funnel all requests. This design makes DNS a prime target for parental control software, censorship, tracking, and Man-in-the-Middle attacks.

Since the most used resolving name servers are owned by private corporations such as ISPs, Google, Cloudflare etc., it is easier for those corporations, and by extension governments, to censor which websites you can access.

If, for example, AT&T decides to block access to one of their (very few) competitors such as comcast.com, all they have to do is update their DNS resolution server to point that domain somewhere else.

Similarly, if by request of the government, Comcast decides that they no longer want you to access wikileaks.org, they can easily change their DNS server to point at another IP address, either an invalid one, or even more maliciously, their own version of the website with "state approved" content.

The Chinese Government infamously uses DNS spoofing to censor the internet in their country and prevent their citizens from reading about certain targeted topics such as the Tiananmen Square Massacre.

Ever used public WiFi?

Hackers often use poor network security, and the unencrypted nature of DNS, to not only track those around them, but also to redirect their traffic to a maliciously crafted website. So if you are on a network you don't control, such as public WiFi (or a fake network pretending to be public WiFi 😉), the hacker can redirect yourbank.com to a VERY convincing copy of your bank's login page and steal your credentials [2].

One Thousand Eyes

Moreover, every time you access a website, either directly, or indirectly (some script on your computer requests a website), the DNS server can keep a record of your computer's IP and the requested domain. This data is routinely collected and often sold. This harms your privacy because this type of metadata can help companies and governments build a profile cataloging what type of websites you visit, when, and how often. It can also be used to identify and "weed out" political dissidents.

Don't get me started with the "But I have nothing to hide" fallacy.

Censorship, Security and Privacy Solutions

There are also other DNS providers that you can use that offer varying degrees of benefit over using the default ISP DNS. For example, Quad9 (9.9.9.9) is a more secure and privacy-respecting DNS server than your ISP's DNS server (allegedly, because we should all be skeptics).

Finally, you can run your own DNS server using something like Pi-hole. Pi-hole is a DNS server you can run on a cheap $10 computer such as the Raspberry Pi Zero W and use to block ads from every device on your local network. You can even use it on the go with your phone by setting up a VPN.

Blocking ads is great not only for regaining control of your precious attention and privacy, but also for speeding up web browsing, reducing data usage on limited internet plans, conserving battery while on the go and even reducing CO2 emissions!

There are many reasons why you might want to run your own DNS server.

So how does it work?

DNS is a request/response (or question/answer) transaction. Your computer asks "What's the IP for example.com?" and the DNS server answers "It's 93.184.216.34". This is an oversimplification.

What's inside the packet?

Julia Evans posted a really cool diagram/comic explaining the request/response cycle of a DNS request:

DIY

Want to see for yourself what's inside a DNS packet? Use the dig CLI, which is available on most Linux-based systems:

dig example.com

The output should look like this:

; <<>> DiG 9.16.15-Ubuntu <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43827
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            6798    IN      A       93.184.216.34

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Jan 30 22:22:42 CST 2022
;; MSG SIZE  rcvd: 56

If you want to dig deeper (pun intended, deal with it!) combine dig with jc and jq. After installing these tools, simply run:

dig example.com | jc --dig | jq

And you should get something looking like this:

[
  {
    "id": 10267,
    "opcode": "QUERY",
    "status": "NOERROR",
    "flags": [
      "qr",
      "rd",
      "ra"
    ],
    "query_num": 1,
    "answer_num": 1,
    "authority_num": 0,
    "additional_num": 1,
    "opt_pseudosection": {
      "edns": {
        "version": 0,
        "flags": [],
        "udp": 65494
      }
    },
    "question": {
      "name": "example.com.",
      "class": "IN",
      "type": "A"
    },
    "answer": [
      {
        "name": "example.com.",
        "class": "IN",
        "type": "A",
        "ttl": 7030,
        "data": "93.184.216.34"
      }
    ],
    "query_time": 0,
    "server": "127.0.0.53#53(127.0.0.53)",
    "when": "Sun Jan 30 22:18:50 CST 2022",
    "rcvd": 56,
    "when_epoch": 1643602730,
    "when_epoch_utc": null
  }
]
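The same fields can be read straight off the wire. The following is an added example, not code from the original post: it encodes a query for example.com, shows that the name travels as cleartext labels, and decodes a response into the header flags and answer record that dig prints. The function names are hypothetical, and the response bytes are constructed from the values in the dig output above rather than captured from a network.

```python
import socket
import struct

FLAG_BITS = ((0x8000, "qr"), (0x0400, "aa"), (0x0200, "tc"), (0x0100, "rd"), (0x0080, "ra"))

def build_query(name, qid=0x1234):
    """Encode a recursive (RD=1) type-A, class-IN query for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            hops += 1
            if hops > 16:                    # a malformed packet could loop forever
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
        elif length == 0:                    # root label terminates the name
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length

def parse_response(msg):
    """Return the header fields dig prints plus any A records in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip each question: name + type + class
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:        # A record: 4-byte IPv4 address
            answers.append({"name": name, "ttl": ttl, "data": socket.inet_ntoa(rdata)})
    return {"id": qid, "flags": [n for bit, n in FLAG_BITS if flags & bit],
            "rcode": flags & 0xF, "answer": answers}

def sample_response(query):
    """Constructed reply (not captured traffic): echo the question, add one A record."""
    hdr = struct.pack("!HHHHHH", int.from_bytes(query[:2], "big"), 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 6798, 4) + socket.inet_aton("93.184.216.34")
    return hdr + query[12:] + rr
```

Calling `parse_response(sample_response(build_query("example.com")))` yields the same flags and answer shown in the dig and jc output; the bytes `\x07example\x03com\x00` inside the query are what anyone on the network path can read.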

Keep reading: A few interesting topics related to DNS

Handshake (HNS)

HNS is a cryptocurrency-based, truly decentralized, censorship- and tamper-resistant TLD provider. It allows you to buy an entire class of domains, e.g. yourname.😍, and sell domains as a registrar.

Read more here: https://learn.namebase.io/about-handshake/about-handshake

DNS over HTTPS (DoH)

Since DNS is not encrypted, anyone on a public network (think Starbucks Free WiFi) can listen in on your DNS requests - this is surprisingly easy to do. DNS over HTTPS uses the common SSL encryption available on most websites to encrypt the request/response cycle and protect it from "Man-in-the-Middle" attacks. Read more here: https://en.wikipedia.org/wiki/DNS_over_HTTPS

While some operating systems still don't support DoH natively, you can still set up DoH via a local proxy server such as cloudflared and Pi-hole.

If you are using Firefox you can also enable DoH in your browser [3].

DNS Spoofing

DNS Spoofing is an attack in which DNS requests can be intercepted and redirected to alternate addresses, often a malicious server.

Read more on how DNS spoofing attacks are performed.

Additional deep dives into DNS

Check out the rest of Julia Evans' DNS articles. Julia always does a great job explaining complicated topics succinctly!


  1. In reality, things can be a bit more complicated in modern web hosting: an IP can point to a Load Balancer [LB], either hardware or software, and the LB can talk to a node in a cluster which contains the actual server software.
  2. Admittedly, these types of attacks are now somewhat harder with the advent of HSTS and modern browsers, but they are still possible (not everyone uses HSTS, and not every HTTP client respects HSTS or is even guaranteed to verify SSL certificates - think cheap IoT devices).
  3. The caveats to using DoH built into Firefox are that it will only affect URLs visited in that browser, and if you use Pi-hole, DoH in Firefox will bypass any ad filtering done by the Pi-hole, since the browser will communicate directly with the DNS provider instead of your local filter first.

© 2023, Dorian Karter