In recent years there have been several outages of very popular internet services. It is not always easy to tell where and when the problem occurred, but almost always one of the first suspects is the Domain Name System, better known by its acronym, DNS.
DNS is an essential communications protocol for every service that runs on the Internet: web browsing, streaming media and email, among many others. To understand why it matters so much, we have to go back to the origins of the Network of networks, in the 1980s.
Machines with names
We humans like to give names to things; it is how we identify them. Computers were no exception.
Initially, any word could be used to christen a machine. For example, one of the first computers connected to the Internet was called Genie.
When networks of computers began to be built, machines also had to be identified by numbers, the familiar network addresses, which made it possible to know where a machine was and to reach it. On the Internet these are IP (Internet Protocol) addresses. A computer connected to the network therefore had both a name and an IP address.
At first a very simple mechanism related the two values: they were written down in a file, the well-known hosts.txt. Each line of the file held the name and the IP address of one computer, much like a telephone directory in which a person's name is associated with a fixed number.
This file was kept on a single computer (managed by the Stanford Research Institute) and every computer connected to the network downloaded it once a day.
Every time a new computer joined the Internet it had to be added to this registry. As the number of connected computers grew, the system became very hard to maintain. On the one hand, naming a machine became increasingly complicated because every name had to be unique: two machines with the same name but different IP addresses could not coexist, so there could be no other machine called Genie anywhere on the Internet. On the other hand, the file kept growing and became harder to handle.
Creation of the DNS system
It was Paul Mockapetris who proposed a solution to this problem. He defined the domain name system in 1983, and the revised specification still in use today (RFC 1034 and RFC 1035) dates from 1987. This system made it easier, on the one hand, to create names and, on the other, to find more quickly the IP address associated with a name.
To make creating names easier, he proposed a structure based on an inverted tree in which each node has a label. The name of a machine is built by joining these labels, separated by dots, from the node itself up toward the root: "uc3m.es" is the node labelled "uc3m" hanging from the node labelled "es".
[Figure: the DNS name tree. Celeste Campo and Carlos Garcia, Author provided]
To avoid name conflicts, the only thing that has to be guaranteed is that no name is repeated at the same level of the tree, that is, among the children of a single node. This is achieved by delegating the management of each node's names.
An example makes this clearer: the management of domain names ending in ".es" has been delegated to Spain. Anyone who wants to create a name ending in ".es" must request it from the Spanish registry. Thus the Carlos III University of Madrid has the domain "uc3m.es" and the Complutense University of Madrid has "ucm.es". This does not prevent the existence of a name "ucm.cl", which belongs to a university in Chile, because it hangs from a different node of the tree.
The most important level of the DNS is the first one, just below the root of the tree: the top-level domains, or TLDs. This level contains ".com", ".net", ".org" and so on, as well as the country and regional codes ".es", ".pt", ".fr", etc. It is coordinated by the Internet Corporation for Assigned Names and Numbers (ICANN).
While this new structure solved many problems, it opened up others. For example, when may a region have its own TLD? The world of domain names is not exempt from the geopolitical tensions of the real world, although that alone would need an article of its own.
The other problem DNS solved was storing and retrieving the information associated with these names, including IP addresses, more efficiently. The proposal was to divide the DNS name tree into non-overlapping zones, with the information for each zone stored on separate machines called DNS servers. It is as if the original hosts.txt file had been broken into smaller pieces and distributed across many different machines, with each piece pointing to the machines that hold the pieces below it in the tree.
DNS as a weak point of the internet
Every computer in the world has to know at least one of these DNS servers in order to use Internet services. So when we type theconversation.com into our browser to read the day's front page, our computer first contacts the DNS server it knows and asks it for the IP address associated with that name. Only then can it connect to the server where the news is stored, and we can read it quietly in our browser.
What happens if we get no response from DNS? We will not be able to read the news, even though our computer works perfectly, The Conversation's server does too, and our Internet connection has no problems.
For this reason DNS has always been a critical point in the network. If someone manages to make part of the DNS service stop working, for a while nobody will be able to look up the names in that part of the DNS tree, and many services will become unreachable.
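The walk down the tree described above (root, then TLD, then the zone that holds the name) and the failure mode of a zone whose server does not answer can be seen in a small simulation. The following is an added example written for this page, not code from the original article or from any real DNS software: the zone data, the server addresses (taken from the RFC 5737 documentation ranges) and the "down" server are all constructed for illustration, and the names uc3m.es, ucm.es and theconversation.com are used only as labels in that toy data.

```python
"""Toy iterative resolver: walks the DNS tree from the root, following delegations."""


class ResolutionError(Exception):
    """Raised when a name cannot be resolved (e.g. a zone's server is unreachable)."""


# Constructed sample data (hypothetical). Addresses come from the RFC 5737
# documentation ranges and are NOT the real servers for these names.
# Each entry is one authoritative server: owner name -> record type -> values.
# NS records delegate a subtree; the A records of the name servers are "glue"
# so the resolver can reach the next server down the tree.
ROOT = "198.51.100.1"
SERVERS = {
    ROOT: {  # root zone: delegates the TLDs
        "es.": {"NS": ["ns.nic.es."]},
        "ns.nic.es.": {"A": ["192.0.2.10"]},
        "com.": {"NS": ["ns.tld.net."]},
        "ns.tld.net.": {"A": ["192.0.2.20"]},
    },
    "192.0.2.10": {  # .es zone: delegates uc3m.es and ucm.es
        "uc3m.es.": {"NS": ["ns.uc3m.es."]},
        "ns.uc3m.es.": {"A": ["192.0.2.30"]},
        "ucm.es.": {"NS": ["ns.ucm.es."]},
        "ns.ucm.es.": {"A": ["192.0.2.40"]},  # 192.0.2.40 is absent below: "down"
    },
    "192.0.2.20": {  # .com zone (delegation and answer kept on one server for brevity)
        "theconversation.com.": {"A": ["203.0.113.9"]},
    },
    "192.0.2.30": {  # uc3m.es zone: authoritative for names under uc3m.es
        "www.uc3m.es.": {"A": ["203.0.113.5"]},
    },
}


def ancestors(name):
    """Yield the name, then each parent up to the root: 'www.uc3m.es.' -> ... -> '.'"""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def query(server_ip, name, qtype="A"):
    """What one authoritative server replies: ('ANSWER', ips), ('REFERRAL', glue) or ('NXDOMAIN', [])."""
    if server_ip not in SERVERS:
        raise ResolutionError(f"server {server_ip} is unreachable")
    zone = SERVERS[server_ip]
    if qtype in zone.get(name, {}):
        return "ANSWER", zone[name][qtype]
    # No answer here: refer the client to the closest delegation this server knows about.
    for parent in ancestors(name):
        ns_names = zone.get(parent, {}).get("NS")
        if ns_names:
            glue = {ns: zone.get(ns, {}).get("A", []) for ns in ns_names}
            return "REFERRAL", glue
    return "NXDOMAIN", []


def resolve(name, root=ROOT, max_hops=10):
    """Iterative resolution: start at the root and follow referrals down the tree.

    Returns (ips, path) where path lists every (server, reply kind) visited.
    """
    server, path = root, []
    for _ in range(max_hops):
        kind, payload = query(server, name)
        path.append((server, kind))
        if kind == "ANSWER":
            return payload, path
        if kind == "NXDOMAIN":
            return [], path
        # Referral: move to the first delegated name server that has a glue address.
        next_ip = next((ips[0] for ips in payload.values() if ips), None)
        if next_ip is None:
            raise ResolutionError(f"no address for the name servers of {name}")
        server = next_ip
    raise ResolutionError("too many referrals")


def lookup(name):
    """Resolve and report the outcome, returning the error message instead of raising."""
    try:
        ips, path = resolve(name)
        return {"ips": ips, "path": path, "error": None}
    except ResolutionError as exc:
        return {"ips": [], "path": [], "error": str(exc)}


if __name__ == "__main__":
    for n in ("www.uc3m.es.", "theconversation.com.", "www.ucm.es.", "www.nowhere.xyz."):
        print(n, lookup(n))
```

Resolving www.uc3m.es visits three servers (root, .es, uc3m.es); www.ucm.es fails with an "unreachable" error at the .es delegation even though the data for the name exists, which is exactly the situation the paragraph above describes: the web server may be fine, but the lookup never completes.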
One such attack took place in October 2016 against the company Dyn, a provider of DNS services. For several hours millions of users could not connect to services such as the BBC, CNN, Amazon and Netflix, among many others. It is considered one of the most serious attacks of recent years.
DNS has grown a great deal over the years and has been improved in many aspects related to its security. Readers should bear in mind, however, that complete security never exists, and more attacks of this kind are likely to follow.
Remember that, like all the early Internet protocols, DNS was initially designed without any kind of security: the Internet was a network for collaboration, with no economic transactions involved. Besides attacks like the one just mentioned, DNS has other problems.
If an attacker manages to impersonate your DNS server, they could send you to malicious pages when you try to connect to your bank. They could also learn which sites you visit and deduce your tastes or political ideology.
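Why impersonation is possible becomes clear from the wire format of a classic DNS message: apart from a 16-bit transaction identifier and the repeated question, there is nothing in a plain DNS reply that proves who sent it. The following is an added example written for this page, not code from the original article or from any DNS implementation. It builds a query and a reply in the real RFC 1035 message layout (header, question, one A record using a compression pointer to the question name), parses the reply, and applies the only checks a pre-DNSSEC stub resolver can make; the names and addresses are constructed for illustration.

```python
"""Minimal DNS wire format: build, parse and check a classic (unauthenticated) reply."""
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """'www.example.com.' -> b'\\x03www\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers. Returns (name, next_offset)."""
    labels, end, jumped = [], None, False
    for _ in range(128):  # guard against pointer loops in a malicious message
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two top bits set: 14-bit pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name occupies only the 2 pointer bytes here
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    else:
        raise ValueError("name too long or compression pointer loop")
    return ".".join(labels) + ".", (offset if end is None else end)


def build_query(txid, name):
    """Header (12 bytes) with RD=1 and one question, then the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(txid, name, ip, ttl=300):
    """Reply with QR=1, RD=1, RA=1, the echoed question and one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer to offset 12, where the question name starts.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(msg):
    """Parse header, question and A answers. Works on queries too (zero answers)."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(ancount):
        rname, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((rname, ".".join(str(b) for b in rdata), ttl))
    return {"id": txid, "qr": bool(flags & 0x8000),
            "question": (qname, qtype, qclass), "answers": answers}


def accept(query_msg, response_msg):
    """Everything a classic stub resolver can check before trusting a reply:
    it is a response, the transaction ID matches, and the question is echoed back."""
    q, r = parse_response(query_msg), parse_response(response_msg)
    return r["qr"] and r["id"] == q["id"] and r["question"] == q["question"]


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com.")
    genuine = build_response(0x1234, "www.example.com.", "203.0.113.5")
    # Constructed "impersonated" reply: same ID and question, different address.
    impostor = build_response(0x1234, "www.example.com.", "198.51.100.99")
    print(parse_response(genuine)["answers"], accept(q, genuine), accept(q, impostor))
```

Both replies pass accept(), because the message format gives the client no way to tell them apart; only the 16-bit ID (and, outside the message, the UDP source port) stands between a user and whoever can get a reply to the client first. That is the gap the mechanisms in the next paragraph were designed to close.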
Thus, over the years, DNS has been improved to provide confidentiality, integrity and availability, the pillars of security in communication networks. DNSSEC was defined first: it adds digital signatures to the data in each zone so that a client can verify that a response is authentic and has not been altered, although it does not hide the query from anyone watching the network. More recently DoT (DNS over TLS), DoH (DNS over HTTPS) and, most recently, DoQ (DNS over QUIC) have appeared; these encrypt the traffic between the client and its DNS server, adding confidentiality.
Finally, we cannot fail to emphasize that many of these latest proposals have been led by women network scientists (Allison Mankin and Sara Dickinson) who have had, and still have, a great deal to say in the construction of the Internet.