The Yo-Yo Attack: Bankrupting Cloud Infrastructure
A comprehensive guide to the Yo-Yo attack, an Economic Denial of Sustainability (EDoS) technique that targets auto-scaling mechanisms in cloud environments.
Feb 28, 2026 | Cybersecurity
The Domain Name System (DNS) is often called the "phone book of the internet." It translates human-friendly names like example.com into IP addresses like 93.184.216.34, which computers actually use to connect. Without DNS, the web would be much harder to use—imagine memorizing hundreds of numbers instead of simple names!
In this article, we'll explore how DNS works, its hierarchy, and how both attackers (Red Teams) and defenders (Blue Teams) think about DNS in cybersecurity.
When you type a domain into your browser (e.g., openai.com), your device doesn't know where that is yet. It asks DNS servers for the IP address so it can connect to the right server.
Think of DNS like asking a librarian for the location of a book:
DNS works in a hierarchical system, starting from your own device and extending all the way to global servers.
Local DNS Cache (Your Computer/Router)
Your operating system remembers DNS lookups for a while. If you recently visited github.com, your computer may already know the IP address.
Example (Linux with systemd-resolved):
# Show resolver cache statistics (cache size, hits, misses)
# On newer systemd releases the equivalent is: resolvectl statistics
sudo systemd-resolve --statistics
Local Resolver (ISP or Corporate DNS)
If your machine doesn't know, it asks a DNS resolver, usually provided by your ISP or company network. This resolver checks its own cache first.
Root Servers
If the resolver doesn't know, it starts at the top: the DNS root servers. These servers don't know exact websites but know where to find Top-Level Domains (TLDs) like .com, .org, or .net.
TLD Servers
These servers handle TLDs. For example, .com servers know the addresses of all authoritative name servers for .com domains.
Authoritative Name Servers
These hold the actual records for the domain. For openai.com, the authoritative server provides the final IP address.
DNS uses different record types to provide information:
Example (querying DNS with dig):
dig openai.com A
Output shows the IP address of openai.com.
Attackers often leverage DNS because it's trusted and always available.
Domain Enumeration
Red teams gather subdomains to discover hidden services.
# Using dig for subdomain brute forcing
dig admin.example.com A
DNS Tunneling
Attackers hide data inside DNS queries/responses to bypass firewalls. Tools like iodine and dnscat2 enable covert communication.
Typosquatting & Malicious Domains
Registering similar-looking domains (g00gle.com) to trick users into visiting phishing sites.
Always check the link before clicking it.
Defenders use DNS monitoring and configuration to detect and block threats.
DNS Logging & Threat Hunting
Monitoring DNS queries can reveal suspicious domains. Security teams often ingest DNS logs into SIEM systems.
Blocking Malicious Domains
Using DNS firewalls or services like Quad9 (9.9.9.9) to block known bad domains.
Preventing DNS Tunneling
Setting limits on DNS request size, monitoring unusual query patterns, and deploying intrusion detection rules.
DNSSEC (DNS Security Extensions)
Adds cryptographic signatures to prevent spoofing or tampering with DNS responses.
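The checks described above under DNS Logging & Threat Hunting and Preventing DNS Tunneling (query size, unusual patterns) can be sketched as a small log analyzer. This is an added example, not code from the original article; the log format, the thresholds and the sample lines are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "<timestamp> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2026-02-28T10:00:01Z 10.0.0.5 A github.com
2026-02-28T10:00:02Z 10.0.0.5 A www.example.com
2026-02-28T10:00:03Z 10.0.0.5 A api.example.com
2026-02-28T10:00:04Z 10.0.0.9 TXT 3f9a1c7e05b2d864a7c3e91f5b0d28465d0e8b3a6f1c9427.t.example.net
2026-02-28T10:00:05Z 10.0.0.9 TXT a7c3e91f5b0d28465d0e8b3a6f1c94273f9a1c7e05b2d864.t.example.net
2026-02-28T10:00:06Z 10.0.0.9 TXT 5d0e8b3a6f1c94273f9a1c7e05b2d864a7c3e91f5b0d2846.t.example.net
"""

# Assumed thresholds for this sample; derive real ones from baseline traffic.
MAX_QNAME_LEN = 50    # total query-name length in characters
MIN_ENTROPY = 3.5     # bits per character in the longest label
MAX_UNIQUE_NAMES = 2  # distinct names per (client, parent domain)

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def parent_domain(qname):
    # Naive last-two-labels split; production code should use the Public Suffix List.
    return ".".join(qname.split(".")[-2:])

def analyze(log_text):
    """Return (per-query findings, noisy (client, parent) pairs)."""
    findings, names = [], defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, client, _qtype, qname = parts
        qname = qname.rstrip(".").lower()
        longest = max(qname.split("."), key=len)
        reasons = []
        if len(qname) > MAX_QNAME_LEN:
            reasons.append("long-qname")
        if len(longest) >= 16 and entropy(longest) >= MIN_ENTROPY:
            reasons.append("high-entropy-label")
        if reasons:
            findings.append((client, qname, reasons))
        names[(client, parent_domain(qname))].add(qname)
    noisy = {k: len(v) for k, v in names.items() if len(v) > MAX_UNIQUE_NAMES}
    return findings, noisy

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Per-query findings feed alerting on individual lookups, while the per-client count of distinct names under one parent domain catches tunnels whose single queries stay under the size limit.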
Linux systems rely on DNS resolvers such as Unbound, BIND, or systemd-resolved. Below are common approaches.
Unbound is a validating, recursive DNS resolver that supports DNSSEC out of the box.
sudo apt update
sudo apt install unbound
Edit the config file /etc/unbound/unbound.conf.d/dnssec.conf to enable DNSSEC:
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no
    val-clean-additional: yes
    harden-dnssec-stripped: yes
Download root trust anchor:
sudo unbound-anchor -a "/var/lib/unbound/root.key"
Restart Unbound:
sudo systemctl restart unbound
Example (checking DNSSEC with dig):
dig +dnssec example.com
Let's trace a lookup for openai.com step by step:
.com) → authoritative server.
104.18.12.123.
This entire process usually takes milliseconds.
Understanding DNS is foundational for anyone entering networking or cybersecurity. It's a system that seems simple at first—but plays a critical role in both attacks and defense.