DNS, DNSSEC, and DoH
Work in Progress – not finished.
DNS stands for “Domain Name System”. It is how devices attached to the Internet determine the IP address of another device on the Internet they wish to communicate with, among other things.
When different devices connected to the Internet (or a private network implementing the IP protocol) wish to communicate, they do so using numbers, similar to how phone numbers work.
Take the following phone number: (530) 878-5035.
530 is what is known as the Area Code. 878 is the prefix. 5035 is the number within the prefix. Dialing those numbers helps phone switches know how to route your call so that you will reach the office of Doug LaMalfa and can give him an earful about his support for the NRA and his denial of Climate Change, despite Climate Change playing a large role in major parts of his district burning.
The IP protocol works conceptually in a similar way to a phone number: it is used to route the communication to the proper device on the network. With IPv4 an IP address has four components. For example:
(Image: Parts of an IP address)
There appear to be four parts to that IP address, delimited by periods. Actually there are only two parts. The first part defines the network the device is on, and the second part is the device’s unique ID within that network.
The four numbers (in IPv4) delimited by periods are octets, each holding one of 256 different values in the decimal range 0 to 255. Each octet is eight bits, and 2^8 = 256, which is why they are called octets.
There are three classes of networks.
A class A network is defined by the first octet only, and can have over 16 million devices connected to it. A Class B network is defined by the first two octets and can have over 65,000 devices connected to it. A Class C network is defined by the first three octets and can have as many as 256 devices connected to it.
Which class of network an IP address belongs to, and how to route data to the right device within that network, is something for routers to worry about. For us, an IPv4 address is four octets, and it isn’t easy to remember very many of them; it is much easier to remember vanity domain names.
DNS – A Distributed Phonebook
When you want to call someone and you know their name, traditionally you would look up their name in a telephone directory and it would list the phone number for that person. DNS serves a similar purpose. A vanity domain name is used to find the corresponding IP address.
DNS is a distributed database that uses two types of servers to find the information you seek.
The first type of server is called an Authoritative Name Server. It contains answers to questions about one or more specific zones and does not try to answer questions beyond the scope of the zones it is in charge of.
The second type of server is called a Recursive Resolver. You ask it anything you want, and it will try to find the right Authoritative Name Server to ask, get the answer, and then send you the answer. It usually will then cache the answer so that the next time you or someone else asks for the same answer, it can just give it to you without needing to find the right Authoritative Name Server.
Here’s how it works.
You want to visit notrackers.com so you enter notrackers.com into the URL bar of your browser.
Your browser then asks the operating system if it knows the IP address for notrackers.com. The operating system makes a request to a Recursive Resolver asking for the A record associated with notrackers.com.
The Recursive Resolver, assuming it does not already have the answer, then makes a request to one of the authoritative root name servers.
The authoritative root name server responds by saying “I don’t have the answer, but here is the address for the Authoritative Name Server in charge of the .com. zone.”
The recursive resolver then asks the Authoritative Name Server in charge of the .com. zone. It replies by saying “I don’t have the answer, but here is the address for the Authoritative Name Server in charge of the notrackers.com. zone”.
The recursive resolver then asks the Authoritative Name Server in charge of the notrackers.com. zone. It replies by saying “Yup, I do have the answer. The A record has a value of 188.8.131.52 and feel free to store that answer for 3600 seconds so that if someone asks again within that time, you can give them the same answer.”
The recursive resolver then responds to your operating system with the answer, and your operating system responds to your browser with the answer, and your browser now knows the IP address to connect to when you want to visit notrackers.com.
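The walkthrough above as a runnable simulation (an added example, not code from the original page): a constructed three-server tree (root, .com, notrackers.com) carrying the A record and 3600-second TTL from the text, a recursive resolver that chases the referrals, and a cache that honours the TTL. The server names and the injectable clock are assumptions made for the example.

```python
import time

# Constructed mini-DNS tree for the walkthrough: each authoritative server answers
# only for its own zone and otherwise hands out a referral ("NS") to the next server.
ROOT = "root"
AUTHORITATIVE = {
    "root": {"com.": ("NS", "com-server")},
    "com-server": {"notrackers.com.": ("NS", "notrackers-server")},
    "notrackers-server": {"notrackers.com.": ("A", "188.8.131.52", 3600)},
}

def ask_authoritative(server, name):
    """Return ('A', ip, ttl), ('NS', next_server) or None for the longest suffix this server knows."""
    zone = AUTHORITATIVE[server]
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return None

class RecursiveResolver:
    def __init__(self, clock=time.time):
        self.cache = {}      # name -> (ip, expires_at)
        self.clock = clock   # injectable so TTL expiry can be exercised without waiting
        self.queries = []    # (server, name) pairs actually sent, for inspection

    def resolve(self, name):
        """Return (ip, from_cache): walk root -> .com -> notrackers.com, honouring the TTL."""
        if not name.endswith("."):
            name += "."
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0], True
        server = ROOT
        for _ in range(10):  # bound referral chasing so a misconfigured loop cannot spin forever
            self.queries.append((server, name))
            answer = ask_authoritative(server, name)
            if answer is None:
                raise LookupError(f"no answer for {name} at {server}")
            if answer[0] == "NS":
                server = answer[1]
                continue
            _, ip, ttl = answer
            self.cache[name] = (ip, now + ttl)
            return ip, False
        raise LookupError(f"too many referrals resolving {name}")
```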
DNS over HTTPS
Mozilla (makers of the Firefox browser) want to change how things work with respect to DNS.
Rather than have the browser ask the operating system’s facilities for the IP address (and related information), they want the browser to use HTTPS to ask a specified third-party DNS server. They call this DNS over HTTPS (DoH).
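What that HTTPS request actually carries, as an added example that is not from the page or from Mozilla: under RFC 8484 the browser sends the ordinary DNS wire-format query (here for the A record of notrackers.com) base64url-encoded in a GET parameter, and receives the wire-format response as the HTTPS body. The resolver URL https://doh.example/dns-query is a placeholder, and the response bytes checked against the parser are constructed for the example.

```python
import base64
import struct

def build_query(name, qtype=1, txid=0):
    """Encode a one-question DNS query in RFC 1035 wire format (RD=1). RFC 8484 suggests ID 0 for GET so caches work."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(resolver_url, query):
    """RFC 8484 GET form: the wire-format query goes in the 'dns' parameter, base64url with padding stripped."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"

def _skip_name(message, offset):
    """Advance past a (possibly compressed) domain name and return the next offset."""
    while True:
        length = message[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return offset + 2
        offset += 1 + length

def parse_a_answers(message):
    """Return [(ttl, ipv4), ...] from the answer section of a DNS response (the DoH response body)."""
    _txid, flags, qdcount, ancount = struct.unpack("!HHHH", message[:8])
    if flags & 0x000F:  # non-zero RCODE: the resolver reported an error such as NXDOMAIN
        raise ValueError(f"DNS error, rcode={flags & 0xF}")
    offset = 12
    for _ in range(qdcount):  # skip the echoed question(s): name + QTYPE + QCLASS
        offset = _skip_name(message, offset) + 4
    records = []
    for _ in range(ancount):
        offset = _skip_name(message, offset)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", message[offset:offset + 10])
        offset += 10
        rdata = message[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:  # A record, class IN
            records.append((ttl, ".".join(str(b) for b in rdata)))
    return records
```

The same bytes travel over UDP port 53 in classic DNS; DoH changes the transport and which party receives the query, not the message format.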
There are some legitimate issues with how DNS works, but I do not believe DoH is the right solution.
On separate pages that are child pages of this page, I will go into further detail on this topic and explain why DoH is not the right solution to the problem.