DNS Architecture: Recursive, Authoritative, DNSSEC, DoH, DoT and DNS Security
DNS (Domain Name System) translates domain names into IP addresses and is the most critical piece of internet infrastructure. Recursive resolvers perform lookups on behalf of clients; authoritative servers hold the DNS records that are the source of truth; DNSSEC protects against DNS spoofing with cryptographic signatures; DoH (DNS over HTTPS) and DoT (DNS over TLS) encrypt DNS queries between client and resolver; and DNS security covers the defenses against DNS-based attacks.
DNS is effectively a single point of failure for the internet: if DNS is down, everything stops (websites, email, APIs, cloud services). DNS is also a major attack vector: DNS hijacking, DNS tunneling, DDoS against DNS, cache poisoning. Designing a DNS architecture that is secure, resilient and performant is therefore essential.
DNS Resolution Process
| Step | Action | Server |
|---|---|---|
| 1. Client query | User types www.example.com; the OS checks its local cache, then the hosts file | Local |
| 2. Recursive resolver | The stub resolver sends the query to a recursive resolver (ISP DNS, or a public one such as 8.8.8.8 or 1.1.1.1) | Recursive |
| 3. Root server | Resolver asks a root server and receives a referral to the .com TLD servers | Root (13 named servers, a through m, served by 1000+ anycast instances) |
| 4. TLD server | Resolver asks a .com TLD server and receives a referral to example.com's authoritative servers | TLD (.com, .net, .org, .th) |
| 5. Authoritative | Resolver asks an example.com authoritative server and receives the IP address (A record) | Authoritative NS |
| 6. Response | Resolver caches the answer (for its TTL) and returns the IP to the client, which then connects | Recursive → Client |
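The exchange in the table above, as an added example that is not part of the original page: a standard-library Python walkthrough of the DNS wire format. It builds the query a recursive resolver sends (random 16-bit transaction ID, 0x20 mixed-case name), constructs the authoritative server's answer for the demo, parses it, and applies the checks a resolver uses to reject a blindly spoofed answer: the transaction ID and the echoed question (including letter case) must match what was sent. Names and addresses are constructed sample data; the seeded `random.Random` is only for a reproducible demo, a real resolver draws the ID and source port from a CSPRNG.

```python
"""DNS wire format: build a query, parse a response, validate it (added example)."""
import random
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def mix_case_0x20(name: str, rng: random.Random) -> str:
    """Randomize the 0x20 (case) bit of each letter; a spoofer must guess it too."""
    return "".join(c.upper() if c.isalpha() and rng.random() < 0.5 else c.lower()
                   for c in name)


def build_query(name: str, txid: int, rd: bool = True) -> bytes:
    """Header (ID, flags, QD=1) followed by one question for an A record."""
    flags = 0x0100 if rd else 0x0000  # RD = recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg: bytes) -> dict:
    """Parse header, question and A answers (other RR types are skipped)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "rcode": flags & 0xF, "qname": qname,
            "qtype": qtype, "answers": answers}


def validate_response(query: bytes, response: bytes) -> bool:
    """Resolver-side anti-spoofing checks: ID and echoed question (case-exact)."""
    sent = parse_response(query)  # a query has the same header/question layout
    got = parse_response(response)
    return (got["txid"] == sent["txid"] and got["qname"] == sent["qname"]
            and got["qtype"] == sent["qtype"])


def build_a_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed authoritative answer: echo the question, add one A record."""
    txid = parse_response(query)["txid"]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = query[12:]
    rr = (struct.pack("!H", 0xC00C)  # pointer to the qname at offset 12
          + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
          + bytes(int(x) for x in ip.split(".")))
    return header + question + rr


def demo(seed: int = 7):
    """Genuine answer passes; an attacker's guess with the wrong ID/case fails."""
    rng = random.Random(seed)  # demo only; use secrets.randbits(16) in practice
    txid = rng.getrandbits(16)
    query = build_query(mix_case_0x20("www.example.com", rng), txid)
    genuine = build_a_response(query, "93.184.216.34")
    spoof = build_a_response(build_query("www.example.com", (txid + 1) & 0xFFFF),
                             "203.0.113.66")
    return (validate_response(query, genuine), validate_response(query, spoof),
            parse_response(genuine)["answers"])
```

The 0x20 check works because the authoritative server copies the question bytes verbatim, so a blind spoofer has to guess not only the 16-bit ID (and the source port, not modelled here) but every letter's case as well.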
Recursive vs Authoritative
| Feature | Recursive Resolver | Authoritative Server |
|---|---|---|
| Role | Finds the answer on behalf of the client (walks the DNS tree) | Holds the DNS records (source of truth) |
| Cache | Caches responses for their TTL, so repeat queries are fast | Does not cache; answers from its own zone data |
| Examples | 8.8.8.8 (Google), 1.1.1.1 (Cloudflare), ISP DNS | ns1.example.com, Route 53, Cloudflare DNS |
| Open/Closed | Open recursive = serves anyone (public DNS); closed = serves internal clients only | Not recursive: answers only for the zones it is authoritative for |
| Security | Target for cache poisoning and DDoS amplification abuse | Target for zone transfer (AXFR) leaks and DDoS |
DNS Record Types
| Record | Purpose | Example |
|---|---|---|
| A | IPv4 address | www.example.com → 93.184.216.34 |
| AAAA | IPv6 address | www.example.com → 2606:2800:220:1:248:1893:25c8:1946 |
| CNAME | Alias (canonical name) | blog.example.com → example.com |
| MX | Mail server (priority, host) | example.com MX 10 mail.example.com |
| TXT | Free text (SPF, DKIM, DMARC, domain verification) | v=spf1 include:_spf.google.com ~all |
| NS | Nameserver delegation | example.com NS ns1.cloudflare.com |
| SOA | Start of Authority (zone metadata) | Serial, refresh, retry, expire, minimum TTL |
| SRV | Service location (priority, weight, port, target) | _sip._tcp.example.com SRV 10 60 5060 sipserver.example.com |
| CAA | Certificate Authority Authorization (which CAs may issue for the name) | example.com CAA 0 issue "letsencrypt.org" |
DNSSEC
| Feature | Detail |
|---|---|
| What it is | DNS Security Extensions: cryptographic signatures added to DNS responses, giving authenticity and integrity (not confidentiality: DNSSEC does not encrypt anything) |
| Problem solved | DNS cache poisoning / spoofing (e.g. the Kaminsky attack), where an attacker injects forged responses |
| How | The zone owner signs each record set with a private key; a validating resolver checks the signature with the public key published in the zone and follows the chain of trust up to the root |
| RRSIG | Signature record: the cryptographic signature over one record set (RRset) |
| DNSKEY | Public key record, used to verify RRSIGs; KSK (flags 257) and ZSK (flags 256) |
| DS (Delegation Signer) | Hash of the child zone's KSK DNSKEY, published in the parent zone; this is the link that establishes trust from parent to child |
| Chain of trust | Root (trust anchor) → TLD → domain → sub-domain: each parent publishes a DS for its child's key, and each zone's DNSKEY signs that zone's own records |
| NSEC/NSEC3 | Authenticated denial of existence (proves a name really does not exist, so an NXDOMAIN cannot be spoofed); NSEC3 hashes the names to make zone enumeration harder |
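The DS/DNSKEY link described in the table, as an added example that is not part of the original page: standard-library Python implementing the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4: SHA-256 over the canonical owner name followed by the DNSKEY RDATA), then walking a root → com → example.com chain the way a validating resolver does at each delegation. The public keys are constructed byte strings, not real keys, and RRSIG verification itself (which needs an RSA/ECDSA library) is out of scope.

```python
"""DNSSEC chain of trust at the DS/DNSKEY level (added example, stdlib only)."""
import hashlib
import struct

ALG_ECDSAP256SHA256 = 13  # algorithm number from the IANA registry
DIGEST_SHA256 = 2         # DS digest type 2
KSK_FLAGS = 257           # ZONE (256) + SEP (1): the key a DS should point at
ZSK_FLAGS = 256


def canonical_name(name: str) -> bytes:
    """Lowercase wire-format owner name; '.' (root) encodes as a single zero byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum used to pick a key out of an RRset."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = DIGEST_SHA256) -> dict:
    """DS record fields a parent publishes for a child's KSK."""
    if digest_type != DIGEST_SHA256:
        raise ValueError("only SHA-256 DS digests are implemented here")
    digest = hashlib.sha256(canonical_name(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    """Resolver check at a delegation: recompute the DS from the child's DNSKEY
    and compare with the DS the (already validated) parent published."""
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & 1:  # SEP bit clear: a ZSK is not what the parent commits to
        return False
    expected = make_ds(owner, rdata, ds["digest_type"])
    return (expected["key_tag"] == ds["key_tag"]
            and expected["algorithm"] == ds["algorithm"]
            and expected["digest"] == ds["digest"])


def fake_public_key(seed: str) -> bytes:
    """Constructed 64-byte stand-in for a P-256 public key (NOT a real key)."""
    h = hashlib.sha256(seed.encode()).digest()
    return h + hashlib.sha256(h).digest()


def build_chain():
    """Zones root -> com -> example.com; each parent holds a DS for its child's KSK.
    The root's own 'DS' plays the role of the resolver's configured trust anchor."""
    zones = [".", "com", "example.com"]
    keys = {z: dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256, fake_public_key("ksk-" + z))
            for z in zones}
    ds_in_parent = {z: make_ds(z, keys[z]) for z in zones}
    return zones, keys, ds_in_parent


def validate_chain(zones, keys, ds_in_parent) -> list:
    """Per-zone (name, ok) results, stopping at the first broken link."""
    results = []
    for z in zones:
        ok = ds_matches(ds_in_parent[z], z, keys[z])
        results.append((z, ok))
        if not ok:
            break
    return results


def demo():
    """Intact chain validates; swapping example.com's KSK breaks it at that link."""
    zones, keys, ds = build_chain()
    good = validate_chain(zones, keys, ds)
    keys["example.com"] = dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256,
                                       fake_public_key("attacker-key"))
    bad = validate_chain(zones, keys, ds)
    return good, bad
```

The point of the walk: an attacker who can serve a forged DNSKEY for example.com still cannot make it match the DS that .com publishes, and .com's DS is in turn covered by the root, which the resolver trusts from its configured anchor.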
DoH and DoT
| Feature | DoH (DNS over HTTPS) | DoT (DNS over TLS) |
|---|---|---|
| Port | 443 (same as HTTPS) | 853 (dedicated port) |
| Encryption | TLS via HTTPS (DNS message in an HTTP request/response) | TLS directly over TCP |
| Visibility | Blends in with HTTPS traffic, hard to block or monitor | Separate port, easy to identify and block |
| Enterprise | Problematic: bypasses the corporate resolver and its policy unless clients are pointed at an internal DoH endpoint (Firefox also backs off when the canary domain use-application-dns.net is blocked) | Preferred: can be controlled at the firewall |
| Privacy | ISP/network does not see the queries (encrypted and blended) | ISP does not see the contents but can see that DNS traffic exists (port 853) |
| Providers | Cloudflare (1.1.1.1), Google (8.8.8.8), Quad9 | Same providers, plus more enterprise options |
| Client support | Firefox, Chrome, Edge (built in); Windows 11 and iOS 14+ at OS level | OS level: Android 9+ (Private DNS), iOS 14+ (configuration profile); stub resolvers such as systemd-resolved and Unbound |

Both only encrypt the hop between client and recursive resolver: the resolver still sees every query, and the resolver's own queries to root, TLD and authoritative servers remain plain UDP/TCP DNS. Neither replaces DNSSEC, which provides authenticity rather than confidentiality.
DNS Security Threats
| Threat | Attack | Defense |
|---|---|---|
| Cache poisoning | Inject forged responses into a resolver's cache | DNSSEC validation, source port randomization, 0x20 case randomization |
| DNS hijacking | Compromise DNS settings (router, OS, registrar) to redirect users to a malicious site | Registrar lock, DNSSEC, monitoring of DNS changes |
| DNS tunneling | Encode data in DNS queries to exfiltrate data or carry C2 traffic | DNS query analysis (label length, entropy, query frequency per zone), block suspicious patterns |
| DDoS on DNS | Overwhelm authoritative/recursive servers with queries | Anycast, rate limiting, a DNS provider with DDoS protection |
| DNS amplification | Spoof the victim's IP, query open resolvers, amplified responses hit the victim | Close open resolvers, response rate limiting (RRL), BCP 38 source-address filtering |
| Domain hijacking | Take over the domain at the registrar (social engineering, credential theft) | Registrar lock / registry lock, MFA on the registrar account, monitor NS and WHOIS changes (DNSSEC does not help here: whoever controls the registrar account can replace the DS too) |
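The tunneling defense in the table (query analysis on label length, entropy and frequency), as an added example that is not part of the original page: a heuristic detector in standard-library Python run over a constructed query log. The log format (`timestamp client qname qtype rcode`), the zone split (naive last-two-labels instead of the Public Suffix List) and the thresholds are all assumptions for the demo; the tunnel zone `badtunnel.example` and its payload labels are constructed.

```python
"""Heuristic DNS-tunneling detector over a constructed query log (added example)."""
import hashlib
import math
from collections import defaultdict

# Illustrative starting points, not vendor values; tune per environment.
MAX_LABEL_LEN = 30          # labels longer than this are rare for human-named hosts
MIN_ENTROPY = 3.5           # bits/char: encoded payloads sit near 4+, hostnames near 2-3
MIN_UNIQUE_SUBDOMAINS = 20  # many never-repeated subdomains of one zone = cache-busting carrier
TXT_RATIO = 0.5             # TXT/NULL-heavy traffic to one zone is a classic tunnel signature


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname: str):
    """Naive (subdomain, zone) split on the last two labels; real tooling uses the PSL."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line: str) -> dict:
    """Assumed log format: '<ts> <client-ip> <qname> <qtype> <rcode>'."""
    ts, client, qname, qtype, rcode = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype, "rcode": rcode}


def analyze(lines) -> dict:
    """Aggregate per zone and return {zone: [reasons]} for zones that trip a rule."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "max_label": 0,
                                 "entropy_sum": 0.0, "txt": 0})
    for line in lines:
        rec = parse_line(line)
        sub, zone = split_zone(rec["qname"])
        s = stats[zone]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["max_label"] = max([s["max_label"]] + [len(l) for l in sub.split(".") if l])
        s["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        s["txt"] += rec["qtype"] in ("TXT", "NULL")
    findings = {}
    for zone, s in stats.items():
        reasons = []
        if s["max_label"] > MAX_LABEL_LEN:
            reasons.append("long_labels")
        if s["entropy_sum"] / s["queries"] > MIN_ENTROPY:
            reasons.append("high_entropy")
        if len(s["subdomains"]) >= MIN_UNIQUE_SUBDOMAINS:
            reasons.append("many_unique_subdomains")
        if s["txt"] / s["queries"] > TXT_RATIO:
            reasons.append("txt_heavy")
        if reasons:
            findings[zone] = reasons
    return findings


def constructed_log() -> list:
    """Constructed sample: ordinary traffic to example.com plus a tunnel to badtunnel.example."""
    lines = [f"2024-01-01T10:00:{i % 60:02d} 10.0.0.5 www.example.com A NOERROR"
             for i in range(40)]
    lines.append("2024-01-01T10:00:41 10.0.0.5 mail.example.com MX NOERROR")
    for i in range(30):
        payload = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:60]  # 60-char label
        lines.append(f"2024-01-01T10:01:{i:02d} 10.0.0.7 "
                     f"{payload}.{i:04x}.t.badtunnel.example TXT NOERROR")
    return lines
```

Each rule alone produces false positives (CDNs and anti-spam services also use long, high-entropy labels), so in practice the reasons are scored together and correlated with the client count and the zone's age or reputation before anything is blocked.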
DNS Architecture Best Practices
| Practice | Detail |
|---|---|
| Separate recursive and authoritative | Do not run recursive and authoritative service on the same server (security and performance) |
| Anycast authoritative | Deploy authoritative DNS on anycast: resilient, fast, DDoS resistant |
| Multiple NS records | At least 2 NS records on different networks (redundancy) |
| Sign with DNSSEC | Sign zones with DNSSEC so validating resolvers can reject poisoned answers |
| Low TTL for critical records | Records used for failover: TTL 60-300 s; stable records: TTL 3600-86400 s |
| Monitor | Monitor query rate, NXDOMAIN rate and response time to detect anomalies |
| Encrypt | DoT for enterprise (controllable); DoH for consumer privacy |
Closing thoughts: DNS = The Phone Book of the Internet
- Resolution: client → recursive resolver → root → TLD → authoritative → response (cached)
- Recursive vs authoritative: recursive walks the tree (cache, open/closed); authoritative = source of truth
- Records: A (IPv4), AAAA (IPv6), CNAME (alias), MX (mail), TXT (SPF/DKIM), NS, SOA, CAA
- DNSSEC: cryptographic signatures → chain of trust (root → TLD → domain) → prevents cache poisoning
- DoH: encrypted DNS over HTTPS (port 443, blends in); DoT: encrypted over TLS (port 853, controllable)
- Threats: cache poisoning, hijacking, tunneling, DDoS, amplification
- Best practices: separate recursive/authoritative, anycast, DNSSEC, multiple NS, monitor, encrypt