DNS Deep Dive: Recursive, Authoritative, DNSSEC, DNS over HTTPS, Split DNS and DNS Security
DNS (Domain Name System) is critical infrastructure of the internet. The recursive resolver performs lookups on behalf of clients; the authoritative server answers queries for the domains it is responsible for; DNSSEC adds digital signatures to prevent spoofing; DNS over HTTPS (DoH) encrypts DNS queries; Split DNS separates internal and external views; and DNS Security defends against DNS-based attacks.

DNS is the most critical single point of failure: if DNS goes down, every service goes down with it (web, email, VPN, cloud, SaaS) even though the servers themselves are still running. The Dyn DNS attack (2016) took Twitter, Netflix, Reddit and GitHub down at the same time. DNS is also used as an attack vector: DNS tunneling (data exfiltration), DNS spoofing/cache poisoning, DNS amplification DDoS and domain hijacking.
DNS Resolution Process

| Step | Action | Server |
|---|---|---|
| 1 | Client queries "www.example.com" → check local cache first | Client OS resolver |
| 2 | If not cached → send to recursive resolver (ISP DNS or 8.8.8.8) | Recursive Resolver |
| 3 | Recursive checks its cache → on a miss, query a root server: "who handles .com?" | Root Server (13 clusters: a-m.root-servers.net) |
| 4 | Root responds: "ask the .com TLD server at [IP]" | Root → Recursive |
| 5 | Recursive queries the .com TLD: "who handles example.com?" | TLD Server (.com, .net, .org) |
| 6 | TLD responds: "ask the authoritative server at [IP]" | TLD → Recursive |
| 7 | Recursive queries the authoritative server: "what is www.example.com?" | Authoritative Server |
| 8 | Authoritative responds: "93.184.216.34" → recursive caches the answer and returns it to the client | Authoritative → Recursive → Client |
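The eight steps above played through in code, as an added example that is not from the original post: a small recursive resolver that starts at a constructed root, follows each referral by longest-suffix match and caches the final answer for its TTL. The server names and zone data are made up for the demonstration.

```python
import time

# Constructed zone data for the walk-through (not real servers). Each server knows only its
# own delegations: a referral ("NS", next server) or a final answer ("A", ip, ttl seconds).
SERVERS = {
    "root":         {"com.": ("NS", "tld-com")},
    "tld-com":      {"example.com.": ("NS", "auth-example")},
    "auth-example": {"www.example.com.": ("A", "93.184.216.34", 300)},
}

def suffixes(name: str) -> list:
    """Ancestor names of a FQDN, longest first: www.example.com. -> example.com. -> com."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]

class RecursiveResolver:
    """Performs the iterative lookup on behalf of a client and keeps a TTL-based cache."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.cache = {}                      # name -> (ip, expiry timestamp)

    def resolve(self, name: str):
        """Return (ip, servers queried). An empty server list means the answer came from cache."""
        hit = self.cache.get(name)
        if hit and hit[1] > self.clock():    # steps 1-2: cached and TTL not yet expired
            return hit[0], []
        asked, server = [], "root"           # step 3: cache miss, start at the root
        for _ in range(len(SERVERS) + 1):    # bound the walk so a bad delegation cannot loop forever
            asked.append(server)
            zone = SERVERS[server]
            record = next((zone[s] for s in suffixes(name) if s in zone), None)
            if record is None:
                raise LookupError(f"{server} holds no delegation for {name}")
            if record[0] == "A":             # step 8: authoritative answer -> cache it, return it
                ip, ttl = record[1], record[2]
                self.cache[name] = (ip, self.clock() + ttl)
                return ip, asked
            server = record[1]               # steps 4-7: follow the referral to the next server
        raise LookupError("delegation loop")

if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("www.example.com."))     # walks root -> tld-com -> auth-example
    print(r.resolve("www.example.com."))     # served from cache, no servers queried
```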
Recursive vs Authoritative

| Feature | Recursive Resolver | Authoritative Server |
|---|---|---|
| Role | Lookup agent — finds answers on behalf of clients | Source of truth — holds the actual DNS records for its domains |
| Cache | Caches responses (TTL-based) → faster subsequent queries | No caching needed — has the authoritative data |
| Examples | Google (8.8.8.8), Cloudflare (1.1.1.1), ISP DNS | Route53, Cloudflare DNS, BIND, Windows DNS |
| Query Type | Receives recursive queries → performs iterative lookups | Receives iterative queries → responds with an answer or a referral |
| Security | Target of cache poisoning → validate with DNSSEC | Target of zone transfer attacks → restrict AXFR/IXFR |
DNS Record Types

| Record | Purpose | Example |
|---|---|---|
| A | Domain → IPv4 address | www.example.com → 93.184.216.34 |
| AAAA | Domain → IPv6 address | www.example.com → 2606:2800:220:1:248:1893:25c8:1946 |
| CNAME | Alias → canonical name | blog.example.com → example.com |
| MX | Mail exchange (email routing) | example.com → mail.example.com (priority 10) |
| TXT | Text data (SPF, DKIM, DMARC, verification) | v=spf1 include:_spf.google.com ~all |
| NS | Nameserver delegation | example.com → ns1.cloudflare.com |
| SOA | Start of Authority — zone metadata (serial, refresh, retry, expire) | Primary NS, admin email, serial number |
| SRV | Service location (port + host) | _sip._tcp.example.com → sipserver.example.com:5060 |
| PTR | Reverse DNS (IP → domain) | 34.216.184.93.in-addr.arpa → www.example.com |
DNSSEC

| Feature | Details |
|---|---|
| What it is | DNS Security Extensions: digital signatures on DNS records → verify authenticity and integrity |
| RRSIG | Resource Record Signature: the digital signature over a DNS record set |
| DNSKEY | Public key used to verify RRSIGs |
| DS | Delegation Signer: hash of the child zone's DNSKEY → chain of trust from the root downward |
| Chain of Trust | Root → .com → example.com: each level signs with its own key → verified from the root downward |
| Prevents | Cache poisoning, DNS spoofing — an attacker cannot forge signed responses |
| Limitation | No encryption (still plaintext) → use DoH/DoT for encryption |
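An added example, not from the original post, of the DS/DNSKEY linkage that forms the chain of trust: key tags and DS digests computed as RFC 4034 defines them, then a check that every zone's DNSKEY is vouched for by the DS its parent publishes (or by the configured trust anchor for the root). The keys are constructed placeholders, and the RRSIG signature check itself is left out; only the delegation linkage is shown.

```python
import hashlib

def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format (lower-case labels, RFC 4034 s.6); '.' -> b'\\x00'."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA = flags(2) | protocol(1, always 3) | algorithm(1) | public key (RFC 4034 s.2)."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): lets a validator pick the right key out of a DNSKEY set."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, rdata: bytes) -> tuple:
    """DS = (key tag, algorithm, digest type 2, SHA-256(canonical owner || DNSKEY RDATA)), s.5.1.4."""
    digest = hashlib.sha256(canonical_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def validate_chain(chain, trust_anchor) -> bool:
    """Walk from the root down: each zone's DNSKEY must hash to the DS its parent published
    (the trust anchor for the root). Any mismatch means the key is not vouched for."""
    expected = trust_anchor
    for owner, rdata, ds_for_child in chain:
        if ds_record(owner, rdata) != expected:
            return False
        expected = ds_for_child
    return True

# Constructed keys for the demo (not real DNSKEYs): flags 257 = KSK, algorithm 13 = ECDSA P-256.
ROOT_KEY = dnskey_rdata(257, 13, bytes(range(32)))
COM_KEY = dnskey_rdata(257, 13, bytes(range(32, 64)))
EXAMPLE_KEY = dnskey_rdata(257, 13, bytes(range(64, 96)))
TRUST_ANCHOR = ds_record(".", ROOT_KEY)      # what a validating resolver is configured with

def build_chain(observed_example_key=EXAMPLE_KEY):
    """The chain as a validator sees it: DS records come from the parents (derived from the
    genuine keys); the DNSKEY at example.com is whatever the (possibly spoofed) response carried."""
    return [(".", ROOT_KEY, ds_record("com.", COM_KEY)),
            ("com.", COM_KEY, ds_record("example.com.", EXAMPLE_KEY)),
            ("example.com.", observed_example_key, None)]

if __name__ == "__main__":
    print("genuine chain valid:", validate_chain(build_chain(), TRUST_ANCHOR))
    forged = dnskey_rdata(257, 13, bytes(range(96, 128)))   # key a spoofer substituted
    print("forged key accepted:", validate_chain(build_chain(forged), TRUST_ANCHOR))
```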
DNS over HTTPS (DoH) / DNS over TLS (DoT)

| Feature | DoH | DoT |
|---|---|---|
| Protocol | DNS queries over HTTPS (port 443) | DNS queries over TLS (port 853) |
| Encryption | Full encryption — looks like normal HTTPS traffic | Full encryption — dedicated port (easy to identify) |
| Privacy | ISP/network can't see DNS queries (mixed with HTTPS) | ISP can see you're using DoT (port 853) but not the queries |
| Blocking | Hard to block (same port as HTTPS) | Easy to block (block port 853) |
| Providers | Cloudflare (1.1.1.1), Google (8.8.8.8), Quad9 (9.9.9.9) | Same providers |
| Browser / OS | Firefox, Chrome, Edge — built-in DoH support | OS-level support (Android, Windows 11) |
| Enterprise Issue | Bypasses corporate DNS filtering → security concern → need to control DoH | Easier to manage (block port 853 if needed) |
Split DNS

| Feature | Details |
|---|---|
| What it is | The DNS server answers differently depending on the source: internal clients → internal IPs, external clients → public IPs |
| Internal View | mail.example.com → 10.1.1.5 (internal IP) — direct access, no hairpin NAT |
| External View | mail.example.com → 203.0.113.5 (public IP) — through firewall/NAT |
| Advantage | Internal users reach servers directly (faster); internal structure stays hidden from outside |
| Implementation | BIND views, Windows DNS policies, Infoblox DNS views |
| DNS Pinning | Caution: split DNS can cause issues with DNS rebinding attacks → validate responses |
DNS Security Threats

| Attack | How | Defense |
|---|---|---|
| Cache Poisoning | Inject a fake DNS response → resolver caches the wrong IP → users go to the attacker's site | DNSSEC, randomize source port + TXID, use trusted resolvers |
| DNS Tunneling | Encode data in DNS queries/responses → exfiltrate data or bypass firewalls | DNS traffic analysis, monitor query patterns, DNS firewall |
| DNS Amplification DDoS | Spoof source IP → send a small query → get a large response (amplification factor 50-70x) | Rate limiting, BCP38 (anti-spoofing), Response Rate Limiting |
| Domain Hijacking | Steal a domain via registrar account compromise or social engineering | Registrar lock, 2FA on the registrar account, DNSSEC |
| Typosquatting | Register domains similar to legitimate ones (gogle.com) → phishing | Brand monitoring, DMARC for email, user awareness |
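An added example, not from the original post, of the "DNS traffic analysis, monitor query patterns" defense against tunneling: a small detector that groups a resolver query log by registered domain and flags domains with many distinct names whose leftmost label is unusually long or high-entropy (the tell-tale encoded payload). The log lines, domain names and thresholds are constructed for the demo.

```python
import math
from collections import defaultdict

# Constructed resolver query log for the demo (not real traffic): "client qname qtype" per line.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.9 login.example.com A
10.0.0.7 4d3m9x2k1q8z7v6b5n0c3f2g1h9j.t.tunnel.example.net TXT
10.0.0.7 9k2j5h8g1f4d7s0a3z6x2c5v8b1n.t.tunnel.example.net TXT
10.0.0.7 7q1w3e5r9t2y4u6i8o0p3a5s7d9f.t.tunnel.example.net TXT
10.0.0.7 2z4x6c8v0b1n3m5q7w9e1r3t5y7u.t.tunnel.example.net TXT
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score far higher than words like 'mail'."""
    counts = [s.count(ch) for ch in set(s)]
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts)

def registered_domain(qname: str) -> str:
    """Last two labels; production code would consult the public suffix list instead."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyze(log_text: str, max_label=20, entropy_bits=3.0, min_unique=4, min_ratio=0.5) -> dict:
    """Flag registered domains whose queries look like a tunnel: many distinct names whose
    leftmost label is long or high-entropy. Thresholds are demo assumptions; tune per network."""
    stats = defaultdict(lambda: {"names": set(), "clients": set(), "qtypes": set(), "q": 0, "sus": 0})
    for line in log_text.splitlines():
        client, qname, qtype = line.split()
        d = stats[registered_domain(qname)]
        label = qname.split(".")[0]                  # leftmost label carries the encoded payload
        d["names"].add(qname)
        d["clients"].add(client)
        d["qtypes"].add(qtype)
        d["q"] += 1
        if len(label) > max_label or shannon_entropy(label) > entropy_bits:
            d["sus"] += 1
    flagged = {}
    for domain, d in stats.items():
        ratio = d["sus"] / d["q"]
        if len(d["names"]) >= min_unique and ratio >= min_ratio:
            flagged[domain] = {"clients": sorted(d["clients"]), "unique_names": len(d["names"]),
                               "suspicious_ratio": ratio, "qtypes": sorted(d["qtypes"])}
    return flagged

if __name__ == "__main__":
    for domain, info in analyze(SAMPLE_LOG).items():
        print(f"possible DNS tunnel via {domain}: {info}")
```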
Closing: DNS = Foundation of the Internet, Protect It

- Resolution: client → recursive resolver → root → TLD → authoritative → answer (with caching)
- Recursive vs Authoritative: recursive = lookup agent (8.8.8.8), authoritative = source of truth (Route53, BIND)
- Records: A (IPv4), AAAA (IPv6), CNAME (alias), MX (mail), TXT (SPF/DKIM), NS, SOA, SRV, PTR
- DNSSEC: digital signatures → verify authenticity (RRSIG, DNSKEY, DS) → chain of trust from the root
- DoH/DoT: encrypt DNS queries → privacy from the ISP → DoH harder to block (port 443), DoT easier (port 853)
- Split DNS: different answers for internal/external → internal users get direct IPs
- Threats: cache poisoning (→ DNSSEC), tunneling (→ DNS analysis), amplification DDoS, domain hijacking
- Key: DNS is critical infrastructure — DNSSEC for integrity, DoH/DoT for privacy, monitoring for security