DNS Flashcards

1
Q

Why should you never run an authoritative and recursive server on the same system

A

Running authoritative and recursive DNS on the same system is insecure because recursive servers handle user queries and can have their cache poisoned, spreading malicious data. Combining it with authoritative functions risks exposing sensitive data about internal networks and enables attackers to exploit the system for amplification attacks. Separation isolates these roles, reducing vulnerabilities and maintaining security.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is the main role of DNS

A

DNS maps domain names to IP addresses and IP addresses to domain names

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Why is DNS difficult to secure

A
  1. DNS lacks built-in security, making it vulnerable to attacks like spoofing.
  2. Its global infrastructure is highly complex and difficult to secure consistently.
  3. Political and administrative control adds challenges to improving DNS security.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is DNS caching and why is it important

A

DNS caching stores query results temporarily to reduce lookup times and improve performance

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What is cache poisoning in DNS

A

It misleads DNS queries to redirect users to malicious websites

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Why are certificates important in DNS

A

Certificates are important in DNS because they prevent attacks like DNS cache poisoning and spoofing by verifying the authenticity of DNS responses. They ensure that the data comes from a trusted source, protecting users from being redirected to malicious websites.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is the maximum size for DNS names

A

255 bytes with 63 bytes per label

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is a DNS zone

A

It is a group of resource records served from one primary nameserver

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What are A and AAAA records in DNS

A

A records map to IPv4 addresses while AAAA records map to IPv6 addresses

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What does TTL stand for in DNS

A

Time to Live which defines how long a record can be cached

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What is the Kaminsky Attack

A

A DNS vulnerability exploiting predictable transaction IDs to poison caches.

Process;

The Kaminsky Attack works by guessing predictable DNS transaction IDs to send fake responses, which the resolver accepts and caches, redirecting users to malicious sites.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What are recursive servers in DNS

A

Recursive servers in DNS resolve user queries by contacting other DNS servers as needed to find the complete answer.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What are authoritative servers in DNS

A

Authoritative DNS servers store and provide definitive answers for specific DNS zones they are configured to manage, delivering accurate resource record data without needing to query other servers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What are glue records in DNS

A

They are A(IPv4) or AAAA(IPv6) records for nameservers to prevent resolution loops

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What is the function of a DNS resolver

A

A DNS resolver is a client that queries the DNS system to translate domain names into IP addresses and processes the responses to return the requested information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is EDNS0 in DNS

A

An extension mechanism for DNS with support for larger payloads and cookies

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What is DNS over HTTPS (DoH)

A

DNS over HTTPS (DoH) encrypts DNS queries using HTTPS to enhance privacy and prevent third parties from intercepting or modifying DNS traffic

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Why is DoH controversial

A

DoH is controversial because it bypasses traditional DNS controls, such as those used by network administrators for filtering and monitoring, making it harder to enforce policies or detect malicious activity. This can lead to challenges in network management and security.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What are Response Policy Zones RPZ in DNS

A

RPZs are used to block, redirect, or filter DNS responses based on security policies.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What is reverse mapping in DNS

A

It resolves IP addresses back to domain names using in-addr.arpa or ip6.arpa

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Why are primary and secondary nameservers used in DNS

A

They are used for redundancy, load balancing, and reliability, ensuring DNS queries are resolved even if the primary nameserver fails

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What is a zone file in DNS

A

A zone file is a text file that contains DNS records for a domain, including A, CNAME, MX, NS, and SOA records, to define mappings and settings for the DNS zone.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What is label compression in DNS

A

It reduces message size by reusing labels in DNS packets

Label = parts of domain name i.e. www or google or com

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What is the role of mail exchangers MX in DNS

A

They define mail servers for a domain

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

What is the difference between iterative and recursive DNS queries

A

Iterative queries ask one server at a time, passing the next server back to the client for them to ask in turn until they find the answer.

Recursive queries are resolved by one server completely on behalf of the client, sending them back the answer, instead of sending the address of a server that might know the answer, etc etc…

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Why are DNS clients considered problematic

A

They are often unreliable inconsistent and poorly implemented

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

What is the purpose of DNSSEC

A

To sign zones providing evidence that packets have not been tampered with

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

What is a delegation in DNS

A

It assigns authority for a subdomain to another nameserver

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

What is a PTR record in DNS

A

It maps IP addresses to domain names

30
Q

Why is DNS governance challenging

A

DNS is complex politically sensitive and involves many stakeholders

31
Q

What is DNS spoofing

A

It is a malicious attack redirecting users to fraudulent websites by manipulating DNS responses

32
Q

What is a transaction ID in DNS

A

A 16-bit identifier used to match queries with responses

33
Q

What is the function of the DNS root server

A

It is the starting point for resolving DNS queries

34
Q

How does caching improve DNS performance

A

It stores resolved queries for future use reducing lookup times

35
Q

What is the purpose of the additional section in DNS packets

A

It includes extra data that might be useful for the client

36
Q

What are NS records in DNS

A

They specify nameservers for a domain

37
Q

What is negative caching in DNS

A

It caches information about failed queries to avoid repeated lookups

38
Q

What is the role of the authority section in DNS packets

A

It indicates the authoritative nameserver for the data

39
Q

What is dynamic DNS

A

It updates DNS records automatically in real-time

40
Q

Why should DNS resolvers not be run behind NAT

A

It can weaken security measures like port randomisation

41
Q

What is the role of port randomisation in DNS

A

It improves security by making queries harder to spoof

42
Q

Why is DNS scalability a concern

A

It struggles to handle modern internet demands without significant modifications

43
Q

What are the limitations of IPv4 in DNS

A

It has limited address space compared to IPv6

44
Q

What is the significance of SOA records in DNS

A

They provide information about the zone and its management

45
Q

What is a wildcard record in DNS

A

It matches requests for non-existent names within a domain

46
Q

How does DNS handle load balancing

A

By using multiple nameservers and sometimes anycast

47
Q

What is the primary issue with legacy DNS implementations

A

They are prone to vulnerabilities like cache poisoning

48
Q

What is a forwarder in DNS

A

A server that forwards queries to another server for resolution

49
Q

How does DNS handle delegation

A

It uses NS records to point to authoritative servers for subdomains

50
Q

What are common DNS query types

A

A AAAA PTR MX NS CNAME SOA TXT

51
Q

What is the role of the query section in DNS packets

A

It contains the question the client wants answered

52
Q

What is an example of DNS abuse

A

Using TXT records to store arbitrary data

53
Q

What is the purpose of the flags field in DNS packets

A

It indicates query type and response status

54
Q

What does the recursion desired RD flag in DNS mean

A

The client requests the server to perform a recursive query

55
Q

What is an authoritative answer in DNS

A

It is a response directly from the authoritative server for the queried domain

56
Q

What are the benefits of anycast in DNS

A

It improves redundancy and reduces latency

57
Q

What is the purpose of the root hints file in DNS

A

It provides addresses of root nameservers for recursion

58
Q

What is the role of secondary nameservers in DNS

A

They provide redundancy and load balancing

59
Q

What are common security challenges in DNS

A

Cache poisoning spoofing and poor client implementations

60
Q

Why is DNS considered a critical internet infrastructure

A

It enables the translation of domain names to IP addresses

61
Q

What is the purpose of the opcode field in DNS packets

A

It defines the type of query or operation

62
Q

What are the main types of DNS caching

A

Client-side and server-side caching

63
Q

What is the significance of the DNS time-to-live TTL value

A

It defines how long a record can be cached before it must be refreshed

64
Q

What are common attack vectors against DNS

A

Kaminsky attack cache poisoning and spoofing

65
Q

Why are DNS queries often slow

A

Due to recursive resolution and network delays

66
Q

What is the impact of a misconfigured DNS zone

A

It can lead to resolution failures and incorrect responses

67
Q

What are the challenges with DNS over HTTPS DoH

A

It bypasses traditional controls and creates enforcement difficulties

68
Q

What is the purpose of glue records in DNS

A

To prevent resolution loops by including IP addresses for nameservers

69
Q

What is the difference between A and PTR records

A

A records map names to IP addresses PTR records map IP addresses to names

70
Q

What is the role of the additional section in DNS queries

A

It provides extra information that may help resolve the query

71
Q

Why is DNSSEC adoption low

A

It is complex and does not address common use cases effectively

72
Q

What is the purpose of DNS iterative queries

A

To resolve parts of a name step-by-step starting from the root