DNS Flashcards

1
Q

Why should you never run an authoritative and recursive server on the same system

A

Running authoritative and recursive DNS on the same system is insecure because recursive servers handle user queries and can have their cache poisoned, spreading malicious data. Combining it with authoritative functions risks exposing sensitive data about internal networks and enables attackers to exploit the system for amplification attacks. Separation isolates these roles, reducing vulnerabilities and maintaining security.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is the main role of DNS

A

DNS maps domain names to IP addresses and IP addresses to domain names

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Why is DNS difficult to secure

A
  1. DNS lacks built-in security, making it vulnerable to attacks like spoofing.
  2. Its global infrastructure is highly complex and difficult to secure consistently.
  3. Political and administrative control adds challenges to improving DNS security.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is DNS caching and why is it important

A

DNS caching stores query results temporarily to reduce lookup times and improve performance

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What is cache poisoning in DNS

A

It misleads DNS queries to redirect users to malicious websites

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Why are certificates important in DNS

A

Certificates are important in DNS because they prevent attacks like DNS cache poisoning and spoofing by verifying the authenticity of DNS responses. They ensure that the data comes from a trusted source, protecting users from being redirected to malicious websites.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is the maximum size for DNS names

A

255 bytes with 63 bytes per label

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is a DNS zone

A

It is a group of resource records served from one primary nameserver

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What are A and AAAA records in DNS

A

A records map to IPv4 addresses while AAAA records map to IPv6 addresses

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What does TTL stand for in DNS

A

Time to Live which defines how long a record can be cached

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What is the Kaminsky Attack

A

A DNS vulnerability exploiting predictable transaction IDs to poison caches.

Process;

The Kaminsky Attack works by guessing predictable DNS transaction IDs to send fake responses, which the resolver accepts and caches, redirecting users to malicious sites.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What are recursive servers in DNS

A

Recursive servers in DNS resolve user queries by contacting other DNS servers as needed to find the complete answer.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What are authoritative servers in DNS

A

Authoritative DNS servers store and provide definitive answers for specific DNS zones they are configured to manage, delivering accurate resource record data without needing to query other servers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What are glue records in DNS

A

They are A(IPv4) or AAAA(IPv6) records for nameservers to prevent resolution loops

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What is the function of a DNS resolver

A

A DNS resolver is a client that queries the DNS system to translate domain names into IP addresses and processes the responses to return the requested information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is EDNS0 in DNS

A

An extension mechanism for DNS with support for larger payloads and cookies

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What is DNS over HTTPS (DoH)

A

DNS over HTTPS (DoH) encrypts DNS queries using HTTPS to enhance privacy and prevent third parties from intercepting or modifying DNS traffic

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Why is DoH controversial

A

DoH is controversial because it bypasses traditional DNS controls, such as those used by network administrators for filtering and monitoring, making it harder to enforce policies or detect malicious activity. This can lead to challenges in network management and security.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What are Response Policy Zones RPZ in DNS

A

RPZs are used to block, redirect, or filter DNS responses based on security policies.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What is reverse mapping in DNS

A

It resolves IP addresses back to domain names using in-addr.arpa or ip6.arpa

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Why are primary and secondary nameservers used in DNS

A

They are used for redundancy, load balancing, and reliability, ensuring DNS queries are resolved even if the primary nameserver fails

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What is a zone file in DNS

A

A zone file is a text file that contains DNS records for a domain, including A, CNAME, MX, NS, and SOA records, to define mappings and settings for the DNS zone.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What is label compression in DNS

A

It reduces message size by reusing labels in DNS packets

Label = parts of domain name i.e. www or google or com

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What is the role of mail exchangers MX in DNS

A

They define mail servers for a domain

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
What is the difference between iterative and recursive DNS queries
Iterative queries ask one server at a time, passing the next server back to the client for them to ask in turn until they find the answer. Recursive queries are resolved by one server completely on behalf of the client, sending them back the answer, instead of sending the address of a server that might know the answer, etc etc…
26
Why are DNS clients considered problematic
They are often unreliable inconsistent and poorly implemented
27
What is the purpose of DNSSEC
To sign zones providing evidence that packets have not been tampered with
28
What is a delegation in DNS
It assigns authority for a subdomain to another nameserver
29
What is a PTR record in DNS
It maps IP addresses to domain names
30
Why is DNS governance challenging
DNS is complex politically sensitive and involves many stakeholders
31
What is DNS spoofing
It is a malicious attack redirecting users to fraudulent websites by manipulating DNS responses
32
What is a transaction ID in DNS
A 16-bit identifier used to match queries with responses
33
What is the function of the DNS root server
It is the starting point for resolving DNS queries
34
How does caching improve DNS performance
It stores resolved queries for future use reducing lookup times
35
What is the purpose of the additional section in DNS packets
It includes extra data that might be useful for the client
36
What are NS records in DNS
They specify nameservers for a domain
37
What is negative caching in DNS
It caches information about failed queries to avoid repeated lookups
38
What is the role of the authority section in DNS packets
It indicates the authoritative nameserver for the data
39
What is dynamic DNS
It updates DNS records automatically in real-time
40
Why should DNS resolvers not be run behind NAT
It can weaken security measures like port randomisation
41
What is the role of port randomisation in DNS
It improves security by making queries harder to spoof
42
Why is DNS scalability a concern
It struggles to handle modern internet demands without significant modifications
43
What are the limitations of IPv4 in DNS
It has limited address space compared to IPv6
44
What is the significance of SOA records in DNS
They provide information about the zone and its management
45
What is a wildcard record in DNS
It matches requests for non-existent names within a domain
46
How does DNS handle load balancing
By using multiple nameservers and sometimes anycast
47
What is the primary issue with legacy DNS implementations
They are prone to vulnerabilities like cache poisoning
48
What is a forwarder in DNS
A server that forwards queries to another server for resolution
49
How does DNS handle delegation
It uses NS records to point to authoritative servers for subdomains
50
What are common DNS query types
A AAAA PTR MX NS CNAME SOA TXT
51
What is the role of the query section in DNS packets
It contains the question the client wants answered
52
What is an example of DNS abuse
Using TXT records to store arbitrary data
53
What is the purpose of the flags field in DNS packets
It indicates query type and response status
54
What does the recursion desired RD flag in DNS mean
The client requests the server to perform a recursive query
55
What is an authoritative answer in DNS
It is a response directly from the authoritative server for the queried domain
56
What are the benefits of anycast in DNS
It improves redundancy and reduces latency
57
What is the purpose of the root hints file in DNS
It provides addresses of root nameservers for recursion
58
What is the role of secondary nameservers in DNS
They provide redundancy and load balancing
59
What are common security challenges in DNS
Cache poisoning spoofing and poor client implementations
60
Why is DNS considered a critical internet infrastructure
It enables the translation of domain names to IP addresses
61
What is the purpose of the opcode field in DNS packets
It defines the type of query or operation
62
What are the main types of DNS caching
Client-side and server-side caching
63
What is the significance of the DNS time-to-live TTL value
It defines how long a record can be cached before it must be refreshed
64
What are common attack vectors against DNS
Kaminsky attack cache poisoning and spoofing
65
Why are DNS queries often slow
Due to recursive resolution and network delays
66
What is the impact of a misconfigured DNS zone
It can lead to resolution failures and incorrect responses
67
What are the challenges with DNS over HTTPS DoH
It bypasses traditional controls and creates enforcement difficulties
68
What is the purpose of glue records in DNS
To prevent resolution loops by including IP addresses for nameservers
69
What is the difference between A and PTR records
A records map names to IP addresses PTR records map IP addresses to names
70
What is the role of the additional section in DNS queries
It provides extra information that may help resolve the query
71
Why is DNSSEC adoption low
It is complex and does not address common use cases effectively
72
What is the purpose of DNS iterative queries
To resolve parts of a name step-by-step starting from the root