DNS

Question 1

Why should you never run an authoritative and recursive server on the same system

Answer 1

Running authoritative and recursive DNS on the same system is insecure because recursive servers handle user queries and can have their cache poisoned, spreading malicious data. Combining it with authoritative functions risks exposing sensitive data about internal networks and enables attackers to exploit the system for amplification attacks. Separation isolates these roles, reducing vulnerabilities and maintaining security.

Question 2

What is the main role of DNS

Answer 2

DNS maps domain names to IP addresses and IP addresses to domain names

Question 3

Why is DNS difficult to secure

Answer 3

1. DNS lacks built-in security, making it vulnerable to attacks like spoofing.
   
   2. Its global infrastructure is highly complex and difficult to secure consistently.
   3. Political and administrative control adds challenges to improving DNS security.

Question 4

What is DNS caching and why is it important

Answer 4

DNS caching stores query results temporarily to reduce lookup times and improve performance

Question 5

What is cache poisoning in DNS

Answer 5

It misleads DNS queries to redirect users to malicious websites

Question 6

Why are certificates important in DNS

Answer 6

They prevent attacks like cache poisoning by verifying authenticity

Question 7

What is the maximum size for DNS names

Answer 7

255 bytes with 63 bytes per label

Question 8

What is a DNS zone

Answer 8

It is a group of resource records served from one primary nameserver

Question 9

What are A and AAAA records in DNS

Answer 9

A records map to IPv4 addresses while AAAA records map to IPv6 addresses

Question 10

What does TTL stand for in DNS

Answer 10

Time to Live which defines how long a record can be cached

Question 11

What is the Kaminsky Attack

Answer 11

A DNS vulnerability exploiting predictable transaction IDs to poison caches.

Process;

The Kaminsky Attack works by guessing predictable DNS transaction IDs to send fake responses, which the resolver accepts and caches, redirecting users to malicious sites.

Question 12

What are recursive servers in DNS

Answer 12

Recursive servers in DNS resolve user queries by contacting other DNS servers as needed to find the complete answer.

Question 13

What are authoritative servers in DNS

Answer 13

Authoritative DNS servers store and provide definitive answers for specific DNS zones they are configured to manage, delivering accurate resource record data without needing to query other servers.

Question 14

What are glue records in DNS

Answer 14

They are A or AAAA records for nameservers to prevent resolution loops

Question 15

What is the function of a DNS resolver

Answer 15

It is a client that sends DNS queries and processes responses

Question 16

What is EDNS0 in DNS

Answer 16

An extension mechanism for DNS with support for larger payloads and cookies

Question 17

What is DNS over HTTPS DoH

Answer 17

It encrypts DNS queries using HTTPS for privacy

Question 18

Why is DoH controversial

Answer 18

It bypasses traditional DNS controls and creates policy enforcement challenges

Question 19

What are Response Policy Zones RPZ in DNS

Answer 19

They allow policy-based filtering of DNS responses

Question 20

What is reverse mapping in DNS

Answer 20

It resolves IP addresses back to domain names using in-addr.arpa or ip6.arpa

Question 21

Why are primary and secondary nameservers used in DNS

Answer 21

For redundancy load balancing and reliability

Question 22

What is a zone file in DNS

Answer 22

It contains records for a DNS zone

Question 23

What is label compression in DNS

Answer 23

It reduces message size by reusing labels in DNS packets

Question 24

What is the role of mail exchangers MX in DNS

Answer 24

They define mail servers for a domain

Question 25

What is the difference between iterative and recursive DNS queries

Answer 25

Iterative queries ask one server at a time while recursive queries resolve completely on behalf of the client

Question 26

Why are DNS clients considered problematic

Answer 26

They are often unreliable inconsistent and poorly implemented

Question 27

What is the purpose of DNSSEC

Answer 27

To sign zones providing evidence that packets have not been tampered with

Question 28

What is a delegation in DNS

Answer 28

It assigns authority for a subdomain to another nameserver

Question 29

What is a PTR record in DNS

Answer 29

It maps IP addresses to domain names

Question 30

Why is DNS governance challenging

Answer 30

DNS is complex politically sensitive and involves many stakeholders

Question 31

What is DNS spoofing

Answer 31

It is a malicious attack redirecting users to fraudulent websites by manipulating DNS responses

Question 32

What is a transaction ID in DNS

Answer 32

A 16-bit identifier used to match queries with responses

Question 33

What is the function of the DNS root server

Answer 33

It is the starting point for resolving DNS queries

Question 34

How does caching improve DNS performance

Answer 34

It stores resolved queries for future use reducing lookup times

Question 35

What is the purpose of the additional section in DNS packets

Answer 35

It includes extra data that might be useful for the client

Question 36

What are NS records in DNS

Answer 36

They specify nameservers for a domain

Question 37

What is negative caching in DNS

Answer 37

It caches information about failed queries to avoid repeated lookups

Question 38

What is the role of the authority section in DNS packets

Answer 38

It indicates the authoritative nameserver for the data

Question 39

What is dynamic DNS

Answer 39

It updates DNS records automatically in real-time

Question 40

Why should DNS resolvers not be run behind NAT

Answer 40

It can weaken security measures like port randomisation

Question 41

What is the role of port randomisation in DNS

Answer 41

It improves security by making queries harder to spoof

Question 42

Why is DNS scalability a concern

Answer 42

It struggles to handle modern internet demands without significant modifications

Question 43

What are the limitations of IPv4 in DNS

Answer 43

It has limited address space compared to IPv6

Question 44

What is the significance of SOA records in DNS

Answer 44

They provide information about the zone and its management

Question 45

What is a wildcard record in DNS

Answer 45

It matches requests for non-existent names within a domain

Question 46

How does DNS handle load balancing

Answer 46

By using multiple nameservers and sometimes anycast

Question 47

What is the primary issue with legacy DNS implementations

Answer 47

They are prone to vulnerabilities like cache poisoning

Question 48

What is a forwarder in DNS

Answer 48

A server that forwards queries to another server for resolution

Question 49

How does DNS handle delegation

Answer 49

It uses NS records to point to authoritative servers for subdomains

Question 50

What are common DNS query types

Answer 50

A AAAA PTR MX NS CNAME SOA TXT

Question 51

What is the role of the query section in DNS packets

Answer 51

It contains the question the client wants answered

Question 52

What is an example of DNS abuse

Answer 52

Using TXT records to store arbitrary data

Question 53

What is the purpose of the flags field in DNS packets

Answer 53

It indicates query type and response status

Question 54

What does the recursion desired RD flag in DNS mean

Answer 54

The client requests the server to perform a recursive query

Question 55

What is an authoritative answer in DNS

Answer 55

It is a response directly from the authoritative server for the queried domain

Question 56

What are the benefits of anycast in DNS

Answer 56

It improves redundancy and reduces latency

Question 57

What is the purpose of the root hints file in DNS

Answer 57

It provides addresses of root nameservers for recursion

Question 58

What is the role of secondary nameservers in DNS

Answer 58

They provide redundancy and load balancing

Question 59

What are common security challenges in DNS

Answer 59

Cache poisoning spoofing and poor client implementations

Question 60

Why is DNS considered a critical internet infrastructure

Answer 60

It enables the translation of domain names to IP addresses

Question 61

What is the purpose of the opcode field in DNS packets

Answer 61

It defines the type of query or operation

Question 62

What are the main types of DNS caching

Answer 62

Client-side and server-side caching

Question 63

What is the significance of the DNS time-to-live TTL value

Answer 63

It defines how long a record can be cached before it must be refreshed

Question 64

What are common attack vectors against DNS

Answer 64

Kaminsky attack cache poisoning and spoofing

Question 65

Why are DNS queries often slow

Answer 65

Due to recursive resolution and network delays

Question 66

What is the impact of a misconfigured DNS zone

Answer 66

It can lead to resolution failures and incorrect responses

Question 67

What are the challenges with DNS over HTTPS DoH

Answer 67

It bypasses traditional controls and creates enforcement difficulties

Question 68

What is the purpose of glue records in DNS

Answer 68

To prevent resolution loops by including IP addresses for nameservers

Question 69

What is the difference between A and PTR records

Answer 69

A records map names to IP addresses PTR records map IP addresses to names

Question 70

What is the role of the additional section in DNS queries

Answer 70

It provides extra information that may help resolve the query

Question 71

Why is DNSSEC adoption low

Answer 71

It is complex and does not address common use cases effectively

Question 72

What is the purpose of DNS iterative queries

Answer 72

To resolve parts of a name step-by-step starting from the root