Introduction to DNS Recursion

The Internet’s DNS structure is often (accurately) described as hierarchical with authoritative servers sitting at the top of the structure.  However because of this setup it is essential that all DNS servers are able to communicate with each other in order to supply response to the name queries which are submitted by clients.

This is because although we would expect our companies internal DNS server to know all the addresses of internal clients and servers, we wouldn’t expect it’s database to contain every external server on the the internet.     Although in the early days of the internet, most DNS servers did contain an entire list of connected server addresses, nowadays that would simply not be feasible or in fact very sensible.

When a DNS server needs to find an address which is not in it’s database, it will query another DNS server on behalf of the requesting client in order to find the answer.    The server in this instance is actually acting in the same way as a client by making a request to another DNS server for the information, this process is known as recursion.

It’s actually quite difficult to detect whether a query is answered by recursion or by directly when troubleshooting DNS queries.    You need to be able to listen to all a DNS servers traffic in order to identify a recursive query.   The additional query (recursive one) is generated after the DNS serverc has checked it’s local database in order to resolve the query.  If this isn’t successful the DNS server will generate the additional request before replying to the client.   This is also dependent on the recursion bit being set in the initial query from the client too, as this allows the server to ask another server if the answer is not in it’s own database.

The recursive query is merely a copy of the initial DNS request and it has the effect of turning the server into a client. You can notice if you analyse the traffic that the transaction ID numbers will change in order to differentiate the initial query from the recursive query sent by the DNS server.   It’s important to keep a note of these transaction IDs when troubleshooting DNS traffic as it’s easy to get confused as many of the packets will look very similar.  If you are trying to analyze something more complicated like the modern, intelligent Smart DNS servers like these – http://www.proxyusa.com/smart-dns-netflix-its-back then it’s even more important to keep track of these transactions.  This is because these DNS servers actually make decisions on how to route the traffic in addition to resolving queries.

 

Domain Name System Packet Structure

The Domain Name System (DNS) is one of the most vital protocols used on the internet, it basically holds everything together. DNS links all the web friendly names to IP addresses without DNS you’d need to memorize the IP address of every server or resource you wanted to visit online.

DNS servers hold databases of resource records which contain the mappings that allow devices to resolve IP addresses to DNS names and vice versa. These databases are generally made accessible to any device that requests them or other DNS servers. If you’ve ever had anything to do with DNS you’ll know that although the basic principles of DNS are quite straight forward the overall architecture can be very complicated particularly with regards to the internet.

In this initial article we’re going to cover some of the basics of the DNS packet structure, which is in many ways very different to other protocols used to communicate online.

DNS Packet Structure

  • DNS ID – Associates DNS responses with corresponding queries.
  • (QR) Query/Response – Simply identifies whether packet is a query or response packet.
  • (AA) Authoritative Answers – When this value is set it indicates that the Name server is the ultimate authority for that domain.
  • (RD) Recursion Desired – DNS client requires a recursive query if answer not available.
  • (RA) Recursion Available – DNS Server supports recursive queries.
  • (RC) Response Code – Used to identify any errors
  • Questions Section – Variable section which contains all the queries to be resolved
  • Answers Section – Variable section which contains responses to queries.
  • Authority Section – Variable section which contains records pointing to authoritative name servers if required.

There are more components of the DNS packet but these are the important ones which contain the bulk of the information i.e. the query and answer. This is how a simple DNS query will be performed – a client wishes to know an IP address (or DNS Name) will send the query to a DNS server, the server will send the answer in it’s response.

The simplest DNS transaction will take place in just two packets i.e the query and the response. You can see it quite easily by using a packet capture program like wireshark and in fact DNS exchanges are a very good way to start packet analysis because the majority are relatively straight forward. There are exceptions of course, indeed we are increasingly seeing modified DNS services used to access US media sites like Netflix like this article – http://www.onlineanonymity.org/proxies/the-return-of-us-dns-netflix/ describes.

There are a few things to remember when studying and troubleshooting DNS traffic and one of the most important is that DNS relies on UDP as it’s transport mechanism. This is useful to know because if you do use something like Wireshark to analyse you’ll notice lots of UDP traffic and that it condenses the beginnings of the packet into a single flags section which can be difficult to follow initially.

Remember though the vast majority of DNS traffic is very simple, consisting of a query and a response. There is more information in the packet but essentially it’s a question and an answer – if you need to see all the data and resource record types they are here – DNS Resource Parameters.

Residential IP Gateways

For anyone with a significant interest in working online, your IP address is important, it’s a vital part of your online presence.     Most people don’t really care about their address, as long as you have a valid IP address you can get online.   However there are distinctions about these addresses which can make a huge difference to your online experience.

Often the first indication people have that their IP address is of any relevance is when they find themselves getting blocked somewhere.   You might click on a video or website and get redirected to a message ‘sorry not available in  your country’ or you might try and view a website and get redirected somewhere else.   What’s generally to blame is where your IP address is registered and this behaviour is called ‘region locking’.  It’s extremely common and annoying especially if you’re settling down to watch the BBC News live while on holiday outside the UK for example.

This is all factored around the geographical location where you’re IP address is assigned to.  Which is why it usually becomes evident when people travel or go on their holidays, suddenly they find they can’t access the websites that they used to.  Watching domestic TV, streaming videos or accessing their online banking and things like that suddenly become very difficult when you’re outside your usual location.

People have found ways around this, normally you can hide your location by using a proxy or VPN service.  However this only works on a basic level, because there are other restrictions which stop these working mainly centered around the IP classification.   You see many websites now also look one step further than simply location – they look at the classification of the address and whether it originates from a commercial or residential origin.

Anyone who makes their living online is likely to need a little more control.  After all operating in a global market like the internet, getting blocked all the time because of location and what sort of IP address you have is going to be extremely inconvenient.   Sure you can use traditional proxies which are mostly run from datacentres but they too have significant problems.  The issue is that websites increasingly block access to all but residential IP addresses, they just want ordinary home users which means none of these proxy solutions actually work.  The alternative is to use VPNs that have residential IP addresses and gateways built in (read more here)

However it’s much, much harder to set up a residential IP gateway than it is a commercial one.  For instance you can’t just roll up to Comcast or BT and ask it to assign you a few hundred IP addresses, they use those for domestic customers only.   They are appearing but at the moment they are fairly hard to find and extremely expensive.  You have to be careful though as some of these ‘solutions’ actually piggy back domestic customers computers like the not recommended Hola which is a huge security risk to use.