
Why DNS Is Broken, Part 1: Trust

So this Internet thing, as we discussed in our last article, is broken. I promised to detail some of the specific things that are broken. Implicit trust is the Achilles' heel of the Internet.

Here is how the Domain Name System (DNS) works. You, a user, open a browser and type in a URL, www.dnsstuff.com. Your browser asks your operating system for the IP address of the name you typed in. The operating system relies on a small but important piece of software called the resolver, which is responsible for resolving host and domain names to IP addresses. In the case of www.dnsstuff.com, the domain is dnsstuff.com and the “host” is www, so the resolver is being asked to look up the IP address of the host www in the domain dnsstuff.com.

The first step the resolver takes is to look in a file that is private to your computer, called the hosts file. If it finds the record you are requesting there, it sends it to the browser. If not, it checks its own private cache of data: does it already have a listing for www.dnsstuff.com? If not, the resolver has to ask someone out in the world for more information. Your computer has several explicit settings that allow it to interact with the network; one of them is the list of DNS servers the resolver is to use when it does not know an answer. So the resolver now asks the DNS server for the IP address of www.dnsstuff.com.

That DNS server follows a process very similar to the resolver's. It looks in its cache to see if it already knows about www.dnsstuff.com; if it does, and that record has not expired yet, it sends that answer back to the resolver. This is important.

All of the communication between the resolver and the DNS server is in plain text that can be easily seen and changed while in transit. Further, the resolver completely trusts the answer that was returned: there is no reason to believe that the answer has not been tampered with, and there is no way to verify whether it has. Here we see the first weakness of DNS. In addition, there are numerous ways to trick DNS servers into thinking that a host is at a different IP address than it really is. For example, there are questions a malicious person could send to a DNS server to cause it to look up things improperly and store those bad answers in its cache. It would then send that bad data on to subsequent requestors.
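The two cache behaviours described above, honouring a record's TTL and refusing to store answers the responding server is not entitled to give (the "bailiwick" check that caching servers use as a defence against having bad records planted in their cache), as a small added model in Python. This is example code, not the author's or any real resolver's; the zone and record values are constructed samples.

```python
import time


class DnsCache:
    """Tiny model of a caching DNS server's record store."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock    # injectable so a test can fast-forward time
        self._store = {}       # (name, rtype) -> (rdata, expires_at)

    def get(self, name, rtype):
        """Cached rdata, or None if absent or its TTL has run out."""
        key = (name.lower(), rtype)
        entry = self._store.get(key)
        if entry is None:
            return None
        rdata, expires_at = entry
        if self._clock() >= expires_at:
            del self._store[key]  # expired: the server must ask upstream again
            return None
        return rdata

    def put(self, name, rtype, rdata, ttl):
        self._store[(name.lower(), rtype)] = (rdata, self._clock() + ttl)


def in_bailiwick(name, zone):
    """True if name is zone itself or lies beneath it (case and trailing dot ignored)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_response(cache, queried_zone, records):
    """Cache only (name, rtype, rdata, ttl) records inside the zone we asked about."""
    accepted = []
    for name, rtype, rdata, ttl in records:
        if not in_bailiwick(name, queried_zone):
            continue  # named outside the queried zone: drop it rather than trust it
        cache.put(name, rtype, rdata, ttl)
        accepted.append((name, rtype))
    return accepted


if __name__ == "__main__":
    now = [1000.0]
    cache = DnsCache(clock=lambda: now[0])
    response = [("www.example.test", "A", "192.0.2.10", 60),        # constructed sample
                ("www.other.test", "A", "203.0.113.99", 86400)]    # unsolicited record
    print(accept_response(cache, "example.test", response))  # [('www.example.test', 'A')]
    now[0] += 61
    print(cache.get("www.example.test", "A"))  # None: TTL expired, re-query needed
```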

So these are just two of the significant issues with the current DNS system. DNSSEC addresses the verifiability of the data returned during a DNS query. However, there are more issues we will need to address.

By Paul Parisi, Chief Technology Officer at DNSstuff.com
