ISSUE 99

31 October 2019

Article of the Month   Around the World


What is DNS?

The Domain Name System (DNS) is the phonebook of the Internet. Humans access information online through domain names, like nytimes.com or espn.com. Web browsers interact through Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so browsers can load Internet resources.

Each device connected to the Internet has a unique IP address which other machines use to find the device. DNS servers eliminate the need for humans to memorize IP addresses such as (in IPv4), or more complex newer alphanumeric IP addresses such as 2400:cb00:2048:1::c629:d7a2 (in IPv6).

How does DNS work?

The process of DNS resolution involves converting a hostname (such as www.example.com) into a computer-friendly IP address (such as An IP address is given to each device on the Internet, and that address is necessary to find the appropriate Internet device - like a street address is used to find a particular home. When a user wants to load a webpage, a translation must occur between what a user types into their web browser (example.com) and the machine-friendly address necessary to locate the example.com webpage.
In order to understand the process behind the DNS resolution, it�s important to learn about the different hardware components a DNS query must pass between. For the web browser, the DNS lookup occurs � behind the scenes� and requires no interaction from the user�s computer apart from the initial request.

There are 4 DNS servers involved in loading a webpage:

  • DNS recursor - The recursor can be thought of as a librarian who is asked to go find a particular book somewhere in a library. The DNS recursor is a server designed to receive queries from client machines through applications such as web browsers. Typically the recursor is then responsible for making additional requests in order to satisfy the client�s DNS query

  • .Root nameserver - The root server is the first step in translating (resolving) human readable host names into IP addresses. It can be thought of like an index in a library that points to different racks of books - typically it serves as a reference to other more specific locations.

  • TLD nameserver - The top level domain server (TLD) can be thought of as a specific rack of books in a library. This nameserver is the next step in the search for a specific IP address, and it hosts the last portion of a hostname (In example.com, the TLD server is �com�).

  • Authoritative nameserver - This final nameserver can be thought of as a dictionary on a rack of books, in which a specific name can be translated into its definition. The authoritative nameserver is the last stop in the nameserver query. If the authoritative name server has access to the requested record, it will return the IP address for the requested hostname back to the DNS Recursor (the librarian) that made the initial request.

What's the difference between an authoritative DNS server and a recursive DNS resolver?

Both concepts refer to servers (groups of servers) that are integral to the DNS infrastructure, but each performs a different role and lives in different locations inside the pipeline of a DNS query. One way to think about the difference is the recursive resolver is at the beginning of the DNS query and the authoritative nameserver is at the end.

Recursive DNS resolverThe recursive resolver is the computer that responds to a recursive request from a client and takes the time to track down the DNS record. It does this by making a series of requests until it reaches the authoritative DNS nameserver for the requested record (or times out or returns an error if no record is found). Luckily, recursive DNS resolvers do not always need to make multiple requests in order to track down the records needed to respond to a client; caching is a data persistence process that helps short-circuit the necessary requests by serving the requested resource record earlier in the DNS lookup.

 Authoritative DNS server
Put simply, an authoritative DNS server is a server that actually holds, and is responsible for, DNS resource records. This is the server at the bottom of the DNS lookup chain that will respond with the queried resource record, ultimately allowing the web browser making the request to reach the IP address needed to access a website or other web resources. An authoritative nameserver can satisfy queries from its own data without needing to query another source, as it is the final source of truth for
certain DNS records.

It�s worth mentioning that in instances where the query is for a subdomain such as foo.example.com or blog.cloudflare.com, an additional nameserver will be added to the sequence after the authoritative nameserver, which is responsible for storing the subdomain�s CNAME record.

There is a key difference between many DNS services and the one that Cloudflare provides. Different DNS recursive resolvers such as Google DNS, OpenDNS, and providers like Comcast all maintain data center installations of DNS recursive resolvers. These resolvers allow for quick and easy queries through optimized clusters of DNS-optimized computer systems, but they are fundamentally different than the nameservers hosted by Cloudflare.

Cloudflare maintains infrastructure-level nameservers that are integral to the functioning of the Internet. One key example is the f-root server network which Cloudflare is partially responsible for hosting. The F-root is one of the root level DNS nameserver infrastructure components responsible for the billions of Internet requests per day. Our Anycast network puts us in a unique position to handle large volumes of DNS traffic without service interruption.

What are the steps in a DNS lookup?

For most situations, DNS is concerned with a domain name being translated into the appropriate IP address. To learn how this process works, it helps to follow the path of a DNS lookup as it travels from a web browser, through the DNS lookup process, and back again. Let's take a look at the steps.

Note: Often DNS lookup information will be cached either locally inside the querying computer or remotely in the DNS infrastructure. There are typically 8 steps in a DNS lookup. When DNS information is cached, steps are skipped from the DNS lookup process which makes it quicker. The example below outlines all 8 steps when nothing is cached.

  1. A user types �example.com� into a web browser and the query travels into the Internet and is received by a DNS recursive resolver.

  2. The resolver then queries a DNS root nameserver (.).
    3. The root server then responds to the resolver with the address of a Top Level Domain (TLD) DNS server (such as .com or .net), which stores the information for its domains. When searching for example.com, our request is pointed toward the .com TLD.

  3. The resolver then makes a request to the .com TLD.

  4. The TLD server then responds with the IP address of the domain�s nameserver, example.com.

  5. Lastly, the recursive resolver sends a query to the domain�s nameserver.

  6. The IP address for example.com is then returned to the resolver from the nameserver.

  7. The DNS resolver then responds to the web browser with the IP address of the domain requested initially.

  8. Once the 8 steps of the DNS lookup have returned the IP address for example.com, the browser is able to make the request for the web page:

  9. The browser makes a HTTP request to the IP address.

  10. The server at that IP returns the webpage to be rendered in the browser (step 10).



Madura Rajapaksha

Madura is an undergraduate of Sri Lanka Institute of Information Technology, Faculty of Computing who is currently following Bachelor of Science Honors degree specializing in Cyber Security, currently, he is working as an Intern - Information Security Engineer at Sri Lanka CERT|CC




















1 Statistics on the Internet growth in Sri Lanka
2.The Dragon Research Group (DRG)
3.TSUBAME (Internet threat monitoring system) from JPCERT | CC
4.Shadowserver Foundation
5. Team Cymru
  Stealthy Tool Detects Malware in Javascript


"...A new open-source tool called VisibleV8 allows users to track and record the behavior of JavaScript programs without alerting the websites that run those programs........"


Deepfakes: When seeing isn�t believing


"....Deepfakes are rapidly becoming easier and quicker to create and they�re opening a door into a new form of cybercrime. Although the fake videos are still mostly seen as relatively harmful or even humorous, this craze could take a more sinister turn in the future and be at the heart of political scandals, cybercrime, or even unimaginable scenarios involving fake videos � and not just targeting public figures........."


Ransomware, Mobile Malware Attacks to Surge in 2020


'...Targeted ransomware, mobile malware and other attacks will surge, while companies will adopt AI, better cloud security and cyber insurance to help defend and protect against them......'

What is cryptojacking? How to prevent, detect, and recover from it



'...No one knows for certain how much cryptocurrency is mined through cryptojacking, but there�s no question that the practice is rampant. Browser-based cryptojacking grew fast at first, but seems to be tapering off, likely because of cryptocurrency volatility.......'

Chrome devs tell world that DNS over HTTPS won't open the floodgates of hell


'....Chrome devs have had a little rant about "misinformation", repeating that DNS-over-HTTPS (DoH) will be supported but won't necessarily be automatically used in upcoming builds of the browser..........'

Month in Brief
Facebook Incidents Reported to Sri Lanka CERT|CC in September 2019


  Statistics - Sri Lanka CERT|CC

Russia Will Test Its Ability to Disconnect from the Internet

'...Russia will test its internal RuNet network to see whether the country can function without the global internet, the Russian government announced Monday. The tests will begin after Nov. 1, recur at least annually, and possibly more frequently. It's the latest move in a series of technical and policy steps intended to allow the Russian government to cut its citizens off from the rest of the world......'

PHP team fixes nasty site-owning remote execution bug

"...PHP is a common programming language used to run dynamic websites. It operates everything from online forums to ecommerce systems. The bug, found in version 7 of PHP, only affects instances running the PHP FastCGI Process Manager (PHP-FPM), which is an alternative implementation of a standard PHP module called FastCGI. It lets an interpreter outside the web server execute scripts. The process manager version includes some extra features to support high-volume websites......."

Mysterious malware that re-installs itself infected over 45,000 Android Phones

�...Dubbed Xhelper, the malware has already infected more than 45,000 Android devices in just the last six months and is continuing to spread by infecting at least 2,400 devices on an average each month, according to the latest report published today by Symantec.....�
As car manufacturers focus on connectivity, hackers begin to exploit flaws

."...Car manufacturers offer more software features to consumers than ever before, and increasingly popular autonomous vehicles that require integrated software introduce security vulnerabilities... ..."

Notice Board

Training and Awareness Programmes - November  2019

Date Event Venue

Brought to you by: