"A" wants to resolve google.com using DNS Server 1 or 2 (as set in IPv4 settings on the NIC). But DNS Server 3 is between "A" and either DNS Server. Will server 3 attempt to respond to the DNS query? Or will the query be ignored until it reaches its intended target DNS server?
-
If A isn't configured to use DNS 3 then I don't see how DNS 3 could "intercept" the query. What do you mean that 3 is "in between"? There's no such thing as "in between". A either uses 3 or it doesn't. 1 or 2 may use 3 but that doesn't put 3 "in between" A and 1/2. – joeqwerty Mar 29 '18 at 20:03
-
Sorry, I meant that DNS Server 3 is acting as a gateway between A and the other two DNS servers, so all traffic would have to go through it anyways. – David Breeden Mar 29 '18 at 21:14
-
If you mean a gateway for traffic routing then it shouldn't have any bearing on the DNS resolution/recursion. – joeqwerty Mar 29 '18 at 21:31
-
So DNS queries are not "read" until they reach the DNS server they were sent to? I didn't know if maybe because it's UDP instead of TCP/IP that any DNS server could pick it up and respond to it. – David Breeden Mar 29 '18 at 21:44
-
@DavidBreeden see my extensive answer. As for your comment above, remember that the DNS protocol uses **BOTH** UDP **AND** TCP. And "Man in the middle" attacks could happen even for pure TCP (hijack of IP address for example). – Patrick Mevzek Mar 29 '18 at 22:32
-
It would need to be done on the routing level. The classroom I teach in has this happen: install a bind9 server set up as caching only and ask it for one of our hosts, and it returns the internal IP, not the one available in public internet-facing DNS. And it doesn't re-sign DNSSEC properly, so queries apparently fail and `apt-get` gives weird error messages. – ivanivan Mar 30 '18 at 05:24
1 Answer
Each computer has a list of recursive DNS servers to contact.
When it needs to resolve a name it will contact one of these servers (typically the first one in the list, and switching to the second one only if the first one did not reply at all).
Of course, as anything traveling in the clear on the network, any element in the path could intercept either the query or the reply, and rewrite it.
It happens, and it is called "lying DNS". Some ISPs for example may be tempted to rewrite NXDOMAIN replies (when the resource queried does not exist) to instead point you to a generic search engine page or things like that.
In the generic case the client may or may not easily see that. Only if the resource queried uses DNSSEC could the client verify that the answer was not modified in transit. Or, for greater security, it will need to use DNS over TLS or DNS over HTTPS, as long as it checks the remote certificate.
Have a look at the software dnssec-trigger, based on unbound.
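As an added example (not code from this thread, nor from unbound or dnssec-trigger), here is a stdlib-only Python sketch of the checks a stub resolver applies to a UDP reply, using the question's scenario with constructed RFC 5737 addresses and a fixed transaction ID: a reply that arrives from a server the client never asked (DNS 3) is dropped, while a matching reply from the configured server (DNS 1) is accepted. It deliberately shows the limit the answer describes: these checks say nothing about an on-path device that rewrites the reply in transit while keeping the source address and ID, which is what DNSSEC, DNS over TLS or DNS over HTTPS address.

```python
import socket
import struct

def build_query(name, txid, qtype=1):
    """Build a minimal DNS query (RD=1, one question; qtype 1 = A) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def build_reply(query, ip):
    """Answer `query` with one A record (flags 0x8180 = QR, RD, RA; RCODE 0)."""
    txid, question = query[:2], query[12:]
    # Name pointer to offset 12 (the question), type A, class IN, TTL 300, 4-byte RDATA.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + question + answer

def parse_question(msg):
    """Return (txid, flags, qname, qtype, qclass) of the first question in `msg`."""
    txid, flags = struct.unpack("!HH", msg[:4])
    pos, labels = 12, []
    while msg[pos] != 0:                     # uncompressed labels only, as in queries
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return txid, flags, ".".join(labels), qtype, qclass

def accept_reply(query, sent_to, reply, came_from):
    """Checks a stub resolver applies to a UDP reply; `sent_to`/`came_from` are (ip, port)."""
    if came_from != sent_to:                 # must come from the server we actually asked
        return False
    q, r = parse_question(query), parse_question(reply)
    if r[0] != q[0] or not (r[1] & 0x8000):  # same transaction ID, QR bit set
        return False
    return r[2:] == q[2:]                    # same name, type and class as the question

# Constructed scenario from the question: host A asks DNS 1; DNS 3 sits on the path.
DNS1, DNS3 = ("192.0.2.1", 53), ("192.0.2.3", 53)
QUERY = build_query("google.com", txid=0x1234)

def server3_unsolicited_reply_accepted():
    """DNS 3 answering a query that was addressed to DNS 1: dropped by A."""
    return accept_reply(QUERY, DNS1, build_reply(QUERY, "203.0.113.5"), DNS3)

def dns1_reply_accepted():
    """Reply from the server A asked, with matching ID and question: accepted."""
    return accept_reply(QUERY, DNS1, build_reply(QUERY, "203.0.113.5"), DNS1)

def wrong_txid_reply_accepted():
    """Same source as DNS 1, but the transaction ID does not match: dropped."""
    forged = b"\x99\x99" + build_reply(QUERY, "203.0.113.5")[2:]
    return accept_reply(QUERY, DNS1, forged, DNS1)
```

A gateway that rewrites the reply in place would pass all three checks, since from A's socket the packet still arrives from DNS 1 with the expected ID; only DNSSEC validation or an encrypted transport with certificate checking reveals that.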
-
So my case isn't really security related; we have two networks/subnets with their own DNS servers (several in each) and a one-way trust in AD between them. Some of the equipment on network 1 is configured to use the DNS servers of network 2 because they're part of the same domain (different subnets, same domain). I'm wondering if network 1's DNS servers respond to those queries. But since I saw your comment that DNS requests also use TCP I assume the answer is no since I'm guessing the TCP part is the IP address of the desired DNS server. – David Breeden Mar 29 '18 at 22:45
-
If there are no funny things on the network, the client just connects to the IP configured as recursive nameserver for him, that given server replies to its DNS queries and that is all. Either UDP or TCP depending on many things. – Patrick Mevzek Mar 29 '18 at 22:52