ezgigurkan asked:
Domain Name System hierarchy

I'm having trouble understanding how the DNS resolution system actually works. I would like to know the functional relationship between these:
DNS server, root nameserver, gTLD, ccTLD, domain name registrar and domain name registry.

I know there is a hierarchy from the root servers down to DNS servers but do not quite understand the role of registrars, for example (functionally, as in when resolving a URL).

I actually do have a pretty good knowledge, but the top servers and registrars started confusing me after reading about botnets resolving their own DNS queries (from a 2005 source, not sure if they still do) to prevent people from shutting down the DNS servers, and that registrars are difficult to deal with. So does that mean they relied on dynamic DNS in the past and now register a whole domain with a registrar, and registrars refuse to block those addresses? What's the role of root servers then, and why can't they block these DNS servers? And I'd imagine that registrars do not do dynamic DNS, so the IPs of those servers could easily be revealed and shut down as they would be static.

I'm doing research on botnets and the information is very scattered, so it's difficult to put everything together. I would really appreciate some help.

Thanks.
svs:

Registrars take your money and maintain a record in their database that says you own a particular domain. You can query that database with WHOIS.

Root nameservers take certain information from these databases (nameserver names and addresses) and answer DNS queries.

"Botnets resolving their own DNS queries" is quite vague. Botnet owners can, however, frequently change NS records in the registrar's database, and use DNS proxies to conceal the true identity of their DNS servers.
ASKER CERTIFIED SOLUTION by cirlare (solution text not shown on this page)

ezgigurkan (asker):
svs:
Yeah, I know it's vague and it's all I have, in a 2005 paper.

Apart from the registrar part I knew most of that. About the frequent changing of NS records and using proxies, isn't that fast flux, which I thought was first used by the Storm (Peacomm) botnet? And even so, isn't caching or TTL a problem for this approach?
I guess that the TTL would be sufficiently short.

Can you give a link to that 2005 paper?
http://www.math.tulane.edu/~tcsem/botnets/ndss_botax.pdf

You can look at the third page, under Recent Developments and Decentralised Naming Resolution. It's just a short sentence, without much detail. The references given aren't any good either.
Let me be blunt -- are you designing your own botnet? :-)
Hehehehe... I think I'm flattered in a weird way:)

I'm a computer science (in fact AI) student doing an MSc and I need to write a long report on a distributed system of my own choice. I'm hoping to get into the security industry, so I'm trying to choose my research topics accordingly. My first choice was distributed IDS, but there are at least 5 other students doing that, so I decided to do something more interesting. I'll mainly talk about how botnets manage to conceal their C&C servers (or any other server, like phishing sites).

The resources for this topic are very scattered and mainly include AV websites and such, so I'm having trouble getting a chronological account of how botnet infrastructures (from a distributed network point of view) evolved over the last decade. That's why I'm also reading old papers. Not that useful for designing a new botnet:)
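To tie together svs's description of the registrar/registry/root relationship with the TTL question raised later in the thread, here is a small simulation added for this page (not code from any participant): an iterative resolver walks from a constructed root zone, through a constructed .com registry server holding the NS record a registrar submitted, to the domain holder's own authoritative server, caching each record for its TTL. All server names, zone contents and addresses are invented (RFC 5737 documentation ranges); the point it shows is that once the delegation is cached, a short TTL on the leaf record sends the resolver back only to the holder's server, never to the root or the registry.

```python
# Constructed zone data for a simulated DNS hierarchy (not real registry contents):
# server name -> {owner name: (type, ttl_seconds, value)}. Glue A records are left
# out and servers are addressed by name to keep the simulation short.
ZONES = {
    "root": {  # root nameserver: delegates each TLD to the registry's servers
        "com.": ("NS", 172800, "a.gtld.test"),
    },
    "a.gtld.test": {  # .com registry server; this NS record is what the registrar submitted
        "example.com.": ("NS", 172800, "ns1.example.com."),
    },
    "ns1.example.com.": {  # the domain holder's own authoritative server
        "www.example.com.": ("A", 300, "192.0.2.10"),
        "flux.example.com.": ("A", 30, "198.51.100.7"),  # deliberately short TTL
    },
}


def ancestors(name):
    # Enclosing zones, closest first: "www.example.com." -> example.com., com.
    return [".".join(name.split(".")[i:]) for i in range(1, name.count("."))]


class Resolver:
    """Minimal iterative resolver with a TTL cache for answers and delegations."""
    def __init__(self):
        self.cache = {}  # (name, type) -> (expires_at, value)

    def _cached(self, key, now):
        hit = self.cache.get(key)
        return hit[1] if hit and hit[0] > now else None

    def resolve(self, name, now, rtype="A"):
        """Return (value, servers_contacted); now is simulated time in seconds."""
        if value := self._cached((name, rtype), now):
            return value, []
        # Start at the deepest delegation still cached for an ancestor, else at the root.
        known = [self._cached((anc, "NS"), now) for anc in ancestors(name)]
        server, path = next((s for s in known if s), "root"), []
        while server in ZONES:
            path.append(server)
            zone = ZONES[server]
            if name in zone and zone[name][0] == rtype:
                _, ttl, value = zone[name]
                self.cache[(name, rtype)] = (now + ttl, value)
                return value, path
            for anc in ancestors(name):  # otherwise follow the closest enclosing delegation
                if anc in zone and zone[anc][0] == "NS":
                    _, ttl, server = zone[anc]
                    self.cache[(anc, "NS")] = (now + ttl, server)
                    break
            else:
                break  # neither an answer nor a delegation here
        return None, path
```

Resolving flux.example.com. at t=0 contacts all three servers; resolving it again at t=31 contacts only ns1.example.com., because the 30-second answer has expired but the two-day delegation has not.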