Domain Name System hierarchy

I'm having trouble understanding how the DNS resolution system actually works. I would like to know the functional relationship between these:
DNS server, root nameserver, gTLD, ccTLD, domain name registrar and domain name registry.

I know there is a hierarchy from the root servers down to DNS servers, but I do not quite understand the role of registrars, for example (functionally, as in when resolving a URL).

I actually do have pretty good knowledge, but the top servers and registrars started confusing me after reading about botnets resolving their own DNS queries (from a 2005 source; not sure if they still do) to prevent people from shutting down the DNS servers, and that registrars are difficult to deal with. So does that mean they relied on dynamic DNS in the past and now register a whole domain with the registrar, and registrars refuse to block those addresses? What's the role of root servers then, and why can't they block these DNS servers? And I'd imagine that registrars do not do dynamic DNS, and the IPs of those servers could easily be revealed and shut down, as they would be static.

I'm doing research on botnets, and the information is very scattered, so it's difficult to put everything together. I would really appreciate some help.

cirlare Commented:
The root servers are the know-it-all machines, aka the gods of the DNS infrastructure. They are the master list of every single website that is on the internet. Every domain controller has a cheat-sheet list of these 13 root servers' IP addresses.

Registrars such as GoDaddy basically take your info about a website and insert this info into the root servers and DNS servers around the world so people can find you. So now you have a DNS record in the root hint file that says: to find about, go to this address.

The root name server does not have everything for a domain. Entries such as MX records or name records for your domain don't exist on root name servers. Instead, the root name server says "go ask xxxx nameserver about this domain, he will know more about it."

Each of the 13 root servers has its own dedication: one server does .com, the other one something else, etc.

The . notation just means that you are part of something. So means that google is part of the .com section, and the DNS server will ask the .com root name server about the info. Just means that there is a server named www within the google domain under the com top level.

As for botnets, you can easily write your own software to specifically go to an IP address to look up other names, depending on how you do it. Some of the botnets are controlled via IRC; it is not hard to program a piece of software to phone home to a specific IP and ask for instructions.

Programs can be written so that, instead of using the default IP resolving scheme, they specifically look for information somewhere on the internet.
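
The referral chain described above (root hints, then the TLD servers, then the domain's own nameserver, with the root holding no MX or host records at all) can be walked offline. The following is an added example written for this thread, not code from any of the posters; every zone, nameserver name and address in it is constructed (addresses come from the RFC 5737 documentation ranges), and the "network" is a Python dictionary rather than real UDP queries.

```python
"""Offline walk down the DNS delegation hierarchy (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Zone:
    """One nameserver's authoritative data. All values are constructed."""
    apex: str                                        # "." / "com." / "example.com."
    delegations: dict = field(default_factory=dict)  # child zone -> list of NS names
    glue: dict = field(default_factory=dict)         # NS name -> IPv4 address
    records: dict = field(default_factory=dict)      # (owner, type) -> list of values


# Root hints: the fixed list a resolver ships with before it knows anything else.
ROOT_HINTS = {"a.root-servers.example.": "192.0.2.1"}

# The simulated internet, keyed by nameserver address (constructed).
SERVERS = {
    # Root zone: knows only which servers run each TLD, nothing about hosts.
    "192.0.2.1": Zone(".",
                      delegations={"com.": ["a.gtld.example."]},
                      glue={"a.gtld.example.": "198.51.100.1"}),
    # TLD registry zone: holds the NS records the registrar submitted for the domain.
    "198.51.100.1": Zone("com.",
                         delegations={"example.com.": ["ns1.example.com."]},
                         glue={"ns1.example.com.": "203.0.113.1"}),
    # The domain's own authoritative server: the only place A and MX records live.
    "203.0.113.1": Zone("example.com.",
                        records={("www.example.com.", "A"): ["203.0.113.80"],
                                 ("example.com.", "MX"): ["10 mail.example.com."]}),
}


def query(server_ip, qname, qtype):
    """Answer as the server at server_ip would: data from its own zone, a referral
    to the longest-matching delegated child zone, or an empty answer otherwise
    (a real server would return NXDOMAIN/NODATA; simplified here)."""
    zone = SERVERS[server_ip]
    if (qname, qtype) in zone.records:
        return {"answer": zone.records[(qname, qtype)]}
    matches = [c for c in zone.delegations if qname == c or qname.endswith("." + c)]
    if matches:
        child = max(matches, key=len)
        return {"referral": {ns: zone.glue[ns] for ns in zone.delegations[child]}}
    return {"answer": []}


def resolve(qname, qtype, max_hops=8):
    """Iterative resolution: start at a root hint and follow referrals until some
    server gives an answer. Returns (list of nameservers asked, answer values)."""
    ns_name, ns_ip = next(iter(ROOT_HINTS.items()))
    asked = []
    for _ in range(max_hops):
        asked.append(ns_name)
        reply = query(ns_ip, qname, qtype)
        if "answer" in reply:
            return asked, reply["answer"]
        # Follow the first glued nameserver in the referral
        ns_name, ns_ip = next(iter(reply["referral"].items()))
    raise RuntimeError("delegation chain too deep or looping")


if __name__ == "__main__":
    for name, rtype in [("www.example.com.", "A"), ("example.com.", "MX")]:
        path, answer = resolve(name, rtype)
        print(f"{name} {rtype}: asked {' -> '.join(path)}; answer {answer}")
```

Asking the root directly for the MX record yields a referral, never the record itself, which is the practical reason a root or TLD operator cannot "block" a domain's content: they only hold the pointer to whichever nameserver the registrar has recorded for it.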
Registrars take your money and maintain a record in their database that says you own a particular domain. You can query that database with WHOIS.

Root nameservers take certain information from these databases (nameserver names and addresses) and answer DNS queries.

"botnets resolving their own DNS queries" is quite vague. Botnet owners can, however, frequently change NS records in the registrar's database, and use DNS proxies to conceal the true identity of their DNS servers.
ezgigurkan (Author) Commented:
Yeah, I know it's vague, and it's all I have, in a 2005 paper.

Apart from the registrar part, I knew most of that. About the frequent changing of NS records and using proxies, isn't that fast flux, which I thought was first used by the Storm (Peacomm) botnet? And even so, isn't caching or TTL a problem for this approach?
I guess that TTL would be sufficiently short.

Can you give a link to that 2005 paper?
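
The exchange above (NS records changed often, proxies in front of the real servers, and a TTL kept short enough that caching is not an obstacle) describes exactly the churn a defender can measure. The following is an added example written for this thread, not code from any poster or paper: it scores names in a batch of passive-DNS-style observations for fast-flux-like behaviour. The observations are constructed, and the thresholds are illustrative assumptions rather than published heuristics.

```python
"""Spotting fast-flux-style churn in passive DNS observations (constructed example)."""
from collections import defaultdict

# Constructed observations: (epoch seconds, qname, rrtype, rdata, ttl)
OBSERVATIONS = [
    # A stable site: one address all day, ordinary TTL
    (0,     "static.example.", "A", "203.0.113.10", 3600),
    (3600,  "static.example.", "A", "203.0.113.10", 3600),
    (86400, "static.example.", "A", "203.0.113.10", 3600),
    # A fluxing name: a new address every few minutes, tiny TTL, several /24s
    (0,    "flux.example.", "A", "198.51.100.7",  120),
    (150,  "flux.example.", "A", "192.0.2.44",    120),
    (300,  "flux.example.", "A", "203.0.113.91",  120),
    (450,  "flux.example.", "A", "198.51.100.88", 120),
    (600,  "flux.example.", "A", "192.0.2.201",   120),
    # Its NS records keep changing too (double flux)
    (0,    "flux.example.", "NS", "ns1.flux.example.", 300),
    (900,  "flux.example.", "NS", "ns7.flux.example.", 300),
    (1800, "flux.example.", "NS", "ns3.flux.example.", 300),
]


def summarize(observations):
    """Per (name, type): distinct rdata values, distinct /24 networks for A
    records, first/last time seen, and the smallest TTL observed."""
    def fresh():
        return {"rdata": set(), "nets": set(), "first": None, "last": None, "min_ttl": None}
    stats = defaultdict(fresh)
    for ts, name, rtype, rdata, ttl in observations:
        s = stats[(name, rtype)]
        s["rdata"].add(rdata)
        if rtype == "A":
            s["nets"].add(".".join(rdata.split(".")[:3]))
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return stats


def flux_score(stats, name):
    """Count the churn indicators a name trips; thresholds are assumptions."""
    score, reasons = 0, []
    a = stats.get((name, "A"))
    if a:
        span_hours = max((a["last"] - a["first"]) / 3600, 1 / 60)
        rate = len(a["rdata"]) / span_hours          # distinct addresses per hour
        if a["min_ttl"] <= 300:
            score += 1; reasons.append("low A TTL")
        if rate >= 3:
            score += 1; reasons.append("rapid A churn")
        if len(a["nets"]) >= 3:
            score += 1; reasons.append("addresses spread across networks")
    ns = stats.get((name, "NS"))
    if ns and len(ns["rdata"]) >= 3:
        score += 1; reasons.append("NS churn")
    return score, reasons


def report(observations, min_score=2):
    """Names whose score reaches min_score, sorted for stable output."""
    stats = summarize(observations)
    names = {name for name, _ in stats}
    return sorted(n for n in names if flux_score(stats, n)[0] >= min_score)


if __name__ == "__main__":
    stats = summarize(OBSERVATIONS)
    for name in sorted({n for n, _ in stats}):
        print(name, flux_score(stats, name))
```

The low-TTL indicator on its own is weak evidence: content delivery networks and load balancers also hand out short TTLs and many addresses, which is why the score combines TTL with address spread and NS churn before a name is reported.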
ezgigurkan (Author) Commented:

You can look at the third page, under Recent Developments and Decentralised Naming Resolution. It's just a short sentence, without much detail. The references given aren't any good either.
Let me be blunt -- are you designing your own botnet? :-)
ezgigurkan (Author) Commented:
Hehehehe... I think I'm flattered in a weird way :)

I'm a computer science (in fact AI) student doing an MSc, and I need to write a long report on a distributed system of my own choice. I'm hoping to get into the security industry, so I'm trying to choose my research topics accordingly. My first choice was distributed IDS, but there are at least 5 other students doing that, so I decided to do something more interesting. I'll mainly talk about how botnets manage to conceal their C&C servers (or any other server, like phishing sites).

The resources for this topic are very scattered and mainly include AV websites and such, so I'm having trouble getting a chronological account of how botnet infrastructures (from a distributed network point of view) evolved over the last decade. That's why I'm also reading old papers. Not that useful for designing a new botnet :)
Question has a verified solution.