
DNS monitoring

DNS stands for Domain Name System. DNS is the service that resolves user-friendly domain names such as google.com into computer-friendly IP addresses such as 64.233.160.0. The IP address is what lets the browser find the server holding the requested content. The set of host names and the addresses they map to is called the namespace. Monitoring your DNS entries ensures that the Domain Name System keeps directing visitors, and electronic communication such as e-mail, to the correct servers for your websites and services.

The Domain Name System is a hierarchical, distributed database in which each part holds a portion of the information that leads to a specific website or device. It works on top of the TCP/IP protocol suite to provide a comprehensive, user-friendly way of naming resources across the whole Internet.

The DNS is the busiest database in the world, handling requests from billions of devices. A single page view can result in 50 or more DNS queries, and as you surf the Internet you may generate thousands of them. Considering the billions of people and devices (Internet of Things) doing the same thing, the number of requests handled by DNS servers is staggering, yet the DNS copes with this traffic excellently and resolves most domain names in milliseconds.

How does the DNS work?

The process of turning a host name (e.g. google.com) into an IP address (e.g. 64.233.160.0) is called resolution. Resolving a host name is invisible to the user who types it into the browser's address bar, but in the milliseconds between request and answer a lot happens, and four different types of DNS server are involved.

DNS server types

Four different types of DNS servers work together to provide you with the content you need.

DNS Recursor

Usually the ISP (Internet Service Provider) provides the DNS Recursor or recursive DNS server. This server acts as a kind of concierge, taking client requests to resolve a host name to an IP address, doing the work, and returning the IP address to the client.

The recursive resolver first checks its cache to see whether it already holds an answer for this host name. If it does not, the resolver starts the lookup at a root server.

Root name server

If the DNS recursor has no cache entry, it contacts a DNS root name server. The root servers serve the root zone, which sits at the top of the DNS hierarchy, and they refer the recursor to the correct top-level domain zone.

There are 13 root server addresses (a.root-servers.net to m.root-servers.net), operated by 12 independent organizations; behind each address sit many anycast instances around the world. The root servers do not know the final answer themselves: they reply to the recursor with a referral, i.e. the names and IP addresses of the name servers for the corresponding top-level domain (TLD).

TLD name server

The top-level domain name servers hold the delegation information for all domain names under one extension such as .com, .gov, .net or .edu. They reply to the recursor with another referral: the names and IP addresses of the authoritative name servers that hold the records for the requested domain.

Authoritative name server

The authoritative name server holds the actual records for a specific domain name such as google.com. It answers the query with the IP address for the name; the recursor stores that answer in its cache (for as long as the record's TTL allows) and forwards it to the client, and the browser then connects to the website using the IP address.

Resolving a host name sounds laborious, but it is nearly instantaneous: a cached answer arrives in well under a millisecond, and a full recursive lookup typically takes tens of milliseconds. The first response from the web server usually references further URLs (images, scripts and stylesheets, often on other host names), so a single web page can require dozens of DNS resolutions.
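The messages exchanged in the resolution described above have a compact binary format (RFC 1035). The following Python example, added here and not part of the original article, builds the query a stub resolver would send, then parses a constructed response containing a CNAME plus the A record for its target, including the name-compression pointers that real responses use. It runs entirely offline: the host names, the transaction ID 0x1234 and the address 93.184.216.34 are constructed sample data. The only thing a resolver has to match a response against its query is the 16-bit transaction ID (together with the source port and the question), which is why `parse_response` refuses a response with the wrong ID.

```python
import random
import struct
from typing import Dict, List, Optional, Tuple

QTYPE_A, QTYPE_CNAME, QTYPE_AAAA, CLASS_IN = 1, 5, 28, 1


def encode_name(name: str) -> bytes:
    """Encode a host name as DNS labels: length byte + label, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: Optional[int] = None) -> bytes:
    """Build a standard query with RD=1, as a stub resolver sends to its recursor."""
    if txid is None:
        txid = random.randrange(0, 0x10000)      # 16-bit transaction ID
    flags = 0x0100                                # QR=0, Opcode=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at `offset`, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name as it appears in the message)."""
    labels: List[str] = []
    end = None                                    # resume point after first pointer
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # 11xxxxxx: pointer to earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 64:                         # guard against pointer loops
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_response(msg: bytes, expected_txid: int) -> Dict[str, object]:
    """Parse header, question section and answer section of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: response is not for our query")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: this is not a response")
    rcode, offset = flags & 0x000F, 12
    questions = []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == QTYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype == QTYPE_CNAME:
            value, _ = decode_name(msg, offset)   # rdata is a (possibly compressed) name
        else:
            value = rdata.hex()
        offset += rdlen
        answers.append({"name": name, "type": rtype, "ttl": ttl, "value": value})
    return {"id": txid, "rcode": rcode, "questions": questions, "answers": answers}


def sample_messages() -> Tuple[bytes, bytes]:
    """Constructed exchange (no network): query www.example.com A; the response
    is a CNAME to cdn.example.net plus the A record for that target."""
    query = build_query("www.example.com", QTYPE_A, txid=0x1234)
    q_end = len(query)                            # first answer starts here (33)
    cname_rdata = encode_name("cdn.example.net")
    ans1 = (b"\xC0\x0C"                           # owner: pointer to qname at offset 12
            + struct.pack("!HHIH", QTYPE_CNAME, CLASS_IN, 300, len(cname_rdata))
            + cname_rdata)
    target_ptr = struct.pack("!H", 0xC000 | (q_end + 12))   # pointer into ans1's rdata
    ans2 = target_ptr + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 60, 4) + bytes([93, 184, 216, 34])
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)   # QR=1, RD=1, RA=1
    return query, header + query[12:] + ans1 + ans2


def sample_exchange() -> Dict[str, object]:
    _query, response = sample_messages()
    return parse_response(response, expected_txid=0x1234)


if __name__ == "__main__":
    for rr in sample_exchange()["answers"]:
        print(rr)
```

Running the block prints the two answer records in order: the CNAME for www.example.com. with TTL 300, then the A record owned by cdn.example.net. with TTL 60, which is exactly the chain a recursor follows before it can hand an address to the browser.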

Load distribution via DNS

Occasionally one hears about load balancing via DNS, also called round-robin DNS. Here the authoritative name server holds several address records for a single host name. When a query arrives, the name server answers with the first entry and moves it to the back of the list; the next time a DNS recursor asks for that host name, the next entry comes first. (In practice the server returns all the addresses in rotated order and the client uses the first one.)

This method is used to spread the load of a website across multiple redundant servers. Its problems include:

  • The name server usually has no idea when one of the servers is offline and keeps handing out its address. Some DNS providers offer health checks that drop unreachable addresses from the answer.
  • The DNS recursor may cache the answer and direct every client behind it to the same IP address for as long as the TTL lasts. A short TTL (see DNS caching below) reduces this skew but does not eliminate it.

DNS caching

Caching can happen at every level of the DNS hierarchy, but it matters most at the recursive resolver. Instead of repeating the whole resolution process for every query about the same host name, servers keep the answer ready for a short time in case it is needed again. For example, the first response from a web server usually references further URLs on the same host name; if the recursor did not cache the address, it would have to resolve the name afresh for each of those requests.

The cache can sit on your own computer (the stub resolver), on your router, at your ISP or on any of the DNS servers along the way. Cached entries go stale, so every DNS record carries an expiry called the "Time to Live" (TTL). The TTL is set in the authoritative zone and tells every cache how many seconds it may keep the record before it must discard it and fetch it again.
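To make the interaction between round-robin DNS and caching concrete, here is a small simulation, added as an example and not taken from the article: an authoritative server that rotates through three addresses (returning one per query, as the text describes), a recursor with a TTL-bounded cache, and an injected clock. The addresses 198.51.100.10 to .12 and the host name are constructed sample data; the optional `healthcheck` callback stands in for the provider-side availability check the text mentions and is an assumption of this example.

```python
from collections import deque
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


class AuthoritativeServer:
    """Authoritative server with a round-robin list of addresses for one host name."""

    def __init__(self, name: str, addresses: List[str], ttl: int,
                 healthcheck: Optional[Callable[[str], bool]] = None):
        self.name = name
        self.rrset = deque(addresses)
        self.ttl = ttl
        self.healthcheck = healthcheck        # optional: skip addresses that are down

    def query(self, name: str) -> Tuple[str, int]:
        if name != self.name:
            raise KeyError(name)
        for _ in range(len(self.rrset)):
            ip = self.rrset[0]
            self.rrset.rotate(-1)             # move the entry just served to the end
            if self.healthcheck is None or self.healthcheck(ip):
                return ip, self.ttl
        raise RuntimeError("no healthy address left")


class RecursiveResolver:
    """Recursor with a TTL-bounded cache; `now` is an injected clock in seconds."""

    def __init__(self, upstream: AuthoritativeServer):
        self.upstream = upstream
        self.cache: Dict[str, Tuple[str, float]] = {}   # name -> (ip, expires_at)
        self.upstream_queries = 0

    def resolve(self, name: str, now: float) -> str:
        entry = self.cache.get(name)
        if entry is not None and now < entry[1]:
            return entry[0]                   # cache hit: the authoritative server never sees it
        ip, ttl = self.upstream.query(name)
        self.upstream_queries += 1
        self.cache[name] = (ip, now + ttl)
        return ip


def simulate(ttl: int, clients: int, spacing: float,
             down: FrozenSet[str] = frozenset()) -> Dict[str, object]:
    """`clients` clients behind one recursor send one query each, `spacing`
    seconds apart. Returns the answers they got and how many reached upstream."""
    addrs = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]   # constructed sample
    check = (lambda ip: ip not in down) if down else None
    auth = AuthoritativeServer("www.example.com", addrs, ttl, healthcheck=check)
    recursor = RecursiveResolver(auth)
    answers = [recursor.resolve("www.example.com", now=i * spacing) for i in range(clients)]
    return {"answers": answers, "distinct": len(set(answers)),
            "upstream_queries": recursor.upstream_queries}


if __name__ == "__main__":
    print("TTL 300:", simulate(ttl=300, clients=9, spacing=1))   # one address for everyone
    print("TTL 0:  ", simulate(ttl=0, clients=9, spacing=1))     # perfect rotation, 9 upstream hits
    print("TTL 5:  ", simulate(ttl=5, clients=9, spacing=1))     # rotation only every 5 seconds
    print("down:   ", simulate(ttl=0, clients=6, spacing=1, down=frozenset({"198.51.100.10"})))
```

With a 300-second TTL all nine clients land on the same server, because the recursor answers eight of them from its cache; only a TTL of 0 restores the rotation, at the price of one upstream query per client. The last run shows the health-check variant skipping the address marked as down, which the plain round-robin server in the text cannot do.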

Cache poisoning

DNS caching also makes the Domain Name System vulnerable; this weakness is known as cache poisoning. A DNS cache is poisoned, or contaminated, when invalid records are inserted into it, either by an attacker who manages to slip a forged response past the resolver's checks (transaction ID, source port and question matching) or by malware that alters local DNS settings. The goal is usually to direct queries to a phishing site or another site of the attacker's choosing.

DNS records (zone files)

So we now know that DNS is an enormous hierarchical system that converts human-readable domain names into computer-friendly IP addresses. Most of the time, though, someone who mentions "DNS" means the DNS records (the zone file) for a single domain, as held on its authoritative name servers.

Each record in a zone has several fields that provide particular information about the domain. DNS defines dozens of record types; below we present the eight most commonly used ones.

A record

The A record maps a host name to an IPv4 address, a 32-bit address. IPv4 has been the standard for IP addresses since the beginning of the Internet, but its small pool of addresses (about 4.29 billion) is already exhausted. To cope with the growing number of devices that need addresses, 128-bit IPv6 addresses have been used more and more for some time.

AAAA record

If a host supports 128-bit IPv6, the AAAA record holds its IPv6 address. That address space offers 2^128, roughly 3.4 × 10^38, possible addresses.

CNAME record

The "C" in CNAME stands for "canonical name". Instead of returning an IP address, a CNAME record returns an alias: another name that the resolver must look up in turn. For example, if you moved your site from www.mysite.com to www.mywebsite.com, you could set a CNAME for www.mysite.com pointing to www.mywebsite.com. When a query for www.mysite.com reaches the authoritative name server, the response says that the canonical name is www.mywebsite.com, and the resolver knows that it now has to resolve www.mywebsite.com to get the address. A name that carries a CNAME may carry no other records, which is why a CNAME cannot be placed at the zone apex (mysite.com itself), where the SOA and NS records live.

MX record

MX stands for "mail exchange". When a mail server asks for the MX records of a domain, it wants to know which hosts accept e-mail for that domain via the Simple Mail Transfer Protocol (SMTP), and in which order of preference.

NS Record

NS stands for name server. The NS records list the authoritative name servers for the domain; a resolver may ask any of them, so from the resolver's point of view there is no "primary" among them (the SOA record names the primary master that the secondaries copy the zone from). Listing several name servers that are hosted separately provides redundancy if one of them fails.

SOA record

SOA stands for "Start of Authority". This record provides zone-level information such as the administrator's e-mail address, the primary name server and the timers that secondary servers use. An important value that is frequently monitored is the serial number: whenever the zone is changed, the serial number must be increased (by one, or to a new date-based value such as YYYYMMDDnn) so that secondary servers notice the change. Watching whether the serial number changes tells you whether someone has modified the zone.

SRV record

SRV stands for "service". A service record names the host and port (together with a priority and weight) for a service such as instant messaging.

TXT record

TXT is short for "text". These records hold plain text and can be used for annotations, but their main use today is machine-readable policy: mail servers publish a Sender Policy Framework (SPF) policy in a TXT record so that a receiving mail server can verify that a message comes from a host authorised to send for the domain.

What is DNS Monitoring?

As we have seen, communication on the Internet depends on DNS. With DNS monitoring you protect your online presence by regularly checking your DNS records for unexpected changes or location-specific failures, whether caused by human error or by a malicious attack. DNS records are a favourite target of attackers and a frequent victim of human error. Apart from breaking into your DNS hosting or registrar account and changing the values directly, there are two main ways in which attackers use DNS against a website.

DNS poisoning

We mentioned this in the section on caching. DNS poisoning occurs when someone plants false information in a cache or on a server. The server holding the fake entry then answers queries for that name from its cache, other servers and routers cache the fake entry in turn, and the forgery spreads. These attacks usually redirect users to a fake website where the attackers harvest login credentials and other data such as credit card numbers.

Poisoning can also result from mistakes. In one such case, users in California and Chile who wanted to reach Facebook, Twitter and YouTube were sent to the wrong addresses: an ISP's queries had reached a root server instance located in China, where those sites are blocked by the government and the responses are rewritten to point at government-controlled websites.

DDoS and DoS attacks

DDoS (Distributed Denial of Service) and DoS (Denial of Service) attacks occur when one (DoS) or many (DDoS) computers fire requests at the DNS servers and at the website in such quick succession that the supporting infrastructure is overloaded. These attacks take many forms: using up all available connections, flooding the servers with data, degrading performance or taking the servers down completely.

Monitoring can help stop a DNS attack right from the start

Monitoring your DNS records should be a top priority. An error in your DNS records can take down your entire system and damage your brand's reputation. To keep an eye on your DNS records, consider monitoring the following aspects.

IP address (es)

This one is easy. The monitor sends a DNS query for your host name and compares the returned address with the address(es) you expect (one or more addresses, or a regular expression matching them). If the answer does not match, the check notifies you. If you support both IPv4 and IPv6, monitor both the A record (IPv4) and the AAAA record (IPv6): it is quite possible for one of them to break while the other still works.

SOA record

Your SOA record contains a serial number that changes whenever anything in the zone is modified. The number does not tell you what changed, but an unexpected change is an early warning that the zone has been altered, by you or by someone else.

MX Record and SRV Record

Imagine that your company's e-mails and messages are suddenly lost or bounced back to anyone trying to reach you. Or worse: someone hacks the system and forwards the messages and e-mails elsewhere. Monitoring the MX and SRV records helps you detect the loss or hijacking of important communication channels before it causes damage.

NS record and root server

Test your NS records to make sure no one has changed the list of authoritative name servers. Also query those name servers directly to ensure that each of them returns the correct records; a stale or hijacked secondary can answer differently from the primary. Monitoring is a dependable way to ensure that your DNS records are intact and are being served reliably.
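The record types introduced above and the monitoring checks just listed (serial number, A/AAAA, MX, SRV, NS) come together in the following Python example, which is added here and is not the article's or Uptrends' code. It parses two constructed zone snapshots in a simplified zone-file syntax, lints the structural rules the text describes (CNAME exclusivity, redundant NS, one SOA) and reports the drift between a baseline and a later snapshot the way a monitor would. The example.com zone, its serial numbers and the "tampered" MX target mail.example.org. are constructed sample data; in practice the `CURRENT` snapshot would be built from live queries against each name server.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]          # (owner name, record type, rdata)


def parse_zone(text: str) -> List[Record]:
    """Parse a simplified zone file: `$ORIGIN`, `@`, relative names, and one
    `owner TTL IN TYPE rdata...` record per line (no parentheses, no multi-line)."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            raise ValueError(f"unsupported line: {raw!r}")
        owner, rtype, rdata = fields[0], fields[3].upper(), " ".join(fields[4:])
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"              # relative name -> fully qualified
        records.append((owner, rtype, rdata))
    return records


def soa_serial(records: List[Record]) -> int:
    """Serial is the third rdata field: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    for _owner, rtype, rdata in records:
        if rtype == "SOA":
            return int(rdata.split()[2])
    raise ValueError("zone has no SOA record")


def lint(records: List[Record]) -> List[str]:
    """Structural checks: CNAME exclusivity, at least two NS, exactly one SOA."""
    issues, by_owner = [], defaultdict(set)
    for owner, rtype, _rdata in records:
        by_owner[owner].add(rtype)
    for owner, types in by_owner.items():
        if "CNAME" in types and len(types) > 1:
            issues.append(f"{owner}: CNAME cannot coexist with {sorted(types - {'CNAME'})}")
    if sum(1 for r in records if r[1] == "NS") < 2:
        issues.append("fewer than two NS records: no redundancy")
    if sum(1 for r in records if r[1] == "SOA") != 1:
        issues.append("zone must have exactly one SOA record")
    return issues


def check_drift(baseline: List[Record], current: List[Record]) -> Dict[str, object]:
    """Compare two snapshots as a monitor would: serial movement, per-type
    added/removed records, and alerts for the cases that matter most."""
    old, new = set(baseline), set(current)
    added, removed = new - old, old - new
    changes: Dict[str, List[str]] = defaultdict(list)
    for owner, rtype, rdata in sorted(added):
        changes[rtype].append(f"+ {owner} {rdata}")
    for owner, rtype, rdata in sorted(removed):
        changes[rtype].append(f"- {owner} {rdata}")
    serial_changed = soa_serial(baseline) != soa_serial(current)
    alerts = []
    if any(r[1] != "SOA" for r in added | removed) and not serial_changed:
        alerts.append("records changed but SOA serial did not: secondaries will not notice")
    for rtype in ("MX", "NS"):                     # mail and delegation: hijack territory
        if changes.get(rtype):
            alerts.append(f"CRITICAL: {rtype} records changed")
    return {"serial_changed": serial_changed, "changes": dict(changes), "alerts": alerts}


# Constructed baseline snapshot covering the eight record types from the article.
BASELINE = """\
$ORIGIN example.com.
@   3600 IN SOA  ns1.example.com. hostmaster.example.com. 2024031501 7200 900 1209600 300
@   3600 IN NS   ns1.example.com.
@   3600 IN NS   ns2.example.net.
@    300 IN A    198.51.100.10
@    300 IN AAAA 2001:db8::10
www  300 IN CNAME example.com.
@   3600 IN MX   10 mail.example.com.
_xmpp-client._tcp 3600 IN SRV 5 0 5222 xmpp.example.com.
@   3600 IN TXT  "v=spf1 mx -all"
"""
# Constructed "later" snapshots: MX redirected to another host, with and without a serial bump.
CURRENT = BASELINE.replace("10 mail.example.com.", "10 mail.example.org.").replace("2024031501", "2024031502")
CURRENT_NOBUMP = BASELINE.replace("10 mail.example.com.", "10 mail.example.org.")

if __name__ == "__main__":
    base = parse_zone(BASELINE)
    print("lint:", lint(base) or "ok")
    print("drift:", check_drift(base, parse_zone(CURRENT)))
    print("drift without serial bump:", check_drift(base, parse_zone(CURRENT_NOBUMP)))
```

The MX swap is reported as a critical change in both runs. In the second run the zone data changed while the serial stayed at 2024031501, which is exactly the situation the SOA check above is meant to catch: secondaries (and anyone watching only the serial) would never learn that the mail route has moved.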

Test your DNS from anywhere

You will often find that DNS errors are local and affect only a subset of your users. An external monitoring service with a large network of checkpoints helps you spot even small, location-specific problems quickly.

Conclusion

IP networking and Internet communication rely on DNS. Active monitoring helps you catch a DNS attack or failure early: you will be the first to know, and you do not have to wait for customer complaints or compromised accounts.

Try Uptrends DNS Monitoring today

Test Uptrends for 30 days free of charge - no credit card required and no commitment! Monitor your DNS within minutes without any installation effort.
