A Domain Name System (DNS) name server connects you to the websites you want to visit. Understanding just how it does that requires a little background on how people and computers interact.
Computers work best in the language of numbers, while humans prefer words. Today’s Internet was built in a way that caters to each preference, allowing both computers and people to navigate the Web with ease. This means that every website has two names or addresses. One is a domain name easily remembered by humans, such as verisigninc.com. The other is a unique, computer-friendly series of numbers, or Internet Protocol (IP) address.
The Domain Name System (DNS) is a distributed, hierarchical database that maps domain names to IP addresses across the whole Internet; the part of it covering a particular top-level domain (TLD) such as .com or .net is held by that TLD's registry. The DNS identifies and locates computer systems and resources on the Internet. For instance, when you type a Web address, or URL, into a browser, the DNS matches the host name in it with the IP address of the server for that site, and your computer then connects to that server.
DNS name servers are the servers (physical or virtual) that hold and serve DNS records. Together they handle literally billions of queries every day. Each time someone types a Web address into a browser, name servers around the world receive the query, find the IP address, and return it to that person's computer, which then connects to the proper website, typically in a fraction of a second.
The best way to understand a domain name is to read it from right to left, starting at the last period or "dot." The characters after that dot signify the top-level domain or TLD. Each TLD has one or more second-level domain names (verisigninc.com); each second-level domain can have many third-level domain names (support.verisigninc.com). Internationalized Domain Names (IDNs) use characters from many different scripts, such as Kanji and Arabic, and not just the familiar Latin alphabet.
Domain names are registered for a period of one to ten years by an individual or an organization. A user contacts a registrar or reseller to register a domain name. The registrar verifies that the domain name is available by checking with the registry that manages the corresponding TLD. If it is available, the registrar registers the domain name with the registry, which adds it to the registry database. At the end of the registration period, the domain name registrant has the option to renew the domain name or let it expire.
As the global leader in domain names, Verisign powers the invisible navigation that takes people to where they want to go on the Internet. For more than 15 years, Verisign has operated the infrastructure for a portfolio of top-level domains that today include .com, .net, .tv, .edu, .gov, .jobs, .name and .cc, as well as two of the world’s 13 Internet root servers. Verisign’s product suite also includes Distributed Denial of Service (DDoS) Protection Services, iDefense Security Intelligence Services and Managed DNS.
The DNS is the addressing system for the Internet. Almost anything that interfaces with the Internet (e.g., computers, mobile devices, laptops, ATMs, and POS terminals) relies on DNS services to exchange information. DNS uses specialized servers to translate (or resolve) names such as www.verisigninc.com into numeric addresses that allow data and information to reach its destination. All Internet applications—ranging from websites, email, social networking, and online banking to Voice over Internet Protocol (VoIP), file sharing, and video on demand—depend on the accuracy and integrity of this translation. Without the DNS, the Internet cannot function. The DNS is integral to a nation's critical infrastructure, online business operations and financial transactions, and all Internet-based communications.
The domain name space consists of a tree of domain names, subdivided into zones. The root zone, at the top of the tree, is administered by the U.S. Department of Commerce (DoC) and jointly managed by Verisign and the Internet Assigned Numbers Authority (IANA) functions operator, which together maintain the data published by the root name servers.
A DNS zone consists of a collection of connected nodes served by an authoritative name server. Authoritative name servers for different zones are responsible for publishing the mappings of domain names to IP addresses. Each node or leaf in the tree has zero or more resource records that hold information associated with the domain name. Every domain name ends with a top-level domain (TLD) such as .com or .tv.
For the Internet to function and to prevent duplication of domain names, there must be one authoritative place to register a domain name. Each TLD has an authoritative registry, which manages a centralized database. The registry publishes the information about registered domain names and their name servers in TLD zone files. A TLD zone file lists each active second-level domain name (the label immediately to the left of the TLD, such as verisigninc in verisigninc.com) together with the names of its authoritative name servers (NS records) and, where those servers lie within the domain itself, their IP addresses (glue records), so that a resolver can be referred from the TLD to the domain's own servers.
The process of translating a domain name into an IP address is called DNS resolution. When someone types a domain name, such as www.verisigninc.com, into a web browser, the computer's resolver sends a query on the browser's behalf to a recursive name server to obtain the corresponding IP address. There are two types of name servers: authoritative name servers, which hold the complete, official data for a zone, and recursive name servers, which answer DNS queries for Internet users by querying authoritative servers (from the root down) and store the responses for a period of time set by each record's time to live (TTL). When a recursive name server receives a response, it caches (stores) it to speed up subsequent queries. Caching reduces the number of queries that have to be sent, but a cache that accepts responses without being able to verify where they came from is susceptible to cache poisoning and man-in-the-middle attacks.
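To make the resolution step concrete, here is an added example in Go (not code from the original page or from Verisign): it parses a constructed DNS response of the kind a recursive server returns for www.verisigninc.com, following the wire format's compression pointers with the bounds and loop checks a resolver needs so that a malformed message cannot make it read past the end of the packet or spin forever. The packet bytes, the transaction ID 0x1234 and the address 192.0.2.1 are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// sampleResponse is constructed test data, not a captured packet: "www.verisigninc.com A 192.0.2.1", TTL 300 s.
var sampleResponse = []byte{
	0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0, // ID, flags QR|RD|RA, QD=1, AN=1, NS=0, AR=0
	3, 'w', 'w', 'w', 11, 'v', 'e', 'r', 'i', 's', 'i', 'g', 'n', 'i', 'n', 'c', 3, 'c', 'o', 'm', 0, // QNAME
	0, 1, 0, 1, // QTYPE=A, QCLASS=IN
	0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0x01, 0x2C, 0, 4, 192, 0, 2, 1, // NAME=pointer to 12, A, IN, TTL=300, RDLENGTH=4, RDATA
}

// Answer is one A record taken from the answer section.
type Answer struct {
	Name string // fully qualified, with trailing dot
	TTL  uint32
	IP   [4]byte
}

// readName decodes a possibly compressed name at off; it returns the name and the offset just past the name as written at off (a pointer is 2 bytes).
func readName(msg []byte, off int) (string, int, error) {
	var labels []string
	next, jumps := -1, 0
	for {
		if off >= len(msg) {
			return "", 0, errors.New("name runs past end of message")
		}
		l := int(msg[off])
		switch {
		case l == 0: // end of name
			if next < 0 {
				next = off + 1
			}
			return strings.Join(labels, ".") + ".", next, nil
		case l&0xC0 == 0xC0: // compression pointer to an earlier occurrence
			jumps++
			if off+1 >= len(msg) || jumps > 16 {
				return "", 0, errors.New("bad compression pointer")
			}
			if next < 0 {
				next = off + 2
			}
			off = int(binary.BigEndian.Uint16(msg[off:]) & 0x3FFF)
		default: // ordinary label of length l
			if off+1+l > len(msg) {
				return "", 0, errors.New("label runs past end of message")
			}
			labels = append(labels, string(msg[off+1:off+1+l]))
			off += 1 + l
		}
	}
}

// parseResponse checks the header, skips the question section and returns the first A/IN answer.
func parseResponse(msg []byte) (Answer, error) {
	if len(msg) < 12 || binary.BigEndian.Uint16(msg[2:])&0x8000 == 0 {
		return Answer{}, errors.New("not a DNS response")
	}
	qd, an := int(binary.BigEndian.Uint16(msg[4:])), int(binary.BigEndian.Uint16(msg[6:]))
	off := 12
	for i := 0; i < qd; i++ {
		_, n, err := readName(msg, off)
		if err != nil {
			return Answer{}, err
		}
		off = n + 4 // skip QTYPE and QCLASS
	}
	for i := 0; i < an; i++ {
		name, n, err := readName(msg, off)
		if err != nil {
			return Answer{}, err
		}
		if n+10 > len(msg) {
			return Answer{}, errors.New("truncated resource record")
		}
		typ, class := binary.BigEndian.Uint16(msg[n:]), binary.BigEndian.Uint16(msg[n+2:])
		ttl, rdlen := binary.BigEndian.Uint32(msg[n+4:]), int(binary.BigEndian.Uint16(msg[n+8:]))
		if n+10+rdlen > len(msg) {
			return Answer{}, errors.New("RDATA runs past end of message")
		}
		if typ == 1 && class == 1 && rdlen == 4 {
			var ip [4]byte
			copy(ip[:], msg[n+10:n+14])
			return Answer{Name: name, TTL: ttl, IP: ip}, nil
		}
		off = n + 10 + rdlen // other record types are skipped
	}
	return Answer{}, errors.New("no A record in answer section")
}

func main() {
	ans, err := parseResponse(sampleResponse)
	fmt.Println(ans, err) // the parsed answer, or the error for a malformed message
}
```

The jump counter and the length checks are what separate a resolver from a crash or a hang: a compression pointer that refers to itself, or a label length that runs past the end of the datagram, is rejected instead of being followed.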
As a result of these attacks, cyber criminals can:
Cache poisoning occurs when fraudulent DNS data is inserted into the cache of a recursive name server. Recursive name servers temporarily store, or cache, information learned during the name resolution process, but without DNSSEC they have no way to verify that a response really came from the zone's authoritative servers and was not altered in transit; a forged response that matches the outstanding query is accepted like any other. When malicious information is cached on the recursive name server, the server is considered "poisoned," and it hands the bogus answer to every client that asks until the entry's TTL expires. Cache poisoning allows an attacker to redirect traffic to fraudulent sites.
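As an added example, not from the original page or from Verisign, the following Go program models a recursive server that is waiting on one query and accepts whichever response matches its transaction ID, first without validation and then with a DNSSEC-style signature check. Everything in it is a simplification and an assumption of the example: the zone signs a reduced byte string (name, TTL, address) with an Ed25519 key, whereas real DNSSEC signs canonical RRsets and publishes RRSIG, DNSKEY and DS records; the names and addresses (192.0.2.1, 198.51.100.66) are constructed; and the forged response is simply handed to the resolver first rather than raced over the network.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
	"time"
)

// Record is an A record as a resolver holds it; Sig is empty for unsigned data.
type Record struct {
	Name string
	TTL  uint32
	IP   [4]byte
	Sig  []byte
}

// signingInput is the byte string a zone signs: name, TTL and address. Real DNSSEC
// signs a canonical RRset together with RRSIG fields; this is a reduced model of it.
func signingInput(r Record) []byte {
	var ttl [4]byte
	binary.BigEndian.PutUint32(ttl[:], r.TTL)
	return append(append([]byte(r.Name), ttl[:]...), r.IP[:]...)
}

// newZoneKey generates an Ed25519 zone-signing key (GenerateKey uses crypto/rand when given nil).
func newZoneKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return priv
}

// sign attaches the zone's signature, as a signed zone publishes an RRSIG next to the RRset.
func sign(key ed25519.PrivateKey, r Record) Record {
	r.Sig = ed25519.Sign(key, signingInput(r))
	return r
}

type entry struct{ rec Record; expires time.Time }

// Resolver is a recursive name server with one outstanding query. With a nil
// trustAnchor it does not validate and trusts any response that matches that query.
type Resolver struct {
	trustAnchor ed25519.PublicKey
	pendingID   uint16
	awaiting    bool
	cache       map[string]entry
}

// Accept handles a response arriving on the resolver's socket. Without validation the
// only check is the transaction ID, so the first response to match it is cached and the
// genuine reply arriving later is dropped as unsolicited. A validating resolver also
// refuses anything not signed under its trust anchor.
func (r *Resolver) Accept(txid uint16, rec Record, now time.Time) bool {
	if !r.awaiting || txid != r.pendingID {
		return false
	}
	if r.trustAnchor != nil && !ed25519.Verify(r.trustAnchor, signingInput(rec), rec.Sig) {
		return false
	}
	r.awaiting = false
	r.cache[rec.Name] = entry{rec, now.Add(time.Duration(rec.TTL) * time.Second)}
	return true
}

// Lookup serves the cached address until its TTL has elapsed.
func (r *Resolver) Lookup(name string, now time.Time) ([4]byte, bool) {
	e, ok := r.cache[name]
	if !ok || !now.Before(e.expires) {
		return [4]byte{}, false
	}
	return e.rec.IP, true
}

// scenario races a forged response, signed with the attacker's own key, against the
// genuine one and returns the address the resolver then serves and whether it was poisoned.
func scenario(zoneKey, attackerKey ed25519.PrivateKey, validate bool) ([4]byte, bool) {
	const name = "www.verisigninc.com."
	now := time.Unix(1700000000, 0)
	genuine := sign(zoneKey, Record{Name: name, TTL: 300, IP: [4]byte{192, 0, 2, 1}})
	forged := sign(attackerKey, Record{Name: name, TTL: 86400, IP: [4]byte{198, 51, 100, 66}})
	res := &Resolver{pendingID: 0x1234, awaiting: true, cache: map[string]entry{}}
	if validate {
		res.trustAnchor = zoneKey.Public().(ed25519.PublicKey)
	}
	poisoned := res.Accept(0x1234, forged, now) // attacker's guess lands first
	res.Accept(0x1234, genuine, now)            // authoritative answer arrives second
	ip, _ := res.Lookup(name, now.Add(time.Minute))
	return ip, poisoned
}

func main() {
	zoneKey, attackerKey := newZoneKey(), newZoneKey()
	for _, validate := range []bool{false, true} {
		ip, poisoned := scenario(zoneKey, attackerKey, validate)
		fmt.Printf("validating=%v poisoned=%v serves %v\n", validate, poisoned, ip)
	}
}
```

Run it and the unvalidating resolver serves the attacker's address, and keeps serving it for the 86400-second TTL the attacker chose, while the validating resolver discards the forgery (it carries a signature, just not one made with the zone's key) and caches the genuine 192.0.2.1. The point the model isolates is that the transaction ID is the only thing an unvalidating cache relies on, and it is a value an attacker can guess; a signature under a key the resolver already trusts is not.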
A man-in-the-middle (MITM) attack surreptitiously intercepts and modifies communications between two systems. The attacker can potentially modify the communication to redirect traffic to an illegitimate address or website. End users do not detect the "man in the middle" and assume that they are communicating directly with their intended destination.