The Domain Name System (DNS) is one of the foundations of the internet, working in the background to match the names of web sites that people type into a search box with the corresponding IP address, a long string of numbers that no one could be expected to remember.\nIt's still possible for someone to type an IP address into a browser to reach a website, but most people want an internet address to consist of easy-to-remember words, called domain names. (For example,\u00a0Network World.)\nIn the 1970s and early 80s, the task of matching domain names and IP addresses was assigned to one person - Elizabeth Feinler at Stanford Research Institute, who maintained a master list of every internet-connected computer. This was obviously unsustainable, given the rapid growth of the internet, and, in 1983, Paul Mockapetris developed DNS, an automated, scalable system that handles domain-name-to-IP-address translation. \nThere are currently more than 342 million registered domains, so keeping all those names in a single directory would be cumbersome. Like the internet itself, the directory is distributed around the world on domain name servers that communicate with each other on a regular basis to provide updates and eliminate redundancies.\nAnother reason for the creation of a distributed system is to boost performance. For example, imagine if all of the requests coming in at the same time all over the world to resolve the domain name Google with the underlying IP address were being handled in a single location. To address this issue, DNS information is shared among many servers.\nThat means a single domain can have more than one IP address. For example, the physical server that your laptop or smartphone reaches when you enter\u00a0www.google.com\u00a0is different from the server that someone in another country would reach by typing the same site name into their browser. But DNS still gets you to the right place, no matter where you are in the world.\nHow does DNS work\nWhen your computer wants to find the IP address associated with a domain name, it first makes its DNS query via a DNS client, typically in a Web browser. The query then goes to a recursive DNS server, also known as a recursive resolver. A recursive resolver is typically operated by an Internet Service Providers (ISP), such as AT&T or Verizon (or some other third-party), and it knows which other DNS servers it needs to ask to resolve the name of a site with its IP address. The servers that actually have the needed information are called authoritative name servers.\nDNS is organized in a hierarchy. An initial DNS query for an IP address is made to a recursive resolver. This search first leads to a root server, which has information on top-level domains (.com, .net, .org), as well as country domains. Root servers are located all around the world, so the DNS system routes the request to the closest one.\nOnce the request reaches the correct root server, it goes to a top-level domain server (TLD nameserver), which stores information for the second-level domain, which is the words that you type into a search box. The request then goes to a domain nameserver, which looks up the IP address and sends it back to the DNS client device so it can visit the appropriate website. All of this takes mere milliseconds.\nWhat is DNS caching?\nChances are that you use Google several times a day. Instead of your computer querying the DNS nameserver for the IP address every time you enter the domain name, that information is saved on your personal device so that it doesn't have to access a DNS server to resolve the name with the IP address.\nAdditional caching can occur on the routers used to connect clients to the internet, as well as on the servers of the user's ISP. With so much caching going on, the number of queries that actually make it to the DNS name servers is significantly reduced, which helps with the speed and efficiency of the system.\nHow does the DNS numbering system work?\nEvery device that connects to the internet needs to have a unique IP address in order to have traffic properly routed to it. DNS translates human queries into numbers using a system known as IPv4 or IPv6. With IPv4, the numbers are 32-bit integers that are expressed in decimal notation. \nThe string of numbers is divided into sections, which include the network component, the host and the subnet, not dissimilar to a telephone number that might have a country code, an area code, etc. The network part of the number designates the class and category of network that is assigned to that number. The host identifies the specific machine on the network. The subnet part of the number is optional but is used to navigate the sometimes extremely large number of subnets and other partitions within a local network.\nIPv6, which was created to address concerns about the internet running out of IPv4 addresses, uses 128-bit-sized numbers, compared to 32-bit numbers with IPv4. There are 340 trillion trillion possible IPv6 addresses.\nWho assigns IP addresses?\nIn 1998, the U.S. government handed the task of assigning IP addresses over to the Internet Corporation for Assigned Numbers and Names (ICANN). The not-for-profit organization has managed that function ever since without any notable disruptions. ICANN develops policies on things like the creation of new top-level domains (such as .io).\nFor the most part, ICANN takes a neutral and advisory role. For example, anyone who wants to register a domain on the internet today can go to any number of ICANN-accredited registrars, which basically decentralizes the already decentralized DNS system. Once registered, new domains can populate and be reached worldwide via DNS servers in a matter of minutes.\nIs DNS secure?\nCybercriminals are extremely clever when it comes to identifying vulnerabilities that can be exploited in just about any system, and DNS has certainly come in for its fair share of attacks. A 2021 IDC survey of more than 1,100 organizations in North America, Europe and Asia-Pacific, showed that 87% had experienced DNS attacks. \nThe average cost of each attack was around $950,000 for all regions and about $1 million for organizations in North America. The report noted that organizations across all industries averaged 7.6 attacks during the previous year.\nThe COVID-related shift to off-premises work and the response by companies to move resources to the cloud to make them more accessible have provided new targets for attackers, the report said. \nThe researchers also found a sharp rise in data theft via DNS, with 26% of organizations reporting that sensitive customer information was stolen, compared with 16% in 2020.\nCommon types of DNS attacks include DNS amplification, DNS spoofing or cache poisoning, DNS tunneling, and DNS hijacking or DNS re-direction.\nAs DNS-related attacks continue to rise, many IT organizations are questioning the security of their DNS infrastructure, according to\u00a0Enterprise Management Associates (EMA). The research firm recently polled 333 IT professionals responsible for DNS, DHCP and IP address management (DDI) and found that only 31% of DDI managers are fully confident in the security of their DNS infrastructure.\nEMA asked research participants to identify the DNS security challenges that cause them the most pain. The top response (28% of all respondents) is DNS hijacking. Also known as DNS redirection, this process involves intercepting DNS queries from client devices so that connection attempts go to the wrong IP address.\u00a0\nThe second most concerning DNS security issue is DNS tunneling and exfiltration (20%). Hackers typically exploit this issue once they have already penetrated a network. DNS tunneling is used to evade detection while extracting data from a compromised. Hackers hide extracted data in outgoing DNS queries.\nIt\u2019s important for security monitoring tools to closely watch DNS traffic for anomalies, like abnormally large packet sizes, according to\u00a0Shamus McGillicuddy, research director for the network management practice at EMA. (Read more:\u00a0DNS security poses problems for enterprise IT)\nWhat is DNSSec?\nDNSSec is a security protocol devised by ICANN to help make communication among the various levels of servers involved in DNS lookups more secure. It addresses weaknesses in the communication between DNS top-level, second-level, and third-level directory servers that would allow hackers to hijack lookups.\nThis hijacking allows attackers to respond to requests for lookups to legitimate sites by directing users to a malicious site. These sites could upload malware to users or carry out phishing attacks.\nDNSSec addresses this by having each level of DNS server digitally sign its requests, ensuring that requests sent by end users aren't commandeered by attackers. This creates a chain of trust so that at each level of the lookup, the integrity of the request is validated. \nDNSSec also can determine if a domain name really exists, and if it doesn't, prevents a fraudulent domain from being delivered to innocent requesters seeking to have a domain name resolved.\nWhat is DNS over HTTPS (DoH)?\nWhile DNSSec addresses potential vulnerabilities within the distributed network of DNS servers, it certainly hasn't stopped DNS-based cyberattacks that use some form of deception to inject malicious code into the DNS system. \nIn one of the biggest shifts in the long history of DNS, Google, Mozilla, and others are encouraging a move to DNS over HTTPS or DoH, an IETF standard that encrypts DNS requests in the same way that the HTTPS protocol already protects most web traffic. \nThe shift to DoH, however, is not without controversy. By encrypting DNS requests, DoH could get in the way of enterprise IT being able to monitor the web activity of employees, and parents have complained that it could block them from implementing parental controls over their children's internet usage.\nUptake of DNS over HTTPS has been slow. On the client side, DoH comes with the latest version of Google Chrome and Mozilla Firefox, but it can be turned off by the end user. Organizations, that try to have some measure of control over which browsers and browser versions are used by employees, have the option to simply disable it. On the ISP side, many of the leading ISPS have not yet enabled DoH on their end.\nHow to find my DNS server\nGenerally speaking, the DNS server that you use will be established automatically by your ISP when you connect to the internet. If you want to see which servers are your primary name servers, there are web utilities that can provide information about your current network connection, such as browserleaks.com. \nWhile your ISP will set a default DNS server, you're under no obligation to use it. Some users may have reason to avoid their ISP's DNS, for example, if the ISP uses their DNS servers to redirect requests for nonexistent addresses to pages with advertising.\nAs an alternative, you can point your computer to a public DNS server that will act as a recursive resolver. One of the most prominent public DNS servers is Google's. The IP address is 126.96.36.199.