DNS knowledge: what you need to know about DNS

DNS knowledge

What is DNS lookup?

A Domain Name System (DNS) lookup is what happens in the time between someone typing a URL into the address bar and the page loading. Technically speaking, it is a process that translates URLs (like www.google.com) into IP addresses.

An IP address is similar to your house address. Just as you use addresses to send mail, computers use IP addresses to send data to a specific place. Since IP addresses are hard to remember (they are long strings of numbers), computers use DNS to translate between IP addresses and URLs (which are much easier to remember). All internet-connected devices have an IP address.

How does DNS work?

Given the size of the internet, computers cannot store all IP addresses in their memory. Instead, typing www.google.com into a browser tells the computer to look up the IP address for the website.

First, the computer checks its local memory, called its cache. This is where the computer stores its most recently visited sites’ IP addresses, so it can load them faster without having to look them up. However, since only a few recently visited sites are here, chances are, the computer does not find the IP address.

Step 1 (steps correspond with the diagram numbers above): Next, the computer will ask the ISP’s local recursive nameserver. An ISP is an internet service provider — like Time Warner Cable, Spectrum, Verizon, etc. A nameserver sounds complicated, but is just server software that is designed to answer DNS requests (such as “what is the IP address for www.google.com?”).

Any nameserver can answer this question, either by responding with the IP address (if it knows it), or by responding that it does not know and telling the requesting server to ask a different server. A recursive nameserver is different because, if it does not know the answer to the question, it will do the work of finding the answer instead of merely redirecting the query. Not all nameservers are recursive.

Step 2: The recursive nameserver will check its cache first. If the IP address is not there, it will ask a root nameserver (root nameservers do not know IP addresses, but they can read requests and tell the recursive nameserver where to go next). All recursive nameservers come with 13 root nameservers’ IP addresses pre-configured. The recursive nameserver picks one and asks it the same question (“what is the IP address for www.google.com?”).

Step 3: The root nameserver reads the top-level domain (the end of the request), in this case .com (www.google.com), and will tell the recursive nameserver to ask the Global Top Level Domain Servers (GTLD). GTLDs are essentially reference lists for each type of domain — .com, .net, .edu, etc. While they don’t know the IP addresses for websites, they do know which nameservers will have that information.

Step 4: The recursive nameserver asks the GTLD nameserver for www.google.com’s IP address.

Step 5: The GTLD nameserver will read the next part of your request, reading from right to left (in this case the ‘google’ of www.google.com) and will send back a message with the authoritative nameserver to contact. An authoritative nameserver is a nameserver that is responsible for the domain (and is the primary source of information).

Step 6: The recursive nameserver will ask the authoritative nameserver the same question (“what is the IP address for www.google.com?”). Technically, the server is asking for the Address Record (A), which is how servers refer to the IP address.

Step 7: This server has the answer! It will pass the IP address back to the recursive nameserver, flagged to let the recursive nameserver know the answer is authoritative. The recursive nameserver files the IP address in its cache in case someone tries to access the same website soon. Each item in the cache is tagged with a “time to live” that tells the server how long to hold the information before deleting it.

Step 8: The recursive nameserver tells your computer what the IP address is (it isn’t tagged as authoritative this time, because the recursive nameserver is not the primary source of information; it is just passing the information along).

Step 9: Your computer sends a request for www.google.com to the IP address it just received.

Step 10: The web server at this address returns the Google homepage and the page loads.

This entire process takes only a few milliseconds to complete and happens trillions of times every day.
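The walk in Steps 1 to 8, reduced to a small model (an added example, not code from the original article): a recursive resolver follows referrals from a root server to a TLD server to the authoritative server, caches the Address Record for its time to live, and hands back a non-authoritative answer. The server names, zone data and the address are constructed placeholders.

```python
"""Model of the recursive lookup in Steps 1-8 (added example, not from the
original article). Server names and the address below are constructed
placeholders, not real DNS data."""

# Each nameserver knows, for the suffixes it serves, either a referral to the
# next server ("NS") or the final Address Record ("A", ip, ttl in seconds).
# Root and TLD servers hold only referrals, as in Steps 2-5.
ROOT_HINT = "a.root.example"
NAMESERVERS = {
    "a.root.example": {"com.": ("NS", "a.gtld.example")},
    "a.gtld.example": {"google.com.": ("NS", "ns1.google.example")},
    "ns1.google.example": {"www.google.com.": ("A", "192.0.2.10", 300)},
}


def ask(server, qname):
    """One question to one server: it answers for the longest suffix it knows."""
    for suffix in sorted(NAMESERVERS[server], key=len, reverse=True):
        if qname == suffix or qname.endswith("." + suffix):
            return NAMESERVERS[server][suffix]
    raise LookupError(f"{server} has no data for {qname}")


class RecursiveResolver:
    """The ISP's recursive nameserver from Step 1."""

    def __init__(self):
        self.cache = {}        # qname -> (ip, expiry time): Step 7's TTL tagging
        self.queries_sent = 0  # upstream questions asked; a cache hit sends none

    def resolve(self, qname, now):
        """Return (ip, from_cache). As in Step 8 the reply is never authoritative."""
        hit = self.cache.get(qname)
        if hit and hit[1] > now:           # still within its time to live
            return hit[0], True
        server = ROOT_HINT                 # Step 2: start at a root server
        while True:
            self.queries_sent += 1
            record = ask(server, qname)
            if record[0] == "NS":          # Steps 3-5: referral, ask that server next
                server = record[1]
                continue
            _, ip, ttl = record            # Steps 6-7: the authoritative answer
            self.cache[qname] = (ip, now + ttl)
            return ip, False


if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("www.google.com.", now=0), r.queries_sent)    # full walk, 3 queries
    print(r.resolve("www.google.com.", now=100), r.queries_sent)  # cache hit, no queries
    print(r.resolve("www.google.com.", now=301), r.queries_sent)  # TTL expired, walk again
```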

How does DNS impact end users?

As DNS is integral to the functioning of the internet, it is a prominent target for hackers. The root problem with DNS is the same as most security problems we experience with today's technology. The internet, and much of the technology we use today, was designed for a small group of researchers and over time expanded into a system which the entire world uses. DNS (and HTTP, and most of the protocols we use) were not designed with security in mind. Now, we've had to add on fixes for various security issues. Unfortunately, security bolted on at the end is not as effective as security baked in during development.

One problem this poses for DNS is that there isn't any verification of the authenticity of the nameserver when a response is received. Thus a hacker can send malicious responses to a computer’s DNS query and trick the computer into thinking that it is the real response from the DNS nameserver. In other words, when the computer asks, “what is the IP address for www.chase.com?”, the hacker will respond (before the DNS server can) with the IP address for the hacker’s malicious site. Then when the site loads, it looks just like the chase.com website, but is actually controlled by the hacker.

This is very similar to phishing — except that users aren’t being tricked into clicking on bad links; rather, the websites they’re trying to visit are being routed to bad sites through the DNS lookup (much more dangerous, as this type of attack is much harder to prevent). This then requires the user to be wary, and to notice that the site is spoofing the real site (perhaps the link doesn't look quite right, or there are misspellings or poor logo copies). However, this can be very difficult and relies upon users being relatively technically savvy.

In 2016, a DNS attack knocked out significant parts of the internet for most of the east coast of the United States for almost a full day. In that case, the outage was caused by a DDoS attack. A DDoS attack is a distributed-denial-of-service attack, in which thousands of machines across the internet attack a system at the same time. Generally, these are machines that have been infected with malware without their owners’ knowledge, and one hacker, or group of hackers, is controlling all the machines. These machines are called a ‘botnet’ when used together.

The botnet sends DNS requests to the victim server, and the number of requests overwhelms the system, rendering the server unable to handle the legitimate traffic it receives. Thus, while hackers are attacking DNS servers and a computer tries to request IP addresses, the server is unable to respond. So the computer cannot access the sites that server controls (or is authoritative for) until the attack is stopped.

This attack can be mitigated by over-provisioning servers so that they can handle the excess demand, or by deploying a DNS firewall.

A broader way to approach solving many of the problems presented by DNS is DNSSEC. DNSSEC strengthens authentication with digital signatures based on public key cryptography. Essentially the owner of the requested data digitally signs it, in order to ensure that the above situation can't happen. This provides data origin authentication (the data actually came from where the resolver thinks it came from) and data integrity protection (the data hasn't been modified in transit).

Unfortunately, in order to fix DNS, DNSSEC requires wide deployment. It needs to be specifically enabled by network operators on their recursive resolvers, and by domain name owners on authoritative servers. This hasn't yet happened, but hopefully will as more people become aware of the issues DNS presents and advocate for changes.
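The mechanism the two paragraphs above describe, shown as an added example that is not part of the original article: the zone owner signs the Address Record with a private key, and a resolver verifies the signature with the zone's public key, so the spoofed response described earlier fails the check. The RSA key pair, record fields and addresses are constructed toy values for illustration only; real DNSSEC uses full-size keys and the RRSIG/DNSKEY record formats.

```python
"""Core of the DNSSEC idea in the article (added example, not from the
original): the zone owner signs a record with a private key; the resolver
verifies the signature with the zone's public key, so a forged or altered
answer is rejected. Keys here are tiny fixed toy values for illustration;
real DNSSEC uses full-size keys and the RRSIG/DNSKEY wire formats."""
import hashlib

# Constructed toy RSA key pair (insecure size, illustration only).
P, Q = 1000003, 1000033            # small primes, constructed
N = P * Q
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent
ZONE_PUBLIC_KEY = (N, E)           # published, like a DNSKEY record
ZONE_PRIVATE_KEY = (N, D)          # stays with the zone owner


def canonical(name, rtype, ttl, rdata):
    """Serialise the fields the signature covers (simplified RRSIG input).
    DNS names are case-insensitive, so the name is lower-cased first."""
    return f"{name.lower()}|{rtype}|{ttl}|{rdata}".encode()


def digest(record_bytes, n):
    # SHA-256 of the record, reduced into the toy modulus range.
    # Real RSA signatures use a padding scheme instead of a bare reduction.
    return int.from_bytes(hashlib.sha256(record_bytes).digest(), "big") % n


def sign_record(private_key, name, rtype, ttl, rdata):
    """Zone owner: produce the signature that accompanies the record."""
    n, d = private_key
    return pow(digest(canonical(name, rtype, ttl, rdata), n), d, n)


def verify_record(public_key, name, rtype, ttl, rdata, signature):
    """Resolver: accept the answer only if the signature matches the data."""
    n, e = public_key
    return pow(signature, e, n) == digest(canonical(name, rtype, ttl, rdata), n)


if __name__ == "__main__":
    sig = sign_record(ZONE_PRIVATE_KEY, "www.google.com.", "A", 300, "192.0.2.10")
    print(verify_record(ZONE_PUBLIC_KEY, "www.google.com.", "A", 300, "192.0.2.10", sig))
    # A spoofed reply that swaps in another address fails the check.
    print(verify_record(ZONE_PUBLIC_KEY, "www.google.com.", "A", 300, "203.0.113.66", sig))
```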

Translated from: https://www.freecodecamp.org/news/what-is-dns-anyway/
