In our last episode, we discussed how DNS is paid for in the real world: who builds, maintains, and manages all those servers that allow us to type in a domain name and end up with a web page. This post looks at two other tools in and around the DNS system that you might, or might not, know about: reverse lookups and whois. Neither is covered in extensive detail here, but I will provide pointers for the topics you want to know more about.
The first of these bits and pieces is the in-addr.arpa set of records in DNS. An IP address is roughly hierarchical: the bits on the left describe larger sections of the topology and the bits on the right smaller ones (network to host flows left to right). What's interesting is that DNS names flow the other way: the TLD is on the right, and the host or service is on the left. This observation leads to another: the entire IP address space can be treated as a set of DNS names if we just reverse the address. Write the octets in reverse order and hang the result under the in-addr.arpa zone, and the first octet becomes the label just below in-addr.arpa (playing the part a TLD plays in an ordinary name) while the last octet is the leaf; 192.0.2.1, for example, becomes the name 1.2.0.192.in-addr.arpa. IPv6 does the same thing under ip6.arpa, with one label per hex digit of the address rather than per octet.
And what would we find if we tried this little trick? The DNS name associated with the IP address, of course. These reverse records live in the in-addr.arpa zone (or ip6.arpa for IPv6) as PTR records. You can get to them by setting your DNS query type to "ptr" ("set type=ptr" or "set q=ptr" in nslookup, depending on the version); most current nslookup builds will also reverse the octets for you if you simply hand them an IP address, and dig does the same with its -x option. The image below depicts an in-addr.arpa lookup in Windows.
What is this useful for? Maybe the answer should be obvious, but consider this situation: you're seeing a lot of hits on your web site from a single IP address, and it looks like the host there is up to no good. Who does the host belong to? A fair start is to look at the in-addr.arpa record to find the associated domain. One caveat: the PTR record is published by whoever runs the reverse zone for that address block (usually the ISP or hosting provider, or a customer it has delegated the block to), so it can say anything its publisher likes. Before trusting the name, resolve it forward and check that its A or AAAA record points back at the address you started from; a name that fails that check is a claim, not evidence. Once you have a plausible domain, you can rely on a second tool alongside the DNS system to find out more: whois.
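The reverse-name construction and the forward-confirmation check described above, as an added example (not code from the original post). The reverse-name builder is exact for both IPv4 and IPv6; the two network lookups use the system resolver, and the sample PTR and forward data at the bottom are constructed (documentation prefixes, hypothetical host names) so the check can be exercised offline. One of the two names the sample PTR record claims does not point back at the address, and the check drops it.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]


def reverse_name(ip: str) -> str:
    """Build the PTR query name for an IPv4 or IPv6 address.

    IPv4: the four octets reversed, under in-addr.arpa
          192.0.2.1 -> 1.2.0.192.in-addr.arpa
    IPv6: all 32 hex nibbles reversed, one label each, under ip6.arpa
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")  # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_lookup(ip: str) -> List[str]:
    """Ask the system resolver for the PTR names of ip (needs network)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [host, *aliases]


def forward_lookup(name: str) -> List[str]:
    """Resolve name to its A/AAAA addresses (needs network)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    # getaddrinfo may append a zone id ("%eth0") to link-local IPv6; drop it
    return sorted({info[4][0].split("%")[0] for info in infos})


def forward_confirmed(ip: str, ptr: Resolver = ptr_lookup,
                      fwd: Resolver = forward_lookup) -> List[str]:
    """Return only those PTR names for ip whose A/AAAA records contain ip.

    Whoever runs the reverse zone for the address block can publish any name
    in the PTR record, so the bare reverse lookup is a hint, not evidence.
    Forward-confirming it (FCrDNS) additionally requires the named domain's
    owner to point that name at the same address.
    """
    target = ipaddress.ip_address(ip)
    confirmed = []
    for name in ptr(ip):
        if any(ipaddress.ip_address(a) == target for a in fwd(name)):
            confirmed.append(name)
    return confirmed


# Constructed sample data standing in for the two DNS lookups so the check
# runs offline. 192.0.2.0/24 and 198.51.100.0/24 are documentation prefixes;
# the host names are hypothetical.
SAMPLE_PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.com", "trusted-bank.example.net"],
}
SAMPLE_FORWARD: Dict[str, List[str]] = {
    "mail.example.com": ["192.0.2.10"],
    "trusted-bank.example.net": ["198.51.100.7"],  # does not point back
}


def sample_ptr(ip: str) -> List[str]:
    return SAMPLE_PTR.get(ip, [])


def sample_forward(name: str) -> List[str]:
    return SAMPLE_FORWARD.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8::1"):
        print(ip, "->", reverse_name(ip))
    print("claimed:  ", sample_ptr("192.0.2.10"))
    print("confirmed:", forward_confirmed("192.0.2.10", sample_ptr, sample_forward))
```

Against a real address, call forward_confirmed with the default resolvers; the injectable lookups exist so the logic can be tested without network and so a resolver library of your choice can be dropped in.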
Whois is actually a completely separate protocol (a plain text exchange over TCP port 43) backed by databases run by the same kinds of organisations that run the DNS infrastructure: the registries (Verisign for .com and .net, for example) and the registrars that sell names, and, for IP address blocks, the regional Internet registries such as ARIN and RIPE. The point of whois is to record who holds each registered domain name or address block, including contact information. A sample whois lookup is illustrated below, just for reference.
To return to the example above, once you've used in-addr.arpa to find the domain of that mysterious IP address, you can use whois to find out who registered the domain. You can also query whois for the IP address itself, which returns the regional registry's record for the address block; that works even when no PTR record exists, and it tells you who was allocated the block rather than who chose to put a name on it. Now, to be honest, there's a lot of information in a whois record that should make you uncomfortable, especially if you own a domain personally. We'll consider some of the security stuff around DNS, including DDoS protection services based on DNS redirection, encryption of whois data, and DNSSEC, in our next post, the final post on the DNS system in this series.
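The whois exchange described two paragraphs up, plus the referral step you hit in practice, as an added example (not code from the original post). The client speaks the protocol as RFC 3912 defines it: connect to TCP port 43, send the query followed by CRLF, read until the server closes. The parser turns the "Key: value" lines into a dictionary and follows a referral when the reply carries one; registries for "thin" TLDs such as .com hold only the sponsoring registrar and point you at its server in a "Registrar WHOIS Server:" line, while IANA's server names a TLD's registry in a "whois:" or "refer:" line. The reply text at the bottom is constructed in that registry style for the reserved example.com domain, with a hypothetical registrar host, so the parsing runs offline. For an IP address the query is simply the address, sent to the regional registry (whois.arin.net for North American allocations, for instance).

```python
import socket
from typing import Dict, List, Optional

WHOIS_PORT = 43  # RFC 3912: plain TCP; send query + CRLF, read until the server closes


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Send one WHOIS query to server and return the raw reply (needs network)."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Turn 'Key: value' lines into a dict; repeated keys (Name Server, Status) accumulate.

    Comment lines ('%' or '#'), blank lines, and lines without a colon (legal
    notices, '>>> Last update ...' trailers) are skipped. Keys are lower-cased
    so callers need not care about each server's capitalisation.
    """
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def referral_server(fields: Dict[str, List[str]]) -> Optional[str]:
    """Return the next server to ask if the reply points to one, else None."""
    for key in ("registrar whois server", "refer", "whois"):
        value = fields.get(key)
        if value and value[0]:
            return value[0]
    return None


def whois_chain(query: str, start_server: str,
                max_hops: int = 3) -> List[Dict[str, List[str]]]:
    """Query start_server and follow referrals, returning every parsed reply (needs network)."""
    replies: List[Dict[str, List[str]]] = []
    server, seen = start_server, set()
    while server and server not in seen and len(replies) < max_hops:
        seen.add(server)  # guard against servers that refer to each other
        fields = parse_whois(whois_query(server, query))
        replies.append(fields)
        server = referral_server(fields)
    return replies


# Constructed registry-style reply for the reserved example.com domain;
# the registrar host name and dates are hypothetical.
SAMPLE_REPLY = """\
   Domain Name: EXAMPLE.COM
   Registrar WHOIS Server: whois.registrar.test
   Registrar URL: http://www.registrar.test
   Updated Date: 2023-08-14T07:01:31Z
   Creation Date: 1995-08-14T04:00:00Z
   Registry Expiry Date: 2024-08-13T04:00:00Z
   Registrar: Example Registrar, Inc.
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Name Server: A.IANA-SERVERS.NET
   Name Server: B.IANA-SERVERS.NET
   DNSSEC: signedDelegation
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<

For more information on Whois status codes, please visit https://icann.org/epp
"""

if __name__ == "__main__":
    fields = parse_whois(SAMPLE_REPLY)
    for key in ("domain name", "registrar", "name server", "domain status", "dnssec"):
        print(f"{key}: {fields.get(key)}")
    print("next server to ask:", referral_server(fields))
```

Against the live system, whois_chain("example.com", "whois.verisign-grs.com") asks the .com registry and then follows its referral to the registrar; the registrar's reply is where the contact fields the text warns about appear (or, increasingly, are redacted).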