Tracking DNS Queries

Published on August 28, 2022 at 5:54 pm by LEW

Introduction

Almost every time you use your browser, you are making a Domain Name Service (DNS) query, because generally speaking we use website names instead of IP addresses, and the DNS query is what gets us the IP address for a particular named site.

For example, if you have a bookmark for Google, take a look at it. I am willing to wager that the URL is “https://www.google.com” instead of “https://172.217.27.14”. This is expected, as there can be some issues with site certificates when going directly to the IP address. Try getting to Google using its IP address, and your browser will most likely flag a security warning of some sort.

Everything on the Internet has an IP address, but for the most part they are below our threshold of awareness. The generally accepted explanation for this is it is easier to remember google.com than it is to remember 172.217.27.14. While I agree to a certain extent with this assessment, there are legitimate concerns with DNS services and privacy.

In this post I am going to take a high level look at how DNS works and how your on-line activity might be tracked through the use of DNS.

Authoritative vs Recursive DNS

The first thing I want to highlight is that there are two different types of DNS: Recursive and Authoritative.

Most companies, like Google and Cloudflare, that offer DNS services are offering Recursive DNS. They will attempt to provide IP addresses for any web address presented to them.

Authoritative DNS is restricted to a specific zone, like “.com”, “.org”, or “.net”. Authoritative servers are the final word on domains in their zone. When you register a domain name, the registrar will query and update the Authoritative DNS server for that domain name.

Your device does not normally communicate with Authoritative DNS servers. Your DNS lookups are done by recursive DNS servers.

High Level Look at the DNS Query Process

For this discussion, please refer to the graphic below. It is a representation of what normally happens in most home networks: this is how it comes out of the box. Some people go in and change this up a bit for a variety of reasons, but that is the subject for a later post.

[Graphic: Home base DNS workings]

We start with your local device (Loc Dev). This could be anything connected to the Internet, including your smart toaster. But for simplicity we will assume a device running a web browser.

Let's say you have a bookmark for “retiredtechie.com”, and you click on it. Unless you have set up something different, your browser will send a request to a recursive DNS server via your modem to your Internet Service Provider (ISP) (green arrows). Note that everything you do on the Internet goes through your ISP.

Again, not having set up anything special, this request will go to your ISP's recursive DNS server. Two things happen at this point. Your ISP writes a record of your query, then searches its database. If it finds a record, it returns the IP address to your browser. If it does not find a record, it forwards your request to another DNS server outside its network (yellow and blue arrows).

There too, your query will be dutifully logged and the database searched. If the name does not exist within the zone of the Authoritative DNS, you will get an error message; otherwise an IP address will be returned (pink arrows).

Once your browser has the IP address, it sends a request to the Content Web Server (CWS), of which your ISP dutifully makes a log entry. Then the CWS sends you the content for your browser to display (red arrows).
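The chain described above, as an added toy model that is not part of the original post: an ISP recursive resolver with a cache and a query log, forwarding cache misses to an outside resolver, which in turn asks a made-up authoritative zone. All names, addresses and resolver labels are constructed, and nothing touches the network.

```python
"""Constructed model of the home-network DNS path: each resolver logs every
query it sees, answers from cache when it can, and otherwise forwards."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed authoritative data, keyed by zone (the "final word" for .com here).
AUTHORITATIVE_ZONES: Dict[str, Dict[str, str]] = {
    "com": {"retiredtechie.com": "203.0.113.10", "www.google.com": "172.217.27.14"},
}


def authoritative_lookup(qname: str) -> Optional[str]:
    """Return the zone's answer, or None when the name is not in the zone (NXDOMAIN)."""
    zone = qname.rsplit(".", 1)[-1]
    return AUTHORITATIVE_ZONES.get(zone, {}).get(qname)


@dataclass
class RecursiveResolver:
    name: str
    upstream: Optional["RecursiveResolver"] = None
    cache: Dict[str, str] = field(default_factory=dict)
    log: List[Tuple[str, str, str]] = field(default_factory=list)  # (resolver, client, qname)

    def resolve(self, client: str, qname: str) -> Optional[str]:
        """Log the query first (the record is written whether or not the cache hits)."""
        self.log.append((self.name, client, qname))
        if qname in self.cache:
            return self.cache[qname]
        if self.upstream is not None:
            answer = self.upstream.resolve(self.name, qname)  # forwarded: the upstream logs us
        else:
            answer = authoritative_lookup(qname)
        if answer is not None:
            self.cache[qname] = answer
        return answer


def walk_example() -> dict:
    """Two lookups of the same name plus one nonexistent name from a constructed client."""
    outside = RecursiveResolver("outside-resolver")
    isp = RecursiveResolver("isp-resolver", upstream=outside)
    client = "192.168.1.10"
    first = isp.resolve(client, "retiredtechie.com")    # miss at ISP, miss outside, zone answers
    second = isp.resolve(client, "retiredtechie.com")   # ISP cache hit, still logged at the ISP
    missing = isp.resolve(client, "nosuchname.com")     # forwarded all the way, zone has no record
    return {"first": first, "second": second, "missing": missing,
            "isp_log": list(isp.log), "outside_log": list(outside.log)}
```

Note that the ISP log holds all three queries while the outside resolver only sees the two cache misses, and the outside log records the ISP as the client, not your device.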

Ramifications of the DNS Process

There is a lot of record keeping going on on the Internet. All computers keep records, or more precisely, log files. Take a look at the Windows 10 event logs for an idea of how much data gets logged, or take a look in the logs directory on your Linux system.

Servers on the Internet keep even more data. Some of this data is important, in that it aids in troubleshooting network problems when they occur and in keeping things running smoothly across the multiple networks that make up the Internet. So records need to be kept. The question is what is kept, how long it is kept, and what can and cannot be done with this information.

Take a look at some sites' privacy statements and terms of use. You will find a lot of legal mumbo jumbo caveats that in the end say they can do pretty much anything they want with the data. The major issue with the whole process is abuse of the record keeping by various bad actors out to make a quick profit.

It is very easy to write programs to parse log files for specific information. Advertising companies will pay a premium for information on what you have been doing online. Location services are also interested in this data for building profiles they can sell. And we have not even touched on governments' interest in this data.
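To show how little code that takes, here is an added example (not from the original post) that parses a handful of constructed resolver query-log lines into a per-client activity profile. The log format is made up for the example, loosely modelled on a resolver query log; the same parsing is what a home-network defender would run to see which devices are talking to tracker domains.

```python
"""Constructed DNS query-log profiling: who asked for which names, how often, and when."""
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample log; the line layout and every name/address are made up.
SAMPLE_LOG = """\
28-Aug-2022 17:54:01 client 192.168.1.10#53412: query: retiredtechie.com IN A
28-Aug-2022 17:54:02 client 192.168.1.10#53413: query: ads.example-tracker.net IN A
28-Aug-2022 17:54:05 client 192.168.1.10#53414: query: www.example-bank.com IN A
28-Aug-2022 17:54:09 client 192.168.1.22#40001: query: retiredtechie.com IN AAAA
28-Aug-2022 17:54:11 client 192.168.1.10#53415: query: ads.example-tracker.net IN A
28-Aug-2022 17:55:40 client 192.168.1.22#40002: query: maps.example-location.com IN A
this line is garbage and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per well-formed line; malformed lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def profile_clients(records: List[Dict[str, str]]) -> Dict[str, dict]:
    """Per client IP: name counts plus first and last query timestamps."""
    profile = defaultdict(lambda: {"names": Counter(), "first": None, "last": None})
    for r in records:
        p = profile[r["client"]]
        p["names"][r["name"]] += 1
        p["first"] = p["first"] or r["ts"]
        p["last"] = r["ts"]
    return dict(profile)


def clients_querying(records: List[Dict[str, str]], suffix: str) -> List[str]:
    """Which clients queried any name under the given suffix (e.g. a known tracker domain)."""
    return sorted({r["client"] for r in records if r["name"].endswith(suffix)})
```

On the sample log, `clients_querying(parse_log(SAMPLE_LOG), "example-tracker.net")` names only the first device, and the profile shows that device hitting the tracker twice within ten seconds of visiting a bank site.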

Conclusion

This has been a high level overview of how you get IP addresses from domain names. We have also taken a brief look at the record keeping aspects of this process, and possible abuses of that information.

In a previous post I set up an ad blocker. And it has been extremely interesting to see not only who wants to send me ads, but also who wants to track my Internet usage. So be aware that there are companies out there who will track and abuse your online presence.
