Learning Goals
3 min
By the end of this lesson you can:
- Trace how a domain name resolves to an IP through the DNS hierarchy.
- Name the common record types (A, AAAA, MX, TXT, CNAME, NS) and what they reveal.
- Explain DNS security risks: spoofing/cache poisoning, hijacking, and recon.
- Query DNS from Python and understand DNSSEC / DoH as defences.
Warm-Up · Names Aren't Addresses
5 min
Computers route by IP, but humans remember names. Every time you visit a site, a hidden lookup turns example.com into something like 93.184.216.34 — and you trust whatever answer comes back. That trust is exactly what attackers target.
DNS (Domain Name System) is a distributed, hierarchical lookup that translates names to IPs (and more). It's security-critical for two reasons: if an attacker can forge a DNS answer, they can silently send you to a malicious server (spoofing/poisoning); and DNS records publicly reveal a lot about an organisation's infrastructure (recon). Understanding it lets you both defend it and gather information ethically.
New Concept · Resolution, Records & Risks
14 min
The resolution journey
You type "www.example.com". Your recursive resolver asks, in order:
1. cache: seen recently and TTL not yet expired? → done (fast)
2. a root server: "who handles .com?" → referral to the .com TLD servers
3. a .com TLD server: "who handles example.com?" → referral to its authoritative nameservers
4. an authoritative nameserver: "what's www.example.com's A record?" → 93.184.216.34
IP returned, cached for its TTL, browser connects.
It's a hierarchy: root → top-level domain (.com) → authoritative nameserver. Results are cached for a TTL (time-to-live) so the whole journey isn't repeated for every request. Two trust boundaries matter for security: your machine's stub resolver trusts whatever its configured recursive resolver returns, and a resolver without DNSSEC validation trusts the first answer that arrives with the expected transaction ID and source port. Those are the gaps spoofing and cache poisoning exploit.
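The walk above, as an added example that is not part of the original lesson: a simulated recursive resolver over constructed in-memory zone data. The server names, the referral chain, the TTLs and the forged 203.0.113.66 answer (an RFC 5737 documentation address) are all made up for this example; 93.184.216.34 is the address the lesson uses. It follows referrals from root to TLD to authoritative, caches the answer for its TTL, and shows why a forged answer that makes it into the cache misdirects every client of that resolver until the TTL runs out, which is the cache poisoning risk discussed later in this lesson.

```python
"""Simulated iterative resolution: root -> TLD -> authoritative, with a TTL cache."""

# Constructed in-memory zone data standing in for the real servers. Each entry
# is either a referral to the next server down the hierarchy or a final answer
# (IP, TTL in seconds). Names and TTLs are invented for this example.
SERVERS = {
    "root":         {"com.": ("referral", "tld-com")},
    "tld-com":      {"example.com.": ("referral", "auth-example")},
    "auth-example": {"www.example.com.": ("answer", "93.184.216.34", 3600)},
}


def query_server(servers, server, qname):
    """Ask one simulated server about qname.

    A real server answers for the longest suffix it knows, so try
    "www.example.com." first, then "example.com.", then "com.", then ".".
    Returns None when the server has nothing for any suffix.
    """
    labels = qname.split(".")
    zone = servers[server]
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zone:
            return zone[suffix]
    return None


class Resolver:
    """A recursive resolver: checks its cache, otherwise walks the hierarchy."""

    def __init__(self, servers):
        self.servers = servers
        self.cache = {}  # qname -> (ip, absolute expiry time)

    def resolve(self, qname, now):
        """Return (ip, path); path lists who was consulted, in order."""
        hit = self.cache.get(qname)
        if hit is not None and now < hit[1]:
            return hit[0], ["cache"]            # step 1: cache hit, no network
        path, server = [], "root"
        while True:                             # steps 2-4: follow referrals down
            path.append(server)
            rec = query_server(self.servers, server, qname)
            if rec is None:
                raise LookupError(f"{server} knows nothing about {qname}")
            if rec[0] == "referral":
                server = rec[1]
                continue
            _, ip, ttl = rec
            self.cache[qname] = (ip, now + ttl)  # cached for its TTL
            return ip, path

    def accept_forged_answer(self, qname, ip, ttl, now):
        """Model the *effect* of cache poisoning: a forged answer the resolver
        accepted. Nothing here attacks a real resolver; the entry is planted
        directly so the consequence (everyone misdirected until expiry) is visible."""
        self.cache[qname] = (ip, now + ttl)


def demo():
    """Run the scenarios in order; times are seconds on a simulated clock."""
    r = Resolver(SERVERS)
    first = r.resolve("www.example.com.", now=0)       # full walk, 3 servers
    second = r.resolve("www.example.com.", now=10)     # served from cache
    expired = r.resolve("www.example.com.", now=3600)  # TTL elapsed: walk again
    # Constructed forged answer (RFC 5737 address) with a 300 s TTL.
    r.accept_forged_answer("www.example.com.", "203.0.113.66", ttl=300, now=4000)
    poisoned = r.resolve("www.example.com.", now=4100)    # misdirected, from cache
    recovered = r.resolve("www.example.com.", now=4301)   # forged entry expired
    return first, second, expired, poisoned, recovered


if __name__ == "__main__":
    labels = ["first", "cached", "expired", "poisoned", "recovered"]
    for label, (ip, path) in zip(labels, demo()):
        print(f"{label:9} {ip:15} via {' -> '.join(path)}")
```

Run it and read the `via` column: the first lookup consults three servers, the second none, and the poisoned lookup returns the attacker's address from cache without any server being asked. That is also why a short TTL limits damage but does not prevent it.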
Record types — and what each reveals
- A: name → IPv4 address (where the site lives)
- AAAA: name → IPv6 address
- CNAME: alias → another name (www → example.com)
- MX: mail servers for the domain (recon: email infrastructure)
- TXT: arbitrary text (SPF/DKIM, domain verification — leaks tools used)
- NS: the domain's nameservers
- PTR: IP → name (reverse lookup)
To a defender these are config; to a recon analyst they're a map. MX records reveal the email provider; TXT records often list which SaaS tools verify the domain; subdomains hint at internal systems. This is all public — which is why Lesson 6's passive recon is legal: you're reading published records, not breaking in.
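An added example, not from the original lesson, of turning the TXT records described above into recon findings and defender checks. It parses an SPF record into its mechanisms, maps well-known SPF `include:` targets and domain-verification token prefixes to the vendor they reveal, and runs two checks a defender wants: a permissive or missing `all` qualifier, and the RFC 7208 limit of ten DNS-lookup mechanisms. The TXT strings, the imaginary domain they belong to and the 203.0.113.0/24 range are constructed for the example; the vendor tables are a short hand-written assumption to be extended for real use.

```python
# Constructed TXT strings for one imaginary domain (not real records), in the
# quoted form dnspython prints them. 203.0.113.0/24 is RFC 5737 documentation space.
SAMPLE_TXT = [
    '"v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 -all"',
    '"google-site-verification=1a2b3c4d"',
    '"MS=ms12345678"',
    '"atlassian-domain-verification=9z8y7x"',
    '"docusign=0000-1111-2222"',
    '"some-old-tool-token=deadbeef"',
]

# Small hand-written lookup tables (an assumption for this example; a real tool
# carries many more entries). Keys: SPF include targets and token prefixes.
SPF_INCLUDES = {
    "_spf.google.com": "Google Workspace (mail)",
    "spf.protection.outlook.com": "Microsoft 365 (mail)",
    "sendgrid.net": "SendGrid (transactional mail)",
}
TOKEN_PREFIXES = {
    "google-site-verification=": "Google (Search Console / Workspace)",
    "MS=": "Microsoft 365",
    "atlassian-domain-verification=": "Atlassian",
    "docusign=": "DocuSign",
    "facebook-domain-verification=": "Meta/Facebook",
}


def parse_spf(record):
    """Split an SPF record into its mechanisms; returns None if it is not SPF.

    Each term is [qualifier]mechanism[:value]; qualifier defaults to '+'.
    Modifiers such as redirect=... use '=' and are ignored here.
    """
    if not record.lower().startswith("v=spf1"):
        return None
    parsed = {"include": [], "ip4": [], "ip6": [], "a": [], "mx": [], "all": None}
    for term in record.split()[1:]:
        qualifier, body = "+", term
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        if body == "all":
            parsed["all"] = qualifier + "all"
            continue
        name, _, value = body.partition(":")
        if name in parsed:
            parsed[name].append(value)
    return parsed


def spf_warnings(parsed):
    """Defender's checks on a parsed SPF record; empty list means nothing flagged."""
    warnings = []
    if parsed["all"] in (None, "+all", "?all"):
        warnings.append("SPF does not reject unauthorised senders (weak or missing 'all')")
    # RFC 7208: at most 10 mechanisms that need DNS lookups (include, a, mx, ...).
    lookups = len(parsed["include"]) + len(parsed["a"]) + len(parsed["mx"])
    if lookups > 10:
        warnings.append(f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10 (permerror)")
    return warnings


def txt_footprint(records):
    """Map each TXT string to what it reveals; returns [(record, finding), ...]."""
    findings = []
    for raw in records:
        rec = raw.strip('"')
        spf = parse_spf(rec)
        if spf is not None:
            for inc in spf["include"]:
                findings.append((rec, SPF_INCLUDES.get(inc, f"third-party mail sender {inc}")))
            for w in spf_warnings(spf):
                findings.append((rec, "WEAK: " + w))
            continue
        for prefix, vendor in TOKEN_PREFIXES.items():
            if rec.startswith(prefix):
                findings.append((rec, f"domain verified with {vendor}"))
                break
        else:
            findings.append((rec, "unrecognised TXT; check whether it is still needed"))
    return findings


if __name__ == "__main__":
    for rec, finding in txt_footprint(SAMPLE_TXT):
        print(f"{rec[:45]:45} -> {finding}")
```

The unrecognised-token branch is the useful one for your own domain: a verification token nobody can account for is usually a tool the organisation stopped using, and it still tells a reader which vendors you have worked with.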
DNS security risks
- Spoofing / cache poisoning — an attacker injects a fake answer so a name resolves to their server. You think you're at your bank; you're not.
- DNS hijacking — compromising the registrar/account to change records, redirecting all traffic.
- DDoS via DNS — DNS amplification attacks, or knocking a provider offline (the 2016 Dyn outage).
- Data exfiltration — malware sneaking data out inside DNS queries (it's often unmonitored).
Defences
- DNSSEC — the zone owner signs its records and a validating resolver rejects answers whose signatures don't check out (integrity and authenticity, not confidentiality). It only helps if the zone is signed and the resolver you use actually validates.
- DoH / DoT — DNS over HTTPS/TLS encrypts the hop between your device and the resolver so a network attacker can't sniff or tamper with it (confidentiality + integrity on that hop). The resolver itself still sees every query and can still be fed a poisoned answer, so it complements DNSSEC rather than replacing it.
- Registrar hygiene — MFA and a registrar lock on the account that can change NS and other records, because hijacking goes through the registrar rather than the protocol.
- Monitoring — watch for unexpected record changes and unusual query volumes; bursts of long, high-entropy subdomains under one domain are the signature of DNS exfiltration.
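An added example, not part of the original lesson, of the monitoring defence applied to the exfiltration risk listed above: a detector run over constructed query-log lines. The log format ("epoch client qname qtype"), the client addresses, the hex payloads and the exfil-demo.test domain are all made up here (.test is reserved for exactly this purpose). It profiles each base domain by the number of distinct subdomains queried, the Shannon entropy and length of the leftmost label, and the count of TXT/NULL queries, which are the signals DNS tunnelling leaves behind; the thresholds are starting points, not tuned values.

```python
import math
from collections import defaultdict

# Constructed query-log lines for this example, "<epoch> <client> <qname> <qtype>"
# (not any real server's log format). 10.0.0.7 is modelled as an infected host
# pushing hex-encoded data out in subdomains of exfil-demo.test; the rest is
# ordinary traffic.
LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com MX
1700000002 10.0.0.5 www.example.com A
1700000003 10.0.0.7 4a6f686e20536d6974682c2070617373776f.s1.exfil-demo.test A
1700000004 10.0.0.7 72643a2068756e74657232424c4546393339.s2.exfil-demo.test A
1700000005 10.0.0.7 2c20737472696e67206f66206461746120.s3.exfil-demo.test A
1700000006 10.0.0.7 68657265207468617420697320626173652.s4.exfil-demo.test TXT
1700000007 10.0.0.7 6865782d656e636f64656420616e64207375.s5.exfil-demo.test TXT
1700000008 10.0.0.7 6368756e6b6564206f7574206f6620746865.s6.exfil-demo.test A
1700000009 10.0.0.9 cdn.example.com A
1700000010 10.0.0.9 api.example.com AAAA
"""


def shannon_entropy(s):
    """Bits per character: 0 for 'www', 2 for 'mail', 3-4 for hex, 5-6 for base64."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def parse_log(text):
    """Turn the constructed log into (epoch, client, qname, qtype) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        rows.append((int(ts), client, qname.lower().rstrip("."), qtype))
    return rows


def base_domain(qname):
    """Registrable domain, approximated as the last two labels. A real tool
    uses the Public Suffix List so names like example.co.uk group correctly."""
    return ".".join(qname.split(".")[-2:])


def profile(rows):
    """Aggregate, per base domain, the signals a tunnel leaves behind."""
    stats = defaultdict(lambda: {"subdomains": set(), "clients": set(),
                                 "entropies": [], "label_lens": [], "txt": 0})
    for _, client, qname, qtype in rows:
        s = stats[base_domain(qname)]
        first = qname.split(".")[0]          # leftmost label carries the payload
        s["subdomains"].add(qname)
        s["clients"].add(client)
        s["entropies"].append(shannon_entropy(first))
        s["label_lens"].append(len(first))
        if qtype in ("TXT", "NULL"):          # large-record types favoured by tunnels
            s["txt"] += 1
    return stats


def detect_tunnels(rows, min_unique=5, min_entropy=2.8, min_label_len=20):
    """Return {base_domain: reason} for domains that look like exfil carriers.

    All three conditions must hold: many distinct subdomains alone is what a
    CDN looks like, and a single long label alone is what a tracking pixel
    looks like; together with high-entropy leftmost labels they are a tunnel.
    """
    alerts = {}
    for base, s in profile(rows).items():
        unique = len(s["subdomains"])
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        mean_len = sum(s["label_lens"]) / len(s["label_lens"])
        if unique >= min_unique and mean_entropy >= min_entropy and mean_len >= min_label_len:
            alerts[base] = (f"{unique} unique subdomains, mean first-label entropy "
                            f"{mean_entropy:.2f} bits, mean label length {mean_len:.0f}, "
                            f"{s['txt']} TXT/NULL queries, clients {sorted(s['clients'])}")
    return alerts


if __name__ == "__main__":
    for base, reason in detect_tunnels(parse_log(LOG)).items():
        print(f"ALERT {base}: {reason}")
```

On real resolver logs, run the same profile per client as well as per domain, and baseline the entropy threshold against a week of your own traffic before alerting on it; CDNs and some security products legitimately generate long random-looking labels.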
Querying DNS from Python
import socket

# basic forward + reverse lookups (built-in, no extra library)
ip = socket.gethostbyname("example.com")          # A record
print("example.com →", ip)

# full info: name, aliases, all addresses
name, aliases, ips = socket.gethostbyname_ex("example.com")
print("addresses:", ips)

# reverse: IP → name (PTR)
try:
    host, *_ = socket.gethostbyaddr("8.8.8.8")
    print("8.8.8.8 →", host)                      # dns.google
except socket.herror:
    print("no PTR record")
For richer queries (MX, TXT, NS) use the dnspython library (pip install dnspython) — we'll lean on it for the recon toolkit next lesson. Querying public DNS records of any domain is legal; it's reading the phone book.
Worked Example · A DNS Inspector
12 min
Goal: a tool that resolves a domain's key records and explains, from a defender's view, what each reveals. Uses only public DNS — entirely legal.
import socket

try:
    import dns.exception
    import dns.resolver          # pip install dnspython
    HAS_DNS = True
except ImportError:
    HAS_DNS = False


def inspect(domain: str) -> None:
    print(f"=== DNS inspection: {domain} ===")
    # A records (built-in)
    try:
        _, _, ips = socket.gethostbyname_ex(domain)
        print("A   ", ", ".join(ips), " (where it's hosted)")
    except socket.gaierror:
        print("A    could not resolve")
        return
    if not HAS_DNS:
        print("(install dnspython for MX/TXT/NS records)")
        return
    for rtype, hint in [("MX", "email infrastructure"),
                        ("NS", "who controls DNS"),
                        ("TXT", "verification tokens / SPF — leaks tools used")]:
        try:
            answers = dns.resolver.resolve(domain, rtype)
            for r in answers:
                print(f"{rtype:4} {str(r)[:60]} ({hint})")
        except dns.exception.DNSException:   # NoAnswer, NXDOMAIN, timeout, ...
            print(f"{rtype:4} none")


inspect("example.com")
=== DNS inspection: example.com ===
A    93.184.216.34  (where it's hosted)
MX   none
NS   a.iana-servers.net. (who controls DNS)
NS   b.iana-servers.net. (who controls DNS)
TXT  "v=spf1 -all" (verification tokens / SPF — leaks tools used)
Read the code
Each record is annotated with what it tells an analyst. On a real organisation, the MX records reveal the email provider (Google? Microsoft?), TXT records often list SaaS verification tokens (which CRM, which security vendor), and NS shows who runs their DNS — all public, all useful for both attackers (targeting) and defenders (knowing your own footprint). This is the heart of passive reconnaissance, which Lesson 6 builds into a full toolkit. Nothing here touches the target's web or mail servers; the queries go to public DNS (your resolver, which in turn asks the domain's published nameservers), exactly as any browser visit would.
Try It Yourself
13 min
Resolve three domains to their IPs with gethostbyname_ex, then reverse-lookup a public DNS IP (e.g. 1.1.1.1, 8.8.8.8) with gethostbyaddr. Note which have PTR records.
Using dnspython, fetch the MX and TXT records for your own domain (or a well-known one). Write one sentence per record on what it reveals about that organisation's infrastructure.
Hint
import dns.resolver

for r in dns.resolver.resolve("gmail.com", "MX"):
    print("mail server:", r.exchange, "priority", r.preference)
Resolve a domain, note the answer's TTL (via dns.resolver's response), then explain in code comments how caching with that TTL both speeds things up and creates a window for cache poisoning.
Hint
import dns.resolver

ans = dns.resolver.resolve("example.com", "A")
print("TTL:", ans.rrset.ttl, "seconds")
# Caching: within TTL, repeats are instant (no journey to root).
# Risk: a poisoned cache entry persists for the whole TTL — every
# user of that resolver is misdirected until it expires.
Mini-Challenge · The DNS Footprint Report
8 min
For a domain you own (or a public one like wikipedia.org), build a report that gathers A, AAAA, MX, NS, and TXT records and, for each, writes a defender's note: "this reveals X — is exposing it necessary?" This is how you audit your own public footprint to reduce what attackers can learn.
Show a sample solution
import dns.exception
import dns.resolver

NOTES = {
    "A":    "public IP — expected, but ties you to a hosting provider",
    "AAAA": "IPv6 address — same exposure as A",
    "MX":   "email provider — phishers target the known mail vendor",
    "NS":   "DNS provider — a hijack target; protect the registrar account",
    "TXT":  "often lists SaaS tools / SPF — minimise; old entries leak history",
}


def footprint(domain: str) -> None:
    print(f"DNS footprint: {domain}\n")
    for rtype, note in NOTES.items():
        try:
            answers = dns.resolver.resolve(domain, rtype)
            for r in answers:
                print(f"  {rtype:4} {str(r)[:55]}")
            print(f"       ↳ {note}\n")
        except dns.exception.DNSException:   # no such record type, NXDOMAIN, timeout
            print(f"  {rtype:4} (none)\n")


footprint("wikipedia.org")
Non-negotiables: gathers multiple record types, a defender's exposure note per type, public DNS only.
Recap
3 min
DNS resolves names to IPs through a cached hierarchy: root → TLD → authoritative nameserver, with answers held for their TTL. Record types (A/AAAA, CNAME, MX, TXT, NS, PTR) both configure services and publicly reveal infrastructure — which is why DNS is a recon goldmine and reading public records is legal. Security risks include spoofing/cache poisoning (you're silently misdirected), hijacking, DNS-based DDoS, and exfiltration; defences are DNSSEC (signed records), DoH/DoT (encrypted queries), and monitoring. Query it from Python via socket or dnspython — and audit your own footprint to minimise what you expose.
Vocabulary Card
- DNS
- The system that translates domain names into IP addresses and other records.
- A / MX / TXT / NS
- Record types: IPv4 address / mail servers / text data / nameservers.
- cache poisoning
- Injecting a forged DNS answer so a name resolves to an attacker's server.
- DNSSEC / DoH
- Signing records / encrypting queries — DNS integrity and confidentiality.
Homework
4 min
Build a DNS footprint report for two domains: one you own (or a small org you can ask), and one large public site. Compare what each exposes. Write a short note: which records were "necessary" vs. "reducible," and one DNS defence (DNSSEC, DoH, or registrar lock) you'd recommend. Reading public DNS only — no probing of servers.
Sample · footprint comparison note
Small site (mine): A → 1 IP (shared host). MX → Google Workspace (phishers know to spoof Google login). TXT → an SPF record + 2 old verification tokens for tools I no longer use → REDUCIBLE: remove stale TXT. Large site (wikipedia.org): Multiple A/AAAA (load-balanced), dedicated NS, minimal TXT — a deliberately tidy footprint. Necessary records only. Recommendation: enable DNSSEC (rejects forged answers) and a registrar lock (stops hijacking by changing records), and prune stale TXT records that leak which vendors I've used over time.
Non-negotiables: two domains compared, necessary-vs-reducible judgement, one concrete DNS defence, public-records only.