1. DNS Query: the user PC sends its query to a DNS resolver.
2. Recursive Lookup: carried out by the Recursive DNS Server (typically provided by your ISP, but it can be self-hosted). The recursive DNS server keeps a cache of recently looked-up domain names. If a result is found locally it is sent straight back to the client (common domains such as google and youtube will typically be cached). If it cannot be found here, we move on to the next server, the Root DNS server.
3. The Root name server identifies the Top-Level Domain (TLD) name server to point the resolver in the correct direction. Once the TLD is identified, the Root DNS server refers the client to the correct TLD server.
4. The TLD name server knows which authoritative name server is responsible for the specific domain being searched and points the resolver to that name server; it holds the records on where to find the authoritative server that can answer the DNS request. The TLD can also be described as the rightmost part of a domain name. Example: `www[.]thisismydomain[.]com`, with **.com** being the TLD. "thisismydomain" is the Second-Level Domain (SLD). A subdomain sits on the left-hand side of the SLD, separated from it by a ".". Example: **admin** in `admin.thisismydomain.com` would be the subdomain. There is no limit to the number of subdomains that can be created for a domain name, but there is a 253-character limit on the full name once they are appended to it. NOTE: SLD and subdomain labels are restricted to 63 characters and can only use a-z, 0-9 and hyphens (cannot start or end with a hyphen or contain consecutive hyphens). Good to know for enumeration.
5. Once at the authoritative name server, the IP address of the site being searched for is returned to the resolver. The authoritative name server stores the DNS records for a particular domain name; any updates to that domain's DNS records are made there.
6. The DNS resolver returns the information to the user PC and stores (caches) it.
7. The user PC connects to the desired website and browsing can commence.
There are two types of TLD: gTLD (Generic Top-Level Domain) and ccTLD (Country Code Top-Level Domain).

## DNS Records

- A Record: Used to resolve IPv4 addresses.
- AAAA Record: Resolves IPv6 addresses.
- CNAME Record: A record that resolves to another domain name. Example: the website sudowizards{.}com has an online store at the subdomain store.sudowizards{.}com, which returns the CNAME record shops.shopify{.}com (the store is hosted on the Shopify platform). This then starts another DNS request for shops.shopify{.}com to resolve the IP address.
- MX Record: Resolves the addresses of the servers that handle email for the domain being queried. These records carry priority values that tell the client the order in which it should try the different servers. This provides redundancy: if one server goes down, the client knows which server to try next.
- TXT Record: These records are free-text fields where any text-based data can be stored. They have multiple uses; common ones are listing the servers authorised to send email on behalf of the domain (helps prevent spoofing and fights spam) and verifying ownership of the domain name when signing up for third-party services. [^1]

[^1]: The "dig" command is great for discovering useful information.

```
dnsenum --enum example_domain.com -f /wordlist/dir/wordlist.txt -r
```
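Worked example added to these notes (not the original author's code): a toy Python resolver over constructed zone data that walks the referral chain from the numbered steps above (cache, root, TLD, authoritative), follows a CNAME the way the Shopify store example does, orders MX answers by priority, and checks the label-length rules from the subdomain note. Every name, IP address and server mapping below is constructed for illustration; a real resolver would also fetch the NS hosts' glue A records, which this simulation skips by mapping NS names straight to zone data.

```python
"""Toy iterative DNS resolution over constructed zone data.

Added example for these notes; all zones, names and addresses are made up.
"""
import re

# --- Constructed zone data: each server is a dict keyed by (owner, rtype). ---
# NS records at the root and TLD servers refer the resolver to the next server.
ROOT = {("com.", "NS"): ["a.gtld-servers.test."]}
TLD_COM = {
    ("thisismydomain.com.", "NS"): ["ns1.thisismydomain.com."],
    ("shopify.com.", "NS"): ["ns1.shopify.com."],
}
AUTH_THISISMYDOMAIN = {
    ("www.thisismydomain.com.", "A"): ["203.0.113.10"],
    # the "store" subdomain is a CNAME to a host in another zone (Shopify example)
    ("store.thisismydomain.com.", "CNAME"): ["shops.shopify.com."],
    # MX records as (priority, host); lower priority value is tried first
    ("thisismydomain.com.", "MX"): [(20, "mx2.thisismydomain.com."),
                                    (10, "mx1.thisismydomain.com.")],
    ("thisismydomain.com.", "TXT"): ["v=spf1 include:_spf.example.test -all"],
}
AUTH_SHOPIFY = {("shops.shopify.com.", "A"): ["198.51.100.7"]}

# Constructed stand-in for glue records: NS host name -> the zone data it serves.
SERVERS = {
    "a.gtld-servers.test.": TLD_COM,
    "ns1.thisismydomain.com.": AUTH_THISISMYDOMAIN,
    "ns1.shopify.com.": AUTH_SHOPIFY,
}


class Resolver:
    """Recursive resolver: consults its cache, then walks root -> TLD -> authoritative."""

    def __init__(self):
        self.cache = {}   # (qname, rtype) -> answer, filled in at step 6
        self.trace = []   # servers consulted, to make the referral chain visible

    def _find_authority(self, qname):
        """Steps 3 and 4: follow NS referrals from the root down to the most
        specific server that claims the name, and return that server's zone data."""
        labels = qname.rstrip(".").split(".")
        zone = ROOT
        self.trace.append("root")
        # try progressively longer suffixes: "com.", then "thisismydomain.com.", ...
        for i in range(len(labels) - 1, -1, -1):
            suffix = ".".join(labels[i:]) + "."
            ns_hosts = zone.get((suffix, "NS"))
            if ns_hosts:
                zone = SERVERS[ns_hosts[0]]
                self.trace.append(ns_hosts[0])
        return zone

    def resolve(self, qname, rtype, _depth=0):
        """Return the answer list for (qname, rtype), chasing CNAMEs and caching."""
        key = (qname, rtype)
        if key in self.cache:            # step 2: answered from the local cache
            self.trace.append("cache")
            return self.cache[key]
        if _depth > 8:                   # guard against a CNAME loop
            raise RuntimeError(f"CNAME chain too long for {qname}")
        zone = self._find_authority(qname)
        answer = zone.get(key)
        if answer is None and (qname, "CNAME") in zone:
            # CNAME: start a fresh query for the canonical name (may leave this zone)
            canonical = zone[(qname, "CNAME")][0]
            answer = self.resolve(canonical, rtype, _depth + 1)
        if answer is None:
            raise LookupError(f"no {rtype} record for {qname}")
        if rtype == "MX":
            # hand back hosts in the order the client should try them
            answer = [host for _, host in sorted(answer)]
        self.cache[key] = answer         # step 6: cache before returning to the client
        return answer


# One label: 1-63 chars of a-z, 0-9 and hyphens, not starting or ending with a hyphen.
# Consecutive hyphens are deliberately not rejected: IDN labels such as "xn--..." contain them.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def valid_hostname(name):
    """Apply the limits from the note: 63 chars per label, 253 chars overall."""
    name = name.rstrip(".").lower()
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("store.thisismydomain.com.", "A"), r.trace)
    print(r.resolve("thisismydomain.com.", "MX"))
```

Running the module shows the referral chain for the store subdomain crossing into the shopify.com zone via the CNAME, and a second query for the same name being answered from the cache without touching any server.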