Shivakumar
Networking Internals II: DNS recursion, ARP, NAT, Subnetting & CIDR

This is a "Senior Engineer" level deep dive. We will move beyond what these things are and look at how they function at the packet and protocol level.


1. DNS (Domain Name System): The Deep Dive

We know DNS maps Names to IPs. But how does it handle the traffic?

The Protocol: UDP vs. TCP

DNS is unique because it uses both UDP and TCP on Port 53, but for different things.

  • UDP (The Standard): Used for standard queries (like "Where is google.com?"). It is fast and low-overhead. The limit for a UDP DNS packet is historically 512 bytes.
  • TCP (The Heavy Lifter): Used if the response data exceeds 512 bytes (common with IPv6 or DNSSEC security keys) or for Zone Transfers (when a backup DNS server copies the entire database from the primary server).
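
The UDP-then-TCP behaviour described above, modelled from both sides as an added example (this is not code from the original post): the server truncates a reply that would not fit in 512 bytes and sets the TC flag, and the client treats that flag as the signal to repeat the query over TCP. All messages are constructed in memory; nothing is sent.

```python
import struct

# Added example (not from the original post): one DNS exchange modelled on
# both sides. The client builds a UDP query; the server answers, but when the
# message would exceed the classic 512-byte UDP limit it sets the TC flag,
# which is the client's cue to repeat the same query over TCP port 53.
# All messages are constructed in memory; nothing is sent on the wire.

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard query header (QR=0, RD=1) + question; qtype 1 = A, 28 = AAAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)   # QCLASS IN

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; TC=1 means the answer was cut to fit UDP."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "truncated": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "answers": an}

def make_reply(query: bytes, ips: list, udp_limit: int = 512) -> bytes:
    """Server side: echo the question and add one A record per IP (TTL 300,
    name via the 0xC00C compression pointer). If the whole message would not
    fit in `udp_limit` bytes, send just header + question with TC=1 instead."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + bytes(int(o) for o in ip.split(".")) for ip in ips)
    full = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0) + question + answers
    if len(full) > udp_limit:
        return struct.pack("!HHHHHH", txid, 0x8380, 1, 0, 0, 0) + question  # QR|TC|RD|RA
    return full

def needs_tcp_retry(query: bytes, reply: bytes) -> bool:
    """Client side: retry over TCP only for a matching response with TC set."""
    hdr = parse_header(reply)
    return hdr["is_response"] and hdr["id"] == parse_header(query)["id"] and hdr["truncated"]
```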

Key DNS Record Types

A DNS response isn't just an IP; it contains specific "Records":

  • A Record: Maps Hostname → IPv4 Address (1.2.3.4).
  • AAAA Record: Maps Hostname → IPv6 Address (2001:db8::1).
  • CNAME (Canonical Name): Maps Hostname → Another Hostname (Alias). Example: www.google.com might actually point to google.com.
  • MX (Mail Exchange): Tells email servers where to deliver email for that domain.
  • TXT: Arbitrary text. Now critical for verification (SPF/DKIM for email security, verifying domain ownership for Google Console).
  • NS (Name Server): Delegates authority. "I don't know the IP, but this server does."

The "Zone" File

On the server side, DNS isn't magic; it's a text file called a Zone File.

; Zone file for example.com
$TTL 86400          ; Time to Live (how long to cache)
@   IN  SOA  ns1.example.com. admin.example.com. ( ... )
@   IN  NS   ns1.example.com.
@   IN  A    93.184.216.34
www IN  CNAME example.com.

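
A minimal parser for the zone format shown above, added here as an example (not code from the original post): it handles $TTL, the "@" origin shorthand and relative names, then follows a CNAME alias to the A record it points at, the lookup a server does when asked for www. The SOA line is left out of the constructed sample because its bracketed continuation is elided in the post; the extra mail record is constructed for illustration.

```python
# Added example (not from the original post): parse a small zone file and
# resolve an alias. The zone text is constructed inline; the SOA line is
# omitted and a "mail" A record is added purely for the demonstration.

ZONE = """\
; Zone file for example.com
$TTL 86400          ; Time to Live (how long to cache)
@   IN  NS   ns1.example.com.
@   IN  A    93.184.216.34
www IN  CNAME example.com.
mail IN  A    93.184.216.35
"""

def parse_zone(text: str, origin: str) -> dict:
    """Return {"ttl": int, "records": [(name, type, value), ...]} with names
    expanded: '@' -> origin, relative names -> name.origin, trailing dots dropped."""
    ttl, records = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip comments
        if not line:
            continue
        if line.startswith("$TTL"):
            ttl = int(line.split()[1])
            continue
        name, _cls, rtype, value = line.split(None, 3)
        name = origin if name == "@" else f"{name}.{origin}"
        records.append((name, rtype, value.rstrip(".")))
    return {"ttl": ttl, "records": records}

def resolve_a(zone: dict, name: str, max_hops: int = 8):
    """Follow CNAMEs until an A record is found, or None. The hop cap stops
    a CNAME loop (a -> b -> a) from spinning forever."""
    for _ in range(max_hops):
        types = {rtype: value for n, rtype, value in zone["records"] if n == name}
        if "A" in types:
            return types["A"]
        if "CNAME" not in types:
            return None
        name = types["CNAME"]
    return None
```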

2. ARP (Address Resolution Protocol): The Deep Dive

ARP assumes a "trusting" network. It is stateless: a host does not track which requests it has sent, so it accepts any reply it receives. This makes it fast but insecure.

The ARP Packet Structure

When you send an ARP request, you aren't sending IP data. You are sending a raw Layer 2 frame containing:

  1. Hardware Type: Ethernet (0x0001)
  2. Protocol Type: IPv4 (0x0800)
  3. Opcode:
     • 1 = ARP Request ("Who is 10.0.0.1?")
     • 2 = ARP Reply ("I am 10.0.0.1")
  4. Sender MAC & Sender IP
  5. Target MAC & Target IP

Security Flaw: ARP Spoofing

Because ARP is stateless, a hacker can send a "Gratuitous ARP Reply" (an unrequested answer).

  • Hacker says: "Hey everyone, I am the Router (192.168.1.1)."
  • Victim PC: Updates its ARP table blindly.
  • Result: The victim now sends all their internet traffic to the hacker instead of the real router. This is a Man-in-the-Middle (MitM) attack.
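
The packet layout from the previous section and the spoofing problem above, as one added example (not code from the original post): pack and unpack the ARP fields, then keep an ARP table that, unlike a real host's cache, raises an alert instead of silently overwriting a known IP-to-MAC binding. That is the check tools such as switch-side dynamic ARP inspection perform. All packets are constructed inline.

```python
import struct

# Added example (not from the original post): encode/decode the ARP fields
# listed above and keep a small ARP table that refuses to blindly overwrite an
# existing IP -> MAC binding. Packets are constructed inline; nothing touches
# a real network interface.

ARP_REQUEST, ARP_REPLY = 1, 2

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """ARP payload for Ethernet/IPv4: htype=1, ptype=0x0800, hlen=6, plen=4."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + bytes.fromhex(sender_mac.replace(":", ""))
            + bytes(int(o) for o in sender_ip.split("."))
            + bytes.fromhex(target_mac.replace(":", ""))
            + bytes(int(o) for o in target_ip.split(".")))

def parse_arp(pkt: bytes) -> dict:
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sender_mac": mac(pkt[8:14]), "sender_ip": ip(pkt[14:18]),
            "target_mac": mac(pkt[18:24]), "target_ip": ip(pkt[24:28])}

class ArpTable:
    """IP -> MAC cache that records an alert, rather than updating, when a
    reply claims an IP already bound to a different MAC."""
    def __init__(self):
        self.table, self.alerts = {}, []
    def learn(self, pkt: bytes) -> None:
        a = parse_arp(pkt)
        if a["op"] != ARP_REPLY:
            return                          # requests only ask; replies bind
        known = self.table.get(a["sender_ip"])
        if known is None:
            self.table[a["sender_ip"]] = a["sender_mac"]
        elif known != a["sender_mac"]:
            self.alerts.append(f"{a['sender_ip']} moved {known} -> {a['sender_mac']}")

# Constructed traffic: the real router answers, then an unsolicited reply
# claims the router's IP from a different MAC (the scenario described above).
ROUTER_REPLY = build_arp(ARP_REPLY, "aa:aa:aa:aa:aa:01", "192.168.1.1",
                         "bb:bb:bb:bb:bb:05", "192.168.1.5")
SPOOFED_REPLY = build_arp(ARP_REPLY, "cc:cc:cc:cc:cc:99", "192.168.1.1",
                          "bb:bb:bb:bb:bb:05", "192.168.1.5")
```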

3. NAT (Network Address Translation): The Deep Dive

NAT breaks the original rule of the internet (end-to-end connectivity). It modifies packet headers in flight.

How NAT "Tracks" You (Connection Tracking)

When your router performs NAT, it must modify the IP Header (Source IP) and the TCP/UDP Header (Source Port).
Because it changes the headers, the Checksum (error checking math) is now wrong.

  1. Recalculation: The router must recalculate the IP and TCP/UDP checksums for every single packet. This is CPU intensive.
  2. Conntrack Table: The router keeps a table in RAM, one entry per flow, e.g.:
     [Protocol=TCP] [Src=192.168.1.5:5432] -> [Dst=8.8.8.8:80] | [NAT-Port=15432]
  3. If this table fills up (common in cheap routers during BitTorrent use), the router crashes or drops connections.
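
The three steps above in working form, as an added example (not code from the original post): a tiny SNAT rewrites the source IP of a constructed IPv4 header, allocates a NAT port, records the flow in a conntrack dictionary, recomputes the header checksum, and drops new flows once the table is full. Only the 20-byte IPv4 header checksum is modelled; the TCP/UDP checksum needs the same treatment. The public IP 203.0.113.7 and the table size are assumptions.

```python
import struct

# Added example (not from the original post): SNAT over a constructed IPv4
# header. The public IP and the two-entry conntrack limit are assumptions
# chosen to make the "table full" path easy to hit.

def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 ones'-complement sum over the header with its checksum zeroed."""
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def checksum_ok(hdr: bytes) -> bool:
    """A header with a correct checksum folds to 0xFFFF."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def build_ipv4(src: str, dst: str, proto: int = 6) -> bytes:
    ip = lambda s: bytes(int(o) for o in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, ip(src), ip(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

class Snat:
    def __init__(self, public_ip: str, max_entries: int = 2):
        self.public_ip, self.max_entries = public_ip, max_entries
        self.conntrack = {}   # (proto, src_ip, src_port, dst_ip, dst_port) -> NAT port
        self.next_port = 15432

    def translate(self, hdr: bytes, src_port: int, dst_port: int) -> bytes:
        """Rewrite the source IP to the public IP and return a header whose
        checksum is valid again; new flows get a conntrack entry or are dropped."""
        src = ".".join(str(b) for b in hdr[12:16])
        dst = ".".join(str(b) for b in hdr[16:20])
        key = (hdr[9], src, src_port, dst, dst_port)
        if key not in self.conntrack:
            if len(self.conntrack) >= self.max_entries:
                raise OverflowError("conntrack table full: dropping new flow")
            self.conntrack[key] = self.next_port
            self.next_port += 1
        new = hdr[:12] + bytes(int(o) for o in self.public_ip.split(".")) + hdr[16:20]
        return new[:10] + struct.pack("!H", ip_checksum(new)) + new[12:]   # fix checksum
```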

SNAT vs. DNAT

  • SNAT (Source NAT): Used when you go out to the internet. The Source IP is changed (Private → Public).
  • DNAT (Destination NAT): Used when you host a server at home (Port Forwarding). The Destination IP is changed (Public → Private) so the router knows which internal computer gets the traffic.

4. Subnetting & CIDR: The Binary Logic

Understanding subnetting requires thinking in Binary (Base-2), not Decimal.

The "AND" Operation

How does a computer know if an IP is "Local" (send directly) or "Remote" (send to Gateway)? It uses the Bitwise AND operation on the IP and the Subnet Mask.

Scenario:

  • IP: 192.168.1.10
  • Subnet Mask: 255.255.255.0 (/24)

The computer converts everything to binary:

| Type       | Decimal       | Binary                              |
| ---------- | ------------- | ----------------------------------- |
| IP         | 192.168.1.10  | 11000000.10101000.00000001.00001010 |
| Mask       | 255.255.255.0 | 11111111.11111111.11111111.00000000 |
| AND Result | 192.168.1.0   | 11000000.10101000.00000001.00000000 |

  • Logic: 1 AND 1 = 1. Anything else is 0.
  • The result (192.168.1.0) is the Network ID.
  • If the destination IP produces the same Network ID, the computer knows "It's on my local LAN." If different, it sends the packet to the Default Gateway.

VLSM (Variable Length Subnet Masking)

In the old days, subnets came in fixed classful sizes (Class A, B, C). VLSM lets you choose a prefix length per subnet, so address space is used efficiently.

  • Example: You have a main network 10.0.0.0/8.
  • You give the Sales Dept 10.1.0.0/16.
  • Inside Sales, you give the WiFi 10.1.10.0/24.
  • Inside WiFi, you reserve a small slice for admin 10.1.10.240/28. This nesting of subnets saves IP addresses.
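
The AND test from the previous section and the VLSM nesting above, as one added example (not code from the original post): plain integer arithmetic rather than the ipaddress module, so the binary logic stays visible. It computes the Network ID, decides local versus gateway delivery, and checks that each of the nested blocks in the list really sits inside its parent.

```python
# Added example (not from the original post): bitwise-AND subnet logic and a
# CIDR nesting check, using integers so each step matches the binary table.

def ip_to_int(ip: str) -> int:
    return int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")

def int_to_ip(n: int) -> str:
    return ".".join(str(b) for b in n.to_bytes(4, "big"))

def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: `prefix` one-bits followed by zero-bits."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def to_binary(ip: str) -> str:
    """Dotted binary, the form used in the table above."""
    return ".".join(f"{int(o):08b}" for o in ip.split("."))

def network_id(ip: str, prefix: int) -> str:
    """IP AND mask = Network ID."""
    return int_to_ip(ip_to_int(ip) & prefix_to_mask(prefix))

def next_hop(my_ip: str, prefix: int, dst_ip: str, gateway: str) -> str:
    """Same Network ID -> deliver directly; otherwise hand to the gateway."""
    if network_id(dst_ip, prefix) == network_id(my_ip, prefix):
        return dst_ip
    return gateway

def nests_inside(child: str, parent: str) -> bool:
    """True when CIDR `child` is a strict sub-block of `parent` (VLSM nesting):
    the child prefix is longer and its address ANDs down to the parent's ID."""
    c_ip, c_len = child.split("/")
    p_ip, p_len = parent.split("/")
    c_len, p_len = int(c_len), int(p_len)
    return c_len > p_len and network_id(c_ip, p_len) == network_id(p_ip, p_len)

def usable_hosts(prefix: int) -> int:
    """Addresses minus network and broadcast (a /28 leaves 14)."""
    return max(2 ** (32 - prefix) - 2, 0)
```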

Summary: The Life of a Packet

To tie it all together, if you type google.com:

  1. DNS: Your PC uses UDP to resolve google.com to 142.250.x.x.
  2. Subnetting: Your PC does the Binary AND. Result: "Google is Remote."
  3. Routing: PC decides to send packet to Gateway (Router).
  4. ARP: PC yells "Who is the Gateway?" Gateway replies with MAC.
  5. NAT: Gateway receives packet, changes Source IP to Public IP, updates Conntrack, and recalculates Checksum.
  6. Transport: The packet travels over the internet via TCP/IP.
