This is my attempt at briefly and simply explaining how a computer finds the website you type into your browser’s address bar. It’s written as a primer for understanding certain types of hacker attacks that I will describe in an upcoming article.
To connect to the internet, most people, whether they know it or not, use the following devices or some equivalent of each:
1) Modem: in short, this is what physically connects you to the intenet. It takes the signal from your ISP and converts it into a signal the other devices in your home can understand, and vice-versa.
2) Router: think of this as a splicer that takes the single internet connection provided by your ISP and lets you share it among multiple devices instead of just one. It’s usually plugged directly into your modem, or your modem may have the router built in. I believe most routers these days are wireless, but support a few (usually 4) wired connections. But wired routers are still available.
3) DNS Server: Since this is almost never located in your house, this is one of the unsung heroes in the network map. When you want to browse a website, your network needs an IP address so it knows where to send your request. You may have seen these before, they are usually 4 groups of numbers separated by periods. But you don’t know 220.127.116.11. You just know you want to go to stupidcatpictures.com. (No, really, it’s actually a real site, I just checked!!! …not that I’m surprised.)
To solve this problem, there is a network of “Domain Name System” (DNS) Servers scattered all around the world. You can think of these as computers whose sole purpose in life is to keep track of all the domain names and their respective IP addresses. You tell the DNS server “I want to go to stupidcatpictures.com” and without even judging your character, the DNS server responds with “If you would like to visit that site, head on over to 18.104.22.168, good sir!” Without DNS servers, there wouldn’t be a facebook.com. There would only be 22.214.171.124. And who would want to share embarassing pics and complain about how bored they are to 350 friends on that?
4) Computer (Duh!): You know what a computer is. You probably also know the computer has a network device (usually a wireless card or a wired NIC card) which allows you to communicate with all of these other devices.
But how does your computer (or network device) know what settings to use to connect to the internet??? There’s still one missing piece to the puzzle, and that is:
5) DHCP Server: Your “Dynamic Host Configuration Protocol” (DHCP) server is usually built into your router (which, as mentioned, may also be built into your modem).
The DHCP server is most famous for being the device that “assigns you an IP address”. That is, your router connects to what I call your “external IP address” provided to you by your ISP, let’s say 126.96.36.199. That’s how data you request finds its way back to your network. But how does the router keep track of your computer, your roomate’s computer, your PS3, your Droid and your roommate’s iPhone? The router assigns each device is own “internal IP address” using a DHCP server. (Network geeks use acronyms like LAN and WAN, but let’s keep it simple) It usually looks something like 192.168.0.100 or 192.168.1.2, etc. Without this internal IP address, there would be no way to tell the difference between data meant for your computer and data meant for your PS3.
Note: There may be a better mnemonic device out there, but if you are having trouble remembering the difference between DNS and DHCP, remember the N in DNS stands for NAME, as in where you send the NAME of the site you want to reach. And the C in DHCP stands for CONFIGURATION, as in where you get the CONFIGURATION for your network device.
PUTTING IT ALL TOGETHER
The way it works is you (or your friendly neighborhood FiOS guy or equivalent) configure your DHCP server to point to some established DNS server, the IP address of which was likely recommended by your ISP (FiOS, Comcast, etc.). Let’s say it was 188.8.131.52. Your DHCP server now sits and listens for requests from machines that want to connect. When you connect a computer to the network, first if it’s wireless it goes through its little wi-fi authentication song and dance, then a DHCP broadcast message is sent out across the network to everyone who is listening. The DHCP server is listening for this broadcast and upon receiving it, assigns a unique internal IP address to the device and sends a response with that internal IP address
The DHCP server also tells your Computer (and by association, your network adapter), a few other settings to use, including the DNS server specified in the DHCP settings (184.108.40.206, remember?). And your stupid (er.. I mean “faithful”?) wireless adapter blindly accepts these settings and begins using them. This is an important detail for understanding rogue DHCP server attacks.
Then, every time you make a request to a domain like facebook.com, google.com or bobbycahill.com, your network adapter will first “resolve” the domain name by sending it to the DNS server to find out the IP address for that domain. This is a key detail in understanding rogue DNS server attacks.
Now that you have the IP address, your computer‘s network adapter can send the HTTP request to the default gateway (usually the router), and because you included an IP address, the router, modem and all other devices in between there and your destination will know where to send it.
I will be back later to post some articles explaining how rogue DHCP server attacks and rogue DNS server attacks work and how to detect and remove them. Check back soon!