If I were to send a URL to a DNS server, let's say: "dev.example.com/?username=daniel", what exactly is sent to the DNS server? The whole URL (including any passed parameters) or is it just the website section "dev.example.com"? I want to know so that I know what parameters I should be hiding in a URL.

The reason I am asking is because I just don't want confidential information sent to DNS servers. I am using https for all URLs but when someone asks to go to a URL, I want all parameter information from the URLs to be hidden from all DNS servers. I just am not sure what is sent to a DNS server to establish an SSL connection. Since I have a site that needs just about every parameter encrypted I am concerned about how to hide this information if DNS reads it.

+1  A: 

DNS is agnostic of protocol. The value sent is just the hostname, so in this case dev.example.com.

I'm also not sure what this has to do with "parameter hiding" but if you could expand on that we might be able to provide more helpful advice.

Edit (based on your update): Ah. Well then you should be good to go, as only the domain name itself is sent.

Sean Bright
+2  A: 

The Domain Name System (DNS) resolves hostnames to IP addresses, so only the value of the hostname is sent.

f3lix
A: 

If the DNS server happens to be a web server whose root web application happens to answer to the "username" query, then you might get something back. Other than that, DNS is another kind of animal.

Otávio Décio
So you think he mixed up HTTP and DNS ... ?
f3lix
Look, it is possible that a DNS server is also a Web server. I'm pretty sure he mixed things up but I'm just sticking to the question. So, if there is a socket listening on port 80 the server (DNS or otherwise) will receive ?username=daniel along with the HTTP headers...
Otávio Décio
+3  A: 

dev.example.com may be resolved (if it is not already in the local cache) by sending it to your DNS server (which will almost certainly refer to another DNS Server).

Only the "dev.example.com" is sent, the rest will be passed only to the resolved IP number as an HTTP request.

So, you do not need to hide any parameters, except of course that these parameters could well end up on another website if a user visits it from your page (as a referer). If these parameters are really sensitive, encode them or (ab)use POST.

Richard Harrison
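
The split described in the answers above, as an added example that is not part of the original posts: it builds the RFC 1035 query packet a resolver would send for the question's URL and, separately, the HTTP request that goes to the resolved address. The `https://` scheme, the transaction id and the function names are assumptions made for the illustration.

```python
import struct
from urllib.parse import urlsplit

# URL from the question; the https:// scheme is added here so it parses.
URL = "https://dev.example.com/?username=daniel"

def dns_query_for(url, txid=0x1234):
    """Build the A-record query (RFC 1035 wire format) sent for this URL."""
    host = urlsplit(url).hostname  # only the host part is ever resolved
    # Header: id, flags (recursion desired), 1 question, 0 other records
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: each label prefixed by its length, terminated by a zero byte
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in host.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def qname_from(packet):
    """Decode the question name back out of a query packet."""
    labels, i = [], 12  # the question starts after the 12-byte header
    while packet[i]:
        n = packet[i]
        labels.append(packet[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)

def http_request_for(url):
    """Build the request that goes to the resolved IP, not to the DNS server."""
    parts = urlsplit(url)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return f"GET {target} HTTP/1.1\r\nHost: {parts.hostname}\r\n\r\n".encode("ascii")

if __name__ == "__main__":
    query = dns_query_for(URL)
    print("DNS question name:", qname_from(query))
    print("parameter in DNS packet:", b"username" in query)
    print("HTTP request line:", http_request_for(URL).split(b"\r\n")[0].decode())
```

With HTTPS the request built by `http_request_for` travels inside the TLS session, so the path and query string are encrypted on the wire; the DNS query is a separate exchange that carries only the hostname.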