Domain, DNS, HTTPS

Mở đầu

Khi gõ google.com Enter, sau đó xảy ra gì? Hành động đơn giản đó chứa cả chuỗi cộng tác tinh vi: domain resolution → DNS query → TLS handshake encryption. Hiểu = must cho dev — quyết web access được không, data bị steal không.

Bạn sẽ học:

DNS principles: domain → IP
Record types: A, CNAME, MX, TXT
HTTPS mechanism: TLS handshake
Certificate: chain of trust
Security: sao HTTPS = baseline Web hiện đại

Chương	Nội dung
1	DNS resolution
2	DNS records
3	HTTPS + TLS
4	Cert trust chain
5	HTTP vs HTTPS

0. Toàn cảnh: từ domain → secure connection

Internet communication base IP (vd 142.250.80.46), nhưng người không nhớ số. → DNS = "phone book" Internet, dịch domain → IP.

Nhưng tìm server thôi chưa đủ. Communication plaintext = ai cũng eavesdrop, tamper được. HTTPS = HTTP + TLS encryption, đảm bảo confidentiality + integrity.

Visit web hoàn chỉnh

Domain resolution: browser hỏi DNS "google.com IP gì?", DNS trả "142.250.80.46"
TCP connect: browser + server TCP 3-way handshake
TLS handshake: 2 bên negotiate encryption + verify cert + exchange key
Encrypted comm: mọi HTTP data qua encrypted channel

1. DNS: "phone book" Internet

DNS (Domain Name System) như tra phonebook: biết name (domain), cần phone (IP). Nhưng "phonebook" Internet là layered distributed system.

🔍 DNS 解析过程模拟器

🌐

浏览器缓存

→

💻

操作系统缓存

→

🔄

递归解析器

→

🌍

根域名服务器

→

📂

TLD 服务器

→

🏠

权威 DNS 服务器

解析流程说明： 浏览器访问网站时，需要先将域名翻译成 IP 地址。这个过程会依次查询多级缓存和服务器，直到找到对应的 IP。

4 step DNS

Browser cache: query local cache, đã visit → dùng cached IP
Recursive resolver: cache miss → request đến ISP recursive resolver (8.8.8.8)
Tier query: recursive resolver hỏi tuần tự Root → TLD (.com) → Authoritative (google.com)
Return: authoritative trả IP cuối, recursive cache + return browser

Tier	Server	Job	Quantity
Root	Root Server	Biết TLD address	13 global groups
TLD	TLD Server	Manage .com, .vn, .org	Mỗi suffix 1 group
Authoritative	Authoritative	Lưu DNS record domain cụ thể	Mỗi domain ≥2
Recursive	Resolver	Thay user complete query	ISP hoặc public DNS

2. DNS records

DNS không chỉ dịch domain → IP. Qua record type khác, control mail routing, redirect, service discovery.

📋 DNS 记录类型速查

AAddress 记录

将域名映射到一个 IPv4 地址。这是最常见的 DNS 记录类型，浏览器访问网站时最终需要的就是这条记录。

示例记录

example.com. IN A 93.184.216.34

常见用途

网站域名指向服务器 IP
子域名指向不同的服务器
配合负载均衡返回多个 IP

小贴士： DNS 不只是把域名翻译成 IP，它还承载了邮件路由、域名验证、负载均衡等多种功能，全靠不同的记录类型来实现。

Record	Use	Example
A	Domain → IPv4	`example.com → 93.184.216.34`
AAAA	Domain → IPv6	`example.com → 2606:2800:220:1:...`
CNAME	Domain → domain khác (alias)	`www.example.com → example.com`
MX	Mail server	`example.com → mail.example.com`
TXT	Text info	SPF verify, domain ownership
NS	Authoritative server	`example.com → ns1.example.com`

Real scenarios

Deploy site: add A record → server IP, hoặc CNAME → CDN
Setup email: MX → mail server, TXT cho SPF/DKIM chống spam
Verify domain ownership: cloud vendor yêu cầu add TXT cụ thể
Load balance: cùng domain multi A record, DNS round-robin

3. HTTPS + TLS: "bulletproof vest" cho data

HTTP plaintext = như postcard, postman (middleman) đọc nội dung tuỳ ý. HTTPS = HTTP + TLS (Transport Layer Security) layer encryption = nhét postcard vào sealed envelope.

TLS handshake = step key build secure connection: verify identity + negotiate key trước khi transmit data.

🤝 TLS 握手过程演示

💻

客户端（浏览器）

→

Client Hello

发送支持的 TLS 版本、加密套件列表、随机数

←

Server Hello

选定 TLS 版本、加密套件、服务器随机数

←

Certificate

服务器发送数字证书（含公钥）

→

Key Exchange

双方协商生成会话密钥

→

Finished

双方确认握手成功，开始加密通信

🖥️

服务器

TLS 1.3 handshake

Client Hello: client send supported cipher list + random
Server Hello: server choose cipher, return cert + random
Cert verify: client verify server cert trust (CA signature, expiry, domain match)
Key exchange: 2 bên qua ECDHE negotiate shared key (key không transmit qua network)
Encrypted comm: data sau dùng symmetric key encrypt

Feature	TLS 1.2	TLS 1.3
Handshake RTT	2-RTT	1-RTT (first) / 0-RTT (resume)
Key exchange	RSA hoặc ECDHE	Chỉ ECDHE (forward secrecy)
Cipher	Hỗ trợ nhiều legacy	Chỉ secure cipher
Performance	Chậm hơn	Nhanh hơn

4. Certificate trust chain: sao tin web này?

TLS handshake step quan trọng nhất = "cert verify". Browser judge cert thật vs fake thế nào? Trả lời: certificate trust chain — system endorsement layer by layer.

🔗 证书信任链可视化

点击每一层证书，查看它的详细信息和在信任链中的角色。

🏛️

根证书（Root CA）

信任的起点

签发↓

🏢

中间证书（Intermediate CA）

信任的桥梁

签发↓

🌐

服务器证书（Server Certificate）

网站的身份证

🏛️根证书（Root CA）

签发者DigiCert Global Root G2（自签名）

有效期25 年（2013 - 2038）

密钥长度RSA 2048 位

存储位置操作系统 / 浏览器内置信任库

数量级全球约 150 个受信根证书

根证书是整个信任链的锚点。它由根证书颁发机构自签名，预装在操作系统和浏览器中。全球只有少数几十个根 CA，它们的安全性由严格的审计和物理安全措施保障。根 CA 的私钥通常存储在离线的硬件安全模块（HSM）中。

🔍 浏览器验证流程

1浏览器收到服务器证书，读取其签发者信息

2找到中间证书，用中间 CA 的公钥验证服务器证书的签名

3再用根 CA 的公钥验证中间证书的签名

4确认根证书在本地信任库中 → 整条链验证通过

3-tier cert

Root Certificate (Root CA): signed bởi trusted CA, pre-installed OS + browser. Đây là "anchor" của trust.
Intermediate CA: signed bởi Root CA, dùng sign end cert. Root không direct sign web cert vì security isolation.
Leaf Certificate: cert web thực dùng, signed bởi intermediate CA, chứa domain + public key + expiry.

Cert type	Verify level	Issue speed	Use
DV (Domain Validation)	Chỉ verify domain ownership	Phút	Personal, blog
OV (Organization)	Verify org identity	Vài ngày	Enterprise site
EV (Extended)	Strict org verify	Vài tuần	Banking, finance
Wildcard	Cover mọi subdomain	Theo type	Multi-subdomain

5. HTTP vs HTTPS: sao encryption = baseline?

2024, >95% web traffic global qua HTTPS. Chrome đánh dấu HTTP site "Not Secure", search engine giảm rank HTTP. HTTPS không còn "optional", mà baseline modern Web.

🔐 HTTP vs HTTPS 数据传输对比

💻

浏览器

原始数据

password=MySecret123&user=zhangsan

🔓 明文传输

🕵️

中间人可窃听

🖥️

服务器

对比项	HTTP	HTTPS
端口	80	443
数据加密	无（明文传输）	TLS 对称加密
身份验证	无	CA 证书验证服务器身份
数据完整性	无保障	MAC 校验防篡改
SEO 影响	搜索引擎降权	搜索引擎优先收录
性能开销	无额外开销	TLS 握手增加约 1-2 RTT

Dim	HTTP	HTTPS
Data transmission	Plaintext, eavesdrop được	Encrypted, không eavesdrop
Identity verify	Không	Có (cert verify server)
Data integrity	Không (tamper được)	Có (tamper detected)
Port	80	443
SEO impact	Giảm rank	Tăng rank
Browser display	"Not Secure" warning	Lock icon

Free HTTPS cert

Let's Encrypt = CA miễn phí + tự động, mọi site bật HTTPS không cost. Combo Certbot = 1-click apply + auto renew. Đa số cloud platform + CDN cung cấp SSL free.

Tổng kết

Domain + DNS + HTTPS = 3 pillar Internet infrastructure. DNS giúp dùng tên thay vì số, HTTPS đảm bảo communication safe + reliable.

DNS layered: Root → TLD → Authoritative, tier query, cache speedup
Record types: A → IP, CNAME → alias, MX → mail, TXT → verify
TLS handshake: cert verify + key negotiate, TLS 1.3 chỉ 1-RTT
Cert chain: Root CA → Intermediate CA → Leaf cert
HTTPS baseline: free cert (Let's Encrypt) cho encryption zero-barrier

2026 cho VN dev

DNS providers:
- Cloudflare: free, fast nhất, DDoS protection
- AWS Route 53: deep AWS integration
- VN registrar: Mat Bao, P.A. Việt Nam, Nhân Hoà
TLS cert:
- Let's Encrypt: free, auto renew, default cho 99%
- ZeroSSL: alternative Let's Encrypt
- Commercial CA: DigiCert, Sectigo cho EV banking
VN context:
- VN domain .vn qua VNNIC, mất 2-3 ngày verify
- HTTPS bắt buộc theo VN regulation cho e-commerce + banking
Modern security:
- HTTP/3 + QUIC: faster TLS handshake
- HSTS: force HTTPS, prevent downgrade attack
- DNS-over-HTTPS (DoH): encrypt DNS query, privacy
- Certificate Transparency: public log mọi cert, detect rogue

Domain, DNS, HTTPS ​

0. Toàn cảnh: từ domain → secure connection ​

1. DNS: "phone book" Internet ​

🔍 DNS 解析过程模拟器

2. DNS records ​

📋 DNS 记录类型速查

3. HTTPS + TLS: "bulletproof vest" cho data ​

🤝 TLS 握手过程演示

4. Certificate trust chain: sao tin web này? ​