Domain Name System (DNS)
The internet's phonebook: translating human-friendly domain names to machine-readable IP addresses
DNS Resolution Process
DNS (Domain Name System) translates human-readable domain names into IP addresses through a hierarchical lookup process. The steps below follow one query for www.example.com from the client through each level of DNS server that takes part in resolving it.
- Client sends a recursive query to its configured DNS resolver
- If the resolver doesn't have the answer cached, it starts the iterative resolution process
- Resolver contacts a root DNS server to find the authoritative server for the TLD (.com, .org, etc.)
- Root server responds with the address of the TLD's DNS server
- Resolver contacts the TLD server to find the authoritative server for the domain
- TLD server responds with the address of the domain's authoritative name server
- Resolver contacts the authoritative server for the domain to get the IP address
- Resolver caches the response for the lifetime given by the record's TTL and returns the IP address to the client
- Client can now connect directly to the web server using the IP address
DNS Record Types
Different DNS record types serve specific purposes in the DNS system:
- A: Maps a domain name to an IPv4 address
- AAAA: Maps a domain name to an IPv6 address
- CNAME: Creates an alias from one domain name to another
- MX: Specifies the mail servers that receive email for the domain
- TXT: Stores free-form text; used for SPF, DKIM, DMARC and domain-ownership verification
- NS: Delegates a DNS zone to authoritative name servers
- SOA: Start of Authority, administrative information about the zone
- PTR: Maps an IP address to a domain name (reverse lookup)
- SRV: Specifies the location (host and port) of a service
- CAA: Specifies which Certificate Authorities may issue certificates for the domain
```zone
; A records for example.com
example.com.      IN  A  93.184.216.34
www.example.com.  IN  A  93.184.216.34
```
DNS Zone Files
DNS zone files define the DNS records for a domain. Each record has an owner name, an optional TTL, a class (usually IN for Internet), a type (A, AAAA, MX, etc.) and data specific to the record type. A $ORIGIN directive sets the domain that names without a trailing dot are relative to, "@" stands for the origin itself, a $TTL directive supplies the default TTL, a line that starts with whitespace belongs to the previous owner name, and parentheses let a long record such as an SOA span several lines. Authoritative DNS servers load these records and use them to answer queries about the domain.
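The record layout described above, as an added example that is not part of the original page: a small Python parser for the zone-file format. The sample zone is constructed for the demo (the names ns1/ns2/mail/sip, the address 192.0.2.25 and the timer values are assumptions; only example.com and its A and AAAA addresses come from the page). It handles $ORIGIN, $TTL, relative names, "@", comments (including semicolons inside quoted TXT data), parenthesised continuation lines and the optional TTL/class fields, and fails loudly on records it cannot qualify rather than guessing.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Constructed sample zone for example.com (assumed data for this demo, not a real zone).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@           IN SOA   ns1.example.com. hostmaster.example.com. (
                     2024010101 ; serial
                     7200       ; refresh
                     900        ; retry
                     1209600    ; expire
                     300 )      ; negative-cache TTL
@           IN NS    ns1.example.com.
@           IN NS    ns2.example.com.
@           IN A     93.184.216.34
            IN AAAA  2606:2800:220:1:248:1893:25c8:1946
www         IN CNAME example.com.
@           IN MX    10 mail.example.com.
mail    300 IN A     192.0.2.25
@           IN TXT   "v=spf1 mx -all"
_dmarc      IN TXT   "v=DMARC1; p=reject"
_sip._tcp   IN SRV   10 60 5060 sip.example.com.
@           IN CAA   0 issue "letsencrypt.org"
"""

TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|\S+')   # a quoted string stays one token
CLASSES = {"IN", "CH", "HS"}


@dataclass
class Record:
    name: str      # fully qualified owner name
    ttl: int
    rclass: str
    rtype: str
    rdata: str     # type-specific data, whitespace-normalised, quotes preserved


def _logical_lines(text: str) -> Iterator[str]:
    """Strip ';' comments (outside quotes) and join '( ... )' continuations into one line."""
    buf: List[str] = []
    depth = 0
    for raw in text.splitlines():
        cleaned: List[str] = []
        in_quote = False
        for ch in raw:
            if ch == '"':
                in_quote = not in_quote
            elif not in_quote and ch == ";":
                break                       # rest of the physical line is a comment
            elif not in_quote and ch in "()":
                depth += 1 if ch == "(" else -1
                ch = " "                    # parentheses only group lines; drop them
            cleaned.append(ch)
        buf.append("".join(cleaned))
        if depth == 0:
            joined = " ".join(buf)
            buf = []
            if joined.strip():
                yield joined


def _qualify(name: str, origin: str) -> str:
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: Optional[str] = None,
               default_ttl: Optional[int] = None) -> List[Record]:
    records: List[Record] = []
    last_owner: Optional[str] = None
    for line in _logical_lines(text):
        tokens = TOKEN_RE.findall(line)
        if tokens[0] == "$ORIGIN":
            origin = tokens[1] if tokens[1].endswith(".") else tokens[1] + "."
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if tokens[0].startswith("$"):
            raise ValueError(f"unsupported directive {tokens[0]}")
        # An owner name is present only when the line does not start with whitespace;
        # otherwise the record belongs to the previous owner.
        if line[0].isspace():
            owner = last_owner
        else:
            if origin is None:
                raise ValueError("owner names cannot be qualified without $ORIGIN")
            owner = _qualify(tokens.pop(0), origin)
        if owner is None:
            raise ValueError("record before any owner name")
        last_owner = owner
        ttl, rclass = default_ttl, "IN"
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tok = tokens.pop(0)             # optional TTL and class, in either order
            if tok.isdigit():
                ttl = int(tok)
            else:
                rclass = tok.upper()
        if not tokens:
            raise ValueError(f"missing type and rdata for {owner}")
        if ttl is None:
            raise ValueError(f"no TTL for {owner} and no $TTL directive")
        records.append(Record(owner, ttl, rclass, tokens[0].upper(), " ".join(tokens[1:])))
    return records


def lookup(records: List[Record], name: str, rtype: str) -> List[str]:
    """Return the rdata of every record matching owner name and type (names compare case-insensitively)."""
    return [r.rdata for r in records
            if r.name.lower() == name.lower() and r.rtype == rtype.upper()]


if __name__ == "__main__":
    for rec in parse_zone(SAMPLE_ZONE):
        print(f"{rec.name:28} {rec.ttl:6} {rec.rclass} {rec.rtype:6} {rec.rdata}")
```

The parser keeps rdata as text on purpose: validating the data per type (an MX needs a preference and a host, an SRV needs priority, weight, port and target) is the next layer, and a loader that silently accepts a malformed record is how typos become outages.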
DNS Hierarchy
The DNS system is organized in a hierarchical structure with different levels of servers handling specific parts of domain name resolution.
- Root DNS Servers: 13 named root-server identities (a.root-servers.net through m.root-servers.net), each an anycast cluster of many instances, that serve the DNS root zone
- TLD DNS Servers: Manage top-level domains like .com, .org, .net
- Authoritative DNS Servers: Provide definitive answers about specific domains
- Recursive DNS Resolvers: Query the other tiers on behalf of clients
- Local DNS Cache: Temporary storage of recent DNS lookups on the client or resolver
The Domain Name System (DNS) is a hierarchical, distributed database that translates human-readable domain names (like www.example.com) to machine-readable IP addresses (like 93.184.216.34). Without DNS, we would need to remember numerical IP addresses for every website we want to visit.
Introduction to DNS
DNS operates as a critical foundation of the internet, enabling users to access websites and services using memorable domain names rather than IP addresses. This distributed system includes millions of DNS servers worldwide working together to provide fast, reliable name resolution.
The DNS Resolution Process
Step-by-Step DNS Lookup
- Browser DNS Cache Check: Your browser first checks its own cache for recent lookups.
- Operating System Cache Check: If not found in the browser cache, it checks the operating system's cache (the stub resolver).
- Router Cache Check: Many home routers act as a forwarding DNS proxy and may answer from their own cache.
- Configured Resolver: If still not resolved, the query goes to the recursive resolver the system is configured to use, typically the ISP's, a corporate resolver, or a public one.
- Iterative Resolution: The client's query is recursive (it asks for a complete answer); the resolver satisfies it by walking the DNS hierarchy with iterative queries, each of which returns either the answer or a referral to the next server:
  - Query a Root DNS server, which refers the resolver to the TLD servers
  - Query a Top-Level Domain (TLD) server (like .com, .org), which refers it to the domain's name servers
  - Query an Authoritative Name Server for the specific domain
- Response Return: The authoritative server provides the IP address, which travels back through the chain to your browser.
- Caching: The resolver and the client-side caches above it store the answer for the record's TTL; the root, TLD and authoritative servers answer from their own data and do not cache on the client's behalf.
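The walk described in the two step lists above (the interactive summary and the step-by-step lookup), as an added example that is not part of the original page: a small Python recursive resolver that performs the iterative walk over a constructed, in-memory hierarchy and caches answers by TTL. The server data, the addresses 192.0.2.1 and 192.0.2.2, the names a.gtld-servers.net and ns1.example.com, and the 300-second TTL are assumptions made for the demo; only example.com and 93.184.216.34 come from the page. The trace it records shows the root referral, the TLD referral, the authoritative answer, and the cache hit on the second lookup, and it also shows why delegations carry glue records: without an address for ns1.example.com, the resolver would have to resolve that name first.

```python
import time
from typing import Callable, Dict, List, Tuple

TTL = 300          # seconds the demo servers attach to every record (assumption)
ROOT = "root"

# Constructed in-memory stand-ins for the tiers of authoritative servers (assumed data; only
# example.com and 93.184.216.34 come from the page). Each server maps owner names to records.
SERVERS: Dict[str, Dict[str, List[Tuple[str, str]]]] = {
    ROOT: {                                   # root zone: knows who runs .com
        "com.": [("NS", "a.gtld-servers.net.")],
        "a.gtld-servers.net.": [("A", "192.0.2.1")],     # glue for the .com server
    },
    "192.0.2.1": {                            # .com TLD server: delegates example.com
        "example.com.": [("NS", "ns1.example.com.")],
        "ns1.example.com.": [("A", "192.0.2.2")],        # glue: the NS name lives inside the delegated zone
    },
    "192.0.2.2": {                            # example.com authoritative server
        "example.com.": [("NS", "ns1.example.com."), ("A", "93.184.216.34")],
        "www.example.com.": [("A", "93.184.216.34")],
        "ns1.example.com.": [("A", "192.0.2.2")],
    },
}
APEX = {ROOT: ".", "192.0.2.1": "com.", "192.0.2.2": "example.com."}   # zone each server is authoritative for


def authoritative_query(server: str, qname: str, qtype: str) -> Tuple[str, list]:
    """Reply as an authoritative server would: the data if it has it, a referral to the
    closest delegation below its own zone, or a negative answer."""
    zone = SERVERS[server]
    answers = [rd for t, rd in zone.get(qname, []) if t == qtype]
    if answers:
        return "answer", answers
    labels = qname.split(".")
    for i in range(len(labels)):
        cut = ".".join(labels[i:]) or "."
        if cut == APEX[server]:
            break                              # inside our own zone and not delegated: nothing there
        ns_names = [rd for t, rd in zone.get(cut, []) if t == "NS"]
        if ns_names:
            glue = [(ns, [rd for t, rd in zone.get(ns, []) if t == "A"]) for ns in ns_names]
            return "referral", glue
    return "negative", []


class Resolver:
    """Recursive resolver: does the iterative walk on the client's behalf and caches answers by TTL."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.cache: Dict[Tuple[str, str], Tuple[float, List[str]]] = {}
        self.trace: List[Tuple[str, str, str]] = []     # (server, qname, outcome) for each hop

    def resolve(self, qname: str, qtype: str = "A", depth: int = 0) -> List[str]:
        key = (qname.lower(), qtype)
        hit = self.cache.get(key)
        if hit and hit[0] > self.clock():
            self.trace.append(("cache", qname, "hit"))
            return hit[1]
        if depth > 3:
            raise RuntimeError("glue chase too deep: likely a delegation loop")
        server = ROOT
        for _ in range(8):                              # bound the number of referrals followed
            kind, data = authoritative_query(server, qname, qtype)
            self.trace.append((server, qname, kind))
            if kind == "answer":
                self.cache[key] = (self.clock() + TTL, data)
                return data
            if kind != "referral":
                raise LookupError(f"{qname} {qtype}: no such record")
            ns_name, glue = data[0]
            # Without glue the resolver must first find the name server's own address
            server = glue[0] if glue else self.resolve(ns_name, "A", depth + 1)[0]
        raise RuntimeError("too many referrals")


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.example.com."))
    for hop in r.trace:
        print(hop)
```

The clock is injectable so that TTL expiry can be tested without waiting; a real resolver also has to cap the TTL it honours and to cache negative answers, which this demo leaves out.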
The DNS Hierarchy
At the top of the DNS hierarchy are the 13 root-server identities (labeled A through M), operated by various organizations globally; each is an anycast cluster made up of many physical instances. They serve as the starting point for DNS resolution, directing queries to the appropriate TLD servers.
TLD servers manage top-level domains like:
- Generic TLDs: .com, .org, .net, etc.
- Country-code TLDs: .us, .uk, .jp, etc.
- Special-purpose TLDs: .gov, .edu, .mil, etc.
Authoritative name servers hold the actual DNS records for specific domains. They provide definitive answers about their domains, including IP addresses and other information, and they are the servers a zone file is loaded into.
DNS resolvers (recursive servers) receive queries from clients and work on their behalf to find answers, traversing through the DNS hierarchy as needed.
DNS Record Types
DNS databases store different types of records, each serving a specific purpose:
Address Records
- A: Maps a domain to an IPv4 address. Example: example.com → 93.184.216.34
- AAAA: Maps a domain to an IPv6 address. Example: example.com → 2606:2800:220:1:248:1893:25c8:1946
Alias and Redirection
- CNAME: Creates an alias from one name to another. Example: www.example.com → example.com. A name that has a CNAME cannot carry any other records, so a CNAME cannot be used at the zone apex.
- MX: Specifies mail servers for receiving email, each with a preference value (lower is tried first). Example: example.com → 10 mail.example.com
Administrative Records
- TXT: Holds free-form text (commonly used for SPF, DKIM, DMARC and domain-ownership verification)
- SOA: Contains administrative information about a DNS zone: the primary name server, the administrator contact, the serial number and the zone transfer and negative-cache timers
Specialized Records
- NS: Delegates a DNS zone to specific name servers
- PTR: Maps an IP address to a domain name (reverse lookup, under in-addr.arpa for IPv4 and ip6.arpa for IPv6)
DNS Security Considerations
DNS was designed in an era when internet security was not a primary concern: plain DNS authenticates nothing and usually travels over unencrypted UDP. As a result it has several inherent weaknesses, which later extensions and protocols address only in part.
Common DNS Security Issues
Cache poisoning: Attackers inject false records into a resolver's cache, redirecting users to malicious hosts. The classic form races the genuine answer: the attacker sends forged responses to a query the resolver has outstanding, and a resolver that matches responses only on the 16-bit transaction ID, sends every query from the same source port, and caches every record a response carries can be made to accept a forgery by brute force. Resolvers defend by randomizing the source port as well as the ID, checking that the question section matches the query, and caching only records that fall within the responding server's bailiwick (the zone it is authoritative for).
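The acceptance check is where poisoning succeeds or fails, so here is an added simulation (not code from the original page) of a resolver that matches on transaction ID only beside one that also checks the destination port, the question section and the bailiwick of every record before caching it. The names www.example.com and ns1.example.com, the attacker-controlled address 198.51.100.66, the out-of-bailiwick name www.bank.example and the address 192.0.2.2 are assumptions made for the demo; nothing is sent on the network. The attacker in the simulation cannot see the resolver's transaction ID or port and simply sweeps all 65536 IDs toward a single guessed port before the genuine answer arrives.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RR = Tuple[str, str, str]            # (owner, type, rdata)


@dataclass(frozen=True)
class Question:
    qname: str
    qtype: str


@dataclass
class Response:
    txid: int
    dst_port: int                     # UDP port the packet is addressed to
    question: Question
    answers: List[RR]
    additional: List[RR]


@dataclass
class Pending:
    txid: int
    src_port: int                     # port the resolver sent the query from
    question: Question
    zone: str                         # zone the queried server is authoritative for ("bailiwick")


def in_bailiwick(owner: str, zone: str) -> bool:
    return owner == zone or owner.endswith("." + zone)


class WeakResolver:
    """Matches responses on the 16-bit transaction ID alone, always sends from port 53,
    and caches every record a matching response carries."""

    def __init__(self, seed: Optional[int] = None):
        self.rng = random.Random(seed)          # seeded only so the demo is reproducible
        self.cache: Dict[Tuple[str, str], str] = {}
        self.pending: Optional[Pending] = None

    def send_query(self, q: Question, zone: str) -> Pending:
        self.pending = Pending(self.rng.randrange(1 << 16), 53, q, zone)
        return self.pending

    def matches(self, resp: Response) -> bool:
        return self.pending is not None and resp.txid == self.pending.txid

    def accept(self, rr: RR) -> bool:
        return True

    def receive(self, resp: Response) -> bool:
        if not self.matches(resp):
            return False
        for rr in resp.answers + resp.additional:
            if self.accept(rr):
                self.cache[(rr[0], rr[1])] = rr[2]
        self.pending = None            # first accepted response closes the query; later ones are dropped
        return True


class HardenedResolver(WeakResolver):
    """Random source port, the question section must match, and only in-bailiwick records are cached."""

    def send_query(self, q: Question, zone: str) -> Pending:
        self.pending = Pending(self.rng.randrange(1 << 16), self.rng.randrange(1024, 1 << 16), q, zone)
        return self.pending

    def matches(self, resp: Response) -> bool:
        p = self.pending
        return (p is not None and resp.txid == p.txid
                and resp.dst_port == p.src_port and resp.question == p.question)

    def accept(self, rr: RR) -> bool:
        return in_bailiwick(rr[0], self.pending.zone)


def spoof_attack(resolver: WeakResolver, txid_guesses, port_guess: int) -> bool:
    """Attacker floods forged answers to an outstanding query, one per guessed transaction ID,
    all addressed to port_guess, before the genuine answer arrives. True if the cache was poisoned."""
    q = Question("www.example.com.", "A")
    sent = resolver.send_query(q, zone="example.com.")
    evil = "198.51.100.66"                     # documentation-range address standing in for the attacker
    for txid in txid_guesses:
        forged = Response(txid, port_guess, q,
                          [("www.example.com.", "A", evil)],
                          [("ns1.example.com.", "A", evil),        # in-bailiwick: hijacks the zone's NS too
                           ("www.bank.example.", "A", evil)])      # out-of-bailiwick: must never be cached
        if resolver.receive(forged):
            break
    genuine = Response(sent.txid, sent.src_port, q,
                       [("www.example.com.", "A", "93.184.216.34")],
                       [("ns1.example.com.", "A", "192.0.2.2")])
    resolver.receive(genuine)                  # dropped if a forgery already closed the query
    return resolver.cache.get(("www.example.com.", "A")) == evil


if __name__ == "__main__":
    for cls in (WeakResolver, HardenedResolver):
        poisoned = spoof_attack(cls(seed=7), range(1 << 16), port_guess=53)
        print(f"{cls.__name__}: sweep of all 65536 IDs toward port 53 -> poisoned={poisoned}")
```

Against the weak resolver the sweep always lands, because 65536 forged packets fit easily inside the window before the genuine answer arrives. Against the hardened one the same sweep fails unless the attacker also guesses the source port, which multiplies the search space by the size of the ephemeral port range; the bailiwick rule then limits what a lucky forgery can plant to names under the zone being asked about.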
DNS amplification: In this reflection-based DDoS attack, attackers send small queries to DNS servers with a spoofed source address (the victim's address), choosing queries whose responses are much larger than the request, such as ANY queries or large DNSSEC-signed records. The DNS servers then send the large responses to the victim, amplifying the attack traffic while hiding its origin. Defences are ingress filtering of spoofed source addresses at network edges (BCP 38), not running open recursive resolvers, and response rate limiting on authoritative servers.
DNS tunneling: This technique encodes data from other programs or protocols in DNS queries (usually in the subdomain labels of names under an attacker-controlled domain) and in responses (often TXT or NULL records), creating a covert channel for data exfiltration or command and control that can bypass network controls that let DNS through. Telltale signs are long, high-entropy subdomains, a large number of unique names under one domain, and an unusual mix of record types.
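The telltale signs listed above, turned into detection logic run over sample query-log lines as an added example (not code from the original page). The log format (timestamp, client, query name, query type), the clients 10.0.0.5 and 10.0.0.7, the domain exfil.example and the hex-looking labels are all constructed for the demo, and the thresholds are illustrative starting points rather than tuned values. The base-domain split is also an assumption: it takes the last two labels, where real tooling should consult the Public Suffix List.

```python
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed query log (assumed "timestamp client qname qtype" format, not from any real resolver).
QUERY_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com A
2024-05-01T10:00:02Z 10.0.0.5 mail.example.com MX
2024-05-01T10:00:03Z 10.0.0.5 static1.cdn.example.com A
2024-05-01T10:00:04Z 10.0.0.5 www.example.com AAAA
2024-05-01T10:00:05Z 10.0.0.5 api.example.com A
2024-05-01T10:00:06Z 10.0.0.7 4f2a9c1e7b3d5a8f0c6e2b9d1a7f3c5e.0001.t.exfil.example TXT
2024-05-01T10:00:06Z 10.0.0.7 9b7e3c5a1f8d2e6c4a0b7f9d3e1c5a8b.0002.t.exfil.example TXT
2024-05-01T10:00:07Z 10.0.0.7 c1e5a9d3f7b2e6a0c4d8f1b5e9a3c7d2.0003.t.exfil.example TXT
2024-05-01T10:00:07Z 10.0.0.7 2d8f4b0a6e1c9f5d3b7a2e8c0f4d6b1a.0004.t.exfil.example TXT
2024-05-01T10:00:08Z 10.0.0.7 7a3e9c1b5f0d4a8e2c6b0f9d3a7e1c5b.0005.t.exfil.example TXT
2024-05-01T10:00:08Z 10.0.0.7 e6b2f8d4a0c7e3b9f5d1a6c2e8b4f0d7.0006.t.exfil.example TXT
2024-05-01T10:00:09Z 10.0.0.7 www.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score high, real hostnames score low."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """Split into (subdomain, base domain) using the last two labels. Assumption for the demo;
    real tooling should use the Public Suffix List so that co.uk-style suffixes are handled."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str) -> List[Tuple[str, str, str, str]]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            rows.append((parts[0], parts[1], parts[2], parts[3]))   # (timestamp, client, qname, qtype)
    return rows


def profile(rows: List[Tuple[str, str, str, str]]) -> Dict[Tuple[str, str], dict]:
    """Aggregate per (client, base domain): the unit at which a tunnel shows up."""
    groups: Dict[Tuple[str, str], dict] = {}
    for _ts, client, qname, qtype in rows:
        sub, base = split_name(qname)
        g = groups.setdefault((client, base),
                              {"queries": 0, "subs": set(), "lens": [], "ents": [], "txt": 0})
        g["queries"] += 1
        g["subs"].add(sub)
        flat = sub.replace(".", "")            # payload bytes are spread over labels; score them together
        g["lens"].append(len(flat))
        g["ents"].append(shannon_entropy(flat))
        if qtype in ("TXT", "NULL"):           # record types with room for a response payload
            g["txt"] += 1
    return groups


def detect(text: str, min_unique: int = 5, min_len: int = 24,
           min_entropy: float = 3.0) -> List[dict]:
    """Flag (client, base domain) pairs whose subdomains look like encoded payloads.
    Thresholds are illustrative starting points, not tuned values."""
    findings = []
    for (client, base), g in profile(parse_log(text)).items():
        n = g["queries"]
        stats = {"client": client, "base": base, "queries": n,
                 "unique_subdomains": len(g["subs"]),
                 "mean_subdomain_len": sum(g["lens"]) / n,
                 "mean_entropy": sum(g["ents"]) / n,
                 "txt_ratio": g["txt"] / n}
        if (stats["unique_subdomains"] >= min_unique and stats["mean_subdomain_len"] >= min_len
                and stats["mean_entropy"] >= min_entropy):
            findings.append(stats)
    return sorted(findings, key=lambda s: -s["mean_entropy"])


if __name__ == "__main__":
    for f in detect(QUERY_LOG):
        print(f"suspect tunnel: {f['client']} -> {f['base']} ({f['unique_subdomains']} unique names, "
              f"mean length {f['mean_subdomain_len']:.0f}, entropy {f['mean_entropy']:.2f}, "
              f"TXT/NULL share {f['txt_ratio']:.0%})")
```

Aggregating per client and base domain matters more than any single threshold: one long, random-looking name is what a CDN or an anti-virus vendor's lookup service produces routinely, while hundreds of unique ones under the same domain from one host in a short window are not.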
Security Enhancements
DNSSEC (DNS Security Extensions)
DNSSEC adds origin authentication and integrity to DNS by having zone operators sign their record sets with asymmetric keys. A validating resolver verifies the signatures along a chain of trust that starts at the root zone's key and descends through a DS record in each parent zone, which carries a hash of the child zone's key, down to the zone being queried. A resolver that validates can therefore reject forged or tampered records, including those planted by cache poisoning. DNSSEC does not encrypt anything, protects only zones that are actually signed, and helps only clients whose resolver validates (or that validate themselves).
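The parent-to-child link in that chain of trust, as an added example that is not part of the original page: Python that computes a DNSKEY's key tag (RFC 4034 Appendix B) and the DS record a parent publishes for it (RFC 4034 section 5.1.4, the SHA-256 form from RFC 4509), and then performs the check a validator makes when it walks from the parent's DS into the child's DNSKEY. Signature verification over RRsets is the next step and is not shown. The 4-byte "public key" used in the demo is a constructed placeholder (a real ECDSA P-256 key, algorithm 13, is 64 bytes), and example.com here is only the owner name, not its actual key.

```python
import base64
import hashlib
import hmac
import struct
from typing import Tuple

# DS digest types: 1 SHA-1 (RFC 4034), 2 SHA-256 (RFC 4509), 4 SHA-384 (RFC 6605)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

DnsKey = Tuple[int, int, int, bytes]     # (flags, protocol, algorithm, public key)
Ds = Tuple[int, int, int, str]           # (key tag, algorithm, digest type, hex digest)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lower-case,
    length-prefixed labels, terminated by the empty root label."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(key: DnsKey) -> bytes:
    flags, protocol, algorithm, public_key = key
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def dnskey_from_presentation(text: str) -> DnsKey:
    """Parse the zone-file form 'flags protocol algorithm base64...' (the base64 may contain spaces)."""
    flags, protocol, algorithm, *b64 = text.split()
    return int(flags), int(protocol), int(algorithm), base64.b64decode("".join(b64))


def key_tag(key: DnsKey) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the RDATA used to pick the right key
    out of a DNSKEY RRset. It is not a cryptographic identifier (collisions happen); the DS
    digest is what actually binds the key."""
    rdata = dnskey_rdata(key)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, key: DnsKey, digest_type: int = 2) -> Ds:
    """DS RDATA the parent zone publishes for a child DNSKEY (RFC 4034 section 5.1.4):
    digest = H(canonical owner name || DNSKEY RDATA). Including the owner name binds the key
    to the zone, so the same key under another name yields a different DS."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + dnskey_rdata(key)).hexdigest().upper()
    return key_tag(key), key[2], digest_type, digest


def dnskey_matches_ds(owner: str, key: DnsKey, ds: Ds) -> bool:
    """The link a validating resolver checks when it descends from the parent into the child zone:
    does this DNSKEY hash to the DS the parent signed?"""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGESTS:
        return False                       # unsupported digest type: this DS cannot be used
    expected = ds_record(owner, key, digest_type)
    return (expected[0] == tag and expected[1] == algorithm
            and hmac.compare_digest(expected[3], digest.upper()))


if __name__ == "__main__":
    # Constructed placeholder key: flags 257 (zone key + SEP, i.e. a KSK), protocol 3, algorithm 13.
    ksk = dnskey_from_presentation("257 3 13 AAECAw==")
    print("key tag:", key_tag(ksk))
    print("DS:", *ds_record("example.com.", ksk))
```

The owner name is part of the digest input, which is why the last assertion below fails for the same key under a different name: a DS in .com for example.com cannot be replayed to vouch for the same key in another zone.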
DNS over HTTPS (DoH) and DNS over TLS (DoT)
These protocols carry DNS over TLS (DoT, on port 853) or inside HTTPS (DoH), encrypting queries and responses between the client and its resolver so that on-path observers cannot read or alter them. The protection covers only that hop: the resolver still sees every query, and its own queries to authoritative servers are normally still plain DNS. Neither protocol replaces DNSSEC, which authenticates the data rather than the transport.
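To make the transports concrete, here is an added example (not code from the original page) that builds the wire-format query a client sends (RFC 1035 section 4.1), shows the same bytes wrapped for DoT (the two-byte length prefix that DNS over TCP and TLS both use) and for a DoH GET request (RFC 8484: base64url with padding stripped, in the dns= parameter), and then parses a constructed response, following the name-compression pointers a real answer contains. The endpoint https://dns.example/dns-query, the transaction ID and the response bytes are assumptions for the demo; nothing is sent on the network, and the TLS or HTTPS session the frames would travel in is outside the scope of the block.

```python
import base64
import ipaddress
import secrets
import struct
from typing import Dict, List, Optional, Tuple

RTYPES = {1: "A", 2: "NS", 5: "CNAME", 28: "AAAA"}


def encode_name(name: str) -> bytes:
    """Length-prefixed labels, terminated by the empty root label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a name at off, following RFC 1035 section 4.1.4 compression pointers.
    Returns (name, offset just past the name as it appears at off)."""
    labels: List[str] = []
    end: Optional[int] = None          # set when the first pointer is followed
    hops = 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # pointer: top two bits set, 14-bit offset into the message
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", end if end is not None else off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(qname: str, qtype: int = 1, txid: Optional[int] = None, rd: bool = True) -> bytes:
    """DNS query: 12-byte header plus one question. RD=1 asks a resolver to recurse;
    a resolver itself sends RD=0 iterative queries to authoritative servers."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)     # unpredictable ID: part of the anti-spoofing budget
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)          # QDCOUNT=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def dot_frame(msg: bytes) -> bytes:
    """Framing for DNS over TCP and over TLS (RFC 1035 section 4.2.2, RFC 7858): 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg: bytes, endpoint: str = "https://dns.example/dns-query") -> str:
    """RFC 8484 GET form: the same wire message, base64url without padding, in ?dns=."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def doh_decode_param(dns_param: str) -> bytes:
    """Server side of the GET form: restore the padding the client stripped and decode."""
    return base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))


def parse_message(msg: bytes) -> Dict:
    """Decode header, question and answer sections (authority and additional left out for brevity)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, RTYPES.get(qtype, qtype)))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:
            text = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28:
            text = str(ipaddress.IPv6Address(rdata))
        elif rtype in (2, 5):
            text = decode_name(msg, off)[0]     # names in RDATA may point back into the message
        else:
            text = rdata.hex()
        off += rdlen
        answers.append((name, RTYPES.get(rtype, rtype), ttl, text))
    return {"txid": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "ra": bool(flags & 0x0080), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def constructed_response(query: bytes) -> bytes:
    """A reply a resolver might send for the query (constructed for the demo, not captured traffic)."""
    txid = struct.unpack_from("!H", query, 0)[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, NOERROR
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + query[12:] + answer     # question echoed; answer name is a pointer to offset 12


if __name__ == "__main__":
    q = build_query("www.example.com.")
    print("UDP payload:", q.hex())
    print("DoT frame:  ", dot_frame(q).hex())
    print("DoH GET:    ", doh_get_url(q))
    print("parsed:     ", parse_message(constructed_response(q)))
```

Two details the parser surfaces are worth keeping in mind: a response with TC=1 was truncated and must be retried over TCP (or DoT/DoH, which are never size-limited the way a UDP datagram is), and the pointer-hop limit exists because a crafted message with a pointer loop would otherwise hang a naive decoder.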
Modern DNS Services and Features
Anycast: Modern DNS services announce the same IP address from many locations so that routing delivers each query to the nearest instance, improving resilience against outages and attacks and reducing latency.
GeoDNS: This technique returns different answers based on the geographic location of the querying resolver (or, with the EDNS Client Subnet extension, of the client), directing users to the closest or most appropriate server.
Load balancing: DNS can return several addresses for one name, or rotate or weight the answers it gives, to distribute traffic across multiple servers and improve performance and reliability.
Summary
DNS is a critical internet infrastructure that provides the translation layer between human-friendly domain names and machine-readable IP addresses. Its distributed, hierarchical design ensures resilience and scalability, making it one of the most successful distributed database systems ever created.
A lookup that has to walk the full hierarchy costs several network round trips and is commonly quoted at tens of milliseconds up to around 100 ms, but because answers are cached at every level, from the browser to the resolver, most resolutions are answered from cache almost instantaneously for the end user. Without DNS, the internet as we know it today would not be possible.