Domain Name System

Wise Up To The Internet

The is a system that stores information associated with in a distributed database on networks, such as the Internet. The domain name system associates many types of information with domain names, but most importantly, it provides the IP address associated with the domain name. It also lists mail exchange servers accepting e-mail for each domain.

DNS is useful for several reasons. Most well known, the DNS makes it possible to attach hard-to-remember IP addresses (such as 207.142.131.206) to easy-to-remember domain names (such as "wiseuptothenet.com") Humans take advantage of this when they recite Uniform Resource Locator (URL)s and e-mail addresses. Less recognized, the domain name system makes it possible for people to assign authoritative names, without needing to communicate with a central registrar each time.

A brief history of the DNS

The practice of using a name as a more human-legible abstraction of a machine's numerical address on the network predates even TCP/IP, all the way back to the ARPAnet era. Originally, each computer on the network retrieved a file called from SRI (now SRI International) which mapped an address (eg. 192.0.2.135) to a name (eg. www.example.com.) The Host file still exists on most modern operating systems either by default or through configuration and allows users to specify an IP Address to use for a hostname without checking the DNS. This file is now used primarily for troubleshooting DNS errors or mapping local addresses to more organic names. Such a system had inherent limitations, because of the obvious requirement that every time a given computer's address changed, every computer that wanted to communicate with it would need an update to its Hosts file.

The growth of networking called for a more scalable system: one which recorded a change in a host's address in one place only. Other hosts would learn about the change dynamically through a notification system, thus completing a globally accessible network of all hosts' names and their associated IP Addresses. Enter the DNS.

Paul Mockapetris invented the DNS in 1983; the original specifications appear in Request for Comments 882 and 883. In 1987, the publication of RFC 1034 and RFC 1035 updated the DNS specification and made RFC 882 and RFC 883 obsolete. Several more recent RFCs have proposed various extensions to the core DNS protocols.

How the DNS works in theory

Actors

Domain names are arranged in a tree, and cut into zones, which are served by nameservers.

The domain name space is a gigantic tree data structure of domain names. Each node or leaf in the tree is associated with , which hold the information associated with the domain name. The tree is divided into . A zone is a collection of connected nodes that are authoritatively served by an . (Note that a single nameserver can host several zones.)

When a system administrator wants to let another administrator control a part of the domain name space within his or her zone of authority, he or she can control to the other administrator. This splits a part of the old zone off into a new zone, which is served by the second administrator's nameservers. The old zone is no longer authoritative for what is under the authority of the new zone.

The information associated with nodes is looked up by a . A resolver knows how to communicate with name servers by sending DNS requests, and heeding DNS responses. Resolving usually entails through several name servers to find the needed information.

Some resolvers are simple, and can only communicate with a single name server. These simple resolvers rely on a to perform the work of finding information for it.

Understanding the parts of a domain name

A domain name usually consists of two or more parts (technically ), separated by dots. For example wiseuptothenet.com.

*The rightmost label conveys the (for example, the address en.wiseuptothenet.com has the top-level domain org).

*Each label to the left specifies a subdivision or of the domain above it. Note that "subdomain" expresses relative dependence, not absolute dependence: for example, wiseuptothenet.com comprises a subdomain of the com domain, and en.wiseuptothenet.com could form a subdomain of the domain wiseuptothenet.com (in practice, however, en.wiseuptothenet.com actually represents a hostname - see below). In theory, this subdivision can go down to 127 levels deep, and each label can contain up to 63 characters, as long as the whole domain name does not exceed a total length of 255 characters. But in practice some domain name registries have shorter limits than that.

*Finally, the leftmost part of the domain name (usually) expresses the hostname. The rest of the domain name simply specifies a way of building a logical path to the information required; the hostname is the actual target system name for which an IP address is desired. For example, the domain name en.wiseuptothenet.com has the hostname "en".

The DNS consists of a hierarchical set of . Each domain or subdomain has one or more that publish information about that domain and the name servers of any domains "beneath" it. The hierarchy of authoritative DNS servers matches the hierarchy of domains. At the top of the hierarchy stand the : the servers to query when looking up () a top-level domain name.

An example of theoretical DNS recursion

An example may clarify this process. Suppose an application needs to find the IP address of www.wiseuptothenet.com. It puts this question to a local DNS recursor.

*Before starting, the recursor has to know where to find the ; administrators of recursive DNS servers manually specify (and periodically update) a file called the which specify recently known IP addresses of these servers, from which the DNS server can obtain a current complete list.

*The process starts by the recursor asking one of these root servers - for example, the server with the IP address "198.41.0.4" - the question "what is the IP address for www.wiseuptothenet.com?"

*The root server replies with a , meaning roughly: "I don't know the IP address of www.wiseuptothenet.com, but I know that the DNS server at 204.74.112.1 has information on the org domain."

*The local DNS recursor then asks that DNS server (i.e. 204.74.112.1) the same question it had previously put to the root servers, i.e. "what is the IP address for www.wiseuptothenet.com?". It gets a similar reply - essentially, "I don't know the address of www.wiseuptothenet.com, but I know that the DNS server at 207.142.131.234 has information on the wiseuptothenet.com domain."

*Finally the request goes to this third DNS server (207.142.131.234), which replies with the required IP address.

This process utilises recursive searching.

Understanding domain registration and glue records

Reading the example above, you might reasonably wonder: "how does the DNS server 204.74.112.1 know what IP address to give out for the wiseuptothenet.vom domain?" In the first step of the process, we noted that a DNS recursor has the IP addresses of the root servers more-or-less hard coded. Equally, the name servers that are authoritative for the Top-Level Domains change very infrequently.

However, the name servers that provide authoritative answers for common domain names may change relatively often. As part of the process of registering a domain name (and at any time thereafter), a registrant provides the registry with the name servers that will be authoritative for that domain name; therefore, when registering wiseuptothenet.com, that domain is associated with the name servers gunther.bomis.com and zwinger.wiseuptothenet.com at the .org registry. Consequentially, in the example above, when the server identified by 204.74.112.1 receives a request, the DNS server scans its list of domains, locates wiseuptothenet.com, and returns the name servers associated with that domain.

Name servers in delegations are listed by name, rather than by IP address. This means that a resolving name server must issue another DNS request to find out the IP address of the server to which it has been referred. Since this can introduce a bootstrapping problem when the name of the nameserver is in the domain about which nothing is yet known, it is occasionally necessary for the nameserver providing the delegation to also provide the IP address of the next nameserver. This record is called a .

DNS in practice

When an application (such as a web browser ) tries to find the IP address of a domain name, it doesn't necessarily follow all of the steps outlined in the section above. We will first look at the concept of caching, then outline the operation of DNS in "the real world".

Caching and time to live

Because of the huge volume of requests generated by a system like the DNS, the designers wished to provide a mechanism to reduce the load on individual DNS servers. The mechanism devised provided that when a DNS resolver (i.e. client) received a DNS response, it would that response for a given period of time. A value (set by the administrator of the DNS server handing out the response) called the , or Time_to_live(TTL) defines that period of time. Once a response goes into cache, the resolver will consult its cached (stored) answer; only when the TTL expires (or until an administrator manually flushes the response from the resolver's memory) will the resolver contact the DNS server for the same information.

Generally, the time to live is specified in the Start of Authority (SOA) record. SOA parameters are:

* — the zone serial number, incremented when the zone file is modified, so the slave and secondary name servers know when the zone has been changed and should be reloaded.

* — This is the number of seconds between update requests from secondary and slave name servers.

* — This is the number of seconds the secondary or slave will wait before retrying when the last attempt has failed.

* — This is the number of seconds before a master or slave will wait before considering the data stale if it cannot reach the primary name server.

* — Previously used to determine the minimum TTL, this is used for negative caching.

(Newer versions of will accept 'M','H','D' & 'W' suffixes indicating that the time interval is respectively in Minutes, Hours, Days and Weeks).

Caching time

An important consequence of this distributed and caching architecture is that changes to the DNS are not always immediately effective globally. This is best explained with an example: If an administrator has set a Time_to_live(TTL) of 6 hours for the host www.wiseuptothenet.com, and then changes the IP address to which www.wiseuptothenet.com resolves at 12:01pm, the administrator must consider that a person who cached a response with the old IP Address at 12:00pm will not consult the DNS server again until 6:00pm. The period between 12:01pm and 6:00pm in this example is called , which is best defined as a period of time that begins when you make a change to a DNS record and ends after the maximum amount of time specified by the Time_to_live(TTL) expires. This essentially leads to an important logistical consideration when making changes to the DNS: . RFC1537 helps to convey basic rules for how to set the TTL.

Note that the term "propagation", although very widely used, is a poor term to describe the effects of caching. Specifically, it implies that 1 when you make a DNS change, it somehow spreads to all other DNS servers (instead, other DNS servers check in with yours as needed), and 2 that you do not have control over the amount of time the record is cached (you have complete control for all DNS records on your domain, except your NS records and any authoritative DNS servers that use your domain name).

Many people incorrectly refer to a mysterious 48 hour or 72 hour propagation time when you make a DNS change. When you change the NS records for your domain or the IP addresses for hostnames of authoritative DNS servers using your domain (if any), there can be a lengthy period of time before all DNS servers use the new information. This is because those records are handled by the zone parent DNS servers (for example, the .com DNS servers if your domain is example.com), which typically cache those records for 48 hours. However, those DNS changes will be immediately available for any DNS servers that do not have them cached. And, any DNS changes on your domain other than the NS records and authoritative DNS server names can be nearly instantaneous, if you choose for them to be (by lowering the TTL once or twice ahead of time, and waiting until the old TTL expires before making the change).

DNS in the real world

Users generally do not communicate directly with a DNS resolver. Instead DNS resolution is handled transparently via client applications such as web browsers ( Mozilla Firefox , Safari, Opera, Internet Explorer , etc), mail clients ( Outlook Express , Mozilla Thunderbird , etc), and other internet applications. When a request is made which necessitates a DNS lookup, such programs send a resolution request to the local DNS resolver in the operating system which in turn handles the communications required.

The DNS resolver will almost invariably have a cache (see above) containing recent lookups. If the cache can provide the answer to the request, the resolver will return the value in the cache to the program that made the request. If the cache does not contain the answer, the resolver will send the request to a designated DNS server or servers. In the case of most home users, the internet service provider to which the machine connects will usually supply this DNS server: such a user will either configure that server's address manually or allow Dynamic_Host_Configuration_Protocol to set it; however, where systems administrators have configured systems to use their own DNS servers, their DNS resolvers will generally point to their own nameservers. This name server will then follow the process outlined above in , until it either successfully finds a result, or does not. It then returns its results to the DNS resolver; assuming it has found a result, the resolver duly caches that result for future use, and hands the result back to the software which initiated the request.

As a final level of complexity, some applications such as Web browsers also have their own DNS cache, in order to reduce use of the DNS resolver library itself, which can add extra difficulty to DNS debugging, as it obscures which data is fresh, or lies in which cache. These caches typically have very short caching times of the order of 1 minute. A notable exception is Internet Explorer. Recent versions cache DNS records for 30 minutes1.

Other DNS applications

The system outlined above provides a somewhat simplified scenario. The DNS includes several other functions:

*Hostnames and IP addresses do not necessarily match on a one-to-one basis. Many hostnames may correspond to a single IP address: combined with virtual hosting , this allows a single machine to serve many web sites. Alternatively a single hostname may correspond to many IP addresses: this can facilitate fault-tolerance/fault tolerance and load distribution, and also allows a site to move physical location seamlessly.

*There are many uses of DNS besides translating names to IP addresses. For instance, Mail transfer agent use DNS to find out where to deliver e-mail for a particular address. The domain to mail exchanger mapping provided by MX_record accommodates another layer of fault tolerance and load distribution on top of the name to IP address mapping.

* Sender Policy Framework controversially takes advantage of a DNS record type, the TXT record.

*To provide resilience in the event of computer failure, multiple DNS servers provide coverage of each domain. In particular, thirteen root servers exist worldwide. DNS programs or operating systems have the IP addresses of these servers built in. The United States hosts, at least nominally, all but three of the root servers. However, because many root servers actually implement anycast , where many different computers can share the same IP address to deliver a single service over a large geographic region, most of the physical (rather than nominal) root servers now operate outside the USA.

The DNS uses Transmission Control Protocol and User Datagram Protocol/UDP on computer port/port 53 to serve requests. Almost all DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server. TCP typically comes into play only when the response data size exceeds 512 bytes, or for such tasks as DNS zone transfer.

Types of DNS records

Important categories of data stored in the DNS include the following:

*An or maps a hostname to its 32-bit IPv4 address.

*An or maps a hostname to its 128-bit IPv6 address.

*A or makes one domain name an alias of another. The aliased domain gets all the subdomains and DNS records of the original.

*An or maps a domain name to a list of mail exchange server s for that domain.

*A or maps an IPv4 address to the canonical name for that host. Setting up a PTR record for a hostname in the in-addr.arpa domain that corresponds to an IP address implements reverse DNS lookup for that address. For example (at the time of writing), www.icann.net has the IP address 192.0.34.164, but a PTR record maps 164.34.0.192.in-addr.arpa to its canonical name, referrals.icann.org.

*An or maps a domain name to a list of DNS servers for that domain. Delegations depend on NS records.

*An or specifies the DNS server providing information about an Internet domain.

*An is a generalized service location record.

*A allows an administrator to insert arbitrary text into a DNS record. For example, this record is used to implement the Sender Policy Framework specification.

Other types of records simply provide information (for example, a LOC record gives the physical of a host), or experimental data (for example, a gives a list of servers offering some such as HTTP or POP3 for a domain).

Internationalised domain names

Domain names must use only a subset of ASCII characters - the Roman alphabet in upper and lower case, the digits 0 through 9, and the hyphen . This prevented the representation of names and words of many languages natively. ICANN has approved the Punycode -based Internationalizing Domain Names in Applications system, which maps Unicode strings into the valid DNS character set, as a workaround to this issue. Some domain name registry have adopted IDNA.

DNS software

Various flavors of DNS software implement the DNS, including:

* BIND (Berkeley Internet Name Daemon) – full featured, most popular, de facto Internet standard

* djbdns ( Daniel J. Bernstein 's DNS) – composed of several small-footprint components

* MaraDNS – UDP only

* VitalQIP (Lucent Technologies)

* Adonis DNS Management Appliance (BlueCat Networks Inc)

* NSD (Name Server Daemon) – small footprint, UDP only, authoritative only

* PowerDNS

* Microsoft DNS (in the server editions of Windows 2000 and Windows Server 2003/Windows 2003 )

DNS-oriented utility software/utilities include:

* dig (the "domain information groper")

* mysqlBind - BIND 8/9 DNS server administration system for one or hundreds of DNS servers. GPL licensed.

Legal users of domains

Registrant

No one in the world really "owns" a domain name except the Network Information Centre (NIC), or domain name registry . Most of the NICs in the world receive an annual fee from a legal user in order for the legal user to utilise the domain name (i.e. a sort of a leasing agreement exists, subject to the registry's terms and conditions). Depending on the various naming convention of the registries, legal users become commonly known as "registrants" or as "domain holders".

ICANN holds a complete list of domain registries in the world. One can find the legal user of a domain name by looking in the WHOIS database held by most domain registries.

For most of the more than 240 country code top-level domain s (ccTLDs), the domain registries hold the authoritative WHOIS (Registrant, name servers, expiry dates etc). For instance, DENIC , Germany NIC holds the authoritative WHOIS to a .DE domain name.

However, some domain registries, such as VeriSign , use a registry-registrar model. There are hundreds of Domain Name Registrars that actually perform the domain name registration with the end-user, such as eNom . By using this method of distribution, the registry only has to manage the relationship with the registrar, and the registrar maintains the relationship with the end-users, or 'registrants'. For .COM, .NET domain names, the domain registries, VeriSign holds a basic WHOIS (registrar and name servers etc). One can find the detailed WHOIS (Registrant, name server s, expiry dates etc) at the registrars.

Since about 2001, most gTLD registries (.ORG, .BIZ, .INFO) have adopted a so-called "thick" registry approach, i.e. keeping the authoritative WHOIS with the various registries instead of the registrars.

Administrative contact

A registrant usually designates an administrative contact to manage the domain name. In practice, the administrative contact usually has the most immediate power over a domain. Management functions delegated to the administrative contacts may include (for example):

* the obligation to conform to the requirements of the domain registry in order to retain the right to use a domain name

* authorisation to update the physical address, e-mail address and telephone number etc in WHOIS

Technical contact

A technical contact manages the name servers of a domain name. The many functions of a technical contact include:

* making sure the configurations of the domain name conforms to the requirements of the domain registry

* updating the domain zone

* providing the 24x7 functionality of the name servers (that leads to the accessibility of the domain name)

Billing contact

Self-explanatory, the party whom a NIC invoices.

Name servers

Namely the authoritative name server s that host the domain name zone of a domain name.

Politics

Many investigators have voiced criticism of the methods used currently to control ownership of domains. Most commonly, critics claim abuse by monopolies or near-monopolies, such as VeriSign , Inc., and problems with assignment of top-level domain s. The international body Internet Corporation for Assigned Names and Numbers (ICANN) (the Internet Corporation for Assigned Names and Numbers) oversees the domain name industry .

Truth in Domain Names Act

In the United States , the "Truth in Domain Names Act", in combination with the PROTECT Act of 2003forbids the use of a misleading domain name with the intention of attracting people into viewing a Internet pornography on the Internet.

External links and documentation

* All About DNS

* Securing DNS with Transaction Signatures

* (PDF format)

* DNS Forgery

* DNS Poisoning, a practical example

* How to 'Quickly' Test DNS Resolution

* Sites supporting DNS LOC

* Domain Name System Links, Whitepapers, and Research

* DNS lookups shows recursive search process during dns lookup

* Setting up DNS server in unix

* Online DNS tools

* Microsoft KB Article on IE Cache Times

* Serving DNS using a Peer-to-Peer Lookup Service

* Distributed DNS

Daily.Round.Up
  • Blair questioned in honours probe
    Prime Minister Tony Blair has been interviewed by police investigating allegations of cash for honours.
  • Second man held in murders probe
    Police probing the murders of five prostitutes arrest a second man and get longer to question their first suspect.
  • Air tragedy sea search called off
    A search for the seventh man involved in a helicopter crash in Morecambe Bay is halted, as six dead men are named.
  • Cartoons protester found guilty
    A UK Muslim is convicted of soliciting murder at a protest over cartoons satirising the Prophet Muhammad.
  • US launches air strike in Somalia
    The US launches an air strike against suspected al-Qaeda members in a village in southern Somalia.
    		•

    WISE UP TO THE NET