
Domain name system

The Domain Name System (DNS) associates various sorts of information with so-called domain names; most importantly, it serves as the "phone book" for the Internet by translating human-readable computer hostnames, e.g. www.example.com, into the IP addresses, e.g. 208.77.188.166, that networking equipment needs to deliver information. It also stores other information such as the list of mail exchange servers that accept email for a given domain. In providing a worldwide keyword-based redirection service, the Domain Name System is an essential component of contemporary Internet use.

The most basic task of DNS is to translate hostnames to IP addresses. In very simple terms, it can be compared to a phone book. DNS also has other important uses.

Preeminently, DNS makes it possible to assign Internet names to organizations (or concerns they represent), independently of the physical routing hierarchy represented by the numerical IP address. Because of this, hyperlinks and Internet contact information can remain the same, whatever the current IP routing arrangements may be, and can take a human-readable form (such as "example.com") which is rather easier to remember than the IP address 208.77.188.166. People take advantage of this when they recite meaningful URLs and e-mail addresses without caring how the machine will actually locate them.

The Domain Name System distributes the responsibility for assigning domain names and mapping them to IP networks by allowing an authoritative server for each domain to keep track of its own changes, avoiding the need for a central registrar to be continually consulted and updated.

How DNS works in theory

The domain name space

The domain name space consists of a tree of domain names. Each node or leaf in the tree has a set of resource records (possibly empty), which hold information associated with the domain name. The tree sub-divides into zones. A zone consists of a collection of connected nodes authoritatively served by an authoritative DNS nameserver. (Note that a single nameserver can host several zones.)

When a system administrator wants to let another administrator control a part of the domain name space within his or her zone of authority, he or she can delegate control to the other administrator. This splits a part of the old zone off into a new zone, which comes under the authority of the second administrator's nameservers. The old zone ceases to be authoritative for what goes under the authority of the new zone.

Parts of a domain name

A domain name usually consists of two or more parts (technically labels), separated by dots, for example example.com. The rightmost label conveys the top-level domain (for example, the address www.example.com has the top-level domain com). Each label to the left specifies a subdivision, or subdomain, of the domain above it. Note: "subdomain" expresses relative dependence, not absolute dependence. For example, example.com is a subdomain of the com domain, and www.example.com is a subdomain of the domain example.com. In theory, this subdivision can go down to 127 levels deep. Each label can contain up to 63 octets, and the whole domain name does not exceed 255 octets in its wire-format encoding (one length octet per label plus a terminating zero octet), which leaves room for at most 253 characters in the dotted textual form. In practice, some domain registries may have shorter limits. A hostname refers to a domain name that has one or more associated IP addresses; i.e. the www.example.com and example.com domains are both hostnames, whereas the com domain is not.
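The limits above are easy to get wrong in input validation because the 255-octet limit applies to the wire encoding, not to the dotted text, and because the hostname syntax is stricter than what DNS itself allows as an owner name. The following Python is an added example, not code from the original article: it encodes a name to wire format and reports every limit a name violates. All the sample names in it and in the usage below are constructed for illustration; names are assumed to be ASCII (internationalized names would be converted to their punycode form first).

```python
# Added example (not from the original article): checking the label and
# total-length limits of a DNS name and producing the wire-format name.
# Sample names are constructed for illustration; ASCII input is assumed.
import re

MAX_LABEL_OCTETS = 63
MAX_WIRE_OCTETS = 255        # one length octet per label, plus the final zero octet
MAX_LABELS = 127             # 127 one-character labels already fill 255 wire octets

# RFC 1035 "preferred name syntax" for hostnames: letters, digits and hyphen,
# not starting or ending with a hyphen. Other owner names (e.g. _dmarc) may break it.
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

def split_labels(name):
    """Labels of a dotted name; a trailing dot (explicit root) is allowed and ignored."""
    if name.endswith("."):
        name = name[:-1]
    return name.split(".") if name else []

def to_wire(name):
    """Wire format: <length><label> for each label, then a zero octet for the root."""
    out = bytearray()
    for label in split_labels(name):
        raw = label.encode("ascii")
        if len(raw) > MAX_LABEL_OCTETS:
            raise ValueError("label too long for wire format: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)

def check_name(name, hostname=True):
    """Return the list of limits the name violates (empty list = acceptable).
    hostname=True additionally enforces the hostname label syntax."""
    problems = []
    labels = split_labels(name)
    if not labels:
        return ["empty name"]
    wire_len = 1                                   # terminating zero octet
    for label in labels:
        wire_len += 1 + len(label)                 # length octet plus the label itself
        if label == "":
            problems.append("empty label (consecutive dots)")
        elif len(label) > MAX_LABEL_OCTETS:
            problems.append("label longer than %d octets: %s..." % (MAX_LABEL_OCTETS, label[:8]))
        elif hostname and not HOSTNAME_LABEL.match(label):
            problems.append("not a valid hostname label: %r" % label)
    if wire_len > MAX_WIRE_OCTETS:
        problems.append("wire-format length %d exceeds %d octets" % (wire_len, MAX_WIRE_OCTETS))
    if len(labels) > MAX_LABELS:
        problems.append("more than %d labels" % MAX_LABELS)
    return problems
```

A 253-character name made of labels of 63, 63, 63 and 61 characters passes, because its wire form is exactly 255 octets; one more character fails. Pass hostname=False when validating owner names of TXT or SRV records, whose underscore labels are legitimate DNS names but not hostnames.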

DNS servers

The Domain Name System consists of a hierarchical set of DNS servers. Each domain or subdomain has one or more authoritative DNS servers that publish information about that domain and the name servers of any domains "beneath" it. The hierarchy of authoritative DNS servers matches the hierarchy of domains. At the top of the hierarchy stand the root nameservers: the servers to query when looking up (resolving) a top-level domain name (TLD).

DNS resolvers

A resolver looks up the resource record information associated with nodes. A resolver knows how to communicate with name servers by sending DNS queries and heeding DNS responses.

A DNS query may be either a recursive query or a non-recursive query. A non-recursive query is one where the DNS server may provide a partial answer to the query (typically a referral to the name servers of the next zone down), or give an error. DNS servers must support non-recursive queries. A recursive query is one where the DNS server will fully answer the query (or give an error). DNS servers are not required to support recursive queries.

The resolver (or another DNS server acting recursively on behalf of the resolver) negotiates use of recursive service using bits in the query headers: the client sets the RD (recursion desired) bit in its query, and the server indicates in the RA (recursion available) bit of its response whether it offers recursion at all. A client that depends on recursion should check RA, because a server that does not offer it will answer only from its own authoritative data or with a referral.

Resolving usually entails iterating through several name servers to find the needed information. However, some resolvers (stub resolvers) function simplistically and can only communicate with a single name server. These simple resolvers rely on a recursive query to a recursive name server to perform the work of finding information for them.

Address resolution mechanism

(This description deliberately uses the fictional .example TLD in accordance with the DNS guidelines themselves.)

In theory a full host name may have several name segments (e.g. ahost.ofasubnet.ofabiggernet.inadomain.example). In practice, in the experience of the majority of public users of Internet services, full host names will frequently consist of just three segments (ahost.inadomain.example, and most often www.inadomain.example).

For querying purposes, software interprets the name segment by segment, from right to left, using an iterative search procedure. At each step along the way, the program queries a corresponding DNS server to provide a pointer to the next server which it should consult. As originally envisaged, the process was as simple as:

1. The local system is pre-configured with the known addresses of the root servers in a file of root hints, which needs to be updated periodically by the local administrator from a reliable source to be kept up to date with the changes which occur over time.

2. Query one of the root servers to find the server authoritative for the next level down (so in the case of our simple hostname, a root server would be asked for the address of a server with detailed knowledge of the example top-level domain).

3. Query this second server for the address of a DNS server with detailed knowledge of the second-level domain (inadomain.example in our example).

4. Repeat the previous step to progress down the name, until the final step which would, rather than generating the address of the next DNS server, return the final address sought.

The mechanism in this simple form has a difficulty: it places a huge operating burden on the root servers, with each and every search for an address starting by querying one of them. Being as critical as they are to the overall function of the system, such heavy use would create an insurmountable bottleneck for the trillions of queries placed every day. The section DNS in practice describes how this is addressed.

Circular dependencies and glue records

Name servers in delegations appear listed by name, rather than by IP address. This means that a resolving name server must issue another DNS request to find out the IP address of the server to which it has been referred. Since this can introduce a circular dependency if the nameserver referred to is under the domain that it is authoritative for, it is occasionally necessary for the nameserver providing the delegation to also provide the IP address of the next nameserver. This record is called a glue record.

For example, assume that the sub-domain en.wikipedia.org contains further sub-domains (such as something.en.wikipedia.org) and that the authoritative nameserver for these lives at ns1.something.en.wikipedia.org. A computer trying to resolve something.en.wikipedia.org will thus first have to resolve ns1.something.en.wikipedia.org. Since ns1 is also under the something.en.wikipedia.org subdomain, resolving something.en.wikipedia.org requires resolving ns1.something.en.wikipedia.org, which is exactly the circular dependency mentioned above. The dependency is broken by the glue record in the nameserver of en.wikipedia.org that provides the IP address of ns1.something.en.wikipedia.org directly to the requestor, enabling it to bootstrap the process by figuring out where ns1.something.en.wikipedia.org is located. Because glue lives in the parent zone, it has to be updated at the parent whenever the name server's address changes, and a careful resolver trusts glue only for names that fall within the delegated zone; for a name server outside it, the resolver looks the address up separately.
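To make the referral chain of the resolution steps above and the glue problem concrete, here is an added Python example (not code from the original article): a miniature iterative resolver over in-memory zones that mirrors the en.wikipedia.org scenario using the fictional .example names the article itself recommends. The zone contents, the server addresses (taken from the 192.0.2.0/24 documentation range) and the single root hint are all constructed assumptions. The resolver walks root, then TLD, then domain, uses an address handed over alongside the referral as glue, and detects the circular dependency when the glue is absent instead of looping forever.

```python
# Added example (not from the original article): iterative resolution over
# constructed zone data, with and without the glue record for an in-zone
# name server. All names, zones and addresses are assumptions.

def labels(name):
    """'a.b.example.' -> ['example', 'b', 'a'] (root side first); '.' -> []."""
    return [l for l in reversed(name.strip(".").split(".")) if l]

def join(ls):
    """Inverse of labels(): ['example', 'b'] -> 'b.example.'; [] -> '.'."""
    return ".".join(reversed(ls)) + "." if ls else "."

def build_zones(with_glue):
    """Zone data keyed by apex, then owner name, then record type."""
    zones = {
        ".": {"example.": {"NS": ["ns.tld.example."]},
              "ns.tld.example.": {"A": ["192.0.2.2"]}},            # glue for the TLD server
        "example.": {"inadomain.example.": {"NS": ["ns.inadomain.example."]},
                     "ns.inadomain.example.": {"A": ["192.0.2.3"]}},  # glue for the domain server
        "inadomain.example.": {
            "www.inadomain.example.": {"A": ["192.0.2.10"]},
            "something.inadomain.example.": {"NS": ["ns1.something.inadomain.example."]}},
        "something.inadomain.example.": {
            "something.inadomain.example.": {"A": ["192.0.2.20"]},
            "ns1.something.inadomain.example.": {"A": ["192.0.2.4"]}},
    }
    if with_glue:   # the parent also publishes the child name server's address
        zones["inadomain.example."]["ns1.something.inadomain.example."] = {"A": ["192.0.2.4"]}
    return zones

SERVERS = {"192.0.2.1": ".", "192.0.2.2": "example.",
           "192.0.2.3": "inadomain.example.", "192.0.2.4": "something.inadomain.example."}
ROOT_HINTS = ["192.0.2.1"]          # the pre-configured root server address

def serve(zones, ip, qname, qtype):
    """What an authoritative server returns: ('answer', rrs), ('referral', ns_names, glue),
    ('nxdomain', ...) or ('refused', ...) when it is not authoritative for the name."""
    apex = SERVERS[ip]
    zone = zones[apex]
    ql, al = labels(qname), labels(apex)
    if ql[:len(al)] != al:
        return "refused", None, None
    for i in range(len(al) + 1, len(ql) + 1):       # look for a zone cut below the apex
        cut = join(ql[:i])
        if "NS" in zone.get(cut, {}):
            ns_names = zone[cut]["NS"]
            glue = {ns: zone[ns]["A"] for ns in ns_names if "A" in zone.get(ns, {})}
            return "referral", ns_names, glue
    rrs = zone.get(qname, {}).get(qtype)
    return ("answer", rrs, None) if rrs else ("nxdomain", None, None)

class ResolutionError(Exception):
    pass

def resolve(zones, qname, qtype="A", trace=None, pending=None):
    """Start at the root hints and follow referrals until an answer arrives."""
    trace = [] if trace is None else trace
    pending = set() if pending is None else pending
    if qname in pending:   # we are already trying to resolve this name: no glue, circular
        raise ResolutionError("circular dependency: %s is needed to resolve itself" % qname)
    pending.add(qname)
    try:
        candidates = list(ROOT_HINTS)
        for _ in range(20):
            ip = candidates[0]
            kind, data, glue = serve(zones, ip, qname, qtype)
            trace.append((qname, ip, kind))
            if kind == "answer":
                return data
            if kind == "nxdomain":
                return []
            if kind != "referral":
                raise ResolutionError("%s from %s for %s" % (kind, ip, qname))
            candidates = []
            for ns in data:
                if ns in glue:
                    candidates.extend(glue[ns])                      # address came with the referral
                else:
                    candidates.extend(resolve(zones, ns, "A", trace, pending))  # must look it up
            if not candidates:
                raise ResolutionError("no reachable name server for " + qname)
        raise ResolutionError("referral loop for " + qname)
    finally:
        pending.discard(qname)
```

resolve(build_zones(True), "something.inadomain.example.") follows three referrals and returns the address; with build_zones(False) the resolver raises ResolutionError on the second attempt to resolve ns1, which is the condition a real resolver reports to its client as SERVFAIL.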

DNS in practice

When an application (such as a web browser) tries to find the IP address of a domain name, it doesn't necessarily follow all of the steps outlined in the Theory section above. We will first look at the concept of caching, and then outline the operation of DNS in "the real world."

Caching and time to live

Because of the huge volume of requests generated by a system like DNS, the designers wished to provide a mechanism to reduce the load on individual DNS servers. To this end, the DNS resolution process allows for caching (i.e. the local recording and subsequent consultation of the results of a DNS query) for a given period of time after a successful answer. How long a resolver caches a DNS response (i.e. how long a DNS response remains valid) is determined by a value called the time to live (TTL). The TTL is set by the administrator of the DNS server handing out the response. The period of validity may vary from just seconds to days or even weeks.

Caching time

As a noteworthy consequence of this distributed and caching architecture, changes to DNS do not always take effect immediately and globally. This is best explained with an example: if an administrator has set a TTL of 6 hours for the host www.wikipedia.org, and then changes the IP address to which www.wikipedia.org resolves at 12:01pm, the administrator must consider that a person who cached a response with the old IP address at 12:00pm will not consult the DNS server again until 6:00pm. The period between 12:01pm and 6:00pm in this example is called caching time, which is best defined as a period of time that begins when you make a change to a DNS record and ends after the maximum amount of time specified by the TTL expires. This essentially leads to an important logistical consideration when making changes to DNS: not everyone is necessarily seeing the same thing you're seeing. RFC 1537 helps to convey basic rules for how to set the TTL.

Note that the term "propagation", although very widely used in this context, does not describe the effects of caching well. Specifically, it implies (1) that when you make a DNS change, it somehow spreads to all other DNS servers (instead, other DNS servers check in with yours as needed), and (2) that you do not have control over the amount of time the record is cached (you control the TTL values for all DNS records in your domain, except your NS records and any authoritative DNS servers that use your domain name).

Some resolvers may override TTL values, clamping them to a maximum or minimum of their own choosing, since the protocol itself allows anything from no caching at all up to 2^31 seconds, about 68 years. Negative caching (caching the non-existence of records) is governed by RFC 2308: a name server authoritative for a zone MUST include the Start of Authority (SOA) record in the authority section when reporting that a name does not exist or that no data of the requested type exists, and the resolver caches that negative answer for the smaller of the SOA's MINIMUM field and the TTL of the SOA record itself.

Many people incorrectly refer to a mysterious 48 hour or 72 hour propagation time when you make a DNS change. When one changes the NS records for one's domain or the IP addresses for hostnames of authoritative DNS servers using one's domain (if any), there can be a lengthy period of time before all DNS servers use the new information. This is because those records are handled by the zone parent DNS servers (for example, the .com DNS servers if your domain is example.com), which typically publish them with a TTL of 48 hours, so resolvers that already hold the old delegation keep using it until that TTL expires. However, those DNS changes will be immediately available for any DNS servers that do not have them cached. And any DNS changes on your domain other than the NS records and authoritative DNS server names can be nearly instantaneous, if you choose for them to be (by lowering the TTL once or twice ahead of time, and waiting until the old TTL expires before making the change).
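The TTL, negative-caching and planned-change rules above, as an added Python example that is not part of the original article: a minimal resolver cache with a TTL countdown, a resolver-imposed TTL cap (the one-week cap is an assumption), RFC 2308 negative caching derived from the SOA, and the 12:00pm/6:00pm scenario replayed on a constructed clock counting seconds since midnight. The record data and addresses are constructed.

```python
# Added example (not from the original article). A tiny resolver cache:
# TTL countdown, a resolver-chosen TTL cap, RFC 2308 negative caching and
# the 12:00pm/6:00pm change scenario. All records and times are constructed.
from collections import namedtuple

RR = namedtuple("RR", "name rtype ttl rdata")   # rdata: an address string, or a dict for SOA

MAX_TTL_SECONDS = 2 ** 31 - 1                    # largest TTL the protocol allows (~68 years)

def hhmm(h, m=0):
    """Seconds since midnight, so the scenario reads like the article's clock times."""
    return h * 3600 + m * 60

class ResolverCache:
    def __init__(self, ttl_cap=7 * 86400):
        # Many resolvers clamp TTLs; one week is an assumption for this example.
        self.ttl_cap = min(ttl_cap, MAX_TTL_SECONDS)
        self.entries = {}   # (name, rtype) -> (expiry, rdata); rdata None = negative entry

    def store(self, now, rr):
        self.entries[(rr.name, rr.rtype)] = (now + min(rr.ttl, self.ttl_cap), rr.rdata)

    def store_negative(self, now, name, rtype, soa):
        # RFC 2308: negative TTL = min(SOA MINIMUM field, TTL of the SOA record itself).
        neg_ttl = min(soa.rdata["minimum"], soa.ttl)
        self.entries[(name, rtype)] = (now + min(neg_ttl, self.ttl_cap), None)

    def lookup(self, now, name, rtype):
        """(remaining_ttl, rdata) on a hit, None on a miss; rdata None means cached NXDOMAIN/NODATA."""
        key = (name, rtype)
        hit = self.entries.get(key)
        if hit is None:
            return None
        expiry, rdata = hit
        if expiry <= now:
            del self.entries[key]          # expired: the next query goes back to the authority
            return None
        return expiry - now, rdata

def stale_until(change_time, old_ttl):
    """Worst case: a resolver that cached the old record just before the change keeps
    serving it for the full old TTL; after this moment nobody can still hold it."""
    return change_time + old_ttl

def change_schedule(lower_at, old_ttl, new_ttl):
    """Low-impact change: lower the TTL first, wait out the OLD TTL so every cache holds a
    short-lived copy, then change the data; stale copies are gone new_ttl after that."""
    change_at = lower_at + old_ttl
    return {"lower_ttl": lower_at, "change_data": change_at, "all_caches_fresh": change_at + new_ttl}

def scenario():
    """The article's example: 6 h TTL, cached at 12:00pm, address changed at 12:01pm."""
    cache = ResolverCache()
    cache.store(hhmm(12, 0), RR("www.wikipedia.org.", "A", 6 * 3600, "192.0.2.10"))  # constructed address
    # The authority now serves a new address, but this cache is not consulted again until 6:00pm.
    at_1759 = cache.lookup(hhmm(17, 59), "www.wikipedia.org.", "A")
    at_1800 = cache.lookup(hhmm(18, 0), "www.wikipedia.org.", "A")
    return at_1759, at_1800
```

scenario() returns a hit with 60 seconds of TTL left at 5:59pm and a miss at 6:00pm; change_schedule shows why a same-day cutover needs the TTL lowered a full old-TTL ahead of the change.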

In the real world

DNS resolving from program to OS resolver to ISP resolver to the greater system.

Users generally do not communicate directly with a DNS resolver. Instead DNS resolution takes place transparently in client applications such as web browsers, mail clients, and other Internet applications. When an application makes a request which requires a DNS lookup, such programs send a resolution request to the local DNS resolver in the local operating system, which in turn handles the communications required.

The DNS resolver will almost invariably have a cache (see above) containing recent lookups. If the cache can provide the answer to the request, the resolver will return the value in the cache to the program that made the request. If the cache does not contain the answer, the resolver will send the request to one or more designated DNS servers. In the case of most home users, the Internet service provider to which the machine connects will usually supply this DNS server: such a user will either have configured that server's address manually or allowed DHCP to set it; however, where systems administrators have configured systems to use their own DNS servers, their DNS resolvers point to separately maintained nameservers of the organization. In any event, the name server thus queried will follow the process outlined above, until it either successfully finds a result or does not. It then returns its results to the DNS resolver; assuming it has found a result, the resolver duly caches that result for future use, and hands the result back to the software which initiated the request.

Broken resolvers

An additional level of complexity emerges when resolvers violate the rules of the DNS protocol. A number of large ISPs have configured their DNS servers to violate rules (presumably to allow them to run on less-expensive hardware than a fully-compliant resolver), such as by disobeying TTLs, or by indicating that a domain name does not exist just because one of its name servers does not respond.[citation needed]

As a final level of complexity, some applications (such as web browsers) also have their own DNS cache, in order to reduce the use of the DNS resolver library itself. This practice can add extra difficulty when debugging DNS issues, as it obscures the freshness of data, and/or what data comes from which cache. These caches typically use very short caching times, on the order of one minute. Internet Explorer offers a notable exception: recent versions cache DNS records for half an hour.[1]

Other applications

The system outlined above provides a somewhat simplified scenario. The Domain Name System includes several other functions. Hostnames and IP addresses do not necessarily match on a one-to-one basis. Many hostnames may correspond to a single IP address: combined with virtual hosting, this allows a single machine to serve many web sites. Alternatively a single hostname may correspond to many IP addresses: this can facilitate fault tolerance and load distribution, and also allows a site to move physical location seamlessly. There are many uses of DNS besides translating names to IP addresses. For instance, mail transfer agents use DNS to find out where to deliver e-mail for a particular address. The domain-to-mail-exchanger mapping provided by MX records accommodates another layer of fault tolerance and load distribution on top of the name-to-IP-address mapping. Sender Policy Framework and DomainKeys, instead of creating their own record types, were designed to take advantage of another DNS record type, the TXT record.

To provide resilience in the event of computer failure, multiple DNS servers are usually provided for coverage of each domain, and at the top level thirteen root servers (named a through m) exist, with additional "copies" of several of them distributed worldwide via anycast.

Protocol details

DNS primarily uses UDP on port 53 [2] to serve requests. Almost all DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server. TCP comes into play when the response data size exceeds 512 bytes (the server then sends a truncated reply with the TC bit set, and the client repeats the query over TCP port 53, where each message is prefixed by a two-byte length), or for such tasks as zone transfer (AXFR). Some operating systems such as HP-UX are known to have resolver implementations that use TCP for all queries, even when UDP would suffice.

Extensions to DNS

EDNS (EDNS0) is an extension of the DNS protocol which allows the transport over UDP of DNS replies exceeding 512 bytes, by letting the client advertise a larger acceptable UDP payload size in a pseudo-record (the OPT record) placed in the additional section of its query, and adds support for expanding the space of request and response codes. It is described in RFC 2671.
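An added example, not code from the original article: Python that builds a DNS query carrying an EDNS0 OPT record, reads the header flags the text refers to (RD and RA for recursion, TC for truncation), and decides whether a reply has to be repeated over TCP. The reply bytes used are constructed to look like a truncated answer; no real server was queried, and the 4096-octet advertised payload size is an assumption.

```python
# Added example (not from the original article): a DNS query with an EDNS0
# OPT record, header flag parsing (RD, RA, TC) and the TCP-retry decision.
# The "reply" messages below are constructed, not captured from a real server.
import struct

TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
PLAIN_UDP_LIMIT = 512        # RFC 1035 reply size limit without EDNS

def encode_name(name):
    """'example.com.' -> b'\\x07example\\x03com\\x00' (wire format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qid, qtype=TYPE_A, rd=True, edns_udp_size=4096):
    """Header + one question + (optionally) an OPT pseudo-RR in the additional section."""
    flags = FLAG_RD if rd else 0                     # ask the server for recursive service
    opt = b""
    if edns_udp_size:
        # OPT RR (RFC 2671): root owner name, TYPE 41, the CLASS field carries the UDP
        # payload size we accept, the TTL field holds extended RCODE/version/flags (zero),
        # and there is no RDATA.
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if opt else 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN) + opt

def parse_header(msg):
    """Decode the 12-byte header into its fields and flag bits."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def needs_tcp_retry(reply, expected_id):
    """True when the server flagged the UDP reply as truncated (TC): repeat it over TCP port 53.
    A message that is not a reply, or whose ID does not match, is rejected rather than trusted."""
    h = parse_header(reply)
    if not h["qr"] or h["id"] != expected_id:
        raise ValueError("not a reply to our query")
    return h["tc"]

def constructed_reply(qid, flags, question):
    """Reply header for demonstration only; the body is just the echoed question section."""
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + question
```

The bytes from build_query can be handed directly to a UDP socket's sendto() for port 53; when needs_tcp_retry reports truncation, the same query is sent over a TCP connection with a two-byte big-endian length prefix, and the reply arrives with the same prefix. Without the OPT record, any reply larger than PLAIN_UDP_LIMIT arrives truncated.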

Forward lookup zone: name to IP (A records). Reverse lookup zone: IP to name (PTR records under the in-addr.arpa domain).
