Professional Documents
Culture Documents
Evans J. How DNS Works 2024
Evans J. How DNS Works 2024
WAN
208.94.117.43
=XAA\Pl=
CA7.COA\
about +his zine
Hello! This zine is about DNS: the A^Domain Name System 4r
o
1 updated my site's IP address
and... nothing changed? V/hy????
search domains- 21
TCP DNS............... 22
A 2 AAAA........ 23 MX......................... 25
CNAME................. 2H “TXT......................26
cast ot characters H
Let's meet the cast and see how they communicate with each other!
<---------------------
93.1S4.216.34! 93.184.216.34! 93.184.216.34!
browser resolver authoritative
nameservers
Your browser uses Your operating The function sends The authoritative
DNS to look up IP system provides a requests to a nameservers are the
addresses every function to do DNS server called a servers where the DNS
time it visits a lookups. On Linux resolver which records are actually
domain, like and Mac it's knows how to find stored. They're wearing
example.com. getaddrinfo. the authoritative crowns because they're
nameservers. In Charge.
The browser has Your operating The resolver has
a DNS cache. system also might a DNS cache.
have a DNS cache.
resolvers vs
anytime your browser anytime you update a
One reason DNS is confusing
is that the DNS server you makes a DNS query, it's domain's DNS records,
query (a resolver ) is asking a resolver you're updating an
different from the DNS authoritative nameserver
server where the records set the IP for
are stored (a network of example.com to 1.2.3.4
authoritative nameservers
/got it! Next time 'X
I someone asks, that's LJ ■ • A
\jmhat I'll tell them, y L^J
©find the right authoritative ©that's it, there's no step 2. Types of authoritative nameservers:
nameserver and ask it It's the authority! root nameserver
TLD nameserver (like .com or .ca)
the DNS hierarchy
there are 3 main levels of authoritative DNS servers the root nameserver
delegates
the IP for example.com?)
browser
nope, I don't have it
hmm, I don't have an IP cached, I need to ask the
hmm, I'll look in resolver authoritative nameservers!
address for example.com browser
my cache... resolver I have the root nameserver
cached. I'll ask a reso ver! IPs hardcoded. z
f note: we're pretending the resolver has no .com domains cached. Normally it would use its cache to skip step *t.
a.root-servers.net 198.41.0.4
if they didn't exist, every resolver has the
b.root-servers.net 199.9.14.201
resolvers wouldn't Know root IPs hardcoded in its c.root-servers.net 192.33.4.12
source code d.root-servers.net 199.7.91.13
where to start e.root-servers.net 192.203.230.10
example: https://wzrd.page/bind f.root-servers.net 192.5.5.241
Here they are! •------------------------------ A g.root-servers.net 192.112.36.4
You can query one like this: h.root-servers.net 198.97.190.53
dig @198.41.0.4 example.com i.root-servers.net 192.36.148.17
j.root-servers.net 192.58.128.30
All the IPs will give you the exact k.root-servers.net 193.0.14.129
same results, there are just lots of 1.root-servers.net 199.7.83.42
them for redundancy. m.root-servers.net 202.12.27.33
your domain's aulhoriTat ive name servers
when you register a LOTS of services can be your how to find your
domain, your registrar authoritative nameserver
domain's nameservers
runs your authoritative
nameservers by default $ dig +short NS neopets.com
ITjl J I'm taking carel
ns-42.awsdns-05.com.
y^r of your DNSt^y
ns-1191.awsdns-20.org.
registrar
neopets.com is using AV/S's
You can change your nameservers
in your registrar's control panel. nameservers right now
the TTL for caching negative results comes from the SOA record
example.com. (3600) IN SOA ns.icann.org. noc.dns.icann.org. 2021120741 7200 3600 1209600^600^)
it's the smaller of these 2 numbers (in this case 3600 seconds) —
what you need to know about SOA records how to avoid this problem
Q they control the negative caching TTL
Just make sure not to visit your domain
(?) you can't change them (unless you run before creating its DNS record! That's it!
your own authoritative nameserver)
(5)how to find yours: dig SOA yourdomain.com (if you really want more details, see RFC 2308)
resolvers can lie
When a resolver gets a DNS reason to lie: reason to lie:
query, it has 2 options: block ads / malware to show you ads
fl could tell you what the\ what's the IP fori
what's the IP for zzz.jvns.ca? J
f authoritative nameservers/
* doubleclick.net? .
_____ doesn't exist
\ said... or I could LIE! J ad domain,
definitely here's an IP that
o exists will show you ads!
resolver
PiHole blocks ads this way. This is called "DNS hijacking".
Hide all output. Only show the record content. Traces how the domain
gets resolved, starting
Useless by itself, but at the root nameservers.
; $ dig +short example.com ;
dig +noall +authority Will This avoids all the caches,
■ 93.184.216.34 I
just show you the "Authority" which is useful to make sure
section of the response. you set your record correctly.
aetaddrirvfo
One weird thing about DNS reason 1: many (but not all!!) ... and not using getaddrinfo
is that different programs programs use the function might give a different result
on a single computer can getaddrinfo for DNS lookups...
get different results for use getaddrinfop -♦the program might not use
the same domain name.
ping Q don't!) ^'9 /etc/hosts (dig doesn't)
Let's talk about why!
program ^function3 resolver So if you see an error message like
-►the program might use
"getaddrinfo: nodename or servname a different DNS resolver
^^
*
problem" <server) not provided...", that's a DNS error. (some browsers do this)
reason 2: there are you can have multiple glibc and musl getaddrinfo
many different versions getaddrinfos on your are configured with
of getaddrinfo... computer at the same time /etc/resolv.conf
f IP of resolver to use
the one in glibc ; # Generated byj NetworkManager:
For example on a Mac, there's
-» the one in musl libc your system getaddrinfo, but ! nameserver 19Z.168.1.1 :
-»the one in Mac OS you might also be running a ! nameserver fd13:d987:748a::1 ■
container that's using must. On a Mac, /etc/resolv.conf exists,
And of course, they all behave but it's not used by the system
slightly differently :) getaddrinfo.
search domains 2.1
In an internal network (like many DNS lookup functions the base domain is
in a company or school), support "local" domain names
called a "search domain"
sometimes you can connect
to a machine by just typing On Linux, search domains are
its name, like this: configured in /etc/resolv.conf
Example:
$ ping labcomputer-23
; search degrassi.ca ■
Let's talk about how that (server)
this^tells getaddrinfo to turn
works! (the function appends a base
domain degrassi.ca to the end) lab23 into lab23.degrassi.ca
*
happy eyeballs using IPv6 isn't IP addresses
always easy have owners
If your domain has both an A
You can find any IP's owner
and an AAAA record, clients -►not all web hosts give you by looking up its ASN
will use an algorithm called an IPv6 address ("Autonomous System Number").
"happy eyeballs11 to decide
whether IPv4 or IPv6 will be -» lots of ISPs don't support (except local IPs like
faster. IPv6 (mine doesn't!) 192.168.X.X, 127.x.x.x,
10.x.x.x, 172.16.x.x)
* yes that is the real name
CNAME records (H 2H
there are 2 ways to set CNAME records redirect what actually happens
up DNS for a website every DNS record, not during a CNAME redirect
© set an A record with an IP just the IP
's the A record for www.cats.com?3
www.cats.com A 1.2.3.4
I like to use them whenever www.cats.com CNAME cats.github.io
possible so that if my web
@ set a CNAME record with a
host's IP changes, I don't okay, I'll look up
domain name the A record for
need to change anything! cats.github.io! authoritative
www.cats.com CNAME cats.github.io resolver
nameserver
rules for when you can use CNAME records some DNS providers have
workarounds to support
Q you can only set CNAME records on subdomains (like CNAME for root domains
www.example.com), not root domains (like example.com)
(5) if you have a CNAME record for a subdomain, that Look up "CNAME flattening"
subdomain can't have any other records or "ANAME" to learn more.
(technically you can ignore these rules, but it can cause problems, the
RFCs say you shouldn't, and many DNS providers enforce these rules)
MX records El 15
there are two important MX records tell you copy and paste
problems in email the mail server for your MX records
a domain
*you're probably using\
From: kermit@frog.com an email service like '
To: julia@example.com $ dig +short MX gmail.com
Fastmail/Gmail, so
5 gmail-smtp-in.1.google.com.
just copy the records
they're also used for TXT records can some other record types
email security contain many strings CAA: restrict who can issue
(SPF/DKIM/DMARC) certificates for your domain
Each string is at most 256
should we create a DNS characters, and clients will PTR: reverse DNS -- map IP
record type for SPF? . concatenate them together. addresses to domain names
(look these up with dig -x)
You'll see this in DKIM records,
because they're usually more SRV: holds both an IP
(not a historically accurate summary
the design process for SPF records)
than 256 characters. address and a port number
"thanks Tor reading
As with everything, 1 think, the best way to learn more about DNS is to
experiment and break things. So this zine comes with a playground!
* » I I t > I I f I t f / , x
1 https://messwithdns.net ~
' 1 >! ! till I I ' ' ' X
___________________ credits________
Cover art: Vladimir Kasikovic
Copy editing: Gersande La Fleche
Technical review: Ray Bejjani
Editing: Dolly Lanuza, kamal Marhubi
Pairing: Marie Claire LeBlanc Flanagan
Any remaining errors: mine <!>
* wizardzines.com ☆