You may already know that Domain Name Services are the means through which IP addresses are converted to and from easy-to-remember names like wikipedia.org, ashtonmackenzie.com, or champlain.edu. Let’s explore how these services work and why they are more important than they seem.

This will be a series!

Check back at this page as I will be adding more articles over time.

How DNS affects development

DNS is very important for development because it lets us refer to resources outside of a program in a resilient way. IP addresses are not always static; sometimes they change. Additionally, if we make a call to a larger outside service, that service may have multiple public IP addresses that it lives behind. We don’t want to hard-code trying all of them; that’s what their equipment is for! Big services like that will have a load balancer, whose job is to quickly and effectively match incoming requests with available servers to serve them.

By using the domain name service, we get to leave the question of which server answers our request and where that server actually is up to that server owner’s systems administration team. This is great! Everyone likes this.

Who is in charge of DNS? The answer may surprise you!

There is no singular DNS authority or governing body. DNS is actually a huge collaboration spanning the entire world. There are standards that the community adheres to, and some bigger players that exert more influence, but ultimately DNS is based on adding trusted information to the network, and letting it propagate across multiple resolving servers so that other users like you can access it.

There is, however, a committee supervising the root DNS. While these servers are important, do not confuse the influence that the ICANN committee supervising the root DNS has with outsize influence over the entire Internet. As you will see, the root DNS is responsible for directing requests to top level domains, and it is entirely possible to use a DNS system to navigate to top level domains that are outside this influence. Corporate intranets do this all the time, as do regional mesh networks and other alternative Internets.

How DNS Works (usually)

Usually, your request starts at a phone or a computer. You want to access a resource, and chances are it’s not the first time. Your web browser will ask your operating system to make a DNS request on its behalf, and more often than not, your computer actually remembers the answer it got last time and uses that. Frequently, routers also have caching domain name services like this, and Internet Service Providers will also run caching domain name servers that perform the same function for all of their customers. This improves performance for that whole area: once one person has looked up a web page, everyone who comes next doesn’t have to wait as long for a response.

There are many types of answers you can get back. These depend on whether the server is in the legacy IPv4 address space (numbers in the format ###.###.###.###, for example 163.114.216.17, returned as an A record) or in the modern IPv6 address space (hexadecimal groups separated by colons, for example 2402:cf80:107::49, returned as an AAAA record). They also depend on the role the server plays, since certain server roles, like a mail exchange server, have their own DNS record types.

An Example of a DNS Request

dig is a command line tool that can be used to make DNS requests. Below, I make a request to see what address is referenced by mx.ashtonmackenzie.com, as if I were sending an email to an @ashtonmackenzie.com email. I got the answer, which in this case was 150.238.58.140, but I also got additional information that there are name servers that handle “Authority” over this domain. Note that several NS or name server records are listed as having authority over my domain. This is because of the way DNS is structured. Jump below for a “full DNS request” explanation and I’ll meet you there for the rest of the story.

21:20 ~ % dig mx.ashtonmackenzie.com

; <<>> DiG 9.10.6 <<>> mx.ashtonmackenzie.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64673
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mx.ashtonmackenzie.com.		IN	A

;; ANSWER SECTION:
mx.ashtonmackenzie.com.	300	IN	A	150.238.58.140

;; AUTHORITY SECTION:
ashtonmackenzie.com.	172621	IN	NS	ns4cfn.name.com.
ashtonmackenzie.com.	172621	IN	NS	ns2bls.name.com.
ashtonmackenzie.com.	172621	IN	NS	ns1dhl.name.com.
ashtonmackenzie.com.	172621	IN	NS	ns3jnr.name.com.

;; ADDITIONAL SECTION:
ns1dhl.name.com.	172621	IN	A	163.114.216.17
ns2bls.name.com.	172621	IN	A	163.114.216.49
ns3jnr.name.com.	34850	IN	A	163.114.217.17
ns4cfn.name.com.	122227	IN	A	163.114.217.49
ns1dhl.name.com.	172621	IN	AAAA	2a00:edc0:107::1
ns2bls.name.com.	172621	IN	AAAA	2402:cf80:107::1
ns3jnr.name.com.	34850	IN	AAAA	2a00:edc0:107::49
ns4cfn.name.com.	122227	IN	AAAA	2402:cf80:107::49

;; Query time: 24 msec
;; SERVER: 10.0.5.1#53(10.0.5.1)
;; WHEN: Sat Nov 12 20:59:01 EST 2022
;; MSG SIZE  rcvd: 332
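To script over output like the above, here is an added example (not part of the original post) that parses dig’s ANSWER, AUTHORITY and ADDITIONAL sections into records and then pairs each NS target with the A/AAAA “glue” addresses dig received for it. The embedded sample is a constructed, shortened copy of the dig run shown above, not a live capture.

```python
import re
from collections import defaultdict
# Constructed sample: the sections of the dig run shown above, shortened to
# two name servers so it fits here (not a live capture).
DIG_OUTPUT = """\
;; ANSWER SECTION:
mx.ashtonmackenzie.com.\t300\tIN\tA\t150.238.58.140

;; AUTHORITY SECTION:
ashtonmackenzie.com.\t172621\tIN\tNS\tns1dhl.name.com.
ashtonmackenzie.com.\t172621\tIN\tNS\tns2bls.name.com.

;; ADDITIONAL SECTION:
ns1dhl.name.com.\t172621\tIN\tA\t163.114.216.17
ns2bls.name.com.\t172621\tIN\tA\t163.114.216.49
ns1dhl.name.com.\t172621\tIN\tAAAA\t2a00:edc0:107::1
ns2bls.name.com.\t172621\tIN\tAAAA\t2402:cf80:107::1
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")
# owner, TTL, class, type, rdata: dig separates the fields with tabs
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def parse_dig(text):
    """Map each dig section to its records as (owner, ttl, rtype, rdata);
    comment lines (those starting with ';') and blank lines are skipped."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            continue
        if not line or line.startswith(";") or current is None:
            continue
        rr = RR_RE.match(line)
        if rr:
            owner, ttl, rtype, rdata = rr.groups()
            sections[current].append((owner, int(ttl), rtype, rdata.strip()))
    return dict(sections)

def glue_for_nameservers(sections):
    """Pair each NS target in AUTHORITY with its A/AAAA glue from ADDITIONAL."""
    targets = [rr[3] for rr in sections.get("AUTHORITY", []) if rr[2] == "NS"]
    glue = {t: [] for t in targets}
    for owner, _ttl, rtype, rdata in sections.get("ADDITIONAL", []):
        if owner in glue and rtype in ("A", "AAAA"):
            glue[owner].append(rdata)
    return glue
```

The glue addresses are what let a resolver contact ns1dhl.name.com next without first having to resolve that name itself.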

How a full DNS request to the root DNS works

You know how links tend to have a . in them? Those dots are really important for DNS, because they separate a domain into zones. Everyone cares only about their own zone. There’s a .org zone, a .edu zone, and many more. mx.ashtonmackenzie.com will be in the .com zone.

At the end of every link you copy or type into your web browser, there is an implied . that you never see. This is the root zone, and it means that if your device can’t find a DNS service that already knows the answer to its request, it falls back to asking the root DNS servers for help.

In this example, let’s pretend we’re following an email client on a computer as it attempts to send an email for my @ashtonmackenzie.com email address. In order to do that, it needs to know where the mail server is.

Let’s look at this the way a device is going to look at it. Using the example mx.ashtonmackenzie.com., we actually need to start by reversing this whole name, because DNS resolution is read from right to left, in order of authority. Since the root domain name servers issue references to all the ICANN-accepted top level domains, a reference to the root domain servers is implied at the end of every request.

Your device has, for whatever reason, recently flushed its DNS cache at the same improbable time as has your router and your ISP’s DNS service, so it’s time to go ask who is in charge of the .com top level domain.

We’ll follow along with dig. I’ll ask CloudFlare’s Quad 1 DNS for who is in charge of the .com top level domain, since their DNS has an easy-to-remember address of 1.1.1.1 (or quadruple one).

21:21 ~ % dig @1.1.1.1 -q com  

; <<>> DiG 9.10.6 <<>> @1.1.1.1 -q com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53707
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;com.				IN	A

;; AUTHORITY SECTION:
com.			84	IN	SOA	a.gtld-servers.net. nstld.verisign-grs.com. 1668305238 1800 900 604800 86400

;; Query time: 25 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Nov 12 21:21:14 EST 2022
;; MSG SIZE  rcvd: 105

If you’re in a corporate environment and you have occasional links that end in something like .local that only work inside your corporate network, this is why! Only your corporate DNS knows what is meant by .local, and other DNS servers are unable to fulfill this request with the expected answer.

In this case, the result tells us that a top level domain name service can help us out, and that it is the authoritative domain name server. This is indicated by the SOA (start of authority) record type, which means that this top level domain service dictates where the .com name servers are, and other DNS servers simply resolve and cache from them.

Next, we can ask the top level domain server who is in charge of the ashtonmackenzie.com domain.

21:30 ~ % dig @a.gtld-servers.net -q ashtonmackenzie.com

; <<>> DiG 9.10.6 <<>> @a.gtld-servers.net -q ashtonmackenzie.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57333
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ashtonmackenzie.com.		IN	A

;; AUTHORITY SECTION:
ashtonmackenzie.com.	172800	IN	NS	ns1dhl.name.com.
ashtonmackenzie.com.	172800	IN	NS	ns2bls.name.com.
ashtonmackenzie.com.	172800	IN	NS	ns3jnr.name.com.
ashtonmackenzie.com.	172800	IN	NS	ns4cfn.name.com.

;; ADDITIONAL SECTION:
ns1dhl.name.com.	172800	IN	A	163.114.216.17
ns1dhl.name.com.	172800	IN	AAAA	2a00:edc0:107::1
ns2bls.name.com.	172800	IN	A	163.114.216.49
ns2bls.name.com.	172800	IN	AAAA	2402:cf80:107::1
ns3jnr.name.com.	172800	IN	A	163.114.217.17
ns3jnr.name.com.	172800	IN	AAAA	2a00:edc0:107::49
ns4cfn.name.com.	172800	IN	A	163.114.217.49
ns4cfn.name.com.	172800	IN	AAAA	2402:cf80:107::49

;; Query time: 28 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Sat Nov 12 21:30:38 EST 2022
;; MSG SIZE  rcvd: 313

Heyy, we’ve seen some of these guys before! They’re the name.com servers that my domain name registrar operates. Great!

So we can finally figure out where to point our email… by asking the name.com nameserver.

21:31 ~ % dig @ns1dhl.name.com -q mx.ashtonmackenzie.com

; <<>> DiG 9.10.6 <<>> @ns1dhl.name.com -q mx.ashtonmackenzie.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55765
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mx.ashtonmackenzie.com.		IN	A

;; ANSWER SECTION:
mx.ashtonmackenzie.com.	300	IN	A	150.238.58.140

;; Query time: 14 msec
;; SERVER: 163.114.216.17#53(163.114.216.17)
;; WHEN: Sat Nov 12 21:31:59 EST 2022
;; MSG SIZE  rcvd: 67

Success! Now the email client will know to use 150.238.58.140 as the intermediate destination for my email to my @ashtonmackenzie.com address, at least until the next time it forgets. That 300 there means that it’ll forget in 300 seconds, and consider the information stale at that time. But in the meantime, the mail exchange server has picked up the email I wanted to send and is making DNS requests of its own, to get the email to my intended recipient. Very cool!
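The three dig steps above, root to .com to name.com, are one procedure; here is an added example (not part of the original post) that walks the same delegation chain right to left over a constructed in-memory model of those servers, caches each answer for its TTL, and re-asks only once the 300-second record has gone stale. It also keeps only records for the name actually asked about, a resolver-hygiene check this page does not describe but which relates to the “road signs” risk in the next section.

```python
# Constructed in-memory model of the delegation chain walked with dig above.
# Each "server" maps a queried name to the records it would return; a real
# resolver would send these queries over the network instead.
ZONES = {
    "root": {"com.": [("com.", 172800, "NS", "a.gtld-servers.net.")]},
    "a.gtld-servers.net.": {"ashtonmackenzie.com.": [
        ("ashtonmackenzie.com.", 172800, "NS", "ns1dhl.name.com.")]},
    "ns1dhl.name.com.": {"mx.ashtonmackenzie.com.": [
        ("mx.ashtonmackenzie.com.", 300, "A", "150.238.58.140")]},
}

class Resolver:
    def __init__(self, zones):
        self.zones = zones
        self.cache = {}    # name -> (expires_at, records)
        self.queries = []  # (server, name) pairs actually sent

    def _ask(self, server, name, now):
        self.queries.append((server, name))
        records = self.zones.get(server, {}).get(name, [])
        # Bailiwick check: keep only records for the name we asked about, so a
        # server cannot plant answers for names it is not authoritative for.
        records = [rr for rr in records if rr[0] == name]
        if records:
            self.cache[name] = (now + min(rr[1] for rr in records), records)
        return records

    def lookup(self, name, now):
        """Resolve name to its A records at simulated time `now` (seconds)."""
        name = name if name.endswith(".") else name + "."
        labels = name.rstrip(".").split(".")
        server = "root"
        # Read right to left: ask about "com." first, then the next label, ...
        for i in range(len(labels) - 1, -1, -1):
            zone = ".".join(labels[i:]) + "."
            cached = self.cache.get(zone)
            if cached and cached[0] > now:
                records = cached[1]          # still fresh: no query sent
            else:
                records = self._ask(server, zone, now)
            if zone == name:
                return [rr[3] for rr in records if rr[2] == "A"] or None
            referral = [rr[3] for rr in records if rr[2] == "NS"]
            if not referral:
                return None                   # nobody delegates this zone
            server = referral[0]
        return None
```

Calling lookup twice within 300 simulated seconds sends no second query; calling it again after that re-asks only ns1dhl.name.com, because the .com and ashtonmackenzie.com delegations are still within their 172800-second TTL.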

DNS is an extremely attractive target for malicious actors

A final note on DNS – domain names are your identity and trust zones. Domain name services are extremely attractive targets to compromise, because doing so allows a malicious actor to essentially change all the road signs and direct traffic to fake versions of websites. This can let that malicious actor steal confidential information like passwords and corporate secrets. So when working with API calls to domain name services to update a record, try to use secure DNS when possible. Don’t try to evade corporate DNS by changing the server your workstation queries while it’s on the corporate network unless someone at your organization has authorized that change.

Conclusion

DNS is a critical part of the Internet. A domain name is composed of zones separated by the . character. Information about DNS records is stored in many places and can be accessed in order of authority. Steps must be taken to protect DNS from malicious influence.

Thank you for reading. Please let me know if there are any clarifications I can make or further questions I can answer either down in the comments, on LinkedIn, or if you are also at Flatiron please feel free to hit me up on Slack.
