Lesson 16: DNS¶
Homepage | Content | Slides | Video |
Warning
This lesson is under construction. Use it for learning purposes at your own peril.
If you have any feedback, please fill out our General Feedback Survey.
Overview
Problems DNS Solves¶
The Domain Name System (DNS) translates human-readable URLs (devopsbootcamp.osuosl.org) into computer IP addresses (140.211.15.183).
It works by storing records in a distributed tree-like hierarchy. It was designed like this because it scales well.
Obligatory History Lesson¶
To really explain DNS you need to understand the history of the entire internet. Unfortunately we don’t have time for that but we can do a quick overview.
The pre-cursor to the Internet was ARPANET. To use ARPANET people had to remember addresses for each machine they wanted to connect to (1 was MIT, 2 was Yale, 3 was Harvard, 4 was AT&T for example), similar to modern IP addresses or Phone Numbers.
Since numbers are hard to remember, people shared a file called HOSTS.TXT which was a mapping between computer addresses and common aliases.
HOSTS.TXT circa 1977:
MIT 1
Yale 2
Harvard 3
ATT 4
...
This worked but did not scale well with the ‘net, as you can imagine (think: Sharing a word document with 500 friends, all making changes).
HOSTS.TXT a few years later:
...
joeBillson 14895
susan-gill 15832
...
Back between 1983 - 1987 a lot of really smart people in a lot of smart Universities and Organizations developed DNS to solve this problem. There have since been many implementations of the DNS protocol, and additions to it’s functionality, but the core design is about the same.
How DNS Works¶
To explain how DNS works, let’s work through a simple example of how a computer finds the address of a computer based on it’s name.
- Computer A wants to fetch data from devopsbootcamp.osuosl.org. (notice the . at the end of the address).
- Computer A checks the local cache.
- If the address isn’t in the cache, A contacts the DNS root server. (We’re actually skipping a few layers of cache. Read up for more info on that.)
- One of the root nodes tells A to check the org node.
- The org node is contacted and tells A to check the osuosl node.
- The osuosl node tells it to check the devopsbootcamp node.
This tries to demonstrate the fact that DNS starts by checking it’s cache, then starts at the top of the DNS tree and works it’s way down. Each server has authority over a certain domain and directs traffic to the next step down.
A DNS Request¶
To further elaborate, because DNS really does need a lot of examples to make sense, here is a DNS request from a different angle.
- A computer makes a request for http://osuosl.org..
- This request gets sent to the root (.) of the DNS tree.
- The root sends it off to the org (top level domain) branch.
- The org node sends it off to the osuosl (domain) branch.
- The osuosl node sends it to the devopsbootcamp (subdomain) branch.
DNS Records¶
There are a few core types of DNS records, each serving their own purpose.
Acronym | Name |
A, AAAA | IP Addresses |
MX | SMTP Mail Exchangers |
NS | Name Servers |
SOA | DNS Zone Authority |
PTR | Pointers for Reverse DNS Lookups |
CNAME | Domain Name Aliases |
A Records¶
The A record is used to map an IP address to a domain name. This is as close to a ‘regular’ record as you can get.
AAAA records are the same as A records, except that they map to IPv6 (xx:xx:xx:xx:xx:xx) addresses instead of IPv4 (xxx.xxx.xxx.xxx) addresses.
One can have more than one A record per domain
osuosl.org. 300 IN A 140.211.15.183
In the following example, osuosl.org. is the query, and 140.211.15.183 is the ‘answer’. 300 is the TTL (expiration time), and IN A is the type
MX Records¶
The MX record is for tracking mail servers.
When you send an email to someuser@example.org the mail program does a lookup for the MX record of example.org. Multiple MX records can have separate priority (in this example they are all the same).
osuosl.org. 3600 IN MX 5 smtp3.osuosl.org.
osuosl.org. 3600 IN MX 5 smtp4.osuosl.org.
osuosl.org. 3600 IN MX 5 smtp1.osuosl.org.
osuosl.org. 3600 IN MX 5 smtp2.osuosl.org.
NS Records¶
Servers with a NS record are allowed to speak with authority on a domain and DNS requests.
NS records are the type of record identifying nodes in the DNS hierarchy instead of just the websites DNS maps.
NS records point to other domains (which have A records).
osuosl.org. 86258 IN NS ns1.auth.osuosl.org.
osuosl.org. 86258 IN NS ns2.auth.osuosl.org.
osuosl.org. 86258 IN NS ns3.auth.osuosl.org.
SOA (Authority) Records¶
SOA is the record for proving authority over a site or zone.
For example, the head of the org hierarchy has a SOA record proving its authority over org websites.
- A DNS server is authoritative if it has a Start of Authority (SOA) record for a domain
- The root-servers contain SOA records for the TLDs and gTLDs
- The NS servers for each (g)TLD contain SOA records for each registered domain
- ... and so on...
osuosl.org. 86400 IN SOA ns1.auth.osuosl.org. ...
CNAME Records¶
CNAME is an record for aliasing old names to redirect to new names.
bar.example.com. 86400 IN CNAME foo.example.com
NXDOMAIN Records¶
Tells you there is no answer to a query:
Host something.invalid.osuosl.org not found: 3(NXDOMAIN)
Some ISPs and others never serve NXDOMAINS, instead they point you at themselves.
The Root¶
Because DNS is setup in a Hierarchy there has to be a top. We call the top the root of the DNS tree.
$ dig ns .
;; ANSWER SECTION:
. 512297 IN NS i.root-servers.net.
. 512297 IN NS e.root-servers.net.
. 512297 IN NS d.root-servers.net.
. 512297 IN NS j.root-servers.net.
. 512297 IN NS b.root-servers.net.
. 512297 IN NS a.root-servers.net.
. 512297 IN NS f.root-servers.net.
. 512297 IN NS h.root-servers.net.
. 512297 IN NS g.root-servers.net.
. 512297 IN NS c.root-servers.net.
. 512297 IN NS m.root-servers.net.
. 512297 IN NS k.root-servers.net.
. 512297 IN NS l.root-servers.net.
The Thirteen¶
Because it is very time consuming to make a DNS request across the world there are actually 13 DNS root servers spread out across the world.
Each runs on as few as 1 (USC) servers, or as many as 155 (ICANN)
- Information Sciences Institute - USC
- Cogent Communications
- University of Maryland
- NASA
- Internet Systems Consortium
- USA DOD
- USA Army
- Netnod (Autonomica) - Sweden
- RIPE NCC
- ICANN
- WIDE - Japan
Tool: dig¶
dig is a command-line tool for performing DNS lookups.
Syntax:
dig @server name type
Examples:
dig @ns1.osuosl.org osuosl.org A
This queries the nameserver ns1.osuosl.org for DNS records relating to osuosl.org of type A (IPv4 Address)
Example: Recursive Request¶
In this example we follow the path that your browser uses to find the location of a sever given the domain name.
Quick note this example completely ignores caching, which is a very big part of DNS lookups. This is a pure view of a DNS lookup, sans-cache.
First we query a NS record for .:
$ dig ns .
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 518400 IN NS i.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS b.root-servers.net.
etc...
Next we query NS for org.:
$ dig ns com. @a.root-servers.net
;; QUESTION SECTION:
;org. IN NS
;; AUTHORITY SECTION:
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
etc...
;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800 IN A 199.19.56.1
etc...
Next we query NS for osuosl.org.:
$ dig ns osuosl.org. @199.19.56.1
;; QUESTION SECTION:
;osuosl.org. IN NS
;; AUTHORITY SECTION:
osuosl.org. 86400 IN NS ns3.auth.osuosl.org.
osuosl.org. 86400 IN NS ns2.auth.osuosl.org.
osuosl.org. 86400 IN NS ns1.auth.osuosl.org.
;; ADDITIONAL SECTION:
ns1.auth.osuosl.org. 86400 IN A 140.211.166.140
ns2.auth.osuosl.org. 86400 IN A 140.211.166.141
ns3.auth.osuosl.org. 86400 IN A 216.165.191.53
Next we query A for osuosl.org.:
$ dig a osuosl.org. @140.211.166.140
;; QUESTION SECTION:
;osuosl.org. IN A
;; ANSWER SECTION:
osuosl.org. 300 IN A 140.211.15.183
;; AUTHORITY SECTION:
osuosl.org. 86400 IN NS ns1.auth.osuosl.org.
osuosl.org. 86400 IN NS ns2.auth.osuosl.org.
osuosl.org. 86400 IN NS ns3.auth.osuosl.org.
;; ADDITIONAL SECTION:
ns1.auth.osuosl.org. 86400 IN A 140.211.166.140
ns2.auth.osuosl.org. 86400 IN A 140.211.166.141
ns3.auth.osuosl.org. 3600 IN A 216.165.191.53
And there you have it! We have successfully traversed the DNS tree to find osuosl.org. Of course there is a lot of cache involved so the process is much faster than this, but it’s good to practice anyway.
TODO: Traverse the DNS Tree with dig¶
Can you traverse the DNS tree to get to these websites? Give it a try!
- github.com
- web.archive.org
- en.wikipedia.org
Further Reading¶
- Try running dig on some of your favorite websites and see what you find.
- Read the manpage on dig and see what else you can find in the output.
- Try registering your own domain name and run a website using the Github Student Pack resources like Digital Ocean and DNSimple.