(Almost) Complete tutorial about DNS

I tried to write down everything I read about DNS, how it works and the necessary commands to work with it. This is not a complete tutorial on DNS but I guess it's good enough for a start.

What is DNS

The Domain Name System (DNS) is the phonebook of the Internet. Humans access information online through domain names, like nytimes.com or espn.com. Web browsers interact through Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so browsers can load Internet resources.

Each device connected to the Internet has a unique IP address which other machines use to find the device. DNS servers eliminate the need for humans to memorize IP addresses such as 192.168.1.1 (in IPv4), or more complex newer alphanumeric IP addresses such as 2400:cb00:2048:1::c629:d7a2 (in IPv6).

How DNS works

So how does DNS actually work? First, the domain name needs to get translated into your host’s IP address. DNS matches human-friendly domain names like example.com to computer-friendly IP addresses like 192.0.2.8. This happens in a special text file called a zone file, which lists domains and their corresponding IP addresses (and a few other things). A zone file is like a phone book that matches names with street addresses.

Here’s how the DNS lookup process works:

Step 1 - You type a domain name like example.com into your browser’s address bar.

Step 2 - Your computer is connected to the internet through an internet service provider (ISP). Your ISP’s DNS resolver queries a root nameserver for the proper TLD nameserver. In other words, it asks the root nameserver, *Where can I find the nameserver for .com domains?*

So what is a root nameserver? The authoritative name servers that serve the DNS root zone, commonly known as the “root servers”, are a network of hundreds of servers in many countries around the world. They are configured in the DNS root zone as 13 named authorities, as follows.

Hostname            IPv4 address     IPv6 address           Manager
a.root-servers.net  198.41.0.4       2001:503:ba3e::2:30    VeriSign, Inc.
b.root-servers.net  199.9.14.201     2001:500:200::b        University of Southern California (ISI)
c.root-servers.net  192.33.4.12      2001:500:2::c          Cogent Communications
d.root-servers.net  199.7.91.13      2001:500:2d::d         University of Maryland
e.root-servers.net  192.203.230.10   2001:500:a8::e         NASA (Ames Research Center)
f.root-servers.net  192.5.5.241      2001:500:2f::f         Internet Systems Consortium, Inc.
g.root-servers.net  192.112.36.4     2001:500:12::d0d       US Department of Defense (NIC)
h.root-servers.net  198.97.190.53    2001:500:1::53         US Army (Research Lab)
i.root-servers.net  192.36.148.17    2001:7fe::53           Netnod
j.root-servers.net  192.58.128.30    2001:503:c27::2:30     VeriSign, Inc.
k.root-servers.net  193.0.14.129     2001:7fd::1            RIPE NCC
l.root-servers.net  199.7.83.42      2001:500:9f::42        ICANN
m.root-servers.net  202.12.27.33     2001:dc3::35           WIDE Project

Table 1 - list of root nameservers from IANA

Step 3 - The root nameserver responds with the IP address for the .com nameserver. The .com nameservers are also known as the gTLD nameservers (gtld-servers.net), and they are as follows:

Hostname            IPv4 address    IPv6 address
a.gtld-servers.net  192.5.6.30      2001:503:a83e:0:0:0:2:30
b.gtld-servers.net  192.33.14.30    2001:503:231d:0:0:0:2:30
c.gtld-servers.net  192.26.92.30    2001:503:83eb:0:0:0:0:30
d.gtld-servers.net  192.31.80.30    2001:500:856e:0:0:0:0:30
e.gtld-servers.net  192.12.94.30    2001:502:1ca1:0:0:0:0:30
f.gtld-servers.net  192.35.51.30    2001:503:d414:0:0:0:0:30
g.gtld-servers.net  192.42.93.30    2001:503:eea3:0:0:0:0:30
h.gtld-servers.net  192.54.112.30   2001:502:8cc:0:0:0:0:30
i.gtld-servers.net  192.43.172.30   2001:503:39c1:0:0:0:0:30
j.gtld-servers.net  192.48.79.30    2001:502:7094:0:0:0:0:30
k.gtld-servers.net  192.52.178.30   2001:503:d2d:0:0:0:0:30
l.gtld-servers.net  192.41.162.30   2001:500:d937:0:0:0:0:30
m.gtld-servers.net  192.55.83.30    2001:501:b1f9:0:0:0:0:30

Table 2 - list of gtld nameservers from IANA

Step 4 - The ISP’s DNS resolver uses the IP address it got from the root nameserver to ask the .com nameserver, *Where can I find the nameserver for example.com?*

Step 5 - The .com nameserver responds with the IP address for the example.com nameserver.

Step 6 - The ISP’s DNS resolver reads the zone file from your domain’s nameserver.

Step 7 - The zone file shows which IP address goes with the domain.

Step 8 - Now that the ISP has the IP address for example.com, it (in short) returns this to your browser which then accesses the site’s web server.

The image below shows the process of DNS resolution:

Figure 1 – DNS resolution process [1]

Authoritative vs. non-authoritative Nameserver

Basically, it's what the name says it is. An authoritative answer comes from a nameserver that is considered authoritative for the domain which it's returning a record for (one of the nameservers in the list for the domain you did a lookup on), and a non-authoritative answer comes from anywhere else (a nameserver not in the list for the domain you did a lookup on).

It's basically a distinction between a nameserver that's an official nameserver for the domain you're querying, and a nameserver that isn't. Nameservers that aren't authoritative are getting their answers second (or third or fourth...) hand - just relaying the information along from somewhere else.

So, for example, if I did an nslookup of maps.google.com right now, I would get a response from one of my configured nameservers (either from my ISP, or my domain). It would come back as non-authoritative because neither my ISP's nameservers nor my own are in the list of nameservers for google.com. They aren't Google's nameservers, so they're not the authoritative source that creates the NS records.

The list of authoritative nameservers for Google is below (from whois.internic.net).

Domain Name: GOOGLE.COM

Registrar: MARKMONITOR INC.

Whois Server: whois.markmonitor.com

Name Server: NS1.GOOGLE.COM

Name Server: NS2.GOOGLE.COM

Name Server: NS3.GOOGLE.COM

Name Server: NS4.GOOGLE.COM

Updated Date: 20-jul-2011

Creation Date: 15-sep-1997

Expiration Date: 14-sep-2020

What are A and AAAA records

An A record points your domain or subdomain to your host’s IP address, which allows web traffic to reach your host. This is the core function of DNS. A typical A record looks like either of the following:

example.com     A       12.34.56.78

hello.example.com       A       12.34.56.78

 

You can point different subdomains to different IP addresses. If you want to point every subdomain of example.com to your host’s IP, you can use an asterisk (*) as your subdomain:

*.example.com   A       12.34.56.78

An AAAA record is just like an A record, but for IPv6 IP addresses. A typical AAAA record looks like the following:

example.com     AAAA        0123:4567:89ab:cdef:0123:4567:89ab:cdef

 

What is a CNAME record

A CNAME record or Canonical Name record matches a domain or subdomain to a different domain. With a CNAME record, DNS lookups use the target domain’s DNS resolution as the alias’s resolution. Here’s an example:

alias.com       CNAME   example.com.

example.com     A       12.34.56.78

 

With this setup, when alias.com is requested, the initial DNS lookup will find the CNAME entry with the target of example.com. A new DNS lookup will be started for example.com, which will find the IP address 12.34.56.78. Finally, visitors to alias.com will be directed to 12.34.56.78.
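The lookup steps earlier (root, then .com, then the domain's own nameserver) and the CNAME chase just described can be put together in a small iterative resolver. The following is an added example, not code from the tutorial: it walks constructed in-memory zones, follows NS referrals using their glue addresses, restarts the walk when it meets a CNAME, and gives up on a CNAME loop. The server addresses (192.0.2.x), nameserver names and zone contents are constructed for illustration; only the example.com/alias.com record values are taken from the text above.

```python
"""Iterative DNS resolution walked over constructed in-memory zones.

Added example, not from the tutorial. Server addresses, nameserver names
and zone contents are constructed; 12.34.56.78 and the AAAA value are the
tutorial's sample records.
"""

ROOT_SERVER = "192.0.2.1"  # constructed stand-in for a root server

# Constructed authoritative data: server address -> (zone apex, records).
# Records map an owner name to a list of (type, rdata). A child zone is
# delegated by NS records in the parent, with glue A records for the
# nameserver so the walk can reach it.
SERVERS = {
    "192.0.2.1": (".", {
        "com.": [("NS", "a.gtld-servers.net.")],
        "a.gtld-servers.net.": [("A", "192.0.2.2")],
    }),
    "192.0.2.2": ("com.", {
        "example.com.": [("NS", "ns1.example.com.")],
        "ns1.example.com.": [("A", "192.0.2.3")],
        "alias.com.": [("NS", "ns1.alias.com.")],
        "ns1.alias.com.": [("A", "192.0.2.4")],
    }),
    "192.0.2.3": ("example.com.", {
        "example.com.": [("A", "12.34.56.78"),
                         ("AAAA", "0123:4567:89ab:cdef:0123:4567:89ab:cdef")],
        "hello.example.com.": [("A", "12.34.56.78")],
    }),
    "192.0.2.4": ("alias.com.", {
        "alias.com.": [("CNAME", "example.com.")],
        # a deliberately broken alias that points at itself
        "loop.alias.com.": [("CNAME", "loop.alias.com.")],
    }),
}


def query_server(server, qname, qtype):
    """Answer one query the way an authoritative server would.

    Returns ("answer", [rdata, ...]), ("cname", target),
    ("referral", (ns_name, glue_ip)) or ("negative", reason).
    """
    apex, records = SERVERS[server]
    rrs = records.get(qname, [])
    answers = [rdata for rtype, rdata in rrs if rtype == qtype]
    if answers:
        return "answer", answers
    cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
    if cnames:
        return "cname", cnames[0]
    # No answer here: look for a delegation at qname or at any parent name
    # below the zone apex, closest first (hello.example.com. -> example.com.).
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) or "."
        if candidate == apex:
            break
        ns_names = [r for t, r in records.get(candidate, []) if t == "NS"]
        if ns_names:
            glue = [r for t, r in records.get(ns_names[0], []) if t == "A"]
            return "referral", (ns_names[0], glue[0] if glue else None)
    reason = "NODATA" if qname in records else "NXDOMAIN"
    return "negative", reason


def resolve(qname, qtype, max_hops=16):
    """Iterate from the root, following referrals and CNAMEs.

    Returns (rdata_list, trace); trace holds (server, name, result kind)
    per hop. Raises LookupError on a CNAME loop or a broken delegation.
    """
    server, name, trace = ROOT_SERVER, qname, []
    for _ in range(max_hops):
        kind, data = query_server(server, name, qtype)
        trace.append((server, name, kind))
        if kind == "answer":
            return data, trace
        if kind == "negative":
            return [], trace
        if kind == "referral":
            ns_name, glue = data
            if glue is None:
                raise LookupError(f"no glue address for {ns_name}")
            server = glue
        else:  # cname: restart the walk from the root for the target name
            name, server = data, ROOT_SERVER
    raise LookupError(f"gave up after {max_hops} hops resolving {qname}")


if __name__ == "__main__":
    for q in [("alias.com.", "A"), ("example.com.", "AAAA"),
              ("nothere.example.com.", "A")]:
        answers, trace = resolve(*q)
        print(q, "->", answers)
        for hop in trace:
            print("   ", hop)
```

Resolving alias.com. takes six hops: three to reach the alias.com. server and find the CNAME, then three more from the root to reach example.com.'s server for the A record, which is exactly the "new DNS lookup" the text describes. The hop limit is what turns the self-referencing loop.alias.com. alias into an error instead of an endless walk.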

 

What is an SOA record

An SOA record or Start of Authority record labels a zone file with the name of the host where it was originally created. Next, it lists the contact email address for the person responsible for the domain. There are also various numbers, which we’ll get into in detail in a moment. First, here’s a typical SOA record:

@   IN SOA ns1.website.com. admin.example.com. 2013062147 14400 14400 1209600 86400

Note: The administrative email address is written with a period (.) instead of an @ symbol.

Here’s what the numbers mean:

The single nameserver mentioned in the SOA record is considered the primary master for the purposes of Dynamic DNS and is the server where zone file changes get made before they are propagated to all other nameservers.

When a query has no answer for the requested record, the SOA record is returned instead. Why? For example, when we query the AAAA record of a domain that has no AAAA record, the response contains the SOA record.

The reason this occurs is Negative Response Caching: if you do an AAAA query for www.example.com and that record doesn't exist, then the fact that it doesn't exist is added to the cache of the intermediate servers.

In order for those intermediate servers to know how long to cache that response, they need the SOA record, because that is where the TTL for negative answers is defined.
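The following is an added example, not code from the tutorial, that parses the SOA line shown above into its fields and computes how long a resolver may cache a negative answer. The seven field names follow RFC 1035, and the rule that the negative-caching time is the smaller of the SOA record's own TTL and its minimum field follows RFC 2308; the authority-section line with a 3600-second TTL is constructed for the example.

```python
"""Parse an SOA record and derive the negative-caching TTL.

Added example, not from the tutorial. SOA field names follow RFC 1035; the
negative-caching rule (min of the SOA's own TTL and its MINIMUM field) is
from RFC 2308. The sample lines are built from the tutorial's SOA record.
"""
from dataclasses import dataclass

# Zone-file form, as shown in the tutorial (no TTL column).
ZONE_LINE = ("@ IN SOA ns1.website.com. admin.example.com. "
             "2013062147 14400 14400 1209600 86400")

# Constructed authority-section line as a resolver would receive it in a
# negative response, i.e. with the SOA record's own TTL (3600) present.
AUTHORITY_LINE = ("example.com. 3600 IN SOA ns1.website.com. admin.example.com. "
                  "2013062147 14400 14400 1209600 86400")


@dataclass
class SOA:
    mname: str     # primary master nameserver for the zone
    rname: str     # responsible mailbox; the first '.' stands for '@'
    serial: int    # zone version; secondaries transfer when it increases
    refresh: int   # seconds between a secondary's checks of the serial
    retry: int     # seconds to wait after a failed refresh
    expire: int    # seconds a secondary may keep serving without a refresh
    minimum: int   # negative-caching TTL (RFC 2308 meaning of this field)

    @property
    def contact_email(self) -> str:
        # admin.example.com. -> admin@example.com (escaped dots not handled)
        local, _, domain = self.rname.rstrip(".").partition(".")
        return f"{local}@{domain}"


def parse_soa(line: str):
    """Parse 'owner [TTL] [class] SOA mname rname serial refresh retry expire minimum'.

    Returns (SOA, ttl); ttl is None when the line carries no TTL column.
    """
    tokens = line.split()
    upper = [t.upper() for t in tokens]
    if "SOA" not in upper:
        raise ValueError("not an SOA record: " + line)
    idx = upper.index("SOA")
    fields = tokens[idx + 1:]
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}")
    # An all-digit token before the type is the record's TTL, if present.
    ttl = next((int(t) for t in tokens[:idx] if t.isdigit()), None)
    mname, rname, *numbers = fields
    return SOA(mname, rname, *(int(n) for n in numbers)), ttl


def negative_cache_ttl(soa: SOA, soa_ttl: int) -> int:
    """How long a resolver may cache 'no such record' for this zone."""
    return min(soa_ttl, soa.minimum)


if __name__ == "__main__":
    soa, ttl = parse_soa(AUTHORITY_LINE)
    print(f"primary master: {soa.mname}, contact: {soa.contact_email}")
    print(f"serial {soa.serial}, refresh {soa.refresh}s, retry {soa.retry}s, "
          f"expire {soa.expire}s, minimum {soa.minimum}s")
    print(f"negative answers cached for {negative_cache_ttl(soa, ttl)}s")
```

With the constructed authority line the negative answer is cached for 3600 seconds, not 86400: the SOA record's own TTL is the smaller of the two values, which is why a short SOA TTL is the lever to pull when a missing record must be noticed quickly after it is added.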

 

How to use dig command in Linux to test all the above data

Well, let me explain a little about the dig command in Linux. dig is a small DNS lookup utility which can give you lots of useful information. The first time I used dig, it was a little difficult for me to understand since it has tons of options. You can start with digwebinterface [3], which is a web-based interface for the dig command. So let’s do some examples to understand the dig command better.

Let’s see what the authoritative nameservers of smaroofi.com domain are:

>> dig NS +nocomments +noquestion +nostat +noadditional +nocmd smaroofi.com

The result is:

smaroofi.com.                  877    IN      NS      ns2.mizbandp.com.

smaroofi.com.                  877    IN      NS      ns3.mizbandp.com.

smaroofi.com.                  877    IN      NS      ns1.mizbandp.com.

smaroofi.com.                  877    IN      NS      ns4.mizbandp.com.

 

The number in the result (i.e., 877) is the TTL (time to live) value, which says the answer is valid for the next 877 seconds, and as you can see, my domain has four authoritative nameservers.
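The answer lines above follow dig's fixed layout (owner, TTL, class, type, rdata). The following is an added example, not code from the tutorial, that parses such output into records, groups the rdata by type and reports the shortest TTL, which is the point after which the cached set as a whole can no longer be trusted. The four NS lines are the tutorial's own; the question/comment lines and the MX record are constructed to show the parser skipping dig's ';'-prefixed lines and handling rdata that contains spaces.

```python
"""Parse dig answer lines into records and find when the cached set expires.

Added example, not from the tutorial. The four NS lines come from the
tutorial's output; the question/comment lines and the MX record are
constructed for the example.
"""
import re
from collections import defaultdict
from typing import NamedTuple

DIG_OUTPUT = """\
;; QUESTION SECTION:
;smaroofi.com.                  IN      NS

;; ANSWER SECTION:
smaroofi.com.                  877    IN      NS      ns2.mizbandp.com.
smaroofi.com.                  877    IN      NS      ns3.mizbandp.com.
smaroofi.com.                  877    IN      NS      ns1.mizbandp.com.
smaroofi.com.                  877    IN      NS      ns4.mizbandp.com.
smaroofi.com.                  300    IN      MX      10 mail.smaroofi.com.
"""

# owner, TTL, class, type, then everything else is rdata (may contain spaces)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH|HS)\s+([A-Z0-9]+)\s+(.+?)\s*$")


class Record(NamedTuple):
    owner: str
    ttl: int
    rclass: str
    rtype: str
    rdata: str


def parse_dig_answers(text: str) -> list:
    """Return the resource records in dig output, ignoring comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue  # blank line, ';;' comment or ';' question line
        match = RR_LINE.match(line)
        if not match:
            raise ValueError("unrecognised dig line: " + line)
        owner, ttl, rclass, rtype, rdata = match.groups()
        records.append(Record(owner, int(ttl), rclass, rtype, rdata))
    return records


def records_by_type(records: list) -> dict:
    """Group rdata by record type, e.g. {'NS': [...], 'MX': [...]}."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec.rtype].append(rec.rdata)
    return dict(grouped)


def min_ttl(records: list) -> int:
    """The answer set is only fully valid until its shortest TTL runs out."""
    return min(rec.ttl for rec in records)


if __name__ == "__main__":
    recs = parse_dig_answers(DIG_OUTPUT)
    for rtype, values in sorted(records_by_type(recs).items()):
        print(rtype, "->", ", ".join(sorted(values)))
    print("re-query needed after", min_ttl(recs), "seconds")
```

The same parser works on the output of the batch (-f) and +trace invocations shown later in this section, since dig prints one record per line in every answer section; a line it does not recognise raises an error rather than being silently dropped, which is the behaviour you want when the output feeds a monitoring check.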

What if I want to use a different DNS service to perform the query, like Google Public DNS? This is the command:

>> dig NS +nocomments +noquestion +nostat +noadditional +nocmd smaroofi.com @8.8.8.8

As you can see, using @[DNS server] you can make dig send the query to the specified DNS server.

There are some other options like +[no]comments, +[no]stats, +[no]additional, +[no]cmd, etc. Each of these options adds a section of extra information to the output, and you can omit that section by putting ‘no’ in front of the option name. For example, the complete output of the A record of my domain is:

>> dig A +comments +question +stat +additional +cmd smaroofi.com @8.8.8.8

The result is explained in the figure below.

Figure 2 – dig command parts: the result of the A record for smaroofi.com

If you just want the answer without any extra information, you can use +short in the command.

 

>> dig A +short smaroofi.com @8.8.8.8

Result is:

37.187.134.89

 

Now let’s say you have a file domain_names.txt with 10 lines, each of which is a domain name, and you want the A records of all the domains (i.e., a query in batch mode):

>> dig A +short @8.8.8.8 -f domain_names.txt

And if you want to trace the resolution from the root servers all the way to the authoritative nameserver, you just need to add the +trace option.

>> dig A @8.8.8.8 +trace smaroofi.com

So as you see, the dig command is a very handy tool for DNS queries.

 

References:

  1. https://www.linode.com/docs/networking/dns/dns-records-an-introduction/
  2. https://serverfault.com/questions/765025/soa-record-in-aaaa-query-reply-when-ipv6-is-not-supported
  3. https://www.digwebinterface.com
  4. https://linux.die.net/man/1/dig
  5. https://www.cloudflare.com/learning/dns/what-is-dns/
  6. https://www.iana.org/domains/root/servers