(Almost) Complete tutorial about DNS
I tried to write down everything I read about DNS, how it works and the necessary commands to work with it. This is not a complete tutorial on DNS but I guess it's good enough for a start.
What is DNS
The Domain Name System (DNS) is the phonebook of the Internet. Humans access information online through domain names, like nytimes.com or espn.com. Web browsers interact through Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so browsers can load Internet resources.
Each device connected to the Internet has a unique IP address which other machines use to find the device. DNS servers eliminate the need for humans to memorize IP addresses such as 192.168.1.1 (in IPv4), or more complex newer alphanumeric IP addresses such as 2400:cb00:2048:1::c629:d7a2 (in IPv6).
How DNS works
So how does DNS actually work? First, the domain name needs to get translated into your host’s IP address. DNS matches human-friendly domain names like example.com to computer-friendly IP addresses like 192.0.2.8. This happens in a special text file called a zone file, which lists domains and their corresponding IP addresses (and a few other things). A zone file is like a phone book that matches names with street addresses.
Here’s how the DNS lookup process works:
Step 1 - You type a domain name like example.com into your browser’s address bar.
Step 2 - Your computer is connected to the internet through an internet service provider (ISP). Your ISP’s DNS resolver queries a root nameserver for the proper TLD nameserver. In other words, it asks the root nameserver, *Where can I find the nameserver for .com domains?*
So what is a root nameserver? The authoritative name servers that serve the DNS root zone, commonly known as the "root servers", are a network of hundreds of servers in many countries around the world. They are configured in the DNS root zone as 13 named authorities, as follows.
| Host name | IP address(es) | Operator |
|---|---|---|
| a.root-servers.net | 18.104.22.168, 2001:503:ba3e::2:30 | VeriSign, Inc. |
| b.root-servers.net | 22.214.171.124, 2001:500:200::b | University of Southern California (ISI) |
| c.root-servers.net | 126.96.36.199, 2001:500:2::c | Cogent Communications |
| d.root-servers.net | 188.8.131.52, 2001:500:2d::d | University of Maryland |
| e.root-servers.net | 184.108.40.206, 2001:500:a8::e | NASA (Ames Research Center) |
| f.root-servers.net | 220.127.116.11, 2001:500:2f::f | Internet Systems Consortium, Inc. |
| g.root-servers.net | 18.104.22.168, 2001:500:12::d0d | US Department of Defense (NIC) |
| h.root-servers.net | 22.214.171.124, 2001:500:1::53 | US Army (Research Lab) |
| j.root-servers.net | 126.96.36.199, 2001:503:c27::2:30 | VeriSign, Inc. |
| k.root-servers.net | 188.8.131.52, 2001:7fd::1 | RIPE NCC |
| m.root-servers.net | 184.108.40.206, 2001:dc3::35 | WIDE Project |
Table 1 - list of root nameservers from IANA
Step 3 - The root nameserver responds with the IP address for the .com nameserver. The .com nameservers are also known as the gTLD nameservers, which are as follows:
| Host name | IP address(es) |
|---|---|
Table 2 - list of gtld nameservers from IANA
Step 4 - The ISP's DNS resolver uses the IP address it got from the root nameserver to ask the .com nameserver, *Where can I find the nameserver for example.com?*
Step 5 - The .com nameserver responds with the IP address for the example.com nameserver.
Step 6 - The ISP's DNS resolver queries your domain's nameserver, which answers from its zone file.
Step 7 - The zone file shows which IP address goes with the domain.
Step 8 - Now that the ISP has the IP address for example.com, it (in short) returns this to your browser which then accesses the site’s web server.
The image below shows the process of DNS resolution:
Figure 1 – DNS resolution process 
Authoritative vs. non-authoritative Nameserver
Basically, it's what the name says it is. An authoritative answer comes from a nameserver that is considered authoritative for the domain which it's returning a record for (one of the nameservers in the list for the domain you did a lookup on), and a non-authoritative answer comes from anywhere else (a nameserver not in the list for the domain you did a lookup on).
It's basically a distinction between a nameserver that's an official nameserver for the domain you're querying, and a nameserver that isn't. Nameservers that aren't authoritative are getting their answers second (or third or fourth...) hand - just relaying the information along from somewhere else.
So, for example, if I did an nslookup of maps.google.com right now, I would get a response from one of my configured nameservers (either from my ISP, or my domain). It would come back as non-authoritative because neither my ISP's nameservers nor my own are in the list of nameservers for google.com. They aren't Google's nameservers, so they're not the authoritative source that creates the NS records.
The list of authoritative nameservers for Google is below (from whois.internic.net).
Domain Name: GOOGLE.COM
Registrar: MARKMONITOR INC.
Whois Server: whois.markmonitor.com
Name Server: NS1.GOOGLE.COM
Name Server: NS2.GOOGLE.COM
Name Server: NS3.GOOGLE.COM
Name Server: NS4.GOOGLE.COM
Updated Date: 20-jul-2011
Creation Date: 15-sep-1997
Expiration Date: 14-sep-2020
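As an added illustration of steps 2 to 8 and of the authoritative/non-authoritative distinction above (example code, not part of the original post): a toy model of a resolver walking from the root, through the .com nameserver, to the nameserver that owns the zone file. The server names, zone contents and addresses are constructed; a real resolver sends UDP/TCP queries instead of reading a dictionary.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed "servers": each holds NS delegations (referrals) or final A records.
# The root delegates com. to a gTLD server, which delegates example.com. to ns1.
ZONES = {
    "root": {"ns": {"com.": "a.gtld-servers.net."}, "a": {}},
    "a.gtld-servers.net.": {"ns": {"example.com.": "ns1.example.com."}, "a": {}},
    "ns1.example.com.": {"ns": {},
                         "a": {"example.com.": "192.0.2.8",
                               "www.example.com.": "192.0.2.8"}},
}

@dataclass
class Answer:
    ip: Optional[str]
    authoritative: bool            # analogue of the AA bit in a DNS reply
    path: list = field(default_factory=list)   # servers consulted, in order

def resolve(qname: str, cache: dict) -> Answer:
    """Iterative lookup root -> TLD -> authoritative, with a simple cache."""
    if qname in cache:             # a cached copy is second-hand: non-authoritative
        return Answer(cache[qname], False, ["cache"])
    server, path = "root", []
    while True:
        path.append(server)
        zone = ZONES[server]
        if qname in zone["a"]:     # reached the server that owns the zone file
            cache[qname] = zone["a"][qname]
            return Answer(zone["a"][qname], True, path)
        # Referral: pick the longest delegation that covers the query name.
        covering = [d for d in zone["ns"] if qname == d or qname.endswith("." + d)]
        if not covering:           # the zone owner says the name does not exist
            return Answer(None, True, path)
        server = zone["ns"][max(covering, key=len)]
```

Calling `resolve("www.example.com.", {})` visits root, a.gtld-servers.net. and ns1.example.com. in turn; asking the same name again with the same cache dict is answered from the cache and flagged non-authoritative.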
What are A and AAAA records
An A record points your domain or subdomain to your host’s IP address, which allows web traffic to reach your host. This is the core function of DNS. A typical A record looks like either of the following:
example.com A 220.127.116.11
hello.example.com A 18.104.22.168
You can point different subdomains to different IP addresses. If you want to point every subdomain of example.com to your host’s IP, you can use an asterisk (*) as your subdomain:
*.example.com A 22.214.171.124
An AAAA record is just like an A record, but for IPv6 addresses. A typical AAAA record looks like the following:
example.com AAAA 0123:4567:89ab:cdef:0123:4567:89ab:cdef
What is CNAME record
A CNAME record or Canonical Name record matches a domain or subdomain to a different domain. With a CNAME record, DNS lookups use the target domain’s DNS resolution as the alias’s resolution. Here’s an example:
alias.com CNAME example.com.
example.com A 126.96.36.199
With this setup, when alias.com is requested, the initial DNS lookup will find the CNAME entry with the target of example.com. A new DNS lookup will be started for example.com, which will find the IP address in the A record shown above. Finally, visitors to alias.com will be directed to that address.
What is SOA record
An SOA record or Start of Authority record labels a zone file with the name of the host where it was originally created. Next, it lists the contact email address for the person responsible for the domain. There are also various numbers, which we’ll get into in detail in a moment. First, here’s a typical SOA record:
@ IN SOA ns1.website.com. admin.example.com. 2013062147 14400 14400 1209600 86400
Note: The administrative email address is written with a period (.) instead of an @ symbol.
Here’s what the numbers mean:
- Serial number: The revision number for this domain’s zone file. It changes when the file gets updated.
- Refresh time: The amount of time (in seconds) a secondary DNS server will keep the zone file before it checks for changes.
- Retry time: The amount of time a secondary DNS server will wait before retrying a failed zone file transfer.
- Expire time: The amount of time a secondary DNS server will wait before expiring its current zone file copy if it cannot update itself.
- Minimum TTL: The minimum amount of time other servers should keep data cached from this zone file. Today this field is used as the TTL for negative answers (see below).
The single nameserver mentioned in the SOA record is considered the primary master for the purposes of Dynamic DNS and is the server where zone file changes get made before they are propagated to all other nameservers.
When there is no answer for a record type, the SOA record is returned instead. Why? For example, when we query the AAAA records of a domain which has no AAAA record, the returned answer contains the SOA.
The reason is negative response caching: if you do a AAAA query for www.example.com and that record doesn't exist, then the fact that it doesn't exist is added to the cache of the intermediate servers.
In order for those intermediate servers to know how long to cache that negative response, they need the SOA record, because that is where the negative-caching TTL (the minimum field) is defined.
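The CNAME section and the negative-caching explanation above, as one added Python example (not code from the original post): a small parser for the record layout shown, a lookup that follows CNAME chains like a resolver, and the SOA-derived TTL used to cache a "no such record" answer. The zone contents are constructed, and `parse_zone`, `lookup` and `negative_ttl` are names chosen here.

```python
# Constructed zone; the SOA mirrors the layout of the SOA record shown above.
ZONE_TEXT = """
@            IN SOA   ns1.website.com. admin.example.com. 2013062147 14400 14400 1209600 86400
example.com. 3600 IN A     192.0.2.8
alias.com.   3600 IN CNAME example.com.
loop1.com.   3600 IN CNAME loop2.com.
loop2.com.   3600 IN CNAME loop1.com.
"""

def parse_zone(text, origin="example.com."):
    """Return (name, ttl, type, rdata) tuples; '@' stands for the zone origin."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split()
        name = origin if fields[0] == "@" else fields[0]
        # The TTL column is optional; if the second field is the class "IN", it was omitted.
        ttl = None if fields[1] == "IN" else int(fields[1])
        rest = fields[2:] if ttl is None else fields[3:]
        records.append((name, ttl, rest[0], rest[1:]))
    return records

def negative_ttl(records):
    """RFC 2308: cache a NODATA/NXDOMAIN answer for min(SOA TTL, SOA minimum field)."""
    for name, ttl, rtype, rdata in records:
        if rtype == "SOA":
            minimum = int(rdata[6])        # last of the five SOA numbers
            return minimum if ttl is None else min(ttl, minimum)
    raise ValueError("zone has no SOA record")

def lookup(records, qname, qtype, max_cname=8):
    """Follow CNAMEs; return (rdata, ttl), or (None, negative TTL) when no record exists."""
    for _ in range(max_cname):
        by_type = {r[2]: r for r in records if r[0] == qname}   # one record per type here
        if qtype in by_type:
            return by_type[qtype][3][0], by_type[qtype][1]
        if "CNAME" in by_type:             # restart the lookup at the canonical name
            qname = by_type["CNAME"][3][0]
            continue
        # No record of that type at this name: a NODATA answer, cached per the SOA.
        return None, negative_ttl(records)
    raise RuntimeError("CNAME chain too long (loop?)")
```

`lookup(recs, "alias.com.", "A")` follows the CNAME to example.com and returns its address, while an AAAA query for example.com returns no data together with the 86400-second negative TTL taken from the SOA.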
How to use dig command in Linux to test all the above data
Well, let me explain a little about the dig command in Linux. dig is a small DNS lookup utility which can give you lots of useful information. The first time I used dig, it was a little difficult for me to understand it since it has tons of options. You can start with digwebinterface, which is a web-based interface for the dig command. So let's do some examples to understand the dig command better.
Let’s see what the authoritative nameservers of smaroofi.com domain are:
>> dig NS +nocomments +noquestion +nostat +noadditional +nocmd smaroofi.com
The result is:
smaroofi.com. 877 IN NS ns2.mizbandp.com.
smaroofi.com. 877 IN NS ns3.mizbandp.com.
smaroofi.com. 877 IN NS ns1.mizbandp.com.
smaroofi.com. 877 IN NS ns4.mizbandp.com.
The number in the result (i.e., 877) is the TTL (time to live) value, which says the answer may be cached for the next 877 seconds, and as you can see, my domain has four authoritative nameservers.
What if I want to use a different DNS service to perform the query, like Google's public DNS service? This is the command:
>> dig NS +nocomments +noquestion +nostat +noadditional +nocmd smaroofi.com @220.127.116.11
As you can see, using @[DNS server] you can make dig send the query to the specified DNS server instead of your default resolver.
There are some other options like +[no]comments, +[no]stats, +[no]additional, +[no]cmd, etc. Each of these options prints extra information, and you can omit that information by adding the word 'no' in front of the option. For example, a complete output of the A record of my domain is:
>> dig A +comments +question +stat +additional +cmd smaroofi.com @18.104.22.168
The result is explained in the figure below.
Figure 2 – the result of the A record for smaroofi.com
If you just want the answer without any extra information, you can use +short in the command.
>> dig A +short smaroofi.com @22.214.171.124
Now let's say you have a file domain_names.txt with 10 lines, each of which is a domain name, and you want the A records of all the domains (i.e., a query in batch mode):
>> dig A +short @126.96.36.199 -f domain_names.txt
And if you want to trace the resolution from the root servers all the way to the authoritative nameserver, you just need to add the +trace option.
>> dig A @188.8.131.52 +trace smaroofi.com
So as you see, the dig command is a very handy tool for DNS queries.