DNS Notes for SRE & DevOps

The Domain Name System (DNS) is a fundamental component of the internet, responsible for translating human-readable domain names into machine-readable IP addresses. Understanding DNS is crucial for anyone involved in networking, web development, or IT administration. This guide will take you through DNS concepts from simple to complex, ensuring a clear and comprehensive understanding of how DNS works.

What is DNS?

• DNS (Domain Name System): A hierarchical and decentralized naming system that translates human-friendly domain names (e.g., www.example.com) into numerical IP addresses (e.g., 192.0.2.1) that computers use to identify each other on networks.

Purpose of DNS

• User Convenience: Humans find it easier to remember domain names than numerical IP addresses.

• Scalability: Allows the internet to scale by efficiently managing the mapping between billions of domain names and IP addresses.

• Flexibility: Enables easy changes to IP addresses without disrupting user access to services.

DNS as a Distributed Client-Server Database

Distributed Nature

• Decentralization: DNS information is spread across numerous servers worldwide rather than being stored in a single location.

• Hierarchical Structure: DNS uses a tree-like structure to organize domain names, allowing efficient and organized lookups.

Client-Server Model

• Clients (Resolvers): Devices or software applications that initiate DNS queries to translate domain names into IP addresses.

• Servers (Nameservers): Specialized servers that store DNS records and respond to queries from resolvers.

Types of DNS Servers

Root Servers

• Role in DNS Hierarchy:

  • Root servers are the starting point for DNS queries that cannot be resolved by local or intermediate DNS servers. They are the top-level servers in the DNS hierarchy.

• Functionality:

  • When a DNS resolver doesn't know the IP address of a domain, it queries a root server. The root server doesn't have the actual IP addresses for domain names but knows where to find the top-level domain (TLD) servers.

  • The root server responds by directing the resolver to the appropriate TLD server (e.g., .com, .org).

• Global Distribution:

  • There are 13 root server addresses, named from a.root-servers.net to m.root-servers.net, but these addresses correspond to hundreds of physical servers distributed globally to provide redundancy and reliability.

• Security and Management:

  • Root servers are managed by various organizations under the oversight of ICANN (Internet Corporation for Assigned Names and Numbers). Due to their critical role, root servers implement robust security measures, including DNSSEC, to ensure the integrity of DNS data.

TLD Servers

• Role in DNS Hierarchy:

  • TLD servers are responsible for handling requests for top-level domains (TLDs), such as .com, .org, .net, and country-specific TLDs like .uk and .jp.

• Functionality:

  • After receiving a query from a root server, the DNS resolver contacts the TLD server for the specific domain extension. For example, if you're querying example.com, the resolver is directed to the .com TLD server.

  • The TLD server holds information about the authoritative DNS servers that manage the specific domain (e.g., example.com) and directs the resolver to these authoritative servers.

• Management:

  • TLD servers are managed by various organizations. For example, Verisign manages the .com and .net TLDs, while each country manages its own country-code TLDs (ccTLDs), such as Nominet for .uk.

Authoritative Servers

• Role in DNS Hierarchy:

  • Authoritative servers hold the DNS records for specific domains and are the final stop in the DNS resolution process.

• Functionality:

  • When a DNS query reaches an authoritative server, this server provides the actual IP address or other DNS records (e.g., MX, CNAME) for the domain name in question.

  • These servers have the authoritative information because they store the zone files for their domain. The information they provide is considered definitive.

• Types of Authoritative Servers:

  • Primary (Master) Server: Holds the original copy of the zone file and is responsible for distributing updates to secondary (slave) servers.

  • Secondary (Slave) Server: Receives zone file data from the primary server and can provide DNS responses but cannot modify the zone data itself.

• Redundancy and Reliability:

  • Typically, a domain has multiple authoritative servers to ensure that DNS queries can be resolved even if one server is down.

Caching Servers

• Role in DNS Hierarchy:

  • Caching servers store DNS query results temporarily to reduce the load on authoritative servers and speed up the resolution process for repeated queries.

• Functionality:

  • When a DNS resolver queries a domain name, the caching server stores the response in its cache for a specified time (determined by the TTL, or Time-To-Live, value).

  • For subsequent requests for the same domain, the caching server can respond directly from its cache, reducing latency and avoiding the need to traverse the entire DNS hierarchy again.

  • TTL (Time-To-Live): Each DNS record has a TTL value that specifies how long it should be cached before the resolver needs to query the authoritative server again for an updated record.

• Negative Caching:

  • Caching servers also store negative responses (e.g., if a domain doesn't exist), preventing repeated queries for the same non-existent domain, which improves efficiency.

• Security Considerations:

  • Caching can introduce security concerns, such as cache poisoning, where a malicious actor injects false DNS data into the cache. Modern DNS implementations use techniques like DNSSEC to mitigate these risks.

DNS Resolvers

What is a DNS Resolver?

• Definition: A DNS resolver is a component that initiates and sequences the process of translating a domain name into an IP address.

• Function: It queries multiple DNS servers in a specific order to resolve a domain name.

Types of Resolvers

• Stub Resolver:

  • Description: A simple resolver embedded in end-user devices.

  • Function: Sends queries to a recursive resolver and waits for the response.

• Recursive Resolver:

  • Description: A resolver that performs the full DNS lookup process on behalf of the stub resolver.

  • Function: Contacts multiple DNS servers (from root to authoritative) to resolve the query fully and returns the result to the stub resolver.

DNS Hierarchy and Components

DNS Hierarchical Structure

• Root Level:

  • Root Servers: The starting point of the DNS lookup process. There are 13 logical root servers (labeled A through M), each with multiple instances worldwide for redundancy and load balancing.

• Top-Level Domains (TLDs):

  • Generic TLDs (gTLDs): Common domains like .com, .org, .net.

  • Country Code TLDs (ccTLDs): Country-specific domains like .us, .uk, .jp.

  • Sponsored TLDs: Domains managed by private organizations with specific purposes, like .edu, .gov.

• Second-Level Domains:

  • Examples: In www.example.com, example is the second-level domain.

• Subdomains:

  • Examples: In mail.example.com, mail is a subdomain of example.com.

Nameservers

• Definition: Servers that hold DNS records for specific domains and respond to DNS queries.

• Requirement: Each domain must have at least two nameservers for redundancy and reliability.

• Types of Nameservers:

  • Authoritative Nameservers: Provide definitive answers for DNS queries about domains under their control.

  • Caching Nameservers: Store DNS query results temporarily to speed up subsequent requests for the same domain.

DNS Zones and Zone Files

DNS Zones

• Definition: A portion of the DNS namespace that is managed by a specific organization or administrator.

• Function: Organizes DNS data to simplify management and delegation.

• Example: example.com and its subdomains can be part of a single zone or divided into multiple zones.

Zone Delegation

• Definition: The process of assigning responsibility for a subdomain to another nameserver.

• Mechanism: Achieved by adding NS (Name Server) records in the parent zone that point to the nameservers of the delegated zone.

• Purpose: Allows decentralized management and scalability by distributing control over different parts of the DNS namespace.

DNS Zone Files

• Definition: Plaintext files that contain DNS records for a zone.

• Components:

  • SOA (Start of Authority) Record: Specifies authoritative information about the zone, including the primary nameserver and contact details.

  • Resource Records: Entries that map domain names to IP addresses and other information.

• Location: Stored on authoritative nameservers responsible for the zone.

DNS Queries and Responses

Types of DNS Queries

• Recursive Query:

  • Description: The resolver demands a complete answer, and the queried DNS server must respond with the requested record or an error.

  • Process: The server performs all necessary lookups, traversing the DNS hierarchy until it finds the answer.

• Iterative Query:

  • Description: The resolver allows the DNS server to return the best answer it has, which may be a referral to another DNS server.

  • Process: The resolver repeats the process with each referred server until it obtains the final answer.

DNS Query Process Example

1. User enters www.example.com into a browser.

2. Stub Resolver on the user's device sends a recursive query to a local recursive resolver.

3. Recursive Resolver checks its cache; if not found, it queries a Root Server.

4. Root Server responds with the address of the relevant gTLD Server for .com.

5. Recursive Resolver queries the gTLD Server, which responds with the address of Authoritative Nameserver for example.com.

6. Recursive Resolver queries the Authoritative Nameserver, which responds with the IP address for www.example.com.

7. Recursive Resolver returns the IP address to the Stub Resolver, which passes it to the user's application.

8. User's browser connects to the web server at the provided IP address.

DNS Caching and Negative Caching

DNS Caching

• Definition: The temporary storage of DNS query results by resolvers and nameservers.

• Purpose:

  • Performance Improvement: Reduces latency by avoiding repeated lookups for the same domain.

  • Reduced Load: Decreases the number of queries sent to higher-level DNS servers.

• TTL (Time To Live): Each cached record has a TTL value determining how long it should be stored before expiring.

Negative Caching

• Definition: Caching of negative responses, i.e., information about non-existent domains or failed lookups.

• Introduction: Made mandatory by RFC 2308 to improve efficiency.

• Purpose:

  • Error Prevention: Prevents repeated queries for domains that do not exist, reducing unnecessary traffic.

  • Performance: Improves response times by quickly returning cached negative results.

• TTL for Negative Caching: Typically shorter than positive caching to allow for quick updates if a previously non-existent domain becomes available.

DNS Caching in Linux Systems

• NSCD (Name Service Caching Daemon):

  • Function: Provides caching for various name service requests, including DNS.

  • Configuration: Controlled by /etc/nscd.conf.

• NSSwitch Configuration:

  • File: /etc/nsswitch.conf.

  • Function: Determines the order and method of name resolution sources (e.g., local files, DNS, NIS).

  • Example Entry: hosts: files dns means the system will first check local files (/etc/hosts) before querying DNS.

DNS Message Format

Structure of DNS Messages

DNS messages are structured data packets used for both queries and responses. They have a standardized format consisting of several sections.

Sections of a DNS Message

1. Header:

   • Fields Include:

     • ID: A unique identifier for matching requests and responses.

     • Flags: Indicate query/response status, recursion desired, authoritative answer, etc.

     • Counts: Number of entries in each of the following sections.

2. Question:

   • Contains:

     • QNAME: The domain name being queried.

     • QTYPE: The type of record requested (e.g., A, AAAA, MX).

     • QCLASS: Typically IN for internet.

3. Answer:

   • Contains: Resource records answering the query.

4. Authority:

   • Contains: Resource records pointing to authoritative nameservers.

5. Additional:

   • Contains: Additional helpful information, such as IP addresses for the authoritative servers listed.

DNS Transport Protocols: UDP and TCP

UDP (User Datagram Protocol)

• Usage:

  • Standard Queries: Most DNS queries and responses use UDP on port 53.

• Advantages:

  • Efficiency: Lower overhead, faster transmission suitable for small messages.

• Limitations:

  • Size Restriction: Traditional DNS over UDP limits message size to 512 bytes (extended by EDNS0).

TCP (Transmission Control Protocol)

• Usage:

  • Large Responses: If a DNS response exceeds 512 bytes or if truncation occurs, TCP is used.

  • Zone Transfers: DNS zone transfers between servers use TCP to ensure reliable and ordered delivery.

• Advantages:

  • Reliability: Ensures data integrity and correct sequencing of packets.

• Considerations:

  • Overhead: More resource-intensive than UDP due to connection establishment and teardown.

DNS Extensions and EDNS0

Need for DNS Extensions

• Challenges:

  • Limited Message Size: Traditional DNS had a maximum message size of 512 bytes, insufficient for modern requirements like DNSSEC.

  • New Features: The need for additional capabilities such as extended error codes and security features.

EDNS0 (Extension Mechanisms for DNS 0)

• Definition: A protocol extension that enhances DNS by allowing larger message sizes and additional features.

• Features:

  • Increased Message Size: Supports UDP message sizes up to 4096 bytes.

  • Optional Data: Allows for additional options and flags to be included in DNS messages.

• Benefits:

  • Support for DNSSEC: Larger message sizes accommodate cryptographic signatures and keys.

  • Enhanced Functionality: Enables future extensions without overhauling the existing DNS protocol.

• Implementation: Included as additional records in the DNS message's additional section.

DNS Resource Records

Common Resource Record Types

• A (Address) Record:

  • Purpose: Maps a domain name to an IPv4 address.

  • Example: example.com. IN A 93.184.216.34

• AAAA Record:

  • Purpose: Maps a domain name to an IPv6 address.

  • Example: example.com. IN AAAA 2606:2800:220:1:248:1893:25c8:1946

• CNAME (Canonical Name) Record:

  • Purpose: Aliases one domain name to another.

  • Example: www.example.com. IN CNAME example.com.

• MX (Mail Exchange) Record:

  • Purpose: Specifies mail servers responsible for receiving email for the domain.

  • Example: example.com. IN MX 10 mail.example.com.

• PTR (Pointer) Record:

  • Purpose: Maps an IP address to a domain name (reverse DNS lookup).

  • Example: 34.216.184.93.in-addr.arpa. IN PTR example.com.

• SOA (Start of Authority) Record:

  • Purpose: Provides authoritative information about the zone, including primary nameserver and contact email.

• TXT (Text) Record:

  • Purpose: Holds arbitrary text data, often used for verification, SPF records, and other metadata.

Advanced Resource Record Types

• DNAME (Delegation Name) Record:

  • Purpose: Redirects an entire subtree of the DNS namespace to another domain.

  • Difference from CNAME: While CNAME applies to a single node, DNAME applies to all subdomains beneath it.

---

CNAME Chaining and Its Implications

What is CNAME Chaining?

• Definition: The practice of pointing a CNAME record to another CNAME record, creating a chain of aliases before reaching the final A or AAAA record.

Considerations and Best Practices

• Performance Impact:

  • Increased Latency: Each additional lookup adds delay to the resolution process.

  • Failure Points: More links in the chain increase the risk of resolution failure.

• RFC Recommendations:

  • Limit Chains: It's recommended to avoid long CNAME chains; some resolvers may not follow more than a certain number of CNAME redirects.

• Use Cases:

  • CDN and Load Balancing: Sometimes used for dynamic DNS setups where targets change frequently.

DNS Zone Transfers

Purpose of Zone Transfers

• Definition: The process of copying DNS zone data from a primary (master) nameserver to secondary (slave) nameservers.

• Purpose:

  • Redundancy: Ensures multiple servers have up-to-date DNS records.

  • Load Distribution: Balances query load across multiple servers.

  • Fault Tolerance: Provides backup in case the primary server fails.

Types of Zone Transfers

• Full Zone Transfer (AXFR):

  • Description: Transfers the entire zone file from the master to the slave server.

  • Usage: Used when initializing a slave server or when significant changes occur.

• Incremental Zone Transfer (IXFR):

  • Description: Transfers only the changes made since the last successful transfer.

  • Usage: More efficient for frequent, small updates.

Security Considerations

• Access Control:

  • Restriction: Zone transfers should be restricted to trusted servers to prevent data leakage.

  • Methods: Use of IP address filtering, TSIG (Transaction SIGnature) keys for authentication.

• Encryption:

  • TLS Support: Modern DNS implementations support encrypting zone transfers to protect data integrity and confidentiality.

References

1. https://datatracker.ietf.org/doc/html/rfc1035