DNS resolution basics
The most basic function of DNS (Domain Name System) is resolving domain names (like example.org) to IP addresses (at the time of writing, 93.184.215.14 and 2606:2800:21f:cb07:6820:80da:af6b:8b2c). This document is a basic explanation of how that is achieved.
DNS nameservers
For the purpose of this explanation, there are two types of nameservers:
- Authoritative nameservers, which directly serve the information about a domain in the form of DNS records
- Recursive nameservers, which look up ("resolve") records on behalf of clients by querying authoritative servers, following the hierarchy from the root down (recursively resolving a record)
DNS zones and hierarchy
Domains are subdivided into a hierarchy. For instance, example.org. is comprised of the following zones, from most to least specific:
- example.org., served by the authoritative nameservers for the example.org zone
- org., served by the authoritative nameservers for the org zone
- . (the root zone), served by the root nameservers
Note: a domain name which includes the trailing dot is called a Fully Qualified Domain Name (FQDN); this is the form that is used when talking to DNS servers, and the trailing dot denotes the root zone.
The root nameservers contain the addresses of the nameservers that are authoritative for the org zone in so-called NS records. The org zone, in turn, contains NS records that point to the nameservers of the example.org zone.
This hierarchy can be visualized using the +trace option of dig when querying one of the root nameservers:
# Get the A record of example.org from a.root-servers.net
$ dig +trace A example.org @a.root-servers.net
. 518400 IN NS a.root-servers.net.
;; Received 811 bytes from 2001:503:ba3e::2:30#53(a.root-servers.net) in 7 ms
org. 172800 IN NS b2.org.afilias-nst.org.
;; Received 442 bytes from 2001:503:ba3e::2:30#53(a.root-servers.net) in 7 ms
example.org. 3600 IN NS b.iana-servers.net.
;; Received 88 bytes from 2001:500:48::1#53(b2.org.afilias-nst.org) in 17 ms
example.org. 3600 IN A 93.184.215.14
;; Received 104 bytes from 2001:500:8d::53#53(b.iana-servers.net) in 104 ms
Note: answers truncated for better readability
But what do the individual answers of the nameservers say?
- a.root-servers.net. is authoritative for the . (root) zone
- b2.org.afilias-nst.org. is authoritative for org.
- b.iana-servers.net. is authoritative for example.org.
There can also be multiple nameservers authoritative for a single zone.
Walking the entire hierarchy every time to resolve a single name is slow and produces unnecessary load on the root nameservers. This is where recursive nameservers come in: they cache the responses from the different nameservers in the DNS hierarchy for as long as the TTL (Time-to-Live) of each record allows.
A normal query to a recursive nameserver returns the IP address directly; the resolver does the walk on the client's behalf, and most of the time the answer is already in its cache:
# Get the A record of example.org from 1.1.1.1
$ dig +short A example.org @1.1.1.1
93.184.215.14
This caching is why DNS changes propagate slowly. When migrating, lower the TTL of the affected records ahead of time (before the old TTL has run out), so that caches drop the old values quickly once you switch and you can check that everything works sooner.
The remaining TTL is also returned by recursive DNS servers; two queries made some time apart show it counting down:
;; ANSWER SECTION:
example.org. 1863 IN A 93.184.215.14
^ Remaining TTL in seconds
;; ANSWER SECTION:
example.org. 1709 IN A 93.184.215.14
^ Remaining TTL in seconds
Caching along the hierarchy is a big reason why DNS seems so slow: while at your authoritative DNS server the changes you make are instant, the resolvers down the line keep your records cached according to the TTL (Time-to-Live) you set. This is also why lowering the TTL is a good idea when migrating servers: the change takes less time to propagate.
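To make the walk and the caching concrete, here is a toy iterative resolver over constructed zone data. This is an added example, not code from the original page: it follows NS referrals root -> org -> example.org the way the +trace output above does, then caches the answer with its TTL so a repeated lookup is served from cache with a decreasing remaining TTL. The server names ending in .test. are assumptions for the example; 93.184.215.14 is the address quoted in the text, and the clock is simulated so the countdown is visible without waiting.

```python
"""Toy iterative resolution with a TTL-aware cache (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    owner: str  # FQDN, with trailing dot
    rtype: str  # "NS" or "A"
    data: str   # nameserver name for NS, IPv4 address for A
    ttl: int    # seconds


# One zone per authoritative server (constructed data; .test. names are assumptions).
SERVER_ZONE = {
    "a.root-servers.test.": ".",
    "ns.org-tld.test.": "org.",
    "ns.example-dns.test.": "example.org.",
}
ZONE_DATA = {
    ".": [Record("org.", "NS", "ns.org-tld.test.", 172800)],
    "org.": [Record("example.org.", "NS", "ns.example-dns.test.", 3600)],
    "example.org.": [Record("example.org.", "A", "93.184.215.14", 3600)],
}
ROOT_HINT = "a.root-servers.test."  # every walk starts at a root server


def ancestors(name):
    """Yield the name and every enclosing zone: example.org. -> org. -> ."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def query(server, name, rtype):
    """Answer of one authoritative server: ("answer", records) when the name
    is in its own zone, ("referral", NS records) when it has delegated the
    enclosing zone to a child, ("nxdomain", []) otherwise."""
    zone = SERVER_ZONE[server]
    records = ZONE_DATA[zone]
    answer = [r for r in records if r.owner == name and r.rtype == rtype]
    if answer:
        return "answer", answer
    for zone_cut in ancestors(name):
        if zone_cut == zone:  # reached our own apex: no delegation below it
            break
        referral = [r for r in records if r.owner == zone_cut and r.rtype == "NS"]
        if referral:
            return "referral", referral
    return "nxdomain", []


class Resolver:
    """Recursive resolver with a TTL-aware cache; `now` is a simulated clock."""

    def __init__(self):
        self.cache = {}  # (name, rtype) -> (records, absolute expiry time)

    def resolve(self, name, rtype, now):
        """Return (records, servers_asked). A cache hit asks no server and
        reports the remaining TTL, as a real resolver does."""
        key = (name, rtype)
        if key in self.cache:
            records, expires_at = self.cache[key]
            if expires_at > now:
                remaining = expires_at - now
                return [Record(r.owner, r.rtype, r.data, remaining) for r in records], []
            del self.cache[key]  # expired: walk the hierarchy again
        server, asked = ROOT_HINT, []
        for _ in range(8):  # bound the delegation depth
            asked.append(server)
            kind, records = query(server, name, rtype)
            if kind == "answer":
                # Cache for the shortest TTL in the answer set.
                self.cache[key] = (records, now + min(r.ttl for r in records))
                return records, asked
            if kind != "referral":
                raise LookupError(f"{name} {rtype}: {kind} from {server}")
            # Follow the delegation. A real resolver still has to find the
            # referred server's address (from glue or a further lookup);
            # here servers are addressed by name to keep the walk visible.
            server = records[0].data
        raise LookupError(f"{name}: too many referrals")


if __name__ == "__main__":
    resolver = Resolver()
    for t in (0, 1737, 3600):
        records, asked = resolver.resolve("example.org.", "A", now=t)
        print(f"t={t:>4}s asked={asked or 'cache'} -> {records[0].data} ttl={records[0].ttl}")
```

The first lookup asks all three servers and caches the answer for 3600 s; the second, 1737 s later, asks nobody and reports 1863 s remaining (the same kind of countdown as in the ANSWER SECTIONs above); at 3600 s the entry has expired and the walk is repeated.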
wth is a SOA then?
SOA (Start of Authority) is a meta record containing data about the zone. Most notably:
- the primary nameserver of the zone (MNAME)
- the zone serial number (incremented with every change to the zone; secondaries use it to detect that the zone has changed)
- the zone admin contact (RNAME, an e-mail address with the @ replaced by a dot)
- various timers: refresh, retry and expire, which govern zone transfers, and the minimum TTL, which is used for negative caching
Of note: while it is standard to configure your SOA properly, you can find domains in the wild which have semi-bogus SOA records and still work just fine:
$ dig +short SOA lea.pet
a.misconfigured.dns.server.invalid. hostmaster.lea.pet. 2024071306 10800 3600 604800 3600
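The seven fields are easy to check mechanically. Below is an added example (not code from the original page) that parses the lea.pet SOA shown above as printed by dig +short, decodes the admin contact, and reports what a practitioner would want flagged: here only the MNAME, which lives under the RFC 2606 reserved TLD .invalid and so cannot name a real primary, while the serial and timers are well-formed. The thresholds in the sanity checks are conventional expectations, not anything the page states.

```python
"""Parse and sanity-check an SOA record in `dig +short SOA` form (added example)."""
import re
from datetime import datetime

SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")


def parse_soa(rdata):
    """Split the text form of an SOA into a dict of its seven fields."""
    parts = rdata.split()
    if len(parts) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(parts)}")
    soa = dict(zip(SOA_FIELDS, parts))
    for field in SOA_FIELDS[2:]:  # serial and the four timers are integers
        soa[field] = int(soa[field])
    return soa


def rname_to_email(rname):
    """RNAME encodes the admin mailbox with the '@' replaced by a dot:
    hostmaster.lea.pet. -> hostmaster@lea.pet. A backslash-escaped dot in
    the local part stands for a literal dot (john\\.doe.example.org. ->
    john.doe@example.org)."""
    rname = rname.rstrip(".")
    match = re.match(r"^((?:\\\.|[^.])+)\.(.+)$", rname)
    if not match:
        raise ValueError(f"cannot split RNAME {rname!r}")
    local = match.group(1).replace("\\.", ".")
    return f"{local}@{match.group(2)}"


def soa_sanity(soa):
    """Return warnings a practitioner would want to see; empty means fine."""
    warnings = []
    mname = soa["mname"].rstrip(".")
    if mname.endswith((".invalid", ".test", ".example", ".localhost")):
        warnings.append(f"MNAME {soa['mname']} is under a TLD reserved by RFC 2606 "
                        "and cannot name a real primary")
    if not 0 <= soa["serial"] < 2**32:
        warnings.append("serial does not fit in 32 bits")
    serial = str(soa["serial"])
    try:
        if len(serial) != 10:
            raise ValueError
        datetime.strptime(serial[:8], "%Y%m%d")  # YYYYMMDDnn convention
    except ValueError:
        warnings.append("serial does not follow the common YYYYMMDDnn convention")
    if soa["retry"] >= soa["refresh"]:
        warnings.append("RETRY should be shorter than REFRESH")
    if soa["expire"] <= soa["refresh"]:
        warnings.append("EXPIRE should be longer than REFRESH")
    if soa["minimum"] > 86400:
        warnings.append("MINIMUM (negative-caching TTL) above a day makes NXDOMAINs stick")
    return warnings


# The record quoted above, copied from the page.
LEA_PET_SOA = ("a.misconfigured.dns.server.invalid. hostmaster.lea.pet. "
               "2024071306 10800 3600 604800 3600")

if __name__ == "__main__":
    soa = parse_soa(LEA_PET_SOA)
    print("admin contact:", rname_to_email(soa["rname"]))
    for warning in soa_sanity(soa):
        print("warning:", warning)
```

Run against the lea.pet record it prints the contact hostmaster@lea.pet and exactly one warning, about the MNAME; the serial 2024071306 parses as 2024-07-13 revision 06, and refresh, retry and expire are ordered sensibly.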
DNS delegations and glue records
As outlined above, a zone needs to be delegated by the zone one level above it. That is, example.org. needs to have NS records set in org.. For this purpose, TLDs allow the owner of a domain to set NS records directly with them, which are later used by downstream resolvers to connect a domain to the correct nameserver.
This solves half of the chicken-and-egg problem. The other half is more peculiar: what if your authoritative nameserver's name lies inside the zone it serves? That is, what if example.org's NS is ns1.example.org? To look up the address of ns1.example.org, a resolver would have to ask the example.org nameservers, which are exactly what it is trying to find. That's where glue records come in: besides allowing owners to set NS records, TLDs also allow the owner to set A/AAAA records for those nameservers directly with them, to break this exact loop.
Generally, you only need to set A/AAAA glue records when you host your own nameservers under the same domain (so-called in-bailiwick nameservers). Otherwise, setting the nameservers normally is enough.
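Whether a nameserver needs glue is a purely syntactic question (does its name sit inside the zone it serves?), so it is worth checking before a migration. The following added example, not code from the original page, takes a constructed referral for example.org. as an org. server would return it (the NS set plus any A/AAAA records sent along with it) and classifies each nameserver as glued, missing glue, or out-of-bailiwick. The nameserver names and addresses in the referral are assumptions.

```python
"""Check a parent-side delegation for missing glue (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    owner: str  # FQDN with trailing dot
    rtype: str  # "NS", "A" or "AAAA"
    data: str


def in_bailiwick(ns_name, zone):
    """True when the nameserver's name lies inside the zone it serves,
    which is exactly the case where the parent must carry glue."""
    return ns_name == zone or ns_name.endswith("." + zone)


def check_delegation(zone, referral):
    """Classify each NS in the referral for `zone`:
    'glued'            in-bailiwick and the parent sent an address
    'missing glue'     in-bailiwick but no A/AAAA came along: unresolvable loop
    'out-of-bailiwick' name lives in another zone, resolvable on its own"""
    ns_names = [rr.data for rr in referral if rr.rtype == "NS" and rr.owner == zone]
    glued = {rr.owner for rr in referral if rr.rtype in ("A", "AAAA")}
    report = {}
    for ns in ns_names:
        if not in_bailiwick(ns, zone):
            report[ns] = "out-of-bailiwick"
        elif ns in glued:
            report[ns] = "glued"
        else:
            report[ns] = "missing glue"
    return report


def glue_to_submit(zone, referral):
    """Names for which A/AAAA glue must be entered at the registry."""
    return sorted(ns for ns, status in check_delegation(zone, referral).items()
                  if status == "missing glue")


# Constructed referral for example.org. (assumed nameserver names and addresses).
REFERRAL = [
    RR("example.org.", "NS", "ns1.example.org."),
    RR("example.org.", "NS", "ns2.example.org."),
    RR("example.org.", "NS", "ns.example-dns.test."),
    RR("ns1.example.org.", "A", "192.0.2.53"),
    RR("ns1.example.org.", "AAAA", "2001:db8::53"),
]

if __name__ == "__main__":
    for ns, status in check_delegation("example.org.", REFERRAL).items():
        print(f"{ns:<24} {status}")
    print("glue to add:", glue_to_submit("example.org.", REFERRAL))
```

In this referral ns1.example.org. is fine, ns2.example.org. is in-bailiwick with no address and would leave resolvers chasing their tail, and ns.example-dns.test. needs no glue because its address can be resolved through its own zone.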