How the Domain Name System (DNS) works
Here is some background information on how DNS servers work, specifically in
relation to Bytemark Hosting’s content DNS and resolving DNS services. These are both important to owners of virtual machines or dedicated hosts, especially those wanting to host the DNS service for their own domains.
It is assumed you understand what an IP address is, and know the process of registering and using a domain through a domain registrar while being “a little fuzzy” about what the DNS actually does.
The difference between Content and Resolving DNS services
From our experience, people expect DNS servers to provide a single service: to convert names such as www.bytemark.co.uk to IP addresses such as 22.214.171.124. Although many DNS servers around the internet operate in this simplistic manner, this view is not a thorough understanding of the system, and may result in insecurities if a systems administrator new to DNS tries to set up a server in this fashion. DNS servers should provide one of two services: content or resolution services.
A content server is one which actually contains authorititive DNS records. These records are just single pieces of information such as:
- the name
www.bytemark.co.ukrefers to IP address
- the domain
bytemark.co.ukshould have its mail delivered to address
- the IP address
126.96.36.199has the name
And so on. These records are “authoratitive” because the person who owns the server claims that they are correct in the global naming system, and is providing a content DNS service to provide these answers to anybody who asks for them. Content servers are usually authoratitive for a fixed set of domains, owned or administered by the person who has set the server up.
If a content server does not itself know the answer to a particular DNS query, it may know that the domain has been delegated to another server, and so may answer with a referral instead. A referral is a hint to the client making the request that it will find the answer from another content server.
A resolving server’s job is not to return any authoratitive information directly. Its job is to search for information on behalf of clients, and to return it. A resolving server usually remembers past queries so that if a lot of people ask for the same information, it can return it quickly without having to search for it twice. Hence a resolving server is sometimes known as a “DNS cache” or “caching DNS resolver”. Most organisations providing internet access to a group of people maintain their own resolving server or servers. They are necessary part of the internet infrastructure because:
- Most DNS information does not change most of the time. Hence it makes sense for an organisation to set up their own server which will be able to more quickly return DNS information that is commonly requested by that particular organisation.
- Resolving a DNS query from scratch can be a complicated procedure, and most internet software (email clients, web browsers) does not need to know how to do it. A commonly-used server to do the job means internet applications need only have to deal with issuing a single question and receiving a single answer.
How a DNS query is resolved
Below we explain what happens when you type
www.bytemark.co.uk into your computer’s web browser.
- Your web browser asks the resolving DNS server what the address of
www.bytemark.co.ukis. Your computer already knows where the local resolving DNS server is through its network configuration. For customers on the Bytemark network, the resolving DNS servers are
188.8.131.52. On a linux machine these addresses are listed in
- The Resolving DNS server does not know the address. So it asks a root server the same question. The 13 root servers have globally well-known IP addresses, and are run by a US-based company called ICANN
- The root server replies that it does not know, but it gives the address of the server which knows about
.ukdomains. All UK domains are managed by a non-profit organisation called Nominet
- The resolving DNS server asks the
.ukserver what the address of
.ukserver replies that it does not know, but it gives the address of the server which knows about
.bytemark.co.ukdomain. This server is (finally!) at an IP address which we manage, on one of our
servers. We pay Nominet an annual fee (via a domain registar) to maintain this referral for our domain, and for them to maintain the address as belonging to us.
- The resolving DNS server asks the
.bytemark.co.ukserver what the address of
- Our server answers the query with the IP address of www.bytemark-hosting.co.uk, and marks the response as “authoratitve”. This is an assertion that the answer is correct and complete. It also adds to its reply that “this data is valid for 24 hours”, so that anyone who is asking can confidently re-use the information for that time without having to issue another query.
- The resolving DNS server finally has its answer, and can reply back to the web browser with the IP address. Crucially it marks its answer as “non-authoratitive”, so that the web browser knows it has the information indirectly.
The commercial side
So from the above, you should be able to see the technical side of what has become quite a slick commercial process. Your domain registrar, to whom you pay £10 or so per year for his services per domain, ensures that your chosen name is redirected at the content servers of your choice. Your registrar usually has paid to have indirect access to the servers that run the top-level internet domains such as .com, .net, .co.uk and so on.
If you want to tell your registar that you wish to handle your own DNS, you need to give them a minimum of two content server IP addresses to delegate to, and after that the technical control over your domain is yours. You need to ensure that the IP addresses which you nominate will respond authoratitively to queries for your domain; if they do not, you have what is sometimes called a “lame delegation”.
If you are using Bytemark Hosting’s Virtual Machine service, you will be able to send DNS data to any of our DNS servers through our Content DNS service of course you can set up your own Virtual Machine to server DNS data as well.
Multiple answers to DNS queries
Our example above makes a simplification: it pretends that DNS queries only ever have one answer. In fact, certain queries usually return more than one answer. For instance if you ask what the address of
www.yahoo.com is, you’ll (at the time of writing) get 13 different IPs supplied in the response. Each IP will still respond with Yahoo’s home page, so that if one of them falls over, the others will still keep Yahoo’s front page visible.
In the example, if you ask which server is responsible for the
.uk domain, you will get five different IPs supplied in
response. All of them should serve the same data; it is very important that machine which server content DNS data for “top-level” domains are always available.
While you can perform the same trick for your own web or mail services if you need resilience, you will be forced to supply more than one DNS server when you ask your registrar to redelegate your domain. That is to say, it is a condition of “owning” a domain that you must have 2 separate IPs which will answer authoratitively for it. Our Content DNS Service makes this easy to manage.
- Jonathan de Boyne Pollard explains content and resolving DNS
- Dan Bernstein explains the importance of separating DNS caches from DNS servers
- Squish.net dns checker: A service allowing you to check a complete DNS traversal.
Search for documents by tag:
“Thanks a million for your help and support this afternoon in diagnosing and fixing the timeout issues we were experiencing - since your latest intervention and update we've not seen a single request fail and the platform appears quite stable ... I'm incredibly grateful for the willingness, speed and skill by which you rolled up your sleeves and dived in to fix the issues.”