How the Domain Name System (DNS) works
The following is background information on how DNS servers work, specifically in relation to Bytemark’s content DNS and resolving DNS services. These services are important to owners of virtual machines or Dedicated Servers, especially those wanting to host the DNS service for their own domains.
It is assumed you understand what an IP address is, and know the process of registering and using a domain through a domain registrar while possibly being “a little fuzzy” about what the DNS actually does.
The difference between Content and Resolving DNS services
From our experience, people expect DNS servers to provide a single service: to convert names such as www.bytemark.co.uk to IP addresses such as 188.8.131.52. Although many DNS servers around the internet operate in this simplistic manner, this view is not a thorough understanding of the system, and may result in security issues if a systems administrator new to DNS tries to set up a server in this fashion. DNS servers should provide one of two services: content or resolution services.
A content server is one which actually contains authoritative DNS records. These records are just single pieces of information such as:
- the name www.bytemark.co.uk refers to IP address
- the domain bytemark.co.uk should have its mail delivered to address
- the IP address 184.108.40.206 has the name
These records are “authoritative” because the person who owns the server claims that they are correct in the global naming system, and is asserting that a content DNS service provides these answers to anybody who asks for them. Content servers are usually authoritative for a fixed set of domains, owned or administered by the person who has set the server up.
If a content server does not itself know the answer to a particular DNS query, it may know that the domain has been delegated to another server, and so may answer with a referral instead. A referral is a hint to the client making the request that it will find the answer from another content server.
A resolving server’s job is not to return any authoritative information directly. Its job is to search for information on behalf of clients, and to return it. A resolving server usually remembers past queries so that if a lot of people ask for the same information, it can return it quickly without having to search for it twice. Hence a resolving server is sometimes known as a ‘DNS cache’ or ‘caching DNS resolver’. Most organisations providing internet access to a group of people maintain their own resolving server or servers. They are a necessary part of the internet infrastructure because:
- Most DNS information does not change most of the time. Hence it makes sense for an organisation to set up their own server which will be able to more quickly return DNS information that is commonly requested by that particular organisation.
- Resolving a DNS query from scratch can be a complicated procedure, and most internet software (e.g., email clients, web browsers) does not need to know how to do it. A commonly-used server to do the job means internet applications need only deal with issuing a single question and receiving a single answer.
How a DNS query is resolved
Below we explain what happens when you type www.bytemark.co.uk into your computer’s web browser.
1. Your web browser asks the resolving DNS server what the address of www.bytemark.co.uk is. Your computer already knows where the local resolving DNS server is through its network configuration. For customers on the Bytemark network, the resolving DNS servers are 220.127.116.11. On a Linux machine these addresses are listed in
2. The resolving DNS server does not know the address, so it asks a root server the same question. The 13 root servers have globally well-known IP addresses, and are run by a US-based company called ICANN.
3. The root server replies that it does not know, but it gives the address of the server which knows about .uk domains. All UK domains are managed by a non-profit organisation called Nominet.
4. The resolving DNS server asks the .uk server what the address of
5. The .uk server replies that it does not know, but it gives the address of the server which knows about the .bytemark.co.uk domain. This server is (finally!) at an IP address which we manage, on one of our servers. We pay Nominet an annual fee (via a domain registrar) to maintain this referral for our domain, and for them to maintain the address as belonging to us.
6. The resolving DNS server asks the .bytemark.co.uk server what the address of
7. Our server answers the query with the IP address of www.bytemark.co.uk, and marks the response as “authoritative”. This is an assertion that the answer is correct and complete. It also adds to its reply that “this data is valid for 24 hours”, so that anyone who is asking can confidently re-use the information for that time without having to issue another query.
8. The resolving DNS server finally has its answer, and can reply back to the web browser with the IP address. Crucially it marks its answer as “non-authoritative”, so that the web browser knows it has the information indirectly.
The commercial side
Given the above, you should be able to see the technical side of what has become quite a slick commercial process. Your domain registrar, to whom you pay £10 or so per year for their services per domain, ensures that your chosen name is redirected at the content servers of your choice. Your registrar usually has paid to have indirect access to the servers that run the top-level internet domains such as .co.uk and so on.
If you want to tell your registrar that you wish to handle your own DNS, you need to give them a minimum of two content server IP addresses to delegate to, and after that the technical control over your domain is yours. You need to ensure that the IP addresses which you nominate will respond authoritatively to queries for your domain; if they do not, you have what is sometimes called a ‘lame delegation’.
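The referral chain from the walkthrough above, together with the lame-delegation failure just described, as an added example that is not part of the original page. It is an offline Python model, not real DNS: the server labels, the lame-example.co.uk name and the 192.0.2.10 address are constructed for illustration.

```python
# Constructed model of the walkthrough: three content servers, each authoritative
# for one zone. Server labels and the 192.0.2.10 address are made up.
SERVERS = {
    "root-server": {"zone": ".", "records": {},
                    "delegations": {"uk.": "uk-server"}},
    "uk-server": {"zone": "uk.", "records": {},
                  "delegations": {"bytemark.co.uk.": "bytemark-server",
                                  "lame-example.co.uk.": "bytemark-server"}},
    "bytemark-server": {"zone": "bytemark.co.uk.", "delegations": {},
                        "records": {"www.bytemark.co.uk.": ("192.0.2.10", 86400)}},
}

def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)

def content_query(server, name):
    """A content server: authoritative answer, referral, or refusal. Never recurses."""
    s = SERVERS[server]
    if not in_zone(name, s["zone"]):
        return "REFUSED", None                     # not a zone this server holds
    if name in s["records"]:
        return "ANSWER", s["records"][name]        # (address, ttl), authoritative
    for child, target in s["delegations"].items():
        if in_zone(name, child):
            return "REFERRAL", target              # hint: ask that server instead
    return "NXDOMAIN", None

class Resolver:
    """A resolving server: follows referrals from the root and caches by TTL."""
    def __init__(self):
        self.cache = {}                            # name -> (address, expiry time)

    def resolve(self, name, now=0):
        if name in self.cache and self.cache[name][1] > now:
            return {"address": self.cache[name][0], "asked": [], "authoritative": False}
        server, asked = "root-server", []
        for _ in range(8):                         # hop limit guards against referral loops
            asked.append(server)
            kind, data = content_query(server, name)
            if kind == "REFERRAL":
                server = data
            elif kind == "ANSWER":
                self.cache[name] = (data[0], now + data[1])
                # Relayed to the client as non-authoritative: it was obtained indirectly.
                return {"address": data[0], "asked": asked, "authoritative": False}
            elif kind == "REFUSED":
                raise LookupError(f"lame delegation: {server} does not serve {name}")
            else:
                raise LookupError(f"{name} does not exist")
        raise LookupError("too many referrals")
```

The second lookup of the same name within 24 hours never leaves the cache, and the constructed lame-example.co.uk delegation fails at the last hop because the nominated server refuses to answer for a zone it does not hold.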
If you are using Bytemark Hosting’s Virtual Machine service, you will be able to send DNS data to any of our DNS servers through our Content DNS service. Of course, you can set up your own Virtual Machine to serve DNS data as well.
Multiple answers to DNS queries
Our example above makes a simplification: it pretends that DNS queries only ever have one answer. In fact, certain queries usually return more than one answer. For instance if you ask what the address of www.yahoo.com is, you’ll (at the time of writing) get 13 different IPs supplied in the response. Each IP will still respond with Yahoo’s home page, so that if one of them falls over, the others will still keep Yahoo’s front page visible.
In the example, if you ask which server is responsible for the
you will get five different IPs supplied in response. All of them should serve the same data; it is very important that machines which serve content DNS data for “top-level” domains are always available.
While you can perform the same trick for your own web or mail services if you need resilience, you will be forced to supply more than one DNS server when you ask your registrar to re-delegate your domain. That is to say, it is a condition of owning a domain that you must have two separate IPs which will answer authoritatively for it. Our Content DNS Service makes this easy to manage.
- Dan Bernstein explains the importance of separating DNS caches from DNS servers.
- Squish.net dns checker: A service allowing you to check a complete DNS traversal.