About DNS

KALM-150x150"Tom provides a brief explanation of Domain Name Servers, what they do and don’t do, and why they are important to your every day browsing.

Featuring Tom Merritt.



A special thanks to all our supporters–without you, none of this would be possible.

Thanks to Kevin MacLeod of Incompetech.com for the theme music.

Thanks to Garrett Weinzierl for the logo!

Thanks to our mods, Kylde, Jack_Shid, KAPT_Kipper, and scottierowland on the subreddit

Send us email to [email protected]

Episode Script
Maybe you keep hearing people say DNS

Or claiming DNS isn’t really secure

You know it has something to do with domain names but what is it?

Let’s help you Know a Little More about DNS

DNS stands for the Domain Name System. It’s essentially the system that lets you type google.com when you want Google search rather than having to remember something like
That string of numbers is an Internet Protocol Address or IP address. That’s actually how computers on the internet talk to each other. They identify as numbers.
Domain Names are associated with those numbers. When you type in a domain name in a browser the browser goes and looks up in a table which number (or more often range of numbers) goes with that domain name so it can find it on the internet. The same way you just go to your friends name in your phone’s contact list to call them. You don’t tap in their phone number by hand.
The Domain Name System provides a worldwide distributed directory of which domain names go with which numbers. It’s not just one table (anymore) it’s lots of tables on lots of servers around the world. So DNS also defines a communication protocol for how all those directories communicate with each other so that any computer can find another on the Internet.
It did start as one text file, HOSTS.TXT on a machine at the Stanford Research Institute developed and maintained by Elizabeth Feinler. She mapped host names to the numbers she found in the Assigned Numbers List handled by Jon Postel at USC. That file lasted a long time. Feinler and her team managed that list for the ARPANET– and later Internet– until 1989.
But along the way that host table became slow and unwieldy. So Paul Mockapetris took on the task of automating it and published the original spec for the domain name system in November 1983.
Four UC Berkeley students wrote a UNIX implementation of the spec called the Berkeley Internet Name Domain or BIND. BIND is still the most widely used DNS software on the Internet. And yes it has been updated several times since then.
The domain name system itself is made up of multiple domains. The most familiar is of course .com. There’s also .org, .net .fr .biz and on and on. Each of those domains has an authority responsible for assigning domain names and mapping them to the corresponding numbers. Each domain has multiple name servers that you can call on to find which domain name goes with which IP addresses.
But its not just one server with all the addresses. In fact the process involves different servers for different parts of the domain name.
You see the domain name itself consists of multiple labels. Lets take http://www.knowalittlemore.com The right most label is the top-level domain .com. Each label to the left specifies a subdivision. So the first to the left is knowalittlemore which is the domain of this show. For websites usually the last label is www to specific you mean the web server on that domain. So when you type in http://www.knowalittlemore.com you go to the website for knowalittlemore.com not the email server. If you’re thinking you don’t type in www ever well browsers can add it for you and you can figure your nameserver to assume www was meant if nothing else (like say SMTP for email) is to the left.
Each label in your domain name can have up to 63 characters. A full domain name with all subdivisions can’t be longer than 253 characters in text or 255 octets of storage in binary.
The characters in a domain name are officially A-Z, 0 through 9 and the hyphen. However the Internationalizing Domain Names in Applications or IDNA system can map international characters into this set so locals can use their own alphabet.
Each domain, like .com. .uk. etc has a set of authoritative name servers that are either primary or secondary. A primary server has the original up to date copy of all domain records. Secondary servers communicate with the primary to automatically update.
In practice information is cached to speed things up and you’re almost always calling on cached information when you browse. But let’s pretend there was no cache available and you want to go to knowalittlemore.com. The request would start by finding the closest root name server. These are spread throughout the world. The root name server would direct you to the nearest .com name server, that server would then tell you which IP address goes with knowalittlemore.com you’d check there to find out which server is the web server at http://www.knowalittlemore.com and potentially with more complicated requests, onward until you get the exact server you’re looking for.
With all these intermediaries it’s possible for malicious actors to figure out how to insert themselves and give you the wrong IP address for a domain that would then take you to a malicious version of the site that might look just like the real site but infect you with malware or something.
Domain Name System Security Extensions or DNSSEC requires each level of DNS server to digitally sign its requests to assure they haven’t been intercepted. It is deployed at the root level but has not been fully deployed across the system because of complexity and also reasons.
As I said, in practice so much of the process is cached that root name servers get a very small fraction of requests, otherwise they’d get overloaded. Records may be cached in your browser, in your router by your ISP and so on. Cached records have a time to live set on their records so they are forced to go update and look for changes regularly so they stay pretty well up to date.
The name servers record more than just domain name and corresponding IP address. It also includes mail exchanges, known as MX records, domain name aliases known as CNAME as well as responsible persons, there’s even a real-time blackhole list or RBL for combating spam.
And it can do more than just tell you what domain name goes with what address. The DNS can provide the IP address that is closest to the requesting computer. This function is essential to cloud services and content delivery networks. Netflix doesn’t have one machine at Netflix.com. It has thousands and the Domain Name System is the first step in routing your Netflix app to the closest set of Netflix servers so you have the least delay in getting that episode of Stranger Things.
OK so I know a lot of you have questions about registering domains and how that fits in let’s touch on that briefly.
To register a domain name and get its record created in the DNS directory you need to deal with an official domain name registrar. The registrar is different from the registry. Each domain like .com or .us has a registry. The registrar is contracted to handle requests for domain names and collect and verify the information that is then entered into the directory by the registry. Registrars can and do charge fees for this.
And yes registry and registrar are different and really should have been named something that made that a little more obvious.
Let’s use an example for .com authorized registrars – like say hover.com– must pay the registry – in the case of .com that’s Verisign. The registrar also pays a small administration fee to ICANN for each domain it handles. The price the public pays the registrar is these fees plus some markup. The maximum registration period is 10 years, though some registrars offer longer periods by legally binding themselves to renew the domain at the end of each ten year period.
There are usually more than one registrar per domain and in fact registrars usually handle more than one domain. Registrars can also authorize resellers as affiliates.
So there you have it. You pay a registrar to register a domain name with a registry and then when someone looks up your domain name the domain name system directory, or likely a cached copy of it will point a browser to the IP address of your web server.
In other words, I hope you know a little more about DNS.