What is DNS and why is it needed?

DNS (Domain Name System) is a distributed system for storing and processing information about domain names. In short, DNS allows us to use convenient textual website names instead of complex numeric IP addresses.

Understanding how DNS works is important for both IT professionals and ordinary users. If you're a developer or sysadmin, sooner or later you'll have to configure DNS records for your projects. If you are just actively using the Internet, basic knowledge of DNS will help you understand why a website may be inaccessible and how to solve this issue.

In this article, we will analyze in detail what DNS is, how it works, and what problems it solves. But first, we need to get acquainted with the basic concepts of IP addresses and domain names.

Basic concepts

Any computer or server connected to the Internet has an IP address. In the IPv4 format still used for most traffic, this is a 32-bit number written as four decimal blocks separated by dots. For example, one of the addresses of Google's servers is 142.250.185.78.

At their core, IP addresses are similar to phone numbers or postal codes. They are used to uniquely identify the sender and receiver of information on the network. The problem is that it is difficult for people to memorize and use these sets of numbers. It's much easier to type in a website's text name in a browser.

It may seem that there should be enough IP addresses for everyone. After all, the standard IPv4 format (4 numbers from 0 to 255) gives more than 4 billion unique addresses (256^4 = 4,294,967,296). But as early as February 2011, the central pool of unallocated IPv4 addresses managed by IANA was exhausted, and the regional registries have since run through most of their own reserves.

Reasons for the IP address shortage:

  • Rapid growth in the number of devices connected to the Internet (computers, smartphones, tablets, IoT)
  • Inefficient distribution of addresses between organizations and countries at an early stage of Internet development
  • Allocation of large blocks of addresses for special purposes (local networks, multicast, etc.).

To solve the problem, a new standard was developed - IPv6, which uses 128 bits for an address instead of 32. This gives a colossal address space of about 3.4×10^38 unique addresses.

The transition to IPv6 is already underway, but it will take many more years due to the need to update network hardware and software. In the meantime, NAT and private subnets remain the main way to save addresses.

The Domain Name System (DNS) solves a different problem: memorability. It lets a text name (google.com) stand for one or more numeric IP addresses (such as 142.250.185.78), so that people never have to type the numbers.

Domain names have a hierarchical structure and are read from right to left. The rightmost element is the top-level domain. Next are the second and third level domains, etc.

Here is the structure of a domain name using the example of www.blog.example.com:

  • .com is a top-level domain (TLD). There are hundreds of such domains: .com, .org, .net, .ua, .fr, etc.
  • example is a second-level domain; it is unique within its TLD
  • blog is a third-level domain and www is a fourth-level domain (both are subdomains of example.com); subdomains are often used to host separate services or sections of a site

Anyone can register a domain name if it is not already taken. ICANN coordinates the root of the system and delegates each top-level domain to a registry that operates it; registrars accredited by ICANN (or by the registry itself, for country-code domains) sell and maintain names within those TLDs.

By registering a domain, you get the opportunity to specify DNS records for it and thus associate it with the IP addresses of the necessary servers. After that, people will be able to open your website, email, or other services by simply typing in a convenient domain name.

For a better understanding of the relationship between IP addresses and domains, you can draw an analogy with apartments and a multi-storey building. An IP address is like the number of a specific apartment where a website is located. And a domain name is the address of the building where this apartment is located.

When you type in www.example.com in your browser, a complex process of querying several DNS servers takes place behind the scenes. As a result, the domain name is converted to an IP address, and you are directed to the desired website. In the next section, we will analyze the stages of this process in detail.

How DNS works

The DNS can be thought of as a huge distributed database that stores information about the correspondence between domain names and IP addresses. This database is not centered on a single server, but is divided into many DNS servers around the world.

Key components of a distributed DNS system:

  • A DNS server is a program running on a network node that answers DNS queries. Two roles matter here: an authoritative server holds the actual data for one or more zones and answers only for them, while a recursive resolver (the server your operating system is configured to use) holds no zone data of its own, finds answers by asking the authoritative servers on your behalf, and caches what it learns.
  • Zone - a part of the domain space (subtree) for which a particular set of authoritative servers is responsible. Example: the .ua zone, the com.ua zone, the example.com zone.
  • Records - specific name-value mappings stored on the authoritative servers, traditionally in text zone files. Example: blog.example.com = 192.0.2.100.

To understand how the process of converting a domain name to an IP address (resolving) works, let's take an example:

  1. The user enters www.example.com in the browser and presses Enter.
  2. The browser asks the operating system's stub resolver, which first checks the local hosts file and its own cache. If there is no answer there, it sends a query with the "recursion desired" flag to the configured recursive resolver (usually run by the Internet provider or the company network, or a public service such as 1.1.1.1 or 8.8.8.8).
  3. If the name is not in its cache, the recursive resolver starts iterating from the top: it sends a non-recursive query to one of the root servers.
  4. The root server does not know the IP for www.example.com, but it returns a referral: the names and addresses of the servers for the .com zone (one level down).
  5. The resolver queries one of the .com zone servers.
  6. The .com server also does not know the IP, but it refers the resolver to the authoritative servers for the example.com zone (their NS records and glue addresses).
  7. The resolver queries one of the example.com servers.
  8. The example.com server finds the A record for www.example.com and returns the IP address with the "authoritative answer" flag set.
  9. The recursive resolver caches everything it learned along the way (each record for the lifetime given by its TTL) and sends the final answer to the stub resolver, which hands it to the browser.
  10. The browser connects to the IP address and loads the web page.

[Picture of the resolving sequence].

If all the authoritative servers for a zone in this chain are unreachable, resolution fails and the site will not open even though the web server itself is healthy. That is why every zone is expected to have at least two name servers on separate networks, and why fault tolerance of the DNS infrastructure matters so much.

Note that the browser receives the final IP address from the recursive resolver, not directly from the example.com servers. The resolver caches (temporarily stores) the responses for the time specified by each record's TTL, so that repeated requests do not have to start the chain over again.
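The steps above describe the traffic in words; the following added example (not code from the article) shows what actually crosses the wire. It builds the query a stub resolver sends and parses a reply in the RFC 1035 wire format, including the name compression pointers that every real response uses. The reply bytes are hand-assembled for this illustration, not a capture, and the 0x1234 transaction ID, the 192.0.2.x addresses and the ns1.example.com name are assumptions for the example.

```python
import random
import struct

TYPE_A, TYPE_NS, TYPE_CNAME = 1, 2, 5


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label must be 1-63 bytes: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=None):
    """12-byte header plus one question. Flags 0x0100 = RD (recursion desired),
    which is what a stub sends to its recursive resolver; the resolver clears
    RD when it in turn asks root, TLD and authoritative servers."""
    if txid is None:
        txid = random.SystemRandom().randrange(1 << 16)   # must be unpredictable
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # class 1 = IN


def decode_name(msg, offset):
    """Read a (possibly compressed) name starting at offset. Returns the name
    and the offset just past it in the message. A compression pointer (top two
    bits 11) may only point backwards; enforcing that rules out the pointer
    loops that hang or crash careless parsers."""
    labels, end = [], None
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:
                raise ValueError("forward or self-referencing compression pointer")
            if end is None:
                end = offset + 2          # the compressed name uses 2 bytes here
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_rr(msg, offset):
    """One resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    name, offset = decode_name(msg, offset)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    offset += 10
    if offset + rdlen > len(msg):
        raise ValueError("RDATA runs past end of message")
    rdata = msg[offset:offset + rdlen]
    if rtype == TYPE_A and rdlen == 4:
        data = ".".join(str(b) for b in rdata)
    elif rtype in (TYPE_NS, TYPE_CNAME):      # RDATA is a name and may be compressed
        data, _ = decode_name(msg, offset)
    else:
        data = rdata                          # other types left as raw bytes
    return {"name": name, "type": rtype, "ttl": ttl, "data": data}, offset + rdlen


def parse_response(msg):
    """Header, question section, then answer / authority / additional sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions = 12, []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    result = {"id": txid, "is_response": bool(flags & 0x8000),
              "authoritative": bool(flags & 0x0400), "rcode": flags & 0xF,
              "question": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            rr, offset = parse_rr(msg, offset)
            records.append(rr)
        result[section] = records
    return result


# Constructed reply to "www.example.com A", as the example.com authoritative
# server would send it (hand-assembled for this example, not a capture).
# Byte offsets are noted because the compression pointers refer to them.
SAMPLE_RESPONSE = (
    b"\x12\x34\x85\x80\x00\x01\x00\x01\x00\x01\x00\x01"                  # id 0x1234, flags QR|AA|RD|RA, counts 1/1/1/1
    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"                     # question at offset 12; "example.com" starts at 16
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"  # [33] www.example.com A 192.0.2.1, TTL 300
    b"\xc0\x10\x00\x02\x00\x01\x00\x00\x0e\x10\x00\x06\x03ns1\xc0\x10"   # [49] example.com NS ns1.example.com; RDATA at 61
    b"\xc0\x3d\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x35"  # [67] ns1.example.com A 192.0.2.53 (glue), TTL 3600
)

if __name__ == "__main__":
    query = build_query("www.example.com", txid=0x1234)
    print("query bytes:", query.hex())
    reply = parse_response(SAMPLE_RESPONSE)
    for section in ("answer", "authority", "additional"):
        for rr in reply[section]:
            print("%-10s %-18s type=%d ttl=%-5d %s" % (section, rr["name"], rr["type"], rr["ttl"], rr["data"]))
```

The backward-only pointer check in decode_name is the detail worth keeping: a crafted response with a pointer that refers to itself or forward is a classic way to make a naive resolver spin forever, so the parser refuses it instead of following it.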

Root DNS servers play a key role in this process. There are 13 logical root servers (a.root-servers.net to m.root-servers.net) that serve the root zone: the list of top-level domains and the name servers responsible for each of them. Physically, each of the 13 is replicated at many sites around the world using anycast (the same IP address announced from many locations), which increases fault tolerance and response speed.

For example, the i.root-servers.net service was provided from 69 sites around the world as of 2023, all sharing one IPv4 and one IPv6 address. Thanks to this, a query is answered by a nearby instance, and typical response times are well under 300 ms.

Domain hierarchy

The DNS system has a hierarchical structure that defines the levels and subordination of domains to each other. You can think of it as an upside-down tree.

At the very top is the root (.), followed by top-level domains (TLDs), then second-level domains (SLDs), and so on. The lower the domain in the hierarchy, the more specific it is and the more it is subordinate to the higher ones.

Examples of domains of different levels:

  • Top level: .com, .net, .org, .ua, .uk, .de
  • The second level: example.com, google.com, wikipedia.org
  • The third level (subdomains): blog.example.com, www.google.com, en.wikipedia.org

A domain name is read from right to left. The last (rightmost) element is called the first (top) level domain. Each subsequent element on the left is a lower-level domain in relation to the previous one.

For example, in the name blog.example.com, .com is the first level domain, example is the second level, and blog is the third level.

There are top-level domains:

  • Generic (gTLD) - .com, .net, .org, etc. Initially intended for certain types of organizations (commercial, non-profit, educational, etc.), but now most of them can be registered for any purpose.
  • National (ccTLDs) - are tied to countries and territories. Example: .ua (Ukraine), .uk (UK), .fr (France), .de (Germany). Each zone has its own requirements for registrants.
  • New gTLDs - added in several rounds since 2000 (.info, .biz, .museum) and, in large numbers, in the round that opened in 2012, to expand the namespace and competition. Examples: .blog, .shop, .club, .app. In total, there are more than 1200 of them. (Note that .io, often marketed as a "tech" domain, is formally the ccTLD of the British Indian Ocean Territory.)

ICANN (Internet Corporation for Assigned Names and Numbers), an international non-profit organization, is responsible for delegating names in top-level domains. It defines registration rules, approves registrars, and monitors the stability of the DNS system.

To register a second-level domain, you contact a registrar accredited for the desired zone. For gTLDs such as .COM, registrars are accredited by ICANN; country-code registries set their own rules, so for a .UA domain you go to a registrar accredited by the .ua registry, typically a Ukrainian company.

At the same time, you can create subdomains (third, fourth level, etc.) for your second-level domain and fully manage them yourself. This scheme allows you to provide both global administration of the domain space (through ICANN) and flexibility of management for end users.

Understanding the domain hierarchy is important for the proper configuration of the DNS infrastructure. Each label must be unique among the children of its parent node, but the same label can be reused under different parents.

For example, blog.example.com and blog.sample.com share the label blog at the same level (third), but they do not conflict because they sit in different subtrees (example.com and sample.com). Likewise, blog.example.com and wiki.example.com do not conflict: they are at the same level of the same subtree, but their labels differ.

This tree-based system allows you to flexibly structure the domain space and avoid name conflicts. In the next section, we'll take a closer look at the types of DNS records that allow you to associate domains with IP addresses and other data.

Types of DNS records and their purpose

All information in the DNS is stored in the form of records of a certain type (Resource Record, RR). Each record has an owner name, a TTL, a class (practically always IN, for Internet), a type, and type-specific data (RDATA), and is always associated with a specific domain name.

Main types of records:

  • A (Address) - maps a domain name to an IPv4 address. Example: example.com. IN A 192.0.2.1. This is the most common type of record, used to associate a name with a web server's IP address. A name may have several A records.
  • AAAA (IPv6 Address) - analogous to the A record, but for 128-bit IPv6 addresses. Example: example.com. IN AAAA 2001:db8::1.
  • CNAME (Canonical Name) - declares one domain name (the alias) to be another name (the canonical one). When a client asks for the alias, the server returns the CNAME and the resolver continues the lookup with the canonical name, so several names end up at the same address. Example: www.example.com. IN CNAME example.com. Two rules apply: a name that has a CNAME may have no other records, and therefore the zone apex (example.com itself, which must carry SOA and NS records) cannot be a CNAME.
  • MX (Mail Exchange) - names the mail server that receives mail for the domain. The record carries a preference number (the lower the number, the higher the priority); sending servers try the exchanges in ascending order of preference until one accepts the connection. The target must be a host name with its own A/AAAA record, not a CNAME and not a bare IP address. Example: example.com. IN MX 10 mail1.example.com.
  • NS (Name Server) - names an authoritative DNS server for the zone. Every zone must have NS records at its apex (in practice two or more), the target is written as a fully qualified name (with a dot at the end), and the parent zone holds a copy of these records for delegation. Example: example.com. IN NS ns1.example.com.
  • TXT (Text) - holds arbitrary text strings for a name. Used for domain-ownership verification tokens and for email policies such as SPF, DKIM and DMARC. Example: example.com. IN TXT "v=spf1 a mx ~all"
  • SRV (Service) - points to the servers for a specific service (XMPP, SIP, LDAP, etc.). The owner name encodes the service and protocol (_service._proto.domain), and the data fields are priority, weight, port and target host. Example: _sip._tcp.example.com. IN SRV 0 5 5060 sipserver.example.com. (priority 0, weight 5, port 5060).

This is not an exhaustive list, but these are the most common types of records. Here is how they can be used for the site www.example.com:

example.com.             IN  A      192.0.2.1
www.example.com.         IN  CNAME  example.com.
example.com.             IN  MX     10 mail.example.com.
example.com.             IN  TXT    "v=spf1 a mx ~all"
_sip._tcp.example.com.   IN  SRV    0 5 5060 sip.example.com.


In this configuration:

  • The site is accessible at both example.com and www.example.com (via the CNAME)
  • The web server is located at IP address 192.0.2.1 (A record)
  • Mail for the domain is handled by mail.example.com (MX record); that host name still needs its own A or AAAA record, which is not shown above
  • The SPF policy used for anti-spam checks is published (TXT record)
  • The SIP server for IP telephony is sip.example.com on port 5060 (SRV record); it too needs an A or AAAA record
  • Not shown, but required for a working zone: the SOA record and at least two NS records at example.com

By changing DNS records, you can flexibly manage where requests to your domain go and spread load between servers. When you move a website to another hosting provider, it is enough to change a single A record for traffic to go to the new IP address. In practice you lower that record's TTL a day or so in advance, so that resolvers holding the old address stop using it quickly, and raise it again once the move is done.
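The rules scattered through the record descriptions above (no other data next to a CNAME, MX and SRV targets must be real hosts rather than aliases, SOA and NS at the apex) are exactly what a zone checker should enforce before records are published. The following added example, not code from the article, parses a flat zone listing and reports violations. The zone text is the article's own example set extended with A records for the mail and SIP hosts and two deliberately broken records; the checker is a simplification (no $ORIGIN, $TTL or multi-line records) and the record values are assumptions for the example.

```python
import shlex
from collections import defaultdict

# Constructed zone: the article's records, plus the mail/sip hosts and two faults.
ZONE_TEXT = """
example.com.            IN A     192.0.2.1
www.example.com.        IN CNAME example.com.
www.example.com.        IN TXT   "site-verification=abc123"   ; fault: other data next to a CNAME
example.com.            IN MX    10 mail.example.com.
example.com.            IN TXT   "v=spf1 a mx ~all"
_sip._tcp.example.com.  IN SRV   0 5 5060 sip.example.com.
mail.example.com.       IN A     192.0.2.25
sip.example.com.        IN CNAME example.com.                  ; fault: SRV target is an alias
"""


def parse_zone(text):
    """Return (owner, type, rdata_fields) for each record line. Quoted TXT
    strings stay intact and ';' starts a comment, as in zone-file syntax."""
    records = []
    for line in text.splitlines():
        lexer = shlex.shlex(line, posix=True)
        lexer.whitespace_split = True
        lexer.commenters = ";"
        fields = list(lexer)
        if not fields:
            continue
        owner, _klass, rtype, *rdata = fields
        records.append((owner.lower(), rtype.upper(), rdata))
    return records


def target_of(rtype, rdata):
    """The RDATA field that names another host, for the types that have one."""
    index = {"CNAME": 0, "NS": 0, "MX": 1, "SRV": 3}.get(rtype)
    return None if index is None else rdata[index].lower()


def in_zone(name, apex):
    return name == apex or name.endswith("." + apex)


def check_zone(records, apex):
    apex = apex.lower()
    problems = []
    types_at = defaultdict(set)            # owner name -> set of record types present
    for owner, rtype, _ in records:
        types_at[owner].add(rtype)

    for owner, rtype, rdata in records:
        if not owner.endswith("."):
            problems.append("%s %s: owner name is not fully qualified" % (owner, rtype))
        target = target_of(rtype, rdata)
        if target is None:
            continue
        if not target.endswith("."):
            problems.append("%s %s: target %s is not fully qualified" % (owner, rtype, target))
        elif rtype in ("MX", "NS", "SRV") and "CNAME" in types_at[target]:
            # RFC 2181 s10.3 (MX/NS) and RFC 2782 (SRV): the target must not be an alias
            problems.append("%s %s: target %s is a CNAME, which RFC 2181/2782 forbid here" % (owner, rtype, target))
        elif rtype in ("MX", "SRV") and in_zone(target, apex) and not types_at[target] & {"A", "AAAA"}:
            problems.append("%s %s: target %s has no A/AAAA record in this zone" % (owner, rtype, target))

    for owner, types in types_at.items():
        if "CNAME" in types and len(types) > 1:   # RFC 1034 s3.6.2
            problems.append("%s: CNAME cannot coexist with %s (RFC 1034 s3.6.2)" % (owner, sorted(types - {"CNAME"})))
    for required in ("SOA", "NS"):
        if required not in types_at[apex]:
            problems.append("%s: zone apex is missing its %s record" % (apex, required))
    return problems


if __name__ == "__main__":
    for problem in check_zone(parse_zone(ZONE_TEXT), "example.com."):
        print("-", problem)
```

Run against the listing above, the checker reports the two planted faults and the two structural omissions (no SOA, no NS at the apex); once those are corrected it returns an empty list. The same checks are worth running in a CI step before any zone change is pushed to the authoritative servers.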

Practical benefits of DNS

The DNS domain name system is of great practical benefit to all Internet users. It makes the web more friendly and empowers website owners. Let's highlight the main advantages:

Convenience for users

Imagine that DNS does not exist. Then you would have to enter an IP address in your browser every time you wanted to go to a website, something like 104.18.18.18 instead of a name. It's doubtful that the Internet would have become so widespread in that case.

DNS allows you to use easy-to-remember text names for websites instead of numeric IP addresses. It is much easier to type wikipedia.org than 208.80.154.224. This is especially important for commercial projects - the apple.com domain will be more effective than a numbered address for both advertising and user loyalty.

Flexibility for website owners

With the help of DNS records, domain owners get a lot of opportunities to manage the operation of their resources:

  • Aliasing names with CNAME records. For example, blog.example.com can be made an alias of a blogging platform's host name, or shop.example.com can point at the host name of a hosted store such as Shopify, so the platform serves your content under your own name. A CNAME maps a name to a name: sending visitors to a path such as www.example.com/blog is done by the web server with an HTTP redirect, not by DNS.
  • Load distribution between servers. One name can have several A records with the addresses of different servers. Authoritative servers usually rotate the order of the addresses (round-robin), and most clients use the first one, so visitors are spread across the servers. Note that plain DNS round-robin does no health checking: a dead server keeps receiving its share until its record is removed and cached copies expire.
  • Separate servers for different tasks. You can move the mail server to a separate machine and specify its address in the MX record. The same goes for FTP, SSH, and other services. This makes it easier to scale and administer large projects.

Decentralization of management

The DNS is a distributed system, and no one owns it alone. The management of top-level domains is decentralized between ICANN and hundreds of registrars. And millions of ordinary website owners are already responsible for subdomains.

This scheme provides flexibility, scalability, and resilience of DNS. There is no single point of failure, and local failures do not affect the entire system. DNS servers work as a well-coordinated mechanism without a single control center.

Caching for fast response times

Caching is built into the DNS: every record carries a TTL (time to live) that says how long it may be reused. During that time, a repeated request for the same name is answered by the recursive resolver from its cache, without querying the authoritative servers again.

Thanks to this, in most cases, resolving is very fast - within 1-100 ms. Users receive a response almost instantly, although under the hood, there is a complex process of polling many geographically distributed servers.

Additional business opportunities

DNS provides businesses with additional opportunities for branding, customer acquisition, and process automation:

  • Employee addresses in the corporate domain (for example, john@company.com), which increases trust and brand recognition in correspondence.
  • Create different subdomains for language versions of the website (en.example.com, es.example.com), regions (eu.example.com, asia.example.com), or new products (game.example.com).
  • Setting up SPF and DKIM records to verify email authenticity, fight spam and phishing.
  • Integration with CDNs to speed up the loading of content from geographically close points of presence of the provider.

But even for small non-commercial sites, the benefits of DNS are invaluable. A second-level domain is inexpensive ($5-20 per year), but it allows you to be remembered by people, easily share links, and experiment with different services and hosting.

Without exaggeration, DNS has become the foundation of the modern Internet and allowed it to gain massive popularity among ordinary users. But behind this convenience are complex technologies, and security issues come to the fore.


DNS security and stability

DNS is a critical infrastructure for the Internet. If the system stops functioning, all websites will become inaccessible. And if the data in the DNS is incorrect, users may end up on fake or malicious resources.

Therefore, the issues of security, stability, and protection against attacks come to the fore when designing and maintaining a DNS. Let's take a look at the main risks and methods of preventing them.

Attacks on DNS

In recent years, there have been numerous attempts to attack the DNS infrastructure as a whole, as well as individual providers and domain owners. The most common types of attacks:

  • Cache poisoning - planting a forged record in a resolver's cache. Classic DNS runs over UDP, and a resolver accepts the first reply whose 16-bit transaction ID and destination port match an outstanding query. An attacker who can guess those values and beat the genuine reply can make the resolver cache a wrong address, after which every client of that resolver is sent to the wrong site. In 2008, Dan Kaminsky showed that the guessing can be repeated indefinitely by asking for fresh random names, which turned a slow, theoretical attack into one that succeeds within seconds to minutes. DNS server vendors responded by randomizing the source port of outgoing queries, adding roughly 16 more bits that an attacker has to guess.
  • DNS hijacking is the redirection of a domain's records to attacker-controlled servers. It can occur through misconfiguration, stolen registrar or DNS-provider credentials, or compromise of the registrar itself. For example, in 2013, attackers gained control of the rbc.ru domain and displayed a fake version of the RBC website for several hours.
  • DDoS (distributed denial of service). Authoritative servers or resolvers are flooded with a huge number of queries to exhaust their resources and make them unavailable; since clients can no longer resolve names, the sites behind them become unreachable even though their web servers are fine. One of the largest such attacks hit the DNS provider Dyn in October 2016, with peak traffic reported at about 1.2 Tbit/s from the Mirai botnet of compromised IoT devices; Twitter, Netflix, CNN and many other sites became inaccessible. DNS is also abused as a weapon against others: open resolvers answer small spoofed queries with much larger responses, so an attacker can amplify traffic toward a victim (reflection attacks).

Often, attacks are used in combination - for example, first, the domain's DNS records are changed, and then the site is disabled by a huge number of requests.
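To make the cache-poisoning discussion concrete, the following added example (not code from the article) shows the two checks a resolver applies to a UDP reply, and the arithmetic behind why source-port randomization was the fix. A reply is used only if its transaction ID, port and question match the outstanding query; even then, records that name domains outside the zone the queried server is responsible for are dropped (the bailiwick rule). The forged reply, the 0x5C1F transaction ID, the port number and the attacker names are constructed for this scenario. Real resolvers apply stricter rules still about which additional records they will cache; the point here is that bailiwick filtering alone does not stop a forged record for a name inside the zone, so the unpredictability of the ID and port is what the defence actually rests on.

```python
import math


def in_bailiwick(name, zone):
    """True if name is zone itself or lies below it."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


def accept_reply(pending, reply, server_zone):
    """'pending' is the query the resolver sent (transaction ID, source port,
    question); 'reply' is the datagram that came back. Returns None if the reply
    does not match the outstanding query, otherwise the records the resolver is
    willing to cache: anything naming a domain outside the zone the queried
    server is responsible for is discarded (the bailiwick rule), so one reply
    cannot smuggle in records for unrelated zones."""
    if reply["txid"] != pending["txid"] or reply["port"] != pending["port"]:
        return None                            # wrong guess: silently ignored
    if reply["question"] != pending["question"]:
        return None
    kept = {}
    for section in ("answer", "authority", "additional"):
        kept[section] = [rr for rr in reply[section] if in_bailiwick(rr["name"], server_zone)]
    return kept


def forgery_odds(forged_per_window, entropy_bits):
    """An attacker fires N forged replies in the window before the genuine one
    arrives; each must guess entropy_bits of randomness. Returns the success
    probability of one race and the expected number of races. Kaminsky's
    insight was that races can be repeated with a fresh random name each time,
    so the expectation, not the single-race probability, decides whether the
    attack is practical. expm1/log1p keep the small numbers accurate."""
    p_single = -math.expm1(forged_per_window * math.log1p(-(2.0 ** -entropy_bits)))
    return p_single, 1.0 / p_single


# Constructed scenario (not a capture). The resolver asked example.com's
# authoritative server about a random name; the attacker guesses the 16-bit
# transaction ID and replies first, trying to plant an NS record for the zone,
# a glue record for a host in an unrelated zone, and a record for www.example.com.
PENDING = {"txid": 0x5C1F, "port": 41873, "question": ("x9f3k2.example.com.", "A")}
FORGED = {
    "txid": 0x5C1F, "port": 41873, "question": ("x9f3k2.example.com.", "A"),
    "answer": [{"name": "x9f3k2.example.com.", "type": "A", "data": "203.0.113.66"}],
    "authority": [{"name": "example.com.", "type": "NS", "data": "ns.attacker.test."}],
    "additional": [{"name": "ns.attacker.test.", "type": "A", "data": "203.0.113.66"},
                   {"name": "www.example.com.", "type": "A", "data": "203.0.113.66"}],
}
WRONG_GUESS = dict(FORGED, txid=0x5C20)

if __name__ == "__main__":
    print("wrong txid accepted?", accept_reply(PENDING, WRONG_GUESS, "example.com.") is not None)
    kept = accept_reply(PENDING, FORGED, "example.com.")
    print("kept after bailiwick check:", kept["authority"] + kept["additional"])
    for bits in (16, 32):
        p, races = forgery_odds(200, bits)
        print("%2d bits of randomness, 200 forgeries per race: p=%.2e, about %.0f races needed" % (bits, p, races))
```

With only the transaction ID to guess, 200 forged packets per race give the attacker a success in a few hundred races, which is seconds of traffic; adding the randomized port pushes the expectation into the tens of millions, and DNSSEC validation removes the reliance on guessing altogether.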

DNS protection methods

A set of organizational and technical measures is used to protect against attacks, errors, and improve the stability of the DNS:

  • DNSSEC (Domain Name System Security Extensions) adds digital signatures to DNS data. Each zone signs its own records with its keys and publishes the public keys as DNSKEY records; the parent zone publishes a DS record, a hash of the child's key, signed with the parent's own key. This chain leads up to the root zone's key, which validating resolvers know in advance, so a forged or altered response can be detected and discarded. DNSSEC protects authenticity and integrity only: it does not encrypt queries and does not help against DDoS.
  • Anycast is a routing technique in which one IP address is announced from several locations at once. A client's query is routed to the nearest instance, which spreads traffic and makes it harder for an attack to saturate a single site. For example, Cloudflare's DNS service uses anycast from more than 275 locations around the world.
  • Request filtering and reputation analysis at the level of registrars, providers, and DDoS protection services. Malicious traffic is cut off before it reaches the target servers.
  • Disabling open recursion - configuring resolvers to answer recursive queries only from trusted clients (for example, the provider's own network). An open resolver not only carries extra load and is an easier target for cache poisoning, it can also be used as a reflector to amplify DDoS traffic against third parties. Authoritative servers should not offer recursion at all.
  • Set the TTL (time to live) of records to sensible values. With a low TTL, records are refreshed frequently, creating extra load; if the TTL is too high, clients keep using outdated data long after a change, which slows down migrations and incident response.
  • Monitor the availability and response time of DNS servers to quickly detect problems and DDoS attacks. For example, the free projects nic.ru and dnsmon.org monitor the DNS root servers.
  • Redundancy of servers and communication channels so that in the event of a failure, part of the infrastructure continues to work. The name servers for a zone should sit on different networks, ideally with different providers.
  • Updating DNS server software and timely remediation of identified vulnerabilities.
  • Protecting the registrar account against hijacking: strong authentication for the account that can change NS records, and a registrar lock on the domain so that transfers and name-server changes need an explicit unlock.
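The link between the levels of the DNSSEC chain of trust is the DS record: the parent does not sign the child's key directly, it publishes a hash of the child's DNSKEY and signs that. The following added example (not code from the article) computes a DS from a DNSKEY exactly as RFC 4034 specifies and shows the comparison a validating resolver makes when it steps from .com down to example.com. It covers only this one link: no RRSIG signatures are verified. The key bytes are a constructed placeholder pattern, not a real key, and the algorithm number 13 and the example.com owner name are assumptions for the example.

```python
import hashlib
import struct

DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}   # DS digest types (RFC 4034, 4509, 6605)


def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (257 = zone key + secure entry point, i.e. a KSK),
    protocol (always 3), algorithm number, then the raw public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B: the 16-bit tag that lets a DS (or RRSIG) say which
    DNSKEY it refers to. It is a checksum, not a hash, so it only narrows the
    choice; the digest does the real matching."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata, digest_type=2):
    """DS RDATA the parent publishes for a child's DNSKEY:
    (key tag, algorithm, digest type, digest(owner name | DNSKEY RDATA))."""
    digest = hashlib.new(DIGEST_ALGOS[digest_type], wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def ds_matches(ds, owner, rdata):
    """The check a validating resolver makes when it descends from a parent zone
    to a child: recompute the DS from the DNSKEY the child serves and compare
    all four fields. A mismatch means the key is not the one the parent vouched for."""
    return ds == make_ds(owner, rdata, ds[2])


# Constructed placeholder key material (a byte pattern, not a real key), so the
# example runs offline; in a real zone this is the KSK's public key.
CHILD_KEY = bytes(range(3, 67))
CHILD_DNSKEY = dnskey_rdata(257, 13, CHILD_KEY)       # algorithm 13 = ECDSAP256SHA256
PARENT_DS = make_ds("example.com.", CHILD_DNSKEY)     # what .com would publish for example.com

if __name__ == "__main__":
    tag, alg, dtype, digest = PARENT_DS
    print("DS for example.com: tag=%d alg=%d digest_type=%d digest=%s" % (tag, alg, dtype, digest.hex()))
    tampered = dnskey_rdata(257, 13, CHILD_KEY[:-1] + b"\x00")
    print("genuine key matches DS:", ds_matches(PARENT_DS, "example.com.", CHILD_DNSKEY))
    print("substituted key matches DS:", ds_matches(PARENT_DS, "example.com.", tampered))
```

Because the owner name and the flags are part of what is hashed, a key republished under another name, or with its KSK flag changed, fails the check just as a modified key does. This is also why a DNSSEC key rollover has to be coordinated with the parent: until the new DS is published there, a resolver that follows the chain will reject the new key.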

These measures provide a basic level of protection, but it is important to understand that it is impossible to protect against all threats 100% of the time. New attacks and vulnerabilities will continue to emerge, and the DNS system must adapt to the changing threat landscape.

The future of DNS and alternatives

For almost 40 years of its existence, the DNS system has been constantly evolving, gaining new features and additional standards. The current DNS specification (including DNSSEC) is more than 2000 pages of RFC text. And this process is ongoing.

Among the new proposals for the development of DNS:

  • DNS over HTTPS (DoH) - sending DNS queries over HTTPS so that nobody on the path between the client and the resolver (the local network, the access provider) can read or tamper with them. Supported in current versions of Chrome, Firefox, and Edge. Note that the resolver operator still sees every query: DoH moves trust, it does not remove it.
  • DNS over TLS (DoT) achieves the same as DoH, but runs DNS directly over a TLS connection on a dedicated port, 853, which makes it easy to recognize and block on a network.
  • DANE (DNS-based Authentication of Named Entities) - publishing a server's certificate or public key (for example, for a web or mail server) directly in DNS as a TLSA record. It relies on DNSSEC for its security and can supplement or, in principle, replace the certificate-authority public key infrastructure (PKI); in practice it is used mostly for SMTP between mail servers.
  • DNAME - an alias record for a whole subtree. Unlike a CNAME, which aliases a single name, one DNAME record maps every name below its owner (but not the owner itself) onto the corresponding name below another domain.

These and many other innovations are gradually being implemented by various players - browsers, operating systems, resolver operators, and domain registrars. But so far none of them has displaced classic, unencrypted DNS as the common default.

Also, DNS is not perfect, and it has fundamental flaws:

  • Centralized management at the level of ICANN, registries and registrars. Although DNS is called a distributed database, the root zone and the top-level domains are controlled by a small number of organizations, which can also take a name away from its holder.
  • Lack of privacy - by default, the resolver operator and anyone on the network path (the access provider, the operator of a cafe's free Wi-Fi) can see which names you look up.
  • No encryption or authentication in the base protocol, which is what DNSSEC, DoT and DoH were later added to address.
  • Names only - a domain name identifies a host, not a page or a piece of content, so you cannot make a DNS alias for a specific page of a site or for a copy of it in IPFS.

This generates interest in alternative name resolution systems, including:

  • ENS (Ethereum Name Service) is a domain name system on the Ethereum blockchain. Allows you to register .eth domains and associate them with wallets, smart contracts, and websites hosted in IPFS.
  • Handshake is a decentralized analogue of DNS on its own blockchain. Unlike ICANN, it is community-driven and censorship-resistant.
  • OpenNIC is an alternative DNS root zone independent of ICANN. The community of enthusiasts is developing more than 20 new domain zones - .geek, .indy, .null, and others.

These alternatives are not yet widespread (with the exception of ENS in the cryptocurrency world), but they show the public demand for a freer, more censorship-resistant and less centralized naming system.

An interesting area of development is the integration of DNS with decentralized web technologies and peer-to-peer networks. This will make it possible to associate DNS names not only with IP addresses, but also with file hashes in networks such as IPFS, BitTorrent, and Filecoin.

There is also a request for human-readable addresses for specific pages of websites, not just domains. The current URL standard is too complicated to memorize and communicate to other people. A simpler and shorter form of addressing can give a new impetus to the development of the Internet.

To summarize, the DNS is evolving and adapting to new challenges. The emergence of technologies such as blockchain and global decentralized repositories provides a basis for experimentation and evolution of the traditional domain name system. Which of the innovations will gain mass acceptance and which alternatives will be in demand largely depends on the needs of users and businesses.
