
DNS 101: An Introduction to Domain Name Servers - tcarriga
https://www.redhat.com/sysadmin/dns-domain-name-servers
======
codercotton
I built a simple DNS (and HTTP headers, and SSL) tool that some may like -
[https://DNSApe.com](https://DNSApe.com)

~~~
tazard
That's very nice, thanks for building & sharing!

~~~
codercotton
Thanks!

------
gambler
_> Domain names provide the internet much more user-friendly way of
referencing servers_

Too bad some people decided that this "friendly name service" should also be
the centerpiece of all encryption on the web, as well as the only thing that
prevents websites from reading each other's client-side data.

~~~
nine_k
What else should have been used?

(Please note that in 1993 a typical PC would spend a significant amount of CPU
to decrypt even 3DES, and encryption beyond 40 bits of key was restricted in
the US and not allowed for export.)

~~~
gambler
The question is not what should have been used. The question is what should be
used right now.

------
buzzdenver
The part I don't fully get is how TLD servers, like .com work. Do they have a
list of registrar DNS servers defined, and they ask them if somebody wants to
resolve a domain they do not know about?

~~~
nitinag
Registrars provide the nameservers you give them to the TLD itself. So,
resolution doesn't depend on the registrar's infrastructure unless you're
using the registrar's nameservers directly.

It works like this: Root -> TLD -> NS -> NS -> ETC.

Root Servers are fixed and everything drills down from there:
[https://www.iana.org/domains/root/servers](https://www.iana.org/domains/root/servers)

A visual example of how the nameserver hops work starting from the root using
the nameserver delegation view feature of our dns lookup tool:
[https://www.misk.com/tools/#dns/news.ycombinator.com@i.root-...](https://www.misk.com/tools/#dns/news.ycombinator.com@i.root-servers.net)

(Disclosure: I work @ Misk.com, an ICANN accredited registrar, our link above)

~~~
buzzdenver
Thank you for the reply. Can you explain how "provide" works in your first
sentence? How does the .com TLD server know who registered google.com ? Seems
like TLD servers still have to know the list of possible registrars where one
can register a domain for their TLD.

~~~
LIV2
Yes, registrars have an agreement with the TLDs and have API access that
allows them to submit requests for DNS delegation, transfers, registrations,
creating glue records, etc.

The registrar will send a request to the TLD to essentially ask that they
delegate your domain to a specified nameserver, which will add records to the
TLD's zone for your domain.
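
The delegation chain nitinag describes (root, then TLD, then the domain's own nameservers) and the registrar step LIV2 describes (NS plus glue written into the TLD zone), as an added example that is not part of the thread. It is a toy iterative resolver in Python over three constructed in-memory zones; the nameserver names under .test and the documentation-range addresses are assumptions, not real root or .com data. It shows why a name under a domain nobody has registered dies at the TLD with NXDOMAIN, and why the TLD needs glue A records when the nameserver lives inside the domain being delegated.

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    """One authoritative zone: its origin plus an (owner, type) -> [rdata] table."""
    origin: str
    records: dict = field(default_factory=dict)

    def add(self, name, rtype, rdata):
        self.records.setdefault((name, rtype), []).append(rdata)

    def get(self, name, rtype):
        return list(self.records.get((name, rtype), []))

def ancestors(name):
    """'www.example.com.' -> 'www.example.com.', 'example.com.', 'com.', '.'"""
    labels = [] if name == "." else name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."

def in_zone(qname, origin):
    return origin == "." or qname == origin or qname.endswith("." + origin)

def authoritative_answer(zone, qname, qtype):
    """What a server for `zone` says: a referral (NS plus glue) if qname sits
    below a delegation inside the zone, else the data it holds, else NXDOMAIN."""
    if not in_zone(qname, zone.origin):
        return {"rcode": "REFUSED"}
    for cut in ancestors(qname):
        if cut == zone.origin:          # the zone's own NS set is not a delegation
            break
        ns = zone.get(cut, "NS")
        if ns:                          # zone cut: send the client down the tree
            return {"rcode": "NOERROR", "referral": cut, "ns": ns,
                    "glue": {n: zone.get(n, "A") for n in ns}}
    data = zone.get(qname, qtype)
    return {"rcode": "NOERROR", "answer": data} if data else {"rcode": "NXDOMAIN"}

def resolve(servers, root_ips, qname, qtype, budget=8):
    """Iterative resolution the way a recursive resolver does it: start at a
    root server, follow referrals. Returns (rdata list or None, zones asked)."""
    path, ips = [], list(root_ips)
    while ips and budget > 0:
        budget -= 1
        zone = servers.get(ips[0])
        if zone is None:
            return None, path           # nameserver address we cannot reach
        resp = authoritative_answer(zone, qname, qtype)
        path.append((zone.origin, resp["rcode"]))
        if "answer" in resp:
            return resp["answer"], path
        if "referral" not in resp:
            return None, path
        ips = [a for n in resp["ns"] for a in resp["glue"][n]]
        if not ips:                     # out-of-bailiwick NS, no glue: resolve it first
            for n in resp["ns"]:
                addrs, _ = resolve(servers, root_ips, n, "A", budget)
                ips += addrs or []
    return None, path

def registrar_delegate(tld, domain, nameservers, glue_addrs):
    """What lands in the TLD zone after the registrar's delegation request:
    NS records for the domain, plus A glue for nameservers *inside* the domain."""
    for ns in nameservers:
        tld.add(domain, "NS", ns)
        if ns.endswith("." + domain) and ns in glue_addrs:
            tld.add(ns, "A", glue_addrs[ns])

def build_zones():
    """Constructed root, com and example.com zones (assumed data, RFC 5737 addresses)."""
    root, com, example = Zone("."), Zone("com."), Zone("example.com.")
    root.add(".", "NS", "ns.root.test.")
    root.add("com.", "NS", "ns.com.test.")            # root delegates com. ...
    root.add("ns.com.test.", "A", "192.0.2.2")         # ... with glue for its server
    com.add("com.", "NS", "ns.com.test.")
    example.add("example.com.", "NS", "ns1.example.com.")
    example.add("ns1.example.com.", "A", "198.51.100.53")
    example.add("www.example.com.", "A", "203.0.113.80")
    servers = {"192.0.2.1": root, "192.0.2.2": com, "198.51.100.53": example}
    return servers, ["192.0.2.1"], com

def demo():
    """Resolve www.example.com before and after the registrar delegates example.com."""
    servers, root_ips, com = build_zones()
    before = resolve(servers, root_ips, "www.example.com.", "A")
    registrar_delegate(com, "example.com.", ["ns1.example.com."],
                       {"ns1.example.com.": "198.51.100.53"})
    after = resolve(servers, root_ips, "www.example.com.", "A")
    return before, after

if __name__ == "__main__":
    for label, (rdata, path) in zip(("before", "after"), demo()):
        print(label, rdata, path)
```

Before the registrar's request the com server has no NS records for example.com and answers NXDOMAIN; afterwards it hands back a referral with the glue address and the walk ends at the domain's own server. `dig +trace www.example.com` performs the same walk against the real tree and prints each referral.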

------
octosphere
DNS was always a thorn in my side. I never liked the way it was a single point
of failure and the first thing attackers looked at when analyzing traffic.
Luckily with things like DoH[0], looking at DNS traffic is a lot less invasive
in terms of privacy.

And even more lucky, and something that serves us all is Mozilla's attempt to
bake this as the default (DoH) in their mainline browsers. My only complaint
being that they use Cloudflare as the default & Cloudflare acts as a honeypot
for Internet traffic. If they (Mozilla) could move away from Cloudflare as a
partner then that would be great. (Of course this demands a new privacy-
respecting provider to serve requests for the user :p)

[0]
[https://en.wikipedia.org/wiki/DNS_over_HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS)

~~~
darkarmani
> I never liked the way it was a single point of failure

What? I don't understand what the single point is here.

The webserver you are trying to connect to has a higher failure rate than DNS.

~~~
MayeulC
True, however the failure rate of _all_ of the webservers you might want to
connect to is much lower than the DNS server's.

Moreover, the DNS failure might not come from the DNS server, but a
misconfigured computer/router/DHCP server, etc. And it depends a lot on your
DNS server itself. It is a single point (chain, if you want) of failure, and
tends to fail quite often, in my experience.

~~~
wcip
What about the failure rate of _all_ the DNS servers? It's not like someone
set up a Windows Server box and we all share it. Google's DNS server at
8.8.8.8 for example uses some sort of complex multihoming/multicast setup and
is globally distributed. I trust DNS to work more than any other service on
the internet. It's a triumph of software engineering. The Roman aqueduct of
the internet.

~~~
waste_monk
AFAIK they use Anycast for the multihoming [0] - It follows the normal routing
process, but the anycasted network is announced from multiple sites instead of
just one.

AFAIK Google have ~19 data centres, and DNS / 8.8.8.8 is probably being served
from all or most of them. So it is indeed very reliable.

[0]
[https://en.wikipedia.org/wiki/Anycast](https://en.wikipedia.org/wiki/Anycast)

------
agret
Interesting article but needs a bit more depth, for instance it mentions
incredibly briefly the MX record

 _> The PTR (or reverse) record query is used to validate that the IP address
is assigned to the same host that is resolved in the Mail eXchanger (MX)
record query_

It does not explain that when you try to send an email, the MX record is what
is referenced as to where the email should go. It also neglects to mention
"round-robin" DNS or Anycast DNS, which are used to distribute the web and are
an important part of modern-day internet usage.

------
mampersat
Sad that Dyn.com is no longer part of this discussion

------
darkhorn
Any idea on why I cannot get reverse DNS when I dig IP address of my web site
from my work computer? No issue from home.

~~~
neuronflux
Perhaps an issue with your local DNS server. Use Google's public resolver to
test.

    dig @8.8.8.8 -x <ip address>
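
As an added example (not code from the thread), what `dig -x` builds before it sends the query, plus the forward-confirmation check that the article's PTR/MX sentence quoted by agret refers to: the reverse name must resolve to a hostname whose address record contains the original address. The PTR and A records below are constructed, using documentation-range addresses and example.com/example.net names; nothing is looked up on the network.

```python
import ipaddress

def reverse_name(ip: str) -> str:
    """The owner name `dig -x` queries for a PTR record: IPv4 octets reversed
    under in-addr.arpa, or all 32 nibbles of the expanded IPv6 address
    reversed under ip6.arpa. Returned fully qualified (trailing dot)."""
    addr = ipaddress.ip_address(ip)            # raises ValueError on junk input
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")    # zero-padded, so '::' expands correctly
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def forward_confirmed(ip: str, ptr_records: dict, a_records: dict):
    """Forward-confirmed reverse DNS: the PTR name for `ip` must itself have an
    address record containing `ip`. Lookups here hit constructed dicts keyed by
    fully qualified name; in production they would be real queries.
    Returns (confirmed, detail)."""
    target = str(ipaddress.ip_address(ip))      # canonical form for comparison
    names = ptr_records.get(reverse_name(ip), [])
    if not names:
        return False, "no PTR record"
    for name in names:
        if any(str(ipaddress.ip_address(a)) == target for a in a_records.get(name, [])):
            return True, name
    return False, "PTR target %s does not resolve back to %s" % (names[0], ip)

# Constructed records (assumed data: RFC 5737 / RFC 3849 addresses, example.* names).
PTR_RECORDS = {
    "80.113.0.203.in-addr.arpa.": ["mail.example.com."],   # consistent pair
    "81.113.0.203.in-addr.arpa.": ["mail.example.net."],   # PTR present, forward disagrees
    reverse_name("2001:db8::1"): ["mx6.example.com."],
}
A_RECORDS = {
    "mail.example.com.": ["203.0.113.80"],
    "mail.example.net.": ["198.51.100.7"],                 # not 203.0.113.81
    "mx6.example.com.": ["2001:db8::1"],
}

def check_all():
    """Run the check over a few constructed addresses; returns {ip: (ok, detail)}."""
    return {ip: forward_confirmed(ip, PTR_RECORDS, A_RECORDS)
            for ip in ("203.0.113.80", "203.0.113.81", "203.0.113.82", "2001:db8::1")}

if __name__ == "__main__":
    for ip, (ok, detail) in check_all().items():
        print(ip, "->", reverse_name(ip), "OK" if ok else "FAIL", detail)
```

The second address is the case worth recognising: a PTR exists, so `dig -x` returns something, but the name it points at resolves elsewhere, which receiving mail servers commonly treat as a failed check. The IPv6 name shows why you let a tool do the reversal: every nibble of the zero-expanded address becomes its own label.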

------
cassianoleal
All you need to know about DNS in 15 minutes.

[https://www.youtube.com/watch?v=4ZtFk2dtqv0](https://www.youtube.com/watch?v=4ZtFk2dtqv0)

~~~
teh_klev
I read the article twice in under seven minutes and also didn't have to put up
with a grown adult pretending to be a cat.

~~~
nine_k
YouTube allows speed-up up to 2x. 1.5x is great when you have to listen to
spoken text not available otherwise.

~~~
teh_klev
There's some textual detail in the video that seems important to his
presentation which could be missed at 2x/1.5x and I like listening to things
at normal speed. Listening any faster would probably make his speech
affectation even more deeply annoying. It's just a terrible presentation.

------
gerdesj
I was trundling along quite happily (had to squint or sigh a few times) until
I hit this:

"The name of the root is the empty string (" ") generally denoted with a dot
(.):"

... and left.

~~~
yjftsjthsd-h
Why? Do you think it's untrue, or overly pedantic, or...? AFAIK that's just a
simple factually-correct statement.

~~~
gerdesj
Which is it? " " or ".". That's an easy way to confuse people whilst trying to
be complete. This is supposed to be a 101 class.

. is the designation for root in DNS but it is not spelt out except where it
is!

For example: In a (BIND) zone file you terminate an entry with . otherwise it
is considered relative to the "current" domain. When you type into your
browser something like www.example.com you don't include a trailing dot.

Finally, the empty string was shown like this: " ". That's a space.

So, that's why I switched off.
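
gerdesj's zone-file point, as an added example that is not from the thread: a small Python reader for a constructed BIND-style zone that applies the trailing-dot rule, so a name without a terminating dot gets $ORIGIN appended. The sample zone, names and addresses are made up (example.com, documentation ranges); the `bad` CNAME line shows the classic mistake of writing `example.com` without the dot.

```python
def qualify(name: str, origin: str) -> str:
    """Zone-file name rules: '@' means the origin, a trailing dot makes the name
    absolute, anything else is relative and gets $ORIGIN appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin

# Types whose RDATA ends in a domain name subject to the same rule.
NAME_RDATA_TYPES = {"NS", "CNAME", "PTR", "MX", "SRV"}

def parse_zone(text: str, origin: str = "."):
    """Minimal BIND-style zone reader: $ORIGIN, $TTL, comments, the blank-owner
    shorthand and optional TTL/class columns. Returns a list of
    (owner, type, rdata) with every name fully qualified."""
    records, last_owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):                   # a relative $ORIGIN is
            origin = qualify(line.split()[1], origin)    # qualified by the same rule
            continue
        if line.startswith("$TTL"):
            continue
        fields = line.split()
        if line[0] in " \t":                             # blank owner: reuse previous
            owner = last_owner
        else:
            owner, fields = qualify(fields[0], origin), fields[1:]
        last_owner = owner
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                                # optional TTL and class
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in NAME_RDATA_TYPES:
            rdata[-1] = qualify(rdata[-1], origin)
        elif rtype == "SOA":                             # MNAME and RNAME
            rdata[0], rdata[1] = qualify(rdata[0], origin), qualify(rdata[1], origin)
        records.append((owner, rtype, " ".join(rdata)))
    return records

# Constructed zone; example.com and the RFC 5737 addresses are assumptions.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA   ns1 hostmaster 2024010101 7200 900 1209600 3600
        IN NS    ns1
        IN NS    ns2.example.net.          ; absolute: trailing dot
www     IN A     203.0.113.80
ftp     IN CNAME www                       ; relative: becomes www.example.com.
bad     IN CNAME example.com               ; missing dot: example.com.example.com.
ns1     IN A     198.51.100.53
"""

if __name__ == "__main__":
    for owner, rtype, rdata in parse_zone(SAMPLE_ZONE):
        print(f"{owner:22} {rtype:6} {rdata}")
```

Running it prints `bad.example.com.  CNAME  example.com.example.com.`, which is exactly the record BIND would load and serve; `named-checkzone` does not flag it because it is syntactically valid, so the only defence is knowing the rule.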

