DNS Deep Dive

A Q&A to try to understand DNS in depth

Basil A.
16 min read · May 6, 2023

After reading many articles on how DNS works, I always felt I had something missing. There was a gap in my understanding of DNS records and server types.

Later, I decided to try another approach, to learn how DNS works via a Q&A session with ChatGPT. I was impressed with the results. Forget all the AI frenzy going around, and look at it from a research perspective: ChatGPT is one hell of a tool for research and deep diving into subjects. You can always ask for extra clarification on any point while reading ChatGPT's explanations.

So here I go, my Questions and Answers to ChatGPT that now probably make me a DNS expert…

What are the types of DNS servers?

There are several types of DNS (Domain Name System) servers that are used to manage and resolve domain names to IP addresses. Here are some of the most common types of DNS servers:

  1. Recursive DNS Servers: These DNS servers are used by end-users to resolve domain names to IP addresses. When a recursive DNS server receives a query for a domain name, it will either provide the IP address if it has the information cached or it will recursively query other DNS servers to find the answer.
  2. Authoritative DNS Servers: These DNS servers hold the official DNS records for a domain name. When a recursive DNS server queries an authoritative DNS server, it can provide the IP address of the domain name being queried.
  3. Root DNS Servers: These DNS servers are responsible for the root zone of the DNS system. They maintain a list of the top-level domain (TLD) servers (such as .com, .org, .net, etc.) and direct queries for these TLDs to the appropriate TLD server.
  4. TLD (Top-Level Domain) DNS Servers: These DNS servers are responsible for the domain names in a specific TLD (such as .com, .org, .net, etc.). They provide information on the authoritative DNS servers for the domain names within their TLD.
  5. Caching DNS Servers: These DNS servers store recently accessed DNS information in memory so that they can respond more quickly to future queries for the same domain name.
  6. Forwarding DNS Servers: These DNS servers are configured to forward queries for certain domain names to another DNS server instead of resolving the query themselves.

These are some of the main types of DNS servers, and each plays an important role in the DNS system.

How many root DNS servers are there?

There are 13 root DNS servers in the world, which are operated by different organizations under contract with the Internet Corporation for Assigned Names and Numbers (ICANN). These root DNS servers are critical components of the global DNS infrastructure, as they serve as the initial point of contact for all DNS queries.

Each root DNS server is assigned a unique IP address, and they are distributed geographically across the world to ensure that DNS queries can be handled quickly and reliably from anywhere. The 13 root DNS servers are identified by the letters A through M, and their IP addresses are listed publicly in various places, including on the ICANN website.

It’s worth noting that while there are only 13 root DNS servers, they do not contain all of the DNS records for every domain name on the Internet. Instead, they provide information about the authoritative DNS servers for each top-level domain (such as .com, .org, etc.), which in turn provide more specific DNS information for individual domain names.

Which organizations operate these 13 root DNS servers?

The operation of the 13 root DNS servers is a collaborative effort among several organizations under contract with the Internet Corporation for Assigned Names and Numbers (ICANN). These organizations are known as the Root Zone Maintainer (RZM) organizations and include:

  1. Verisign, Inc. (operates two root servers, labeled A and J)
  2. University of Southern California, Information Sciences Institute (operates root server D)
  3. Cogent Communications (operates root server M)
  4. University of Maryland (operates root server G)
  5. Internet Systems Consortium, Inc. (operates root server F)
  6. NASA Ames Research Center (operates root server E)
  7. U.S. Department of Defense Network Information Center (operates root server B)
  8. Naval Research Laboratory (operates root server C)
  9. Internet Assigned Numbers Authority (IANA) (operates root server H)
  10. Netnod Internet Exchange AB (operates root server I)
  11. RIPE NCC (Réseaux IP Européens Network Coordination Centre) (operates root server K)
  12. Information Technology and Network Services (IT&NS) of the University of Tokyo (operates root server L)
  13. National Internet Exchange of India (NIXI) (operates root server N)

These organizations work together to ensure that the root DNS servers are maintained and operated in a reliable and secure manner, and that the global DNS system continues to function smoothly.

How many servers is a single root DNS server comprised of?

Each root DNS server is comprised of multiple servers, which are known as instances or copies. The number of instances varies depending on the specific root DNS server and its operator, but most root DNS servers have multiple instances distributed across different geographic locations to ensure redundancy and fault tolerance.

For example, Verisign, which operates two of the root DNS servers (labeled A and J), has more than 60 instances of these servers located around the world. Each instance is a physically separate server that is configured identically to the other instances, and they all contain the same data.

This redundancy and distribution of instances helps to ensure that the root DNS servers can handle a high volume of queries from anywhere in the world, and that if one instance or location goes offline, the others can continue to provide service. It also helps to protect against attacks on the DNS system, as it would be difficult for a single attacker to take down all of the instances of a root DNS server at once.

How does the routing happen to a root DNS server that has many geographically dispersed instances?

The routing to the geographically dispersed instances of a root DNS server is handled using a technique called anycast. Anycast is a network addressing and routing methodology that allows multiple servers to share the same IP address, with the routing infrastructure selecting the closest or most optimal instance based on the geographic location of the requester.

In the case of the root DNS servers, each instance has the same IP address, which is advertised using Border Gateway Protocol (BGP) to routers on the internet. When a DNS query is made to the root DNS server’s IP address, the routing infrastructure on the internet selects the closest instance based on the routing information it has received via BGP.

The selection process is based on the geographical proximity of the requesting DNS resolver to the various instances of the root DNS server, and the routing infrastructure chooses the instance that can provide the fastest response time. This means that DNS queries are automatically routed to the closest instance of the root DNS server, which helps to minimize latency and improve the performance of the DNS resolution process.

It’s worth noting that anycast routing is not a perfect solution, and there are some situations where it may not work as expected. For example, if there is a problem with the routing infrastructure or the geographic location of the DNS resolver is not accurately detected, the request may be routed to a suboptimal instance of the root DNS server. However, anycast routing is generally considered to be an effective way to distribute and balance traffic across multiple geographically dispersed instances of a DNS server.

Can you give examples of problems that might occur in the routing infrastructure?

Yes, there are several issues that can occur in the routing infrastructure that could affect the proper functioning of anycast routing and the routing to the geographically dispersed instances of a root DNS server. Here are a few examples:

  1. BGP hijacking: BGP (Border Gateway Protocol) is the protocol that is used to exchange routing information between different networks on the internet. BGP hijacking occurs when an attacker gains control of a BGP router and announces fraudulent routing information to misdirect traffic to a different network or server. In the context of anycast routing for the root DNS servers, BGP hijacking could cause traffic to be routed to an incorrect or malicious server, rather than the intended root DNS server instance.
  2. Congestion or network outages: Network congestion or outages can occur due to a variety of reasons, such as natural disasters, equipment failures, or deliberate attacks. If there is congestion or an outage on a particular network segment that is used for routing to a root DNS server instance, requests may be routed to a suboptimal instance, resulting in slower response times or even failed queries.
  3. Incorrect geolocation data: Anycast routing relies on accurate geolocation data to determine the closest instance of a root DNS server for a given request. However, if the geolocation data is incorrect or out-of-date, requests may be routed to a suboptimal instance that is farther away, resulting in slower response times.
  4. Inaccurate network measurements: Anycast routing also relies on accurate network measurements, such as round-trip times and latency, to determine the optimal instance of a root DNS server for a given request. However, inaccurate measurements can result in suboptimal routing decisions, leading to slower response times or even failed queries.

These are just a few examples of issues that can occur in the routing infrastructure and affect anycast routing to the geographically dispersed

Are DNS resolvers and recursive DNS servers the same thing?

In the context of the Domain Name System (DNS), DNS resolvers and recursive DNS servers are similar but not exactly the same thing.

A DNS resolver is a client-side application or service that sends DNS queries to a DNS server and receives the corresponding DNS response. DNS resolvers are typically used by end-user devices, such as computers and smartphones, to resolve domain names into IP addresses.

A recursive DNS server, on the other hand, is a DNS server that performs the entire DNS resolution process on behalf of the DNS resolver. When a DNS resolver sends a query to a recursive DNS server, the recursive DNS server will either respond with the requested IP address, or it will recursively query other DNS servers on behalf of the resolver until it can provide a complete answer.

In practice, many DNS resolvers are configured to use a recursive DNS server as their upstream DNS server. This means that the DNS resolver sends its queries to the recursive DNS server, which then performs the DNS resolution process on behalf of the resolver.

So while DNS resolvers and recursive DNS servers are not exactly the same thing, they are closely related and often used together in the DNS resolution process.

How many TLD DNS servers are there?

There are many Top-Level Domain (TLD) DNS servers, with each TLD having its own set of DNS servers. The number of TLD DNS servers depends on the number of TLDs that exist in the DNS system.

As of May 2023, there are more than 1,500 TLDs in the DNS system, which means that there are also more than 1,500 sets of TLD DNS servers. Each TLD typically has multiple DNS servers to provide redundancy and ensure that the TLD remains available even if some of the DNS servers fail or become unavailable.

For example, the .com TLD, which is one of the most widely used TLDs, has 13 DNS servers that are operated by different organizations. These servers are spread across different locations around the world and use anycast routing to ensure that queries are directed to the nearest available server. Other TLDs may have different numbers of DNS servers depending on the size and complexity of the TLD.

Overall, the DNS system relies on a complex network of servers, including the root DNS servers, TLD DNS servers, and authoritative DNS servers for individual domain names, to provide reliable and fast DNS resolution services.

How many authoritative DNS servers are there?

The number of authoritative DNS servers varies depending on the number of registered domain names and the number of name servers associated with each domain name. In general, there are millions of authoritative DNS servers in the world.

Every domain name has at least one authoritative DNS server, which is responsible for providing the IP address information for that domain name. For example, if you want to visit a website with the domain name “example.com”, your DNS resolver will send a query to the authoritative DNS server(s) for the “com” TLD to find the IP address of the authoritative DNS server(s) for the “example.com” domain. Your resolver will then send a query to the authoritative DNS server(s) for “example.com” to get the IP address of the web server hosting the website.

Large websites and organizations may have many authoritative DNS servers to provide redundancy and ensure that their domain name resolution remains available even if some servers fail or become unavailable. For example, some popular websites may have hundreds or even thousands of authoritative DNS servers distributed across different locations around the world.

Overall, the number of authoritative DNS servers is constantly changing as new domain names are registered and existing domain names are updated.

How many DNS resolvers are running on my laptop?

It’s difficult to say exactly how many DNS resolvers are running on your laptop without more information about your system and network configuration.

In general, most modern operating systems such as Windows, macOS, and Linux have a built-in DNS resolver that is responsible for resolving domain names into IP addresses. This resolver is typically implemented as a system service or daemon that runs in the background and handles DNS queries from other applications running on your system.

In addition to the built-in DNS resolver, you may have installed additional DNS resolver software on your system, such as DNSCrypt or DNS over HTTPS (DoH) clients. These tools can help improve your privacy and security by encrypting DNS traffic and bypassing certain types of network restrictions.

To determine how many DNS resolvers are running on your laptop, you can check the list of running processes in your operating system’s task manager or system monitor and look for processes related to DNS resolution. However, keep in mind that some DNS resolvers may run as background services or daemons that do not have a visible process in the task manager.

What about the browser, does it act as a DNS resolver?

Yes, web browsers can act as DNS resolvers. When you type a domain name into the address bar of your web browser, the browser sends a DNS query to a DNS resolver to get the IP address of the server hosting the website.

By default, most web browsers use the DNS resolver configured in the operating system’s network settings. However, some web browsers, such as Mozilla Firefox and Google Chrome, have built-in DNS resolvers that can be configured to use alternative DNS servers, such as DNS-over-HTTPS (DoH) servers.

When a browser sends a DNS query, it typically uses a system library called the “resolver library” to perform the DNS resolution process. The resolver library sends the DNS query to the configured DNS resolver, receives the DNS response, and then returns the IP address to the browser, which can then establish a connection with the server hosting the website.

Overall, web browsers are just one of many applications that rely on DNS resolution to access resources on the Internet, and they use the same underlying DNS resolution process as other applications running on your computer.

What are the types of DNS records?

There are many different types of DNS records, each with its own specific purpose. Some of the most commonly used DNS record types include:

  1. A (Address) record: maps a domain name to an IPv4 address
  2. AAAA (IPv6 Address) record: maps a domain name to an IPv6 address
  3. CNAME (Canonical Name) record: maps an alias or nickname to the canonical name of a domain or subdomain
  4. MX (Mail Exchange) record: specifies the mail servers responsible for accepting email messages for a domain
  5. TXT (Text) record: stores arbitrary text data about a domain, often used for domain verification or security purposes
  6. NS (Name Server) record: specifies the authoritative name servers for a domain
  7. SOA (Start of Authority) record: contains administrative information about a DNS zone, such as the primary name server, zone serial number, and refresh interval

In addition to these common record types, there are many others that are used for specific purposes, such as SRV (Service) records for identifying servers that provide particular services, PTR (Pointer) records for reverse DNS lookups, and SPF (Sender Policy Framework) records for email authentication.

DNS records are typically managed by the domain name owner or their DNS provider, and can be updated or modified as needed to reflect changes in the domain’s configuration or hosting environment.

Can you teach me how to use the dig command to navigate those DNS record types?

Sure, I can give you a brief overview of how to use the dig command to retrieve DNS records for a domain.

The dig command is a powerful tool that allows you to perform DNS queries and retrieve information about DNS records for a domain. To use dig, you'll need to have a terminal or command prompt open on your computer.

Here’s an example of how to use the dig command to retrieve the A (Address) record for a domain:

dig example.com A

In this example, example.com is the domain name that you want to retrieve the A record for, and A is the record type that you want to retrieve.

The dig command will send a DNS query to the DNS server configured on your system and retrieve the A record for the domain. The output will include information about the query and the response, such as the IP address associated with the domain:

; <<>> DiG 9.16.15 <<>> example.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36720
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com. 3599 IN A 93.184.216.34
;; Query time: 51 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue May 04 13:42:18 EDT 2021
;; MSG SIZE rcvd: 58

In this output, the IP address 93.184.216.34 is the address associated with the domain example.com.

You can also use the dig command to retrieve other types of DNS records, such as MX records, by specifying the record type as an argument:

dig example.com MX

This will retrieve the MX (Mail Exchange) records for the domain example.com.

There are many other options and features available in the dig command that allow you to customize your DNS queries and retrieve specific types of information about DNS records. You can find more information about the dig command by typing man dig in a terminal or command prompt.

What happens if I run dig on the .com TLD only?

If you run the dig command on the .com top-level domain (TLD) only, it will return information about the authoritative name servers for that TLD.

You can retrieve this information by specifying the domain name com. (note the trailing dot) and the NS record type:

dig com. NS

The output will include a list of authoritative name servers for the .com TLD, along with their IP addresses:

;; ANSWER SECTION:
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800 IN A 192.5.6.30
b.gtld-servers.net. 172800 IN A 192.33.14.30
c.gtld-servers.net. 172800 IN A 192.26.92.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
f.gtld-servers.net. 172800 IN A 192.35.51.30
g.gtld-servers.net. 172800 IN A 192.42.93.30
h.gtld-servers.net. 172800 IN A 192.54.112.30
i.gtld-servers.net. 172800 IN A 192.43.172.30
j.gtld-servers.net. 172800 IN A 192.48.79.30
k.gtld-servers.net. 172800 IN A 192.52.178.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
m.gtld-servers.net. 172800 IN A 192.55.83.30

In this output, you can see that the .com TLD is served by 13 authoritative name servers, which are listed in the ANSWER SECTION of the output. In the ADDITIONAL SECTION, you can see the IP addresses of those name servers.

By default, the dig command will use the DNS resolver configured on your system to send the query and retrieve the response. If you want to specify a different DNS resolver, you can use the @ option followed by the IP address of the resolver:

dig @8.8.8.8 com. NS

How does DNS over HTTPS work and why was it invented?

DNS over HTTPS (DoH) is a protocol that encrypts DNS queries and responses using the HTTPS protocol, typically over port 443. The goal of DoH is to provide privacy and security for DNS queries, making it more difficult for third parties to intercept and read DNS traffic.

Traditionally, DNS queries are sent in plaintext, which means that anyone who has access to the network traffic can see which websites you are accessing. This could include internet service providers, governments, and malicious actors who might use this information for surveillance, censorship, or hacking.

DoH encrypts DNS queries using the same encryption used for HTTPS traffic, which makes it much more difficult for anyone to eavesdrop on the traffic and intercept the queries. The encrypted DNS queries are sent to a DNS resolver that supports DoH, which then sends the queries to authoritative DNS servers to retrieve the DNS records for the requested domain. The resolver encrypts the DNS responses using HTTPS before sending them back to the client.

DoH was invented to address the privacy and security concerns related to DNS queries. By encrypting DNS traffic, DoH prevents third parties from intercepting and reading DNS queries, which can include sensitive information like the domain names of websites that a user is visiting. It also prevents DNS-based attacks like DNS spoofing, DNS cache poisoning, and man-in-the-middle attacks, which can lead to phishing, malware, and other security threats.

DoH has been controversial because it can make it more difficult for network operators to monitor and filter DNS traffic for security or content filtering purposes. However, proponents argue that it is an important tool for protecting user privacy and security, particularly in situations where internet access is censored or monitored by governments or other actors.

Where can I find DNS resolvers that support DNS over HTTPS?

There are many DNS resolvers that support DNS over HTTPS. Here are a few examples:

  1. Cloudflare: Cloudflare’s DNS resolver supports DNS over HTTPS and can be accessed at the IP addresses 1.1.1.1 and 1.0.0.1. They also provide an encrypted DNS service called 1.1.1.1 for Families that blocks malware and adult content.
  2. Google: Google’s DNS resolver supports DNS over HTTPS and can be accessed at the IP addresses 8.8.8.8 and 8.8.4.4. They also provide an encrypted DNS service called Google Public DNS that blocks malicious domains and provides enhanced security features.
  3. Quad9: Quad9’s DNS resolver supports DNS over HTTPS and can be accessed at the IP addresses 9.9.9.9 and 149.112.112.112. They provide a free, public DNS service that blocks malicious domains and offers privacy and security features.
  4. OpenDNS: OpenDNS’s DNS resolver supports DNS over HTTPS and can be accessed at the IP addresses 208.67.222.222 and 208.67.220.220. They provide a secure, cloud-delivered network security service that blocks malware, phishing, and other security threats.

There are also many other DNS resolvers that support DNS over HTTPS, so it’s worth doing some research to find one that meets your needs.

On which network port does DNS over HTTPS work?

DNS over HTTPS (DoH) typically uses the same port as HTTPS traffic, which is port 443. This is the default port used for secure web traffic, so it is a natural choice for DoH traffic as well. By using the same port as HTTPS, DoH can easily bypass firewalls and other network security measures that might be in place to block non-standard ports.

It’s worth noting that some DNS resolvers that support DoH might allow for other ports to be used, but port 443 is the most commonly used port for DoH traffic.
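An added worked example that ties the dig section to the DoH section (my own code, not part of the Q&A above and not from dig or any resolver): it builds the wire message that `dig example.com A` sends, parses a constructed reply mirroring the answer in the dig output above (ID 36720, TTL 3599, 93.184.216.34), and shows the RFC 8484 GET form in which a DoH client carries those same bytes over port 443. All function names are mine and the response bytes are constructed, not captured.

```python
import base64
import struct

TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28, "SRV": 33}
TYPE_NAMES = {v: k for k, v in TYPES.items()}

def encode_name(name):
    """Encode 'example.com' as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels are 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype, txid=36720):
    """The message `dig example.com A` sends: 12-byte header with RD set, then one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPES[qtype], 1)

def decode_name(msg, off):
    """Read a name at `off`, following 0xC0xx compression pointers; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:           # pointer back into an earlier part of the message
            end = off + 2 if end is None else end   # caller resumes after the 2-byte pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                   # a forged pointer loop must not hang the parser
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_response(msg):
    """Parse header, question and answer RRs into the sections dig prints."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, TYPE_NAMES.get(qtype, qtype)))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1:                      # A record: four raw address bytes
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5):               # NS / CNAME: a (possibly compressed) name
            value, _ = decode_name(msg, off - rdlen)
        else:
            value = rdata.hex()
        answers.append((name, ttl, TYPE_NAMES.get(rtype, rtype), value))
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF, "questions": questions, "answers": answers}

def doh_get_path(query):
    """RFC 8484 GET form: the same wire bytes, base64url without padding, inside an HTTPS request
    on port 443. The RFC recommends ID 0 so identical queries are cacheable."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(b"\x00\x00" + query[2:]).rstrip(b"=").decode()

def constructed_response(query):
    """Constructed (not captured) reply mirroring the dig output: example.com. 3599 IN A 93.184.216.34."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)   # QR+RD+RA set, NOERROR
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 3599, 4) + bytes([93, 184, 216, 34])
    return header + query[12:] + answer
```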


Basil A.

A Software Engineer with interests in System Design and Software Engineering done right.