
A Guide to DNS Basics: How and Why

What is DNS?

Devices on networks are identified with numbers, known as addresses. A reader of this blog is likely to be familiar with the original, widely-used address system: IPv4. A great deal of information about a device is derived from or connected to its address. But people struggle to remember numbers, so there’s a translation system: DNS. It is our address book system for network devices.

DNS stands for the Domain Name System. DNS is a hierarchical naming system that maps names to IP addresses assigned to devices (computers, services, and other resources) connected to the internet or private networks. DNS translates human-readable domain names (e.g., www.example.com) into IP addresses (like 203.0.113.0) needed for network communication. It also supports various other record types for different services. It can also get a name from an IP address. This is called reverse DNS.

Resolvers and Authorities

When you click on a link for a web page – or type one into your browser – your operating system will try to find the IP address for the DNS name in the URL. It might already have it in a cache, especially if you opened that page earlier in the day. But it might need to find out the IP address, especially if you just turned on your computer or phone or have never visited the website in question before.

This lookup process is a complex yet rapid sequence of events that unfolds behind the scenes to connect you to your desired destination. Central to this process are two key players: DNS resolvers and DNS authorities. While they work in concert to make the internet user-friendly, they have distinct and separate roles.

The DNS Resolver

Think of a DNS resolver, often called a recursive resolver (because it checks each level of the domain name), as a librarian. Its primary job is to find the (numerical) IP address associated with a human-readable domain name. A computer’s operating system typically connects to a resolver operated by its internet service provider (ISP) or to a public resolver (like 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.), and the operating system manages the connections to and queries of that resolver on behalf of applications.

There are two main methods a resolver can use:

  • Recursive Resolution: Here a single request is sent to a resolver (server) asking for the IP address. The resolver assumes the full responsibility for finding the answer. It will query a series of other DNS servers until it finds the definitive IP address and returns that final answer to your computer.
  • Iterative Resolution: In this less common scenario, the resolver queries another DNS server, which might not have the final answer but will provide a referral to another, more specific server. The resolver must then “iterate” and query this new server, and so on, until it finds the authoritative source.

Resolvers also maintain a cache of recent address searches. In the case of a recently visited website, the resolver will have the IP address stored, allowing it to respond almost instantly without going through the full lookup process. This caching by operating systems and resolvers explains the speed of visits to websites that have been previously visited.

The DNS Authority

A DNS authority, or authoritative nameserver, is the ultimate source of truth for a specific domain. It’s the repository for the official records for a domain. For any given domain there are almost always at least two, for redundancy, and in some cases many, to cut down on back-and-forth time over long distances. There’s a primary and one or more secondary authoritative servers. The secondaries copy their records from the primary.

These records are stored in a DNS zone file, a simple file that contains all the DNS information for a particular domain. The zone file includes various types of records, such as:

  • A Record (Address Record): Maps a host name to an IPv4 address.
  • AAAA Record (IPv6 Address Record): Maps a DNS name to an IPv6 address.
  • CNAME Record (Canonical Name Record): Forwards one DNS name or subdomain to another name.
  • MX Record (Mail Exchange Record): Provides the name of the mail server for the domain. That name can then be resolved to an IP address.
  • NS Record (Name Server Record): Specifies the authoritative nameservers for the domain.
  • PTR Record (Pointer Record): Provides a name from an address (reverse DNS).

When a domain owner wants to change where their website is hosted or update their email provider, they modify these records on their authoritative nameserver.

A Step-by-Step DNS Lookup

DNS resolvers and a DNS authority work together in DNS lookups:

  • A domain URL, like www.example.com, is typed into a browser.
  • The computer in use checks its local cache. If the IP address isn’t there, it sends a recursive query to its configured DNS resolver (usually provided by an ISP).
  • Querying the Root Server: The resolver starts at the top of the DNS hierarchy by querying a root nameserver. The root server almost certainly doesn’t know the full IP address involved but knows where to find the servers that handle the .com top-level domain. It responds to the resolver with the address of the .com nameserver.
  • Querying the Top-Level Domain Server: The resolver then queries the .com nameserver. This server doesn’t store the IP for www.example.com either, but it knows which authoritative nameserver is responsible for the example.com domain. It provides the address of that authoritative nameserver to the resolver.
  • Reaching the Authority: The resolver now sends a query to the example.com authoritative nameserver. This server holds the official zone file for the example.com domain.
  • The Authoritative Answer: The authoritative nameserver checks its zone file, finds the A and/or AAAA record for www.example.com, and returns the corresponding IP address (e.g., 203.0.113.0/24) to the resolver.
  • Returning Home: The resolver now has the definitive answer. It sends this IP address to your computer.
  • Making the Connection: Your browser now has the IP address it needs and can establish a direct connection with the web server at that address, and the webpage begins to load.
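To make the referral chain above concrete, here is an added simulation (not code from the original post) that models the root, .com and example.com authorities with constructed in-memory zone data and walks a recursive resolver through the same steps, including the cache hit on a second lookup of the same name. Server names such as "tld-com" and "ns.example.com" are assumptions for the illustration.

```python
# Constructed zone data standing in for the root, .com and example.com
# authorities (sample data, not real DNS). Each server answers a question
# either with a final record or with a referral to the next server down.
SERVERS = {
    "root": {"referrals": {"com": "tld-com"}},
    "tld-com": {"referrals": {"example.com": "ns.example.com"}},
    "ns.example.com": {"answers": {"www.example.com": "203.0.113.0"}},
}

def query(server, name):
    """One question to one server: ('answer', ip), ('referral', next) or ('nxdomain', None)."""
    zone = SERVERS[server]
    if name in zone.get("answers", {}):
        return "answer", zone["answers"][name]
    # A server delegates by suffix: find the longest part of the name it hands off.
    labels = name.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zone.get("referrals", {}):
            return "referral", zone["referrals"][suffix]
    return "nxdomain", None

class Resolver:
    """Recursive resolver: follows referrals from the root and caches final answers."""
    MAX_HOPS = 8  # guard against a referral loop in bad zone data

    def __init__(self):
        self.cache = {}
        self.trace = []  # human-readable record of each step, for the reader

    def resolve(self, name):
        if name in self.cache:
            self.trace.append(f"cache hit for {name}")
            return self.cache[name]
        server = "root"
        for _ in range(self.MAX_HOPS):
            kind, value = query(server, name)
            self.trace.append(f"{server}: {kind} -> {value}")
            if kind == "answer":
                self.cache[name] = value
                return value
            if kind != "referral":
                return None  # no such name anywhere below this server
            server = value
        return None  # too many referrals; give up rather than loop forever

if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.example.com"), r.resolve("www.example.com"))
    print("\n".join(r.trace))
```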

In essence, the DNS resolver is the proactive investigator that navigates the vast network of DNS servers, while the DNS authority is the final, definitive source that provides the crucial piece of information to complete the puzzle. This separation of roles creates a resilient and efficient system that powers our daily internet experience.

Keeping Authorities and Resolvers Separate

The importance of keeping authorities and resolvers separate has been recognized since the mid-1990s. Initially, the reasoning focused on resilience: if an authoritative DNS server is the subject of a DDoS attack, other parts of the network must be able to continue working. When a single machine provides both services, everything relying on the resolver will lose the ability to get the addresses for names not already in their own cache.

But the growth in the importance of the internet – and so the DNS – has led to two other reasons growing in importance:

  • Integrity: if an authoritative server is compromised, it can tell lies about the name it is authoritative for. But if it is also a resolver, it can tell lies about any name it is asked about. Users could be sent to malicious web sites.
  • Reflection: an amplification attack relies on DNS answers being larger than queries. An attacker asks a DNS question while impersonating a victim’s IP address, which is where the answer is sent. If a resolver is also an authoritative server it can be tricked into attacking a victim.

Split Views

Your company’s network probably has some devices that need network access but shouldn’t be reachable across the internet. Printers are a classic example. In most cases, you only need to print a document if you are in the same building as the printer. At best, making a printer accessible to the whole internet could lead to wasted paper. At worst, it could lead to information loss, as printers often store a copy of everything they’ve printed for the last few days in internal memory.

This is why many companies have two views of the DNS: one for inside the company and another for everyone else. The inside view lets you find printers, private file servers, and anything else the rest of the world doesn’t need access to. The external view has information about your website, mail servers, and other information people need to contact you.

You probably also want DNS names for mobile devices, like laptops. You might not want those names in the global DNS, especially if they give insight into how you manage your network. DHCP (Dynamic Host Configuration Protocol) provides essential configuration information to devices when they connect to a network, like what IP address to use and what resolver to use. If your DHCP and DNS servers are integrated, the DHCP server can tell the DNS server your host name when you connect. But your public DNS can publish a generic DNS name like employee.example.com that hides the identifying information your IT team might value in logs.

Reverse DNS

Reverse DNS (rDNS) is a method used to resolve an IP address to its corresponding host name. This is the opposite of forward DNS, which resolves a domain name to an IP address. While not essential for basic internet browsing, reverse DNS plays a crucial role in various network services, particularly in filtering spam emails.

How Reverse DNS Works

Reverse DNS lookups are performed using a special type of DNS record called a Pointer Record. This record maps an IP address back to a domain name.

The process involves a specific domain space called .in-addr.arpa for IPv4 addresses and .ip6.arpa for IPv6 addresses. To perform a reverse lookup, an IPv4 address’s elements (octets) are reversed and .in-addr.arpa is appended to them. For example, to find the domain name for the IP address 192.0.2.1, a DNS query would be made for the record of 1.2.0.192.in-addr.arpa.

Why Reverse DNS is Important

The primary application of reverse DNS is to verify the legitimacy of incoming email servers. Many mail servers are configured to perform a reverse DNS lookup on the IP address of the sending server. If no valid Pointer record is found, or if the name looks like it’s assigned to a home instead of a mail server, like customer.example.net, the email may be flagged as spam or rejected altogether.
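As an added example (not code from the original post), the following builds the reverse name for an address exactly as described in the How Reverse DNS Works section, extends the rule to IPv6 (the 32 hex nibbles of the expanded address reversed under ip6.arpa, which the post names but does not spell out), and then applies the mail-server check from this section against constructed PTR and A records. The "mismatch" case, where the PTR name does not resolve back to the sending IP, is a common practice assumed here rather than stated in the post, and the list of generic host prefixes is an illustrative heuristic.

```python
import ipaddress

def reverse_name(ip: str) -> str:
    """Build the name queried in a reverse lookup.

    IPv4: reverse the four octets and append in-addr.arpa
          (192.0.2.1 -> 1.2.0.192.in-addr.arpa).
    IPv6: expand to 32 hex nibbles, reverse them, append ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")  # keeps leading zeros, 32 chars
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

# Constructed sample records standing in for the PTR zone and the forward
# zones a receiving mail server would consult; they are not real DNS data.
PTR_RECORDS = {
    "1.2.0.192.in-addr.arpa": "mail.example.com",
    "2.2.0.192.in-addr.arpa": "customer.example.net",
    "3.2.0.192.in-addr.arpa": "mail.example.com",  # PTR whose forward record disagrees
}
FORWARD_RECORDS = {
    "mail.example.com": {"192.0.2.1"},
    "customer.example.net": {"192.0.2.2"},
}

# Illustrative prefixes that suggest an end-user line rather than a mail server.
GENERIC_PREFIXES = {"customer", "dynamic", "dhcp", "pool"}

def sender_check(ip: str, ptr=PTR_RECORDS, fwd=FORWARD_RECORDS) -> str:
    """Classify a sending IP as 'no-ptr', 'mismatch', 'generic' or 'ok'."""
    name = ptr.get(reverse_name(ip))
    if name is None:
        return "no-ptr"      # no Pointer record at all
    if ip not in fwd.get(name, set()):
        return "mismatch"    # PTR name does not resolve back to this IP
    if name.split(".")[0] in GENERIC_PREFIXES:
        return "generic"     # looks like a home connection, not a mail server
    return "ok"
```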