The Domain Name System (DNS) is a foundational component of the internet, serving as the critical link between human-readable domain names and machine-readable IP addresses. At the core of the DNS infrastructure are DNS servers—specialized systems that store and distribute the hierarchical mappings between domains and IPs. In this in-depth guide, we'll explore the inner workings of DNS servers, their role in internet performance and security, and expert tips for optimization.
Understanding the DNS Hierarchy
DNS follows an inverted tree structure, with the DNS root at the top. The root DNS servers are responsible for storing information about the Top-Level Domains (TLDs), like .com, .org, and .net. Below the TLDs are the second-level domains (like google.com), and so on. Each level of the hierarchy delegates responsibility for storing DNS records to the level below it.
When a DNS client (like a web browser) needs to look up the IP address for a domain name, it begins by querying a recursive DNS resolver. The resolver starts at the root and follows the delegation chain until it reaches the authoritative nameserver for the domain, which provides the final answer.
DNS Query Process and Caching
At each level of the DNS hierarchy, DNS servers cache the results of previous queries to improve performance. The typical DNS query process looks like this:
- Browser cache: The browser checks its local cache for a valid record matching the domain name. If found, the IP is returned immediately.
- OS cache: If not found in the browser cache, the operating system's DNS cache is checked next.
- Router cache: Home routers usually have a built-in DNS cache to speed up queries for devices on the local network.
- ISP recursive resolver cache: The ISP's recursive DNS resolver maintains a cache of previous lookups. If the record is found here, it's returned to the client.
- Root server: If the ISP's resolver doesn't have the record cached, it begins recursively querying the hierarchical DNS system, starting with one of the root servers.
- TLD server: The root server refers the resolver to the Top-Level Domain (TLD) name servers for the domain (e.g. the .com servers).
- Authoritative server: The TLD servers refer the resolver to the domain's authoritative nameserver, which returns the final IP address for the domain.
At each step, the returned record is cached by the resolver with a time-to-live (TTL) value set by the authoritative server. Typical TTL values range from a few minutes to a few days. Caching greatly reduces the load on upstream DNS servers and improves resolution performance.
DNS Message Format and Resource Records
DNS messages are typically transmitted over UDP port 53, with a default size limit of 512 bytes. If a response exceeds 512 bytes, the server sets a flag indicating that the client should retry over TCP.
A DNS message consists of a header and four sections:
- Header: Contains fields indicating if the message is a query or response, the type of query, and various flags.
- Question: Specifies the domain name and record type being queried.
- Answer: Contains the resource records (RRs) answering the query.
- Authority: Contains RRs pointing to authoritative name servers for the domain.
- Additional: Contains RRs providing additional information related to the query.
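The header flags and sections listed above can be read straight out of the wire format. As an added example (not code from the article), this Python parser decodes a constructed response to an A query for example.com, exposing the truncation (TC) flag mentioned earlier and following RFC 1035 name-compression pointers; the sample bytes are constructed, not captured traffic.

```python
import struct
import ipaddress

# Constructed response to an A query for example.com (answer owner name is a compression pointer).
SAMPLE_RESPONSE = bytes.fromhex(
    "1a2b" "8180"                 # ID; flags QR=1 opcode=0 TC=0 RD=1 RA=1 RCODE=0
    "0001" "0001" "0000" "0000"   # QDCOUNT ANCOUNT NSCOUNT ARCOUNT
    "076578616d706c6503636f6d00"  # question name "example.com"
    "0001" "0001"                 # QTYPE=A QCLASS=IN
    "c00c" "0001" "0001"          # pointer to offset 12, TYPE=A, CLASS=IN
    "00000e10" "0004" "5db8d822"  # TTL=3600, RDLENGTH=4, 93.184.216.34
)

def read_name(msg, off):
    """Decode a name at `off`, following compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # two-byte pointer
            end = end if end is not None else off + 2   # pointer ends the field
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_message(msg):
    """Return (header dict, questions, answers) for a wire-format DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    header = {"id": ident, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
              "tc": flags >> 9 & 1, "rd": flags >> 8 & 1, "ra": flags >> 7 & 1,
              "rcode": flags & 0xF}
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):                                 # authority/additional parse the same way
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype in (1, 28):                            # A / AAAA: render the address
            rdata = str(ipaddress.ip_address(rdata))
        answers.append((name, rtype, ttl, rdata))
    return header, questions, answers
```

A resolver that sees `tc` set in the parsed header is the case the text describes: the UDP answer was cut at the size limit and the query should be repeated over TCP.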
Some of the most common DNS record types include:
- A: Maps a domain name to an IPv4 address
- AAAA: Maps a domain name to an IPv6 address
- CNAME: Defines an alias for a domain name
- MX: Specifies the mail server responsible for handling email for a domain
- NS: Identifies the authoritative name servers for a domain
- SOA: Specifies authoritative information about a DNS zone
- TXT: Allows administrators to insert arbitrary text into the DNS (often used for email authentication)
DNS and Internet Performance
The performance of DNS has a significant impact on the overall speed and responsiveness of the internet. A 2012 study by Pingdom found that the average DNS lookup time for the top 50 websites was 20.04 ms, while the average page load time was 7.72 seconds—meaning DNS accounted for just 0.3% of the total page load time.
However, DNS can also be a major bottleneck, especially for high-traffic websites and applications. A 2018 report by ThousandEyes found that 68% of the most popular web domains had DNS performance issues, with 28% having errors or timeouts.
Some key factors affecting DNS performance include:
- Network latency: The physical distance and number of hops between the client and the DNS server can add significant delay.
- Server load: High-traffic domains can overwhelm under-provisioned DNS servers, leading to slower response times and dropped queries.
- Caching: Effective caching at each level of the DNS hierarchy is crucial for minimizing the number of recursive queries and improving performance.
- Security: DNS security measures like DNSSEC validation and DDoS protection can add processing overhead and latency.
To improve DNS performance, organizations can implement techniques like anycast routing, load balancing, and using a managed DNS service provider with a globally distributed anycast network.
Public DNS Providers
For individual users and small businesses, using a public DNS provider can offer better performance and security than relying on the default DNS servers provided by your ISP. Some of the most popular public DNS providers include:
- Google Public DNS: 8.8.8.8 and 8.8.4.4
  - Boasts a global anycast network with low latency worldwide
  - Supports DNSSEC validation
- Cloudflare DNS: 1.1.1.1 and 1.0.0.1
  - Focuses on privacy, promising to never log client IP addresses
  - Uses DNSSEC and DNS-over-HTTPS for enhanced security
- Quad9: 9.9.9.9 and 149.112.112.112
  - Emphasizes security, with built-in blocklists for malicious domains
  - Operated by the nonprofit Quad9 foundation
- OpenDNS: 208.67.222.222 and 208.67.220.220
  - Owned by Cisco and targeted at both home and business users
  - Offers optional content filtering and phishing protection
A 2019 performance study by DNSPerf found that Cloudflare had the lowest worldwide latency at 4.98 ms, followed by Google (8.23 ms), OpenDNS (8.26 ms), and Quad9 (10.38 ms).
Managed DNS Providers
For businesses and enterprises that need advanced traffic management and security features, using a managed DNS provider can offer significant benefits over running in-house DNS servers. Managed DNS providers offer services like:
- Global traffic load balancing: Route traffic to the closest or best-performing endpoint based on factors like geographic location, server load, and network conditions.
- Active failover: Automatically detect and route around DNS server outages and failures.
- DDoS mitigation: Block and absorb DDoS attacks aimed at DNS infrastructure.
- DNSSEC signing and validation: Automatically sign zones with DNSSEC and validate signatures on incoming responses.
Some of the leading managed DNS providers include Dyn (owned by Oracle), Akamai, NS1, Amazon Route 53, and Azure DNS.
DNS Flag Day and Eliminating Legacy Systems
On February 1st, 2019, the DNS community organized "DNS Flag Day"—a coordinated effort by major DNS software and service providers to eliminate support for legacy DNS implementations that don't fully comply with the EDNS (Extension Mechanisms for DNS) standard. EDNS is necessary for supporting features like DNSSEC, DNS cookies, and larger UDP packet sizes.
DNS server operators were encouraged to test their systems for compatibility and update or replace legacy software before the deadline. The effort was largely successful, with minimal disruption to the global DNS infrastructure.
DNS over HTTPS and Privacy Concerns
Traditional DNS operates over unencrypted UDP or TCP connections, meaning that DNS queries and responses can be easily intercepted and monitored by network operators and ISPs. This has raised concerns about privacy and censorship, leading to the development of encrypted DNS protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT).
With DoH, DNS queries are encrypted and sent over the HTTPS port 443, making them indistinguishable from normal HTTPS web traffic. This means that ISPs and network operators can no longer see which domains a user is querying—a feature that has been controversial among ISPs and governments that rely on DNS monitoring for everything from ad targeting to censorship.
Despite the pushback, all major web browsers now support DoH, with Firefox enabling it by default in the US. Cloudflare and Google also offer public DoH resolvers as part of their DNS services.
The Politics of DNS Governance
The DNS root zone is managed by the Internet Corporation for Assigned Names and Numbers (ICANN), a non-profit organization that oversees the allocation of IP addresses and domain names. ICANN delegates the operation of the root zone to Verisign, which manages the root servers under the Internet Assigned Numbers Authority (IANA) functions contract.
This arrangement has been controversial, with some arguing that ICANN has too much power over the internet and that the US government has undue influence over ICANN. In 2016, control of the IANA functions was transitioned from the US Department of Commerce to the global multistakeholder community, a move that was seen as a step towards making ICANN more accountable and transparent.
DNS as a Naming Layer for Blockchain
Beyond its core function of mapping domain names to IP addresses, DNS is increasingly being used as a naming layer for other systems and protocols. One emerging use case is using DNS to create human-readable names for cryptocurrency addresses and blockchain assets.
The Ethereum Name Service (ENS) is a decentralized naming system built on the Ethereum blockchain that allows users to register .eth domain names and associate them with Ethereum addresses, smart contracts, and other metadata. Similarly, the Interplanetary File System (IPFS) uses the InterPlanetary Name System (IPNS) to map human-readable names to IPFS content hashes.
Other projects like Handshake and Unstoppable Domains are creating blockchain-based alternatives to the DNS root zone, with the goal of creating a more decentralized and censorship-resistant naming system.
DNS Security Best Practices
Securing the DNS infrastructure is crucial for protecting against attacks like DNS hijacking, cache poisoning, and DDoS. Some best practices for DNS security include:
- DNSSEC: Use DNSSEC to cryptographically sign DNS records and prevent tampering and spoofing.
- Access control: Restrict access to DNS servers and only allow queries from authorized clients.
- Rate limiting: Implement rate limiting to prevent excessive queries and DDoS attacks.
- Anycast: Use anycast routing to distribute DNS servers across multiple locations and improve resilience.
- Monitoring: Regularly monitor DNS logs and traffic for signs of suspicious activity.
- Patching: Keep DNS server software up-to-date and promptly patch any known vulnerabilities.
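The rate-limiting and monitoring items above can be combined in one piece of logic: a per-client sliding-window limiter run over resolver query logs, which both drops the excess and surfaces the clients that hit the limit. This is an added example, not code from the article or any DNS server; the log line format, the 5 queries per second threshold and the client addresses are all assumed, and the log lines are constructed rather than real traffic.

```python
import re
from collections import defaultdict, deque

# Constructed resolver log lines (not real traffic): one normal client and one
# client bursting queries, the pattern a per-client limit is meant to catch.
SAMPLE_LOG = [
    "1700000000.000 client 192.0.2.10 query www.example.com IN A",
    "1700000000.400 client 192.0.2.10 query mail.example.com IN MX",
] + [f"1700000000.{100 + 30 * i:03d} client 198.51.100.7 query h{i}.example.net IN ANY"
     for i in range(12)] + [
    "1700000002.000 client 198.51.100.7 query www.example.net IN A",
]

# Assumed log format: "<unix ts> client <ip> query <qname> IN <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\d+\.\d+) client (?P<client>\S+) query (?P<qname>\S+) IN (?P<qtype>\S+)$")

def sliding_window_limiter(lines, limit=5, window=1.0):
    """Allow at most `limit` queries per client within any `window` seconds.
    Returns ({client: {"allowed": n, "dropped": n}}, [clients that were throttled])."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:                                  # ignore lines that do not match the format
            events.append((float(m["ts"]), m["client"], m["qname"], m["qtype"]))
    recent = defaultdict(deque)                # client -> timestamps of allowed queries in window
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, client, _qname, _qtype in sorted(events):   # logs may be appended out of order
        q = recent[client]
        while q and ts - q[0] >= window:       # expire timestamps that left the window
            q.popleft()
        if len(q) < limit:
            q.append(ts)
            stats[client]["allowed"] += 1
        else:
            stats[client]["dropped"] += 1      # would be answered with a drop or truncated reply
    flagged = sorted(c for c, s in stats.items() if s["dropped"] > 0)
    return dict(stats), flagged
```

The flagged list is the monitoring output: clients that repeatedly exceed the limit are the ones worth reviewing, while a limit that flags nobody on a busy resolver is probably set too high.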
The Future of DNS
As the internet continues to evolve, so too will the Domain Name System. In the short term, we can expect to see continued adoption of security features like DNSSEC and DoH, as well as the growth of managed DNS services and blockchain-based naming systems.
Longer term, the rise of new technologies like 5G, Internet of Things (IoT), and edge computing may require new approaches to DNS that can handle the scale and complexity of billions of connected devices. Proposed ideas include using machine learning and artificial intelligence to automatically optimize DNS routing and performance, as well as creating new DNS record types specifically for IoT devices.
Whatever the future holds, it's clear that DNS will continue to play a critical role in the functioning of the internet. By understanding how DNS works and following best practices for performance and security, organizations can ensure that their online presence remains fast, reliable, and secure for years to come.