DNS – An Introduction

Though you may not know it, DNS (or Domain Name System) is probably one of the most used things on the Internet. In fact, you’re using it right now. For those who don’t know what DNS is or does, it is the system we use to translate domain names to IP addresses.

The World Before DNS

Back in the early days of the Internet (and by early, I mean before it was even *called* the Internet), all of the computers that were connected to one another could only be reached by using a series of numbers. To get to the computer you wanted to access, you had to know the right number for it. It was kind of like the modern telephone network, where you have to know the phone number of the person you want to talk to. Since this was before anyone had a really easy way to remember all of the address numbers for the computers they had or wanted to access (aside from writing it all down on a piece of paper), a shortcut was very quickly developed: the HOSTS file.

A HOSTS file is a simple text file stored on the computer that allowed people to assign memorable names to the computer addresses they wanted to access. Instead of putting in a number like 123.231.123.231 to access a computer, users just had to put in the name assigned to that number. Keeping with the phone comparison, this was similar to having a phone number that, based on the letters assigned to each digit on a phone keypad, allows you to say “Call me at 1-555-MYPLACE”. This is both easier to remember and easier to communicate. (As a side note, each computer still has a HOSTS file that you can use to assign a specific name to a specific number. In Windows, the file is located at C:\Windows\System32\Drivers\Etc\HOSTS. You can play around with that and see what happens if you want. Many IT pranks involve modifying the HOSTS file, so it’s always good to know about it.) The problem, though, was that each system had to have its own HOSTS file, so each computer had a completely unique set of data about which words translated to which numbers.

The unique HOSTS file on each computer led to some issues; specifically, it meant a lot of work filling out the file for each computer you wanted to use, not to mention the problems that could occur when you wanted to communicate the location of some Internet-based resource to someone. So after a little while, a central “authority” created a publicly available HOSTS file that could be obtained by anyone who didn’t want to fill out their own HOSTS file with all the names and IPs they wanted or needed. This was a good short-term solution, but after the Internet became “The Internet” (as opposed to its original name, ARPANET), the size and update frequency of the centralized HOSTS file became too overwhelming. This is when the need for a fully automated method of handling the word-to-number translation became apparent. Here is where DNS comes into play.

What DNS Does

DNS was created to allow easy creation, distribution, and update of “Internet Names.” Internet Names are the words that we assign to numbers (IP Addresses). You use DNS every day without realizing it. In fact, you used it to get to this website.

DNS is, put simply, a group of servers that do nothing but maintain and distribute word to number translations (as well as number to word translations, but that piece, known as Reverse DNS, is beyond the scope of this article).

How DNS Works

DNS works by separating name-to-number translations into groups of related names called “Domains”. Each dot in a URL represents a level of authority. For instance, my blog’s URL, http://www.acbrownit.com, includes four levels of authority, with the authority becoming narrower as you move to the left in the URL.

The highest level of authority in a URL starts *before* the .com, with the International Assigned Numbers Authority (IANA). The IANA’s servers represent the core list of DNS records. If you would like to look at the full list of records, you can go to IANA’s website (you can click on each Zone to see the ownership records and servers that hold the database for that zone). Historically, IANA has maintained complete authority over Internet DNS records and was originally maintained by the US government. A few years ago, IANA was spun off into a separate, independent organization without any governmental oversight. About the same time, IANA opened the root DNS zones up to complete customization.

Originally, there were fewer than 200 root DNS zones: .com, .info, .org, .gov, and zones for each nation (.uk, .aus, and .ca for the UK, Australia, and Canada, as examples). There were a few other zones, but IANA kept a pretty strict cap on DNS root zones to ensure that each DNS server on the Internet was capable of storing the entire DNS database, if necessary. Early Internet-connected DNS servers had significantly more limitations than modern servers. The average smart watch has several orders of magnitude more processing and storage capacity than the earliest DNS servers, which put significant limits on the number of URLs available. With IANA removing the strict limits on root DNS zones, thousands are now available, including .APPLE (guess who owns that one), .BANANAREPUBLIC, and others. These newer root zones are often referred to as “Vanity” domains.

The COM domain is the next highest level of authority in my URL, and is referred to as a Top Level Domain (TLD). It is owned and maintained by Verisign Global Registry Services. Verisign’s DNS servers hold a list of records called a DNS Zone that points every domain that ends in .com to the authoritative servers used to store the zones for the next level of authority.

The ACBROWNIT domain is the next level of authority. This domain is “owned” by WordPress, but administered by…well, me. I pay a certain amount of money each year to maintain my rights to do whatever I want with the acbrownit.com domain, including move it to a different registrar like Godaddy, Network Solutions, or others, if I want to. WordPress also maintains the servers that provide access to my blog, and I pay a flat rate each year to use both services.

The next level of authority is completely managed by me, and represents what is called a DNS “A record”. “A Records” consist of a name and an IP address. In this case, the name is WWW and the IP address is 192.0.78.25. The IP is tied directly to the network where my blog’s data is stored.

The DNS Lookup Process

DNS lookup occurs according to the flowchart below. Please note, this is a very simplified version and leaves out a number of technical details, but it should give you an idea of how things work.

[Figure: DNS Process]

Every computer that has an Internet connection is configured with a DNS server that acts as its primary point of contact for looking up DNS records. Usually, this service is provided by the company you purchase your Internet connection from. Most Internet Service Providers only allow their own customers to use their DNS servers. There are also a lot of “public” DNS servers that are owned by various companies. Public DNS servers are available to anyone who wants to use them, and most IT guys have at least a few memorized. The most common are owned by Google (8.8.8.8 and 8.8.4.4) or Level 3 (4.2.2.2). There are a number of sites that provide lists of publicly available DNS servers.
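As an added example (not from the original post), here is a small Python model of the levels of authority described above: a root zone, a TLD zone and the domain’s own zone, each of which either answers or refers the resolver one level down. The zone data and nameserver names are constructed; only www.acbrownit.com and 192.0.78.25 come from the post.

```python
# Added example: a toy model of the DNS authority hierarchy. Each zone either
# holds the answer (an A record) or a delegation (an NS record) that hands
# authority down one level. Nameserver names are constructed;
# www.acbrownit.com -> 192.0.78.25 is the value given in the post.
ZONES = {
    ".": {                                  # root zone (IANA)
        "com": {"NS": "ns.com-tld.example"},
    },
    "com": {                                # .com TLD (Verisign)
        "acbrownit.com": {"NS": "ns.acbrownit-host.example"},
    },
    "acbrownit.com": {                      # the blog's own zone
        "www.acbrownit.com": {"A": "192.0.78.25"},
    },
}


def covers(zone, name):
    """True if 'name' falls under 'zone' (the root '.' covers everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def iterative_lookup(zones, name):
    """Resolve 'name' the way a recursive resolver does: start at the root and
    follow referrals until a zone answers. Returns (ip, zones_asked)."""
    zone, asked = ".", []
    while True:
        asked.append(zone)
        records = zones[zone]
        if name in records and "A" in records[name]:
            return records[name]["A"], asked        # authoritative answer
        # No answer here: look for an NS delegation covering the name and ask
        # the delegated child zone next (one step down the hierarchy).
        referral = next((child for child, rr in records.items()
                         if "NS" in rr and covers(child, name)), None)
        if referral is None:
            return None, asked                      # no such name
        zone = referral


if __name__ == "__main__":
    ip, asked = iterative_lookup(ZONES, "www.acbrownit.com")
    print(ip, "via", " -> ".join(asked))    # 192.0.78.25 via . -> com -> acbrownit.com
```

Each entry in the returned path is a server that had to be trusted for the final answer to be correct, which is why a lookup for a four-level name touches three separate authorities.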

The End of This Post

So that was a lot of information that should help you to better understand how DNS works. Every computer uses it, and without it, the Internet would not be able to function as well as it does. Hopefully, you understand it a little better. You may never give a thought about it again, but it never hurts to know more about how things work. And for those who are just starting a career in tech or are budding hobbyists, this article should give you much needed information that will serve you well in the future.

Stay tuned for the next post on DNS, where I’ll cover some of the more technical parts of the protocol, including record types, how each record type functions, historical weaknesses in DNS that have been and still are exploited to spread malicious software or phishing email, and how you can use DNS to provide a little bit of failover capability to servers.


Resolving the Internal/External DNS zone Dilemma with Pinpoint DNS

Here’s an interesting trick that might help you resolve some of your DNS management woes, particularly if you have different Public and Private DNS zones in your environment. For instance, you have a domain name of whatever.com externally, but use whatever.local internally. When your DNS is set up like that, all attempts to access systems using the whatever.com domain name will default to the external, Public IP addresses assigned in that DNS zone. If you want internal, Private IP addresses assigned to those systems instead (which is common), you normally have to create an entire zone for whatever.com on your internal DNS servers and populate it with A records for all the systems that exist in the public DNS zone. This technique, known as Split Horizon DNS or just Split DNS, results in additional administrative burden, since changes to the external DNS zone have to be replicated internally as well, and you have to spend time recreating all the DNS records that are already there. Luckily, there’s a little DNS trick you can use to get past this limitation: Pinpoint DNS.

Pinpoint DNS – What is it?

Put simply, Pinpoint DNS is a technique that uses some of the features of DNS to let you create a record for a single host name that lives in a different DNS zone than the one you usually use. For instance, instead of creating an entire Primary zone in your internal DNS for whatever.com, you can create a Pinpoint DNS record for really.whatever.com.

Make it So!

To implement Pinpoint DNS, all you have to do is create a new Primary DNS zone. Instead of naming the zone whatever.com, name it really.whatever.com. Once the zone is created, you can assign an IP address to the root of that new zone (in Windows, this shows up as the record name being “Same as Parent”). Attempts to connect to really.whatever.com will resolve to the IP address at the root of that zone, and you will be connected to whatever you set that IP to. So, instead of maintaining an entire internal DNS zone full of A records that you have to fill out, even if you only want an Internal IP on one of them, you can have a DNS zone for the single Internal IP record.

Downsides?

There really aren’t a lot of downsides to this, other than it could confuse people who aren’t familiar with the technique. It does look a little odd to see a lot of Forward Lookup Zones in DNS with only a single record in them, but that’s just aesthetic.

Functionally, as long as the DNS zones you create for Pinpoint records are AD integrated, there aren’t any technical downsides to this technique, but if you have a large, distributed DNS infrastructure that *isn’t* AD integrated, this technique will greatly increase administrative burden, since you have to create replication configurations for each Pinpoint record. If you run a DNS environment that isn’t part of Active Directory, Pinpoint DNS isn’t a good solution, because it increases the burden more than managing split horizon DNS.

DNS is a very lightweight protocol (having been designed in the late 70s), so the increase in replication traffic caused by having multiple Forward Lookup Zones is generally not an issue here.

Windows How To

To implement this, do the following:

  1. Open DNS Management (preferably on a Domain Controller)
  2. Expand the DNS server that’s listed
  3. Right-click the Forward Lookup Zones entry and select New Zone to open the new zone wizard. Hit Next when the wizard opens.
  4. Make sure Primary DNS Zone is selected, and that the AD Integration option is checked. Click Next.
  5. Select the option to replicate to all DCs in the Forest (particularly if you are in a multi-domain Forest. It’s not necessary for single-domain forests, but it’s a good idea to set this anyway, in case that ever changes). Click Next.
  6. Enter the name of the zone. This will be the host name you’re assigning an IP to, so really.whatever.com for the previous example. Click Next.
  7. Select the option to only allow secure updates (It’s the default, anyway). Click Next, then Finish to finalize the wizard and create the zone.
  8. Expand your Forward Lookup Zones and you’ll see the zone there, like below: [Screenshot: Pinpoint DNS zone]
  9. Right-click the new Zone and select New Host (A or AAAA).
  10. In the wizard that appears, *leave the host name blank*. This is important, since it is the key part of Pinpoint DNS. An empty host name assigns the A record to the root of the zone.
  11. Enter the IP address you want to point to in the IP address field, then click Add Host. Your record should look like the one below: [Screenshot: Pinpoint DNS record]
  12. Verify the new record appears in the really.whatever.com zone, and shows as (Same as Parent).

Once that’s done, the next time you ping really.whatever.com (after running “ipconfig /flushdns” to clear your DNS cache, of course), you’ll receive the Internal IP address you assigned to the Pinpoint zone, and the rest of your external DNS records will remain managed by external DNS servers.
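As an added example (not the post’s own code), here is a Python model of why the trick works: an authoritative server answers from the most specific zone it holds, so a zone named really.whatever.com with an A record at its apex captures exactly that one name, while every other whatever.com name falls through to the external servers. The IP addresses and the “external” answers are constructed, and the split-horizon zone is included only to contrast the two approaches.

```python
# Added example: why Pinpoint DNS works. An authoritative server picks the
# longest zone name that is a suffix of the query, so a zone named after a
# single host catches only that host. All addresses below are constructed.

# Internal (AD-integrated) zones with Pinpoint DNS: one zone per pinned host,
# with the A record at the zone apex ("Same as Parent" in the Windows console).
PINPOINT_ZONES = {
    "whatever.local": {"dc1.whatever.local": "10.0.0.1"},
    "really.whatever.com": {"really.whatever.com": "10.0.0.20"},
}

# The split-horizon alternative: a full internal copy of whatever.com, which
# only knows the records someone remembered to replicate into it.
SPLIT_HORIZON_ZONES = {
    "whatever.local": {"dc1.whatever.local": "10.0.0.1"},
    "whatever.com": {"really.whatever.com": "10.0.0.20"},
}

# What the public whatever.com zone answers (constructed public addresses).
EXTERNAL_ANSWERS = {
    "really.whatever.com": "203.0.113.10",
    "mail.whatever.com": "203.0.113.25",
}


def matching_zone(zones, name):
    """Longest-suffix match: try 'a.b.c', then 'b.c', then 'c'."""
    parts = name.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in zones:
            return candidate
    return None


def internal_resolve(zones, name):
    """Behave like the internal DNS server: answer from a zone we hold (even if
    that answer is 'no such name'), and recurse externally only when no zone
    matches. Returns (ip_or_None, where_the_answer_came_from)."""
    zone = matching_zone(zones, name)
    if zone is not None:
        return zones[zone].get(name), "internal:" + zone
    return EXTERNAL_ANSWERS.get(name), "external"
```

With the split-horizon zones, mail.whatever.com resolves to nothing internally because the server is authoritative for whatever.com and will not forward that name; that is the record-copying burden the post describes, and the pinpoint zones avoid it.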