Introduction to DNS

Posted on October 30, 2007 
Filed Under Networking

If you could ask your computer how it feels about domain names, it would say “Looking up domain names is a big pain in my shiny metal tush.” Domain Names were not invented for the benefit of computers. They are purely for people.

Let’s say your name is Bob, and you want to register the domain name “example.com”.

(Example.com is reserved for use in examples such as this one, and it will never cause a conflict with a real .com domain. We want to avoid making up a domain name for our examples, because no matter how original we think we are, it is likely that someone somewhere is really using it!)

What does “registering” mean, exactly?

It means that the name “example.com” has been entered into a registry somewhere, which is operated by a registrar. To become a registrar requires a major investment in equipment and legal staff. It is much simpler to become a reseller for a registrar; that usually involves making a deposit with a registrar, in effect buying the right to create a certain number of domains “in advance.”

What does a registry do?

A registry does two things:

  1. The registry is a list of domains and their owners. It creates a connection, a link, between the domain name and the names and addresses of its owner or owners.
  2. It also provides a pointer to at least two nameservers for the domain. (For some reason, administrators always phrase this as “the name servers are authoritative for the domain.” I don’t know why that is better than saying they “have authority.”)

The nameservers provide the numeric Internet Protocol (IP) address for your domain when asked. An IP address is very much like a phone number. The process that makes it possible to look up the IP address of a domain is called Domain Name Service, or DNS.

Resolving a domain in DNS

Looking up the IP address begins with the root nameservers of the Internet, which are distributed all around the world. The registry function has been separated from the maintenance of the root nameservers, which made it possible to have competing registrars. All of the registrars have equal authority to add a domain name to the root nameservers (by telling the people who actually maintain them). There is no difference between a .com domain name that is purchased from Verisign and one that is purchased from Brand X, though Brand X may offer better customer service.

There are far too many domain names to have a single central place that holds all the details for every one of them. There does have to be a central registry that lists the domain names that exist, but the amount of information it keeps on each domain name is very limited. The details that make a site work (the address of the mail server as opposed to the web server, for instance) are much greater in volume and change more often. The answer (in today’s Internet) is to delegate the responsibility for individual domains to local nameservers. Local, in this case, means “closer to the actual domain in question.”

“Resolving” a domain is the technical phrase for “looking it up.” It is almost exactly like looking up John Smith in the phone book to get his phone number. Instead of figuring out which John Smith is the one you want, though, the rules of the Internet say there can be only one example.com. There is a registrar that is responsible for all .com domains and it can say with certainty where to find the nameservers that have authority over example.com.

Since each local nameserver can easily handle a few hundred domains, the root nameservers gain a lot of leverage by referring all questions to them. The root nameserver doesn’t need to know anything about your domain other than “there is a nameserver somewhere that can provide information about it” so it can send people there as quickly as possible. It specifically does not know or care whether you provide web pages, or email, or streaming video.

Offloading the work to local nameservers in this way makes it possible for the root nameservers to keep up with the never-ending demand for additions, changes, and deletions. (How do they do that? “With great difficulty!” The root nameservers are maintained by the unsung heroes of the Net, and more than one kind of hardware and software is used to minimize the risk that a single bug could take down all of the root servers at once.)

So the registry provides two services: one is telling people that you own your domain; the other is telling the root nameservers which local nameserver gives “authoritative” answers for your domain. The root nameservers work at a very high level, of course. If you ask one of them about Bob’s example.com, it will simply refer you to a nameserver that handles the .com Top Level Domain, or “TLD”. A root nameserver is too busy to look any deeper than the very top level. The TLD nameserver for .com can look a little deeper: “example.com? Ask the nameserver at ns1.example.net or ns2.example.org.”

The .com root still doesn’t know what services you offer — your authoritative nameservers can provide clues about that in the form of “subdomains.”

Domain names DO NOT Begin with WWW

“www.example.com” is a subdomain of example.com. The domain name is example.com — it is not www.example.com, or news.example.com, or mail.example.com.

As the owner of a domain, you can add subdomains if you want to, but that is between you and your DNS provider. Your registry does not care, nor do they have a place to store that information.

Each of the “subdomain” examples above implies a service can be reached at that subdomain. Note that this is an arbitrary convention, not a technical requirement. By that, I mean it would not break anything if a machine named “mail.example.com” was really a webserver… but it might confuse your visitors.

The point is that the root nameservers don’t care about your subdomains and your domain name DOES NOT begin with www.

Creating a New Nameserver?

You can register a new nameserver, or “DNS host”, by asking your registry service for help. But please keep reading; it makes more sense to work with a DNS service provider than to set up your own small nameserver. Running one is a minor headache, and you need at least two.

When your domain name is registered, the TLD nameservers are told to connect that name with at least two nameservers somewhere. It’s up to you to make sure that the nitty-gritty details about your domain are kept up to date in those local nameservers; and to keep the registry up to date about which local nameservers you are using. Note the plural — one of the rules is that every domain must be served by at least two nameservers. Microsoft once found out about that the hard way — they used two nameservers, but they were both on the same local network; so when a single router broke, no one was able to access microsoft.com for a few days!

Within those authoritative nameservers, you then have the option to use all the features that you may have read about in (other people’s) tutorials on BIND (the Berkeley Internet Name Daemon). You can say that mail will go to a special address by setting up MX records. You can say that one machine will be known by three different names by creating CNAME records. All of that is handled by your nameservers. The root nameservers do not know or care about it. Their job is done as soon as they point people to your local nameserver.
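As an added illustration (not from the original post), here is what a minimal BIND-style zone file for example.com could look like with the records mentioned above: two NS records on different networks, an MX record sending mail to a dedicated host, and CNAME records so one machine answers to three names. The nameserver names are the ones used in this article; the addresses are from the 192.0.2.0/24 documentation range and are constructed.

```zone
$ORIGIN example.com.
$TTL 3600                      ; how long caches may keep these answers (one hour)
@       IN  SOA   ns1.example.net. hostmaster.example.com. (
                  2007103001   ; serial, constructed date-based value
                  7200         ; refresh
                  900          ; retry
                  1209600      ; expire
                  3600 )       ; negative-caching TTL (for "no such name" answers)

; At least two authoritative nameservers, on different networks
@       IN  NS    ns1.example.net.
@       IN  NS    ns2.example.org.

; Mail for example.com goes to a dedicated host (MX record)
@       IN  MX    10 mail.example.com.

; One machine, one address (documentation range, constructed)
@       IN  A     192.0.2.10
mail    IN  A     192.0.2.20

; The same machine known by two more names (CNAME records)
www     IN  CNAME example.com.
news    IN  CNAME example.com.
```

None of this is visible to the root or .com nameservers; they only hold the NS delegation, and everything above lives on ns1.example.net and ns2.example.org.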

Let’s say you want to move your webservers to a new provider. But the new provider cannot update the authoritative (local) nameserver at your old provider’s hosting site. It’s up to you, as the domain owner, to notify your registry and have the new provider’s nameservers made authoritative over your domain name.

You can complete such a move without any downtime. The secret is that it’s perfectly okay for your new provider to continue to point to the old servers until the new servers are in place and ready to do business. Then the new ISP can update their nameservers, and queries will begin to go to the new servers in a matter of minutes. It takes much longer — two days is common — for the registry to change which nameservers are authoritative for your domain, so the trick is to do that well in advance. Your (new) ISP can make changes to their own nameservers much more quickly than that, but it only works if you have given them authority over your domain and allowed enough time for that news to get around.

The root nameservers are updated much more frequently than they used to be, but you should still allow a day for everyone to realize that your server has a new address. When someone visits you, the numeric address is cached or saved at many steps along the way. Eventually the saved copies will be scribbled over, but it takes a while.

It can work the other way, too; set up your new servers, and tell your old ISP to point to them while you’re waiting for the change at the registry service to “propagate” to the root nameservers and make the new ISP authoritative. That can be trickier when you’re an ex-customer, but most ISPs will go along with the idea as long as you haven’t burned your bridges. This is, however, a good reason to handle your own domain name registrations rather than leaving it in the hands of your ISP. Always make sure that YOU are the administrative contact, the domain owner, not your ISP. They can be the technical contact, who has little or no authority to make changes. You do not want to involve a lawyer to get possession of your domain name back from your ISP.

To make this a “Hands-On How-To,” let’s register a domain. To start the process, we’ll go to an OpenSRS reseller. OpenSRS is a registrar established by Tucows as a way for small businesses to purchase domains in bulk for their own use or for resale. If you ever have a problem with a domain you registered with an OpenSRS reseller, you can contact Tucows directly or you can ask another OpenSRS reseller for help — if your reseller falls down an open manhole, your domain does not go with him. This is an extra level of protection you don’t always get dealing with other registries or their resellers.

Our hosting company, brasscannon.net, just happens to be an OpenSRS reseller for the .com, .org, and .net domains.

Pick the link “Let’s register a domain!” You need to verify that the name you want is available; there’s a link to check it using “whois,” which will do a lookup in the master registry that is shared by all the commercial registrars.

If you want to register a name within a national domain such as .uk, .mx, .br, or .ar, you should visit the national domain name authority at www.nic.[two-letter country code] — for example, www.nic.br is the National NIC for Brazil, while www.nic.ar is Argentina.

So, wombatnecrophilia.com is available? Pull out your credit card and grab it. Remember you’re in competition with everyone else on the planet, so don’t put this on your to-do list for later. There is nothing sadder than a company that spends thousands of dollars on stationery and advertising, only to find that some chump has picked up “their” domain name merely because he thought it was cute. Remember this: Thinking up a clever name does not make it “your” domain name. Registering it does.

The next step in the process is to set up an account (or “profile”) with the registry. This profile is simply a way to establish your identity and do the bookkeeping and billing. Please, please write down the username and password you set up. Most of the delays in handling customers’ problems happen because they have simply forgotten their passwords.

A lot of people ask if they can change their domain name. They have wonderful excuses; sometimes they say they misspelled it on the form, or sometimes they just admit that they thought of one they like better. The short answer is “No, you can’t change it.” The name is the domain. Changing a domain name would be like trying to change your wife’s name on your marriage license. “Whoops, I meant to marry Cindy Crawford. Can I change the name on the marriage license?” No, you can’t.

Fortunately, you don’t have to divorce one domain to marry another. You should count yourself lucky if it turns out that Cindy is still available, and cough up another $70, or whatever your registry service wants ($18 per year if you use brasscannon.net). If Cindy is taken, well, see above — complaining that someone else registered “your” name doesn’t do any good. Why not? Because it was NOT your domain name. You didn’t register it. Someone else did, so it’s their domain name. It’s really just that simple.

What About Recycling an Old Domain?

Some people ask about getting a domain name that has expired. Frankly, that strikes me as a bad idea. It’s much easier to make a new reputation than to overcome the poor one someone else may have incurred. The matter may be moot; there are persistent rumors that the major registries are refusing to return expired names to the pool of available names (Why? One theory is that they hope to auction them for more than the standard new registration fee. No one seems to know.) I do know that if you let a domain expire, the standard practice is now to put it into a “redemption period” where only the original owner can buy it back, but at several times the normal price.

Great! Now I Need Mail, and a Web Server–

Whoa, Nelly! For the purpose of our example, we are not dealing with the other services which a registry company might also offer — because Web forwarding and email forwarding are not a built-in part of the domain registry business. They make sense as a product offering, yes, but DNS is complicated enough without adding them to our discussion here.

However, even the most basic registry service must provide ‘dummy’ DNS so that there will be an entry for the domain in the root nameservers. Remember: A domain only exists as long as the root DNS servers point to it.

It’s “dummy” DNS because you can’t use it for anything. If someone asks whether your domain exists, the registry servers will say “yes,” but they won’t send any traffic to you. If you actually want people to come to your web site or send you email, you need to have real DNS set up somewhere.

Don’t Create a New DNS Server

The easiest answer I’ve found to that is a company called Zoneedit. Their services are free for basic users (up to five domains); it’s far easier to use them than to run your own DNS servers. If you want “dynamic DNS” to be able to find your cable modem when you’re on the road, there are programs you can run on your home PC to look up your current address and update your information at ZoneEdit quickly enough to be useful. (DynSite for Windows is one.) Most cable companies will frown on you running a webserver or FTP site, but will wink at using ssh or PCAnywhere to “phone home” occasionally.

If you’re going over the five-for-free limit with ZoneEdit, or if you’re concerned about uptime for a mission-critical site, take a look at DNS Made Easy. They provide five nameservers for each domain you register. I’ve found their web interface to be easy to use, their nameservers reliable, and their prices reasonable for the next big jump for a former ZoneEdit user, up to fifty domains.

As soon as your domain is registered, you can go to www.zoneedit.com and find out which two DNS servers they have assigned to handle your domain. Then you come back to your registry and update their records to point to the Zoneedit nameservers. (It seems awkward to go back and forth, I know, but you can hardly ask a DNS provider to assign servers for a domain that does not yet exist.) Using DNS Made Easy is simpler because you’ll always be using the same five nameservers, so you can enter them while you’re setting up the domain.

The last piece of the puzzle is the actual server to which the DNS points. That needs to be a machine whose address stays the same more often than not, and its numeric address is the one you will enter into the name servers.

One thing you should know is that many domains can share one IP address. In that case, the web server looks at the domain name you’re asking for before it decides which page to serve. This is called “named virtual hosting” and it avoids wasting a lot of IP addresses. The DNS for all those domains still works the same; it ends up pointing to that shared address.

If you have a DSL line or a cable modem and find that it keeps the same IP address “most of the time,” there are a number of tools you can use to update your DNS records automatically at Zoneedit or DNS Made Easy. I recommend DynSite for Windows by Noel Danjou. It’s very convenient to be able to find your home network by name when you’re travelling on business; of course, the Windows box in that scenario is tucked out of harm’s way behind a firewall. It sends out an occasional update when/if your home IP address changes; the machine to which you connect should be a Linux box or a Mac, something that can stand up to what the Internet throws at it.

And by the way…

Domain names do not begin with “www.”

Got a letter from a domain name customer who, quite reasonably, wanted to know whether he was getting what he had paid for. Here’s my reply, with the original message quoted (domain names have been changed to protect the innocent):

> Hello!
>
> Yesterday when I tried to use the WHOIS command the response was:
>
> Initial server used for this query: whois.internic.net
>
> No match found for www.example.com.
> Match obtained for example.com from rs.someregistry.net:
>
> (Some information about the person who is writing to me)
>

This is as it should be. Please understand that domain names DO NOT begin with www. Your domain name is example.com and it is registered with [our registry service]. That is all correct.

Your domain name IS NOT www.example.com. The “www.” prefix indicates a service that your domain provides. If you have a webserver, your DNS server somewhere will assign an IP address to it. Then your domain will offer that service to people who come to that subdomain within your domain. If you set up a mail server, you may want to direct people to it by calling it mail.example.com. The principle is the same — the name of the domain is still example.com.

The purpose of the domain name registry and the “root nameservers” is to enable visitors to find your DNS server. It is then the purpose of your DNS server to point visitors to any of the individual machines within your domain.

My correspondent went on to try something quite sensible: he tried to resolve the name “www.example.com” using nslookup:

> $ nslookup www.example.com
> Server:  ns1.someprovider.com
> Address:  10.12.12.11  <-- this is the address of a local nameserver
>
> *** localhost can’t find www.example.com: Non-existent host/domain
>
>  Why didn’t this work?

The nameserver at your ISP knows about example.com, but it does not know about www.example.com, because you have not set that up yet. Setting up the members, the machines that “live” in your domain, is one of your responsibilities as the owner of the domain. If you have a webserver, which is not necessarily the case, then it’s up to you to decide whether anyone can get to it by using the www. prefix, which is not a requirement; it’s just something that people take for granted, so it might be a good idea. It’s perfectly fine to have one machine with one address and make both example.com and www.example.com point to that address.

But www.example.com is set up on your local authoritative nameservers; it does not exist in the Root nameservers nor does it appear in your “whois” listing.
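To tie the resolution chain described earlier (root, then the .com TLD, then Bob’s authoritative nameservers) to the failed nslookup above, here is an added offline simulation; it is example code written for this page, not anything from the original post or from any registry. The zone data, the .com TLD server name and the 192.0.2.x addresses (documentation range) are constructed; the nameserver names ns1.example.net and ns2.example.org are the ones used in the article.

```python
import copy

# Constructed, in-memory zone data standing in for the real servers at each level.
# Each key is the apex of the zone that server is authoritative for. The TLD server
# name is hypothetical; addresses come from the RFC 5737 documentation range.
SERVERS = {
    ".": {  # root: knows only which servers handle each TLD
        ("com.", "NS"): ["tld-server.example.net."],
    },
    "com.": {  # .com TLD: knows only who is authoritative for each .com name
        ("example.com.", "NS"): ["ns1.example.net.", "ns2.example.org."],
    },
    "example.com.": {  # Bob's authoritative nameservers: the real host records
        ("example.com.", "NS"): ["ns1.example.net.", "ns2.example.org."],
        ("example.com.", "A"): ["192.0.2.10"],
        ("example.com.", "MX"): ["10 mail.example.com."],
        ("mail.example.com.", "A"): ["192.0.2.20"],
        # Deliberately no www record yet, as in the customer's nslookup.
    },
}


def in_zone(name, apex):
    """True if name is at or below apex ('.' is the root and covers everything)."""
    return apex == "." or name == apex or name.endswith("." + apex)


def resolve(qname, qtype, servers=SERVERS, max_hops=10):
    """Iterative lookup starting at the root. Returns (answer list or None, trail)."""
    trail, zone = [], "."
    for _ in range(max_hops):
        records = servers[zone]
        # 1. Referral: a parent zone only holds NS records for its delegated children.
        child = next((owner for (owner, rtype) in records
                      if rtype == "NS" and owner != zone and in_zone(qname, owner)), None)
        if child:
            trail.append(f"{zone} refers {qname} to {child} servers {records[(child, 'NS')]}")
            zone = child
            continue
        # 2. Authoritative answer, following a CNAME alias back through the root if needed.
        if (qname, qtype) in records:
            trail.append(f"{zone} answers {qtype} {qname} = {records[(qname, qtype)]}")
            return records[(qname, qtype)], trail
        if (qname, "CNAME") in records:
            target = records[(qname, "CNAME")][0]
            trail.append(f"{zone} says {qname} is an alias for {target}; restarting at root")
            qname, zone = target, "."
            continue
        # 3. The authoritative server has no such record: that host was never set up.
        trail.append(f"{zone} is authoritative but has no {qtype} record for {qname}: NXDOMAIN")
        return None, trail
    raise RuntimeError("too many hops (CNAME loop?)")


def add_www(servers, address="192.0.2.10"):
    """The fix from the article: point www.example.com at the same address as example.com."""
    fixed = copy.deepcopy(servers)
    fixed["example.com."][("www.example.com.", "A")] = [address]
    return fixed
```

The trail for www.example.com shows the root and .com servers only ever issue referrals; the “no such host” answer comes from the authoritative zone, which is why the fix belongs there and not at the registry.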
