

Two years ago, logicbbs.org lost connectivity to the internet, because our DNS server (hosted by Planix) went off the internet. Recently (December 13, 2004), we lost connectivity again because our server changed IP addresses, to 69.17.158.109. What is DNS, why is it so important, and how do you use it?
DNS - an address book for the internet
The domain name system is made of an array of servers that act as a directory or address book for computers on the internet. Every computer is identified by a 32-bit number of the form x.x.x.x, where x ≤ 255. This is called an IP address, and under our current version of IPv4 (internet protocol version 4), every single computer directly connected to the internet has a unique IP address. For example, the BBS has an IP address of 69.17.158.109.
It is a great hassle to remember the IP address of each computer you want to connect to; for example, it's a pain to type 216.239.59.104 every time you want to connect to Google. Therefore, DNS maps text (such as www.google.ca) to an IP address (216.239.59.104), transparently and almost instantly!
Domain formats
Before we discuss DNS, we need to know about domains.
With reference to www.logicbbs.org:
org is a top-level domain, or TLD.
logicbbs is a second-level domain. When you "register a domain", this is what you register.
www is a third-level domain, often called a "subdomain".
Higher level domains are possible, too.
DNS is recursive
When you type logicbbs.org into your web browser, your computer will not know what or where "logicbbs.org" is. It needs an IP address, not a text string. Therefore, your computer will query your ISP's DNS server or name server, which can provide an answer. It returns the IP address of logicbbs.org, which your computer can use to contact the BBS so you can login to the FirstClass server.
What if your ISP doesn't know what logicbbs.org maps to? This will happen if your ISP doesn't have logicbbs.org cached. It needs to look somewhere else; therefore, your ISP's DNS is recursive. There exist 13 root DNS servers on the internet, which are supercomputers that take general queries from all the world's DNS servers. Your ISP asks one of these servers, which then directs it to the group of servers that serve the .org top-level domain (TLD). The .org TLD DNS servers can then tell it that the name server record of logicbbs.org is hosted by ns.planix.net, whose IP address is 204.29.161.33.
Your ISP then queries ns.planix.net about logicbbs.org. It finally returns the DNS record you need: 69.17.158.109. The ISP's DNS server returns this data to your computer, which can finally connect to the BBS. Figure 1 illustrates this process.
Figure 1
| You | <==> | ISP DNS | if cached: return 69.17.158.109 |
| ISP DNS | <==> | root servers | direct to the .org TLD DNS servers |
| ISP DNS | <==> | .org TLD DNS servers | direct to ns.planix.net |
| ISP DNS | <==> | ns.planix.net (204.29.161.33) | returns the DNS record of logicbbs.org |
| ISP DNS | <==> | You | returns the IP address of logicbbs.org |
Caching
Caching is a feature of DNS. It occurs on both your local machine and on your ISP's DNS. Why cache?
a) Caching minimises the number of DNS queries made. If you access logicbbs.org very frequently, it makes no sense to query your ISP's DNS every time you logon, because chances are the IP address is the same. Your computer stores 69.17.158.109, and reuses it.
b) Caching also allows a large DNS server, like that of your ISP, to rapidly return requests. Since many other users probably access commonly used domains such as google.ca or apple.com, it is reasonable to cache the IP addresses of these very popular websites.
Making DNS record changes
Caching becomes a problem when DNS addresses change. How does ns.planix.net tell all the world's ISP DNS servers that logicbbs.org's IP address has changed? The solution is to specify an expiry for each cached record. This is set in the TTL (time to live) entry in the DNS record, and is specified in seconds. TTL values are usually 86400 seconds, or 1 day. All cached records that are a day old are refreshed.
There is no way to force remote caches to refresh early. Therefore, a cached record whose IP address is outdated needs to expire and be refreshed before users can reach the requested server by name. This is why there is a delay; logicbbs.org won't work for several hours if its IP address changes.
When DNS servers go bad
What happens if ns.planix.net goes down? Most users would not notice a problem for several hours, because of caching. Your ISP will diligently return the cached value of 69.17.158.109 to your logicbbs.org queries until the DNS record expires. It then tries to refresh the record by contacting ns.planix.net -- but that server is dead. Your ISP assumes the worst, and returns a "this record does not exist" error message. Your browser then pops up with an unfriendly "could not lookup logicbbs.org". The result? logicbbs.org stops working.
However, there is a solution. DNS accommodates secondary servers, which can respond to DNS queries when the primary server (ns.planix.net) is down. logicbbs.org subscribes to secondary DNS service from DynDNS, which mirrors the DNS records of ns.planix.net. In fact, the .org TLD DNS servers know the addresses of all DNS servers for logicbbs.org. A modified diagram can be drawn.
Figure 2
| You | <==> | ISP DNS | if cached: return 69.17.158.109 |
| ISP DNS | <==> | root servers | direct to the .org TLD DNS servers |
| ISP DNS | <==> | .org TLD DNS servers | direct to ns.planix.net |
| ISP DNS | <==> | ns.planix.net, ns1.mydyndns.org, ns2.mydyndns.org, etc. | return the DNS record of logicbbs.org |
| ISP DNS | <==> | You | returns the IP address of logicbbs.org |
If the primary DNS server (ns.planix.net) is down, then your ISP's DNS queries ns1.mydyndns.org, ns2.mydyndns.org, etc. until it finds a response for logicbbs.org. The working server then returns the DNS record, providing the IP address of logicbbs.org. Secondary DNS provides a level of redundancy for a domain, since the secondaries respond to DNS queries when the primary DNS server is down.
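As an added illustration (not code from the original article), here is a toy resolver that walks root -> .org TLD -> authoritative server for logicbbs.org, caches the answer for its TTL, and falls back to the DynDNS secondaries when ns.planix.net does not answer. The server names root.example and org-tld.example and their referral tables are constructed stand-ins; the IP address and TTL are the ones the text uses.

```python
import time

# Constructed referral tables: each "server" maps the longest name suffix it
# knows to either a referral ("NS", [servers]) or an answer ("A", ip, ttl).
SERVERS = {
    "root.example":    {"org": ("NS", ["org-tld.example"])},
    "org-tld.example": {"logicbbs.org": ("NS", ["ns.planix.net", "ns1.mydyndns.org", "ns2.mydyndns.org"])},
    "ns.planix.net":    {"logicbbs.org": ("A", "69.17.158.109", 86400)},
    "ns1.mydyndns.org": {"logicbbs.org": ("A", "69.17.158.109", 86400)},
    "ns2.mydyndns.org": {"logicbbs.org": ("A", "69.17.158.109", 86400)},
}
ROOT_SERVERS = ["root.example"]

def answer(server, name):
    """Reply of `server` when asked about `name`: the root only knows the
    "org" suffix, the TLD server knows "logicbbs.org", and so on."""
    labels = name.split(".")
    for i in range(len(labels)):
        reply = SERVERS[server].get(".".join(labels[i:]))
        if reply is not None:
            return reply
    return None

class IspResolver:
    """Recursive resolver with a TTL cache and a log of the servers it asked."""
    def __init__(self, down=(), clock=time.time):
        self.cache = {}          # name -> (ip, expiry time)
        self.down = set(down)    # servers that never answer (simulated outage)
        self.clock = clock
        self.log = []            # (server asked, name), in order

    def resolve(self, name):
        now = self.clock()
        if name in self.cache and self.cache[name][1] > now:
            return self.cache[name][0]        # fresh cache entry: no query sent
        servers = list(ROOT_SERVERS)
        while servers:
            server = servers.pop(0)
            self.log.append((server, name))
            if server in self.down:
                continue                      # dead server: try the next one listed
            reply = answer(server, name)
            if reply is None:
                return None                   # "this record does not exist"
            if reply[0] == "NS":
                servers = list(reply[1])      # referral: ask these servers next
            else:
                _, ip, ttl = reply
                self.cache[name] = (ip, now + ttl)
                return ip
        return None                           # every listed server was down

if __name__ == "__main__":
    r = IspResolver(down={"ns.planix.net"})
    print(r.resolve("logicbbs.org"), r.log)
```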
Modifying name servers for a domain
Registration of domain names is done through an ICANN-accredited registrar, which acts on your behalf to fill out the appropriate documentation for registration of the second-level domain. Such a registrar is Network Solutions*, and through this company, logicbbs.org was registered. Network Solutions also specifies the designated DNS servers (or name servers) for your domain, and submits this information to the root and/or top-level domain (TLD) DNS servers (e.g. .com, .org, .net, .ca).
You can use any DNS server you like to host your domain's DNS record, and name server changes are made through your domain's registrar (for logicbbs.org, it's Network Solutions). Through Network Solutions, it was specified that the primary DNS server for logicbbs.org is ns.planix.net, and the secondary DNS servers are ns1.mydyndns.org, ns2.mydyndns.org, ns3.mydyndns.org, ns4.mydyndns.org, and ns5.mydyndns.org. IP addresses for each name server are also entered. With this, the .org TLD DNS servers know that these servers host the DNS record of logicbbs.org, and know where to direct DNS queries.
One can change name servers for a domain easily, through Network Solutions. This would need to be done if Planix were to go down for one month, and a replacement primary DNS provider was needed. Like DNS record changes through Planix, changing name servers is also delayed, requiring up to 48 hours to propagate through all DNS servers worldwide.
Subdomains and mail exchanges
All of this works fine for logicbbs.org, where one physical IP address hosts all services (pop3, smtp, http, fcp) that LOGIC needs. What if you have a very busy site, and you want to delegate specific addresses to different computers? For example, utoronto.ca brings users to the main U of T server, but chem.utoronto.ca brings users to a different computer. How is this done using DNS?
The DNS record can specify a number of IP addresses for different subdomains. Each entry is called an A record. For example:
www.utoronto.ca points to 128.100.132.30
All these different IP addresses are unique computers that serve different subdomains. This feature allows a web administrator to divide the load; rather than have one machine host all services, many machines host different pages at unique addresses. In the case of smtp2.ns.utoronto.ca, which is an SMTP (mail) server, there are several A records for one name. This allows the DNS server to rotate between the three machines, further dividing the load.
If LOGIC had more hardware, we might have mail.logicbbs.org pointing to our mail server, fc.logicbbs.org pointing to our FirstClass server, and www.logicbbs.org pointing to our HTTP (web) server.
All of this is great for specific addresses, but what about mail? Mail rarely has subdomains, and mail is almost always sent to the top-level domain name (e.g. @logicbbs.org, @utoronto.ca). How does DNS tell mail servers where to direct messages?
Again, DNS can handle e-mail via mail exchange (MX) entries in a DNS record. These MX entries are separate from the A records, and can direct mail to specific mail servers. For example, the MX record for utoronto.ca points to smtp2.ns.utoronto.ca, whose domain name can then be queried to give one of three possible IP addresses (see above). With the MX record, an e-mail server knows to which IP address a message can be directed. This is explained below in a step-wise format.
Making custom DNS lookups
Computers running Mac OS X always have a program called lookupd running in the background. The process, owned by root, is called upon to make DNS queries when needed for your machine. These queries are made to your ISP's DNS servers, whose IP addresses are entered under System Preferences: Network: DNS Servers. If you are on DHCP (i.e. a connection with dynamic IPs), then the DNS Servers field may be blank; the servers are automatically assigned. Those who are curious can find their DNS servers under System Profiler: Network: DNS Servers.
You can arbitrarily make a DNS query using the commands nslookup or dig. These commands can also be accessed via a GUI through Applications: Utilities: Network Utility: Lookup.
Terminal syntax is as follows:
dig @nameserver domain type
nslookup domain nameserver
where nameserver and type are optional. Note that dig expects the name server, when given, to be prefixed with @.
Examples:
dig logicbbs.org returns the IP address of logicbbs.org as well as nameservers for this domain.
dig logicbbs.org mx returns the mail exchanger (MX) record for logicbbs.org
dig @ns.planix.net logicbbs.org mx bypasses your ISP's DNS servers and queries Planix directly for the MX record of logicbbs.org.
nslookup logicbbs.org returns the IP address of logicbbs.org.
nslookup logicbbs.org ns.planix.net returns the IP address of logicbbs.org by querying Planix.
Notes:
1) lookupd not only finds and stores DNS information, but also other information about your system. Type man lookupd into the Terminal for more information.
2) You can type man dig to find more information about dig.
DNS zone files
A zonefile is the physical document that contains the DNS record. It always has a specific format, with abbreviations that indicate which domain points where. The example below has been simplified for pedagogical purposes.
IN NS ns.planix.net
IN NS ns1.mydyndns.org
IN NS ns2.mydyndns.org
IN MX 10 mail
IN A 69.17.158.109
www IN A 69.17.158.109
mail IN A 69.17.158.109
The first three lines describe valid name servers for logicbbs.org. The next entry indicates that the mail exchanger for logicbbs.org has a priority of 10 and that messages should be directed to mail.logicbbs.org. Priority values indicate where to send e-mail if a server is unavailable; the lower the priority value, the higher the priority of that server. Mail servers send e-mail to the server with the lowest priority value, and then work their way up the values listed as necessary.
The last three lines indicate that logicbbs.org (the second-level domain) points to 69.17.158.109, and that the www and mail subdomains (www.logicbbs.org, mail.logicbbs.org) also point to 69.17.158.109.
The DNS record is the reason why some internet addresses do not need the www prefix, while others do. If a particular domain has a www A record that differs from the basic A record, then anydomain.com may be different from www.anydomain.com, and the former may not work. Other sites, like logicbbs.org, have both the bare second-level domain and the www subdomain pointing to the same IP address, which reduces confusion and ambiguity.
Hosting DNS
DNS servers most often run a program called BIND, or Berkeley Internet Name Domain. BIND is an industrial-strength server program, which, like Apache, runs on Unix and is open source. BIND is difficult to use and configure, and is a frequent target of security attacks. Server administrators running BIND should be careful to secure their servers and patch all security holes.
Apple also produced MacDNS, a bare-bones DNS server for the classic Mac OS. It can act as a primary DNS server and has a graphical user interface (GUI) for setting up name server entries, so zonefile configuration is done transparently in the background.
DNS can also be hosted by third-parties. ZoneEdit is a very popular free DNS service, which provides a web-based interface for setting up DNS records and zonefiles. ZoneEdit even provides services beyond basic DNS, such as mail and web address forwarding. If you have your own domain but no means to run your own DNS server, ZoneEdit is a great service to use.
For a more powerful solution, DynDNS provides Custom DNS services for an annual fee. Both of these companies also provide secondary DNS hosting, where their DNS servers mirror a pre-existing DNS record.
For more information on BIND under Mac OS X and MacDNS, see the links below.
Your own domain - a case study
So, what do you need to know about DNS if you register your own internet domain name? I will summarise everything I have mentioned in a case study: setting up your own domain name and server.
Registering the domain name
To register your domain name, you need to find an ICANN-accredited registrar. You find such a registrar (e.g. Network Solutions), fill out your personal details and desired domain name (domain.com), and agree to pay $40/year to keep this domain name registered. Network Solutions contacts ICANN, registers domain.com and provides you with a parked domain. These domains point to Network Solutions' own servers, and provide a generic "Under Construction" message. Network Solutions uses its own DNS servers and its own records to accomplish this. Domain registration is instantaneous as registration is electronic, but it takes at least several hours before your domain can be accessed by users, due to delays in DNS propagation.
Setting up your own server
Obviously, you want to replace the "Under Construction" page with something useful. You could fire up Web Sharing (Apache, httpd) and FTP access (ftpd) under System Preferences: Sharing in Mac OS X to host your own server. You find your IP address through Network Utility or through your internet router - suppose it is 10.0.0.1.
Suppose you also want to have a mail server, but do not know how to configure this under OS X. You can register for paid third-party mail hosting through companies like Everyone.net.
Now that you have your server up and running, you need to configure domain.com to point to your IP address.
Configuring DNS
Because you want a reliable DNS provider, you register with DynDNS and sign up for Custom DNS. You will then set up your A records, indicating that you want domain.com to point to 10.0.0.1. You also want to make www.domain.com point to 10.0.0.1, so you set up a www record to this effect. Finally, ftp.domain.com should also point to 10.0.0.1, so an ftp record is also created.
Since mail will not be routed through 10.0.0.1 but through Everyone.net, you configure two things:
a) an A record for mail.domain.com that points to Everyone.net's IP address.
b) a MX record for domain.com, which directs mail to mail.domain.com.
IN NS ns1.mydyndns.org
IN NS ns2.mydyndns.org
IN A 10.0.0.1
IN MX 0 mail
www IN A 10.0.0.1
ftp IN A 10.0.0.1
mail IN A 208.184.100.4
where 208.184.100.4 is the IP address of Everyone.net's mail server.
The priority of mail.domain.com is 0. You can specify any priority, because there is only one mail server.
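To show how the simplified zone-file layout used in the logicbbs.org example and in this case study is read, here is an added parser (not code from the article or from any DNS software). It expands bare names such as mail against the zone origin, treats a line that starts with IN as a record for the origin itself, and walks MX -> A in preference order the way a sending mail server does. The two zone texts are constructed copies of the ones above; since the article omits trailing dots, any name containing a dot is taken as absolute.

```python
# Constructed copies of the two simplified zone files shown in the article.
LOGICBBS_ZONE = """\
IN NS ns.planix.net
IN NS ns1.mydyndns.org
IN NS ns2.mydyndns.org
IN MX 10 mail
IN A 69.17.158.109
www IN A 69.17.158.109
mail IN A 69.17.158.109
"""
DOMAIN_ZONE = """\
IN NS ns1.mydyndns.org
IN NS ns2.mydyndns.org
IN A 10.0.0.1
IN MX 0 mail
www IN A 10.0.0.1
ftp IN A 10.0.0.1
mail IN A 208.184.100.4
"""

def absolute(name, origin):
    """Expand a bare label ("mail") to mail.<origin>; "@" means the origin.
    Convention assumed here: a name containing a dot is already absolute."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1]
    return name if "." in name else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, type, data) triples with fully qualified owner names.
    A line that starts with IN has no owner and applies to the origin."""
    records = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith(";"):
            continue                        # blank line or comment
        owner = origin
        if fields[0] != "IN":
            owner = absolute(fields.pop(0), origin)
        if fields[0] != "IN":
            raise ValueError(f"unparseable record: {raw!r}")
        rtype = fields[1]
        if rtype == "MX":                   # MX carries a preference value first
            data = (int(fields[2]), absolute(fields[3], origin))
        elif rtype in ("NS", "CNAME"):      # target is a name, not an address
            data = absolute(fields[2], origin)
        else:
            data = fields[2]
        records.append((owner, rtype, data))
    return records

def lookup(records, name, rtype):
    return [data for owner, t, data in records if owner == name and t == rtype]

def mail_targets(records, domain):
    """Where mail for `domain` goes, in the order a sender tries: lowest MX
    preference first, each MX host expanded through its own A record(s)."""
    return [(pref, host, ip)
            for pref, host in sorted(lookup(records, domain, "MX"))
            for ip in lookup(records, host, "A")]
```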
Changing your name server
After your web servers and DNS servers are properly configured, you notify Network Solutions that you no longer want to use their DNS servers, but you want to specify your own. You enter the name servers for DynDNS (ns1.mydyndns.org, ns2.mydyndns.org, etc.). These changes take effect immediately, but take time to propagate through the internet.
After 48 hours, all your services will be active and accessible via domain.com, www.domain.com, ftp.domain.com, and mail.domain.com!
Implications for security and reliability
A final note on security. As I describe above, the world's DNS network is coordinated by thirteen root servers, which direct queries to other arrays of servers that handle top-level domains. The root servers hold the fabric of DNS together and are absolutely critical to DNS. Without them, DNS queries would fail, and the address book collapses. Although the thirteen root servers are extremely powerful, connected to the world's internet backbones, and geographically distributed, they are nonetheless the Achilles' heel of the internet. It is conceivable that a DoS (denial of service) attack may be mounted against these root servers, flooding them with bogus requests for data. This would bring down DNS and knock billions of users off the Internet.
It has been said that such an attack is conceivable but unlikely, because people with the know-how to attempt such an attack use and love the internet, and it is illogical for such people to disable something they consider a tool. However, the possibility exists, and the centralized nature of DNS is a weakness of the Internet.
Links
BIND - DNS software
http://www.isc.org/sw/bind/
CIRA - Canadian Internet Registration Authority
http://www.cira.ca/
DynDNS - DNS provider
http://www.dyndns.org/
Everyone.net - third-party mail hosting
http://www.everyone.net/
ICANN - the Internet Corporation for Assigned Names and Numbers
http://www.icann.org/
Internic.net Directory of Accredited Registrars
http://www.internic.net/regist.html
MacDevCenter - BIND in Mac OS X
http://www.macdevcenter.com/pub/a/mac/2003/04/15/bind.html
MacDNS - DNS program for the classic Mac OS
http://download.info.apple.com/Apple_Support_Area/Apple_Software_Updates/English-North_American/Macintosh/Networking-Communications/Other_N-C/MacDNS_1.0.4_Info.txt
http://download.info.apple.com/Apple_Support_Area/Apple_Software_Updates/English-North_American/Macintosh/Networking-Communications/Other_N-C/MacDNS_1.0.4.smi.bin
Network Solutions - an (expensive) registrar
http://www.networksolutions.com/
Note: NetSol overcharges for domains, because they used to have a monopoly over the business. Shop around before registering a domain; a registrar is a registrar, it makes little difference which one you bring your business to. Domains can cost as little as $10 (or even less).
Planix - Unix consulting
http://www.planix.com/
ZoneEdit - Free DNS provider
http://www.zoneedit.com/