The first web-published book, on 2000-01-07.

Internet > How the Internet works > Domain Name System >

Domain Name Servers

Initially, all the hosts in the Internet will be in the domain 'ARPA'. As soon as is practical a second domain, 'DDN', will be introduced. Other domains may be added after that...

- Jon Postel; The Domain Names Plan and Schedule; RFC 881; November 1983.

The Domain Name System (DNS) servers distribute the job of mapping domain names to IP addresses among servers allocated to each domain.

Each second-level domain must have at least one domain name server responsible for maintenance of information about that domain and all subsidiary domains, and response to queries about those domains from other computers on the Internet. For example, management of domain name information and queries for the LivingInternet.com domain is handled by a specific DNS server that takes care of the load required. This distributed architecture was designed to enable the Internet to grow, where as the number of domains grew, the number of DNS servers can grow to keep pace with the load.

Today, everyone who registers a second-level domain name must at the same time designate two DNS servers to manage queries and return the current IP address for addresses in that domain. The primary domain name server is always consulted first, and the secondary domain name server is queried if the primary doesn't answer, providing a backup and important support to overall Internet reliability.

The application that underlies almost all DNS server software on the Internet is a free open source software program called BIND, currently maintained by the Internet Systems Consortium. When your computer was added to the Internet, one of the initial setup tasks was to specify a default domain name server, usually maintained by your local Internet Service Provider, and almost certainly a variant of the BIND server software.

When your computer tries to access a domain like "www.livinginternet.com", the domain name system works like this:

  • Your computer asks your default DNS server if it knows the IP address for www.livinginternet.com. If the DNS server has been asked that question recently, then it will have the answer stored in its local cache, and can answer immediately.
  • Otherwise, your DNS server queries the central zone files for the address of the primary domain name server for livinginternet.com, and is answered with something like "ns1.livinginternet.com".
  • Your DNS server will ask the livinginternet.com DNS server for the IP address of www.livinginternet.com, which will then look up the answer and send it back.
  • Your DNS server will store the IP address returned in its local cache, and make the address available to your computer.
  • Your computer then contacts www.livinginternet.com with the standard Internet routing protocols by using the returned IP address.
The IP address assigned to a computer may change frequently because of physical moves or network reconfigurations. The major advantage of the network of DNS servers is that domain names stay the same even when IP addresses change, and so the domain name servers can transparently take care of the mapping.

Security. There are a range of good security practices built in to the design of the DNS, although versions of the BIND server software itself have periodically been found to be vulnerable, often through buffer overrun attacks. If you run DNS server software, you should always make sure it is up-to-date with the latest version and patches. DNS server vulnerabilities typically affect the systems running the servers, which is generally Internet Service Providers, and so are not a direct threat to the home user unless you are running one at home.

A major extension to security of the DNS was introduced in 1997 with the DNS Security (DNSSEC) standard described in RFC 2065, updated in 1999 with RFC 2535, which provided DNS servers with secure data integrity and system authentication through the use of public key cryptography digital signatures.

Resources. The following references provide additional information about DNS servers:

  • NSLOOKUP -- provides reports on domain name servers.
  • BIND -- the standard DNS server application, maintained by the Internet Software Consortium.
__