The Domain Name System (DNS) is a hierarchical and distributed naming system for
computer
A computer is a machine that can be programmed to Execution (computing), carry out sequences of arithmetic or logical operations (computation) automatically. Modern digital electronic computers can perform generic sets of operations known as C ...
s, services, and other resources in the
Internet
The Internet (or internet) is the global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a '' network of networks'' that consists of private, pub ...
or other
Internet Protocol
The Internet Protocol (IP) is the network layer communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables internetworking, and essentially establishes the Internet.
IP h ...
(IP) networks. It associates various information with
domain name
A domain name is a string that identifies a realm of administrative autonomy, authority or control within the Internet. Domain names are often used to identify services provided through the Internet, such as websites, email services and more. As ...
s assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical
IP address
An Internet Protocol address (IP address) is a numerical label such as that is connected to a computer network that uses the Internet Protocol for communication.. Updated by . An IP address serves two main functions: network interface ident ...
es needed for locating and identifying computer services and devices with the underlying
network protocol
A communication protocol is a system of rules that allows two or more entities of a communications system to transmit information via any kind of variation of a physical quantity. The protocol defines the rules, syntax, semantics and synchroniza ...
s. The Domain Name System has been an essential component of the functionality of the Internet since 1985.
The Domain Name System delegates the responsibility of assigning domain names and mapping those names to Internet resources by designating
authoritative name server
A name server refers to the server component of the Domain Name System (DNS), one of the two principal namespaces of the Internet. The most important function of DNS servers is the translation (resolution) of human-memorable domain names (example. ...
s for each domain. Network administrators may delegate authority over
sub-domain
In the Domain Name System (DNS) hierarchy, a subdomain is a domain that is a part of another (main) domain. For example, if a domain offered an online store as part of their website example.com, it might use the subdomain shop.example.com .
Ov ...
s of their allocated name space to other name servers. This mechanism provides distributed and
fault-tolerant
Fault tolerance is the property that enables a system to continue operating properly in the event of the failure of one or more faults within some of its components. If its operating quality decreases at all, the decrease is proportional to the ...
service and was designed to avoid a single large central database.
The Domain Name System also specifies the technical functionality of the
database
In computing, a database is an organized collection of data stored and accessed electronically. Small databases can be stored on a file system, while large databases are hosted on computer clusters or cloud storage. The design of databases sp ...
service that is at its core. It defines the DNS protocol, a detailed specification of the data structures and data communication exchanges used in the DNS, as part of the
Internet Protocol Suite
The Internet protocol suite, commonly known as TCP/IP, is a framework for organizing the set of communication protocols used in the Internet and similar computer networks according to functional criteria. The foundational protocols in the suit ...
.
The Internet maintains two principal
namespace
In computing, a namespace is a set of signs (''names'') that are used to identify and refer to objects of various kinds. A namespace ensures that all of a given set of objects have unique names so that they can be easily identified.
Namespaces ...
s, the domain name hierarchy and the
Internet Protocol
The Internet Protocol (IP) is the network layer communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables internetworking, and essentially establishes the Internet.
IP h ...
(IP)
address space
In computing, an address space defines a range of discrete addresses, each of which may correspond to a network host, peripheral device, disk sector, a memory cell or other logical or physical entity.
For software programs to save and retrieve st ...
s.
[RFC 781, ''Internet Protocol - DARPA Internet Program Protocol Specification'', Information Sciences Institute, J. Postel (Ed.), The Internet Society (September 1981)] The Domain Name System maintains the domain name hierarchy and provides translation services between it and the address spaces. Internet
name server
A name server refers to the server component of the Domain Name System (DNS), one of the two principal namespaces of the Internet. The most important function of DNS servers is the translation (resolution) of human-memorable domain names (example. ...
s and a
communication protocol
A communication protocol is a system of rules that allows two or more entities of a communications system to transmit information via any kind of variation of a physical quantity. The protocol defines the rules, syntax, semantics (computer scien ...
implement the Domain Name System. A DNS name server is a server that stores the DNS records for a domain; a DNS name server responds with answers to queries against its database.
The most common types of records stored in the DNS database are for Start of Authority (
SOA),
IP address
An Internet Protocol address (IP address) is a numerical label such as that is connected to a computer network that uses the Internet Protocol for communication.. Updated by . An IP address serves two main functions: network interface ident ...
es (
A and
AAAA),
SMTP
The Simple Mail Transfer Protocol (SMTP) is an Internet standard communication protocol for electronic mail transmission. Mail servers and other message transfer agents use SMTP to send and receive mail messages. User-level email clients typical ...
mail exchanger
Within the Internet email system, a message transfer agent (MTA), or mail transfer agent, or mail relay is software that transfers electronic mail messages from one computer to another using SMTP. The terms mail server, mail exchanger, and MX host ...
s (MX), name servers (NS), pointers for
reverse DNS lookup
In computer networks, a reverse DNS lookup or reverse DNS resolution (rDNS) is the querying technique of the Domain Name System (DNS) to determine the domain name associated with an IP address – the reverse of the usual "forward" DNS lookup o ...
s (PTR), and
domain name alias
A Canonical Name record (abbreviated as CNAME record) is a type of resource record in the Domain Name System (DNS) that maps one domain name (an alias) to another (the canonical name).
This can prove convenient when running multiple services (li ...
es (CNAME). Although not intended to be a general purpose database, DNS has been expanded over time to store records for other types of data for either automatic lookups, such as
DNSSEC
The Domain Name System Security Extensions (DNSSEC) are a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol ...
records, or for human queries such as ''responsible person'' (RP) records. As a general purpose database, the DNS has also been used in combating
unsolicited email
Email spam, also referred to as junk email, spam mail, or simply spam, is unsolicited messages sent in bulk by email (spamming).
The name comes from a Monty Python sketch in which the name of the canned pork product Spam is ubiquitous, unavoida ...
(spam) by storing a
real-time blackhole list
A Domain Name System blocklist, Domain Name System-based blackhole list, Domain Name System blacklist (DNSBL) or real-time blackhole list (RBL) is a service for operation of mail servers to perform a check via a Domain Name System (DNS) query whe ...
(RBL). The DNS database is traditionally stored in a structured text file, the
zone file
A Domain Name System (DNS) zone file is a text file that describes a DNS zone. A DNS zone is a subset, often a single domain, of the hierarchical domain name structure of the DNS. The zone file contains mappings between domain names and IP addr ...
, but other database systems are common.
The Domain Name System originally used the
User Datagram Protocol
In computer networking, the User Datagram Protocol (UDP) is one of the core communication protocols of the Internet protocol suite used to send messages (transported as datagrams in packets) to other hosts on an Internet Protocol (IP) network. ...
(UDP) as transport over IP. Reliability, security, and privacy concerns spawned the use of the
Transmission Control Protocol
The Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP). Therefore, the entire suite is commonly ...
(TCP) as well as numerous other protocol developments.
Function
An often-used analogy to explain the DNS is that it serves as the
phone book
A telephone is a telecommunications device that permits two or more users to conduct a conversation when they are too far apart to be easily heard directly. A telephone converts sound, typically and most efficiently the human voice, into e ...
for the Internet by translating human-friendly computer
hostname
In computer networking, a hostname (archaically nodename) is a label that is assigned to a device connected to a computer network and that is used to identify the device in various forms of electronic communication, such as the World Wide Web. Hos ...
s into IP addresses. For example, the hostname
www.example.com
within the domain name
example.com
The domain names example.com, example.net, example.org, and example.edu are second-level domain names in the Domain Name System of the Internet. They are reserved by the Internet Assigned Numbers Authority (IANA) at the direction of the Internet ...
translates to the addresses (
IPv4
Internet Protocol version 4 (IPv4) is the fourth version of the Internet Protocol (IP). It is one of the core protocols of standards-based internetworking methods in the Internet and other packet-switched networks. IPv4 was the first version de ...
) and (
IPv6
Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP), the communication protocol, communications protocol that provides an identification and location system for computers on networks and routes traffic ...
). The DNS can be quickly and transparently updated, allowing a service's location on the network to change without affecting the end users, who continue to use the same hostname. Users take advantage of this when they use meaningful Uniform Resource Locators (
URLs) and
e-mail address
An email address identifies an email box to which messages are delivered. While early messaging systems used a variety of formats for addressing, today, email addresses follow a set of specific rules originally standardized by the Internet Engineer ...
es without having to know how the computer actually locates the services.
An important and
ubiquitous
Omnipresence or ubiquity is the property of being present anywhere and everywhere. The term omnipresence is most often used in a religious context as an attribute of a deity or supreme being, while the term ubiquity is generally used to describe ...
function of the DNS is its central role in distributed Internet services such as
cloud service
Cloud computing is the on-demand availability of computer system resources, especially data storage (cloud storage) and computing power, without direct active management by the user. Large clouds often have functions distributed over multip ...
s and
content delivery network
A content delivery network, or content distribution network (CDN), is a geographically distributed network of proxy servers and their data centers. The goal is to provide high availability and performance by distributing the service spatially re ...
s. When a user accesses a distributed Internet service using a URL, the domain name of the
URL is translated to the IP address of a server that is proximal to the user. The key functionality of the DNS exploited here is that different users can ''simultaneously'' receive different translations for the ''same'' domain name, a key point of divergence from a traditional phone-book view of the DNS. This process of using the DNS to assign proximal servers to users is key to providing faster and more reliable responses on the Internet and is widely used by most major Internet services.
The DNS reflects the structure of administrative responsibility on the Internet.
Each subdomain is a
zone
Zone or The Zone may refer to:
Places Climate and altitude zones
* Death zone (originally the lethal zone), altitudes above a certain point where the amount of oxygen is insufficient to sustain human life for an extended time span
* Frigid zone, ...
of administrative autonomy delegated to a manager. For zones operated by a
registry Registry may refer to:
Computing
* Container registry, an operating-system-level virtualization registry
* Domain name registry, a database of top-level internet domain names
* Local Internet registry
* Metadata registry, information system for re ...
, administrative information is often complemented by the registry's
RDAP and
WHOIS
WHOIS (pronounced as the phrase "who is") is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomou ...
services. That data can be used to gain insight on, and track responsibility for, a given host on the Internet.
History
Using a simpler, more memorable name in place of a host's numerical address dates back to the
ARPANET
The Advanced Research Projects Agency Network (ARPANET) was the first wide-area packet-switched network with distributed control and one of the first networks to implement the TCP/IP protocol suite. Both technologies became the technical fou ...
era. The Stanford Research Institute (now
SRI International
SRI International (SRI) is an American nonprofit scientific research institute and organization headquartered in Menlo Park, California. The trustees of Stanford University established SRI in 1946 as a center of innovation to support economic d ...
) maintained a text file named
HOSTS.TXT that mapped host names to the numerical addresses of computers on the ARPANET.
[RFC 3467, "Role of the Domain Name System (DNS)", J.C. Klensin, J. Klensin (February 2003).] Elizabeth Feinler
Elizabeth Jocelyn "Jake" Feinler (born March 2, 1931) is an American information scientist. From 1972 until 1989 she was director of the Network Information Systems Center at the Stanford Research Institute (SRI International). Her group operated ...
developed and maintained the first ARPANET directory. Maintenance of numerical addresses, called the Assigned Numbers List, was handled by
Jon Postel
Jonathan Bruce Postel (; August 6, 1943 – October 16, 1998) was an American computer scientist who made many significant contributions to the development of the Internet, particularly with respect to standards. He is known principally for be ...
at the
University of Southern California
The University of Southern California (USC, SC, or Southern Cal) is a Private university, private research university in Los Angeles, California, United States. Founded in 1880 by Robert M. Widney, it is the oldest private research university in C ...
's
Information Sciences Institute
The USC Information Sciences Institute (ISI) is a component of the University of Southern California (USC) Viterbi School of Engineering, and specializes in research and development in information processing, computing, and communications techno ...
(ISI), whose team worked closely with SRI.
Addresses were assigned manually. Computers, including their hostnames and addresses, were added to the primary file by contacting the SRI
Network Information Center
The Network Information Center (NIC), also known as InterNIC from 1993 until 1998, was the organization primarily responsible for Domain Name System (DNS) domain name allocations and X.500 directory services. From its inception in 1972 until Oc ...
(NIC), directed by Feinler,
telephone
A telephone is a telecommunications device that permits two or more users to conduct a conversation when they are too far apart to be easily heard directly. A telephone converts sound, typically and most efficiently the human voice, into e ...
during business hours.
Later, Feinler set up a
WHOIS
WHOIS (pronounced as the phrase "who is") is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomou ...
directory on a server in the NIC for retrieval of information about resources, contacts, and entities. She and her team developed the concept of domains. Feinler suggested that domains should be based on the location of the physical address of the computer. Computers at educational institutions would have the domain ''
edu'', for example. She and her team managed the Host Naming Registry from 1972 to 1989.
By the early 1980s, maintaining a single, centralized host table had become slow and unwieldy and the emerging network required an automated naming system to address technical and personnel issues. Postel directed the task of forging a compromise between five competing proposals of solutions to
Paul Mockapetris
Paul V. Mockapetris (born 1948 in Boston, Massachusetts, US) is an American computer scientist and Internet pioneer, who invented the Internet Domain Name System (DNS).
Education
Mockapetris graduated from the Boston Latin School in 1966, rec ...
. Mockapetris instead created the Domain Name System in 1983 while at the
University of Southern California
The University of Southern California (USC, SC, or Southern Cal) is a Private university, private research university in Los Angeles, California, United States. Founded in 1880 by Robert M. Widney, it is the oldest private research university in C ...
.
The
Internet Engineering Task Force
The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and a ...
published the original specifications in RFC 882 and RFC 883 in November 1983. These were updated in RFC 973 in January 1986.
In 1984, four
UC Berkeley
The University of California, Berkeley (UC Berkeley, Berkeley, Cal, or California) is a public university, public land-grant university, land-grant research university in Berkeley, California. Established in 1868 as the University of Californi ...
students, Douglas Terry, Mark Painter, David Riggle, and Songnian Zhou, wrote the first
Unix
Unix (; trademarked as UNIX) is a family of multitasking, multiuser computer operating systems that derive from the original AT&T Unix, whose development started in 1969 at the Bell Labs research center by Ken Thompson, Dennis Ritchie, and ot ...
name server
A name server refers to the server component of the Domain Name System (DNS), one of the two principal namespaces of the Internet. The most important function of DNS servers is the translation (resolution) of human-memorable domain names (example. ...
implementation for the Berkeley Internet Name Domain, commonly referred to as
BIND
BIND () is a suite of software for interacting with the Domain Name System (DNS). Its most prominent component, named (pronounced ''name-dee'': , short for ''name daemon''), performs both of the main DNS server roles, acting as an authoritative n ...
.
In 1985, Kevin Dunlap of
DEC substantially revised the DNS implementation.
Mike Karels
Michael J. (Mike) Karels is an American Software Engineer and one of the key people in history of BSD UNIX.
A graduate of University of Notre Dame with a Bachelor of Science in Microbiology. Mike went on to University of California, Berkeley for ...
, Phil Almquist, and
Paul Vixie
Paul Vixie is an American computer scientist whose technical contributions include Domain Name System (DNS) protocol design and procedure, mechanisms to achieve operational robustness of DNS implementations, and significant contributions to open s ...
then took over BIND maintenance.
Internet Systems Consortium
Internet Systems Consortium, Inc., also known as ISC, is a Delaware-registered, 501(c)(3) non-profit corporation that supports the infrastructure of the universal, self-organizing Internet by developing and maintaining core production-quality so ...
was founded in 1994 by
Rick Adams,
Paul Vixie
Paul Vixie is an American computer scientist whose technical contributions include Domain Name System (DNS) protocol design and procedure, mechanisms to achieve operational robustness of DNS implementations, and significant contributions to open s ...
, and
Carl Malamud
Carl Malamud (born July 2, 1959) is an American technologist, author, and public domain advocate, known for his foundation Public.Resource.Org. He founded the Internet Multicasting Service. During his time with this group, he was responsible fo ...
, expressly to provide a home for BIND development and maintenance. BIND versions from 4.9.3 onward were developed and maintained by ISC, with support provided by ISC’s sponsors. As co-architects/programmers, Bob Halley and Paul Vixie released the first production-ready version of BIND version 8 in May 1997. Since 2000, over 43 different core developers have worked on BIND.
In November 1987, RFC 1034
and RFC 1035
superseded the 1983 DNS specifications. Several additional
Request for Comments
A Request for Comments (RFC) is a publication in a series from the principal technical development and standards-setting bodies for the Internet, most prominently the Internet Engineering Task Force (IETF). An RFC is authored by individuals or g ...
have proposed extensions to the core DNS protocols.
Structure
Domain name space
The domain name space consists of a
tree data structure
In computer science, a tree is a widely used abstract data type that represents a hierarchical tree structure with a set of connected nodes. Each node in the tree can be connected to many children (depending on the type of tree), but must be conn ...
. Each node or leaf in the tree has a ''label'' and zero or more ''resource records'' (RR), which hold information associated with the domain name. The domain name itself consists of the label, concatenated with the name of its parent node on the right, separated by a dot.
The tree sub-divides into ''zones'' beginning at the
root zone. A
DNS zone
A DNS zone is a specific portion of the DNS namespace in the Domain Name System (DNS), which is managed by a specific organization or administrator. A DNS zone is an administrative space that allows for more granular control of the DNS componen ...
may consist of as many domains and sub domains as the zone manager chooses. DNS can also be partitioned according to ''class'' where the separate classes can be thought of as an array of parallel namespace trees.
Administrative responsibility for any zone may be divided by creating additional zones. Authority over the new zone is said to be ''delegated'' to a designated name server. The parent zone ceases to be authoritative for the new zone.
[
]
Domain name syntax, internationalization
The definitive descriptions of the rules for forming domain names appear in RFC 1035, RFC 1123, RFC 2181, and RFC 5892. A domain name
A domain name is a string that identifies a realm of administrative autonomy, authority or control within the Internet. Domain names are often used to identify services provided through the Internet, such as websites, email services and more. As ...
consists of one or more parts, technically called ''labels'', that are conventionally concatenated
In formal language theory and computer programming, string concatenation is the operation of joining character strings end-to-end. For example, the concatenation of "snow" and "ball" is "snowball". In certain formalisations of concatenat ...
, and delimited by dots, such as example.com.
The right-most label conveys the top-level domain
A top-level domain (TLD) is one of the domains at the highest level in the hierarchical Domain Name System of the Internet after the root domain. The top-level domain names are installed in the root zone of the name space. For all domains in ...
; for example, the domain name www.example.com belongs to the top-level domain ''com''.
The hierarchy of domains descends from right to left; each label to the left specifies a subdivision, or subdomain
In the Domain Name System (DNS) hierarchy, a subdomain is a domain that is a part of another (main) domain. For example, if a domain offered an online store as part of their website example.com, it might use the subdomain shop.example.com .
Ov ...
of the domain to the right. For example, the label ''example'' specifies a subdomain of the ''com'' domain, and ''www'' is a subdomain of example.com. This tree of subdivisions may have up to 127 levels.
A label may contain zero to 63 characters. The null label, of length zero, is reserved for the root zone. The full domain name may not exceed the length of 253 characters in its textual representation.[ In the internal binary representation of the DNS the maximum length requires 255 octets of storage, as it also stores the length of the name.][
Although no technical limitation exists to prevent domain name labels using any character which is representable by an octet, hostnames use a preferred format and character set. The characters allowed in labels are a subset of the ]ASCII
ASCII ( ), abbreviated from American Standard Code for Information Interchange, is a character encoding standard for electronic communication. ASCII codes represent text in computers, telecommunications equipment, and other devices. Because of ...
character set, consisting of characters ''a'' through ''z'', ''A'' through ''Z'', digits ''0'' through ''9'', and hyphen. This rule is known as the ''LDH rule'' (letters, digits, hyphen). Domain names are interpreted in case-independent manner. Labels may not start or end with a hyphen.[RFC 3696, ''Application Techniques for Checking and Transformation of Names'', J. Klensin] An additional rule requires that top-level domain names should not be all-numeric.
The limited set of ASCII characters permitted in the DNS prevented the representation of names and words of many languages in their native alphabets or scripts. To make this possible, ICANN
The Internet Corporation for Assigned Names and Numbers (ICANN ) is an American multistakeholder group and nonprofit organization responsible for coordinating the maintenance and procedures of several databases related to the namespaces ...
approved the Internationalizing Domain Names in Applications
An internationalized domain name (IDN) is an Internet domain name that contains at least one label displayed in software applications, in whole or in part, in non-latin script or alphabet, such as Arabic, Bengali, Chinese ( Mandarin, simplifi ...
(IDNA) system, by which user applications, such as web browsers, map Unicode
Unicode, formally The Unicode Standard,The formal version reference is is an information technology Technical standard, standard for the consistent character encoding, encoding, representation, and handling of Character (computing), text expre ...
strings into the valid DNS character set using Punycode
Punycode is a representation of Unicode with the limited ASCII character subset used for Internet hostnames. Using Punycode, host names containing Unicode characters are transcoded to a subset of ASCII consisting of letters, digits, and hyphens, wh ...
. In 2009 ICANN approved the installation of internationalized domain name country code top-level domains (''ccTLD''s). In addition, many registries of the existing top-level domain names ( ''TLD''s) have adopted the IDNA system, guided by RFC 5890, RFC 5891, RFC 5892, RFC 5893.
Name servers
The Domain Name System is maintained by a distributed database
A distributed database is a database in which data is stored across different physical locations. It may be stored in multiple computers located in the same physical location (e.g. a data centre); or maybe dispersed over a network of interconnect ...
system, which uses the client–server model
The client–server model is a distributed application structure that partitions tasks or workloads between the providers of a resource or service, called servers, and service requesters, called clients. Often clients and servers communicate over ...
. The nodes of this database are the name server
A name server refers to the server component of the Domain Name System (DNS), one of the two principal namespaces of the Internet. The most important function of DNS servers is the translation (resolution) of human-memorable domain names (example. ...
s. Each domain has at least one authoritative DNS server that publishes information about that domain and the name servers of any domains subordinate to it. The top of the hierarchy is served by the root name server
A root name server is a name server for the root zone of the Domain Name System (DNS) of the Internet. It directly answers requests for records in the root zone and answers other requests by returning a list of the authoritative name servers fo ...
s, the servers to query when looking up (''resolving'') a TLD
A top-level domain (TLD) is one of the domains at the highest level in the hierarchical Domain Name System of the Internet after the root domain. The top-level domain names are installed in the root zone of the name space. For all domains in ...
.
Authoritative name server
An ''authoritative'' name server is a name server that only gives answers
Answer commonly refers to response to a question.
Answer may also refer to:
* Answer (law), any reply to a question, counter-statement or defense in a legal procedure
Music
* Answer, an element of a fugue
Albums
* ''Answer'' (Angela Aki albu ...
to DNS queries from data that have been configured by an original source, for example, the domain administrator or by dynamic DNS methods, in contrast to answers obtained via a query to another name server that only maintains a cache of data.
An authoritative name server can either be a ''primary'' server or a ''secondary'' server. Historically the terms ''master/slave'' and ''primary/secondary'' were sometimes used interchangeably but the current practice is to use the latter form. A primary server is a server that stores the original copies of all zone records. A secondary server uses a special automatic updating mechanism in the DNS protocol in communication with its primary to maintain an identical copy of the primary records.
Every DNS zone must be assigned a set of authoritative name servers. This set of servers is stored in the parent domain zone with name server (NS) records.
An authoritative server indicates its status of supplying definitive answers, deemed ''authoritative'', by setting a protocol flag, called the "''Authoritative Answer''" (''AA'') bit
The bit is the most basic unit of information in computing and digital communications. The name is a portmanteau of binary digit. The bit represents a logical state with one of two possible values. These values are most commonly represente ...
in its responses. This flag is usually reproduced prominently in the output of DNS administration query tools, such as dig
Digging, also referred to as excavation, is the process of using some implement such as claws, hands, manual tools or heavy equipment, to remove material from a solid surface, usually soil, sand or rock (geology), rock on the surface of Earth. Di ...
, to indicate ''that the responding name server is an authority for the domain name in question.''
When a name server is designated as the authoritative server for a domain name for which it does not have authoritative data, it presents a type of error called a "lame delegation" or "lame response".
Operation
Address resolution mechanism
Domain name resolvers determine the domain name servers responsible for the domain name in question by a sequence of queries starting with the right-most (top-level) domain label.
For proper operation of its domain name resolver, a network host is configured with an initial cache (''hints'') of the known addresses of the root name servers. The hints are updated periodically by an administrator by retrieving a dataset from a reliable source.
Assuming the resolver has no cached records to accelerate the process, the resolution process starts with a query to one of the root servers. In typical operation, the root servers do not answer directly, but respond with a referral to more authoritative servers, e.g., a query for "www.wikipedia.org" is referred to the ''org'' servers. The resolver now queries the servers referred to, and iteratively repeats this process until it receives an authoritative answer. The diagram illustrates this process for the host that is named by the fully qualified domain name
A fully qualified domain name (FQDN), sometimes also referred to as an ''absolute domain name'', is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS). It specifies all domain levels, including th ...
"www.wikipedia.org".
This mechanism would place a large traffic burden on the root servers, if every resolution on the Internet required starting at the root. In practice caching is used in DNS servers to off-load the root servers, and as a result, root name servers actually are involved in only a relatively small fraction of all requests.
Recursive and caching name server
In theory, authoritative name servers are sufficient for the operation of the Internet. However, with only authoritative name servers operating, every DNS query must start with recursive queries at the root zone of the Domain Name System and each user system would have to implement resolver software capable of recursive operation.
To improve efficiency, reduce DNS traffic across the Internet, and increase performance in end-user applications, the Domain Name System supports DNS cache servers which store DNS query results for a period of time determined in the configuration (''time-to-live
Time to live (TTL) or hop limit is a mechanism which limits the lifespan or lifetime of data in a computer or network. TTL may be implemented as a counter or timestamp attached to or embedded in the data. Once the prescribed event count or times ...
'') of the domain name record in question.
Typically, such caching DNS servers also implement the recursive algorithm necessary to resolve a given name starting with the DNS root through to the authoritative name servers of the queried domain. With this function implemented in the name server, user applications gain efficiency in design and operation.
The combination of DNS caching and recursive functions in a name server is not mandatory; the functions can be implemented independently in servers for special purposes.
Internet service providers
An Internet service provider (ISP) is an organization that provides services for accessing, using, or participating in the Internet. ISPs can be organized in various forms, such as commercial, community-owned, non-profit, or otherwise privatel ...
typically provide recursive and caching name servers for their customers. In addition, many home networking routers implement DNS caches and recursion to improve efficiency in the local network.
DNS resolvers
The client side
Client-side refers to operations that are performed by the client in a client–server relationship in a computer network.
General concepts
Typically, a client is a computer application, such as a web browser, that runs on a user's local compute ...
of the DNS is called a DNS resolver. A resolver is responsible for initiating and sequencing the queries that ultimately lead to a full resolution (translation) of the resource sought, e.g., translation of a domain name into an IP address. DNS resolvers are classified by a variety of query methods, such as ''recursive'', ''non-recursive'', and ''iterative''. A resolution process may use a combination of these methods.
In a ''non-recursive query'', a DNS resolver queries a DNS server that provides a record either for which the server is authoritative, or it provides a partial result without querying other servers. In case of a caching DNS resolver, the non-recursive query of its local DNS cache
The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to ...
delivers a result and reduces the load on upstream DNS servers by caching DNS resource records for a period of time after an initial response from upstream DNS servers.
In a ''recursive query'', a DNS resolver queries a single DNS server, which may in turn query other DNS servers on behalf of the requester. For example, a simple stub resolver running on a home router
A residential gateway is a small consumer-grade gateway_(telecommunications), gateway which bridging (networking), bridges network access between connected local area network (LAN) hosts to a wide area network (WAN) (such as the Internet) via a mod ...
typically makes a recursive query to the DNS server run by the user's ISP
An Internet service provider (ISP) is an organization that provides services for accessing, using, or participating in the Internet. ISPs can be organized in various forms, such as commercial, community-owned, non-profit, or otherwise private ...
. A recursive query is one for which the DNS server answers the query completely by querying other name servers as needed. In typical operation, a client issues a recursive query to a caching recursive DNS server, which subsequently issues non-recursive queries to determine the answer and send a single answer back to the client. The resolver, or another DNS server acting recursively on behalf of the resolver, negotiates use of recursive service using bits in the query headers. DNS servers are not required to support recursive queries.
The ''iterative query'' procedure is a process in which a DNS resolver queries a chain of one or more DNS servers. Each server refers the client to the next server in the chain, until the current server can fully resolve the request. For example, a possible resolution of www.example.com would query a global root server, then a "com" server, and finally an "example.com" server.
Circular dependencies and glue records
Name servers in delegations are identified by name, rather than by IP address. This means that a resolving name server must issue another DNS request to find out the IP address of the server to which it has been referred. If the name given in the delegation is a subdomain of the domain for which the delegation is being provided, there is a circular dependency
In software engineering, a circular dependency is a relation between two or more modules which either directly or indirectly depend on each other to function properly. Such modules are also known as mutually recursive.
Overview
Circular depend ...
.
In this case, the name server providing the delegation must also provide one or more IP addresses for the authoritative name server mentioned in the delegation. This information is called ''glue''. The delegating name server provides this glue in the form of records in the ''additional section'' of the DNS response, and provides the delegation in the ''authority section'' of the response. A glue record is a combination of the name server and IP address.
For example, if the authoritative name server
A name server refers to the server component of the Domain Name System (DNS), one of the two principal namespaces of the Internet. The most important function of DNS servers is the translation (resolution) of human-memorable domain names (example. ...
for example.org is ns1.example.org, a computer trying to resolve www.example.org first resolves ns1.example.org. As ns1 is contained in example.org, this requires resolving example.org first, which presents a circular dependency. To break the dependency, the name server for the top level domain
A top-level domain (TLD) is one of the domains at the highest level in the hierarchical Domain Name System of the Internet after the root domain. The top-level domain names are installed in the root zone of the name space. For all domains in ...
org includes glue along with the delegation for example.org. The glue records are address records that provide IP addresses for ns1.example.org. The resolver uses one or more of these IP addresses to query one of the domain's authoritative servers, which allows it to complete the DNS query.
Record caching
A standard practice in implementing name resolution in applications is to reduce the load on the Domain Name System servers by caching results locally, or in intermediate resolver hosts. Results obtained from a DNS request are always associated with the time to live
Time to live (TTL) or hop limit is a mechanism which limits the lifespan or lifetime of data in a computer or network. TTL may be implemented as a counter or timestamp attached to or embedded in the data. Once the prescribed event count or timesp ...
(TTL), an expiration time after which the results must be discarded or refreshed. The TTL is set by the administrator of the authoritative DNS server. The period of validity may vary from a few seconds to days or even weeks.
As a result of this distributed caching architecture, changes to DNS records do not propagate throughout the network immediately, but require all caches to expire and to be refreshed after the TTL. RFC 1912 conveys basic rules for determining appropriate TTL values.
Some resolvers may override TTL values, as the protocol supports caching for up to sixty-eight years or no caching at all. Negative caching
In computer programming, negative cache is a cache that also stores "negative" responses, i.e. failures. This means that a program remembers the result indicating a failure even after the cause has been corrected. Usually negative cache is a desig ...
, i.e. the caching of the fact of non-existence of a record, is determined by name servers authoritative for a zone which must include the Start of Authority (SOA) record when reporting no data of the requested type exists. The value of the ''minimum'' field of the SOA record and the TTL of the SOA itself is used to establish the TTL for the negative answer.
Reverse lookup
A reverse DNS lookup
In computer networks, a reverse DNS lookup or reverse DNS resolution (rDNS) is the querying technique of the Domain Name System (DNS) to determine the domain name associated with an IP address – the reverse of the usual "forward" DNS lookup o ...
is a query of the DNS for domain names when the IP address is known. Multiple domain names may be associated with an IP address. The DNS stores IP addresses in the form of domain names as specially formatted names in pointer (PTR) records within the infrastructure top-level domain arpa. For IPv4, the domain is in-addr.arpa. For IPv6, the reverse lookup domain is ip6.arpa. The IP address is represented as a name in reverse-ordered octet representation for IPv4, and reverse-ordered nibble representation for IPv6.
When performing a reverse lookup, the DNS client converts the address into these formats before querying the name for a PTR record following the delegation chain as for any DNS query. For example, assuming the IPv4 address 208.80.152.2 is assigned to Wikimedia, it is represented as a DNS name in reverse order: 2.152.80.208.in-addr.arpa. When the DNS resolver gets a pointer (PTR) request, it begins by querying the root servers, which point to the servers of American Registry for Internet Numbers
The American Registry for Internet Numbers (ARIN) is the regional Internet registry for Canada, the United States, and many Caribbean and North Atlantic islands. ARIN manages the distribution of Internet number resources, including IPv4 and IPv ...
(ARIN) for the 208.in-addr.arpa zone. ARIN's servers delegate 152.80.208.in-addr.arpa to Wikimedia to which the resolver sends another query for 2.152.80.208.in-addr.arpa, which results in an authoritative response.
Client lookup
Users generally do not communicate directly with a DNS resolver. Instead DNS resolution takes place transparently in applications such as web browser
A web browser is application software for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's screen. Browsers are used on ...
s, e-mail client
An email client, email reader or, more formally, message user agent (MUA) or mail user agent is a computer program used to access and manage a user's email.
A web application which provides message management, composition, and reception functio ...
s, and other Internet applications. When an application makes a request that requires a domain name lookup, such programs send a resolution request to the DNS resolver
The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to ...
in the local operating system, which in turn handles the communications required.
The DNS resolver will almost invariably have a cache (see above) containing recent lookups. If the cache can provide the answer to the request, the resolver will return the value in the cache to the program that made the request. If the cache does not contain the answer, the resolver will send the request to one or more designated DNS servers. In the case of most home users, the Internet service provider to which the machine connects will usually supply this DNS server: such a user will either have configured that server's address manually or allowed DHCP
The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on Internet Protocol (IP) networks for automatically assigning IP addresses and other communication parameters to devices connected to the network using a cli ...
to set it; however, where systems administrators have configured systems to use their own DNS servers, their DNS resolvers point to separately maintained name servers of the organization. In any event, the name server thus queried will follow the process outlined above, until it either successfully finds a result or does not. It then returns its results to the DNS resolver; assuming it has found a result, the resolver duly caches that result for future use, and hands the result back to the software which initiated the request.
Broken resolvers
Some large ISPs have configured their DNS servers to violate rules, such as by disobeying TTLs, or by indicating that a domain name does not exist just because one of its name servers does not respond.
Some applications such as web browsers maintain an internal DNS cache to avoid repeated lookups via the network. This practice can add extra difficulty when debugging DNS issues as it obscures the history of such data. These caches typically use very short caching times on the order of one minute.
Internet Explorer
Internet Explorer (formerly Microsoft Internet Explorer and Windows Internet Explorer, commonly abbreviated IE or MSIE) is a series of graphical user interface, graphical web browsers developed by Microsoft which was used in the Microsoft Wind ...
represents a notable exception: versions up to IE 3.x cache DNS records for 24 hours by default. Internet Explorer 4.x and later versions (up to IE 8) decrease the default timeout value to half an hour, which may be changed by modifying the default configuration.
When Google Chrome
Google Chrome is a cross-platform web browser developed by Google. It was first released in 2008 for Microsoft Windows, built with free software components from Apple WebKit and Mozilla Firefox. Versions were later released for Linux, macOS ...
detects issues with the DNS server it displays a specific error message.
Other applications
The Domain Name System includes several other functions and features.
Hostnames and IP addresses are not required to match in a one-to-one relationship. Multiple hostnames may correspond to a single IP address, which is useful in virtual hosting
Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server (or pool of servers). This allows one server to share its resources, such as memory and processor cycles, without requiring all ...
, in which many web sites are served from a single host. Alternatively, a single hostname may resolve to many IP addresses to facilitate fault tolerance
Fault tolerance is the property that enables a system to continue operating properly in the event of the failure of one or more faults within some of its components. If its operating quality decreases at all, the decrease is proportional to the ...
and load distribution
In computing, load balancing is the process of distributing a set of tasks over a set of resources (computing units), with the aim of making their overall processing more efficient. Load balancing can optimize the response time and avoid unevenl ...
to multiple server instances across an enterprise or the global Internet.
DNS serves other purposes in addition to translating names to IP addresses. For instance, mail transfer agent
The mail or post is a system for physically transporting postcards, letters, and parcels. A postal service can be private or public, though many governments place restrictions on private systems. Since the mid-19th century, national postal syst ...
s use DNS to find the best mail server to deliver e-mail
Electronic mail (email or e-mail) is a method of exchanging messages ("mail") between people using electronic devices. Email was thus conceived as the electronic ( digital) version of, or counterpart to, mail, at a time when "mail" meant ...
: An MX record
A mail exchanger record (MX record) specifies the mail server responsible for accepting email messages on behalf of a domain name. It is a resource record in the Domain Name System (DNS). It is possible to configure several MX records, typically p ...
provides a mapping between a domain and a mail exchanger; this can provide an additional layer of fault tolerance and load distribution.
The DNS is used for efficient storage and distribution of IP addresses of blacklisted email hosts. A common method is to place the IP address of the subject host into the sub-domain of a higher level domain name, and to resolve that name to a record that indicates a positive or a negative indication.
For example:
* The address 102.3.4.5 is blacklisted. It points to 5.4.3.102.blacklist.example, which resolves to 127.0.0.1.
* The address 102.3.4.6 is not blacklisted and points to 6.4.3.102.blacklist.example. This hostname is either not configured, or resolves to 127.0.0.2.
E-mail servers can query blacklist.example to find out if a specific host connecting to them is in the blacklist. Many of such blacklists, either subscription-based or free of cost, are available for use by email administrators and anti-spam software.
To provide resilience in the event of computer or network failure, multiple DNS servers are usually provided for coverage of each domain. At the top level of global DNS, thirteen groups of root name servers
A root name server is a name server for the root zone of the Domain Name System (DNS) of the Internet. It directly answers requests for records in the root zone and answers other requests by returning a list of the authoritative name servers f ...
exist, with additional "copies" of them distributed worldwide via anycast
Anycast is a network addressing and routing methodology in which a single destination IP address is shared by devices (generally servers) in multiple locations. Routers direct packets addressed to this destination to the location nearest the se ...
addressing.
Dynamic DNS
Dynamic DNS (DDNS) is a method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DDNS configuration of its configured hostnames, addresses or other information.
The term is used to desc ...
(DDNS) updates a DNS server with a client IP address on-the-fly, for example, when moving between ISPs or mobile hot spots, or when the IP address changes administratively.
DNS message format
The DNS protocol uses two types of DNS messages, queries and replies; both have the same format. Each message consists of a header and four sections: question, answer, authority, and an additional space. A header field (''flags'') controls the content of these four sections.[
The header section consists of the following fields: ''Identification'', ''Flags'', ''Number of questions'', ''Number of answers'', ''Number of authority resource records'' (RRs), and ''Number of additional RRs''. Each field is 16 bits long, and appears in the order given. The identification field is used to match responses with queries. The flag field consists of sub-fields as follows:
After the flag, the header ends with four 16-bit integers which contain the number of records in each of the sections that follow, in the same order.
]
Question section
The question section has a simpler format than the resource record format used in the other sections. Each question record (there is usually just one in the section) contains the following fields:
The domain name is broken into discrete labels which are concatenated; each label is prefixed by the length of that label.
Resource records
The Domain Name System specifies a database of information elements for network resources. The types of information elements are categorized and organized with a list of DNS record types
This list of DNS record types is an overview of resource records (RRs) permissible in zone files of the Domain Name System
The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resour ...
, the resource records (RRs). Each record has a type (name and number), an expiration time (time to live
Time to live (TTL) or hop limit is a mechanism which limits the lifespan or lifetime of data in a computer or network. TTL may be implemented as a counter or timestamp attached to or embedded in the data. Once the prescribed event count or timesp ...
), a class, and type-specific data. Resource records of the same type are described as a ''resource record set'' (RRset), having no special ordering. DNS resolvers return the entire set upon query, but servers may implement round-robin ordering to achieve load balancing. In contrast, the Domain Name System Security Extensions
The Domain Name System Security Extensions (DNSSEC) are a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol ...
(DNSSEC) work on the complete set of resource record in canonical order.
When sent over an Internet Protocol
The Internet Protocol (IP) is the network layer communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables internetworking, and essentially establishes the Internet.
IP h ...
network, all records use the common format specified in RFC 1035:
''NAME'' is the fully qualified domain name of the node in the tree . On the wire, the name may be shortened using label compression where ends of domain names mentioned earlier in the packet can be substituted for the end of the current domain name.
''TYPE'' is the record type. It indicates the format of the data and it gives a hint of its intended use. For example, the ''A'' record is used to translate from a domain name to an IPv4 address
Internet Protocol version 4 (IPv4) is the fourth version of the Internet Protocol (IP). It is one of the core protocols of standards-based internetworking methods in the Internet and other packet-switched networks. IPv4 was the first version d ...
, the ''NS'' record lists which name servers can answer lookups on a DNS zone
A DNS zone is a specific portion of the DNS namespace in the Domain Name System (DNS), which is managed by a specific organization or administrator. A DNS zone is an administrative space that allows for more granular control of the DNS componen ...
, and the ''MX'' record specifies the mail server used to handle mail for a domain specified in an e-mail address.
''RDATA'' is data of type-specific relevance, such as the IP address for address records, or the priority and hostname for MX records. Well known record types may use label compression in the RDATA field, but "unknown" record types must not (RFC 3597).
The ''CLASS'' of a record is set to IN (for ''Internet'') for common DNS records involving Internet hostnames, servers, or IP addresses. In addition, the classes Chaos
Chaos or CHAOS may refer to:
Arts, entertainment and media Fictional elements
* Chaos (''Kinnikuman'')
* Chaos (''Sailor Moon'')
* Chaos (''Sesame Park'')
* Chaos (''Warhammer'')
* Chaos, in ''Fabula Nova Crystallis Final Fantasy''
* Cha ...
(CH) and Hesiod
Hesiod (; grc-gre, Ἡσίοδος ''Hēsíodos'') was an ancient Greek poet generally thought to have been active between 750 and 650 BC, around the same time as Homer. He is generally regarded by western authors as 'the first written poet i ...
(HS) exist. Each class is an independent name space with potentially different delegations of DNS zones.
In addition to resource records defined in a zone file
A Domain Name System (DNS) zone file is a text file that describes a DNS zone. A DNS zone is a subset, often a single domain, of the hierarchical domain name structure of the DNS. The zone file contains mappings between domain names and IP addr ...
, the domain name system also defines several request types that are used only in communication with other DNS nodes (''on the wire''), such as when performing zone transfers (AXFR/IXFR) or for EDNS
Extension Mechanisms for DNS (EDNS) is a specification for expanding the size of several parameters of the Domain Name System (DNS) protocol which had size restrictions that the Internet engineering community deemed too limited for increasing fun ...
(OPT).
Wildcard records
The domain name system supports wildcard DNS record A wildcard DNS record is a record in a DNS zone that will match requests for non-existent domain names. A wildcard DNS record is specified by using a * as the leftmost label (part) of a domain name, e.g. *.example.com. The exact rules for when a wil ...
s which specify names that start with the ''asterisk label'', '*', e.g., *.example.[, ''The Role of Wildcards in the Domain Name System'', E. Lewis (July 2006)] DNS records belonging to wildcard domain names specify rules for generating resource records within a single DNS zone by substituting whole labels with matching components of the query name, including any specified descendants. For example, in the following configuration, the DNS zone ''x.example'' specifies that all subdomains, including subdomains of subdomains, of ''x.example'' use the mail exchanger (MX) ''a.x.example''. The A record for ''a.x.example'' is needed to specify the mail exchanger IP address. As this has the result of excluding this domain name and its subdomains from the wildcard matches, an additional MX record for the subdomain ''a.x.example'', as well as a wildcarded MX record for all of its subdomains, must also be defined in the DNS zone.
x.example. MX 10 a.x.example.
*.x.example. MX 10 a.x.example.
*.a.x.example. MX 10 a.x.example.
a.x.example. MX 10 a.x.example.
a.x.example. AAAA 2001:db8::1
The role of wildcard records was refined in , because the original definition in was incomplete and resulted in misinterpretations by implementers.
Protocol extensions
The original DNS protocol had limited provisions for extension with new features. In 1999, Paul Vixie published in RFC 2671 (superseded by RFC 6891) an extension mechanism, called Extension Mechanisms for DNS
Extension Mechanisms for DNS (EDNS) is a specification for expanding the size of several parameters of the Domain Name System (DNS) protocol which had size restrictions that the Internet engineering community deemed too limited for increasing fun ...
(EDNS) that introduced optional protocol elements without increasing overhead when not in use. This was accomplished through the OPT pseudo-resource record that only exists in wire transmissions of the protocol, but not in any zone files. Initial extensions were also suggested (EDNS0), such as increasing the DNS message size in UDP datagrams.
Dynamic zone updates
Dynamic DNS updates use the UPDATE DNS opcode to add or remove resource records dynamically from a zone database maintained on an authoritative DNS server. The feature is described in RFC 2136. This facility is useful to register network clients into the DNS when they boot or become otherwise available on the network. As a booting client may be assigned a different IP address each time from a DHCP
The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on Internet Protocol (IP) networks for automatically assigning IP addresses and other communication parameters to devices connected to the network using a cli ...
server, it is not possible to provide static DNS assignments for such clients.
Transport protocols
From the time of its origin in 1983 the DNS has used the User Datagram Protocol
In computer networking, the User Datagram Protocol (UDP) is one of the core communication protocols of the Internet protocol suite used to send messages (transported as datagrams in packets) to other hosts on an Internet Protocol (IP) network. ...
(UDP) for transport over IP. Its limitations have motivated numerous protocol developments for reliability, security, privacy, and other criteria, in the following decades.
;DNS over UDP/53 (Do53): UDP reserves port number
In computer networking, a port is a number assigned to uniquely identify a connection endpoint and to direct data to a specific service. At the software level, within an operating system, a port is a logical construct that identifies a specific ...
53 for servers listening to queries.[ Such queries consist of a clear-text request sent in a single UDP packet from the client, responded to with a clear-text reply sent in a single UDP packet from the server. When the length of the answer exceeds 512 bytes and both client and server support ]Extension Mechanisms for DNS
Extension Mechanisms for DNS (EDNS) is a specification for expanding the size of several parameters of the Domain Name System (DNS) protocol which had size restrictions that the Internet engineering community deemed too limited for increasing fun ...
(EDNS), larger UDP packets may be used. Use of DNS over UDP is limited by, among other things, its lack of transport-layer encryption, authentication, reliable delivery, and message length.
;DNS over TCP/53 (Do53/TCP): In 1989, RFC 1123 specified optional Transmission Control Protocol
The Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP). Therefore, the entire suite is commonly ...
(TCP) transport for DNS queries, replies and, particularly, zone transfers. Via fragmentation of long replies, TCP allows longer responses, reliable delivery, and re-use of long-lived connections between clients and servers.
;DNS over TLS (DoT): DNS over TLS
DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by prevent ...
emerged as an IETF standard for encrypted DNS in 2016, utilizing Transport Layer Security (TLS) to protect the entire connection, rather than just the DNS payload. DoT servers listen on TCP port 853. RFC 7858 specifies that opportunistic encryption and authenticated encryption may be supported, but did not make either server or client authentication mandatory.
;DNS over HTTPS (DoH): DNS over HTTPS
DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-i ...
was developed as a competing standard for DNS query transport in 2018, tunneling DNS query data over HTTPS, which transports HTTP over TLS. DoH was promoted as a more web-friendly alternative to DNS since, like DNSCrypt, it uses TCP port 443, and thus looks similar to web traffic, though they are easily differentiable in practice. DoH has been widely criticized for decreasing user anonymity relative to DoT.
;Oblivious DNS (ODNS) and Oblivious DoH (ODoH): Oblivious DNS (ODNS) was invented and implemented by researchers at Princeton University
Princeton University is a private university, private research university in Princeton, New Jersey. Founded in 1746 in Elizabeth, New Jersey, Elizabeth as the College of New Jersey, Princeton is the List of Colonial Colleges, fourth-oldest ins ...
and the University of Chicago
The University of Chicago (UChicago, Chicago, U of C, or UChi) is a private research university in Chicago, Illinois. Its main campus is located in Chicago's Hyde Park neighborhood. The University of Chicago is consistently ranked among the b ...
as an extension to unencrypted DNS, before DoH was standardized and widely deployed. Apple and Cloudflare subsequently deployed the technology in the context of DoH, as Oblivious DoH (ODoH). ODoH combines ingress/egress separation (invented in ODNS) with DoH's HTTPS tunneling and TLS transport-layer encryption in a single protocol.
;DNS over TOR: DNS may be run over virtual private network
A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. The be ...
s (VPNs) and tunneling protocol
In computer networks, a tunneling protocol is a communication protocol which allows for the movement of data from one network to another. It involves allowing private network communications to be sent across a public network (such as the Internet ...
s. A use which has become common since 2019 to warrant its own frequently used acronym is DNS over Tor
Tor, TOR or ToR may refer to:
Places
* Tor, Pallars, a village in Spain
* Tor, former name of Sloviansk, Ukraine, a city
* Mount Tor, Tasmania, Australia, an extinct volcano
* Tor Bay, Devon, England
* Tor River, Western New Guinea, Indonesia
Sc ...
. The privacy gains of Oblivious DNS can be garnered through the use of the preexisting Tor network of ingress and egress nodes, paired with the transport-layer encryption provided by TLS.
;DNS over QUIC (DoQ): by the Internet Engineering Task Force
The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and a ...
describes DNS over QUIC
QUIC (pronounced "quick") is a general-purpose transport layer network protocol initially designed by Jim Roskind at Google, implemented, and deployed in 2012, announced publicly in 2013 as experimentation broadened, and described at an IETF meet ...
.
;DNSCrypt: The DNSCrypt
DNSCrypt is a network protocol that authenticates and encrypts Domain Name System (DNS) traffic between the user's computer and recursive name servers. It was originally designed by Frank Denis and Yecheng Fu.
Although multiple free and open so ...
protocol, which was developed in 2011 outside the IETF
The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and a ...
standards framework, introduced DNS encryption on the downstream side of recursive resolvers, wherein clients encrypt query payloads using servers' public keys, which are published in the DNS (rather than relying upon third-party certificate authorities) and which may in turn be protected by DNSSEC signatures. DNSCrypt uses either TCP or UDP port 443, the same port as HTTPS encrypted web traffic. This introduced not only privacy regarding the content of the query, but also a significant measure of firewall-traversal capability. In 2019, DNSCrypt was further extended to support an "anonymized" mode, similar to the proposed "Oblivious DNS," in which an ingress node receives a query which has been encrypted with the public key of a different server, and relays it to that server, which acts as an egress node, performing the recursive resolution. Privacy of user/query pairs is created, since the ingress node does not know the content of the query, while the egress nodes does not know the identity of the client. DNSCrypt was first implemented in production by OpenDNS
OpenDNS is an American company providing Domain Name System (DNS) resolution services—with features such as phishing protection, optional content filtering, and DNS lookup in its DNS servers—and a cloud computing security product suite, Umbre ...
in December of 2011. There are several free and open source software implementations that additionally integrate ODoH. It is available for a variety of operating systems, including Unix, Apple iOS, Linux, Android, and MS Windows.
Security issues
Originally, security concerns were not major design considerations for DNS software or any software for deployment on the early Internet, as the network was not open for participation by the general public. However, the expansion of the Internet into the commercial sector in the 1990s changed the requirements for security measures to protect data integrity
Data integrity is the maintenance of, and the assurance of, data accuracy and consistency over its entire Information Lifecycle Management, life-cycle and is a critical aspect to the design, implementation, and usage of any system that stores, proc ...
and user authentication
Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicati ...
.
Several vulnerability issues were discovered and exploited by malicious users. One such issue is DNS cache poisoning
DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g ...
, in which data is distributed to caching resolvers under the pretense of being an authoritative origin server, thereby polluting the data store with potentially false information and long expiration times (time-to-live). Subsequently, legitimate application requests may be redirected to network hosts operated with malicious intent.
DNS responses traditionally do not have a cryptographic signature
A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very high confidence that the message was created b ...
, leading to many attack possibilities; the Domain Name System Security Extensions
The Domain Name System Security Extensions (DNSSEC) are a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol ...
(DNSSEC) modify DNS to add support for cryptographically signed responses. DNSCurve
DNSCurve is a proposed secure protocol for the Domain Name System (DNS), designed by Daniel J. Bernstein.
Description
DNSCurve uses Curve25519 elliptic curve cryptography to establish keys used by Salsa20, paired with the message authentication ...
has been proposed as an alternative to DNSSEC. Other extensions, such as TSIG TSIG (transaction signature) is a computer-networking protocol defined
in RFC 2845. Primarily it enables the Domain Name System (DNS) to authenticate updates to a DNS database. It is most commonly used to update Dynamic DNS or a secondary/slave D ...
, add support for cryptographic authentication between trusted peers and are commonly used to authorize zone transfer or dynamic update operations.
Some domain names may be used to achieve spoofing effects. For example, and are different names, yet users may be unable to distinguish them in a graphical user interface depending on the user's chosen typeface
A typeface (or font family) is the design of lettering that can include variations in size, weight (e.g. bold), slope (e.g. italic), width (e.g. condensed), and so on. Each of these variations of the typeface is a font.
There are list of type ...
. In many fonts the letter ''l'' and the numeral ''1'' look very similar or even identical. This problem is acute in systems that support internationalized domain name
An internationalized domain name (IDN) is an Internet domain name that contains at least one label displayed in software applications, in whole or in part, in non-latin script or alphabet, such as Arabic, Bengali, Chinese (Mandarin, simplified ...
s, as many character codes in ISO 10646
ISO is the most common abbreviation for the International Organization for Standardization.
ISO or Iso may also refer to: Business and finance
* Iso (supermarket), a chain of Danish supermarkets incorporated into the SuperBest chain in 2007
* Iso ...
may appear identical on typical computer screens. This vulnerability is occasionally exploited in phishing
Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwar ...
.
Techniques such as forward-confirmed reverse DNS
Forward-confirmed reverse DNS (FCrDNS), also known as full-circle reverse DNS, double-reverse DNS, or iprev, is a networking parameter configuration in which a given IP address has both forward (name-to-address) and reverse (address-to-name) Domain ...
can also be used to help validate DNS results.
DNS can also "leak" from otherwise secure or private connections, if attention is not paid to their configuration, and at times DNS has been used to bypass firewalls by malicious persons, and exfiltrate data, since it is often seen as innocuous.
Privacy and tracking issues
Originally designed as a public, hierarchical, distributed and heavily cached database, DNS protocol has no confidentiality controls. User queries and nameserver responses are being sent unencrypted which enables network packet sniffing, DNS hijacking
DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server unde ...
, DNS cache poisoning
DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g ...
and man-in-the-middle attacks. This deficiency is commonly used by cybercriminals and network operators for marketing purposes, user authentication on captive portals and censorship
Censorship is the suppression of speech, public communication, or other information. This may be done on the basis that such material is considered objectionable, harmful, sensitive, or "inconvenient". Censorship can be conducted by governments ...
.
User privacy is further exposed by proposals for increasing the level of client IP information in DNS queries (RFC 7871) for the benefit of Content Delivery Networks
A content delivery network, or content distribution network (CDN), is a geographically distributed network of proxy servers and their data centers. The goal is to provide high availability and performance by distributing the service spatially re ...
.
The main approaches that are in use to counter privacy issues with DNS:
*VPN
A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. The be ...
s, which move DNS resolution to the VPN operator and hide user traffic from local ISP,
*Tor
Tor, TOR or ToR may refer to:
Places
* Tor, Pallars, a village in Spain
* Tor, former name of Sloviansk, Ukraine, a city
* Mount Tor, Tasmania, Australia, an extinct volcano
* Tor Bay, Devon, England
* Tor River, Western New Guinea, Indonesia
Sc ...
, which replaces traditional DNS resolution with anonymous .onion
.onion is a special-use top level domain name designating an anonymous onion service, which was formerly known as a "hidden service", reachable via the Tor network. Such addresses are not actual DNS names, and the .onion TLD is not in the I ...
domains, hiding both name resolution and user traffic behind onion routing
Onion routing is a technique for anonymous communication over a computer network. In an onion network, messages are encapsulated in layers of encryption, analogous to layers of an onion. The encrypted data is transmitted through a series of net ...
counter-surveillance,
* Proxies and public DNS servers, which move the actual DNS resolution to a third-party provider, who usually promises little or no request logging and optional added features, such as DNS-level advertisement
Advertising is the practice and techniques employed to bring attention to a product or service. Advertising aims to put a product or service in the spotlight in hopes of drawing it attention from consumers. It is typically used to promote a ...
or pornography blocking.
**Public DNS servers can be queried using traditional DNS protocol, in which case they provide no protection from local surveillance, or DNS over HTTPS
DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-i ...
, DNS over TLS
DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by prevent ...
and DNSCrypt
DNSCrypt is a network protocol that authenticates and encrypts Domain Name System (DNS) traffic between the user's computer and recursive name servers. It was originally designed by Frank Denis and Yecheng Fu.
Although multiple free and open so ...
, which do provide such protection
Solutions preventing DNS inspection by local network operator are criticized for thwarting corporate network security policies and Internet censorship. They are also criticized from a privacy point of view, as giving away the DNS resolution to the hands of a small number of companies known for monetizing user traffic and for centralizing DNS name resolution, which is generally perceived as harmful for the Internet.
Domain name registration
The right to use a domain name is delegated by domain name registrars which are accredited by the Internet Corporation for Assigned Names and Numbers
The Internet Corporation for Assigned Names and Numbers (ICANN ) is an American multistakeholder group and nonprofit organization responsible for coordinating the maintenance and procedures of several databases related to the namespaces ...
(ICANN) or other organizations such as OpenNIC
OpenNIC (also referred to as the OpenNIC Project) is a user-owned and -controlled top-level Network Information Center that offers a non-national alternative to traditional top-level domain (TLD) registries such as ICANN. As of January 2017, Open ...
, that are charged with overseeing the name and number systems of the Internet. In addition to ICANN, each top-level domain (TLD) is maintained and serviced technically by an administrative organization, operating a registry. A ''registry'' is responsible for operating the database of names within its authoritative zone, although the term is most often used for TLDs. A ''registrant'' is a person or organization who asked for domain registration. The registry receives registration information from each domain name ''registrar'', which is authorized (accredited) to assign names in the corresponding zone and publishes the information using the WHOIS
WHOIS (pronounced as the phrase "who is") is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomou ...
protocol. As of 2015, usage of RDAP is being considered.
ICANN publishes the complete list of TLDs, TLD registries, and domain name registrars. Registrant information associated with domain names is maintained in an online database accessible with the WHOIS service. For most of the more than 290 country code top-level domain
A country code top-level domain (ccTLD) is an Internet top-level domain generally used or reserved for a country, sovereign state, or dependent territory identified with a country code. All ASCII ccTLD identifiers are two letters long, and all t ...
s (ccTLDs), the domain registries maintain the WHOIS (Registrant, name servers, expiration dates, etc.) information. For instance, DENIC
DENIC eG is the manager of the .de domain, the country-code top-level domain for Germany.
It was founded in 1996 and is organised as a non-regulated not-for-profit cooperative. DENIC provides the Domain Name System (DNS) as well as registrat ...
, Germany NIC, holds the DE domain data. From about 2001, most Generic top-level domain
Generic top-level domains (gTLDs) are one of the categories of top-level domains (TLDs) maintained by the Internet Assigned Numbers Authority (IANA) for use in the Domain Name System of the Internet. A top-level domain is the last level of eve ...
(gTLD) registries have adopted this so-called ''thick'' registry approach, i.e. keeping the WHOIS data in central registries instead of registrar databases.
For top-level domains on COM and NET, a ''thin'' registry model is used. The domain registry (e.g., GoDaddy
GoDaddy Inc. is an American publicly traded Internet domain registrar and web hosting company headquartered in Tempe, Arizona, and incorporated in Delaware.
, GoDaddy has more than 21 million customers and over 6,600 employees worldwide. The co ...
, BigRock and PDR, VeriSign
Verisign Inc. is an American company based in Reston, Virginia, United States that operates a diverse array of network infrastructure, including two of the Internet's thirteen root nameservers, the authoritative registry for the , , and gener ...
, etc., etc.) holds basic WHOIS data (i.e., registrar and name servers, etc.). Organizations, or registrants using ORG on the other hand, are on the Public Interest Registry
Public Interest Registry is a not-for-profit based in Reston, Virginia, created by the Internet Society in 2002 to manage the .ORG top-level domain. It took over operation of .ORG in January 2003 and launched the .NGO and .ONG top-level domains in ...
exclusively.
Some domain name registries, often called ''network information centers'' (NIC), also function as registrars to end-users, in addition to providing access to the WHOIS datasets. The top-level domain registries, such as for the domains COM, NET, and ORG use a registry-registrar model consisting of many domain name registrars. In this method of management, the registry only manages the domain name database and the relationship with the registrars. The ''registrants'' (users of a domain name) are customers of the registrar, in some cases through additional subcontracting of resellers.
RFC documents
The Domain Name System is defined by Request for Comments
A Request for Comments (RFC) is a publication in a series from the principal technical development and standards-setting bodies for the Internet, most prominently the Internet Engineering Task Force (IETF). An RFC is authored by individuals or g ...
(RFC) documents published by the Internet Engineering Task Force
The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and a ...
(Internet standard
In computer network engineering, an Internet Standard is a normative specification of a technology or methodology applicable to the Internet. Internet Standards are created and published by the Internet Engineering Task Force (IETF). They allow ...
s). The following is a list of RFCs that define the DNS protocol.
Standards track
* , ''Domain Names - Concepts and Facilities''
* , ''Domain Names - Implementation and Specification''
* , ''Requirements for Internet Hosts—Application and Support''
* , ''Incremental Zone Transfer in DNS''
* , ''A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)''
* , ''Dynamic Updates in the domain name system (DNS UPDATE)''
* , ''Clarifications to the DNS Specification''
* , ''Negative Caching of DNS Queries (DNS NCACHE)''
* , ''Non-Terminal DNS Name Redirection''
* , ''Secret Key Transaction Authentication for DNS (TSIG)''
* , ''Indicating Resolver Support of DNSSEC''
* , ''DNSSEC and IPv6 A6 aware server/resolver message size requirements''
* , ''DNS Extensions to Support IP Version 6''
* , ''Handling of Unknown DNS Resource Record (RR) Types''
* , ''Domain Name System (DNS) Case Insensitivity Clarification''
* , ''The Role of Wildcards in the Domain Name System''
* , ''HMAC SHA TSIG Algorithm Identifiers''
* , ''DNS Name Server Identifier (NSID) Option''
* , ''Automated Updates of DNS Security (DNSSEC) Trust Anchors''
* , ''Measures for Making DNS More Resilient against Forged Answers''
* , ''Internationalized Domain Names for Applications (IDNA):Definitions and Document Framework''
* , ''Internationalized Domain Names in Applications (IDNA): Protocol''
* , ''The Unicode Code Points and Internationalized Domain Names for Applications (IDNA)''
* , ''Right-to-Left Scripts for Internationalized Domain Names for Applications (IDNA)''
* , ''Extension Mechanisms for DNS (EDNS0)''
* , ''DNS Transport over TCP - Implementation Requirements''
Proposed security standards
* , ''DNS Security Introduction and Requirements''
* , ''Resource Records for the DNS Security Extensions''
* , ''Protocol Modifications for the DNS Security Extensions''
* , ''Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records''
* , ''Minimally Covering NSEC Records and DNSSEC On-line Signing''
* , ''DNS Security (DNSSEC) Hashed Authenticated Denial of Existence''
* , ''Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC''
* , ''Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)''
* , ''Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC''
* , ''The EDNS(0) Padding Option''
* , ''Specification for DNS over Transport Layer Security (TLS)''
* , ''Usage Profiles for DNS over TLS and DNS over DTLS''
* , ''DNS Queries over HTTPS (DoH)''
Experimental RFCs
* , ''New DNS RR Definitions''
Best Current Practices
* , ''Selection and Operation of Secondary DNS Servers'' (BCP 16)
* , ''Classless IN-ADDR.ARPA delegation'' (BCP 20)
* , ''DNS Proxy Implementation Guidelines'' (BCP 152)
* , ''Domain Name System (DNS) IANA Considerations'' (BCP 42)
* , ''DNS Root Name Service Protocol and Deployment Requirements'' (BCP 40)
Informational RFCs
These RFCs are advisory in nature, but may provide useful information despite defining neither a standard or BCP. (RFC 1796)
* , ''Choosing a Name for Your Computer'' (FYI 5)''
* , ''Domain Name System Structure and Delegation''
* , ''Common DNS Operational and Configuration Errors''
* , ''The Naming of Hosts''
* , ''Application Techniques for Checking and Transformation of Names''
* . ''Threat Analysis of the Domain Name System (DNS)''
* , ''Requirements for a Mechanism Identifying a Name Server Instance''
* , ''Internationalized Domain Names for Applications (IDNA):Background, Explanation, and Rationale''
* , ''Mapping Characters for Internationalized Domain Names in Applications (IDNA) 2008''
* , ''DNS Privacy Considerations''
* , ''Decreasing Access Time to Root Servers by Running One on Loopback''
* , ''DNS Query Name Minimisation to Improve Privacy''
* , ''DNS Terminology''
Unknown
These RFCs have an official status of Unknown
Unknown or The Unknown may refer to:
Film
* The Unknown (1915 comedy film), ''The Unknown'' (1915 comedy film), a silent boxing film
* The Unknown (1915 drama film), ''The Unknown'' (1915 drama film)
* The Unknown (1927 film), ''The Unknown'' (1 ...
, but due to their age are not clearly labeled as such.
* , ''Domain Requirements'' – Specified original top-level domains
* , ''Domain Administrators Guide''
* , ''Domain Administrators Operations Guide''
* , ''DNS Encodings of Network Names and Other Types''
See also
* Alternative DNS root
The Internet uses the Domain Name System (DNS) to associate numeric computer IP addresses with human-readable names. The top level of the domain name hierarchy, the DNS root, contains the top-level domains that appear as the suffixes of all Intern ...
* Comparison of DNS server software
This article presents a comparison of the features, platform support, and packaging of many independent implementations of Domain Name System (DNS) name server software.
Servers compared
Each of these DNS servers is an independent implementati ...
* Domain hijacking
Domain hijacking or domain theft is the act of changing the registration of a domain name without the permission of its original registrant, or by abuse of privileges on domain hosting and registrar software systems.
This can be devastating to ...
* DNS hijacking
DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server unde ...
* DNS management software
DNS management software is computer software that controls Domain Name System (DNS) server clusters. DNS data is typically deployed on multiple physical servers. The main purposes of DNS management software are:
*to reduce human error when editin ...
* DNS over HTTPS
DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-i ...
* DNS over TLS
DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by prevent ...
* Hierarchical namespace
In computing, a namespace is a set of signs (''names'') that are used to identify and refer to objects of various kinds. A namespace ensures that all of a given set of objects have unique names so that they can be easily identified.
Namespaces ...
* IPv6 brokenness and DNS whitelisting
* Multicast DNS
In computer networking, the multicast DNS (mDNS) protocol resolves hostnames to IP addresses within small networks that do not include a local name server. It is a Zero-configuration_networking#Name_service_discovery, zero-configuration service, u ...
* Public recursive name server
A public recursive name server (also called public DNS resolver) is a name server service that networked computers may use to query the Domain Name System (DNS), the decentralized Internet naming system, in place of (or in addition to) name servers ...
* resolv.conf
resolv.conf is the name of a computer file used in various operating systems to configure the system's Domain Name System (DNS) resolver. The file is a plain-text file usually created by the network administrator or by applications that manage ...
* Split-horizon DNS
In computer networking, split-horizon DNS (also known as split-view DNS, split-brain DNS, or split DNS) is the facility of a Domain Name System (DNS) implementation to provide different sets of DNS information, usually selected by the source addre ...
* List of DNS record types
This list of DNS record types is an overview of resource records (RRs) permissible in zone files of the Domain Name System
The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resour ...
* List of managed DNS providers
This is a list of notable managed DNS providers in a comparison table. A managed DNS provider offers either a web-based control panel or downloadable software that allows users to manage their DNS traffic via specified protocols such as: DNS Fai ...
* Zone file
A Domain Name System (DNS) zone file is a text file that describes a DNS zone. A DNS zone is a subset, often a single domain, of the hierarchical domain name structure of the DNS. The zone file contains mappings between domain names and IP addr ...
* DNS leak A DNS leak refers to a security flaw that allows DNS requests to be revealed to ISP DNS servers, despite the use of a VPN service to attempt to conceal them.
Although primarily of concern to VPN users, it is also possible to prevent it for proxy an ...
References
Sources
*
External links
*
Zytrax.com
Open Source Guide – DNS for Rocket Scientists.
Internet Governance and the Domain Name System: Issues for Congress
Congressional Research Service
The Congressional Research Service (CRS) is a public policy research institute of the United States Congress. Operating within the Library of Congress, it works primarily and directly for members of Congress and their committees and staff on a c ...
*
Mess with DNS
– site where you can do experiments with DNS.
{{Authority control
Computer-related introductions in 1983
Application layer protocols
Internet Standards