You certainly know that the internet has a multitude of websites. To access them, you normally enter an address in the corresponding field of your browser, for example, www.google.com, www.gradinmath.com or www.ealecrim.net. But, do you have any idea how the computer can locate these sites, regardless of where they are hosted? It is at this point that the work of DNS (which stands for Domain Name System based on abbreviationfinder.org) servers “comes into play”. In this article, you will know what it is, understand how DNS works and learn related concepts, such as DNSSEC.
Every website or service on the internet needs an IP address (be it IPv4 or IPv6). With this feature, it is possible to locate the server (or set of servers) that hosts the website and, thus, access its pages. At the time of writing this article, Gradinmath’s IP was 126.96.36.199.
Well then. Try to memorize this number. Decorated? Congratulations! Now, wait a few minutes and try to remember this IP address again. Difficult, right? Now, imagine having to remember the IPs of all the websites you access daily, such as Facebook, Twitter, e-mail, news portals, etc. Yes, it is practically impossible and nothing practical, is it?
That’s basically why we use domain names to access internet sites. With this, the user does not need to know, for example, the Gradinmath IP address to access it, just know his domain, in this case, www.gradinmath.com. It is a very practical scheme, after all, memorizing names is much easier than saving numerical strings. In addition, even if you don’t remember a name exactly, you can type it in a search engine and it will help you find it.
The point is that, despite the use of domains, websites still need IP addresses, after all, the names were created to facilitate human understanding, not computers. And the DNS is responsible for linking a domain to IPs.
Domain Name System (DNS) servers
The Internet’s Domain Name System (DNS) services are, in a nutshell, large databases spread on servers located in various parts of the world. When you type an address into your browser, such as www.gradinmath.com, your computer asks your Internet service provider’s DNS servers (or others you have specified) to find the IP address associated with that domain. If these servers do not have this information, they communicate with others that they may have.
It helps in this work that the domains are organized hierarchically. First we have the root server (root server), which can be understood as the primary DNS service and is represented by a point at the end of the address, as the following example shows:
Note that if you type the address exactly as above – with a period at the end – in your browser, the program will find the site normally. However, it is not necessary to include this point, since the servers involved already know of its existence.
The internet has (at least until the date of publication of this text) thirteen root servers, ten of which are located in the United States, two in Europe (Stockholm and Amsterdam) and one in Asia (Tokyo). When a failure occurs, the others are able to keep the network running smoothly.
The hierarchy is followed with domains that we know a lot, such as.com,.net,.org,.info,.edu,,.me and several others. These are called gTLDs (Generic Top Level Domains).
There are also country-oriented endings, called ccTLDs (Country Code Top Level Domains). For example: for Brazil,.ar for Argentina,.fr for France and so on. There are combinations too, like.com and.blog.
Then there are the names that companies and people can register with these domains, such as the word gradinmath on gradinmath.com or google on google.com.
With the hierarchy, finding out which IP and, consequently, which server is associated with a domain – a process called name resolution – is easier, since this mode of operation allows a distributed work scheme, where each level of the hierarchy has specific DNS services.
To better understand, see this example: suppose you want to visit the website www.gradinmath.com. To do this, your provider’s DNS service (or one that you specify) will try to find out if it knows how to locate that site. If not, it will first consult the root server. This, in turn, will indicate the DNS server ending in, which will continue the process until it reaches the server that responds for the gradinmath.com domain, which will finally inform the associated IP, that is, on which server the website is. in question.
DNS servers that account for certain domains are called authoritative. The services responsible for receiving DNS queries from client machines and trying to get responses from external servers are called recursive.
Note, in the illustration, the distribution scheme: DNS servers point to each other, until the destination is found. In the case of the root server, it has merely a list of the DNS services responsible for the gTLD and ccTLD domains, and these are in charge of proceeding with the procedure.
The gTLD and ccTLD domains are administered by different entities, which also account for their DNS servers. For example: the termination is controlled by Registro.
Suppose you have visited a website that has never been resolved by your provider’s DNS service, so that the provider has to consult other DNS servers (using the aforementioned hierarchical search scheme). To prevent this search from having to be done again when another provider’s user tries to access the same site, the DNS service may store the information from the first query for some time. Thus, in another equal request, the server will already know which IP is associated with the site in question. This is known as a DNS cache.
In the beginning, the DNS cache only held data for positive queries, that is, when a website is found. However, DNS services also started to store negative results, from non-existent or non-localized sites, such as when we typed the wrong address, for example.
The cache information is stored for a certain period of time through a parameter known as TTL (Time to Live). This is used to prevent the recorded information from becoming out of date. The TTL time period varies depending on the settings determined for the server.
Thanks to this, the work of the DNS services of the root servers and the subsequent ones is minimized.
At this point, you already know that DNS servers play an important role on the internet. The problem is that the DNS can also be a “victim” of malicious actions.
Imagine, for example, that an individual with great knowledge on the subject has devised a scheme to be able to capture customer name resolution requests from a particular provider. When successful, he may try to target a fake address instead of a website that a user wants to visit. Realize the risk: if the user does not realize that he was directed to a fake page, he can provide sensitive data, such as a credit card number.
To avoid problems like these, DNSSEC (DNS Security Extensions) was created, which consists of a specification that adds security features to DNS.
DNSSEC essentially considers the aspects of authenticity and integrity of procedures involving DNS. But, contrary to what some people initially think, it cannot provide protection against intrusions or DoS attacks, for example, although it can help, in a way.
Basically, DNSSEC uses a scheme that involves public and private keys, which is explained in this article on digital signatures and certificates. With that, you can be sure that the correct servers are responding to DNS lookups.
The DNSSEC implementation must be carried out by the entities responsible for the administration of the domains, reason why this resource is not yet used to the full. Fortunately, in relation to Brazil, the country was one of the first to deal with this when implementing DNS in addresses, and at the time of publication of this text, this protection was mandatory in the.jus and.b domains. br (termination for banks).
To learn more about DNSSEC in Brazilian fields, the main registro/suporte/tutoriais/dnssec.html.
Free DNS services: OpenDNS and Google Public DNS
When you hire an internet access service, by default, you start using the provider’s DNS servers. The problem is that, often, these servers may not work properly: the connection is established, but the browser cannot find any pages; website access may be slow because DNS services are slow to respond; anyway.
A solution to problems like these is to adopt alternative and specialized DNS services, which are optimized to offer the best possible performance and are less susceptible to failure. The best known are OpenDNS and, more recently, Google Public DNS. Both services are free and almost always work very satisfactorily.
Enjoying OpenDNS is very easy: just use the service’s two IPs. Are they:
- Primary : 188.8.131.52
- Secondary : 184.108.40.206
The secondary service is a replica of the primary; if it cannot be accessed for any reason, the second is the immediate alternative.
These addresses can be configured on your own computer or on network equipment, such as Wi-Fi routers. If you use Windows 7, for example, you can configure it as follows:
Go to Start / Control Panel / Networks and Internet / Network and Sharing Center / Change adapter settings. Now, you must right-click on the icon that represents your connection and choose Properties. Then, on the Network tab, select the TCP / IP Protocol Version 4 (TCP / IPv4) option and click Properties. Enable the Use the following DNS server addresses option. In the Preferred DNS server field, enter the primary DNS address. In the field below, enter the secondary address.
Obviously, this type of configuration can also be done on Mac OS X, Linux and other operating systems, just look for guidance on how to do it in manuals or help files. The same goes for many network equipment.
Note that OpenDNS does not require registration, but it is possible to do so on the service’s website in order to take advantage of other resources, such as domain blocking and access statistics, for example.
Google Public DNS
The Google Public DNS is another type of service that stands out. Despite not offering as many features as OpenDNS, it is strongly focused on security and performance, in addition, of course, being the responsibility of one of the largest internet companies in the world. Their addresses have a great advantage: they can be decorated more easily. Check out:
- Primary : 220.127.116.11
- Secondary : 18.104.22.168
Google Public DNS also has IPv6 addresses :
- Primary : 2001: 4860: 4860 :: 8888
- Secondary : 2001: 4860: 4860 :: 8844
If you want to have your own website, like myname.com or myname.net, you need to register the domain. If it has to end with, the procedure can be done at Registro. For international domains (.com,.net,.org, among others) there are several companies that offer this service, with GoDaddy being the best known.
The first step is to check if the domain you want is available, that is, if it has not already been registered by someone else or by a company. All registration services provide a field where you can do this verification.
If the domain is free (no one is using it), you can register for the service and pay a fee, which varies according to the company and the type of domain. However, it is worth noting that the registration only applies to the chosen termination. If you register a domain namequalquer.com, for example, you will need to register for namequalquer.net.
The registration is valid for at least 365 days, and can also be registered for two or more years. If you want to continue using it, you must renew it before expiration, otherwise you will risk losing it. Generally, the registry company issues an e-mail notice to warn of the need for renewal, simply paying a new fee for this process to take effect.
It turns out that simply registering a domain is not enough to get your website up and running. You must also choose a company to host it. There are several companies that provide this type of service, with the most varied prices. You can search for “website hosting” on Google to try to find the best service for you.
When you have chosen a hosting service, you must associate your account with the registered domain. It is easy to do this: the hosting service will provide at least two DNS addresses (name servers) that you must enter in the panel offered by the company where you registered the domain. These addresses usually have the following format:
Realize that, when performing this procedure, the entity responsible for managing your domain will be able to inform which DNS services answer for the server hosting your website, making it possible to be found.
Types of DNS records
When you register a domain and contract a hosting service, it can offer subdomains based on your address so that you can access e-mail services, FTP server, among others, for example: ftp.yoursite.com or mail.your site. In addition, you may also want a subdomain for certain purposes, such as creating a blog within your site: blog.yoursite.com.
This is possible thanks to some DNS records (parameters), which must be inserted in specific server configuration files. However, in the case of hosting services, it is often possible to change these parameters through a control panel or a specific page for this.
Here are the most common records:
A records : basically, they associate one or more IP addresses to one or more domains. AAAA can be used for IPv6 addresses;
CNAME (Canonical Name) records : these are used to create redirects to domains or subdomains. It is this parameter that should be used, for example, to create an address of the type blog.seusite.com ;
MX records (Mail Exchanger): these are the parameters that must be configured for e-mail accounts in the domain (@ seuite.com);
NS (Name Server) records : indicate which servers act as the site’s DNS service. These are the addresses mentioned in the topic about domain registrations;
PTR (Pointer) records : inform which domains are associated with certain IPs, almost if it were the reverse of A records;
SRV records (short for Service): indicate the location of certain services within the domain;
SOA (Start of Authority) records : indicate the beginning of a zone, that is, of a set of records located within a DNS namespace. Each zone must have an SOA record;
TXT records (short for Text): used to insert comments or guidelines.
Here are some examples:
These DNS records must be edited, for example, for those who create Google Apps accounts. Through this service, the user can use Google tools – such as Gmail – in a way linked to his domain. Thus, it is possible, for example, to have the site seuite.com hosted on any server, but to have email accounts @ yoursite.com managed by Google Apps, even with the latter not hosting the site.
Please note that any changes to DNS records should be made very carefully – an error can simply prevent the site from being located.
The use of DNS is not limited to the internet. This feature can (and is) used on local networks or extranets, for example. Its implementation can be done in almost any operating system, being very common in platforms based on Unix and Windows. The best known tool for DNS is BIND, which is maintained by the Internet Systems Consortium.