DNS Explained

Alright, let's start this explanation with what DNS is in the first place. The best way I like to describe DNS to people at work is as the following that they seem to understand pretty well is that DNS is like a contacts list, instead of remember a 10-digit phone number, you can just go to "Mom" and the contact list will take care of converting the name to a phone number.

However, DNS is much more complex than that when you break it down to its components. Notably there are two types of servers that are really important to know (Authoritative and Recursive) and there is a chain of servers to get to a domain.

What is an authoritative DNS server?

An authoritative DNS server is (to continue our metaphor) the "final phone book" for a lookup and contains the "truth" for providing IP address information. Some important information here is that there might be multiple authoritative DNS servers in the DNS query chain (which will be explained). When you perform a DNS lookup for kilgore.dev the authoritative DNS server for kilgore will respond with 172.67.196.49 (by default dig uses A records) which is an authoritative response. No other DNS server has this information, and this is the final response.

A really important example of authoritative DNS servers would be the "root" DNS servers. These servers contain the DNS information required for all the "Top Level Domains (TLDs)" like .com (192.31.80.30), .dev (216.239.60.105), .net (192.12.94.30), etc. Without the root DNS servers, the internet would not work at all. If you're interested in what this ends up looking like, you can view the root DNS zone file.

What is a recursive DNS server?

A recursive DNS server is a type of DNS server that most people are at least somewhat familiar with. This is a server/service like 1.1.1.1 from Cloudflare or 8.8.8.8 from Google. These DNS servers perform a DNS chain lookup on the behalf of a client, this reduces the total required lookups on the client side down to one, instead of the at least 2 (and potentially many more) that would be required if the client were to perform the full lookup itself.

When you perform a DNS lookup using nslookup (windows) you might notice that the results include "Non-authoritative answer:" at the top. This is an indicator that nslookup performed a query to a recursive DNS server.

What are DNS records?

OK, now that we understand what authoritative and recursive DNS servers are, what are DNS records?

DNS records are the actual responses that the DNS servers will provide. Or to keep up with the contact list metaphor, it's the individual phone numbers, email addresses, etc. that you have stored under a contact. DNS servers just like a contact list have multiple types of records and there are three primary ones we care about when explaining DNS.

The first record that's super important when talking about DNS is a record type known as an NS record. This record type provides information on who the authortative DNS servers are for a given domain. These records are the ones that allow DNS to function as it does.

The second record type that is important to this conversation would be A records. These records return the IPv4 addresses that actually point to a webserver, service, or really anything with IPv4 enabled. These are the records that your browser, computer, and other devices and software use to determine which servers to query for information.

The third record type is an AAAA, this record type does the exact same thing as an A record, except it provides an IPv6 result.

How are DNS records queried?

OK, now that we have all the pre-requisites out of the way, we can actually get into the nitty gritty of everything. For example, purposes we're going to use kilgore.dev as the domain we're attempting to get an A record for.

To start our journey, we first need to make the query with the full DNS domain name which is actually kilgore.dev. Why the extra period at the end? Each period represents a change in DNS authority, the period at the very end represents the root DNS servers we have previously looked at. Wait, why is it at the end then? The root DNS period is at the end because unlike humans writing a domain, the DNS lookup process actually reads domains backwards! This actually makes a ton of sense when you also realize that the TLD is also at the end!

So now that we know that DNS queries are actually processed in reverse, let's start using dig to follow the chain ourselves. The first step is to query one of the root DNS servers for the authoritative DNS servers for the dev TLD, this can be done using the following command dig NS dev. @198.41.0.4. This returns several domains, these domains have been "glued" for the root which for our purposes isn't that important, in the "additional section" we'll find several IP addresses, both A records and AAAA records. We only need to choose one of them to query next.

Now that we have the authoritative DNS server IPs for the dev TLD, we now need to get the authoritative DNS server records for the kilgore domain under the dev TLD. This can be done by running dig NS kilgore.dev. @216.239.60.105 this will return a couple of DNS authoritative results for the kilgore.dev. domain. You'll note that this site's DNS is operated by a 3rd party called Cloudflare.

Now that we know the authoritative DNS records for the kilgore.dev. domain, we can now query them for an A record. In dig this can be done by running dig A kilgore.dev. @kara.ns.cloudflare.com. (Note that dig automatically performs the required DNS lookups to get the IPs for the Cloudflare authoritative DNS server). This command will then respond with multiple A records that can then be used by a browser, operating system, etc. to send and receive information from those servers.

Where does a recursive DNS server come in?

You'll note that through the entire process of manually going through the DNS queries all the results returned "Authoritative" this is because we were querying the authoritative DNS servers directly. So, one might ask where recursive DNS servers come in, and why do we even use them.

Recursive DNS servers take everything we did previosuly (four DNS queries) and do it on the backend, so the client itself only has to send one DNS query (reducing data usage, and latency) and it also makes it possible to cache the results. By caching the results recursive DNS servers can help significantly reduce the load on root DNS servers and even domain DNS servers, while also potentially massivily increasing the speed at which a response is given. Additionally recursive DNS servers can also send specific queries to internal DNS authortative DNS servers for services like Active Directory, the local TLD, and more. Some DNS recursive services have also been configured to block dangerous domains that spread malware, phishing attacks, etc. which due to the policies and agreements that TLD operators have with ICANN they cannot do.

Recap and why the tree picture

So to recap, there are three types of DNS records, A, AAAA, and NS. A and AAAA contain the IP address of the actual server that contains the content being accessed. The NS record is the IP or domain of the authoritative DNS server. Additionally, domains are read by the DNS clients in reverse starting with the root servers, then TLD, then domain, and finally any subdomains that might be configured.

We also learned that there are two DNS server types, one being authoritative which is the source of truth for translating domains to IP addresses, and we also have recursive servers which take a complex chain of DNS queries and simplifies it for end clients to one query. Recursive DNS servers also can have additional tasks such as caching responses, blocking malware, phishing, ads, etc. and can also help resolve private TLDs and domains to internal authoritative servers that are not on the public internet.

So now, why does the tree picture represent this DNS post? Because DNS is essentially a tree, at the very bottom you have the roots, then you have the TLDs which are the main branches, then each domain is a branch off those main TLD branches, and each smaller branch or leaf after that is a subdomain.