How DNS Service Works

The Domain Name System (DNS) is a nearly indispensable system for the internet to function. It converts a domain name (e.g., example.com) into an IP address (also known as a network address).

The DNS service runs on DNS servers (thanks Captain Obvious), and there are two types:

  • Authoritative DNS: holds the DNS zones it manages
  • Recursive DNS: resolves DNS queries by consulting authoritative servers

That is what makes up the fabulous world of DNS.

But what is a DNS zone?

A DNS zone is, in a way, the filing cabinet that contains all the DNS records for the domain name.

For example, my domain name gkaelin.com contains several records, including graph.gkaelin.com or web02.gkaelin.com.

There are several types of record:

  • A: The most common records; they hold IPv4 addresses and, for example, convert the address typed in a browser into a network address
  • AAAA: The same thing, but this time in IPv6
  • CNAME: Aliases that can point to an A or AAAA record of the same domain, or of a completely different one that we do not manage
  • SOA: Contains fundamental information about the DNS zone, including:
    • The primary server of the zone
    • The email address of the DNS zone manager
    • The serial number (incremented with each registration modification)
    • The delay in seconds that defines the time before secondary DNS updates their zone
    • The delay in seconds before secondary DNS servers should attempt zone synchronization in case of failure
    • The lifetime of the zone on the secondary servers (after this time, they refuse to respond to requests if there has been no refresh from the primary server)
    • The default lifetime of the zone (sets the default lifetime of records)
  • NS: Defines the secondary DNS servers for this zone
  • MX: Record used by email servers. It defines the server address so that the domain can receive emails.
  • PTR: Returns the FQDN linked to an IP address (used, for example, by email sending servers)
  • SRV: Special records specifying additional options in applications, such as the port, path, or protocol for a CalDAV calendar.
  • TXT: Record where various information is entered as text. These include:
    • SPF: Defines which IP addresses may send email on behalf of the domain
    • DKIM: A digital signature certifying that an email has not been altered in transit
    • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Defines the policy to apply when SPF and DKIM fail
    • Various verification methods: When you need to prove that you own a domain, some providers require you to add a given string of characters
  • CAA: Allows you to specify which entities can issue SSL certificates related to this domain
  • TLSA: Allows you to link a TLS certificate, or a private key to a domain, which therefore allows you to store the fingerprint, and strengthen the security of certificate validation control
  • TSIG: Allows DNSSEC (Secure DNS)

How does DNS resolution work?

DNS resolution is the process of converting a domain name (e.g., google.ch) into an IP address. A machine that wants to make a DNS request first queries the DNS resolver, which then contacts the corresponding authoritative server. The steps are as follows (let's take my domain name as an example):

  • The client asks the DNS resolver (another name for recursive DNS) for the IP address of the domain name (gkaelin.com)
  • The resolver splits the DNS name at the dots (giving gkaelin and com)
  • It starts by asking the root servers (global servers that manage the TLDs, such as .com and .ch) which server is authoritative for the zone. The answer depends on the NS records entered in the zone.
  • Once it knows that, the resolver contacts the authoritative server and obtains the desired IP address

Where there are subdomains (domain.gkaelin.com), the procedure repeats from authoritative server to authoritative server until the desired record is reached.

The resolver can keep a local cache; how long a cached record lives depends on the configuration defined in the DNS zone.

A good practice in DNS management is to avoid giving the resolver role to authoritative servers. The risk is that if too many requests hit the server, the service may crash and the authoritative role will stop working.

The DNS service is very important for browsing the internet. It is widely used by reverse proxies (for example, to serve multiple websites on the same IPv4 address), and to check that access to an internal site encrypted with a certificate is valid (the domain name entered must appear in the certificate presented by the server, which ensures that the connection is secure and has not been hijacked).

ICANN: the domain name manager

ICANN is a non-profit organization whose mission is to regulate the allocation of these domain names. It manages a directory of the domain names that exist on the internet, including information on the owner and/or the technical and billing contacts. Domain names are paid for, and the price varies depending on the TLD chosen. For example, a .ch will cost around 10 CHF, while a .swiss will be closer to 100 CHF.

The task of billing and selling domain names is delegated to registrars, which are local to the country and generally manage only a few TLDs. They can offer domain names for all TLDs, but this is rare.

On the other hand, if you want to manage a local DNS zone (for an LDAP directory, or simply to make internal access to certain services easier), there is no need to register a domain name. The TLDs .local and .lan are commonly used for this.

DNS in web3

In recent years, Web 3 has begun to gain popularity, largely thanks to the development of blockchains. The DNS service has therefore evolved, and this is what we will explore now.

In web3, DNS has several additional roles, including:

  • Alias to an Ethereum or other cryptocurrency address
  • Representation of a digital identity (certification of a person for authentication management, for example)

So there is no longer a central authority that manages all domain names; this role is instead decentralized in the blockchain. It is possible to order classic domain names (.ch, .com), but it can be expensive. Technically, however, the operation is very interesting, and the renewal process is a little different. When a resolution is needed, the resolver server does not contact a DNS root but looks in the blockchain to find the domain name and executes a smart contract to obtain the IP. It is therefore necessary to have a DNS resolver server capable of downloading the blockchain locally (a classic DNS cannot do this).