how a dns query works [closed]

domain-name-system

DNS resolution can get pretty hairy when you start to consider things like caching and anycast, but let's keep it simple for now.

Here are snippets of digs next to snippets of tcpdumps of a query for www.google.com to a freshly started nameserver, so no caching is being used. I've trimmed some of the timestamps for legibility.

First, the local nameserver (here 192.168.10.10) asks one of the root servers (in this case h.root-servers.net, 128.63.2.53) the query "what is the A record for www.google.com?" h.root-servers.net is not authoritative for www.google.com, but it does have a delegation for .com, so it returns that.

192.168.10.10.17203 > 128.63.2.53.53: 29969 [1au] A? www.google.com. (43)
128.63.2.53.53 > 192.168.10.10.17203: 29969- 0/15/16 (719)

;; QUESTION SECTION:
;www.google.com.                        IN      A

;; AUTHORITY SECTION:
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.

Second, the local nameserver then chooses one of the nameservers from the list returned by h.root-servers.net and sends the same query: "what is the A record for www.google.com?" In this case the nameserver queried was f.gtld-servers.net (192.35.51.30). f.gtld-servers.net, which is authoritative for .com, has responded with the nameserver delegations for the zone google.com

192.168.10.10.65182 > 192.35.51.30.53: 58632 [1au] A? www.google.com. (43)
192.35.51.30.53 > 192.168.10.10.65182: 58632- 0/4/5 (179)

;; QUESTION SECTION:
;www.google.com.                        IN      A

;; AUTHORITY SECTION:
google.com.             172800  IN      NS      ns2.google.com.
google.com.             172800  IN      NS      ns1.google.com.
google.com.             172800  IN      NS      ns3.google.com.
google.com.             172800  IN      NS      ns4.google.com.

Getting closer! Now the local nameserver picks one of the nameservers in the last response and asks it the same question. In this case, it asks ns2.google.com (216.239.34.10). ns2.google.com responds that www.google.com is actually a CNAME (canonical name) record for www.l.google.com

192.168.10.10.4767 > 216.239.34.10.53: 15830 [1au] A? www.google.com. (43)
216.239.34.10.53 > 192.168.10.10.4767: 15830*- 6/0/0 CNAME[|domain]

;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         604800  IN      CNAME   www.l.google.com.

Very close! Now we just need the address of www.l.google.com. Now because we already know the nameservers for google.com, we just ask one of them. In this case, we ask ns3.google.com (216.239.36.10) "what is the A record for www.l.google.com.?" It responds with the address, and we have our answer:

192.168.10.10.63657 > 216.239.36.10.53: 62511 [1au] A? www.l.google.com. (45)
216.239.36.10.53 > 192.168.10.10.63657: 62511*- 5/0/0 A[|domain]

;; QUESTION SECTION:
;www.l.google.com.              IN      A

;; ANSWER SECTION:
www.l.google.com.       300     IN      A       74.125.232.116
www.l.google.com.       300     IN      A       74.125.232.112
www.l.google.com.       300     IN      A       74.125.232.115
www.l.google.com.       300     IN      A       74.125.232.113
www.l.google.com.       300     IN      A       74.125.232.114

Huzzah!

Anyway, I hope that's enough to get your started. There are a lot of great resources out there. The O'Reilly book "DNS and BIND" is very useful.

I highly highly highly recommend installing dig to use for seeing how the DNS queries go. For example, you can use dig +trace to easily see the delegation path to a host:

; <<>> DiG 9.7.0-P1 <<>> +trace www.google.com
;; global options: +cmd
.                       516930  IN      NS      k.root-servers.net.
.                       516930  IN      NS      g.root-servers.net.
.                       516930  IN      NS      h.root-servers.net.
.                       516930  IN      NS      j.root-servers.net.
.                       516930  IN      NS      a.root-servers.net.
.                       516930  IN      NS      m.root-servers.net.
.                       516930  IN      NS      b.root-servers.net.
.                       516930  IN      NS      f.root-servers.net.
.                       516930  IN      NS      d.root-servers.net.
.                       516930  IN      NS      c.root-servers.net.
.                       516930  IN      NS      l.root-servers.net.
.                       516930  IN      NS      i.root-servers.net.
.                       516930  IN      NS      e.root-servers.net.
;; Received 244 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
;; Received 492 bytes from 202.12.27.33#53(m.root-servers.net) in 45 ms

google.com.             172800  IN      NS      ns2.google.com.
google.com.             172800  IN      NS      ns1.google.com.
google.com.             172800  IN      NS      ns3.google.com.
google.com.             172800  IN      NS      ns4.google.com.
;; Received 168 bytes from 192.33.14.30#53(b.gtld-servers.net) in 42 ms

www.google.com.         604800  IN      CNAME   www.l.google.com.
www.l.google.com.       300     IN      A       74.125.232.115
www.l.google.com.       300     IN      A       74.125.232.113
www.l.google.com.       300     IN      A       74.125.232.116
www.l.google.com.       300     IN      A       74.125.232.114
www.l.google.com.       300     IN      A       74.125.232.112
;; Received 132 bytes from 216.239.34.10#53(ns2.google.com) in 131 ms

Notice how similar it is to the trace of the query earlier? Hope that helps.


It is slightly more complicated as DNS is quite heavily cached. Your local machine may even have the data cached and the lookup goes no further than that.

Your machine will query it's own cache and if that fails it will query the primary DNS server it has been told about. This may be a caching DNS server and my have the result in it's cache in which case the record is returned to you and the lookup ends. It is also most likely a recursive DNS server and will now do the leg work for your machine.

If the primary DNS server doesn't have the information it will query the root name servers they will respond with (in your example) the TLD name servers for .com

A query will be sent to the .com TLD servers which will respond with the address of the authoritative name server for google.com

A query will be sent to the authoritative name server for google.com requesting the www.google.com record. This will be found and returned to the primary DNS server which will cache it and return the record to you.

Related

How to find RAID configuration/level and RPM speed having only remote access to the server?
e2fsck on large filesystem fails with Error : Memory Allocation Failed
Why does Postfix deliver mails locally instead of relaying them to Google Apps?
What to do with an out-of-warranty Barracuda Spam/Web filter?
Apache reverse proxy error page when proxied server is down
Why shouldn't root be allowed to login via ssh?
LVM mirroring VS RAID1
Setup IIS 7.5 with multiple website bindings and SSL?
Should old servers be retired
Quick way to restore or reload /etc/fstab settings?
Why buy high end hardware firewalls?
When exim4 sends HELO/EHLO, how do I configure which host name it sends?