A Domain Name System (DNS) is essentially the phone book for any network – including the internet. Every time you are surfing the web, whether you realize it or not, you are using DNS. Without it, you would have to remember every system’s IP address to visit the particular site you wanted. For instance, instead of remembering a name like www.google.com, you would have to remember 74.125.239.82. Instead of www.amazon.com, you would have to remember 205.251.242.54 – and every backup IP address that they use for load balancing the traffic. For something as fundamental to the internet as DNS has become, most users have little or no understanding of how it works. In fact, they may never even know that it exists until it stops working.
Domain Name System Providers
There are many different providers of DNS, including the Internet Service Provider (ISP) at your home or business, Google, Level 3, OpenDNS, DynDNS, etc. These providers maintain the “phonebook” and translate your request into its corresponding IP address – a job that carries great responsibility. If your DNS provider does not correctly resolve your request, or maliciously (and intentionally) redirects your browser to malware, it can cause serious problems, including viruses or worms. If a URL cannot be resolved at all, your browser will typically display an error or a blank page. Your home ISP will often provide features like search assist or phishing block to help protect you while you are searching the web. Google (located at IP addresses 8.8.8.8 and 8.8.4.4) and Level 3 (located at IP addresses 4.2.2.1 and 4.2.2.2) provide unfiltered DNS servers (which is to say that they don’t block any requests), in case your ISP’s servers seem to be filtering or monitoring your requests. OpenDNS and DynDNS, on the other hand, offer services (both paid and free) that allow you to control what kind of sites you wish to block and what sites you wish to allow. Paid accounts often give you more control, even down to individual sites rather than categories of sites. This is a popular method for securing your home internet service and protecting your kids from looking at content that you don’t want them to see. It is also good for protecting you from phishing scams that are prevalent on the internet today.
DNS Records
There are several different types of address records managed within DNS, and each serves a different purpose.
A Records: Basic DNS records are called A Records and they are address records for a hostname. For example, if you look at the A Records for www.google.com, you will find several entries that include 74.125.227.209, 74.125.227.210, 74.125.227.211, 74.125.227.212, and 74.125.227.208, as well as one that looks different from the others: 2607:f8b0:4000:803::1013. This one is IPv6 (a newer addressing scheme for the internet that allows for many more addresses), while the others are IPv4 (the old-school addressing scheme). Having multiple records like this doesn’t give true load balancing. For example, if you surf to www.google.com and DNS tells your system to contact 74.125.227.209 and that address doesn’t respond, your system doesn’t go back to DNS, get 74.125.227.210, and try again. It asks the question once, and if it gets an answer (even one stating that the name can’t be resolved), your browser will either attempt to connect to that address and return the web page, or show a “page doesn’t exist” error page.
MX Records: Some DNS records are also used to route email around the internet. These particular DNS records are known as MX (Mail eXchange) records and usually point to a group of computers that are responsible for receiving mail for the organization. Each entry will have a priority associated with it; this provides a fail-over, so if one mail server isn’t responding, the sending mail server can try the next one in the list.
NS Records: So what are DNS servers themselves called in DNS records? NS (Name Server) records list the servers that are responsible for (have authority over) the domain zones they host. They also help with replicating changes in a DNS zone between the servers that are responsible for that zone.
Pointer (PTR) Records: PTR records are reverse records and help with security on the internet. When your system receives an email, it will do a reverse DNS (rDNS) lookup to see what domain name the sending address belongs to. Then it compares this with the MX records to see if this server is registered as an email server. If not, it can reject the email as spam. PTR records are also used in network troubleshooting when the IP address is known but the system name is not. PING and TRACERT (trace route) commands will show you both the IP address and the DNS name.
Canonical Name (CNAME) Records: Another popular record type is a CNAME record. It can be thought of as an alias record and it is used when one IP address is used for multiple services. For example, you might have a website named www.yourwebsite.com that has an IP address of 10.1.2.3, but you also have other services you wish to publish, such as FTP. Rather than making another A Record for ftp.yourwebsite.com, you can make a CNAME for ftp.yourwebsite.com and point it (alias it) to www.yourwebsite.com. If you later change the IP address of your web site, for example by changing providers, you only have to update one record, the A Record for www.yourwebsite.com, and all of your CNAME records will automatically resolve to the proper IP address. There are some rules that should be followed with CNAME records:
1. Never point an MX record to a CNAME
2. Never point an NS record to a CNAME
3. Never point a CNAME to a CNAME (as this could create a never-ending loop)
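The three rules above are easy to break by hand, so here is an added example (not code from the article) that parses a small zone file and flags each violation; the zone text, the yourwebsite.com names and the addresses in it are constructed sample data:

```python
# Added example, not from the article: a tiny zone-file linter for the three CNAME rules above.
SAMPLE_ZONE = """
$ORIGIN yourwebsite.com.
www   IN  A      10.1.2.3
mail  IN  CNAME  www
@     IN  MX 10  mail         ; rule 1 broken: MX points to a CNAME
ns1   IN  CNAME  www
@     IN  NS     ns1          ; rule 2 broken: NS points to a CNAME
a     IN  CNAME  b
b     IN  CNAME  a            ; rule 3 broken: CNAME -> CNAME, and a loop
"""

def qualify(name, origin):  # make a relative name fully qualified
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):  # -> list of (owner, type, target) triples
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()    # drop comments and blanks
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = [f for f in line.split() if f != "IN"]
        owner, rtype, target = fields[0], fields[1], fields[-1]
        if rtype in ("CNAME", "MX", "NS"):     # these targets are hostnames
            target = qualify(target, origin)
        records.append((qualify(owner, origin), rtype, target))
    return records

def check_cname_rules(records):  # -> list of (rule, owner, detail) violations
    cnames = {o: t for o, r, t in records if r == "CNAME"}
    problems = []
    for owner, rtype, target in records:       # rules 1 and 2
        if rtype in ("MX", "NS") and target in cnames:
            problems.append((f"{rtype}->CNAME", owner, target))
    for start in cnames:                       # rule 3: follow each alias chain
        chain, cur = [], start
        while cur in cnames and cur not in chain:
            chain.append(cur)
            cur = cnames[cur]
        path = " -> ".join(chain + [cur])
        if cur in chain:
            problems.append(("CNAME loop", start, path))
        elif len(chain) > 1:
            problems.append(("CNAME->CNAME", start, path))
    return problems
```

Running `check_cname_rules(parse_zone(SAMPLE_ZONE))` reports the MX and NS records that point at aliases and the a/b loop, while a clean zone returns an empty list.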
Corporate DNS used for Active Directory domains takes this farther and includes records that help computer systems on the network find which domain controller is “closer” (reachable in fewer network hops), which file server is closer, what the email server auto-setup should be, etc. These records include SRV (for “Service”) records that are used for Kerberos, LDAP, and other services the domain needs to function.
So what system holds the DNS for domain servers (Active Directory)? Active Directory servers run a DNS service that clients (other computers on the internal network) will utilize for all DNS needs, including DNS for servers external to the domain. It is up to the internal DNS servers to decide if the request is for an internal or private record or for a public record. If it needs a public record there are several ways a DNS server can find the information:
1. It can forward requests to a set of servers, either for all domains or for just a specific domain.
2. It can use root hints to direct traffic to the proper public DNS servers.
3. It can also use a combination of the two, depending on the needs of the organization.
If you have an Active Directory environment and you point your client (or the DNS client on a domain controller/DNS server) to a public DNS server, your domain will not function properly. The public DNS servers will not have the records for your private DNS zone and will not have any way to get them if your client requests it. This will prevent your computer from authenticating on the domain, joining the domain, connecting to your email server, surfing your corporate intranet, or other tasks.
What is Split DNS?
If you are in a corporate environment and you have a web server that you list as www.yourwebsite.com with a public DNS record of 74.125.227.210 (note: this is Google’s IP address, used only as an example), but you are inside your network and your firewall will not allow traffic to go out, make a u-turn, and come back in, you will not be able to get to the website. How do you resolve this for your internal clients? You make a split DNS. This means that there is a public DNS zone for yourwebsite.com that contains an A Record for www that resolves to 74.125.227.210, and you have an internal DNS zone (on your domain controller or domain DNS server) that also has a zone for yourwebsite.com, but it has an A Record for www that resolves to 10.1.2.3 (the internal IP address for the same web server). Now your client that is on the inside of your corporate network can communicate with your web server at www.yourwebsite.com. If this is a mobile device, you could move between networks (corporate, public Wi-Fi, home, etc.) and still have access to the website. Of course, with this split DNS zone you will have to enter every record that is in the public DNS zone, or you will break the other records while on the internal network.
Another split DNS implementation is to do it just for the record you wish to redirect. You would create a DNS zone named www.yourwebsite.com and have its default record (the record for the zone name itself) resolve to 10.1.2.3. This way, you only have to maintain one record internally, instead of every record that is in the public DNS zone.
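To make the difference between the two internal-zone layouts concrete, here is an added example (not code from the article) that mimics how an internal DNS server answers: it is authoritative for its own zones, so a name that falls inside one of them but has no record is simply unresolvable, while everything else goes to public DNS. The zones, the extra mail record and the addresses are constructed sample data, and the single-record layout is modelled as a zone whose apex (“@”) record holds the internal address:

```python
# Added example, not from the article: a toy split-horizon resolver for the two
# internal-zone layouts above. All addresses and records are constructed sample data.
PUBLIC_ZONES = {  # what the world sees for yourwebsite.com. (A records only)
    "yourwebsite.com.": {"www": "74.125.227.210", "mail": "74.125.227.211"},
}
# Layout 1: a full internal copy of yourwebsite.com. in which "mail" was forgotten.
INTERNAL_FULL_COPY = {
    "yourwebsite.com.": {"www": "10.1.2.3"},
}
# Layout 2: a zone for just www.yourwebsite.com. whose apex ("@") record is the
# internal address; every other name under yourwebsite.com. is still public.
INTERNAL_SINGLE_RECORD = {
    "www.yourwebsite.com.": {"@": "10.1.2.3"},
}

def in_zone(fqdn, zone):  # is fqdn the zone apex or a name below it?
    return fqdn == zone or fqdn.endswith("." + zone)

def lookup(zones, fqdn):
    """Answer from the most specific zone that holds fqdn; None if no record."""
    matches = [z for z in zones if in_zone(fqdn, z)]
    if not matches:
        return None
    zone = max(matches, key=len)
    label = "@" if fqdn == zone else fqdn[: -len(zone) - 1]
    return zones[zone].get(label)

def resolve(fqdn, internal_zones):
    """What an internal DNS server returns to a client on the corporate network."""
    if any(in_zone(fqdn, z) for z in internal_zones):
        return lookup(internal_zones, fqdn)  # authoritative: a missing name is NXDOMAIN
    return lookup(PUBLIC_ZONES, fqdn)        # otherwise forward to public DNS

if __name__ == "__main__":
    for name in ("www.yourwebsite.com.", "mail.yourwebsite.com."):
        print(name, resolve(name, INTERNAL_FULL_COPY), resolve(name, INTERNAL_SINGLE_RECORD))
```

With the full copy, www resolves internally but mail is broken because it was never copied; with the single-record zone, www resolves internally and mail still falls through to the public answer.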
When properly implemented, DNS is almost unnoticeable. On the other hand, it can create a lot of headaches if something goes wrong, and that’s when it’s important to have a clear understanding of how all of the pieces fit together.
Need help with your Domain Name System? Segue has experienced system administrators ready to help troubleshoot DNS problems, or any of the other potential issues that can pop up in your Active Directory environment.