This article discusses DNS, a foundational service for the internet that helps users browse the web while enabling organizations to access their internal resources through host naming.
What is DNS?
Imagine yourself holding a package. Inside is an item you wish to send to someone via your local postal service. However, you only know the recipient’s name, let’s say David, and have no information on where he lives. How do you find out David’s address? If you have his phone number, you could call him directly and ask. Otherwise, you might have to make a chain of phone calls, or perhaps do some online searching, to discover David’s whereabouts so that you can finally label the package and send it off. At the heart of the internet, a similar system is in place to ensure that our web searches and requests are fulfilled without our having to manually search for or memorize addresses. This networking technology is called DNS, or the Domain Name System. Its job is to take a domain name, like YouTube.com, and find the applicable Internet Protocol (IP) address, that is, the address currently hosting the YouTube web server you are trying to contact.
Why is DNS Necessary?
Client devices, whether smartphones, laptops, tablets, etc., all rely on data interpretation to operate. They only “see” in binary, that is, in bits, the smallest unit of data. It is the “on” or “off” (one or zero) state of these bits that makes up an IP address, which is comprised of a network portion and a host portion. Your client is able to read and interpret this IP address as a destination on the internet. One small problem: it remains difficult for most of us humans to memorize several long strings of numbers, almost akin to memorizing an address book. Consider the IPv4 address 223.24.16.20 as an example. This address alone would be annoying to commit to memory, but with the push to transition a majority of the internet’s addressing to IPv6 (which has four times as many bits as IPv4), an address like EF22:5534:1B04:A377:FFCA:12EB:DB90:C467 may be equally difficult, if not worse, to recall.
To see this process in action on a Windows machine, simply perform an nslookup. To do so, open a command prompt by typing “cmd” into the taskbar’s search box and selecting “Command Prompt”, then type “nslookup google.com” into the window that opens and hit Enter. This command queries the current IP addressing for Google. Your DNS server’s address should be displayed, and the command will also show the IP addresses found for your query. Try copying the IPv4 address (or one of them, if several appeared) and pasting it into the address bar of your favorite web browser. Hitting Enter should take you to Google.com if the IP address is correct.
Most IP addresses change over time (dynamic addressing), especially since we burned through our supply of IPv4 addresses years ago. Although some IPs are statically assigned, they can also be released at any time depending on circumstances. Confusion would ensue if the IP addresses for people’s favorite websites suddenly changed, causing everyone to scramble and search for the new addresses, perhaps calling or asking others for the latest server IPs, which would create a situation much like our package example above. By the time everyone learned the correct addresses, they likely would have changed again. Therefore, DNS was implemented as a means to browse websites efficiently without having to know the destination IP. Even now, most of us do not fret about DNS because our ISPs typically operate their own default DNS servers that we, the customers, use.
Additionally, companies tend to use DNS to create internally designated zones for accessing their organization’s servers and resources, keeping their data and information on-prem while gaining the convenience of hostnames rather than relying on IP addresses to navigate.
How Does DNS Work?
As discussed, DNS operates by resolving a hostname or fully qualified domain name (FQDN) to an IP address. It does so by accepting DNS requests from a client device, checking its own records for that hostname’s IP address, and sending the resolution back to the client as a DNS reply. However, the client will first attempt to resolve the hostname by checking whether the address is contained in its DNS cache or its hosts/lmhosts files, any of which can store name resolutions. If the address is missing or outdated, the client then initiates the process above, sending a DNS request to its configured DNS server. As mentioned, most users use their ISP’s DNS by default, but there are public DNS servers that consumers can manually configure in their client or router settings, such as Cloudflare (1.1.1.1) or Google (8.8.8.8). Now, what happens if even that DNS server does not know a website’s IP address? That is where recursion comes into play. The DNS server will start searching for the domain’s IP from the highest authority in DNS and work its way down from there.
Root DNS Servers to the Rescue!
Across the globe, there exists a special group of 13 DNS servers. The purpose of these servers, known as the root servers or authoritative name servers, is to provide replies to recursive DNS queries for the top-level domains, that is, domains like .com, .net, .gov, .org, etc. The IPs of these servers seldom change, if at all. When a DNS server like Cloudflare’s starts recursion for YouTube.com, it will first ask a root DNS server, “Who is serving the top-level domain ‘.com’?” The root server will reply, “DNS server X is serving the ‘.com’ domain.” Cloudflare will then repeat the process with DNS server X, asking who is serving the IP for “YouTube.com”. DNS server X will reply with the server that knows where YouTube.com is located. Cloudflare will finally request the IP from the DNS server that knows YouTube’s destination and then serve that IP address to any clients requesting YouTube.com. To see a full list of the root DNS servers and their locations, check out IANA’s website, which lists the hostname, IPv4 address, and IPv6 address of each server. It is quite fascinating that these servers are responsible for allowing the internet to run so smoothly.
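To make the two previous sections concrete, here is an added toy model (written for this article, not code from any real resolver or from the author) of the lookup order a client follows and of the recursive walk root → TLD → authoritative server. The zone data, server names and the 203.0.113.x / 192.168.1.x addresses are constructed for the example; the clock is injectable so that cache expiry can be shown without waiting for a real TTL to pass.

```python
"""Toy model of DNS resolution: a client checks its hosts file and cache
first, then asks a recursive resolver, which walks the hierarchy from the
root servers down and caches the answer for its TTL.
All zone data and addresses below are constructed for this example."""
import time

# Constructed toy hierarchy. Each "server" maps a name it knows about to
# either a delegation (the next server to ask) or a final answer with a TTL.
ROOT = {"com.": ("delegate", "tld-com")}
TLD_COM = {"youtube.com.": ("delegate", "auth-youtube")}
AUTH_YOUTUBE = {"youtube.com.": ("answer", "203.0.113.10", 300)}
SERVERS = {"root": ROOT, "tld-com": TLD_COM, "auth-youtube": AUTH_YOUTUBE}


def canonical(name):
    """DNS names are case-insensitive; normalize to lowercase with a trailing dot."""
    return name.strip().lower().rstrip(".") + "."


class RecursiveResolver:
    """Stands in for a resolver such as 1.1.1.1 or 8.8.8.8."""

    def __init__(self, clock=time.time):
        self.cache = {}      # qname -> (ip, expiry timestamp)
        self.clock = clock
        self.trace = []      # list of (server, qname) queries actually sent

    def ask(self, server_id, qname):
        """Simulate one query to a server: it answers for the longest suffix
        of the name it knows (the root knows "com.", not "youtube.com.")."""
        self.trace.append((server_id, qname))
        zone = SERVERS[server_id]
        labels = qname.split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in zone:
                return zone[suffix]
        return None

    def resolve(self, name):
        qname = canonical(name)
        hit = self.cache.get(qname)
        if hit and hit[1] > self.clock():
            self.trace.append(("cache", qname))
            return hit[0]
        server = "root"
        for _ in range(10):  # bound the walk so a bad delegation cannot loop forever
            rec = self.ask(server, qname)
            if rec is None:
                raise LookupError(f"no data for {qname}")
            if rec[0] == "delegate":
                server = rec[1]          # follow the referral one level down
                continue
            _, ip, ttl = rec
            self.cache[qname] = (ip, self.clock() + ttl)
            return ip
        raise LookupError("too many referrals")


class Client:
    """Stub resolver on the client: hosts file, then local cache, then DNS."""

    def __init__(self, resolver, hosts=None):
        self.resolver = resolver
        self.hosts = {canonical(k): v for k, v in (hosts or {}).items()}

    def lookup(self, name):
        qname = canonical(name)
        if qname in self.hosts:             # hosts file wins over any DNS answer
            return self.hosts[qname], "hosts"
        return self.resolver.resolve(qname), "dns"


def lookup_or_none(client, name):
    """Convenience wrapper: None instead of an exception for unknown names."""
    try:
        return client.lookup(name)
    except LookupError:
        return None


if __name__ == "__main__":
    r = RecursiveResolver()
    c = Client(r, hosts={"printer.local": "192.168.1.50"})  # constructed entry
    print(c.lookup("printer.local"))
    print(c.lookup("YouTube.com"), r.trace)
```

Note that the hosts file is consulted before any DNS traffic is sent, which is exactly why a tampered hosts file can silently redirect a name; it is worth including in host-based monitoring. The resolver also caps the number of referrals it will follow, a small but important guard against delegation loops.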
How to Create Your Own Recursive DNS Server, and a Few Misconceptions to Consider:
A fun project you can try is to self-host your very own DNS server with recursive capabilities. An on-prem server can potentially give you increased networking performance, since a DNS cache on your local network is ready to serve IPs obtained from authoritative name servers. That said, for many users, the DNS options provided by their ISP or other public providers offer competitive performance as they currently stand. All things considered, I do not particularly recommend hosting DNS if increased privacy is the goal. I would rather opt for a VPN or proxy service for that, because DNS, by default, is unencrypted. There are ways to encrypt DNS traffic by sending it through a VPN, or via DNS over TLS/HTTPS, but all these options are frivolous because your ISP will still know what website you are trying to visit as soon as your client navigates there, undermining the whole point of encrypted DNS. With a VPN, your DNS traffic will initially be routed through a secure tunnel, albeit ending up unencrypted by the time the DNS request leaves your VPN server.
However, this has not stopped companies like Google from natively using encryption when sending DNS queries from Chrome web browsers. Although superfluous in this particular use case, privacy and encryption are always important considerations.
All of this is to say, do not stress if your DNS is unencrypted. Some server, somewhere, will know what website you are trying to visit. What is important, rather, is that your communication to and from that website is encrypted. This means that the only concern, in theory, is what content you are sending to the website in question. With this in mind, creating a DNS server is quick and easy if you have some spare or cheap hardware lying around, like a Raspberry Pi. One way to do this is using a piece of software called Unbound in conjunction with Pi-hole to create a recursive, ad-blocking DNS server, which can not only observe incoming DNS queries and block malicious or ad-heavy domains, but can be preconfigured with blocklists of your choosing as well! Some enterprise-grade networking companies have even started rolling out ad-blocking functionality in their routing equipment. What a time to be alive!
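The blocking step that sits in front of the recursive resolver in a Pi-hole style setup comes down to a name-matching decision: if the queried name, or any parent domain of it, is on a blocklist, answer with a sinkhole address instead of forwarding the query. The following is an added example written for this article, not Pi-hole’s or Unbound’s own code; the blocklist text, the allowlist, the `fake_upstream` stand-in for the recursive resolver and the addresses it returns are all constructed, and the domains use the reserved .example and .test suffixes.

```python
"""Added example: the block-or-forward decision of an ad-blocking DNS
front end. Blocklist contents, queries and upstream answers are constructed."""

SINKHOLE = "0.0.0.0"  # returned for blocked names so the client connects nowhere


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().lower().rstrip(".")


def parse_blocklist(text):
    """Accept hosts-file style lines ("0.0.0.0 ads.example") as well as bare
    domains, one per line; '#' starts a comment. Returns a set of names."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        names.add(normalize(line.split()[-1]))
    return names


class Blocker:
    def __init__(self, blocklist, allowlist=()):
        self.blocked = set(blocklist)
        self.allowed = {normalize(n) for n in allowlist}
        self.stats = {"blocked": 0, "forwarded": 0}

    def matching_block(self, name):
        """Return the blocklist entry covering name (exact match or a parent
        domain), or None. The walk goes from the most specific name outward,
        so the most specific allow/block entry wins."""
        labels = normalize(name).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.allowed:
                return None
            if candidate in self.blocked:
                return candidate
        return None

    def answer(self, qname, upstream):
        """Decide one query: sinkhole it, or hand it to the upstream resolver."""
        hit = self.matching_block(qname)
        if hit:
            self.stats["blocked"] += 1
            return SINKHOLE, f"blocked by {hit}"
        self.stats["forwarded"] += 1
        return upstream(qname), "forwarded"


# Constructed sample list mixing hosts-file style and bare-domain style.
BLOCKLIST = """
# advertising / tracking (constructed names)
0.0.0.0 ads.example
tracker.example
0.0.0.0 malware.test   # constructed, not a real domain
"""


def fake_upstream(name):
    """Stand-in for the recursive resolver (e.g. Unbound); constructed answers."""
    return {"youtube.com": "203.0.113.10"}.get(normalize(name), "203.0.113.1")


def demo():
    """Run a handful of constructed queries through the blocker."""
    b = Blocker(parse_blocklist(BLOCKLIST), allowlist=["cdn.tracker.example"])
    queries = ["YouTube.com.", "ads.example", "img.ads.example",
               "tracker.example", "cdn.tracker.example", "malware.test"]
    return {q: b.answer(q, fake_upstream) for q in queries}, b.stats


if __name__ == "__main__":
    results, stats = demo()
    for q, (ip, why) in results.items():
        print(f"{q:24} -> {ip:12} ({why})")
    print(stats)
```

Two design points matter in practice: names must be normalized before comparison (otherwise `Ads.Example.` slips past a list entry of `ads.example`), and parent-domain matching is what makes a single entry cover every subdomain an ad network spins up. The per-query counters are the raw material for the query log a tool like Pi-hole shows, which is also where unexpected blocked lookups from a device first become visible.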
Thank you all for reading, my fellow tech enthusiasts! Feel free to leave comments below.