Domain Name System (DNS) is a distributed database that maps domain names to IP addresses. For example, if the IP address of your website server is 203.0.113.1, you configure a DNS record for your domain name, such as www.example.com, to point to this IP address. When users access www.example.com, DNS resolves the name to the IP address automatically, so users do not need to remember numeric addresses.
Domain hierarchy
Domain names use a hierarchical structure for naming. Each host or router connected to the Internet has a unique hierarchical name. Domain names consist of a sequence of labels separated by periods.
Examples:
.com is a top-level domain (TLD).
aliyun.com is a primary domain. In most cases, a primary domain indicates the name of an enterprise.
example.aliyun.com is a subdomain.
www.example.aliyun.com is a subdomain of example.aliyun.com.
DNS resolution
DNS hierarchy
The following table describes the four types of DNS servers required for DNS resolution:
| Type | Capability |
| --- | --- |
| Root name server | Also known as the root server. If the local DNS server fails to resolve the requested domain name, the local DNS server forwards the DNS request to the root server. The root server then returns the IP address of the TLD server to the local DNS server. |
| TLD name server | Also known as the TLD server. A TLD name server manages its registered second-level domains, such as www.example.com. The .com TLD server returns the IP address of the authoritative name server where the primary domain example.com is stored. |
| Authoritative name server | Also known as NS. An authoritative name server is the authority within a particular DNS zone and is responsible for maintaining the mappings between domain names and IP addresses within the zone. Alibaba Cloud DNS serves as an authoritative name server. |
| Local DNS server | Also known as the local DNS. A local DNS server responds to recursive requests from clients and forwards the requests to other DNS servers that may return DNS results until the DNS resolution is complete. You can also select a local DNS server from DNS servers assigned by Internet service providers (ISPs) or from public DNS servers such as Google Public DNS and 114DNS. |
A dedicated name server is responsible for managing all domain names at each domain level. The root server stores information about top-level domains. Name servers for each domain level store the IP addresses of the lower-level name servers to facilitate DNS queries.
Resolution process
The following section describes the process of DNS resolution when a user accesses a website by using the domain name example.com.
1. The user enters example.com in a web browser to initiate a query to the local DNS server. If the DNS result is cached in the local DNS server, the local DNS server directly returns the IP address that corresponds to the domain name example.com to the web browser. In this case, skip to Step 9. If no DNS result is cached in the local DNS server, proceed to Step 2.
2. The local DNS server initiates a query to the root server.
3. The root server returns the IP address of the .com TLD server to the local DNS server.
4. The local DNS server initiates a query for the domain name example.com to the .com TLD server.
5. The .com TLD server returns the IP address of the example.com authoritative name server to the local DNS server.
6. The local DNS server initiates a query to the example.com authoritative name server.
7. The example.com authoritative name server returns the IP address that corresponds to the domain name example.com to the local DNS server.
8. The local DNS server returns the requested IP address to the web browser.
9. The web browser accesses the web server by using the IP address.
10. The web server returns the web page in the browser.
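The following is an added example, not part of the original page, that models steps 1 to 8 above as code: a local DNS server that answers the client recursively, walks root, TLD and authoritative servers iteratively, and caches the answer until its TTL expires. The server tables and all addresses are constructed sample data in the documentation address ranges, not real servers.

```python
import time

# Constructed sample hierarchy (documentation-range addresses, not real servers).
# Each server holds either referrals (pointers to the next level) or final A records.
SERVERS = {
    "root":       {"com.": ("referral", "192.0.2.10")},          # root -> .com TLD
    "192.0.2.10": {"example.com.": ("referral", "192.0.2.20")},  # .com TLD -> example.com NS
    "192.0.2.20": {"example.com.": ("answer", "203.0.113.1", 300),   # (type, ip, ttl)
                   "www.example.com.": ("answer", "203.0.113.2", 60)},
}

def ask(server, name):
    """One iterative query: exact answer if present, else best referral, else None."""
    table = SERVERS[server]
    if name in table and table[name][0] == "answer":
        return table[name]
    labels = name.split(".")
    for i in range(len(labels)):              # longest matching zone cut first
        rec = table.get(".".join(labels[i:]))
        if rec and rec[0] == "referral":
            return rec
    return None                               # no data: NXDOMAIN or lame delegation

class LocalDNS:
    """Local DNS server: recursive service to the client, iterative walk upstream."""
    def __init__(self, clock=time.time):
        self.clock = clock                    # injectable clock so TTL expiry is testable
        self.cache = {}                       # name -> (ip, expiry timestamp)

    def resolve(self, name):
        """Returns (ip, trace); trace lists the servers contacted, or ["cache"]."""
        name = name.rstrip(".") + "."
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[1] > now:              # step 1: cached, answer without recursion
            return hit[0], ["cache"]
        self.cache.pop(name, None)            # TTL expired: evict and re-query
        server, trace = "root", []
        for _ in range(8):                    # bound the referral chain
            trace.append(server)
            rec = ask(server, name)
            if rec is None:
                return None, trace
            if rec[0] == "answer":            # step 7: authoritative answer
                ip, ttl = rec[1], rec[2]
                self.cache[name] = (ip, now + ttl)
                return ip, trace              # step 8: hand the address to the client
            server = rec[1]                   # steps 3 and 5: follow the referral
        return None, trace
```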
Public authoritative DNS resolution
In the DNS resolution process, the authoritative name server returns the actual IP address corresponding to a domain name, such as example.com. Public authoritative DNS services, such as Alibaba Cloud DNS, deploy globally distributed authoritative DNS servers to provide reliable and authoritative resolution.
System architecture
Control layer: Located in the China (Zhangjiakou) region, this layer provides services through the console and OpenAPI. It lets you add, delete, modify, query, and store data of domain name resolution, configuration, and logs.
Resolution layer: A globally deployed cluster of resolution servers that accepts DNS records distributed by the control layer. The resolution layer responds to query requests for DNS records. The nodes cover major continents and regions.
Advantages
Stability: Globally distributed DNS clusters with mutual backup ensure 100% SLA-guaranteed resolution services and data consistency.
Security: With a global bandwidth of 10 Tbit/s and multiple large traffic scrubbing centers, the system defends against over 100 million DNS query attacks per second.
Speed: Global node coverage enables nearby user access, delivering faster resolution and lower latency.
Note: Global nodes: US (Virginia), US (Silicon Valley), Mexico, Indonesia (Jakarta), Malaysia (Kuala Lumpur), Singapore, Japan (Tokyo), UAE (Dubai), Germany (Frankfurt), UK (London), Thailand (Bangkok), South Korea (Seoul), Philippines (Manila), China (Hong Kong), China (Beijing), China (Shanghai), China (Shenzhen), China (Hangzhou), China (Chengdu), China (Qingdao), China (Dalian), China (Xi'an), China (Tianjin), China (Taiyuan), China (Zhengzhou), China (Wuhan - Local Region), and China (Nanjing - Local Region).
The clusters may be adjusted based on Alibaba Cloud's infrastructure and are not covered under the service SLA commitment.
High performance: Thousands of domain name changes can be distributed to global service nodes within one second. The system processes more than 100 billion DNS queries for users daily.
Terms
Recursive query
In a recursive query, the DNS server that receives the query performs all the operations needed to return a complete answer. If the DNS server cannot find the requested record in its cache, it forwards the request to other servers on the client's behalf and returns the final result.
Iterative query
In an iterative query, the DNS server returns the best answer it has. If the DNS server does not have the requested resource record in the cache, it responds with a reference to a DNS server for a lower level of the domain name. Then, the client sends a query to the lower-level DNS server. This process continues with additional DNS servers until the final answer is returned.
DNS cache
The DNS cache stores DNS records close to the clients that initiate requests, which means that DNS records can be cached in a variety of locations. This mechanism is designed to streamline the recursive query process and allow users to obtain request results faster.
TTL
The time to live (TTL) specifies the longest period of time that a DNS record can be cached on a local DNS server. Once the TTL expires, the local DNS server deletes the record. If a user sends a request to the domain again afterward, the local DNS server makes a new recursive or iterative query.
IPv4/IPv6 dual stack
IPv4/IPv6 dual stack is a protocol stack that allows a system to use both IPv6 and IPv4.
DNS flood attack
In a DNS flood attack, the attacker uses a large number of compromised hosts to send a multitude of DNS requests to a DNS server. If the number of DNS queries per second exceeds the maximum capacity of the DNS server, resolution of the domain name times out, and the service may become unavailable.
URL forwarding
URL forwarding, also known as URL redirection, navigates a user from a source URL to a target URL based on settings on the DNS server.
ECS
EDNS Client Subnet (ECS) is an extension to the DNS protocol that allows a DNS resolver to send the IP address of a client to an authoritative DNS server.
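As an added example that is not part of the original page, the code below encodes and decodes the ECS option in the format defined by RFC 7871 (option code 8: address family, source prefix length, scope prefix length, then only as many address bytes as the prefix covers). The point for operators is visible in the encoder: the client address is truncated to the configured prefix before it leaves the resolver, so a /24 reveals the network, not the host. The sample addresses are constructed documentation-range values.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8   # EDNS Client Subnet option code (RFC 7871)

def build_ecs_option(client_ip, source_prefix):
    """Encode an ECS option; the address is truncated to source_prefix bits."""
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2              # 1 = IPv4, 2 = IPv6
    if not 0 <= source_prefix <= addr.max_prefixlen:
        raise ValueError("prefix length out of range for address family")
    # strict=False zeroes the host bits, so nothing beyond the prefix is sent
    net = ipaddress.ip_network(f"{addr}/{source_prefix}", strict=False)
    addr_bytes = net.network_address.packed[: (source_prefix + 7) // 8]
    payload = struct.pack("!HBB", family, source_prefix, 0) + addr_bytes  # scope 0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload

def parse_ecs_option(data):
    """Decode an ECS option into (network address, source prefix, scope prefix)."""
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError("not an ECS option")
    payload = data[4:4 + length]
    family, src, scope = struct.unpack("!HBB", payload[:4])
    addr_bytes = payload[4:]
    full = {1: 4, 2: 16}.get(family)
    if full is None:
        raise ValueError("unknown address family")
    if len(addr_bytes) != (src + 7) // 8:               # RFC 7871 length rule
        raise ValueError("address length does not match source prefix")
    padded = addr_bytes + b"\x00" * (full - len(addr_bytes))
    net = ipaddress.ip_network((padded, src), strict=True)  # rejects non-zero host bits
    return str(net.network_address), src, scope
```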
DNSSEC
Domain Name System Security Extensions (DNSSEC) adds digital signatures to DNS data so that resolvers can verify the authenticity and integrity of DNS responses. DNSSEC helps prevent attacks such as DNS spoofing, protects users from being redirected to fraudulent sites, and thereby improves user trust on the Internet.