The DNS is a technology that most IT managers don’t think much about; it works well and usually does not require much attention to support organizational objectives. This glossary of terms is intended to help IT managers re-familiarize themselves with key terms when they are considering signing up for a secondary DNS service like CIRA Anycast DNS.
Anycast
Anycast is an addressing and routing method in which the same IP address is announced from several locations and each query is delivered to the nearest of them as determined by BGP routing (usually, but not always, the geographically closest). In the DNS, an anycast network answers queries for a nameserver address from whichever node is topologically nearest to the querier, while all nodes share that address. This has the benefit of localizing the impact of malicious traffic or a failure at one node: clients routed to other nodes continue to be served. Anycast nodes can be configured as global or local nodes. Local nodes lower latency for nearby networks, improve reliability and keep traffic off wide-area links; global nodes are reachable from the entire Internet.
Authoritative nameserver
An authoritative nameserver is a server in the DNS that responds to questions about names in a zone it has been configured to serve. It is distinguished from a recursive nameserver in that recursive nameservers ask questions of authoritative nameservers on behalf of clients. Authoritative nameservers only provide answers about zones that are locally configured as authoritative zones. Hybrid nameservers that act both authoritatively and recursively on the same listener are no longer recommended: an open recursive listener can be abused for reflection and amplification, and a poisoned cache entry would be served from the same address as the authoritative data. Where the two roles must share a host, separate "views" should at minimum be used to logically separate recursive from authoritative traffic.
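The separation described above, as an added example that is not part of the original glossary and not CIRA's or ISC's own configuration: a hypothetical BIND named.conf fragment (BIND 9.16 or later syntax assumed) in which recursion is offered only to the internal view and the external view is purely authoritative. Addresses are RFC 5737 documentation ranges and "example.ca" is a placeholder zone.

```text
// Hypothetical named.conf fragment (added example). Clients matching
// "internal" get a recursive resolver; everyone else sees only the
// authoritative zones, with recursion explicitly refused.
acl internal { 192.0.2.0/24; 127.0.0.1; };

view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };
    // zones the internal clients should also see must be listed here too
    zone "example.ca" { type primary; file "zones/db.example.ca"; };
};

view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    zone "example.ca" { type primary; file "zones/db.example.ca"; };
};
```

A quick check after reloading is to query the external address for a name outside your zones (for example, a query for the root NS set with recursion desired) and confirm the server answers with REFUSED or a referral rather than a resolved answer.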
Berkeley Internet Name Domain (BIND)
BIND (Berkeley Internet Name Domain) is the most widely used nameserver software on the Internet. It originated at the University of California at Berkeley in the early 1980s as open-source software that implements the DNS protocols for the Internet. It is an enterprise-class component of the software stack with respect to query volume and stability. The software has three parts: (1) a DNS server, (2) a DNS resolver library, (3) software tools for testing.
Border Gateway Protocol (BGP)
BGP is the exterior gateway routing protocol that carries routing information between networks on the Internet (as opposed to the interior protocols used within a single network). It is a highly scalable and robust protocol that uses route attributes to express routing policy and maintain a stable routing environment. It allows routers at the edge of autonomous systems to exchange reachability information. Two high-level features make it central to how the Internet works: updates are sent only when a route changes (incremental updates rather than periodic full tables), and attributes such as local preference and communities let an operator influence which path traffic takes. It is the latter that an anycast network uses to steer queries to the intended node for performance and to contain attack traffic.
Canonical Name (CNAME)
A resource record in the DNS that specifies that a domain name is an alias for another domain name (the canonical name), rather than mapping directly to an IP address. For instance, [blog.cira.ca CNAME dog.cira.ca]. It allows several names (for example, a web server name and an FTP server name) to point at one host, so that only the canonical name's address records need to change when the host moves. A name that has a CNAME may carry no other records, so a CNAME cannot be placed at the apex of a zone (where the SOA and NS records live).
Delegation
Delegation is the act of handing authority for a part of the name space (a zone) to a set of nameservers, expressed as NS records in the parent zone. The delegated servers can be owned by a DNS supplier or be your own. For example, the .CA ccTLD delegates its subdomains, such as "companyexample.ca," to the nameservers named by the registrant. A practitioner should check that the NS records in the parent and in the child zone match, since a mismatch (a "lame delegation") causes intermittent resolution failures.
Distributed Denial of Service (DDoS) (on DNS)
A Distributed Denial of Service (DDoS) describes a scenario where servers are overwhelmed by queries from many distributed sources, generally bots, with the intention of making the service unavailable to legitimate queries. Like all services on the Internet, the DNS is susceptible to attacks aimed at saturating the authoritative server's Internet connectivity or its query-processing capacity with junk traffic. If an attack is of large enough scale, this resource exhaustion means that valid queries are never received, and thus answers can never be provided. While attacks that target the DNS itself are less common than attacks on other application-layer services, DDoS against the DNS is a large and growing problem, and because every other service depends on name resolution, an outage of the authoritative servers takes the organization's web, mail and other services offline with it.
Domain (or domain name)
A domain name is registered with, and delegated from, the authoritative parent. For example, gc.ca is a domain name delegated to the Government of Canada (GoC) by CIRA. The GoC holds the registration for gc.ca, but in the context of GoC's own DNS server administration, "gc.ca" is a zone that they must configure on their DNS servers. Further, "parl.gc.ca" and "health.gc.ca" may be part of the gc.ca zone, or they may be delegated to their subordinate organizations. If the latter were true, "parl.gc.ca" and "health.gc.ca" would also be referred to as "zones."
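The distinction between a name kept inside a zone and a name delegated out of it, as an added example that is not part of the original glossary: a hypothetical zone file for the placeholder domain "example.ca" (not a real CIRA or GoC zone). Here "health" stays in the zone while "parl" is delegated to its own nameservers. All addresses are RFC 5737 documentation ranges.

```text
; Hypothetical zone file for example.ca (added example, not a real zone).
$ORIGIN example.ca.
$TTL 3600
@        IN SOA  ns1.example.ca. hostmaster.example.ca. (
                 2024061501 ; serial
                 7200       ; refresh
                 900        ; retry
                 1209600    ; expire
                 300 )      ; negative-caching TTL
         IN NS   ns1.example.ca.
         IN NS   ns2.example.ca.
ns1      IN A    192.0.2.53
ns2      IN A    192.0.2.54
www      IN A    192.0.2.80
health   IN A    192.0.2.81     ; health.example.ca is served from this zone

; parl.example.ca is delegated: only NS records (plus glue) live here.
; Everything else under parl.example.ca is served by the child zone.
parl     IN NS   ns1.parl.example.ca.
parl     IN NS   ns2.parl.example.ca.
ns1.parl IN A    192.0.2.100    ; glue: the NS name is inside the delegated zone
ns2.parl IN A    192.0.2.101
```

The glue records are needed only because the child's nameservers are named inside the child zone; if parl.example.ca were delegated to a provider's servers (say, ns1.provider.example), the parent would carry NS records only and no addresses.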
Domain Name System Security Extensions (DNSSEC)
The Internet was designed to be open, and the DNS protocol, as originally designed, assumed the answers it received were honest; it has no built-in way to verify that a response actually came from the zone's authoritative servers. DNSSEC adds cryptographic signatures to DNS records so that a validating resolver can verify that the response it receives is genuine and unmodified (see DNS spoofing). It is sometimes compared to SSL/TLS, but the analogy is loose: DNSSEC provides origin authentication and integrity for DNS data, not confidentiality, and its chain of trust runs from the root zone through each parent's DS record rather than through certificate authorities. It requires additional administration by the zone owner (key generation, signing and rollover, plus publishing the DS record at the parent), but protects their users from forged answers and cache poisoning.
Domains are not owned by organizations but are registered for a period of time. Domains are registered through registrars, who act like resellers for the top-level domain registries such as .CA (CIRA) and .com (Verisign).
DNS Query
Since an IP address is the underlying method by which computers and devices talk to each other, and human-readable names are how people refer to them, a DNS query asks the DNS which IP address (or other record, such as MX or TXT) corresponds to a given name.
DNS Resolver (or Recursive DNS Server)
A server that accepts queries from end-user devices and resolves a domain name to an answer (such as an IP address) on their behalf, querying authoritative nameservers as needed and caching the results for later queries.
DNS spoofing (cache poisoning)
DNS spoofing is the practice of fooling an organization's recursive nameservers into accepting a bogus answer to a DNS question and storing it in the cache, from where it is handed to every client until the TTL expires. This is generally accomplished by forging large numbers of illegitimate answers towards the recursive nameserver before the real authoritative server has time to send the real answer. A forged answer is accepted only if it matches the outstanding query's 16-bit transaction ID, the UDP source port the resolver used and the question section, and only records within the responding server's zone (its "bailiwick") are cached. This is why resolvers randomize their source ports (the Kaminsky attack of 2008 showed that the transaction ID alone is not enough) and why DNSSEC validation is the definitive defence.
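The acceptance checks described above, as an added example that is not part of the original glossary and not any real resolver's code: a Python model of the state a resolver keeps for one outstanding query and the tests a reply must pass, followed by a blind spoofing attempt that succeeds only when the attacker already knows the source port. Messages are constructed dataclasses rather than real DNS wire packets, and all addresses are documentation ranges.

```python
"""Added example (not from the CIRA glossary or any resolver): the checks a
recursive resolver applies before accepting a UDP answer, and why the
transaction ID alone is not enough when source ports are randomized."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pending:
    """State the resolver keeps for one outstanding upstream query."""
    txid: int        # 16-bit ID chosen when the query was sent
    src_port: int    # UDP source port used for the query
    server_ip: str   # authoritative server the query went to
    zone: str        # zone that server is authoritative for (bailiwick)
    qname: str
    qtype: str


@dataclass(frozen=True)
class Answer:
    txid: int
    dst_port: int    # port the packet arrived on
    from_ip: str
    qname: str
    qtype: str
    rrs: tuple       # ((owner, type, rdata), ...) from all sections


def in_bailiwick(owner: str, zone: str) -> bool:
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def accept(p: Pending, a: Answer):
    """Return (True, 'ok') or (False, reason). The bailiwick rule stops a
    matched answer from smuggling records for other zones into the cache,
    which is the classic poisoning payload."""
    if a.txid != p.txid:
        return False, "transaction id mismatch"
    if a.dst_port != p.src_port:
        return False, "port mismatch"
    if a.from_ip != p.server_ip:
        return False, "unexpected source address"
    if (a.qname.lower(), a.qtype) != (p.qname.lower(), p.qtype):
        return False, "question section mismatch"
    for owner, _, _ in a.rrs:
        if not in_bailiwick(owner, p.zone):
            return False, f"out-of-bailiwick record for {owner}"
    return True, "ok"


def blind_spoof(p: Pending, port_guess: int, max_packets: int):
    """Attacker cannot see the query, so it floods answers with every
    transaction ID at the port it believes the resolver uses. Returns the
    number of packets sent before one was accepted, or None."""
    forged = ("www.example.ca.", "A", "203.0.113.66")   # attacker-controlled address
    for n, txid in enumerate(range(65536), start=1):
        if n > max_packets:
            break
        a = Answer(txid, port_guess, p.server_ip, p.qname, p.qtype, (forged,))
        if accept(p, a)[0]:
            return n
    return None


def demo():
    """Constructed scenario: one pending query, a legitimate reply, a reply
    carrying an out-of-bailiwick record, and two blind spoofing floods."""
    p = Pending(txid=0x1A2B, src_port=41523, server_ip="192.0.2.53",
                zone="example.ca.", qname="www.example.ca.", qtype="A")
    good = Answer(p.txid, p.src_port, p.server_ip, p.qname, p.qtype,
                  (("www.example.ca.", "A", "192.0.2.80"),))
    poison = Answer(p.txid, p.src_port, p.server_ip, p.qname, p.qtype,
                    (("www.example.ca.", "A", "192.0.2.80"),
                     ("www.bank.example.", "A", "203.0.113.66")))
    fixed_port = Pending(p.txid, 53000, p.server_ip, p.zone, p.qname, p.qtype)
    return {
        "legit": accept(p, good),
        "out_of_bailiwick": accept(p, poison),
        "fixed_port": blind_spoof(fixed_port, 53000, 65536),   # succeeds at txid+1 = 6700
        "random_port": blind_spoof(p, 53000, 65536),           # None: port guess is wrong
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With a fixed source port the flood needs at most 65536 packets, which is seconds of work; with a randomized port the same flood must also guess the port, multiplying the search space by roughly 64000. That margin is what makes port randomization worthwhile, but it is still only a delay, which is why the entry recommends DNSSEC.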
Dynamic DNS (DDNS)
On the public Internet, DDNS refers to updating records on a nameserver automatically and in real time using the DNS UPDATE protocol (RFC 2136), without manually editing the zone file. Updates are normally authenticated with TSIG, and the server should be configured to accept updates only from the keys, and for the names, that are explicitly permitted. It is most often used to keep a name pointing at a host whose IP address changes dynamically.
Forward lookup
Forward lookup describes using a domain name to find an IP address. In practice, the host name from the URL that someone types into their browser is sent to the DNS, which returns the IP address. By contrast, a reverse lookup uses an IP address to find a domain name.
Fully Qualified Domain Name (FQDN)
A FQDN is a domain name that specifies its exact location in the tree hierarchy of the DNS (for example, "targetpage.example.ca."). It includes every label up to the top-level domain and, strictly, a trailing dot standing for the root. Many stub resolvers treat a name with too few dots as relative and try appending the system's default domain or search list before (or instead of) querying the name as given. Scripts and configuration files should therefore use the trailing dot, so that a name is never silently resolved in the wrong domain.
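The search-list behaviour described above, as an added example that is not part of the original glossary and not any operating system's resolver code: a Python function that lists the absolute names a stub resolver would try for a given input, in the style of the glibc "ndots" rule (assumed here: ndots defaults to 1 and the search list is whatever /etc/resolv.conf would supply). It only expands names; nothing is queried.

```python
"""Added example (not from the glossary): how a stub resolver's search list
turns a relative name into candidate FQDNs. Modelled on the glibc "ndots"
rule; the search domains used below are constructed placeholders."""


def candidates(name: str, search: list, ndots: int = 1) -> list:
    """Return the absolute names a stub resolver would try, in order.
    A trailing dot makes the name fully qualified and skips the search list."""
    if name.endswith("."):
        return [name]
    as_given = name + "."
    expanded = [f"{name}.{d.rstrip('.')}." for d in search]
    if name.count(".") >= ndots:
        # "enough" dots: query the name as given first, then the search list
        return [as_given] + expanded
    # too few dots: search list first, the bare name last
    return expanded + [as_given]


def demo():
    search = ["example.ca", "corp.example.ca"]   # constructed search list
    return {
        # single label: tried in each search domain before the bare name
        "bare": candidates("targetpage", search),
        # one dot meets ndots=1, so the name leaks to the public root first
        "dotted": candidates("www.internal", search),
        # trailing dot: exactly one lookup, no search-list expansion
        "fqdn": candidates("targetpage.example.ca.", search),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The "dotted" case is the one that surprises people: a name such as "www.internal" is sent to the public Internet as "www.internal." before any search domain is appended, which both leaks internal naming and, if someone registers the matching public name, answers it. The trailing dot removes the ambiguity.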
Global node
A global node in a DNS anycast cloud is available to answer queries from anywhere on the Internet: its prefix is announced to transit providers and peers, who propagate the route onward to their own peers, so any host on the Internet can be routed to it.
Global Server Load Balancing (GSLB)
GSLB describes geographically distributed sites, each running an authoritative nameserver under its own name (ns1, ns2, ns3, etc.), with load balancing used to spread traffic across them. Balancing can be a simple round-robin between the servers or more intelligent, measurement-driven steering that sends each client to the site with the lowest latency.
Internet Protocol version 4 (IPv4)
IPv4 is the protocol that still routes most traffic on the Internet. It is a connectionless protocol for packet-switched networks based on best-effort delivery. It uses 32-bit addresses, typically written in dotted-decimal notation (for example, 192.0.2.1). The central pool of unallocated IPv4 addresses was exhausted in 2011 as the number of connected devices grew; IPv6 is the successor protocol, although at present most global traffic remains IPv4.
Internet Protocol version 6 (IPv6)
IPv6 is the latest version of the Internet Protocol, which provides the addressing and routing system for devices on the Internet. It uses 128-bit addresses, giving an address space of 2^128, effectively unlimited compared with IPv4. IPv6 also has technical advantages: hierarchical allocation limits the growth of routing tables, multicast is a required part of the protocol, and IPsec support was designed in from the start. Addresses are written as eight groups of four hexadecimal digits (2001:0db8:85a3:0000:0000:8a2e:0370:7334), usually shortened by dropping leading zeros and collapsing one run of zero groups to "::" (2001:db8:85a3::8a2e:370:7334).
Iterative query
In an iterative query the DNS server does not fetch the complete answer on the client's behalf; if it is not authoritative for the name, it returns a referral to nameservers that are closer to the answer (for example, the TLD servers). It will not query the root or any other server on behalf of the original query. The original requester is responsible for following each referral until it reaches a server that is authoritative for the name, or until it gives up. Authoritative nameservers answer this way and should refuse to recurse.
Latency (of the DNS)
Latency describes the time between the end user's device requesting DNS resolution and the response arriving. Although DNS latency is not reflected in an organization's web server logs, because it happens before the browser ever connects to the web server, it adds to the total load time of the website for the end user.
Load balancing
Load balancing describes how traffic is distributed between multiple servers located in a server cluster or node. As with any redundant infrastructure, it can be managed with a simple round-robin approach or with an intelligent approach that sends traffic to the least busy healthy server in the node.
Local node
A local node in a DNS anycast cloud is announced with the BGP NO_EXPORT community so that the networks receiving the route use it themselves but do not re-announce it to their own peers and upstreams. Local nodes are typically placed at local Internet exchange points (IXPs) and peered within a community such as a single country. This makes the node reachable mainly from local networks and keeps attack traffic from networks that do not peer with it from landing on it.
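The NO_EXPORT announcement described above, as an added example that is not part of the original glossary and not CIRA's own router configuration: a hypothetical FRRouting fragment for a local node. AS numbers are from the private range, 192.0.2.1 stands in for an IXP route server, and 198.51.100.0/24 is a documentation prefix standing in for the anycast nameserver prefix.

```text
! Hypothetical FRRouting configuration for a local anycast node (added example).
router bgp 64512
 neighbor 192.0.2.1 remote-as 64513
 neighbor 192.0.2.1 description ixp-route-server
 address-family ipv4 unicast
  network 198.51.100.0/24
  neighbor 192.0.2.1 route-map ANYCAST-LOCAL out
 exit-address-family
!
! NO_EXPORT tells the receiving AS to use the route but not re-advertise it
! beyond its own borders. A global node would announce the same prefix
! without this route-map so that transit providers propagate it everywhere.
route-map ANYCAST-LOCAL permit 10
 set community no-export
```

The check a practitioner wants after deploying this is from outside the local community: a looking glass in another country should not see 198.51.100.0/24 via the IXP path at all, only via the global nodes.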
Nameserver
A nameserver is a server on the Internet that answers DNS queries. A nameserver may be authoritative (providing answers from zones it serves) or recursive (asking questions of other nameservers on behalf of clients). A domain may be delegated to authoritative nameservers whose names lie inside that domain (for example, NS01.CIRA.CA is a nameserver for CIRA.CA, in which case the parent zone must also carry glue address records), or to nameservers outside of that domain (NS1.D-ZONE.CA is a nameserver for CIRA.CA).
Node
A DNS node is a server or cluster of servers at one location that answers DNS queries.
Primary DNS (server)
The primary DNS server is the one that holds the authoritative source of the zone files for the DNS records. It can be deployed to answer queries on the Internet, or it can be kept as a hidden master that is used only for zone administration and for feeding the secondary servers that answer queries. A hidden master is not listed in the zone's NS records, so the Internet never queries it directly; it should restrict zone transfers to the secondaries' addresses and require TSIG on them.
Recursive server (also called recursive resolver)
A recursive server receives user-generated queries, checks its cache, and if the answer is not present spawns its own set of queries to the respective authorities for each level (DNS root, TLD, second-level, etc.) and provides the answer back to the initial querier.
Recursive query
In a recursive query the DNS server that receives the query takes on the job of fetching the complete answer: if the answer is not in a zone it serves or in its cache, it queries other nameservers on the Internet (root, TLD and so on, following referrals) and returns the final answer to the client. Clients ask for this by setting the RD (recursion desired) flag; a server that will not recurse for a given client answers only with what it already has.
Registry
A registry is the organization responsible for managing a top-level domain such as .CA or .com. Registries are recognized through the IANA functions (operated by ICANN) and manage the domain according to the guidelines set out in their mandate. This includes generic top-level domains (gTLDs) such as .net, .org and .com, the new gTLDs, and a domain for each country code (ccTLD) such as .CA for Canada and .uk for the United Kingdom.
Real Time Traffic Management (RTTM)
RTTM describes managing DNS traffic globally by routing each query to either a geographically close node or a global node based on which servers are currently delivering the lowest latency. In this scenario the servers are constantly being monitored, rather than relying on geography alone or on round-robin techniques for traffic management.
Reverse lookup
A reverse DNS lookup is the process of finding a domain name when you have the IP address. It is answered from PTR records in the special in-addr.arpa (IPv4) and ip6.arpa (IPv6) zones, which are delegated along address-block boundaries to whoever holds the address space.
Root servers (or Root)
The DNS is organized as a hierarchy, and at the top of it is the root domain. The root zone contains the delegations of all the top-level domain (TLD) names such as .CA and .com, and the root itself can be envisioned as the empty label that follows the TLD (the trailing dot of a fully qualified name). The authoritative nameservers that serve the root zone are called root servers. There are thirteen named root server identities, each of which is itself an anycast network with many instances throughout the world. Recursive resolvers are configured with a root hints file that contains the names and IP addresses of the root servers so that they can bootstrap DNS resolution.
Secondary DNS (server)
Secondary DNS is a term most often applied to a backup to the primary DNS server and describes a redundant name service on a separate network to prevent downtime. In an anycast cloud it describes the servers that are set up to answer DNS queries; they receive copies of the zones from the primary server by zone transfer (a full AXFR or an incremental IXFR), usually triggered by a NOTIFY message from the primary when the zone's serial number changes.
Start of Authority (SoA Record)
The SOA is the record at the apex of every zone that marks the start of that zone's authority and carries its administrative parameters: the MNAME (the primary nameserver for the zone, which is often the "hidden master" used to create the zone and need not be one of the servers listed in the NS records), the RNAME (the administrator's mailbox, written with a dot in place of the "@"), the serial number that secondaries compare with their own copy to decide whether a fresh transfer is needed, the refresh, retry and expire timers that govern how secondaries poll the primary and how long they keep serving the zone if it becomes unreachable, and the negative-caching TTL. Note that it is the NS (Name Server) resource records, not the SOA, that identify the zone's nameservers.
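The serial comparison that a secondary performs, as an added example that is not part of the original glossary and not any nameserver's code: a Python parser for the text form of an SOA record (the field order dig prints) and the RFC 1982 serial-number comparison, which is what lets serials wrap around 2^32 without breaking transfers. The SOA strings are constructed sample data for a placeholder zone.

```python
"""Added example (not from the glossary): parse an SOA record's rdata and
decide, as a secondary would, whether the primary's serial is newer.
Comparison follows RFC 1982 serial-number arithmetic (32-bit, wrapping)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SOA:
    mname: str      # primary nameserver, often the hidden master
    rname: str      # admin mailbox with '.' standing in for '@'
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int    # negative-caching TTL


def parse_soa(rdata: str) -> SOA:
    """rdata: 'MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM'."""
    f = rdata.split()
    if len(f) != 7:
        raise ValueError("SOA rdata needs exactly 7 fields")
    return SOA(f[0], f[1], *(int(x) for x in f[2:]))


def serial_newer(candidate: int, current: int) -> bool:
    """True if candidate is 'greater' than current under RFC 1982.
    Equal serials are not newer, and a difference of exactly 2**31 is
    undefined by the RFC, so it is treated as not newer here."""
    if candidate == current:
        return False
    return 0 < (candidate - current) % 2**32 < 2**31


def should_transfer(local: SOA, remote: SOA) -> bool:
    """What a secondary asks after a NOTIFY or refresh-timer SOA query."""
    return serial_newer(remote.serial, local.serial)


def admin_mailbox(soa: SOA) -> str:
    """Turn RNAME back into an e-mail address (first label is the user part;
    escaped dots inside the user part are not handled in this example)."""
    user, _, domain = soa.rname.rstrip(".").partition(".")
    return f"{user}@{domain}"


def demo():
    local = parse_soa("ns1.example.ca. hostmaster.example.ca. 2024061501 7200 900 1209600 300")
    remote = parse_soa("ns1.example.ca. hostmaster.example.ca. 2024061502 7200 900 1209600 300")
    return {
        "mailbox": admin_mailbox(local),
        "transfer": should_transfer(local, remote),      # True: 2024061502 is newer
        "same_serial": should_transfer(local, local),    # False
        "wraparound": serial_newer(5, 4294967295),       # True: 5 is newer after wrap
        "stale_primary": serial_newer(2024061499, 2024061501),  # False: secondary is ahead
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The "stale_primary" case is the one that bites in practice: if a primary is rebuilt with a lower serial than the secondaries already hold, they will never transfer again until the serial is moved ahead of theirs (or wrapped past them in two steps), and the service keeps serving old data without any error.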
Time to Live (TTL)
To control how DNS data is refreshed across the Internet, the zone file on the authoritative nameserver specifies a TTL for each record, which is how long a recursive server may keep that record in its cache. In this way recursive servers do not need to reach back to the authoritative server every time they respond to a query. It is not advantageous to set an arbitrarily low TTL, because recursive servers then have to ask about the domain more often, which the querier perceives as latency and which raises the load on the authoritative servers. It is also not advantageous to set an arbitrarily high value, because it reduces the domain owner's ability to work around network problems or planned changes: the old data may be cached on any number of recursive servers across the world until the TTL expires. A common practice before a planned change is to lower the TTL at least one old-TTL period in advance, make the change, and then raise it again.
TLD (top-level domain)
The root is the highest level in the domain hierarchy and the root zone contains the delegations of all of the world’s TLDs. TLDs are delegated to specific countries and organizations by ICANN. Within this grouping there are broadly two types of TLDs. Country Code TLDs (ccTLD) are assigned to specific countries such as .CA, .UK, and .SE. Generic TLDs (gTLD) are not country-specific and include some of the larger TLDs by volume such as .com and .net, in addition to a large number of new gTLDs.
Transaction Signature (TSIG)
TSIG is the mechanism for authenticating DNS messages exchanged between servers, most importantly zone transfers and dynamic updates. It is not a separate network protocol but a DNS resource record appended to a message that carries an HMAC computed over the message with a shared secret key, as defined originally in RFC 2845 and now in RFC 8945. Because the DNS works in a question-answer model, mostly over UDP, where the source address of a message is trivially forged, TSIG is essential to ensure that an update or transfer request is accepted on the basis of more than just the IP address it appears to originate from. The HMAC also covers a timestamp, so a captured message cannot simply be replayed later, and the secret must be known to both parties and kept out of world-readable configuration files.
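The TSIG signing and verification described above (and the authenticated dynamic updates mentioned under Dynamic DNS), as an added example that is not part of the original glossary and not any DNS implementation's code: a Python routine that builds the RFC 8945 digest input from a constructed DNS message plus the TSIG variables, computes the HMAC-SHA256 with a shared secret, and verifies it with a constant-time comparison and the time/fudge window. The message is a minimal hand-built query rather than a real UPDATE, the key name and secret are placeholders, and nothing is sent on the network.

```python
"""Added example (not from the glossary or any nameserver): TSIG MAC
computation and verification per RFC 8945 using HMAC-SHA256. Assumes a
constructed minimal DNS message; the real TSIG RR is not appended here."""
import hashlib
import hmac
import struct

ALG = "hmac-sha256."
CLASS_ANY = 255


def encode_name(name: str) -> bytes:
    """Canonical wire form: lowercase labels, no compression, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            lb = label.encode()
            out += bytes([len(lb)]) + lb
    return out + b"\x00"


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Minimal unsigned query: 12-byte header (RD set) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_variables(keyname: str, time_signed: int, fudge: int,
                   error: int = 0, other: bytes = b"") -> bytes:
    """The TSIG RR fields that are covered by the MAC (RFC 8945 section 4.3.3)."""
    return (encode_name(keyname)
            + struct.pack("!HI", CLASS_ANY, 0)          # CLASS=ANY, TTL=0
            + encode_name(ALG)
            + time_signed.to_bytes(6, "big")            # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def tsig_mac(secret: bytes, message: bytes, keyname: str, time_signed: int,
             fudge: int, request_mac: bytes = b"") -> bytes:
    """HMAC over [request MAC] + message (without TSIG RR) + TSIG variables."""
    data = b""
    if request_mac:   # a signed response chains to the request's MAC
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += message + tsig_variables(keyname, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()


def verify(secret: bytes, message: bytes, keyname: str, time_signed: int,
           fudge: int, mac: bytes, now: int):
    """RFC 8945 order: MAC first (BADSIG), then the time window (BADTIME)."""
    expected = tsig_mac(secret, message, keyname, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"


def demo():
    secret = b"constructed-example-secret-not-for-use"   # placeholder shared key
    key = "ddns-key.example.ca."                         # placeholder key name
    msg = build_query(0x1234, "www.example.ca.")
    t = 1_700_000_000                                    # constructed time signed
    mac = tsig_mac(secret, msg, key, t, 300)
    tampered = msg[:-4] + struct.pack("!HH", 16, 1)      # flip qtype A -> TXT
    return {
        "ok": verify(secret, msg, key, t, 300, mac, now=t + 10),
        "tampered": verify(secret, tampered, key, t, 300, mac, now=t + 10),
        "stale": verify(secret, msg, key, t, 300, mac, now=t + 3600),
        "wrong_key": verify(b"other-secret", msg, key, t, 300, mac, now=t + 10),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two details carry over to real deployments: the key name and algorithm are part of the signed data, so the same secret under a different key name fails verification, and the fudge window (300 seconds is the common default) means both servers need sane clocks or every update will be refused with BADTIME.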
Unicast
Broadly applied, unicast is communication from a single sender to a single receiver on a network. As it applies to the DNS, it is a one-to-one association between a network address and an endpoint: if a unicast DNS deployment has two nameserver records (ns1 and ns2), each corresponds to exactly one server in one place. This does not preclude building redundancy behind a unicast address or running more than one node, but it does not afford the full suite of benefits (traffic localization and attack containment) of an anycast solution for external DNS resolution.
Zone
A DNS zone is the portion of the domain name space whose administration is delegated to a single manager, and it is what a nameserver is actually configured to serve (as a zone file or its equivalent). The name space is divided into zones so that responsibility for subdomains can be handed to the relevant authorities. Top-level domains such as .CA manage a zone containing the delegations of their subdomains. A zone therefore always has a well-defined boundary: it begins at its apex, where the SOA record is, and ends wherever a subdomain is delegated to other nameservers.