Wednesday August 30, 2006 at 23:22
Subject: How DNS resolution works.
Keywords:
DNS, Technical
Posted by: Sean Reifschneider
Brett Cannon on his blog recently discussed some details on how DNS
resolution is done. I thought I would expand on it some, by way of an
example and a look at the wire protocol.
Here is a screen shot of the packets that are being sent over the wire
related to a request for "www.mit.edu". If you wish to follow along, you
can download the packet dump and run "wireshark dns-mit.dump" to get more
details about what is happening on the wire.
Feel free to grab the packet capture and see what's happening.
"wireshark" (previously known as "ethereal") converts packets into
something that's easily understandable, and provides a navigation
interface for "drilling down" into the packets. You should definitely think
about following along.
The first packet is a query for "www.mit.edu" sent to one of the root name
servers. The address of that root server is pulled from /var/named/named.ca
("ca" as in "cache").
The second packet is a query to get a new copy of the root zone. The
response to this query is in packet 5, which contains a new copy of the
root zone. Packet 5 does indeed list the destination IP address used in
the first two packets as a root server.
How do I know that packet 5 is a response to packet 2 and not packet
1? Both 1 and 2 were sent to the same host. If you are following along
in wireshark and click on packet 2 and packet 5, you will see they have
the same Transaction ID, 0x53ba.
Packet 3 is a response to packet 1, listing the servers for the "edu"
zone, one of which is the destination that packet 4 is sent to.
Packet 4 is another request for www.mit.edu, to one of the edu servers.
The response to packet 4 is in packet 6.
Packet 6 includes the list of DNS servers for mit.edu, including
18.72.0.151.
Packet 7 is sent to that mit.edu DNS server, again asking for
www.mit.edu. Note that so far the queries have been of type "A". Packet 8
is a response, giving the address (what the "A" query is asking for) of
www.mit.edu.
Packet 9 is an "AAAA" request for www.mit.edu, going to another of the
DNS servers we received in packet 6. This is an example of the
load-balancing which DNS does: the different queries went to different
listed DNS servers. An "AAAA" query asks for the IPv6 address, whereas the A
query asks for the IPv4 address.
Packet 10 is the response to packet 9; its answer section is empty (length
0), as there are no "AAAA" records for www.mit.edu.
Packet 11 is a request for the "MX" record (mail exchanger) for
www.mit.edu, and packet 12 is a 0-length response -- there is no mail
server for www.mit.edu. This request was made because running "host
www.mit.edu" also does an MX query.
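To make the wire format concrete, here is an added Python example (my code, not from the post or from wireshark) that builds an A query for www.mit.edu, parses a reply, and pairs the two the way the post describes, by Transaction ID; it also checks that the question is echoed back and that the QR bit is set, because a 16-bit ID alone is a weak check. The ID 0x1234, the 192.0.2.1 address and the reply bytes are constructed sample data, not taken from the capture.

```python
import struct
def build_query(txid, name, qtype):
    """Build a DNS query: 12-byte header, then one question (class 1 = IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD bit set
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer back to an earlier name
            end = end if end is not None else off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_message(msg):
    """Parse the header, question section and resource records of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name, struct.unpack("!HH", msg[off:off + 4])[0]))  # (name, qtype)
        off += 4
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1:  # A record: rdata is a 4-byte IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        records.append((name, rtype, ttl, rdata))
    return {"txid": txid, "flags": flags, "questions": questions, "ancount": an, "records": records}

def matches(query, response):
    """Pair a reply with its query: QR bit set, same Transaction ID, same question echoed back."""
    q, r = parse_message(query), parse_message(response)
    return bool(r["flags"] & 0x8000) and q["txid"] == r["txid"] and q["questions"] == r["questions"]
# Constructed sample, not from the post's capture: an A query for www.mit.edu and a matching reply
# (flags 0x8180) whose answer name is a pointer (0xC00C) to the question, address 192.0.2.1 (doc range).
QUERY = build_query(0x1234, "www.mit.edu", 1)
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:]
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))
```

A real resolver additionally requires the reply to arrive on the UDP source port the query left from; the ID, the echoed question and the port together are what keep a forged reply out of its cache.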
What does this all mean in English?
When you get a domain name, you are getting a listing in the parent zone, for example "com" or "org" or "ca". In other words, the information that came back in packet 6, above. Getting DNS registration does not give people a way to find services in your domain; it gives them a way to find your DNS servers. For people to find your services, you need the glue in the parent zone (so people can find where your DNS server is), but you also need the final DNS server which resolves the requests (packets 7, 9, and 11). That is why putting up a web site requires domain registration, DNS service, and web hosting.