DNS In General
All DNS servers fall into one of four categories:
- Recursive Resolvers
- Root Nameservers
- TLD Nameservers
- Authoritative Nameservers
A recursive resolver (also known as a DNS recursor) is almost always the first stop in a DNS query. The recursive resolver acts as a middleman between a client and a DNS nameserver.
DNS primarily uses
UDPon port number
53to serve requests. DNS queries consist of a single
UDPrequest from the client followed by a single
UDPreply from the server. When the length of the answer exceeds 512 bytes and both client and server support
UDPpackets are used. Otherwise, the query is sent again using the
TCPis also used for tasks such as zone transfers. Some resolver implementations use
TCPfor all queries.
The DNS protocol uses two types of DNS messages, queries and replies, and they both have the same format. Each message consists of,
- a header
Identification(used to match responses with queries)
- a single bit which indicates if the message is a query (0) or a reply (1)
- four bits indicating the type of query, or the type of query this message is a response to. 0 is a standard query, 1 is an inverse query, 2 is a server status request.
- a single-bit indicates if the DNS server is authoritative for the queried hostname
- a single-bit indicates if the client wants to send a recursive query (“RD”).
- a single-bit indicates if the replying DNS server supports recursion (“RA”), as not all DNS servers are configured to do this task.
- ?-bit indicates if the message was truncated for some reason (“TC”)
- four-bit is used for error codes
- Number of
- Number of
- Number of
authority Resource Records (RRs)
- Number of
additional Resource Records (RRs)
- and four sections:
Type Of Record
Arecord - The record that holds the IP address of a domain.
CNAMErecord - Forwards one domain or subdomain to another domain, does NOT provide an IP address.
TXTrecord - Lets an admin store text notes in the record.
NSrecord - Stores the name server for a DNS entry.
SOArecord - Stores admin information about a domain. The “start of authority” record can store important info about the domain such as the email address of the administrator, when the domain was last updated, and how long the server should wait between refreshes.
SRVrecord - Specifies a port for specific services. Ex.
[@_sip._tcp.example.com.] [SRV] [8080 example2.com] [TTL],
_sipindicates the type of service,
_tcpindicates the protocol, and
8080indicates the port.
PTRrecord - Provides a domain name in reverse-lookups, which return the domain associated with a given IP address.
|NAME||Name of the node to which this record pertains.
|TYPE||Type of RR in numeric form (e.g., 15 for MX RRs)||2|
|CLASS||Class code, basically
|TTL||Count of seconds that the RR stays valid (The maximum is 231−1, which is about 68 years)||4|
|RDLENGTH||Length of RDATA field (specified in octets)||2|
|RDATA||Additional RR-specific data||Variable, as per RDLENGTH|
aaaaaa.bbbbbb.cccccc --^-- --^-- --^-- label label label
label may contain zero to 63 characters. The null label, of length zero, is reserved for the root zone.
DNS Setting In Linux (Ubuntu)
nameserver: at most 3 IP address. For multiple servers, the resolver library queries them in the order listed. The algorithm used here is,
- try first nameserver
- if the query times out, try next
- … until finish all (up to) 3 nameservers
- if the maximum number of retries have made, stop; else go back to step 1
search: Search list for host-name lookup. By default, it contains only the local domain name, ex,
my-mac.my-domain. Query having w/o
.(dot)in it will be attempted using each component of the search path in turn until a match is found. The search list is limited to six domains.
ndots: sets a threshold for the number of dots which must appear in a name given to before an initial absolute query will be made. The default for n is 1, meaning that if there are any dots in a name, the name will be tried first as an absolute name before any
searchlist elements are appended to it. Ex. Query
example.comwill be firstly send before searching for
Comes with the stock Ubuntu 16.04.
To find the dnsmasq config,
ps -ef | grep dnsmasq #/usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.1.1 --cache-size=0 --conf-file=/dev/null --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d
To see NetworkManager managed
nmcli d show enp0 ^ *your major NIC*
Detailed info of dnsmasq,
Ways To Override DNS Conf
If use DHCP to get the dynamic IP.
#/etc/dhcp/dhcp.conf supersede domain-name-servers 188.8.131.52,184.108.40.206,220.127.116.11;
#/etc/resolv.conf nameserver 18.104.22.168
echo 'server=22.214.171.124' > /etc/NetworkManager/dnsmasq.d/use-cloudflare-dns systemctl restart NetworkManager
For example, assuming the IPv4 address
126.96.36.199is assigned to Wikimedia, it is represented as a DNS name in reverse order:
188.8.131.52.in-addr.arpa. When the DNS resolver gets a pointer (PTR) request, it begins by querying the root servers, which point to the servers of American Registry for Internet Numbers (ARIN) for the
208.in-addr.arpazone. ARIN’s servers delegate
152.80.208.in-addr.arpato Wikimedia to which the resolver sends another query for
184.108.40.206.in-addr.arpa, which results in an authoritative response.
Clients can notify their respective DNS server of the updated IP address they had received from a DHCP server or through self-configuration.
If we use a single, combined DNS+DHCP solution which can maintain the consistency between both tables by itself, there’s no need to enable DDNS.
Else, we need to either,
- enable DDNS for clients notifying DNS server with the new IP address allocated by DHCP server, or,
- let DHCP server to notify DNS server the new assignments directly
DNS In Docker
For containers NOT using default
bridge network, Dockerd will config DNS in the container as,
There’s an embedded DNS server handling all DNS queries from containers (also for inter-container name resolving)
If no config flag, docker use filtered host’s
/etc/resolv.conf. Fliter will eliminate
nameserver 127.0.1.1. Since
127.0.0.0/8of host can’t be accessed within containers except for
--network=host. If empty after filtered,
220.127.116.11is added by default
/etc/resolv.confinside the container are managed by Dockerd. So, to change the config, use
docker run --[flags]instead of editing the files inside the container or using mount.
--dns. The IP address of a DNS server.
- For multiple DNS servers, use multiple flags
container:/etc/resolv.confwill always be
127.0.0.11which will not be effected by this flag
- Instead, input value of
--dnsis keeped and used by the embedded DNS server to forward the DNS query if embedded DNS server is unable to resolve a name resolution request from the containers
- If you need access to the host’s
dnsmasq), modify DNS service on the host to listen on a non-localhost address which is reachable within the container. (^stackoverflow)
--dns-search. A DNS search domain to search non-fully-qualified hostnames
- For multiple DNS search prefixes, use multiple flags
--hostname. The hostname a container uses for itself. Defaults to the container’s ID if not specified
DNS In K8s
Be aware that CoreDNS does NOT have a native recursive resolver. ^
DNS can be use for service discovery by,
SRVrecords in DNS as database and,
- Service actively send DDNS request to DNS to update the
However, DNS-SD also have cons:
- Uncontrolled TTLs
- Delay between the moment a node failure is detected and the moment the clients execute their DNS service discovery queries
- while most JSON/REST implementations use long-polling mechanisms to trigger updates on the clients instantaneously
Build Your Own Dns Server
Be aware if the DNS has looped dependencies.