Domain Name System

From Wikipedia for FEVERv2

The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates more readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. By providing a worldwide, distributed directory service, the Domain Name System has been an essential component of the functionality of the Internet since 1985.

The Domain Name System delegates the responsibility of assigning domain names and mapping those names to Internet resources by designating authoritative name servers for each domain. Network administrators may delegate authority over sub-domains of their allocated name space to other name servers. This mechanism provides distributed and fault-tolerant service and was designed to avoid a single large central database.

The Domain Name System also specifies the technical functionality of the database service that is at its core. It defines the DNS protocol, a detailed specification of the data structures and data communication exchanges used in the DNS, as part of the Internet Protocol Suite.

The Internet maintains two principal namespaces, the domain name hierarchy and the Internet Protocol (IP) address spaces. The Domain Name System maintains the domain name hierarchy and provides translation services between it and the address spaces. Internet name servers and a communication protocol implement the Domain Name System.

A DNS name server is a server that stores the DNS records for a domain; a DNS name server responds with answers to queries against its database. The most common types of records stored in the DNS database are for Start of Authority (SOA), IP addresses (A and AAAA), SMTP mail exchangers (MX), name servers (NS), pointers for reverse DNS lookups (PTR), and domain name aliases (CNAME). Although not intended to be a general purpose database, DNS has been expanded over time to store records for other types of data for either automatic lookups, such as DNSSEC records, or for human queries such as responsible person (RP) records. As a general purpose database, the DNS has also been used in combating spam by storing a real-time blackhole list (RBL). The DNS database is traditionally stored in a structured text file, the , but other database systems are common.

Function

An often-used analogy to explain the Domain Name System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames into IP addresses. For example, the domain name www.example.com translates to the addresses 93.184.216.34 (IPv4) and 2606:2800:220:1:248:1893:25c8:1946 (IPv6). The DNS can be quickly and transparently updated, allowing a service's location on the network to change without affecting the end users, who continue to use the same hostname. Users take advantage of this when they use meaningful Uniform Resource Locators (URLs) and e-mail addresses without having to know how the computer actually locates the services.

An important and ubiquitous function of the DNS is its central role in distributed Internet services such as cloud services and content delivery networks. When a user accesses a distributed Internet service using a URL, the domain name of the URL is translated to the IP address of a server that is proximal to the user. The key functionality of the DNS exploited here is that different users can simultaneously receive different translations for the same domain name, a key point of divergence from a traditional phone-book view of the DNS. This process of using the DNS to assign proximal servers to users is key to providing faster and more reliable responses on the Internet and is widely used by most major Internet services.

The DNS reflects the structure of administrative responsibility in the Internet. Each subdomain is a zone of administrative autonomy delegated to a manager. For zones operated by a registry, administrative information is often complemented by the registry's RDAP and WHOIS services. That data can be used to gain insight on, and track responsibility for, a given host on the Internet.

History

Using a simpler, more memorable name in place of a host's numerical address dates back to the ARPANET era. The Stanford Research Institute (now SRI International) maintained a text file named that mapped host names to the numerical addresses of computers on the ARPANET. Elizabeth Feinler developed and maintained the first ARPANET directory. Maintenance of numerical addresses, called the Assigned Numbers List, was handled by Jon Postel at the University of Southern California's Information Sciences Institute (ISI), whose team worked closely with SRI.

Addresses were assigned manually. Computers, including their hostnames and addresses, were added to the primary file by contacting the SRI's Network Information Center (NIC), directed by Elizabeth Feinler, by telephone during business hours. Later, Feinler set up a WHOIS directory on a server in the NIC for retrieval of information about resources, contacts, and entities. She and her team developed the concept of domains. Feinler suggested that domains should be based on the location of the physical address of the computer. Computers at educational institutions would have the domain edu, for example. She and her team managed the Host Naming Registry from 1972 to 1989.

By the early 1980s, maintaining a single, centralized host table had become slow and unwieldy and the emerging network required an automated naming system to address technical and personnel issues. Postel directed the task of forging a compromise between five competing proposals of solutions to Paul Mockapetris. Mockapetris instead created the Domain Name System in 1983. The Internet Engineering Task Force published the original specifications in and in November 1983.

In 1984, four UC Berkeley students, Douglas Terry, Mark Painter, David Riggle, and Songnian Zhou, wrote the first Unix name server implementation for the Berkeley Internet Name Domain, commonly referred to as BIND. In 1985, Kevin Dunlap of DEC substantially revised the DNS implementation. Mike Karels, Phil Almquist, and Paul Vixie have maintained BIND since then. In the early 1990s, BIND was ported to the Windows NT platform.

In November 1987, and superseded the 1983 DNS specifications. Several additional Request for Comments have proposed extensions to the core DNS protocols.

Structure

Domain name space

The domain name space consists of a tree data structure. Each node or leaf in the tree has a label and zero or more resource records (RR), which hold information associated with the domain name. The domain name itself consists of the label, concatenated with the name of its parent node on the right, separated by a dot.

The tree sub-divides into zones beginning at the root zone. A DNS zone may consist of only one domain, or may consist of many domains and sub-domains, depending on the administrative choices of the zone manager. DNS can also be partitioned according to class where the separate classes can be thought of as an array of parallel namespace trees.

Administrative responsibility for any zone may be divided by creating additional zones. Authority over the new zone is said to be delegated to a designated name server. The parent zone ceases to be authoritative for the new zone.

Domain name syntax, internationalization

The definitive descriptions of the rules for forming domain names appear in , , , and . A domain name consists of one or more parts, technically called labels, that are conventionally concatenated, and delimited by dots, such as example.com.

The right-most label conveys the top-level domain; for example, the domain name www.example.com belongs to the top-level domain com. The hierarchy of domains descends from right to left; each label to the left specifies a subdivision, or subdomain, of the domain to the right. For example, the label example specifies a subdomain of the com domain, and www is a subdomain of example.com. This tree of subdivisions may have up to 127 levels.

A label may contain zero to 63 characters. The null label, of length zero, is reserved for the root zone. The full domain name may not exceed the length of 253 characters in its textual representation. In the internal binary representation of the DNS the maximum length requires 255 octets of storage, as it also stores the length of the name.

Although no technical limitation prevents the use in domain name labels of any character representable by an octet, hostnames use a preferred format and character set. The characters allowed in labels are a subset of the ASCII character set, consisting of characters a through z, A through Z, digits 0 through 9, and hyphen. This rule is known as the LDH rule (letters, digits, hyphen). Domain names are interpreted in a case-independent manner. Labels may not start or end with a hyphen. An additional rule requires that top-level domain names should not be all-numeric.

The limited set of ASCII characters permitted in the DNS prevented the representation of names and words of many languages in their native alphabets or scripts. To make this possible, ICANN approved the Internationalizing Domain Names in Applications (IDNA) system, by which user applications, such as web browsers, map Unicode strings into the valid DNS character set using Punycode. In 2009 ICANN approved the installation of internationalized domain name country code top-level domains (ccTLDs). In addition, many registries of the existing top-level domain names (TLDs) have adopted the IDNA system, guided by , , , .
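The syntax rules above (LDH characters, hyphen placement, the 63-character label and 253-character name limits, the 127-level depth, the non-numeric TLD rule and the IDNA mapping to Punycode) are easy to get wrong in input validation, so the following Python is an added example, not code from the article or from any DNS implementation, that applies each of them to a textual name and computes the wire-format length the article quotes. It uses Python's standard idna codec for the Unicode-to-ASCII step; the regular expression and function names are this example's own.

```python
import re

# LDH rule: letters, digits and hyphen only, and a label may not start or end with a hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def check_hostname(name):
    """Return (ok, reason) for a hostname in its textual form.
    Checks the LDH rule, the 63-character label limit, the 253-character total,
    the 127-level depth and the rule that a top-level domain is not all-numeric."""
    text = name[:-1] if name.endswith(".") else name  # a trailing dot denotes the root and is not counted
    if not text:
        return False, "empty name"
    if len(text) > 253:
        return False, "textual form longer than 253 characters"
    labels = text.split(".")
    if len(labels) > 127:
        return False, "more than 127 levels"
    for label in labels:
        if not label:
            return False, "empty label (consecutive dots)"
        if len(label) > 63:
            return False, "label longer than 63 characters"
        if not LABEL_RE.match(label):
            return False, f"label {label!r} violates the LDH rule or has a leading/trailing hyphen"
    if labels[-1].isdigit():
        return False, "all-numeric top-level domain"
    return True, "ok"


def wire_length(name):
    """Octets the name occupies in the binary representation: one length octet before
    every label, plus the zero octet of the root label. A 253-character name needs 255."""
    return sum(1 + len(label) for label in name.rstrip(".").split(".")) + 1


def to_ldh(name):
    """Map a Unicode (IDNA) name to its ASCII form with Python's idna codec (Punycode labels
    carry the xn-- prefix), then apply the same hostname checks. Returns (ascii_name, ok, reason)."""
    try:
        ascii_name = name.encode("idna").decode("ascii")
    except UnicodeError as exc:
        return None, False, f"IDNA encoding failed: {exc}"
    ok, reason = check_hostname(ascii_name)
    return ascii_name, ok, reason


if __name__ == "__main__":
    for candidate in ["www.example.com", "-bad.example.com", "a" * 64 + ".com", "example.123"]:
        print(candidate, check_hostname(candidate))
    print(to_ldh("münchen.example"))  # constructed IDN input
```

Note that the two length limits are consistent with each other: a 253-character textual name with n labels has 253 − (n − 1) label characters, so its wire form is n length octets plus those characters plus the terminating zero, which is exactly 255 octets regardless of n.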

Name servers

The Domain Name System is maintained by a distributed database system, which uses the client–server model. The nodes of this database are the name servers. Each domain has at least one authoritative DNS server that publishes information about that domain and the name servers of any domains subordinate to it. The top of the hierarchy is served by the root name servers, the servers to query when looking up (resolving) a TLD.

Authoritative name server

An authoritative name server is a name server that only gives answers to DNS queries from data that has been configured by an original source, for example, the domain administrator or by dynamic DNS methods, in contrast to answers obtained via a query to another name server that only maintains a cache of data.

An authoritative name server can either be a primary server or a secondary server. Historically the terms master/slave and primary/secondary were sometimes used interchangeably but the current practice is to use the latter form. A primary server is a server that stores the original copies of all zone records. A secondary server uses a special automatic updating mechanism in the DNS protocol in communication with its primary to maintain an identical copy of the primary records.

Every DNS zone must be assigned a set of authoritative name servers. This set of servers is stored in the parent domain zone with name server (NS) records.

An authoritative server indicates its status of supplying definitive answers, deemed authoritative, by setting a protocol flag, called the "Authoritative Answer" (AA) bit in its responses. This flag is usually reproduced prominently in the output of DNS administration query tools, such as dig, to indicate that the responding name server is an authority for the domain name in question.

Operation

DNS message format

The DNS protocol uses two types of DNS messages, queries and replies; both have the same format. Each message consists of a header and four sections: question, answer, authority, and additional. A header field (flags) controls the content of these four sections.

The header section consists of the following fields: Identification, Flags, Number of questions, Number of answers, Number of authority resource records (RRs), and Number of additional RRs. Each field is 16 bits long, and appears in the order given. The identification field is used to match responses with queries. The flag field consists of sub-fields as follows:

Header flags format (field, length in bits, description):

QR, 1 bit: Indicates if the message is a query (0) or a reply (1).
OPCODE, 4 bits: The type can be QUERY (standard query, 0), IQUERY (inverse query, 1), or STATUS (server status request, 2).
AA, 1 bit: Authoritative Answer; in a response, indicates if the DNS server is authoritative for the queried hostname.
TC, 1 bit: TrunCation; indicates that this message was truncated due to excessive length.
RD, 1 bit: Recursion Desired; indicates if the client means a recursive query.
RA, 1 bit: Recursion Available; in a response, indicates if the replying DNS server supports recursion.
Z, 3 bits: Zero, reserved for future use.
RCODE, 4 bits: Response code; can be NOERROR (0), FORMERR (1, format error), SERVFAIL (2), NXDOMAIN (3, nonexistent domain), etc.

After the flags, the header ends with four 16-bit integers which contain the number of records in each of the sections that follow, in the same order.

Question section

The question section has a simpler format than the resource record format used in the other sections. Each question record (there is usually just one in the section) contains the following fields:

Question section fields (field, length in octets, description):

NAME, variable: Name of the requested resource.
TYPE, 2 octets: Type of RR (A, AAAA, MX, TXT, etc.).
CLASS, 2 octets: Class code.

The domain name is broken into discrete labels which are concatenated; each label is prefixed by the length of that label.

DNS protocol transport

DNS primarily uses the User Datagram Protocol (UDP) on port number 53 to serve requests. DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server. When the length of the answer exceeds 512 bytes and both client and server support EDNS, larger UDP packets are used. Otherwise, the query is sent again using the Transmission Control Protocol (TCP). TCP is also used for tasks such as zone transfers. Some resolver implementations use TCP for all queries.

Resource records

The Domain Name System specifies a database of information elements for network resources. The types of information elements are categorized and organized with a list of DNS record types, the resource records (RRs). Each record has a type (name and number), an expiration time (time to live), a class, and type-specific data. Resource records of the same type are described as a resource record set (RRset), having no special ordering. DNS resolvers return the entire set upon query, but servers may implement round-robin ordering to achieve load balancing. In contrast, the Domain Name System Security Extensions (DNSSEC) work on the complete set of resource records in canonical order.

When sent over an Internet Protocol network, all records use the common format specified in :

Resource record (RR) fields (field, length in octets, description):

NAME, variable: Name of the node to which this record pertains.
TYPE, 2 octets: Type of RR in numeric form (e.g., 15 for MX RRs).
CLASS, 2 octets: Class code.
TTL, 4 octets: Count of seconds that the RR stays valid (the maximum is 2^31−1, which is about 68 years).
RDLENGTH, 2 octets: Length of the RDATA field (specified in octets).
RDATA, variable (as per RDLENGTH): Additional RR-specific data.

NAME is the fully qualified domain name of the node in the tree. On the wire, the name may be shortened using label compression where ends of domain names mentioned earlier in the packet can be substituted for the end of the current domain name.

TYPE is the record type. It indicates the format of the data and it gives a hint of its intended use. For example, the A record is used to translate from a domain name to an IPv4 address, the NS record lists which name servers can answer lookups on a DNS zone, and the MX record specifies the mail server used to handle mail for a domain specified in an e-mail address.

RDATA is data of type-specific relevance, such as the IP address for address records, or the priority and hostname for MX records. Well known record types may use label compression in the RDATA field, but "unknown" record types must not ().
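The message format, question section and resource record descriptions above (header fields, flag bits, length-prefixed labels, the fixed RR header and compression pointers) can be followed byte by byte. The Python below is an added example, not code from the article or from any resolver: it builds a query message and parses a hand-constructed response in which the MX exchange name and the owner of an additional A record are compressed with pointers into earlier parts of the packet. The transaction ID, names and the address 192.0.2.10 are constructed sample values; the 0xC0 pointer encoding and the field layout follow the wire format described in the text.

```python
import struct

TYPE_A, TYPE_MX = 1, 15
CLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Wire form of a name: each label prefixed by its length, ended by the zero-length root label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid, qname, qtype):
    """Header of six 16-bit fields (QR=0, OPCODE=QUERY, RD=1, one question) followed by the question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def decode_flags(flags):
    """Split the 16-bit flags field into the sub-fields listed in the article's table."""
    return {"QR": flags >> 15 & 1, "OPCODE": flags >> 11 & 0xF, "AA": flags >> 10 & 1, "TC": flags >> 9 & 1,
            "RD": flags >> 8 & 1, "RA": flags >> 7 & 1, "Z": flags >> 4 & 0x7, "RCODE": flags & 0xF}


def decode_name(msg, offset):
    """Read a name at offset, following compression pointers (top two bits 11, 14-bit offset).
    Returns (name, offset just past the name as written in the current section)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:  # pointers must refer back to an earlier occurrence; also stops loops
                raise ValueError("bad compression pointer")
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_message(msg):
    """Parse header, question and the answer, authority and additional sections of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, question = 12, []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        question.append((qname, qtype, qclass))
    sections = {"question": question}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
            start, off = off + 10, off + 10 + rdlength
            if rtype == TYPE_A:
                rdata = ".".join(str(b) for b in msg[start:off])
            elif rtype == TYPE_MX:  # preference, then an exchange name that may be compressed
                rdata = (struct.unpack("!H", msg[start:start + 2])[0], decode_name(msg, start + 2)[0])
            else:  # unknown type: RDATA stays opaque, and must not contain compression pointers
                rdata = msg[start:off]
            records.append((name, rtype, ttl, rdata))
        sections[section] = records
    return {"id": txid, "flags": decode_flags(flags), **sections}


# Constructed response to "example.com MX": QR=1, AA=1, RD=1, RA=1, RCODE=0 -> flags 0x8580.
# The question name starts at offset 12; the label "mail" inside the MX RDATA starts at offset 43.
RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 1)
    + encode_name("example.com") + struct.pack("!HH", TYPE_MX, CLASS_IN)
    + b"\xC0\x0C" + struct.pack("!HHIH", TYPE_MX, CLASS_IN, 3600, 9)  # owner = pointer to offset 12
    + struct.pack("!H", 10) + b"\x04mail" + b"\xC0\x0C"              # RDATA: 10 mail.example.com
    + b"\xC0\x2B" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, 4)   # owner = pointer to offset 43
    + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print(build_query(0x1234, "example.com", TYPE_MX).hex())
    print(parse_message(RESPONSE))
```

Two practical points the parser makes visible: a resolver matches a reply to its query by the identification field and the question section, so both are parsed before any answer is accepted; and the TC flag, decoded alongside the others, is what tells a client that a UDP reply was cut short and the query should be repeated over TCP.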

The CLASS of a record is set to IN (for Internet) for common DNS records involving Internet hostnames, servers, or IP addresses. In addition, the classes Chaos (CH) and Hesiod (HS) exist. Each class is an independent name space with potentially different delegations of DNS zones.

In addition to resource records defined in a , the domain name system also defines several request types that are used only in communication with other DNS nodes (on the wire), such as when performing zone transfers (AXFR/IXFR) or for EDNS (OPT).

Wildcard DNS records

The domain name system supports wildcard DNS records which specify names that start with the asterisk label, '*', e.g., *.example. DNS records belonging to wildcard domain names specify rules for generating resource records within a single DNS zone by substituting whole labels with matching components of the query name, including any specified descendants.

For example, in the following configuration, the DNS zone x.example specifies that all subdomains, including subdomains of subdomains, of x.example use the mail exchanger (MX) a.x.example. The A record for a.x.example is needed to specify the mail exchanger IP address. As this has the result of excluding this domain name and its subdomains from the wildcard matches, an additional MX record for the subdomain a.x.example, as well as a wildcarded MX record for all of its subdomains, must also be defined in the DNS zone.

The role of wildcard records was refined in , because the original definition in was incomplete and resulted in misinterpretations by implementers.

Protocol extensions

The original DNS protocol had limited provisions for extension with new features. In 1999, Paul Vixie published in (superseded by ) an extension mechanism, called Extension mechanisms for DNS (EDNS), that introduced optional protocol elements without increasing overhead when not in use. This was accomplished through the OPT pseudo-resource record that only exists in wire transmissions of the protocol, but not in any zone files. Initial extensions were also suggested (EDNS0), such as increasing the DNS message size in UDP datagrams.

Dynamic zone updates

Dynamic DNS updates use the UPDATE DNS opcode to add or remove resource records dynamically from a zone database maintained on an authoritative DNS server. The feature is described in . This facility is useful to register network clients into the DNS when they boot or become otherwise available on the network. As a booting client may be assigned a different IP address each time from a DHCP server, it is not possible to provide static DNS assignments for such clients.

Security issues

Originally, security concerns were not major design considerations for DNS software or any software for deployment on the early Internet, as the network was not open for participation by the general public. However, the expansion of the Internet into the commercial sector in the 1990s changed the requirements for security measures to protect data integrity and user authentication. Several vulnerability issues were discovered and exploited by malicious users. One such issue is DNS cache poisoning, in which data is distributed to caching resolvers under the pretense of being an authoritative origin server, thereby polluting the data store with potentially false information and long expiration times (time-to-live). Subsequently, legitimate application requests may be redirected to network hosts operated with malicious intent.

DNS responses traditionally do not have a cryptographic signature, leading to many attack possibilities; the Domain Name System Security Extensions (DNSSEC) modify DNS to add support for cryptographically signed responses. DNSCurve has been proposed as an alternative to DNSSEC. Other extensions, such as TSIG, add support for cryptographic authentication between trusted peers and are commonly used to authorize zone transfer or dynamic update operations.

Some domain names may be used to achieve spoofing effects. For example, paypal.com and paypa1.com are different names, yet users may be unable to distinguish them in a graphical user interface depending on the user's chosen typeface. In many fonts the letter l and the numeral 1 look very similar or even identical. This problem is acute in systems that support internationalized domain names, as many character codes in ISO 10646 may appear identical on typical computer screens. This vulnerability is occasionally exploited in phishing.
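Defenders screen newly observed or newly registered names for the look-alike effect described above. The Python below is an added example, not from the article or from any product, of such a screen: it reduces a name to a "skeleton" in which confusable characters (the article's l/1 pair and a few constructed Latin/Cyrillic pairs) are folded together, flags labels that mix scripts, records the Punycode form of an internationalized name using Python's standard idna codec, and reports a finding when a candidate collides with a protected name. The confusable table and the names used are this example's own and are deliberately small; a production screen would use a full confusables list.

```python
import unicodedata

# Constructed confusable table: sequences that render alike in common typefaces, mapped to a canonical form.
# Keys with several characters are replaced first so that e.g. "rn" becomes "m" before single characters.
CONFUSABLES = {
    "rn": "m", "vv": "w",            # multi-character look-alikes
    "1": "l", "0": "o",              # digit/letter pairs, including the article's paypa1 case
    "\u0430": "a", "\u0435": "e",    # Cyrillic a, ie
    "\u043e": "o", "\u0440": "p",    # Cyrillic o, er
    "\u0441": "c",                   # Cyrillic es
}


def skeleton(name):
    """Canonical form used for comparison: compatibility-normalized, lower-cased, confusables folded."""
    text = unicodedata.normalize("NFKC", name).lower()
    for sequence, replacement in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        text = text.replace(sequence, replacement)
    return text


def scripts_in(label):
    """Set of script names (first word of the Unicode character name) for the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def assess(domain, protected):
    """Return a list of human-readable findings for one domain against a list of protected names."""
    findings = []
    ascii_form = domain.encode("idna").decode("ascii")  # Punycode labels get the xn-- prefix
    if ascii_form != domain:
        findings.append(f"internationalized name; wire form {ascii_form}")
    for label in domain.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    for brand in protected:
        if domain != brand and skeleton(domain) == skeleton(brand):
            findings.append(f"looks like {brand}")
    return findings


if __name__ == "__main__":
    protected = ["paypal.com", "example.com"]  # constructed protected list
    for candidate in ["paypal.com", "paypa1.com", "p\u0430ypal.com", "exarnple.com"]:
        print(candidate, assess(candidate, protected))
```

The script check is independent of the skeleton comparison on purpose: a mixed-script label is suspicious even when it collides with nothing on the protected list, and a digit-for-letter substitution such as paypa1.com is pure ASCII and is caught only by the skeleton.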

Techniques such as forward-confirmed reverse DNS can also be used to help validate DNS results.

DNS can also "leak" from otherwise secure or private connections, if attention is not paid to their configuration, and at times DNS has been used to bypass firewalls by malicious persons, and exfiltrate data, since it is often seen as innocuous.

Privacy and tracking issues

Originally designed as a public, hierarchical, distributed and heavily cached database, the DNS protocol has no confidentiality controls. User queries and nameserver responses are sent unencrypted, which enables network packet sniffing, DNS hijacking, DNS cache poisoning and man-in-the-middle attacks. This deficiency is commonly used by cybercriminals and network operators for marketing purposes, user authentication on captive portals and censorship.

User privacy is further exposed by proposals for increasing the level of client IP information in DNS queries () for the benefit of Content Delivery Networks.

The main approaches that are in use to counter privacy issues with DNS:

  • VPNs, which move DNS resolution to the VPN operator and hide user traffic from the local ISP,
  • Tor, which replaces traditional DNS resolution with anonymous .onion domains, hiding both name resolution and user traffic behind onion routing counter-surveillance,
  • Proxies and public DNS servers, which move the actual DNS resolution to a third-party provider, who usually promises little or no request logging and optional added features, such as DNS-level advertisement or pornography blocking.
    • Public DNS servers can be queried using the traditional DNS protocol, in which case they provide no protection from local surveillance, or DNS-over-HTTPS, DNS-over-TLS and DNSCrypt, which do provide such protection.

Solutions preventing DNS inspection by the local network operator are criticized for thwarting corporate network security policies and Internet censorship. They are also criticized from a privacy point of view, as giving away the DNS resolution to the hands of a small number of companies known for monetizing user traffic and for centralizing DNS name resolution, which is generally perceived as harmful for the Internet.

Domain name registration Domain Name System_section_17

The right to use a domain name is delegated by domain name registrars which are accredited by the Internet Corporation for Assigned Names and Numbers (ICANN) or other organizations such as OpenNIC, that are charged with overseeing the name and number systems of the Internet. Domain Name System_sentence_165

In addition to ICANN, each top-level domain (TLD) is maintained and serviced technically by an administrative organization, operating a registry. Domain Name System_sentence_166

A registry is responsible for operating the database of names within its authoritative zone, although the term is most often used for TLDs. Domain Name System_sentence_167

A registrant is a person or organization who has requested domain registration.

The registry receives registration information from each domain name registrar, which is authorized (accredited) to assign names in the corresponding zone, and publishes the information using the WHOIS protocol.

As of 2015, the use of RDAP is being considered.

ICANN publishes the complete list of TLDs, TLD registries, and domain name registrars.

Registrant information associated with domain names is maintained in an online database accessible with the WHOIS service.

For most of the more than 290 country code top-level domains (ccTLDs), the domain registries maintain the WHOIS information (registrant, name servers, expiration dates, etc.).

For instance, DENIC, the German NIC, holds the DE domain data.

From about 2001, most generic top-level domain (gTLD) registries have adopted this so-called thick registry approach, i.e., keeping the WHOIS data in central registries instead of in registrar databases.

For the top-level domains COM and NET, a thin registry model is used.

The domain registry (e.g., GoDaddy, BigRock and PDR, VeriSign, etc.) holds basic WHOIS data (i.e., registrar and name servers, etc.).

Registrants using ORG, on the other hand, are served exclusively by the Public Interest Registry.

Some domain name registries, often called network information centers (NICs), also function as registrars to end-users, in addition to providing access to the WHOIS datasets.

The top-level domain registries, such as those for the domains COM, NET, and ORG, use a registry-registrar model consisting of many domain name registrars.

In this method of management, the registry only manages the domain name database and the relationship with the registrars.

The registrants (users of a domain name) are customers of the registrar, in some cases through the additional subcontracting of resellers.
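The thin registry model described above in code, as an added example that is not from the Wikipedia article: the registry's WHOIS answer carries only the registrar and name servers plus a referral, and a client has to follow that referral to the registrar's WHOIS server to see registrant data. Every response and server name here is a constructed sample; `fetch` stands in for a TCP port 43 client so the code runs offline.

```python
"""Added example, not from the Wikipedia article: registrant lookup under the
thin registry model, where the TLD registry's WHOIS answer carries only the
registrar and name servers plus a referral to the registrar's WHOIS server.
All responses and server names below are constructed samples."""
REGISTRY_SERVER = "whois.registry.example"  # constructed stand-in for a TLD registry
# Thin-registry answer (RFC 3912 free-text "Key: value" lines): no registrant.
REGISTRY_RESPONSE = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, LLC
Registrar WHOIS Server: whois.registrar.example
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
>>> Last update of whois database: 2020-01-01T00:00:00Z <<<
"""
# Registrar answer, the referral target: only here does the registrant appear.
REGISTRAR_RESPONSE = """\
Domain Name: example.com
Registrant Organization: Example Org
"""


def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys such as Name Server accumulate."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(">>>") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def referral_server(fields):
    """The registrar WHOIS server a thin registry points to, if it gave one."""
    servers = fields.get("registrar whois server")
    return servers[0].lower() if servers else None


def lookup(domain, fetch):
    """Query the registry, follow at most one referral, and merge the answers.
    fetch(server, domain) abstracts the TCP/43 transport; it is offline here."""
    fields = parse_whois(fetch(REGISTRY_SERVER, domain))
    target = referral_server(fields)
    if target and target != REGISTRY_SERVER:  # one hop only, no referral loops
        for key, values in parse_whois(fetch(target, domain)).items():
            fields.setdefault(key, values)  # registry data wins on conflicts
    return fields


def offline_fetch(server, domain):
    """Constructed transport returning canned samples instead of opening TCP/43."""
    return REGISTRAR_RESPONSE if server == "whois.registrar.example" else REGISTRY_RESPONSE
```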

RFC documents

Standards

The Domain Name System is defined by Request for Comments (RFC) documents published by the Internet Engineering Task Force (Internet standards).

The following is a list of RFCs that define the DNS protocol.

  • , Domain Names - Concepts and Facilities
  • , Domain Names - Implementation and Specification
  • , Requirements for Internet Hosts—Application and Support
  • , Incremental Zone Transfer in DNS
  • , A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
  • , Dynamic Updates in the domain name system (DNS UPDATE)
  • , Clarifications to the DNS Specification
  • , Negative Caching of DNS Queries (DNS NCACHE)
  • , Non-Terminal DNS Name Redirection
  • , Secret Key Transaction Authentication for DNS (TSIG)
  • , Indicating Resolver Support of DNSSEC
  • , DNSSEC and IPv6 A6 aware server/resolver message size requirements
  • , DNS Extensions to Support IP Version 6
  • , Handling of Unknown DNS Resource Record (RR) Types
  • , Domain Name System (DNS) Case Insensitivity Clarification
  • , The Role of Wildcards in the Domain Name System
  • , HMAC SHA TSIG Algorithm Identifiers
  • , DNS Name Server Identifier (NSID) Option
  • , Automated Updates of DNS Security (DNSSEC) Trust Anchors
  • , Measures for Making DNS More Resilient against Forged Answers
  • , Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework
  • , Internationalized Domain Names in Applications (IDNA): Protocol
  • , The Unicode Code Points and Internationalized Domain Names for Applications (IDNA)
  • , Right-to-Left Scripts for Internationalized Domain Names for Applications (IDNA)
  • , Extension Mechanisms for DNS (EDNS0)
  • , DNS Transport over TCP - Implementation Requirements

Proposed security standards

  • , DNS Security Introduction and Requirements
  • , Resource Records for the DNS Security Extensions
  • , Protocol Modifications for the DNS Security Extensions
  • , Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records
  • , Minimally Covering NSEC Records and DNSSEC On-line Signing
  • , DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
  • , Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC
  • , Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
  • , Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC
  • , The EDNS(0) Padding Option
  • , Specification for DNS over Transport Layer Security (TLS)
  • , Usage Profiles for DNS over TLS and DNS over DTLS
  • , DNS Queries over HTTPS (DoH)

Experimental RFCs

  • , New DNS RR Definitions

Best Current Practices

  • , Selection and Operation of Secondary DNS Servers (BCP 16)
  • , Classless IN-ADDR.ARPA delegation (BCP 20)
  • , DNS Proxy Implementation Guidelines (BCP 152)
  • , Domain Name System (DNS) IANA Considerations (BCP 42)
  • , DNS Root Name Service Protocol and Deployment Requirements (BCP 40)

Informational RFCs

These RFCs are advisory in nature, but may provide useful information despite defining neither a standard nor a BCP.

  • , Choosing a Name for Your Computer (FYI 5)
  • , Domain Name System Structure and Delegation
  • , Common DNS Operational and Configuration Errors
  • , The Naming of Hosts
  • , Application Techniques for Checking and Transformation of Names
  • , Requirements for a Mechanism Identifying a Name Server Instance
  • , Internationalized Domain Names for Applications (IDNA): Background, Explanation, and Rationale
  • , Mapping Characters for Internationalized Domain Names in Applications (IDNA) 2008
  • , DNS Privacy Considerations
  • , Decreasing Access Time to Root Servers by Running One on Loopback
  • , DNS Terminology

Unknown

These RFCs have an official status of Unknown, but due to their age are not clearly labeled as such.

  • , Domain Requirements – Specified original top-level domains
  • , Domain Administrators Guide
  • , Domain Administrators Operations Guide
  • , DNS Encodings of Network Names and Other Types

See also

Credits to the contents of this page go to the authors of the corresponding Wikipedia page: en.wikipedia.org/wiki/Domain Name System.