Overview
Most current network communication uses the TCP/IP protocol suite, and the basis of TCP/IP is the IP address, so when a computer communicates on the network it can only recognize IP addresses made up of pure numbers. In everyday work and life, however, we only need to type a short, easy-to-remember domain name into the browser address bar to reach the corresponding website. The component that plays the key role in this process is DNS. Below is a brief introduction to the principles of DNS and its resolution process.
What is DNS
DNS is the abbreviation of Domain Name System, translated into Chinese as "domain name system". DNS is a core service of the Internet: a distributed database that maps domain names and IP addresses to each other. It translates simple, readable domain names into IP addresses that computers can recognize, allowing users to access the Internet more quickly and conveniently.
The Internet connects resources worldwide, and a single domain name server is not enough to handle all address conversion, so there are many sets of domain name servers around the world that cooperate with each other. As early as 1983, the Internet adopted a hierarchical tree-structured naming method and a distributed domain name system for resolution. This not only improves the efficiency of domain name resolution but also ensures its stability: if a single domain name server in the system fails, it does not have much impact on the normal operation of the entire DNS system.
Domain Name Structure
The Internet adopts a hierarchical tree structure naming method. Any host or router connected to the Internet has a unique hierarchical name, namely the domain name.
A domain name is composed of a sequence of labels separated by dots, similar to this: "…..three-level domain name.second-level domain name.top-level domain name." Domain names at each level are managed by the management agency of the domain one level above them, while the top-level domain names are managed by ICANN.
A domain name consists of two or more words. Common domain names are a second-level domain name plus a top-level domain name, so we generally divide domain names into top-level and second-level domain names. In addition, there are country code top-level domain names.
Domain Name Server
DNS domain name servers on the Internet are also divided according to hierarchy, and each domain name server only governs part of the domain name system. According to the role played by the domain name server, the domain name server can be divided into four different types:
root domain name server
There are a total of 13 root servers around the world: 1 main root server in the United States and 12 auxiliary root servers, of which 9 are in the United States, 1 in the United Kingdom, 1 in Sweden and 1 in Japan. These 13 root servers manage the main directory of the Internet and mainly serve IPv4.
In 2016, the China Next Generation Internet Engineering Center led the launch of the Snowman Project, aiming to provide more root server solutions for the next-generation Internet (IPv6). The plan was completed in 2017. It includes 3 main root servers (1 in China, 1 in the United States and 1 in Japan) and 22 auxiliary root servers: 3 in China, 2 in the United States, 3 in India and France, 2 in Germany, 2 in Russia, Italy, Spain, Austria, Chile, South Africa, Australia and Switzerland, and 1 in the Netherlands, a total of 22 units. Since then, a new pattern of the 13 original root servers plus 25 IPv6 root servers has been formed.
Top-level domain server
The top-level domain name is the rightmost word of the domain name. For example, in mail.baidu.com the top-level domain name is com. The server corresponding to a top-level domain name is called the top-level domain name server. Common top-level domain names also include .NET, .TOP, .ORG, etc., and each has its own intended use.
- .COM: used for commercial organizations; there are no usage restrictions and everyone can register
- .NET: originally used for network organizations, such as service providers and repairers; now there are no usage restrictions and everyone can register
- .TOP: used for top companies or individuals in their industry; everyone can register
- .ORG: used for various organizations, such as non-profit and educational organizations; now everyone can register
In addition to the above there are .CN, .UA, .JP, etc. These consist of two letters and are top-level domains dedicated to individual countries. For example, .CN is the top-level domain name dedicated to China and .JP is the top-level domain name dedicated to Japan.
Authoritative Domain Name Server
When an authoritative domain name server cannot give the final answer to a query, it tells the DNS client that issued the query which authoritative domain name server should be asked next.
The second-level domain name, such as baidu.com in mail.baidu.com, has no fixed words and can be composed of various letters and numbers. mail is the MX resolution of the second-level domain name baidu.com, and so on; there may also be third-level and fourth-level domain name servers.
Local Domain Name Server
The local domain name server does not belong to the tree-like hierarchy of DNS domain name servers shown in the figure below, but it is very important to the domain name system. When a host issues a DNS query, the query message is sent to the local domain name server. Every ISP can have a local domain name server.
DNS domain name resolution process
The following figure is an example diagram of domain name resolution, covering the basic resolution steps and principles.
The resolution steps are explained below, and the resolution process is then tracked from the command line. After the user types an address into the address bar and presses Enter, domain name resolution begins.
Step 1: Check whether the IP address corresponding to the domain name has been cached in the browser cache
After the user visits a website through the browser, the browser automatically caches the address corresponding to the website's domain name. On the next visit, the browser first looks up the IP address for the domain name in its cache. Because the cache has not only a size limit but also a time limit (the caching time of a domain name is set through attributes), the domain name may not be found. If the browser finds the address for the website's domain name in its cache, the entire resolution process ends; if not, the next step is carried out. Regarding the caching time, it is not advisable to set it too long: if the IP address corresponding to the domain name changes, users will be unable to access the website normally for a period of time. If it is too short, the domain name will be resolved too frequently.
Step 2: If the IP is not found in the browser cache, it will continue to look up whether the local system has cached IP
If the first step does not complete the domain name resolution, the browser checks the system cache for the address corresponding to the domain name; this can be understood as the system itself having a basic ability to resolve domain names. In the system, a domain name can be manually bound to an address by setting a file, and the file location is. For ordinary users, manually binding domain names and addresses is not recommended. For developers, binding a domain name to an address makes it easy to switch environments, for example from the test environment to the development environment, which is convenient for development and testing. In the system, attackers often modify this file on a user's computer and bind the domain names the user frequently visits to addresses they specify, so that resolution happens locally and these domain names are hijacked. In other systems, the same purpose can be achieved by modifying the corresponding file.
The first two steps are completed on the local machine, so they are not shown in the example diagram above. Starting from the third step, requests to resolve the domain name are sent to remote DNS servers.
Step 3: Initiate a domain name resolution request to the local domain name resolution server
If the domain name cannot be resolved on the local machine, the system can only ask the local domain name resolution server to resolve it. The local domain name server is generally a domain name server in your region: if you are connected to a campus network, the resolution server is in your campus computer room; if you are connected to a China Telecom, China Mobile or China Unicom network, the local domain name resolution server is in your region and the service is provided by the respective operator. The local server addresses can be viewed with system commands. Most domain name resolution results are cached here, and the cache time is again controlled by the domain name's expiry time. Most resolution work is essentially over at this point, since the local domain name server handles the bulk of it.
Step 4: Initiate a domain name resolution request to the root domain name server
If the local domain name resolution server has not completed the resolution, it initiates a resolution request to the root domain name server.
Step 5: The root domain name server returns the gTLD domain name resolution server address
The local domain name resolution server initiates a resolution request to the root domain name server, and the root domain name server returns the address of the generic top-level domain (gTLD) server for the domain being queried; the common generic top-level domains are those introduced above.
Step 6: Initiate a resolution request to the gTLD server
The local domain name resolution server initiates a resolution request to the gTLD server.
Step 7: gTLD server receives the request and returns the Name Server server
The gTLD server receives the request from the local domain name server and, according to the domain name to be resolved, finds the Name Server corresponding to that domain name. Generally speaking, this is the domain name server of the registrar where you registered the domain, so that service provider's server undertakes the task of resolving your domain name.
Step 8: Name Server server returns the IP address to the local server
The Name Server finds the address corresponding to the domain name and returns the address together with its TTL value to the local domain name server.
Step 9: Local domain name server cache resolution results
The local domain name server caches the resolution result; the cache time is controlled by the TTL.
Step 10: Return the parsing result to the user
The resolution result is returned directly to the user. The user's system caches the address, again for a time controlled by the TTL. At this point the resolution process ends.
The above briefly introduces and analyzes the resolution steps; next, the specific resolution process of a domain name is analyzed through the command line.
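As an added illustration that is not part of the original article, the following Python simulates the ten resolution steps above with a constructed server tree (root referral, gTLD referral, a Name Server answer with a TTL) and the three caches the text describes, so it runs offline and shows which step answers a query and how TTL expiry forces a full resolution again. All names, IPs and TTLs are made up.

```python
import time

# Constructed authoritative data for the simulation (not real DNS data).
ROOT_REFERRALS = {"com": "gtld-server.com"}               # step 5: root -> gTLD server
GTLD_REFERRALS = {"example.com": "ns1.provider.example"}  # step 7: gTLD -> Name Server
NAME_SERVER_DATA = {                                       # step 8: Name Server -> (IP, TTL)
    "ns1.provider.example": {"www.example.com": ("192.0.2.10", 300)},
}


class TtlCache:
    """Cache whose entries expire after their TTL; used for steps 1, 2 and 9."""

    def __init__(self, clock):
        self.clock = clock       # injectable clock so expiry can be tested
        self.entries = {}        # name -> (ip, expires_at)

    def get(self, name):
        hit = self.entries.get(name)
        if hit and hit[1] > self.clock():
            return hit[0]
        self.entries.pop(name, None)   # expired or missing: drop and miss
        return None

    def put(self, name, ip, ttl):
        self.entries[name] = (ip, self.clock() + ttl)


class Resolver:
    """Walks the ten resolution steps and reports which step answered."""

    def __init__(self, hosts=None, clock=time.time, local_dns_cache=None):
        self.hosts = hosts or {}                       # static local bindings (step 2)
        self.browser_cache = TtlCache(clock)           # step 1
        self.system_cache = TtlCache(clock)            # step 2
        # the local DNS server's cache (step 9) is normally shared by many clients
        self.local_dns_cache = local_dns_cache if local_dns_cache is not None else TtlCache(clock)

    def resolve(self, name):
        """Return (ip, step); step 0 means the name could not be resolved."""
        ip = self.browser_cache.get(name)                          # step 1
        if ip:
            return ip, 1
        ip = self.system_cache.get(name) or self.hosts.get(name)   # step 2
        if ip:
            return ip, 2
        ip = self.local_dns_cache.get(name)                        # step 3: local DNS answers from cache
        if ip:
            return ip, 3
        tld = name.rsplit(".", 1)[-1]
        gtld_server = ROOT_REFERRALS.get(tld)                      # steps 4-5: ask root, get gTLD server
        zone = ".".join(name.split(".")[-2:])
        ns = GTLD_REFERRALS.get(zone) if gtld_server else None     # steps 6-7: ask gTLD, get Name Server
        answer = NAME_SERVER_DATA.get(ns, {}).get(name)            # step 8: Name Server returns IP + TTL
        if answer is None:
            return None, 0
        ip, ttl = answer
        self.local_dns_cache.put(name, ip, ttl)                    # step 9: local DNS caches for TTL
        self.system_cache.put(name, ip, ttl)                       # step 10: result returned and cached
        self.browser_cache.put(name, ip, ttl)
        return ip, 8
```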
AliDNS high-availability architecture
Alibaba Group acquired Wanwang in 2009. On January 6, 2013, Alibaba Group announced that its Alibaba Cloud and Wanwang will merge into a new Alibaba Cloud company. After the merger, the "Wanwang" brand will continue to be retained and become a domain name service brand under Alibaba Cloud.
Wanwang is the largest domain name registrar in China. Wanwang's early domain name resolution was built on the open source BIND. Because of BIND's considerable performance problems, weak security protection and lack of intelligent resolution support, Alibaba Cloud took the path of self-developed DNS resolution after taking over Wanwang, and named it AliDNS.
The idea of AliDNS quickly became reality. By upgrading and transforming the DNS software and comprehensively improving its reliability and capacity, and relying on Alibaba Group's strong technical resources, it deploys multiple nodes nationwide to provide efficient and stable resolution scheduling, realizes automatic failover of cloud computing clusters across multiple computer rooms, data backup and rollback, and system performance monitoring with real-time alarms, and uses an independently developed traffic cleaning center of over 100 G that can quickly judge and track attack behavior and handle it according to plan, ensuring a stable and reliable domain name resolution service.
As the entrance to cloud computing services, AliDNS will gradually integrate with Alibaba Cloud's existing cloud products and become an indispensable part of the cloud product family. ECS, SLB, RDS, CDN, etc. provide users with efficient and reliable computing, storage, website acceleration and load balancing services, while AliDNS provides a powerful and stable resolution scheduling entrance to ensure a smooth access experience. The launch of AliDNS has made Alibaba Cloud's products and services a whole, providing users with a one-stop service experience.
AliDNS achieves high DNS availability mainly by reducing faults and recovering quickly after failures. The following figure is a simplified diagram of the DNS service architecture, divided into a control layer and a resolution layer; how each of these two layers achieves high availability is described separately below.
Control layer
The control layer has two main functions: persisting DNS data, and sending DNS data to adns (the DNS server).
1 Data persistence
The control layer receives the domain name data configured by the user and persists it in the database. The X-Cluster product of the database team is used to achieve high data availability and to eliminate data loss caused by operation and maintenance mistakes:
- the database adopts three sites and five copies, with a strong synchronous replication solution deployed within the same city;
- the database uses the Paxos protocol to elect a leader among its nodes, and if a problem occurs at any stage the data is switched over internally;
- the application deployment is decoupled from the database and can be deployed in any computer room;
- when the database leader fails, the database switches over automatically; the application connects to any node to obtain the current leader location and resumes its business.
2 Data distribution
Data is distributed from the control layer to adns mainly over a stable internal network, so the probability of transmission errors is low.
When the control layer sends data to adns there is a data compensation mechanism: a failed transmission is retried many times, and if the retries keep failing an alarm is raised and the case is handed over for manual processing.
Resolution layer
The resolution layer consists of adns clusters deployed in hundreds of IDC computer rooms around the world, which publish a large number of service IPs through anycast. Users send DNS requests to these IPs to obtain resolution results.
1 Eliminate single points of failure
The resolution layer reduces failures mainly by eliminating single points of failure so that failover is possible.
- Host to network: each adns has dual network ports connected to two different switches, avoiding a single point of failure in either the network port or the switch;
- Within a cluster: adns servers are divided into multiple clusters, each with multiple adns servers. These machines publish the same IP to the switch, and traffic is distributed through ECMP. The DNS servers in the same cluster are hot standbys for each other: when one adns has a problem, the switch distributes its traffic to the other servers.
- Between clusters: multiple clusters publish the same IP, and these clusters are hot standbys for each other through the network's anycast technology. If one cluster becomes unavailable, traffic is transferred to the other available clusters.
- NS IPs: for special reasons (such as operator black holes) some IPs cannot be reached from the entire network, so we configure multiple IPs for each NS. The LocalDNS selects the IP with the shortest RTT based on the SRTT algorithm and forwards requests to it, thereby avoiding the problematic IP.
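The NS IP item above relies on the recursive resolver's SRTT selection. The following Python is an added example, not AliDNS or any resolver's code: it keeps an exponentially smoothed RTT per NS IP, probes every IP once, then prefers the lowest SRTT, so a black-holed IP (constructed here as an IP whose queries never return) is penalized after one timeout and left alone. The smoothing weight and timeout penalty are assumed constants; real resolvers use their own.

```python
# Constructed NS IPs and their behaviour: RTT in milliseconds, or None for an IP
# that is black-holed (queries never return). All values are made up.
NETWORK = {"198.51.100.1": 30.0, "198.51.100.2": None, "203.0.113.1": 10.0}


class SrttSelector:
    """Keeps a smoothed round-trip time per NS IP and always queries the best one."""

    ALPHA = 0.3           # weight of the newest sample (assumed constant)
    TIMEOUT_MS = 2000.0   # penalty recorded when a query never returns (assumed)

    def __init__(self, ips):
        self.srtt = {ip: None for ip in ips}   # None = never tried yet

    def pick(self):
        """Untried IPs are probed first; otherwise the lowest SRTT wins."""
        for ip, value in self.srtt.items():
            if value is None:
                return ip
        return min(self.srtt, key=self.srtt.get)

    def record(self, ip, rtt_ms):
        """Fold one measurement (or a timeout) into the IP's SRTT."""
        sample = self.TIMEOUT_MS if rtt_ms is None else rtt_ms
        old = self.srtt[ip]
        self.srtt[ip] = sample if old is None else (1 - self.ALPHA) * old + self.ALPHA * sample


def run_queries(selector, network, rounds):
    """Send `rounds` queries against the constructed network; return pick counts per IP."""
    counts = {ip: 0 for ip in selector.srtt}
    for _ in range(rounds):
        ip = selector.pick()
        counts[ip] += 1
        selector.record(ip, network[ip])   # None for the black-holed IP -> timeout penalty
    return counts
```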
2 System Capacity
The monitoring system monitors the QPS capacity of each server and cluster in real time;
the adns clusters support horizontal expansion in deployment, and capacity can reach the bandwidth of the computer room.
3 How correct resolution is ensured
We deploy a data reconciliation system that compares data between adns servers and compares adns data with the control database;
we deploy a dialing system that dials the SOA of each zone and dials the RR records of specific domain names;
these two methods detect data exceptions in time, so that exceptions are avoided or their handling time is shortened.
Handling generally takes effect within a few seconds by withdrawing the route of the server in question.
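The reconciliation and dialing checks described above, as an added example (not AliDNS code): constructed snapshots of what the control database holds and what each adns node answered when dialed are compared for SOA serial and RR mismatches, and nodes with any anomaly are listed for route withdrawal. Zone, node names and records are made up.

```python
# Constructed data: the control DB's view of a zone and what each adns node
# answered when dialed. Records are keyed by (name, type) -> set of rdata.
CONTROL_DB = {
    "example.com": {
        "soa_serial": 2024051203,
        "rr": {("www.example.com", "A"): {"192.0.2.10"},
               ("example.com", "MX"): {"10 mail.example.com"}},
    }
}
ADNS_NODES = {
    "adns-hz-01": {"example.com": {          # in sync with the control DB
        "soa_serial": 2024051203,
        "rr": {("www.example.com", "A"): {"192.0.2.10"},
               ("example.com", "MX"): {"10 mail.example.com"}}}},
    "adns-sz-02": {"example.com": {          # stale: old serial and an old A record
        "soa_serial": 2024051201,
        "rr": {("www.example.com", "A"): {"192.0.2.9"},
               ("example.com", "MX"): {"10 mail.example.com"}}}},
    "adns-bj-03": {},                        # zone never arrived at this node
}


def reconcile(control_db, adns_nodes):
    """Compare every node against the control DB; return sorted (node, zone, kind, detail)."""
    anomalies = []
    for node, zones in adns_nodes.items():
        for zone, expected in control_db.items():
            actual = zones.get(zone)
            if actual is None:
                anomalies.append((node, zone, "zone_missing", ""))
                continue
            if actual["soa_serial"] != expected["soa_serial"]:   # SOA dialing
                anomalies.append((node, zone, "soa_serial",
                                  f"{actual['soa_serial']} != {expected['soa_serial']}"))
            for key in set(expected["rr"]) | set(actual["rr"]):  # RR dialing
                if expected["rr"].get(key) != actual["rr"].get(key):
                    anomalies.append((node, zone, "rr_mismatch", f"{key[0]} {key[1]}"))
    return sorted(anomalies)


def serials_by_node(adns_nodes, zone):
    """Comparison between adns nodes: group nodes by the SOA serial they serve."""
    groups = {}
    for node, zones in adns_nodes.items():
        serial = zones.get(zone, {}).get("soa_serial")
        groups.setdefault(serial, []).append(node)
    return {serial: sorted(nodes) for serial, nodes in groups.items()}


def nodes_to_withdraw(anomalies):
    """Nodes with any anomaly are candidates for route withdrawal."""
    return sorted({node for node, _, _, _ in anomalies})
```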
4 Security protection
As a service on the public network, network attacks are unavoidable and affect system availability. We have adopted the following two types of security measures to improve the availability of DNS.
1) Network attack protection
The most common DNS attack is a layer-4 DDoS attack. For attacks with very large traffic, the Aliguard system deployed in the computer room provides network protection. To reduce the impact of the DDoS protection system on normal DNS traffic, we set a very high protection threshold; DDoS attacks below the threshold are absorbed by our high-performance DNS server (adns).
2) Application security
To deal with DNS poisoning, spoofing and similar scenarios, our DNS server supports DNSSEC;
to deal with DNS hijacking, we support multiple transport protocols, such as DNS over TCP, HTTPDNS and DNS over TLS. Users can choose the security solution appropriate to their needs.
AliDNS function and performance
Quick
Resolution takes effect in real time with intelligent multi-line allocation. After a user sets a resolution record, AliDNS synchronizes it to authoritative DNS servers across the country in just 5 seconds. After a server receives a resolution request, it returns the result within 30 ms, ensuring that domain name resolution takes effect in real time and access is fast. Intelligent multi-line resolution locates the user's source through an accurate IP address library, so that users of China Unicom, China Telecom, China Mobile, the education network or overseas networks are each allocated the best resolution line, giving your website visitors the smoothest access experience.
stable
A 100% availability guarantee lets you rest easy at any moment. AliDNS has 19 DNS cluster nodes and DNS intelligent acceleration services around the world, providing users with nearby access and minimum-latency resolution. Automatic failover of cloud computing clusters across multiple computer rooms, data backup and rollback, and system performance monitoring with real-time alarms ensure a stable domain name resolution service, so that every access reaches its destination.
security
Protection capacity of more than 100 G lets you rest assured every day. With Alibaba's years of accumulated attack and defense technology, AliDNS can withstand flood attacks of more than 100 G using its self-developed traffic cleaning equipment. It has a comprehensive security monitoring system that can quickly judge and track attack behavior and handle it according to plan, ensuring a stable and reliable domain name resolution service. It can withstand up to 100 million DNS queries per second, protecting websites and application services from DNS attacks.
Intelligent
AliDNS can intelligently return an IP address according to the user's geographical location; its routing covers the 6 major operators and the provinces of China.
In addition to being fast, stable and secure, AliDNS makes resolution settings very simple and convenient. The resolution management tool lets you log in to AliDNS and add, modify and delete domain name records yourself, including A, CNAME, MX, AAAA, SRV, TXT, NS and other records. It also provides stable and reliable URL forwarding, freely definable TTLs, Chinese domain name resolution, wildcard domain name resolution and subdomain name resolution.