Editing Domain Name System (section)

==Operation==
===Address resolution mechanism===
Domain name resolvers determine the domain name servers responsible for the domain name in question by a sequence of queries starting with the right-most (top-level) domain label.

[[File:Example of an iterative DNS resolver.svg|right|thumb|400px|A DNS resolver that implements the iterative approach mandated by RFC 1034; in this case, the resolver consults three name servers to resolve the [[fully qualified domain name]] "www.wikipedia.org".]]

For proper operation of its domain name resolver, a network host is configured with an initial cache (''hints'') of the known addresses of the root name servers. The hints are updated periodically by an administrator by retrieving a dataset from a reliable source.

Assuming the resolver has no cached records to accelerate the process, the resolution process starts with a query to one of the root servers.  In typical operation, the root servers do not answer directly, but respond with a referral to more authoritative servers, e.g., a query for "www.wikipedia.org" is referred to the ''org'' servers.   The resolver now queries the servers referred to, and iteratively repeats this process until it receives an authoritative answer. The diagram illustrates this process for the host that is named by the [[fully qualified domain name]] "www.wikipedia.org".

This mechanism would place a large traffic burden on the root servers, if every resolution on the Internet required starting at the root. In practice [[#Record caching|caching]] is used in DNS servers to off-load the root servers, and as a result, root name servers actually are involved in only a relatively small fraction of all requests.

====Recursive and caching name server====
In theory, authoritative name servers are sufficient for the operation of the Internet. However, with only authoritative name servers operating, every DNS query must start with recursive queries at the [[DNS root zone|root zone]] of the Domain Name System and each user system would have to implement resolver software capable of recursive operation.<ref>{{Cite web |title=DNS zone |url=https://www.ionos.co.uk/digitalguide/server/know-how/dns-zone/ |access-date=2022-03-31 |website=IONOS Digitalguide |date=27 January 2022 |language=en}}</ref>

To improve efficiency, reduce DNS traffic across the Internet, and increase performance in end-user applications, the Domain Name System supports DNS cache servers which store DNS query results for a period of time determined in the configuration (''[[time-to-live]]'') of the domain name record in question.
Typically, such caching DNS servers also implement the recursive algorithm necessary to resolve a given name starting with the DNS root through to the authoritative name servers of the queried domain. With this function implemented in the name server, user applications gain efficiency in design and operation.

The combination of DNS caching and recursive functions in a name server is not mandatory; the functions can be implemented independently in servers for special purposes.

[[Internet service providers]]  typically provide recursive and caching name servers for their customers. In addition, many home networking routers implement DNS caches and recursion to improve efficiency in the local network.

===DNS resolvers===
The [[Client-side|client side]] of the DNS is called a DNS resolver. A resolver is responsible for initiating and sequencing the queries that ultimately lead to a full resolution (translation) of the resource sought, e.g., translation of a domain name into an IP address. DNS resolvers are classified by a variety of query methods, such as ''recursive'', ''non-recursive'', and ''iterative''. A resolution process may use a combination of these methods.<ref name="rfc1034" />

In a ''non-recursive query'', a DNS resolver queries a DNS server that provides a record either for which the server is authoritative, or it provides a partial result without querying other servers. In case of a [[#Record_caching|caching DNS resolver]], the non-recursive query of its local [[Name server#Caching name server|DNS cache]] delivers a result and reduces the load on upstream DNS servers by caching DNS resource records for a period of time after an initial response from upstream DNS servers.

In a ''recursive query'', a DNS resolver queries a single DNS server, which may in turn query other DNS servers on behalf of the requester. For example, a simple stub resolver running on a [[home router]] typically makes a recursive query to the DNS server run by the user's [[ISP]]. A recursive query is one for which the DNS server answers the query completely by querying other name servers as needed. In typical operation, a client issues a recursive query to a caching recursive DNS server, which subsequently issues non-recursive queries to determine the answer and send a single answer back to the client. The resolver, or another DNS server acting recursively on behalf of the resolver, negotiates use of recursive service using bits in the query headers. DNS servers are not required to support recursive queries.

The ''iterative query'' procedure is a process in which a DNS resolver queries a chain of one or more DNS servers. Each server refers the client to the next server in the chain, until the current server can fully resolve the request. For example, a possible resolution of www.example.com would query a global root server, then a "com" server, and finally an "example.com" server.

===Circular dependencies and glue records===
Name servers in delegations are identified by name, rather than by IP address. This means that a resolving name server must issue another DNS request to find out the IP address of the server to which it has been referred. If the name given in the delegation is a subdomain of the domain for which the delegation is being provided, there is a [[circular dependency]].

In this case, the name server providing the delegation must also provide one or more IP addresses for the [[authoritative name server]] mentioned in the delegation. This information is called ''glue''.   The delegating name server provides this glue in the form of records in the ''additional section'' of the DNS response, and provides the delegation in the ''authority section'' of the response. A glue record is a combination of the name server and IP address.

For example, if the [[authoritative name server]] for example.org is ns1.example.org, a computer trying to resolve www.example.org first resolves ns1.example.org. As ns1 is contained in example.org, this requires resolving example.org first, which presents a circular dependency. To break the dependency, the name server for the [[top level domain]] org includes glue along with the delegation for example.org.  The glue records are address records that provide IP addresses for ns1.example.org. The resolver uses one or more of these IP addresses to query one of the domain's authoritative servers, which allows it to complete the DNS query.

===Record caching===
A common approach to reduce the burden on DNS servers is to cache the results of name resolution locally or on intermediary resolver hosts. Each DNS query result comes with a time to live (TTL), which indicates how long the information remains valid before it needs to be discarded or refreshed. This TTL is determined by the administrator of the authoritative DNS server and can range from a few seconds to several days or even weeks.<ref>{{Cite web |title=What is DNS propagation? |url=https://www.ionos.com/digitalguide/server/know-how/dns-propagation/ |access-date=2022-04-22 |website=IONOS Digitalguide |language=en}}</ref>

As a result of this distributed caching architecture, changes to DNS records do not propagate throughout the network immediately, but require all caches to expire and to be refreshed after the TTL. RFC 1912 conveys basic rules for determining appropriate TTL values.

Some resolvers may override TTL values, as the protocol supports caching for up to sixty-eight years or no caching at all. [[Negative cache|Negative caching]], i.e. the caching of the fact of non-existence of a record, is determined by name servers authoritative for a zone which must include the [[SOA record|Start of Authority]] (SOA) record when reporting no data of the requested type exists. The value of the ''minimum'' field of the SOA record and the TTL of the SOA itself is used to establish the TTL for the negative answer.

===Reverse lookup===
A [[reverse DNS lookup]] is a query of the DNS for domain names when the IP address is known. Multiple domain names may be associated with an IP address. The DNS stores IP addresses in the form of domain names as specially formatted names in pointer (PTR) records within the infrastructure top-level domain [[.arpa|arpa]]. For IPv4, the domain is in-addr.arpa.  For IPv6, the reverse lookup domain is ip6.arpa. The IP address is represented as a name in reverse-ordered octet representation for IPv4, and reverse-ordered nibble representation for IPv6.

When performing a reverse lookup, the DNS client converts the address into these formats before querying the name for a PTR record following the delegation chain as for any DNS query. For example, assuming the IPv4 address 208.80.152.2 is assigned to Wikimedia, it is represented as a DNS name in reverse order: 2.152.80.208.in-addr.arpa. When the DNS resolver gets a pointer (PTR) request, it begins by querying the root servers, which point to the servers of [[American Registry for Internet Numbers]] (ARIN) for the 208.in-addr.arpa zone. ARIN's servers delegate 152.80.208.in-addr.arpa to Wikimedia to which the resolver sends another query for 2.152.80.208.in-addr.arpa, which results in an authoritative response.

===Client lookup===
[[File:DNS Architecture.svg|right|thumb|400px|DNS resolution sequence]]
Users generally do not communicate directly with a DNS resolver. Instead DNS resolution takes place transparently in applications such as [[web browser]]s, [[e-mail client]]s, and other Internet applications. When an application makes a request that requires a domain name lookup, such programs send a resolution request to the [[DNS resolver]] in the local operating system, which in turn handles the communications required.

The DNS resolver will almost invariably have a cache (see above) containing recent lookups. If the cache can provide the answer to the request, the resolver will return the value in the cache to the program that made the request. If the cache does not contain the answer, the resolver will send the request to one or more designated DNS servers. In the case of most home users, the Internet service provider to which the machine connects will usually supply this DNS server: such a user will either have configured that server's address manually or allowed [[Dynamic Host Configuration Protocol|DHCP]] to set it; however, where systems administrators have configured systems to use their own DNS servers, their DNS resolvers point to separately maintained name servers of the organization. In any event, the name server thus queried will follow the process outlined [[#Address resolution mechanism|above]], until it either successfully finds a result or does not. It then returns its results to the DNS resolver; assuming it has found a result, the resolver duly caches that result for future use, and hands the result back to the software which initiated the request.

====Broken resolvers====
Some large ISPs have configured their DNS servers to violate rules, such as by disobeying TTLs, or by indicating that a domain name does not exist just because one of its name servers does not respond.<ref>{{cite web
|url = http://ask.slashdot.org/story/05/04/18/198259/providers-ignoring-dns-ttl
|title = Providers ignoring DNS TTL?
|publisher = [[Slashdot]]
|year = 2005
|access-date = 2012-04-07
}}</ref>

Some applications such as web browsers maintain an internal DNS cache to avoid repeated lookups via the network. This practice can add extra difficulty when debugging DNS issues as it obscures the history of such data. These caches typically use very short caching times on the order of one minute.<ref>{{cite web|url=http://dyn.com/web-browser-dns-caching-bad-thing/|title=Ben Anderson: Why Web Browser DNS Caching Can Be A Bad Thing|author=Ben Anderson|date=7 September 2011|access-date=20 October 2014}}</ref>

[[Internet Explorer]] represents a notable exception: versions up to IE 3.x cache DNS records for 24 hours by default. Internet Explorer 4.x and later versions (up to IE 8) decrease the default timeout value to half an hour, which may be changed by modifying the default configuration.<ref>{{cite web
|url = http://support.microsoft.com/default.aspx?scid=KB;en-us;263558
|title = How Internet Explorer uses the cache for DNS host entries
|publisher = [[Microsoft Corporation]]
|year = 2004
|access-date = 2010-07-25
}}</ref>

When [[Google Chrome]] detects issues with the DNS server it displays a specific error message.

===Other applications===
The Domain Name System includes several other functions and features.

Hostnames and IP addresses are not required to match in a one-to-one relationship. Multiple hostnames may correspond to a single IP address, which is useful in [[virtual hosting]], in which many web sites are served from a single host. Alternatively, a single hostname may resolve to many IP addresses to facilitate [[fault tolerance]] and [[load balancing (computing)|load distribution]] to multiple server instances across an enterprise or the global Internet.

DNS serves other purposes in addition to translating names to IP addresses. For instance, [[mail transfer agent]]s use DNS to find the best mail server to deliver [[e-mail]]: An [[MX record]] provides a mapping between a domain and a mail exchanger; this can provide an additional layer of fault tolerance and load distribution.

The DNS is used for efficient storage and distribution of IP addresses of block-listed email hosts. A common method is to place the IP address of the subject host into the sub-domain of a higher level domain name, and to resolve that name to a record that indicates a positive or a negative indication.

For example:
* The address {{IPaddr|203.0.113.5}} is block-listed. It points to {{mono|5.113.0.203.blocklist.example}}, which resolves to {{IPaddr|127.0.0.1}}.
* The address {{IPaddr|203.0.113.6}} is not block-listed and points to {{mono|6.113.0.203.blocklist.example}}. This hostname is either not configured, or resolves to {{IPaddr|127.0.0.2}}.
E-mail servers can query blocklist.example to find out if a specific host connecting to them is in the block list. Many such block lists, either subscription-based or free of cost, are available for use by email administrators and anti-spam software.

To provide resilience in the event of computer or network failure, multiple DNS servers are usually provided for coverage of each domain. At the top level of global DNS, thirteen groups of [[root name server]]s exist, with additional "copies" of them distributed worldwide via [[anycast]] addressing.

[[Dynamic DNS]] (DDNS) updates a DNS server with a client IP address on-the-fly, for example, when moving between ISPs or mobile [[Hotspot (Wi-Fi)|hot spots]], or when the IP address changes administratively.