DNS — Hierarchy, Glue, Transport, Records, Poisoning & DNSSEC (Deep Dive)
DNS — Hierarchy, Glue, Transport, Records, Poisoning & DNSSEC
The core DNS pages cover the resolution walk and DNS-based load balancing. This page fills the senior gaps: why the hierarchy exists at all, the glue-record chicken-and-egg, the UDP wire substrate and its limits, the record-type vocabulary, the security story (Kaminsky poisoning → DNSSEC) that a senior always probes, client-side failover, and the back-of-envelope numbers.
1. Why a hierarchy — from first principles
DNS is a hierarchy for three compounding reasons: delegation of administrative authority (the .com registry delegates bank.com to the bank, who runs their own zone — no central authority edits everyone's records); bounded knowledge per node (a root server knows only the TLD name servers, not billions of hostnames — each tier knows just enough to point one level down); and caching that collapses read load (TTLs let resolvers answer ~80–90%+ of queries locally, so the roots see a tiny fraction of real traffic). Miss any one and the design looks arbitrary; together they force the tree.
2. Resolution and the glue-record chicken-and-egg
The naive trace says "ask the bank.com name server" — but that NS is itself named ns1.bank.com, whose address is inside the very zone you're trying to resolve. To break the loop, the parent (.com) returns the NS's A/AAAA record directly in the ADDITIONAL section — a glue record. Glue is required whenever a name server is in-domain (in-bailiwick); without it resolution can't bootstrap. This is a favourite "walk me through it exactly" follow-up.
3. The wire substrate: UDP, 512 bytes, TC, EDNS0
DNS is UDP-first on port 53 — one datagram out, one back, no handshake (that's what makes resolution fast, and also what makes it forgeable, see §5). Classic DNS caps a UDP response at 512 bytes; if the answer is larger the server sets the TC (truncated) bit and the client retries over TCP. EDNS0 negotiates larger UDP payloads (e.g. 4096 B) and carries extensions — DNSSEC signatures, and EDNS Client Subnet (lets the resolver hint the client's network so a CDN/GeoDNS answers with a nearby edge). Modern privacy variants wrap it in TLS: DoT (port 853) and DoH (over HTTPS).
4. Record-type vocabulary
- A / AAAA — hostname → IPv4 / IPv6.
- CNAME — alias to another name (can't coexist with other records at the same name).
- NS — delegation: which name servers are authoritative for a zone.
- SOA — zone apex metadata: primary NS, serial, refresh/retry/expire, and the negative-caching TTL.
- MX — mail exchangers (with priority).
- TXT — arbitrary text; used for SPF/DKIM/domain verification.
- PTR — reverse DNS (IP → name), in
in-addr.arpa. - SRV — service location (host+port), used by SIP/XMPP/AD.
- CAA — which CAs may issue certs for the domain.
5. Security: why plain DNS is forgeable, and the Kaminsky attack
Unauthenticated UDP DNS has no proof of who answered — the resolver accepts the first reply that matches the query's 16-bit transaction ID and the (source IP, port) tuple. An off-path attacker can flood forged replies guessing the txn ID. Kaminsky's insight (2008): query a random subdomain (rnd123.bank.com) so the answer is never cached — the attacker can retry the race indefinitely — and stuff the forged reply's authority/additional section with bank.com NS = attacker-IP, poisoning the entire domain, not one record.
Mitigations: randomize the source port as well as the txn ID (adds ~16 bits → ~2³² guesses, making blind spoofing infeasible), plus 0x20 case randomization for a few more bits. The real integrity fix is DNSSEC: each zone signs its records (RRSIG) and the parent signs the child's key (DS), forming a chain of trust from the root — so a resolver can cryptographically verify the answer wasn't forged. (DNSSEC gives integrity/authenticity, not confidentiality; DoT/DoH give confidentiality.)
6. Redundancy and client-side failover
Every tier is replicated: 13 root letters are thousands of anycast instances; a zone must have ≥2 NS; a resolver retries the next server on timeout. Distinguish failure kinds: SERVFAIL (transient — retry another server) vs NXDOMAIN (authoritative "no such name" — cached negatively per the SOA minimum TTL, so you don't re-ask). On the client, getaddrinfo returns all A/AAAA records; the OS/browser tries the next address if one is dead, and Happy Eyeballs (RFC 8305) races IPv4 and IPv6 in parallel so a broken IPv6 path doesn't stall the connection. This client resilience means a stale/dead A record degrades gracefully rather than hard-failing — the base pages slightly overstate the single-IP failure risk.
7. Back-of-envelope
- Per-hop query latency ~10–50 ms; a fully cold recursive resolution (root → TLD → authoritative) ~50–150 ms. A warm cache hit is ~1 ms (local resolver).
- Cache hit ratio at a busy resolver is ~80–90%+, which is exactly why the roots survive global query volume — most queries never leave the resolver.
- TTL is the tuning knob: low TTL = faster failover/changes but more query load and less caching; high TTL = cheap and fast but slow to propagate a change.
Judgment layer & pitfalls
- TTL choice: short for records you may need to fail over fast (an A record fronting a service); long for stable infrastructure (NS, MX). Short TTL is a real cost at scale.
- DNSSEC: deploy when answer integrity matters (finance, high-value domains); note the operational cost (key rollovers, larger responses, potential resolver-side validation failures taking you offline). Not a confidentiality tool — pair with DoT/DoH for that.
- Pitfall: assuming DNS load balancing gives even distribution — resolver/client caching and TTLs make it coarse and sticky; use it for coarse geo/failover, not fine load spreading.
- Pitfall: forgetting glue → in-domain name servers become unresolvable; forgetting negative-cache TTL → NXDOMAIN storms.
Takeaways
- The hierarchy = delegated authority + bounded per-node knowledge + caching that collapses read load; glue records break the in-domain NS bootstrap loop.
- DNS is UDP:53, 512-byte-then-TC→TCP, with EDNS0 for larger payloads/DNSSEC/Client-Subnet; DoT/DoH add privacy.
- Plain DNS is forgeable (Kaminsky); source-port randomization raises the bar and DNSSEC signs the chain of trust for real integrity.
- Client multi-address + Happy Eyeballs make stale IPs degrade gracefully; ~80–90% resolver cache hit is why the roots survive.
Re-authored/Deepened for this guide.
🤖 Don't fully get this? Learn it with Claude
Stuck on DNS — Hierarchy, Glue, Transport, Records, Poisoning & DNSSEC (Deep Dive)? Open Claude, copy a block below, and it'll teach you this exact concept — visually and interactively.
Build the mental picture, not memorization.
I just read a lesson on **DNS — Hierarchy, Glue, Transport, Records, Poisoning & DNSSEC (Deep Dive)** (System Design) and want to truly understand it. Explain DNS — Hierarchy, Glue, Transport, Records, Poisoning & DNSSEC (Deep Dive) from first principles using ONE vivid real-world analogy and a visual mental model — draw it as ASCII art or a clear step-by-step diagram — with a concrete example using real numbers. Then ask me one question to check I got the mental picture, and wait for my reply. If you're unsure or a claim isn't standard, say so and reason from first principles instead of guessing.
Socratic — adapts to where you're stuck.
Teach me **DNS — Hierarchy, Glue, Transport, Records, Poisoning & DNSSEC (Deep Dive)** interactively. Ask me ONE guiding question at a time, wait for my answer, and adapt to my confusion — build the idea with me step by step instead of explaining it all at once. If you're unsure or a claim isn't standard, say so and reason from first principles instead of guessing.
Active recall exposes what you missed.
Quiz me on **DNS — Hierarchy, Glue, Transport, Records, Poisoning & DNSSEC (Deep Dive)** with 5 questions, easy to tricky, ONE at a time. Tell me if each answer is right; at the end, explain clearly what I got wrong and why. If you're unsure or a claim isn't standard, say so and reason from first principles instead of guessing.
Intuition + hook + flashcards for long-term memory.
Help me remember **DNS — Hierarchy, Glue, Transport, Records, Poisoning & DNSSEC (Deep Dive)** for the long term: give the one-sentence intuition, a memorable hook/mnemonic, a tiny worked example, and 3 active-recall flashcards (Q -> A). If you're unsure or a claim isn't standard, say so and reason from first principles instead of guessing.