Can someone explain how DNS works? Because this current situation where GoDaddy.com’s nameservers being down* causing sites registered with them not to resolve contradicts what I thought I knew about the concept.
DNS servers propagate, right? So why would taking out a couple of them in the chain cause addresses not to resolve? Why wouldn’t redundancy kick in as long as the DNS where the sites are registered is down?
Why create a system with single point of failure like that, especially on the Internet where rerouting around problems is one of its main strengths?
*Claimed to be by Anonymous, but it’s odd that it’s just one mouthpiece.
IANA Network engineer, but I am a general-purpose Computer Geek, so the following haphazard handwaving WAG should be in the right direction:
As I understand it, DNS is registered by domain, not every last server is propagated all over the 'Net. Each domain has a local DNS server to which all resolution requests (for the domain) get routed, and the multitude of physical and virtual hosts on a domain are resolved there (and cached by your own Name Server.)
So whether a GoDaddy-hosted site is actually in GoDaddy’s domain or has purchased its own, the physical name server resolving individual servers within the domain is – well, was – hosted on GoDaddy. And you can’t reach it now.
DNS is hierarchical, not peer-to-peer. Every top-level domain has a few bigass nameservers (root nameservers) and the list of these comes in your computer’s Root Zone File which is distributed with every operating system.
The root nameservers hold the addresses of the authoritative name server for every domain registered in that TLD. The root nameservers can tell you the address of the nameserver that has information about the individual domains. That nameserver can then tell you the addresses of individual servers within that domain.
So if a given domain happens to have their DNS hosted on GoDaddy’s DNS servers, then the root nameservers can point you there. But if their DNS servers are broken, then you’re boned.
Now, add to this the fact that DNS servers cache the results of queries for some time. That’s why you can ask your ISP’s DNS server for an address and get a result very fast; your ISP’s DNS server only needs to go to the next level up if the cache timeout for that query has expired. That’s why DNS propagation can take a few hours; you have to wait for everyone’s cache to expire and query the originating nameserver again.
If a DNS server goes down, it’s quite possible that many people would not notice, because their nameservers already have the information cached. But if it stays down for more than a few minutes, more and more people will notice the interruption as their local caches expire.
This situation is exacerbated by the fact that these days, many people deliberately set the expiration time on the DNS records to be very short, for a variety of reasons.
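The chain of events described in the post above (root to TLD to authoritative server, answers cached for their TTL, and the outage only becoming visible once cached records expire) can be reproduced in a few lines. This is an added example, not code from the thread; the servers, names and addresses are constructed placeholders and the TTL is a parameter so the effect of a short expiry time is visible too.

```python
"""Caching resolver over a toy DNS hierarchy (added example, constructed data)."""

def build_servers(ttl):
    """Constructed zones: root refers .com to the TLD server, which refers
    example.com to the hoster's authoritative server, which holds host records."""
    return {
        "root":      {"com": ("NS", "tld-com")},
        "tld-com":   {"example.com": ("NS", "ns.hoster")},
        "ns.hoster": {"www.example.com": ("A", "192.0.2.10", ttl)},
    }

def ask(servers, server, name, servers_up):
    """One query to one server: referral, answer, or a timeout if it is down."""
    if server not in servers_up:
        raise TimeoutError(f"{server} unreachable")
    labels = name.split(".")
    for i in range(len(labels)):            # longest suffix this server knows
        key = ".".join(labels[i:])
        if key in servers[server]:
            return servers[server][key]
    raise LookupError(f"{server} has no record for {name}")

class CachingResolver:
    def __init__(self, servers):
        self.servers = servers
        self.cache = {}                     # name -> (ip, expires_at)

    def resolve(self, name, now, servers_up):
        hit = self.cache.get(name)
        if hit and hit[1] > now:            # still inside TTL: never leave the cache
            return hit[0], "cache"
        server = "root"
        while True:                         # iterative walk down the hierarchy
            rec = ask(self.servers, server, name, servers_up)
            if rec[0] == "NS":
                server = rec[1]
                continue
            _, ip, ttl = rec
            self.cache[name] = (ip, now + ttl)
            return ip, "authoritative"

def outage_timeline(ttl=300):
    """Resolve at t=0 (all up), then at t=100 and t=400 with ns.hoster down."""
    r = CachingResolver(build_servers(ttl))
    all_up, hoster_down = {"root", "tld-com", "ns.hoster"}, {"root", "tld-com"}
    out = []
    for t, up in ((0, all_up), (100, hoster_down), (400, hoster_down)):
        try:
            out.append((t,) + r.resolve("www.example.com", t, up))
        except TimeoutError:
            out.append((t, None, "SERVFAIL"))
    return out
```

With the default 300-second TTL the name still resolves from cache at t=100 and fails only at t=400; with `outage_timeline(60)` the failure already shows at t=100, which is the short-TTL effect the post mentions.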
I don't know what exactly is wrong with GoDaddy, but some hosting services use the same IP for several websites. If the nameserver is down, knowing and entering the IP into the browser will not give you access to the site because the webserver (assuming it is not down too) won't know which of the sites sharing that IP you want.
So then, I assume the cache isn’t set up to retain the address until explicitly told it’s gone because the assumption is that nameservers often come and go. But, if that’s the case, why do they need to register on GoDaddy’s nameserver at all? Why not just host your own small nameserver that contains your domain name? Sure, you still have to register it to the root nameservers, but then you wouldn’t have to worry about attacks like this. Why put all the registrations in one place, creating a single point of failure?
No, the assumption is that data on nameservers changes from time to time, but not often enough that we should contact the authoritative source for every request.
You could certainly do that. I could also clean my own house. But it’s a lot more convenient to pay some money to the lady who comes every two weeks while I’m at work. Running a DNS, like mopping, is a huge pain in the ass.
Anybody can run a DNS server, and it's done as a matter of course at any decent-sized company. If your company has an intranet where you can type "hr" to get to the internal human resources site, for example, your company runs its own DNS servers. It requires some specialized knowledge, though.
A factor here is that a lot of people running web servers, even for popular sites, don’t really understand how DNS works. Another factor is that 0.001% of the time that GoDaddy’s (or whoever’s) DNS is down isn’t worth the effort of maintaining your own DNS server 100% of the time.
Basically, your hosting provider serves multiple sites/domains that all resolve to the same IP address. When you access any of those sites your browser resolves the IP address via DNS, then issues an HTTP request to that address, sending along the server and domain name itself in one of the HTTP headers. The webserver parses that header value to figure out which of the multiple sites at that IP you are trying to reach and responds with the appropriate content.
This is why a lot of sites can’t be accessed via IP address alone anymore, and why old pre-HTTP/1.1 browsers from before 1996 won’t get very far on the web today. Without that Host header, the server won’t know which site to serve the request from.
Your browser doesn’t care if the name is resolved through DNS or the hosts file. Either way it sends the name in the HTTP headers, so the server knows exactly what site to serve. As long as the IP and the name are valid, it will work fine.
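The name-based virtual hosting described in the two posts above can be shown with a small request dispatcher. This is an added example, not code from the thread; the three sites and the shared address 192.0.2.10 are constructed. It picks the site from the Host header, which is why typing the bare IP, or using a pre-HTTP/1.1 client that sends no Host at all, gives the server nothing to go on.

```python
"""Name-based virtual hosting dispatch (added example, constructed sites)."""

# Constructed: three sites that all share one IP address (192.0.2.10).
SITES = {
    "www.example.com":  "<h1>Example Co</h1>",
    "blog.example.net": "<h1>Someone's blog</h1>",
    "shop.example.org": "<h1>Shop</h1>",
}

def parse_request(raw: bytes):
    """Return (method, path, version, headers) from a raw HTTP request head."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()   # header names are case-insensitive
    return method, path, version, headers

def dispatch(raw: bytes):
    """Choose the site by Host. Simplification: a real server usually falls back
    to a default site when Host is missing or unknown; here that case is made
    explicit with a 404 so the problem is visible. IPv6 literals are not handled."""
    method, path, version, headers = parse_request(raw)
    host = headers.get("host", "").split(":")[0].lower()   # drop optional :port
    if version == "HTTP/1.1" and not host:
        return 400, "Bad Request: HTTP/1.1 requires a Host header"
    if host in SITES:
        return 200, SITES[host]
    return 404, f"no site configured for host {host!r}"

def scenarios():
    """Constructed requests: named site, IP typed in the bar, HTTP/1.0 with no Host."""
    return {
        "by name":      dispatch(b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")[0],
        "name + port":  dispatch(b"GET / HTTP/1.1\r\nHost: blog.example.net:8080\r\n\r\n")[0],
        "bare ip":      dispatch(b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n")[0],
        "old browser":  dispatch(b"GET / HTTP/1.0\r\n\r\n")[0],
        "1.1 no host":  dispatch(b"GET / HTTP/1.1\r\n\r\n")[0],
    }
```

A hosts-file entry for www.example.com pointing at 192.0.2.10 produces exactly the "by name" request, since the browser sends the typed name regardless of how it was resolved.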
Even many large, clueful sites don’t run their own DNS. Companies like UltraDNS and Akamai run DNS for huge parts of the Internet. These providers have points of presence on every continent, using anycast and other techniques to provide much more redundancy and performance than you could ever hope to get out of a couple of DNS servers running in your company’s data center (or more likely colo, or on a cloud server somewhere).
IMHO, really there are only two categories of people who should be running their own external DNS (internal is a different matter):
Geeky folks who enjoy tinkering with this kind of stuff (or want to learn about it) and are running non-critical personal sites.
Massive, top-tier companies with global infrastructure and deep technology expertise (think Google, Amazon, etc.).
Everyone else should let someone else host their DNS. On the low end, use your web/mail hosting provider, on the medium-end use something like Amazon’s Route53 or DNS Made Easy (those can both scale beyond medium-end, but unlike many of the other big players, they’re affordable for smaller scale operations). On the higher end, you can also consider Akamai, UltraDNS, etc. Here’s an interesting article comparing some of the players: http://blog.cloudharmony.com/2012/08/comparison-and-analysis-of-managed-dns.html. It has some pricing info near the end, to give you a sense of what we’re talking about here.