20

I was reading about DNS some days ago and learned how the requests are processed. If you surf to www.example.com, then a request will go to the Root Name Servers to see who owns that .com address, then another request will go to another, more local, DNS server to see who owns the example.com address and so on.

How is it technically possible that the 13 Root Name Servers can handle all requests done by earth's billions of Internet users simultaneously without being overloaded leading to a Denial-of-Service?

Wouter
Rox
  • By the way, your summary of the way the DNS works is wrong. The question asked to the root name server is not "who owns .com?" but "what is the IP address of www.example.com?" (the root name server replies by a reference to the owner of .com). The root name server sees the entire query (which is useful for statistics, data mining, etc). – bortzmeyer Mar 03 '13 at 08:45
  • @bortzmeyer The main reason the entire name is sent to the root servers is that not every dot in the name is necessarily a boundary of authority. In practice I believe there always is a boundary of authority just below the TLD, but in principle it is not guaranteed. Hence at some point in the future it might be decided to introduce a special TLD where the second layer is handled by the root servers such that when you query the root servers for `a.b.c.example` you will be told who is responsible for `c.example` rather than who is responsible for `example`. – kasperd Dec 16 '15 at 23:35

5 Answers

53

They're 13 highly available clusters of servers, not simply 13 servers.

Among other things, root nameserver operators are required to have enough capacity to handle three times their normal traffic load (RFC 2870). This leads to rather large clusters.

However, the root nameservers only serve responses for the top level domains themselves, i.e. com., net., uk., ae., etc., and the nameservers which query the root can cache this information for up to 48 hours, which dramatically reduces the load at the root nameservers. This leads to smaller clusters.

The root nameservers are in over 130 physical locations in 53 countries; with only 13 server names, this is done through the magic of IPv4 anycast.

The root nameservers also have their own web site, which you may find interesting reading.

Michael Hampton
  • 48 h is the TTL of the NS records at the root. But it can be overridden by the name servers of the TLD itself. For instance, for .jp, it is only 24 h. – bortzmeyer Mar 03 '13 at 08:46
  • Well, we _are_ talking about the root nameservers here. :) – Michael Hampton Mar 03 '13 at 08:47
  • RFC 2870 is quite outdated today. Because of the DDoS attacks, a root name server has to be ready to answer much more than three times its normal traffic. – bortzmeyer Mar 03 '13 at 08:47
  • 53 countries? Is it a coincidence or did they choose it just like the DNS query port?? :D – amyassin Mar 03 '13 at 13:34
10

They don't. The root nameservers just have to tell you what nameservers handle com. From then on, you don't need to go to them to handle any domain inside com. The root nameservers have no idea who owns example.com. They're root nameservers, not com nameservers.

What slimsuperhero said is also true. Many high-volume nameservers use anycast to have a single IP address served by a number of servers around the world.

David Schwartz
  • But if 1 billion users were surfing to different .com addresses at the same second, would the root name servers handle all requests? – Rox Mar 03 '13 at 08:27
  • No. For one thing, users only talk to recursive nameservers (those that connect to other nameservers to get answers) and the root nameservers aren't recursive (they only serve local information they already know). Users talk to their own nameservers (usually provided by their ISP) who only need to ask the root nameservers *once* for the servers that handle `com`. – David Schwartz Mar 03 '13 at 08:29
  • @DavidSchwartz is correct - so instead of one billion requests from one billion users they'd only get roughly one million requests from one million ISPs, each of which serves a thousand users. – Shadur Mar 03 '13 at 11:08
  • @Shadur: Now, the nameservers for `com` on the other hand must take a much more massive beating. – David Schwartz Mar 03 '13 at 11:16
  • And I'm fairly sure they're scaled and clustered appropriately. – Shadur Mar 03 '13 at 11:18
  • @Rox, to give your hypothetical some serious consideration: if every nameserver on earth suddenly dumped its cache at the same moment, and then after that 1 billion users tried to surf to .com addresses-- or anywhere else-- it seems likely that the resulting traffic would temporarily overwhelm the root servers. And beyond that, traffic to the .com servers would also spike in a huge way. This isn't going to happen, because intelligent caching is a key part of the design of the global DNS system. – davidcl Mar 03 '13 at 18:05
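The point made in this answer and its comments (users talk to their ISP's recursive resolver, which only has to ask the root once per TTL for the `com` delegation) can be modelled directly. The following Python is an added example, not code from the thread: the 48 h TTL is the one quoted on this page, while the 2 h TTL for second-level delegations and the constructed `siteN.com` names are assumptions.

```python
import random
from collections import Counter

# TTLs: the root's TLD delegations are cached for 48 h (the figure quoted above);
# the 2 h value for second-level delegations is an assumption of this model.
TTL = {"tld": 48 * 3600, "zone": 2 * 3600}

class Resolver:
    """Minimal model of one recursive resolver (e.g. an ISP's): it caches every
    delegation it learns and counts the queries it sends to each tier of servers."""
    def __init__(self):
        self.cache = {".": float("inf")}   # root addresses come from the hints file, never expire
        self.queries = Counter()           # tier -> number of queries sent

    def resolve(self, name, now):
        labels = name.rstrip(".").split(".")
        # zones from the name's own zone up to the root, e.g. example.com, com, .
        zones = [".".join(labels[i:]) for i in range(1, len(labels))] + ["."]
        # start at the deepest zone whose delegation is still cached ("." at worst)
        start = next(i for i, z in enumerate(zones) if self.cache.get(z, -1) > now)
        for i in range(start, -1, -1):
            tier = "root" if zones[i] == "." else ("tld" if i == len(zones) - 2 else "auth")
            self.queries[tier] += 1
            if i > 0:                      # a referral: learn and cache the child delegation
                child = zones[i - 1]
                self.cache[child] = now + TTL["tld" if i == len(zones) - 1 else "zone"]

def simulate(n_resolvers, lookups_each, span_seconds, seed=1):
    """Each resolver performs random .com lookups spread over span_seconds;
    returns the total number of queries per tier, summed over all resolvers."""
    rng = random.Random(seed)
    total = Counter()
    for _ in range(n_resolvers):
        r = Resolver()
        for _ in range(lookups_each):
            name = f"www.site{rng.randrange(500)}.com"   # constructed names
            r.resolve(name, rng.uniform(0, span_seconds))
        total.update(r.queries)
    return total

if __name__ == "__main__":
    # 1000 resolvers x 1000 lookups in one day: the root sees one query per resolver
    print(simulate(1000, 1000, 24 * 3600))
```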
6

Each root server is not actually a single server; they are huge clusters of servers. In addition to this, DNS answers are cached, so not every request reaches the root server.

gevial
3

Note that you do not use the root servers. You usually use the DNS server provided by your Internet Service Provider, which usually can respond immediately if the information you need is in their local cache. Only if it is not cached is their upstream DNS server asked, and only eventually is the root server asked (and that response is then cached).

0

Actually, it's 13 anycast IP addresses which resolve to a lot of servers around the globe. You can look at the link to find those servers if needed. All these servers are managed by the concerned authority.

The reason we are still using only 13 IP addresses (and clusters of servers having the same IP address) is to ensure that the packet size won't go beyond 512 bytes. Then why? We have TCP, which can go beyond this packet size; why can't we use it? The thing is that TCP involves very high overhead, as it includes multiple steps and procedures to establish a TCP connection. Because of this, the entire process of a DNS query would be slow.

Things like DNS can never be slow, and that's why we still use the same old system.

Jaison
  • The answer to a query for `.` no longer fits in 512 bytes. Because IPv6 is now a necessity, the answer has grown to 811 bytes. With EDNS that can be returned in a single response. However queries for `.` are not needed so often that a couple of roundtrips is a showstopper. It is primarily needed for recursors to learn the latest changes to IP addresses of the roots, which rarely change. – kasperd Mar 25 '17 at 16:27
  • @kasperd I am not sure. I checked dig +trace for a normal A record or AAAA record and all responses (from root level servers, top level servers or in nameservers) are under 508 to 509 bytes. Can you explain a little bit more about it? – Jaison Mar 27 '17 at 20:06
  • You need to use EDNS or TCP to get the full response. UDP requests without EDNS can never get a response longer than 512 bytes. – kasperd Mar 27 '17 at 20:11
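The 512-byte figure in this answer and the 811-byte figure in kasperd's comment can both be reproduced by building the root priming response (`. IN NS` with glue) in RFC 1035 wire format, name compression included, and measuring it. This Python is an added example, not code from the thread: with 13 NS records and 13 A glue records it comes to 436 bytes, under the plain-UDP limit; adding AAAA glue and an EDNS OPT record gives the 811 bytes quoted. The glue addresses are zero placeholders, and the TTL and the EDNS payload size (4096) are assumptions; neither affects the size.

```python
import struct

ROOT_SERVERS = [f"{c}.root-servers.net." for c in "abcdefghijklm"]  # the 13 root server names

class DnsMessage:
    """Builds a DNS message in RFC 1035 wire format, with name compression, to measure its size."""

    def __init__(self, qname, qtype):
        self.buf = bytearray(12)           # header (ID, flags, counts); contents irrelevant for sizing
        self.offsets = {}                  # name suffix -> offset of its first occurrence
        self.buf += self.name(qname) + struct.pack("!HH", qtype, 1)   # question, class IN

    def name(self, n):
        """Encode n at the current end of the message; a suffix seen before becomes a pointer."""
        labels = [l for l in n.rstrip(".").split(".") if l]
        out = bytearray()
        while labels:
            suffix = ".".join(labels)
            if suffix in self.offsets:                 # 2-byte pointer replaces the remaining labels
                return bytes(out + struct.pack("!H", 0xC000 | self.offsets[suffix]))
            self.offsets[suffix] = len(self.buf) + len(out)
            out += bytes([len(labels[0])]) + labels[0].encode()
            labels = labels[1:]
        return bytes(out + b"\x00")                    # root label terminates the name

    def add_rr(self, owner, rtype, ttl, rdata=b"", rdname=None, rclass=1):
        self.buf += self.name(owner)
        fixed_at = len(self.buf)
        self.buf += bytes(10)                          # TYPE, CLASS, TTL, RDLENGTH filled in below
        if rdname is not None:
            rdata = self.name(rdname)                  # NS target, compressed against earlier names
        self.buf += rdata
        struct.pack_into("!HHIH", self.buf, fixed_at, rtype, rclass, ttl, len(rdata))

def priming_response_size(with_aaaa=False, edns=False):
    """Size of the '. IN NS' response a resolver uses to learn the root servers' addresses."""
    ttl = 48 * 3600                                    # assumed TTL; the value does not change the size
    m = DnsMessage(".", 2)                             # question: . IN NS
    for s in ROOT_SERVERS:
        m.add_rr(".", 2, ttl, rdname=s)                # 13 NS records in the answer section
    for s in ROOT_SERVERS:
        m.add_rr(s, 1, ttl, rdata=bytes(4))            # A glue; placeholder 0.0.0.0 addresses
    if with_aaaa:
        for s in ROOT_SERVERS:
            m.add_rr(s, 28, ttl, rdata=bytes(16))      # AAAA glue; placeholder :: addresses
    if edns:
        m.add_rr(".", 41, 0, rclass=4096)              # OPT pseudo-RR; CLASS carries the UDP payload size
    return len(m.buf)

def fits_plain_udp(size):
    """Classic DNS over UDP without EDNS is limited to 512-byte messages."""
    return size <= 512
```

Without EDNS a resolver that needs the IPv6 glue falls back to TCP or an extra round trip, which is the trade-off the comment above describes.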