31

In my work with servers I have come across configuration files where you should enter the address of an external server. I have seen some use the server's IP address directly, but I have heard many recommendations to use a hostname (fully qualified domain name, FQDN) instead. Why should I use a hostname instead of the direct IP address?

Because if you use a hostname then you would need a local DNS server that would link each hostname to an IP address. What is the disadvantage of using a hostname versus an IP address?

Peter Mortensen
Emil Rowland
  • 5
    If you have dynamic IPs, it is probably easier to just change the DNS record. And why a local DNS server? Why not just make all machines have publicly resolvable IPs? Another disadvantage of IPs is that, even if they are not dynamic, they probably still depend on physical location, making it harder to migrate to a different location. Basically, it sounds like you are asking why DNS was invented. This question has been answered many times elsewhere. – Janus Troelsen Jul 09 '16 at 12:11
  • 1
    It has always been a recommendation (in RFCs, for example) that on *application* level one only deals with hostnames. However, some applications won't even work unless with IP. Nevertheless, I myself am guilty of often contacting my devices by IP instead of hostname - but that bad habit will certainly end as soon as we have fully migrated to IPv6 :) – Hagen von Eitzen Jul 09 '16 at 16:34
  • Because of course the external server will be securing all communications with SSL, and the SSL certificates will be signed for the FQDN, and your application can't verify the right server if you use the IP address. Right? :| – TessellatingHeckler Jul 09 '16 at 17:18
  • 1
    @HagenvonEitzen Sure you will never, ever, type out `::1`? :-) – user Jul 09 '16 at 18:09

2 Answers

56

Using an IP address ensures that you are not relying on a DNS server. It also has the benefit of preventing attacks through DNS spoofing.

Using a FQDN instead of an IP address means that, if you were to migrate your service to a server with a different IP address, you would be able to simply change the record in DNS rather than try and find everywhere that the IP address is used.

This is especially useful when you have many servers and services configured by multiple individuals.

Joshua Griffiths
  • 1
    Especially if the knowledge of that IP address is external too, like if customers or partners or vendors use it. Imagine if instead of stackoverflow.com, we all went to an IP that we knew as stackoverflow.com, and then they needed to change the IP? How would they tell every single possible user of the site the IP has changed? Hence names. – Brandon Jul 09 '16 at 21:33
  • @Brandon it'd be the same as if they now decided to change from stackoverflow.com to heapunderflow.com. The original benefit of domain names is for humans to remember `stackoverflow.com` instead of `151.101.1.69`. Of course nowadays that also allows virtual hosting, subdomains relating to their parents and other benefits that have arisen from them. – Ángel Jul 09 '16 at 23:40
  • 2
    I think the core of this answer is that an organization owns its FQDN; but may not own its IP address. – Pieter Geerkens Jul 09 '16 at 23:47
  • 1
    Try running HTTPS/Kerberos over IP vs FQDN. – Aron Jul 11 '16 at 07:34
  • This is literally the purpose of DNS. – Lightness Races in Orbit Jul 11 '16 at 10:03
  • "It also has the benefit of preventing attacks through DNS spoofing." or you just use DNSSEC. – womble Jul 18 '16 at 03:18
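Finding every place an address is hard-coded, the migration cost this answer describes, can be automated. The following is an added example, not part of the original answer: it lists IP literals in a config file and skips keys where an address is expected. The config keys, names and addresses are constructed, and the choice of exempt keys is an assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample configuration; keys, names and addresses are placeholders.
SAMPLE_CONFIG = """\
# app.conf
db_host = 203.0.113.20
api_url = https://api.example.com:8443/v1
cache = [2001:db8::5]:6379
drbd_peer = 192.168.1.2
nameserver 198.51.100.53
log_level = info
"""

# Keys where an IP literal is expected: resolver addresses and a
# direct-link peer (hypothetical key names for this sample).
EXPECTED_IP_KEYS = {"nameserver", "drbd_peer"}

def host_of(value):
    """Extract the host part from a URL, host:port, [v6]:port or bare host."""
    target = value if "://" in value else "//" + value
    try:
        return urlsplit(target).hostname
    except ValueError:
        return None

def audit(text):
    """Return (line_no, key, ip) for IP literals outside EXPECTED_IP_KEYS."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts
        host = host_of(value) or value
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # a hostname or a non-address value
        if key not in EXPECTED_IP_KEYS:
            findings.append((no, key, str(ip)))
    return findings

if __name__ == "__main__":
    for no, key, ip in audit(SAMPLE_CONFIG):
        print(f"line {no}: {key} uses IP literal {ip}")
```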
42

DNS is not just FQDN = IP

The important thing about DNS is that it provides more than just A records (hostname = IP). DNS provides different types of records such as MX, CNAME, TXT, etc... that may be required by some software, sometimes. It allows multiple address records, IPv4 + IPv6 records, dynamic addresses, load balancing, geo location based resolution, fail-over/redundancy, etc... DNS tells you what things are (www.google.com is Google's web service; 172.217.4.110? What's that?). It allows you to change these settings/records and have them picked up by clients without making changes on all the clients. DNS can do complex things.

There's often a clear advantage to using DNS over a direct IP address.

FQDNs can be a requirement

Some things like web servers that use name based virtual hosting or load balancers, etc... absolutely require that you address them via an FQDN or hostname. They determine how to respond to your request based on the FQDN that you are connecting to. Connecting via an IP may not work at all.

SSL certificates are issued based on domain names, so you may not be able to use some SSL enabled services (properly) without DNS.

This is a dig query for the google.com domain to give you a glimpse into the complexity of DNS:

```
google.com.             299     IN      A       172.217.0.174
google.com.             299     IN      AAAA    2607:f8b0:400b:807::200e
google.com.             599     IN      MX      10 aspmx.l.google.com.
google.com.             599     IN      MX      40 alt3.aspmx.l.google.com.
google.com.             59      IN      SOA     ns2.google.com. dns-admin.google.com. 126990955 900 900 1800 60
google.com.             599     IN      MX      30 alt2.aspmx.l.google.com.
google.com.             21599   IN      NS      ns2.google.com.
google.com.             599     IN      MX      20 alt1.aspmx.l.google.com.
google.com.             599     IN      MX      50 alt4.aspmx.l.google.com.
google.com.             21599   IN      NS      ns1.google.com.
google.com.             3599    IN      TXT     "v=spf1 include:_spf.google.com ~all"
google.com.             21599   IN      CAA     0 issue "symantec.com"
google.com.             21599   IN      NS      ns3.google.com.
google.com.             21599   IN      NS      ns4.google.com.
```

Yahoo responds with 3 IP addresses:

```
$ host -ta yahoo.ca
yahoo.ca has address 77.238.184.24
yahoo.ca has address 74.6.50.24
yahoo.ca has address 98.137.236.24
```

Advantage of using an IP address

For me it's usually when DNS could get in the way somehow or is not available. Generally, I would use DNS for most things.

One example of where an IP address might be better would be when you have two machines with a direct link between them (no switch) with private network addresses (say 192.168.1.1 and 192.168.1.2) and they are using it for high availability communications or DRBD or another very specific service. In this case, setting up things in DNS probably doesn't make any sense. It's not necessary, would add complexity, performance issues and could introduce a point of failure.

Another example is routing. Routing tables record IP addresses for various reasons.

Another is referencing name servers (like in /etc/resolv.conf), since without a name server, you cannot resolve anything.

Ryan Babchishin
  • This is a great answer, but it should also probably say something about vhosted services as well; IP⟷FQDN is a many-to-many mapping, not many-to-one. – fluffy Jul 09 '16 at 19:07
  • Thanks, and agreed. DNS is very helpful for name based virtual hosting if that's what you're referring to. – Ryan Babchishin Jul 09 '16 at 19:29
  • Yeah, that's what I was referring to. – fluffy Jul 09 '16 at 20:44
  • Great answer that actually gets DNS right - bookmarking for future reference. One minor gripe I have is your comment "Routing tables record IP addresses for various reasons." What are the various reasons to which you refer? Routing tables have no choice but to use IPs because routing happens at the internet layer, whereas DNS uses the application layer and is therefore necessarily dependent on routing. – gardenhead Aug 07 '16 at 18:37
  • @gardenhead Thanks. That's right about routing, I just didn't want to get into it. Forgive my choice of words. – Ryan Babchishin Aug 07 '16 at 19:08
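The point about SSL certificates being issued for domain names can be shown with a simplified model of the name check a TLS client performs. This is an added example, not code from the answer or from any TLS library; the certificate dicts are constructed in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and all names and addresses are placeholders.

```python
import ipaddress

# Constructed certificates; example.com and 192.0.2.10 are placeholders.
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "api.example.com"),
        ("DNS", "*.cdn.example.com"),
    )
}
SAMPLE_CERT_WITH_IP = {
    "subjectAltName": SAMPLE_CERT["subjectAltName"] + (("IP Address", "192.0.2.10"),)
}

def _dns_name_matches(pattern, hostname):
    """Case-insensitive match; '*' may only stand for the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels so '*.com' never matches.
        return len(p_labels) >= 3 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_matches(cert, reference):
    """Return True if the address written in the client config is named by the cert."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only against iPAddress entries, never DNS ones.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_name_matches(value, reference)
               for kind, value in sans)

if __name__ == "__main__":
    for ref in ("api.example.com", "192.0.2.10"):
        print(ref, cert_matches(SAMPLE_CERT, ref))
```

A client configured with the IP address only verifies when the certificate carries a matching IP entry, as `SAMPLE_CERT_WITH_IP` does.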