Tag Archives: DNS

Easy guide for checking DNS propagation.

You make some urgent modifications to your DNS records. An hour later, your boss calls you, complaining that the changes are not visible. There are two possibilities. You get very nervous, not understanding what is wrong. Or you know exactly what DNS propagation is, so you can confidently tell your boss that he has to be patient and wait for the process to complete.

For online business owners and administrators, DNS propagation can be a cause of constant headaches. Or not, if you learn how it works. That’s why we prepared this easy guide to understanding and checking the DNS propagation process.

What is DNS propagation?

Your DNS infrastructure requires daily maintenance and changes every time you plan strategic moves for your business. Executing those tasks directly involves adding, removing, or editing different DNS records.

In that context, DNS propagation is the process that takes every change you make and spreads it across your whole DNS network.

Changes to DNS records are made and stored directly on the authoritative DNS nameserver. But a DNS network involves not a single server but many more (the DNS recursive servers), usually distributed globally. If they don’t have the latest update, they will keep serving the previous one (stored in their cache) until the DNS records’ time-to-live (TTL) values expire.

For all clients worldwide to get the newest update, the spread of the DNS update must reach every server on the whole network. Only then is DNS propagation complete. Remember that DNS recursive servers are the ones that take your clients’ requests and search for the answers. Therefore, the service they give your clients is affected if they are not up to date.

This is the answer for your impatient boss! Changes to DNS records will not necessarily propagate at light speed. Actually, different factors can intervene, making the process faster or slower. A common reference figure for the time DNS propagation can take is up to 72 hours. It can be a lot less, or even more.

And if your boss doesn’t believe you, no worries: you can get evidence to support your words. You can check how DNS propagation is going!

Easy guide for checking DNS propagation.

Here you have three alternatives. Choose based on your operating system (OS) or preference.

Linux and macOS users, here you have:

Try the Dig command. 

First, open your Terminal, and then type the command: dig domainname*.com*

A lookup for A or AAAA records will be triggered. As a result, you will see the IPs of your website. Have they changed or not yet? If they have changed, DNS propagation already succeeded. If they haven’t, it should still be on its way.

*Type your domain name and corresponding TLD instead of those in the example.

Windows 10 users.

Open the Command Prompt.

Once there, you can use Nslookup on your domain name. Just type: nslookup domainname*.com*

Again, the lookup result will point out if your website’s IP addresses have changed or not.

*Type your domain name and corresponding TLD instead of those in the example.

Online DNS propagation checkers.

There are online tools that perform DNS lookups against resolvers located in different countries. Through them, you can check whether the DNS changes you made have already reached those resolvers.
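The same comparison the online checkers do can be scripted: collect the answer a few resolvers give for your name, compare each against the new record set, and read the remaining TTL to see how long a stale resolver can keep serving the old answer. This is an added example, not code from the original post; the dig output embedded below is constructed for the demonstration, not a real capture.

```python
import re

# Constructed dig output from three resolvers queried right after an A record
# change (hypothetical data, not a real capture). Only the answer lines matter.
DIG_OUTPUT = {
    "resolver-a": """;; ANSWER SECTION:
example.com.\t300\tIN\tA\t203.0.113.10
""",
    "resolver-b": """;; ANSWER SECTION:
example.com.\t2713\tIN\tA\t198.51.100.7
""",
    "resolver-c": """;; ANSWER SECTION:
example.com.\t120\tIN\tA\t203.0.113.10
example.com.\t120\tIN\tAAAA\t2001:db8::10
""",
}

# name  ttl  IN  type  rdata  (the layout dig uses for answer lines)
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA)\s+(\S+)$")

def parse_answers(output):
    """Return [(type, ttl, address)] for every A/AAAA answer line in dig output."""
    records = []
    for line in output.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:                                  # comment lines (";;") never match
            records.append((m.group(3), int(m.group(2)), m.group(4)))
    return records

def propagation_report(outputs, expected_a):
    """Per resolver: 'propagated' if its A records equal the new set, otherwise
    'stale' with the longest remaining TTL (seconds until it must re-query)."""
    report = {}
    for resolver, output in outputs.items():
        recs = parse_answers(output)
        a_addrs = {addr for rtype, _, addr in recs if rtype == "A"}
        if a_addrs == set(expected_a):
            report[resolver] = ("propagated", 0)
        else:
            report[resolver] = ("stale", max((ttl for _, ttl, _ in recs), default=0))
    return report

def seconds_until_complete(report):
    """Worst case: the largest TTL any stale resolver still has to serve."""
    return max((ttl for state, ttl in report.values() if state == "stale"), default=0)

if __name__ == "__main__":
    rep = propagation_report(DIG_OUTPUT, ["203.0.113.10"])
    for resolver, (state, ttl) in rep.items():
        print(f"{resolver}: {state}" + (f" (up to {ttl}s left)" if ttl else ""))
    print("complete" if seconds_until_complete(rep) == 0 else "still propagating")
```

A resolver that still serves the old address with a TTL of 2713 seconds cannot pick up the change sooner than that, which is the kind of number you can show your boss.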

Conclusion.

DNS propagation is needed after every modification you make to DNS records: routing e-mail, changing TTL values on records, redirecting clients to subdomains, and so on. Go deeper into how it works to learn how to influence it in your favor!

SPF record – What is it?

SPF record explained.

SPF record stands for Sender Policy Framework record. It is a DNS (Domain Name System) record that specifies essential information for a domain name: it points to the outgoing mail servers that are responsible for the particular domain. The MX (Mail eXchanger) record shows which email servers are responsible for the incoming emails of the domain. The SPF record, on the other hand, indicates which email servers are qualified to send emails on behalf of the domain name.

Let’s say you want to send an email to James@example.com. First, the incoming mail servers of example.com are going to check your domain name. Then, they look for its SPF record and follow the rules set by it. Your email is going to be received successfully only if the SPF record is present. Otherwise, your email could end up in the SPAM folder of your recipient.

How does it work?

With SPF records, domain owners can publish a public list of all their authorized senders, which are the outgoing mail servers and their IP addresses. Thanks to that list, servers that receive emails can verify whether a message was delivered from a server authorized to communicate on your company’s behalf. If the message does not come from one of the servers included in the list, the receiving server will consider it fake.

Establishing rules with SPF record

The rules are based on two main groups: the qualifiers and the mechanisms of the SPF record.

The SPF qualifiers are:

  • “-” The minus symbol indicates FAIL. It signals that messages matching the mechanism must be rejected.
  • “~” The tilde symbol indicates SOFT FAIL. The signal here is that a matching message should be tagged as failed, although it can still be accepted.
  • “?” The question mark symbol indicates NEUTRAL. The signal in this case is that no policy applies (none).
  • “+” The plus symbol indicates PASS. Matching messages are signaled as ones that should be accepted.

The SPF mechanisms are:

  • “all” – Matches everything; any mechanisms listed after it are ignored.
  • “include” – Gives you the opportunity to include other domains whose mail servers are allowed to send emails for the domain. You can unite example.it, example.co.uk, and example.de to send from example.com.
  • “a” – When you pick it, the A or AAAA records must match the return path for emails to be allowed.
  • “mx” – When you select it, an MX query must be completed and match the return path. If there is a match, the email is allowed.
  • “ptr” – When you select it, a PTR query must be completed and match the return path. The email is allowed only if they match.
  • “ip4” – This reviews only IPv4 addresses (A records) to check whether they correspond to the domain.
  • “ip6” – This reviews only IPv6 addresses (AAAA records) to check whether the IP addresses match the domain.
  • “exists” – This is for more complex queries.
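The qualifiers and mechanisms above combine into a left-to-right evaluation: the first mechanism that matches the sending IP decides the result through its qualifier. The following evaluator, an added example and not code from the original post, walks the record that way for the ip4, ip6, a, mx, include and all mechanisms (ip4 and ip6 take a literal address or CIDR range). The zone data in the DNS table is constructed for the demonstration and stands in for live lookups; ptr and exists are left out.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (hypothetical zones).
DNS = {
    "TXT": {
        "example.com": "v=spf1 ip4:192.0.2.0/24 a mx include:example.net -all",
        "example.net": "v=spf1 ip6:2001:db8::/32 ~all",
        "example.org": "v=spf1 ?ip4:10.0.0.0/8 -all",
    },
    "A":  {"example.com": ["203.0.113.5"], "mail.example.com": ["203.0.113.25"]},
    "MX": {"example.com": ["mail.example.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for a sending IP.
    Mechanisms are tested left to right; the first match decides the result
    via its qualifier ("+" is implied when none is written)."""
    if depth > 10:                         # guard against include: loops
        return "permerror"
    record = DNS["TXT"].get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                      # no SPF policy published
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):       # literal address or CIDR range
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":                  # sender IP among the A records
            matched = str(addr) in DNS["A"].get(arg or domain, [])
        elif mech == "mx":                 # sender IP among the MX hosts' A records
            matched = any(str(addr) in DNS["A"].get(mx, [])
                          for mx in DNS["MX"].get(arg or domain, []))
        elif mech == "include":            # recurse; only a "pass" counts as a match
            matched = check_host(ip, arg, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                       # ran off the end without a match
```

Note that an include whose own record ends in ~all does not make the outer record soft-fail; only a pass inside the included domain counts, and the outer -all still rejects everything else.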

DNS resolution – overview

Have you ever wondered how you can access a website on the Internet so easily and so fast?

If you are curious about how this magic happens, DNS resolution is the clue you need to follow.

What is DNS resolution?

Domain name system (DNS) resolution is the process of translating the domain name you type into your browser into the corresponding IP address of that domain. Without the IP address, the domain you search for can’t be located and loaded.

A domain name can have more than one IP address. For instance, it can have one IPv4 and one IPv6. During the DNS resolution, both will be requested. Or it can have multiple IPv4 (or IPv6) addresses, and when the DNS resolution process gets triggered, it will be enough to get one of those addresses to serve the domain.

The need for this translation emerged decades ago. When the Internet was young, hosts were found by their IP addresses, which were stored in a manually updated hosts file. Humans could still memorize those numbers (example: 230.115.1.16), but it was not simple. Still, searching this way was possible because there were far fewer devices than today.

The Internet succeeded, domains multiplied, and using IP addresses became really hard for humans. Therefore, the domain name system (DNS) was created (1983). Instead of using a manually updated hosts file with IP addresses, humans could type a name like todaynews.com.

So, IP addresses are used by machines, and domain names by humans.

How does DNS resolution work?

Fasten your seatbelt, because we are about to get inside the big DNS machinery, and the trip will take milliseconds!

Everything starts when a user requests a domain name (todaynews.com) in the browser. DNS resolution is triggered! The domain name has to be translated into its associated IP address for the site to be loaded. The request is taken by the expert searcher of IP addresses: a DNS recursive server.

If it’s not the first time the user visits this domain, there’s a chance that the DNS recursive server still has it in its cache. The servers’ cache works with a specific TTL (time-to-live) value that establishes how long the data is stored. Once the TTL expires, a fresh lookup replaces the previously stored data. So, if the DNS recursive server has the IP address, the process lasts the blink of an eye: the translation happens immediately, and the requested domain (todaynews.com) is loaded.

But if it’s the first time this domain is requested, or if its IP address is no longer in the recursive server’s cache, it will have to ask other servers for it.

First, the DNS recursive server asks a Root server. The Root server checks the TLD (top-level domain) of the requested domain (.com in our example) and points the DNS recursive server to the corresponding TLD server for that domain. Both servers then communicate, and the TLD server points to the right authoritative nameserver, so the recursive server can request the IP address there.

The recursive server reaches the authoritative one, and the latter provides the IP address. The user’s request is finally answered by properly loading todaynews.com. The DNS recursive server stores the IP address in its cache.

Conclusion.

We are very used to the web, and sometimes we take it for granted. But behind every search, there’s a massive process taking place to load your domain, or for you to access that e-shop, news site, social network, etc. And the complete DNS resolution process happens in milliseconds! Amazing, isn’t it?

What does DNS cache mean?

The Domain Name System (DNS) is a keystone for the Internet to work as well and as easily as it does for users. But being vital means it is always busy, in high demand, and sometimes even stressed.

To balance this without risking the important mission DNS has, different mechanisms and technologies have been developed to make some tasks easier. The objective is to reduce the work for the system and the devices, and to speed up the answers to users’ requests.

And that is the case with DNS cache!

What does DNS cache mean?

The DNS cache, or DNS resolver cache, is the temporary memory in which DNS recursive servers (resolvers) and devices like your computer or mobile save the DNS records of the domain names you have already requested.

Those DNS records include the IP addresses of domain names and subdomains (A for IPv4 addresses and AAAA for IPv6), and records related to their verification, authentication, mail servers, etc. They remain in the DNS cache only for the time their TTL (time-to-live) establishes, not permanently.

In short, it is a mechanism to avoid repeating a DNS lookup to obtain the IP address needed to load a domain name every time a user requests it. Otherwise, multiple DNS lookups would be needed to serve the same domain name.

Think about the time and effort that can be saved if that information remains handy for a while. The answer to the users’ requests can be executed faster and resources better optimized.

How does it work?

Simply put, the operating system (OS) keeps a temporary database in the memory of the server or other device.

Then, a user requests a domain name for the first time. The DNS resolution process is triggered. The user’s browser sends the request, and a DNS resolver server takes it to look for the corresponding IP address.

This search starts with the resolver asking the root server, which points to the TLD server for the requested domain. The resolver then asks that TLD server, which answers by pointing to the authoritative name server in charge of the requested domain. The latter provides the IP address to the resolver. Finally, the resolver answers the user’s request by sending the corresponding IP address, so the domain can be served and visited by the user.

Together with other DNS records of the domain, this IP address is saved in the database we mentioned (the cache), both in the resolver’s cache and in the device’s cache. The next time the user requests the same domain name, loading it will be faster and easier: a new DNS lookup won’t be needed because the information will be found directly in the DNS cache.

This happens with every domain requested. Based on the TTL value set on each DNS record, records remain available in the cache for a shorter or longer time. Once the TTL expires, a new lookup occurs if the domain is requested again, and its results are kept in the cache.
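The walk from root to TLD to authoritative server described in the DNS resolution post, and the TTL-bounded cache described in the steps above, fit in one small simulation. This is an added example, not code from the original posts: the server names, the referral chain and the address for todaynews.com are constructed, and the resolver takes an injectable clock so TTL expiry can be shown without waiting 300 seconds.

```python
import time

# Constructed referral chain: which server knows what (hypothetical names/IPs).
# "referral:<server>" sends the resolver on; "answer:<ip>:<ttl>" is the final reply.
SERVERS = {
    "root":               {"com.": "referral:a.gtld.example"},
    "a.gtld.example":     {"todaynews.com.": "referral:ns1.todaynews.com."},
    "ns1.todaynews.com.": {"todaynews.com.": "answer:203.0.113.20:300"},
}

def query(server, name):
    """One round trip: a server answers for the longest suffix of name it holds."""
    for suffix, value in sorted(SERVERS[server].items(), key=lambda kv: -len(kv[0])):
        if name == suffix or name.endswith("." + suffix):
            kind, _, rest = value.partition(":")
            if kind == "referral":
                return ("referral", rest)
            ip, _, ttl = rest.partition(":")
            return ("answer", ip, int(ttl))
    raise LookupError(f"{server} knows nothing about {name}")

class Resolver:
    """A recursive resolver with a TTL-bounded cache; the clock is injectable
    so TTL expiry can be demonstrated without waiting."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.cache = {}          # name -> (ip, expires_at)

    def resolve(self, name):
        """Return (ip, source, servers_asked) for a fully-qualified name."""
        now = self.clock()
        if name in self.cache and self.cache[name][1] > now:
            return self.cache[name][0], "cache", []      # no lookup needed
        asked, server = [], "root"
        while True:              # iterative walk: root -> TLD -> authoritative
            asked.append(server)
            reply = query(server, name)
            if reply[0] == "referral":
                server = reply[1]
                continue
            _, ip, ttl = reply
            self.cache[name] = (ip, now + ttl)   # remember only for TTL seconds
            return ip, "authoritative", asked

if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("todaynews.com."))   # three servers asked
    print(r.resolve("todaynews.com."))   # served from cache, none asked
```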

What is DNS cache poisoning?

Unfortunately, cybercriminals know very well how useful the DNS cache is, and they have found a way to take advantage of its functionality.

A DNS cache can be poisoned by inserting forged IP addresses or domain names into it in order to direct users to dangerous destinations, usually malicious websites.

The DNS cache can get corrupted due to technical issues or administrative errors, but sometimes its corruption means criminal activity is in progress. You can clear the cache regularly to prevent this risk.

What is a DNS outage?

Imagine this. You are the owner of a large e-commerce site. It is Black Friday, the biggest online promotion you have, and you are eager to see how the site is doing. You type your domain name into your browser and… “Oh no!” “It is not opening. This is a disaster!” What is going on? You are experiencing a DNS outage that might completely devastate your promotion!

So, what is this DNS outage?

A DNS outage is the time when your DNS is not functioning for some reason (your nameservers were attacked, or they were saturated with too much traffic, etc.), which prevents the resolution of your domain name to its IP address. DNS resolution is the first step in entering a site. Without it, the browser won’t know where your website is hosted and can’t find its content.

All the visitors trying to resolve your domain will get an error message and won’t be able to access your site.

In simple terms:
A DNS outage is when your potential visitors enter your site name (domain name) into their browser and are not directed to its IP address.

Why is it bad?

If the DNS is down, nobody will be able to visit your site, and all the services related to the domain name, like email, won’t function correctly. You will need to get it up and running again to get back all the temporarily lost functionality.

During this time, you can:

  • Miss potential visitors.
  • Lose potential sales.
  • Have problems with services like email, FTP, VoIP, etc.
  • And more.

What causes a DNS outage?

  • Human error. Don’t be surprised: most mistakes in tech are human errors. For example, somebody didn’t configure the DNS records properly, or somebody performed a DNS migration badly, and so on. There are plenty of problems that could cause it.
  • Hardware problems. If you are using your own server for DNS, any hardware failure could bring your server down, along with all the services it provides. That is the risk of having your own server.
  • DDoS attack. A Distributed Denial of Service attack is targeted traffic sent your way with the purpose of taking your server or servers out of service. There have been plenty of DDoS attacks in recent years, and their popularity is only increasing. They are getting stronger too, so the future does not look very rosy in this respect.

Could I have prevented the DNS outage?

Of course you could have prevented the DNS outage, and there are different measures you can take to prevent future DNS downtime:

  • Secondary DNS. The easiest solution, which could save you in most cases, is to use a secondary DNS service, preferably with another DNS provider. Secondary DNS gives you additional authoritative DNS servers that can still respond to queries even if the primary DNS is down. The more, the better.
  • DDoS protection. Many times, when you experience a problem with your domain name, the reason is a DDoS attack. Unfortunately, those traffic attacks have become cheap, and it is common for cybercriminals, sometimes paid by your competitors, to bring down your domain. Get DDoS protection for your DNS servers so that they can resist heavy traffic.
  • Load balancing. You can organize your nameservers to use a load balancing method and distribute the traffic among them. That way, you can be sure the weight is not falling on only one of them. Spreading heavy traffic will improve the performance and the resilience of your DNS network.