Cloud Computing Tech


Tuesday, August 7, 2018

August 07, 2018

DNS Root Servers - The Most Critical Infrastructure On The Internet

What is a DNS root server?


The administration of the Domain Name System (DNS) is structured in a hierarchy using different managed areas or “zones”, with the root zone at the very top of that hierarchy. Root servers are DNS nameservers that operate in the root zone. These servers can directly answer queries for records stored or cached within the root zone, and they can also refer other requests to the appropriate Top Level Domain (TLD) server. The TLD servers are the DNS server group one step below root servers in the DNS hierarchy, and they are an integral part of resolving DNS queries.

[Figure: DNS hierarchy]
During an uncached DNS query, whenever a user enters a web address into their browser, that action triggers a DNS lookup, and all DNS lookups start at the root zone. Once the lookup hits the root zone, it travels down the DNS hierarchy, first hitting the TLD servers, then the servers for specific domains (and possibly subdomains), until it finally reaches the authoritative nameserver for the correct domain, which holds the numerical IP address of the website being sought. This IP address is then returned to the client. Despite the number of steps required, this process can happen very quickly.
Root servers are an essential part of the infrastructure of the Internet; web browsers and many other Internet tools would not work without them. There are 13 different IP addresses that serve the DNS root zone, and hundreds of redundant root servers exist around the globe to handle requests to the root zone.
Why are there only 13 DNS root server addresses?
A common misconception is that there are only 13 root servers in the world. In reality there are many more, but still only 13 IP addresses used to query the different root server networks. Limitations in the original architecture of DNS require there to be a maximum of 13 server addresses in the root zone. In the early days of the internet, there was only one server for each of the 13 IP addresses, most of which were located in the United States.
Today each of the 13 IP addresses has several servers, which use Anycast routing to distribute requests based on load and proximity. Right now there are over 600 different DNS root servers distributed across every populated continent on earth.
Who Has Authority Over DNS Root Servers?
Ultimate authority over the root zone belongs to the National Telecommunications and Information Administration (NTIA), which is a part of the US Department of Commerce. The NTIA delegates management of the root zone to the Internet Corporation for Assigned Names and Numbers (ICANN).

ICANN operates servers for one of the 13 IP addresses in the root zone and delegates operation of the other 12 IP addresses to various organizations including NASA, the University of Maryland, and Verisign, which is the only organization that operates two of the root IP addresses. Cloudflare also helps provide DNS Anycast services to one of the root servers, known as the F-Root; Cloudflare supplies additional F-Root instances under contract with ISC (the F-Root operator).
How do resolvers find DNS root servers?
Since the DNS root zone is at the top of the DNS hierarchy, recursive resolvers cannot be referred to it by another server during a DNS lookup. Because of this, every DNS resolver has a list of the 13 root server IP addresses built into its software. Whenever a DNS lookup is initiated, the recursor’s first communication is with one of those 13 IP addresses.
What happens if a DNS root server becomes unavailable?
Thanks to the use of Anycast routing and heavy redundancy, the root servers are very reliable. But on rare occasions a root server will have to update its IP address. In this case, recursive resolvers can continue using the other 12 IP addresses in the root zone to perform DNS lookups until their software is updated with the correct addresses of all 13 servers. Since all the root servers are able to forward DNS requests to TLD servers, there is no disruption to the normal operations of the Internet when one root server is down.
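The walk down the hierarchy described in this post, as an added simulation that is not part of the original post: a resolver starts from its built-in root list, skips a root address that does not answer, follows referrals to the TLD and authoritative servers, and can optionally send each server only the labels it needs (the query name minimization the 1.1.1.1 post further down mentions). All server labels, zone contents and addresses are constructed for the simulation.

```python
# Added example, not from the original post: a simulated iterative lookup over
# a constructed delegation tree (root -> TLD -> authoritative). Server labels,
# names and addresses are made up for the simulation.
from typing import Optional, Tuple

# Constructed zones. An "NS" entry is a referral to the next server down the
# hierarchy; an "A" entry is the final answer.
ROOT_ZONE = {"com.": ("NS", "tld-com-server")}
TLD_COM_ZONE = {"example.com.": ("NS", "auth-example-server")}
AUTH_EXAMPLE_ZONE = {"www.example.com.": ("A", "203.0.113.10")}

SERVERS = {
    "root-a": ROOT_ZONE,
    "root-b": None,              # a root address that no longer answers
    "root-c": ROOT_ZONE,
    "tld-com-server": TLD_COM_ZONE,
    "auth-example-server": AUTH_EXAMPLE_ZONE,
}

# The resolver's built-in list of root addresses (the real one has 13).
ROOT_HINTS = ["root-b", "root-a", "root-c"]


def query(server: str, qname: str) -> Optional[Tuple[str, str]]:
    """Ask one server about qname. Returns ("A", ip), ("NS", next_server),
    or None when the server is unreachable or knows nothing relevant."""
    zone = SERVERS.get(server)
    if zone is None:
        return None
    labels = qname.rstrip(".").split(".")
    # Match the longest suffix of qname the server has a record for.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:]) + "."
        if suffix in zone:
            return zone[suffix]
    return None


def resolve(qname: str, minimize: bool = False):
    """Walk the hierarchy from the root hints down to the authoritative server.
    Returns (ip_or_None, trace), where trace lists (server, name_sent) so you
    can see what each server learned. With minimize=True the resolver reveals
    one more label per step (query name minimization) instead of the full name."""
    labels = qname.rstrip(".").split(".")
    trace, servers, depth = [], ROOT_HINTS, 1
    for _ in range(10):                       # hop limit guards against loops
        sent = ".".join(labels[-depth:]) + "." if minimize else qname
        result = None
        for server in servers:                # skip addresses that don't answer
            result = query(server, sent)
            if result is not None:
                trace.append((server, sent))
                break
        if result is None:
            return None, trace
        rtype, data = result
        if rtype == "A":
            return data, trace
        servers, depth = [data], depth + 1    # follow the referral
    return None, trace
```

With `minimize=True` the root server only ever sees `com.`, which is the privacy gain the later post describes.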
August 07, 2018

What Is a DNS Zone And How Does It Work?

What is a DNS zone?


The DNS is broken up into many different zones. These zones differentiate between distinctly managed areas in the DNS namespace. A DNS zone is a portion of the DNS namespace that is managed by a specific organization or administrator. A DNS zone is an administrative space which allows for more granular control of DNS components, such as authoritative nameservers. The domain name space is a hierarchical tree, with the DNS root domain at the top. A DNS zone starts at a domain within the tree and can also extend down into subdomains so that multiple subdomains can be managed by one entity.

A common mistake is to associate a DNS zone with a domain name or a single DNS server. In fact, a DNS zone can contain multiple subdomains, and multiple zones can exist on the same server. DNS zones are not necessarily physically separated from one another; zones are strictly used for delegating control.
For example, imagine a hypothetical zone for the cloudflare.com domain and three of its subdomains: support.cloudflare.com, community.cloudflare.com, and blog.cloudflare.com. Suppose the blog is a robust, independent site that needs separate administration, but the support and community pages are more closely associated with cloudflare.com and can be managed in the same zone as the primary domain. In this case, cloudflare.com as well as the support and community sites would all be in one zone, while blog.cloudflare.com would exist in its own zone.
[Figure: DNS zone]
All of the information for a zone is stored in what’s called a DNS zone file, which is the key to understanding how a DNS zone operates.
What is a DNS zone file?
A zone file is a plain text file stored in a DNS server that contains an actual representation of the zone and contains all the records for every domain within the zone. Zone files must always start with a Start of Authority (SOA) record, which contains important information including contact information for the zone administrator.
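An added example (not part of the original post): a minimal parser for the zone-file format just described. It joins the parenthesised SOA continuation lines, strips comments, qualifies relative names against $ORIGIN, and enforces the rule that the SOA record comes first; the zone text is constructed for a made-up domain, and the 3600-second fallback TTL is an assumption.

```python
# Added example, not from the original post: a small parser for the zone-file
# format described above, including the rule that the SOA record comes first.
# The zone text below is constructed for a made-up domain.
from typing import Dict, List

ZONE_TEXT = """\
$ORIGIN example.com.
$TTL 3600
@       IN  SOA  ns1.example.com. hostmaster.example.com. (
                 2018080701 ; serial
                 7200       ; refresh
                 900        ; retry
                 1209600    ; expire
                 300 )      ; minimum
        IN  NS   ns1.example.com.
ns1     IN  A    203.0.113.1
www 300 IN  A    203.0.113.10
blog    IN  CNAME www
@       IN  MX   10 mail
"""


def logical_lines(text: str) -> List[str]:
    """Strip ';' comments and join '( ... )' continuation lines into one line."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            joined = " ".join(buf)
            if joined.strip():
                out.append(joined)
            buf = []
    return out


def qualify(name: str, origin: str) -> str:
    """Make a relative name absolute: '@' is the origin, 'www' -> 'www.<origin>'."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str) -> List[Dict]:
    """Return records as dicts with name, ttl, type and data fields.
    Raises ValueError if the first record is not the SOA."""
    origin, default_ttl, last_owner, records = ".", 3600, ".", []
    for line in logical_lines(text):
        fields = line.split()
        if fields[0] in ("$ORIGIN", "$TTL"):
            if fields[0] == "$ORIGIN":
                origin = fields[1]
            else:
                default_ttl = int(fields[1])
            continue
        # A leading blank means "same owner as the previous record".
        owner = last_owner if line[0].isspace() else qualify(fields.pop(0), origin)
        last_owner, ttl = owner, default_ttl
        for _ in range(2):                    # TTL and class may come in either order
            if fields[0].isdigit():
                ttl = int(fields.pop(0))
            elif fields[0] == "IN":
                fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        if not records and rtype != "SOA":
            raise ValueError("zone file must start with the SOA record")
        if rtype in ("NS", "CNAME"):          # qualify relative target names
            rdata[0] = qualify(rdata[0], origin)
        elif rtype == "MX":
            rdata[1] = qualify(rdata[1], origin)
        records.append({"name": owner, "ttl": ttl, "type": rtype, "data": rdata})
    return records
```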
What is a Reverse Lookup Zone?

A reverse lookup zone contains mapping from an IP address to the host (the opposite function of most DNS zones). These zones are used for troubleshooting, spam filtering, and bot detection.
August 07, 2018

Everything You Need To Know About DDNS and How It Works


Dynamic DNS can help ensure that DNS queries work even if the web service being sought has recently switched IP addresses.

What is dynamic DNS (DDNS)?

Many web properties, such as APIs or websites, run on internet connections that have their IP addresses changed frequently; this creates a problem if the operators of those properties want to give a hosted resource a specific domain name, which must then store an IP address in Domain Name System (DNS) records. Dynamic DNS (DDNS) is a service that keeps the DNS updated with a web property’s correct IP address, even if that IP address is constantly being updated.

For example, if a web administrator is operating a small website with a domain name of www.example.com and an IP address of 1.2.3.4.5.6, anytime another user enters www.example.com into their browser, the DNS will direct them to the server at 1.2.3.4.5.6. If the admin’s ISP dynamically changes the IP to 1.2.3.4.5.7, a dynamic DNS service can automatically update the admin’s DNS records so that other users trying to visit www.example.com will now go to the correct IP address.

Why do some IP addresses change?

In the early days of the Internet, IP addresses rarely changed, which made management of domains a lot simpler. But the rapid growth of the web and home computers with Internet access created a shortage of available IP addresses. This led to the Dynamic Host Configuration Protocol (DHCP), which lets ISPs assign IPs to their users dynamically. ISPs will typically maintain a shared pool of IP addresses and assign or “lease” them to users as needed, for the duration of their connection or until a maximum amount of time has been reached. Although the introduction of IPv6 alleviated the IP address shortage, ISPs still often use DHCP because it is more cost-efficient than providing static IPs.
Large enterprises that run major web services require their ISPs to give them unchanging or “static” IP addresses so they can operate using standard DNS practices. In contrast, smaller services tend to see their IP addresses changed by their ISPs quite frequently, so they require a dynamic DNS solution to keep their DNS records up to date. These smaller services can include small business websites, personal websites, DVRs, and security cameras.

How does dynamic DNS work?

There are a number of companies that offer dynamic DNS services with varying features and technologies. One very common method of enabling dynamic DNS is to provide users with software that runs on their computer or router. This software contacts the dynamic DNS service provider whenever the IP address assigned by the ISP changes, and the provider in turn updates the DNS with that change, providing almost instant updates.
August 07, 2018

What is reverse DNS and why should you care?

A reverse DNS lookup takes an IP address and returns the domain name associated with that IP. A traditional DNS lookup does just the opposite.


What is reverse DNS?

A reverse DNS lookup is a DNS query for the domain name associated with a given IP address. This accomplishes the opposite of the more-commonly-used forward DNS lookup, in which the DNS system is queried to return an IP address.
[Figure: reverse DNS]
There are standards from the Internet Engineering Task Force (IETF) suggesting that every domain should be capable of reverse DNS lookup, but as reverse lookups are not critical to the normal function of the internet, they are not a hard requirement. As such, reverse DNS lookups are not universally adopted.
What are reverse DNS lookups used for?
Reverse lookups are very commonly used by email servers. Many email servers will reject messages from any server that does not support reverse lookups. This is because spammers typically use invalid IPs, so these email servers check and see if the message came from a valid server before bringing it onto their network.
It’s also common for logging software to employ reverse lookups in order to provide users with human-readable domains in their log data as opposed to a bunch of numeric IP addresses.
How does reverse DNS work?

Reverse DNS lookups query DNS servers for a PTR (pointer) record; if the server does not have a PTR record, it cannot resolve a reverse lookup. PTR records store IP addresses with their segments reversed, and they append ‘.in-addr.arpa’ to that. For example if a domain has an IP address of 1.2.3.4, the PTR record will store that information as 4.3.2.1.in-addr.arpa.
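An added example (not from the original post) that builds the PTR owner name the way the text describes and applies it to the mail-server check from the previous section: a connecting IP with no PTR record is the case those servers reject, and a PTR whose name does not resolve back to the same IP is flagged as unconfirmed. The PTR and forward tables are constructed, and the IPv6 branch (reversed nibbles under ip6.arpa) goes beyond the text's IPv4 example.

```python
# Added example, not from the original post: the PTR owner name built the way
# the text describes (octets reversed, then ".in-addr.arpa") and the check a
# mail server can make with it. IPv6 support (reversed nibbles under
# ".ip6.arpa") goes beyond the text's IPv4 case. All records are constructed.
import ipaddress
from typing import Optional


def ptr_name(ip: str) -> str:
    """1.2.3.4 -> 4.3.2.1.in-addr.arpa ; 2001:db8::1 -> 1.0.0.(...).2.ip6.arpa"""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")      # 32 zero-padded hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


# Constructed PTR records (keyed by reverse name) and forward A records.
PTR_RECORDS = {
    "4.3.2.1.in-addr.arpa": "mail.example.com.",
    "9.3.2.1.in-addr.arpa": "mail.example.com.",    # claims a name it does not own
    "25.113.0.203.in-addr.arpa": "mx.other.example.",
}
FORWARD_RECORDS = {
    "mail.example.com.": ["1.2.3.4"],
    "mx.other.example.": ["203.0.113.26"],          # resolves to a different IP
}


def reverse_lookup(ip: str) -> Optional[str]:
    """Return the hostname the PTR record names, or None if there is no PTR."""
    return PTR_RECORDS.get(ptr_name(ip))


def classify_sender(ip: str) -> str:
    """How a cautious mail server can treat a connecting IP:
    'no-ptr'      - no PTR record at all (the rejection case in the text)
    'unconfirmed' - a PTR exists but its name does not resolve back to the IP
    'confirmed'   - the PTR name's A record contains the IP"""
    host = reverse_lookup(ip)
    if host is None:
        return "no-ptr"
    return "confirmed" if ip in FORWARD_RECORDS.get(host, []) else "unconfirmed"
```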
August 07, 2018

What is round robin DNS? Everything You Need To Know

Round-robin DNS is a load balancing technique that involves using several different IP addresses for a single domain name.


What is round-robin DNS?

Round-robin DNS is a load balancing technique where the balancing is done by a type of DNS server called an authoritative nameserver, rather than using a dedicated piece of load-balancing hardware. Round-robin DNS can be used when a website or service has its content hosted on several redundant web servers; when the DNS authoritative nameserver is queried for an IP address, the server hands out a different address each time, operating on a rotation. This is particularly useful when the redundant web servers are geographically separated, making traditional load-balancing difficult. Round-robin is known for its ease of implementation, but it also has strong drawbacks.
A DNS server with round-robin enabled will have multiple different A records, each with the same domain name but a different IP address. Each time the DNS server is queried, it moves the IP address it most recently responded with to the back of the queue, operating on a loop. The IP addresses in a round-robin DNS server are like baseball players in a batting lineup: each one gets a turn and then is moved to the back of the line.

What are the drawbacks of Round-Robin DNS?

The round-robin method doesn’t always provide evenly distributed load balancing because of both DNS caching and client-side caching. If a user makes a DNS query to a particularly high-traffic recursive resolver for a particular website, that resolver will cache the website’s IP, potentially sending a heavy amount of traffic to that one IP.
Another drawback is that round-robin cannot be depended upon for site reliability; if one of the servers goes down, the DNS server will still keep that server’s IP in the round-robin rotation. So if there are 6 servers and one is taken offline, one in six users will be denied service. In addition, round-robin DNS does not account for server load, transaction time, geographical distance, and other factors that traditional load balancing can be configured for.

Some advanced round-robin services have methods to overcome a few of the drawbacks, such as the ability to detect unresponsive servers and take them out of the round-robin rotation, but there is no way around the caching issue. Many DNS providers, like Cloudflare DNS, support round-robin DNS.
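The rotation described above, together with its two drawbacks (a caching resolver clumping traffic onto one address, and a dead server staying in the rotation) and the health-check removal mentioned in the last paragraph, as an added simulation that is not part of the original post. The server addresses are constructed.

```python
# Added example, not from the original post: a simulation of round-robin DNS,
# its caching and dead-server drawbacks, and health-check removal. Server
# addresses are constructed.
from collections import Counter, deque
from typing import Callable, Deque, Dict, List, Tuple


class RoundRobinNameserver:
    """Authoritative server holding several A records for one name; each
    answer moves the address just handed out to the back of the queue."""

    def __init__(self, addresses: List[str]):
        self.rotation: Deque[str] = deque(addresses)

    def answer(self) -> str:
        ip = self.rotation[0]
        self.rotation.rotate(-1)          # front of the line goes to the back
        return ip

    def remove_unhealthy(self, healthy: Callable[[str], bool]) -> None:
        """Health-check hook: drop addresses for which healthy(ip) is False."""
        self.rotation = deque(ip for ip in self.rotation if healthy(ip))


def simulate(ns: RoundRobinNameserver, users: int,
             cache_hits_per_answer: int = 1,
             down=frozenset()) -> Tuple[Dict[str, int], int]:
    """Send `users` requests through one recursive resolver. The resolver reuses
    each answer for `cache_hits_per_answer` users (1 = no caching), so caching
    clumps load. Addresses in `down` are servers that are offline but still in
    the rotation. Returns (requests per server, users denied service)."""
    load: Counter = Counter()
    denied = 0
    cached, remaining = None, 0
    for _ in range(users):
        if remaining == 0:                # cache expired: ask the nameserver again
            cached, remaining = ns.answer(), cache_hits_per_answer
        remaining -= 1
        load[cached] += 1
        if cached in down:
            denied += 1
    return dict(load), denied
```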
August 07, 2018

DNS Record Types And Usage Explained - More Than Hosting

DNS records are sets of instructions that live on DNS servers. These instructions are vital to the success of a DNS lookup.


What is a DNS record?

DNS records (aka zone files) are instructions that live in authoritative DNS servers and provide information about a domain including what IP address is associated with that domain and how to handle requests for that domain. These records consist of a series of text files written in what is known as DNS syntax. DNS syntax is just a string of characters used as commands which tell the DNS server what to do. All DNS records also have a ‘TTL’, which stands for time-to-live, and indicates how often a DNS server will refresh that record.
You can think of a set of DNS records like a business listing on Yelp: that listing gives you a bunch of useful info about a business such as its location, hours, services offered, etc. All domains are required to have at least a few essential DNS records for a user to be able to access their website using a domain name, and there are several optional records that serve additional purposes.
What are the most common types of DNS record?
A record - The record that holds the IP address of a domain.
CNAME record - Forwards one domain or subdomain to another domain; does NOT provide an IP address.
MX record - Directs mail to an email server.
TXT record - Lets an admin store text notes in the record.
NS record - Stores the name server for a DNS entry.
SOA record - Stores admin information about a domain.
SRV record - Specifies a port for specific services.
PTR record - Provides a domain name in reverse-lookups.

What are some of the less commonly used DNS records?
AFSDB record - This record is used for clients of the Andrew File System (AFS) developed by Carnegie Mellon. The AFSDB record is used to find other AFS cells.
APL record - The ‘address prefix list’ is an experimental record that specifies lists of address ranges.
CAA record - This is the ‘certification authority authorization’ record; it allows domain owners to state which certificate authorities can issue certificates for that domain. If no CAA record exists, then anyone can issue a certificate for the domain. These records are also inherited by subdomains.
DNSKEY record - The ‘DNS Key Record’ contains a public key used to verify Domain Name System Security Extension (DNSSEC) signatures.
CDNSKEY record - This is a child copy of the DNSKEY record, meant to be transferred to a parent.
CERT record - The ‘certificate record’ stores public key certificates.
DHCID record - The ‘DHCP Identifier’ stores info for the Dynamic Host Configuration Protocol (DHCP), a standardized network protocol used on IP networks.
DNAME record - The ‘delegation name’ record creates a domain alias, just like CNAME, but this alias will redirect all subdomains as well. For instance if the owner of ‘example.com’ bought the domain ‘website.net’ and gave it a DNAME record that points to ‘example.com’, then that pointer would also extend to ‘blog.website.net’ and any other subdomains.
HIP record - This record uses ‘Host identity protocol’, a way to separate the roles of an IP address; this record is used most often in mobile computing.
IPSECKEY record - The ‘IPSEC key’ record works with the Internet Protocol Security (IPSEC), an end-to-end security protocol framework and part of the Internet Protocol Suite (TCP/IP).
LOC record - The ‘location’ record contains geographical information for a domain in the form of longitude and latitude coordinates.

NAPTR record - The ‘name authority pointer’ record can be combined with an SRV record to dynamically create URIs to point to, based on a regular expression.
NSEC record - The ‘next secure record’ is part of DNSSEC, and it’s used to prove that a requested DNS resource record does not exist.
RRSIG record - The ‘resource record signature’ is a record to store digital signatures used to authenticate records in accordance with DNSSEC.
RP record - This is the ‘responsible person’ record and it stores the email address of the person responsible for the domain.
SSHFP record - This record stores the ‘SSH public key fingerprints’; SSH stands for Secure Shell and it’s a cryptographic networking protocol for secure communication over an insecure network.
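An added example, not from the original post, of how a certificate authority applies the CAA rule described in the list above ("inherited by subdomains"): it looks for CAA records at the requested name and climbs toward the root until it finds some, and finding none anywhere means no restriction. The CAA records are constructed, and the wildcard handling (the issuewild tag) goes beyond what the list states.

```python
# Added example, not from the original post: the CAA lookup a certificate
# authority performs before issuing. Records below are constructed.
from typing import List, Optional, Tuple

CaaRecord = Tuple[int, str, str]   # (flags, tag, value)

# Constructed CAA records, keyed by owner name.
CAA_RECORDS = {
    "example.com.": [(0, "issue", "ca-one.example"), (0, "issuewild", ";")],
    "restricted.example.com.": [(0, "issue", ";")],   # ";" alone: nobody may issue
}


def parent(name: str) -> Optional[str]:
    """'a.b.c.' -> 'b.c.'; a single-label name has no parent left to climb to."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None


def relevant_caa(name: str) -> Tuple[Optional[str], List[CaaRecord]]:
    """Find the CAA record set that governs `name`: the records at the name
    itself, or at the closest ancestor that has any. (None, []) means none."""
    node = name
    while node is not None:
        if node in CAA_RECORDS:
            return node, CAA_RECORDS[node]
        node = parent(node)
    return None, []


def may_issue(ca: str, name: str) -> bool:
    """Can authority `ca` issue a certificate for `name` (which may be a wildcard)?"""
    wildcard = name.startswith("*.")
    _, records = relevant_caa(name[2:] if wildcard else name)
    if not records:
        return True                 # no CAA record anywhere: no restriction
    tag = "issue"
    if wildcard and any(r[1] == "issuewild" for r in records):
        tag = "issuewild"           # wildcard names prefer issuewild when present
    # The value is "<ca domain>[; parameters]"; ";" alone names no CA at all.
    allowed = {r[2].split(";")[0].strip() for r in records if r[1] == tag}
    return ca in allowed
```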
August 07, 2018

Cloudflare 1.1.1.1 DNS Service Will Speed Up Your Internet

What is 1.1.1.1?


1.1.1.1 is a fast and private way to browse the Internet. It is a public DNS resolver, but unlike most DNS resolvers, 1.1.1.1 is not selling user data to advertisers. The implementation of 1.1.1.1 makes it the fastest resolver out there.

What is DNS?
The Domain Name System (DNS) is the phonebook of the Internet. Humans access information online through domain names, like nytimes.com or espn.com. Web browsers interact through Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so browsers can load Internet resources.
Each device connected to the Internet has a unique IP address which other machines use to find the device. DNS servers eliminate the need for humans to memorize IP addresses such as 192.168.1.1 (in IPv4), or more complex newer alphanumeric IP addresses such as 2400:cb00:2048:1::c629:d7a2 (in IPv6).
What is a DNS resolver?
When a user requests to visit a web application like facebook.com, the user’s computer needs to know what server to connect to so that it can load the application. Computers don’t initially have the necessary information to do this “name to address” translation, so they ask a specialized server to do it for them.
This specialized server is called a DNS recursive resolver. The resolver’s job is to find the address for a given name, like 2400:cb00:2048:1::c629:d7a2 for cloudflare.com, and return it to the computer that asked for it.
Computers are configured to talk to specific DNS resolvers, identified by IP address. Usually the configuration is managed by the user’s ISP (like Comcast or AT&T) on home or wireless connections, and by a network administrator on office connections. Users can also manually change which DNS resolver their computers talk to.
Why use 1.1.1.1 instead of an ISP’s resolver?

The main reasons to switch to a third-party DNS resolver are security and performance. ISPs do not always use strong encryption on their DNS or support DNSSEC, which makes their DNS queries vulnerable to data breaches and exposes users to threats like man-in-the-middle attacks. In addition, ISPs often use DNS records to track their users’ activity and behavior. These resolvers don’t always have great speeds and when they get overloaded by heavy usage they become even more sluggish. If there is enough traffic on the network, an ISP’s recursor could stop answering requests altogether. In some cases attackers deliberately overload an ISP’s recursors, resulting in a denial-of-service.
[Figure: DNS hijacking]
These downsides and risks of ISP recursors can be mitigated with a secure recursive DNS service like 1.1.1.1. With security features like bleeding-edge encryption and the fastest resolution speeds, 1.1.1.1 provides a better overall user experience.
What makes 1.1.1.1 more secure than other public DNS services?
Some other recursive DNS services may claim that their services are secure because they support DNSSEC. While this is a good security practice, users of these services are ironically not protected from the DNS companies themselves. Many of these companies collect data from their DNS customers to use for commercial purposes. By contrast, 1.1.1.1 does not mine any user data. Logs are kept for 24 hours for debugging purposes, then they are purged.
1.1.1.1 also offers some security features not available from many other public DNS services, such as query name minimization. Query name minimization diminishes privacy leakage by only sending minimal query names to authoritative DNS servers.

What makes 1.1.1.1 the fastest recursive DNS service?
The power of the Cloudflare network gives 1.1.1.1 a natural advantage in terms of delivering speedy DNS queries. Since it has been deployed on Cloudflare’s 1000+ servers worldwide, users anywhere in the world will get a quick response from 1.1.1.1; in addition to this, these servers have access to the over 7 million domains on the Cloudflare platform, making queries for those domains lightning-fast.
[Figure: DNS speed comparison]

The best part of 1.1.1.1 is that in addition to being the fastest and most consumer-centered DNS, it’s free to use.