A lot has been written and discussed regarding Domain Name System (DNS) in the past few months. The DDoS attacks on one of the major managed DNS providers a while ago just made us all take DNS issues seriously once again.
So why so much emphasis on getting DNS right? We at Catchpoint, like a lot of other people in this ecosystem, strongly believe that DNS is not just a metric but a lifeline and a backbone for our online systems. It is extremely important to the Internet, as it lays the foundation for the WWW (World Wide Web).
DNS, in simple terms, translates hostnames to IP addresses. Although the objective of DNS seems straightforward and simple, in practice it has grown to become one of the most complex systems we have today.
- Domain registries
- Global top-level domains (gTLDs)
- Numerous country code top-level domains (ccTLDs).
- An ever-growing list of all the new TLDs (.space, .photography etc.).
All these add more complexity to an already complex system.
Since DNS is not restricted to a single machine (being a distributed, coherent, and hierarchical database) and involves multiple hierarchies and entities, ensuring that every hierarchy and entity involved in managing the system is working efficiently becomes crucial. At the top of the hierarchy is the
- gTLD servers.
- Authoritative name servers for domains.
Every level in this hierarchy has an important role to play in the resolution process of a domain name.
- The registries (Verisign managing .COM and .NET).
- Registrars (GoDaddy and Namecheap).
- Registrants (we who register a domain name).
- Managed DNS Service Providers.
We all are a part of this system and it becomes extremely important for us, as registrants, to keep an eye on how these multiple components are functioning to ensure that we have a stable and well-functioning system.
In this article, we will be focusing more on a very important concept in DNS: additional records, or glue records.
Additional Records (Glue Records)
In the simplest of terms, glue records are A records, i.e. IP addresses, that are mapped to a domain name or a subdomain. Glue records become essential when the name servers for a domain name are themselves subdomains of that domain name.
The glue records can be seen in the additional section of a DNS response.
Let’s take an example to understand how glue records work; assume you have a domain name called yourdomain.com for which you are using the following set of nameservers:
In the DNS resolution process, the authoritative name servers for yourdomain.com are ns1.yourdomain.com and ns2.yourdomain.com. Resolving ns1.yourdomain.com would first require resolving yourdomain.com, which in turn returns ns1.yourdomain.com and ns2.yourdomain.com as the authoritative name servers.
As you may have already noticed, this creates a circular dependency — or in simple terms, a loop — and the resolution never succeeds.
Glue records break this dependency by providing the IP addresses for ns1.yourdomain.com and ns2.yourdomain.com during the lookup. The loop never forms, because we no longer need to resolve the name servers to obtain their IP addresses; those addresses are already provided in the form of glue records.
In the example above, we see that glue records helped remove the circular dependency by providing the A records for ns1.ctrls.in and ns2.ctrls.in that were returned as the authoritative name servers for the domain ctrls.in. If this were not the case, the DNS Lookup would have failed because of a circular dependency.
For domain names that do not use subdomains of the same domain as authoritative name servers, glue records still reduce the number of lookups by providing the IP addresses of the authoritative name servers. Here is an example for wikipedia.org.
In this case, the lookup for wikipedia.org returned ns1.wikimedia.org, ns2.wikimedia.org, and ns3.wikimedia.org as the authoritative name servers for the domain. Without glue, this would have required an additional level of DNS lookup under wikimedia.org before the A/AAAA record for wikipedia.org, the name originally queried, could be obtained.
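To make the circular dependency concrete, here is an added example (not code from the original article) that walks a toy iterative resolver over constructed referral data for yourdomain.com: once without glue, where the lookup of ns1.yourdomain.com loops back on itself, and once with glue in the additional section, where the loop never forms. The domain, name server names and IP addresses are all constructed, and nothing touches the network.

```python
class CircularDependency(Exception):
    """Raised when resolving a name requires resolving that same name again."""


# Constructed referrals from the .com servers for yourdomain.com:
# the NS names, plus the glue (additional-section A records) for them, if any.
REFERRAL_NO_GLUE = {"yourdomain.com": (["ns1.yourdomain.com", "ns2.yourdomain.com"], {})}
REFERRAL_WITH_GLUE = {"yourdomain.com": (
    ["ns1.yourdomain.com", "ns2.yourdomain.com"],
    {"ns1.yourdomain.com": "198.51.100.10", "ns2.yourdomain.com": "198.51.100.11"},
)}
# Constructed records served by ns1/ns2 once the resolver can actually reach them.
ZONE_A = {"www.yourdomain.com": "203.0.113.5",
          "ns1.yourdomain.com": "198.51.100.10",
          "ns2.yourdomain.com": "198.51.100.11"}


def closest_zone(name, referrals):
    """Walk up the name's labels until a delegated zone is found."""
    labels = name.split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in referrals:
            return zone
    raise KeyError("no delegation for " + name)


def resolve(name, referrals, trace=None, in_progress=None):
    """Return (ip, trace); trace records every step the resolver had to take."""
    trace = [] if trace is None else trace
    in_progress = set() if in_progress is None else in_progress
    if name in in_progress:
        raise CircularDependency(name)
    in_progress.add(name)
    zone = closest_zone(name, referrals)
    ns_names, glue = referrals[zone]
    trace.append("referral for %s: NS %s, glue for %s" % (zone, ns_names, sorted(glue)))
    # Prefer a name server that came with glue. Without glue we must first
    # resolve an NS name, which is exactly the lookup that loops when the
    # name server lives inside the zone it serves.
    glued = [ns for ns in ns_names if ns in glue]
    if glued:
        ns_name, ns_ip = glued[0], glue[glued[0]]
    else:
        ns_name = ns_names[0]
        ns_ip, _ = resolve(ns_name, referrals, trace, in_progress)
    trace.append("ask %s (%s) for %s" % (ns_name, ns_ip, name))
    in_progress.discard(name)
    return ZONE_A[name], trace
```

Calling `resolve("www.yourdomain.com", REFERRAL_NO_GLUE)` raises `CircularDependency` for ns1.yourdomain.com, while the same call with `REFERRAL_WITH_GLUE` returns the address and a two-step trace.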
One of our customers, a leading CDN provider headquartered in China, reached out to us a while ago complaining that the A records being returned for two of their name servers were incorrect (old IPs).
When investigating this case, we observed that when doing a DNS Experience test for the name servers, the IPs being returned by the authoritative name servers were correct. However, when running a DNS Direct test to the name servers of the domain using any of the gTLD servers (a-m.gtld-servers.net.), the IPs returned were the incorrect IPs.
Digs to the domain name using the command `dig "domain name here" @a.root-servers.net` returned the same response as Catchpoint's DNS tests.
Further investigation led us to believe that this was one of those cases where the changes to the glue/additional records at the domain registrar's end were not pushed to the gTLD servers.
| Catchpoint DNS Monitors | |
| --- | --- |
| Experience DNS Test | For DNS tests that use the experience monitor, Catchpoint randomly selects a server from each level of the DNS route and queries it for the domain. |
| Direct DNS Test | This test provides the complete query and response from the DNS server specified for the test, along with the length of time it took to complete the test and any errors received during testing. |
What Fixed This Issue?
Based on our recommendations, our client reached out to the domain registrar for the domain and got the glue records updated for the domain. The change made was pushed to all the gTLD servers and the issue was resolved.
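The incident above is a glue-drift problem: the parent (gTLD) side advertised addresses the authoritative side no longer published. As an added example that is not part of the original article, the check below parses dig-style referral and answer text, compares the additional-section glue against the authoritative A/AAAA answers for the same name server names, and reports every name server whose glue is missing or stale. The domain example-cdn.com, its name servers and all addresses are constructed placeholders; in practice the two inputs would come from `dig <name> @a.gtld-servers.net` and from a query to the domain's own authoritative servers.

```python
import re

# One resource record line of dig output: "<name>. <ttl> IN <A|AAAA> <address>".
RR_LINE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+(A|AAAA)\s+(\S+)$")

# Constructed referral from a gTLD server; ns2 still carries an old address.
PARENT_REFERRAL = """\
;; AUTHORITY SECTION:
example-cdn.com.        172800  IN      NS      ns1.example-cdn.com.
example-cdn.com.        172800  IN      NS      ns2.example-cdn.com.

;; ADDITIONAL SECTION:
ns1.example-cdn.com.    172800  IN      A       198.51.100.10
ns2.example-cdn.com.    172800  IN      A       198.51.100.11
"""
# Constructed answers from the domain's own authoritative servers.
AUTHORITATIVE_ANSWERS = """\
;; ANSWER SECTION:
ns1.example-cdn.com.    300     IN      A       198.51.100.10
ns2.example-cdn.com.    300     IN      A       203.0.113.22
ns2.example-cdn.com.    300     IN      AAAA    2001:db8::22
"""


def parse_address_records(text, section):
    """Collect {name: {addresses}} for the A/AAAA records under one dig section."""
    records, current = {}, None
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            current = line[3:-1]
            continue
        m = RR_LINE.match(line)
        if m and current == section:
            records.setdefault(m.group(1), set()).add(m.group(3))
    return records


def glue_drift(parent_text, auth_text):
    """Return {ns_name: (glue_addresses, authoritative_addresses)} for every
    name server whose parent-side glue disagrees with the authoritative side."""
    glue = parse_address_records(parent_text, "ADDITIONAL SECTION")
    auth = parse_address_records(auth_text, "ANSWER SECTION")
    drift = {}
    for ns in sorted(set(glue) | set(auth)):
        g, a = glue.get(ns, set()), auth.get(ns, set())
        # Glue may legitimately omit some addresses (e.g. AAAA), so flag only
        # name servers with no glue at all, or glue that advertises an address
        # the authoritative servers no longer publish.
        if not g or not g <= a:
            drift[ns] = (sorted(g), sorted(a))
    return drift
```

Running `glue_drift(PARENT_REFERRAL, AUTHORITATIVE_ANSWERS)` flags only ns2.example-cdn.com, which is the condition a scheduled monitor would alert on before users start hitting the old address.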
This incident emphasizes the importance of monitoring each level as well as each component of this amazingly vast system we know as DNS. Having a monitoring strategy focused on DNS is not just recommended but crucial to discover issues, whether they are under our control or out of it.