This article is translated from my English blog; the latest revision is always available there: A Concise DNS Tutorial.
In my view, DNS (the Domain Name System) is the heart of the internet. I have always held that whoever controls DNS controls the network. Let's take a closer look at how it works.
Host mapping table (hosts)
In the early days, reaching a computer meant remembering its IP address, which was hard to memorise and hard to maintain (when an address changed, everyone had to be told). So people created a file that maps computer names to IP addresses, stored a copy of it on every machine, and had one designated computer maintain the master copy. That file is `hosts` (an entry pairs a name with an address, e.g. `timerring` with `88.88.88.88`; in the real file format the address comes first: `88.88.88.88 timerring`). This is the HOSTS.TXT scheme of the ARPANET: one centrally maintained file, downloaded by every host.
As the internet grew and the number of addresses exploded, the hosts file became huge and name collisions became common, so DNS was born.
DNS core principles
In 1983 Paul Mockapetris proposed the Domain Name System (DNS), a distributed database that maps domain names to IP addresses. Today, visiting a website means asking a DNS server for the name and getting back the IP; there is no dependence on a local hosts file (on a modern computer the hosts file usually holds only a few loopback entries such as `127.0.0.1 localhost`). Note that the hosts file is still consulted before DNS, which is why both administrators and malware use it to override resolution for specific names.
Dynamic assignment via DHCP
The DNS server address may itself be dynamic (home broadband, for example): each time you connect, the gateway hands it out via DHCP (Dynamic Host Configuration Protocol). On Linux you can see the current DNS server address in /etc/resolv.conf. On distributions running systemd-resolved that file only points at the local stub resolver 127.0.0.53; run `resolvectl status` to see the upstream servers actually in use.
DNS protocol rules
To keep domain names unique, DNS uses a hierarchy much like a postal address (e.g. home.google.com).
Domain name hierarchy
- Root domain: written as `.` (usually omitted), e.g. the trailing dot in `math.stackexchange.com.`.
- Top-level domain (TLD): e.g. `.com`, `.org`.
- Second-level domain (SLD): the name a user registers, e.g. `google.com`.
- Host name: a label chosen by the domain owner to identify a host, e.g. `www`.
Domain name resource records (Resource Record)
Each name in DNS corresponds to one or more records, each of the form:
name TTL class type value
The third field is the record class; in practice it is always IN (Internet), which is what the dig output later in this post shows.
- Record types (Type):
- A: IPv4 address record (e.g. google.com -> 142.250.78.14).
- AAAA: IPv6 address record.
- NS: name server record, pointing at the authoritative servers for that level of the hierarchy (e.g. the NS records for .com point at the .com servers).
- MX: mail exchanger record, naming the servers that receive mail for the domain (e.g. github.com's MX records point at its mail servers).
- CNAME: alias record, pointing one name at another (e.g. blog.timerring.com could be a CNAME for timerring.github.io). A name that has a CNAME may carry no other record types, and a resolver follows the alias chain until it reaches an address record.
- PTR: reverse record, mapping an IP address back to a name. Because the PTR is published by whoever controls the IP block, not by the domain owner, it only says something about ownership when the returned name's forward A record resolves back to the same IP (forward-confirmed reverse DNS).
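As an added example (not code from the original post), the following script parses resource records in the `name TTL class type value` format that dig prints, validates each field, and looks a name up the way a resolver does, following CNAME aliases. The sample records at the bottom are constructed for illustration; the 198.18.x.x address for baidu.com is taken from the dig output later in this post and is not baidu's real address.

```python
"""Added example (not from the original post): parse dig/zone-file style
resource records and resolve a name the way a resolver does, following
CNAME aliases.  All records in SAMPLE are constructed for illustration."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str      # owner name, fully qualified (trailing dot)
    ttl: int       # seconds the record may be cached
    rclass: str    # almost always "IN"
    rtype: str     # A, AAAA, NS, MX, CNAME, PTR, ...
    rdata: str     # the value, normalised per type


def canon(name: str) -> str:
    """Lower-case a name and make it fully qualified."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_rr(line: str) -> RR:
    """Parse one 'name TTL class type rdata' line as dig prints it."""
    line = line.split(";", 1)[0].strip()            # drop trailing comments
    fields = line.split(None, 4)
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields: {line!r}")
    name, ttl, rclass, rtype, rdata = fields
    ttl = int(ttl)
    if not 0 <= ttl < 2 ** 31:                      # RFC 2181: TTL is 31 bits
        raise ValueError(f"TTL out of range: {ttl}")
    rtype = rtype.upper()
    if rtype == "A":
        ipaddress.IPv4Address(rdata)                # raises on malformed rdata
    elif rtype == "AAAA":
        ipaddress.IPv6Address(rdata)
    elif rtype in ("CNAME", "NS", "PTR"):
        rdata = canon(rdata)
    elif rtype == "MX":
        prio, host = rdata.split()
        rdata = f"{int(prio)} {canon(host)}"
    return RR(canon(name), ttl, rclass.upper(), rtype, rdata)


class Zone:
    """In-memory record set with a resolver-style lookup."""

    def __init__(self, lines):
        self.records = defaultdict(list)
        for line in lines:
            if line.strip() and not line.lstrip().startswith(";"):
                rr = parse_rr(line)
                self.records[(rr.name, rr.rtype)].append(rr)

    def lookup(self, name: str, rtype: str, max_hops: int = 8):
        """Return (records consulted, final rdata values).

        If the name has no record of the requested type but has a CNAME,
        follow the alias as a resolver does.  The hop limit turns a CNAME
        loop into an error instead of an endless loop.
        """
        name = canon(name)
        chain = []
        for _ in range(max_hops):
            direct = self.records.get((name, rtype.upper()), [])
            if direct:
                chain.extend(direct)
                return chain, [rr.rdata for rr in direct]
            aliases = self.records.get((name, "CNAME"), [])
            if not aliases:
                return chain, []                    # no data for this name
            if len(aliases) > 1:                    # RFC 1034: one CNAME per name
                raise ValueError(f"{name} has more than one CNAME")
            chain.append(aliases[0])
            name = aliases[0].rdata
        raise RuntimeError(f"CNAME chain longer than {max_hops} hops (loop?)")


# Constructed sample data in the format dig prints (see the dig section).
SAMPLE = """
baidu.com.             6    IN  A      198.18.28.63
facebook.github.io.    3370 IN  CNAME  github.map.fastly.net.
github.map.fastly.net. 600  IN  A      103.245.222.133
github.com.            3600 IN  MX     1 aspmx.l.google.com
loop-a.example.        60   IN  CNAME  loop-b.example.
loop-b.example.        60   IN  CNAME  loop-a.example.
""".strip().splitlines()


def resolve_sample(name: str, rtype: str = "A"):
    """Look `name` up in the constructed sample zone."""
    return Zone(SAMPLE).lookup(name, rtype)


if __name__ == "__main__":
    chain, values = resolve_sample("facebook.github.io")
    for rr in chain:
        print(f"{rr.name:24} {rr.ttl:5} {rr.rclass} {rr.rtype:5} {rr.rdata}")
    print("final:", values)
```

Running it prints the two-record chain for facebook.github.io (CNAME, then A) and the final address; looking up `loop-a.example` raises instead of spinning, which is the case a real resolver also has to guard against.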
DNS server architecture
DNS is managed in a distributed way by splitting the namespace into zones (DNS Zones). Each zone has a master (primary) server and one or more slave (secondary) servers that hold a copy of the zone for redundancy and to spread query load; together they are the zone's authoritative name servers (Authoritative Name Servers). A zone stores two kinds of records:
- the resource records for names inside the zone itself (e.g. the A record for google.com);
- the NS records that tie the zone into the hierarchy: the zone's own NS records (which the parent zone also publishes as its delegation) and the NS records of delegated child zones, together with glue A records for those child name servers. These are what make hierarchical lookup possible.
The root zone (.) is the foundation of DNS. There are 13 root server identities (a.root-servers.net through m.root-servers.net), each of which is served by many anycast instances around the world; see root-servers.org for details.
Domain resolution process
When a device joins a network it learns its default DNS server (one provided by the ISP, or a public resolver you set manually, such as 8.8.8.8). Resolution then proceeds as follows:
- Local cache first: the browser, then the operating system, check their caches (and the hosts file); a hit returns the IP immediately.
- Recursive query: on a miss, the device sends a single recursive query to its configured resolver and waits for the final answer. The resolver does the real work with a series of iterative queries: it asks a root server, which replies with a referral (the NS records and addresses of the .com servers); it asks a .com server, which refers it to google.com's servers; and so on until an authoritative server returns the address (for www.google.com the path is . -> com -> google.com -> www.google.com).
Caching
To keep this efficient, browsers, operating systems and DNS resolvers all cache results, for a period set by each record's time-to-live (TTL):
- Stable names (e.g. google.com) use long TTLs (typically hours to days).
- Names that change often (e.g. temporary test names, or a record you are about to move) use short TTLs (minutes to tens of minutes).
A practical consequence: lower the TTL well before changing a record, and remember that a forged or poisoned answer also survives in caches for as long as its TTL says.
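The resolution path and the caching rule above, as one added example (not code from the original post): a toy resolver walks root -> TLD -> authoritative server with iterative queries and keeps a TTL-aware cache in front of them. The three pretend servers use RFC 5737 documentation addresses and all zone data is constructed; `now` is passed in explicitly so the TTL expiry can be shown without waiting.

```python
"""Added example (not from the original post): iterative resolution through
a constructed root / .com / google.com hierarchy, with a TTL-aware cache.
Server addresses are RFC 5737 documentation addresses; zone data is made up."""

ROOT_IP = "192.0.2.1"

# Each pretend server holds records as (owner, ttl, type, rdata).  A server
# answers from its own data; otherwise it hands out a referral: the NS record
# of the closest delegated child zone plus a glue A record for that server.
SERVERS = {
    ROOT_IP: [                                    # pretend root server (".")
        ("com.", 172800, "NS", "a.gtld-servers.net."),
        ("a.gtld-servers.net.", 172800, "A", "198.51.100.1"),
    ],
    "198.51.100.1": [                             # pretend .com server
        ("google.com.", 172800, "NS", "ns1.google.com."),
        ("ns1.google.com.", 172800, "A", "203.0.113.1"),
    ],
    "203.0.113.1": [                              # pretend google.com server
        ("www.google.com.", 300, "A", "203.0.113.10"),
    ],
}


def canon(name: str) -> str:
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def query(server_ip: str, qname: str, qtype: str) -> dict:
    """One iterative query to one server.

    Returns {"answer": [...]} for names the server is authoritative for,
    {"referral": (ns_name, ns_ip)} for a delegated child zone, or {} if the
    server knows nothing about the name.
    """
    zone = SERVERS[server_ip]
    answer = [rec for rec in zone if rec[0] == qname and rec[2] == qtype]
    if answer:
        return {"answer": answer}
    best = None                                   # longest matching delegation
    for owner, _ttl, rtype, rdata in zone:
        if rtype == "NS" and (qname == owner or qname.endswith("." + owner)):
            if best is None or len(owner) > len(best[0]):
                best = (owner, rdata)
    if best is None:
        return {}
    glue = [r for (o, _t, ty, r) in zone if o == best[1] and ty == "A"]
    return {"referral": (best[1], glue[0])}


class Cache:
    """Maps (name, type) -> (expiry time, values); entries die at expiry."""

    def __init__(self):
        self.entries = {}

    def get(self, key, now):
        hit = self.entries.get(key)
        if hit and now < hit[0]:
            return hit[1]
        self.entries.pop(key, None)               # expired: drop it
        return None

    def put(self, key, values, ttl, now):
        self.entries[key] = (now + ttl, values)


def resolve(qname: str, qtype: str, cache: Cache, now: int):
    """Recursive resolution. Returns (values, number of upstream queries sent)."""
    qname = canon(qname)
    key = (qname, qtype)
    cached = cache.get(key, now)
    if cached is not None:
        return cached, 0
    server, sent = ROOT_IP, 0
    for _ in range(16):                           # bound the referral chain
        resp = query(server, qname, qtype)
        sent += 1
        if "answer" in resp:
            values = [rec[3] for rec in resp["answer"]]
            ttl = min(rec[1] for rec in resp["answer"])   # cache for the shortest TTL
            cache.put(key, values, ttl, now)
            return values, sent
        if "referral" not in resp:
            return [], sent                       # name does not exist
        server = resp["referral"][1]              # follow the glue address
    raise RuntimeError("referral chain too long")


if __name__ == "__main__":
    cache = Cache()
    for t in (0, 299, 300):
        print(f"t={t:3}s ->", resolve("www.google.com", "A", cache, now=t))
```

The first lookup costs three upstream queries (root, .com, google.com); at t=299 the 300-second TTL has not expired, so the cache answers with zero queries; at t=300 the entry is gone and the full walk repeats. A production resolver also caches the NS and glue records it saw along the way, so a later query for mail.google.com would start at the google.com servers rather than at the root.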
DNS leaks and protection
A DNS leak is when your DNS queries bypass the VPN or proxy and travel in plaintext to the ISP's resolver, so every intermediate node (and the resolver operator) can see which domains you visit. Even with a proxy in place, a domain that matches no proxy rule may still trigger a local DNS query, and the browser can expose your real address through other channels as well (e.g. WebRTC sends STUN probes over UDP outside the proxy).
Detection tools:
- ipleak.net: makes the browser resolve random, unique subdomains and reports which resolvers the queries arrived from, and therefore which network they left through.
- browserleaks.com/webrtc: checks whether WebRTC exposes your public IP.
Protection:
- DoH (DNS over HTTPS): carries DNS queries inside HTTPS (port 443), where they look like ordinary web traffic.
- DoT (DNS over TLS): carries DNS queries inside a TLS session on a dedicated port (853), which is easy to identify and block.
- Global proxy mode: encrypt all traffic and let the remote node do the resolving, as in Clash's Fake IP mode, where the local client answers every DNS query immediately with an address from a reserved fake range (by default inside 198.18.0.0/15, the RFC 2544 benchmarking range) and forwards the domain name, not the fake address, to the remote node.
Note that DoH and DoT only protect the path to the resolver; the resolver operator still sees every query, so choose one you trust. A browser's DoH setting also covers only the browser's own queries, not those of other programs on the machine.
A complete access walkthrough
Take visiting google.com as an example; the whole process spans several layers of the OSI model.
To begin with, you should know the OSI model. I drew an image to explain it; you can also read my earlier post Real Computer Network.
So imagine what happens when you surf the internet: you type google.com into your browser and the page comes back. What happened in between?


In the common case, when you buy broadband the operator provides a fibre-optic modem and you buy a router. The router connects to the internet via PPPoE and obtains its WAN IP (often still a private or carrier-grade NAT address rather than a true public one) plus the DNS server addresses (commonly two). The router is the gateway of your local network, has its own LAN address, and hands out addresses and DNS server addresses to your devices via DHCP (commonly the DNS address and the gateway address are both the router's LAN IP, because the router runs a small DNS forwarder).
- The browser first checks its own cache for google.com's IP, then the OS cache (which includes the hosts file). If neither has it, it sends a DNS request: "tell me the IP of google.com".
- Transport layer: the source port is an ephemeral port chosen by the OS (222 in the original diagram; in practice a high, randomised port, which also matters for resisting spoofed replies) and the destination port is DNS's default 53, over UDP.
- Network layer: the source IP is your computer's 192.168.1.10 and the destination is the DNS server's 8.8.8.8. Since 8.8.8.8 is not on the local subnet, the packet has to go via the gateway; delivery within the LAN is by MAC address, which is handled at the data-link layer.
- Data-link layer: the source MAC AA-AA-AA-AA is your computer's; the destination MAC CC-CC-CC-CC, learned through ARP, is the gateway's.
- The frame leaves through the NIC onto the cable.
- The switch receives the frame and forwards it to the gateway (the router).
- At the router's data-link layer, the router sees the frame is addressed to itself and passes the packet up to the network layer. 8.8.8.8 matches no specific entry in its routing table, so the packet goes out via the default route toward the public network.
- Before it leaves, NAT rewrites the private source IP to the router's WAN IP (and records the port mapping so the reply can be sent back to 192.168.1.10).
- In the public network each router rewrites the layer-2 frame (new source and destination MAC) at every hop, while the IP header stays the same apart from the decremented TTL, until the packet reaches the DNS server.
- The DNS server receives the packet, sees destination port 53, knows it is a DNS request, resolves google.com and returns the IP.
- The reply takes the reverse path, with NAT mapping it back to 192.168.1.10. Finally your computer has google.com's IP and sends its HTTP(S) request to that address, following the same path again.
But sometimes the process is not so smooth. If the DNS server is overseas, the traffic passes through the public international gateway (unless you use an ISP's IPLC private line). Every packet can be inspected there, which is where DNS pollution (a forged answer carrying a wrong or non-existent IP that arrives before the real one), TCP reset (an injected RST that tears down the connection), IP blocking and active probing come from. A plaintext UDP DNS query is easy to forge because the only things the client checks on the reply are the 16-bit transaction ID and the source port.
Practical tool: the dig command
dig is a powerful DNS query tool. Common uses:

```
dig baidu.com            # query A records (same as dig a baidu.com)
```

```
;; ANSWER SECTION:
baidu.com.  6  IN  A  198.18.28.63   ; TTL 6 seconds, IP 198.18.28.63
```

A caveat on this output: both 198.18.28.63 and the responding server 198.19.0.3 below fall inside 198.18.0.0/15, the RFC 2544 benchmarking range that Clash's Fake IP mode uses for its fake answers. The very short TTL is another sign. What dig shows here is the local proxy's synthetic answer, not baidu.com's real address; run the query with the proxy off, or against a specific upstream with `@8.8.8.8`, to see the real record.

- `dig +short baidu.com`: print only the address.
- `dig @8.8.8.8 baidu.com`: send the query to a specific DNS server (here Google's 8.8.8.8).
- `dig +trace baidu.com`: trace the resolution path, showing each step from the root servers down to the target's authoritative servers.

```
;; Received 239 bytes from 198.19.0.3#53(198.19.0.3) in 9 ms
baidu.com.  6  IN  A  198.18.28.63
```

In a normal trace the root server (for example c.root-servers.net) only appears in the first step, where it refers you to the .com servers; the final answer section comes from baidu.com's own authoritative servers. In the output above the trace was again answered by the local fake-IP resolver.

- `dig cname facebook.github.io`: query the CNAME record; it shows facebook.github.io pointing at github.map.fastly.net.

```
...
;; ANSWER SECTION:
facebook.github.io.     3370  IN  CNAME  github.map.fastly.net.
github.map.fastly.net.  600   IN  A      103.245.222.133
```

whois: domain registration information
The whois command returns a domain's registrar, creation and expiry dates, and name servers:

```
whois github.com   # not to be confused with whoami, which prints the current user
```
Understanding the DNS hierarchy, the resolution process and the related security mechanisms makes it easier to tune network configuration and to troubleshoot access problems. For further discussion, visit the blog for the latest version of this post.

