Answer: Your computer contacts a series of DNS servers around the Internet.
There are several DNS servers with information about network-surveys.cr.yp.to. A central root server at IP address 192.5.5.241 has the following information:
    .:192.5.5.241
    &to:198.6.1.82

The second line is a delegation. It says ``For information about .to, ask the DNS server at IP address 198.6.1.82.'' The DNS server at IP address 198.6.1.82 has the following information:

    .to:198.6.1.82
    &yp.to:131.193.178.181

The second line says ``For information about .yp.to, ask the DNS server at IP address 131.193.178.181.'' The DNS server at IP address 131.193.178.181 has the following information:

    .yp.to:131.193.178.181
    =network-surveys.cr.yp.to:131.193.178.100

The second line gives the IP address of network-surveys.cr.yp.to.
Your computer starts with the root server address in a file on disk. It talks to the root server, then the .to server at IP address 198.6.1.82, then the .yp.to server at IP address 131.193.178.181, and finally it has the answer. It remembers everything that it learned (for a limited amount of time; information changes!) to save time later. All of this work is handled by a DNS cache running on your computer.
To protect against computer failure, there are actually several root servers and several .to servers. Each of the root servers has the following information:
    .:198.41.0.4:a
    .:128.9.0.107:b
    .:192.33.4.12:c
    .:128.8.10.90:d
    .:192.203.230.10:e
    .:192.5.5.241:f
    .:192.112.36.4:g
    .:128.63.2.53:h
    .:192.36.148.17:i
    .:198.41.0.10:j
    .:193.0.14.129:k
    .:198.32.64.12:l
    .:202.12.27.33:m
    &to:128.250.1.21:a
    &to:193.0.0.193:b
    &to:196.7.0.139:c
    &to:206.184.59.10:d
    &to:198.6.1.82:e
    &to:206.86.247.253:f
    &to:148.59.19.11:g

Each of the .to servers has the following information:

    .to:128.250.1.21:a
    .to:193.0.0.193:b
    .to:196.7.0.139:c
    .to:206.184.59.10:d
    .to:198.6.1.82:e
    .to:206.86.247.253:f
    .to:148.59.19.11:g
    &yp.to:131.193.178.181:a
    # or, in BIND master zone-file format:
    # yp.to IN NS a.ns.yp.to
    # a.ns.yp.to IN A 131.193.178.181

Your computer tries the root servers in a random order. When it receives a response from some root server, it moves to the .to servers, and tries them in a random order.
Answer: Your computer asks a series of DNS servers about the name 122.217.33.208.in-addr.arpa. The root servers have the following information:
    &33.208.in-addr.arpa:206.228.179.10:c
    &33.208.in-addr.arpa:144.228.254.10:b
    &33.208.in-addr.arpa:144.228.255.10:a

The DNS server at IP address 144.228.254.10 has the following information:

    .33.208.in-addr.arpa:144.228.255.10:a
    .33.208.in-addr.arpa:206.228.179.10:c
    .33.208.in-addr.arpa:144.228.254.10:b
    &217.33.208.in-addr.arpa:209.191.164.20:a
    &217.33.208.in-addr.arpa:206.253.194.65:b

The DNS server at IP address 209.191.164.20 has the following information:

    .217.33.208.in-addr.arpa:209.191.164.20:a
    .217.33.208.in-addr.arpa:206.253.194.65:b
    =mm-outgoing.amazon.com:208.33.217.122
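The forward walk (root, .to, .yp.to) and the reverse walk through in-addr.arpa described in the two answers above, modelled as a small Python resolver over the tinydns-data lines shown. This is an added example, not code from djbdns; it assumes a constructed SERVERS table holding only the servers whose data the FAQ prints, treats every other listed server as one that does not respond, and ignores TTLs and retries.

```python
import random
# tinydns-data lines per authoritative server, constructed from the FAQ's
# worked examples; only the servers whose data the FAQ shows are "reachable".
SERVERS = {
    "192.5.5.241": [".:192.5.5.241", "&to:198.6.1.82",
                    "&33.208.in-addr.arpa:206.228.179.10:c",
                    "&33.208.in-addr.arpa:144.228.254.10:b",
                    "&33.208.in-addr.arpa:144.228.255.10:a"],
    "198.6.1.82": [".to:198.6.1.82", "&yp.to:131.193.178.181"],
    "131.193.178.181": [".yp.to:131.193.178.181",
                        "=network-surveys.cr.yp.to:131.193.178.100"],
    "144.228.254.10": [".33.208.in-addr.arpa:144.228.254.10:b",
                       "&217.33.208.in-addr.arpa:209.191.164.20:a",
                       "&217.33.208.in-addr.arpa:206.253.194.65:b"],
    "209.191.164.20": [".217.33.208.in-addr.arpa:209.191.164.20:a",
                       "=mm-outgoing.amazon.com:208.33.217.122"],
}
# The root server addresses the FAQ lists (what a cache reads from disk).
ROOT_IPS = ["198.41.0.4", "128.9.0.107", "192.33.4.12", "128.8.10.90", "192.203.230.10",
            "192.5.5.241", "192.112.36.4", "128.63.2.53", "192.36.148.17", "198.41.0.10",
            "193.0.14.129", "198.32.64.12", "202.12.27.33"]

def parse(line):
    """Split a tinydns-data line into (type, owner, ip); later fields are ignored."""
    fields = line[1:].split(":")
    return line[0], fields[0], fields[1]

def reverse_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"  # PTR owner of a '=' line

def resolve(qname, root_ips=ROOT_IPS, rng=random, max_hops=8):
    """Walk delegations from the roots the way a cache does. Returns (answer, path):
    an IP for a forward name, a host name for an in-addr.arpa name, None if nobody answers."""
    path, candidates = [], list(root_ips)
    for _ in range(max_hops):
        rng.shuffle(candidates)                            # random order, as in the FAQ
        live = [ip for ip in candidates if ip in SERVERS]  # first one that responds
        if not live:
            return None, path
        path.append(live[0])
        recs = [parse(line) for line in SERVERS[live[0]]]
        for kind, owner, ip in recs:                       # an '=' line answers A or PTR
            if kind == "=" and qname in (owner, reverse_name(ip)):
                return (ip if owner == qname else owner), path
        zones = {}
        for kind, owner, ip in recs:                       # collect '&' delegations
            if kind == "&" and (qname == owner or qname.endswith("." + owner)):
                zones.setdefault(owner, []).append(ip)
        if not zones:
            return None, path
        candidates = zones[max(zones, key=len)]            # follow the most specific zone
    return None, path
```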
Answer: Normally each computer will run the dnscache program as a local DNS cache on the private IP address 127.0.0.1.
As an alternative, one computer can run dnscache as an external DNS cache on a public IP address. Other computers (if authorized) can then use that cache instead of running local caches.
You'll also need to run the tinydns program as a DNS server on any computer to which names have been, or will be, delegated. You don't need tinydns if your host information is provided by your ISP's DNS server.
The final results for a typical department network look like this:
                  on private                on public            with this in
    computer  running   IP address   running   IP address   /etc/resolv.conf
    ------------------------------------------------------------------------
    unix1     dnscache  127.0.0.1    tinydns   18.25.0.1    127.0.0.1
    unix2     dnscache  127.0.0.1    tinydns   18.25.0.2    127.0.0.1
    unix3     dnscache  127.0.0.1    -         18.25.0.3    127.0.0.1
    unix4     dnscache  127.0.0.1    -         18.25.0.4    127.0.0.1
    unix5     -         127.0.0.1    dnscache  18.25.0.5    18.25.0.5
    doze1     -         127.0.0.1    -         18.25.0.6    18.25.0.5
    doze2     -         127.0.0.1    -         18.25.0.7    18.25.0.5
    doze3     -         127.0.0.1    -         18.25.0.8    18.25.0.5
    doze4     -         127.0.0.1    -         18.25.0.9    18.25.0.5

unix1, unix2, unix3, and unix4 are running local DNS caches. unix1 and unix2 are also running DNS servers; each server is providing the same information about various names that have been delegated to 18.25.0.1 and 18.25.0.2. unix5 is running an external DNS cache, which is shared by unix5, doze1, doze2, doze3, and doze4.
If you're setting up a personal computer, you can follow the model of doze4 shown above, with your ISP's external cache IP address in /etc/resolv.conf; you don't need to run a local cache. Or you can follow the model of unix4, with a local cache on 127.0.0.1 and with 127.0.0.1 in /etc/resolv.conf; cached responses are extremely fast, and you don't need any information from your ISP. You may want to have the local cache forward queries to the ISP's cache if your network connection is slow or limited by a firewall.
If you're publishing addresses for a large cluster of web servers, you may want to use pickdns to balance the HTTP load. You can also use pickdns to provide different answers to different clients. In versions 1.04 and above, these features have been integrated into tinydns.
You can also use rbldns to publish lists such as RBL or DUL. These lists are used by rblsmtpd.
Answer: Configure a few external caches. Set up your firewall to allow UDP packets between port 53 on the Internet and ports above 1024 on each external cache. Set up all your computers to use these caches.
Configure a DNS server behind the firewall, separate from your public DNS server. Put your whatever.moon.af.mil names on this server. Configure each external cache to consult this server for moon.af.mil names.
You may also want to run a public reverse DNS wall to provide uninformative host names for all your IP addresses.
Answer: Yes. See cr.yp.to/djbdns/guarantee.html.