DNS is no laughing matter! Why once, I met this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy's cousin...!
03:52 Actually, it's 13 ip addresses. This is a hard limit related to the size of DNS packets. These 13 addresses used to belong to 13 servers, but this was long ago expanded by the use of anycast routing to share those ip addresses among multiple servers. A packet sent to one of those addresses get routed to a server in the closest location. These days there are over a thousand root name servers.
Yeah, that's what I thought too and I popped over to root-servers.org to verify. There are 13 "servers" belonging to 12 organizations (Verisign has two) which use anycast to serve from 1,309 sites as of today (2020-07-09).
@@CCRLH85 Odd, this is a copy and paste from their site, "As of 2020-07-10, the root server system consists of 1086 instances operated by the 12 independent root server operators." Still the 9th here in the US, but some parts of the world are already on the 10th.
@@lawrencedoliveiro9104 Size of a UDP packet, which is the protocol that DNS runs on ( it runs on TCP too but UDP is tried first for various factors) has a limit of 512 bytes per packet. So there's a limit on the number of addresses you can fit in it. More than that and you can't fit the answer in 1 packet and have to switch to TCP to send the complete info.
Every time you're troubleshooting: "It's not possible for DNS to be the cause, it's completely unrelated." Also every time you're troubleshooting: "It was DNS."
@@ayefries I literally just (right before lunchtime, less than an hour ago) resolved an issue caused by 1.1.1.1 not giving out ANY results for Fortinet requests.
@rebmcr yeah I’ve had similar random issues with 1.1.1.1 and ended up moving back to Google’s 8.8.8.8. I wanted to try and at least reduce my use of Google services so they don’t have literally all of my information haha, but unfortunately they tend to have the best, most reliable option most of the time (e.g. Google search vs DuckDuckGo, Gmail vs like every other email service, etc).
@@einsteinx2 The easiest way is to just use your ISP's DNS, or even your ISP-provided router (if applicable) as a forwarder. If you want something super-fast for free, you go to Google's servers these days. Just be aware that they are now aware of _every_ site you access (you're asking _them_ where that server is. And selling information is what's their business, after all). There's quite a few free ("open source community" I'd say for some) non-tracking services around aswell, some even blacklisting known phishing sites etc; they work fine, but you'll have to add a millisecond here or there, so it's not _as_ snappy as 1.1.1.1
@@GutnarmEVE Great idea, all ISPs in my country are obligated by government to log all client traffic. Google may make money on it, ISPs may help make case for law enforcement.
Watched this video 2 years ago, didn't get much. After recent studying, it all makes sense. Great video, this channels is a very helpful reference for top level explanations.
Yeah, I was first learning the DNS server farms out around and basic DNS servers are set up with text like data and they feed update each other until recent better security has been implemented because DNS can be hacked rerouted.
@@klyanadkmorr yep, DNSSEC. Cryptographically signs replies so it can't be faked, unless you have managed to compromise the signing keys...usually very, very unlikely.
I love how ambiguous the record names are lol. It's impossible to infer anything from them aside from CNAME. I mean that's gotta be name for something. But... A?
@@-dash They are completely fine abbreviations. A is an address and AAAA is an address that is four times as big as the one with a single A. Mail exchangers can be abbreviated with -ME- MX, because eXchange begins with X. ;)
I needed this video in my life for work - perfect timing! I swear Computerphile installed an agent in my brain. Every time I need to RampUp on a concept, there is new computerphile vid on it...or maybe youtube be creepin...
I used to explain it as like making a (land line) phone call to somebody in another town. You look up the town where the other person lives, dial the STD code for that place and then their number. The same code might cover several towns, just as several websites might be served from the same IP address. The name server does the same job as the code pages in the back of the phone book.
The DNS spoofing at the end is basically how the Big Firewall of China works in part. Because DNS has usually no encryption, they don't need to guess the request ID either, since they can just inspect it.
Would be cool if you could do i video on how DNS is changing, DoH : DNS Over HTTPS and DNS over TLS. How unencypted DNS queries are typically stored by ISP to build internet connection records ICRs
@@robertholtz Ha thanks, i studied computer science at UoN Mike and Julie are great lecturers for cyber security and comp sci things in general! Just wish UoN had more investment in cyber security and digital forensics modules while I was there.
There are ways to thwart secured DNS. If your records have a very short time to live, all queries will end up going to an authoritative nameserver. This request can be used to enable Web service temporarily, only to the IP address ultimately asking for its one. So only queries made in the clear will be answered.
It gives you the general idea so you have a fundamental understanding you can go research more yourself. Even as a software engineer this is probably all you need to know about DNS
@@maflones I remember being in University - and I still know some Professors. They don't live in the real world for sure but saying they're not competent is a bit harsh. They are really expert - just in things that your average company doesn't need. If they had to they could probably adapt to what real world IT demands of you. They wouldn't be happy with it though.
Worth contrasting the telephone system, based on 19th century technology where you have to remember someone’s telephone number (or maintain a directory on your phone), versus the Internet, developed in the 20th century, where the network itself takes care of finding the numbers for you, you just have to remember their names. The mobile phone in your pocket is such an advanced piece of technology, yet when you make a call or send an SMS to someone, it still falls back to this 19th-century way of finding them through the network--by a number instead of a name.
The early Internet didn't have a DNS system but required you to keep track of the IPs yourself. A legacy of that is the /etc/hosts file in *nix systems and the inherited (and very badly placed - I have no idea what DNS and Drivers have in common) C:\Windows\System32\Drivers\etc\hosts file in the Microsoft world.
@@lawrencedoliveiro9104 That's neither funny nor strange. You can make up almost any domain name, using any combination of letters and digits (and each domain name can have subdomains as well), but there is a limited number of IPv4 addresses.
That's because phone numbers are unique. You can quite difficultly create an NAPTR record in DNS to point a SIP URI at a SIP server, although having people enter your SIP address in their mobile phone's dialling software is a completely different usability problem. You could also point your UK phone number at a SIP address, you just need to follow all of the requirements set out by the defunct UKEM and petition the UK government to take over control of 4.4.e164.arpa (UK ENUM) from Nominet (who gave up on it).
One drawback with DNS A records, in particular, is that they only give you an IP address, not a port number. So they are not sufficient to identify a service, only a machine which might provide that service. This was remedied later with the introduction of SRV records, but they are not heavily used.
You are not illustrating the recursive method but the iterative method . In recursive approach , the root server will directly ask the TLD server which in turn will ask the Authoritative server and then the response will get back to the client in similar fashion but in reverse order.
Pleasantly surprised about the amount of information in an 8 min vid. Couldn't have explained it much better myself without going into Radix trees, resolvers, DDNS, BIND views & ACLs and DNSSEC. BTW, not sure there are many (if any) DNS implementations left that aren't patched against Cache poisoning since Dan Kaminsky released the research ~9 years ago.
@@PrimitiveFuturologist_YTC absolutely :) we did a scan of all the nameservers in one of the tld zones, and tried to fingerprint them. There were windows nt nameservers out there. It was scary! I mean, I'm impressed they are still up, but wow.
Your computer will query its host file before making a query to the computers default gateway. The host file was the method of resolving IP address to domain names before the existence of the Domain Name System. It sill exist so that small networks can be setup a way to resolve host names on their networks without setting up and administrating a domain name server. I use mine as an add blocker by resolving domain that host advertising to 127.0.0.1 .
"I use mine as an add blocker by resolving domain that host advertising to 127.0.0.1 . - "Same (but for blocking unwanted autoupdates) For Windows it's "%windir%\System32\drivers\etc" and you will have to open "hosts"
Yup. And in fact, the dnsmasq name server, which is designed for small setups like a home office, serves up exactly the contents of your /etc/hosts file, it doesn’t need (or understand) complex zone files like bind does.
@0:12: English is not my native language, so I might be totally wrong about the meaning of the word "resolve", but isn't the function of DNS server the opposite; resolve domain names we give it to IP addresses our computer needs to connect to? Not resolve the IP address to a domain name, as Dr. Mike states?
The function of a DNS server is to resolve one name into another, what each name is depends on the record type. It can do both IP address to domain name and vice versa. In this case, it should have been domain name to IP address though.
What if an IP address changes before it expires in the IP service cache, so the IP address that it feeds back to the querying computer is no longer correct?
I was hoping for a more thorough explanation of DNS. Who gets the money when I register a domain? How does an "A" record work? If I test if a domain is free by typing it in my browser, do I run a risk of someone registering it before I do?
I am wondering why does it gets messy and have to add a query id to correlate request and response? Isn't it synchronous i.e. it waits for the server to return the IP (or suggestion to query another server). Also why would it accept a response from another (say malicious) server with same query id? whom it didn't even query (request)?
Great video thanks. You didn't talk much about cache invalidation, you just mention a TTL (how is it define, what happen if the IP changes before TTL expire, ...). And when the IP is resolved, how route name server are updated to be able to redirect faster/closer the next time a computer asks? Thanks a lot for your videos
Given how rarely ip addresses change, I can't help but wonder if it wouldn't be more efficient to only have cache entries expire when the lookup fails or when space is needed. Has any research been done into that?
Now what happens if there is a cached IP address that is out of date? Does your computer try to go there and simply fail? I've never seen that so it seems unlikely. Does it try to go there, fail, and send another query indicating the IP address is out of date? Does it do something else altogether?
It goes there and fails. Anyone who is going to change their IP should reduce the TTL for their records in advance so the change is picked up quickly, Or have both IP's working for the transition period.
Time to live vs time to live ... how come it is usually set in minutes? Surely it lives longer than that, or is this a setting that tells it how long it will take at the most to go live?
Can you please come to my university and teach computer networks for the new first semestlers? Damn I needed this channel and especially you back then... Thank you for this video, great work. Enjoying your way of describing things very much. ;)
I'm not sure I get how, for example, the root dns server get accessed to. For example, it cannot be by its name since it would trigger another DNS lookup. So I assume that some of thoses different kind of servers, if not all, have their IP adresses hardcoded and passed around everywhere. I just don't know and it's not explained.
I don't know if you made a video about it already, but maybe you could make a video about DNSSEC and DNS over HTTPS and what problems they solve. Amazing thumbnail BTW
every once in awhile, i forgot that Computerphile is a double entendre and i get re-excited when i notice it again, lol. computerphile/computer_phile. [brain bMyBrain[] = Mind.Blown();
Ill try to give you a day in the life of a DNS query to better understand the technical lifecycle of DNS. DNS starts with your computer becoming aware of a DNS name server which is typically done through DHCP and is given by your ISP or sometimes is overriden on your router or computer to something like OpenDNS. You will interact with a name server called a cached resolver that might use recursuve lookups or distribute large chunks of updated records around. Those servers will follow up a hierarchy first through resolvers then up through domain levels up to the domain root TLDs. However when they do that they arent looking for an awnser to the DNS query like its IP instead its searching for the start of authority. At this point the query will be given a name server that can provide an authorative awnser to the query. This will be the domain registrars name servers and these servers generally are not recursive so they can only awnser for specific domain names. Among these servers arecones that actually store the original and most upbto date record which will be reference in the Start of Authority record. With that said queries will generally not go this deep ever. Instead youll be relying on a cache or mirror of a name server.
What happens when an IP address changes for a given domain name? Is there some cascading update for all the dns caches? Seems a bit inefficient unless there's some clever way that the caches are updated.
Oh a video about cache poisoning would be super cool. I know it is sometimes used for redirecting to login pages and the like but of course it is more often used as an attack vector.
How do they handle changing ips? eg. Google changes ip in the middle of the day and the legacy ip is cached. Does the ISP also cache the google name server or does it re-do the recursive search?
Judicious use of short Time-To_live values (TTLs) on the records. If the owner of a service changes an IP address and your closest name server has a cache with a long TTL (E.g. > 1 day), then you'll likely experience what looks like connectivity issues as you're directed to the wrong IP address, until the TTL expires or the DNS Cache on the local server is flushed.
Can you please explain the new encrypted DNS (over https)? It's so confusing when you look at how many settings and server adresses you have to plug in to get it to work with windows.
Okay this is a bit freaky... A few years ago, I had a corn snake. In a terrarium exactly like that one (except white), with that exact water bowl, that exact "cave", that exact log, and nearly the same 'vegetation'. A man after my own heart.
good day! what timing! i just had a DSN issue with my laptop wifi and instead on trying to figure out what it was, i just connected it via cable! And this video shows up!
It would be interesting to know what happens if the domain name doesn't exist. Is it number of bounces related, timeout related? Also what if the server IP does change. How does it work so this domain name is updated, or do you have to wait say 24 hours till the cache in all DNS servers get invalidated?
The nameserver be like: "I know a guy that knows a guy that can help you."
unless the nameserver is set to recursive
Imagine dns over tor:
i know a guy that knows a guy that knows a guy.... thar will tell you about the guy
DNS is no laughing matter! Why once, I met this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy, who knew this guy's cousin...!
Can we trust this guy?
- I don’t know for sure, he works for NASA though...
DNS is no doubt 'SaulGoodMan
03:52 Actually, it's 13 ip addresses. This is a hard limit related to the size of DNS packets. These 13 addresses used to belong to 13 servers, but this was long ago expanded by the use of anycast routing to share those ip addresses among multiple servers. A packet sent to one of those addresses get routed to a server in the closest location. These days there are over a thousand root name servers.
Yeah, that's what I thought too and I popped over to root-servers.org to verify. There are 13 "servers" belonging to 12 organizations (Verisign has two) which use anycast to serve from 1,309 sites as of today (2020-07-09).
@@CCRLH85 Odd, this is a copy and paste from their site, "As of 2020-07-10, the root server system consists of 1086 instances operated by the 12 independent root server operators." Still the 9th here in the US, but some parts of the world are already on the 10th.
Ah, is that why the limit.
Great clarification :) I think Steve is already planning a new video on this!
@@lawrencedoliveiro9104 Size of a UDP packet, which is the protocol that DNS runs on ( it runs on TCP too but UDP is tried first for various factors) has a limit of 512 bytes per packet. So there's a limit on the number of addresses you can fit in it. More than that and you can't fit the answer in 1 packet and have to switch to TCP to send the complete info.
Great explanation. One of the few people who explains computer concepts very simply. This is an art. Thank you very much.
This channel is singlehandedly helping me pass my Network+ exam
Takes me back 25 years when setting up the first DNS server for British Steel that would resolve internet and intranet queries
Boomer
but anyway well played the card of transitory state of youth
haha Im sure youre loaded now buddy stay blessed
Too bad your name is Mark and not Nigel.
From the look of the thumbnail, i tought Mike would say "Dunno" and the video would end.
☺ More like "The F*K If I Know!?"
Made my day
This is a wonderful comment
It's a blackbox and you don't really need to know.
Genius 😂
Every time you're troubleshooting: "It's not possible for DNS to be the cause, it's completely unrelated."
Also every time you're troubleshooting: "It was DNS."
suggested solution: check wtf is up with your DNS ;)
@@ayefries I literally just (right before lunchtime, less than an hour ago) resolved an issue caused by 1.1.1.1 not giving out ANY results for Fortinet requests.
@rebmcr yeah I’ve had similar random issues with 1.1.1.1 and ended up moving back to Google’s 8.8.8.8. I wanted to try and at least reduce my use of Google services so they don’t have literally all of my information haha, but unfortunately they tend to have the best, most reliable option most of the time (e.g. Google search vs DuckDuckGo, Gmail vs like every other email service, etc).
@@einsteinx2 The easiest way is to just use your ISP's DNS, or even your ISP-provided router (if applicable) as a forwarder.
If you want something super-fast for free, you go to Google's servers these days. Just be aware that they are now aware of _every_ site you access (you're asking _them_ where that server is. And selling information is what's their business, after all).
There's quite a few free ("open source community" I'd say for some) non-tracking services around aswell, some even blacklisting known phishing sites etc; they work fine, but you'll have to add a millisecond here or there, so it's not _as_ snappy as 1.1.1.1
@@GutnarmEVE Great idea, all ISPs in my country are obligated by government to log all client traffic. Google may make money on it, ISPs may help make case for law enforcement.
When recommendations are faster than sub box
Lmau
TH-cam is definitely not fundamentally broken in many ways.......
Or how to make people forget that TH-cam exists. :)
I hate this change
Am I the only one who confused substitution boxes with sub box? Maybe I've studied cryptography too much
Subscribe to me to get a sub (:
I love this man's explanations, Clean & Simple. So easy to understand and it helps me out alot!
Was going to say something similar, and also the energy and humor he uses to convey the message is great.
Watched this video 2 years ago, didn't get much.
After recent studying, it all makes sense. Great video, this channels is a very helpful reference for top level explanations.
I see Dr. Michael Pound, I click like.
You mean Sir Dr Michael Pound, CBE
you pound the like button
Finally a new video from Dr. Mike
title: how something works.
thumbnail: who tf knows really!?
Videos with Mike are always really interesting. I really appreciate this guy!
You should do a video on DNS records like MX, A, CNAME, TXT, etc.
Yeah, I was first learning the DNS server farms out around and basic DNS servers are set up with text like data and they feed update each other until recent better security has been implemented because DNS can be hacked rerouted.
And the Address and Routing Parameter Area where PTR records live... ;)
@@klyanadkmorr yep, DNSSEC. Cryptographically signs replies so it can't be faked, unless you have managed to compromise the signing keys...usually very, very unlikely.
I love how ambiguous the record names are lol. It's impossible to infer anything from them aside from CNAME. I mean that's gotta be name for something.
But... A?
@@-dash They are completely fine abbreviations. A is an address and AAAA is an address that is four times as big as the one with a single A. Mail exchangers can be abbreviated with -ME- MX, because eXchange begins with X. ;)
It's so good to see you after a long time.
he's by far my favorite on this format
Dr Mike on the mic, check 1 - 2.
This guy is always interesting, i love his encryption videos :D
I needed this video in my life for work - perfect timing! I swear Computerphile installed an agent in my brain. Every time I need to RampUp on a concept, there is new computerphile vid on it...or maybe youtube be creepin...
I used to explain it as like making a (land line) phone call to somebody in another town. You look up the town where the other person lives, dial the STD code for that place and then their number. The same code might cover several towns, just as several websites might be served from the same IP address. The name server does the same job as the code pages in the back of the phone book.
What a coincidence!
I was looking for information about DNS the whole day, I love computerphile.
You should get something better. This video is full of errors.
@@maflones what
The DNS spoofing at the end is basically how the Big Firewall of China works in part. Because DNS has usually no encryption, they don't need to guess the request ID either, since they can just inspect it.
This guy deserves he own youtube channel
I like the awkward humor of this man. Would be nice to hang out with this dude for a bit.
Would be cool if you could do i video on how DNS is changing, DoH : DNS Over HTTPS and DNS over TLS. How unencypted DNS queries are typically stored by ISP to build internet connection records ICRs
Yes. This.
Zazzy I’d rather watch YOUR video. You seem quite knowledgeable.
@@robertholtz Ha thanks, i studied computer science at UoN Mike and Julie are great lecturers for cyber security and comp sci things in general! Just wish UoN had more investment in cyber security and digital forensics modules while I was there.
THIS
There are ways to thwart secured DNS. If your records have a very short time to live, all queries will end up going to an authoritative nameserver. This request can be used to enable Web service temporarily, only to the IP address ultimately asking for its one. So only queries made in the clear will be answered.
Even though i know what dns is still watched whole video. I like both computer as well as number phile vids :)
I’d love if these vids were more technical
They are not competent...
Computerphile is a channel that explains professional concepts to laypeople, and the _lack_ of technical details is valuable.
It gives you the general idea so you have a fundamental understanding you can go research more yourself. Even as a software engineer this is probably all you need to know about DNS
@@p_serdiuk Hey,
Can you suggest some channel cool like computerphile with moree techy knowledge ?
Thankyou
@@maflones I remember being in University - and I still know some Professors. They don't live in the real world for sure but saying they're not competent is a bit harsh. They are really expert - just in things that your average company doesn't need. If they had to they could probably adapt to what real world IT demands of you. They wouldn't be happy with it though.
Worth contrasting the telephone system, based on 19th century technology where you have to remember someone’s telephone number (or maintain a directory on your phone), versus the Internet, developed in the 20th century, where the network itself takes care of finding the numbers for you, you just have to remember their names.
The mobile phone in your pocket is such an advanced piece of technology, yet when you make a call or send an SMS to someone, it still falls back to this 19th-century way of finding them through the network--by a number instead of a name.
The early Internet didn't have a DNS system but required you to keep track of the IPs yourself.
A legacy of that is the /etc/hosts file in *nix systems and the inherited (and very badly placed - I have no idea what DNS and Drivers have in common) C:\Windows\System32\Drivers\etc\hosts file in the Microsoft world.
that's because each number is unique, names aren't
Funny, then, that the world is running out of IPv4 numbers (addresses), but there are still plenty of domain names to go around.
@@lawrencedoliveiro9104
That's neither funny nor strange.
You can make up almost any domain name, using any combination of letters and digits (and each domain name can have subdomains as well), but there is a limited number of IPv4 addresses.
That's because phone numbers are unique. You can quite difficultly create an NAPTR record in DNS to point a SIP URI at a SIP server, although having people enter your SIP address in their mobile phone's dialling software is a completely different usability problem. You could also point your UK phone number at a SIP address, you just need to follow all of the requirements set out by the defunct UKEM and petition the UK government to take over control of 4.4.e164.arpa (UK ENUM) from Nominet (who gave up on it).
05:30 About to say "it could be" 10.0.1.2 and then checks himself when he realises it definitely couldn't be!
Hahaha almost missed that, thank you for this comment
Why again is that? It's not in the public IP range or why?
@@Blast-Forward 10.0.0.0/8 (i.e. 10.0.0.0 through 10.255.255.255) is one of three ranges reserved for private networks
Or maybe 172.16......wait no. Perhaps 192.168......ah s**t
@@NyanSten Thank you. I've heard that before but didn't remember.
2:16 "Or it could be your ISP, if you live at home probably"
Well, where do you live mate, we can send help
My, my. I live at the Data Center!
I live in the ocean
This Guy is Gifted.. I am Enlightened 💡every time I watch his explanations... Thank you.
7:20: there are PI times 100,000 views. is that a numberphile video?
miniro it is actually pi * 1,000,000
Give us more of this guy.
Please, don't stop on making videos, you really inspire me :)
Love the fact that at 07:19, the view count for the displayed video is digits of pi
One drawback with DNS A records, in particular, is that they only give you an IP address, not a port number. So they are not sufficient to identify a service, only a machine which might provide that service. This was remedied later with the introduction of SRV records, but they are not heavily used.
IPv6 ftw?
IPv4 or IPv6 makes no difference.
You are not illustrating the recursive method but the iterative method . In recursive approach , the root server will directly ask the TLD server which in turn will ask the Authoritative server and then the response will get back to the client in similar fashion but in reverse order.
Thank you computer papi for consantly saving my studies
This is the best video thumbnail yet! :-P
2:05 it could also be in /etc/hosts if you use linux right?
I'm so happy we finally got to see who lives in that vivarium!
Pleasantly surprised about the amount of information in an 8 min vid. Couldn't have explained it much better myself without going into Radix trees, resolvers, DDNS, BIND views & ACLs and DNSSEC. BTW, not sure there are many (if any) DNS implementations left that aren't patched against Cache poisoning since Dan Kaminsky released the research ~9 years ago.
Oh there 100% are. The internet is a wild place.
amaena Then they deserve what they get. >:-)
@@PrimitiveFuturologist_YTC absolutely :) we did a scan of all the nameservers in one of the tld zones, and tried to fingerprint them. There were windows nt nameservers out there. It was scary! I mean, I'm impressed they are still up, but wow.
amaena What’s the betting 389 is open on some of ‘em?
0:33 just bogo search through ips
Your computer will query its host file before making a query to the computers default gateway. The host file was the method of resolving IP address to domain names before the existence of the Domain Name System. It sill exist so that small networks can be setup a way to resolve host names on their networks without setting up and administrating a domain name server. I use mine as an add blocker by resolving domain that host advertising to 127.0.0.1 .
"I use mine as an add blocker by resolving domain that host advertising to 127.0.0.1 . - "Same (but for blocking unwanted autoupdates)
For Windows it's "%windir%\System32\drivers\etc" and you will have to open "hosts"
@@igorthelight Syntax error, I've used it on both Windows and Linux. I dumped using Windows 3 years ago so auto updates is not an issue.
Yup. And in fact, the dnsmasq name server, which is designed for small setups like a home office, serves up exactly the contents of your /etc/hosts file, it doesn’t need (or understand) complex zone files like bind does.
Would love to see Dr. Mike Pound do a video on JSON Web Tokens!!
@0:12: English is not my native language, so I might be totally wrong about the meaning of the word "resolve", but isn't the function of DNS server the opposite; resolve domain names we give it to IP addresses our computer needs to connect to? Not resolve the IP address to a domain name, as Dr. Mike states?
It's both.
The function of a DNS server is to resolve one name into another, what each name is depends on the record type. It can do both IP address to domain name and vice versa. In this case, it should have been domain name to IP address though.
@@NyanSten Thanks for the explanation!
This is actually quite useful since I'm in the process of creating my first own website
Where does the hosts file come into picture?
Great video and explanation as usual! Now I need the DNS poisoning video!
What if an IP address changes before it expires in the IP service cache, so the IP address that it feeds back to the querying computer is no longer correct?
After 2 weeks nobody has answered this, nobody knows the answer , what a shame !
@@pkelly20091 Indeed. Maybe the powers that be with the answers have simply not noticed the question. LOL
I was waiting for this for so long...
Brilliant video, and straight to the point, thank you guys! This has been bugging me for a while....
Recently setup Pihole which has worked phenomenally as a DNS server. Highly recommend everyone to look into it!
@Red Dunkey wut?
@Red Dunkey ah yes, if I string enough computery sounding words together people will think i'm smart!
I really love the idea of the waking up in the morning and going "OH NO is Google where I left it???"
I was hoping for a more thorough explanation of DNS. Who gets the money when I register a domain? How does an "A" record work? If I test if a domain is free by typing it in my browser, do I run a risk of someone registering it before I do?
I see mike Pound, I click the video.
I click the video, I see Mike Pound
Incredibly well explained! Thank you!!!!
Well I'll be damned, I always thought DNS stood for Domain name server, not domain name system. Thanks!
Or domain name service
3:36 - "it hasn't got the foggiest idea", cloud pun? fog -> cloud -> internet? (I know it's a British saying)
good introductory video, hopefully to be followed up with more technical deep dives into the morass of dns
Very Well Explained !!! Thanks to Dr Mike Pound.
I am wondering why does it gets messy and have to add a query id to correlate request and response? Isn't it synchronous i.e. it waits for the server to return the IP (or suggestion to query another server). Also why would it accept a response from another (say malicious) server with same query id? whom it didn't even query (request)?
Nice as always! What about IRC?
Great video thanks.
You didn't talk much about cache invalidation, you just mention a TTL (how is it define, what happen if the IP changes before TTL expire, ...).
And when the IP is resolved, how route name server are updated to be able to redirect faster/closer the next time a computer asks?
Thanks a lot for your videos
any source you can suggest dealing with topics you mention?
Given how rarely ip addresses change, I can't help but wonder if it wouldn't be more efficient to only have cache entries expire when the lookup fails or when space is needed. Has any research been done into that?
IPs change allllll the time, especially with cloud services.
Dude it's way more dynamic out there than you think. Have you done any research into it at all?
Now what happens if there is a cached IP address that is out of date? Does your computer try to go there and simply fail? I've never seen that so it seems unlikely. Does it try to go there, fail, and send another query indicating the IP address is out of date? Does it do something else altogether?
It goes there and fails.
Anyone who is going to change their IP should reduce the TTL for their records in advance so the change is picked up quickly, Or have both IP's working for the transition period.
The link at the end of Mikes Snake cannot be clicked on. Is there a link to that?
So name servers are recursive (?) DNS servers. Is that the same name servers configured when registering a domain as well?
That's some really quality content
MORE MIKE POUND!!!
Time to live vs time to live ... how come it is usually set in minutes? Surely it lives longer than that, or is this a setting that tells it how long it will take at the most to go live?
What's that video with the snake on the left at the end?
do u do any security vids
It's probably worth mentioning the hosts file as a potential first point of resolution before DNS
Three seconds in and he's giving us the finger. Noice way to treat your audience mate.
I'm ready for the DNS cache poisoning video!
Can you please come to my university and teach computer networks for the new first semestlers? Damn I needed this channel and especially you back then... Thank you for this video, great work. Enjoying your way of describing things very much. ;)
I'm not sure I get how, for example, the root dns server get accessed to. For example, it cannot be by its name since it would trigger another DNS lookup. So I assume that some of thoses different kind of servers, if not all, have their IP adresses hardcoded and passed around everywhere. I just don't know and it's not explained.
Thumbnail = perfection
How about the software that runs the DNS servers? Is it open-source or proprietary?
Can't wait for the DNS cache hacking video! It should be pretty fun!
I don't know if you made a video about it already, but maybe you could make a video about DNSSEC and DNS over HTTPS and what problems they solve. Amazing thumbnail BTW
Love these videos!
Have wired and wireless communication exam on monday, what a coincidence! :,)
Hope you've got DORA, TDM and CSMA/CA down. ;-)
every once in awhile, i forgot that Computerphile is a double entendre and i get re-excited when i notice it again, lol. computerphile/computer_phile. [brain bMyBrain[] = Mind.Blown();
Ill try to give you a day in the life of a DNS query to better understand the technical lifecycle of DNS.
DNS starts with your computer becoming aware of a DNS name server which is typically done through DHCP and is given by your ISP or sometimes is overriden on your router or computer to something like OpenDNS.
You will interact with a name server called a cached resolver that might use recursuve lookups or distribute large chunks of updated records around.
Those servers will follow up a hierarchy first through resolvers then up through domain levels up to the domain root TLDs. However when they do that they arent looking for an awnser to the DNS query like its IP instead its searching for the start of authority.
At this point the query will be given a name server that can provide an authorative awnser to the query. This will be the domain registrars name servers and these servers generally are not recursive so they can only awnser for specific domain names. Among these servers arecones that actually store the original and most upbto date record which will be reference in the Start of Authority record.
With that said queries will generally not go this deep ever. Instead youll be relying on a cache or mirror of a name server.
What happens when an IP address changes for a given domain name? Is there some cascading update for all the dns caches? Seems a bit inefficient unless there's some clever way that the caches are updated.
nope. you have to wait sometimes a couple of hours for the propagation to happen.
Oh a video about cache poisoning would be super cool. I know it is sometimes used for redirecting to login pages and the like but of course it is more often used as an attack vector.
How do they handle changing ips?
eg. Google changes ip in the middle of the day and the legacy ip is cached. Does the ISP also cache the google name server or does it re-do the recursive search?
Judicious use of short Time-To_live values (TTLs) on the records. If the owner of a service changes an IP address and your closest name server has a cache with a long TTL (E.g. > 1 day), then you'll likely experience what looks like connectivity issues as you're directed to the wrong IP address, until the TTL expires or the DNS Cache on the local server is flushed.
Just set up my website, this stuff is really fun to code for :D
Wont it be possible to setup your own domains then by sending a new ip and domain to one of the servers?
Can you please explain the new encrypted DNS (over https)? It's so confusing when you look at how many settings and server adresses you have to plug in to get it to work with windows.
His accent is British! So wonderful!
Amazing explanation, thank you!
Okay this is a bit freaky...
A few years ago, I had a corn snake. In a terrarium exactly like that one (except white), with that exact water bowl, that exact "cave", that exact log, and nearly the same 'vegetation'.
A man after my own heart.
That's a kitten, not a snake. You don't keep them in glass tanks. 🙃
good day! what timing! i just had a DSN issue with my laptop wifi and instead on trying to figure out what it was, i just connected it via cable! And this video shows up!
It would be interesting to know what happens if the domain name doesn't exist. Is it number of bounces related, timeout related? Also what if the server IP does change. How does it work so this domain name is updated, or do you have to wait say 24 hours till the cache in all DNS servers get invalidated?
I love your videos ❤️ wished I've done my bachelor degree in nottingham :)
Unless google servers are inside your local network, that IP will probably not belong to google :D
ZombieBest someone in your network could have set up a proxy server to google
@@whythosenames Ah but then they would also have to have set up a local DNS to point to that!
RFC1918 block does not "belong", It can not by design, because it is not unique. It is like a local variable that means nothing in global scope.
2:15 "if you live at home"
as opposed to ?