On July 22, 2017, Hujiang operations engineer Zhou Feng gave a talk on the evolution of Hujiang's DNS into HTTPDNS at the Ele.me Technical Salon [Ninth Shell], Shanghai R&D Center, Operations and Maintenance special session. As the exclusive video partner, IT Dakashuo (WeChat ID: itdakashuo) is authorized to release the video with the approval of the host and the speaker.

Word count: 2354 | about 5 minutes to read

Video and slides of the talk:
suo.im/1Sn8cr

Abstract

HTTPDNS is an effective solution to domain-name hijacking. It is widely used by large vendors and has become a mature product. This talk focuses on Hujiang's evolution from DNS to HTTPDNS, in the hope of giving you some inspiration.

DNS overview

The full name of DNS is Domain Name System; its purpose is to resolve a domain name to an IP address. Basic DNS uses port 53 over TCP or UDP. UDP is the default; TCP is recommended where the requirements on service quality are high.

Why do we need DNS?

In the TCP/IP protocol suite, hosts communicate with each other by IP address. IP addresses are hard to remember, so most websites are accessed by domain name. And because a program should not hard-code IP addresses, services are called by FQDN (fully qualified domain name).

Terminology

Take mail.cctv.com as an example. Its top-level domain is .com, the second-level domain is cctv, and the third-level domain is mail, which is also a subdomain of cctv.com. Finally, the root domain is ".", which is usually not written.

Authoritative DNS, commonly known as the server with the "final say", tells users which IP address a domain name resolves to. Cache DNS mainly caches the results of users' resolution requests in order to reduce the workload of the authoritative DNS. Recursive DNS (LocalDNS) is usually operated by carriers: it receives recursive queries from users and performs the iterative queries itself. Forwarding DNS is similar to recursive DNS: it first checks whether it holds authoritative records and, if so, returns them directly to the user; otherwise it forwards the query. Public DNS is also a foundation of HTTPDNS; some common public DNS servers are Baidu 180.76.76.76, Ali 223.5.5.5/223.6.6.6 and Tencent 119.29.29.29.

Recursive query schematic (give me the answer): A->B, B->C, C->D, D->C->B->A. Iterative query schematic (give me the answer, or a hint): A->B, A->C, A->D, D->A.

How does DNS work?

DNS workflow when a user accesses http://mail.cctv.com/:

The client first sends a recursive query to its recursive DNS (LocalDNS). The recursive DNS then initiates an iterative query to the root domain NS, and the root returns the NS of the com domain. The recursive DNS next queries the com domain NS, which returns the NS of cctv.com. Finally, the recursive DNS queries the cctv.com NS and obtains the final result: the IP address of mail.cctv.com.

If the client already has the result cached, the above procedure is skipped and the result is returned directly.
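The workflow above as an added example (not code from the talk): the client sends one recursive query to its LocalDNS, the LocalDNS walks root -> com NS -> cctv.com NS by following referrals, and a repeat lookup is served from its cache. The zone data is simplified and the server names and answer IP are assumptions constructed for the example.

```python
# Added example, not from the talk: a small model of the DNS workflow above.
# The client sends one recursive query to its LocalDNS; the LocalDNS walks
# root -> com NS -> cctv.com NS iteratively, following NS referrals, and
# caches the answer so a repeat lookup skips the walk entirely.
# Zone data is simplified; the server names and answer IP are constructed.

# Each server either refers the resolver to a child zone's NS or answers.
SERVERS = {
    "root": {"refer": {"com": "a.gtld-servers.net"}},
    "a.gtld-servers.net": {"refer": {"cctv.com": "ns1.cctv.com"}},
    "ns1.cctv.com": {"answer": {"mail.cctv.com": "203.0.113.10"}},
}


class LocalDNS:
    """The carrier-side recursive DNS: iterates on the user's behalf and caches."""

    def __init__(self, servers):
        self.servers = servers
        self.cache = {}

    def _referral(self, server, qname):
        # Longest-suffix match: "mail.cctv.com" -> "cctv.com" at the com NS.
        refs = self.servers[server].get("refer", {})
        labels = qname.split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            if zone in refs:
                return refs[zone]
        return None

    def resolve(self, qname):
        """Return (ip, servers_asked); an empty list means a cache hit."""
        if qname in self.cache:
            return self.cache[qname], []
        asked, server = [], "root"
        while True:
            asked.append(server)
            entry = self.servers[server]
            if qname in entry.get("answer", {}):
                self.cache[qname] = entry["answer"][qname]
                return self.cache[qname], asked
            server = self._referral(server, qname)
            if server is None:
                raise LookupError(f"no referral for {qname}")


def client_lookup(localdns, hostname):
    """Stub resolver on the user's host: a single recursive query to LocalDNS."""
    return localdns.resolve(hostname)
```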

HTTPDNS overview

HTTPDNS is a service built on top of DNS that also resolves domain names to IP addresses. The difference is that HTTPDNS uses ports 80/443 over HTTP/HTTPS.

Why do we need HTTPDNS?

HTTPDNS works around the pitfalls of carrier LocalDNS, such as domain-name hijacking, slow access, resolution forwarding, and so on.

How does HTTPDNS work?


When HTTPDNS is unavailable, the client switches to the standby path: normal LocalDNS resolution.

HTTPDNS sees the user's real IP address directly in the HTTP request, whereas with ordinary resolution the authoritative DNS only sees the address of the ISP's LocalDNS.

How we use HTTPDNS

BGP Anycast is recommended for the HTTPDNS cluster's interface service: it lets users reach the nearest HTTPDNS server. Alternatively, a fixed public interface IP address can be defined.

The call mode is primary/standby/standby: when one HTTPDNS server is unavailable, the next one is invoked; when all HTTPDNS servers are unavailable, the client falls back to normal LocalDNS resolution. There is also an IP-list approach, in which the SDK pings multiple HTTPDNS nodes and prefers the node with the lowest latency.

There are two query modes, HTTP and HTTPS; HTTPS prevents the reply content from being hijacked.

When the request is sent to the IP address returned by HTTPDNS, the server cannot tell which hostname is being requested. To fix this, add a Host header to the request specifying the required hostname.
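The client-side logic of this section as an added example (not Hujiang's SDK): primary/standby/standby failover across HTTPDNS endpoints, fallback to LocalDNS when all fail, the IP-list latency ranking, and the Host header for a request sent to a bare IP. The endpoint addresses, the JSON reply shape `{"ips": [...]}`, and the injected `fetch`, `probe` and `system_resolve` callables are assumptions so the example runs offline.

```python
# Added example, not Hujiang's SDK: the client-side call order described above.
# HTTPDNS endpoints are tried in order (primary, standby, standby); when all of
# them fail, resolution falls back to normal LocalDNS through the system
# resolver. The endpoint IPs, the JSON reply shape {"ips": [...]} and the
# injected `fetch` / `probe` / `system_resolve` callables are assumptions that
# let the example run offline.
import json
import socket

HTTPDNS_ENDPOINTS = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]  # constructed


def resolve(hostname, fetch, system_resolve=socket.gethostbyname,
            endpoints=HTTPDNS_ENDPOINTS):
    """Return (ip, source); source is the HTTPDNS endpoint used or 'localdns'."""
    for ep in endpoints:
        try:
            # Ask over HTTPS (port 443) so the reply cannot be tampered with in transit.
            body = fetch(f"https://{ep}/d?host={hostname}")
            ips = json.loads(body).get("ips") or []
            if ips:
                return ips[0], ep
        except Exception:
            continue  # unavailable or malformed reply: invoke the next server
    # All HTTPDNS servers unavailable: switch to the normal LocalDNS path.
    return system_resolve(hostname), "localdns"


def rank_by_latency(endpoints, probe):
    """IP-list mode: probe every node and prefer the lowest latency; unreachable nodes are dropped."""
    timings = {}
    for ep in endpoints:
        try:
            timings[ep] = probe(ep)
        except Exception:
            pass
    return sorted(timings, key=timings.get)


def build_request(hostname, path="/"):
    """HTTP/1.1 request to send on a socket opened to the resolved IP (port 80).
    The Host header carries the real hostname; without it the server cannot
    tell which virtual host the request is for. For HTTPS, also pass
    server_hostname=hostname to ssl.SSLContext.wrap_socket so that SNI and
    the certificate check use the hostname rather than the IP."""
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {hostname}\r\n"
            "Connection: close\r\n\r\n")
```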

The evolution of DNS at Hujiang

Primitive Society: HOSTS

The earliest domain-name resolution method is the HOSTS file. On Windows it is stored at C:\Windows\System32\drivers\etc\hosts; on Linux it is /etc/hosts. Its advantages are that it is simple, crude and unobtrusive; its disadvantages are more obvious: large files, slow distribution, bandwidth consumption, and consistency problems.

Slave society: Microsoft DNS

Microsoft DNS has the advantage of being simple and easy to use, but it also has problems: it is a black box, with poor scalability, concurrency, security and centralized management, and unstable master/slave synchronization.

Feudal society: BIND

After abandoning Microsoft DNS, we used BIND, the open-source DNS software, which is by far the most popular DNS implementation. Hujiang used BIND in two stages: first the deployment of the BIND service, then the optimization and transformation of BIND into a distributed cluster.

During the deployment phase we had three lines, and user DNS requests were distributed round-robin across these three DNS servers. This basically met users' needs, but there were many problems. First, the authoritative DNS had recursion and forwarding enabled, which put extra load on the DNS server. Second, records were modified entirely by hand, there was no region-based (intelligent) resolution, and the authoritative DNS was a single point of failure. Finally, the intranet and extranet were not separated, and the authoritative DNS also served as the cache DNS.

In the cluster optimization stage, we deployed two authoritative DNS servers for HA in each machine room and deployed the cache DNS separately. Servers on each intranet query the cache DNS, which reduces the load on the authoritative DNS, and we separated reads and writes on the authoritative DNS.

Optimizations at each DNS node

The authoritative DNS enables log rotation and intelligent (region-based) resolution.

Optimizations on the authoritative DNS master: recursion and forwarding are disabled, records are changed with key-authenticated nsupdate, and resolution records are updated dynamically.

Optimizations on the authoritative DNS slave: interface-interval 1 is set, so that BIND rescans its network interfaces every minute and picks up VIP drift in the pacemaker cluster. If master/slave synchronization becomes inconsistent, the slave's records are corrected separately.

Cache DNS separation: the allowed query range is limited to the intranet, and recursion is enabled. A back-end logic management layer sits behind the DNS nodes.

Capitalist society: HTTPDNS

Hujiang's move to HTTPDNS involved two main tasks. The first was selecting the HTTPDNS interface service, choosing between a self-built HTTPDNS service and third-party services. Once the interface service was selected, the mobile SDK had to be modified, which was the second task.

DNS pitfalls

DNS resolution takes a long time

The main reasons are that the DNS had recursion and forwarding enabled, was not deployed in a distributed way with read/write separation, and used a single ISP line.

DNS Security

Common DNS attacks include DNS query floods, UDP floods, reflection attacks, and amplification attacks.

The solutions are as follows: to withstand high-volume attacks, purchase third-party services and increase the DNS public-network bandwidth; configure a whitelist policy on the authoritative DNS; and configure a DNS rate-limiting policy and improve the DNS concurrency performance.
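A defender-side check that complements the rate-limiting policy above, as an added example (not from the talk): it parses BIND-style query-log lines and reports clients whose queries per one-second window exceed a threshold, which is how a query flood shows up before the server is saturated. The log lines, client addresses and query names are constructed for the example.

```python
# Added example, not from the talk: a defender-side check that complements the
# rate-limiting policy mentioned above. It scans BIND-style query-log lines and
# reports clients whose queries per one-second window exceed a threshold, so a
# query flood can be spotted before the resolver is saturated.
# The log lines, addresses and query names are constructed for illustration.
import re
from collections import defaultdict

# Matches both the older "client 192.0.2.1#5353 (name): query:" and the newer
# "client @0x... 192.0.2.1#5353 (name): query:" BIND 9 query-log formats.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]*)\): query:"
)


def parse(line):
    """Return (second_timestamp, client_ip, qname) or None for non-query lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("ip"), m.group("qname")


def flood_sources(lines, threshold):
    """Return {client_ip: peak_queries_per_second} for clients above `threshold`."""
    per_second = defaultdict(int)  # (second, ip) -> query count
    for line in lines:
        parsed = parse(line)
        if parsed:
            ts, ip, _ = parsed
            per_second[(ts, ip)] += 1
    peaks = defaultdict(int)
    for (ts, ip), n in per_second.items():
        peaks[ip] = max(peaks[ip], n)
    return {ip: n for ip, n in peaks.items() if n > threshold}


# Constructed sample: 192.0.2.7 sends 6 queries within one second, others are quiet.
SAMPLE_LOG = [
    f"22-Jul-2017 10:00:00.{i:03d} client 192.0.2.7#{40000 + i} (r{i}.cctv.com): "
    f"query: r{i}.cctv.com IN A + (10.0.0.1)"
    for i in range(6)
] + [
    "22-Jul-2017 10:00:00.500 client @0x7f3a 192.0.2.8#5353 (mail.cctv.com): query: mail.cctv.com IN A +E(0)K (10.0.0.1)",
    "22-Jul-2017 10:00:01.200 client 192.0.2.7#5353 (www.cctv.com): query: www.cctv.com IN A + (10.0.0.1)",
    "22-Jul-2017 10:00:01.300 general: info: zone cctv.com/IN: loaded serial 2017072201",
]
```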

DNS resolution changes do not take effect on the client

Some client applications built on frameworks such as Java/.NET/Python, for example salt-minion, do not pick up a DNS resolution change immediately.

The reason is that the program never re-triggers res_init() in the client's glibc resolver. A Python program using socket.getaddrinfo calls res_init() only when it first starts, and that is the only time it reads /etc/resolv.conf.

The solution is to restart the client program, which forces the client-side resolver to re-initialize. Alternatively, the client program can call the underlying domain-name resolution functions directly instead of going through the third-party framework.

DNS region-based resolution is incorrect

This may be caused by the LocalDNS forwarding the resolution elsewhere, or by a problem with the IP address library used by the authoritative DNS.

Incorrect NS records were written at the domain registrar

In this case, immediately change the glue records at the domain registrar to the correct values, or ask the registrar to refresh the glue records affecting the domain name.

DNS pollution

Needless to say, use HTTPDNS!