The Domain Name System is one of the most important internet services in existence, without which we wouldn’t be able to access any online content or even send an email. In fact, every time we try to connect to a website or any other online service, DNS root servers help our computers find and reach the desired addresses.
DNS root servers are a crucial part of the entire DNS and for that matter, the Internet, but there isn’t that much information about them available. There are also a few myths floating around. So today, we’ll learn what root servers are, what they do and how many of them are really out there.
What are DNS root servers?
Root servers, or DNS root servers, are name servers that are responsible for the functionality of the DNS as well as the entire Internet. They’re the first step in the name resolution of any domain name, meaning they translate domain names into IP addresses.
The mapping of domain names to IP addresses works in a hierarchical order using DNS zones. Root servers serve the root zone, which sits at the top of the hierarchy, and they publish the root zone file. In turn, the root zone file contains resource records for the authoritative servers of all TLDs. Because of this, they can work two ways:
- Answer directly to queries for those resource records in the root zone or
- Refer queries to the appropriate name servers for the requested TLD
While in the second case they aren’t directly involved in name resolution, root servers are at the root (figuratively and literally) of the entire Internet’s infrastructure. Without them, most of the online world we know and use today wouldn’t be accessible.
How do root servers work?
The way root servers work comes down to the process of name resolution:
- When you type www.securitytrails.com into your web browser, the request first goes to either an ISP DNS server or another DNS server you’ve configured. Sometimes, that DNS server may have the information on the domain stored in cache, and if that’s the case it will simply respond with the information and serve you that website.
- However, if it doesn’t have that information stored, the DNS server will send a query to the root server. The root servers won’t have information on a specific IP address for www.securitytrails.com, but they will know where the name servers that serve that TLD (.com) are.
- Root servers will return the list of TLD servers so the provider or configured server can again send a query, this time to a TLD server.
- The TLD server will then return the authoritative name server where the desired domain is stored.
- This is when the server that made the request sends a query to the authoritative server hosting the zone of the domain in question.
- Once the request has reached the authoritative server, it will respond to the requesting server with the IP address for www.securitytrails.com.
- When the requesting server has this information, it will cache it for future requests and will return the answer to your resolver, which will send it to your web browser and allow you to access the desired website.
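The lookup sequence above, as a small offline simulation (an added example, not code from SecurityTrails). The server addresses and zone contents are constructed placeholders from the documentation IP ranges, and `query` and `resolve` are hypothetical helper names.

```python
# Constructed, offline model of the DNS hierarchy; every address is a
# documentation-range placeholder, not real zone data.
ROOT = "192.0.2.1"  # stands in for a root server
SERVERS = {
    ROOT: {"referrals": {"com.": ["198.51.100.1"]}, "answers": {}},
    "198.51.100.1": {  # stands in for a .com TLD server
        "referrals": {"securitytrails.com.": ["203.0.113.53"]},
        "answers": {},
    },
    "203.0.113.53": {  # stands in for the domain's authoritative server
        "referrals": {},
        "answers": {"www.securitytrails.com.": "203.0.113.80"},
    },
}


def query(server, name):
    """Ask one server: ('answer', ip), ('referral', [servers]) or ('nxdomain', None)."""
    zone = SERVERS[server]
    if name in zone["answers"]:
        return "answer", zone["answers"][name]
    # Pick the most specific delegation whose suffix covers the name.
    matches = [z for z in zone["referrals"] if name.endswith("." + z) or name == z]
    if matches:
        return "referral", zone["referrals"][max(matches, key=len)]
    return "nxdomain", None


def resolve(name, cache, max_hops=8):
    """Iteratively resolve name; returns (ip, list of servers contacted)."""
    if name in cache:                  # cached answer: no queries are sent
        return cache[name], []
    server, trace = ROOT, []           # cache miss: start at a root server
    for _ in range(max_hops):          # bound the walk so referral loops end
        trace.append(server)
        kind, data = query(server, name)
        if kind == "answer":           # authoritative server reached
            cache[name] = data         # cache it for future requests
            return data, trace
        if kind == "nxdomain":
            return None, trace
        server = data[0]               # follow the referral one level down
    raise RuntimeError("too many referrals")
```

The first call to `resolve("www.securitytrails.com.", cache)` contacts three servers in order (root, TLD, authoritative); a second call with the same cache contacts none.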
How many DNS root servers are there?
When researching the answer to this question we often see the number 13 pop up. So, you may ask, why are there only 13 root servers?
It’s because of the limitations of the original DNS infrastructure, which used only IPv4¹ containing 32 bytes. The IP addresses needed to fit into a single packet, which was limited to 512 bytes at that time. So, each of the IPv4 addresses is 32 bits, and 13 of them come to 416 bytes, leaving the remaining 96 bytes for protocol information.
Before, there was only one single server for each of the 13 IP addresses, while today we have a server cluster for each of them—creating a network of hundreds of servers all around the world which use anycast routing. This helps balance their decentralization and ensure reliability even if one of the root servers becomes unavailable due to, for example, a DDoS attack or any other type of DNS attack.
However, with the emergence of IPv6 unhampered by a low limitation on packet size, it’s almost certain we’ll see many more DNS root servers pop up in the future.
Where are the DNS root servers located?
There are hundreds of root servers at over 130 locations all over the world. ICANN² is responsible for the servers for one of the 13 IP addresses and entrusts the operation of the rest to various other organizations. In total, there are 12 organizations held responsible, with VeriSign operating two of them³.
Here’s a list of the DNS root servers:
| Hostname | IP address IPv4 / IPv6 | Organization |
|---|---|---|
| a.root-servers.net | 188.8.131.52, 2001:503:ba3e::2:30 | VeriSign, Inc. |
| b.root-servers.net | 184.108.40.206, 2001:500:200::b | University of Southern California (ISI) |
| c.root-servers.net | 220.127.116.11, 2001:500:2::c | Cogent Communications |
| d.root-servers.net | 18.104.22.168, 2001:500:2d::d | University of Maryland |
| f.root-servers.net | 22.214.171.124, 2001:500:2f::f | Internet Systems Consortium, Inc. |
| g.root-servers.net | 126.96.36.199, 2001:500:12::d0d | US Department of Defense (NIC) |
| h.root-servers.net | 188.8.131.52, 2001:500:1::53 | US Army (Research Lab) |
| j.root-servers.net | 184.108.40.206, 2001:503:c27::2:30 | VeriSign, Inc. |
| k.root-servers.net | 220.127.116.11, 2001:7fd::1 | RIPE NCC |
| m.root-servers.net | 18.104.22.168, 2001:dc3::35 | WIDE Project |
For the location of authorities responsible for root servers, check out the map on root-servers.org⁴.
The DNS is responsible for almost everything connected to the Internet, and as with everything, the root system supports the branches. The importance of DNS root servers isn’t widely discussed—the end user rarely needs to worry about them—but in the grand scheme of things, they truly are the Internet’s backbone.
We also hope we’ve dispelled a few misconceptions about the actual number of root servers. So the next time someone says there are 13, not only will you know the truth, you’ll also know the how and the why behind it.
When it comes to security, the DNS is still one of the most overlooked parts of an organization’s infrastructure. That’s why conducting a frequent DNS audit is so important. Fortunately, SecurityTrails has you covered with our API that allows you to monitor any changes to DNS records—and thwart any future attacks!
1 https://en.wikipedia.org/wiki/IPv4
2 https://www.icann.org/
3 https://investor.verisign.com/corporate-profile/fact-sheet
4 https://root-servers.org/