Domain name system (DNS) servers might seem like a background function of the internet, but they have undergone a significant evolution. Once a basic tool for resolving domain names to IP addresses, DNS is now a dynamic, real-time load-balancing engine central to performance, resiliency and user experience. Drawing on industry examples, including IBM® NS1 Connect®, this article explores how authoritative DNS has become critical infrastructure.
There are two main types of DNS server: recursive and authoritative. Recursive servers (resolvers) accept queries from end-user devices and do the work of finding an answer; authoritative servers hold the records for a zone and are the source of truth for it.
If you type ibm.com into your browser, your device sends the query to a recursive resolver. If the resolver has a still-valid answer in its cache, it returns that immediately. Otherwise it walks the delegation chain, asking the root servers, then the .com servers, then ibm.com's own authoritative servers, caches the result for the record's time to live (TTL) and returns it to you.
Caching is what lets this scale: most of the billions of queries in flight at any moment are answered from a resolver's cache, so a typical lookup completes in well under 200 milliseconds. We'll come back to caching later, because it is an important part of how the technology has changed.
If you check your computer's or phone's IP address settings, you will see the address of one or more DNS servers to use, and these are always recursive resolvers. By default, your ISP or telco hands you the address of its own resolver, which means it sees every name you look up; some ISPs monetize that information.
You can point your device at other recursive resolvers, such as Google's (8.8.8.8) or one of our favorites, Quad9 (9.9.9.9), which is designed for security and privacy. These services offer encrypted DNS, and some, such as Quad9, don't store your DNS lookups.
Using encryption means that neither your telco, your internet service provider (ISP) nor anyone else on the path can read the DNS requests you make. The resolver you chose still sees all of them, so the choice of resolver matters as much as the encryption.
There are three common ways to encrypt DNS traffic: DNS over TLS (DoT), DNS over HTTPS (DoH) and DNSCrypt. Each has advantages and disadvantages for the particular use case it addresses. DoT, for instance, runs on its own port (853), which makes it easy for a network to identify and block; DoH rides on ordinary HTTPS, so it blends in with web traffic but is harder for an administrator to account for.
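To make the DoH case concrete, here is an added example (not code from the article or from IBM NS1 Connect) that builds a wire-format DNS query, wraps it in the RFC 8484 GET form and parses a wire-format answer. It uses only the Python standard library; the resolver URL is assumed to be Quad9's public DoH endpoint, and the response it parses is constructed inline rather than fetched, so the block runs offline.

```python
"""Build an RFC 8484 DoH GET request from a wire-format DNS query and parse a
wire-format answer. Standard library only; the response below is constructed."""
import base64
import struct
import urllib.request

# Quad9's public DoH endpoint (assumed; substitute your own resolver's URL).
DOH_ENDPOINT = "https://dns.quad9.net/dns-query"


def build_query(name: str, qtype: int = 1, txn_id: int = 0) -> bytes:
    """Minimal RFC 1035 query: 12-byte header plus one IN-class question.
    RFC 8484 recommends ID 0 for GET so identical queries can share HTTP caches."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(endpoint: str, query: bytes) -> str:
    """GET form: base64url without padding, carried in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def fetch(url: str) -> bytes:
    """Send the request and return the raw answer (network I/O; not run offline)."""
    req = urllib.request.Request(url, headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) domain name; return (name, next offset)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_a_records(msg: bytes):
    """Return (rcode, [(owner, ttl, ipv4)]) for A records in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return flags & 0x0F, answers


# Constructed response to the example.com query: NOERROR, one A record,
# owner name compressed as a pointer to offset 12 (0xC00C).
EXAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(DOH_ENDPOINT, q))
    print(parse_a_records(EXAMPLE_RESPONSE))
```

Note what the resolver sees: the full question, including the name, is inside the TLS session, so the network path cannot read it, but the DoH server decodes it exactly as shown here. The encryption moves trust from the path to the resolver operator; it does not remove it.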
However, none of these options stops a determined observer with access to your IP traffic from working out where you are going on the internet.
The destination IP addresses are still visible, and a reverse lookup (or a passive DNS database) will usually reveal which names are associated with them. For TLS connections the server name in the ClientHello is also sent in cleartext unless Encrypted Client Hello is in use. This applies even if you use a VPN, provided the traffic is intercepted at or beyond the VPN exit point.
Long gone are the days when a DNS entry was semi-permanently bound to one IP address, with every user's traffic following the same path every time. Authoritative DNS servers now routinely give different answers to different requests based on factors such as the requester's location (inferred from the resolver's address or the EDNS Client Subnet option), the current health of content distribution networks or even who the user is.
This dynamic nature makes for a dramatic improvement in user experience and resilience.
For example, our IBM NS1 Connect service is designed to assess the performance of each application or web service before handing your device a destination IP address, so that you receive the best available experience.
To do this, we build a real-time model we call "Global Internet Weather". The model tracks which telco networks, content distribution networks (CDNs), geographic regions and routes are performing poorly relative to the others and, where possible, steers traffic away from those paths so that fewer users land on a bad one.
Content providers and authoritative DNS providers cooperate to make this work. By embedding a small JavaScript snippet in each session (a game, a video stream or a website visit), providers such as IBM NS1 Connect collect real-user measurements of the connection: latency, availability and throughput.
If your experience is poor, that measurement is fed back into the internet weather model so the next user can be steered differently, much as an airline pilot reports turbulence so that other aircraft can take a different path.
Most large websites and content providers rely on a content distribution network (CDN) such as Akamai or Cloudflare to scale delivery to millions of customers worldwide. But large providers rarely depend on a single CDN; they use several to get resiliency, geographic reach and scale at a manageable cost.
Some use five or six to reach all their customers. Such providers cannot rely on any one CDN's authoritative DNS, because the DNS that chooses between CDNs must, by definition, sit outside all of them.
So the authoritative DNS provider acts as a load balancer across the CDNs (multi-CDN switching), the same job a global server load balancer does for internet traffic: spreading load across CDNs and geographies, and backing off or shedding load from a CDN that starts to fail.
This happens in real time for millions of sessions, in less time than it took you to read this paragraph. The same technology can also replace many functions of traditional global server load balancers in more conventional deployments.
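The following is an added example, not IBM NS1 Connect's own steering logic, of the decision an authoritative DNS can make per query once it has real-user measurements: shed any CDN whose availability has dropped below a floor, weight the remaining CDNs by observed latency, and pick one deterministically per client so repeat queries get a stable answer. The CDN names, IP addresses (from the documentation ranges) and measurements are constructed; the EWMA feedback, availability floor and hash-based pick are design choices of this example.

```python
"""Multi-CDN steering as an authoritative DNS might apply it: drop CDNs whose
real-user availability has fallen below a floor (load shedding), weight the
rest by observed latency, and pick deterministically per client. Metrics are
constructed; cdn-a/b/c are placeholders."""
import hashlib
from dataclasses import dataclass


@dataclass
class CdnHealth:
    cdn: str
    ip: str                 # the answer handed out when this CDN is chosen
    availability: float     # fraction of recent RUM probes that succeeded
    latency_ms: float       # recent median RUM latency from this region


def record_measurement(h: CdnHealth, ok: bool, latency_ms: float, alpha: float = 0.1) -> CdnHealth:
    """Fold one real-user measurement into the CDN's state (EWMA): the
    'turbulence report' that changes the answer for the next client."""
    h.availability = (1 - alpha) * h.availability + alpha * (1.0 if ok else 0.0)
    if ok:
        h.latency_ms = (1 - alpha) * h.latency_ms + alpha * latency_ms
    return h


def steering_weights(candidates, min_availability: float = 0.97):
    """Return {cdn: weight} over healthy CDNs, weight proportional to 1/latency.
    If nothing is healthy, fall back to the single least-bad CDN rather than
    answering nothing."""
    healthy = [c for c in candidates if c.availability >= min_availability]
    if not healthy:
        best = max(candidates, key=lambda c: (c.availability, -c.latency_ms))
        return {best.cdn: 1.0}
    raw = {c.cdn: 1.0 / max(c.latency_ms, 1.0) for c in healthy}
    total = sum(raw.values())
    return {cdn: w / total for cdn, w in raw.items()}


def answer_for(candidates, client_key: str, min_availability: float = 0.97) -> str:
    """Pick a CDN by walking the cumulative weights at a point derived from a
    hash of the client key (e.g. resolver IP or EDNS Client Subnet), so the
    same client keeps getting the same answer while the weights hold."""
    weights = steering_weights(candidates, min_availability)
    by_cdn = {c.cdn: c for c in candidates}
    point = int(hashlib.sha256(client_key.encode()).hexdigest(), 16) % 10_000 / 10_000
    cumulative = 0.0
    chosen = None
    for cdn, w in sorted(weights.items()):
        cumulative += w
        chosen = cdn
        if point < cumulative:
            break
    return by_cdn[chosen].ip


# Constructed snapshot for one region: cdn-c is the fastest but is flaking
# (90% availability), so it is shed and traffic is split between a and b.
EU_WEST = [
    CdnHealth("cdn-a", "192.0.2.10", 0.999, 20.0),
    CdnHealth("cdn-b", "198.51.100.10", 0.995, 35.0),
    CdnHealth("cdn-c", "203.0.113.10", 0.900, 15.0),
]

if __name__ == "__main__":
    print(steering_weights(EU_WEST))
    print(answer_for(EU_WEST, "203.0.113.0/24"))
```

Two practitioner notes. First, the fallback branch matters: when every CDN looks unhealthy, returning the least-bad one keeps the site reachable, whereas returning nothing turns a partial outage into a total one. Second, the hash-based pick only gives stable answers while the weights are stable; a real deployment also shortens the record TTL so that a shed CDN stops receiving traffic within seconds, not hours.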
If you use an authoritative DNS service for application resilience, what happens when the DNS provider itself fails? Almost all our large customers provision multiple authoritative DNS services, so failover happens with little or no user impact. Resolvers spread queries across all of a zone's listed nameservers, so a second provider only helps if its copy of the zone matches the first; a record that exists at one provider but not the other will be answered inconsistently. For example, IBM NS1 Connect plans to release Cloud Sync in 2025, a tool that replicates DNS configurations across platforms such as Amazon Route 53, reducing the risk from a single point of failure.
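Whether replication is automated or not, the check a practitioner wants is that both providers serve the same zone. The added example below (not Cloud Sync and not IBM code) compares two providers' exports of a zone, ignoring the SOA and the apex NS set because those legitimately differ per provider, and counts how many distinct providers the delegation spans. The zone data, provider hostnames and the suffix-to-provider mapping are all constructed for illustration.

```python
"""Check that two authoritative providers serve the same zone. Input is each
provider's export as (owner, type, ttl, rdata) tuples; SOA and apex NS are
excluded because they legitimately differ per provider. Both snapshots below
are constructed; provider hostnames are placeholders."""
from dataclasses import dataclass, field

NAME_VALUED = {"CNAME", "NS", "MX", "PTR", "SRV"}   # rdata ends in a domain name


def _norm_name(n: str) -> str:
    return n.lower().rstrip(".")


def normalize(records, apex: str):
    """Map (owner, type) -> {(ttl, rdata)} with provider-specific records removed
    and case/trailing-dot differences erased."""
    apex = _norm_name(apex)
    out = {}
    for owner, rtype, ttl, rdata in records:
        owner, rtype = _norm_name(owner), rtype.upper()
        if rtype == "SOA" or (rtype == "NS" and owner == apex):
            continue
        if rtype in NAME_VALUED:
            parts = rdata.split()
            parts[-1] = _norm_name(parts[-1])
            rdata = " ".join(parts).lower()
        out.setdefault((owner, rtype), set()).add((int(ttl), rdata))
    return out


@dataclass
class ZoneDiff:
    only_in_a: list = field(default_factory=list)     # (owner, type, rdata)
    only_in_b: list = field(default_factory=list)
    ttl_mismatch: list = field(default_factory=list)  # (owner, type, rdata, ttl_a, ttl_b)

    def consistent(self) -> bool:
        return not (self.only_in_a or self.only_in_b or self.ttl_mismatch)


def compare_zones(a, b, apex: str) -> ZoneDiff:
    """Report records present at only one provider and TTLs that disagree."""
    na, nb = normalize(a, apex), normalize(b, apex)
    diff = ZoneDiff()
    for key in sorted(set(na) | set(nb)):
        ra = {rdata: ttl for ttl, rdata in na.get(key, set())}
        rb = {rdata: ttl for ttl, rdata in nb.get(key, set())}
        for rdata in sorted(set(ra) - set(rb)):
            diff.only_in_a.append((*key, rdata))
        for rdata in sorted(set(rb) - set(ra)):
            diff.only_in_b.append((*key, rdata))
        for rdata in sorted(set(ra) & set(rb)):
            if ra[rdata] != rb[rdata]:
                diff.ttl_mismatch.append((*key, rdata, ra[rdata], rb[rdata]))
    return diff


def provider_count(ns_hosts, provider_of) -> int:
    """How many distinct providers the delegation spans. provider_of maps a
    nameserver hostname suffix to a provider label (assumed mapping)."""
    seen = set()
    for host in ns_hosts:
        h = _norm_name(host)
        seen.add(next((p for suffix, p in provider_of.items() if h.endswith(suffix)), h))
    return len(seen)


# Constructed exports of example.com from two providers: B is missing the
# second A record for www and carries a different TTL on the MX.
PROVIDER_A = [
    ("example.com.", "SOA", 3600, "ns1.provider-a.example. hostmaster.example.com. 2024010101 3600 600 86400 300"),
    ("example.com.", "NS", 3600, "ns1.provider-a.example."),
    ("example.com.", "NS", 3600, "ns1.provider-b.example."),
    ("www.example.com.", "A", 300, "192.0.2.10"),
    ("www.example.com.", "A", 300, "192.0.2.11"),
    ("example.com.", "MX", 3600, "10 mail.example.com."),
    ("cdn.example.com.", "CNAME", 60, "edge.cdn-a.example."),
]
PROVIDER_B = [
    ("EXAMPLE.COM", "SOA", 3600, "ns1.provider-b.example. hostmaster.example.com. 77 7200 900 1209600 300"),
    ("example.com", "NS", 172800, "ns1.provider-b.example"),
    ("WWW.example.com", "A", 300, "192.0.2.10"),
    ("example.com", "MX", 300, "10 MAIL.example.com"),
    ("cdn.example.com", "CNAME", 60, "edge.cdn-a.example"),
]
PROVIDERS = {"provider-a.example": "provider-a", "provider-b.example": "provider-b"}

if __name__ == "__main__":
    print(compare_zones(PROVIDER_A, PROVIDER_B, "example.com"))
    print(provider_count(["ns1.provider-a.example.", "ns1.provider-b.example."], PROVIDERS))
```

In practice the two inputs would come from each provider's API or from a zone transfer where the provider allows one; run the comparison after every change and alert on any difference, because a resolver that happens to hit the lagging provider will serve the stale answer for a full TTL.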
Running your own authoritative DNS might make sense if you are a hyperscaler offering your own services. Yet many enterprises take on operational risk and high cost by running this critical infrastructure on hundreds of servers around the world, 24/7/365. There is also a performance challenge: a self-run authoritative service responds more slowly unless it is highly tuned.
In a study IBM commissioned with Catchpoint, self-hosted authoritative DNS servers on average took more than four times as long to respond to queries as NS1® did (see the report The need for speed for details). A delay of 400 ms per lookup sounds minor, but across the hundreds of application and website lookups an average laptop makes every minute, the impact on user experience is noticeable.
The IBM NS1 Connect authoritative DNS service is used every day by many large players in video streaming, gaming, media, financial services and SaaS. You have probably used NS1 many times today without noticing, and we like it that way.
Every day we serve the DNS answers behind about one-third of global internet traffic, and our job is to make sure you notice nothing unusual about your internet experience.
IBM NS1 Connect is a fully managed cloud service for enterprise DNS, DHCP, IP address management and application traffic steering.