Robust, Free DNS FTW

by Matthew Prince.

Robust, Free DNS

Most people don't think DNS is very sexy, but it's critically important to the functioning of the Internet. At its core, the purpose of DNS is to turn a domain that humans can read ( into an IP address that computers can read (

Recursive DNS

If you are a web surfer, when you sign up for Internet service your ISP will give you a pair of IP addresses. Typically you enter these IP addresses into your home router and never think about them again. But, quietly in the background, these IPs are critical to ensuring your Internet service works. They point to what are known as recursive DNS servers. When you type a domain into your browser, or click on a link, your computer queries the IPs of these recursive DNS servers and asks if they know what the IP for a particular domain is. The DNS system then act like a sort of telephone directory mapping domains to IPs.

But it's not that simple and there are many parts to the system. Think of recursive DNS like a cache. Since the total universe of domains and their corresponding IPs is large, recursive DNS servers typically don't store a copy of everything. If a recursive DNS server has had a query for a domain recently, then it can return the corresponding IP from its cache if another request for the same domain comes in later. The length of time a domain is cached by a recursive DNS server is known as the time to live (TTL) and it is specified by the domain's owner.

Unfortunately, many ISPs under-invest in their DNS infrastructure. If your browser ever stalls and you see "Resolving" in the status bar (where "" is the domain of the site you're trying to look up) chances are it means your ISP's DNS is having problems.

A service like OpenDNS replaces your ISP's recursive DNS. While OpenDNS's recursive DNS servers also have two IP addresses ( & those IP addresses use a technology called Anycast. Anycast allows multiple machines in geographically dispersed locations to answer to the same IP. If you use OpenDNS in California you will get a response from a completely different server than if you use OpenDNS in New York. The fabric of the network itself determines where the request is sent.

Robust, Free DNS

Authoritative DNS

Whether OpenDNS or the name servers provided by your ISP, recursive DNS acts as a cache and returns results it already knows. If a recursive DNS provider gets a request for a domain where the IP isn't cached, it retrieves the result from the authoritative DNS server for a particular domain. If recursive DNS servers sit on the "eyeball" side of the network, authoritative DNS servers sit on the "content" side. If you have purchased a domain, what you have really purchased is the right to set the authoritative DNS server for that domain.

Many registrars like GoDaddy,, or Network Solutions provide authoritative DNS service for domains you register with them. Unfortunately, much like with ISPs and recursive DNS, authoritative DNS is often underinvested in and servers allocated to it are overloaded.

CloudFlare has built one of the most state-of-the-art DNS systems in the world. When you sign up for CloudFlare, we provide you with a set of authoritative DNS servers like or We coined these our "ninja name servers" and even had an artist draw some characters to represent them all.

Thinking of our authoritative DNS servers as "individuals" is actually quite misleading. Just like OpenDNS, we use Anycast to allow multiple servers to respond to any request. What that means is that the set of name servers we give you actually points to clusters of servers in each of the global data centers we run. What that means is not only is your DNS faster because it is located closer to the recursive DNS server making the request, but even if a single server or even a whole data center is knocked offline there will still be many more ninja name servers standing in reserve to pick up the slack.

There are companies that charge big bucks for an Anycasted DNS service like we've built. While we don't make a big deal about ours, it rivals in terms of number of data centers and physical servers answering DNS some of the biggest names in the DNS business. And it's included free with every CloudFlare account.

Cool DNS Tricks

I've been friends with David Ulevitch, the CEO of OpenDNS, since the founding of his company and I was always impressed how they used something as unsexy as DNS to provide real protection of web surfers. If you sign up for the free OpenDNS service, you can get everything from parental controls (keeping your kids from visiting adult content) to anti-malware protection (keeping you from visiting a site that will cause you harm) all through the service's faster recursive DNS.

CloudFlare is similar but where OpenDNS protects web surfers, CloudFlare protects websites. When you sign up for CloudFlare we can act as a proxy service that makes your site twice as fast and protects it from bad guys. In order to do that, we needed to build one of the most robust authoritative DNS systems on the planet. We don't talk about it much but, here at the CFHQ, DNS definitely is sexy.

comments powered by Disqus