Sunday, December 18, 2011

email 110 - DNS - the Domain Name System

Today's blog is a follow up to email 101 - The Basics

This is a subject often overlooked by those who don't understand the mechanics of the email system but it is critical for proper email transport. The reason it is overlooked is that it is really considered part of the TCP/IP network that forms the underlying infrastructure of the Internet.

DNS (the Domain Name System) was developed to help humans locate servers more easily. Computing devices (servers, PCs and other devices) identify themselves by IP address. For instance, the server this document will be stored on is a server inside my network with IP 192.168.5.67, and to the public it is known as 184.71.33.126. Remembering numbers like that is difficult for most humans, so DNS keeps a matching "name" for them that we can use. DNS is also smart enough to know that either of those numbers can be called "mairs.ca", so I can just connect to "mairs.ca" and I will find the right server no matter which number is most available.

The email system relies heavily on DNS so that humans don't have to remember all those numbers. Would you rather send an email to john@gmail.com, or john@74.125.115.27? More importantly, if that particular server is busy, can you remember the other 5 or 6 IP addresses that are also known as gmail.com? Probably not. This is where DNS really helps out email. When you send that email to john@gmail.com, delivery is attempted at the first server available. If it is too busy, the next server is tried, and so on, until one is available to take the message, or a special type of bounce message is sent back to say "we are too busy, try again later". That special bounce is called a transient failure; you will usually never see one of those in your POP mailbox, but your SMTP MTA sees them all the time. In DNS, we can make several different servers in a network "look" like one mail server to the outside world, and we can "weight" them to make sure one is always preferred. When your MTA tries to deliver mail, it looks to DNS first to know where to send it.

The important part of DNS (to email) may look similar to this:

example.com.    IN MX 10 int.mail.server.example.com.
example.com.    IN MX 20 smtp.anotherexample.com.

In the example above, when your MTA sends mail to example.com it will first try int.mail.server.example.com, because that entry has the lower preference number (10). That Mail eXchange (MX) may be too busy, so the next one in the list will also accept mail for that same name. In the case of an ISP like Yahoo or Hotmail or Gmail, there may be a dozen of those backup servers listed.
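As an added example (not code from the original post), the following script parses MX lines in the zone-file layout shown above, orders them by preference the way an MTA does, and walks the list treating a 4xx "try again later" reply as a transient failure that moves on to the next host. The zone text and the reply codes are constructed for the demonstration; hostnames and the try_host callback are assumptions, not real servers.

```python
import random
import re
from typing import Callable, Dict, List, Tuple

# Constructed zone-file lines in the style of the post's example (not real hosts).
ZONE = """
example.com.   IN MX 10 int.mail.server.example.com.
example.com.   IN MX 20 smtp.anotherexample.com.
example.com.   IN MX 20 smtp2.anotherexample.com.
"""

MX_LINE = re.compile(r"^\S+\s+IN\s+MX\s+(\d+)\s+(\S+)$")


def parse_mx(zone_text: str) -> List[Tuple[int, str]]:
    """Return (preference, host) pairs found in zone-style MX lines."""
    records = []
    for line in zone_text.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            records.append((int(m.group(1)), m.group(2).rstrip(".")))
    return records


def order_mx(records: List[Tuple[int, str]], rng=random) -> List[str]:
    """Lowest preference first; hosts sharing a preference are shuffled (RFC 5321 s.5.1)."""
    by_pref: Dict[int, List[str]] = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered: List[str] = []
    for pref in sorted(by_pref):
        hosts = by_pref[pref][:]
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def deliver(records, try_host: Callable[[str], int]):
    """Walk the MX list like an MTA: 2xx = delivered, 4xx = transient (next host), 5xx = permanent."""
    attempts = []
    for host in order_mx(records):
        code = try_host(host)  # assumed callback returning an SMTP reply code
        attempts.append((host, code))
        if 200 <= code < 300:
            return "delivered", attempts
        if 500 <= code < 600:
            return "bounced", attempts
    return "deferred", attempts  # every MX said "try later": queue and retry


if __name__ == "__main__":
    busy = {"int.mail.server.example.com": 421}  # constructed: the primary is too busy
    print(deliver(parse_mx(ZONE), lambda h: busy.get(h, 250)))
```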

DNS is really a collection of files and look-up tables that are presented by a DNS server. There are many public DNS servers that all work together. Changed information in one DNS server will be passed on to the next DNS server in its chain, and so on, until all the DNS servers in the world have been updated. This is how someone in Singapore can send you an email in New York without knowing anything about your servers except the mail domain name. Most people have two or more DNS servers defined on their computer to make sure they get the fastest service. You can tell what your DNS servers are by looking at the properties of your network connection. In there you will see "Primary DNS" and "Secondary DNS"; those are the servers you use to look up this data, as well as how to find web pages and other services on the Internet.

DNS can also provide other valuable information to help fight SPAM and unwanted connections. When you sign a message with DKIM (DomainKeys Identified Mail), that is, add a cryptographic signature to your mail, the receiver will look to DNS to get the public key that matches your domain and will use that to verify the signature. If your domain entry does not exist, or the public and private keys are not a matching set, then the DKIM check will fail and your mail will likely end up in the trash. A similar thing happens with SPF (Sender Policy Framework) and SenderID, where a receiver can look to DNS to see if there is a list of authorized IP addresses that can send mail using a particular domain name.
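As an added example (not code from the original post), this script shows the two DNS look-ups described above from the receiver's side: building the DKIM key name a verifier queries (selector._domainkey.domain) and parsing the tags of the TXT record it gets back, and evaluating the ip4/ip6/all mechanisms of an SPF record against a connecting IP. The TXT records are constructed stand-ins for DNS answers; the domain, selector and key value are placeholders.

```python
import ipaddress
from typing import Dict, Optional

# Constructed records standing in for DNS TXT answers (not real data; key is a placeholder).
DNS_TXT: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "selector1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
}


def dkim_key_name(selector: str, domain: str) -> str:
    """DNS name a receiver queries for the signer's DKIM public key."""
    return f"{selector}._domainkey.{domain}"


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' DKIM-style record into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_spf(domain: str, sender_ip: str, lookup=DNS_TXT.get) -> str:
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for sender_ip (first match wins)."""
    record: Optional[str] = lookup(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # 'in' is False when address and network families differ, so mixed records are safe
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            return "permerror"  # include/a/mx mechanisms are outside this example
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"
```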

Feedback Loops (FBL) rely on DNS as well, to have a valid spam reporting domain name available for each registered domain. FBLs are not available for all domains, and a bulk sender has to go through an application process to register to use one, but a key ingredient is a valid DNS configuration. In a future session we will discuss DKIM (DomainKeys Identified Mail), FBL (Feedback Loops), SPF (Sender Policy Framework) and other security components. These all use DNS as a look-up for a receiving MTA to verify that the mail is legitimate.

For high volume senders, setting up the proper DNS entries is critical. ISPs rely heavily on DNS to help determine if mail is real and should be delivered, so a misconfiguration in DNS can mean all their email gets dropped or placed in the SPAM folder and is never seen. For the average person it is enough to understand that DNS is used to translate host names into IP addresses.

Next time we cover How NOT to be a Spammer
