when i type www.google.com how does the dns lookup work. According to my knowledge it first goes to the root server and finds out where the .com dns server is. Next it returns the ip address of that server. Next from there is finds out where the google server is. Now it returns a ip address and that would be the place where www.google.com is found.
So to resolve this two dns look ups are needed. Correct me if iam wrong.
DNS resolution can get pretty hairy when you start to consider things like caching and anycast, but let's keep it simple for now.
Here are snippets of digs next to snippets of tcpdumps of a query for www.google.com to a freshly started nameserver, so no caching is being used. I've trimmed some of the timestamps for legibility.
First, the local nameserver (here 192.168.10.10) asks one of the root servers (in this case h.root-servers.net, 128.63.2.53) the query "what is the A record for www.google.com?" h.root-servers.net is not authoritative for www.google.com, but it does have a delegation for .com, so it returns that.
192.168.10.10.17203 > 128.63.2.53.53: 29969 [1au] A? www.google.com. (43)
128.63.2.53.53 > 192.168.10.10.17203: 29969- 0/15/16 (719)
;; QUESTION SECTION:
;www.google.com. IN A
;; AUTHORITY SECTION:
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
Second, the local nameserver then chooses one of the nameservers from the list returned by h.root-servers.net and sends the same query: "what is the A record for www.google.com?" In this case the nameserver queried was f.gtld-servers.net (192.35.51.30). f.gtld-servers.net, which is authoritative for .com, has responded with the nameserver delegations for the zone google.com
192.168.10.10.65182 > 192.35.51.30.53: 58632 [1au] A? www.google.com. (43)
192.35.51.30.53 > 192.168.10.10.65182: 58632- 0/4/5 (179)
;; QUESTION SECTION:
;www.google.com. IN A
;; AUTHORITY SECTION:
google.com. 172800 IN NS ns2.google.com.
google.com. 172800 IN NS ns1.google.com.
google.com. 172800 IN NS ns3.google.com.
google.com. 172800 IN NS ns4.google.com.
Getting closer! Now the local nameserver picks one of the nameservers in the last response and asks it the same question. In this case, it asks ns2.google.com (216.239.34.10). ns2.google.com responds that www.google.com is actually a CNAME (canonical name) record for www.l.google.com
192.168.10.10.4767 > 216.239.34.10.53: 15830 [1au] A? www.google.com. (43)
216.239.34.10.53 > 192.168.10.10.4767: 15830*- 6/0/0 CNAME[|domain]
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 604800 IN CNAME www.l.google.com.
Very close! Now we just need the address of www.l.google.com. Now because we already know the nameservers for google.com, we just ask one of them. In this case, we ask ns3.google.com (216.239.36.10) "what is the A record for www.l.google.com.?" It responds with the address, and we have our answer:
192.168.10.10.63657 > 216.239.36.10.53: 62511 [1au] A? www.l.google.com. (45)
216.239.36.10.53 > 192.168.10.10.63657: 62511*- 5/0/0 A[|domain]
;; QUESTION SECTION:
;www.l.google.com. IN A
;; ANSWER SECTION:
www.l.google.com. 300 IN A 74.125.232.116
www.l.google.com. 300 IN A 74.125.232.112
www.l.google.com. 300 IN A 74.125.232.115
www.l.google.com. 300 IN A 74.125.232.113
www.l.google.com. 300 IN A 74.125.232.114
Huzzah!
Anyway, I hope that's enough to get your started. There are a lot of great resources out there. The O'Reilly book "DNS and BIND" is very useful.
I highly highly highly recommend installing dig to use for seeing how the DNS queries go. For example, you can use dig +trace to easily see the delegation path to a host:
; <<>> DiG 9.7.0-P1 <<>> +trace www.google.com
;; global options: +cmd
. 516930 IN NS k.root-servers.net.
. 516930 IN NS g.root-servers.net.
. 516930 IN NS h.root-servers.net.
. 516930 IN NS j.root-servers.net.
. 516930 IN NS a.root-servers.net.
. 516930 IN NS m.root-servers.net.
. 516930 IN NS b.root-servers.net.
. 516930 IN NS f.root-servers.net.
. 516930 IN NS d.root-servers.net.
. 516930 IN NS c.root-servers.net.
. 516930 IN NS l.root-servers.net.
. 516930 IN NS i.root-servers.net.
. 516930 IN NS e.root-servers.net.
;; Received 244 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
;; Received 492 bytes from 202.12.27.33#53(m.root-servers.net) in 45 ms
google.com. 172800 IN NS ns2.google.com.
google.com. 172800 IN NS ns1.google.com.
google.com. 172800 IN NS ns3.google.com.
google.com. 172800 IN NS ns4.google.com.
;; Received 168 bytes from 192.33.14.30#53(b.gtld-servers.net) in 42 ms
www.google.com. 604800 IN CNAME www.l.google.com.
www.l.google.com. 300 IN A 74.125.232.115
www.l.google.com. 300 IN A 74.125.232.113
www.l.google.com. 300 IN A 74.125.232.116
www.l.google.com. 300 IN A 74.125.232.114
www.l.google.com. 300 IN A 74.125.232.112
;; Received 132 bytes from 216.239.34.10#53(ns2.google.com) in 131 ms
Notice how similar it is to the trace of the query earlier? Hope that helps.
It is slightly more complicated as DNS is quite heavily cached. Your local machine may even have the data cached and the lookup goes no further than that.
Your machine will query it's own cache and if that fails it will query the primary DNS server it has been told about. This may be a caching DNS server and my have the result in it's cache in which case the record is returned to you and the lookup ends. It is also most likely a recursive DNS server and will now do the leg work for your machine.
If the primary DNS server doesn't have the information it will query the root name servers they will respond with (in your example) the TLD name servers for .com
A query will be sent to the .com TLD servers which will respond with the address of the authoritative name server for google.com
A query will be sent to the authoritative name server for google.com requesting the www.google.com record. This will be found and returned to the primary DNS server which will cache it and return the record to you.
DNS is hierarchical and, as lain said, heavily cached. Perhaps, a more complicated example can help you.
Assume you have a machine that belongs to a company with several business units which are reflected in the domain structure. Your machine has the name machine.businessunit1.company.com, i. e. belongs to businessunit1.company.com, which is your primary DNS suffix.
The business unit is very large and operates several DNS servers (dns1.businessunit1.company.com, dns2.businessunit1.company.com) and also e. g. a webserver called www.businessunit1.company.com.
If your machine now wants to resolve www.businessunit1.company.com, it will first lookup the local DNS cache. I. e. your machine itself remembers DNS entries you recently queried, because it is very likely that you will need the results again, e. g. when you click a link on a website. I do not know whether you can see what your machine has cached, but there is a command for deleting everything your machine remembered (on Windows): ipconfig /flushdns
If your machine does not remember the answer, it will ask - as I previously commented - the DNS server(s) that are configured for your network adapter. Most likely, your admins will have configured dns1.businessunit1.company.com and dns2.businessunit.company.com. The reason for that is that you want your DNS query answered quickly without a lot of traffic. If dns1.businessunit1.company.com receives your query for www, it will answer it, because it is authoritative for the zone *.businessunit1.company.com. Authoritative means that this server knows the only correct answer for all DNS names ending "businessunit1.company.com".
Now assume you have queries www.businessunit2.company.com. Your machine, if it does not rememember the answer itself, will again ask dns1.businessunit1.company.com. Now, there are a lot of possibilities: first, your admins might be clever, and they have forseen that it is very likely that people from businessunit1 will also want to access machines in businessunit2 frequently. Therefore, they have configured dns1.businessunit1.company.com to hold a copy of the data from dns1.businessunit2.company.com. dns1.businessunit1.company.com can use this copy to answer your question. Second, your admins will surely have told dns1.businessunit1.company.com what to do when it does not know the answer to your question: that is asking another DNS server. Probably, this is dns1.company.com, but it could also be any other DNS server, including the root servers.
As lain said, dns1.businessunit1.company.com is free to remember any answer it got from other DNS servers. I. e. if you ask for www.google.com, it might have to ask some other server, but if you ask a second time, it remembers the answer and tells you directly.
You can basically see where your DNS answer is from when you type e. g. nslookup www.google.com. The output will tell you the server and whether it is an authoritative answer or not. Most likely, it will be non-authoritative, because it is not answered by Google's DNS servers, which are responsible for all DNS names ending "google.com".
You're not wrong. Here's a great illustration of how a DNS query works.
This is correct. And maybe 1 more look up for the "www" subdomain.
