DNS root servers (root name servers) sit at the top of the DNS hierarchy and are the starting point of iterative name resolution. When a recursive resolver holds no cached delegation for any part of a name, it asks a root server, which does not answer the question itself but refers the resolver to the name servers of the relevant top-level domain (TLD).
Role of Root Servers
Position in DNS Resolution Chain
```text
User queries example.com
        ↓
Root server          → returns the .com TLD server addresses (a referral, not an answer)
        ↓
TLD server           → returns the example.com authoritative server addresses
        ↓
Authoritative server → returns the final IP address
```
Core Functions
- Referral: tell resolvers which TLD name servers to ask next (the root never returns the final answer for a second-level name)
- Serve the root zone: hold the NS records and glue addresses for every TLD (.com, .org, .cn, etc.)
- Serve a signed zone: the root zone is DNSSEC-signed before it is distributed (the key-signing key is held by IANA, the zone-signing key by the root zone maintainer); root servers publish those signatures but do not sign anything themselves
Global Distribution of Root Servers
Logical Root Servers: 13
Because the original DNS protocol limits a plain UDP response to 512 bytes, there are only 13 root server identities, named with the letters A to M (each has one IPv4 and one IPv6 address):
| Identifier | Operating Organization | Operator headquarters |
|---|---|---|
| A | Verisign | USA |
| B | USC-ISI | USA |
| C | Cogent | USA |
| D | University of Maryland | USA |
| E | NASA | USA |
| F | Internet Systems Consortium | USA |
| G | US DoD NIC | USA |
| H | US Army Research Lab | USA |
| I | Netnod | Sweden |
| J | Verisign | USA |
| K | RIPE NCC | Netherlands |
| L | ICANN | USA |
| M | WIDE Project | Japan |
Why Only 13?
Historical Reasons:
- DNS was designed to run over UDP
- RFC 1035 limits a UDP response without EDNS(0) to 512 bytes
- A resolver's first query ("priming") asks for the root NS set and expects an IPv4 glue address for each server in the same response; 13 servers fit within that limit, and the count was frozen there
- The servers were renamed to share the suffix root-servers.net so that DNS name compression (RFC 1035 §4.1.4) keeps all 13 entries inside the limit

```text
Priming response = 13 NS records + 13 A (glue) records, with name compression
                 = a few hundred bytes, under the 512-byte limit
Adding 13 AAAA glue records (16 bytes of address each) pushes it past 512 bytes,
so modern resolvers prime with EDNS(0) or fall back to TCP
```
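To put numbers on the 512-byte argument, here is an added example (not code from the page) that assembles a priming response in RFC 1035 wire format, applying the standard label-compression rules, and measures it with and without IPv6 glue. The addresses are constructed placeholders from the RFC 5737 and RFC 3849 documentation ranges, not the real root server addresses; the message ID, flags and TTL are likewise arbitrary.

```python
"""Measure the wire size of a root priming response (added example, not from the page)."""
import struct

TYPE_NS, TYPE_A, TYPE_AAAA, CLASS_IN, TTL = 2, 1, 28, 1, 518400
LEGACY_UDP_LIMIT = 512   # RFC 1035 §2.3.4: UDP payload limit without EDNS(0)


def add_name(msg: bytearray, table: dict, name: str) -> None:
    """Append `name` in wire form; any suffix already in the message becomes a 2-byte pointer."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    while labels:
        suffix = ".".join(labels)
        if suffix in table:
            msg += struct.pack("!H", 0xC000 | table[suffix])   # compression pointer
            return
        table[suffix] = len(msg)                               # remember where this suffix starts
        msg += bytes([len(labels[0])]) + labels[0].encode("ascii")
        labels = labels[1:]
    msg += b"\x00"                                             # root label ends an uncompressed name


def add_rr(msg: bytearray, table: dict, owner: str, rtype: int, rdata) -> None:
    """Append one resource record; `rdata` is raw bytes or a domain name to be compressed."""
    add_name(msg, table, owner)
    msg += struct.pack("!HHI", rtype, CLASS_IN, TTL)
    rdlen_at = len(msg)
    msg += b"\x00\x00"                                         # RDLENGTH placeholder, patched below
    if isinstance(rdata, str):
        add_name(msg, table, rdata)
    else:
        msg += rdata
    struct.pack_into("!H", msg, rdlen_at, len(msg) - rdlen_at - 2)


def build_priming_response(letters: str = "abcdefghijklm", include_aaaa: bool = False) -> bytes:
    """Answer to `. IN NS`: the root NS set, plus one glue record per server in the additional section."""
    names = [f"{c}.root-servers.net." for c in letters]
    msg, table = bytearray(), {}
    arcount = len(names) * (2 if include_aaaa else 1)
    msg += struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(names), 0, arcount)  # id, QR|AA, counts
    add_name(msg, table, ".")                                                 # question: . NS IN
    msg += struct.pack("!HH", TYPE_NS, CLASS_IN)
    for n in names:
        add_rr(msg, table, ".", TYPE_NS, n)
    for i, n in enumerate(names):
        add_rr(msg, table, n, TYPE_A, bytes([192, 0, 2, i + 1]))              # constructed 192.0.2.x
    if include_aaaa:
        for i, n in enumerate(names):                                         # constructed 2001:db8::x
            add_rr(msg, table, n, TYPE_AAAA, bytes.fromhex("20010db8") + bytes(11) + bytes([i + 1]))
    return bytes(msg)


def fits_legacy_udp(msg: bytes) -> bool:
    return len(msg) <= LEGACY_UDP_LIMIT


if __name__ == "__main__":
    v4, v6 = build_priming_response(), build_priming_response(include_aaaa=True)
    print(f"13 NS + 13 A glue:       {len(v4)} bytes, fits in 512: {fits_legacy_udp(v4)}")
    print(f"13 NS + 13 A + 13 AAAA:  {len(v6)} bytes, fits in 512: {fits_legacy_udp(v6)}")
```

The IPv4-only response comes to 436 bytes; adding the 13 AAAA glue records takes it to 800 bytes, well past the legacy limit. That is the reason RFC 8109 has resolvers send the priming query with EDNS(0) and a large buffer size rather than relying on the 512-byte default.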
Physical Root Servers: 1500+
Although there are logically only 13, physically through Anycast technology, there are 1500+ root server instances distributed globally:
```text
Logical root server A (a.root-servers.net)
                 │
       ┌─────────┼─────────┐
       ↓         ↓         ↓
      USA      Europe     Asia     (anycast nodes, all announcing the same address)
     node       node      node
```
Anycast Technology:
- Same IP address deployed at multiple locations worldwide
- Users automatically connect to the nearest node
- Improves resolution speed and availability
China Root Server Mirrors
Domestic Root Mirror Distribution
As of 2024, there are 10+ root server mirrors in China:
| City | Root identities mirrored | Operator |
|---|---|---|
| Beijing | F, I, J, L | China Telecom, CNNIC |
| Shanghai | F, I, J, L | China Unicom |
| Guangzhou | F, I, J | China Telecom |
| Chengdu | F | China Mobile |
Role of Root Mirrors
- Accelerate Resolution: Domestic users access domestic mirrors directly, reducing latency
- Improve Stability: Keep resolving when international links fail, because the mirror answers locally
- Reduce International Traffic: Decrease cross-border DNS query traffic
Root Server Management
Root Zone File
The data every root server publishes is the root zone file: the NS records of every top-level domain, the glue A/AAAA records for their name servers, and, since 2010, the DS records and RRSIG signatures that DNSSEC requires. Excerpt:
```dns
; Root zone file excerpt
.       86400   IN  SOA a.root-servers.net. nstld.verisign-grs.com. (
                        2024010100 ; Serial
                        1800       ; Refresh
                        900        ; Retry
                        604800     ; Expire
                        86400 )    ; Minimum TTL
; TLD NS records
com.    172800  IN  NS  a.gtld-servers.net.
com.    172800  IN  NS  b.gtld-servers.net.
org.    172800  IN  NS  a0.org.afilias-nst.info.
cn.     172800  IN  NS  a.dns.cn.
```
Root Zone Management Process
```text
1. IANA (operated by PTI, an ICANN affiliate) receives change requests from TLD operators, validates them and edits the root zone
2. Until October 2016, NTIA (US Department of Commerce) had to approve every change; that step no longer exists
3. Verisign, as Root Zone Maintainer, signs the zone and distributes it to the root server operators
4. Each root server operator loads the new zone on all of its anycast instances
```
2016 Management Transfer (IANA stewardship transition, completed 1 October 2016):
- Before: NTIA had final approval authority over every root zone change
- After: oversight moved to ICANN's multi-stakeholder community; no government approves root zone changes
Importance of Root Servers
What If All Root Servers Failed?
Short-term Impact (While Caches Are Warm):
- Resolvers keep answering from cache; in particular, cached TLD NS sets let them skip the root entirely
- Names whose delegation chain is not cached, or whose cached records have expired, cannot be resolved
- Delegation records in the root zone carry a 172800-second (48-hour) TTL, so within about two days resolvers would lose the ability to locate TLD servers, and most of the Internet would stop resolving
Actual Risk:
- Each identity is anycast across many instances, so the loss of one site, or even one whole identity, has limited effect
- Root servers have been hit by large DDoS attacks in the past, but end users have never experienced a root outage
- Local DNS cache and TLD cache provide buffer
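The resolution chain described at the top of the page and the failure scenario above can be exercised together. The following is an added example, not code from the page: a toy iterative resolver over constructed in-memory zones (written in the record format of the root zone excerpt, with RFC 5737 addresses standing in for real servers) that walks root → TLD → authoritative, caches what it learns, and then simulates every root instance becoming unreachable. Server IPs, zone contents and the 300-second leaf TTL are assumptions of the example; the 172800-second delegation TTL is the one the real root zone uses.

```python
"""Toy iterative resolver with a TTL cache over constructed in-memory zones (added example)."""
from dataclasses import dataclass


@dataclass
class RR:
    name: str   # owner, lower-case, no trailing dot; the root is ""
    ttl: int
    type: str
    rdata: str  # NS target name or dotted IPv4 address


def norm(name):
    return name.lower().rstrip(".")


def parse_zone(text):
    """Parse 'owner TTL IN TYPE RDATA' master-file lines (subset of RFC 1035 §5 syntax)."""
    rrs = []
    for line in text.strip().splitlines():
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        rrs.append(RR(norm(owner), int(ttl), rtype, norm(rdata) if rtype == "NS" else rdata))
    return rrs


# Constructed zones modelled on the page's root zone excerpt. Delegation TTLs use the root
# zone's real 172800 s; addresses are RFC 5737 documentation addresses, not real servers.
ROOT_ZONE = parse_zone("""
com.                172800 IN NS a.gtld-servers.net.
a.gtld-servers.net. 172800 IN A  192.0.2.10
""")
COM_ZONE = parse_zone("""
example.com.        172800 IN NS ns1.example.com.
ns1.example.com.    172800 IN A  192.0.2.100
""")
EXAMPLE_ZONE = parse_zone("www.example.com.    300    IN A  192.0.2.200")
SERVERS = {"192.0.2.1": ("", ROOT_ZONE), "192.0.2.10": ("com", COM_ZONE),
           "192.0.2.100": ("example.com", EXAMPLE_ZONE)}   # server IP -> (zone apex, zone)
ROOT_HINTS = ["192.0.2.1"]                                 # what the root hints file supplies


def serve(apex, zone, qname, qtype):
    """Authoritative-server behaviour: answer from the zone, or refer to the closest child delegation."""
    answer = [rr for rr in zone if rr.name == qname and rr.type == qtype]
    if answer:
        return "answer", answer
    labels = qname.split(".") if qname else []
    for i in range(len(labels) + 1):
        cand = ".".join(labels[i:])
        if cand == apex:
            return "nxdomain", []   # nothing delegated below the apex covers this name
        ns = [rr for rr in zone if rr.name == cand and rr.type == "NS"]
        if ns:
            targets = {n.rdata for n in ns}
            return "referral", ns + [rr for rr in zone if rr.type == "A" and rr.name in targets]
    return "nxdomain", []


class Resolver:
    def __init__(self, servers, hints, now=0):
        self.servers, self.hints, self.now = servers, hints, now
        self.cache = {}     # (name, type) -> (expiry time, RRset)
        self.down = set()   # server IPs that time out (simulated outage)

    def _cached(self, name, rtype):
        hit = self.cache.get((name, rtype))
        return hit[1] if hit and hit[0] > self.now else None

    def _store(self, rrs):
        groups = {}
        for rr in rrs:
            groups.setdefault((rr.name, rr.type), []).append(rr)
        for key, rrset in groups.items():
            self.cache[key] = (self.now + min(rr.ttl for rr in rrset), rrset)

    def _closest_servers(self, qname):
        """Start at the closest cached delegation (RFC 1034 §5.3.3), else at the root hints."""
        labels = qname.split(".") if qname else []
        for i in range(len(labels) + 1):
            ns = self._cached(".".join(labels[i:]), "NS")
            ips = [a.rdata for n in (ns or []) for a in (self._cached(n.rdata, "A") or [])]
            if ips:
                return ips
        return list(self.hints)

    def resolve(self, name, qtype="A"):
        """Iterative resolution. Returns (rdata values, IPs of the servers actually consulted)."""
        qname = norm(name)
        hit = self._cached(qname, qtype)
        if hit:
            return [rr.rdata for rr in hit], []
        servers, path = self._closest_servers(qname), []
        for _ in range(10):                 # hop limit guards against referral loops
            ip = next((s for s in servers if s not in self.down), None)
            if ip is None:
                raise TimeoutError(f"no reachable server among {servers}")
            path.append(ip)
            kind, rrs = serve(*self.servers[ip], qname, qtype)
            self._store(rrs)
            if kind == "answer":
                return [rr.rdata for rr in rrs], path
            if kind == "nxdomain":
                raise LookupError(f"{name}: no such name according to {ip}")
            servers = [rr.rdata for rr in rrs if rr.type == "A"]
        raise RuntimeError("referral loop")


def root_outage_demo():
    """Cold lookup, then all root instances down: cached delegations carry on until they expire."""
    r = Resolver(SERVERS, ROOT_HINTS)
    _, cold = r.resolve("www.example.com")    # root -> .com -> example.com
    r.down.add("192.0.2.1")                     # every root instance unreachable
    r.now += 600                                # the 300 s A record expired; the NS sets did not
    _, warm = r.resolve("www.example.com")    # straight to example.com's server, no root needed
    r.now += 172800                             # 48 h later the cached delegations are gone too
    try:
        r.resolve("www.example.com")
        last = "resolved"
    except TimeoutError:
        last = "root unreachable, resolution fails"
    return cold, warm, last
```

`root_outage_demo()` returns the three stages: the cold lookup consults all three servers in order, the warm lookup after the outage begins touches only the authoritative server, and the lookup 48 hours later fails because the only path back to a TLD server runs through the unreachable root. Real resolvers add retries, negative caching and DNSSEC validation on top of this skeleton, but the dependence on the delegation TTLs is the same.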
Root Server Attack Incidents
2007:
- On 6 February 2007 a DDoS attack targeted several root servers; the identities with the fewest anycast instances at the time were affected most
- Limited user-visible impact thanks to anycast
2015:
- On 30 November and 1 December 2015 the root servers received millions of queries per second from a large-scale DDoS attack
- Some identities answered more slowly, but the service was not interrupted
Future Development of Root Servers
IPv6 Support
All 13 root server identities have an IPv6 address as well as an IPv4 address, so a resolver can prime over IPv6 alone:
```text
2001:503:ba3e::2:30   ; IPv6 address of a.root-servers.net
```
Full DNSSEC Deployment
- July 2010: the root zone was signed and the root trust anchor published; validating resolvers build their chain of trust from that key
- Root servers serve the signed zone (DNSKEY, DS and RRSIG records); validation is performed by resolvers, not by the root servers
Root Server Expansion
Root Server System Advisory Committee (RSSAC) continuously researches:
- Adding more anycast nodes
- Improving attack resistance
- Optimizing global distribution
Common Interview Questions
Q: Why are root servers mainly in the USA?
A:
- Historical reasons: Internet originated from US ARPANET
- But every identity is anycast worldwide, so where its operator is based says little about where queries are actually answered
- Management has been internationalized, no longer controlled by a single country
Q: Does China have its own root servers?
A:
- China does not have independent logical root servers (one of A-M)
- But has multiple root server mirrors providing services to domestic users through anycast
- "Yeti DNS Project" is a research root server experiment, not a replacement solution
Q: Can root servers be shut down?
A:
- The root is a distributed system with no single point of control: 12 independent operators run the 13 identities across 1500+ anycast instances
- If some identities fail, resolvers simply retry against the others
- Stopping the root entirely would require taking down every instance of all 13 identities at once, and even then anyone holding a copy of the root zone can serve it to their own resolvers locally (RFC 8806)
Summary
| Aspect | Description |
|---|---|
| Logical Count | 13 (A-M) |
| Physical Count | 1500+ (through anycast) |
| Core Function | Starting point of DNS resolution, directs to TLD servers |
| Managing Organization | IANA manages, multi-stakeholder community supervises |
| China Situation | Multiple mirror nodes, no independent logical root server |
| Security Mechanisms | Anycast technology, DNSSEC, distributed architecture |