IBM Cloud Docs
DNS concepts

This document contains some concepts and definitions that are related to the internet's domain name system (DNS) and how it affects your IBM Cloud® Internet Services (CIS) deployment.

The Domain Name System (DNS) underpins the web. It works transparently in the background, converting human-readable website names into computer-readable, numerical IP addresses that follow the internet's RFC 1918 guidelines for IPv4 and RFC 4193 for IPv6. In short, DNS servers match domain names, such as ibm.com, to their associated IP addresses, so that users never need to know the addresses themselves.

DNS looks up this hostname-to-IP-address mapping across a network of linked DNS servers on the internet, much as a person might look up an address in a phone book or on a map.

Name servers

A name server implements services that provide responses to queries against a directory service. It translates meaningful, text-based web or host identifiers into IP addresses.

Name server delegation takes place when the name server for a domain receives a request for a subdomain's records and responds with a referral to the name server that has been delegated that subdomain. This capability allows you to decentralize the management of a large domain (such as ibm.com).

A custom domain name server lets you use the DNS provider's servers under a hostname that you choose for your own domain. For example, you can define your name server to be ns1.cloud.ibm.com instead of ns1.acme.com.

Secure DNS

DNSSEC is a technology that digitally signs DNS data so that a resolver can verify the data is valid and has not been altered. For the chain of trust to be unbroken, DNSSEC must be deployed at every step of the lookup, from the root zone down to the final domain name (for example, www.icann.org).

Root record CNAME flattening

IBM CIS supports the "CNAME Flattening" feature. With this method, a root record can overcome the IETF RFC restriction that a CNAME record cannot coexist with any other records at the same name. CIS authoritative servers overcome this restriction by returning the A records that correspond to the CNAME target instead of returning the CNAME itself, effectively hiding the CNAME. This technique allows other records, such as MX records, to be added at the domain apex even though the root record is a CNAME.

Proxying DNS records and global load balancers

IBM CIS supports proxying for global load balancers and DNS records. When a record or load balancer is proxied, it means that its traffic runs directly through CIS.

Currently, DNS records of type A, AAAA, or CNAME can be proxied.

Setting proxy modes

Load balancers and DNS records support both DNS-only and HTTP proxy modes. You can have HTTP proxy and DNS-only domains in the same CIS instance, but the traffic routing behavior differs as follows:

  • Traffic for records that are proxied flows through CIS.
  • Traffic for records that are nonproxied (DNS-only mode) flows directly from the client to the origin.

HTTP proxy mode

In HTTP proxy mode, CIS announces IBM IP addresses externally, but protects (masks) your origin server IP addresses. The announced IP address records have an automatic TTL.

Using HTTP proxy mode offers the following benefits:

  • Traffic flows through CIS where all the security, performance, and reliability features such as firewall rules and caching, are applied.
  • The "automatic" TTL (five minutes) reduces the number of authoritative queries that are made against CIS.

DNS-only mode

In DNS-only mode, records are resolved to the origin IP and you can customize the TTL for your records. For global load balancers, CIS serves the addresses of the healthy origin servers directly, but relies on DNS resolvers honoring the short TTL and re-querying CIS DNS for an updated list of healthy addresses.

In DNS-only mode, none of the CIS security, performance, and reliability features are applied.
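The following added example (illustrative code, not IBM CIS's own implementation) models two behaviours described on this page in a toy authoritative responder: root-record CNAME flattening, and the difference between proxied answers (edge addresses, automatic five-minute TTL) and DNS-only answers (origin address, custom TTL). The zone, hostnames, edge addresses and TTLs are constructed for the example.

```python
# Toy authoritative responder for CNAME flattening and proxy modes. Zone data,
# edge addresses and TTLs are constructed for illustration only.
AUTO_TTL = 300                      # "automatic" five-minute TTL on proxied answers
MAX_CHAIN = 8                       # stop following CNAME chains beyond this depth
PROXIABLE = {"A", "AAAA", "CNAME"}  # the only record types that can be proxied
EDGE = {"A": ["203.0.113.1", "203.0.113.2"], "AAAA": ["2001:db8::1"]}  # constructed edge IPs

# Records are (rtype, rdata, ttl, proxied); the apex holds a CNAME plus an MX.
ZONE = {
    "example.com.":      [("CNAME", "lb.example.net.", 3600, False),
                          ("MX", "10 mail.example.com.", 3600, False)],
    "lb.example.net.":   [("A", "192.0.2.10", 60, False), ("A", "192.0.2.11", 60, False)],
    "mail.example.com.": [("A", "192.0.2.25", 3600, False)],
    "www.example.com.":  [("A", "192.0.2.80", 120, True)],   # proxied (HTTP proxy mode)
    "api.example.com.":  [("A", "192.0.2.81", 120, False)],  # DNS-only, custom TTL
    "blog.example.com.": [("CNAME", "lb.example.net.", 900, False)],
}

def records(zone, name, rtype):
    return [r for r in zone.get(name, []) if r[0] == rtype]

def flatten(zone, name, rtype, ttl_cap=None, hops=0):
    """Follow CNAMEs from name; answer TTL is capped by every CNAME on the chain."""
    cn = records(zone, name, "CNAME")
    if not cn:
        return [(r[0], r[1], r[2] if ttl_cap is None else min(r[2], ttl_cap))
                for r in records(zone, name, rtype)]
    if hops >= MAX_CHAIN:   # dangling or looping chain: answer empty, never recurse forever
        return []
    cap = cn[0][2] if ttl_cap is None else min(ttl_cap, cn[0][2])
    return flatten(zone, cn[0][1], rtype, cap, hops + 1)

def answer(zone, name, rtype, apex="example.com."):
    """What the authoritative server returns for (name, rtype) as (rtype, rdata, ttl)."""
    rrs = zone.get(name, [])
    if any(r[3] and r[0] in PROXIABLE for r in rrs):        # HTTP proxy mode
        if rtype in ("A", "AAAA"):                           # origin IP is masked
            return [(rtype, ip, AUTO_TTL) for ip in EDGE[rtype]]
        if rtype == "CNAME":
            return []
    cn = records(zone, name, "CNAME")
    if cn and name == apex:                                  # CNAME flattening at the root
        if rtype in ("A", "AAAA"):
            return flatten(zone, name, rtype)
        if rtype == "CNAME":
            return []                                        # the CNAME itself is hidden
    elif cn and rtype != "CNAME":                            # ordinary CNAME: resolver chases it
        return [(r[0], r[1], r[2]) for r in cn]
    return [(r[0], r[1], r[2]) for r in records(zone, name, rtype)]  # DNS-only, own TTL
```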