Cold Start DNS


Cold start DNS | APNIC Blog


Image by Henryk Niestrój from Pixabay.

The Domain Name Service (DNS) Working Group meets at every RIPE meeting. I found this presentation from RIPE 92, held in May 2026, to be particularly interesting.

This presentation, by Internet Systems Consortium’s (ISC’s) Ondřej Surý, was on the topic of DNS provisioning, looking at how to strike a balance between resilience and efficiency in the provisioning of nameservers of DNS zones and the performance of DNS resolvers.

An interesting way to look at this topic is to start with a single DNS recursive resolver that is in a cold start state, where there is nothing held in the resolver’s local cache. It’s an easy experiment to replicate, so let’s start with my web server domain name, www.potaroo.net, and use a local Bind recursive resolver, running version 9.20.23.

It takes this recursive resolver four queries to perform this resolution function. The resolver has loaded the IP addresses of the root servers from its configuration data, so the first query is to refresh this root server data by querying one of these root server IP addresses with a query for the nameservers of the root zone:

Q: NS? .
A: NS i.root-servers.net., NS d.root-servers.net. …
Additional: m.root-servers.net. A 202.12.27.33, …

The resolver then asks one of these servers for the nameservers for the .net zone:

Q: NS? net.
A: NS f.gtld-servers.net., NS m.gtld-servers.net., …
Additional: f.gtld-servers.net. A 192.55.83.30, …

The third query is to one of these servers, and it’s after the nameservers for potaroo.net:

Q: NS? potaroo.net.
A: NS ns1.potaroo.net., NS ns2.potaroo.net
Additional: ns1.potaroo.net. A 203.133.248.2, …

The final query is for the terminal name, www.potaroo.net:

Q: A? www.potaroo.net.
A: A 203.133.248.108

This is as few queries as one can make to resolve a name that has three labels, and each label is a zone cut-point. In this case, the resolver is performing query name minimisation, but the result would be the same if it were asking for the A record for www.potaroo.net in each case, as it would receive the same information in the referral responses from the root and .net servers.

In contrast, there are domain names that present a far more detailed resolution pattern. Ondřej’s example was teams.microsoft.com, which took his Bind resolver, running version 9.16, a total of 247 queries! My cold-start Bind resolver running 9.20 took just 94 queries, and Ondřej noted that 9.21 has managed to cut this down to 29 queries.

In some ways, this is a contrived question, as it’s unusual for users to encounter a cold-start recursive resolver. In a more conventional environment, many of these queries are answerable by the resolver’s warm cache and are avoided as a result. In any case, it’s useful to ask why teams.microsoft.com is such a challenging name to resolve.

CNAMES

CNAMEs, so popular with Content Distribution Networks (CDNs) due to their ability to isolate a single label out of the control of one DNS zone and insert it into another zone, are one of the challenges to name resolution.

A CNAME has the effect of restarting the resolver’s name resolution process with the target name. In the case of teams.microsoft.com, there is a sequence of four CNAME records, causing the resolver to perform a total of five name resolutions in sequence:

teams.microsoft.com. CNAME teams.office.com.
teams.office.com. CNAME tmc-g2.tm-4.office.com.
tmc-g2.tm-4.office.com. CNAME teams-office-com.s-0005.dual-s-msedge.net.
teams-office-com.s-0005.dual-s-msedge.net. CNAME s-0005.dual-s-msedge.net.

In the first CNAME, teams.microsoft.com. to teams.office.com, the resolver has already cached the nameservers for .com, so the resolution of the second name can commence with a query to an already cached .com nameserver for the name office.com. The second CNAME, teams.office.com. to tmc-g2.tm-4.office.com., can use the local cache for the office.com nameservers. The next CNAME directs the resolver to restart from the root zone to query for the .net servers.

The longer the CNAME chain, and the more its elements are spread across different top-level domains, the greater the cold-start query load.
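The four-query walk-through for www.potaroo.net and the CNAME restart behaviour described above can be reproduced offline with a toy model. This is an added example, not code from the presentation or from Bind. The zone cuts chosen for the Microsoft names and the 192.0.2.1 address are assumptions, and the model ignores nameserver-name lookups, so its counts are a floor under those assumptions, not a prediction of what Bind sends.

```python
# Constructed model: the zone cuts below and the 192.0.2.1 address are assumptions.
ZONES = {  # zone apex -> records held by that zone's authoritative servers
    ".": {}, "com.": {}, "net.": {},
    "potaroo.net.": {"www.potaroo.net.": ("A", "203.133.248.108")},
    "microsoft.com.": {"teams.microsoft.com.": ("CNAME", "teams.office.com.")},
    "office.com.": {
        "teams.office.com.": ("CNAME", "tmc-g2.tm-4.office.com."),
        "tmc-g2.tm-4.office.com.":
            ("CNAME", "teams-office-com.s-0005.dual-s-msedge.net."),
    },
    "dual-s-msedge.net.": {
        "teams-office-com.s-0005.dual-s-msedge.net.":
            ("CNAME", "s-0005.dual-s-msedge.net."),
        "s-0005.dual-s-msedge.net.": ("A", "192.0.2.1"),  # placeholder
    },
}

def ancestors(name):  # enclosing domains, deepest first, ending at the root
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]

class ColdResolver:
    def __init__(self):
        self.known_zones = set()  # apexes whose nameservers are cached
        self.log = []             # (zone queried, question) per query sent
    def resolve(self, name, max_cnames=8):
        if not self.known_zones:  # cold start: priming query to a root hint
            self.log.append((".", "NS ."))
            self.known_zones.add(".")
        for _ in range(max_cnames + 1):
            chain = ancestors(name)
            # Begin at the deepest enclosing zone already in the cache.
            zone = next(a for a in chain if a in self.known_zones)
            # One referral query per zone cut between there and the name.
            for cut in reversed(chain[:chain.index(zone)]):
                if cut in ZONES:
                    self.log.append((zone, f"NS {cut}"))
                    self.known_zones.add(cut)
                    zone = cut
            self.log.append((zone, f"A {name}"))
            rtype, value = ZONES[zone].get(name, ("NXDOMAIN", None))
            if rtype != "CNAME":
                return rtype, value
            name = value  # a CNAME restarts resolution at the target name
        raise RuntimeError("CNAME chain exceeds max_cnames")

def cold_start_queries(name):
    resolver = ColdResolver()
    return resolver.resolve(name), len(resolver.log)
```

Reusing one `ColdResolver` for a second name shows the warm-cache effect: only the zone cuts not yet in `known_zones` cost a referral query.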

Glue

The next factor is the resolution of the names of the nameservers. A delegation in the DNS lists the names of the DNS servers that are authoritative for the delegated zone. It is not possible to delegate a domain to an IP address, so it is left to the resolution process to resolve these nameserver names into IP addresses.

In some circumstances, the responding server will also provide the IP addresses of the listed nameservers in the form of glue records in the Additional Section of a DNS response. If the name of the nameserver lies within the delegated zone, then it’s essential to include these glue records for the nameservers, as otherwise the resolver has no ability to proceed with the resolution operation. Such nameserver names are...
