How DNS Works in Firezone

Submitted by Style Pass, 2024-05-08 18:00:08

Firezone's approach to DNS works a bit differently than one might expect. One question we get a lot is, "Why do my DNS Resources resolve to different IPs with Firezone enabled?" Great question. Let's explain that now.

What follows is a quick recap of how DNS works, a couple of the security issues it faces, and how Firezone's DNS-based traffic routing was designed to address them.

At a high level, DNS is a hierarchical system that distributes the responsibility of resolving a fully-qualified domain name (FQDN) to a series of nameservers, each one responsible for resolving a different part.

On today's internet, a full, uncached resolution typically takes tens to a few hundred milliseconds. Caching resolvers speed this up by storing the answer to a query for a period set by the authoritative server on each record, known as the record's time-to-live (TTL). So if a host makes the same query multiple times, the upstream resolver can return the result immediately (assuming the TTL hasn't expired) without having to walk the hierarchy of root, TLD, and authoritative nameservers again. This can speed up query times by orders of magnitude, to the point where a cached answer from a nearby resolver is nearly instantaneous.
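To make the two ideas above concrete, here is an added example (not code from the original post or from the Firezone project) of a toy iterative resolver: it walks a constructed, in-memory root → TLD → authoritative chain by following NS referrals, and caches the answer for the record's TTL so that a repeated query within the TTL costs zero upstream queries. The zone data, server names and the 192.0.2.10 address are made up for illustration; real resolvers also handle glue, negative caching and many other details this omits.

```python
"""Toy iterative DNS resolver with a TTL-honoring cache (constructed, offline).

Zone data below is made up for illustration; it stands in for the root
servers, the .com TLD servers and the authoritative servers for example.com.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Each simulated nameserver is a dict: (owner, rrtype) -> [(ttl, rdata), ...].
# A delegation (referral) is expressed as an NS record at the zone cut.
ROOT = {
    ("com.", "NS"): [(172800, "a.gtld-servers.net.")],
}
COM_TLD = {
    ("example.com.", "NS"): [(172800, "ns1.example.com.")],
}
EXAMPLE_AUTH = {
    ("www.example.com.", "A"): [(60, "192.0.2.10")],  # hypothetical address, 60 s TTL
}
# Maps an NS name to the server it represents (glue, simplified).
SERVERS = {
    ".": ROOT,
    "a.gtld-servers.net.": COM_TLD,
    "ns1.example.com.": EXAMPLE_AUTH,
}


@dataclass
class Resolver:
    # (qname, qtype) -> (absolute expiry time, rdata list)
    cache: Dict[Tuple[str, str], Tuple[float, List[str]]] = field(default_factory=dict)
    upstream_queries: int = 0  # how many times we had to ask a nameserver

    def _ask(self, server: str, qname: str, qtype: str):
        """Send one query to a simulated nameserver and classify its reply."""
        self.upstream_queries += 1
        zone = SERVERS[server]
        if (qname, qtype) in zone:
            return "answer", zone[(qname, qtype)]
        # No answer: look for the closest enclosing delegation to refer us to.
        labels = qname.split(".")
        for i in range(1, len(labels)):
            cut = ".".join(labels[i:])
            if (cut, "NS") in zone:
                return "referral", zone[(cut, "NS")]
        return "nxdomain", []

    def resolve(self, qname: str, qtype: str, now: float) -> Tuple[List[str], bool]:
        """Return (rdata, served_from_cache). Walks root -> TLD -> authoritative."""
        key = (qname, qtype)
        if key in self.cache:
            expires, rdata = self.cache[key]
            if now < expires:
                return rdata, True      # cache hit: no upstream traffic at all
            del self.cache[key]         # TTL expired: must re-resolve
        server = "."
        for _ in range(10):             # bound the referral chase
            kind, rrs = self._ask(server, qname, qtype)
            if kind == "answer":
                ttl = min(t for t, _ in rrs)       # cache for the shortest TTL in the set
                rdata = [r for _, r in rrs]
                self.cache[key] = (now + ttl, rdata)
                return rdata, False
            if kind == "referral":
                server = rrs[0][1]      # follow the delegation to the next server
                continue
            return [], False            # NXDOMAIN (no negative caching in this toy)
        raise RuntimeError("too many referrals")


def simulate() -> List[Tuple[bool, int]]:
    """Three lookups of the same name: cold, within TTL, after TTL expiry."""
    r = Resolver()
    out = []
    for now in (0.0, 30.0, 61.0):
        _, hit = r.resolve("www.example.com.", "A", now)
        out.append((hit, r.upstream_queries))
    return out


if __name__ == "__main__":
    for hit, n in simulate():
        print("cache hit" if hit else "full resolution", "- upstream queries so far:", n)
```

The cold lookup costs three upstream queries (root referral, TLD referral, authoritative answer); the lookup at t=30 s is served from cache with none; at t=61 s the 60-second TTL has elapsed and the resolver walks the hierarchy again.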

DNS works today almost exactly as it did when it was first introduced to the ARPANET in the early 1980s. But the internet has changed a lot since then, and security issues have emerged that the original design didn't account for.
