Can the United States make China disappear from the Internet?

Let’s talk about an interesting topic today.

There are 13 root domain name servers in the world, and the main root domain name server is in the United States.

Is it possible for the United States to cut off China's Internet through the root domain name server?

Before we talk about the conclusion, let us first understand:

  • How does DNS work?
  • Why are there only 13 root domain name servers?
  • Can the United States eliminate China from the Internet?

How does DNS work?

When we surf the Internet, we enter the website's domain name in the browser, not the IP address of the web server.

The reason is very simple. The relationship between domain names and IP addresses is like our mobile phone address book, using the other party's name to correspond to its mobile phone number. In this way, every time you make a call, you can directly look up the name in the address book to find the other party's mobile phone number, without having to remember the other party's mobile phone number.

IP addresses and mobile phone numbers are long strings of numbers, and it is quite difficult to remember them.

Therefore, in order to make it more comfortable for netizens to surf the Internet, a DNS server, or domain name resolution server, was set up. It can find the IP address of the web server through the domain name we enter, and then the browser sends a request to the web server.

Domain names are separated by periods, such as www.server.com. The periods here represent the boundaries between different levels. The closer to the right, the higher the level.

The root domain is at the top level, the next level is the com top-level domain, and below that is server.com, so the hierarchical relationship of domain names is similar to a tree structure:

  • Root DNS Servers
  • Top-level domain DNS server (com)
  • Authoritative DNS server (server.com)

Our computers do not actually access the root domain name server directly, but access our "local DNS server", which accesses the root domain name server, and when resolving domain names, it is a recursive process.

What is domain name resolution?

Let's take a specific example. For example, if the client requests the domain name www.server.com, the process of resolving the domain name is as follows:

  • The client will first send a DNS request, asking what the IP address of www.server.com is, and send it to the local DNS server (that is, the DNS server address filled in the client's TCP/IP settings).
  • After receiving the client's request, the local DNS first checks its cache. If it finds www.server.com there, it returns the IP address directly. If not, the local DNS asks the root domain name server: "Boss, can you tell me the IP address of www.server.com?" The root domain name server is the highest level. It is not directly used for domain name resolution, but it can point out a path.
  • After receiving the request from the local DNS, the root DNS finds that the suffix is .com and says: "The domain name www.server.com is managed by the .com zone. I will give you the .com top-level domain name server address, and you can go ask it."
  • After receiving the address of the top-level domain name server, the local DNS sends a request asking, "Second brother, can you tell me the IP address of www.server.com?"
  • The top-level domain name server said: "I will give you the address of the authoritative DNS server responsible for the www.server.com zone. You should be able to get it when you ask it."
  • The local DNS then turns to the authoritative DNS server and asks: "Old Third, what is the IP address of www.server.com?" The authoritative DNS server of server.com is the original source of the domain name resolution result. Why is it called authoritative? It means that I have the final say over my domain name.
  • After querying, the authoritative DNS server tells the local DNS the corresponding IP address XXXX.
  • The local DNS then returns the IP address to the client, and the client establishes a connection with the target.

At this point, we have completed the DNS resolution process. I drew a diagram of the whole process:

The process of domain name resolution is quite interesting. The whole process is similar to the process of asking someone for directions in our daily life. They only point the way but don’t lead the way.

Does that mean that every time a domain name is resolved, it has to go through so many steps?

Of course not, there is also this thing called cache.

The browser will first check whether it has a cache for this domain name. If it does, it will return directly. If not, it will ask the operating system. The operating system will also look at its own cache. If it does, it will return directly. If not, it will check the hosts file. If there is no cache, it will ask the "local DNS server".
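The walk from root to TLD to authoritative server described above, together with the cache from the previous paragraph, as an added example that is not part of the original post. The three name servers, their 192.0.2.x addresses (RFC 5737 test range) and the zone data are constructed stand-ins; each server only points the way, and the local DNS keeps the final answer until its TTL expires.

```python
import time

TTL = 3600  # seconds; constructed value for the cached answer

# Constructed zone data for three imaginary name servers (RFC 5737 test
# addresses, not real servers). Each server maps the names it knows about to
# either a referral ("go ask that server") or a final answer.
ROOT_HINTS = ["192.0.2.1"]  # stand-in for the built-in root server list
SERVERS = {
    "192.0.2.1":  {"com.": ("referral", "192.0.2.10")},           # root
    "192.0.2.10": {"server.com.": ("referral", "192.0.2.20")},    # .com TLD
    "192.0.2.20": {"www.server.com.": ("answer", "192.0.2.30")},  # authoritative
}


def ask(server_ip, qname):
    """What does this server know about qname? Return its longest matching entry."""
    table = SERVERS[server_ip]
    for suffix in sorted(table, key=len, reverse=True):
        if qname == suffix or qname.endswith("." + suffix):
            return table[suffix]
    return ("nxdomain", None)


class LocalDns:
    """The local DNS server: walks the root -> TLD -> authoritative chain and caches."""

    def __init__(self, now=time.time):
        self.cache = {}  # qname -> (ip, expiry time)
        self.now = now

    def resolve(self, qname, max_hops=10):
        """Return (ip or None, list of servers that were actually asked)."""
        hit = self.cache.get(qname)
        if hit and hit[1] > self.now():
            return hit[0], []  # served from cache: nobody upstream is asked
        asked, server = [], ROOT_HINTS[0]
        for _ in range(max_hops):
            asked.append(server)
            kind, target = ask(server, qname)
            if kind == "referral":
                server = target  # each server only points the way
            elif kind == "answer":
                self.cache[qname] = (target, self.now() + TTL)
                return target, asked
            else:
                return None, asked
        return None, asked  # referral loop or chain too deep


if __name__ == "__main__":
    r = LocalDns()
    print(r.resolve("www.server.com."))  # full walk: 3 servers asked
    print(r.resolve("www.server.com."))  # second time: cache hit, [] asked
```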

Why does the “local DNS server” know the IP address of the root domain name server?

There are only 13 root domain name servers in the world. These 13 root domain name servers are named in sequence from A to M.

Domain names are in the format "letter.root-servers.org" and their IP addresses rarely change.

Therefore, the "local DNS server" will have a built-in configuration file for the root domain name server. By reading this configuration file, the IP address of the root domain name server can be found.

The following figure is part of the configuration file of 13 root domain name servers:

Some students may say that this is a static configuration file. If the IP address of a root domain name server changes, how can we know it?

In fact, when the "local DNS server" is started for the first time, it does not simply trust this static configuration file; it first queries for the current IP list of the root domain name servers. The transport protocol used in this query is UDP.

In addition, you can see that the TTL value of all records in the above figure is 3600000 seconds, which is equivalent to 1000 hours. In other words, the list of root domain name servers will be queried once every 1000 hours.

Why are there only 13 root domain name servers?

Strictly speaking, there are 13 "IPv4 protocol" root domain name servers in the world, and there are more than 13 root nodes for IPv6.

Note that these 13 do not mean that there are only 13 real physical servers behind them. These 13 correspond to 13 IP addresses, one for each of the 13 letters A to M. Through Anycast technology, root servers with the same letter use the same IP (similar to a cluster).

Anycast was first proposed by RFC1546 and is mainly used on DNS root servers. The specific explanation is as follows:

Anycast means that a group of hosts that provide specific services are identified by an IP address on the IP network. The service accessor does not care which host provides the service. The message accessing the address can be routed by the IP network to the "nearest" server (preferably only one, not multiple). Here, "nearest" can refer to characteristic values such as the number of router hops, server load, server throughput, round trip time (RTT) between the client and the server, and available bandwidth of the link.

Why only 13?

I mentioned earlier that the transmission protocol used to query the IP list of the root domain name server is UDP.

When the UDP packet size exceeds the MTU, it will be fragmented at the IP layer, but only the first fragment has the UDP header field (which means it contains the port number). Since the other fragments do not have the UDP header field (which means there is no port number), whether they can pass through the firewall depends entirely on the firewall, because the firewall may check the port number.

Therefore, the best communication effect is to prevent the UDP packet size from exceeding the MTU size to prevent fragmentation at the IP layer.

The MTU of most Internet network interfaces is >= 512, so RFC1035 stipulates that the DNS message must be controlled within 512 bytes.

A DNS message that queries the root domain name server information must be able to contain the basic information of all root domain name service nodes. Because of the limitation of 512 bytes, the root domain name service nodes must of course be limited.

I won't go into the specific calculation details, but it was ultimately determined that a 512-byte DNS message could hold the information of 14 root domain name server nodes. However, people at the time thought it would be a good idea to keep some headroom rather than use it all, so they limited it to 13 root domain name servers.
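The calculation the text skips, as an added example that is not part of the original post: it builds the answer to the root server list query (a "." IN NS query, with the 3600000-second TTL shown earlier) in RFC 1035 wire format, one NS record plus one A record per server, applying label compression, and measures the result against the 512-byte limit. The query ID and the 192.0.2.x glue addresses are constructed placeholders, not the real root server addresses.

```python
import struct

NS, A, IN = 2, 1, 1  # RR type / class codes from RFC 1035
TTL = 3600000        # the TTL shown on the root server records
# The 13 root server names; the glue addresses below are constructed (RFC 5737).
ROOT_SERVERS = [chr(ord("a") + i) + ".root-servers.net" for i in range(13)]


def encode_name(name, offsets, base):
    """Wire-encode a name. `offsets` maps already-seen suffixes to their
    message offset for RFC 1035 label compression (None disables it);
    `base` is the offset in the message where this name will start."""
    labels = [l for l in name.split(".") if l]
    out = b""
    while labels:
        suffix = ".".join(labels)
        if offsets is not None and suffix in offsets:
            return out + struct.pack("!H", 0xC000 | offsets[suffix])  # pointer
        if offsets is not None:
            offsets[suffix] = base + len(out)
        label = labels.pop(0).encode("ascii")
        out += bytes([len(label)]) + label
    return out + b"\x00"  # empty root label ends the name


def priming_response(servers, compress=True):
    """Build the answer to a '. IN NS' query: one NS record per root server
    plus one A (glue) record each, which is what the local DNS needs."""
    offsets = {} if compress else None
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(servers), 0, len(servers))
    msg += encode_name(".", offsets, len(msg)) + struct.pack("!HH", NS, IN)
    for name in servers:                       # answer section: NS records
        msg += encode_name(".", offsets, len(msg))
        rdata = encode_name(name, offsets, len(msg) + 10)  # after 10 fixed bytes
        msg += struct.pack("!HHIH", NS, IN, TTL, len(rdata)) + rdata
    for i, name in enumerate(servers):         # additional section: A glue
        msg += encode_name(name, offsets, len(msg))
        msg += struct.pack("!HHIH", A, IN, TTL, 4) + bytes([192, 0, 2, i + 1])
    return msg


def fits_in_udp(servers):
    """True when the priming response stays within RFC 1035's 512-byte limit."""
    return len(priming_response(servers)) <= 512


if __name__ == "__main__":
    print(len(priming_response(ROOT_SERVERS)))                  # 436 bytes
    print(len(priming_response(ROOT_SERVERS, compress=False)))  # 862 bytes
    print(fits_in_udp(ROOT_SERVERS))                            # True
```

Without compression the same 13 servers would already overflow the limit, which is why the shared root-servers.net suffix matters so much to the count.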

Can the United States eliminate China from the Internet?

As we know above, there are 13 root domain name servers.

One of them is the primary root domain name server, located in the United States, and the remaining 12 are auxiliary root domain name servers, 9 of which are located in the United States, 2 in Europe, located in the United Kingdom and Sweden, and 1 in Asia, located in Japan.

As you can see, we do not have a root domain name server in China, and the main root domain name server is in the United States and managed by ICANN.

If the United States terminates the resolution and application of the .cn suffix, will it cause the Chinese network to be paralyzed?

Let me first state the conclusion: there is no need to worry about this.

Although the root domain name servers are all located abroad, we already have many "mirror root domain name servers" in China, which synchronize data from the main root domain name server to the domestic root domain name servers. This means that we already have a backup of the commonly used records of the root domain name server, which is equivalent to having our own root server.

Even if the United States deletes the .cn record from the main root domain name server, there is no need to worry, because we maintain a mirror of the root domain name server, we control the content of the mirror ourselves, and we do not have to synchronize the deletion of the .cn record.

Do you remember who accesses the root domain name server? It is the local DNS server, which is generally managed by domestic network operators. As long as the request to the root domain name server is made in China, it is actually answered by these mirrors. For Chinese users, the request to the root generally does not go to the United States.

Therefore, domestic users are basically not affected. However, other countries may not be able to access websites with the .cn suffix.

PS: The United States has done this before, terminating the application and resolution of Iraq's top-level domain name .iq, which made all websites with the .iq suffix unreachable and caused Iraq to disappear from the Internet.
