Tuesday, August 18, 2009

Difference between DBMS and RDBMS

A DBMS has to be persistent: the data it stores must remain accessible after the program that created it has exited or restarted. A DBMS also has to provide uniform methods, independent of any specific application, for accessing the information that is stored.

An RDBMS is a Relational Database Management System. It adds the further condition that the system represents data as tables (relations) and enforces the relationships between those tables through declared constraints. This excludes databases that do not use a tabular structure or that do not enforce relationships between tables.

Many DBAs think that an RDBMS is by definition a client/server database system, but that is not the case: client/server is a deployment architecture, not part of the relational definition.

You can say that a plain DBMS imposes no constraints on data manipulation: it is the user's or the programmer's responsibility to keep the data consistent and to provide the ACID properties. An RDBMS is stricter in this regard. Integrity constraints (primary keys, unique keys, foreign keys, check constraints) are declared in the schema and the engine enforces them on every write, and transactions give atomicity, consistency, isolation and durability without the application having to implement them itself.

I have found many answers on many websites saying that a DBMS is for smaller organizations with small amounts of data, where security of the data is not a major concern, and that an RDBMS is designed to handle large amounts of data and also the security of that data. This is completely wrong by the definitions of RDBMS and DBMS.
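The difference in enforcement is easiest to see by trying to break the rules. The following is an added example (not from the original post) using Python's built-in sqlite3 module: the schema declares a primary key and a foreign key, the engine rejects rows that violate them, and a batch insert that fails part-way is rolled back as a unit. The table and the first row are taken from the key example later in the post; the enrolment table is an assumption added for the foreign-key case.

```python
import sqlite3


def build_db():
    """Open an in-memory SQLite database with the constraints declared in the schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite enforces foreign keys only when asked
    conn.executescript("""
        CREATE TABLE student (
            roll_number TEXT PRIMARY KEY,       -- the candidate key declared as primary key
            first_name  TEXT NOT NULL,
            last_name   TEXT NOT NULL
        );
        CREATE TABLE enrolment (                -- assumed table, added for the example
            roll_number TEXT NOT NULL REFERENCES student(roll_number),  -- referential integrity
            course      TEXT NOT NULL,
            PRIMARY KEY (roll_number, course)
        );
        INSERT INTO student VALUES ('CSU0001', 'Shabbir', 'Bhimani');
    """)
    return conn


def try_insert(conn, sql, params):
    """Run one INSERT. True if the engine accepted the row, False if a constraint rejected it."""
    try:
        with conn:                      # the connection context manager commits or rolls back
            conn.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False


def insert_batch(conn, rows):
    """Insert several students as ONE transaction: either every row lands or none does."""
    try:
        with conn:
            for row in rows:
                conn.execute("INSERT INTO student VALUES (?, ?, ?)", row)
        return True
    except sqlite3.IntegrityError:
        return False                    # rows inserted before the failure were rolled back


def count_students(conn):
    return conn.execute("SELECT COUNT(*) FROM student").fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    print(try_insert(db, "INSERT INTO student VALUES (?, ?, ?)", ("CSU0001", "Dup", "Row")))
    print(try_insert(db, "INSERT INTO enrolment VALUES (?, ?)", ("CSU0099", "CS101")))
    print(insert_batch(db, [("CSU0002", "SomeName", "SurName"), ("CSU0001", "Dup", "Row")]))
    print(count_students(db))
```

The application never checks for duplicates or dangling references itself; the engine does, which is exactly the point of the relational model's declared constraints. Note that SQLite, unlike most RDBMSs, leaves foreign keys off until the PRAGMA is set, so a schema that looks correct can still silently accept orphans if that line is forgotten.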

Difference between Superkey, Candidate Key and Primary Key

A superkey is a set of attributes of a relation such that, in every value the relation variable can take, no two distinct tuples (rows) have the same values for all the attributes in that set. As an example:
Code:
+-------------+------------+-----------+
| Roll Number | First Name | Last Name |
+-------------+------------+-----------+
| CSU0001     | Shabbir    | Bhimani   |
| CSU0002     | SomeName   | SurName   |
| CSU0003     | Larry      | page      |
+-------------+------------+-----------+
Here Roll Number identifies every student, so the following sets are all superkeys: 1. Roll Number 2. Roll Number, First Name 3. Roll Number, Last Name 4. Roll Number, First Name, Last Name. Now in plain language.
A unique key together with any combination of other, non-unique attributes is still a superkey of the relation, because adding attributes can never make two distinct rows collide. A candidate key of a relation is a minimal superkey, i.e. a superkey of which no proper subset is also a superkey. In the example Roll Number is the candidate key; Roll Number plus First Name is a superkey but not a candidate key, because its subset Roll Number already identifies the rows. Since a relation is a set (no duplicate tuples), every relation has at least one candidate key, because the entire heading is always a superkey. For practical reasons an RDBMS usually requires that for each table one of its candidate keys be declared as the primary key; any other candidate keys can be declared as unique constraints so that the engine enforces them too.
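Minimality is easy to check mechanically. The following is an added example (not from the original post) that takes the rows of the table above plus one constructed fourth row, which repeats a first name and a last name so that not every single attribute is unique, and enumerates which attribute sets are superkeys and which of those are minimal (candidate keys). One caveat a practitioner should keep in mind: a key is a constraint on all legal values of the relation, not a property of the rows that happen to be present, so enumerating over a snapshot finds sets that are unique now (First Name plus Last Name here) rather than sets that are guaranteed to stay unique. That is why the key is declared in the schema instead of inferred from data.

```python
from itertools import combinations

# Constructed sample relation: the three rows from the post's table plus one added row.
ATTRS = ("roll_number", "first_name", "last_name")
ROWS = [
    ("CSU0001", "Shabbir",  "Bhimani"),
    ("CSU0002", "SomeName", "SurName"),
    ("CSU0003", "Larry",    "page"),
    ("CSU0004", "Larry",    "Bhimani"),   # added row: duplicates a first name and a last name
]


def is_superkey(subset, attrs=ATTRS, rows=ROWS):
    """True if no two rows agree on every attribute in `subset`."""
    idx = [attrs.index(a) for a in subset]
    seen = set()
    for row in rows:
        projection = tuple(row[i] for i in idx)
        if projection in seen:
            return False
        seen.add(projection)
    return True


def superkeys(attrs=ATTRS, rows=ROWS):
    """Every non-empty attribute set that is a superkey of the given rows."""
    found = []
    for n in range(1, len(attrs) + 1):
        for subset in combinations(attrs, n):
            if is_superkey(subset, attrs, rows):
                found.append(frozenset(subset))
    return found


def candidate_keys(attrs=ATTRS, rows=ROWS):
    """Minimal superkeys: those with no proper subset that is itself a superkey."""
    sks = superkeys(attrs, rows)
    return [k for k in sks if not any(other < k for other in sks)]


if __name__ == "__main__":
    for k in superkeys():
        print("superkey:", sorted(k))
    for k in candidate_keys():
        print("candidate key:", sorted(k))
```

On these four rows there are five superkeys (every set containing roll_number, plus first_name with last_name) and two candidate keys: {roll_number} and {first_name, last_name}. The whole heading is always among the superkeys, as the text says.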

Thursday, August 6, 2009

How Does a Firewall Work?

Introduction
With broadband internet becoming much more popular and accessible to the masses, many users are becoming increasingly concerned about the security issues that an 'always on' connection may present. As such, many are looking for ways to secure their system and files from the outside world.

One answer to such a problem is the use of a firewall. Despite what its name suggests, a firewall does not surround your computer with flames that threaten to burn anybody who gets close; in principle, though, the idea is not too far from the truth. In this article I will look at what a firewall is and what you can expect to get from using one.

So what is a firewall?
A firewall is a device or application that controls and restricts data transfers between a computer system and its internet connection. The purpose of having a firewall in place is not only to prevent unauthorised or malicious data from entering your system via your internet connection, but also to prevent sensitive information from leaving it.
There are basically two types of firewall: hardware firewalls and software firewalls. A hardware firewall is a physical device installed between the modem and the computer; in the case of a network of computers it is often built into the broadband router used to share the internet connection, so the router also acts as the firewall device. A software firewall is an application installed on the computer system you wish to protect, usually the computer with the modem attached to it.

The difference is one of placement: a hardware firewall normally acts as a barrier between a whole network of computers and the internet connection (although it can be used with a standalone computer), whereas a software firewall is installed on, and protects, the individual computer that connects to the internet.
What Is a Firewall? Located either at a network gateway server or on a specialized hardware device, a firewall is a set of related programs that protects the contents of a private network from external users and programs. Many SOHO users install firewalls to prevent outsiders from accessing private resources (e.g., confidential business data) and to control internal access to Internet resources.

Typically, a firewall works in tandem with a router program to examine each packet of data sent out on a network to determine whether to send that data to its destination. A firewall also includes or complements a proxy server. In addition to aggregating network requests so that all outgoing traffic appears to be coming from one computer instead of from several machines on the internal network, a proxy server also collects and caches all incoming network pages. Administrators often install a firewall on a specially designated computer separate from the rest of the network so that no incoming request can directly access private resources. Let's look at a few of the screening methods firewalls use.

Packet filtering. A dynamic packet filter is a firewall facility that monitors the state of active connections, using this information to determine which network packets to let through the firewall. By recording session information, such as the IP address and port numbers, a dynamic packet filter implements much tighter security than a static packet filter. For example, assume that you want to configure your firewall so that you let all your users access the Internet, but you let in only replies to users' data requests. With a static packet filter, you'd need to permanently let in replies from all external addresses, assuming that users are free to visit any site on the Internet. This kind of filter would let an attacker sneak information past the filter by making the packet look like a reply (by indicating reply in the packet header). By tracking and matching requests and replies, a dynamic packet filter can screen for replies that don't match a request. When the system records a request, the dynamic packet filter opens an inbound door just long enough to let in only the expected data. Once the system receives the reply, the filter closes the door, dramatically increasing the firewall's security capabilities.

Proxy service. You use a proxy server with a gateway server that separates the enterprise network from the outside network and with a firewall server that protects the enterprise network from outside intrusion. When a proxy server receives a user’s request for an Internet service (e.g., a Web page request), if the service passes filtering requirements, the proxy server (assuming it's also a cache server) looks in its local cache of previously downloaded Web pages. If the proxy server finds the page, it returns the page to the user without forwarding the request to the Internet. If the page is not in the cache, the proxy server, acting as a client on behalf of the user, uses one of its own IP addresses to request the page from the server out on the Internet. When the Internet server returns the page, the proxy server relates the page to the original request and forwards the information to the user. The user never sees the proxy server; all Internet requests and returned responses appear to be direct with the addressed Internet server. (The proxy server is not quite invisible; it displays its IP address on all requests so that traffic can return back to it.) An advantage of using a proxy server is that its cache can serve all users. Frequently requested Internet sites are likely to be in the proxy server's cache, improving user response time. The functions of a proxy server, firewall, and cache server can exist as separate server programs or as one package. Also, different computers can contain different server programs. For example, a proxy server can be on the same machine with a firewall server, or it can be on a separate server and forward requests through the firewall.

Stateful inspection. Stateful inspection is a firewall screening method that does not examine the full contents of each packet; instead, it compares certain key parts of a packet (addresses, ports, sequence numbers, TCP flags) to a table of connections it already trusts. It is the same connection-tracking idea described for dynamic packet filters above: the firewall records the defining characteristics of traffic leaving the network and compares incoming packets against them. If the comparison yields a match, the firewall lets the packet through; otherwise, it discards it. However, because stateful inspection does not examine the entire packet, malformed packets can penetrate this line of defense and cause problems with the servers behind the firewall. A packet's contents can carry data or commands that make an application fail (e.g., an Active Server Pages (ASP) or Common Gateway Interface (CGI) script on a Web server). Some multimedia applications (e.g., RealAudio) that open secondary connections have required firewall manufacturers to revise their stateful inspection engines. For that reason, large companies and e-commerce and hosting sites use high-end firewalls that are hybrids, offering stateful inspection plus proxy (application-layer) inspection for specific programs. Most SOHO applications need only a firewall with simple stateful inspection.
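The weakness of a static filter and the fix the dynamic filter provides, as described in the packet filtering and stateful inspection paragraphs above, can be shown in a few dozen lines. The following is an added example (not from the original article): a static rule that lets in anything that looks like a reply, beside a connection-tracking filter that only lets in packets matching a request the inside actually sent. The packet model and the addresses are constructed; real TCP state tracking also handles sequence numbers and timeouts, which are omitted here.

```python
import ipaddress
from collections import namedtuple

# Constructed TCP packet model: flags is a string such as "S" (SYN), "SA" (SYN-ACK), "A", "FA".
Packet = namedtuple("Packet", "src sport dst dport flags")


class StaticFilter:
    """Static rule set: permit inbound only if it looks like a reply (ACK set, from a service port)."""

    def check(self, pkt, direction):
        if direction == "out":
            return "ACCEPT"
        return "ACCEPT" if "A" in pkt.flags and pkt.sport < 1024 else "DROP"


class StatefulFilter:
    """Dynamic packet filter: permit inbound only if it matches a connection the inside opened."""

    def __init__(self, inside="192.168.1.0/24"):
        self.inside = ipaddress.ip_network(inside)
        self.flows = set()          # (inside_ip, inside_port, outside_ip, outside_port)

    def _is_inside(self, ip):
        return ipaddress.ip_address(ip) in self.inside

    def check(self, pkt, direction):
        if direction == "out":
            if not self._is_inside(pkt.src):
                return "DROP"       # egress anti-spoofing: outbound traffic must carry an inside source
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "S" in pkt.flags and "A" not in pkt.flags:
                self.flows.add(key)  # a new outbound SYN opens the door for its replies
            return "ACCEPT" if key in self.flows else "DROP"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # inbound: same flow seen from outside
        if key not in self.flows:
            return "DROP"           # no matching request, even if the packet claims to be a reply
        if "F" in pkt.flags or "R" in pkt.flags:
            self.flows.discard(key)  # connection ending: close the door again (simplified teardown)
        return "ACCEPT"


if __name__ == "__main__":
    fw = StatefulFilter()
    print(fw.check(Packet("192.168.1.10", 40000, "198.51.100.5", 80, "S"), "out"))
    print(fw.check(Packet("198.51.100.5", 80, "192.168.1.10", 40000, "SA"), "in"))
    print(fw.check(Packet("198.51.100.9", 80, "192.168.1.10", 40000, "A"), "in"))
```

The forged packet from 198.51.100.9 has the ACK bit set and comes from port 80, so the static filter waves it through; the stateful filter drops it because no inside host ever asked 198.51.100.9 for anything.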

Using Firewalls You can use firewalls in many ways to protect your network. Firewalls offer protection against remote logon and access by not letting someone connect to your computer and control it (e.g., viewing or accessing your files or running programs on your computer). Firewalls can also limit the damage done by malicious macros. For example, some applications let you create a script of commands (a macro) that the application runs to simplify more complex procedures; attackers can create their own macros that, depending on the application, can destroy your data or crash your computer, and a firewall that restricts outbound connections can stop such a macro from reaching the attacker's server or spreading to other machines. Firewalls also offer protection against malicious source routing. Routers normally determine the path a packet travels over a network, but the source of a packet can explicitly state the route the packet should follow to its destination. Attackers sometimes use this facility to make traffic appear to originate at a trusted source or even inside your network, a form of spoofing. Most firewall products disable source routing by default, dropping any packet that carries a source-route option.
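Source routing is carried in the options area of the IPv4 header, so "disable source routing" means parsing that area and dropping packets that carry the loose (type 131) or strict (type 137) source route option. The following is an added example (not from the original article) of such a check: a small IPv4 option parser, a drop decision, and a constructed packet builder so it can be exercised offline. The checksum is left at zero and the addresses come from documentation ranges; both are assumptions for the test, not real traffic.

```python
import socket
import struct

LSRR, SSRR = 131, 137     # IPv4 option types: loose / strict source and record route


def ipv4_option_types(packet):
    """Parse the options area of an IPv4 header and return the option type codes it carries."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4             # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, i, types = packet[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                         # End of Option List
            break
        if kind == 1:                         # No Operation: single byte, used for alignment
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        types.append(kind)
        i += length
    return types


def firewall_decision(packet):
    """DROP packets carrying a source-routing option, or whose header does not parse; ACCEPT the rest."""
    try:
        types = ipv4_option_types(packet)
    except ValueError:
        return "DROP"
    return "DROP" if any(t in (LSRR, SSRR) for t in types) else "ACCEPT"


def build_ipv4(src, dst, options=b"", payload=b""):
    """Construct a minimal IPv4 packet for testing (checksum left at zero, protocol 17 = UDP)."""
    options += b"\x00" * (-len(options) % 4)  # options area is padded to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0,
                         64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload


def lsrr_option(*hops):
    """Build a Loose Source and Record Route option: type, length, pointer, then the hop list."""
    data = b"".join(socket.inet_aton(h) for h in hops)
    return bytes([LSRR, 3 + len(data), 4]) + data


if __name__ == "__main__":
    plain = build_ipv4("203.0.113.7", "192.168.1.10", payload=b"hi")
    routed = build_ipv4("203.0.113.7", "192.168.1.10",
                        options=b"\x01" + lsrr_option("192.0.2.1"), payload=b"hi")
    print(firewall_decision(plain), firewall_decision(routed))
```

Two details matter in practice: a NOP byte may precede the option (the builder inserts one to show the parser handling it), and a header that fails to parse is dropped rather than accepted, so a malformed options area cannot be used to slip past the check.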

Firewall Limitations Although firewalls can help protect your internal network from outside sources, they do have limitations. For example, firewalls can block the network activity that Trojan horse programs (such as Back Orifice) rely on once installed, by refusing inbound connections to the ports they listen on, but firewalls cannot prevent a virus from entering your network without add-ons. Some firewalls offer limited virus protection, and some are difficult to update. Some antivirus vendors make modular plugins for firewalls that screen email and Web traffic before it ever enters the internal network, and their virus definitions are simple to update; basically, the plugins function like desktop product updates. You should still install antivirus software on each computer in your network. Also, as long as you accept email into your network, some spam will pass through your firewall.

The level of security you establish determines how many of these threats your firewall can stop. A common rule of thumb: Block everything first, and then begin selecting what types of traffic you’ll let in. You can also restrict traffic that travels through the firewall so that only certain types of information (e.g., email) can get through. You can buy firewall appliances that perform most of the analysis and configuration upfront (e.g., Linksys Cable/DSL router); all you need to do is plug them in. In my next column, I’ll look at a small router device that affords strong, inexpensive firewall protection for your SOHO.

Wednesday, August 5, 2009

What is Virtual Private Network ?

A virtual private network (VPN) is a private network that uses a public network (the Internet) to connect users, who may be located in branch or home offices. Years ago, companies would either procure leased lines or build a frame relay network for this purpose, both of which were very expensive. VPN technology is much more efficient because it uses virtual connections routed through the Internet from the corporate LAN to the remote site, and there is no need to pay a carrier for dedicated circuits because the Internet is the carrier. Other advantages of a VPN are encryption of the traffic in transit, broadband support, ease of maintenance, simplified network topology, and the ability to serve individual users as well as branch offices.

Several methods of configuration can be used with VPNs. One method is an intranet-based VPN, which is defined as a network that links remote locations to create a single private network. This type of network connects LANs. A single department's network may be physically connected to the intranet but separated by VPN servers. These servers do not provide a directly routed connection. Only users on the corporate intranet with the appropriate rights can establish a remote-access VPN connection with the server. There is another enhanced level of security provided by VPN -- all communication is encrypted. If users do not have rights to establish a VPN connection, the network is completely hidden from them.

Another way of setting up a VPN is to use routers for the VPN connections. In this example, departments must be connected to an intranet with computers that act as VPN routers. Once the connections are established, PC users on each network can exchange information over the Internet.

In a typical deployment, each branch office has PC clients connected to a switch that also functions as a VPN router. This in turn connects to a firewall, which sends its traffic, encrypted, through a tunnel associated with the VPN connection. A home-based laptop user does not need a router or a firewall of their own; they use a VPN client to establish the tunnel. The beauty of using a VPN for this solution is that, depending on the hardware purchased, it should be possible to support hundreds of users across the public network with just the client software. This provides significant cost savings over traditional toll-free dial-in numbers, supports broadband for dramatic performance improvements over dial-up, and improves security, since the connections go through encrypted tunnels.

An important concept to understand regarding VPNs is tunneling. Tunneling is the transmission of data intended for use only within a private network through a public network in such a way that the nodes in the public network (the Internet) are not even aware that the transmission is part of a private network. The way this is done is to encapsulate the private network data and protocol information within the public network transmission. This is done so that the private network protocol information appears to the public network as data. This allows one to use the public network to transmit data from a corporate private network.

There are many VPN protocols, such as Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP). IPsec (Internet Protocol Security), a framework of security protocols operating at the network (IP) layer, is also widely used for VPNs. IPsec has two modes: tunnel and transport. In tunnel mode the entire original IP packet, header and payload, is encrypted and encapsulated inside a new IP packet whose outer header carries only the addresses of the two gateways, so the original addresses are hidden from the public network; in transport mode only the payload is protected and the original IP header travels in the clear. Tunnel mode is therefore the usual choice for gateway-to-gateway VPNs. IPsec provides strong security features, such as modern encryption algorithms and strong authentication. One drawback is that the hardware devices must support IPsec, and this is not a given.
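The difference between the two modes is easiest to see from the point of view of a router on the public network. The following is an added example (not from the original article) with a deliberately tiny packet model (4-byte source, 4-byte destination, payload) and a toy ESP built from the Python standard library: an HMAC-SHA256 counter-mode keystream stands in for the AES cipher real IPsec uses, and an encrypt-then-MAC tag gives the integrity check. Key derivation, the packet model and the addresses are all assumptions for the example; real ESP has a different wire format.

```python
import hashlib
import hmac
import os
import struct
from socket import inet_aton, inet_ntoa


def make_packet(src, dst, payload):
    """Toy packet (constructed model): 4-byte source, 4-byte destination, then the payload."""
    return inet_aton(src) + inet_aton(dst) + payload


def _subkeys(key):
    """Derive separate encryption and integrity keys from one shared secret."""
    return (hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest())


def _keystream(enc_key, nonce, n):
    """HMAC-SHA256 in counter mode: a stand-in for the block cipher real ESP would use."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_seal(key, plaintext):
    """Toy ESP payload: nonce || ciphertext || 16-byte tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def esp_open(key, blob):
    """Verify the tag first, then decrypt; anything tampered or keyed wrongly is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ESP integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def transport_mode(key, packet):
    """Transport mode: the original header stays in the clear, only the payload is protected."""
    return packet[:8] + esp_seal(key, packet[8:])


def tunnel_mode(key, packet, gw_src, gw_dst):
    """Tunnel mode: the whole original packet is encrypted and wrapped in a new outer header."""
    return inet_aton(gw_src) + inet_aton(gw_dst) + esp_seal(key, packet)


def observer_view(wire):
    """What a router on the public network sees: only the outermost source and destination."""
    return inet_ntoa(wire[:4]), inet_ntoa(wire[4:8])


def transport_decap(key, wire):
    return wire[:8] + esp_open(key, wire[8:])


def tunnel_decap(key, wire):
    return esp_open(key, wire[8:])


def integrity_ok(key, wire):
    try:
        esp_open(key, wire[8:])
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = os.urandom(32)
    inner = make_packet("10.0.1.5", "10.0.2.9", b"payroll data")
    print(observer_view(tunnel_mode(key, inner, "203.0.113.10", "198.51.100.20")))
    print(observer_view(transport_mode(key, inner)))
```

In tunnel mode the observer learns only that gateway 203.0.113.10 is talking to gateway 198.51.100.20; in transport mode the private addresses 10.0.1.5 and 10.0.2.9 are visible on the wire even though the payload is not. The tag check is what stops an on-path attacker from flipping ciphertext bits: a single changed byte fails verification and the packet is discarded rather than decrypted.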

Finally, when helping your customer choose a VPN, look carefully at all the products on the market. Don't just jump at the first one. Look at everything your customer wants the VPN to do. If all they'll ever need it for is connectivity for their work-from-home users, they may not need all the features of an enterprise hardware product offered by one of the top vendors.
Also, think carefully before you recommend a product in which the VPN is also the router or the firewall. All-in-one solutions have a certain appeal, but think about what would happen if someone were to break into that device -- there is no other barrier between your customer and their private network. A separate router provides another barrier. Similarly, many vendors offer hybrid firewall/VPN solutions. Don't forget that the firewall provides the barrier between the private network and the public network, which is the Internet. Any way you slice it, separating devices provides another layer of protection.

Synchronous optical networking (SONET)

Synchronous optical networking (SONET) and Synchronous Digital Hierarchy (SDH) are two closely related multiplexing protocols for transferring multiple digital bit streams, using lasers or light-emitting diodes (LEDs), over the same optical fiber. The method was developed to replace the Plesiochronous Digital Hierarchy (PDH) system for transporting large numbers of telephone calls and large amounts of data traffic over the same fiber without synchronization problems.

SONET and SDH were originally designed to transport circuit mode communications (e.g., T1, T3) from a variety of different sources. The primary difficulty in doing this prior to SONET was that the synchronization sources of these different circuits were different, meaning each circuit was actually operating at a slightly different rate and with a different phase. SONET allowed for the simultaneous transport of many different circuits of differing origin within one single framing protocol. In a sense, then, SONET is not itself a communications protocol per se, but a transport protocol.

Due to SONET's essential protocol neutrality and transport-oriented features, SONET was the obvious choice for transporting ATM (Asynchronous Transfer Mode) cells, and so it quickly evolved mapping structures and concatenated payload containers to carry ATM connections. In other words, for ATM (and eventually other protocols such as TCP/IP and Ethernet), the internal complex structure previously used to transport circuit-oriented connections is removed and replaced with a large concatenated frame (such as STS-3c) into which ATM cells, IP packets or Ethernet frames are placed.

Both SDH and SONET are widely used today: SONET in the U.S. and Canada and SDH in the rest of the world. Although the SONET standards were developed before SDH, SDH's much wider penetration of the worldwide market means that SONET is now considered the regional variant.
The two protocols are standardized according to the following:

SDH or Synchronous Digital Hierarchy standard developed by the International Telecommunication Union (ITU), documented in standard G.707 and its extension G.708

SONET or Synchronous Optical Networking standard as defined by GR-253-CORE from Telcordia and T1.105 from American National Standards Institute

What is SOA

Definition: - A service-oriented architecture (SOA) is the underlying structure supporting communications between services. SOA defines how two computing entities, such as programs, interact in such a way as to enable one entity to perform a unit of work on behalf of another entity. Service interactions are defined using a description language. Each interaction is self-contained and loosely coupled, so that each interaction is independent of any other interaction.

Simple Object Access Protocol (SOAP)-based Web services are becoming the most common implementation of SOA. However, there are non-Web services implementations of SOA that provide similar benefits. The protocol independence of SOA means that different consumers can communicate with the service in different ways. Ideally, there should be a management layer between the providers and consumers to ensure complete flexibility regarding implementation protocols.

Whether you realize it or not, you've probably relied upon SOA, perhaps when you made a purchase online. Let's use Land's End as an example. You look at their catalog and choose a number of items. You specify your order through one service, which communicates with an inventory service to find out if the items you've requested are available in the sizes and colors that you want. Your order and shipping details are submitted to another service which calculates your total, tells you when your order should arrive and furnishes a tracking number that, through another service, will allow you to keep track of your order's status and location en route to your door. The entire process, from the initial order to its delivery, is managed by communications between the Web services -- programs talking to other programs, all made possible by the underlying framework that SOA provides.

What is the difference between a router and hub or switch?

A router is a more sophisticated network device than either a switch or a hub. Like hubs and switches, network routers are typically small, box-like pieces of equipment that multiple computers can connect to. Each features a number of "ports" on the front or back that provide the connection points for these computers, a connection for electric power, and a number of LED lights to display device status. While routers, hubs and switches share a similar physical appearance, routers differ substantially in their inner workings.

Traditional routers are designed to join multiple networks (LANs and WANs). On the Internet or on a large corporate network, for example, routers serve as intermediate hops for network traffic. These routers receive IP packets, read the source and destination IP addresses in each packet header, then forward each packet toward its final destination according to their routing table.
Routers for home networks (often called broadband routers) also can join multiple networks. These routers are designed specifically to join the home (LAN) to the Internet (WAN) for the purpose of Internet connection sharing. In contrast, neither hubs nor switches are capable of joining multiple networks or sharing an Internet connection. A home network with only hubs and switches must designate one computer as the gateway to the Internet, and that device must possess two network adapters for sharing, one for the home LAN and one for the Internet WAN. With a router, all home computers connect to the router equally, and it performs the equivalent gateway functions.

Additionally, broadband routers contain several features beyond those of traditional routers. Broadband routers provide a DHCP server and NAT/proxy support (so the whole LAN can share one public address), for example. Most of these routers also offer integrated firewalls. Finally, wired Ethernet broadband routers typically incorporate a built-in Ethernet switch. These routers allow several hubs or switches to be connected to them, as a means to expand the local network to accommodate more Ethernet devices.
In home networking, hubs and switches technically exist only for wired networks. Wi-Fi wireless routers incorporate a built-in access point that is roughly equivalent to a wired switch.
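The inner difference described above comes down to what each device keys its forwarding decision on: a switch learns which port each MAC address lives on and floods frames for addresses it has not seen, while a router picks the outgoing interface by longest-prefix match on the destination IP address. The following is an added example (not from the original article) of both decisions, with a broadband-router style table (home LAN directly connected, default route to the ISP) as the constructed sample; the MAC addresses, ports and IP ranges are assumptions for the example.

```python
import ipaddress


class LearningSwitch:
    """Layer 2: learns which port each source MAC arrived on; floods frames for unknown MACs."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}           # MAC -> port

    def forward(self, in_port, src_mac, dst_mac):
        """Return the list of ports the frame is sent out of."""
        self.mac_table[src_mac] = in_port             # learn the sender's location
        if dst_mac in self.mac_table:
            out = self.mac_table[dst_mac]
            return [] if out == in_port else [out]    # known: unicast (or nothing if same segment)
        return [p for p in self.ports if p != in_port]  # unknown: flood everywhere but the source


class Router:
    """Layer 3: picks the outgoing interface by longest-prefix match on the destination IP."""

    def __init__(self):
        self.routes = []              # (network, interface, next_hop or None if directly connected)

    def add_route(self, cidr, interface, via=None):
        self.routes.append((ipaddress.ip_network(cidr), interface, via))

    def route(self, dst_ip):
        """Return (interface, next_hop) for dst_ip, or None if no route matches."""
        addr = ipaddress.ip_address(dst_ip)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        _net, interface, via = max(matches, key=lambda r: r[0].prefixlen)  # most specific wins
        return interface, via


def home_router():
    """Broadband-router style table: the home LAN is directly connected, everything else goes to the ISP."""
    r = Router()
    r.add_route("192.168.1.0/24", "lan")
    r.add_route("0.0.0.0/0", "wan", via="203.0.113.1")
    return r


if __name__ == "__main__":
    sw = LearningSwitch([1, 2, 3])
    print(sw.forward(1, "aa:aa", "bb:bb"))   # unknown destination: flooded to ports 2 and 3
    print(sw.forward(2, "bb:bb", "aa:aa"))   # reply: aa:aa is known to be on port 1
    r = home_router()
    print(r.route("192.168.1.20"), r.route("198.51.100.7"))
```

The flooding step is why a hub-or-switch-only network cannot reach the Internet on its own: nothing in the MAC table says anything about where 198.51.100.7 is, whereas the router's default route does. The longest-prefix rule also shows why a more specific route (a /25 inside the /24, say) silently takes traffic away from the broader one, which is worth remembering when auditing routing tables.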

What Is a Layer 3 Switch?
Traditional network switches operate at Layer 2 of the OSI model while network routers operate at Layer 3. This often leads to confusion over the definition of "Layer 3 switch."
A Layer 3 switch is a high-performance device for network routing. Layer 3 switches actually differ very little from routers. A Layer 3 switch can support the same routing protocols as network routers do. Both inspect incoming packets and make dynamic routing decisions based on the source and destination addresses inside. Both types of boxes share a similar appearance.

Layer 3 switches were conceived as a technology to improve on the performance of routers used in large local area networks (LANs) like corporate intranets. The key difference between Layer 3 switches and routers lies in the hardware technology used to build the unit. The hardware inside a Layer 3 switch merges that of traditional switches and routers, replacing some of a router's software logic with hardware to offer better performance in some situations.

Layer 3 switches often cost less than traditional routers. Designed for use within local networks, a Layer 3 switch will typically not possess the WAN ports and wide area network features that a traditional router usually has.

How Domain Name Servers Work


If you spend any time on the Internet sending e-mail or browsing the Web, then you use domain name servers without even realizing it. Domain name servers, or DNS, are an incredibly important but completely hidden part of the Internet, and they are fascinating. The DNS system forms one of the largest and most active distributed databases on the planet. Without DNS, the Internet would shut down very quickly.

In this article, we'll take a look at the DNS system so you can understand how it works and appreciate its amazing capabilities.
When you use the Web or send an e-mail message, you use a domain name to do it. For example, the URL "http://www.howstuffworks.com" contains the domain name howstuffworks.com. So does the e-mail address "iknow@howstuffworks.com."
Human-readable names like "howstuffworks.com" are easy for people to remember, but they don't do machines any good. All of the machines use names called IP addresses to refer to one another. For example, the machine that humans refer to as "www.howstuffworks.com" has the IP address 70.42.251.42. Every time you use a domain name, you use the Internet's domain name servers (DNS) to translate the human-readable domain name into the machine-readable IP address. During a day of browsing and e-mailing, you might access the domain name servers hundreds of times!

Domain name servers translate domain names to IP addresses. That sounds like a simple task, and it would be -- except for five things:
· There are billions of IP addresses currently in use, and most machines have a human-readable name as well.

· There are many billions of DNS requests made every day. A single person can easily make a hundred or more DNS requests a day, and there are hundreds of millions of people and machines using the Internet daily.

· Domain names and IP addresses change daily.
· New domain names get created daily.
· Millions of people do the work to change and add domain names and IP addresses every day.

The DNS system is a database, and no other database on the planet gets this many requests. No other database on the planet has millions of people changing it every day, either. That is what makes the DNS system so unique.

IP Addresses
To keep all of the machines on the Internet straight, each machine is assigned a unique address called an IP address. IP stands for Internet Protocol, and these (IPv4) addresses are 32-bit numbers normally expressed as four "octets" in "dotted decimal" notation. A typical IP address looks like this: 70.42.251.42. The four numbers in an IP address are called octets because each is eight bits and can have values between 0 and 255 (2^8 = 256 possibilities per octet).

Every machine on the Internet has its own IP address. A server has a static IP address that does not change very often. A home machine that is dialing up through a modem often has an IP address that is assigned by the ISP when you dial in. That IP address is unique for your session and may be different the next time you dial in. In this way, an ISP only needs one IP address for each modem it supports, rather than for every customer.

If you are working on a Windows machine, you can view your current IP address with the command WINIPCFG.EXE (IPCONFIG.EXE for Windows 2000/XP). On a UNIX machine, type nslookup along with a machine name (such as "nslookup www.howstuffworks.com") to display the IP address of that machine (use the command hostname to learn the name of your own machine, and ifconfig to see its address).
For more information on IP addresses, see IANA.

As far as the Internet's machines are concerned, an IP address is all that you need to talk to a server. For example, you can type in your browser the URL http://70.42.251.42 and you will arrive at the machine that contains the Web server for HowStuffWorks. Domain names are strictly a human convenience.

Domain Names
If we had to remember the IP addresses of all of the Web sites we visit every day, we would all go nuts. Human beings just are not that good at remembering strings of numbers. We are good at remembering words, however, and that is where domain names come in. You probably have hundreds of domain names stored in your head. For example:

· www.howstuffworks.com - a typical name
· www.yahoo.com - the world's best-known name
· www.mit.edu - a popular EDU name
· encarta.msn.com - a Web server that does not start with www
· www.bbc.co.uk - a name using four parts rather than three
· ftp.microsoft.com - an FTP server rather than a Web server

The COM, EDU and UK portions of these domain names are called the top-level domain or first-level domain. There are several hundred top-level domain names, including COM, EDU, GOV, MIL, NET, ORG and INT, as well as unique two-letter combinations for every country.
Within every top-level domain there is a huge list of second-level domains. For example, in the COM first-level domain, you've got:

· howstuffworks
· yahoo
· msn
· microsoft
· plus millions of others...

Every name in the COM top-level domain must be unique, but the same second-level name can exist under different top-level domains. For example, howstuffworks.com and howstuffworks.org are completely different domains and may point to completely different machines.

In the case of bbc.co.uk, it is a third-level domain. Up to 127 levels are possible, although more than four is rare.

The left-most word, such as www or encarta, is the host name. It specifies the name of a specific machine (with a specific IP address) in a domain. A given domain can potentially contain millions of host names as long as they are all unique within that domain.
Because all of the names in a given domain need to be unique, there has to be a single entity that controls the list and makes sure no duplicates arise. For example, the COM domain cannot contain any duplicate names, and a single registry operator (VeriSign for COM) is in charge of maintaining this list. When you register a domain name, it goes through one of the many accredited registrars that work with the registry to add names to the list. The registry and registrars, in turn, keep records known as the whois database that contain information about the owner and name servers for each domain. Using a whois lookup, you can find information about any domain currently in existence.

While it is important to have a central authority keeping track of the database of names in the COM (and other) top-level domain, you would not want to centralize the database of all of the information in the COM domain. For example, Microsoft has hundreds of thousands of IP addresses and host names. Microsoft wants to maintain its own domain name server for the microsoft.com domain. Similarly, Great Britain probably wants to administrate the uk top-level domain, and Australia probably wants to administrate the au domain, and so on. For this reason, the DNS system is a distributed database. Microsoft is completely responsible for dealing with the name server for microsoft.com -- it maintains the machines that implement its part of the DNS system, and Microsoft can change the database for its domain whenever it wants to because it owns its domain name servers.

Every domain has a domain name server somewhere that handles its requests, and there is a person maintaining the records in that DNS. This is one of the most amazing parts of the DNS system -- it is completely distributed throughout the world on millions of machines administered by millions of people, yet it behaves like a single, integrated database!

The Distributed System
Name servers do two things all day long:
· They accept requests from programs to convert domain names into IP addresses.
· They accept requests from other name servers to convert domain names into IP addresses.
When a request comes in, the name server can do one of four things with it:
· It can answer the request with an IP address because it already knows the IP address for the domain.
· It can contact another name server and try to find the IP address for the name requested. It may have to do this multiple times.
· It can say, "I don't know the IP address for the domain you requested, but here's the IP address for a name server that knows more than I do."
· It can return an error message because the requested domain name is invalid or does not exist.

When you type a URL into your browser, the browser's first step is to convert the domain name and host name into an IP address so that the browser can go request a Web page from the machine at that IP address (see How Web Servers Work for details on the whole process). To do this conversion, the browser has a conversation with a name server.
When you set up your machine on the Internet, you (or the software that you installed to connect to your ISP) had to tell your machine what name server it should use for converting domain names to IP addresses. On some systems, the DNS is dynamically fed to the machine when you connect to the ISP, and on other machines it is hard-wired. If you are working on a Windows 95/98/ME machine, you can view your current name server with the command WINIPCFG.EXE (IPCONFIG for Windows 2000/XP). On a UNIX machine, type nslookup along with your machine name. Any program on your machine that needs to talk to a name server to resolve a domain name knows what name server to talk to because it can get the IP address of your machine's name server from the operating system.

The browser therefore contacts its name server and says, "I need for you to convert a domain name to an IP address for me." For example, if you type "www.howstuffworks.com" into your browser, the browser needs to convert that URL into an IP address. The browser will hand "www.howstuffworks.com" to its default name server and ask it to convert it.

The name server may already know the IP address for www.howstuffworks.com. That would be the case if another request to resolve www.howstuffworks.com came in recently (name servers cache IP addresses to speed things up). In that case, the name server can return the IP address immediately. Let's assume, however, that the name server has to start from scratch.

A name server would start its search for an IP address by contacting one of the root name servers. The root servers know the IP address for all of the name servers that handle the top-level domains. Your name server would ask the root for www.howstuffworks.com, and the root would say (assuming no caching), "I don't know the IP address for www.howstuffworks.com, but here's the IP address for the COM name server." Obviously, these root servers are vital to this whole process, so:

· There are many of them scattered all over the planet.
· Every name server has a list of all of the known root servers. It contacts the first root server in the list, and if that doesn't work it contacts the next one in the list, and so on.
Here is a typical list of root servers held by a typical name server:

; This file holds the information on root name servers
; needed to initialize cache of Internet domain name
; servers (e.g. reference this file in the
; "cache . " configuration file of BIND domain
; name servers).
;
; This file is made available by InterNIC registration
; services under anonymous FTP as
; file /domain/named.root
; on server FTP.RS.INTERNIC.NET
; -OR- under Gopher at RS.INTERNIC.NET
; under menu InterNIC Registration Services (NSI)
; submenu InterNIC Registration Archives
; file named.root
;
; last update: Aug 22, 1997
; related version of root zone: 1997082200
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; temporarily housed at NSI (InterNIC)
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 198.41.0.10
;
; housed in LINX, operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; temporarily housed at ISI (IANA)
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; housed in Japan, operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File

The formatting is a little odd, but basically it shows you that the list contains the actual IP addresses of 13 different root servers.

The root server knows the IP addresses of the name servers handling the several hundred top-level domains. It returns to your name server the IP address for a name server for the COM domain. Your name server then sends a query to the COM name server asking it if it knows the IP address for www.howstuffworks.com. The name server for the COM domain knows the IP addresses for the name servers handling the HOWSTUFFWORKS.COM domain, so it returns those. Your name server then contacts the name server for HOWSTUFFWORKS.COM and asks if it knows the IP address for www.howstuffworks.com. It does, so it returns the IP address to your name server, which returns it to the browser, which can then contact the server for www.howstuffworks.com to get a Web page.

One of the keys to making this work is redundancy. There are multiple name servers at every level, so if one fails, there are others to handle the requests. There are, for example, three different machines running name servers for HOWSTUFFWORKS.COM requests. All three would have to fail for there to be a problem.

The other key is caching. Once a name server resolves a request, it caches all of the IP addresses it receives. Once it has made a request to a root server for any COM domain, it knows the IP address for a name server handling the COM domain, so it doesn't have to bug the root servers again for that information. Name servers can do this for every request, and this caching helps to keep things from bogging down.

Name servers do not cache forever, though. The caching has a component, called the Time To Live (TTL), that controls how long a server will cache a piece of information. When the server receives an IP address, it receives the TTL with it. The name server will cache the IP address for that period of time (ranging from minutes to days) and then discard it. The TTL allows changes in name servers to propagate. Not all name servers respect the TTL they receive, however. When HowStuffWorks moved its machines over to new servers, it took three weeks for the transition to propagate throughout the Web. We put a little tag that said "new server" in the upper left corner of the home page so people could tell whether they were seeing the new or the old server during the transition.
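To make the walk described above concrete (root referral, then the COM server, then the domain's own server, with the root-hints list tried in order and every answer cached for its TTL), here is a small simulation. It is an added example, not code from the article or from BIND: the zone data, the server addresses (taken from documentation ranges), and the names `SERVERS`, `ROOT_HINTS`, `query` and `Resolver` are all constructed for illustration.

```python
"""Simulated iterative resolution: referrals from the roots downward,
failover through the root-hints list, and a cache that honours TTLs.
Everything here is constructed for illustration: the zone data, the
server addresses (documentation ranges) and the class/function names."""
import time

# Each simulated server holds the records it is authoritative for.
# A record is ("A", ip, ttl) or a referral ("NS", [server_ips], ttl).
ROOT_DATA = {
    "com.": ("NS", ["192.0.2.10"], 172800),
}
SERVERS = {
    "192.0.2.1": ROOT_DATA,   # root server 1 (every root holds the same data)
    "192.0.2.2": ROOT_DATA,   # root server 2
    "192.0.2.10": {"example.com.": ("NS", ["192.0.2.30"], 86400)},   # COM server
    "192.0.2.30": {"www.example.com.": ("A", "203.0.113.5", 300)},   # example.com server
}
ROOT_HINTS = ["192.0.2.1", "192.0.2.2"]   # tried in order, like named.root


class ServerDown(Exception):
    pass


def query(server_ip, name, down=frozenset()):
    """Ask one server about `name`. Returns (owner, record): the exact
    answer, the closest referral the server holds, or an NXDOMAIN record."""
    if server_ip in down:
        raise ServerDown(server_ip)
    zone = SERVERS[server_ip]
    labels = name.split(".")
    for i in range(len(labels) - 1):
        owner = ".".join(labels[i:])          # www.example.com. -> example.com. -> com.
        rec = zone.get(owner)
        if rec is not None and (i == 0 or rec[0] == "NS"):
            return owner, rec
    return name, ("NXDOMAIN", None, 0)


class Resolver:
    def __init__(self, root_hints=ROOT_HINTS, clock=time.time):
        self.root_hints = list(root_hints)
        self.clock = clock
        self.cache = {}                       # owner -> (record, expiry time)

    def _cached(self, owner):
        entry = self.cache.get(owner)
        if entry is None:
            return None
        rec, expires = entry
        if self.clock() >= expires:           # TTL elapsed: discard, never serve stale
            del self.cache[owner]
            return None
        return rec

    def _remember(self, owner, rec):
        self.cache[owner] = (rec, self.clock() + rec[2])

    def _closest_referral(self, name):
        """Cached NS set of the nearest enclosing zone, so the roots can be skipped."""
        labels = name.split(".")
        for i in range(1, len(labels) - 1):
            rec = self._cached(".".join(labels[i:]))
            if rec is not None and rec[0] == "NS":
                return list(rec[1])
        return None

    def _ask_any(self, servers, name, down, path):
        for s in servers:                     # first reachable server in the list wins
            try:
                owner, rec = query(s, name, down)
            except ServerDown:
                continue
            path.append(s)
            return owner, rec
        raise RuntimeError("no reachable server in %r" % (servers,))

    def resolve(self, name, down=frozenset(), max_hops=10):
        """Returns (status, ip, path); path lists the servers actually contacted."""
        path = []
        rec = self._cached(name)
        if rec is not None and rec[0] == "A":
            return "ok", rec[1], path         # answered straight from cache
        servers = self._closest_referral(name) or list(self.root_hints)
        for _ in range(max_hops):
            owner, rec = self._ask_any(servers, name, down, path)
            if rec[0] == "NXDOMAIN":
                return "nxdomain", None, path
            self._remember(owner, rec)        # cache answers and referrals alike
            if rec[0] == "A":
                return "ok", rec[1], path
            servers = list(rec[1])            # referral: go ask the next level down


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.example.com."))      # three hops: root, COM, example.com
    print(r.resolve("www.example.com."))      # cache hit: empty path
```

The `path` returned by `resolve` shows the four outcomes from the list above: a cached answer (empty path), a referral chain through the roots, a direct answer from the domain's own server once the referral for its zone is cached, and an NXDOMAIN for a name that does not exist. Passing a `down` set reproduces the root-hints failover, and an injectable `clock` lets you watch the 300-second A record expire while the longer-lived referral stays usable.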

Creating a New Domain Name
When someone wants to create a new domain, he or she has to do two things:
· Find a name server for the domain name to live on.
· Register the domain name.

Technically, there does not need to be a machine in the domain -- there just needs to be a name server that can handle the requests for the domain name.
There are two ways to get a name server for a domain:
· You can create and administer it yourself.
· You can pay an ISP or hosting company to handle it for you.

Most larger companies have their own domain name servers. Most smaller companies pay someone.
The history of HowStuffWorks is typical. When howstuffworks.com was first created, it began as a parked domain. This domain lived with a company called www.webhosting.com. Webhosting.com maintained the name server and also maintained a machine that created the single "under construction" page for the domain.

To create a domain, you fill out a form with a company that does domain name registration (examples: register.com, verio.com, networksolutions.com). They create an "under construction page," create an entry in their name server, and submit the form's data into the whois database. Twice a day, the COM, ORG, NET, etc. name servers get updates with the newest IP address information. At that point, a domain exists and people can go see the "under construction" page.
HowStuffWorks then started publishing content under the domain www.howstuffworks.com. We set up a hosting account with Tabnet (now part of Verio, Inc.), and Tabnet ran the DNS for HowStuffWorks as well as the machine that hosted the HowStuffWorks Web pages. This type of machine is called a virtual Web hosting machine and is capable of hosting multiple domains simultaneously. Five hundred or so different domains all shared the same processor.

As HowStuffWorks became more popular, it outgrew the virtual hosting machine and needed its own server. At that point, we started maintaining our own machines dedicated to HowStuffWorks, and began administering our own DNS. We currently have four servers:

· AUTH-NS1.HOWSTUFFWORKS.COM 70.42.150.19
· AUTH-NS2.HOWSTUFFWORKS.COM 70.42.150.20
· AUTH-NS3.HOWSTUFFWORKS.COM 70.42.251.19
· AUTH-NS4.HOWSTUFFWORKS.COM 70.42.251.20

Our primary DNS is auth-ns1.howstuffworks.com. Any changes we make to it propagate automatically to the secondary, which is also maintained by our ISP.
All of these machines run name server software called BIND. BIND knows about all of the machines in our domain through a text file on the main server that looks like this:
@ NS auth-ns1.howstuffworks.com.
@ NS auth-ns2.howstuffworks.com.
@ MX 10 mail
mail A 209.170.137.42
vip1 A 216.183.103.150
www CNAME vip1
Decoding this file from the top, you can see that:
· The first two lines point to the primary and secondary name servers.
· The next line is called the MX record. When you send e-mail to anyone at howstuffworks.com, the piece of software sending the e-mail contacts the name server to get the MX record so it knows where the SMTP server for HowStuffWorks is (see How E-mail Works for details). Many larger systems have multiple machines handling incoming e-mail, and therefore multiple MX records.
· The next line points to the machine that will handle a request to mail.howstuffworks.com.
· The next line points to the IP address that will handle a request to oak.howstuffworks.com.
· The next line points to the IP address that will handle a request to howstuffworks.com (no host name).
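Both listings on this page, the named.root hints and the short howstuffworks.com zone, use the same record layout (owner, optional TTL, optional class, type, data), so one small parser can decode them and check what they actually say: which name servers are declared, which host an alias such as www finally lands on, and where mail is delivered. This is an added example, not BIND's own parser or code from the article; the record values are copied from the listings above, and the function names `parse_zone`, `resolve_host`, `mail_exchangers` and `name_servers` are my own.

```python
"""Parser for the two zone-file fragments shown on this page: the named.root
hints and the howstuffworks.com zone. Added example; the record values are
copied from the listings on the page, and the function names are my own."""

RR_TYPES = {"NS", "A", "MX", "CNAME"}

# Excerpt of the root hints in named.root layout (first two servers only).
ROOT_HINTS = """\
; formerly NS.INTERNIC.NET
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
; formerly NS1.ISI.EDU
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
"""

# The howstuffworks.com zone file as listed above.
HSW_ZONE = """\
@ NS auth-ns1.howstuffworks.com.
@ NS auth-ns2.howstuffworks.com.
@ MX 10 mail
mail A 209.170.137.42
vip1 A 216.183.103.150
www CNAME vip1
"""


def qualify(name, origin):
    """Turn a relative name (no trailing dot) into a fully qualified one."""
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin


def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples. Understands ';' comments, '@' for
    the origin, an optional TTL and an optional 'IN' class before the type."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner = qualify(origin if fields[0] == "@" else fields[0], origin)
        rest = fields[1:]
        if rest and rest[0].isdigit():
            rest = rest[1:]                   # TTL present (named.root style)
        if rest and rest[0] == "IN":
            rest = rest[1:]                   # class present
        if not rest or rest[0] not in RR_TYPES:
            raise ValueError("unsupported record: %r" % raw)
        rtype, rdata = rest[0], rest[1:]
        if rtype in ("NS", "CNAME"):
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [int(rdata[0]), qualify(rdata[1], origin)]
        records.append((owner, rtype, rdata))
    return records


def lookup(records, owner, rtype):
    return [rd for (o, t, rd) in records if o == owner and t == rtype]


def resolve_host(records, name, origin, max_aliases=8):
    """Follow CNAME aliases (www -> vip1) until A records are found."""
    name = qualify(name, origin)
    for _ in range(max_aliases):
        addrs = [rd[0] for rd in lookup(records, name, "A")]
        if addrs:
            return addrs
        aliases = lookup(records, name, "CNAME")
        if not aliases:
            return []                         # no such host in this zone
        name = aliases[0][0]
    raise ValueError("CNAME chain too long at %s (alias loop?)" % name)


def mail_exchangers(records, origin):
    """MX hosts in preference order, with the addresses they resolve to."""
    return [(pref, host, resolve_host(records, host, origin))
            for pref, host in sorted(lookup(records, origin, "MX"))]


def name_servers(records, zone):
    """NS names for `zone`, each with any glue A addresses in the same file."""
    return [(rd[0], [a[0] for a in lookup(records, rd[0], "A")])
            for rd in lookup(records, zone, "NS")]


if __name__ == "__main__":
    print(name_servers(parse_zone(ROOT_HINTS, "."), "."))
    hsw = parse_zone(HSW_ZONE, "howstuffworks.com.")
    print(resolve_host(hsw, "www", "howstuffworks.com."))
    print(mail_exchangers(hsw, "howstuffworks.com."))
```

Run against the page's own zone, `resolve_host` shows that a request for www ends at 216.183.103.150 through the vip1 alias, and `mail_exchangers` shows mail for the domain going to 209.170.137.42. `name_servers` returns empty address lists for auth-ns1 and auth-ns2 because this fragment carries no glue A records for them, whereas the named.root excerpt does, which is exactly why a hints file must list addresses and not just names.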

You can see from this file that there are several physical machines at separate IP addresses that make up the HowStuffWorks server infrastructure. There are aliases for hosts like mail and www. There can be aliases for anything. For example, there could be an entry in this file for scoobydoo.howstuffworks.com, and it could point to the physical machine called walnut. There could be an alias for yahoo.howstuffworks.com, and it could point to yahoo. There really is no limit to it. We could also create multiple name servers and segment our domain.

As you can see from this description, DNS is a rather amazing distributed database. It handles billions of requests for billions of names every day through a network of millions of name servers administered by millions of people. Every time you send an e-mail message or view a URL, you are making requests to multiple name servers scattered all over the globe. What's amazing is that the process is usually completely invisible and extremely reliable!
For more information on domain name servers and related topics, check out the links on the next page.