DNS Wizardry for Muggles

The fireplace crackled and popped, embers fading to hues of dark orange.  They sat together on the couch, his arms around her protectively, her head lying across his chest.  He savored the smell of her fruity hair, the gentleness of her warm affection soaking into his very pores.  The children had fallen asleep hours earlier, a miracle beyond hope.  Some sappy Hallmark Movie Channel flick was winding down on the television.  They would pay for this indulgence in the morning, when the alarm clock beat down upon their ears, signifying another lurch to the grind of life.  But as for now, the still silence of pure bliss washed over them both like the gentle rains of May.

As the credits crawled across the screen, she turned her head towards him.  In the combined glow of the fire and the television, her eyes sparkled over a contented smile.  She breathed a deep sigh and snuggled in closer yet.  In that magic moment, she whispered “I love you,”  As he leaned in closer for the kiss, he murmured “And I love you,”  Their lips touched; the world around them faded away like the morning fog.  Life was complete.

My thirteen-year old editor has already rolled her eyes, a good sign that this blog post is off to a great start.


As an American citizen, each one of us has what is known as a Social Security Number.  When was the last time you went up to your coworker and said “excuse me, 412-87-1564, could you please pass the red stapler?”  I’m wagering seven dollars this hasn’t happened in recent history to any of us.  We could of course do this if we memorized everyone’s SSN – but it’s much easier to communicate with each other using a name.

Likewise, each networked computer has an IP Address.  We know computers are certainly content in communicating with each other using these IP Addresses in Binary – but us average humanoids need something a little more user friendly.  We need names like Google, Microsoft, Apple.  We need a technical mediator between IP Addresses and names.

Enter DNS


OK so that sounded infinitely cooler than I intended.  If you’re conjuring up some Chuck Norris-esque device that roundhouse kicks IP Addresses into submission, you’re in for a disappointment.

DNS stands for Domain Name Service, and a DNS server has the single job of translating names to IP Addresses.  Let’s take our romantic love story of fireplace chick flicks above.  Cliff Notes: The moral of that story was to outline the need for meaningful names, rather than sterile numerical identification.  Our romantic interests in the story above can be determined using a simple tool that we already know about – the PING tool.

The +3 Network Tool of Supreme Resolution

Did you know PING can do much more than just yell HEY ARE YOU HERE?  There are command line switches that you can place after the command PING to make it do lots of other cool stuff.  By default PING sends four ECHO packets, waiting for the coveted ECHO REPLY to come back.  But if you enter PING –T followed by the target, it will keep pinging the target forever (or until you hold down the CONTROL key on your keyboard, then press the letter C).  That is a command line switch.

To see all of the PING options, type PING -? to view them all.  Yeah, that’s right – all three of you who actually just did that, you earned some l33t points.  For the rest of you, I’ll cut to the chase.  Let’s take one of the IP Addresses above and crank it through our PING tool from a command line (you do remember how to get a command line, don’t you?), using the switch –a:

C:\Users\thegeek>ping -a
Pinging st11p01ww-apple.apple.com [] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

Our first of the starstruck lovers is a public IP Address for Apple.  As a side note, don’t panic that we got a Request timed out message.  The resolution still took place, their computer just doesn’t want to talk to us.  And the second address?

C:\Users\thegeek>ping -a
Pinging ir1.fp.vip.gq1.yahoo.com [] with 32 bytes of data:
Reply from bytes=32 time=178ms TTL=51
Reply from bytes=32 time=105ms TTL=51
Reply from bytes=32 time=99ms TTL=51
Reply from bytes=32 time=96ms TTL=51
Ping statistics for
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 96ms, Maximum = 178ms, Average = 119ms

It’s owned by Yahoo. And it doesn’t mind taking the time to respond to our PING requests.  How polite.

We can get a name from an IP Address using PING… So what about going from name to IP Address?  Well it just so happens, that way is even easier.  To get an IP Address from a name, just ping it by name:

C:\Users\thegeek>ping google.com
Pinging google.com [] with 32 bytes of data:
Reply from bytes=32 time=17ms TTL=56
Reply from bytes=32 time=17ms TTL=56
Reply from bytes=32 time=16ms TTL=56
Reply from bytes=32 time=17ms TTL=56
Ping statistics for
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum = 17ms, Average = 16ms

Notice that this particular Google server has an IP Address that is NOT listed on the RFC 1918 list of private IP Addresses.  This is a public IP Address, meaning it is not within your own little private network at home.  Or to use an earlier blog analogy, this IP Address is not on your little island.  To get there, traffic must go out your default gateway and into the cloud.

So now on to the deeper stuff

DNS servers reside out in the cloud – the vaporous mire of the Internet.  Every time you open a web browser and type in google.com, your computer does a DNS lookup to figure out exactly who google.com is, by IP Address.  For giggles, you could open up a web browser and enter the IP Address and it would load in your browser.  Remember, computers care about IP Addresses, not names.  For your own local network, chances are your DNS server is most likely your default gateway / router.  And your router in turn gets its DNS server from your ISP.  Ultimately, a DNS lookup has to find a public server out on the Internet for up to date name resolution.

To view your DNS server(s), remember the IPCONFIG tool from before?   Using a command line switch with IPCONFIG of –all, we can see our DNS server(s):

C:\Users\thegeek>ipconfig -all
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Lease Obtained. . . . . . . . . . : Tuesday, October 15, 2013 7:36:35 PM
   Lease Expires . . . . . . . . . . : Wednesday, October 16, 2013 7:36:35 PM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . :
   DNS Servers . . . . . . . . . . . :

And there it is – DNS Server =  That is also the same IP Address as my default gateway, the router.  My computer asks my router what Google is, and my router simply asks its own DNS server, which happens to be out on the Internet.  Ultimately someone figures out what IP Address is Google and I go there.  It’s like magic.

Here is why you care

As we wade deeper in the pool of security and content filtering (which is, after all, my eventual goal) you must understand how this works.  One key method to protecting your home network from filth flarn filth (to quote Bill Cosby) is to filter your Internet traffic by DNS.  You would be overly optimistic to have only one strategy; I personally utilize a three-fold approach in the Casa Del Geek.  I’ll go incredibly high level at this point, with the intention to go deeper into it in a later post.

Here is a key concept:  If you control where your computers do name resolution (DNS), you can control where your computers can and cannot go on the Internet.

Now there are obvious flaws to this plan, which again I’ll go deeper into in a later post.  If I block your traffic using a service like OpenDNS that filters out garbage, you could simply change your DNS server to get around it.  That is why we also need to utilize Firewall rules on our router to only allow DNS traffic to the DNS servers we specify, and if you try utilizing a DNS server not on the allowed list, the traffic is drop kicked like a schoolyard kickball.  But I digress.  We haven’t covered the myriad cool things we can do with our router yet.  That’s also another post.  I promise, all these different pieces of the puzzle will come together.

A Reminder

CS Lewis, in his masterpiece work Mere Christianity, started at the very beginning with basic concepts.  Key foundational topics like Good and Evil and the Nature of Man were covered first, in order to build the ground work to later introduce deeper topics like Sin, Faith, and Propitiation.  To quote Lewis (who actually quoted MacLaren), “the longer way around is the shorter way home.”  It will take us longer to get to our goal – but when we finally arrive, you’ll know what I’m talking about.  It’s easy enough to just click a checkbox and adjust a knob when I tell you to – but it’s better for both of us that you understand what you’re doing and why.

2 thoughts on “DNS Wizardry for Muggles

  1. Okay, so I have one question. DID YOU WRITE THAT STORY? Because I have to say – and I’m a little embarrassed by this – that you totally drew me in. Now, mind you, I make it a point not to read romance novels – Christian or otherwise – and we won’t debate the merits of those here. But I’m just sayin’ – If you ever want to make some money on the side, people pay for that stuff. (Maybe you could just leave out “the gentle rains of May.” That’s free advice. You’re welcome.)

  2. I try to make it interesting enough that the Pooky blog audience will get something out of it. At the first opportunity, I will replace “the gentle rains of May” with “the peaceful precipitations on Pluto the previous planet”. I know, it lacked panache.

Share Your Thoughts

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.