Can the US Really Shut Down .cn Sites? Inside DNS Root Server Mechanics
This article explains how DNS works, why there are only 13 logical root servers, how root mirrors and anycast keep the system resilient, the historical control of root zones, and why the United States cannot easily block Chinese domains despite its dominance in root server ownership.
DNS Fool's Guide
Since the US announced the "Clean Network" initiative, many network‑savvy people wonder whether the US could take control of root name servers.
Historical concerns are not new: in 2014 the People’s Daily quoted experts saying the US controls 10 of the 13 global root servers, theoretically allowing it to block a country’s top‑level domain by removing it from the root zone.
Similar incidents occurred in 2004 (Iraq’s .iq) and 2004 (Libya’s .ly), where the US halted domain resolution.
Is this a real threat? The short answer is that it is possible, but not inevitable, because we have DNS mirrors.
In one sentence: although we don’t control the root, we have mirrors.
Why are there only 13 root DNS servers?
For historical and technical reasons the root is limited to 13 IPv4 addresses. A DNS reply carried over UDP was originally capped at 512 bytes so that it would not be fragmented, and every root server listed in the priming response costs space in that budget: one NS record naming the server plus one A glue record carrying its address.
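To make the 512-byte budget concrete, the following added example (written for this page, not code from the original article) assembles a root priming response in DNS wire format, with the name compression that RFC 1035 allows, and measures it. The root server host names follow the real a..m.root-servers.net pattern; the IPv4 addresses are placeholders from the 192.0.2.0/24 documentation range, and the TTL and header flags are assumptions.

```python
import struct

# Constructed inputs: host names follow the real a..m.root-servers.net pattern,
# the addresses are placeholders from 192.0.2.0/24, not the real root addresses.
ROOT_SERVER_NAMES = [f"{chr(ord('a') + i)}.root-servers.net." for i in range(13)]
ROOT_SERVER_ADDRS = [f"192.0.2.{i + 1}" for i in range(13)]
UDP_DNS_LIMIT = 512   # classic maximum DNS payload over UDP without EDNS0
ROOT_TTL = 518400     # assumed TTL for the records in this example


def encode_name(name, offsets, at):
    """Encode `name` in DNS wire format as if written at message offset `at`.
    A suffix already present in `offsets` is replaced by a 2-byte compression
    pointer (RFC 1035 section 4.1.4); suffixes written here are recorded."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]) + "."
        if suffix in offsets:
            out += struct.pack("!H", 0xC000 | offsets[suffix])
            return bytes(out)
        offsets[suffix] = at + len(out)
        out += bytes([len(label)]) + label.encode("ascii")
    out += b"\x00"  # zero-length root label ends an uncompressed name
    return bytes(out)


def priming_response(names, addrs):
    """Assemble the answer to a root priming query ('. IN NS'): header,
    question, one NS record per root server in the answer section and one
    A glue record per server in the additional section."""
    offsets = {}
    # header: ID, flags (QR+AA), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg = bytearray(struct.pack("!HHHHHH", 0, 0x8400, 1, len(names), 0, len(addrs)))
    qname_offset = len(msg)
    msg += encode_name(".", offsets, len(msg)) + struct.pack("!HH", 2, 1)  # NS, IN
    for name in names:
        msg += struct.pack("!H", 0xC000 | qname_offset)   # owner '.' as a pointer
        msg += struct.pack("!HHI", 2, 1, ROOT_TTL)         # TYPE NS, CLASS IN, TTL
        rdata = encode_name(name, offsets, len(msg) + 2)   # +2: RDLENGTH precedes RDATA
        msg += struct.pack("!H", len(rdata)) + rdata
    for name, addr in zip(names, addrs):
        msg += encode_name(name, offsets, len(msg))        # owner name, now a pointer
        msg += struct.pack("!HHI", 1, 1, ROOT_TTL)         # TYPE A, CLASS IN, TTL
        msg += struct.pack("!H", 4) + bytes(int(o) for o in addr.split("."))
    return bytes(msg)


def priming_response_size(n):
    """Size in bytes of a priming response listing the first `n` root servers."""
    return len(priming_response(ROOT_SERVER_NAMES[:n], ROOT_SERVER_ADDRS[:n]))


def fits_in_udp(n):
    return priming_response_size(n) <= UDP_DNS_LIMIT


if __name__ == "__main__":
    for n in (1, 13):
        print(f"{n:2d} root servers -> {priming_response_size(n)} bytes "
              f"({'fits' if fits_in_udp(n) else 'exceeds'} {UDP_DNS_LIMIT})")
```

With compression, the first NS record costs 32 bytes and each further one 16, and every A glue record another 16, so the 13-server response comes to 449 bytes: under the limit, but with little room for anything else. Modern priming responses that also carry AAAA glue rely on EDNS0 to advertise a larger buffer.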
Are there really only 13 servers?
The 13 logical roots are not 13 physical machines; each logical root is served by many physical servers worldwide. As of August 2020 there were 1,097 root servers, each with multiple mirrors.
This number keeps rising; during the 70th‑anniversary parade in October 2021 there were 1,015 servers.
How does DNS actually work?
Domain levels: "." is the root, ".com" is a top‑level domain, "baidu.com" is second‑level, "www.baidu.com" is third‑level.
Two main name servers:
Authoritative DNS: stores records (A, NS, CNAME) and answers queries directly.
Recursive DNS (LDNS): receives client queries, walks the hierarchy, and returns the answer.
Example lookup for www.baidu.com:
LDNS asks a root server for the IP.
Root returns the NS records for the ".com" TLD.
LDNS asks the ".com" authoritative server, which points to the "baidu.com" authoritative server.
The "baidu.com" server returns the A record (or CNAME) for www.baidu.com.
In practice, caches at the browser, OS, and LDNS reduce the need to start from the root.
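The walk described above, as an added example that is not part of the original article: a simulated recursive resolver follows referrals from the root through .com to the baidu.com authoritative server, restarts when it receives a CNAME, and caches both answers and learned delegations so that later lookups need not start at the root. The zone hierarchy, nameserver names, CNAME target and all 192.0.2.0/24 addresses are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class AuthServer:
    """A simulated authoritative server for one zone."""
    zone: str
    records: dict      # owner name -> (rrtype, value) for names it answers
    delegations: dict  # child zone -> (nameserver name, glue address)


# Constructed data: root -> com. -> baidu.com. / shifen.com. All addresses are
# from the 192.0.2.0/24 documentation range and do not belong to real servers.
SERVERS = {
    "192.0.2.1": AuthServer(".", {}, {"com.": ("a.gtld.example.", "192.0.2.10")}),
    "192.0.2.10": AuthServer("com.", {}, {
        "baidu.com.": ("ns1.baidu.example.", "192.0.2.20"),
        "shifen.com.": ("ns1.shifen.example.", "192.0.2.40"),
    }),
    "192.0.2.20": AuthServer("baidu.com.", {
        "www.baidu.com.": ("CNAME", "www.a.shifen.com."),
        "mail.baidu.com.": ("A", "192.0.2.31"),
    }, {}),
    "192.0.2.40": AuthServer("shifen.com.", {"www.a.shifen.com.": ("A", "192.0.2.30")}, {}),
}


def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def ask(server_ip, qname):
    """One query to an authoritative server. Returns ('answer', rrtype, value),
    ('referral', child_zone, glue_ip) or ('nxdomain',)."""
    srv = SERVERS[server_ip]
    if qname in srv.records:
        return ("answer",) + srv.records[qname]
    for child in sorted(srv.delegations, key=len, reverse=True):  # longest match first
        if in_zone(qname, child):
            return ("referral", child, srv.delegations[child][1])
    return ("nxdomain",)


class Resolver:
    """A recursive resolver (LDNS) that walks referrals and caches both
    final answers and the delegations it learns along the way."""

    def __init__(self, root_ip):
        self.ns_cache = {".": root_ip}  # zone -> address of a server for it
        self.answer_cache = {}          # qname -> IPv4 address
        self.trace = []                 # (server asked, qname) per query sent

    def closest_server(self, qname):
        """Start from the deepest cached delegation that covers qname."""
        zone = max((z for z in self.ns_cache if in_zone(qname, z)), key=len)
        return self.ns_cache[zone]

    def resolve(self, qname, depth=0):
        if depth > 8:
            raise RuntimeError(f"CNAME chain too long for {qname}")
        if qname in self.answer_cache:
            return self.answer_cache[qname]
        server = self.closest_server(qname)
        while True:
            self.trace.append((server, qname))
            reply = ask(server, qname)
            if reply[0] == "referral":
                _, child, glue = reply
                self.ns_cache[child] = glue  # remember the delegation
                server = glue
            elif reply[0] == "answer":
                _, rrtype, value = reply
                ip = value if rrtype == "A" else self.resolve(value, depth + 1)
                self.answer_cache[qname] = ip
                return ip
            else:
                raise LookupError(qname)


if __name__ == "__main__":
    r = Resolver("192.0.2.1")
    print("www.baidu.com. ->", r.resolve("www.baidu.com."))
    print("mail.baidu.com. ->", r.resolve("mail.baidu.com."))
    for server, name in r.trace:
        print(f"  asked {server} for {name}")
```

The trace shows the effect of caching: resolving www.baidu.com. takes three queries to reach the CNAME, the CNAME target is chased from the cached .com server rather than from the root, and a later query for another baidu.com. name goes straight to the baidu.com. server.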
What role do root mirrors play?
Root mirrors hold the same root zone file as the logical roots and share the same IPs via anycast, providing geographic proximity and redundancy.
Anycast announces the same IP address from many sites, and routing delivers each query to the nearest one as judged by metrics such as latency, hop count, and load.
Thus Chinese users typically reach Chinese root mirrors rather than US‑based roots.
How is root DNS managed?
Root DNS is operated by 12 organizations; the root zone file is managed by ICANN, a non-profit that operated under a US Department of Commerce contract until 2016, after which it became fully independent.
ICANN uses a global multistakeholder governance model, delegating top‑level domains to registries (e.g., CNNIC for .cn).
Who manages China’s root mirrors?
Since 2003 China has deployed multiple root mirrors (F, I, J, K, L, etc.) through China Telecom, CNNIC, China Unicom, and other institutions, with dozens of physical sites across the country.
What could the US do to the root DNS?
In theory the US could alter the root zone file to remove .cn entries, causing global .cn sites to become unreachable after caches expire.
The root zone file is publicly downloadable from IANA.
Removing .cn lines would propagate quickly to all roots.
How to respond?
Because China operates its own mirrors, it can refuse to sync changes affecting .cn, or even run an independent root.
Other countries could similarly protect their domains, but the US would likely face diplomatic and technical backlash.
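One way a mirror operator could implement the refusal described above, as an added example and not code from the original article or from any root operator: before applying a new copy of the root zone, parse both the current and proposed zone files, diff the TLD delegations, and reject the update if a protected TLD's delegation disappears or changes, or if the SOA serial fails to advance. The miniature zone files, their nameserver names, serials and the protected set are all constructed for the example.

```python
# Constructed miniature root zones in BIND master-file style. The real root
# zone is far larger; nameserver names and serials here are placeholders.
CURRENT_ROOT = """\
; constructed sample, not the real root zone
.     86400  IN SOA a.root-servers.net. hostmaster.example. 2020080100 1800 900 604800 86400
cn.   172800 IN NS  ns1.cn-registry.example.
cn.   172800 IN NS  ns2.cn-registry.example.
com.  172800 IN NS  ns1.com-registry.example.
jp.   172800 IN NS  ns1.jp-registry.example.
"""

# A legitimate update: serial advances, a new TLD is added, cn. is untouched.
PROPOSED_OK = CURRENT_ROOT.replace("2020080100", "2020080101") + \
    "xyz.  172800 IN NS  ns1.xyz-registry.example.\n"

# A harmful update: serial advances but every cn. delegation line is gone.
PROPOSED_DROP_CN = "\n".join(
    l for l in PROPOSED_OK.splitlines() if not l.startswith("cn.")) + "\n"

# A subtler one: cn. is still delegated, but to a different nameserver set.
PROPOSED_SWAP_CN = PROPOSED_OK.replace("ns2.cn-registry.example.", "ns9.other.example.")


def parse_root_zone(text):
    """Return (soa_serial, {tld: set of nameserver names}) from master-file text
    in the '<owner> [ttl] [class] <type> <rdata...>' line form used here."""
    serial, delegations = None, {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, *rest = line.split()
        if rest and rest[0].isdigit():        # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype == "SOA":
            serial = int(rdata[2])
        elif rtype == "NS":
            delegations.setdefault(owner.lower(), set()).add(rdata[0].lower())
    return serial, delegations


def review_update(current_text, proposed_text, protected_tlds):
    """Return the reasons to refuse the proposed zone; an empty list means accept.
    A mirror applying this check keeps serving its current copy on refusal."""
    cur_serial, cur = parse_root_zone(current_text)
    new_serial, new = parse_root_zone(proposed_text)
    reasons = []
    if cur_serial is None or new_serial is None or new_serial <= cur_serial:
        reasons.append(f"serial did not advance ({cur_serial} -> {new_serial})")
    for tld in sorted(protected_tlds):
        if tld in cur and tld not in new:
            reasons.append(f"delegation for {tld} removed")
        elif tld in cur and cur[tld] != new[tld]:
            reasons.append(f"NS set for {tld} changed: "
                           f"{sorted(cur[tld])} -> {sorted(new[tld])}")
    return reasons


if __name__ == "__main__":
    for label, proposed in (("ok", PROPOSED_OK), ("drop cn", PROPOSED_DROP_CN),
                            ("swap cn", PROPOSED_SWAP_CN)):
        verdict = review_update(CURRENT_ROOT, proposed, {"cn."})
        print(f"{label:8s}: {'ACCEPT' if not verdict else 'REFUSE ' + '; '.join(verdict)}")
```

A refused update leaves the mirror serving its last accepted copy, so the protected TLD stays resolvable for that mirror's clients. The caveat is DNSSEC: a stale copy of the root zone remains valid only until its signatures expire, and a locally edited copy fails validation immediately at resolvers that use the IANA root trust anchor, so an independent root also needs its own trust anchor distributed to the resolvers that are meant to use it.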
Afterword
Experts note that the root system is resilient; even a total shutdown would be mitigated by backups and mirrors.
Understanding DNS fundamentals and root mirror architecture helps reassure users about internet stability.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
21CTO