Skip to main content

HSCN/Transition Network DNS

This document provides an overview of the Domain Name System on HSCN and the Transition Network, and the Domain Name System change request process.

What is DNS?

The Domain Name System (DNS) allows IP network users to use easy to identify names in place of numeric IP addresses.

For example, a user typing www.nhs.uk into a web browser will get to the website hosted by a server at internet IP address 217.64.234.65. DNS tells the user's computer that www.nhs.uk is actually at IP address 217.64.234.65. The user's computer, the server hosting the website and the network on their own only understand IP addresses.

DNS also lets operators move servers and services to different IP addresses invisibly, whilst keeping the DNS naming the same for users.

Protective DNS (PDNS)

The Replacement DNS recursive service will direct all external queries through the NCSC’s Protective Domain Name Service, referred to as PDNS – a service aimed at disrupting the use of DNS for malware distribution and operation. It's been created by the NCSC, and is implemented by Nominet UK.

PDNS is a free and reliable internet-accessible DNS service for the public sector and is one of the NCSC’s widely deployed Active Cyber Defence capabilities. It's been mandated for use by central government departments by the Cabinet Office
Further information is available on the NCSC website.
 

nhs.uk

nhs.uk is the registered internet domain for the UK National Health Service. This means it is for internet use, for instance when an NHS organisation wants to access a public website. However, the NHS also uses nhs.uk on HSCN and the Transition Network (TN). 

Using nhs.uk both internally and externally (on the internet) makes the user experience seamless. An HSCN/TN user typing nww.nhs.uk into their browser will get the HSCN/TN hosted website, but if they type www.nhs.uk they'll get the internet hosted website. This is because the TN has a gateway to the internet, but they are different websites on different networks.

nhs.uk is the NHS's primary level domain. Individual NHS organisations normally have their own sub-domain of nhs.uk, for example: digital.nhs.uk. Sub-domains are normally just called domains, when they're being talked about alone. A full DNS address (technically known as a URL) includes the hostname prefix; the name of a server where a website is hosted. For example www.digital.nhs.uk identifies the web server called 'www' for the digital.nhs.uk (sub!) domain.

How does DNS work?

DNS works by user (client) computers sending queries to a local DNS server to get the IP addresses they need. This is called resolving. Domain name data is distributed and/or delegated amongst a number of name servers. Often the local name server doesn't hold all the data requested, even though local servers do store (cache) some answers to recent DNS queries. If the answer isn't cached, the local server checks with other name servers to get the data. This is known as recursive operation. This process continues until the definitive DNS information (record) for a domain is found on an authoritative DNS server. Although previous examples have used the nhs.uk domain, the resolving process works for queries about any domain registered and in use. A TN/HSCN users DNS request for the IP address of www.microsoft.com would be resolved in the same way.

Because DNS is so important there should always be at least two DNS servers for any domain for resilience. These are often called primary and secondary, although they may share DNS requests more equally than the names suggest, depending on set up.

HSCN/TN/nhs.uk logical DNS configuration

The below diagram shows the logical DNS configuration used across HSCN/TN.

Diagram showing the logical DNS configuration used across HSCN/TN

2020 Technical Refresh

DNS migration

During 2020 NHS Digital successfully migrated the DNS service from the legacy BT service to a replacement service. The legacy infrastructure access was then blocked and decommissioned.  

All organisations should now have configured their DNS configuration to use the correct IP addresses below:

DNS Service - NHS Digital-owned RIPE IP Addresses
155.231.231.2 (cns1.nhs.uk)
155.231.231.1 (cns0.nhs.uk)

For a limited timeframe, in order to support organisations that have not yet migrated their DNS services, the legacy BT-owned IP addresses 194.72.7.137 and 194.72.7.142 will be temporarily supported. Organisations should continue to plan their migration to the new NHS Digital-owned IP addresses.

Further guidance on IP configurations and the legacy DNS service can be found on the Legacy DNS Service section below.

Please note that Transmission Control Protocol (TCP) ping should be used to test connectivity to the DNS IP addresses. TCP ping is supported by the HSCN DNS service and is a recommended alternative to Internet control Message Protocol (ICMP) ping. A variety of TCP ping tools are available online and guidance on utilising TCP ping has been published by Microsoft.

Legacy DNS Services

NHS Digital provide the replacement HSCN DNS service on the following IPs:

DNS Service IPs
155.231.231.1 (cns0.nhs.uk)
155.231.231.2 (cns1.nhs.uk)

As noted in the section above, the legacy BT-owned IP addresses 194.72.7.137 and 194.72.7.142 will be temporarily supported, but should be removed from all DNS configurations. All other legacy BT-owned IP addresses will cease to work once migration is complete.

The following IPs must be removed from Organisations DNS configuration and replaced with the new 155.231.231.x addresses:

Legacy DNS IPs
81.128.8.1
81.128.8.9
62.130.194.17
62.130.194.25
194.72.7.137
194.72.7.142
217.36.155.8
217.36.155.9

 

DNS records

Data for a domain, such as nhs.uk, is arranged in (zone) data files with a number of (resource) records. The most important and most often used are the:

  • address record (A record) - used to direct users to live servers for web browsing and file transfers for example
  • mail exchange record (MX-record) - used to direct messages to email/messaging servers for a domain

Other types of record used on the nhs.uk DNS servers are:

  • start of authority (SOA): defines the start of a zone data file, includes information on: 
    • the name server with ultimate authority for the domain
    • who to contact about the domain
  • name server (NS): defines one or more name servers with definitive DNS information
  • Canonical Name/alias (CNAME): defines additional aliases for an IP address (as alternative to multiple A records)
  • Pointer (PTR): a 'reverse lookup' record that associates an IP address to a DNS name - effectively the reverse of an A record

DNS change request process

NHS Digital own and administer nhs.uk DNS for the NHS in England.

NSS in Scotland administers the scot.nhs.uk (sub) domain.

NHS Wales Informatics Service manages the wales.nhs.uk/cymru.nhs.uk sub-domain.

HSCNI manages the n-i.nhs.uk sub-domain.

DNS change requests, to change either zone data files or individual DNS records, must be made directly to these bodies. 

Find England DNS change request forms and contact information

Further information

  1. internal

    HSCN IP address management

    Find all information relating to IP address management under HSCN, including the HSCN IP addressing policy, IP addressing good practice guidelines, IPAM process and change request forms.

  2. internal

    Business Applications Guidance

    This document provides guidance on procuring standard business applications to replace N3 overlays and is aimed at health and social care organisations moving to HSCN from N3.

  3. internal

    HSCN Quality of Service overview

    Quality of Service (QoS) is a set of techniques to manage resources within a communications network. This page provides details of QoS implementation across HSCN.

  4. internal

    HSCN connectivity options

    The Health and Social Care Network (HSCN) programme will provide new and significantly different network services to the N3 network it succeeds.

Last edited: 28 October 2020 2:00 pm