Wednesday, November 17, 2010

DNS Servers

DNS Server Types 

1. Authoritative
      a. Master
      b. Slave
2. Non-Authoritative
3. Caching / Recursive Servers
4. Iterative Servers



1. Authoritative Servers

DNS servers can be configured to host more than one domain. A server can be primary for one domain and secondary for another. The term authoritative refers to any DNS server that has a complete copy of the domain's information, whether it was entered by an administrator or transferred from a primary server. Thus, a secondary server can and should be authoritative for any domain for which it acts as a secondary.
What is Authority?

Any DNS server that contains a complete copy of the domain's zone file is considered to be authoritative for that domain only. A complete copy of a zone file must have:

    * A valid Start of Authority (SOA) record
    * Valid Name Server (NS) records for the domain
    * The listed NS records should match the servers listed in the SOA record. Servers listed in the zone file but not in the SOA record are called lame servers.

It is considered standard practice to have a primary authoritative DNS server AND a secondary authoritative DNS server. When registering your domain with an accredited domain name registrar, the primary authoritative DNS server is the server you list first, all other DNS servers you list will be secondary. The secondary server and the primary server should be on different IP subnets and the hardware should be located in different physical locations. By putting the two DNS servers on different subnets and placing them geographically apart, you greatly reduce the risk that a single catastrophe will take down the entire system of DNS servers for your domain. Having more than one secondary DNS server for your domain is also good practice, but you can only designate ONE primary DNS server with your registrar because DNS can only point to a single primary DNS server for your domain.
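The checklist above, applied by a small zone-file checker. This is an added example, not code from the original post; the zone text is constructed for the demonstration, and the parser assumes one record per line with an explicit class field (IN):

```python
# Constructed sample zone text for demonstration; not a real domain's data.
SAMPLE_ZONE = """\
$ORIGIN example.test.
@   IN SOA ns1.example.test. hostmaster.example.test. ( 2010111701 3600 900 604800 300 )
@   IN NS  ns1.example.test.
@   IN NS  ns2.example.test.
ns1 IN A   192.0.2.1
ns2 IN A   198.51.100.1
www IN A   192.0.2.10
"""

def parse_records(zone_text):
    """Return (owner, type, rdata_tokens) per record line.
    Assumes one record per line with a class field (a simplification)."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()            # drop comments
        if not line or line.startswith("$"):            # skip blanks and $ directives
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        owner, _cls, rtype = tokens[0], tokens[1], tokens[2]
        records.append((owner, rtype, tokens[3:]))
    return records

def check_zone(zone_text):
    """Checklist: exactly one SOA, NS records present, the SOA master
    appears among the NS records, and a secondary exists."""
    records = parse_records(zone_text)
    soa = [r for r in records if r[1] == "SOA"]
    ns_names = {r[2][0] for r in records if r[1] == "NS"}
    problems = []
    if len(soa) != 1:
        problems.append("zone must have exactly one SOA record")
    if not ns_names:
        problems.append("zone has no NS records")
    elif soa and soa[0][2][0] not in ns_names:
        problems.append(f"SOA master {soa[0][2][0]} is not listed in an NS record")
    if len(ns_names) < 2:
        problems.append("only one name server listed: no secondary for redundancy")
    return problems
```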
Authoritative Responses

Any response to a DNS query that originates from a DNS server with a complete copy of the zone file is said to be an 'authoritative response'. What complicates matters is that DNS servers cache the answers they receive. If a DNS server has the SOA record for the domain, it sets a field in the response that signals that the server queried is authoritative for the domain and that the answer is authoritative. Any DNS server external to that domain that retrieves the authoritative response will cache that answer. The next time that server is queried, it will say that the answer it is giving is authoritative, even though it is not authoritative for that domain.

In other words, it IS possible for a DNS server that is NOT an authoritative server for a domain to give an 'authoritative response' to a DNS query for a domain it does not serve.

Non-authoritative responses come from DNS servers that have cached an answer for a given host, but received that information from a server that is not authoritative for the domain.

Master DNS Server

A Master DNS server contains the following:

   1. A complete copy of the zone files for each domain for which the master server is authoritative. These files are created by the local DNS administrator.
   2. Each zone file contains an SOA record which lists the Master and Slave DNS servers (in that order).
   3. The primary and secondary are the first two name server (NS) resource records in the zone file.
   4. A complete copy of all information for all hosts in the DNS domain. This list of hosts is contained within the zone file. Slave servers download copies of the domain information on a regular basis. The domain information on a master server is manually entered by an administrator.

Master servers are often called primary servers.

Slave DNS Server

A slave DNS server transfers the zone files for which it is authoritative from the master server.

2. Non-Authoritative DNS Servers

Non-authoritative servers do not contain copies of any domains. Instead they have a cache file that is built from all the DNS lookups they have performed in the past for which they received an authoritative response. When a non-authoritative server queries an authoritative server and receives an authoritative answer, it passes that answer along to the querier as an authoritative answer. Thus, non-authoritative servers can answer authoritatively for a given resolution request. However, non-authoritative servers are not authoritative for any domain for which they do not hold specific zone files. Most often, a non-authoritative server answers with a previous lookup from its cache. Any answer retrieved from the cache of any server is deemed non-authoritative because it did not come directly from an authoritative server.

Non-Authoritative DNS Responses

DNS servers cache responses so that if another local user requests the same host or IP address from the local nameserver, the answer will already be in the local nameserver's DNS database. The server will not have to go outside the network to resolve that same host again.

3. The Caching Function

Caching

As mentioned elsewhere in this tutorial, name servers and client resolvers store answers they get from other name servers. This information is added to an internal database called the cache. Information about hosts is retained for a period of time equal to the time to live value sent by the authoritative name server when it returned an answer about a particular host. The cache can contain both authoritative and non-authoritative information, depending on where the answer to the query for that particular host came from.

Storing these responses is called caching and allows a nameserver to respond more quickly to multiple queries for the same domain or host. If you are on a website and want to retrieve the next page on the site, you click a link. Your web browser takes the name of the server and sends it to the local name server to be turned into an IP address. Once your computer gets an answer, it does not have to look up the host again. Your local computer actually has its own DNS cache as well. Provided the time to live value hasn't expired, that answer will remain in the cache. Once the time to live decays to zero, the nameserver will delete the entries containing the host and address information. On your local computer, the cache is emptied when the local computer's default timeout is reached. This is an arbitrary value and is set to approximately 5 minutes on most Windows computers.

Caching is why it takes longer to contact a website on the first try but subsequent requests for pages on the same site are somewhat faster.
Negative Caching

The DNS application BIND version 4.9.3 and later supports negative caching as well (You'd better be on the latest version of BIND if you don't want to get hacked. --InetD). If the local server queries an authoritative server for information and receives an answer indicating that there is no such host, the local DNS server or resolver stores this answer as well, as there is no reason to look up this host twice if it does not exist. The host being down will not cause this response, but not having ANY record of it in the authoritative DNS server's database will cause this.
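The authoritative-answer flag, TTL expiry and negative caching discussed above, worked through in a small resolver cache. This is an added example, not code from the original post: the three 12-byte DNS headers are constructed for the demonstration, the cache takes an injectable clock so expiry can be exercised, and the caller supplies the TTL (for a negative answer this would come from the SOA, which the page does not cover):

```python
import struct

# Constructed DNS response headers: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
# Flag bits: QR=0x8000, AA=0x0400, RD=0x0100, RA=0x0080, RCODE in the low 4 bits.
AUTH_ANSWER   = struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 0)  # AA set, NOERROR
CACHED_ANSWER = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)  # AA clear, from a cache
AUTH_NXDOMAIN = struct.pack("!6H", 0x1234, 0x8403, 1, 0, 0, 0)  # AA set, RCODE 3

def parse_header(msg):
    """Decode the header fields this page talks about: response?, authoritative?, rcode."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"response": bool(flags & 0x8000),
            "authoritative": bool(flags & 0x0400),
            "rcode": flags & 0x000F,
            "answers": an}

class ResolverCache:
    """TTL-bounded cache holding positive and negative ("no such host") answers."""
    def __init__(self, clock):
        self._clock = clock          # injectable clock (hypothetical), for testing expiry
        self._entries = {}

    def store(self, name, header_bytes, rdata, ttl):
        hdr = parse_header(header_bytes)
        if not hdr["response"]:
            raise ValueError("not a response message")
        self._entries[name.lower()] = {
            "rdata": rdata if hdr["rcode"] == 0 else None,
            "negative": hdr["rcode"] == 3,           # NXDOMAIN is cached too
            "authoritative": hdr["authoritative"],   # AA bit as received
            "expires": self._clock() + ttl,
        }

    def lookup(self, name):
        """Return the cached entry, or None once its TTL has decayed to zero."""
        entry = self._entries.get(name.lower())
        if entry is None:
            return None
        if self._clock() >= entry["expires"]:
            del self._entries[name.lower()]          # expired: must query upstream again
            return None
        return entry
```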
DNS Server Reloads

To flush the cache in BIND, you issue the following command:

# rndc flush

Why would you want to clear the name server cache file? Unfortunately caching is a two-edged sword. It speeds up resolution by storing recent answers, and short-circuiting the normal resolution process. However there is a down side. Because DNS servers cache answers, and don't delete these answers until the time to live expires, it can take hours, days or even weeks for the entire Internet to recognize changes to DNS information within your zone. In most cases, it is NOT possible to clear the nameserver's cache without shutting down the nameserver and restarting it. Since the server cannot resolve IPs or names while it is shut down, this effectively shuts down Internet communication for most users. This is usually not something a DNS administrator at a major ISP is willing to do without good cause. It is rare in the extreme to see major Tier 1 providers restart their DNS servers for any reason other than their own scheduled reload as this can prematurely reset version numbers, time to live and many other settings that will ripple through the Internet and cause other major headaches. If you ever find your job depends on getting them to restart their servers at anything other than their usual scheduled times, you'd better start looking for a new job. A restart of their servers means an outage for hundreds of thousands of companies and millions of users.
Clearing Your Resolver's Cache

The process differs depending upon which operating system you are using.

Windows

Windows provides a means to dump your local resolver cache. If you suspect your computer has stored a negative answer ("host/domain not found") for some reason, you can issue the following DOS command to clear your resolver's cache:

C:\> ipconfig /flushdns

Mac OS & older BSD

Mac OS X and later uses 'lookupd', a binary that provides directory information and name caching functions. This command may require root privileges to run, depending on your local security configuration.

shell$ lookupd -flushcache

Linux

The client resolver is called 'nscd' (name service cache daemon). To wipe the cache, restart the daemon service with the following command:

/etc/rc.d/init.d/nscd restart

BSD

Some BSD systems don't come with resolver/caching software and simply use BIND. Be careful when issuing the flush command listed above.


4. Iterative Resolution

Resolvers in client software such as a web browser are not designed to hunt down answers about hosts and domains on their own. They rely on the local DNS server to do this for them. For this system of client software relying on a DNS server to work, a recursive DNS server must be available to these clients.

An Iterative DNS query results in a single DNS server being queried, and only getting a single response. If the DNS server has the answer, it sends it. If not it sends a "host/domain not found" error message, but the DNS server does not do any additional resolution. It does not query any other DNS servers.

Because recursive lookup takes the DNS server longer and requires more memory to store records, it sometimes is more efficient to separate the DNS services for external (Internet) users from the internal (LAN) users. To do this, a recursive DNS server is provided for the internal users, and a non-recursive or 'iterative' server is provided for Internet users to enable them to resolve ONLY your domain.

A Domain Name Server which provides for iterative lookup performs resolution using the information within its own lookup tables. It does not query other name servers for information. When a client request is sent to the server, it searches its local database, and if it has an answer, it will reply. If it does not have an answer, it will respond with a 'host not found' message.

Iterative servers are useful when you wish to provide resolution for your own zone, and only your zone. All users pointed at this server will fail to resolve anything not entered on the DNS server. This restricts the nameserver to responding only with information stored on it, and thus it is useless for resolving anything else. This decreases the usefulness of

Kishore
