I knew it…

That one day we will talk about Public DNS infrastructure and types of DNS servers, Starting with Authoritative DNS Servers which form the Primary and Secondary nameservers for a DNS zone.

There are other types of DNS servers like – Root, and TLD servers but we will cover them later.

But instead of just writing the definition of each one here I thought to have a different approach.

The hands-on approach :

Public DNS Infrastructure

The public DNS infrastructure is composed of various components that work together to provide reliable and efficient domain name resolution services to clients across the internet. Some of the key constituents of the public DNS infrastructure are:

Primary DNS Server

To explain the Primary DNS server I will start with the SOA record type because the SOA record and NS server records are all about the Primary and Secondary Name Servers.

The SOA (Start of Authority ) record defines the authority, SOA record ( message) starts from the Authority “The Godfather” and walks up to the associates through the soldiers. Through SOA record all the servers/machines in the zone know who the boss is.

The SOA record is typically created automatically by the DNS server software when a new zone is created. It contains the following information :

The ‘RNAME’ value here represents the email address of the responsible party for the zone, which can be confusing because it is missing the ‘@’ sign, but in an SOA record donvito.corleone.com is the equivalent of donvito@corleone.com.

The ‘MNAME’ value here represents the Primary Name Server which is The Godfather himself and he has all the records created under him including the SOA record. In the above example, the Primary name server ns.corleone.com has the zone Corleone.com configured on it and has all the zone’s records.

Below is the google.com SOA record

ns1.google.com - Primary nameserver of google.com
dns-admin@google.com - Google.com zones responsible party Email address

Secondary DNS Server

The story does not end here. Don Corleone has a lot of risk in the business and too much at stake. There has to be someone who is trustworthy and has all the information about the business. Second in line – The Secondary DNS server.

The remaining SOA parameters are of the Secondary DNS server.

The Serial no, Secondary DNS server has to hear the Primary DNS Server. Every time there is any change on the Primary DNS server, it increases its serial no by 1 and that is how the secondary server has to request the change from the Primary DNS Server to be in sync.

• The refresh interval specifies how often secondary name servers should check for updates to the zone.
• The retry interval specifies how often secondary name servers should retry a failed refresh.
• The expiration time specifies how long a secondary name server can continue to use its cached copy of the zone data if it cannot refresh.
• The minimum time-to-live (TTL) value, specifies how long negative responses (i.e., responses indicating that a record does not exist) should be cached.

Name Servers

Kindly note that Primary or Secondary Name Servers are authoritative name servers and can be found querying NS record type of a zone. Below I am querying the NS record for google.com.

The tool used – digwebinterface

As we saw in the SOA record ns1.google.com was the Primary Name Server and the remaining ns2,ns3, and ns4 could work as Secondary name servers. But combined they all are authoritative name servers.

Note that in some cases, a domain may have more than one primary name server or multiple tiers of secondary name servers. In these cases, the NS records will list all of the authoritative name servers for the domain, without distinguishing between primary and secondary servers.

So if I resolve www.google.com using any of the authoritative name servers, I will see the resolution as authoritative resolution. If I resolve www.google.com using Cloudflare DNS server IP 1.1.1.1 it will be shown as Non-authoritative Name Server it shows that Cloudflare DNS server 1.1.1.1 is not an authoritative name server for google.com zone or in short not the owner of the zone.

nslookup www.google.com 1.1.1.1
Server:  one.one.one.one
Address:  1.1.1.1

Non-authoritative answer: <<<<<<
Name:    www.google.com
Addresses:  2404:6800:4007:820::2004
          142.250.193.132


nslookup www.google.com ns1.google.com
Server:  ns1.google.com
Address:  2001:4860:4802:32::a

Name:    www.google.com
Addresses:  2404:6800:4003:c03::69
          2404:6800:4003:c03::63
          2404:6800:4003:c03::68
          2404:6800:4003:c03::6a
          74.125.24.106
          74.125.24.104
          74.125.24.99
          74.125.24.147
          74.125.24.103
          74.125.24.105


nslookup www.google.com ns2.google.com
Server:  ns2.google.com
Address:  2001:4860:4802:34::a

Name:    www.google.com
Addresses:  2404:6800:4003:c03::63
          2404:6800:4003:c03::6a
          2404:6800:4003:c03::69
          2404:6800:4003:c03::67
          74.125.24.105
          74.125.24.103
          74.125.24.104
          74.125.24.147

So if I insist Cloudflare DNS server 1.1.1.1 to resolve the google records it has to ask it google name servers and then reply to the query for www.google.com.

Below is the trace of how the Cloudflare DNS server gets the DNS resolution for the query www.google.com for which he is not authoritative.

www.google.com@1.1.1.1 (Cloudflare):  
;; Truncated, retrying in TCP mode.
.			509736	IN	NS	a.root-servers.net.
.			509736	IN	NS	b.root-servers.net.
.			509736	IN	NS	c.root-servers.net.
.			509736	IN	NS	d.root-servers.net.
.			509736	IN	NS	e.root-servers.net.
.			509736	IN	NS	f.root-servers.net.
.			509736	IN	NS	g.root-servers.net.
.			509736	IN	NS	h.root-servers.net.
.			509736	IN	NS	i.root-servers.net.
.			509736	IN	NS	j.root-servers.net.
.			509736	IN	NS	k.root-servers.net.
.			509736	IN	NS	l.root-servers.net.
.			509736	IN	NS	m.root-servers.net.
;; Received 800 bytes from 1.1.1.1#53(1.1.1.1) in 37 ms

com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	a.gtld-servers.net.
com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.
;; Received 828 bytes from 192.203.230.10#53(192.203.230.10) in 56 ms

google.com.		172800	IN	NS	ns2.google.com.
google.com.		172800	IN	NS	ns1.google.com.
google.com.		172800	IN	NS	ns3.google.com.
google.com.		172800	IN	NS	ns4.google.com.
;; Received 280 bytes from 192.31.80.30#53(192.31.80.30) in 13 ms

google.com.		60	IN	SOA	ns1.google.com. dns-admin.google.com. 509476879 900 900 1800 60
;; Received 82 bytes from 216.239.34.10#53(216.239.34.10) in 11 ms

Root DNS Servers

The Root DNS server is responsible for maintaining a list of all the top-level domain (TLD) name servers, which are the DNS servers responsible for specific TLDs like .com, .org, .net, etc. The root DNS server is essentially the starting point for all DNS queries, and it helps to direct those queries to the appropriate TLD name servers based on the domain name being requested. There are actually multiple root DNS servers distributed across the world, operated by various organizations. These servers work together to ensure that DNS queries are efficiently resolved and that the internet remains accessible to everyone.

On Windows Machine you may get the list of Root DNS name servers by using the command ‘nslookup -type=ns .’ where (.) represents root DNS name servers.

nslookup -type=ns .
Server:  UnKnown
Address:  fe80::1

Non-authoritative answer:
(root)  nameserver = a.root-servers.net
(root)  nameserver = b.root-servers.net
(root)  nameserver = c.root-servers.net
(root)  nameserver = d.root-servers.net
(root)  nameserver = e.root-servers.net
(root)  nameserver = f.root-servers.net
(root)  nameserver = g.root-servers.net
(root)  nameserver = h.root-servers.net
(root)  nameserver = i.root-servers.net
(root)  nameserver = j.root-servers.net
(root)  nameserver = k.root-servers.net
(root)  nameserver = l.root-servers.net
(root)  nameserver = m.root-servers.net

a.root-servers.net      internet address = 198.41.0.4
b.root-servers.net      internet address = 199.9.14.201
c.root-servers.net      internet address = 192.33.4.12
d.root-servers.net      internet address = 199.7.91.13
e.root-servers.net      internet address = 192.203.230.10
f.root-servers.net      internet address = 192.5.5.241
g.root-servers.net      internet address = 192.112.36.4
h.root-servers.net      internet address = 198.97.190.53
i.root-servers.net      internet address = 192.36.148.17
j.root-servers.net      internet address = 192.58.128.30
k.root-servers.net      internet address = 193.0.14.129
l.root-servers.net      internet address = 199.7.83.42
m.root-servers.net      internet address = 202.12.27.33
a.root-servers.net      AAAA IPv6 address = 2001:503:ba3e::2:30
b.root-servers.net      AAAA IPv6 address = 2001:500:200::b

On Linux Machine you may get the list of the Root DNS server by running the command ‘dig . @8.8.8.8′

TLD DNS Servers

A Top-Level Domain (TLD) DNS server is a type of DNS server that is responsible for resolving domain name queries for a specific TLD. The TLD is the last portion of a domain name, such as .com, .org, .net, .edu, etc.

For example, if you want to access a website with the domain name example.com, your computer will send a DNS query to the TLD DNS server for the .com TLD, which is responsible for resolving domain names ending with .com. The .com TLD DNS server will then respond with the IP address of the authoritative DNS server for the domain name example.com, which can provide the actual IP address for the website.

On a Linux machine, you may get the list of the TLD DNS name servers for com. TLD by running the command ‘dig com. @8.8.8.8′.

On Windows Machine you may get the list of Root DNS servers by using the command ‘nslookup -type=ns com.’ where (.) represents root DNS name servers