Public DNS Infrastructure

Category
DNS – Blog 2
Time to Read
25 Minutes
Who should read this blog?
If you want to understand the types of DNS servers.

I knew it…

That one day we would talk about the public DNS infrastructure and the types of DNS servers, starting with authoritative DNS servers, which form the Primary and Secondary name servers for a DNS zone.

There are other types of DNS servers, like root and TLD servers, but we will cover them later.

But instead of just writing the definition of each one here, I thought I would take a different approach.

The hands-on approach:

Public DNS Infrastructure

The public DNS infrastructure is composed of various components that work together to provide reliable and efficient domain name resolution services to clients across the internet. Some of the key constituents of the public DNS infrastructure are:

Primary DNS Server

To explain the Primary DNS server I will start with the SOA record type, because the SOA and NS records are all about the Primary and Secondary Name Servers.

The SOA (Start of Authority) record defines the authority for a zone. Think of it as a message that starts from the Authority, “The Godfather”, and is passed down through the soldiers to the associates: through the SOA record, all the servers/machines in the zone know who the boss is.

The SOA record is typically created automatically by the DNS server software when a new zone is created. It contains the following information:

Name: corleone.com
Record Type: SOA
Mname (Primary): ns.corleone.com
Rname (Email): donvito.corleone.com
Serial: 86400
Refresh: 900 sec
Retry: 900 sec
Expire: 1800 sec
TTL: 60 sec
SOA record

The ‘RNAME’ value here represents the email address of the responsible party for the zone, which can be confusing because it is missing the ‘@’ sign, but in an SOA record donvito.corleone.com is the equivalent of donvito@corleone.com: the first dot stands in for the ‘@’.

The ‘MNAME’ value here represents the Primary Name Server, which is The Godfather himself: he holds all the records created under him, including the SOA record. In the above example, the Primary name server ns.corleone.com has the zone corleone.com configured on it and holds all of the zone’s records.

Below is the google.com SOA record:

ns1.google.com - Primary name server of google.com
dns-admin@google.com - email address of the party responsible for the google.com zone (written as dns-admin.google.com in the RNAME field)

Secondary DNS Server

The story does not end here. Don Corleone has a lot of risk in the business and too much at stake. There has to be someone who is trustworthy and has all the information about the business. Second in line – The Secondary DNS server.

The remaining SOA parameters govern the Secondary DNS server.

Serial: 86400
Refresh: 7200
Retry: 1200
Expire: 3600
TTL: 1800

Serial number: the Secondary DNS server has to listen to the Primary DNS server. Every time there is a change on the Primary DNS server, it increases its serial number by 1; when the secondary sees a serial higher than the one on its own copy, it knows it has to request the changed zone from the Primary DNS Server to stay in sync.

  • The refresh interval specifies how often secondary name servers should check for updates to the zone.
  • The retry interval specifies how often secondary name servers should retry a failed refresh.
  • The expiration time specifies how long a secondary name server can continue to use its cached copy of the zone data if it cannot refresh.
  • The minimum time-to-live (TTL) value specifies how long negative responses (i.e., responses indicating that a record does not exist) should be cached.
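To make the SOA fields concrete, here is an added Python example (not code from the original post): it parses the google.com SOA line exactly as dig prints it, turns the RNAME into a mailbox address, compares serials the way a secondary does (RFC 1982 serial arithmetic, which tolerates 32-bit wrap-around), and decides from the refresh/expire timers what the secondary should be doing. The function names and the sample line are my own constructions.

```python
from dataclasses import dataclass

# Constructed sample line in dig presentation format; the field values are
# the google.com SOA that appears in the trace later in this post.
SOA_LINE = ("google.com.\t\t60\tIN\tSOA\tns1.google.com. dns-admin.google.com. "
            "509476879 900 900 1800 60")

@dataclass
class SOA:
    mname: str     # primary name server (the Godfather)
    rname: str     # responsible party; first label is the mailbox local part
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int   # negative-caching TTL

def parse_soa(line: str) -> SOA:
    """Parse one SOA RR as dig prints it: owner TTL IN SOA mname rname + 5 integers."""
    f = line.split()
    if len(f) < 11 or f[3] != "SOA":
        raise ValueError("not an SOA record line")
    return SOA(f[4], f[5], *(int(x) for x in f[6:11]))

def rname_to_email(rname: str) -> str:
    """First unescaped dot becomes '@'; an escaped dot ('\\.') in the local part stays a dot."""
    local, i = [], 0
    while i < len(rname) and rname[i] != ".":
        if rname[i] == "\\" and i + 1 < len(rname):
            i += 1                      # keep the escaped character literally
        local.append(rname[i])
        i += 1
    return "".join(local) + "@" + rname[i + 1:].rstrip(".")

def serial_is_newer(candidate: int, current: int) -> bool:
    """RFC 1982 serial arithmetic: is the primary's serial ahead of the secondary's copy?"""
    return 0 < ((candidate - current) & 0xFFFFFFFF) < 2 ** 31

def secondary_state(soa: SOA, since_last_refresh: int) -> str:
    """What a secondary should do, given seconds since its last successful refresh."""
    if since_last_refresh < soa.refresh:
        return "serving"        # copy is fresh; no need to poll the primary yet
    if since_last_refresh < soa.expire:
        return "refresh-due"    # poll the primary, retrying every `retry` seconds on failure
    return "expired"            # stop answering authoritatively for the zone
```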

Name Servers

Kindly note that Primary and Secondary Name Servers are authoritative name servers and can be found by querying the NS record type of a zone. Below I am querying the NS record for google.com.

The tool used: digwebinterface.com

As we saw in the SOA record, ns1.google.com is the Primary Name Server, and the remaining ns2, ns3 and ns4 could work as Secondary name servers. But combined, they are all authoritative name servers for google.com.

Note that in some cases, a domain may have more than one primary name server or multiple tiers of secondary name servers. In these cases, the NS records will list all of the authoritative name servers for the domain, without distinguishing between primary and secondary servers.

So if I resolve www.google.com using any of the authoritative name servers, the result is shown as an authoritative answer. If I resolve www.google.com using the Cloudflare DNS server at 1.1.1.1, it is shown as a non-authoritative answer: Cloudflare’s 1.1.1.1 is not an authoritative name server for the google.com zone, or in short, not the owner of the zone.

nslookup www.google.com 1.1.1.1
Server:  one.one.one.one
Address:  1.1.1.1

Non-authoritative answer: <<<<<<
Name:    www.google.com
Addresses:  2404:6800:4007:820::2004
          142.250.193.132


nslookup www.google.com ns1.google.com
Server:  ns1.google.com
Address:  2001:4860:4802:32::a

Name:    www.google.com
Addresses:  2404:6800:4003:c03::69
          2404:6800:4003:c03::63
          2404:6800:4003:c03::68
          2404:6800:4003:c03::6a
          74.125.24.106
          74.125.24.104
          74.125.24.99
          74.125.24.147
          74.125.24.103
          74.125.24.105


nslookup www.google.com ns2.google.com
Server:  ns2.google.com
Address:  2001:4860:4802:34::a

Name:    www.google.com
Addresses:  2404:6800:4003:c03::63
          2404:6800:4003:c03::6a
          2404:6800:4003:c03::69
          2404:6800:4003:c03::67
          74.125.24.105
          74.125.24.103
          74.125.24.104
          74.125.24.147

So if I ask the Cloudflare DNS server 1.1.1.1 to resolve Google’s records, it has to ask the Google name servers first and then reply to the query for www.google.com.

Below is the trace of how the Cloudflare DNS server gets the DNS resolution for the query www.google.com, for which it is not authoritative: it starts from the root servers, is referred to the .com TLD servers, and is finally referred to Google’s authoritative name servers.

www.google.com@1.1.1.1 (Cloudflare):  
;; Truncated, retrying in TCP mode.
.			509736	IN	NS	a.root-servers.net.
.			509736	IN	NS	b.root-servers.net.
.			509736	IN	NS	c.root-servers.net.
.			509736	IN	NS	d.root-servers.net.
.			509736	IN	NS	e.root-servers.net.
.			509736	IN	NS	f.root-servers.net.
.			509736	IN	NS	g.root-servers.net.
.			509736	IN	NS	h.root-servers.net.
.			509736	IN	NS	i.root-servers.net.
.			509736	IN	NS	j.root-servers.net.
.			509736	IN	NS	k.root-servers.net.
.			509736	IN	NS	l.root-servers.net.
.			509736	IN	NS	m.root-servers.net.
;; Received 800 bytes from 1.1.1.1#53(1.1.1.1) in 37 ms

com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	a.gtld-servers.net.
com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.
;; Received 828 bytes from 192.203.230.10#53(192.203.230.10) in 56 ms

google.com.		172800	IN	NS	ns2.google.com.
google.com.		172800	IN	NS	ns1.google.com.
google.com.		172800	IN	NS	ns3.google.com.
google.com.		172800	IN	NS	ns4.google.com.
;; Received 280 bytes from 192.31.80.30#53(192.31.80.30) in 13 ms

google.com.		60	IN	SOA	ns1.google.com. dns-admin.google.com. 509476879 900 900 1800 60
;; Received 82 bytes from 216.239.34.10#53(216.239.34.10) in 11 ms

Root DNS Servers

The Root DNS server is responsible for maintaining a list of all the top-level domain (TLD) name servers, which are the DNS servers responsible for specific TLDs like .com, .org, .net, etc. The root DNS server is essentially the starting point for all DNS queries, and it helps to direct those queries to the appropriate TLD name servers based on the domain name being requested. There are actually multiple root DNS servers distributed across the world, operated by various organizations. These servers work together to ensure that DNS queries are efficiently resolved and that the internet remains accessible to everyone.

On a Windows machine you can get the list of root DNS name servers with the command ‘nslookup -type=ns .’, where the dot (.) represents the root zone.

nslookup -type=ns .
Server:  UnKnown
Address:  fe80::1

Non-authoritative answer:
(root)  nameserver = a.root-servers.net
(root)  nameserver = b.root-servers.net
(root)  nameserver = c.root-servers.net
(root)  nameserver = d.root-servers.net
(root)  nameserver = e.root-servers.net
(root)  nameserver = f.root-servers.net
(root)  nameserver = g.root-servers.net
(root)  nameserver = h.root-servers.net
(root)  nameserver = i.root-servers.net
(root)  nameserver = j.root-servers.net
(root)  nameserver = k.root-servers.net
(root)  nameserver = l.root-servers.net
(root)  nameserver = m.root-servers.net

a.root-servers.net      internet address = 198.41.0.4
b.root-servers.net      internet address = 199.9.14.201
c.root-servers.net      internet address = 192.33.4.12
d.root-servers.net      internet address = 199.7.91.13
e.root-servers.net      internet address = 192.203.230.10
f.root-servers.net      internet address = 192.5.5.241
g.root-servers.net      internet address = 192.112.36.4
h.root-servers.net      internet address = 198.97.190.53
i.root-servers.net      internet address = 192.36.148.17
j.root-servers.net      internet address = 192.58.128.30
k.root-servers.net      internet address = 193.0.14.129
l.root-servers.net      internet address = 199.7.83.42
m.root-servers.net      internet address = 202.12.27.33
a.root-servers.net      AAAA IPv6 address = 2001:503:ba3e::2:30
b.root-servers.net      AAAA IPv6 address = 2001:500:200::b

On a Linux machine you can get the list of root DNS servers by running ‘dig . NS @8.8.8.8’ (dig queries the A type by default, so the NS type has to be given explicitly).


TLD DNS Servers

A Top-Level Domain (TLD) DNS server is a type of DNS server that is responsible for resolving domain name queries for a specific TLD. The TLD is the last portion of a domain name, such as .com, .org, .net, .edu, etc.

For example, if you want to access a website with the domain name example.com, your computer will send a DNS query to the TLD DNS server for the .com TLD, which is responsible for resolving domain names ending with .com. The .com TLD DNS server will then respond with the IP address of the authoritative DNS server for the domain name example.com, which can provide the actual IP address for the website.

On a Linux machine you can get the list of the TLD name servers for the com. TLD by running ‘dig com. NS @8.8.8.8’.

On a Windows machine you can get the same list of .com TLD name servers with ‘nslookup -type=ns com.’, where the trailing dot makes com. a fully qualified name.
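As an added example (not code from the original post), this Python walks the dig +trace output shown earlier and reconstructs the delegation path that the root and TLD sections describe: root servers hand out the com. NS set, a com. server hands out the google.com. NS set, and Google’s own server gives the final answer. The TRACE text is a constructed excerpt of that output with the page’s values, and parse_trace/delegation_chain are names I chose.

```python
import re

# Constructed excerpt of the dig +trace output shown earlier in this post (page's values).
TRACE = """\
.\t\t\t509736\tIN\tNS\ta.root-servers.net.
.\t\t\t509736\tIN\tNS\tb.root-servers.net.
;; Received 800 bytes from 1.1.1.1#53(1.1.1.1) in 37 ms

com.\t\t\t172800\tIN\tNS\te.gtld-servers.net.
com.\t\t\t172800\tIN\tNS\tb.gtld-servers.net.
;; Received 828 bytes from 192.203.230.10#53(192.203.230.10) in 56 ms

google.com.\t\t172800\tIN\tNS\tns2.google.com.
google.com.\t\t172800\tIN\tNS\tns1.google.com.
;; Received 280 bytes from 192.31.80.30#53(192.31.80.30) in 13 ms

google.com.\t\t60\tIN\tSOA\tns1.google.com. dns-admin.google.com. 509476879 900 900 1800 60
;; Received 82 bytes from 216.239.34.10#53(216.239.34.10) in 11 ms
"""

RECEIVED = re.compile(r"^;; Received \d+ bytes from (\S+?)#\d+\(")

def parse_trace(text: str) -> list:
    """Split dig +trace output into hops: (zone, rtype, [rdata...], server that answered)."""
    hops, zone, rtype, rdata = [], None, None, []
    for line in text.splitlines():
        m = RECEIVED.match(line)
        if m:                                   # the "Received ... from" line closes a hop
            hops.append((zone, rtype, rdata, m.group(1)))
            zone, rtype, rdata = None, None, []
            continue
        f = line.split()
        if len(f) >= 5 and f[2] == "IN":        # an RR line: owner TTL IN type rdata
            zone, rtype = f[0], f[3]
            rdata.append(" ".join(f[4:]))
    return hops

def delegation_chain(hops: list) -> list:
    """Referral path as (zone, server that handed out that zone's NS set), checking
    that every zone is a child of the one before it (root -> com. -> google.com.)."""
    chain = []
    for zone, rtype, _, server in hops:
        if rtype != "NS":
            continue                            # the last hop is the answer itself, not a referral
        parent = chain[-1][0] if chain else None
        if parent not in (None, ".") and not zone.endswith("." + parent):
            raise ValueError(f"{zone} is not delegated from {parent}")
        chain.append((zone, server))
    return chain
```

The final hop in the trace is the SOA from 216.239.34.10, a Google authoritative server, which is why the answer there is authoritative while the earlier hops are only referrals.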


Conclusion:

Our last blog was about Enterprise/ISP DNS servers and their different configuration modes on both Linux and Windows DNS servers. From there we moved to the Internet-based DNS system and explained the constituents of the public DNS infrastructure. In the next blog we will see how the whole movie plays out, and the important part a DNS trace plays in understanding Internet-based DNS resolution.
