NullifyNetwork

The blog and home page of Simon Soanes
Skip to content
[ Log On ]

This is something I posted to a mailing list in response to a question, but since posting it I've also been asked some questions which it answers - so, here is a VERY quick rundown of DNS:

> I basically need:

>

> (a) An overview of all the bits in the process – so I know I haven’t

> missed something obvious!

DNS is a tiered, cached method of querying some form of data, not necessarily a name, not necessarily an IP, not necessarily a text record, location, what the router for a network is, what the Kerberos/LDAP servers for a domain are, etc.

It uses the format:

Name dot

To distinguish a part, therefore (taking my own domain as an example) it is not really:

Nullify.net

But instead:

Nullify.net.

However the last dot is commonly left off for convenience incorrectly.  One or more domains controlled as a single entity on a server is called a 'zone'.

The bits that make up DNS from a practical standpoint consist of:

- A resolver

- A cache

- An authoritative server

The resolver is what exists on every persons computer, and on the ISP's nameservers along with a cache.  The resolver requests from the default DNS servers for the current dns 'zone' any desired records - in the case of a site that is in the root zone, or wants to query the root set of DNS servers there are a set of root servers, located at root-servers.net.  These can be extracted using dig, and have always stayed at the same IP - although one of these servers got a new multicast IP a short while ago.  Once a result (or NXDOMAIN, indicating there isn't a result) is retrieved - it is stored in the cache along with it's time to live (ttl).

The cache is the reason a small number of servers can support the whole Internet (obviously there's a lot behind the scenes, but the point still holds).  The vast majority of traffic is handled by the caches at every stage.  There will commonly be as many as four caches between an authoritative nameserver and a client.  The TTL maintains how long these hold a record of those results, and this is why DNS changes take so long.  The exact same cache is also used on a secondary nameserver, but rather than the TTL for records, the TTL for the zone itself is used.

An authoritative nameserver is a server that knows something itself.  It responds with a particular record for a particular domain - assuming anyone asks it.  There are both master and slave servers - a master holds the file that actually stores the data, the slave stores it in memory and relies on the TTL for the zone itself to decide how long it is authoritative.  The slave uses the zones serial number to decide whether a change has been made, and refreshes every time the refresh property of the SOA record for a zone has been expired.

>

> (b) An idea of how to set up the Windows Server as the primary nameserver

> (not sure if this is a good idea)

For windows you just create a zone and create the desired records.  From then on it will answer as a nameserver and can be queried by a machine looking at it as the default nameserver, or using nslookup/dig with it set as the default.

You then need to point a server on the internet for the domain you are adding a record to (say, net. Or com.!) to think it is the nameserver for a domain, and you require either an out of zone A record for it, or a glue record for it so that the IP of your own server can be resolved in order to go query it for the details of your domain!

To simplify this, for my domain I have a primary nameserver xerxes.nullify.net. at 2002:4262:b24a::4262:b24a and 66.98.178.74

This means that in order for xerxes to host nullify.net, the nameservers for net. Need to also contain both AAAA and A records for it.  A records resolve to a host.  (AAAA is ipv6, which you don't need to worry about yet).  You should request these records are created in advance for ALL nameservers that do not already have glue records.  The contact for the netblock the servers are hosted in may be contacted by some TLD providers, but net. And com. Don't do this.

Once you have glue records that have propagated to all the servers for the zone they are in, you need to ask them to delegate a hostname for you - this is your domain and results in your domain being set to use your nameservers - this is an NS record, and there will be one for each nameserver that knows that domain.

>

> (c) An idea of how to configure secondary nameservers

Create a secondary zone, pointed to yourdomain.tld. - note the last dot.  Then you need to make sure you secondary server has a glue record in your TLD and an A record in your domain, add an NS record to YOUR copy of the domain pointing to the nameserver, and finally have it added as an additional NS record to the TLD's servers.

>

> (d) An overview of how MX records work

An MX record is a mail exchanger record, when you send mail to a host the following happens:

- An attempt to resolve it as an A record occurs.

- An attempt to resolve it as an MX record occurs.

   - Each returned MX record points to an A record that is resolved.

      - Mail delivery is attempted at the A records in order of weighting.

The MX records take priority, to allow an A record to exist for a host, but that host not to receive mail.

MX records have a weighting, the lowest takes mail first, then if that is down the next highest, and so on.  MX records with the same weighting are attempted randomly.

If all MX records bounce, the message is queued but eventually bounces with a failure.  If there are no MX records, and no A record, the mail bounces instantly.  If there is an A record, delivery is attempted and on failure, it bounces instantly.

>

> (d) An overview of Reverse DNS records (and whether I need these)

>

You do need these to deliver mail, you also need these if you wish to run a netblock, since it can be revoked by the issuer if you fail to do so.

As the owner for a netblock, you also have rights to a second domain - in in-addr.arpa.

This domain follows the reverse of an IP, so it can be followed down through the ownership chain, for example if RIPE issued you the address space 192.168.0.0/24 you would have the zone:

0.168.192.in-addr.arpa.

You could set up www here, but it wouldn't be much use.  More use would be to set up a PTR record for your SMTP server, which is at 192.168.0.8:

8.0.168.192 PTR mymail.mydomain.tld.

Note that when working with DNS you really do need the final dot, otherwise it'll exist in your current domain.  This is the common cause of lots of problems like cname's not resolving correctly and instead trying to go to mymail.mydomain.tld.mydomain.tld.

A cname is an alias.

------

Records you need to know about are:

SOA - the actual domain as it is stored on your system.

A - a hostname to IP

PTR - an ip to hostname

SVR - a common service (e.g. - ldap and Kerberos to log in to active directory in a domain)

MX - mail exchanger

CNAME - an alias, or common name

TEXT - information or other details

You can explore from the client side and test everything is working by using nslookup.

To use nslookup, open a command prompt, define what record type you want, and type the name of the record.

For example:

C:\>nslookup

Default Server:  vex.nullify.net

Address:  192.168.0.5

> set type=a

> xerxes

Server:  vex.nullify.net

Address:  192.168.0.5

Name:    xerxes.nullify.net

Address:  66.98.178.74

> set type=ns

> nullify.net.

Server:  vex.nullify.net

Address:  192.168.0.5

nullify.net     nameserver = ns1.twisted4life.com

nullify.net     nameserver = queeg.nullify.net

nullify.net     nameserver = xerxes.nullify.net

queeg.nullify.net       internet address = 66.45.233.165

xerxes.nullify.net      internet address = 66.98.178.74

xerxes.nullify.net      AAAA IPv6 address = 2002:4262:b24a::4262:b24a

> set type=mx

> nullify.net

Server:  vex.nullify.net

Address:  192.168.0.5

nullify.net     MX preference = 20, mail exchanger = xerxes.nullify.net

nullify.net     MX preference = 30, mail exchanger = queeg.nullify.net

nullify.net     MX preference = 10, mail exchanger = firewall.nullify.net

nullify.net     nameserver = ns1.twisted4life.com

nullify.net     nameserver = queeg.nullify.net

nullify.net     nameserver = xerxes.nullify.net

firewall.nullify.net    internet address = 81.109.199.173

xerxes.nullify.net      internet address = 66.98.178.74

xerxes.nullify.net      AAAA IPv6 address = 2002:4262:b24a::4262:b24a

queeg.nullify.net       internet address = 66.45.233.165

Feel free to use my domain to explore it if you want, it (should be) set up correctly, and everything is public info anyway.  http://www.demon.net/toolkit/internettools/ contains some useful tools to test your domain from outside your own network if you don't have access to an external machine.

Exploring from the client side gives a good idea what the server side setup will need to be.

Permalink  2 Comments 

great article by vijay at 25/06/2005 02:45:35
Mr Simon this is a great article it demystifies dns for beginners/gurus

You're welcome by simon at 14/04/2008 22:40:03
Sorry it's taken me three years to reply!