DNS Question

Pash Member Posts: 1,600
When a resolver is querying a SERVER, does the server search its own zone files first or cache?

MS Press book says zone files, but I would have said cache? Anyone have a good authoritative answer for this question (ba dum tish)?

Cheers,
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.

Comments

  • royal Member Posts: 3,352
    It's zone file then cache.

    http://207.46.196.114/windowsserver/en/library/19a63021-cc53-4ded-a7a3-abaf82e7fb7c1033.mspx?mfr=true
    Part 2: Querying a DNS Server

    As indicated in the previous figure, the client queries a preferred DNS server. The actual server used during the initial client/server query is selected from a global list.

    When the DNS server receives a query, it first checks to see if it can answer the query authoritatively based on resource record information contained in a locally configured zone on the server. If the queried name matches a corresponding resource record in local zone information, the server answers authoritatively, using this information to resolve the queried name.

    If no zone information exists for the queried name, the server then checks to see if it can resolve the name using locally cached information from previous queries.

    Scroll to this area and read it. There's a lot more information as well as a flowchart to describe what exactly occurs in the lookup process.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • jasonboche Member Posts: 167
    By the time you finish 70-291, you should be a DNS ninja!
    :D

    VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
  • Pash Member Posts: 1,600
    Many thanks for the link, very helpful. I think the instructor I had a couple of years ago always thought that cache was checked first, this is why I was lost as his notes and diagram suggest differently.

    I thought I used to have this stuff nailed.
  • sprkymrk Member Posts: 4,884
    Pash wrote:
    Many thanks for the link, very helpful. I think the instructor I had a couple of years ago always thought that cache was checked first, this is why I was lost as his notes and diagram suggest differently.

    I thought I used to have this stuff nailed.

    The client will usually* check its cache first to do name resolution, maybe that's what you were thinking?

    *Based upon the node type setting
    All things are possible, only believe.
  • Pash Member Posts: 1,600
    sprkymrk wrote:
    Pash wrote:
    Many thanks for the link, very helpful. I think the instructor I had a couple of years ago always thought that cache was checked first, this is why I was lost as his notes and diagram suggest differently.

    I thought I used to have this stuff nailed.

    The client will usually* check its cache first to do name resolution, maybe that's what you were thinking?

    *Based upon the node type setting

    No, I know the resolver checks its own cache first. I have a diagram from the class I took with my old 291 instructor. In that diagram the resolver is making recursive queries to its preferred DNS server, and the query goes straight to the DNS server cache first before the zone file. I'll scan it when I have time and post it up, kinda made me confused :)

    Thanks anyhow.
  • Pash Member Posts: 1,600

    The DNS Server or the local workstation etc. will always check its cache FIRST when it is either non-Authoritative or if it is a workstation.

    Sorry, now I'm lost. How does it know if it is a non-authoritative server without checking its zone file first?
  • royal Member Posts: 3,352
    Pash wrote:

    The DNS Server or the local workstation etc. will always check its cache FIRST when it is either non-Authoritative or if it is a workstation.

    Sorry, now I'm lost. How does it know if it is a non-authoritative server without checking its zone file first?

    Well, it still has to look at the zone file first to know whether or not it has a zone. It then looks at cache first since it knows it's non-authoritative. Just like the DNS Whitepaper states.
  • Pash Member Posts: 1,600
    royal wrote:
    Pash wrote:

    The DNS Server or the local workstation etc. will always check its cache FIRST when it is either non-Authoritative or if it is a workstation.

    Sorry, now I'm lost. How does it know if it is a non-authoritative server without checking its zone file first?

    Well, it still has to look at the zone file first to know whether or not it has a zone. It then looks at cache first since it knows it's non-authoritative. Just like the DNS Whitepaper states.

    Obviously I didn't read that white paper as closely as I thought, makes mucho sense now and explains my instructor's diagram's reasoning. I'm gonna Visio it then post it today if anyone would care to check it out :)

    Thanks mr DW and mr royal.
  • Slowhand Mod Posts: 5,161
    Threads like this are very interesting for me, and helpful, too. It's been almost a year since I finished my MCSA, and since then my employer's had me doing trivial tasks with Server 2003, nothing at all to do with DNS, RRAS, AD, or anything of the like. Also makes me a little sad, really, because it means I'll probably have to read through my 70-291 book all over again, or at least watch the CBT Nuggets, before I plug away at the 70-293 material, since I've forgotten all too much in this past year or so.

    Free Microsoft Training: Microsoft Learn
    Free PowerShell Resources: Top PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
  • Pash Member Posts: 1,600
    I know exactly what you mean, even though I haven't passed these exams before. About 2 years ago this stuff was fresh on my mind and I was building AD/DNS environments in my course labs every day. It's funny though how you retain some facts about the subjects but some others just float out. I would purchase the CBT Nuggets myself because they really work for me, but work will not refund, so I am on my own using what notes and information I have currently.
  • Pash Member Posts: 1,600
    http://www.markpashby.co.uk/files/studydiagrams/How-DNS%20Servers.pdf

    Does that make an ounce of sense to anyone? I think I get it after staring at it for the last few hours.
  • royal Member Posts: 3,352
    Slowhand wrote:
    Threads like this are very interesting for me, and helpful, too. It's been almost a year since I finished my MCSA, and since then my employer's had me doing trivial tasks with Server 2003, nothing at all to do with DNS, RRAS, AD, or anything of the like. Also makes me a little sad, really, because it means I'll probably have to read through my 70-291 book all over again, or at least watch the CBT Nuggets, before I plug away at the 70-293 material, since I've forgotten all too much in this past year or so.

    Do you have any plans to finish your MCSE? Also, how is your CCNA studies going?

    Pash wrote:
    http://www.markpashby.co.uk/files/studydiagrams/How-DNS Servers.pdf

    Does that make an ounce of sense to anyone? I think I get it after staring at it for the last few hours.

    That diagram made my head hurt when I first looked at it! I didn't look at it too much because I'm taking an exam soon. I just tried looking it over again but the page cannot be displayed. Do you have the pdf saved? I wouldn't mind taking a more in-depth look at it.
  • Slowhand Mod Posts: 5,161
    royal wrote:
    Do you have any plans to finish your MCSE? Also, how is your CCNA studies going?

    I do plan on finishing my MCSE, hopefully even going for the 70-299, so I can get MCSE: Security. I've found myself in a little bit of a rut, trying to get on with the CCNA studying since I was urged by my employers to get deeper into the Cisco world sooner than later. It's been a little slow-going, mainly because they've been keeping me doing some projects here and there, and doing support for stand-alone customer machines. I was planning on doing the LPIC-2 certification, but that too got derailed. I've had to re-organize my certification plans, and I've made a conscious decision to assert myself on both the Microsoft and Cisco tracks. Right now, I'm keeping on the CCNA path, but I won't be able to retake the exam until mid-June because of finances. I'm doing mainly labs on the Cisco partner e-learning site, so I've been poking around on Craigslist and on eBay for hardware to build myself a lab here at the house. (The fact that my roommate found three full-sized server racks helps in that endeavor, I'm going to lay claim to one of them and put it in next to my desk to begin setting up the lab-hardware.)

    So, with that going, this is the general plan:

    First, I'm consolidating all my old PC hardware into a couple of decent machines to use as servers, I'll probably end up with two or three that I can put on a shelf in the rack. I'll probably set one up as a FreeBSD server, to keep up the *NIX skills, as well as run diagnostic and scanning software from. I've also got a little iMac desktop that I've currently got Fedora Core 6 running on, so I'll be putting that on my desk as a *NIX workstation to blow up from time to time, with various software I want to test out. Beyond that, I'm going to begin amassing some Cisco equipment to use as my networking lab, and then I'll be well on my way to doing some real learning.

    Certification-wise, I'm going to start by finishing off the CCNA. I'm generally prepared to pass it, I just need to get some more reading done and pay up the $125 to take it. After that, I'll dive into doing the 70-293 and 70-294 exams, hopefully getting through them in the next 3 - 4 months. In the fall, I'll do a stretch-study of all things related to Microsoft security, and start by doing the 70-298 exam, then go right into the 70-299. A lot of this stuff will be outside of work, since they want me to focus on the Cisco-end, and I'm pretty sure they'll want me to be actively studying for the CCDA, after finishing CCNA, with the time they give me on the job. Who knows, maybe I'll be able to pull off getting the CCDA under my belt by the time I have my MCSE: Security.

    After that, I'm planning on holding off for a bit with the MCITP on Server 2008. I want to see how things develop with the upgrade-path, and I'm going to give it until at least spring of next year to see how well-received Windows Server 2008 is, and what changes or upgrades Microsoft plans on doing to it as they launch. The first, "plain release" of their OS'es tends to be buggy, or there'll be additional software with it that'll change. The change from SUS to WSUS comes to mind, so I'll give it a little while before I put myself on the MCITP path.

    I'd like to do CCNP at some point, but that's going to wait until after MCSE, so I'm not really putting the plans to take those exams in ink, so to speak. The goal is to finish the MCSE before the year is up, as well as get the CCNA finished up as soon as possible. It's all going to depend on how quickly I can build myself a workable lab, and how much time I'll have between working and school. That transfer-degree to UC Berkeley isn't going to drop in my lap, so I need to make sure I get all that homework I'll be getting in the high-level math and physics classes done.

    So, that's the general plan. The certifications and self-learning are going to be an ongoing project for me, leading into the coming years when I take myself out of the working world and get into school on a full-time basis. I enjoy learning, I enjoy networking and systems administration, and I don't want to give it up just because life is going to get busy. I'd like to think I can put myself through school with the work I'm doing now, and it certainly won't hurt to have the experience and credentials to take on consulting and contract jobs during the breaks from classes; so I think my mad plot to become (over)educated is working out pretty well. And hey, who knows. . . one day, when college is winding down and I'm even crazier than I am now, maybe I'll be starting one of those posts on this forum that starts with "Today, the payment for my CCIE lab went on my credit card. . ."

  • Pash Member Posts: 1,600
    royal wrote:
    Pash wrote:
    http://www.markpashby.co.uk/files/studydiagrams/How-DNS Servers.pdf

    Does that make an ounce of sense to anyone? I think I get it after staring at it for the last few hours.

    That diagram made my head hurt when I first looked at it! I didn't look at it too much because I'm taking an exam soon. I just tried looking it over again but the page cannot be displayed. Do you have the pdf saved? I wouldn't mind taking a more in-depth look at it.

    Web server down until I can get a longer cable to accommodate my reshuffle. TEMP LINK:

    --BACK TO OLD LINK PLEASE--

    We said exactly the same thing to the instructor, but he was 100% sure it would help us understand a DNS environment.

    Cheers,
  • royal Member Posts: 3,352
    Thanks for posting the pdf back up. Yes, that diagram makes complete sense. Let me describe in a high level manner exactly what is occurring. Perhaps that will help you better understand what is occurring.

    1. A client is checking for a dns. The dns resolver (client) will check its local cache in which the hosts file was pre-loaded.

    2. If the resolver cache does not include a positive answer, the primary dns server will be contacted. If contacting the primary fails, the secondary server will be contacted. Note that if the primary server does respond back, the client will NOT contact the secondary server.

    3. Now in this diagram, the primary server checks its zone file for information. It clearly does not contain the record needed to give an authoritative positive answer back to the client.

    4. This primary server has a forwarder configured to go to the internal company's forwarding server. Many companies will configure a dns server in a dmz that has connectivity to the internet. This server's role is to build up a rich cache. This cache allows prompt answers back to the dns server requesting an answer in addition to reducing WAN traffic due to the answer being in cache. This can especially be useful if you are using a WAN link that costs your company money based on usage. This forwarding works by having all your internal dns servers forwarding to this caching server. Because all of your internal dns servers will be forwarding unresolvable requests to this caching server, this caching server will be configured to forward to an ISP dns server or use root hints to perform recursion (the process of resolving a recursive query through iterative queries). In the case of this diagram, it is configured to forward to an ISP DNS server which also will have a rich cache.

    In this case of redundancy, you can configure multiple forwarders on your internal dns servers. This requires you to have >1 caching server. You can have a couple different configurations in this scenario. On half of your internal dns servers, you can have them forwarding to caching server A while the other half are forwarding to caching server B. One con about this is that 1 server will not have as rich of a cache as it could have. Keep in mind that you can configure multiple forwarders on 1 internal dns server. This means that if the 1st caching server is not able to be contacted, it will use the 2nd on the list. A scenario where this is usable is having all your internal dns servers pointing to 1 primary caching server. You then add the secondary caching server at the bottom of the list. This will allow you to have 1 caching server as a main caching server with a very rich cache, and only if that server dies, then the secondary caching server will temporarily take over the responsibility of caching.

    5. This caching server now performs recursion by contacting its configured forwarder; which in this case, is an ISP DNS server. You can also configure your own caching server to perform recursion using root hints if forwarders do not provide a positive answer (forwarders are used before root hints). In the case of this diagram, the caching server might not do this (we don't know if it does or not because the ISP's forwarding server provides a positive answer so the root servers wouldn't have to be contacted). But if the ISP caching server were to provide a negative response, then your caching server can then continue recursion through contacting root hints (if enabled). In the case of this diagram, because the ISP does indeed reply with a positive answer, the internal caching server responds to the primary dns server with the positive answer, which then provides the client with the positive answer. The client can now directly contact the host it was initially trying to find using its Layer 3 protocol; whether that may be by using Internet Protocol (IP), Internetwork Packet Exchange (IPX), etc...

    Hope this helps. Let me know if you have further questions.
  • Pash Member Posts: 1,600
    Thanks for your reply royal. That makes a lot more sense now behind the reasoning of the diagram. I would say the only thing I am not sure of is the second resolver whose primary DNS server is the secondary server in the corporate network. It makes an iterative query to the secondary DNS server, which seemingly cannot find the answer in its own cache so forwards an iterative query to C. Then the line seems to stop, there isn't any additional note on why this query is just dropped. Do you have any idea why that might be?
  • royal Member Posts: 3,352
    This is in the DNS Whitepaper:
    How Iteration Works

    Iteration is the type of name resolution used between DNS clients and servers when the following conditions are in effect:
    • The client requests the use of recursion, but recursion is disabled on the DNS server.
    • The client does not request the use of recursion when querying the DNS server.

    An iterative request from a client tells the DNS server that the client expects the best answer the DNS server can provide immediately, without contacting other DNS servers.

    When iteration is used, a DNS server answers a client based on its own specific knowledge about the namespace with regard to the names data being queried. For example, if a DNS server on your intranet receives a query from a local client for “www.microsoft.com”, it might return an answer from its names cache. If the queried name is not currently stored in the names cache of the server, the server might respond by providing a referral — that is, a list of NS and A resource records for other DNS servers that are closer to the name queried by the client.

    When iteration is used, a DNS server can further assist in a name query resolution beyond giving its own best answer back to the client. For most iterative queries, a client uses its locally configured list of DNS servers to contact other name servers throughout the DNS namespace if its primary DNS server cannot resolve the query.

    The Windows Server 2003 DNS Client service does not perform recursion.


    There are a couple of things I am trying to think out in my head. The query from the internal caching server to the ISP caching server is recursive and not iterative. I am pretty sure this is because recursion is disabled (will not try to go for root hints when the query fails).

    As for the resolver doing an iterative request, look above. The client actually does recursion itself. The Secondary dns server in this case should be replying back with a referral answer and then the client should be contacting the caching server. Because of this, I think the diagram is incorrect on the secondary server contacting the caching server.
  • Pash Member Posts: 1,600
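The lookup order that royal's walk-through and the quoted whitepaper describe (zone data first, then cache, then forwarders in configured order, then root hints, with a referral instead of an answer when recursion is not requested or is disabled on the server) can be exercised in a small simulator. This is an added Python example, not code from the forum, the MS whitepaper or Pash's diagram; every server name, zone and address in build_lab() is made up, and the reachable flag, the delegations table and the absence of TTLs and negative caching are simplifying assumptions. It goes a little beyond the thread by also walking the root-hints path with iterative queries and by modelling the preferred/alternate server failover from step 2.

```python
from dataclasses import dataclass, field

@dataclass
class Answer:
    ip: object                  # None = negative answer (no such record)
    path: str                   # servers/steps that produced it, outermost first
    authoritative: bool = False

@dataclass
class Referral:                 # "I will not recurse; ask these servers next"
    next_servers: list

def _under(qname, zone):
    return qname == zone or qname.endswith("." + zone)

@dataclass
class DnsServer:
    name: str
    zones: dict = field(default_factory=dict)        # zone -> {name: ip}
    delegations: dict = field(default_factory=dict)  # child zone -> [servers]
    cache: dict = field(default_factory=dict)        # name -> ip learnt earlier
    forwarders: list = field(default_factory=list)   # tried in configured order
    root_hints: list = field(default_factory=list)   # used only after forwarders
    recursion_enabled: bool = True
    reachable: bool = True                           # False simulates a dead box

    def query(self, qname, recursion_desired=True):
        # Step 1: local zone data first; this is also how the server learns
        # whether it is authoritative for the name at all.
        for zone, records in self.zones.items():
            if _under(qname, zone):
                return Answer(records.get(qname), f"{self.name}:zone", True)
        for child, servers in self.delegations.items():
            if _under(qname, child):
                return Referral(servers)            # parent-side delegation
        # Step 2: known to be non-authoritative now, so the cache comes next.
        if qname in self.cache:
            return Answer(self.cache[qname], f"{self.name}:cache")
        # Step 3: recursion not requested, or disabled here -> the best
        # immediate answer is a referral to whatever this server would ask.
        if not (recursion_desired and self.recursion_enabled):
            return Referral(self.forwarders or self.root_hints)
        # Step 4: forwarders in configured order; an unreachable one is
        # skipped, the first reachable one's verdict (yes or no) is final.
        for fwd in self.forwarders:
            if not fwd.reachable:
                continue
            result = fwd.query(qname, True)
            if isinstance(result, Answer) and result.ip is not None:
                self.cache[qname] = result.ip       # build up the cache
                return Answer(result.ip, f"{self.name}:fwd->{result.path}")
            break
        # Step 5: root hints, walked with iterative queries (follow referrals).
        result = self._iterate(qname, self.root_hints)
        if result is not None and result.ip is not None:
            self.cache[qname] = result.ip
            return Answer(result.ip, f"{self.name}:hints->{result.path}")
        return Answer(None, f"{self.name}:negative")

    def _iterate(self, qname, servers, hops=8):
        while servers and hops > 0:
            hops -= 1
            target = next((s for s in servers if s.reachable), None)
            if target is None:
                return None
            result = target.query(qname, recursion_desired=False)
            if isinstance(result, Answer):
                return result
            servers = result.next_servers
        return None

@dataclass
class ClientResolver:
    hosts: dict                 # hosts file, preloaded into the resolver cache
    servers: list               # preferred server first, then alternates

    def resolve(self, qname):
        if qname in self.hosts:
            return Answer(self.hosts[qname], "client:cache")
        for srv in self.servers:    # alternate only if the preferred is down
            if srv.reachable:
                result = srv.query(qname, recursion_desired=True)
                if isinstance(result, Answer):
                    return result
        return None                 # nothing answered, or only referrals came back

def build_lab():
    """Constructed topology mirroring the thread's diagram (made-up names/IPs)."""
    auth = DnsServer("ns1.example.com", zones={"example.com": {
        "www.example.com": "203.0.113.10", "ftp.example.com": "203.0.113.11"}})
    tld = DnsServer("com-tld", delegations={"example.com": [auth]},
                    recursion_enabled=False)
    root = DnsServer("root", delegations={"com": [tld]}, recursion_enabled=False)
    isp = DnsServer("isp-cache", cache={"www.example.com": "203.0.113.10"})
    dmz = DnsServer("dmz-cache", forwarders=[isp], root_hints=[root])
    corp = {"corp.example": {"files.corp.example": "10.0.0.5"}}
    primary = DnsServer("corp-primary", zones=corp, forwarders=[dmz])
    secondary = DnsServer("corp-secondary", zones=corp, forwarders=[dmz])
    client = ClientResolver({"localhost": "127.0.0.1"}, [primary, secondary])
    return client, primary, secondary, dmz, isp
```

Planting a stale entry in primary.cache and then calling primary.query("files.corp.example") returns the zone's address with authoritative=True, which is the thread's point: the zone is consulted before the cache. client.resolve("ftp.example.com") shows the other branch: the ISP cache answers negatively, so dmz-cache falls back to root hints and the path field records the referral chain ending at the authoritative server; asking primary with recursion_desired=False for an uncached name hands back a Referral to its forwarder instead of an answer.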
    royal wrote:
    This is in the DNS Whitepaper:
    How Iteration Works

    Iteration is the type of name resolution used between DNS clients and servers when the following conditions are in effect:
    • The client requests the use of recursion, but recursion is disabled on the DNS server.
    • The client does not request the use of recursion when querying the DNS server.

    An iterative request from a client tells the DNS server that the client expects the best answer the DNS server can provide immediately, without contacting other DNS servers.

    When iteration is used, a DNS server answers a client based on its own specific knowledge about the namespace with regard to the names data being queried. For example, if a DNS server on your intranet receives a query from a local client for “www.microsoft.com”, it might return an answer from its names cache. If the queried name is not currently stored in the names cache of the server, the server might respond by providing a referral — that is, a list of NS and A resource records for other DNS servers that are closer to the name queried by the client.

    When iteration is used, a DNS server can further assist in a name query resolution beyond giving its own best answer back to the client. For most iterative queries, a client uses its locally configured list of DNS servers to contact other name servers throughout the DNS namespace if its primary DNS server cannot resolve the query.

    The Windows Server 2003 DNS Client service does not perform recursion.


    There are a couple of things I am trying to think out in my head. The query from the internal caching server to the ISP caching server is recursive and not iterative. I am pretty sure this is because recursion is disabled (will not try to go for root hints when the query fails).

    As for the resolver doing an iterative request, look above. The client actually does recursion itself. The Secondary dns server in this case should be replying back with a referral answer and then the client should be contacting the caching server. Because of this, I think the diagram is incorrect on the secondary server contacting the caching server.

    Ok thanks royal. When you say the secondary DNS server supplies a referral answer to the client, is that correct? I thought that DNS server would then effectively become the DNS client and then query its next best option on behalf of the resolver?

    DNS is the thorn in my side, I just can't get around the MS terminology.

    Cheers for your help.
  • royal Member Posts: 3,352
    Well, if the dns server has recursion disabled, the client in essence will attempt iteration through a referral from the DNS server. The client will then use a referral from the DNS server on the next server that the dns server thinks is the best way to contact the dns server it needs. So for example, if the client contacts its locally configured primary/secondary dns server to find microsoft.com, and the dns server has recursion disabled, the dns server will reply with the records needed for the client to contact the root servers directly or a forwarder. If the client is manually configured to not request recursion, but instead is configured to send an iterative query, the dns server will then respond with a referral to those root servers or a configured forwarder.

    Does this help?
  • Pash Member Posts: 1,600
    royal wrote:
    Well, if the dns server has recursion disabled, the client in essence will attempt iteration through a referral from the DNS server. The client will then use a referral from the DNS server on the next server that the dns server thinks is the best way to contact the dns server it needs. So for example, if the client contacts its locally configured primary/secondary dns server to find microsoft.com, and the dns server has recursion disabled, the dns server will reply with the records needed for the client to contact the root servers directly or a forwarder. If the client is manually configured to not request recursion, but instead is configured to send an iterative query, the dns server will then respond with a referral to those root servers or a configured forwarder.

    Does this help?

    Yes! thanks royal I understand it now. Thank you very much!