DNS Question

When a resolver is querying a SERVER, does the server search its own zone files first or its cache?
MS Press book says zone files, but I would have said cache? Anyone have a good authoritative answer for this question (ba dum tish)?
Cheers,
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
Comments
http://207.46.196.114/windowsserver/en/library/19a63021-cc53-4ded-a7a3-abaf82e7fb7c1033.mspx?mfr=true
Scroll to this area and read it. There's a lot more information as well as a flowchart to describe what exactly occurs in the lookup process.
I thought I used to have this stuff nailed
The client will usually* check its cache first to do name resolution, maybe that's what you were thinking?
*Based upon the node type setting
No, I know the resolver checks its own cache first. I have a diagram from the class I took with my old 291 instructor. In that diagram the resolver is making recursive queries to its preferred DNS server, and the query goes straight to the DNS server cache first before the zone file. I'll scan it when I have time and post it up, kinda made me confused.
Thanks anyhow.
Sorry, now I'm lost. How does it know if it is a non-authoritative server without checking its zone file first?
Well, it still has to look at the zone file first to know whether or not it has a zone. It then looks at cache first since it knows it's non-authoritative. Just like the DNS Whitepaper states.
Obviously I didn't read that white paper as closely as I thought, makes mucho sense now and explains my instructor's diagram's reasoning. I'm gonna Visio it then post it today if anyone would care to check it out.
Thanks Mr DW and Mr royal.
Free Microsoft Training: Microsoft Learn
Free PowerShell Resources: Top PowerShell Blogs
Free DevOps/Azure Resources: Visual Studio Dev Essentials
Let it never be said that I didn't do the very least I could do.
Does that make an ounce of sense to anyone? I think I get it after staring at it for the last few hours .
Do you have any plans to finish your MCSE? Also, how is your CCNA studies going?
That diagram made my head hurt when I first looked at it! I didn't look at it too much because I'm taking an exam soon. I just tried looking it over again but the page cannot be displayed. Do you have the PDF saved? I wouldn't mind taking a more in-depth look at it.
I do plan on finishing my MCSE, hopefully even going for the 70-299, so I can get MCSE: Security. I've found myself in a little bit of a rut, trying to get on with the CCNA studying since I was urged by my employers to get deeper into the Cisco world sooner than later. It's been a little slow-going, mainly because they've been keeping me doing some projects here and there, and doing support for stand-alone customer machines. I was planning on doing the LPIC-2 certification, but that too got derailed. I've had to re-organize my certification plans, and I've made a conscious decision to assert myself on both the Microsoft and Cisco tracks. Right now, I'm keeping on the CCNA path, but I won't be able to retake the exam until mid-June because of finances. I'm doing mainly labs on the Cisco partner e-learning site, so I've been poking around on Craigslist and on eBay for hardware to build myself a lab here at the house. (The fact that my roommate found three full-sized server racks helps in that endeavor, I'm going to lay claim to one of them and put it in next to my desk to begin setting up the lab-hardware.)
So, with that going, this is the general plan:
First, I'm consolidating all my old PC hardware into a couple of decent machines to use as servers, I'll probably end up with two or three that I can put on a shelf in the rack. I'll probably set one up as a FreeBSD server, to keep up the *NIX skills, as well as run diagnostic and scanning software from. I've also got a little iMac desktop that I've currently got Fedora Core 6 running on, so I'll be putting that on my desk as a *NIX workstation to blow up from time to time, with various software I want to test out. Beyond that, I'm going to begin amassing some Cisco equipment to use as my networking lab, and then I'll be well on my way to doing some real learning.
Certification-wise, I'm going to start by finishing off the CCNA. I'm generally prepared to pass it, I just need to get some more reading done and pay up the $125 to take it. After that, I'll dive into doing the 70-293 and 70-294 exams, hopefully getting through them in the next 3 - 4 months. In the fall, I'll do a stretch-study of all things related to Microsoft security, and start by doing the 70-298 exam, then go right into the 70-299. A lot of this stuff will be outside of work, since they want me to focus on the Cisco-end, and I'm pretty sure they'll want me to be actively studying for the CCDA, after finishing CCNA, with the time they give me on the job. Who knows, maybe I'll be able to pull off getting the CCDA under my belt by the time I have my MCSE: Security.
After that, I'm planning on holding off for a bit with the MCITP on Server 2008. I want to see how things develop with the upgrade path, and I'm going to give it until at least spring of next year to see how well-received Windows Server 2008 is, and what changes or upgrades Microsoft plans on doing to it as they launch. The first, "plain release" of their OSes tends to be buggy, or there'll be additional software with it that'll change. The change from SUS to WSUS comes to mind, so I'll give it a little while before I put myself on the MCITP path.
I'd like to do CCNP at some point, but that's going to wait until after MCSE, so I'm not really putting the plans to take those exams in ink, so to speak. The goal is to finish the MCSE before the year is up, as well as get the CCNA finished up as soon as possible. It's all going to depend on how quickly I can build myself a workable lab, and how much time I'll have between working and school. That transfer-degree to UC Berkeley isn't going to drop in my lap, so I need to make sure I get all that homework I'll be getting in the high-level math and physics classes done.
So, that's the general plan. The certifications and self-learning are going to be an ongoing project for me, leading into the coming years when I take myself out of the working world and get into school on a full-time basis. I enjoy learning, I enjoy networking and systems administration, and I don't want to give it up just because life is going to get busy. I'd like to think I can put myself through school with the work I'm doing now, and it certainly won't hurt to have the experience and credentials to take on consulting and contract jobs during the breaks from classes; so I think my mad plot to become (over)educated is working out pretty well. And hey, who knows. . . one day, when college is winding down and I'm even crazier than I am now, maybe I'll be starting one of those posts on this forum that starts with "Today, the payment for my CCIE lab went on my credit card. . ."
Web server down until I can get a longer cable to accommodate my reshuffle. TEMP LINK:
--BACK TO OLD LINK PLEASE--
We said exactly the same thing to the instructor, but he was 100% sure it would help us understand a DNS environment.
Cheers,
1. A client is checking for a DNS name. The DNS resolver (client) will check its local cache, into which the hosts file was pre-loaded.
2. If the resolver cache does not include a positive answer, the primary DNS server will be contacted. If contacting the primary fails, the secondary server will be contacted. Note that if the primary server does respond back, the client will NOT contact the secondary server.
3. Now in this diagram, the primary server checks its zone file for information. It clearly does not contain the record needed to give an authoritative positive answer back to the client.
4. This primary server has a forwarder configured to go to the company's internal forwarding server. Many companies will configure a DNS server in a DMZ that has connectivity to the internet. This server's role is to build up a rich cache. This cache allows prompt answers back to the DNS server requesting an answer, in addition to reducing WAN traffic due to the answer being in cache. This can especially be useful if you are using a WAN link that costs your company money based on usage. This forwarding works by having all your internal DNS servers forwarding to this caching server. Because all of your internal DNS servers will be forwarding unresolvable requests to this caching server, this caching server will be configured to forward to an ISP DNS server or use root hints to perform recursion (the process of resolving a recursive query through iterative queries). In the case of this diagram, it is configured to forward to an ISP DNS server which also will have a rich cache.
In the case of redundancy, you can configure multiple forwarders on your internal DNS servers. This requires you to have >1 caching server. You can have a couple of different configurations in this scenario. On half of your internal DNS servers, you can have them forwarding to caching server A while the other half are forwarding to caching server B. One con about this is that 1 server will not have as rich of a cache as it could have. Keep in mind that you can configure multiple forwarders on 1 internal DNS server. This means that if the 1st caching server is not able to be contacted, it will use the 2nd on the list. A scenario where this is usable is having all your internal DNS servers pointing to 1 primary caching server. You then add the secondary caching server at the bottom of the list. This will allow you to have 1 caching server as a main caching server with a very rich cache, and only if that server dies, then the secondary caching server will temporarily take over the responsibility of caching.
5. This caching server now performs recursion by contacting its configured forwarder; which in this case, is an ISP DNS server. You can also configure your own caching server to perform recursion using root hints if forwarders do not provide a positive answer (forwarders are used before root hints). In the case of this diagram, the caching server might not do this (we don't know if it does or not because the ISP's forwarding server provides a positive answer so the root servers wouldn't have to be contacted). But if the ISP caching server were to provide a negative response, then your caching server can then continue recursion through contacting root hints (if enabled). In the case of this diagram, because the ISP does indeed reply with a positive answer, the internal caching server responds to the primary DNS server with the positive answer, which then provides the client with the positive answer. The client can now directly contact the host it was initially trying to find using its Layer 3 protocol; whether that may be by using Internet Protocol (IP), Internetwork Packet Exchange (IPX), etc...
Hope this helps. Let me know if you have further questions.
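A small Python model of the lookup order walked through in steps 1 to 5 above, added here as an illustration (it is not code from the thread or from any Microsoft documentation): each server consults its zone files first to learn whether it is authoritative, then its cache, then its forwarders in list order, and finally root hints if enabled. All server names, zones and addresses are constructed.

```python
from dataclasses import dataclass, field

INTERNET = {"www.example.net": "203.0.113.10"}  # constructed stand-in for what root-hint recursion would find


@dataclass
class DnsServer:
    name: str
    zones: dict = field(default_factory=dict)       # zone suffix -> {fqdn: ip}
    cache: dict = field(default_factory=dict)       # fqdn -> ip learned from earlier answers
    forwarders: list = field(default_factory=list)  # DnsServer objects, tried in list order
    use_root_hints: bool = False
    reachable: bool = True
    trace: list = field(default_factory=list)       # human-readable record of each decision

    def lookup(self, fqdn):
        """Resolve fqdn in the order the thread settles on; returns (ip_or_None, source)."""
        # 1. Zone files first: this is how the server learns whether it is authoritative.
        for zone, records in self.zones.items():
            if fqdn == zone or fqdn.endswith("." + zone):
                ip = records.get(fqdn)  # None means an authoritative "no such name"
                self.trace.append(f"{self.name}: zone {zone} -> {ip}")
                return ip, "zone"
        # 2. Non-authoritative, so the cache is consulted before anyone else is asked.
        if fqdn in self.cache:
            self.trace.append(f"{self.name}: cache -> {self.cache[fqdn]}")
            return self.cache[fqdn], "cache"
        # 3. Forwarders in order; the next one is tried only if the previous cannot be contacted.
        for fwd in self.forwarders:
            if not fwd.reachable:
                continue  # failover to the next forwarder on the list
            ip, _ = fwd.lookup(fqdn)
            self.trace.append(f"{self.name}: forwarder {fwd.name} -> {ip}")
            if ip is not None:
                self.cache[fqdn] = ip
                return ip, "forwarder:" + fwd.name
            break  # a reachable forwarder answered negatively; stop walking the list
        # 4. Root hints only after the forwarders fail to give a positive answer.
        if self.use_root_hints and fqdn in INTERNET:
            self.cache[fqdn] = INTERNET[fqdn]
            self.trace.append(f"{self.name}: root hints -> {INTERNET[fqdn]}")
            return INTERNET[fqdn], "root"
        return None, "negative"


def build_diagram(isp_knows_answer=True, caching_a_up=True):
    # The thread's topology: primary -> caching A (then B as failover) -> ISP; all constructed.
    isp = DnsServer("isp", cache=dict(INTERNET) if isp_knows_answer else {})
    caching_a = DnsServer("caching-A", forwarders=[isp], use_root_hints=True, reachable=caching_a_up)
    caching_b = DnsServer("caching-B", forwarders=[isp])
    return DnsServer("primary", zones={"corp.example": {"fs1.corp.example": "10.0.0.5"}}, forwarders=[caching_a, caching_b])
```

Call `build_diagram().lookup("www.example.net")` and read the `trace` lists on each server to see the path an answer took; a name inside the primary's own zone never leaves that server, even when the record is missing.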
There's a couple of things I am trying to think out in my head. The query from the internal caching server to the ISP caching server is recursive and not iterative. I am pretty sure this is because recursion is disabled (it will not try to go for root hints when the query fails).
As for the resolver doing an iterative request, look above. The client actually does recursion itself. The secondary DNS server in this case should be replying back with a referral answer and then the client should be contacting the caching server. Because of this, I think the diagram is incorrect on the secondary server contacting the caching server.
OK, thanks royal. When you say the secondary DNS server supplies a referral answer to the client, is that correct? I thought that DNS server would then effectively become the DNS client and then query its next best option on behalf of the resolver?
DNS is the thorn in my side, I just can't get around the MS terminology.
Cheers for your help.
Does this help?
Yes! thanks royal I understand it now. Thank you very much!