
DNS Authoritative server on router

acidsatyr Member Posts: 111
Hello,

Can someone explain what the purpose is of implementing a router as a primary authoritative server? In other words, using the command ip dns primary.... and an NS record?
Could the same effect be achieved without doing that, by simply setting the router up as a DNS server and including ip host commands?
Sorry if it sounds stupid, but I'm just a bit confused about this.
Let's say a TLD .com server has NS and A records for my domain, which point to the IP address of the DNS server in my domain (which acts as authoritative for the zone). Let's say I want to use my router for it.
Why do I have to configure it with
ip dns primary mydomain.com soa ns.mydomain.com
ip host mydomain.com ns ns.mydomain.com

Could I not configure it like that and still answer DNS queries?

Comments

    Forsaken_GA Member Posts: 4,024
    Something has to be authoritative for a DNS zone, which means something has to return the NS and SOA records. The TLD nameservers aren't authoritative; they just point to the server(s) that are.

    If you're just going to deploy a few hosts that won't be changing all that often, and you've got the router power to handle it, why not set the router up as the authoritative server rather than deploy a server just to handle DNS, or tack it onto another host as an extra service?
    acidsatyr Member Posts: 111
    Thanks for taking the time,

    I get the idea of using the router as a server; it's just why it has to be configured to be authoritative that gets me.
    The way I thought I understood this is: when I register mydomain.com, there will be NS and A records pointing to my DNS server, something like

    mydomain.com dns.mydomain.com, NS
    dns.mydomain.com 100.10.10.10, A

    So when the TLD points down to my DNS server, why does it have to be explicitly configured as authoritative? Is it not going to work if the router is just a plain DNS server with ip host commands?
    I'm missing some concepts here; that's what the problem is.
    Forsaken_GA Member Posts: 4,024
    Because that's the way DNS works. Every zone is required to have an authoritative name server. The authoritative name server is the source of answers for that zone.

    What you're describing is a recursive (and probably caching) name server, i.e., one that the client queries, which goes through all the resolution steps and then finally returns an answer to the client (and then caches it for the TTL so it isn't constantly doing the same lookup over and over again).

    So yeah, you can configure something to answer DNS queries. But if you register a domain and then point the domain record to that same server, it needs to have the SOA and NS records, since you've said 'this is the server that is authoritative for my domain'.

    You can have a DNS server perform as both authoritative and recursive/caching, but it's generally considered foolish to do so. Authoritative name servers are critical pieces of infrastructure; when DNS breaks, a lot of other stuff breaks. Recursive resolvers are like DHCP servers: you can deploy them where you feel necessary to make your clients' lives easier.
    acidsatyr Member Posts: 111
    That's what I was getting at, and I completely agree with you: there must be something set in that DNS query/response message which will say "I'm the authoritative server"; otherwise the query for the host will fail. This is in contrast to when I would just want to deploy a simple DNS server which answers local queries (and is not authoritative). I guess now I'm just wondering what it is which indicates to an outside client (some other local caching DNS server) that a server is or isn't authoritative. The authoritative DNS server doesn't answer with an NS record, only an A record for the final IP address.
    Forsaken_GA Member Posts: 4,024
    acidsatyr wrote: »
    That's what I was getting at, and I completely agree with you: there must be something set in that DNS query/response message which will say "I'm the authoritative server"; otherwise the query for the host will fail. This is in contrast to when I would just want to deploy a simple DNS server which answers local queries (and is not authoritative). I guess now I'm just wondering what it is which indicates to an outside client (some other local caching DNS server) that a server is or isn't authoritative. The authoritative DNS server doesn't answer with an NS record, only an A record for the final IP address.

    Authoritative DNS answers have a flag set in their responses (called, appropriately enough, the AA flag). That's what makes the authoritative response different than a cached answer.

    And yes, the authoritative name servers certainly do respond with the NS records.

    As an example -

    Here's a response which comes from my local caching name server:
    dayne@porthos:~$ dig targaryen.us

    ; <<>> DiG 9.5.1-P3 <<>> targaryen.us
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40669
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;targaryen.us. IN A

    ;; ANSWER SECTION:
    targaryen.us. 7200 IN A 192.168.1.13

    ;; Query time: 0 msec
    ;; SERVER: 192.168.3.9#53(192.168.3.9)
    ;; WHEN: Tue May 4 23:15:55 2010
    ;; MSG SIZE rcvd: 46

    Now, if I query the authoritative name server directly, it responds with the following:

    dayne@porthos:~$ dig @NS51.DOMAINCONTROL.COM targaryen.us

    ; <<>> DiG 9.5.1-P3 <<>> @NS51.DOMAINCONTROL.COM targaryen.us
    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32515
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;targaryen.us. IN A

    ;; ANSWER SECTION:
    targaryen.us. 900 IN A 66.115.163.242

    ;; AUTHORITY SECTION:
    targaryen.us. 3600 IN NS ns51.domaincontrol.com.
    targaryen.us. 3600 IN NS ns52.domaincontrol.com.

    ;; Query time: 35 msec
    ;; SERVER: 216.69.185.26#53(216.69.185.26)
    ;; WHEN: Tue May 4 23:16:39 2010
    ;; MSG SIZE rcvd: 101

    Note the addition of the authority section.
    Forsaken_GA Member Posts: 4,024
    Actually, I'm going to correct myself. Returning the authoritative NS records is not a requirement; the only requirement is the AA bit being set for an authoritative answer. I'd forgotten that it's something that BIND does by default, but not all DNS server implementations will.
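Added example, not code from the thread or from any of its posters: a small Python script that builds DNS responses in RFC 1035 wire format modelled on the two dig outputs earlier in the thread (the messages are constructed here, not captured on the wire), then parses the header and sections. It demonstrates the point made in the dig comparison and in the correction just above: the AA flag, not the presence of an AUTHORITY section, is what marks an answer as authoritative, so a third constructed response with AA set and no NS records still classifies as authoritative. Flag bit values and record types follow RFC 1035; the query ID and section layout are arbitrary choices for the sample.

```python
import struct

# Header flag bits (RFC 1035 section 4.1.1): response, authoritative answer,
# truncated, recursion desired, recursion available.
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
TYPE_NAMES = {1: "A", 2: "NS"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at off, following compression pointers; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # pointer: low 14 bits are an offset into the message
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_response(qname, flags, answers, authority, ident=0x1234):
    """Assemble a response: header, one A question, A records in ANSWER, NS records in AUTHORITY."""
    header = struct.pack("!HHHHHH", ident, flags, 1, len(answers), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    body = b""
    for ttl, ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        body += encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    for ttl, ns in authority:
        rdata = encode_name(ns)
        body += encode_name(qname) + struct.pack("!HHIH", 2, 1, ttl, len(rdata)) + rdata
    return header + question + body


def parse_response(msg):
    """Return (header dict, {section: [(owner, type, ttl, value), ...]}) for a DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    header = {"id": ident, "qr": bool(flags & QR), "aa": bool(flags & AA),
              "rd": bool(flags & RD), "ra": bool(flags & RA), "rcode": flags & 0xF}
    off = 12
    for _ in range(qd):  # skip the question section: name + QTYPE + QCLASS
        _, off = decode_name(msg, off)
        off += 4
    records = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1:
                value = ".".join(str(b) for b in msg[off:off + rdlen])
            elif rtype == 2:
                value, _ = decode_name(msg, off)
            else:
                value = msg[off:off + rdlen].hex()
            off += rdlen
            records[section].append((owner, TYPE_NAMES.get(rtype, str(rtype)), ttl, value))
    return header, records


def describe(msg):
    """Apply the thread's rule: the AA flag decides authority; NS records in AUTHORITY are optional."""
    header, records = parse_response(msg)
    status = "authoritative" if header["aa"] else "non-authoritative"
    return status, [value for _, _, _, value in records["authority"]]


# Constructed sample responses modelled on the two dig outputs quoted in the thread.
CACHED = build_response("targaryen.us", QR | RD | RA, [(7200, "192.168.1.13")], [])
AUTHORITATIVE = build_response("targaryen.us", QR | AA | RD, [(900, "66.115.163.242")],
                               [(3600, "ns51.domaincontrol.com"), (3600, "ns52.domaincontrol.com")])
# Constructed: AA set but no NS records, the case the correction above allows.
AUTHORITATIVE_NO_NS = build_response("targaryen.us", QR | AA, [(900, "66.115.163.242")], [])

if __name__ == "__main__":
    for label, msg in (("cached", CACHED), ("authoritative", AUTHORITATIVE), ("aa only", AUTHORITATIVE_NO_NS)):
        print(label, describe(msg))
```

The flag names in the `header` dict line up with dig's `;; flags:` line: the cached sample decodes as qr rd ra with an empty AUTHORITY section, the authoritative sample as qr aa rd with two NS records, and the third sample as authoritative despite having no AUTHORITY records at all, which is why a resolver trusts the AA bit rather than the section counts.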
    acidsatyr Member Posts: 111
    Ah, that's the bit that solves it!

    Why does the authoritative server respond with NS records? What's the point?

    Thanks for help! Certainly more than expected ;]
    Forsaken_GA Member Posts: 4,024
    The authority section is mostly meant to tell you who to query directly next time and save the recursion process. BIND started returning it for a specific reason, which I can't recall off the top of my head at the moment, as I stopped using BIND years ago.