
I am new to networking and all this DNS thing.

I have the following questions

  • What is an Authoritative Nameserver ?
  • What is a Recursive Resolver ?

Please help/ guide me out on this.

I have read Authoritative Nameserver, but I was not able to clearly understand it. Can one please explain me in some simple terms.

MLu
Yasser Shaikh

3 Answers


An authoritative nameserver is a nameserver (DNS server) that holds the actual DNS records (A, CNAME, PTR, etc.) for a particular domain/address. A recursive resolver would be a DNS server that queries an authoritative nameserver to resolve a domain/address.

So, for example, if I have a DNS server in my network that holds an A record for foobar.com, my DNS server would be authoritative for the foobar.com domain.

If clients needed to access foobar.com, they could query my DNS server and they would get an authoritative response.

However, if a client needed to access contoso.com, and they queried my DNS server, it would not have records to resolve that domain. In order for my DNS server to resolve contoso.com, it would need to use recursive lookups (via Forwarders or Root Hints). My DNS server would be set to send queries for domains for which it is not authoritative, to another DNS server. That DNS server would do the same, until the query reached a DNS server that was authoritative for contoso.com. That DNS server would return the proper records, which would be passed all the way back down to the client.

This is an oversimplification, as there are other things in play here, like caching records.

HostBits
  • here `authoritative response` is an Ip address ? or something else. and thank you for such a nice explanation – Yasser Shaikh Aug 29 '12 at 06:01
  • Yes, it could be something other than an IP address, but an IP address is one example. – HostBits Aug 29 '12 at 06:02
  • > here "authoritative response" is an Ip address ? or something else. -- any type of RR (resource record), for example an A record, AAAA, SOA, MX, PTR, CNAME, NS, etc. – Michael McNally Oct 02 '12 at 20:17

I have the following questions

  • What is an Authoritative Nameserver ?
  • What is a Recursive Resolver ?

Please note that "resolver" and "nameserver" are not exactly synonymous, and that you ask about a nameserver in the first case and a resolver in the second.

An authoritative nameserver is one that satisfies queries from its own data without needing to reference another source. Unless it is also a recursive nameserver (a practice which is generally deprecated) it will answer only with authoritative data from its own store (which can come from a zone master file, from a copy of that data transferred from a master server, from a database, from dynamic DNS, be built in, etc.), or with a referral (e.g. "I don't know that answer, but you can talk to server so-and-so, who answers questions for this subdomain..."), or with an NXDOMAIN or similar error.

A recursive nameserver is one that satisfies queries by asking other nameservers for the answer, traversing the tree from the root level of the DNS tree if necessary. If it does not know the answer it will attempt to find it for the querying client.

A resolver is (collectively) the set of functionality that a DNS-aware system uses to query DNS.

  • Most client systems have a stub resolver, which knows only in a very basic fashion how to query a DNS server and how to receive an answer, but which does not contain logic for following a delegation chain from the root.
  • A recursing resolver is a full-service resolver which can traverse the tree to find an answer to a query.
  • Recursive nameservers must contain the functionality of a recursing resolver in order to function, but other programs may contain recursing resolvers without performing the functions of a nameserver. An excellent example is the utility / DNS-troubleshooting program "dig" (distributed by ISC as a part of BIND) which contains a full recursing resolver.

DNS concepts which are sometimes confused with the distinction between authoritative and recursive:

There are several DNS concepts which people sometimes confuse with the split between authoritative and recursive data.

Delegation

This one confuses quite a few people, particularly because the name of the SOA (start of authority) resource record type contains the word "authority" which sounds as though it should be related to "authoritative." However, you can serve authoritative data for a zone which is not delegated to you, and many people do. Examples include DNS-based content blocking and servers which provide authoritative answers for RFC 1918 zones [i.e. nobody has delegated you authority to answer PTR record queries for 168.192.in-addr.arpa (192.168.0.0/16) and similar zones but it's not a bad idea for your server to answer such queries authoritatively rather than leak queries for those zones to the internet, where nobody is delegated to answer them. ISC BIND and other nameservers provide built-in zone data for these private address space zones to prevent the in-addr.arpa servers from being bombarded with queries that cannot be referred.]

It is not required that you be delegated authority for a zone in order for answers to be considered authoritative.

Master and Slave

Slave servers, even though they get their zone data from another source, are still authoritative servers, as they are satisfying queries with data from their own storage (of whatever type) rather than satisfying it by relaying the queries recursively to other nameservers.

Slave servers are authoritative servers (for the zones they serve.)

Michael McNally
  • when an nslookup for google.com is done, I get different results with different name servers. How is this possible - in any case, with caching or hitting the authoritative name server directly, I would expect the same IP every time. – samshers Aug 29 '19 at 13:55

Warning: Most oversimplification ahead:

Authoritative Server

An authoritative server is a server that only responds to DNS questions about the zone(s) that it controls or owns: it is a selfish, myopic server, but a highly efficient one too.

In that offensive sense, an authoritative server does not provide a decent or meaningful answer to any general request (question) about other zones that it does not control or own.

Collectively, only authoritative servers are the ones with the DNS answers to their own zones, and with an authoritative stance. And rightfully so, for they are the ones who own their own zones.

This is all that they know and do. Just need to go and find these authoritative servers … somehow.

Recursive Server

A recursive server is a server that collects all the needed answers for any DNS-related questions from just about anyone or anything, as a rule.

Some recursive servers will be devious-like and do answer back in some selective manner based on geographical, privacy, or trope-like ISP wanting to catch all your badly misnamed domain requests with a nice “sales pitch”.

For each part of a domain name (not having a period symbol), a recursive server will work very hard to seek out the correct authoritative nameserver associated with that part of the domain name. Each and every part of a domain name is also called a zone.

A recursive server is a server that also does additional lookups toward other authoritative servers in order to try and get an answer for a question about a hostname, a domain name, or any other DNS record types that it may have been asked for. Most commonly, that answer is "see that next authoritative server for a more specific answer."

A recursive server does lookups as follows:

  • ask a root server for the authoritative server of the top-level domain (TLD) part,
  • receive the IP address of the authoritative server for the TLD zone from the root server,
  • ask the TLD authoritative server about the 2nd-level part of the domain name,
  • receive the IP address of the authoritative server for the 2nd-level zone from the TLD server,
  • ask the 2nd-level authoritative server about the 3rd-level part of the domain name,
  • receive the IP address of the authoritative server for the 3rd-level zone from the 2nd-level authoritative server,
  • ask the 3rd-level authoritative server about the 4th-level part of the domain name,
  • receive, not a nameserver this time, but a DNS (commonly ‘A’) record with an answer containing an IP address.

They will work very hard to provide you with a complete and concise answer or give up trying.

If the recursive server happens to have zones that they own or control, they’ll answer with that too (and quickest so); they are the nice guys, but badly abused.

They are a favorite target by DDoS actors world-wide. Keep those recursive servers of yours within your trusted but firewalled network.

Recursive What?

A resolver is a loose term. Most UNIX users would associate a resolver with that mini-DNS-lookup that is built into every networkable operating system (such as libnss.so and /etc/resolv.conf).

Resolvers do the work of relaying each DNS-related request from the application (or end-user) to the recursive server and wait to obtain its final complete answer before relaying it back to the application.

And for each request that the resolver receives, it starts by relaying the request to the first working nameserver listed in the /etc/resolv.conf file. They’re your most indispensable component of interacting with the Internet in general.

"Recursive resolver" sounds like it is entirely within the same host, which is done by both running a DNS recursive server (such as dnsmasq or named configured as recursive-only) and having the OS resolver point to that localhost:53.

Network engineers, who try to usher all their corporate DNS traffic toward their firewalled bastion nameserver, will frown upon those recursive resolvers unless they are properly configured to do forwarding only toward the protected recursive nameserver(s).

In those corporate networks, PCs with recursive resolvers (that start at the root server) or with forwarding-only to a non-corporate recursive nameserver just needlessly spray nasty packet noise within the corporate network and may trip up intrusion detection systems.

John Greene
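The referral walk in the step list above, and the answer / referral / NXDOMAIN behaviour of an authoritative server described in Michael McNally's answer, as an added toy model in Python (not code from any answer on this page); every zone, server name, IP address and record in it is constructed, with RFC 5737 documentation addresses standing in for real ones:

```python
from dataclasses import dataclass, field

def in_zone(name, zone):
    """True if absolute 'name' lies within absolute 'zone' ('.' is the root)."""
    return zone == "." or name == zone or name.endswith("." + zone)

@dataclass
class Auth:
    """Authoritative server: answers only from its own zone data, never asks others."""
    zone: str                                         # zone it is authoritative for
    records: dict = field(default_factory=dict)       # owner name -> {rtype: rdata}
    delegations: dict = field(default_factory=dict)   # child zone -> glue IP of its NS

    def query(self, name, rtype):
        """Return (status, data, aa_flag)."""
        if not in_zone(name, self.zone):
            return "REFUSED", None, False        # not our zone: no meaningful answer
        for child, glue_ip in self.delegations.items():
            if in_zone(name, child):
                return "REFERRAL", glue_ip, False  # "ask the server for that subdomain"
        if name not in self.records:
            return "NXDOMAIN", None, True         # authoritative: name does not exist
        rdata = self.records[name].get(rtype)
        if rdata is None:
            return "NODATA", None, True           # name exists, no record of that type
        return "ANSWER", rdata, True              # AA bit set: served from own store

def resolve(name, rtype, servers, root_ip, max_hops=8):
    """Recursive resolver: start at the root and follow referrals down the tree.
    Returns (rdata or None, list of zones consulted)."""
    ip, trail = root_ip, []
    for _ in range(max_hops):                     # guard against referral loops
        srv = servers[ip]
        trail.append(srv.zone)
        status, data, _aa = srv.query(name, rtype)
        if status == "ANSWER":
            return data, trail
        if status == "REFERRAL":
            ip = data                             # go one level down the tree
            continue
        return None, trail                        # NXDOMAIN, NODATA or REFUSED: stop
    raise RuntimeError("referral loop or delegation chain too deep")

# Constructed tree root -> com. -> example.com. (constructed data, RFC 5737 addresses)
SERVERS = {
    "192.0.2.1": Auth(".", delegations={"com.": "192.0.2.2"}),
    "192.0.2.2": Auth("com.", delegations={"example.com.": "192.0.2.3"}),
    "192.0.2.3": Auth("example.com.", records={"www.example.com.": {"A": "192.0.2.80"}}),
}
```

Calling `resolve("www.example.com.", "A", SERVERS, "192.0.2.1")` returns `('192.0.2.80', ['.', 'com.', 'example.com.'])`, i.e. two referrals and then an authoritative answer, while asking the example.com. server about a name outside its zone yields `REFUSED`.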