11

Out of curiosity, I'm checking the Wireshark DNS packets. I can see that there's a DNS query from the host, and then a DNS response from the DNS server. Everything is just as expected.

However, if you further check in the query, you can see that the server also sends the NS (authoritative name server). My question is: why?

As a host, I only care about the IP. That's the main point of DNS, to resolve a name into an IP address.

Why, as a host, would I need the NS info?

AhmedWas
  • 1
    @downvoter, please comment. And if you think my question is so easy, then at least answer it then downvote. – AhmedWas Nov 05 '18 at 09:14
  • 6
    By philosophy and design votes are anonymous and **neither voting [up](http://serverfault.com/help/privileges/vote-up) nor voting [down](http://serverfault.com/help/privileges/vote-down) requires any mandatory explanation**. The tooltip that appears when your mouse pointer hovers over the down button states: *"this question does not show any research effort; it is unclear or not useful"*. Also questions can attract a down vote when not [well written](http://meta.serverfault.com/a/3609/37681), not quite [on-topic](http://serverfault.com/help/on-topic) or missing details. – HBruijn Nov 05 '18 at 09:32

2 Answers

15

Traditionally name servers don't send a short response to a query but an RFC 1034-1035 compliant full response which includes the authority section that contains Resource Records that point toward the authoritative name server(s).

The why is probably because with the distributed and delegated nature of DNS it seemed a good idea at the time to include the "source of truth" in responses.

Edit: By the way: sending the authority section is RFC compliant but not mandatory for all query responses.

In BIND this behaviour can be tuned with the `minimal-responses yes | no;` directive, where the default is no and the Authority and Additional sections of the query response will always be fully populated.
Other name servers (Cloudflare, AWS Route 53, Infoblox and probably others) will already always send such minimal responses by default. Google's public resolvers will return an Authority section when available, Cloudflare.


I think the origin of that tradition to include the authority section as well as the actual query response finds its root in the (pseudo) code from the now obsolete RFC 882, pages 15-16:

> If the name server is not authoritative, the code copies the RRs for a closer name server into the response. The last section of the code copies all relevant RRs into the response.

HBruijn
  • thanks for the edit and the additional info. I wish I could give you more than one UP vote :) – AhmedWas Nov 05 '18 at 13:02
  • This doesn't really answer the question. We already know a full response is received. The question was, what is the benefit of this? _Why_ is the standard designed this way? What is the value of the "additional" information in this form of response? – Lightness Races in Orbit Nov 05 '18 at 14:13
  • And yes I realise the OP accepted it, which is even more confusing. – Lightness Races in Orbit Nov 05 '18 at 14:13
  • 3
    @LightnessRacesinOrbit to me, the answer is self-evident: The DNS server isn't just telling me that example.com is a.b.c.d; it's telling me who said so. This is epistemologically sound, because I can't accurately tell you I know something is a fact when I actually only know that some third party asserted it is a fact. I find it more difficult to troubleshoot problems when people present hearsay as if it be observation, or their conclusions as if primary evidence, etc. The difference between stating X to be true and telling me Y said it's true is huge. – Monty Harder Nov 05 '18 at 15:18
  • 1
    @MontyHarder Yes, that makes sense, but what I'm saying is that it should be in the answer. – Lightness Races in Orbit Nov 05 '18 at 15:49
  • 2
    @LightnessRacesinOrbit RFCs don't always include the design motivations. To clarify "it seemed a good idea at the time" - I *think* a reason of why it is traditional to include the authority section in addition to the actual query response even though current RFCs don't mandate that finds its origin in the (pseudo) code from the now obsolete [RFC882](https://tools.ietf.org/html/rfc882) page 15-16 *"...If the name server is not authoritative, the code copies the RRs for a closer name server into the response. The last section of the code copies all relevant RRs into the response..."* – HBruijn Nov 05 '18 at 16:38
  • Again I'm suggesting to add this to the answer. – Lightness Races in Orbit Nov 05 '18 at 16:40
5

The server doesn't know whether the request is coming from an end client, or is a recursive request from another nameserver. If it's another nameserver, it can cache the Authority Section and query those nameservers directly in the future.

I believe that was the original justification in the protocol, but it has security implications. A response can include an Authority Section that lists bogus nameservers, and this has been used in cache poisoning attacks. So nameservers will generally not cache NS records unless they're delegation records for a subdomain of the domain you're querying.

Barmar
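
The caching rule described in the answer above, as an added example that is not part of the original post: it parses the authority section of a DNS response and keeps only the NS records a resolver could safely cache. The `zone` argument (the zone the queried server was asked about), the function names and the sample message are assumptions made for illustration, and the check is a simplified form of what real resolvers do.

```python
import struct

def encode_name(name):  # uncompressed wire form of a domain name
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(msg, off):  # decode a possibly compressed name -> (name, next offset)
    labels, end = [], None
    for _ in range(255):  # bounded, so a pointer loop cannot hang the parser
        n = msg[off]
        if n == 0:
            return ".".join(labels).lower() + ".", (off + 1 if end is None else end)
        if n & 0xC0 == 0xC0:  # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    raise ValueError("name too long or compression loop")

def authority_ns(msg):  # (owner, target) of each NS record in the authority section
    _, _, qd, an, ns, _ = struct.unpack("!6H", msg[:12])
    off, found = 12, []
    for _ in range(qd):  # skip the question section
        off = read_name(msg, off)[1] + 4
    for i in range(an + ns):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if i >= an and rtype == 2:  # type 2 = NS, index >= an = authority section
            found.append((owner, read_name(msg, off + 10)[0]))
        off += 10 + rdlen
    return found

def cacheable_ns(msg, zone):  # keep NS records owned by zone or a name below it
    z = [l for l in zone.lower().split(".") if l]
    def inside(owner):  # label-wise, so "notexample.com" is not inside "example.com"
        o = [l for l in owner.split(".") if l]
        return len(o) >= len(z) and o[len(o) - len(z):] == z
    return [r for r in authority_ns(msg) if inside(r[0])]

def rr(owner, rtype, rdata):  # one record, class IN, TTL 300
    return owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

# Constructed response for "www.example.com A": one answer, two authority NS records.
SAMPLE = (struct.pack("!6H", 0x1234, 0x8400, 1, 1, 2, 0)
          + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
          + rr(b"\xc0\x0c", 1, bytes([192, 0, 2, 10]))  # owner: pointer to offset 12
          + rr(encode_name("example.com"), 2, encode_name("ns1.example.com"))
          + rr(encode_name("com"), 2, encode_name("ns.bogus.test")))
```

With the sample, a server queried for `example.com` gets its own NS record accepted, while the record claiming to speak for all of `com` is dropped.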