30 July 2013 17:08

Here we'll look precisely and completely at the domain name delegation mechanism: how to set up the domain NS records, how to set up public authoritative DNS servers, and how to check NS records throughout the Internet DNS hierarchy. We'll focus especially on IPv6.

 

In everyday usage, NS (Name Server) and DNS server are used interchangeably, although the correct term is Name Server.

Likewise, domain name and zone are used interchangeably, although the correct term is zone.

 

 

The Domain Name Authority Delegation

 

 

Here is the Domain Name authority chain:

 

[Figure WS9a.gif: the domain name authority chain]

 

 

When authority over a domain name is granted, access to the associated NS records is granted with it.
That access takes the form of the NS records held in the TLD (top level domain) zone; these NS records state which name servers are authoritative for the domain name.

Note that the registrar acts as a proxy: it is delegated the authority over the domain example.com and hands it over to the customer. The customer has access to the example.com NS settings in the TLD through the registrar's management page. The registrar is a proxy:

 

[Figure WS9b.gif: the registrar as a proxy between the TLD NS records and the customer]

 

The other setting in the TLD records that is accessible to the customer is the glue records (A or AAAA records that resolve the example.com name servers' hostnames to IP addresses).

 

There are at least 2 authoritative DNS servers for a zone (i.e. a domain name or subdomain name): a primary name server (master) and a secondary name server.

 

 

The DNS servers which are given authority over the example.com domain must comply with a set of rules. They are:

. 2 distinct DNS servers (one primary and one secondary), located on topologically distinct networks (i.e. a different origin autonomous system in the BGP routing table)

. they each contain one SOA record, 2 NS records, and the A/AAAA records corresponding to the two NS records.

. The SOA record and the NS records are identical throughout the zone (zone = domain name)

 

. At least 1 glue record must be present in the TLD records

Here is the basic DNS server implementation:

 

[Figure WS9c: the basic DNS server implementation]

 

 

 

3 possibilities for DNS server delegation

 

There are 3 possibilities for DNS delegation:

 

1. Registrar-hosted DNS:

 

In this case, the registrar hosts a DNS server that the customer has access to. Only one DNS server is represented here:

 

[Figure WS9d.gif: registrar-hosted DNS]

 

 

2. Third-party hosted DNS:

In this case, the DNS hosting is performed by a third party. The NS records point to these third-party DNS servers.

Only one DNS server is represented here:

 

[Figure WS9e.gif: third-party hosted DNS]

 

3. Locally hosted public DNS servers:

 

In this case, the DNS servers are hosted locally. Only one DNS server is represented here:

 

[Figure WS9f.gif: locally hosted public DNS servers]

 

Here is the full network map, with the minimum set of 2 DNS servers required:

 

[Figure WS9g.gif: full network map with the two DNS servers]

 

 

 

 

A Public DNS Server Set Setup

 

 

 

a few notes:

There is one primary server and at least 1 secondary server.
The secondary servers automatically update from the primary server.
They all contain the same basic information:

. same SOA record
. same NS records
. same A or AAAA records for the NS records' hostname resolution
. TCP and UDP ports 53 must be accessible (DNS queries and server sync)

[Figure WS9g: full network map with the two DNS servers, shown again]

 

 

Please note that all name servers hold records listing all name servers for the zone (i.e. ns1 has both the ns1 and ns2 NS records, and ns2 has both the ns1 and ns2 NS records).



The SOA record


The SOA record states authoritative information about a DNS zone:

. primary name server
. email of the domain admin
. domain serial number
. timers related to zone refresh.


here is a typical SOA record:

example.com SOA 86400 ns1.example.com hostmaster.example.com 2013072004 3600 600 86400 3600

here is the meaning:

[zone] SOA [TTL] [Primary NameServer] [E.mail of domain admin] [Serial Number] [T1] [T2] [T3] [T4]


[zone] is the domain name (or subdomain)

[TTL] is the time to live of the zone records for outside DNS servers

[Primary NameServer] is the FQDN of the primary name server of the zone

[E.mail of domain admin] is written with a dot instead of the '@'

[Serial Number] is an incremental number, incremented at each record change on the primary name server. It tells the secondary name servers of the zone that the records have changed and that they should sync.
It is written in the form [Year][Month][Day][Number]

[T1] Refresh time: time before the secondary name servers recheck the zone serial number (in seconds)
[T2] Retry time: time before a secondary name server retries a zone transfer after a failed one (in seconds)
[T3] Expire time: how long zone transfers may keep failing before a secondary name server expires its zone file and stops answering queries (in seconds)
[T4] minimum TTL: how long outside DNS servers should keep the zone data in their caches.
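As an added example (not code from the original post), here is a small Python checker for an SOA record written in the layout above: it parses the fields, turns the dotted admin mailbox back into an address, validates the [Year][Month][Day][Number] serial form, confirms the serial grew after a change, and checks that the T1/T2/T3 timers are ordered sensibly. The sample record is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout used above (not a real zone):
# [zone] SOA [TTL] [Primary NameServer] [E.mail of domain admin] [Serial] [T1] [T2] [T3] [T4]
SAMPLE_SOA = ("example.com SOA 86400 ns1.example.com hostmaster.example.com "
              "2013072004 3600 600 86400 3600")

@dataclass
class SOA:
    zone: str
    ttl: int
    primary: str
    admin_email: str   # admin field with the first dot turned back into '@'
    serial: int
    refresh: int       # T1
    retry: int         # T2
    expire: int        # T3
    minimum: int       # T4

def parse_soa(line: str) -> SOA:
    fields = line.split()
    if len(fields) != 10 or fields[1] != "SOA":
        raise ValueError("expected: zone SOA ttl primary admin serial refresh retry expire minimum")
    zone, _, ttl, primary, admin, serial, t1, t2, t3, t4 = fields
    # Only the first dot of the admin field stands for '@'; the rest belong to the domain.
    local, domain = admin.split(".", 1)
    return SOA(zone, int(ttl), primary, f"{local}@{domain}", int(serial),
               int(t1), int(t2), int(t3), int(t4))

def check_soa(soa: SOA, previous_serial: Optional[int] = None) -> List[str]:
    """Return the problems a zone admin should fix before publishing (empty list = OK)."""
    problems = []
    # Serial in the [Year][Month][Day][Number] form: 10 digits with a valid date part.
    s = str(soa.serial)
    if not re.fullmatch(r"\d{4}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])\d{2}", s):
        problems.append(f"serial {s} is not in YYYYMMDDnn form")
    # Secondaries only transfer when the serial grows; an unchanged serial means no sync.
    if previous_serial is not None and soa.serial <= previous_serial:
        problems.append(f"serial {s} was not incremented after the change")
    # Timer sanity: retry sooner than refresh, and expire well beyond refresh.
    if soa.retry >= soa.refresh:
        problems.append("retry (T2) should be shorter than refresh (T1)")
    if soa.expire <= soa.refresh:
        problems.append("expire (T3) should be longer than refresh (T1)")
    return problems
```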



NSLOOKUP and Name Server Queries

To check the name server records, we can use the NSLOOKUP command.
It is especially useful to check the content of the TLD records, as well as differences between the TLD records and the authoritative name servers' records.

let's check the example.com NS records:

nslookup -q=ns .

nslookup -q=ns com [root NS]

nslookup -q=ns example.com [com NS]



explanation:

first, we query the NS records of the root zone:

nslookup -q=ns .


we get answered with a list of valid NS records. Let's call [root NS] one of these answers.



then, we ask one of the returned root servers for the authoritative NS records of the .com TLD:

nslookup -q=ns com [root NS]

we get answered with a list of valid NS records for the .com TLD.
Let's call [com NS] one of these answers.

finally, we query one of the returned .com name servers for the example.com NS records:

nslookup -q=ns example.com [com NS]



This is the complete sequence. A shorter, and less perfect, one might be:

nslookup -q=ns com
nslookup -q=ns example.com [com NS]



We can compare it with our own name servers' NS records, making a direct query to one of them:
nslookup -q=ns example.com [Primary Name Server IP]
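The comparison described above, as an added example that is not part of the original post: the answers that nslookup would return are replaced by constructed, in-memory data so it runs offline, and the check goes a little beyond the text by also verifying glue for in-zone name servers and comparing SOA serials across the servers. The TLD view (NS set and glue) is compared with what each delegated server answers for the zone; any difference is a delegation defect worth fixing.

```python
from typing import Dict, List, Set

# Constructed sample answers (not real query output): the NS set the .com servers
# delegate for example.com, the glue they hold, and what each delegated server
# answers for the zone itself (NS set and SOA serial).
ZONE = "example.com."
PARENT_NS = {"ns1.example.com.", "ns2.example.com."}
PARENT_GLUE = {"ns1.example.com.": {"2001:db8::1"}, "ns2.example.com.": {"2001:db8:1::1"}}
CHILD_NS = {
    "ns1.example.com.": {"ns1.example.com.", "ns2.example.com."},
    "ns2.example.com.": {"ns1.example.com.", "ns2.example.com.", "ns3.example.com."},
}
CHILD_SERIAL = {"ns1.example.com.": 2013072004, "ns2.example.com.": 2013072003}

def check_delegation(zone: str, parent_ns: Set[str], parent_glue: Dict[str, Set[str]],
                     child_ns: Dict[str, Set[str]], child_serial: Dict[str, int]) -> List[str]:
    """Compare the TLD view of the zone with each authoritative server's own view."""
    findings = []
    for server in sorted(parent_ns):
        answer = child_ns.get(server)
        if answer is None:
            # Listed at the parent but not serving the zone: a lame delegation.
            findings.append(f"{server}: delegated by parent but does not answer for {zone}")
            continue
        if answer != parent_ns:
            # The rule above: NS records must be identical everywhere.
            findings.append(f"{server}: NS set differs from parent: {sorted(answer ^ parent_ns)}")
    # The text requires at least one glue record in the TLD; checking every in-zone
    # name server is the stricter form, since resolvers cannot reach one without glue.
    in_zone = {ns for ns in parent_ns if ns.endswith("." + zone)}
    for server in sorted(in_zone):
        if not parent_glue.get(server):
            findings.append(f"{server}: in-zone name server without glue at the parent")
    # A secondary that lags the highest serial has not synced since the last change.
    if child_serial:
        newest = max(child_serial.values())
        for server, serial in sorted(child_serial.items()):
            if serial < newest:
                findings.append(f"{server}: serial {serial} behind {newest}, not yet synced")
    return findings

if __name__ == "__main__":
    report = check_delegation(ZONE, PARENT_NS, PARENT_GLUE, CHILD_NS, CHILD_SERIAL)
    for line in report or ["delegation consistent"]:
        print(line)
```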



Published by computer outlines in Windows Server 2008 R2

Comments

essay writing service reviews 25/07/2016 07:07

How do I change DNS providers without downtime? I am really interested in networking, and this is absolutely an informative post. Keep writing and sharing :)
