Suppose my OS has two DNS servers set, let's say 8.8.8.8 and 9.9.9.9. Is there some RFC that states what the DNS client should do if the first query performed is answered with response code 5 (REFUSED)?
For example: if the query goes first to 8.8.8.8 and it refuses the query, what is the RFC recommendation for the client? To query 9.9.9.9, or to accept the refused query as the final answer and return an error to the application?
I am working on a backup (failover) server for my websites.
example.com is my domain, hosted on IP 1.1.1.1
A copy of example.com is hosted on IP 2.2.2.2
I want to use IP 2 as a backup only when IP 1 is down,
so I set both IPs in my DNS A record.
As per the rules of DNS: if I set 2 IPs in the A record, it will work like round robin.
First visitor is directed to IP 1.1.1.1
Second visitor is directed to IP 2.2.2.2
But I set the "A record" priority in DNS, so it always directs all users to IP 1.1.1.1, and no users are directed to the IP 2 hosting.
Now, when IP 1.1.1.1 is down, by browser or DNS nature it will try the other A record if IP 2 is available. (It's working perfectly, and I want this.)
The problem is that
DNS keeps trying IP 1 for 30-60 seconds; after that fails, DNS tries IP 2.
I want to reduce that DNS lookup time to 5 seconds. I have a CentOS VPS with WHM.
Round-robin DNS does not work the way you appear to think it works.
Most DNS nameservers will indeed rotate a list of multiple A RRs for a given name with each response, but remember that the requestor will be an intermediate recursive resolver, often shared by many end clients, and those intermediate resolvers will cache each record for a minimum of 300 seconds or the maximum of the TTL given in the record. The intermediate resolver may or may not rotate the A RRs in the responses it sends to its individual clients. However, ultimately the choice of which address to try first among multiple A RRs for the same name is up to the client, and some clients work differently.
The timeout for trying another address when multiple A RRs are given is mandated by the client through its TCP connection attempt, not by anything supplied in a DNS response.
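To make the point in the answer concrete, here is an added example (not code from the question or the answer): a client-side connect loop that takes every A record it was given and decides for itself how long to wait on each one before moving to the next. The addresses, the "primary is down" scenario and the stand-in connector are constructed for offline use; with a real host, `resolve_all` plus the default `socket.create_connection` would do the same thing against the live records. Nothing in the DNS response sets the 5-second figure; it is a parameter of this function.

```python
import socket
from typing import Callable, Iterable, List, Optional, Tuple

# Hypothetical helpers, added here as an illustration; not from the original thread.
# A stub resolver hands back every A record; which one is tried first and how long
# each attempt may take are decisions made on the client, not in the DNS answer.

ConnectFn = Callable[[Tuple[str, int], float], socket.socket]


def connect_with_failover(
    addresses: Iterable[str],
    port: int,
    timeout: float = 5.0,
    connect: ConnectFn = socket.create_connection,
) -> Tuple[str, socket.socket, List[str]]:
    """Try each address in order with a per-attempt connect timeout.

    Returns (address_that_worked, connected_socket, addresses_that_failed).
    Raises OSError if every address fails.
    """
    failed: List[str] = []
    last_err: Optional[OSError] = None
    for addr in addresses:
        try:
            sock = connect((addr, port), timeout)
            return addr, sock, failed
        except OSError as exc:  # socket.timeout, ECONNREFUSED, EHOSTUNREACH ...
            failed.append(addr)
            last_err = exc
    raise OSError(f"all addresses failed: {failed}") from last_err


def resolve_all(hostname: str, port: int) -> List[str]:
    """Every IPv4 address the system resolver returns for hostname, in the order given."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM)
    seen: List[str] = []
    for info in infos:
        ip = info[4][0]
        if ip not in seen:
            seen.append(ip)
    return seen


def fake_connect_factory(down: Iterable[str]) -> ConnectFn:
    """Constructed stand-in for socket.create_connection so the demo runs offline.

    Addresses in `down` behave like a host that never completes the TCP handshake.
    """
    down_set = set(down)

    def connect(address: Tuple[str, int], timeout: float) -> socket.socket:
        host, _port = address
        if host in down_set:
            raise socket.timeout(f"connect to {host} timed out after {timeout}s")
        a, b = socket.socketpair()  # a connected local socket standing in for the server
        b.close()
        return a

    return connect


if __name__ == "__main__":
    # Constructed input mirroring the question: 1.1.1.1 is primary and down, 2.2.2.2 is the backup.
    addrs = ["1.1.1.1", "2.2.2.2"]
    ok, sock, failed = connect_with_failover(
        addrs, 80, timeout=5.0, connect=fake_connect_factory({"1.1.1.1"})
    )
    print(f"connected to {ok}; gave up on {failed} after 5s each")
    sock.close()
```

With a real primary that is hard down, a visitor still pays the full per-address timeout before the backup is tried; browsers run their own timer for this, so the value in this function only governs clients you control.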
I am trying to develop a Python script using dnspython to do forward lookups by hostname only instead of FQDN. This obviously has a dependency on DHCP Option 15 (connection-specific DNS suffix). When I do:
from dns import resolver
servs = resolver.Resolver()
print(servs.nameservers)
I see a DNS resolver that is not part of the list of DNS servers in ipconfig /all. This DNS server sometimes causes issues because sometimes it is the first DNS server that dnspython uses for lookups. How can I find out where this DNS server is coming from, and how can I get rid of it?
UPDATE
I just ran Get-DnsClientServerAddress in PowerShell and that rogue DNS server does not show up as a known DNS server for any of my interfaces.
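An added example for the situation above (not the poster's script, and not an answer that appears on this page): rather than trusting whatever nameserver list dnspython assembles from the OS, build the resolver with `configure=False`, pin the nameservers to the ones you actually see on your interfaces, and attach the connection-specific suffix as a search domain so bare hostnames still qualify. It assumes dnspython 2.x; the suffix `corp.example`, the nameserver addresses and the hostname are constructed placeholders. The pure helpers `unexpected_nameservers` and `qualify` run without dnspython at all.

```python
from typing import Iterable, List, Sequence

# Added example; hypothetical names and addresses. Assumes dnspython 2.x for
# make_pinned_resolver / lookup_host; the other helpers are plain Python.


def unexpected_nameservers(configured: Iterable[str], allowed: Iterable[str]) -> List[str]:
    """Nameservers the library picked up that are not in the list you trust (e.g. from ipconfig)."""
    allowed_set = set(allowed)
    return [ns for ns in configured if ns not in allowed_set]


def qualify(hostname: str, search_suffixes: Sequence[str]) -> List[str]:
    """FQDN candidates for a bare hostname, in the order a search list would try them."""
    if hostname.endswith("."):
        return [hostname]  # already absolute, nothing to append
    return [f"{hostname}.{suffix.strip('.')}." for suffix in search_suffixes]


def make_pinned_resolver(nameservers: Sequence[str], search_suffix: str):
    """Resolver that ignores the OS configuration entirely (dnspython's configure=False)."""
    import dns.name
    import dns.resolver

    r = dns.resolver.Resolver(configure=False)   # do not read registry/resolv.conf
    r.nameservers = list(nameservers)             # only the servers you chose
    r.search = [dns.name.from_text(search_suffix)]
    r.use_search_by_default = True                # so resolve("host") appends the suffix
    return r


def lookup_host(resolver, hostname: str) -> List[str]:
    """Forward lookup of a bare hostname through the pinned resolver."""
    answer = resolver.resolve(hostname, "A")
    return [rr.address for rr in answer]


if __name__ == "__main__":
    # Constructed: what dnspython reported vs. what the interfaces actually list.
    reported = ["10.0.0.53", "192.0.2.99"]
    from_ipconfig = ["10.0.0.53"]
    print("unexpected:", unexpected_nameservers(reported, from_ipconfig))
    print("candidates:", qualify("fileserver", ["corp.example"]))
    # Live use (needs network and dnspython):
    # r = make_pinned_resolver(from_ipconfig, "corp.example")
    # print(lookup_host(r, "fileserver"))
```

Pinning sidesteps the stray server but does not explain it; on Windows dnspython builds its default list from the registry rather than from `ipconfig`, so the per-interface `NameServer` and `DhcpNameServer` values under `Tcpip\Parameters\Interfaces` are the place to look for a stale entry.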
I've got a cheap OpenVZ Ubuntu VPS and I'm trying to run my own DNS server on it for learning purposes.
The DNS server works fine on localhost (on the VPS through SSH); I can query it using dig google.com @127.0.0.1 and I get the expected result (which is not the IP of google.com but a custom one).
When I try to query the DNS server from outside the VPS, using the same command, I do get a reply, but the IP is not what I expect (it's an actual google.com IP).
After further investigation I found out my DNS server is not receiving/sending packets when the query is done from outside the VPS. So the answer is sent by something else; it seems like inbound packets with destination port 53 are diverted and do not even reach my DNS server.
I tried to query my DNS server, still from outside, but this time while the VPS was SHUT DOWN. Magically I got a reply from god knows who.
Changing the port from 53 to 54, everything works perfectly.
The problem is I need it to use port 53.
I don't have iptables rules or any other firewall doing anything related to port 53.
I also tried to query some other random VPSes from different hosting providers; it seems like everyone has a DNS server running! Why does everyone reply?
Of course I asked technical support; this is what they said:
Hello,
Sorry but we don't do "software" technical support on VPS.
We deliver the hosting and the operating systems; customers that order a VPS are their own admins, and have to know how to manage a Linux server.
We don't block any port on our side.
Best regards,
Support
Maybe your DNS server is bound to the loopback interface only (so it's only listening on localhost). You can check the service ports currently in use (UDP for DNS) using netstat and filtering (grep) for the UDP port:
netstat -an | grep ":53"
Also, you can test the same DNS query using the nslookup command, checking in the output which DNS server IP answered your query:
nslookup google.com [dns_server_ip]
Also test it without dns_server_ip to check whether there is a default nameserver answering when the specified nameserver is not responding.
Problem solved: it's my ISP intercepting and replying to DNS queries.
I can do dig google.com @1.2.3.4 and I get a reply :D
For anyone who wants to know more about this:
ISP Intercepting DNS Lookups
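The test the poster ended up doing (query an address that cannot possibly be running a DNS server and see whether anything answers) is worth having as a small tool. The following is an added example, not code from the thread: it hand-builds a DNS A query over UDP, parses the answer section, and records which source address the reply came from. `build_response` is included so the parser can be exercised offline; the names and the 192.0.2.x addresses (RFC 5737 documentation space) are constructed. A reply from a server that should not answer, or a reply whose source differs from the server queried, is the interception signature; a transparent interceptor will spoof the source, which is why the "should this server answer at all" check is the stronger of the two.

```python
import random
import socket
import struct
from typing import List, Optional, Tuple

# Added example; constructed names/addresses. Minimal DNS wire format (RFC 1035):
# 12-byte header, question (name, QTYPE, QCLASS), answer RRs with compressed names.


def _encode_name(qname: str) -> bytes:
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qid: int) -> bytes:
    """Standard query, A/IN, RD set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(qname: str, qid: int, addresses: List[str], rcode: int = 0, ttl: int = 300) -> bytes:
    """Constructed answer, used here only to exercise the parser without a network."""
    flags = 0x8180 | (rcode & 0xF)  # QR, RD, RA
    msg = struct.pack("!HHHHHH", qid, flags, 1, len(addresses), 0, 0)
    msg += _encode_name(qname) + struct.pack("!HH", 1, 1)
    for ip in addresses:  # 0xC00C = pointer to the name at offset 12 (the question)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return msg


def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a possibly-compressed name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(msg: bytes, expected_id: int) -> Tuple[int, List[str]]:
    """Return (rcode, IPv4 addresses in the answer section)."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if qid != expected_id:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    addrs: List[str] = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def probe(server: str, qname: str, timeout: float = 2.0) -> Optional[Tuple[str, int, List[str]]]:
    """Send one query; return (source IP of the reply, rcode, addresses) or None on timeout."""
    qid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qid), (server, 53))
        try:
            data, (src, _port) = s.recvfrom(4096)
        except socket.timeout:
            return None
    rcode, addrs = parse_a_records(data, qid)
    return src, rcode, addrs


def classify(server_queried: str, result, server_should_answer: bool) -> str:
    """'no-reply', 'answered', or 'intercepted'."""
    if result is None:
        return "no-reply"
    src, _rcode, _addrs = result
    if not server_should_answer or src != server_queried:
        return "intercepted"
    return "answered"


if __name__ == "__main__":
    # Offline demo with a constructed reply that pretends to come from a dead address.
    fake = ("192.0.2.53", *parse_a_records(build_response("google.com", 7, ["192.0.2.1"]), 7))
    print(classify("192.0.2.53", fake, server_should_answer=False))  # intercepted
    # Live: nothing should answer at 192.0.2.53, so any reply means an on-path resolver.
    # print(classify("192.0.2.53", probe("192.0.2.53", "google.com"), server_should_answer=False))
```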
My pdns_recursor setup includes this:
forward-zones=net=127.0.0.1:5353;8.8.8.8
where my own DNS server listens at 127.0.0.1:5353 and acts as a filter on all DNS requests under the .net zone. When my DNS server thinks a request should be blocked, it returns the IP of a blocking page to pdns_recursor. If not, it returns NXDOMAIN to pdns_recursor.
My understanding of pdns_recursor is that it will continue to forward the DNS request to 8.8.8.8 in case it receives NXDOMAIN from my own DNS server. This way, unblocked requests would reach their destinations via Google DNS. However, the client always sees either the blocking page or an NXDOMAIN message from pdns_recursor!
What am I missing here?
Thanks a lot!
NXDOMAIN is a perfectly good answer to a DNS query, and there is no reason for PowerDNS to try another server when it has already received an answer. In fact, RFC 1034 says that a recursor should keep asking servers until it receives "a response". Assuming that PowerDNS follows the RFCs, any response from your filter thingy will be passed on to the user. So if you want the query passed on to the next server in the list, your filter thingy must not answer at all, in which case all your users will instead have to wait for a timeout on every non-blocked query before it gets passed on to Google, which will likely annoy them a lot.
At the moment I am learning how DNS and domain resolution work, and I have a question.
Let's take a.test.com for example.
As I understand it, first of all the intermediary ISP DNS server is queried. If it has the domain's IP in cache, it returns it. Otherwise, it performs the following steps in sequence:
It queries a root DNS server, which returns a com DNS server IP
It queries that top-level DNS server, which returns the test.com DNS server IP
It queries that DNS server to finally get a.test.com's IP
Is that correct?
And now, what happens when we resolve a.b.c.test.com?
Does it query another DNS server, or does the c.test.com DNS server hold a.b.c.test.com's IP?
Thanks
Yes, you are pretty much correct. Nothing different happens in the next steps: c.test.com will respond with a referral to a more authoritative server (the one for b.c.test.com), or, if it is itself authoritative, it will respond with an answer.
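The walk the answer describes, as an added example (not code from the question or the answer): a resolver with a cold cache starting at the root and following referrals until a server answers authoritatively. The zone data is constructed: `test.com` delegates `c.test.com`, whose server both answers for `d.c.test.com` itself and delegates `b.c.test.com` further, so the same query loop shows both outcomes the answer mentions (referral or direct answer). Server names are labels standing in for the NS names plus glue a real referral carries.

```python
from typing import Dict, List, Tuple

# Added example with constructed zone data. Each simulated server knows the
# delegations it holds (zone -> server label) and the A records it is authoritative for.
# Names use the absolute form with a trailing dot.
SERVERS: Dict[str, dict] = {
    "root":          {"delegations": {"com.": "com-tld"}, "records": {}},
    "com-tld":       {"delegations": {"test.com.": "ns.test.com"}, "records": {}},
    "ns.test.com":   {"delegations": {"c.test.com.": "ns.c.test.com"},
                      "records": {"a.test.com.": "192.0.2.10"}},
    "ns.c.test.com": {"delegations": {"b.c.test.com.": "ns.b.c.test.com"},
                      "records": {"d.c.test.com.": "192.0.2.30"}},
    "ns.b.c.test.com": {"delegations": {},
                        "records": {"a.b.c.test.com.": "192.0.2.20"}},
}


def ask(server: str, qname: str) -> Tuple[str, str]:
    """Simulated authoritative reply: ('answer', ip), ('referral', next_server) or ('nxdomain', '')."""
    data = SERVERS[server]
    if qname in data["records"]:
        return "answer", data["records"][qname]
    # The closest enclosing delegation (longest matching zone suffix) wins.
    best = None
    for zone, ns in data["delegations"].items():
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, ns)
    if best:
        return "referral", best[1]
    return "nxdomain", ""  # authoritative for the enclosing zone, name does not exist


def resolve_iteratively(qname: str, start: str = "root", max_hops: int = 16) -> Tuple[str, List[str]]:
    """Follow referrals from the root like a recursive resolver with an empty cache.

    Returns (ip_or_empty_string, list_of_servers_consulted_in_order).
    """
    if not qname.endswith("."):
        qname += "."
    trail: List[str] = []
    server = start
    for _ in range(max_hops):
        trail.append(server)
        kind, value = ask(server, qname)
        if kind == "answer":
            return value, trail
        if kind == "referral":
            server = value
            continue
        return "", trail  # NXDOMAIN is a final answer; no other server is tried
    raise RuntimeError("referral loop or delegation chain too long")


if __name__ == "__main__":
    for name in ("a.test.com", "a.b.c.test.com", "d.c.test.com", "nope.test.com"):
        ip, trail = resolve_iteratively(name)
        print(f"{name:16} -> {ip or 'NXDOMAIN':10} via {' -> '.join(trail)}")
```

Two things the toy makes visible that the label structure hides: a zone cut is what creates an extra hop, not an extra dot (`d.c.test.com` needs no more servers than `c.test.com` itself), and a negative answer from the authoritative server ends the search just as an address does.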