I'm creating my own DNS server using Windows Server, and other users will use my DNS server, and I thought that if it goes down I should have a backup. How about if users set my DNS as primary and the secondary can be something like Google public DNS? How will it work? If it can't resolve using my DNS, will it try Google's? Will it try it on every request?
Since you mention Google's public DNS server, I assume you're talking about a nameserver to be used as a recursive resolver (not as an authoritative server containing zones).
DNS doesn't distinguish between "primary" and "secondary" nameservers. What actually happens is up to the client.
Some clients may query nameservers in order, so they will query yours first, and then query Google's only if they don't get a response from yours. Other clients may choose a random server from the list for each query, so they will sometimes query yours and sometimes query Google's. Still others might track statistics on each nameserver and prefer the one that usually gives a faster response. This last option requires a stateful client and it's something another nameserver acting as a forwarder might do.
In practice it will not matter because your recursive resolver and Google's public recursive resolver should give the same response for every query.
Related
I am writing a piece of software to add a DNS record, but first I want to test adding the record directly on the DNS server. I can use dig to query, but what can I use to do a direct add?
That depends on what software is running on the DNS server, or whether the DNS servers are a service provided by a third party. In the case of the former it will vary, and in the case of the latter they may have an API that will allow you to add records programmatically.
I'm wondering how trustworthy the data from a SRV record lookup is? I have a program that essentially could fall apart if someone were to be able to spoof the SRV response.
If not, are there any precautions that could be taken to make it trustworthy?
The only reliable solution to spoofing seems to be using secure DNS servers for lookup. Currently secure DNS lookup is provided by many DNS providers, e.g. Cloudflare.
All DNS is completely insecure unless you're specifically using a secure DNS server with an encrypted protocol like DNSCrypt.
Even this may be insecure unless the server you're querying is the authoritative server for the requested resource. If it has to go off and ask another server, the link to the next server may or may not be secure.
Without encryption, everything can be modified and/or intercepted by an attacker like your ISP or anybody else along the way.
ISPs frequently intercept DNS queries in order to be "helpful", although they could just as easily be evil.
So the short answer to your question is "no". SRV lookups aren't secure and no other DNS queries are either.
If your application queries a DNS server you control, over a secure link, it should be fine. If you're just using whatever DNS your ISP provides, probably not.
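As an added illustration of the baseline checks a resolver client applies before accepting an SRV answer (example code written for this thread, not taken from the answer above or from any particular resolver library): it builds an SRV query in DNS wire format and accepts a reply only if the transaction ID and question section match the outstanding query. The names, IDs and records are constructed. These are the RFC 5452 matching rules that make blind off-path forgery harder; they cannot detect a reply rewritten on-path, which is exactly why the answer points at a server you control over a secure link, or DNSSEC, rather than plain DNS.

```python
"""Minimal DNS wire-format SRV query/response handling with the response
acceptance checks a stub resolver should apply.

Added example, not from the thread. All names, transaction IDs and records
below are constructed for illustration.
"""
import secrets
import struct
from typing import Dict, List, Tuple

TYPE_SRV = 33
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """'a.b.c' -> length-prefixed labels ending with the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(name: str, txid: int) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_name(name) + struct.pack("!HH", TYPE_SRV, CLASS_IN)


def build_response(query: bytes, records: List[Tuple[int, int, int, str]]) -> bytes:
    """Answer a query with SRV records given as (priority, weight, port, target)."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)  # QR, RD, RA
    rrs = b""
    for prio, weight, port, target in records:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        rrs += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + rrs


def parse_message(msg: bytes) -> Dict:
    """Parse header, question and SRV answers of a query or response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        rname, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = decode_name(msg, off + 6)
            answers.append((rname, prio, weight, port, target))
        off += rdlen
    return {"txid": txid, "flags": flags, "question": (qname, qtype, qclass), "answers": answers}


def accept_response(query: bytes, response: bytes) -> Tuple[bool, str]:
    """RFC 5452-style matching: drop anything that does not match the
    outstanding query (source port/address matching happens at the socket)."""
    q, r = parse_message(query), parse_message(response)
    if not r["flags"] & 0x8000:
        return False, "not a response"
    if r["txid"] != q["txid"]:
        return False, "transaction id mismatch"
    if r["question"] != q["question"]:
        return False, "question mismatch"
    for rname, *_ in r["answers"]:
        if rname != q["question"][0]:
            return False, "answer name outside question"
    return True, "ok"


if __name__ == "__main__":
    txid = secrets.randbelow(65536)            # unpredictable ID, as RFC 5452 asks
    q = build_query("_ldap._tcp.example.com", txid)
    genuine = build_response(q, [(0, 5, 389, "ldap1.example.com")])
    # A forged reply that guessed the ID wrong is dropped before any record is used
    forged = build_response(build_query("_ldap._tcp.example.com", (txid + 1) % 65536),
                            [(0, 5, 389, "ldap.attacker.example")])
    print(accept_response(q, genuine), parse_message(genuine)["answers"])
    print(accept_response(q, forged))
```

The ID and question checks only narrow the window for an attacker who cannot see the query; an ISP or anyone else on the path sees the ID and can answer first, so for the SRV-dependent program in the question these checks are a floor, not the fix.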
I didn't see anything that answered what I'm looking for here - if there is something I apologize.
I have several secondary nameservers and four master nameservers - two per datacenter. I want the following query behavior:
Client => nameserver list (e.g. /etc/resolv.conf), populated with secondaries
- If secondary knows the answer, respond
- If secondary doesn't know the answer, I want it to forward the request to the master nameservers
- Master nameservers would then recurse to the root nameservers if it doesn't already know using the root hints file.
I was thinking forwarders, but I believe that would make the secondaries forward everything unless it already has it cached, and I don't want that behavior. They are authoritative for zones and should respond as such.
Any ideas?
Unfortunately I don't think this is how DNS works!
If you have two nameservers defined in your resolv.conf the resolver will query the first and wait for either an answer or a timeout. If there is a timeout it will then move on to the next. If the DNS server responds, even with a negative answer, that is the end of the resolution process.
DNS makes the presumption that every name server is pulling from the same dataset. If server A gets a response from a server that is authoritative for a domain then that is as far as that query gets. If an authoritative nameserver doesn't have a record about a name it is authoritative over then it is presumed that that record doesn't exist.
The client isn't going to make the assumption that any other record in resolv.conf will get any other answer. There are multiple records there to protect against server failures, not to get alternative answers.
What is the problem you are trying to solve here?
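A simulated stub resolver that walks a resolv.conf-style list the way this answer and the first answer on the page describe (added example, not code from either answer or from glibc): the next server is tried only on timeout, and the first real reply, a negative one included, ends resolution. The servers, addresses and records are constructed in-process; nothing touches the network. A `start` parameter models the `options rotate` behaviour the first answer mentions, to show that rotating changes which server is asked, not the stop-at-first-reply rule.

```python
"""Simulated stub resolver: how a client walks its nameserver list.

Added example for this thread; the servers and answers are constructed
in-process, so nothing is sent on the network.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed "network": server address -> records it answers for.
# A server missing from this dict is unreachable and its queries time out.
NETWORK: Dict[str, Dict[str, str]] = {
    "192.0.2.10": {"www.example.com": "192.0.2.80"},
    "192.0.2.11": {"www.example.com": "192.0.2.80",
                   "app.example.com": "192.0.2.81"},
}


@dataclass
class Result:
    status: str                      # NOERROR, NXDOMAIN or SERVFAIL
    answer: Optional[str] = None
    servers_tried: List[str] = field(default_factory=list)


def query_server(server: str, name: str) -> Optional[Tuple[str, Optional[str]]]:
    """One UDP exchange. None models a timeout; otherwise (rcode, rdata)."""
    zone = NETWORK.get(server)
    if zone is None:
        return None
    if name in zone:
        return ("NOERROR", zone[name])
    return ("NXDOMAIN", None)


def resolve(name: str, nameservers: List[str], attempts: int = 2,
            start: int = 0) -> Result:
    """Walk the list like a classic stub resolver: try each server in turn,
    move on only on timeout, and stop at the first real reply, negative ones
    included. `start` models `options rotate`, which shifts the starting
    server but does not change the stop-at-first-reply rule."""
    result = Result(status="SERVFAIL")
    order = nameservers[start:] + nameservers[:start]
    for _ in range(attempts):
        for server in order:
            result.servers_tried.append(server)
            reply = query_server(server, name)
            if reply is None:
                continue                      # timeout: try the next server
            result.status, result.answer = reply
            return result                     # any answer ends resolution
    return result


if __name__ == "__main__":
    # Secondary 192.0.2.10 answers NXDOMAIN for app: the client never asks .11
    print(resolve("app.example.com", ["192.0.2.10", "192.0.2.11"]))
    # Unreachable first server: the client falls through to the second
    print(resolve("app.example.com", ["203.0.113.5", "192.0.2.11"]))
    # Rotation picks a different first server, so the answer now differs
    print(resolve("app.example.com", ["192.0.2.10", "192.0.2.11"], start=1))
```

The third call is the point of the answer: once the listed servers hold different data, which answer a client gets depends on ordering and reachability, which is why the entries in resolv.conf are for failover and not for "ask someone else if the first one says no".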
I'm trying to get all the domains linked to a record like here
http://viewdns.info/reverseip/?host=23.227.38.68&t=1 but I'm getting no luck with dig 23.227.38.68 or nslookup 23.227.38.68. Any idea what I'm doing wrong?
The design of DNS does not support discovering every domain associated with a certain IP address. You may be able to retrieve one or more DNS names associated with the IP address through reverse IP lookup (PTR records), but this does not necessarily give you all domains. In fact, it rarely will.
This is because the information you seek is scattered throughout the global DNS network and there is no single authoritative node in the network that has this information. If you think about it, you can point the DNS A record of your own domain to the IP of stackoverflow.com and that's perfectly valid, but anyone seeking to know this would have to find your DNS servers to figure this out. DNS does not provide any pointers for this, though.
Yet, certain "passive DNS" services (probably including viewdns.info) seem to overcome this limitation. These services all work by aggregating DNS data seen in the wild one way or another. At least one of these services works by monitoring DNS traffic passing through major DNS resolvers, building a database from DNS queries. For instance, if someone looks up yourdomain.com that points to 1.2.3.4 and the DNS query happens to pass through the monitored resolver, they take note of that. If a query for anotherdomain.com is seen later and it also resolves to 1.2.3.4, now they have two domains associated with 1.2.3.4, and so on. Note that due to the above, none of the passive DNS services are complete or real-time (they can get pretty close to either, though).
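To make the aggregation described above concrete, here is a toy passive-DNS index (an added example for this thread, not code from viewdns.info or any passive DNS vendor): it ingests constructed resolver observations, keeps first-seen/last-seen/count per (name, type, rdata) triple, and answers "which names have been seen resolving to this address?" The `timestamp qname rrtype rdata` log format is an assumption made for the example.

```python
"""Toy passive-DNS index built from resolver observations.

Added example, not code from the thread or from any passive DNS service.
The log lines are constructed and the 'timestamp qname rrtype rdata'
format is an assumption for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed observations as a sensor in front of a resolver might record them
OBSERVATIONS = """\
2024-01-03T10:00:00Z www.example.com A 192.0.2.7
2024-01-03T10:05:00Z shop.example.com A 192.0.2.7
2024-01-04T09:00:00Z www.example.com A 192.0.2.7
2024-01-04T09:30:00Z blog.example.net A 192.0.2.8
2024-01-05T11:00:00Z www.example.com A 192.0.2.9
2024-01-05T11:01:00Z mail.example.com MX mx1.example.com.
"""

Key = Tuple[str, str, str]   # (qname, rrtype, rdata)


@dataclass
class Record:
    first_seen: str          # ISO-8601 UTC strings compare correctly as text
    last_seen: str
    count: int


class PassiveDNS:
    def __init__(self) -> None:
        self.records: Dict[Key, Record] = {}
        self.by_rdata: Dict[str, Set[Key]] = defaultdict(set)
        self.by_name: Dict[str, Set[Key]] = defaultdict(set)

    def observe(self, ts: str, qname: str, rrtype: str, rdata: str) -> None:
        """Fold one observed answer into the index."""
        key = (qname.lower().rstrip("."), rrtype.upper(), rdata)
        rec = self.records.get(key)
        if rec is None:
            self.records[key] = Record(ts, ts, 1)
            self.by_rdata[rdata].add(key)
            self.by_name[key[0]].add(key)
        else:
            rec.first_seen = min(rec.first_seen, ts)
            rec.last_seen = max(rec.last_seen, ts)
            rec.count += 1

    def ingest(self, text: str) -> int:
        """Parse log lines; returns the number of lines accepted."""
        accepted = 0
        for line in text.splitlines():
            parts = line.split()
            if len(parts) != 4:
                continue                      # skip malformed lines
            self.observe(*parts)
            accepted += 1
        return accepted

    def reverse(self, rdata: str) -> List[str]:
        """Names ever seen resolving to rdata. Only what passed the sensor
        is known, which is why passive DNS is never complete."""
        return sorted({key[0] for key in self.by_rdata.get(rdata, ())})

    def history(self, qname: str) -> List[Tuple[str, str, str, str, int]]:
        """(rrtype, rdata, first_seen, last_seen, count) rows for a name."""
        rows = []
        for key in self.by_name.get(qname.lower().rstrip("."), ()):
            rec = self.records[key]
            rows.append((key[1], key[2], rec.first_seen, rec.last_seen, rec.count))
        return sorted(rows)


if __name__ == "__main__":
    index = PassiveDNS()
    index.ingest(OBSERVATIONS)
    print(index.reverse("192.0.2.7"))        # both names that shared the address
    print(index.history("www.example.com"))  # shows the move from .7 to .9
    print(index.reverse("192.0.2.99"))       # never observed: empty, not "none exist"
```

The empty result for an address that was never observed is the caveat the answer makes: absence from a passive DNS index means the sensor did not see it, not that no domain points there.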
Short Question:
Since DNS is anycast, is there any way for a DNS Server to know the "first" source DNS Query originated from?
Long Question:
I've developed a custom DynDNS server using PowerDNS, I want to feed it information via web interface by users. I want the web interface to update records for each user "based on IP".
So when the DNS Server gets requests, If it could determine the source IP, it'd be easy to return records associated with that IP.
As far as I have tested, the DNS Server can only know the "last" node IP on the DNS chain, not the source. Is there any way?
Regards
Google and Yahoo! submitted a draft (draft-vandergaast-edns-client-ip-01) to the IETF DNS Extensions Working Group that proposed a new EDNS0 option within DNS requests that recursive servers could use to indicate their own client's IP address to the upstream authoritative server.
The intent was to theoretically optimise the use of Content Delivery Networks by ensuring that the web server addresses returned were based on the end user's IP address, rather than on the address of the end user's DNS server.
The idea was not well received and wasn't accepted by the working group because it intentionally broke the caching layer of the DNS, and the draft has subsequently expired.
UPDATE - a variation on this has subsequently been published as RFC 7871.
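Since RFC 7871 is where this ended up, here is an added example (not code from the answer, from PowerDNS or from any other resolver) of what the published EDNS Client Subnet option looks like on the wire: a builder and a parser for the option following the field layout in RFC 7871 section 6, an OPT pseudo-RR to carry it, and the resolver-side truncation to /24 and /56 that the RFC's privacy section recommends. The client addresses are constructed from documentation ranges. The parser rejects an option whose address bits extend past the stated prefix, which is the validation an authoritative server should do before trusting the value for tailoring or logging.

```python
"""EDNS Client Subnet (RFC 7871) option encoding and decoding.

Added example, not from the thread. Field layout follows RFC 7871 section 6;
the client addresses are constructed (documentation ranges).
"""
import ipaddress
import struct
from typing import Dict, List

OPTION_CODE_ECS = 8          # IANA EDNS option code for Client Subnet
TYPE_OPT = 41
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


def build_ecs_option(client_ip: str, source_prefix: int, scope_prefix: int = 0) -> bytes:
    """ECS option body: FAMILY | SOURCE PREFIX-LENGTH | SCOPE PREFIX-LENGTH | ADDRESS,
    where ADDRESS is truncated to ceil(source_prefix/8) bytes with the bits
    beyond the prefix zeroed, wrapped in OPTION-CODE / OPTION-LENGTH."""
    ip = ipaddress.ip_address(client_ip)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    network = ipaddress.ip_network((ip, source_prefix), strict=False)
    addr = network.network_address.packed[:(source_prefix + 7) // 8]
    data = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr
    return struct.pack("!HH", OPTION_CODE_ECS, len(data)) + data


def parse_ecs_option(option: bytes) -> Dict:
    """Decode and validate one ECS option; raises ValueError on malformed input."""
    code, length = struct.unpack("!HH", option[:4])
    if code != OPTION_CODE_ECS:
        raise ValueError("not an ECS option")
    data = option[4:4 + length]
    family, source_prefix, scope_prefix = struct.unpack("!HBB", data[:4])
    addr = data[4:]
    full_len = 4 if family == FAMILY_IPV4 else 16
    if len(addr) != (source_prefix + 7) // 8 or len(addr) > full_len:
        raise ValueError("address length does not match source prefix")
    ip = ipaddress.ip_address(addr + b"\x00" * (full_len - len(addr)))
    # RFC 7871: bits past SOURCE PREFIX-LENGTH must be zero; reject otherwise
    if ipaddress.ip_network((ip, source_prefix), strict=False).network_address != ip:
        raise ValueError("non-zero bits beyond the source prefix")
    return {"family": family, "source_prefix": source_prefix,
            "scope_prefix": scope_prefix, "address": str(ip)}


def build_opt_rr(options: List[bytes], udp_payload_size: int = 1232) -> bytes:
    """OPT pseudo-RR carrying the options: root name, TYPE 41, CLASS = UDP
    payload size, TTL = extended RCODE/version/flags (all zero here)."""
    rdata = b"".join(options)
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, 0, len(rdata)) + rdata


def resolver_ecs_for_client(client_ip: str) -> bytes:
    """What a recursive resolver attaches upstream: the client's address
    truncated to /24 (IPv4) or /56 (IPv6), the privacy defaults RFC 7871
    recommends, so the authoritative side never sees the full address."""
    ip = ipaddress.ip_address(client_ip)
    return build_ecs_option(client_ip, 24 if ip.version == 4 else 56)


if __name__ == "__main__":
    ecs = resolver_ecs_for_client("198.51.100.77")
    print(ecs.hex(), parse_ecs_option(ecs))
    print(build_opt_rr([ecs]).hex())
    ecs6 = resolver_ecs_for_client("2001:db8:abcd:1234::1")
    print(parse_ecs_option(ecs6))
```

Note what the authoritative server gets in the question's terms: a subnet chosen and truncated by the resolver, not the querying host, and only from resolvers that choose to send the option; so even with RFC 7871 the "first source" of a query is not available as a per-user identifier.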
Perhaps you have control of the software performing the lookup? If so, you could include the IP address as part of the request, e.g.
23-34-45-56.www.example.com
to which your custom-written server replies
23-34-45-56.www.example.com 1800 CNAME www-europe.example.com
or
23-34-45-56.www.example.com 300 A 34.45.56.67
etc.
If the client is a web browser, complications arise due to NAT, HTTP proxies, and the inability to query host interface addresses directly from Javascript. However, you might be able to do an AJAX-style lookup to a what's-my-ip service, which understands X-Forwarded-For.
Long answer to Short Question:
DNS is not anycast. Some content DNS server owners use anycasting to distribute servers in multiple physical locations around the world, but the DNS/UDP and DNS/TCP protocols themselves are not anycast. The notion simply doesn't exist at that protocol layer.
Short answer to Long Question:
No.
Expansion
As noted, there's nothing in the DNS protocol for this. Moreover, the relationship between front-end and back-end transactions at a caching resolving proxy DNS server is not one-to-one.
You'll have to use whatever client differentiation mechanisms exist in the actual service protocol that you're using, instead of putting your client differentiation in the name→IP address lookup mechanism. Client differentiation for other services doesn't belong in name→IP address lookup, anyway. Such lookup is common to multiple protocols, for starters. Use the mechanisms of whatever actual service protocol is being used by the clients who are communicating with your servers.