How can (say) ns1.example.com be a name server of example.com? - dns

Clearly I don't know much about DNS, so bear with me on this issue, which has been puzzling me for a while.
Some WHOIS records show (say) ns1.example.com and ns2.example.com as name servers for example.com. Then how is the actual IP address found? Isn't this circular?

This question probably belongs on Serverfault rather than Stackoverflow, but for the explanation you should read about glue records.
Name servers in delegations are identified by name, rather than by IP address. This means that a resolving name server must issue another DNS request to find out the IP address of the server to which it has been referred. If the name given in the delegation is a subdomain of the domain for which the delegation is being provided, there is a circular dependency. In this case the nameserver providing the delegation must also provide one or more IP addresses for the authoritative nameserver mentioned in the delegation. This information is called glue. The delegating name server provides this glue in the form of records in the additional section of the DNS response, and provides the delegation in the answer section of the response.
There is also a nice explanation in this FAQ.
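The circular dependency the quoted text describes is easiest to see by walking the referrals by hand. The following is an added example, not code from the post or from Wikipedia: a toy iterative resolver with three constructed authoritative servers (root, com, and ns1.example.com), run once with the glue A record present in the com zone and once without it. All names and addresses are invented (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).

```python
"""Toy iterative resolver that shows why a name server inside the zone it
serves (ns1.example.com for example.com) needs glue in the parent zone.

Added example; it is not code from the original post. Every zone, name and
address here is constructed (192.0.2.0/24 and 198.51.100.0/24 are RFC 5737
documentation ranges, and the root/TLD addresses are placeholders).
"""

ROOT_IP = "198.51.100.1"      # stands in for a root server
COM_IP = "198.51.100.2"       # stands in for a .com TLD server
EXAMPLE_NS_IP = "192.0.2.53"  # ns1.example.com


class CircularDependency(Exception):
    """Resolving the name server's address needs that very name server."""


def make_servers(with_glue):
    """Authoritative servers keyed by IP. 'apex' is the zone the server is
    authoritative for, 'rr' maps (owner, type) to a list of rdata."""
    com_rr = {("example.com.", "NS"): ["ns1.example.com."]}
    if with_glue:
        # the glue: an A record for ns1.example.com placed in the com zone
        com_rr[("ns1.example.com.", "A")] = [EXAMPLE_NS_IP]
    return {
        ROOT_IP: {"apex": ".", "rr": {
            ("com.", "NS"): ["a.gtld-servers.example."],    # constructed TLD host
            ("a.gtld-servers.example.", "A"): [COM_IP]}},
        COM_IP: {"apex": "com.", "rr": com_rr},
        EXAMPLE_NS_IP: {"apex": "example.com.", "rr": {
            ("example.com.", "NS"): ["ns1.example.com."],
            ("ns1.example.com.", "A"): [EXAMPLE_NS_IP],
            ("www.example.com.", "A"): ["192.0.2.80"]}},
    }


def _cuts(name):
    """The name and every enclosing zone, longest first:
    www.example.com. -> www.example.com., example.com., com., ."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def query(servers, server_ip, qname, qtype):
    """One question to one authoritative server. Mirrors a real response:
    ("answer", rdata, {}) from the answer section, or
    ("referral", ns_names, glue) where ns_names is the delegation's NS set
    and glue the A records from the additional section, or ("nodata", [], {})."""
    apex, rr = servers[server_ip]["apex"], servers[server_ip]["rr"]
    for cut in _cuts(qname):
        if cut == apex:
            break                          # we own this zone: no delegation applies
        ns_names = rr.get((cut, "NS"))
        if ns_names:
            glue = {ns: rr[(ns, "A")][0] for ns in ns_names if (ns, "A") in rr}
            return ("referral", ns_names, glue)
    if (qname, qtype) in rr:
        return ("answer", rr[(qname, qtype)], {})
    return ("nodata", [], {})


def resolve(servers, qname, qtype, _pending=frozenset()):
    """Start at the root and follow referrals, as a recursive resolver does.
    _pending is the set of name-server names whose address is already being
    looked up; meeting one again means the delegation is circular and the
    parent gave no glue."""
    server_ip = ROOT_IP
    for _ in range(16):                    # bound the walk down the tree
        kind, data, glue = query(servers, server_ip, qname, qtype)
        if kind == "answer":
            return data[0]
        if kind != "referral":
            raise LookupError(f"{qname} {qtype}: no such record")
        ns_name = data[0]                  # a real resolver would try them all
        if ns_name in glue:
            server_ip = glue[ns_name]      # additional section: no extra lookup
        elif ns_name in _pending:
            raise CircularDependency(
                f"to reach {ns_name} I must ask {ns_name} for its own address")
        else:
            server_ip = resolve(servers, ns_name, "A", _pending | {ns_name})
    raise LookupError("too many referrals")


def lookup(with_glue, qname="www.example.com.", qtype="A"):
    """Convenience wrapper: the first rdata, or the circularity error text."""
    try:
        return resolve(make_servers(with_glue), qname, qtype)
    except CircularDependency as exc:
        return f"circular: {exc}"


if __name__ == "__main__":
    print("with glue:   ", lookup(True))
    print("without glue:", lookup(False))
```

Without the glue, the com server's only way to point at ns1.example.com is by name, and asking for that name's address produces the same referral again; with the glue, the address arrives in the additional section and the walk finishes in three queries.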

I hope this is taken the right way, but have a good read at this, particularly the section on "Domain Name Space" (even more specifically, "Domain name formulation").
http://en.wikipedia.org/wiki/Domain_Name_System
It explains the way in which a name is resolved and way, way more.

Related

Defining two sub domains of my domain as nameservers of another domain

Suppose that I own example.com, which is served by my own DNS server, and I can create every record that I want.
Now imagine that one of my friends gets a new domain called new-domain.com and I want to help him manage his domain with his own DNS server.
So in my DNS system for example.com, I create two A records as:
my.ns1.example.com -> some.ip.addr
and
my.ns2.example.com -> some.ip.addr
(some.ip.addr is the ip address of his DNS server)
and ask him to set my.ns1.example.com and my.ns2.example.com as name servers for his domain.
But he cannot set them because he gets an invalid nameserver error!
It's my understanding that because example.com is working properly in the DNS system, and thus my.ns1.example.com and my.ns2.example.com are resolved to the IP address properly, nothing can prevent them from being used as nameservers.
I searched around and found that some people say the nameservers should be registered. I understand registering when we have to ask for setting glue records, but for this case I have no idea why we would need to register those names.
To be more specific, with a real-life example: why is jobs.ns.cloudflare.com a valid nameserver but www.cloudflare.com is not?
I asked the same question on serverfault.com with this link
I quote the important part of the answer here:
From a pure DNS perspective, an authoritative nameserver (such as those for com) should not perform any kind of recursion to learn the IP address of the nameservers that are defined in your example.com zone. Instead, the registry permits registrars to add glue records to the com domain, and those registrars can provide a user interface so that the owners of the domains that these custom nameservers live in can do so. (example: Namecheap - How do I register personal nameservers for my domain?)
(To address the elephant in the room...no, these glue records are not strictly required. But policies are policies, and if the registrar interface requires the registry level glue to be present, you have little choice in the matter.)
While the answer does not answer my updated part of the question, I picked it as the answer and decided to ask another question.
The problem does not lie in the names: my.ns1.example.com and my.ns2.example.com are fine.
The registry, and sometimes even the registrar, normally perform a few checks before approving a nameserver change. If your nameservers are rejected as invalid they are most likely not yet correctly configured for your friend's domain. I mean, the servers at my.ns1.example.com and my.ns2.example.com do not contain the minimum required records for new-domain.com.
That said, the registrar support team should be able to provide more details: if it's them who reject the change they should let you know what part of the automatic tests fails and even provide the test output so you can see by yourself. On the other hand, if they just pass the change to the registry (your friend should see a "operation pending at registry level" notice in his control panel for some time) they could do the extra effort of helping you out by providing hints based on their experience with that particular TLD. That is, if your friend didn't grab a promo offer in the 0.99$-5.99$ a year range for the domain: if he pays them something in the 20$-50$ a year range then he should expect and demand a proper, helpful support. I use one of the cheapest registrars and if my nameserver change gets rejected I still get a full report:
Dear customer,
The registry did not accept the nameservers you tried assigning to
new-domain.com because they did not pass the registry tests. Please
check the report we got from the registry below, fix the errors
and try assigning the nameservers again.
Nameservers Resolvable Test: ERROR
my.ns1.example.com. ERROR Unresolvable host my.ns1.example.com.
my.ns2.example.com. ERROR Unresolvable host my.ns2.example.com.
my.ns3.example.com. OK
my.ns4.example.com. OK
SOAQueryAnswerTest: ERROR
my.ns1.example.com. ERROR java.net.SocketTimeoutException
my.ns2.example.com. ERROR java.net.SocketTimeoutException
my.ns3.example.com. OK
my.ns4.example.com. OK
... ... ...
Update: The OP posted an update saying that as soon as the nameservers were registered with the registry, they were accepted in his friend's control panel. It appears that particular registrar checks for glue records and rejects the nameservers if they have none. This is an unnecessary check because glue records are only needed if the nameservers are within the same domain they serve, as explained in these questions. Registrars usually explain this very clearly or at least mention this above the nameserver change form:
Please note that in most cases the ip address is not required and will actually be ignored. It is only necessary if the nameservers you are entering are sub-domains of the selected domain (also called custom nameservers or vanity nameservers).
We can conclude that the friend's registrar performs an unnecessary blocking test and does not respond to user inquiries in a helpful manner. Since the OP has the following need (citation from his updated post on serverfault):
I need to be able to create dynamic nameservers programmatically and ask my users to enter their specific nameservers for their domains in their registrars.
I warmly recommend he does some research looking for a decent and reasonably priced registrar he can point his customers/friends to in case they have any issues with their current ones.

How do name servers ensure that the server claiming to host a domain is actually operated by that domain?

I recently started using linode to host my site.
Prior to using linode, I normally used hosting offered by my domain registrar. In those cases, I thought I understood how DNS worked, because the registrar automatically updated your DNS records to point to the server hosting the site.
When following Linode's guide to setting up a website: https://www.linode.com/docs/websites/hosting-a-website
Their instructions tell you to set the DNS servers as:
ns1.linode.com
ns2.linode.com
ns3.linode.com
...
But the point I am making is, that ANYONE can open an account on linode, and fill in the same DNS settings! So now anyone trying to access your website, could be directed to someone else who wants to pretend to be your site!
Am I correct in understanding how DNS works ? I know that the only way to ensure (from a visitors perspective) that a site being visited is actually the domain intended is to install a certificate (https) etc. But based on the above instructions, it seems almost trivial to pretend to be someone else, if they also use linode.
I am not an expert on DNS so my answer may be mistaken, but I had the same question so looked into this.
I think your understanding is correct, and this seems to be a problem but apparently it happens rarely in practice so hosting providers (including Linode) aren't doing anything about it.
Here is Ryan Quinn from DigitalOcean (another hosting company that has this problem) answering a similar question:
A domain can only exist on one account so any user attempting to add it would not be able to. Cases where a domain already exists or is hijacked are extremely rare (I've seen 3 cases in 2+ years and in each case it was a former owner of the domain who still had records in place). In these rare cases the user can open a support ticket where we will verify the domain whois information against their billing details to verify ownership.
Here is a question on Information Security Stack Exchange that asks the same thing.
In the case of DigitalOcean, I found a post (HackerNews discussion) of someone describing how they took over around 20,000 inactive domain names that pointed to DigitalOcean's nameservers. I haven't found anything similar for Linode, although I imagine basically the same attack is possible (2020 Update: This actually recently happened to someone I know, where their website got taken over by a spammer after they took down their Linode without changing the DNS settings to stop pointing to Linode).
Amazon Route 53 seems to use randomly generated nameservers (rather than Linode/DigitalOcean's constant ns1.linode.com etc.) to make this attack highly unlikely to succeed.
Apparently some other services (Google Apps?) "verify domain ownership by requiring the domain owner to add a TXT record to their domain with a special code."
So what? Someone may use the same DNS servers. But they can't register for the same domain. Once you have registered for example.org, you own that domain and nobody else will be able to register for it.
You have registered for example.org and use the following DNS configuration at Linode:
Domain | Nameserver
-------------------+---------------------
example.org | ns1.linode.com
example.org | ns2.linode.com
... | ...
An "evil hacker" may have registered evil-hacker.com and uses this configuration:
Domain | Nameserver
-------------------+----------------------
evil-hacker.com | ns1.linode.com
evil-hacker.com | ns2.linode.com
... | ...
example.org | ns1.linode.com << Those are the lines that bug you, right?
example.org | ns2.linode.com
For simplicity's sake let's say that the IP of your site is 1.1.1.1 and the IP of the evil hacker's site is 2.2.2.2. You are worried that because the "hacker" used the same DNS configuration, your site example.org might resolve to 2.2.2.2, right?
This is what happens, when I try to resolve example.org:
I connect to the DNS root servers to find out which nameserver is responsible for the org top-level domain.
I connect to the nameserver of the org top-level domain and ask it for the IP address of example.org. The org nameserver is managed by your domain registrar. It will look up the information you entered and tell me to look at one of the linode nameservers.
I connect to ns1.linode.com and ask it for the IP address of example.org. Linode knows which IP your site has and answers me with 1.1.1.1.
In the above process, I will never see evil-hacker.com or 2.2.2.2. Since our evil hacker (hopefully) can't control the DNS root servers, the nameserver of the org top-level domain or the Linode nameservers, all DNS requests for your site will be answered by "trusted" name servers.
However, a hacker might intercept DNS traffic from my particular machine. He might install malware that always resolves example.org to his IP address 2.2.2.2 (e.g. /etc/hosts) or compromise my network router. So using an SSL certificate for your site is still a good idea :).
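The two answers above disagree about what actually protects example.org, and both points can be put into code. The block below is an added example, not code from either answer and not how Linode or DigitalOcean implement anything: a model of a provider whose customers all share the same nameserver names. It shows the "one zone per name" rule that stops a second account from serving example.org while the zone exists, the dangling-delegation case from the first answer (zone deleted, registry still pointing at the provider), and a check that lists such delegations. Provider names, accounts, domains and addresses are constructed.

```python
"""Model of a hosting provider whose customers all use the same
ns1/ns2 names. It shows why a second account cannot "also" serve
example.org, and how a delegation left pointing at the provider after
the zone is deleted lets someone else serve it (the dangling-delegation
takeover the answer above mentions).

Added example; not code from the original posts, and not how Linode or
DigitalOcean actually implement anything. Provider names, accounts,
domains and addresses are constructed (192.0.2.0/24 and 203.0.113.0/24
are documentation ranges).
"""

PROVIDER_NS = ("ns1.provider.example.", "ns2.provider.example.")  # constructed


class ZoneExists(Exception):
    """The provider already serves this zone for another account."""


class HostedDNSProvider:
    """All zones sit behind the same nameserver names. The server selects a
    zone by the name in the question, never by who configured it, so the
    only thing keeping accounts apart is 'one zone per name'."""

    def __init__(self):
        self._zones = {}  # zone name -> {"account": str, "rr": {(owner, type): rdata}}

    def create_zone(self, account, zone):
        if zone in self._zones:
            raise ZoneExists(f"{zone} is already on account {self._zones[zone]['account']}")
        self._zones[zone] = {"account": account, "rr": {}}

    def set_record(self, account, zone, owner, rtype, rdata):
        entry = self._zones[zone]
        if entry["account"] != account:
            raise PermissionError(f"{account} does not own {zone}")
        entry["rr"][(owner, rtype)] = rdata

    def delete_zone(self, account, zone):
        if self._zones[zone]["account"] != account:
            raise PermissionError(f"{account} does not own {zone}")
        del self._zones[zone]

    def has_zone(self, zone):
        return zone in self._zones

    def answer(self, qname, qtype):
        """What ns1.provider.example would answer; None stands for REFUSED
        (the server is not authoritative for any enclosing zone)."""
        labels = qname.split(".")
        for i in range(len(labels) - 1):
            zone = ".".join(labels[i:])
            if zone in self._zones:
                return self._zones[zone]["rr"].get((qname, qtype))
        return None


def dangling_delegations(registry_ns, provider):
    """registry_ns: {domain: NS names published by the TLD}. Returns domains
    delegated to the provider that it no longer hosts a zone for; whoever
    creates that zone on the provider gets served for the domain."""
    return sorted(domain for domain, ns in registry_ns.items()
                  if set(ns) & set(PROVIDER_NS) and not provider.has_zone(domain))


def takeover_scenario():
    """Walks through: exclusive zone, owner deletes zone but not the
    delegation, attacker re-creates the zone. Returns what each step showed."""
    provider = HostedDNSProvider()
    provider.create_zone("alice", "example.org.")
    provider.set_record("alice", "example.org.", "example.org.", "A", "192.0.2.1")
    try:                                   # the "evil hacker" tries the same name
        provider.create_zone("mallory", "example.org.")
        blocked = False
    except ZoneExists:
        blocked = True
    before = provider.answer("example.org.", "A")

    # Alice takes her server down and deletes the zone, but the registry
    # still delegates example.org. to ns1/ns2.provider.example.
    provider.delete_zone("alice", "example.org.")
    registry_ns = {"example.org.": PROVIDER_NS, "evil-hacker.com.": PROVIDER_NS}
    provider.create_zone("mallory", "evil-hacker.com.")
    dangling = dangling_delegations(registry_ns, provider)

    provider.create_zone("mallory", "example.org.")   # now nothing stops it
    provider.set_record("mallory", "example.org.", "example.org.", "A", "203.0.113.66")
    after = provider.answer("example.org.", "A")
    return blocked, before, dangling, after


if __name__ == "__main__":
    blocked, before, dangling, after = takeover_scenario()
    print("second account blocked while zone exists:", blocked)
    print("answer before deletion:", before)
    print("dangling delegations:", dangling)
    print("answer after takeover:", after)
```

The practical lesson is the one the first answer's 2020 update hints at: the registry delegation and the provider's zone must be removed together. A periodic run of something like `dangling_delegations` over the domains you own, with the NS set taken from the TLD rather than from the provider's panel, catches the gap before someone else does.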

How do other DNS servers find mine?

I'm trying to learn as much as possible about DNS, and so far I've read most of:
http://www.zytrax.com/books/dns/ch8/soa.html
and all of:
http://computer.howstuffworks.com/dns.htm
I understand that SOA and NS records contain info about the authoritative name server for a domain, but as these are just DNS records, how does the rest of the world even know where to get them?
I assume it starts at the top-level-domain (.COM .NET .ORG, etc) servers. So they must contain a SOA record for my domain? If so, how does that get there? I imagine only registrars like GoDaddy and Network Solutions are able to update those? If they contain a SOA record, why does my DNS server (that I host), need one also? I think there must be something, maybe in the domain registration records (outside of DNS?), that I'm missing.
I think I've got a pretty good understanding of most parts of the DNS system, after reading lots of articles.. but I haven't found any that answer this part, in a way that I understand it.
For example, GoDaddy and Network Solutions both let me change different options (in their web UI) to "host my own DNS server". If these options remove them from the process, so DNS servers never need to query them again, and instead query my server directly (this is what I want, no dependency on GoDaddy/NS)... when I make these changes, what (at the DNS level or otherwise) is GoDaddy/NS doing? Are they asking the top-level-domain servers to update some DNS records for my domain?
Short answer is yes. GoDaddy will take care of updating the TLDs for you. Your other assumptions are also correct except for one small detail...
DNS starts with the "root" domain and then goes to the TLDs (top level domains).
www.somedomain.com. actually breaks down like this:
. The root name servers
com - The TLD name servers
somedomain - Your NS servers
www - The host portion of the dns name.
Setting up your own DNS server is a great way to understand DNS better. Good luck!
So they must contain a SOA record for my domain?
Multiple answers possible, depending on the scenario:
delegated 2nd level:
No; the start of authority of your domain is usually at your level, so the SOA for you.cf is (only) in your nameservers. Same as the SOA for .cf is only in the nameservers of .cf, and not in the root-servers. In case your nameservers are within the same domain (i.e. ns1.you.cf in case of you.cf) then glue records are needed. This means that the registry that's operating the TLD's nameservers will insert an A and/or AAAA record with the IP of ns1.you.cf in the TLD zone. Normally you (the registrant) set this in the interface of your registrar.
undelegated 3rd level:
No; if your domain was sub.you.cf - but sub.you.cf wasn't delegated (no NS records exist for sub.you.cf) then the SOA is probably at you.cf. Unless...
undelegated 2nd level:
Yes; if you register a domain without having it delegated (no NS records exist for you.cf) then the SOA is at the .cf nameservers. Although most registries run delegation-only zones, some don't. Example: when you use url-fwd'ing in .cf. The SOA then is at the cf level.

Creating a nameserver pointing to another nameserver... is it slower?

I'm creating a project on Microsoft Azure. We only get a nameserver instead of an IP address. Since I have multiple domains pointing to Azure, I would like to redirect all my domains to a nameserver that is redirecting to Azure. This way, if Azure changes my nameserver, I'll only have to change one nameserver instead of changing it for all my domains.
However, is it a bad practice to create a nameserver pointing to another nameserver. Is it slower to resolve the IP address ?
Thank you !
I guess you mean having NS records point to a CNAME record?
It's not allowed. However, it usually works. Doing this has always been discouraged but the original DNS specification was never perfectly clear about it.
RFC 2181 clarifies that it is not allowed, and RFC 1912 is relevant too. This ServerFault question contains more details and is where I found the references to those two RFCs.
Nonetheless, it "usually" works (but I wouldn't recommend doing it). In answer to your question, yes, it will be slightly slower (there's an extra name that must be resolved) but not significantly, and resolvers will cache everything after the first time anyway.

Can the authoritative NS be the same as the domain served?

Let's say I have a server (DNS and other), myserver.com. Now I register a domain, mydomain.com, and set its NS at the registrar to myserver.com - it is therefore the authoritative server, if there is any such thing.
In the authoritative records for mydomain.com, can I set the NS to ns.mydomain.com?
I have two domains set up like that, one works, the other one seems reluctant to propagate. So I'm wondering if there is something wrong with that - I mean how can you resolve the name of the NS when you need to resolve the name of the NS to resolve the name of the NS...
And, if yes, how come parallels plesk sets them automatically in this way?
Ps: there is an A record for ns.mydomain.com on that same server, pointing to the proper IP
There's a solution for this problem - it's called "glue records", i.e. A records hosted in the parent zone that contain the IP addresses of the name servers.
See http://en.wikipedia.org/wiki/Domain_Name_System#Circular_dependencies_and_glue_records
Why would you want to set the NS record for the "mydomain.com":
to "myserver.com" in the delegation record that goes into the parent zone (com.), but
to "ns.mydomain.com" at the zone apex (inside the mydomain.com. zone)
? This creates an inconsistency (two different DNS servers answer the same question with two different answers) without any apparent benefit. You should try to help the DNS system as a whole issue consistent answers.
Unless you have a good reason to make the DNS inconsistent, you should decide what the correct, canonical name for your nameserver is, and publish that name in the NS record both in the delegation and at the zone apex for "mydomain.com".
That being said, it will still work:
If a recursive resolver which does not yet know anything about "mydomain.com" asks about it, it will be told by the gTLD servers to go look at "myserver.com". The gTLD will also issue A and AAAA glue records to help find "myserver.com", but even if they don't, you have A and AAAA records for "myserver.com" in the "myserver.com" zone file (right?).
If a recursive resolver wants to refresh its cache for the "mydomain.com" NS record, it may query the authoritative server it already knows about. This server will answer that the nameserver is "ns.mydomain.com", with a glue record. This is different from what it had in its cache before, but ultimately it will map to a server with the same IP address.
As for "parallels plesk", I know nothing about that.
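The checks a registry runs before accepting a nameserver change (the "Nameservers Resolvable" and "SOAQueryAnswer" tests in the report quoted in the "two sub domains as nameservers" answer earlier on this page) and the parent/apex consistency the answer above asks for can be expressed as one small test suite. The block below is an added example, not code from either answer and not any registry's real test suite: it runs those checks over constructed data for both situations, the friend's new-domain.com with two nameservers that have no A record yet, and mydomain.com delegated to myserver.com while its apex says ns.mydomain.com without glue. Names, servers and addresses are invented.

```python
"""Pre-delegation checks of the kind a registry runs before it accepts a
nameserver change (the "Nameservers Resolvable" and "SOAQueryAnswer" tests
in the report quoted in the "two sub domains as nameservers" answer), plus
the parent/apex NS consistency and glue checks the last answer argues for.

Added example; not the original posts' code and not any registry's real
test suite. Names, servers and addresses are constructed (192.0.2.0/24 and
198.51.100.0/24 are documentation ranges).
"""


def in_bailiwick(ns_name, domain):
    """True when the nameserver's name is inside the domain it serves
    (ns.mydomain.com. for mydomain.com.); the parent then needs glue."""
    return ns_name.endswith("." + domain)


def check_delegation(domain, parent_ns, parent_glue, address_of, servers):
    """
    domain       zone being delegated, e.g. "new-domain.com."
    parent_ns    NS names the parent (TLD) zone will publish for it
    parent_glue  {ns_name: ip} glue A records the parent publishes
    address_of   {ns_name: ip} what the public DNS resolves each name to
                 (a table standing in for real lookups)
    servers      {ip: {zone: {(owner, type): rdata}}} what each server serves
    Returns [(test, subject, status)] in the order the tests ran.
    """
    out = []
    apex_ns_seen = set()
    for ns in parent_ns:
        ip = parent_glue.get(ns) or address_of.get(ns)
        if ip is None:
            out.append(("Resolvable", ns, f"ERROR unresolvable host {ns}"))
            out.append(("SOAQueryAnswer", ns, "ERROR not queried (unresolvable)"))
            continue
        out.append(("Resolvable", ns, "OK"))
        zone = servers.get(ip, {}).get(domain)
        if not zone or (domain, "SOA") not in zone:
            out.append(("SOAQueryAnswer", ns, f"ERROR {ip} not authoritative for {domain}"))
            continue
        out.append(("SOAQueryAnswer", ns, "OK"))
        apex_ns_seen |= set(zone.get((domain, "NS"), []))
    # The NS set inside the zone should match what the parent publishes.
    if apex_ns_seen and apex_ns_seen != set(parent_ns):
        out.append(("NSConsistency", domain,
                    f"ERROR apex NS {sorted(apex_ns_seen)} != parent NS {sorted(parent_ns)}"))
    elif apex_ns_seen:
        out.append(("NSConsistency", domain, "OK"))
    # Any in-bailiwick nameserver, on either side, needs glue in the parent.
    for ns in sorted(set(parent_ns) | apex_ns_seen):
        if in_bailiwick(ns, domain) and ns not in parent_glue:
            out.append(("Glue", ns, f"ERROR {ns} is inside {domain} but the parent has no glue"))
    return out


def errors(results):
    return [r for r in results if r[2].startswith("ERROR")]


def friend_scenario():
    """my.ns1/my.ns2.example.com. have no A record yet; ns3/ns4 are set up."""
    ip = "198.51.100.10"
    names = ["my.ns%d.example.com." % i for i in (1, 2, 3, 4)]
    servers = {ip: {"new-domain.com.": {
        ("new-domain.com.", "SOA"): "my.ns3.example.com. hostmaster.example.com. 1 3600 900 604800 300",
        ("new-domain.com.", "NS"): names}}}
    address_of = {"my.ns3.example.com.": ip, "my.ns4.example.com.": ip}
    return check_delegation("new-domain.com.", names, {}, address_of, servers)


def mydomain_scenario(consistent=False):
    """Parent says myserver.com., but the mydomain.com. apex says
    ns.mydomain.com. and nobody put glue for it in the com. zone.
    With consistent=True the parent publishes ns.mydomain.com. plus glue."""
    ip = "192.0.2.7"
    servers = {ip: {
        "myserver.com.": {("myserver.com.", "SOA"): "myserver.com. hostmaster.myserver.com. 1 3600 900 604800 300",
                          ("myserver.com.", "A"): ip},
        "mydomain.com.": {
            ("mydomain.com.", "SOA"): "ns.mydomain.com. hostmaster.mydomain.com. 1 3600 900 604800 300",
            ("mydomain.com.", "NS"): ["ns.mydomain.com."],
            ("ns.mydomain.com.", "A"): ip}}}
    address_of = {"myserver.com.": ip}
    if consistent:
        return check_delegation("mydomain.com.", ["ns.mydomain.com."],
                                {"ns.mydomain.com.": ip}, address_of, servers)
    return check_delegation("mydomain.com.", ["myserver.com."], {}, address_of, servers)


if __name__ == "__main__":
    for title, results in (("new-domain.com.", friend_scenario()),
                           ("mydomain.com.", mydomain_scenario()),
                           ("mydomain.com. (fixed)", mydomain_scenario(consistent=True))):
        print(title)
        for test, subject, status in results:
            print(f"  {test}: {subject} {status}")
```

For new-domain.com the output mirrors the quoted registry report: ns1 and ns2 fail "Resolvable" (and so cannot be queried for the SOA), ns3 and ns4 pass. For mydomain.com the only failures are the NS inconsistency and the missing glue, which is exactly the pair of problems the answer above predicts; publishing ns.mydomain.com in both places with glue clears them.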
