Networking – How to do full A-Record resolution from root DNS servers

dnsnetworking

I have a hypothetical situation that I've been unable to find any real answer to. Imagine we have a computer that has never been on the internet. The computer is also on a network where no DNS service is provided. Lets also pretend that things like google public DNS don't exist.

Now let's assume that the only thing this computer has is the root DNS servers' names and resolved addresses, like so.

Now this computer wants to know the IP address of say, superuser.com. How, with only having the IP addresses of root servers, does the computer work through queries to a root server in order to wind up with the resolved A-record of superuser.com?

I've made attempts but I always wind up in a place where I need to use an existing DNS server that I know of to resolve an A-Record. For example if I open command prompt and start trying to resolve google.ca (against a root server), I wind up with:

Served By:

ns1.google.com

google.ca

ns2.google.com

google.ca

… and so and and so forth. So basically at this point, I have to resolve nsX.google.com in order to query it to get the A-record for google.ca, however, given the scenario, I don't have a server I can to query for the address of nsX.google.com. If I attempt to resolve ns1.google.com back from the root server, I wind up in the same place.

Short version: How the hell do I resolve the A-Record for a domain without using any other information except what is provided to me by a root server? Thanks in advance. 🙂

Best Answer

Your situation is not unusual the slightest bit; every time a full-featured recursive resolver is started – such as BIND9 or Unbound, even the copy I've running on my laptop – it starts with just a list of root zone 'hints', and descends from there all by itself.

(You said "Imagine a world where Google Public DNS doesn't exist". Ever wonder how Google Public DNS itself resolves all domain names?)

But replies to DNS queries can have more than just a straight answer. Specifically, if a domain's authoritative name servers are in the same domain, then a copy of their addresses – aka, glue records – will be held by the parent domain as well.

So when you query the com. name servers for www.google.com, they don't just say that it's hosted by ns1.google.com, but also give you the IP addresses of ns1.google.com in the same reply message!

In fact, you should have already hit this earlier, with the com. top-level domain. When you query the root name servers – they will tell you that all of com. is hosted by m.gtld-servers.net. and they will give you its IP address. You can see for yourself that the root zone file holds this information.

For example:

$ dig @198.41.0.4 www.google.com. A
;; opcode: QUERY, status: NOERROR, id: 61096
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 16

;; QUESTION SECTION:
;www.google.com.            IN  A

;; AUTHORITY SECTION:
com.            172800  IN  NS  m.gtld-servers.net.
com.            172800  IN  NS  l.gtld-servers.net.
com.            172800  IN  NS  k.gtld-servers.net.
...

;; ADDITIONAL SECTION:
m.gtld-servers.net. 172800  IN  A   192.55.83.30
l.gtld-servers.net. 172800  IN  A   192.41.162.30
k.gtld-servers.net. 172800  IN  A   192.52.178.30
...

Continuing with one of the com. name servers:

$ dig @192.55.83.30 www.google.com. A
;; opcode: QUERY, status: NOERROR, id: 46406
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 5

;; QUESTION SECTION:
;www.google.com.            IN  A

;; AUTHORITY SECTION:
google.com.     172800  IN  NS  ns2.google.com.
google.com.     172800  IN  NS  ns1.google.com.
google.com.     172800  IN  NS  ns3.google.com.
google.com.     172800  IN  NS  ns4.google.com.

;; ADDITIONAL SECTION:
ns2.google.com.     172800  IN  A   216.239.34.10
ns1.google.com.     172800  IN  A   216.239.32.10
ns3.google.com.     172800  IN  A   216.239.36.10
ns4.google.com.     172800  IN  A   216.239.38.10

Continuing with one of the google.com. name servers:

$ dig @216.239.34.10 www.google.com. A
;; opcode: QUERY, status: NOERROR, id: 7744
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.            IN  A

;; ANSWER SECTION:
www.google.com.     300 IN  A   173.194.32.50
www.google.com.     300 IN  A   173.194.32.49
www.google.com.     300 IN  A   173.194.32.52
www.google.com.     300 IN  A   173.194.32.48
www.google.com.     300 IN  A   173.194.32.51

We finally received an authoritative answer (aa) for the same name we asked for.

Related Solutions

Networking – How do preferred and alternate or multiple DNS servers work

The answer is certainly operating system-specific in the sense that nothing is preventing a certain operating system from behaving differently. There is nothing necessary about DNS client querying of multiple servers that would prevent an operating system implementation from treating DNS queries differently than I'm describing here.

That said, the example of how Linux looks up DNS names should be representative of how most operating systems in common use today do it.

Here is a good post describing the behavior in detail, as well as a way to set up something like what you've asked for.

The general idea is that, by default, secondary/tertiary DNS servers are only used in sequence if the primary DNS server times out or points to a non-routable IP address. Even if the primary DNS server says "that domain does not resolve", it will not move on to ask the next nameserver. It treats any valid response to the query as a reason not to move to the next DNS server in the list.

One possible sane way of setting it up so that local addresses will resolve first, but still use Google DNS or OpenDNS instead of your ISP's DNS server, is to configure your router or LAN box (whichever box is the Internet gateway) to use 8.8.8.8 as its primary nameserver. Of course, the gateway box should itself be running a nameserver, and should be configured to answer DNS queries for local hostnames on the private subnet -- but if it fails to resolve against the local subnet, it should immediately punt to Google DNS. This is kind of the best of both worlds.

Another way to do it is to set up different nameservers for different network interfaces. Windows lets you do that by default; the article in the link above describes a way to do it by configuring the BIND9 DNS server implementation using the forward and forwarders directives.

How DNS Servers Work – Comprehensive Guide

Your computer has a list of DNS servers that it can query for further information. On a unix or linux system, this is stored in /etc/resolv.conf. In Windows, it's configurable in your network settings. Often, your DNS server will be supplied by your DHCP server, possibly along with other settings like default domain, proxy servers, etc.

The location of the DNS server you use doesn't matter much. As long as your computer has an IP address and a working default route (i.e. you can ping the DNS server), you should be able to make DNS queries.

DNS servers don't have to know "all" domains. They only need to know who is "authoritative", which it learns from a set of "root" servers. Each DNS server has a list of "root" servers, and this list changes infrequently. On one of my DNS servers, there are 18 root servers configured, and this configuration came when I installed the DNS server two years ago, and if the list of root servers has changed since then, enough of them are accessible that I haven't noticed it.

My DNS server, when asked to resolve a domain it doesn't know, makes a query to a root server to find out what other DNS server is authoritative for the domain. The response it gets may contain additional "NS" records and be marked non-authoritative, in which case my DNS server knows that it has to "follow the chain" and make a new query to a new server. Eventually, it finds a DNS server that provides authoritative information, and queries can be made that are not just NS records. A (address) and MX (mail exchange) are of course the two most common.

Each TLD (top-level domain) like COM, NET, ORG, CA, UK, etc maintains its own registry of subdomains. (A "subdomain" is any domain within another domain, so "example.com" is a subdomain within "com", and "com" is even a subdomain within ".", the "root".) The rules for each registry apply only to the TLD it administers -- that is, there's a completely different set of criteria for each country-code TLD, and the "generic" TLDs are administered by different organizations with different policies. But they all maintain DNS servers for their TLD, which, from a command line, you can see using basic DNS query tools:

[ghoti@pc ~]$ host -t ns ca.
ca name server c.ca-servers.ca.
ca name server e.ca-servers.ca.
ca name server z.ca-servers.ca.
ca name server a.ca-servers.ca.
ca name server f.ca-servers.ca.
ca name server sns-pb.isc.org.
ca name server j.ca-servers.ca.
ca name server k.ca-servers.ca.
ca name server tld.isc-sns.net.
ca name server l.ca-servers.ca.
[ghoti@pc ~]$ host -t ns info
info name server c0.info.afilias-nst.info.
info name server d0.info.afilias-nst.org.
info name server b2.info.afilias-nst.org.
info name server b0.info.afilias-nst.org.
info name server a2.info.afilias-nst.info.
info name server a0.info.afilias-nst.info.
[ghoti@pc ~]$

When you buy a domain from a registrar (of which there are many), that registrar submits information about the domain to the registry (of which there is just one per TLD). It is the responsibility of each registry to maintain the list of registered domains within their TLD, and maintain the DNS servers that provide this info to other servers.

Best Answer

Related Solutions

Networking – How do preferred and alternate or multiple DNS servers work

How DNS Servers Work – Comprehensive Guide

Related Question