"Steven T. Hatton" wrote:
On Thursday 15 February 2001 03:52, Victor R. Cardona wrote:
On Thu, Feb 15, 2001 at 01:13:10AM -0500, Steven T. Hatton wrote:
In summary, my first question is as follows: what is the default behavior of the clients and DNS servers within my zone with respect to resolutions which go outside of my zone?
Clients are dumb. They can only query a server, and wait for an answer. If the server that was queried cannot provide an answer then the query fails, and the client assumes that the domain does not exist.
The server must do all of the work for a client. When a server receives a query, it goes out and queries as many other name servers as needed in order to resolve a domain name. A DNS server first checks its cache for the answer. If the answer is not in cache, or in its authoritative data, then the server queries the root nameservers. Then it queries the TLD name servers, followed by the servers for the specified domain, and so on until it finds the answer. It caches all of this data, but only returns the final IP address to the client.
Next time a client queries the server for the same address, the server can respond from cache.
The "forwarders" option in named.conf changes the default behavior above. Basically, if you include a list of servers with the forwarding option, then the server will query them for the answer. The server starts by looking in its cache and authoritative data. If the answer is not there it queries the forwarders. They then do all of the work, and just return the answer to your nameserver. If the forwarders are not available for some reason, then your server falls back on the default behavior that I outlined above.
Finally, there is the "forward-only" option. If this is set, your nameserver will act as a "caching only" nameserver. However, it will not fall back into default behavior if the forwarders are not available. If the forwarders are not available, the query fails.
My second question is something I believe I should know the answer to, but I have never understood it. This is the 168.117.138.0/24 notation. I believe /24 means the same as a net mask of 255.255.255.0; the 24 indicates the number of bits, counting from the left, which are masked. 255.255.255.0 base 10 = 11111111.11111111.11111111.00000000, which has 24 '1's. Is this correct?
That is correct.
HTH, Victor Cardona
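An added example, not code from the thread or from BIND: a toy model of the lookup order Victor describes (cache, then authoritative zone data, then forwarders, then iterative resolution from the root unless "forward only" is set). The zone name comes from Steven's message; the host names, addresses and the "outside" table are constructed.

```python
# Toy model of a forwarding/caching name server's decision order. Constructed
# example; the forwarder address and the 'outside' table are made up.

def _labels(name):
    """Split 'www.example.net.' into ['www', 'example', 'net']."""
    return [l for l in name.rstrip(".").split(".") if l]

class ToyResolver:
    def __init__(self, zone, authoritative, forwarders=(), forward_only=False,
                 forwarders_up=True, outside=None):
        self.zone = zone.rstrip(".")
        self.authoritative = authoritative       # records this server owns
        self.forwarders = list(forwarders)
        self.forward_only = forward_only
        self.forwarders_up = forwarders_up       # simulated reachability
        self.outside = outside or {}             # what the rest of the DNS knows
        self.cache = {}
        self.trace = []                          # steps taken by the last lookup

    def resolve(self, name):
        self.trace = []
        name = name.rstrip(".")
        if name in self.cache:
            self.trace.append("cache")
            return self.cache[name]
        # Names inside our own zone are answered from authoritative data; a
        # missing record is a definitive "no such name", not a reason to ask the root.
        if name == self.zone or name.endswith("." + self.zone):
            self.trace.append("authoritative")
            return self.authoritative.get(name)
        if self.forwarders:
            if self.forwarders_up:
                self.trace.append("forwarders")
                return self._remember(name, self.outside.get(name))
            if self.forward_only:
                self.trace.append("forwarders unreachable: forward only, query fails")
                return None
            self.trace.append("forwarders unreachable: falling back to recursion")
        # Iterative resolution: root -> TLD servers -> the domain's own servers.
        labels = _labels(name)
        self.trace.append("root")
        self.trace.append("tld:" + labels[-1])
        self.trace.append("domain:" + ".".join(labels[-2:]))
        return self._remember(name, self.outside.get(name))

    def _remember(self, name, answer):
        if answer is not None:
            self.cache[name] = answer
        return answer
```

Inspecting `trace` after each lookup shows which of the four paths answered it, and that a lookup inside the local zone never leaves the server.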
Victor,
This clarifies things for me once again. :-) Now I understand the meaning of the paragraph I was confused by. The use of forwarders would allow the network administrator to "focus" all DNS traffic to the forwarders in the list. The concern was not for the behavior of the end-clients, rather it was for the internal DNS servers. If they attempted to query in the default manner, they would be trying to hit an undetermined number of different IP Addresses.
One thing I'm still not clear on. You said "If the answer is not in cache, or in its authoritative data, then the server queries the root nameservers." Does that mean my system reaches out to the highest level name server in my root domain? I had always thought there was some kind of recursive process taking place by default. Now it looks as though this type of recursion must be explicitly configured. As an example, I configure my internal network to mynet.bellatlantic.net. (Bellatlantic's DNS knows nothing about my network, however - but that's a special case.) If I don't set a forwarders list, my DNS will jump directly to the root server for .net? This is how I am understanding things now. That makes me think the root servers are getting an unnecessarily high level of traffic. Perhaps it's just a few lightweight hackers like me who are being this reckless, and real network admins have things configured correctly.
Is this perception correct? Do I burden the root of .net every time I get a cache miss?
Nope - although you may not have the particular internal IP address in your cache, you are the 'authoritative' server for your domain. Assuming you have appropriate DNS records for the boxes on your network, a lookup for their IP address will take its result from your 'authoritative' data. Not sure I've explained that clearly, but let me know... Bye, Chris -- Chris Reeves, ICQ# 22219005