Tuesday, April 3, 2018

domain name system - Why send authoritative nameserver in DNS?



Out of curiosity, I'm checking the Wireshark DNS packets. I can see that there's a DNS query from the host, and then DNS response from the DNS server. Everything is just as expected.



However, if you further check in the query, you can see that the server also sends the NS (authoritative name server). My question is: why?

As a host, I only care about the IP. That's the main point of DNS, to resolve a name into an IP address.



Why, as a host, would I need the NS info?


Answer



Traditionally name servers don't send a short response to a query but an RFC 1034-1035 compliant full response which includes the authority section that contains Resource Records that point toward the authoritative name server(s).



The why is probably because with the distributed and delegated nature of DNS it seemed a good idea at the time to include the "source of truth" in responses.



Edit: By the way: sending the authority section is RFC compliant but not mandatory for all query responses.

In BIND this behaviour can be tuned with the minimal-responses yes | no; directive, where the default is no and the Authority and Additional sections of the query response will always be fully populated.
Other name servers (CloudFlare, AWS Route 53, Infoblox and probably others) will already always send such minimal responses by default. Google's public resolvers will return an Authority section when available, Cloudflare.

I think the origin of that tradition to include the authority section as well as the actual query response finds its root in the (pseudo) code from the now obsolete RFC 882, pages 15-16:


If the name server is not authoritative, the code copies the RRs for a closer name server into the response.


The last section of the code copies all relevant RRs into the response.
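As an added illustration (not part of the question or the answer above): a small Python parser that splits a DNS reply into the header flag and the four RFC 1035 sections the answer talks about, run on a constructed reply for example.com. The message bytes, the ns1 name and the 192.0.2.x addresses are made up for the example; the second constant shows the same reply stripped down the way a minimal-responses yes server would send it.

```python
import struct
def read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, offset after it)."""
    labels = []
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:                 # ordinary label
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    if msg[off] == 0:                                                 # root label ends the name
        return ".".join(labels) + ".", off + 1
    ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF          # compression pointer
    rest, _ = read_name(msg, ptr)                                     # follow it; pointer is 2 bytes
    return (".".join(labels) + "." + rest if labels else rest), off + 2

def read_rrs(msg, off, count):
    """Decode `count` resource records from `off`; A and NS rdata are made human readable."""
    rrs = []
    for _ in range(count):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = (".".join(map(str, msg[off:off + 4])) if rtype == 1 else          # A: IPv4
                 read_name(msg, off)[0] if rtype == 2 else msg[off:off + rdlen])  # NS / raw
        rrs.append((name, rtype, ttl, rdata))
        off += rdlen
    return rrs, off

def parse_response(msg):
    """Split a DNS message into its AA flag and the four sections of RFC 1035 4.1."""
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        questions.append((qname, struct.unpack("!H", msg[off:off + 2])[0]))
        off += 4                                                      # QTYPE + QCLASS
    answer, off = read_rrs(msg, off, an)
    authority, off = read_rrs(msg, off, ns)
    additional, off = read_rrs(msg, off, ar)
    return {"aa": bool(flags & 0x0400), "question": questions, "answer": answer,
            "authority": authority, "additional": additional}
# Constructed sample, not a capture: an authoritative reply for example.com with answer, authority (NS)
# and additional (glue) sections all populated, as BIND sends with its default minimal-responses no.
# 192.0.2.0/24 is the documentation range; 0xC00C is a pointer to the question name at offset 12.
FULL = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 1, 1)            # QR=1 AA=1; 1/1/1/1 records
        + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)         # question: example.com A IN
        + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
        + b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 3600, 6) + b"\x03ns1\xc0\x0c"
        + b"\xc0\x39" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1]))
# The same answer with minimal-responses yes: NSCOUNT and ARCOUNT are 0 and those sections are absent.
MINIMAL = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + FULL[12:45]
```

Running parse_response on both constants shows that the host's answer (the A record) is identical; only the authority and additional sections differ.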

