Overview

At its simplest, DNS is a means of looking up URLs (Uniform Resource Locators), like www.amfes.com, and determining the IP address associated with each.  This is a "standard" DNS lookup or query.  The process also works in reverse - by querying with an IP address and determining the URL associated with it.  This is known as a reverse lookup or query.

  1. Are reverse lookups necessary?

    Short answer - yes.

  2. Can there be more than one URL associated with an IP address?

    Short answer - yes.

One common point of confusion for novice system administrators is how DNS servers work.  DNS servers can be classed into two categories - authoritative and caching.  Authoritative servers contain a fixed list of records, and are given "authority" for a particular domain hierarchy or IP subnet, e.g. amfes.com or 192.168.0.0/255.255.255.0.  Authoritative servers are supposed to be just what their name sounds like - the authority on what names and/or IP addresses are valid within their "zone".

Caching servers, on the other hand, are intended to query authoritative servers for their information - then store it for a period of time.  For most networks, a proper configuration will consist of both an authoritative DNS server and a caching DNS server.  Caching servers are configured with a list of zones - and a list of other servers to query for zone information.  The other servers are not necessarily authoritative servers - but they are at least assumed to know another server to query in turn for that zone.

Now, a slight diversion from DNS servers is in order to talk about "resolvers".  Resolvers are the means by which individual workstations and servers look up DNS information.  A resolver is configured with a list of one or more DNS servers, which it queries in turn when searching for a DNS response.  Under Microsoft Windows, the resolver is configured in the TCP/IP settings, by the "primary DNS" and "secondary DNS" fields.  Under Linux, the resolver is typically configured in the /etc/resolv.conf file.  One of the most common misunderstandings about DNS occurs right here.

A "no record found" is a VALID DNS response!

DNS, like many other Internet services, is intended to have redundant backup servers.  The key is that word - "redundant".  To be redundant, the backup server(s) need to have the same information as the primary server.  Backup or alternate DNS servers are considered, by the resolver, to be functionally identical to the primary DNS server - the only time the backups are queried is if the primary cannot be located.  Understanding this is critical to having a proper DNS configuration for your network.

When a resolver queries a DNS server - it expects an answer.  A resolver does not have a list of zone/server mappings - it just has a list of servers that are supposed to be equivalent.  And each of those servers is supposed to be all-knowing, all-seeing regarding all DNS queries relevant to that resolver.  That means every possible IP address, every possible domain name, every possible URL must be known - or reachable - by those DNS servers.  For workstations trying to access the Internet - that includes the whole Internet!

So, to be clear - workstation resolvers consider any DNS server supplied in their configuration to be equivalent - and if they're not, then you're going to have problems.

So what does this mean to a network administrator who wants to have a DNS server for their own LAN - and still have workstations able to reach the Internet?

You will need at least one authoritative server for your LAN.  That server will have at least two zones defined - one for your textual domain name, and one for the reverse lookup IP domain.  That's it.

Then, you will need at least one caching server for your LAN.  That server will have at least two server addresses listed for forwarding - the address of your authoritative DNS server, and the address of an Internet DNS server.

Then, all the workstations and servers in your LAN - including both the authoritative and caching server computers - will list your caching server in their resolver's configuration.  And that should be the ONLY server listed in those resolvers!
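The following is an added illustration, not code from this site: a small Python model of the resolver behaviour described above ("no record found" is a valid, final answer, and the next server is tried only when the current one does not respond) and of the recommended layout (one authoritative server, one caching server that forwards per zone, workstations pointing only at the caching server).  The addresses 192.168.0.2, 192.168.0.3, 192.168.0.10 and 203.0.113.53, and the public name www.example.org, are made-up sample values; the amfes.com zone and the 192.168.0.0/24 reverse zone come from the text.

```python
"""Model of stub-resolver semantics and the LAN layout described on the page.

Constructed example: server addresses and the public name are invented.
"""

NXDOMAIN = "NXDOMAIN"   # "no record found": a valid answer, and a FINAL one
UNREACHABLE = None      # the server did not respond at all (timeout)


class Server:
    """Authoritative or Internet server: answers only from its own records."""

    def __init__(self, name, records=None, up=True):
        self.name = name
        self.records = dict(records or {})
        self.up = up

    def query(self, qname):
        if not self.up:
            return UNREACHABLE
        # A name we are authoritative for but do not know is NXDOMAIN, not silence.
        return self.records.get(qname, NXDOMAIN)


class CachingServer(Server):
    """Caching server: forwards each zone to the server listed for it,
    everything else to the Internet server, and remembers the answers."""

    def __init__(self, name, zone_forwarders, default_forwarder):
        super().__init__(name)
        self.zone_forwarders = zone_forwarders   # {zone: Server}
        self.default = default_forwarder
        self.cache = {}

    def query(self, qname):
        if qname in self.cache:
            return self.cache[qname]
        target = self.default
        for zone, server in self.zone_forwarders.items():
            if qname == zone or qname.endswith("." + zone):
                target = server
                break
        answer = target.query(qname)
        if answer is not UNREACHABLE:
            self.cache[qname] = answer
        return answer


def resolve(servers, qname):
    """Resolver semantics from the page: the listed servers are assumed to be
    equivalent, so the resolver moves to the next one only when the current
    one cannot be reached.  Any answer, NXDOMAIN included, ends the search."""
    for server in servers:
        answer = server.query(qname)
        if answer is not UNREACHABLE:
            return answer
    return UNREACHABLE


def build_lan():
    """Authoritative server with a forward and a reverse zone, an Internet
    server, and a caching server that forwards to both (all constructed)."""
    auth = Server("authoritative 192.168.0.2", {
        "www.amfes.com": "192.168.0.10",
        "10.0.168.192.in-addr.arpa": "www.amfes.com",
    })
    internet = Server("internet 203.0.113.53", {
        "www.example.org": "203.0.113.80",
    })
    caching = CachingServer("caching 192.168.0.3",
                            {"amfes.com": auth,
                             "0.168.192.in-addr.arpa": auth},
                            internet)
    return auth, caching, internet


def compare_configs():
    """Resolve three names under a wrong resolver list (authoritative plus
    Internet server, in either order) and under the recommended one."""
    auth, caching, internet = build_lan()
    names = ["www.amfes.com", "www.example.org", "10.0.168.192.in-addr.arpa"]
    configs = {
        "auth+internet": [auth, internet],
        "internet+auth": [internet, auth],
        "caching only":  [caching],
    }
    return {label: {n: resolve(servers, n) for n in names}
            for label, servers in configs.items()}


def failover_when_unreachable():
    """The second server IS consulted when the first is down (timeout),
    which is the only case the backup entry is meant for."""
    auth, _caching, internet = build_lan()
    auth.up = False
    return resolve([auth, internet], "www.example.org")


if __name__ == "__main__":
    for label, answers in compare_configs().items():
        print(label)
        for qname, answer in answers.items():
            print(f"  {qname:30} -> {answer}")
    print("failover when first server is down ->", failover_when_unreachable())
```

Running it shows the failure mode the text warns about: with the authoritative server listed first, every Internet name comes back NXDOMAIN because the authoritative server answers (correctly, from its point of view) that it has no such record, and the resolver never asks the second server; with the Internet server first, the LAN names and the reverse lookup fail the same way.  Only the "caching only" configuration resolves all three, and the backup entry helps only when the first server is actually unreachable.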

Copyright © 2003 AM Fire & Electronic Services, Inc.
Last modified: 06/29/06