What do you know about DNS
Do you know how DNS works?
The other day it turned out that one stupid colleague does not understand how DNS works at all. Moreover, he doesn't want to understand. He used to apply the BIND package when he was a sysadmin. In fairness, he's easier to pity. At first I tried to argue and prove something, but then I realized that "A nod’s as good as a wink to a blind horse".
BIND is both an authoritative and a recursive DNS server.
Unfortunately, because of this, many people do not understand that these are two completely different tasks:
- One is zone maintenance.
- The other is recursive name resolution.
If you want to understand the difference, take a look at the NSD and Unbound servers, or at PowerDNS, which also consists of two components.
About TCP and UDP:
Most DNS [RFC1034] transactions take place over UDP [RFC0768]. TCP [RFC0793] is always used for zone transfers and is often used for messages whose sizes exceed the DNS protocol's original 512-byte limit.
About authoritative server:
Authoritative server implementations MUST support TCP so that they do not limit the size of responses to what fits in a single UDP packet.
About recursive server:
Recursive server (or forwarder) implementations MUST support TCP so that they do not prevent large responses from a TCP-capable server from reaching its TCP-capable clients.
About stub resolver (for small installation):
Stub resolver implementations (e.g., an operating system's DNS resolution library) MUST support TCP since to do otherwise would limit their interoperability with their own clients and with upstream servers. Stub resolver implementations MAY omit support for TCP when specifically designed for deployment in restricted environments where truncation can never occur or where truncated DNS responses are acceptable.
A resolver SHOULD send a UDP query first, but MAY elect to send a TCP query instead if it has good reason to expect the response would be truncated if it were sent over UDP (with or without EDNS0) or for other operational reasons, in particular, if it already has an open TCP connection to the server.
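The UDP-first, TCP-on-truncation behaviour quoted above, as an added example that is not part of the original post. It relies on two facts from RFC 1035: the TC bit in the header flags marks a truncated reply, and DNS over TCP prefixes each message with a two-byte length. The function names and the fake transports are constructed for illustration and do no network I/O.

```python
import struct

TC_BIT = 0x0200  # TC (truncated) flag in the 16-bit DNS header flags word

def build_query(name, qtype=1, txid=0x1234):
    """Encode a one-question DNS query (class IN, RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def is_truncated(msg):
    """True if the server set TC, i.e. the full reply did not fit in UDP."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_BIT)

def tcp_frame(msg):
    """DNS over TCP prefixes every message with a two-byte length."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(data):
    """Strip the length prefix, rejecting short reads."""
    length = struct.unpack("!H", data[:2])[0] if len(data) >= 2 else -1
    if length < 0 or len(data) - 2 < length:
        raise ValueError("incomplete TCP DNS message")
    return data[2:2 + length]

def resolve(query, send_udp, send_tcp):
    """Send over UDP first; repeat the same query over TCP if TC is set."""
    reply, transport = send_udp(query), "udp"
    if reply[:2] == query[:2] and is_truncated(reply):
        reply, transport = tcp_unframe(send_tcp(tcp_frame(query))), "tcp"
    if reply[:2] != query[:2]:
        raise ValueError("transaction ID mismatch")
    return transport, reply

# Constructed transports standing in for a real server (no network I/O).
def fake_udp(query):
    # Flags QR=1, TC=1, RD=1, RA=1: question echoed, answer section dropped
    return query[:2] + struct.pack("!HHHHH", 0x8380, 1, 0, 0, 0) + query[12:]

def fake_tcp(framed):
    query = tcp_unframe(framed)
    # Answer: pointer to the question name, type A, class IN, TTL 60, 192.0.2.1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    reply = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + query[12:] + answer
    return tcp_frame(reply)
```

Calling resolve(build_query("example.com"), fake_udp, fake_tcp) returns the transport that finally delivered the answer together with the raw reply.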