
Networking - DNS - Common DNS Server Types

A DNS server usually fulfils one or more of the following roles:

  • Authoritative DNS server
  • Caching DNS server
  • Recursive DNS server
  • Validating DNS server

Authoritative DNS Server

An authoritative DNS server is the server that holds the zone data for a domain and answers queries for that domain from its own data rather than from a cache.

When a domain is registered with a domain name registrar, the zone administrator provides a list of name servers (typically at least two, for redundancy) that are authoritative for the zone that contains the domain.

The registrar provides the names of these servers to the domain registry for the top level domain containing the zone.

The domain registry in turn configures the authoritative name servers for that top level domain with delegations for each server for the zone.

If the fully-qualified domain name of any name server for a zone appears within that zone, the zone administrator provides IP addresses for that name server, which are installed in the parent zone as glue records; otherwise, the delegation consists of the list of NS records for that zone.

A name server indicates that its response is authoritative by setting the Authoritative Answer (AA) bit in the response to a query on a name for which it is authoritative.

Name servers providing answers for which they are not authoritative (for example, name servers for parent zones) do not set the AA bit.
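The AA bit lives in the 16-bit flags word of the 12-byte DNS message header. The following added example (not code from the original page) packs and parses that header in pure Python so you can tell an authoritative answer from a cached or referral answer by header bits alone; the three sample messages are constructed for the example, not captured traffic.

```python
import struct

# Bit positions in the 16-bit flags word of a DNS message header (RFC 1035, section 4.1.1).
QR = 1 << 15   # 1 = response, 0 = query
AA = 1 << 10   # authoritative answer
TC = 1 << 9    # truncated
RD = 1 << 8    # recursion desired (copied from the query into the response)
RA = 1 << 7    # recursion available (set by the server)


def build_header(msg_id, flags, qdcount=1, ancount=0, nscount=0, arcount=0):
    """Pack a 12-byte DNS header (used here to build constructed test data)."""
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, ancount, nscount, arcount)


def parse_header(data):
    """Return the header fields of a DNS message as a dict; ValueError on short input."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": msg_id,
        "is_response": bool(flags & QR),
        "authoritative": bool(flags & AA),
        "truncated": bool(flags & TC),
        "recursion_desired": bool(flags & RD),
        "recursion_available": bool(flags & RA),
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(data):
    """Describe what kind of answer a server gave, using only the header bits."""
    h = parse_header(data)
    if not h["is_response"]:
        return "query"
    if h["authoritative"]:
        return "authoritative answer"
    if h["recursion_available"]:
        return "non-authoritative answer from a recursive resolver"
    return "non-authoritative answer (referral or cached, recursion not offered)"


# Constructed sample messages (headers only):
AUTH_REPLY = build_header(0x1234, QR | AA, ancount=1)            # zone's own name server
RESOLVER_REPLY = build_header(0x1234, QR | RD | RA, ancount=1)   # recursive resolver
REFERRAL = build_header(0x1234, QR | RD, nscount=2)              # parent zone: NS records, no AA

if __name__ == "__main__":
    for label, msg in [("auth", AUTH_REPLY), ("resolver", RESOLVER_REPLY), ("referral", REFERRAL)]:
        print(label, "->", classify(msg))
```

The same `parse_header` can be run over the bytes returned by a UDP socket after sending a real query; checking `recursion_available` on your own authoritative servers is a quick way to confirm they are not offering recursion to the world.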


Caching DNS Server

Caching name servers store DNS query results for a period of time determined by the time-to-live (TTL) configured on the domain name record in question.

These servers improve the efficiency of the DNS by reducing DNS traffic across the Internet, and by reducing load on authoritative name servers, particularly root name servers.

The cache increases the performance of end-user applications that use DNS.
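As an added illustration (not code from the original page) of how a caching server honours the TTL, here is a minimal cache keyed by name and record type. Entries expire after the record's TTL, a hit reports the remaining TTL (as real resolvers do when they pass a cached answer on), a TTL of 0 is never cached, and the clock is injectable so the expiry behaviour can be exercised without waiting. The `max_ttl` cap and `FakeClock` are assumptions for the example.

```python
import time


class DnsCache:
    """Cache of DNS answers keyed by (name, type); entries expire after the record's TTL."""

    def __init__(self, clock=time.monotonic, max_ttl=86400):
        self._clock = clock
        self._max_ttl = max_ttl   # upper bound on how long any record is trusted (example policy)
        self._entries = {}        # (name, rtype) -> (expires_at, rdata list)

    @staticmethod
    def _key(name, rtype):
        # DNS names are case-insensitive; normalise so "WWW.example.com." and "www.example.com" match.
        return name.lower().rstrip("."), rtype

    def put(self, name, rtype, ttl, rdata):
        ttl = min(int(ttl), self._max_ttl)
        if ttl <= 0:
            return            # TTL 0 means "do not cache" (RFC 1035)
        self._entries[self._key(name, rtype)] = (self._clock() + ttl, list(rdata))

    def get(self, name, rtype):
        """Return (remaining_ttl, rdata), or None on a miss or after expiry."""
        key = self._key(name, rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        expires_at, rdata = entry
        remaining = expires_at - self._clock()
        if remaining <= 0:
            del self._entries[key]   # lazy eviction of the stale entry
            return None
        return int(remaining), rdata


def cached_lookup(cache, name, rtype, upstream):
    """Consult the cache first; on a miss ask `upstream(name, rtype)` -> (ttl, rdata) and cache it.

    Returns (rdata, was_cache_hit).
    """
    hit = cache.get(name, rtype)
    if hit is not None:
        return hit[1], True
    ttl, rdata = upstream(name, rtype)
    cache.put(name, rtype, ttl, rdata)
    return rdata, False


class FakeClock:
    """Controllable clock for demonstrating expiry without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    cache = DnsCache(clock=clock)
    calls = []

    def fake_upstream(name, rtype):          # stands in for the authoritative lookup
        calls.append((name, rtype))
        return 300, ["192.0.2.1"]            # constructed answer, documentation address range

    print(cached_lookup(cache, "www.example.com.", "A", fake_upstream))   # miss, asks upstream
    print(cached_lookup(cache, "WWW.example.com", "A", fake_upstream))    # hit, same answer
    clock.advance(301)
    print(cached_lookup(cache, "www.example.com.", "A", fake_upstream))   # expired, asks again
    print("upstream queries made:", len(calls))
```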


Recursive DNS Server

Recursive name servers resolve any query they receive, even if they are not authoritative for the specific question being asked, by consulting the server or servers that are authoritative for the query.

The server first looks for the answer in its local cache. If it cannot find one, it queries other DNS servers in turn, starting from the root and following referrals, until it obtains an answer. It then responds to the original request with the answer assembled from those queries.

ALERT: Open recursion (answering recursive queries from any source address) is not recommended.

Servers that answer recursive queries from anyone can be abused with forged queries whose source IP address is spoofed to that of the victim of the attack.

The host at the spoofed IP address is then flooded with DNS responses it never asked for and may be unable to serve regular Internet traffic.

This is called an amplification (or reflection) attack, because the method uses DNS servers to reflect traffic onto a target while also amplifying the volume of data sent to the victim, since a small query elicits a much larger response.

A consequence of this activity is that third-party network administrators who detect these requests may block your IP addresses, and your server could even be placed on DNS blacklists.
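Because the abuse described above shows up on the server's own side as a burst of recursion-desired queries for large record types from a single (spoofed) source, it can be spotted in the query log. The following added example (not part of the original page) parses BIND-9-style query-log lines and reports sources that exceed a threshold of such queries within a sliding window. The log lines are constructed for the example; the regular expression follows the documented BIND query-log layout (`client [@0x…] IP#port (qname): query: qname class type flags (local-address)`, where a leading `+` in the flags means recursion was requested), and the window, threshold and list of amplifying types are assumptions you would tune for your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Shape of a BIND 9 query-log line. The optional "@0x..." token is the client pointer newer
# versions print; the flags field starts with '+' (recursion desired) or '-' (not desired).
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<dest>[^)]*)\)"
)


def parse_query_log(lines):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        q = m.groupdict()
        q["ts"] = datetime.strptime(q["ts"], "%d-%b-%Y %H:%M:%S.%f")
        q["rd"] = q["flags"].startswith("+")   # recursion desired
        yield q


def find_reflection_candidates(lines, window_seconds=60, threshold=20,
                               amplifying_types=("ANY", "TXT", "DNSKEY", "RRSIG")):
    """Return {source_ip: peak_count} for sources that send more than `threshold`
    recursion-desired queries for amplifying record types within any window of
    `window_seconds`. Such bursts are what a reflected attack looks like on the server."""
    windows = defaultdict(deque)   # per-source timestamps inside the current window
    peaks = {}
    for q in parse_query_log(lines):
        if not q["rd"] or q["qtype"] not in amplifying_types:
            continue
        w = windows[q["ip"]]
        w.append(q["ts"])
        while (q["ts"] - w[0]).total_seconds() > window_seconds:
            w.popleft()
        if len(w) > threshold:
            peaks[q["ip"]] = max(peaks.get(q["ip"], 0), len(w))
    return peaks


def make_sample_lines():
    """Constructed sample log: one source sending a burst of ANY queries, one normal client."""
    lines = []
    for i in range(25):
        lines.append(
            f"16-Dec-2020 01:43:{i:02d}.000 client @0x7f0a1c002a40 198.51.100.7#{40000 + i} "
            f"(example.com): query: example.com IN ANY +E(0) (192.0.2.53)"
        )
    for i in range(3):
        lines.append(
            f"16-Dec-2020 01:43:{i * 10:02d}.500 client 203.0.113.9#5353 "
            f"(www.example.com): query: www.example.com IN A -E(0) (192.0.2.53)"
        )
    return lines


if __name__ == "__main__":
    for ip, peak in find_reflection_candidates(make_sample_lines()).items():
        print(f"{ip}: {peak} recursive amplifying queries within 60 s")
```

The fix on the server side is configuration rather than detection: an authoritative-only server should have recursion switched off (`recursion no;` in BIND), a resolver should limit recursion to its own clients (`allow-recursion`), and BIND's response rate limiting (`rate-limit { responses-per-second ...; };`) caps how much reflected traffic a single spoofed source can draw.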


Validating DNS Server

A validating DNS server is a resolver that checks, as far as it is able, that the responses it receives are genuine and correct.

This is usually accomplished using the DNS Security Extensions (DNSSEC), or by randomising the case of the letters in the query name (the 0x20 technique) so that a forged response that does not echo the same pattern can be recognised and discarded.

Validation can also include sanity checks on the returned data, such as making sure a remote host does not return an illegal IP address (for example, a private address) for an external hostname (dnsspoof).

NOTE: Without validation, there is no guarantee that what the DNS server returns is actually valid.

Without validation, a resolver may accept and cache an incorrect response to a DNS query and then hand it to every client that asks; this is known as a cache poisoning attack.
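As an added example (not code from the original page) of the two lightweight checks this section mentions, the following Python applies 0x20 case randomisation to an outgoing query name and then validates a response by requiring the transaction ID and the exact case pattern of the question to match, and by rejecting private or otherwise non-public addresses for an external hostname. The `internal.example` suffix, the list of disallowed ranges and the `(rtype, rdata)` answer format are assumptions for the example; DNSSEC validation proper is a separate, larger job that is not shown here.

```python
import ipaddress
import secrets


def randomize_case(qname, rng=secrets.randbits):
    """Apply 0x20 case randomisation: each letter of the query name is independently
    upper- or lower-cased. DNS compares names case-insensitively, so the answer is
    unaffected, but a forger who did not see the query has to guess the pattern."""
    return "".join(
        (ch.upper() if rng(1) else ch.lower()) if ch.isalpha() else ch
        for ch in qname
    )


# Ranges an external (public) hostname should never legitimately resolve to (example list).
_DISALLOWED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10",
)]


def sane_external_address(addr):
    """True if `addr` is a syntactically valid, publicly routable address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in _DISALLOWED)


def is_internal_name(qname, suffixes):
    """True if the name is inside one of the internal zones where private addresses are expected."""
    name = qname.lower().rstrip(".")
    return any(name == s or name.endswith("." + s)
               for s in (x.lower().rstrip(".") for x in suffixes))


def validate_response(sent_id, received_id, sent_qname, received_qname, answers,
                      internal_suffixes=("internal.example",)):
    """Return (ok, reason). `answers` is a list of (rtype, rdata) tuples from the answer section."""
    if sent_id != received_id:
        return False, "transaction ID does not match the query"
    # Compared byte-for-byte, not case-insensitively: the server must echo our 0x20 pattern.
    if sent_qname != received_qname:
        return False, "question name does not match the 0x20 pattern we sent"
    if is_internal_name(sent_qname, internal_suffixes):
        return True, "ok (internal name, private addresses permitted)"
    for rtype, rdata in answers:
        if rtype in ("A", "AAAA") and not sane_external_address(rdata):
            return False, f"{rdata} is not an acceptable public address for {sent_qname}"
    return True, "ok"


if __name__ == "__main__":
    q = randomize_case("www.example.com.")
    print("query name as sent:", q)
    # A response echoing the pattern with a documentation-range address: accepted.
    print(validate_response(0x1234, 0x1234, q, q, [("A", "198.51.100.10")]))
    # A response with the name in plain lower case: the forger did not see the query.
    print(validate_response(0x1234, 0x1234, q, q.lower(), [("A", "198.51.100.10")]))
    # A response pointing an external name at a private address: rejected.
    print(validate_response(0x1234, 0x1234, q, q, [("A", "10.0.0.5")]))
```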


networking/dns/common_dns_server_types.txt · Last modified: 2020/12/16 01:43 by peter
