In the early days of IP networks, computers running Unix or compatible operating systems like BSD or Linux used a file called /etc/hosts. This file mapped hostnames to IP addresses. However, as networks grew, managing the host file across all computers became unmanageable.
To address this issue, the Domain Name System (DNS) was created as a scalable solution. Today, DNS is one of the fundamental technologies that powers the Internet.
DNS is a distributed database and network protocol that converts human-readable network locations to machine-readable Internet Protocol (IP) addresses. DNS has two main types: authoritative and recursive. In this blog post, we’ll delve into both types, their purpose, and usage.
Understanding authoritative DNS and its structure.
Authoritative DNS is a service that answers queries for information. Authoritative DNS is structured like a tree. Each tier of the tree is called a “zone” and has authoritative servers that hold information. The DNS root servers are at the top of the tree, sometimes annotated as a single dot (.).
The root servers hold information on the authoritative servers for each of the top-level domains (TLDs), such as .com, .org, .biz, and .us. The authoritative servers for a TLD hold information on the authoritative servers for domains inside of them, such as vercara.com and ultradns.biz.
The authoritative servers for a domain hold Resource Records (RRs). A domain might have a subdomain, such as corp.vercara.com, that can hold RRs and subdomains just like inside a domain.in.
There are several types of records that can be inside of a DNS zone and they can be queried for. The most common ones are:
- A: an IPv4 IP address. (example: 156.154.120.112)
- AAAA: an IPv6 IP address. (example: 2610:a1:1016::e8)
- MX: The Mail Exchange (email) server for the domain. (example: vercara-com.mail.protection.outlook.com)
- NS: The zone’s authoritative nameservers. (example: pdns196.ultradns.info)
- TXT: A text response used for authentication or registration purposes, such as verifying servers authorized to send email on behalf of the domain or validating domain ownership for Transport Layer Security (TLS) certificates. (Example: v=spf1 include:spf.protection.outlook.com include:mail.zendesk.com -all)
A “Start of Authority” (SOA) record is required for any zone. It includes an authoritative nameserver, contact email address, and timing parameters for caching and refreshing answers from authoritative servers.
$TTL 86400
@ IN SOA pdns196.ultradns.info. domains.vercara.com. (
2023021669 ;Serial
14400 ;Refresh
10800 ;Retry
604800 ;Expire
60 ;Negative response caching TTL
)
The SOA record for the domain is the only compulsory item, but most domains also have 2 or more NS records and an A record for the domain itself.
So how do you set up a domain? First, you’ll need to buy a domain from a registrar, which is a service provider that sells domains for different TLDs. When you purchase a domain, you let the registrar know about the authoritative servers for that domain. The domain goes “live” at 2400 UTC when the zone file for the TLDs is refreshed.
If you don’t have servers to set up the domain records or don’t plan to use the domain immediately, you have the option to “park” it using a service provided by the registrar.
Next, you’ll set up an authoritative server for the domain. This can be done by installing server software like bind or using a service like UltraDNS. Once inside the server, you’ll configure your SOA and other RRs.
After setting up the domain SOA and RRs, you’re all set to make your domain live. Just head over to the registrar and update the authoritative nameservers to your new server. The TLD authoritative servers will publish the new zone information at 2400 UTC.
Understanding recursive DNS and its process.
Recursive DNS, also known as a “resolver”, is a service that helps computers request information from a remote zone. It gets its name from the process of recursion, where a recursive server explores the authoritative DNS tree to find answers to queries.
The process of recursion uses the following process:
- The recursive DNS server receives a query from another computer. For example, record type A for mail.vercara.com.
- The recursive DNS server uses its hints file to find and query a root server for an authoritative server for the .com TLD.
- The recursive DNS server queries a .com TLD authoritative server for the authoritative nameserver for vercara.com.
- The recursive DNS server queries a vercara.com authoritative nameserver for mail.vercara.com and is given an IP address as an answer.
- The recursive DNS server replies with the answer to the computer that made the initial query to it.
Throughout the recursion process, the recursive DNS server caches answers based on a “Time to Live” (specified in seconds) provided in the answer. This reduces both the amount of queries that the authoritative DNS servers receive and the time that it takes to receive an answer because the full recursion process is performed infrequently.
Configuring resolvers: methods and best practices.
A “resolver” is a name used for a DNS server that answers queries from computers on a local area network. The resolver can be a recursive DNS server or a forwarder that forwards DNS queries to a recursive DNS server. Forwarders usually cache the answer to offload queries from the recursive DNS server.
Resolver servers are configured as network services generally in 5 basic methods:
- Many routers and firewalls, especially those for small office/home office setups, can host a local resolver service. This service is advertised through Dynamic Host Control Protocol (DHCP) and can serve as either a recursive DNS server or a caching forwarder.
- With the Dynamic Host Control Protocol (DHCP), you have the ability to specify the IP addresses of a different resolver service by using option 6.
- You have the option to manually enter resolver IP addresses in the network settings of your computers.
- Microsoft Active Directory Domain Controllers serve as a resolver service for hostnames in the AD domain. Additionally, they can be configured as either a recursive DNS server or a caching forwarder.
- Certain operating systems, like Linux variants, can run a local recursive DNS service for their own queries.
End-to-end DNS protection with Vercara.
To ensure your online presence is robust and secure, it’s essential to understand the difference between authoritative and recursive DNS services. We offer specialized solutions in both domains to keep your digital infrastructure resilient and reliable.
For authoritative DNS services, our UltraDNS and UltraDNS² stand ready to ensure your digital infrastructure and online presence are always reachable. With enterprise-grade, cloud-based solutions that deliver fast and precise query responses, Vercara provides customizable packages to meet your primary, secondary, or dual managed DNS solution needs.
When it comes to recursive DNS, Vercara’s UltraDDR offers a proactive defense mechanism, identifying and preventing attacks before they happen. With real-time observability and advanced threat blocking, UltraDDR ensures your internal users maintain smooth traffic flow, essential for operational efficiency.
Get started. Speak with sales today.
