A DNS service resolves names into IP addresses. To do so, it uses resource records. A resource record maps a name to an IP address. Resource records are saved in zone files. A zone file holds the resource records of a specific portion of the network. In DNS terminology, this specific portion is known as a domain. A network may contain many domains. For example, the Internet, the largest network ever created, has millions of domains. For these domains, it uses millions of zone files.
If all these zone files are saved on a single server, the server will crash or take a very long time to resolve each name. Let's understand this through an example.
Billions of devices are connected to the Internet, and they all use the DNS service for name resolution. If there is only one DNS server and all zone files are saved on it, it will receive name-resolution queries from every host on the Internet. It will receive billions of name resolution queries per second. To answer each query, it will have to check millions of zone files. No matter how powerful a server you use in this situation, it will crash or hang within a minute.
All services that access network resources by name use the DNS service to translate names into IP addresses. If the DNS service works slowly or takes a long time to resolve names, the network will fail. To deal with this situation, administrators use distribution and delegation techniques: instead of saving all zone files on one server, they save (distribute) them on multiple servers in a hierarchy and make each server responsible (delegate) for resolving the queries related to the zone files it holds.
The server on which you run the DNS service is called a DNS or name server. Based on how the DNS service is configured on it, it can be classified into seven types. These types are the caching-only DNS server, forwarding DNS server, primary authoritative-only DNS server, secondary authoritative-only DNS server, public DNS server, and private DNS server.
To understand the meanings and functions of these servers, we need to understand the meanings of some terms that are closely related to the functionalities of these servers. These terms are end devices, name resolution, resolver system, and DNS queries.
End devices
An end device is a device that wants to know the IP address that corresponds to a name.
Name resolution
Name resolution is the process of translating a name into an IP address.
Resolver system
A resolver system accepts recursive queries from end devices, resolves them, and returns the answers to the requesting systems.
DNS queries
There are two types of DNS queries: recursive and non-recursive.
In a recursive query, the sending device asks the receiving device to resolve a name on its behalf. This type of query is used to transfer the workload of the name resolution process from the sender to the receiver. End devices use recursive queries to ask the resolver system to translate names for them.
In a non-recursive (also called iterative) query, the sending device asks the receiving device either to translate a name or to provide information about a device that can translate it. If the receiving device knows the IP address of the requested name, it translates the name. If it does not, it replies with a referral. A referral is a list of DNS servers that the requester can contact next to resolve the name. Resolver systems send non-recursive queries to DNS servers to resolve names.
The following image shows an example of non-recursive queries.
Caching-only DNS server
A caching-only DNS server is a resolver system. It does not store zone files, but it does store information about the DNS servers it can use to resolve names. It accepts recursive queries from clients, contacts the configured DNS servers with non-recursive queries one after another until it gets the answer to each request, stores the answer in its cache, and replies to the requesting clients.
When it receives a request from a client, it first tries to answer that request from the cache. Only if the cache cannot resolve the name does it contact the configured DNS servers. It stores the answer from each DNS server in the cache for later use.
Because it stores answers in a cache and uses them to resolve names, it is called a caching-only DNS server.
Forwarding DNS server
A forwarding DNS server is also a caching-only server, but it does not resolve queries itself. It forwards them to the next caching-only server in the hierarchy. That caching-only server resolves the queries and replies to the forwarding DNS server, which caches the result and replies to the requesting systems. Administrators deploy a forwarding DNS server to speed up the name resolution process.
Let us take an example.
A company has its main office in the USA and a branch office in Japan. The company uses a caching-only DNS server in its main office. Computers in both offices are configured to use the caching-only DNS server for name resolution.
Because of the physical distance, computers in the Japan office take longer to send recursive queries to the caching-only DNS server and receive the answers than computers in the USA office do. Since they spend more time resolving names, they work more slowly than the computers in the USA office.

To improve their speed, the company can deploy a forwarding DNS server in the Japan office. Since a forwarding DNS server only saves the answers it receives from the caching-only DNS server and does not itself communicate with DNS servers to translate names, it needs minimal hardware resources. The company can use any spare or unused system for it.
Once the forwarding DNS server is in place, the Japan office's computers no longer need to communicate with the caching-only DNS server in the USA. They send recursive queries to the forwarding DNS server, which forwards them to the caching-only DNS server. The caching-only DNS server resolves the queries and replies to the forwarding DNS server, which saves the answers in its cache and uses that cache to resolve further queries.
This implementation reduces the time the Japan office's computers need to resolve queries.
Differences between a forwarding DNS server and a caching-only DNS server
- A caching-only DNS server resolves queries while a forwarding DNS server does not resolve queries.
- In the name resolution process, a caching-only DNS server performs two tasks: resolving queries and caching the results. A forwarding DNS server performs only one task: caching the results.
- A forwarding DNS server does not resolve queries; it forwards them to the caching-only DNS server. A caching-only server resolves queries; it does not forward them to the next DNS server.
- A forwarding DNS server uses only recursive queries. A caching-only DNS server uses both recursive and non-recursive queries.
Similarities between a forwarding DNS server and a caching-only DNS server
- Both accept recursive queries.
- Neither saves any zone files.
- Both cache the results.
Authoritative-only DNS server
An authoritative-only DNS server performs the following tasks.
- It saves zone files for domains.
- It saves a list of referral DNS servers.
- It accepts non-recursive queries.
- For each request, it checks zone files.
- If it finds requested information in zone files, it provides that information to the requester.
- If it does not find the requested information, it checks the referral list.
- If the referral list contains the IP addresses of one or more DNS servers, it provides that list to the requester. The requester can contact them to resolve the query.
- If the referral list is empty, it sends an error message to the requester indicating that the requested information is not available on this server.
A requester can receive one of three types of response to its query from an authoritative DNS server: the answer to the query, a referral to the next DNS servers, or an error.
- If the authoritative DNS server has the requested information in its zone files, the requester receives the answer to the query.
- If the authoritative DNS server does not have the requested information in its zone files but has the addresses of the next authoritative servers in its referral list, the requester receives that referral list.
- If the authoritative DNS server has neither the requested information in its zone files nor any address in its referral list, the requester receives a 'requested information not found' error.
Characteristics and advantages of an authoritative-only DNS server
- It does not accept recursive queries. It accepts only non-recursive queries.
- It uses locally stored zone files to answer non-recursive queries.
- It provides the requested information only if the requested information is available in its zone files.
- If the requested information is not available in the zone files, it provides the addresses of DNS servers configured in the referral list.
- If the requested information is not available in the zone files and the referral list is empty, it provides a 'requested information not found' error.
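The following Python model, added here and not part of the original article, ties together the two query types, the caching-only and forwarding servers, and the answer/referral/error behaviour of an authoritative-only server described above. It is an in-memory simulation, not real DNS wire traffic; the server names, the ".example" domain and the address 192.0.2.10 are constructed.

```python
# Added example (not the article's code): an in-memory model of the server roles above.
class AuthoritativeServer:
    """Authoritative-only: zone maps name -> IP; referrals map domain suffix -> servers."""
    def __init__(self, name, zone=None, referrals=None):
        self.name, self.zone, self.referrals = name, zone or {}, referrals or {}
    def non_recursive_query(self, qname):
        if qname in self.zone:                    # found in a local zone file
            return ("answer", self.zone[qname])
        for suffix, servers in self.referrals.items():
            if qname.endswith(suffix):            # not ours, but we know who to ask
                return ("referral", servers)
        return ("error", "requested information not found")

class CachingOnlyServer:
    """Resolver: accepts recursive queries, follows referrals, caches answers."""
    def __init__(self, root_servers):
        self.root_servers, self.cache, self.upstream_queries = root_servers, {}, 0
    def recursive_query(self, qname):
        if qname in self.cache:                   # cache hit: no upstream traffic
            return self.cache[qname]
        pending, asked = list(self.root_servers), set()
        while pending:
            server = pending.pop(0)
            if server.name in asked:              # guard against a referral loop
                continue
            asked.add(server.name)
            self.upstream_queries += 1            # one non-recursive query sent
            kind, payload = server.non_recursive_query(qname)
            if kind == "answer":
                self.cache[qname] = payload
                return payload
            if kind == "referral":
                pending = list(payload) + pending
        return None                               # every server returned an error

class ForwardingServer:
    """Forwards recursive queries to a caching-only server and only caches results."""
    def __init__(self, upstream):
        self.upstream, self.cache = upstream, {}
    def recursive_query(self, qname):
        if qname not in self.cache:
            self.cache[qname] = self.upstream.recursive_query(qname)
        return self.cache[qname]

# Constructed hierarchy: the root server refers ".example" names to ns.example.
EXAMPLE_NS = AuthoritativeServer("ns.example", zone={"www.example": "192.0.2.10"})
ROOT_NS = AuthoritativeServer("root", referrals={".example": [EXAMPLE_NS]})
USA_RESOLVER = CachingOnlyServer([ROOT_NS])       # main-office caching-only server
JAPAN_FORWARDER = ForwardingServer(USA_RESOLVER)  # branch-office forwarding server
```

Resolving www.example through the forwarder costs the resolver two non-recursive queries the first time (root referral, then ns.example answer) and none afterwards, while a name no server holds ends in an error at the root and resolves to nothing.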
Primary and secondary DNS servers
Authoritative-only DNS servers are critical for the network. They store zone files and referral links. If an authoritative server fails, all domains whose zone files and referral links are saved on it become inaccessible. Because of this, administrators always configure a backup server for each authoritative server.
If a backup authoritative server is configured, the main server is called the primary or master authoritative server, and the backup is called the secondary or slave authoritative server.
Differences between primary and secondary DNS servers
Administrators create and configure zone files and referral addresses on only the primary authoritative server. The secondary authoritative server copies them from the primary authoritative server.
Only the primary server answers queries. The secondary server remains idle while the primary server is up. If the primary server fails, the secondary server acts as the primary until the primary server comes back online.
Similarities between primary and secondary DNS servers
- Both servers save the same zone files.
- Both servers use the same referral links configuration.
- Both servers resolve queries for the same domain.
Public and private DNS servers
For security reasons, if a company wants to hide the names and IP addresses of its internal hosts, it can use a private DNS server. A private DNS server is open only to the company's devices: it accepts queries only from internal devices, and external devices cannot access it.
If the company wants to publish the names and IP addresses of some hosts, it can put their records on a public DNS server. A public DNS server is open to all; any device can send queries to it and receive information.
Usually, companies use both public and private DNS servers. They use a public DNS server for hosts that run services accessed by external users, such as a web service, and a private DNS server for internal hosts.
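As an added example (not from the article), the private/public split modelled in Python: the private server checks the client's source address before answering anything, so an external device learns neither internal names nor addresses, while the public server is open to all. The networks, names and addresses are constructed.

```python
# Added example (not the article's code): private vs public DNS server behaviour.
import ipaddress

# Constructed company networks; only clients from these may use the private server.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

class DnsView:
    """A name server that answers only clients whose source address passes its ACL."""
    def __init__(self, records, allowed_nets=None):
        self.records, self.allowed_nets = records, allowed_nets  # None = open to all

    def query(self, qname, client_ip):
        addr = ipaddress.ip_address(client_ip)
        if self.allowed_nets is not None and not any(addr in n for n in self.allowed_nets):
            return ("refused", None)               # external device: nothing is revealed
        if qname in self.records:
            return ("answer", self.records[qname])
        return ("nxdomain", None)                  # name does not exist in this view

# Constructed records: internal hosts exist only on the private server, and the
# public name resolves to an internal address there and a public one outside.
PRIVATE_DNS = DnsView({"www.example": "10.0.0.10", "db.internal.example": "10.0.0.20"},
                      allowed_nets=INTERNAL_NETS)
PUBLIC_DNS = DnsView({"www.example": "192.0.2.10"})
```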