
DNS servers and Iteration

  • 25-03-2002 11:31pm
    #1
    Closed Accounts Posts: 1,719 ✭✭✭


    OK, I was just going through the DNS settings on Win2k Advanced Server (the OS doesn't really matter for this post).
    It seems to me that (in an ideal world) every domain should have its own DNS server to provide the outside world with a lookup for servers and addresses under that node in the tree. Now, if this is the case, would that not mean that when you buy an address (under the top level domain) you can specify any amount of servers under your domain? If this is the case, would there not be a huge amount of traffic between DNS servers? And security: the higher up the tree a server is, the more damage an attack can cause? (Say the main .com server was "hacked" and microsoft.com's entry was changed.) Would this entry not filter down the line, considering all the DNS servers fetch new info from each other regularly?
    Or have I got the whole concept arse-ways? I'm kinda new to DNS, so if I'm way out just slap me around with a wet trout.


Comments

  • Closed Accounts Posts: 649 ✭✭✭The Cigarette Smoking Man


    Every domain doesn't need its own (separate) DNS servers; you can easily host thousands of domains on the same server before the load becomes a factor.

    There's not usually a huge amount of traffic between DNS servers because of replication. Most domains only have a primary and a secondary DNS server and the database is replicated between the two every time there is a change made to the primary.

    The way the request for a host record goes is:

    User -> ISPs DNS -> . root Server -> .ie root server -> boards.ie server -> www.boards.ie

    That does generate a huge amount of traffic on the root servers (hundreds of millions of requests per day). To help this, the ISPs' DNS servers are set up to cache the requests, so if they get a popular site, it'll only have to query it once until the TTL runs out, and every time someone looks for that address it'll take it from the cache.

    You're right about the security: if someone did hack one of the root servers they could change the DNS servers for a domain to be pointed somewhere else and modify the records. But they don't run on Windows, so the chances of that are unlikely :)

    AFAIK all of the DNS root servers run BIND: http://www.isc.org/products/BIND/

    http://www.isi.edu/in-notes/rfc2870.txt
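    The lookup chain and the ISP-side cache described in the reply above, as an added example that is not part of the original thread. The zone data (root, .ie, boards.ie), the 10-second TTL and the 198.51.100.10 address are all constructed for illustration; an "NS" entry stands in for a delegation to the child zone's server.

```python
"""Toy model of User -> ISP DNS -> root -> .ie -> boards.ie -> www.boards.ie,
with the ISP resolver caching the answer until its TTL runs out.
Added example, not from the thread; all zone data is constructed."""
from typing import Dict, Tuple

# Constructed authoritative data, one dict per zone. An "NS" value names the
# child zone the query is delegated to; an "A" value is the final answer.
ZONES: Dict[str, Dict[str, Tuple[str, str]]] = {
    ".": {"ie.": ("NS", "ie.")},
    "ie.": {"boards.ie.": ("NS", "boards.ie.")},
    "boards.ie.": {"www.boards.ie.": ("A", "198.51.100.10")},
}
TTL = 10  # seconds the ISP resolver may serve a cached answer (constructed)


def ask_authoritative(zone: str, name: str) -> Tuple[str, str]:
    """Query the server for `zone`: it answers for names it owns, or
    delegates to the child zone whose name is a suffix of the query."""
    for owner, rr in ZONES[zone].items():
        if name == owner or name.endswith("." + owner):
            return rr
    raise KeyError(f"{zone} has no data or delegation for {name}")


class IspResolver:
    """The ISP's recursive resolver: iterates from the root and caches."""

    def __init__(self) -> None:
        self.cache: Dict[str, Tuple[str, float]] = {}  # name -> (address, expiry)
        self.upstream_queries = 0  # how many times we bothered other servers

    def resolve(self, name: str, now: float) -> Tuple[str, bool]:
        """Return (address, served_from_cache) for `name` at time `now`."""
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0], True          # within TTL: no upstream traffic at all
        zone = "."                       # cold lookup: start at the root servers
        while True:
            self.upstream_queries += 1
            rtype, value = ask_authoritative(zone, name)
            if rtype == "A":
                self.cache[name] = (value, now + TTL)
                return value, False
            zone = value                 # NS: follow the delegation one level down
```

    A cold lookup costs three upstream queries; repeats within the TTL cost none, which is also why an answer (good or bad) cached at the ISP persists until the TTL expires.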


  • Closed Accounts Posts: 1,719 ✭✭✭Ruaidhri


    Yeah, I grasped the fact that DNS servers can support many domains; I was talking about a perfect world.
    So how does it go when you buy a domain? Have your own DNS server?
    When you change, do you force a replication? Send your DNS records to a "master" server, or where do you send them? Because as I understand it the DNS replication can only go down the tree from the root server.
    I was saying earlier that the potential risk is GREAT. I understand that root servers are pretty secure, but the risk is there; even to force an attack on them would be pretty easy.
    Think it's going to take me a few more days before I understand this properly :))


  • Closed Accounts Posts: 649 ✭✭✭The Cigarette Smoking Man


    Originally posted by Ruaidhri
    Yeah, I grasped the fact that DNS servers can support many domains; I was talking about a perfect world.

    There's no need to have a server for every domain, even in a perfect world.

    So how does it go when you buy a domain? Have your own DNS server?
    When you change, do you force a replication? Send your DNS records to a "master" server, or where do you send them? Because as I understand it the DNS replication can only go down the tree from the root server.
    I was saying earlier that the potential risk is GREAT. I understand that root servers are pretty secure, but the risk is there; even to force an attack on them would be pretty easy.
    Think it's going to take me a few more days before I understand this properly :))

    When you buy a .ie domain (for example), you send in a request for the domain and you tell them the address of your two DNS servers. They then create a record on their DNS server for your domain. So every time someone looks up www.you.ie their DNS server will send the request on to the DNS servers you specified.

    You're right about the replication only happening down the tree, e.g. you can't replicate with one of the root servers and start sticking in records.

    The way replication works is that the records on the primary DNS server have a serial number associated with them, and every time there's a change made this number is increased by 1. Then when the secondary server checks the primary server, if its serial number is different it replicates the records for that domain.

    One thing: the way DNS servers work on the Internet is how I've described above. It doesn't generally (99%) use Microsoft Active Directory DNS, where you can have multiple DNS servers, update any of them and have them replicate between each other (multi-master replication).

    I think the fact that you're reading Microsoft documentation isn't helping either. Get the DNS book from O'Reilly.

    http://www.amazon.com/exec/obidos/ASIN/0596001584
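    The serial-number-driven primary/secondary replication described above, as an added example that is not part of the original thread. The zone contents and the YYYYMMDDnn serials are constructed; the comparison uses RFC 1982 serial arithmetic (a wrapping 32-bit counter, so the secondary transfers only when the primary's serial is newer, not merely different).

```python
"""Toy model of secondary refresh: poll the primary's serial and transfer the
zone only when it has moved forward. Added example, not from the thread."""
from typing import Dict

MASK = 0xFFFFFFFF   # SOA serials are unsigned 32-bit
HALF = 2 ** 31


def serial_newer(candidate: int, current: int) -> bool:
    """RFC 1982: `candidate` is newer if it is ahead of `current` by less than 2^31,
    which keeps working when the counter wraps past 2^32 - 1."""
    diff = (candidate - current) & MASK
    return 0 < diff < HALF


class Primary:
    def __init__(self, serial: int, records: Dict[str, str]) -> None:
        self.serial = serial & MASK
        self.records = dict(records)

    def edit(self, name: str, value: str, bump_serial: bool = True) -> None:
        """Change a record. Forgetting to bump the serial is the classic mistake:
        secondaries keep answering with the old data."""
        self.records[name] = value
        if bump_serial:
            self.serial = (self.serial + 1) & MASK


class Secondary:
    def __init__(self) -> None:
        self.serial = 0              # never loaded anything yet
        self.records: Dict[str, str] = {}
        self.transfers = 0           # zone transfers actually performed

    def refresh(self, primary: Primary) -> bool:
        """SOA check against the primary; copy the zone only if its serial is newer."""
        if not serial_newer(primary.serial, self.serial):
            return False
        self.records = dict(primary.records)
        self.serial = primary.serial
        self.transfers += 1
        return True
```

    The second edit below, made without bumping the serial, never reaches the secondary; only the bumped edit does.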


  • Closed Accounts Posts: 1,719 ✭✭✭Ruaidhri


    Yeah, thanks..
    Next thing is to start figuring out BIND (*shudder* can feel the beard growing already).

    Well, to be honest, who would use MS OSes for a critical function like that? I mean they are good and I use them all the time, but for critical, high-risk tasks like that there are too many holes (no, I'm not starting a "well, Linux is better" argument; go somewhere else if you want one of them).
    Well, when the . root comes crashing down you know I screwed up :))
    Thanks for your insights.


  • Closed Accounts Posts: 649 ✭✭✭The Cigarette Smoking Man


    No problem.

    The UNIX board is for the "Linux is better than Microsoft" arguments. This board is for the "My connection is better than yours" arguments :)


  • Closed Accounts Posts: 1,719 ✭✭✭Ruaidhri


    Yeah, but my connection IS better than yours (100Mb Ethernet and 512kb Internet, all for myself).


  • Registered Users Posts: 6,265 ✭✭✭MiCr0


    BIND is dead easy to set up too.
    Post if you get any problems :)


  • Closed Accounts Posts: 1,719 ✭✭✭Ruaidhri


    Thanks.. but it won't be a problem.... Have to move on to Active Directory and SQL now :)) Man o man, is SQL easy going compared to Java..


  • Closed Accounts Posts: 649 ✭✭✭The Cigarette Smoking Man


    There's an article in the Washington Post on the A root server:

    http://www.washingtonpost.com/wp-dyn/articles/A33447-2002Mar28.html


  • Closed Accounts Posts: 1,719 ✭✭✭Ruaidhri


    Yeah, the article is alright.. but there are a few things that really annoy me in it:
    Adjoining the operations center, behind another mantrap, are twin rooms that house the essential computers that serve as the heart of the Net
    There is no center of the 'net. It's the way it's designed.


    Between the server hedgerows are several equally tall storage units, where the continually updated master lists of the addresses registered in dot-com, dot-net and dot-org are stored.
    Are there not 13 of those?



    "The last thing I'd want someone to think is that they could put a bomb around their waist and hug the A root and think they're going to significantly impact the Internet," Rippe said.

    Hey now, wait a min.. this is technically true, but not in practice. Remember a while back when some jackass cut the main backbone between the east and west coast USA? What happened? All traffic got routed through London, bringing almost everything to a complete standstill. Same principle: one . server goes and all traffic gets routed through lines that were never designed to handle that traffic; everyone suffers.

    High-ranking U.S. officials have also started taking a greater interest in the security of the complex. After Sept. 11, as agencies and departments throughout the federal government began reexamining the security of the critical infrastructure under their jurisdictions.

    Now I'm not racist, but the bloody arrogant Americans think they own the world... the politicians are the worst of the lot.. who cares... did not the Afghan terrorists plan their attack from info gathered on the Internet? Why would anyone harm an extremely useful (with encryption!) communication medium? Makes no sense targeting a . root server.

    The Internet may be a global resource, but much of its infrastructure is still ultimately controlled by the U.S. government.

    The Internet grew out of the ARPAnet. The US military owned and designed that.
    "The reason why you're seeing such a focus on VeriSign is that the safety and the integrity of these systems needs to be analyzed and needs to be improved upon regardless of how safe they currently are."

    W00h00... someone is good at their job.. hope everyone working with the A . server is as good as him.

