29th May 2008
J65nko

Originally Posted by spiderpig
..... it appears that caching nameservers are only useful for increasing performance and distributing the load on authoritative nameservers.
No, a responsible caching nameserver will not be satisfied by the answer of a caching nameserver. It will only be satisfied if it sees the aa (Authoritative Answer) flag in the DNS reply packet.
The proper way to distribute load on authoritative nameservers is to have several of them.

Caching nameservers are useful for a network to reduce DNS traffic. That is why your ISP usually gives you the addresses of its two caching nameservers to enter into your /etc/resolv.conf file.
Originally Posted by spiderpig
As such, they don't store A records as I originally assumed.
A nameserver like Bind can be configured to act as a caching nameserver as well as an authoritative nameserver, answering queries from the stored A records. In other words, two different tasks run by a single program.
In a professional environment this should, however, be avoided for security reasons.

For example, if you configure a zone file for and enter as an A record, the caching nameserver will not do the traversal starting from the DNS root '.', but will answer with the address from the zone file.

Originally Posted by spiderpig
If I am correct, it also doesn't appear that caching nameservers have to reference authoritative nameservers within the zone as they can just begin queries directly through the TLD nameservers.
That is partially correct: they start their inquiries from the [a-m] servers of the DNS root '.'. The "." (dot) is the root of the DNS hierarchy, just like "/" is the root of a filesystem.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
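The aa (Authoritative Answer) flag the post refers to lives in the second 16-bit word of the DNS header (RFC 1035 section 4.1.1). As an added example, not part of J65nko's post or of any nameserver's code, the Python below builds two constructed responses for the same A record, one as an authoritative server for the zone would send it (aa=1) and one as an ISP's caching resolver would replay it from its cache (aa=0, ra=1), then applies the "only accept an authoritative answer" check the post describes. The name www.example.com and the address 192.0.2.10 are reserved documentation values chosen for the example; no packets are sent on the network.

```python
"""Minimal DNS response builder/parser used to inspect the AA flag.
All packets are constructed in memory; nothing is sent on the wire."""
import struct

# Header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 section 4.1.1)
HEADER = struct.Struct("!HHHHHH")
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 1 << 15, 1 << 10, 1 << 9, 1 << 8, 1 << 7
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Encode 'www.example.com.' as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(packet, offset):
    """Decode a possibly compressed name; return (name, offset just past it).
    Compression pointers (RFC 1035 section 4.1.4) start with two set bits."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:
            if not jumped:
                end = offset + 2  # the pointer itself is 2 bytes long
            offset = struct.unpack_from("!H", packet, offset)[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels) + ".", end


def build_a_response(qname, addr, authoritative, recursion_available, ttl=300):
    """Constructed response carrying one A record. The flags model either an
    authoritative server for the zone (aa=1) or a caching resolver answering
    from its cache (aa=0, ra=1)."""
    flags = FLAG_QR | FLAG_RD
    if authoritative:
        flags |= FLAG_AA
    if recursion_available:
        flags |= FLAG_RA
    header = HEADER.pack(0x1234, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rdata = bytes(int(o) for o in addr.split("."))
    # The answer's owner name is a pointer (0xC00C) to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(packet):
    """Return the header flags of interest plus every A record in the answer section."""
    _, flags, qdcount, ancount, _, _ = HEADER.unpack_from(packet, 0)
    offset = HEADER.size
    for _ in range(qdcount):
        _, offset = read_name(packet, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(packet, offset)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", packet, offset)
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0xF, "answers": answers}


def accept_as_authoritative(packet):
    """The check described in the post: take the answer only if it is a reply
    (qr=1), carries no error (rcode=0) and the responder claims authority (aa=1)."""
    info = parse_response(packet)
    return info["qr"] and info["rcode"] == 0 and info["aa"]


# Constructed packets (not captured traffic): the zone's authoritative server
# versus an ISP caching resolver handing out the same record from its cache.
AUTHORITATIVE = build_a_response("www.example.com.", "192.0.2.10", True, False)
FROM_CACHE = build_a_response("www.example.com.", "192.0.2.10", False, True)

if __name__ == "__main__":
    for label, pkt in (("authoritative", AUTHORITATIVE), ("cached", FROM_CACHE)):
        info = parse_response(pkt)
        print(label, info["answers"], "aa=%d ra=%d accepted=%s"
              % (info["aa"], info["ra"], accept_as_authoritative(pkt)))
```

Both packets carry the identical A record; only the flags differ, which is exactly why the post says a resolver cannot tell a cached copy from an authoritative one by looking at the answer data alone. Against a live server the same parser can be fed the bytes returned by a UDP query on port 53, and `dig` shows the same bit as `aa` in its "flags:" line.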