How Public DNS Works – Practical Simulation – InsideOut – Part II
WaheGuru G Ka Khalsa, WaheGuru G Ki Fateh
Here we continue with the Public DNS Infrastructure Simulation, using the Windows Server 2003, Sp2 Enterprise release as DNS Server. Make sure you have followed Part I before continuing.
We will be establishing our own internal Root Hint Servers (.), Global Top-Level Domain (gTLD) Servers (such as .COM) and Second Level Domains (such as VirtualizationMaximus.com.), using the Windows Server 2003, Sp2 Enterprise release as NS Server for all the Domains residing in our simulated DNS NameSpace Hierarchy.
First, we gather information of Root DNS Domain – . – and it’s associated NS Servers:
NSLOOKUP
> set q=ns
> .
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
(root)  nameserver = e.root-servers.net
(root)  nameserver = h.root-servers.net
(root)  nameserver = l.root-servers.net
(root)  nameserver = m.root-servers.net
(root)  nameserver = a.root-servers.net
(root)  nameserver = j.root-servers.net
(root)  nameserver = f.root-servers.net
(root)  nameserver = c.root-servers.net
(root)  nameserver = b.root-servers.net
(root)  nameserver = g.root-servers.net
(root)  nameserver = i.root-servers.net
(root)  nameserver = d.root-servers.net
(root)  nameserver = k.root-servers.net
…
We also don't have an A RR mapped to the Root DNS Domain name, which is why we can't resolve . to an IP address, as depicted below:
C:\Users\Harmandeep>dig @8.8.8.8 .

; <<>> DiG 9.3.2 <<>> @8.8.8.8 .
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1907
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;.                              IN      A

;; AUTHORITY SECTION:
.                       257     IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2013021200 1800 900 604800 86400

;; Query time: 88 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Feb 12 16:09:39 2013
;; MSG SIZE  rcvd: 92
As per DIG, we issued ONE Query and received ZERO Answers.
…
NSLOOKUP also reveals that the Root DNS Domain Name isn't mapped to an IP Address, i.e. there is no A RR for .
NSLOOKUP
> .
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:
We can see that the Root DNS Domain NS Servers are named a.root-servers.net, b.root-servers.net, … i.e. these NS Servers lie beneath the NET. DNS Domain hierarchy.
Now we gather information on the gTLD Domains – COM. and NET. – and their associated NS Servers:
C:\Users\Harmandeep>nslookup
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> set q=ns
> com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
com     nameserver = k.gtld-servers.net
com     nameserver = a.gtld-servers.net
com     nameserver = g.gtld-servers.net
com     nameserver = b.gtld-servers.net
com     nameserver = e.gtld-servers.net
com     nameserver = c.gtld-servers.net
com     nameserver = j.gtld-servers.net
com     nameserver = h.gtld-servers.net
com     nameserver = d.gtld-servers.net
com     nameserver = i.gtld-servers.net
com     nameserver = l.gtld-servers.net
com     nameserver = f.gtld-servers.net
com     nameserver = m.gtld-servers.net

> net
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
net     nameserver = b.gtld-servers.net
net     nameserver = c.gtld-servers.net
net     nameserver = g.gtld-servers.net
net     nameserver = e.gtld-servers.net
net     nameserver = h.gtld-servers.net
net     nameserver = m.gtld-servers.net
net     nameserver = k.gtld-servers.net
net     nameserver = i.gtld-servers.net
net     nameserver = j.gtld-servers.net
net     nameserver = a.gtld-servers.net
net     nameserver = d.gtld-servers.net
net     nameserver = l.gtld-servers.net
net     nameserver = f.gtld-servers.net
We can see that the COM. and NET. gTLD DNS Domain NS Servers are named a.gtld-servers.net, b.gtld-servers.net, … i.e. these NS Servers lie beneath the NET. DNS Domain hierarchy (as in the Root DNS Domain NS Servers case).
Also, we can't resolve the COM. | NET. DNS Domain Names to an IP Address, as no A RR has been mapped to these FQDNs, as depicted below:
C:\>dig @8.8.8.8 com.

; <<>> DiG 9.3.2 <<>> @8.8.8.8 com.
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1012
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;com.                           IN      A

;; AUTHORITY SECTION:
com.                    65      IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1360665900 1800 900 604800 86400

;; Query time: 127 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Feb 12 16:29:14 2013
;; MSG SIZE  rcvd: 94
…
C:\>dig @8.8.8.8 net.

; <<>> DiG 9.3.2 <<>> @8.8.8.8 net.
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1404
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;net.                           IN      A

;; AUTHORITY SECTION:
net.                    539     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1360666379 1800 900 604800 86400

;; Query time: 109 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Feb 12 16:29:18 2013
;; MSG SIZE  rcvd: 94
NSLOOKUP also reveals that no A RR has been mapped to COM. and NET., and thus we can't resolve these FQDNs:
NSLOOKUP
> com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    com.

NSLOOKUP
> net
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    net.
Now we gather information on Second Level Domain NS Servers, such as the Yahoo.com. NS Servers:
NSLOOKUP
> set q=ns
> yahoo.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
yahoo.com       nameserver = ns6.yahoo.com
yahoo.com       nameserver = ns4.yahoo.com
yahoo.com       nameserver = ns1.yahoo.com
yahoo.com       nameserver = ns5.yahoo.com
yahoo.com       nameserver = ns8.yahoo.com
yahoo.com       nameserver = ns2.yahoo.com
yahoo.com       nameserver = ns3.yahoo.com
We can see that the YAHOO.COM. DNS Domain NS Servers are named ns1.yahoo.com, ns2.yahoo.com, … i.e. these NS Servers lie beneath the YAHOO.COM. DNS Domain hierarchy.
Now we list the Real World DNS Infrastructure and its Equivalent Virtual Setup:
Real World DNS Infrastructure
| Type | NS – FQDN | NS – A RR | NS – FQDN | NS – A RR |
|---|---|---|---|---|
| Root Servers | a.root-servers.net | 198.41.0.4 | b.root-servers.net | 192.228.79.201 |
| gTLD Servers | a.gtld-servers.net | 192.5.6.30 | b.gtld-servers.net | 192.33.14.30 |
| Yahoo.com | ns1.yahoo.com | 68.180.131.16 | ns2.yahoo.com | 68.142.255.16 |
| WordPress.com | ns1.wordpress.com | 72.233.69.14 | ns2.wordpress.com | 69.174.248.148 |
…
Equivalent Virtual Setup
We will create two Root Servers, two gTLD Servers and two NS Servers per Second Level Domain – details highlighted below:
| Type | NS – FQDN | NS – A RR | NS – FQDN | NS – A RR |
|---|---|---|---|---|
| Root Servers | a.root-servers.net | 10.0.0.11 | b.root-servers.net | 10.0.0.12 |
| gTLD Servers | a.gtld-servers.net | 10.0.0.13 | b.gtld-servers.net | 10.0.0.14 |
| Yahoo.com | ns1.yahoo.com | 10.0.0.15 | ns2.yahoo.com | 10.0.0.16 |
| WordPress.com | ns1.wordpress.com | 10.0.0.17 | ns2.wordpress.com | 10.0.0.18 |
Now we discuss the Windows DNS Server setup and configuration for the Root Domain DNS Zone, the gTLD DNS Zones COM. and NET., and the Second Level Domain DNS Zones Yahoo.com | WordPress.com.
Root Server – 10.0.0.11 Configuration:
1) Create Primary DNS Zone "." and set NS Servers as "a.root-servers.net - 10.0.0.11"
and "b.root-servers.net - 10.0.0.12".
2) Create DNS Delegations on 10.0.0.11 for the NET. and COM. Domains, with:
COM. delegated NS Servers pointing to "a.gtld-servers.net - 10.0.0.13"
and "b.gtld-servers.net - 10.0.0.14"
NET. delegated NS Servers pointing to "a.gtld-servers.net - 10.0.0.13"
and "b.gtld-servers.net - 10.0.0.14"
3) Zone Transfers of the Root Zone allowed to "b.root-servers.net - 10.0.0.12"
4) Create Secondary DNS Zone "." on 10.0.0.12 with Primary Server set
to 10.0.0.11, and initiate DNS Zone Transfer.
5) Disable Recursion on the a.root-servers.net. & b.root-servers.net. NS Servers
gTLD Server – 10.0.0.13 Configuration:
1) Create Primary DNS Zone - COM and set NS Servers as
"a.gtld-servers.net - 10.0.0.13" | "b.gtld-servers.net - 10.0.0.14"
2) Create Primary DNS Zone - NET and set NS Servers as
"a.gtld-servers.net - 10.0.0.13" | "b.gtld-servers.net - 10.0.0.14"
3) Create new Domain - "gtld-servers" under the NET Domain with these A RRs:
"a.gtld-servers.net - 10.0.0.13" | "b.gtld-servers.net - 10.0.0.14"
4) Create new Domain - "root-servers" under the NET Domain with these A RRs:
"a.root-servers.net - 10.0.0.11" | "b.root-servers.net - 10.0.0.12"
5) Set Root Hints on "a.gtld-servers.net - 10.0.0.13" and
"b.gtld-servers.net - 10.0.0.14" as
"a.root-servers.net - 10.0.0.11" & "b.root-servers.net - 10.0.0.12"
6) Disable Recursion on the a.gtld-servers.net & b.gtld-servers.net NS Servers
7) Zone Transfers of the COM. and NET. DNS Zones allowed to
"b.gtld-servers.net - 10.0.0.14"
8) Create Secondary DNS Zones "COM." and "NET." on 10.0.0.14 with
Primary Server set to 10.0.0.13, and initiate DNS Zone Transfer.
9) Create DNS Delegations for the Second Level Domains as:
Yahoo.com - Delegated to - "ns1.yahoo.com - 10.0.0.15" &
"ns2.yahoo.com - 10.0.0.16"
WordPress.com - Delegated to - "ns1.wordpress.com - 10.0.0.17" &
"ns2.wordpress.com - 10.0.0.18"
Second Level Domain – Yahoo.com – NS Server – 10.0.0.15 – Configuration:
1) Create Primary DNS Zone - Yahoo.com
2) Disable Recursion on ns1.yahoo.com & ns2.yahoo.com NS Server
3) Set Root Hints on ns1.yahoo.com & ns2.yahoo.com as
"a.root-servers.net - 10.0.0.11" | "b.root-servers.net - 10.0.0.12"
4) Zone Transfers of Yahoo.com Zone allowed to - "ns2.yahoo.com - 10.0.0.16"
5) Create Secondary DNS Zone "Yahoo.com." on 10.0.0.16 with Primary Server set
to 10.0.0.15 - and initiate DNS Zone Transfer.
Second Level Domain – WordPress.com – NS Server – 10.0.0.17 – Configuration:
1) Create Primary DNS Zone - WordPress.com
2) Disable Recursion on ns1.wordpress.com & ns2.wordpress.com NS Server
3) Set Root Hints on ns1.wordpress.com & ns2.wordpress.com as
"a.root-servers.net - 10.0.0.11" | "b.root-servers.net - 10.0.0.12"
4) Zone Transfers of wordpress.com Zone allowed to - "ns2.wordpress.com - 10.0.0.18"
5) Create Secondary DNS Zone "Wordpress.com." on 10.0.0.18 with Primary Server set
to 10.0.0.17 - and initiate DNS Zone Transfer.
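The hierarchy these steps produce, modelled in Python as an added example that is not the post's or Microsoft's code (no real DNS server or wire protocol is involved): each 10.0.0.x server holds the zone data the steps above load, answer() applies the rules an authoritative server with recursion disabled follows (answer, referral with glue, NODATA/NXDOMAIN with the SOA, or REFUSED for a name outside its zones), and resolve() walks from the root hints the way dig +trace does. It also reproduces two observations from the real-world queries earlier: a query for ". A" or "com. A" returns NOERROR with no answer and only the SOA, and a.gtld-servers.net. under NET. is reachable only because the delegation carries glue A records. The 10.10.10.x host addresses are the ones in the post's dig output; the SOA fields and the hostmaster.example mailbox are constructed sample values.

```python
"""Model of the hierarchy built in the configuration steps above: two root servers,
two gTLD servers for COM./NET. (holding the gtld-servers/root-servers glue under NET.)
and the Yahoo.com / WordPress.com zones. Added illustration, not the post's or
Microsoft's code: no wire protocol, only zone data plus the rules an authoritative
server with recursion disabled applies. SOA fields/mailbox are constructed values."""

ZONE_TEXT = {  # zone apex -> "owner TYPE rdata" lines, as loaded into each primary zone
    ".": """. SOA a.root-servers.net. hostmaster.example. 1 1800 900 604800 86400
        . NS a.root-servers.net.
        . NS b.root-servers.net.
        com. NS a.gtld-servers.net.
        com. NS b.gtld-servers.net.
        net. NS a.gtld-servers.net.
        net. NS b.gtld-servers.net.
        a.gtld-servers.net. A 10.0.0.13
        b.gtld-servers.net. A 10.0.0.14""",
    "com.": """com. SOA a.gtld-servers.net. hostmaster.example. 1 1800 900 604800 86400
        com. NS a.gtld-servers.net.
        com. NS b.gtld-servers.net.
        yahoo.com. NS ns1.yahoo.com.
        yahoo.com. NS ns2.yahoo.com.
        ns1.yahoo.com. A 10.0.0.15
        ns2.yahoo.com. A 10.0.0.16
        wordpress.com. NS ns1.wordpress.com.
        wordpress.com. NS ns2.wordpress.com.
        ns1.wordpress.com. A 10.0.0.17
        ns2.wordpress.com. A 10.0.0.18""",
    "net.": """net. SOA a.gtld-servers.net. hostmaster.example. 1 1800 900 604800 86400
        net. NS a.gtld-servers.net.
        net. NS b.gtld-servers.net.
        a.gtld-servers.net. A 10.0.0.13
        b.gtld-servers.net. A 10.0.0.14
        a.root-servers.net. A 10.0.0.11
        b.root-servers.net. A 10.0.0.12""",
    "yahoo.com.": """yahoo.com. SOA ns1.yahoo.com. hostmaster.example. 1 1800 900 604800 86400
        yahoo.com. NS ns1.yahoo.com.
        yahoo.com. NS ns2.yahoo.com.
        ns1.yahoo.com. A 10.0.0.15
        ns2.yahoo.com. A 10.0.0.16
        yahoo.com. A 10.10.10.10""",
    "wordpress.com.": """wordpress.com. SOA ns1.wordpress.com. hostmaster.example. 1 1800 900 604800 86400
        wordpress.com. NS ns1.wordpress.com.
        wordpress.com. NS ns2.wordpress.com.
        ns1.wordpress.com. A 10.0.0.17
        ns2.wordpress.com. A 10.0.0.18
        wordpress.com. A 10.10.10.11""",
}
ZONES = {z: [tuple(l.split(None, 2)) for l in t.splitlines()] for z, t in ZONE_TEXT.items()}
SERVERS = {"10.0.0.11": ["."], "10.0.0.12": ["."], "10.0.0.13": ["com.", "net."],  # zones per server
           "10.0.0.14": ["com.", "net."], "10.0.0.15": ["yahoo.com."], "10.0.0.16": ["yahoo.com."],
           "10.0.0.17": ["wordpress.com."], "10.0.0.18": ["wordpress.com."]}
ROOT_HINTS = {"a.root-servers.net.": "10.0.0.11", "b.root-servers.net.": "10.0.0.12"}


def in_zone(name, zone):
    """True when name is zone's apex or lies beneath it (every name lies beneath ".")."""
    return zone == "." or name == zone or name.endswith("." + zone)


def answer(server_ip, qname, qtype):
    """Reply of a server with recursion disabled: answer, referral, NODATA/NXDOMAIN, or REFUSED."""
    zones = [z for z in SERVERS[server_ip] if in_zone(qname, z)]
    if not zones:
        return {"rcode": "REFUSED", "answer": [], "authority": [], "additional": []}
    rrs = ZONES[max(zones, key=len)]  # most specific zone this server hosts; rrs[0] is its SOA
    # a delegation point (NS owner below the apex) covering qname means: refer, do not answer
    for cut in sorted({o for o, t, _ in rrs if t == "NS" and o != rrs[0][0]}, key=len, reverse=True):
        if in_zone(qname, cut):
            ns = [r for o, t, r in rrs if o == cut and t == "NS"]
            return {"rcode": "NOERROR", "answer": [], "authority": [(cut, "NS", n) for n in ns],
                    "additional": [(o, t, r) for o, t, r in rrs if t == "A" and o in ns]}  # glue
    found = [(o, t, r) for o, t, r in rrs if o == qname and t == qtype]
    if found:
        return {"rcode": "NOERROR", "answer": found, "authority": [], "additional": []}
    # name present without that type (NODATA, what ". A" and "com. A" showed above) or absent
    rcode = "NOERROR" if any(o == qname for o, _, _ in rrs) else "NXDOMAIN"
    return {"rcode": rcode, "answer": [], "authority": [rrs[0]], "additional": []}


def resolve(qname, qtype, depth=0):
    """Walk from the root hints as dig +trace does; one (server_name, ip, reply) tuple per hop."""
    trace, candidates = [], dict(ROOT_HINTS)
    while candidates:
        name, ip = sorted(candidates.items())[0]  # dig asks one server per hop; take the first
        reply = answer(ip, qname, qtype)
        trace.append((name, ip, reply))
        referral = [r for _, t, r in reply["authority"] if t == "NS"]
        if reply["rcode"] != "NOERROR" or reply["answer"] or not referral:
            return trace
        glue = {o: r for o, _, r in reply["additional"]}
        candidates = {n: glue[n] for n in referral if n in glue}
        if not candidates:  # no glue: the NS names must first be resolved from the root themselves
            if depth > 2:  # a glue-less in-bailiwick delegation (net. -> a.gtld-servers.net.) loops here
                raise RuntimeError(f"delegation loop while resolving {qname}")
            for n in referral:
                candidates.update({n: r for _, _, r in resolve(n, "A", depth + 1)[-1][2]["answer"]})
    raise RuntimeError(f"cannot reach the name servers for {qname}")


if __name__ == "__main__":
    for name, ip, reply in resolve("yahoo.com.", "A"):
        print(f"{ip} ({name}): {reply['rcode']} {reply['answer'] or reply['authority']}")
```

Running it prints the three hops of the yahoo.com walk (10.0.0.11 refers to COM., 10.0.0.13 refers to yahoo.com., 10.0.0.15 answers). Deleting the glue A records from the root zone makes resolve() chase a.gtld-servers.net., which needs the very NET. delegation it is trying to reach, and the depth guard raises RuntimeError: that circular dependency is what the glue in the delegation, and the "gtld-servers" A RRs under NET., exist to break. A query sent to an authoritative server for a name outside its zones comes back REFUSED, which is the effect of "Disable Recursion" in the steps above.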
We now create an additional DNS Server – running the Windows Server 2008 R2 Sp1, Enterprise release, with IP address 10.0.0.21 – which will act as a Public DNS Server – such as 8.8.8.8 [google-public-dns-a.google.com] – and will perform standard Recursion for incoming DNS Queries. On 10.0.0.21, we simply set the Root Hints to "a.root-servers.net – 10.0.0.11" & "b.root-servers.net – 10.0.0.12" – depicted below:
Now, the reason for using the Server 2008 R2 release instead of Server 2003 is that the DNS Server package in 2003 doesn't entertain / respond to the Root Servers NS Query, which DIG Iteration (+trace) relies on. DIG uses the Root Servers NS Query to procure the Root Domain NS Servers list from the default DNS Server or an explicitly specified DNS Server. In DIG, the DNS Server is specified explicitly with @.
We will use DIG Iteration (+trace) to validate our Simulated Public DNS Infrastructure. On 10.0.0.21, we execute DIG with the +trace and @ options, as seen below:
Yahoo.com – Simulated – DIG Results:
C:\>dig-files3\dig.exe +trace yahoo.com @127.0.0.1

; <<>> DiG 9.3.2 <<>> +trace yahoo.com @127.0.0.1
; (1 server found)
;; global options:  printcmd
.                       3600    IN      NS      b.root-servers.net.
.                       3600    IN      NS      a.root-servers.net.
;; Received 97 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    3600    IN      NS      a.gtld-servers.net.
com.                    3600    IN      NS      b.gtld-servers.net.
;; Received 110 bytes from 10.0.0.12#53(b.root-servers.net) in 0 ms

yahoo.com.              3600    IN      NS      ns2.yahoo.com.
yahoo.com.              3600    IN      NS      ns1.yahoo.com.
;; Received 104 bytes from 10.0.0.13#53(a.gtld-servers.net) in 0 ms

yahoo.com.              3600    IN      A       10.10.10.10
;; Received 43 bytes from 10.0.0.16#53(ns2.yahoo.com) in 0 ms
Compare the Simulated DIG results shown above with the Real World Public DNS Infrastructure DIG results shown below (excerpts):
Yahoo.com – Real World – DIG Results:
C:\Users\Harmandeep>dig @8.8.8.8 +trace yahoo.com

; <<>> DiG 9.3.2 <<>> @8.8.8.8 +trace yahoo.com
; (1 server found)
;; global options:  printcmd
.                       13194   IN      NS      a.root-servers.net.
.                       13194   IN      NS      b.root-servers.net.
...
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 62 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
...
;; Received 487 bytes from 193.0.14.129#53(k.root-servers.net) in 27 ms

yahoo.com.              172800  IN      NS      ns1.yahoo.com.
yahoo.com.              172800  IN      NS      ns2.yahoo.com.
...
;; Received 197 bytes from 192.5.6.30#53(a.gtld-servers.net) in 327 ms

yahoo.com.              1800    IN      A       98.138.253.109
yahoo.com.              1800    IN      A       206.190.36.45
yahoo.com.              1800    IN      A       98.139.183.24
yahoo.com.              172800  IN      NS      ns1.yahoo.com.
yahoo.com.              172800  IN      NS      ns2.yahoo.com.
...
;; Received 313 bytes from 68.180.131.16#53(ns1.yahoo.com) in 179 ms
WordPress.com – Simulated – DIG Results:
C:\>dig-files3\dig.exe +trace wordpress.com @127.0.0.1

; <<>> DiG 9.3.2 <<>> +trace wordpress.com @127.0.0.1
; (1 server found)
;; global options:  printcmd
.                       3600    IN      NS      a.root-servers.net.
.                       3600    IN      NS      b.root-servers.net.
;; Received 97 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    3600    IN      NS      a.gtld-servers.net.
com.                    3600    IN      NS      b.gtld-servers.net.
;; Received 114 bytes from 10.0.0.11#53(a.root-servers.net) in 0 ms

wordpress.com.          3600    IN      NS      ns1.wordpress.com.
wordpress.com.          3600    IN      NS      ns2.wordpress.com.
;; Received 112 bytes from 10.0.0.13#53(a.gtld-servers.net) in 0 ms

wordpress.com.          3600    IN      A       10.10.10.11
;; Received 47 bytes from 10.0.0.17#53(ns1.wordpress.com) in 0 ms
WordPress.com – Real World – DIG Results:
C:\Users\Harmandeep>dig @8.8.8.8 +trace wordpress.com

; <<>> DiG 9.3.2 <<>> @8.8.8.8 +trace wordpress.com
; (1 server found)
;; global options:  printcmd
.                       12703   IN      NS      a.root-servers.net.
.                       12703   IN      NS      b.root-servers.net.
...
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 138 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
...
;; Received 491 bytes from 193.0.14.129#53(k.root-servers.net) in 29 ms

wordpress.com.          172800  IN      NS      ns1.wordpress.com.
wordpress.com.          172800  IN      NS      ns2.wordpress.com.
...
;; Received 235 bytes from 192.5.6.30#53(a.gtld-servers.net) in 576 ms

wordpress.com.          300     IN      A       72.233.104.124
wordpress.com.          300     IN      A       66.155.11.243
wordpress.com.          14400   IN      NS      ns1.wordpress.com.
wordpress.com.          14400   IN      NS      ns2.wordpress.com.
...
;; Received 267 bytes from 72.233.69.14#53(ns1.wordpress.com) in 547 ms
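A check for +trace output like the results above, added here as an example that is not from the post: parse_trace() splits dig's transcript into hops, check_chain() verifies that each hop after the first was answered by a server named in the previous hop's NS referral, and final_answer() pulls the A records from the last hop. SAMPLE is the post's simulated yahoo.com trace, re-broken into the lines dig 9.3.2 prints; the hop names, addresses and TTLs are the post's own. On the real-world excerpts above, hop 2 (k.root-servers.net) would be reported only because the excerpt elides all but two of the root NS lines; on a full transcript the chain passes.

```python
"""Checker for dig +trace transcripts such as the results above. Added example,
not from the post: it parses the hops dig prints and confirms that every hop after
the first was answered by a server named in the previous hop's NS referral, so a
hop that strays outside the delegation chain is reported. SAMPLE is the post's
simulated yahoo.com trace, re-broken into the lines dig 9.3.2 prints."""

import re

SAMPLE = """\
; <<>> DiG 9.3.2 <<>> +trace yahoo.com @127.0.0.1
; (1 server found)
;; global options:  printcmd
.                       3600    IN      NS      b.root-servers.net.
.                       3600    IN      NS      a.root-servers.net.
;; Received 97 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    3600    IN      NS      a.gtld-servers.net.
com.                    3600    IN      NS      b.gtld-servers.net.
;; Received 110 bytes from 10.0.0.12#53(b.root-servers.net) in 0 ms

yahoo.com.              3600    IN      NS      ns2.yahoo.com.
yahoo.com.              3600    IN      NS      ns1.yahoo.com.
;; Received 104 bytes from 10.0.0.13#53(a.gtld-servers.net) in 0 ms

yahoo.com.              3600    IN      A       10.10.10.10
;; Received 43 bytes from 10.0.0.16#53(ns2.yahoo.com) in 0 ms
"""

# "owner  ttl  IN  type  rdata" lines; comment lines start with ';' and never carry a numeric TTL
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*$")
RECV_LINE = re.compile(r"^;; Received \d+ bytes from ([\w.:]+)#\d+\(([^)]+)\)")


def parse_trace(text):
    """Split a +trace transcript into hops: each hop holds the records printed before
    a ';; Received' line plus the address and name of the server that sent them."""
    hops, pending = [], []
    for line in text.splitlines():
        m = RR_LINE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            pending.append((owner, int(ttl), rtype, rdata))
            continue
        m = RECV_LINE.match(line)
        if m:
            hops.append({"ip": m.group(1), "server": m.group(2), "records": pending})
            pending = []
    return hops


def check_chain(hops):
    """Findings for hops answered by a server the previous referral did not name.
    Hop 1 is exempt: it is the recursive server handing over its root NS list."""
    findings = []
    for i in range(1, len(hops)):
        allowed = {r[3].rstrip(".").lower() for r in hops[i - 1]["records"] if r[2] == "NS"}
        server = hops[i]["server"].rstrip(".").lower()
        if server not in allowed:
            findings.append(f"hop {i + 1}: answered by {server} ({hops[i]['ip']}), "
                            f"not one of {sorted(allowed)}")
    return findings


def final_answer(hops, rtype="A"):
    """rdata of the requested type in the last hop, i.e. what the authoritative server returned."""
    return [r[3] for r in hops[-1]["records"] if r[2] == rtype] if hops else []


if __name__ == "__main__":
    hops = parse_trace(SAMPLE)
    print(len(hops), "hops; findings:", check_chain(hops) or "none")
    print("answer:", final_answer(hops))
```

A finding on a complete transcript (not an excerpt) means a hop was answered by a server the parent zone never delegated to: either the default resolver answered from its cache instead of following the referral, or the resolution path has been changed somewhere, which is the kind of deviation worth comparing against the expected chain from the tables above.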
Additional DNS Server – 10.0.0.21 – Cache also displays Simulated DNS Namespace Hierarchy, as seen below:
So, we have successfully simulated the Public DNS Infrastructure, Hierarchy and Name Resolution process in its entirety using the Windows Server 2003, Sp2 Enterprise release.
Click Here to continue with Part III, where we simulate this same setup but using BIND with RHEL 5.2 release.
Hope this Helps and Cheers
Your feedback is highly appreciated.
WaheGuru G Ka Khalsa, WaheGuru G Ki Fateh
Posted on February 6, 2013, in DNS and tagged a.gtld-servers.net, a.root-servers.net, b.gtld-servers.net, b.root-servers.net, delegated, Delegation, DIG, dns, GTLD, host, How, iteration, iterative, NS Query, ns1.wordpress.com, ns1.yahoo.com, ns2.wordpress.com, ns2.yahoo.com, Part, part I, Part II, Part III, public, recursion, server, simulation, trace, wordpress.com, works, yahoo.com.