Friday, 15 April 2016

Oversimplified DNS

Find All Name Servers

GOALS: Find every name server that may be authoritative for your domain. Make sure that all are authoritative, and that WHOIS has a list of all of them (and no others).
BACKGROUND: Every domain name is required to have a primary nameserver (only one), and at least one secondary nameserver. This is to help ensure that all domains are reachable. For example, if you have 3 separate offices, and one of them suffers a disaster, that shouldn't prevent people from being able to reach the other two offices.
The WHOIS database lists all the authoritative nameservers (ones that get updated automatically when you make changes) for your domain. This list is published on the name servers for your Top Level Domain (such as .com). Anyone in the world trying to reach your domain will get that list, and go to one of the nameservers to resolve a name within your domain.


Step 2a: Find out what the root servers think your nameservers are
To do this, you will need to use a program that can generate DNS requests (such as NSLOOKUP on Windows or DIG). My favorite program for this is Sam Spade. Or, you can go to a web site that allows these requests, such as http://www.samspade.org/.
First, find the name servers for your Top Level Domain (such as .com if you have the domain example.com). With NSLOOKUP, type "set type=NS" (to get the NS, or nameserver, records) and then enter your top level domain ("com" or "uk" or whatever). You will get a list of the TLD's nameservers (for .com these have names like a.gtld-servers.net). Type "server " followed by the first nameserver in the list (for example, "server a.gtld-servers.net"). Then, enter your domain name ("example.com"). Now you will have the list of servers that the TLD's servers think are authoritative for your domain.
With DIG, enter your top level domain ("com") as the domain to look up (or, from the command line, type "dig @default.dnsserver com NS", where "default.dnsserver" is your normal DNS server). Look at the "NS" entries in the results, take the top one, and enter it as the nameserver to use. Then, as the domain to look up, enter your domain name (or type "dig @a.gtld-servers.net example.com NS", where the TLD server goes after the "@" and your domain name follows it). This should return just the name servers for your domain; because a TLD server answers with a referral, the records appear in the AUTHORITY section rather than the ANSWER section. Either way, look only at entries with " NS " in them.
Problem? If there are any nameservers listed here that are NOT listed in WHOIS, or there are any nameservers listed in WHOIS that are NOT listed here, there is a problem. Contact the company that gave you your domain name (your registrar) for help.
Add these to your list of nameservers from WHOIS that you got in Step 1.


Step 2b: Find out what your name servers say your nameservers are
For this step, do exactly what you did in Step 2a, except this time use the first one of the name servers you have written down as the DNS server to use, and use your domain name as the domain to look up.
Using NSLOOKUP, type "server nameserver.example.com" (where nameserver.example.com is the first name server on the list you wrote down), then "set type=ns", and then enter your domain name. If there are any name servers listed here that are not on your list, add them to the list.
Or, using DIG, enter the first name server you wrote down as the name server to use, and then your domain name as the domain to look up. Or, from the command line, type "dig @nameserver.example.com example.com NS". If there are any name servers listed here that are not on your list, add them to the list (only look at entries with " NS " in them).
Problem? If any name server you check here returns a name server that was NOT listed in WHOIS, it is called a "missing nameserver", and is an error. If the name server listed is authoritative for your domain (see steps below), it MUST (RFC882 p.25) be added to the WHOIS listing. If it is NOT authoritative for your domain, it MUST be taken out of the nameserver it was listed in.
Problem? If any name server you check here does NOT return one of the name servers listed in WHOIS, there is a problem. If the name server listed in WHOIS IS authoritative for your domain (see steps below), it MUST be added to your nameservers. If it is NOT authoritative, it MUST be taken out of WHOIS (but you MUST have at least 2 nameservers listed in there). Repeat this step for EVERY name server on your list -- even ones you may have just added.


Step 2c: Test every name server
You need to make sure that every name server on your list is authoritative for your domain.
With DIG, use the first name server on your list as the name server to use, and enter your domain name as the domain to look up (or, from the command line, type "dig @nameserver.example.com example.com NS"). In the header of the reply, look at the ";; flags:" line: "aa" (authoritative answer) is present if the server is authoritative for your domain and absent if it is not (NSLOOKUP reports the latter as "Non-authoritative answer").
Problem? If the name server is NOT authoritative for your domain, you have a "lame delegation." If this server is not authoritative, and it is listed as an NS record in your domain (step 2b), it MUST be taken out. If this server is not authoritative, and it is listed in WHOIS, it MUST be taken out (but, you MUST also have at least 2 name servers listed in WHOIS).
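The checks in steps 2a to 2c as one script, added here as an example and not code from the original post or from rscott.org: it parses the text output of "dig @server example.com NS" for each server and reports delegation mismatches, missing nameservers and lame delegations against the WHOIS list. The dig output, the WHOIS list and the delegation it works on are constructed sample data; in practice you paste in the output of your own dig queries.

```python
# Added example, not code from the original post or rscott.org: steps 2a-2c as
# offline checks over dig text output. All dig output below is constructed sample data.

def parse_dig(text):
    """Return (aa_flag, set of NS targets) parsed from dig's text output."""
    aa, ns = False, set()
    for line in text.splitlines():
        if line.startswith(";; flags:"):
            flags = line.split("flags:", 1)[1].split(";", 1)[0].split()
            aa = "aa" in flags              # only present on authoritative answers
        elif line.strip() and not line.startswith(";"):
            f = line.split()                # owner ttl class type rdata
            if len(f) >= 5 and f[3] == "NS":
                ns.add(f[4].rstrip(".").lower())
    return aa, ns

def audit(whois, delegation, answers):
    """Compare WHOIS, the TLD delegation and each server's own NS set."""
    problems = []
    if len(whois) < 2:
        problems.append("WHOIS lists fewer than 2 name servers")
    for s in sorted(delegation - whois):
        problems.append(f"{s}: delegated by the TLD servers but not in WHOIS")
    for s in sorted(whois - delegation):
        problems.append(f"{s}: in WHOIS but not delegated by the TLD servers")
    for server, text in answers.items():
        aa, ns = parse_dig(text)
        if not aa:
            problems.append(f"{server}: lame delegation (no aa flag)")
        for s in sorted(ns - whois):
            problems.append(f"{server}: lists missing nameserver {s}")
        for s in sorted(whois - ns):
            problems.append(f"{server}: does not list {s}")
    return problems

# Constructed sample: ns1 is authoritative; ns2 is lame and advertises an unknown ns3.
NS1_OUT = """;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
example.com.\t3600\tIN\tNS\tns1.example.com.
example.com.\t3600\tIN\tNS\tns2.example.com.
"""
NS2_OUT = """;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
example.com.\t3600\tIN\tNS\tns1.example.com.
example.com.\t3600\tIN\tNS\tns2.example.com.
example.com.\t3600\tIN\tNS\tns3.example.com.
"""
WHOIS = DELEGATION = {"ns1.example.com", "ns2.example.com"}

def run_sample():
    return audit(WHOIS, DELEGATION, {"ns1.example.com": NS1_OUT, "ns2.example.com": NS2_OUT})
```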


Step 2d: Sanity Checks

  • You MUST have ONLY ONE primary nameserver. You will check this later in the step for SOA (Start of Authority) records, where the primary server is listed. 
  • You MUST have AT LEAST ONE secondary nameserver. That means that WHOIS, the root servers, and all your name servers MUST list at least two name servers that are authoritative for your domain. You may have more than one secondary nameserver (4 to 7 SHOULD be the maximum). 
  • Your secondary nameserver(s) MUST get their information directly from your primary nameserver, and check it periodically (how often is based on the SOA record fields) for updates.
From http://rscott.org/dns/ns.html, part of http://rscott.org/dns/