Score:0

What is the behavior of a DNS resolver if one authoritative name server does not have particular record but another one does


Say I have sent a query for TXT record for m1._domainkey.amazon.com

nslookup -q=txt m1._domainkey.amazon.com

Say the authoritative nameservers for amazon.com are

amazon.com  nameserver = ns1.amzndns.com.
amazon.com  nameserver = ns1.amzndns.org.
amazon.com  nameserver = ns1.amzndns.net.

What would happen if this TXT record is NOT present on the first authoritative nameserver the resolver queries, ns1.amzndns.com, but it IS present on another, ns1.amzndns.org? Is it typical for the resolver to continue querying name servers until it gets an answer?

In practice, I have seen that I will get the TXT record even though it is not on all nameservers.

Please include documentation/reference in your answer so I can independently study this.

Thanks for reading.

HBruijn
The Wikipedia article is a pretty good resource and annotates all underlying RFCs by the way. https://en.m.wikipedia.org/wiki/Domain_Name_System
HBruijn
A resolver connects to one (more or less random) of your authoritative name servers and gets an authoritative answer to the query. That answer will be taken as gospel and truth. (When you fail to keep your authoritative name servers synchronized, which version of the truth your resolver gets depends on which server is used, but the underlying principle is: the authoritative server provides the definitive answer: either the queried resource OR an NXDOMAIN, the resource does not exist.)
Score:4

The authoritative name servers set a protocol flag, called the "Authoritative Answer" (AA) bit, in their responses, and the resolver takes that response as truth.

When the response is affirmative, the response will contain the requested resource record.

When the authoritative name server does not have that resource record, the response will be a NXDOMAIN message.

When your authoritative name servers are inconsistent, the response a client gets will depend on which authoritative name server was queried. And that response will be considered the truth.

Is it typical for the resolver to continue querying name servers until it gets an answer?

Yes, but only when the first name server(s) do not respond at all.

Once any (positive or negative) response is received the resolver won't need to query your other name servers.

(It's not like your resolver behaves like a six year old, that when one parent gives one answer, they will go to their other parent hoping that they will get a different answer that they'll like better.)

Hassu
Thanks, that answers my question
Score:2

The behavior of resolvers is implementation-dependent.

Microsoft Windows 10 for example, queries all name servers in parallel. The client will use the first server to respond, even if it is a negative response.

If a client queries name servers sequentially, it will do so, and time out if a response is not received and proceed to the next configured name server. When a response is received, the query is finished, even if it is a negative response.

What will not occur is the client waiting for all name servers to respond. The client will not use multiple responses, only the first response.

If Amazon has 100 name servers, and only one has a resource record, and a client queries one of the other 99 name servers, it will receive a negative response for the resource record.

https://superuser.com/questions/969171/multihomed-windows-10-dns-resolution-timeouts/970322#970322

In practice, I have seen that I will get the TXT record even though it is not on all nameservers.

If you have questions about a record, feel free to share the record that reproduces the behavior, including client details, so we can reproduce it.


More information:

Microsoft introduced parallel name resolution for A/AAAA records due to numerous incidents where name servers had been configured incorrectly. This usually caused major problems when non-primary name servers were queried due to the primary being unavailable. The iterative resolution process has timeouts, and each level may have different timeouts, and a cumulative timeout. There are also rules for using results from multiple network adapters. This led to scenarios where some organizations had configured four or five name servers for purposes of high availability. Unfortunately the process times out after the third server, so the DNS strategy was invalid, the disaster recovery strategy was invalid, and it caused other problems of its own.


When using nslookup, to simulate the behavior of a resolver and perform an iterative query against a specific name server, use the -norecurse switch.

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/nslookup-set-recurse
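Both answers above describe the same decision rule: the first authoritative response, positive or negative, ends the query, and only a server that does not answer at all makes the resolver move on. The following added example (written for this page, not code from either answerer or from any resolver) models that rule on constructed 12-byte DNS response headers, distinguishing NXDOMAIN from a NODATA reply (NOERROR with no answer records, which is what a server returns when the name exists but has no TXT record), and adds an audit function that checks every listed server for disagreement, the check an operator would run with `dig +norecurse @server` against real servers. The server names are the ones from the question; the responses and timeout are constructed sample data.

```python
import struct
from typing import Dict, List, Optional, Tuple

# RCODE values from the DNS header; only the header is needed for the decision.
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3

def build_header(qid: int, aa: bool, rcode: int, ancount: int) -> bytes:
    flags = (1 << 15) | (int(aa) << 10) | (rcode & 0xF)   # QR | AA | RCODE
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)

def classify(msg: bytes) -> str:
    """Interpret a response as a resolver does: AA bit, RCODE and answer count."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    if not flags & 0x0400:
        return "non-authoritative"          # not what an auth server should send
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"                   # the name does not exist at all
    if rcode == RCODE_NOERROR:
        return "positive" if ancount else "nodata"  # NODATA: name exists, no TXT
    return f"rcode{rcode}"

# Constructed sample data: server -> response bytes, or None for a timeout.
RESPONSES: Dict[str, Optional[bytes]] = {
    "ns1.amzndns.com": build_header(0x1234, True, RCODE_NXDOMAIN, 0),
    "ns1.amzndns.org": build_header(0x1234, True, RCODE_NOERROR, 1),
    "ns1.amzndns.net": None,
}

def resolve(order: List[str], responses=RESPONSES) -> Tuple[Optional[str], str]:
    """First server to respond wins, positive or negative; only a timeout moves on."""
    for server in order:
        msg = responses.get(server)
        if msg is None:
            continue                        # no reply at all: try the next server
        return server, classify(msg)
    return None, "servfail"                 # every server timed out

def audit(responses=RESPONSES) -> Dict[str, str]:
    """Operator check: ask every authoritative server and record what each says."""
    return {s: ("timeout" if m is None else classify(m)) for s, m in responses.items()}

def inconsistent(responses=RESPONSES) -> bool:
    answered = {v for v in audit(responses).values() if v != "timeout"}
    return len(answered) > 1
```

Running `resolve` with different server orders shows why the question's observation depends on which server happened to be picked, while `inconsistent()` is the check that catches the misconfiguration regardless of order.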
