
Re: block new version of KAZAA

On Thu, Jul 31, 2003 at 08:22:30AM -0400, Alex Lee wrote:
> I cannot grasp the difference between 'DNS content servers' and 'DNS
> resolver''. Can you elaborate a little bit or perhaps point me to some good
> links on that ? Thanks.
A "DNS content server", better known as an "authoritative name server",
is a server which has _authority_ over a given domain or set of domains.
This means that when it is asked for a record in the domain it has
authority over, it *must* answer (whether with a positive or a negative
answer). Put simply, it is the ultimate, all-powerful reference from
where you can get an answer to a DNS query for the domain the
authoritative server is authoritative for. It does so by having
"content": domain name records.

We usually distinguish between primary master authoritative name servers
and secondary (or slave) authoritative name servers. The primary master
loads the "content" of the domain (or set of domains) it has authority
over from the local disk. This is also known as a "zone file". The
secondary fetches its data over the network using a mechanism called
"zone transfer" from another authoritative name server called a "master"
(which could be a primary master or another secondary) [1].

If I take my own domain, "docisland.org", the authoritative name servers are:

# dig docisland.org ns
;docisland.org.                 IN      NS

docisland.org.          172800  IN      NS      ns3.bsdlogics.org.
docisland.org.          172800  IN      NS      ns1.bsdlogics.org.
docisland.org.          172800  IN      NS      ns2.bsdlogics.org.

As you can see, I used the command "dig" to know which servers are
authoritative for the docisland.org domain. The primary master of this
domain is ns1.bsdlogics.org. The other servers are secondaries.

A "DNS resolver", in Nick Speak(tm), is a DNS server which resolves DNS
queries sent to it by DNS clients. It does so by following referrals
until it reaches the authoritative name servers for the domain name the
query is for.

For example, let's say you want to connect using ssh to a machine called
zoe.docisland.org. Your local machine doesn't know what the IP address
of zoe.docisland.org is. It reads its /etc/resolv.conf file (I'm
assuming you are running some version of Unix) to know to which server
(which is its "DNS resolver") it must send the query (you can have more
than one server listed but to keep it simple, we'll assume you have only
one). It then sends the query, which contains something like: I want to
know what the A record (name to address mapping) of zoe.docisland.org
is. The "DNS resolver" looks in its cache. It doesn't have the answer
[2]. So it follows referrals [3] until it finds out that the "DNS content
servers" for the domain name zoe.docisland.org are the ones shown above.
It then asks one of them something like this (of course, it doesn't use dig
but this is to show what happens):

# dig @ns2.bsdlogics.org zoe.docisland.org a
; <<>> DiG 9.2.2 <<>> zoe.docisland.org a
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63692
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;zoe.docisland.org.             IN      A

;; ANSWER SECTION:
zoe.docisland.org.      172800  IN      A

;; AUTHORITY SECTION:
docisland.org.          172800  IN      NS      ns2.bsdlogics.org.
docisland.org.          172800  IN      NS      ns3.bsdlogics.org.
docisland.org.          172800  IN      NS      ns1.bsdlogics.org.

Note the "AUTHORITY SECTION" above.

It then puts this info in its cache (for 172800 seconds, which is the TTL
for that record) and returns the answer to your machine.

This is really an over-simplified introduction to DNS. If you want to
get serious about it, get a copy of "DNS and BIND" 4th ed. from O'Reilly
or google for "DNS howto".

It should be noted that Nick simplified the terms used in the DNS
protocol so that his message can be understood without delving too much
into DNS.

[1] This is not true in the case of Microsoft DNS Server and Active
    Directory integrated zones, but that's another story.
[2] If it did have it, it would have returned it to the requesting client,
    specifying that it is not an _authoritative_ answer.
[3] Think of them as a series of questions/answers that lead to the
    authoritative name server after one or more iterations, depending on
    the cache content of the "DNS resolver".
Saad Kadhi -- [saad_(_at_)_docisland_(_dot_)_org] [saad_(_dot_)_kadhi_(_at_)_hapsis_(_dot_)_fr]
[pgp keyid: 35592A6D http://pgp.mit.edu]
[pgp fingerprint: BF7D D73E 1FCF 4B4F AF63  65EB 34F1 DBBF 3559 2A6D]
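An added illustration (not part of the post above) of the resolution walk Saad describes: a toy "DNS resolver" that follows referrals from a root server down to the docisland.org content servers, caches the answer for its TTL and, per footnote [2], marks a cached reply as non-authoritative. The zone data is constructed; the root and .org server names and the address are made up, and the resolver is assumed to reach name servers by name (no glue records).

```python
import time

# Constructed data: each "content server" holds the records of its zone.
# Server names and the 192.0.2.10 address are made up; only the
# docisland.org / bsdlogics.org names come from the post.
ZONES = {
    "root": {"org.": [("NS", "a.org-servers.example.", 172800)]},
    "a.org-servers.example.": {"docisland.org.": [
        ("NS", "ns1.bsdlogics.org.", 172800), ("NS", "ns2.bsdlogics.org.", 172800)]},
    "ns1.bsdlogics.org.": {"zoe.docisland.org.": [("A", "192.0.2.10", 172800)]},
    "ns2.bsdlogics.org.": {"zoe.docisland.org.": [("A", "192.0.2.10", 172800)]},
}

def ask_authoritative(server, qname, qtype):
    """One query to one content server. Returns (answer, referral): either an
    authoritative answer (an empty list is a negative answer) or the NS names
    of the closest enclosing zone cut the server knows, i.e. a referral."""
    zone = ZONES[server]
    if qname in zone:
        return [r for r in zone[qname] if r[0] == qtype], None
    labels = qname.split(".")
    for i in range(1, len(labels)):          # walk up towards the root
        ns = [rd for t, rd, _ in zone.get(".".join(labels[i:]), []) if t == "NS"]
        if ns:
            return None, ns
    return [], None                            # name unknown in this zone

class Resolver:
    """The 'DNS resolver': follows referrals [3], caches answers for their TTL."""
    def __init__(self, clock=time.time):
        self.clock, self.cache = clock, {}     # (qname, qtype) -> (records, expiry)

    def resolve(self, qname, qtype, trace=None):
        """Returns (records, from_cache); from_cache=True means the answer is
        served from cache and therefore not authoritative (footnote [2])."""
        hit = self.cache.get((qname, qtype))
        if hit and hit[1] > self.clock():
            return hit[0], True
        server = "root"                        # assumed: resolver knows the root
        for _ in range(8):                     # bound the referral chain
            if trace is not None:
                trace.append(server)
            answer, referral = ask_authoritative(server, qname, qtype)
            if answer is not None:
                ttl = min((r[2] for r in answer), default=0)
                self.cache[(qname, qtype)] = (answer, self.clock() + ttl)
                return answer, False
            server = referral[0]               # ask one of the servers referred to
        raise RuntimeError("too many referrals")
```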
