On Thu, 13 Mar 2003, John Hebert wrote:

> Learning about DNS tonight...
>
> What database or collection of information does the command "dig" query
> when it looks up information on a domain name?
>
> I assume dig talks to my primary name server from /etc/resolv.conf,
> which returns some kinda shared DNS record. Where is this record
> originally generated?
Your primary name server gets some of the info from the root servers (i.e. a.root-servers.net), which are controlled by Internic, AKA Verisign (and other organizations). But root servers only maintain which nameservers are authoritative for a domain. DNS is distributed and recursive, so no one person has all the info on everything.

Your NS will ask a root server 'hey, who knows about selu.edu?'. The root server will say '147.174.1.4 is authoritative for selu.edu'. Your NS will contact 147.174.1.4 directly and say 'what about www?', and the response is 'www.selu.edu is at 147.174.1.23 and the TTL (time to live) on this record is 1 day'. Your NS relays the info back to you and you have no idea how much work went into getting this record. And that is the short of it... there are some other queries in there that I left out.

Since it was so much work to get the record, your NS will probably cache the data for up to the TTL, typically one day. So if someone else asks for the same data they get the cached version. When your NS answers with data from the cache, it answers non-authoritatively, basically telling you 'I'm not the best source of info for selu.edu, but this is my best guess'.

Check out the flags: section in the dig output, and look for the aa (authoritative answer) flag. If it's not there, you got a non-authoritative answer. This is a good way to see if your NS is authoritative for a domain.

Here's a neat trick. Do a dig for an obscure domain; if your NS has to go to the internet for it, you might get the aa flag back (sort of a 'pass-through' from the remote NS). Now that it's cached, do the same query again, and you lose the aa. This worked in BIND4 and BIND8, but no longer works in BIND9, since really your NS should never answer authoritatively for a domain that isn't delegated to it.

DNS is cool.... later!
ray
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean                                    http://www.r-a-y.org
Systems Engineer                   Southeastern Louisiana University
IBM Certified Specialist           AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
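As an added example that is not part of the original thread, the Python below parses dig's text output the way Ray suggests reading it: it pulls the flags line and the ANSWER records out, reports whether the aa flag was present, and shows the TTL counting down on a cached copy. The two captures are constructed (not real server responses); the domain, addresses and TTLs are made-up placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed dig output for a fresh lookup (aa set, full TTL).
DIG_FRESH = """\
; <<>> DiG 9.18.1 <<>> www.example.net
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.example.net.\t86400\tIN\tA\t192.0.2.23
;; Query time: 120 msec
"""
# Constructed dig output for the same name answered from cache (no aa, TTL decreasing).
DIG_CACHED = DIG_FRESH.replace("qr aa rd ra", "qr rd ra").replace("\t86400\t", "\t86312\t")

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags:([^;]*);")

@dataclass
class DigResult:
    status: str = ""
    flags: set = field(default_factory=set)
    answers: list = field(default_factory=list)  # (name, ttl, rtype, rdata)

def parse_dig(text: str) -> DigResult:
    """Parse the header, the flags line and the ANSWER SECTION of dig's output."""
    result, section = DigResult(), None
    for line in text.splitlines():
        if (m := HEADER_RE.match(line)):
            result.status = m.group(2)
        elif (m := FLAGS_RE.match(line)):
            result.flags = set(m.group(1).split())
        elif line.startswith(";; ") and line.endswith(" SECTION:"):
            section = line[3:-len(" SECTION:")]  # ANSWER, AUTHORITY, ADDITIONAL
        elif line and not line.startswith(";") and section == "ANSWER":
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            result.answers.append((name, int(ttl), rtype, rdata))
    return result

def is_authoritative(r: DigResult) -> bool:
    """True only if the responding server set the aa flag."""
    return "aa" in r.flags

def min_ttl(r: DigResult) -> int:
    """Seconds the shortest-lived answer record may still be served from cache."""
    return min(ttl for _, ttl, _, _ in r.answers) if r.answers else 0

if __name__ == "__main__":
    for label, capture in (("first query", DIG_FRESH), ("repeat query", DIG_CACHED)):
        r = parse_dig(capture)
        print(f"{label}: status={r.status} aa={is_authoritative(r)} ttl={min_ttl(r)}s")
```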
