DNS: Authoritative, Non-Authoritative, Recursion
Authoritative name server
An authoritative name server is a name server that can give an authoritative answer to a DNS query for the zones it serves, not just a cached answer obtained from another name server. All primary and secondary name servers give authoritative answers for their zones; such responses carry the AA (Authoritative Answer) bit in the DNS header.
Recursive name server
A recursive name server is a name server that is not authoritative for any zone* and answers a DNS query by querying other name servers (the root servers, then the TLD servers, then the zone's own authoritative servers), caching each answer it receives for as long as its TTL allows.
* Most recursive name servers are configured to act as authoritative for the reverse zones of RFC 1918 (private IP) address space, so that bogus reverse lookups for private addresses are answered locally instead of adding load on the root servers.
Best practices
A DNS best practice is to separate your authoritative and recursive name servers: the authoritative servers do not offer recursion at all, and the recursive servers answer only your own clients.
- Suppose an attacker seizes control of your recursive server. If your authoritative server is the same host as your recursive server, the authoritative DNS data you publish to the rest of the world may also be compromised.
- Suppose a user floods your recursive DNS server with more work than it can handle. If this server is also your authoritative server, the performance of your outgoing (authoritative) DNS service may also suffer.
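The distinction between an authoritative and a non-authoritative answer, and the combined setup the best practice above warns against, can both be read straight from the flags in a DNS response header. The following is an added example (not part of the original page or of DoIT's tooling) that builds constructed sample responses and classifies them by the AA and RA bits; the names and addresses are placeholders, and the decoder covers only the 12-byte header rather than full message parsing:

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR = 1 << 15  # 1 = response, 0 = query
AA = 1 << 10  # Authoritative Answer: the responder serves this zone itself
TC = 1 << 9   # TrunCation
RD = 1 << 8   # Recursion Desired (copied from the query into the response)
RA = 1 << 7   # Recursion Available: the responder offers recursion


def encode_name(name):
    """Encode a dotted name as DNS labels, e.g. 3www7example3com0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_response(txid, name, addr, ttl, authoritative, recursion_available, rd=True):
    """Build a minimal single-A-record response. Constructed sample data, not captured traffic."""
    flags = QR | (RD if rd else 0)
    if authoritative:
        flags |= AA
    if recursion_available:
        flags |= RA
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)  # QDCOUNT=1, ANCOUNT=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    # Answer: compression pointer 0xC00C back to the name at offset 12,
    # then TYPE=A, CLASS=IN, TTL, RDLENGTH=4, RDATA=IPv4 address.
    rdata = bytes(int(octet) for octet in addr.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields an operator cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0xF,
        "ancount": an,
    }


def classify(msg):
    """Say what kind of server produced this response, judging by AA and RA."""
    h = parse_header(msg)
    if not h["qr"]:
        return "query"
    if h["aa"] and h["ra"]:
        # Authoritative for this name AND offering recursion: the combined
        # authoritative/recursive setup the best practice says to avoid.
        return "authoritative+recursive"
    if h["aa"]:
        return "authoritative"        # primary/secondary answering for its own zone
    if h["ra"]:
        return "non-authoritative"    # a resolver answering from cache or by recursing
    return "no-recursion-no-authority"  # e.g. a referral or REFUSED from an auth-only server


if __name__ == "__main__":
    for label, aa, ra in (("auth-only", True, False), ("resolver", False, True), ("combined", True, True)):
        msg = build_response(0x1234, "www.example.com", "192.0.2.10", 3600, aa, ra)
        print(label, parse_header(msg), "->", classify(msg))
```

When checking a live server with `dig`, the same bits appear in the `flags:` line of the output (`aa` and `ra`); an authoritative server that has been separated correctly answers its own zones with `aa` set and never sets `ra`.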
Issues with authoritative/recursive separation
The largest problem this causes is that updates made to the authoritative servers are not immediately seen by the recursive servers. However, this is true of any other non-DoIT name server in the world: when we change a DNS record on adns1,2,3, we must consider DNS caching and TTLs. A resolver that has cached the old record keeps serving it until that record's TTL expires, so a change can take up to the old TTL to become visible everywhere. Here are a couple of examples and a couple of potential workarounds.
- Dynamic DNS updates made on adns1,2,3 are applied there but are not seen immediately on our recursive servers.
Solution: Customer lowers the TTL on the appropriate data before changing it, and waits at least the old TTL before making the change so that no resolver still holds a copy cached with the old TTL.
- A customer- or Hostmaster-initiated change on adns1,2,3 does not immediately show up on our resolvers.
Solution: Lower the TTL on the appropriate data before changing it, again waiting out the old TTL first.
Solution: Flush the recursive DNS cache on the campus resolvers for the data in question.
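Both workarounds above (lower the TTL first, or flush the resolver cache) come down to how long a recursive server may keep serving a stale record after the authoritative data changes. The following is an added example, not part of the original page or of DoIT's systems, that models a toy recursive resolver cache against a toy authoritative zone and compares the worst-case staleness bound with what the simulation observes. The TTL values, hostname and addresses are constructed placeholders; time is in seconds, with the TTL lowered at t=0 and the record changed at t=wait:

```python
from dataclasses import dataclass


@dataclass
class Zone:
    """Toy authoritative zone with one record whose TTL is lowered at lower_at
    and whose data changes at change_at (both in seconds)."""
    old_value: str
    new_value: str
    old_ttl: int
    new_ttl: int
    lower_at: int
    change_at: int

    def lookup(self, name, now):
        value = self.new_value if now >= self.change_at else self.old_value
        ttl = self.new_ttl if now >= self.lower_at else self.old_ttl
        return value, ttl


@dataclass
class CacheEntry:
    value: str
    expires_at: int


class Resolver:
    """Toy recursive resolver: serves a cached answer until its TTL runs out,
    then asks the authoritative zone again."""

    def __init__(self, zone):
        self.zone = zone
        self.cache = {}

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry is None or now >= entry.expires_at:
            value, ttl = self.zone.lookup(name, now)
            entry = CacheEntry(value, now + ttl)
            self.cache[name] = entry
        return entry.value

    def flush(self, name):
        """Operator-initiated cache flush for one name (the second workaround)."""
        self.cache.pop(name, None)


def worst_case_staleness(old_ttl, new_ttl, wait):
    """Seconds after the change until every resolver is guaranteed to see it.
    A resolver that fetched just before the TTL was lowered holds the old data
    for old_ttl seconds, i.e. old_ttl - wait seconds past the change; one that
    fetched after the lowering holds it for at most new_ttl seconds."""
    return max(new_ttl, old_ttl - wait)


def simulate(old_ttl, new_ttl, wait, fetch_times, flush=False):
    """One fresh resolver per entry in fetch_times caches the record at that time.
    Returns the longest time (seconds after the change) any of them kept serving
    the old value. Constructed scenario data, not real measurements."""
    name = "www.example.com"
    zone = Zone(old_value="192.0.2.10", new_value="192.0.2.20",
                old_ttl=old_ttl, new_ttl=new_ttl, lower_at=0, change_at=wait)
    worst = 0
    for t in fetch_times:
        r = Resolver(zone)
        r.resolve(name, t)          # populate the cache at time t
        if flush:
            r.flush(name)           # hostmaster flushes the name after the change
        if r.resolve(name, wait) == zone.new_value:
            continue                # change visible immediately at this resolver
        stale_until = r.cache[name].expires_at
        assert r.resolve(name, stale_until) == zone.new_value
        worst = max(worst, stale_until - wait)
    return worst


if __name__ == "__main__":
    day, five_min = 86400, 300
    for wait in (0, 3600, day):
        print(f"wait={wait:>6}s bound={worst_case_staleness(day, five_min, wait):>6}s "
              f"observed={simulate(day, five_min, wait, [-1, 100, wait - 100]):>6}s")
    print("with flush:", simulate(day, five_min, 3600, [-1, 100, 3500], flush=True))
```

The scenarios show why "lower the TTL before changing" only helps if you also wait out the old TTL: lowering from a day to five minutes and changing an hour later still leaves a resolver that fetched just before the lowering serving the old address for almost a full day, while waiting the full old TTL brings the worst case down to the new five-minute TTL, and flushing the campus resolvers brings it to zero (for those resolvers only).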