Solved

Need to understand how 2003 DNS server root hints work

Posted on 2006-06-10
Last Modified: 2010-05-18
Hello Experts,
I've got a problem resolving a particular external Internet address on all the (internal domain) DNS servers in one of my domains.
I do not use forwarders, only root hints (no forwarders).  We switched ISPs about 2 weeks ago and have had this problem since.
I've configured several DNS servers like this, and slogged my way through many other problems, but I've never had an issue with the root hints - so I've never really learned how they work in any detail.

I know they are well known established servers that somehow, mysteriously help DNS find a NS authoritative for whatever address you are trying to resolve.  I think this has something to do with breaking down the address (i.e. www.yahoo.com to www and yahoo and com).  That is about the extent of what I know.

I've examined debug logs on DNS servers from the affected domain and a domain that CAN resolve the address.  What I can't figure out is what is wrong, because I don't really understand how root hints work in detail.

Now that I've said a mouthful, I'm looking for a good place online where I can find out some detail so I can figure out these debug logs.

Anyone have good recommendation(s) on a site with details on how root hints work?
Thanks in advance!!!
Question by: starmonkey
 
Accepted Solution by: GinEric (earned 500 total points)
here:

http://www.internic.net/zones/named.root
ftp://ftp.internic.net/domain/named.root

It is always named.root and always under the control of the United States and managed by IANA [Internet Assigned Number Authority] iana.org

Windows has no command to get the root hints directly, while bind does, using a naked "dig" command.

Most people put the url or ftp in a shell script in the header of the root hints cache file, named.ca for most Linux systems, no idea the equivalent in Windows, and get it automatically every so often; what the updates are for and some TTL's.

The root servers will resolve your ISP, not your domain.  In fact, the root servers tell everyone where to go to get domain names resolved, that is their job, and basically their zones are just registry name servers, a far cry from ordinary name servers.

Your ISP, as far as the root servers are concerned, are defined by name servers, not by their domain names.  Root servers don't do domain names, they do only name servers.  Monstrous machines, mainframes, that are millions of times more capable than tiny PC's.  Which is why only the big U.S. Companies host all of the root servers and the U.S. is going to keep it that way.

The General Internet License [GIL], is a mostly free license granted by the U.S. to the rest of the world to freely use the Internet.  The Internet is owned and Copyrighted by those who own it, the People of the United States of America, and no one else.  Unfortunately, there are some out there who think the Internet belongs to the world; it absolutely does not!  The American People invented it and the computer, paid for both with their tax dollars, and because of that, and by U.S. Law, it belongs to them as the aboriginal Author.  It is not in the Public Domain.  Nor should it be.  This is backed up by the raison d'être of the Internet, to preserve American National Security.  Basically, it can't be just handed over to the world, it's not in the best interests of American National Security.

The same goes for the root servers.  If the root hints files and servers, the DNS root servers, were turned over to the world, immediate chaos would ensue as each tried to jostle and jog for political positions of supremacy, blackmail, censorship, all sorts of nasty things the old world has grown up with over the last 8,000 years or so; all experience hath shown that the old world will never obey the rules and behave.

So, America keeps certain rights, and rightly so.  One of them is the root servers exclusively within the U.S., under the GIL.

yahoo.com is a Top Level Domain.  www.yahoo.com is a CNAME or alias for yahoo.com, that is, "." is the root zone for yahoo.com at the Start of Authority [SOA], wherever that is found, and www just looks up yahoo.com and thereafter any host that answers and says "I'm yahoo.com" and/or "I'm www.yahoo.com" the proper way to set up a root zone.  root zone should not be confused with any definition of root servers; they are not the same thing.

Everybody needs a Reverse Record to be found.  The Reverse Record for a real domain is of the form d.c.b.a.in-addr.arpa
Example:

59.125.242.71.in-addr.arpa  86400  PTR  musics.com

Forward Zone Example for above:

Musics.com  86400  A  71.242.125.59

Compare that to yahoo's records:

Forward:
yahoo.com 300 A 66.94.234.13
yahoo.com 300 A 216.109.112.135
Reverse:
13.234.94.66.in-addr.arpa 1200 PTR w2.rc.vip.scd.yahoo.com
135.112.109.216.in-addr.arpa 1200 PTR w2.rc.vip.dcn.yahoo.com

which uses two forwards and two Reverse Records, neither of which point to the base domain yahoo.com; therefore, yahoo bends the DNS rules a bit.

Microsoft itself has 15 names for Microsoft.com and 15 exactly the same reverse names, but with 15 different hostnames, forked by two main machines given in the IP Addresses above.

2 redundant pipes and 15 redundant hosts who will answer with "I am Microsoft.com"

www.yahoo.com is complex as well, using akadns for mostly streaming purposes:

www.yahoo.com 300 CNAME www.yahoo.akadns.net

akadns.net will yield "Connection Refused" a part of its paranoid DNS system; it lives in a protective shell bubble.  Of course, this causes DNS resolution problems because it won't answer directly to any but its weaning mommy servers.

If all that is too much for you, just get the root zone hints from IANA via Internic:

http://www.internic.net/zones/named.root
ftp://ftp.internic.net/domain/named.root
Expert Comment by: GinEric
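To make the delegation walk that the root hints start concrete, here is an added example (not code from this thread or from any of the posters): it parses a named.root-style hints file and then resolves a name by following referrals root -> .com registry -> the domain's own server in a constructed in-memory model, returning the list of servers asked so it can be compared against what a DNS debug log shows. Every server name, zone record and address in it is a constructed placeholder, and `reverse_name` builds the in-addr.arpa owner name from the PTR example above.

```python
# Constructed example of iterative resolution from root hints.  All names,
# zone data and addresses are invented placeholders (documentation ranges).

# A named.root-style hints file, as published by InterNIC: ';' comments,
# then NS records for "." and glue A records for each root server name.
ROOT_HINTS_TEXT = """\
;       This file holds the information on root name servers
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
"""

def parse_root_hints(text):
    """Return {root server name: IPv4} from the NS/A pairs in named.root."""
    ns_names, addrs = [], {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        owner, _ttl, rtype, rdata = line.split()
        if owner == "." and rtype == "NS":
            ns_names.append(rdata.lower())
        elif rtype == "A":
            addrs[owner.lower()] = rdata
    return {n: addrs[n] for n in ns_names if n in addrs}

# Constructed authoritative data keyed by server IP.  Each server knows
# only its own zone: the root delegates com., the com. registry delegates
# yahoo.com., and only the domain's own server holds the final records.
SERVERS = {
    "192.0.2.1":  {"ns": {"com.": ("a.gtld.example.", "192.0.2.10")}},
    "192.0.2.10": {"ns": {"yahoo.com.": ("ns1.yahoo.example.", "192.0.2.20")}},
    "192.0.2.20": {"rr": {"yahoo.com.": ("A", "203.0.113.5"),
                          "www.yahoo.com.": ("CNAME", "www.yahoo.akadns.example.")}},
}

def query(ip, qname):
    """One round trip to the server at ip: answer, referral or nxdomain."""
    srv = SERVERS[ip]
    if qname in srv.get("rr", {}):
        return ("answer",) + srv["rr"][qname]
    labels = qname.split(".")
    for i in range(len(labels)):                  # strip labels from the left
        zone = ".".join(labels[i:])               # www.yahoo.com. -> yahoo.com. -> com.
        if zone in srv.get("ns", {}):
            return ("referral",) + srv["ns"][zone]
    return ("nxdomain",)

def resolve(qname, hints, max_hops=8):
    """Walk the delegation chain from the root hints; returns (rtype, rdata, path).

    path lists the server IPs asked, in order.  A real resolver would go on
    to resolve a CNAME target the same way, starting again at the root."""
    qname = qname.lower().rstrip(".") + "."
    ip = next(iter(hints.values()))               # first root server from the hints
    path = []
    for _ in range(max_hops):
        path.append(ip)
        resp = query(ip, qname)
        if resp[0] == "referral":
            ip = resp[2]                          # follow the glue address
        elif resp[0] == "answer":
            return resp[1], resp[2], path
        else:
            return "NXDOMAIN", None, path
    raise RuntimeError("too many referrals: delegation loop?")

def reverse_name(ipv4):
    """Owner name for a PTR lookup: d.c.b.a.in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."
```

Each hop in `path` is one round trip the resolver must wait for, which is the latency cost of root-hints resolution that carl_legere raises further down.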
P.S.:  remember this "Root Servers do not resolve domain names, they only resolve registry name servers which then resolve domain names."

That means, if you're only hitting root servers, you are not going to get an answer unless you accept other name servers [delegation].  If you're the root zone [the domain], then you must configure your Start of Authority to receive information from some other domain's name servers that are registry name servers, such as your ISP's name servers.  They must allow and you must accept zone transfers.  In most cases, you will not be allowed to update your ISP's name servers; it's a one-way ticket.

If, however, your domain is either webhosted or dnshosted, you may get some permissions to administer upstream name servers, but this is dangerous for the upstream server because one wrong record can mark that server as a "lame server."

A "lame server" will be ignored by nearly all name servers after a time period wherein it consistently returns bad records.  And if you run DNS in Windows, and you spew out bad records, you may, indeed, be marked as a "lame server."

This will cause lots of problems with name resolution.

Expert Comment by: carl_legere
being designated as a lame server should not affect lookup requests.  I do not support using Windows DNS without forwarders.  Resolution via root hints is slow.  You have to make 4 or more calls to resolve anything and each call has the latency of your copper last mile each way.
Expert Comment by: GinEric
Most name servers will shut off all requests from a lame server, for time periods starting around 1 hour.  There are other things that are done when name servers either don't answer, have conflicting answers, and so forth.  The idea is to simply stop routing bad information until someone with DNS knowledge fixes it in order to stop it and perhaps thousands or millions of other irresponsible name servers from clotting requests with repeated erroneous data and responses.

They do affect lookups, if you keep going to the same ones without the option of alternate routes.  With a lot of corporate traffic, which doesn't trust everyone, they are getting more and more lags as they search for trusted name servers.  It takes a lot longer to track down things like loops, where name servers in a given order point back to an endless loop.  Eventually, they'll time out and the request will timeout as its time to live is exceeded.

Routes resolved sans root servers is unreliable.  How do you get to .com and .net roots if you don't ask the root servers?  And can you trust the answers?  Both answers are "unreliable."

Firewalls and stealthing have basically added timeouts to every domain that doesn't answer a DNS query.  That may be a big part of the problem.  The first name server you hit, usually the one at your ISP, already knows the roots and so doesn't have to look them up at all.  If your traces show you hitting the root server, and you're not a registry name server, then you are simply misconfigured.  It's not the fault of the root servers if you're a registry name server, or configured as such, it's your DNS configuration that is wrong.

Perhaps the problem is that you shouldn't be querying the root servers in the first place; a very likely event if you're banging away at servers that are only going to tell you "go back to your name server that is delegated to handle your requests."

You should only need the root servers once, to initialize your DNS database to find out where your name servers are, the upstream ones that are delegated to answer your requests.  It makes sense that if you switched ISP's, then you are having a problem with your assigned name servers from your ISP, or, you have the old ISP name servers somewhere, or, they have not deleted the old records that pointed to your domain.

Here's a typical example:  we switched IP Address Blocks more than a month ago, yet, the old Reverse Record is still there, check if you care, do a reverse record lookup for 68.162.85.5 result is Musics.com but if you do a Reverse Record lookup for 71.242.125.59 you'll also get Musics.com

The effect?  Well, it's possible for someone to get the wrong pointer and perhaps get a timeout, although we maintain a server on that IP Address pending record deletion.  You might want to check the Reverse Records for your domain as well.  It's also possible that you're getting conflicting updates, which is what would happen to us if we didn't write our own records for two other domains in an attempt to eliminate the upstream name servers and rely solely on our own and the root servers.  This requires some major changes in the way we do DNS, it's not so simple as "you just plug in your own name servers," it doesn't work that way because at least one name server must be a registry name server.  That requires applications to IANA, and some other rules, such as all Registrars must see the new name server as a registry name server, or they will not accept it as a domain name server.

It also costs lots of money, at least a payment of $2,500.00 to IANA because they consider the territory to be that of an ISP and you must register as an ISP.

IANA has about a million such stupid rules and regulations that stop domain owners from doing business; these should be corrected by law because IANA is not going to change until ordered to do so, they're too obstinate about their "precious."  They should also be stopped because they violate anti trust laws, the ones that say you can't control a business by means which effectively stop or delay that business in its pursuit of success.  Two things at IANA do this, 01.)  the monopoly of who can get a registry name server, and 02.) the monopoly of who can get an IP Address block.  These effectively put all the gold coins in the hands of a few corporations, completely cut off all third world and undeveloped countries and their businesses from quick success, if any success at all, and institute a system of controlling the assignment of IP4 and IPv6 blocks based on economic scale.  This retards the growth of all other businesses save the Fortune 10 who provide the root servers, if you must know the truth of what purpose the root servers really serve.

For now, unless you can afford IANA's fees, and live up to their requirement that you use a full /22 prefix block, and prove it every month, else it will be confiscated back from you, you have to pay your ISP for IP Address Block space and you have to use their name servers.  Whatever load they are experiencing will affect just how fast you get results.  You see?  The current system is broken and there is no incentive for them to fix it, they're making too much money from it and controlling business and economies world wide.

Which is why IANA, IEEE, and the IETF [all the same people, from the top ten American (sic!) corporations], are so obstinate; they're all making lots of money by holding IP Addresses "hostage."

Which only, as carl_legere has said, slows the entire Internet down.

Maybe France will nationalize the root servers in France and make IP Address blocks available to all Frenchmen, free of charge, and maybe this will force the hardheads to change, as each country in turn does the same until only America is the one charging for IP Addresses, at which point, no one but Americans will care, and will perhaps finally do something about this "tax on numbers," this corporate welfare system that keeps them all in undeserved income at the expense of the rest of us.

I will suggest further what I always suggest; get either Ethereal or use Network Monitor and see on a packet per packet basis what is slowing things down and causing breaks in fetches and queries.  Sometimes the logs are just not enough.
Expert Comment by: carl_legere
in my post I was referring strictly to DNS as it pertains to being a recursive lookup database, NOT DNS for maintaining authoritative records on your side.

The question, as written, appears to be regarding DNS recursion and not DNS authoritative.
Expert Comment by: Anthony Perkins
>>The American People invented it and the computer, paid for both with their tax dollars, and because of that, and by U.S. Law, it belongs to them as the aboriginal Author.  <<
Aside from the rest of the ra-ra claptrap, the use of "aboriginal Author" was amusing to say the least.
Expert Comment by: day_lander
Fortunately DNS root servers are now distributed so if the Germans (who invented the first programmable computer) turned off their k.root-servers.net in Frankfurt and the British (who invented the first electronic computer) turned off their k-root-servers.net in London the French (who invented the punched card system) could still resolve ccTLD and gTLD queries from the k-root-servers.net in Amsterdam.
Expert Comment by: carl_legere
lol
don't forget Poland, they were in the coalition of the willing
Expert Comment by: day_lander
The Poles have one in Poznan; www.root-servers.org.
Expert Comment by: Anthony Perkins
>>dont forget poland, they were in the coalition of the willing<<
Also Honduras.
Expert Comment by: baldrick
I thought Al Gore invented the interweb!
Expert Comment by: gilbar
no No NO!  al gore said he CREATED the internet, not invented it
Expert Comment by: GinEric
yeah, yeah, yeah, and a German, Albert Einstein, invented the atomic bomb.

J. Presper Eckert and John Mauchly invented the first computer.  Period.

Any other statement is one of those old U.S.S.R. statements about how they invented everything, with a dyslexic language, no less.

Personally, if Germany and France turned off their root servers, no one would even notice.

C'est la vie, c'est la guerre.
Expert Comment by: SidFishes
"J. Presper Eckert and John Mauchly invented the first computer. "

Actually a Brit came up with the idea
http://www.fourmilab.ch/babbage/contents.html

and a German invented it first
http://www.epemag.com/zuse/

"yeah, yeah, yeah, and a German, Albert Einstein, invented the atomic bomb."

Einstein's work on the bomb consisted of 2 days work and the signing of a letter to Roosevelt.
The "inventor" of the bomb was a team of people led by Oppenheimer and Teller.

"Any other statement is one of those old U.S.S.R. statement about how they invented everything, with a dyslexic language, no less."

ya...no sense in having some actual facts to back up your point. And add a slur in for good measure.

"The General Internet License [GIL], is a mostly free license granted by the U.S. to the rest of the world to freely use the Internet.  The Internet is owned and Copyrighted by those who own it, the People of the United States of America, and no one else."

google for "general internet license" you'll get one hit...(out of 25,270,000,000 indexed pages)

http://www.experts-exchange.com/Networking/Q_21881951.html

say...you didn't invent the GIL didya?

Expert Comment by: GinEric
The first computer was invented by J. Presper Eckert and John Mauchly at the University of Pennsylvania, in Philadelphia, Pennsylvania in 1946.  The United States of America was founded in Philadelphia, Pennsylvania in 1776.

If you can't admit the truth, then join the communist party, where such denials of history belong.

The Russian language and alphabet is dyslexic, you're trolling now, by twisting accepted truths.

The Internet was invented in America.

Why is it that even when America gives people a gift, they have to insist that we're only returning something they lost?  Sounds like sheer jealousy and envy to me.

Stop lying about who invented the computer and the Internet and just accept it.  No one keeps company or respects liars.  Suse and Turing may as well be put in with the French loom as far as having invented a computer, which predates them by a few hundred years and was programmable.

None of the Suse, Turing, or Frenchie ideas though were computers.

Such jealousy.

It's actually an insult, to us, to the University, and to the city where America became America.  Why don't you try and enforce your theory of Internet copyrights with the United States Armed Forces; I'd like to see how far that gets these obviously false ideas about who invented what and who created what.

And if you can't say "Thanks" to America, then return the gift and just leave.
Expert Comment by: MalicUK
> No one keeps company or respects liars.  

Good good, how's the solitary life then?

> The first computer was invented by J. Presper Eckert and John Mauchly at the University of Pennsylvania, in Philadelphia, Pennsylvania in 1946.

You don't define "computer". Personally I feel that the gong goes to the German who built a working device to automatically calculate sums 153 years before America was founded:
http://en.wikipedia.org/wiki/History_of_computing_hardware "In 1623 Wilhelm Schickard built the first mechanical calculator and thus became the father of the computing era."

> The Internet was invented in America.
Again, your definition of "internet" is vague. If you are talking about the first interconnected computers then indeed, that claim to fame probably goes to ARPANET. However, in reality the internet we know today was developed by TBL, at CERN, and then by W3C who have developed the standards which make it exactly what we now use.
http://en.wikipedia.org/wiki/Tim_berners-lee

But never minding that, your arrogance is entertaining. Please continue to enlighten us with your endless wisdom (ahem), and dim-witted insults.
Expert Comment by: Anthony Perkins
Yes, please don't stop, it is extremely entertaining and pathetic at the same time:  To think that a great nation and people has been reduced to this.  But I can't wait to read your next diatribe. I wonder if you know the meaning of hubris?
Expert Comment by: SidFishes
I didn't see an explanation for the "GIL".

I've opened a new q for so you may tell us how it really is...

http://www.experts-exchange.com/Miscellaneous/Lounge/Q_21900641.html

Expert Comment by: day_lander
None of the Zuse[sp], Turing, or Frenchie ideas though were computers.

Turing didn't design Colossus, it was Tommy Flowers. And it definitely was an electronic computer but it wasn't electronically programmed.
Expert Comment by: baldrick
I believe either the Babylonians or the Chinese invented the abacus between 2400BC and 300BC. Since the beads maintain state, the abacus is programmable. Since it is also operated by the application of an algorithm stored in the memory of the operator via a low-bandwidth 10 bit wide wetware interface according to a strictly defined algorithm, I believe we have found the first computer. And anybody who dares state otherwise is potentially a liar, a communist and a terrorist sympathiser.
Expert Comment by: _TAD_
Actually, the first programmable "computer" was a weaving loom created by Joseph Marie Jacquard in 1804.

http://tdi.uregina.ca/~complit/comphist.htm
Expert Comment by: gilbar
>low-bandwidth 10 bit wide wetware interface    ?????

LOW-bandwidth 10 bit wide ?!!??!?
baldrick, are you implying that ancient iraqis used their TOES! to interface with their abacii?  I'm sure they used a 'higher' 10bit interface than that.  Or would you describe toes as (even) lower 10bit bandwidth?

Here in beautiful Ames, Iowa, we like to pretend that the  Atanasoff-Berry Computer (which was really an electronic calculator) was the first in 1937.  It WAS the first to use tubes to add numbers together.
Expert Comment by: baldrick
:-)