How does a Windows DNS Server work?

[+John Teacake MVC]

OK So I am not a noob here, However I am now been told or rather querying this........ So imagine if you will you have a DNS server on a Windows Domain. Clients use this to resolve DNS. Fine.

 

Explain the process of how this works?? My understanding is as follows

 

You query the DNS server, It needs to look up external so for arguments sake it uses your ISP's DNS. make sense right? If your ISP's DNS servers dont resolve it then it uses the built in root servers on the internet. If they cant resolve that then it returns a failure (NX Domain???)

 

So there is no way that the Windows DNS server should be looking at ANYTHING other than your ISP's and the Root Servers in this scenario?

 

 

[sc302 Veteran]

Root servers

Forwarders

local dns

 

 

 

Pc queries the local dns, if the local dns doesn't know, it moves up the the forwarder, if the forwarder doesn't know, it moves up to the root, if the root doesn't know it says it can't find.  most admins disable root server lookup once they set the forwarders. Forwarders could be google dns, open dns, isp dns, or any other internet dns server.

 

Does that help? 

 

 

say pc2 queries pc1.local.dc.com, the local dns server will be able to see that and return an ip associated to pc1.

 

say pc2 queries www.google.com, the local dns server will say I don't know that, let me forward that to the forward dns server to see if it knows, the internet forward dns server knows that and returns an ip associated to www.google.com...but lets say the forwarder doesn't know, the dns server would then go up to the root server to see if it knows and would return an ip associated to www.google.com

 

The internet servers do not know to resolve pc1.local.dc.com, they don't know what ip it is on so it will always fail when looking that up...but your internal dns server knows local.dc.com as it hosts that dns zone so it can resolve that. 

[TAZMINATOR]

https://technet.microsoft.com/en-us/library/dd197446%28v=ws.10%29.aspx

 

 

Edit: Ah, sc jumped in quick!

[+John Teacake MVC]

Root servers

Forwarders

local dns

 

 

 

Pc queries the local dns, if the local dns doesn't know, it moves up the the forwarder, if the forwarder doesn't know, it moves up to the root, if the root doesn't know it says it can't find.  most admins disable root server lookup once they set the forwarders.

 

yes so that is what I thought. I should see NO traffic going to any DNS servers in China for example. The Server Admins think this is normal because they are saying if the root server cant find it just looks it up from somewhere.

 

My query is that if that IS the case then how would it know when to stop, How does it find these magic DNS servers and how does it know which to trust.

[sc302 Veteran]

DNS servers to look at are defined in the Forwarders tab and Root Hints tab of your DNS server(s).  Each DNS server has its own local config.  Like I said though, most disable the root hints lookup if they have forwarders.

[Roger H. Veteran]

I generally used root but forwarders are good if you have external DNS setup for restrictions to certain sites. Sure firewalls can do that too but I guess

Windows DNS is a must however for AD and clients should definitely use it to have a proper functioning local network.

[+John Teacake MVC]

Yeah I get that, So basically the only DNS traffic I should see going out from the Windows DNS server is to my ISP's DNS Server IP's and the Root Hint IP's. No where else right?

[sc302 Veteran]

Yeah I get that, So basically the only DNS traffic I should see going out from the Windows DNS server is to my ISP's DNS Server IP's and the Root Hint IP's. No where else right?

 

That is correct, unless your clients have something configured either statically or in their dhcp, or an application is doing something funky (malware/virus for example).  A netstat should help determine what process is communicating to what.

 

elevated command prompt

 

netstat -a -b -n

 

may have to pipe it into a text document

 

netstat -a -b -n >%userprofile%\desktop\netstat.txt

 

 

 

I generally used root but forwarders are good if you have external DNS setup for restrictions to certain sites. Sure firewalls can do that too but I guess

Windows DNS is a must however for AD and clients should definitely use it to have a proper functioning local network.

sometimes the roots are slow to respond, so configuring forwarders may result in faster/instantaneous response.

[+BudMan MVC]

"the only DNS traffic I should see going out from the Windows DNS server is to my ISP's DNS Server IP's and the Root Hint IP's. No where else right?"

If you have forwarders setup then all you should see is traffic to what your forwarding too. If your using root hints, ie resolver mode then you would see traffic to roots, then to the authoritative serves for whatever domains your looking resolve a record in. Roots are not recursive, they will just tell you where you resolver needs to to look up what your looking to resolve.

While sc302 started the flow, its not finished..

Authoritative name server.

Root servers

Forwarders

local dns

So if you have your dns setup to ask forwarders, I really can not think of a time it would ever have to go to roots and then name server for the domain. Unless you were using modified root hints for your own stuff.

Normally you would use either forwarder mode or resolver mode. Normally would not use both at the same time to be honest.

If you do a trace of how something gets looked up you would see your resolver ask for the tld owner, lets use www.neowin.net as example

would ask the root servers, hey who is authoritative for .net, the root hints is what tells your resolver where to start.

You can always grab current root hints from here

http://www.internic.net/domain/named.root

So what happens is one of those is asked for who owns .net. Here you see a full trace of the process here, I had it not do dnssec so a cleaner output.

user@ubuntu:~$ dig www.neowin.net +trace +nodnssec

; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> www.neowin.net +trace +nodnssec

;; global options: +cmd

. 501168 IN NS a.root-servers.net.

. 501168 IN NS b.root-servers.net.

. 501168 IN NS c.root-servers.net.

. 501168 IN NS d.root-servers.net.

. 501168 IN NS e.root-servers.net.

. 501168 IN NS f.root-servers.net.

. 501168 IN NS g.root-servers.net.

. 501168 IN NS h.root-servers.net.

. 501168 IN NS i.root-servers.net.

. 501168 IN NS j.root-servers.net.

. 501168 IN NS k.root-servers.net.

. 501168 IN NS l.root-servers.net.

. 501168 IN NS m.root-servers.net.

;; Received 239 bytes from 192.168.9.253#53(192.168.9.253) in 26 ms

net. 172800 IN NS a.gtld-servers.net.

net. 172800 IN NS b.gtld-servers.net.

net. 172800 IN NS c.gtld-servers.net.

net. 172800 IN NS d.gtld-servers.net.

net. 172800 IN NS e.gtld-servers.net.

net. 172800 IN NS f.gtld-servers.net.

net. 172800 IN NS g.gtld-servers.net.

net. 172800 IN NS h.gtld-servers.net.

net. 172800 IN NS i.gtld-servers.net.

net. 172800 IN NS j.gtld-servers.net.

net. 172800 IN NS k.gtld-servers.net.

net. 172800 IN NS l.gtld-servers.net.

net. 172800 IN NS m.gtld-servers.net.

;; Received 528 bytes from 192.58.128.30#53(j.root-servers.net) in 77 ms

neowin.net. 172800 IN NS ns-180.awsdns-22.com.

neowin.net. 172800 IN NS ns-917.awsdns-50.net.

neowin.net. 172800 IN NS ns-1610.awsdns-09.co.uk.

neowin.net. 172800 IN NS ns-1312.awsdns-36.org.

;; Received 212 bytes from 192.52.178.30#53(k.gtld-servers.net) in 120 ms

www.neowin.net. 21600 IN CNAME neowin.net.

neowin.net. 300 IN A 54.86.19.37

neowin.net. 300 IN A 54.172.165.25

neowin.net. 300 IN A 54.173.39.38

neowin.net. 172800 IN NS ns-1312.awsdns-36.org.

neowin.net. 172800 IN NS ns-1610.awsdns-09.co.uk.

neowin.net. 172800 IN NS ns-180.awsdns-22.com.

neowin.net. 172800 IN NS ns-917.awsdns-50.net.

;; Received 242 bytes from 205.251.195.149#53(ns-917.awsdns-50.net) in 316 ms

Here is a great picture that explains the process of using roots.

In forwarder mode... Just add some steps until you get to a point where there is an actual resolver.

So you could have

client looks in his cache, nothing so asks its name server

ns - nothing in cache, forward to isp

isp - nothing in cache, can either forward again or actual resolve

resolver - nothing in cache, ask roots, ask ns tld, ask ns of domain, ask ns of delegated subdomain, ask authoritative server for domain for record of host looking up.

[+John Teacake MVC]

Yeah thats exactly how I thought it happens. 

 

I suspect that the DNS server has something funky on it that is doing its own DNS requests.......... malware/virus. Hence the traffic I am seeing on the firewall going to China/Korea etc. 

 

The fact that it is a DNS server is confusing some of the guys here. What I really should be saying is that the OS of the DNS server itself is infected perhaps. 

[+BudMan MVC]

well if you have it in root hint mode, and someone does a query for something in china, then you would see it query the name servers. Or if forwarder doesn't know them for some reason its possible for it to go ask roots and then whatever ns are listed for the domains someone is asking for.

You have some sniffs of the traffic to see exactly what its doing? And what specific mode are you in? forwarder only?? Or root hints only? Or the kind of pointless forwarder than hints mode?