Question : Local DNS Cache

My Active Directory-enabled DNS server "RODENT" is on a Windows Server 2003 box. I'm confused about the DNS cache on the server. If I run ipconfig /displaydns on RODENT, I only see two records, an A record for "localhost" (127.0.0.1) and a PTR record for the same "localhost." However, if I run nslookup in interactive mode from a workstation, point nslookup at RODENT (192.168.1.2), and run lookup commands on common URLs (www.google.com, www.experts-exchange.com...), I get non-authoritative responses, implying that these responses came from RODENT's DNS cache. I don't get it. Are there actually two DNS caches on RODENT (maybe a client cache and a server cache)? Please explain.

Answer : Local DNS Cache

Hi wingatesl :)

I wouldn't have posted in the first instance if I wasn't very sure about my response. I fully understand how DNS and the DNS Resolver function; your conclusions are incorrect based on empirical evidence for a popular domain. Please don't take that as a slight against you, it's not intended as that; there are many areas where I couldn't possibly claim as much knowledge as this one.

You are correct in saying that my server will never be authoritative for a remote domain. However, that doesn't stop it providing an Authoritative Answer to the DNS Resolver. These two aspects should not be confused.

An Authoritative Answer can be defined as an answer to a query received directly from the Authoritative Server, i.e. an answer that is not currently in the cache.

As an example:

C:\Stuff\Scripts>nslookup
Default Server:  
Address:  

> www.google.com
Server:  
Address:  

Non-authoritative answer:
Name:    www.l.google.com
Addresses:  64.233.183.147, 64.233.183.104, 64.233.183.99
Aliases:  www.google.com

We have that cache, and we can see the remaining TTL if we turn Debug on (set debug):

    QUESTIONS:
        www.google.com, type = A, class = IN
    ANSWERS:
    ->  www.google.com
        canonical name = www.l.google.com
        ttl = 66017 (18 hours 20 mins 17 secs)
    ->  www.l.google.com
        internet address = 64.233.183.147
        ttl = 126 (2 mins 6 secs)
    ->  www.l.google.com
        internet address = 64.233.183.104
        ttl = 126 (2 mins 6 secs)
    ->  www.l.google.com
        internet address = 64.233.183.99
        ttl = 126 (2 mins 6 secs)

Instead, if I pick something my server really doesn't know about (we use Google all the time, so even the short TTL on those A Records won't help):

> www.motorways.com
Server:  
Address:  

Name:    www.motorways.com
Address:  218.48.222.58

A repeat of the query will show me:

> www.motorways.com
Server:  
Address:  

Non-authoritative answer:
Name:    www.motorways.com
Address:  218.48.222.58

Again turning on Debug allows me to see the remaining TTL on the Non-Authoritative Answer:

    QUESTIONS:
        www.motorways.com, type = A, class = IN
    ANSWERS:
    ->  www.motorways.com
        internet address = 218.48.222.58
        ttl = 3528 (58 mins 48 secs)

I'd have to expect that to be 1 hour. You can see the full TTL of a cached record if you set debug prior to retrieving the record.

In each case and are the same, and represent a DNS Server local to me, not a Name Server listed in the NS or SOA for the remote domain.

If you have a quiet DNS Server you can reproduce this behaviour by clearing the DNS Cache and re-requesting an answer for a domain (or an uncommon domain if you have a busy name server).

Chris
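To make the mechanism in the answer above concrete: nslookup prints "Non-authoritative answer:" exactly when the AA (Authoritative Answer) bit in the DNS response header is clear, and a recursive server answering out of its own cache does not set that bit; the decrementing ttl values seen with set debug are the cache counting down. The following is an added example, not code from the original thread or from Microsoft's DNS server. It builds and parses RFC 1035 wire-format messages, reproduces nslookup's decision from the AA bit, and reports per-record TTLs. The two "motorways" responses and the Google CNAME chain are constructed locally (reusing the addresses and TTLs quoted above) so the demo runs offline; query_server() is the same parser pointed at a real resolver, for running the experiment twice against your own server.

```python
"""Decode what nslookup's "Non-authoritative answer:" line really reports.

Added example (not from the original thread). Builds DNS messages in wire
format, parses header flags and answer TTLs, and shows that the line depends
solely on the AA bit, which a recursive server clears when it answers from
its own cache. Sample responses are constructed, so the demo runs offline.
"""
import socket
import struct

AA_FLAG = 0x0400          # Authoritative Answer bit in the flags word
QR_RD_RA = 0x8180         # response, recursion desired, recursion available
TYPE_A, TYPE_CNAME = 1, 5


def _encode_name(name):
    """Dotted name -> length-prefixed labels, uncompressed."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def _read_name(msg, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_query(name, qtype=TYPE_A, txid=0x1234):
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1
    return header + _encode_name(name) + struct.pack(">HH", qtype, 1)


def build_response(query, answers, authoritative):
    """Constructed reply to `query`; answers = [(owner, type, ttl, data)]."""
    txid = struct.unpack(">H", query[:2])[0]
    flags = QR_RD_RA | (AA_FLAG if authoritative else 0)
    msg = struct.pack(">HHHHHH", txid, flags, 1, len(answers), 0, 0) + query[12:]
    for owner, rtype, ttl, data in answers:
        rdata = socket.inet_aton(data) if rtype == TYPE_A else _encode_name(data)
        msg += _encode_name(owner) + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


def parse_response(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                               # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A:
            data = socket.inet_ntoa(msg[off:off + 4])
        elif rtype == TYPE_CNAME:
            data, _ = _read_name(msg, off)
        else:
            data = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append({"name": owner, "type": rtype, "ttl": ttl, "data": data})
    return {"id": txid, "aa": bool(flags & AA_FLAG), "rcode": flags & 0xF, "answers": answers}


def describe(parsed):
    """The same decision nslookup makes: no AA bit -> 'Non-authoritative answer'."""
    return "authoritative answer" if parsed["aa"] else "non-authoritative answer (served from cache)"


def query_server(server, name, timeout=3.0):
    """Real UDP query against `server` (not used by the offline demo). Ask twice
    and compare describe() and the TTLs to watch the server's cache populate."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def demo():
    """First lookup relayed from the authority (AA set, full TTL), then the same
    name shortly afterwards out of the recursive server's cache (AA clear)."""
    q = build_query("www.motorways.com")
    fresh = parse_response(build_response(
        q, [("www.motorways.com", TYPE_A, 3600, "218.48.222.58")], authoritative=True))
    cached = parse_response(build_response(
        q, [("www.motorways.com", TYPE_A, 3528, "218.48.222.58")], authoritative=False))
    # Google-style chain: long-lived CNAME, short-lived A records behind it.
    chain = parse_response(build_response(build_query("www.google.com"), [
        ("www.google.com", TYPE_CNAME, 66017, "www.l.google.com"),
        ("www.l.google.com", TYPE_A, 126, "64.233.183.147"),
        ("www.l.google.com", TYPE_A, 126, "64.233.183.104"),
    ], authoritative=False))
    return fresh, cached, chain


if __name__ == "__main__":
    for r in demo():
        print(describe(r), [(a["name"], a["ttl"], a["data"]) for a in r["answers"]])
```

Running query_server("192.168.1.2", "www.motorways.com") twice from a workstation should show the first result as authoritative with the zone's full TTL and the second as non-authoritative with a smaller TTL, which is the server-side cache the question was asking about. That cache belongs to the DNS Server service; ipconfig /displaydns only shows the machine's own client resolver cache, so it stays nearly empty on a server that does no lookups of its own.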