Question: Local DNS Cache
My Active Directory-enabled DNS server "RODENT" is on a Windows Server 2003 box. I'm confused about the DNS cache on the server. If I run ipconfig /displaydns on RODENT, I only see two records, an A record for "localhost" (127.0.0.1) and a PTR record for the same "localhost." However, if I run nslookup in interactive mode from a workstation, point nslookup at RODENT (192.168.1.2), and run lookup commands on common URLs (www.google.com, www.experts-exchange.com...), I get non-authoritative responses, implying that these responses came from RODENT's DNS cache. I don't get it. Are there actually two DNS caches on RODENT (maybe a client cache and a server cache)? Please explain.
Answer: Local DNS Cache
Hi wingatesl :)
I wouldn't have posted in the first instance if I wasn't very sure about my response. I fully understand how DNS and the DNS Resolver function; your conclusions are incorrect based on empirical evidence for a popular domain. Please don't take that as a slight against you, it's not intended as that; there are many areas where I couldn't possibly claim as much knowledge as this one.
You are correct in saying that my server will never be authoritative for a remote domain. However, that doesn't stop it providing an Authoritative Answer to the DNS Resolver. These two aspects should not be confused.
An Authoritative Answer can be defined as an Answer to a Query received directly from the Authoritative Server, i.e. an Answer that is not currently in the Cache.
As an example:
C:\Stuff\Scripts>nslookup
Default Server:
Address:

> www.google.com
Server:
Address:

Non-authoritative answer:
Name:      www.l.google.com
Addresses: 64.233.183.147, 64.233.183.104, 64.233.183.99
Aliases:   www.google.com
We have that cache, and we can see the remaining TTL if we turn Debug on (set debug):
QUESTIONS:
    www.google.com, type = A, class = IN
ANSWERS:
->  www.google.com
    canonical name = www.l.google.com
    ttl = 66017 (18 hours 20 mins 17 secs)
->  www.l.google.com
    internet address = 64.233.183.147
    ttl = 126 (2 mins 6 secs)
->  www.l.google.com
    internet address = 64.233.183.104
    ttl = 126 (2 mins 6 secs)
->  www.l.google.com
    internet address = 64.233.183.99
    ttl = 126 (2 mins 6 secs)
Instead, if I pick something my server really doesn't know about (we use Google all the time, so even the short TTL on those A Records won't help):
> www.motorways.com
Server:
Address:

Name:    www.motorways.com
Address: 218.48.222.58
A repeat of the query will show me:
> www.motorways.com
Server:
Address:

Non-authoritative answer:
Name:    www.motorways.com
Address: 218.48.222.58
Again turning on Debug allows me to see the remaining TTL on the Non-Authoritative Answer:
QUESTIONS:
    www.motorways.com, type = A, class = IN
ANSWERS:
->  www.motorways.com
    internet address = 218.48.222.58
    ttl = 3528 (58 mins 48 secs)
I'd have to expect that to be 1 hour. You can see the full TTL of a Cached Record if you Set Debug prior to retrieving the record.
In each case and are the same, and represent a DNS Server local to me, not a Name Server listed in the NS or SOA for the remote domain.
If you have a quiet DNS Server you can reproduce this behaviour by clearing the DNS Cache and re-requesting an answer for a domain (or an uncommon domain if you have a busy name server).
Chris
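A small Python model of the behaviour Chris describes above, added here as an illustration and not part of the original thread: a caching server relays the first answer straight from the authoritative server (AA bit set, full TTL) and serves repeats from its cache (AA clear, TTL counting down), which is exactly what nslookup renders as the presence or absence of "Non-authoritative answer:". The AUTHORITATIVE table, the simulated clock and the sample packets are constructed assumptions; the addresses and the 3600-second TTL are taken from the figures quoted in the answer.

```python
import struct
from dataclasses import dataclass

# Constructed stand-in for the remote authoritative servers: (rdata, full TTL).
# The 3600 s TTL is the "1 hour" the answer above infers from 3528 s remaining.
AUTHORITATIVE = {
    ("www.motorways.com", "A"): (["218.48.222.58"], 3600),
    ("www.google.com", "A"): (["64.233.183.147", "64.233.183.104"], 300),
}

@dataclass
class CacheEntry:
    rdata: list
    ttl: int        # TTL exactly as received from the authoritative server
    inserted: int   # simulated clock value when the record entered the cache

class CachingResolver:
    """Minimal model of a recursive, caching DNS server such as RODENT."""
    def __init__(self, upstream=AUTHORITATIVE):
        self.upstream = upstream
        self.cache = {}
        self.now = 0  # simulated clock in seconds; advance() stands in for real time

    def advance(self, seconds):
        self.now += seconds

    def flush(self):
        self.cache.clear()  # the equivalent of clearing the server cache (dnscmd /clearcache)

    def resolve(self, name, rtype="A"):
        key = (name.lower().rstrip("."), rtype)
        entry = self.cache.get(key)
        if entry is not None:
            remaining = entry.ttl - (self.now - entry.inserted)
            if remaining > 0:
                # Served from cache: AA bit clear, TTL already counting down.
                return {"aa": False, "ttl": remaining, "rdata": entry.rdata}
            del self.cache[key]  # expired; fetch afresh from the authoritative server
        rdata, ttl = self.upstream[key]
        self.cache[key] = CacheEntry(rdata, ttl, self.now)
        # Relayed straight from the authoritative server: AA set, full TTL.
        return {"aa": True, "ttl": ttl, "rdata": rdata}

def nslookup_header(response):
    """The banner nslookup prints (or omits) depending on the AA bit."""
    return "" if response["aa"] else "Non-authoritative answer:"

def aa_bit_set(packet):
    """Read the AA flag from a raw DNS header: bit 0x0400 of the flags word (RFC 1035)."""
    flags = struct.unpack("!H", packet[2:4])[0]
    return bool(flags & 0x0400)
```

Running the same query twice 72 seconds apart reproduces the 3528-second remaining TTL from the debug output above; flushing the cache returns the server to the first-query state.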