DNS Basics
DNS is a topic that some people just don’t get. My goal is to make it as simple as possible for you to understand.
DNS zones fall into three categories:
- Forwarders
- Conditional Forwarders
- Zone Transfers
Forwarders
DNS queries that are not answered by this server are forwarded to these DNS servers if you are outside my domain/zone. Usually, this is used for external DNS lookups, such as those on the internet.
Conditional Forwarders
Conditional Forwarders specify that if you aren’t in my DNS domain/zone, you will NOT be sent to my Forwarders (above), but to the Forwarders listed here for these specific domains/zones. Using this option, you can select which domains/zones you want requests forwarded to. Active Directory is a common example of this. As an example, you might host example.com
on your primary DNS servers and conditionally forward ad.example.com
to your domain controllers.
Zone Transfers
Basically, zone transfers allow the whole zone to be transferred to a different DNS server. If you decide to use them, you should lock down the process. I’ve seen environments with this set to ANY, which poses a security risk. It is easy to imagine how one bad character can sink your entire DNS zone during their RECON stage. However, you may have a case for conditional forwarding if you are trying to accomplish what you are trying to achieve.
Setup
In the examples below, I’m running PowerDNS as my primary DNS server with a conditional forwarder for support.local
for Active Directory.
Setup:
PowerDNS Master Server:
- a1ubpdnsmp01 / 172.27.2.19
Note: This server is the primary DNS server for the domain support.tools
and runs PowerDNS with MariaDB as Read/Write master. It is important to note that no requests are normally sent to this server it’s only used for managing PowerDNS.
PowerDNS Slave Servers:
- a1ubpdnsp01 / 172.27.2.23
- a1ubpdnsp02 / 172.27.2.24
- a0ubpdnsp01 / 192.168.69.23
Note: These servers are the slaves for the domain support.tools
and run PowerDNS with MariaDB as Read-Only slave.
Example
Local query lookup for support.local
:
Command
dig rancher.support.tools
Output:
mmattox@a1ubthorp01:~$ dig rancher.support.tools
; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> rancher.support.tools
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57746
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;rancher.support.tools. IN A
;; ANSWER SECTION:
rancher.support.tools. 33 IN A 192.243.222.44
;; Query time: 0 msec
;; SERVER: 192.168.69.23#53(192.168.69.23) (UDP)
;; WHEN: Fri Jul 15 11:45:33 CDT 2022
;; MSG SIZE rcvd: 66
mmattox@a1ubthorp01:~$
As you can see the query was answered by the PowerDNS server 192.168.69.23
. Because the zone support.tools
is hosted on this server, it will be served directly.
External query lookup for google.com
:
Command
dig google.com
Output:
mmattox@a1ubthorp01:~$ dig google.com
; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56419
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 112 IN A 172.217.4.206
;; Query time: 72 msec
;; SERVER: 192.168.69.23#53(192.168.69.23) (UDP)
;; WHEN: Fri Jul 15 11:48:15 CDT 2022
;; MSG SIZE rcvd: 55
mmattox@a1ubthorp01:~$
As you can see the query was answered by the PowerDNS server 192.168.69.23
but because the zone google.com
is not hosted on this server, it was forwarded to CloudFlare 1.1.1.1
.
Note: I’m running PowerDNS Recursor on all my servers so all external DNS queries are forwarded to the PowerDNS Recursor first then to CloudFlare with PowerDNS Recursor acting as a caching layer.
Forwarded query lookup for support.local
:
Command:
dig support.local
Output:
mmattox@a1ubthorp01:~$ dig support.local
; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> support.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18031
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;support.local. IN A
;; ANSWER SECTION:
support.local. 593 IN A 172.27.2.7
support.local. 593 IN A 192.168.69.26
support.local. 593 IN A 172.27.2.8
;; Query time: 0 msec
;; SERVER: 192.168.69.23#53(192.168.69.23) (UDP)
;; WHEN: Fri Jul 15 11:52:17 CDT 2022
;; MSG SIZE rcvd: 90
mmattox@a1ubthorp01:~$
As you can see the query was answered by the PowerDNS server 192.168.69.23
but because the zone support.local
has a conditional forwarder, it was forwarded to my Active Directory servers IE 172.27.2.7
, 172.27.2.8
, and 192.168.69.26
. This means my Windows servers and desktop computers will be able to resolve the domain support.local
even tho their DNS settings point to the PowerDNS servers.