
I am just looking at our NT4 server


cjkenworthy

Programmer
Sep 13, 2002
237
GB
I am just looking at our NT4 server, which has our DNS server running on it (NT4's own DNS service) - however I can't seem to find the external DNS IP addresses of our ISP DNS servers.

They clearly aren't there! So I also tried looking at our firewall settings (a Watchguard firebox), but that simply lets DNS requests out, it doesn't forward/do anything with them.

I have been in touch with our ISP who has given me the IP addresses of the DNS servers our DNS seems magically able to find - my problem is that I don't quite understand how it works, could I have a quick explanation of DNS in the context of the above setup? cheers.
 
You want the "forwarder address" (I can't remember the exact name for NT4). This should be your ISP DNS IP address.

Any DNS server, my experience is with MSDNS servers only, can have a number of domains that it is responsible for (SOA or Start Of Authority) such as yourcompany.com and yourcompany2.com, it can also cache domain records for which it is not responsible (non-authoritative). The difference is SOA puts your server at the top of the DNS food chain, whereas non-authoritative means your server relies on another DNS server for that zone information. Here is an example.

Your server has yourcompany.com and yourcompany2.com domains as SOA. You type in your browser your workstation contacts its primary DNS which has the SOA on that domain and points you to the correct IP and all is happy. If you put into your browser then your workstation contacts its primary DNS, which is still your NT4 system, however this time your DNS does not have the SOA for that domain so it will call to its "forwarder address" and get a response from it.

Now it gets a little tricky. There are "root" DNS servers on the Internet, 13 to be exact. When any given DNS server does not have either an SOA or a cached zone record for a requested domain name it will first try its "forwarder address", if none is listed it will then contact the "root" servers.

Once the "root" DNS server responds with the IP of the DNS responsible for that domain, your DNS will contact that responsible DNS and request the record for the requested domain. This record is now cached on your DNS. If another request for that same domain occurs before the cache is flushed your DNS will respond to that request with its cached zone record. If the cache has already been flushed then the process of contacting the "forwarder address" or "root" begins again.

The benefit of using a "forwarder address" is that if you have a large ISP such as Verizon (DNS1 4.2.2.1/DNS2 4.2.2.2/DNS3 4.2.2.3) then DNS requests can be very quick to respond. This is because all Verizon DNS requests are cached to these servers. Your ISP DNS servers are usually geographically or at least digitally (network hops) favorable. You will have access to the complete cache of almost all Verizon users' DNS resolution requests which can number into the millions.

I don't know if this really qualifies as quick but DNS is not really a quick subject [smile].

Hope this helps you out.

Smoothie2u
-On the road of life there are drivers and there is roadkill, so look both ways before you step out.
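The resolution order the reply walks through (answer from your own SOA zones, then from cache until the TTL runs out, then ask the forwarder, and only fall back to the root servers when no forwarder is configured) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the original post and not how the NT4 DNS service is actually implemented; the zone names, the `192.0.2.x` / `203.0.113.x` addresses, the TTLs and the `FakeClock` are all constructed so it runs offline and deterministically.

```python
"""Toy model of a caching DNS server's lookup order (added example,
constructed data): SOA zones -> cache (TTL) -> forwarder -> root hints."""

# Constructed sample data. Zones this server is authoritative (SOA) for:
AUTHORITATIVE_ZONES = {
    "yourcompany.com": {"www.yourcompany.com": "192.0.2.10"},
    "yourcompany2.com": {"www.yourcompany2.com": "192.0.2.20"},
}
# Records held by remote authoritative servers elsewhere on the Internet,
# stored as name -> (ip, ttl_seconds). Also constructed.
REMOTE_ZONES = {
    "example.net": {"www.example.net": ("203.0.113.5", 300)},
}


def zone_of(name):
    """Crude 'last two labels' zone cut; enough for this sample data."""
    return ".".join(name.split(".")[-2:])


class FakeClock:
    """Deterministic clock so TTL expiry can be exercised without sleeping."""
    def __init__(self):
        self.t = 0
    def now(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class Upstream:
    """Stands in for the ISP forwarder and the root/authoritative servers,
    counting each kind of query so the path a lookup took is visible."""
    def __init__(self):
        self.forwarder_queries = 0
        self.root_queries = 0
        self.authoritative_queries = 0

    def forwarder(self, name):
        # The ISP resolver answers directly out of its own big cache.
        self.forwarder_queries += 1
        return REMOTE_ZONES.get(zone_of(name), {}).get(name)

    def root_referral(self, name):
        # Root servers don't hold the record; they refer us to the zone's server.
        self.root_queries += 1
        zone = zone_of(name)
        return zone if zone in REMOTE_ZONES else None

    def authoritative(self, zone, name):
        self.authoritative_queries += 1
        return REMOTE_ZONES[zone].get(name)


class CachingResolver:
    def __init__(self, upstream, use_forwarder=True, clock=None):
        self.upstream = upstream
        self.use_forwarder = use_forwarder
        self.clock = clock or FakeClock().now
        self.cache = {}  # name -> (ip, expires_at)

    def resolve(self, name):
        """Return (ip_or_None, source) where source names the step that answered."""
        # 1. Our own SOA data: we are at the top of the chain for these zones.
        for zone, records in AUTHORITATIVE_ZONES.items():
            if name == zone or name.endswith("." + zone):
                return records.get(name), "authoritative"
        # 2. Cached non-authoritative record, honoured only until its TTL expires.
        now = self.clock()
        if name in self.cache:
            ip, expires_at = self.cache[name]
            if now < expires_at:
                return ip, "cache"
            del self.cache[name]  # flushed; we must go upstream again
        # 3. Forwarder, if one is configured.
        if self.use_forwarder:
            answer = self.upstream.forwarder(name)
            source = "forwarder"
        # 4. Otherwise walk from the root: referral first, then ask that server.
        else:
            zone = self.upstream.root_referral(name)
            answer = self.upstream.authoritative(zone, name) if zone else None
            source = "root"
        if answer is None:
            return None, source
        ip, ttl = answer
        self.cache[name] = (ip, now + ttl)
        return ip, source


def demo(use_forwarder=True):
    """Run the same four lookups with and without a forwarder; return the
    source of each answer plus the upstream query counts."""
    clock, up = FakeClock(), Upstream()
    r = CachingResolver(up, use_forwarder=use_forwarder, clock=clock.now)
    trace = [r.resolve("www.yourcompany.com")[1],  # our own SOA zone
             r.resolve("www.example.net")[1],      # first time: upstream
             r.resolve("www.example.net")[1]]      # second time: cache
    clock.advance(301)                             # let the 300 s TTL lapse
    trace.append(r.resolve("www.example.net")[1])  # cache flushed: upstream again
    return trace, up


if __name__ == "__main__":
    for flag in (True, False):
        trace, up = demo(flag)
        print("forwarder" if flag else "root hints", trace, vars(up))
```

The two runs show the reply's two paths side by side: with a forwarder the NT4 box never touches the root servers, and in both cases the third lookup is served from cache while the fourth, after the TTL lapses, goes upstream again.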
 