I have run across a situation that has challenged my previous understanding of how this is supposed to work. I have two cases. I had an understanding of how this worked based on the first case, then the second case has come along and challenged that understanding. I’m seeking clarification.
The first case was something like this… The authoritative name servers for a domain became inaccessible due to an erroneous firewall configuration in an ISP network. I did an NS type query for the domain, assuming that if the delegation records on the com servers were correct, I would get that information as an answer. I did not get an answer, and believed that this indicated a problem with delegation to the authoritative name servers. Not so. The delegation was fine, but I did not receive an answer for the query because the answer needed to come from one of the name servers for that child domain I was querying for. In other words, even though I (or, the client I was using) could see the delegation information from the com servers, this information was not, and should not have been, used to actually answer the query. I read some RFCs as well which helped lead me to this understanding. (I think 2181 and 4697, but maybe others/newer ones as well)
Now comes case 2. In this case, someone misconfigured DNS so that delegation goes to one set of name servers (say, ns1,2,3.delegated.com), but then they set NS records on those servers to some other set of servers (say, ns1,2,3.authoritative.com).
Now, if I configure a DNS server with no forwarders, and do an NS query for this domain, it will work its way down the hierarchy and finally query ns[x].authoritative.com and return ns1,2,3.authoritative.com for the answer to the NS query. That is consistent with my previous understanding.
If I configure this same DNS server to use certain caching servers, then (most of the time) instead of getting the answer ns1,2,3.authoritative.com for the NS query, I get ns1,2,3.delegated.com from the caching server, which seems to me to suggest that the caching server is returning delegation records as answers to the NS query.
I understand this is purely an academic question, since this is all due to a misconfiguration, but I would like to know whether this caching server is doing something it should not by returning these delegation records (which never originated from any authoritative server for the domain) as answers to the NS query. I am just assuming that if the delegation records shouldn’t be used to answer a query, they also shouldn’t be cached and then later used to answer a query… but I guess I could be wrong in that assumption.
TLDR: A caching DNS server should NOT cache delegation information from com servers and use it to answer NS queries for a child of com, right?
Hopefully I am understanding this correctly. I did a brief search of this subreddit but didn’t find a similar question and answer.
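The post refers to RFC 2181, whose section 5.4.1 ranks cached data by how trustworthy its source is: NS records in the answer section of an authoritative (AA=1) reply rank above NS records that only appeared in the authority section of a referral from the parent (com) servers. The following is an added illustration, not code from the post or from any resolver, of a toy cache that applies that ranking. The two messages, the domain `example.com`, and the server names `ns1/ns2.delegated.com` and `ns1/ns2.authoritative.com` are constructed to mirror the post's second case; the rank values and the `Cache`/`Message`/`RRset` classes are this example's own simplification. It takes no position on whether the caching server in the question is conformant; it shows what ranking buys a resolver: delegation data can never overwrite an authoritative NS set, and a cache hit backed only by referral data is distinguishable from a real answer, so the resolver can choose to ask the delegated servers before answering.

```python
"""Toy DNS cache applying the RFC 2181 section 5.4.1 data-ranking rule.

Added example for the thread above (not code from the original post).
Every message, name and address below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple

# Trust ranks adapted (simplified) from RFC 2181 section 5.4.1.
# Higher number = more trusted.  Delegation NS records and glue seen in a
# referral from the parent rank lowest: they are hints about where to ask,
# not statements by the zone's own authoritative servers.
RANK_AUTH_ANSWER = 3      # answer section of an authoritative (AA=1) reply
RANK_AUTH_AUTHORITY = 2   # authority section of an authoritative reply
RANK_NONAUTH_ANSWER = 1   # answer section of a non-authoritative reply
RANK_REFERRAL = 0         # authority/additional sections of a referral


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: Tuple[str, ...]


@dataclass
class Message:
    aa: bool                                   # Authoritative Answer flag
    answer: List[RRset] = field(default_factory=list)
    authority: List[RRset] = field(default_factory=list)
    additional: List[RRset] = field(default_factory=list)


# Constructed message 1: a referral from a com server (AA=0).  The NS set for
# example.com sits in the AUTHORITY section, with glue in ADDITIONAL.
REFERRAL_FROM_COM = Message(
    aa=False,
    authority=[RRset("example.com.", "NS", ("ns1.delegated.com.", "ns2.delegated.com."))],
    additional=[RRset("ns1.delegated.com.", "A", ("192.0.2.1",)),
                RRset("ns2.delegated.com.", "A", ("192.0.2.2",))],
)

# Constructed message 2: the reply from ns1.delegated.com itself (AA=1), whose
# zone data names a different NS set, as in the post's misconfigured case.
AUTH_ANSWER_FROM_DELEGATED = Message(
    aa=True,
    answer=[RRset("example.com.", "NS", ("ns1.authoritative.com.", "ns2.authoritative.com."))],
)


def rank_rrsets(msg: Message) -> Iterator[Tuple[int, RRset]]:
    """Yield (rank, rrset) for each RRset in a message, by section and AA bit."""
    for rr in msg.answer:
        yield (RANK_AUTH_ANSWER if msg.aa else RANK_NONAUTH_ANSWER), rr
    for rr in msg.authority:
        yield (RANK_AUTH_AUTHORITY if msg.aa else RANK_REFERRAL), rr
    for rr in msg.additional:
        yield RANK_REFERRAL, rr


class Cache:
    """Cache keyed by (owner name, type); each entry remembers its trust rank."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str], Tuple[int, RRset]] = {}

    def ingest(self, msg: Message) -> None:
        for rank, rr in rank_rrsets(msg):
            key = (rr.name.lower(), rr.rtype)
            current = self.entries.get(key)
            # Less-trusted data never overwrites more-trusted data already cached.
            if current is None or rank >= current[0]:
                self.entries[key] = (rank, rr)

    def answer(self, name: str, rtype: str) -> Tuple[str, Tuple[str, ...]]:
        """Return (status, rdata).

        'answer'        -> backed by answer-section data, usable as an answer
        'referral-only' -> the cache holds nothing better than delegation data;
                           a careful resolver queries the delegated servers first
        'miss'          -> nothing cached
        """
        hit = self.entries.get((name.lower(), rtype))
        if hit is None:
            return "miss", ()
        rank, rr = hit
        return ("referral-only" if rank == RANK_REFERRAL else "answer"), rr.rdata


def walk_through() -> List[Tuple[str, Tuple[str, ...]]]:
    """Replay the post's scenario and return what the cache would say each step."""
    cache = Cache()
    steps = []
    cache.ingest(REFERRAL_FROM_COM)            # saw only the com delegation so far
    steps.append(cache.answer("example.com.", "NS"))
    cache.ingest(AUTH_ANSWER_FROM_DELEGATED)   # asked ns1.delegated.com
    steps.append(cache.answer("example.com.", "NS"))
    cache.ingest(REFERRAL_FROM_COM)            # a later referral must not demote it
    steps.append(cache.answer("example.com.", "NS"))
    return steps


if __name__ == "__main__":
    for status, rdata in walk_through():
        print(status, rdata)
```

Running the script prints three lines: first `referral-only` with the delegated.com names, then `answer` with the authoritative.com names, and finally `answer` again, because a second referral from the com servers ranks too low to displace the authoritative NS set. A resolver that answered NS queries straight from the first, referral-only state would be giving out the delegation records the post describes.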