DNS resolution types:

Authoritative – Authoritative servers hold the zone records for the name being requested. When a request is made to an authoritative server, the information comes directly from the zone. An example of an authoritative server would be a name server that hosts the zones for hosted domain names.

Non-authoritative – This is a cached response. These are records that have previously been requested and stored with a TTL. Servers do this to minimise network traffic.

Recursive – Recursive DNS servers, such as Google's 8.8.8.8, retrieve the record from authoritative DNS servers and serve the response.

Non-recursive – This resolving technique only returns the address for the next DNS server to resolve. This can be used in scenarios where large traffic loads need to be managed between many recursive resolvers.

DNS client resolution types

Forwarded – When a server is acting in forwarding mode, the internal server requests DNS from one or more resolvers. In this mode it gives the reply as if it had made the recursive resolution itself. You will notice in most consumer-grade internet equipment that your DNS is set to the gateway IP. This gateway IP is acting as a forwarder to your ISP’s DNS systems or to an IP set in the network device. That said, there are many different configurations, but this is the most common.

Recursive: An example of recursive client resolution is your local DNS being set to Google's 8.8.8.8. Your computer is contacting a public recursive resolver (Google) to make the request on your behalf.

The below is done with the DNS tool “dig”.

A request for google.com from 8.8.8.8 gives the below answer.

;; ANSWER SECTION:
google.com.au.		300	IN	A	142.250.70.227

Iterative: In this scenario your local DNS server contacts the authoritative servers itself by following the root server referrals. Each server replies with the name server for the client to query directly. Example below.

Root server lookup all the way to the name server.

.			82309	IN	NS	g.root-servers.net.
.			82309	IN	NS	h.root-servers.net.
.			82309	IN	NS	i.root-servers.net.
.			82309	IN	NS	j.root-servers.net.
.			82309	IN	NS	k.root-servers.net.
.			82309	IN	NS	l.root-servers.net.
.			82309	IN	NS	m.root-servers.net.
.			82309	IN	NS	a.root-servers.net.
.			82309	IN	NS	b.root-servers.net.
.			82309	IN	NS	c.root-servers.net.
.			82309	IN	NS	d.root-servers.net.
.			82309	IN	NS	e.root-servers.net.
.			82309	IN	NS	f.root-servers.net.

;; Received 447 bytes from 127.0.0.53#53(127.0.0.53)

au.			172800	IN	NS	s.au.
au.			172800	IN	NS	r.au.
au.			172800	IN	NS	q.au.
au.			172800	IN	NS	t.au.


google.com.au.		900	IN	NS	ns4.google.com.
google.com.au.		900	IN	NS	ns2.google.com.
google.com.au.		900	IN	NS	ns1.google.com.
google.com.au.		900	IN	NS	ns3.google.com.

;; Received 623 bytes from 65.22.197.1#53(r.au)

Follow-up iterative request by the client resolver to ns1.google.com:

google.com.au.		300	IN	A	142.250.70.227

Your all-in-one modem/router will most likely have a recursive resolver pointing to your ISP’s internal recursive resolver or to a public resolver like Google. These settings can be changed in most devices, and you should regularly review how your devices handle DNS.

Forwarded-iterative: Some devices act in a type of forwarded-iterative mode, meaning the internal DNS server on your local network is following the root server referrals AND querying the authoritative servers itself. This can be confusing because, to computers looking at the DNS server on the local network, it looks as though it's simply resolving recursively.

A recursive request is made by a client to a local DNS server. The DNS server makes the request iteratively on the client’s behalf.

.			81752	IN	NS	g.root-servers.net.
.			81752	IN	NS	h.root-servers.net.
.			81752	IN	NS	i.root-servers.net.
.			81752	IN	NS	j.root-servers.net.
.			81752	IN	NS	k.root-servers.net.
.			81752	IN	NS	l.root-servers.net.
.			81752	IN	NS	m.root-servers.net.
.			81752	IN	NS	a.root-servers.net.
.			81752	IN	NS	b.root-servers.net.
.			81752	IN	NS	c.root-servers.net.
.			81752	IN	NS	d.root-servers.net.
.			81752	IN	NS	e.root-servers.net.
.			81752	IN	NS	f.root-servers.net.
;; Received 447 bytes from 127.0.0.53#53(127.0.0.53)

au.			172800	IN	NS	q.au.
au.			172800	IN	NS	r.au.
au.			172800	IN	NS	s.au.
au.			172800	IN	NS	t.au.

;; Received 617 bytes from 192.5.5.241#53(f.root-servers.net)

google.com.au.		900	IN	NS	ns3.google.com.
google.com.au.		900	IN	NS	ns4.google.com.
google.com.au.		900	IN	NS	ns2.google.com.
google.com.au.		900	IN	NS	ns1.google.com.

;; Received 623 bytes from 65.22.198.1#53(s.au)

google.com.au.		300	IN	A	142.250.70.227
;; Received 58 bytes from 216.239.38.10#53(ns4.google.com)

The DNS server, now having the domain's A record, responds to the client request.


;; ANSWER SECTION:
google.com.au.		300	IN	A	142.250.70.227

;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)

Notice that your modem responded as it would to a recursive request, but the iterative requests were coming from your modem/router?

How to detect the type of resolution

To find your actual IP address, you can open a browser, google “what’s my IP” and choose a service. Alternatively, run the following from a terminal with “dig” (Domain Information Groper) installed.

dig mydns.threadmarkcyber.com.au +trace | grep "3600 IN"

Once you have your public IP address you can test your DNS endpoint. For example, if the next command shows your public IP, your IP is the one making the iterative requests.

dig mydns.threadmarkcyber.com.au | grep -v ";" | grep "IN"

If the output IP is different, this is indicative of recursion. If the result gave the same IP for both, this would indicate your modem is iteratively resolving.
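
The comparison described above can be scripted. This is an added example, not part of the original page: it assumes the test name answers with the IPv4 address of whichever host queried its authoritative server, the function names are hypothetical, and the sample dig output is constructed with documentation addresses.

```shell
#!/bin/sh
# Added example: automate the comparison of the two dig commands above.
# Assumption: the test name answers with the IPv4 address of whichever
# host queried its authoritative server.
TEST_NAME="mydns.threadmarkcyber.com.au"

# Read dig output on stdin; print the first IPv4 address found in a record
# line owned by name $1. Comment lines (";; SERVER:", ";; Received") have a
# different first field, so their addresses are never picked up.
answer_ip() {
    awk -v name="$1." '
        $1 == name && $3 == "IN" &&
        match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
            print substr($0, RSTART, RLENGTH); exit
        }'
}

# $1 = address seen when dig walks the tree itself (+trace),
# $2 = address seen when the configured resolver does the lookup.
classify() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "unknown"; return 1
    fi
    if [ "$1" = "$2" ]; then
        echo "local-iterative"      # queries leave from your own public IP
    else
        echo "upstream-recursive"   # another resolver asked on your behalf
    fi
}

# Live check (needs dig and network access); not called by default.
check_live() {
    direct=$(dig "$TEST_NAME" +trace | answer_ip "$TEST_NAME")
    via=$(dig "$TEST_NAME" | answer_ip "$TEST_NAME")
    classify "$direct" "$via"
}

# Constructed sample output (documentation addresses, not real captures).
SAMPLE_TRACE='.	82309	IN	NS	a.root-servers.net.
;; Received 447 bytes from 127.0.0.53#53(127.0.0.53)
mydns.threadmarkcyber.com.au.	3600	IN	A	203.0.113.7'
SAMPLE_PLAIN=';; ANSWER SECTION:
mydns.threadmarkcyber.com.au.	3600	IN	A	198.51.100.53
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)'

direct=$(printf '%s\n' "$SAMPLE_TRACE" | answer_ip "$TEST_NAME")
via=$(printf '%s\n' "$SAMPLE_PLAIN" | answer_ip "$TEST_NAME")
echo "direct=$direct via=$via -> $(classify "$direct" "$via")"
```

Call check_live on a machine with dig installed to run the same comparison against your own resolver; a result that changes unexpectedly between reviews means the DNS path of the device has changed.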