Thursday, December 4, 2008

Specialized DNS Tools

Authoritative DNS servers hold the records that describe a domain, grouped into what are called 'zones'. When you look up the IP address of a hostname within a domain, the query may travel all the way to the authoritative servers through a process known as recursion, or it may be answered from a cached record along the way.

There are usually two authoritative servers, but a large company with a distributed network may use more. In some DNS implementations the DNS maintainer edits a record by hand (for example an MX record, which defines the machine that handles SMTP email) and at the same time bumps the zone's serial number to show that the zone was altered. In other implementations the serial number change is automated.

The secondary servers pull zone data from the primary server when they see that the serial number in the primary's SOA record is newer than the serial number they currently hold (they check on the refresh interval given in the SOA record, or sooner when the primary sends a NOTIFY). A newer serial triggers a "zone transfer", either a full zone transfer (AXFR) or an incremental transfer (IXFR). Note that "newer" is not the same as "different": serials are compared with the 32-bit wraparound arithmetic of RFC 1982, so if the primary's serial is lower than a secondary's, the secondary will not transfer and will quietly keep serving its old copy of the zone.

As a side note, zone serial numbers are usually in one of two formats. The first, and most common, is YYYYMMDDNN, where YYYY is the year (four digits), MM is the month (two digits), DD is the day of month (two digits) and NN is the revision within that day (two digits). The second is Unix time, i.e. the number of seconds since Jan 1, 1970. Some DNS maintainers simply use an incrementing number, like a revision number.

If replication between the primary and secondary servers breaks down (some DNS software can replicate by means other than zone transfers), the serial numbers may end up out of sync, especially when the serial number is maintained by hand. To check this, a DNS maintainer has to query each authoritative server individually for its current serial number, using nslookup or dig, and verify that they all agree.
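The manual check described above, and the "newer, not merely different" comparison that governs when a secondary transfers, can be scripted. The following is an added example and is not code from the original post or from NetScanTools Pro. It runs on constructed SOA answer lines (in the format `dig +noall +answer SOA example.com` prints) embedded in the script; the server names under example.com are hypothetical. It parses the serial out of each server's SOA answer, picks the primary (the SOA MNAME) as the reference, falls back to the newest serial seen when the primary is hidden, and reports which servers are stale, ahead, or unreachable, using RFC 1982 serial arithmetic so that a wrapped serial is judged correctly.

```python
"""Check that a zone's authoritative servers agree on the SOA serial.

Added example: runs entirely on the constructed SOA answers embedded below,
not on live DNS. The example.com server names are hypothetical.
"""

SERIAL_BITS = 32
SERIAL_MOD = 1 << SERIAL_BITS
SERIAL_HALF = 1 << (SERIAL_BITS - 1)


def serial_gt(a, b):
    """RFC 1982 serial number arithmetic: is serial a newer than serial b?

    Serials live in a 32-bit ring, so 'newer' is decided by the shorter way
    round the ring, not by plain integer comparison. Equal serials, and the
    undefined case of serials exactly 2**31 apart, both return False.
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def parse_soa_serial(answer_line):
    """Extract (mname, serial) from a presentation-format SOA record.

    Input is one line as printed by `dig +noall +answer SOA <zone>`:
    owner ttl class SOA mname rname serial refresh retry expire minimum
    """
    fields = answer_line.split()
    if len(fields) < 11 or fields[3].upper() != "SOA":
        raise ValueError("not an SOA record: %r" % answer_line)
    mname = fields[4].rstrip(".").lower()
    return mname, int(fields[6])


def newest_serial(serials):
    """Pick the newest serial from an iterable using RFC 1982 ordering."""
    best = None
    for s in serials:
        if best is None or serial_gt(s, best):
            best = s
    return best


def audit_zone(answers):
    """Compare each authoritative server's SOA serial against the primary.

    `answers` maps server name -> SOA answer line, or None if the server
    did not answer. The reference serial is the one reported by the SOA
    MNAME (the primary master); if the primary is hidden and was not among
    the servers queried, the newest serial seen is used instead.
    """
    serials = {}
    unreachable = []
    mname = None
    for server, line in answers.items():
        if line is None:
            unreachable.append(server)
            continue
        mname, serial = parse_soa_serial(line)
        serials[server.lower()] = serial

    if mname in serials:
        reference = (mname, serials[mname])
    else:
        reference = ("newest seen", newest_serial(serials.values()))
    ref_serial = reference[1]

    # A secondary behind the reference is stale; one ahead of it means the
    # reference itself is behind (or the serial was wound back by hand).
    stale = sorted(s for s, v in serials.items() if serial_gt(ref_serial, v))
    ahead = sorted(s for s, v in serials.items() if serial_gt(v, ref_serial))
    return {
        "reference": reference,
        "serials": serials,
        "stale": stale,
        "ahead": ahead,
        "unreachable": sorted(unreachable),
        "in_sync": bool(serials) and not (stale or ahead or unreachable),
    }


# Constructed sample answers (not captured from a real zone): ns3 lags the
# primary by one revision and ns4 did not respond at all.
SAMPLE_ANSWERS = {
    "ns1.example.com": "example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2008120402 7200 900 1209600 3600",
    "ns2.example.com": "example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2008120402 7200 900 1209600 3600",
    "ns3.example.com": "example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2008120401 7200 900 1209600 3600",
    "ns4.example.com": None,
}

if __name__ == "__main__":
    report = audit_zone(SAMPLE_ANSWERS)
    for server, serial in sorted(report["serials"].items()):
        print("%-20s %d" % (server, serial))
    print("reference:", report["reference"])
    print("stale:", report["stale"], "ahead:", report["ahead"],
          "unreachable:", report["unreachable"])
    print("in sync" if report["in_sync"] else "PROBLEM: serial mismatch")
```

To run it against a live zone, feed `audit_zone` the answer line from `dig +noall +answer SOA <zone> @<server>` for each server returned by `dig +short NS <zone>`, with `None` for any server that times out. The "ahead" list is worth keeping separate from "stale": a secondary that is ahead of the primary will never transfer again until the primary's serial is advanced past it, which is exactly the failure a hand-maintained serial produces.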

To speed this up, I have created a new tool that finds the authoritative servers for a domain and then quickly checks each one for serial number mismatches. It analyzes the results and tells you whether there is a problem, and since each authoritative server is shown with its serial number for the zone, you can also see the results for yourself. The tool is tentatively called "Auth Serial Check" and appears in the new DNS Tools - Advanced window in NetScanTools Pro 10.8 (which is not out yet -- be patient).
