Introduction

Do you have a need for a DNS server that is authoritative for a zone being queried to query one or more other authoritative DNS servers instead of returning a non-existent domain (NXDOMAIN) response to a DNS client? These other DNS servers could be from business partners or, for example, vendors in a public cloud computing service, such as Amazon Web Services (AWS) Marketplace. If you have this need, TCPWave enables you to meet it with a solution unique among DNS-related products: TCPWave DNS Proxy Appliances.

 

In addition to querying alternate DNS servers, DNS Proxy Appliances provide other unique functions. One related function is to remove the Authority sections and nameserver (NS) records in them from query responses from alternate servers before returning the final responses to DNS clients. Consequently, clients do not cache the NS records, which point to alternate DNS servers, and later attempt to use them to directly contact the alternate DNS servers. This is beneficial, since it prevents clients, such as internal DNS caching servers, from bypassing Proxy Appliances, which are authoritative for some zones. Also, it prevents internal clients, which do not have network connectivity to the internet, from attempting to directly contact external alternate DNS servers on the internet.

 

For those who would like to better understand these capabilities and take advantage of them, information on an example query flow using a DNS Proxy Appliance and configuration of a Proxy Appliance is presented in the sections below.

Query Flow

An example query flow diagram for querying alternate DNS servers is presented below.

 

Diagram Description automatically generated

Example Query Flow for Querying Alternate DNS Servers

 

A summary of the DNS queries and responses in this diagram is as follows:

  1. A DNS client sends a query to a company’s internal DNS caching appliance, which is not connected to the internet.
  2. The internal DNS caching appliance queries an internal DNS root appliance.
  3. The internal DNS root appliance contains a nameserver (NS) record for the queried domain that points to the DNS Proxy Appliance, so the root appliance responds with a referral to the Proxy Appliance.
  4. The internal DNS caching appliance queries the DNS Proxy Appliance.
  5. The DNS Proxy Appliance, which is authoritative for the requested data, checks the appropriate zone file for matching records. If it contains one or more matches, then it will return an answer to the internal DNS caching appliance. Assume there are not any matching records. In this case, an authoritative DNS server would normally return a non-existent domain (NXDOMAIN) response. Instead of doing this, the Proxy Appliance simultaneously sends queries to the alternate DNS servers that it has been configured to use. Note that the alternates are assumed to be redundant. (In an upcoming version of the Proxy Appliance, it will be able to query a prioritized sequence of groups of DNS servers in which each group contains different data.)
  6. One or more alternate DNS servers return a query response.
  7. The DNS Proxy Appliance uses the first query response that an alternative DNS server returns. Also, the Proxy Appliance deletes the Authority section in the query response if it is present. When present, the Authority section contains NS records, each of which specifies a DNS server that is authoritative for a domain. Then the Proxy Appliance returns the modified response to the internal DNS caching appliance.
  8. Finally, the internal DNS caching appliance returns the query response to the DNS client that initiated the query flow.

As a result of this query flow, the DNS Proxy Appliance and the alternate DNS servers, which are all authoritative for the client’s query, are queried.

Configuration

The main step needed to configure a DNS Proxy Appliance to query alternate DNS servers is to specify one or more alternates in the Proxy Appliance. A screenshot showing example configuration data for a DNS Proxy Appliance is shown below. In this example, IP addresses for three alternate DNS servers are specified. Also configured are the number of query retries that the DNS Proxy Appliance will make in an attempt to reach unresponsive alternates and the timeout value for the time between retries. Details on all the configuration steps needed for a DNS Proxy Appliance are presented in the TCPWave IPAM System Administrator Reference Guide.

 

Graphical user interface, application Description automatically generated

Solutions

If you need an authoritative DNS server to query one or more other authoritative DNS servers instead of returning a non-existent domain (NXDOMAIN) response, TCPWave DNS Proxy Appliances enable you to meet it with a solution unique among DNS-related products. For more information on DNS Proxy Appliances and how other unique and beneficial features in TCPWave’s DNS, DHCP, and IP address management (DDI) products can meet your needs, contact the TCPWave Sales Team.