
DNS glue records - what are they and why are they so important?

The DNS service, invisible to the average user, periodically becomes the focus of IT specialists' attention, for various reasons. The topic is especially relevant when the main DNS providers come under DDoS attack. It is when DNS becomes partially inoperable that people realize that DNS is the foundation, the backbone of the entire structure of the Internet.

DNS translates domain names into IP addresses. Although this task looks very simple, solving it has produced what is probably the largest and most complex information system on the planet.


All this makes an already complex system even more complicated.

Since DNS does not live on a single machine (it is a hierarchical, distributed, and coherent database), it comprises many hierarchies and objects. Ensuring that all these hierarchically organized objects work correctly becomes a key task. At the top of the hierarchy are

Each level in this hierarchy plays an important role in the process of determining the desired IP address.


We are all part of this system, and it is very important for us to understand it and to keep in view all the important aspects that allow DNS to function without errors and interruptions.

Consider the following important aspect of the DNS system: "additional records", or "glue records".

Glue records, or additional records


A glue record, or additional record, is an A record that stores the IP address assigned to a domain or subdomain. These records become extremely important when a domain's name server is located on a subdomain of that same domain.

Glue records can be found in the “Additional records” section of the DNS response.

Let's look at an example of how these additional records work. Suppose you have the domain yourdomain.com, whose name servers have the addresses:
  ns1.yourdomain.com
  ns2.yourdomain.com

This creates a conflict: to determine the address of yourdomain.com, you need to get it from ns1.yourdomain.com, whose own address you in turn need to get from yourdomain.com. The result is an endless loop.

Glue records are exactly what is needed to break it: they report the IP addresses of the name servers directly while the request for the address of yourdomain.com is being processed.



In this example, we see how the additional records eliminate the circular dependency by supplying A records with the IP addresses of ns1.ctrls.in and ns1.ctrls.in, the name servers of the ctrls.in domain.

Additional records are also useful for domains that do not use their own subdomains for their name servers: they reduce the number of steps needed to determine the address. This is, for example, how it works for Wikipedia.org.



In this example, Wikipedia.org returns ns1.wikimedia.org, ns2.wikimedia.org and ns3.wikimedia.org as the name server names for its domain. The additional records immediately report their IP addresses, skipping the address lookup step for the Wikimedia.org domain.

For one large Chinese CDN, the A records returned incorrect IP addresses for its name servers.

The DNS Experience check showed that the various reputable name servers polled during the test returned the correct IP address. But the Direct DNS check, in which a global domain-level name server is polled, returned an incorrect IP address.

The same results were obtained by investigating the situation with dig (dig "server name" root_server): the global name server returned incorrect addresses.

The error turned out to be that at some point the domain name registrar had not passed a change to the glue record higher up the hierarchy.

CDN representatives contacted the domain name registrar, which updated the glue record for the domain. The updated record was then propagated to all gTLD servers, and the problem was resolved.

This incident underlined the importance of monitoring the operation of every level of this huge system, DNS. You need the right strategy for identifying the level at which a problem arose and how to solve it: whether your own efforts are enough, or whether you should contact those who are competent to solve it.

You can check the correctness of the root (glue) DNS records using, for example, Pingdom: during the verification process, the IP addresses of the domain's NS servers are obtained, and their records on the root DNS servers are compared with those specified directly in the DNS records of the zone.
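
The comparison described above (glue held higher in the hierarchy versus the records in the zone itself) can be sketched in Python. This is an added example, not code from the original article or from Pingdom; the referral text, the zone data and the addresses (documentation ranges) are constructed, and parse_referral and check_glue are hypothetical helper names.

```python
import re

# Constructed referral for yourdomain.com as a parent (TLD) server would return it, in dig's layout.
REFERRAL = """\
;; AUTHORITY SECTION:
yourdomain.com.      172800 IN NS ns1.yourdomain.com.
yourdomain.com.      172800 IN NS ns2.yourdomain.com.
yourdomain.com.      172800 IN NS ns3.yourdomain.com.
;; ADDITIONAL SECTION:
ns1.yourdomain.com.  172800 IN A 192.0.2.10
ns2.yourdomain.com.  172800 IN A 192.0.2.99
"""

# Constructed A records as served by the zone's own name servers.
ZONE_A = {
    "ns1.yourdomain.com.": {"192.0.2.10"},
    "ns2.yourdomain.com.": {"198.51.100.20"},
    "ns3.yourdomain.com.": {"198.51.100.30"},
}

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A|AAAA)\s+(\S+)$")

def parse_referral(text):
    """Return (set of NS names, {name: set of glue addresses})."""
    section, ns, glue = "", set(), {}
    for line in text.splitlines():
        if line.startswith(";;"):              # section header, e.g. ";; ADDITIONAL SECTION:"
            section = (line.split() + [""])[1]
        m = RR.match(line.strip())
        if not m:
            continue
        owner, rtype, rdata = m.group(1).lower(), m.group(2), m.group(3).lower()
        if section == "AUTHORITY" and rtype == "NS":
            ns.add(rdata)
        elif section == "ADDITIONAL" and rtype in ("A", "AAAA"):
            glue.setdefault(owner, set()).add(rdata)
    return ns, glue

def check_glue(zone, referral, zone_a):
    """Compare parent glue with the zone's own records; return (name, problem) pairs."""
    ns, glue = parse_referral(referral)
    findings = []
    for name in sorted(ns):
        in_zone = name == zone or name.endswith("." + zone)
        if name not in glue and in_zone:       # name server inside the zone, no glue: endless loop
            findings.append((name, "missing-glue"))
        elif name in glue and glue[name] != zone_a.get(name, set()):
            findings.append((name, "stale-glue"))   # parent and zone disagree, as in the CDN incident
    return findings
```

With the constructed data, check_glue("yourdomain.com.", REFERRAL, ZONE_A) reports ns2 as stale glue and ns3 as missing glue; in practice the two inputs would come from querying a parent-zone server and the zone's own name servers.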

Source: https://habr.com/ru/post/328188/

