1

I've read this article and I'm a little confused. They say:

it IS possible for a DNS server that is NOT an authoritative server for a domain to give an 'authoritative response' to a DNS query for a domain it does not serve

How can we know if the server is indeed authoritative or not? Am I right that we can compare the server IP with the SOA record returned and if the IP is on the NS servers list for the domain in question the server is indeed authoritative?

Mark Riddell
  • 1,173
Mulligan
  • 111
  • Whether a server considers itself authoritative or is receiving a delegation (to make that authority useful) is another story entirely. dig +trace +additional example.com will show you how the referral chain is followed. – Andrew B Aug 20 '16 at 21:13

1 Answers1

3

it IS possible for a DNS server that is NOT an authoritative server for a domain to give an 'authoritative response' to a DNS query for a domain it does not serve

The operators of a DNS server can indeed configure it to give any response they want.

How can we get to know if the server is indeed authoritative or not?

DNSsec is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data ...

Alternatively you can follow the DNS delegation path and run a trace query to check and see which name servers are indeed supposed to be authoritative.

Community
  • 1
HBruijn
  • 80,330
  • 24
  • 138
  • 209
  • Thx for reply. BTW - Is the idea i suggested right? If no why won't it work? – Mulligan Aug 20 '16 at 10:38
  • All those records can be set by the operator of the DNS server you're querying. – HBruijn Aug 20 '16 at 11:00
  • So any DNS operator i'm queering can edit cached SOA record and change NS values to fake it's authority? – Mulligan Aug 20 '16 at 11:06
  • Editing cached records is probably not the easiest method, but yes the responses can be manipulated. Fairly typical and benign is to cache records longer (modify the TTL) to reduce load on DNS servers and there is for instance the response policy zone feature in Bind, intended as a DNS firewall – HBruijn Aug 20 '16 at 11:18
  • Regarding to my newly posted question ("DNS servers propagation data") - the data exchanged during domain propagation is SOA records? – Mulligan Aug 20 '16 at 11:25
  • Did you read the linked duplicate? Because I think that what you're asking comes from an incorrect understanding of the working of DNS and that linked Q&A explains a fair bit. – HBruijn Aug 20 '16 at 11:32