DNS Zone resolution order

  • Question

  • Hi,

    Trying to get some clarity on how DNS resolves overlapping zones.

    Say we have

    • Two zones function.api.example.com and api.example.com
    • function.api.example.com has a single A record of 192.168.1.1 that uses the parent domain
    • api.example.com has an A record of 192.168.1.2 for "function"

    Would nslookup of function.api.example.com return .1 or .2?

    I've done some testing and it's returning .1, i.e. from the more explicit zone, but I'd read elsewhere that Windows DNS started from the least specific and if there was no record it wouldn't return anything, i.e. an nslookup on function.api.example.com would fail.

    So my testing proves this works, but something explicitly saying that this is how it should work would put my mind at ease a bit more. I'm trying to consolidate numerous zones that don't need to be individual ones and don't want to end up breaking them all as soon as I create the higher level api.example.com zone and it ends up overriding the existing function.api.example.com records.

    Thanks!



    Wednesday, June 13, 2018 12:07 PM

Answers

  • Hi,

    Thanks for your question.

    Please try the following suggestions to see if it could be of help.

    • “function” in function.api.example.com is a namespace, and in api.example.com it is a hostname. If you resolve a namespace it will fail, but if you resolve a hostname it will return the address.

    However, if you create an A record with "same as parent folder" (meaning the same name as the parent name), then you can resolve the namespace “function”.

    • When overlapping zones are defined on an authoritative nameserver, the most specific zone is used to provide the answer. In your specific example, the returned value for the query function.api.example.com should be 192.168.1.1 because the function.api.example.com zone provides an A record definition for itself.

    • To use DNS terminology, there is effectively a zone cut at the boundary between the parent zone and the more specific zone. RFC2181 §6.1 describes the proper behavior for your scenario:

    Such a server is authoritative for all resource records in a zone that are not in another zone. The NS records that indicate a zone cut are the property of the child zone created, as are any other records for the origin of that child zone, or any sub-domains of it. A server for a zone should not return authoritative answers for queries related to names in another zone, which includes the NS, and perhaps A, records at a zone cut, unless it also happens to be a server for the other zone.

    Other than the DNSSEC cases mentioned immediately below, servers should ignore data other than NS records, and necessary A records to locate the servers listed in the NS records, that may happen to be configured in a zone at a zone cut.

    Refer to the following link:

    DNS Processes and Interactions

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552(v=ws.10)

    Hope you have a nice day!

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by OffColour1972 Thursday, June 14, 2018 12:34 PM
    Thursday, June 14, 2018 10:56 AM
    Moderator
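The zone-selection rule described in the answer above, as an added model (not Windows DNS code and not part of the original thread): the server picks the closest enclosing zone for the query name, answers only from that zone, and therefore never serves the parent zone's "function" record once the child zone exists. The zone data is constructed to mirror the question; the apex address 192.168.1.10 and the extra "www" record are assumptions added to show the non-overlapping cases, and the `shadowed_records` audit is a suggested pre-consolidation check rather than anything the thread or Microsoft provides.

```python
"""Model of how an authoritative server chooses between overlapping zones.

Added illustration, not Windows DNS code: the server picks the zone whose
origin is the longest suffix of the query name (the closest enclosing zone)
and answers only from that zone. Records for the child's names that sit in
the parent zone are shadowed and never returned (RFC 2181 section 6.1).
"""
from typing import Dict, List, Optional, Tuple

# Constructed zone data mirroring the question: {origin: {owner_name: [A addresses]}}.
# "@" is the zone apex ("same as parent folder" in the Windows DNS console).
# 192.168.1.10 and the "www" record are assumed extras, not from the thread.
ZONES: Dict[str, Dict[str, List[str]]] = {
    "api.example.com": {
        "@": ["192.168.1.10"],
        "function": ["192.168.1.2"],   # shadowed by the child zone below
        "www": ["192.168.1.20"],
    },
    "function.api.example.com": {
        "@": ["192.168.1.1"],
    },
}


def labels(name: str) -> List[str]:
    """Split a domain name into lower-case labels, ignoring a trailing dot."""
    return [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]


def closest_enclosing_zone(qname: str, zones: Dict[str, Dict[str, List[str]]]) -> Optional[str]:
    """Return the configured zone whose origin is the longest suffix of qname, or None."""
    q = labels(qname)
    best: Optional[str] = None
    for origin in zones:
        o = labels(origin)
        if len(o) <= len(q) and q[len(q) - len(o):] == o:
            if best is None or len(o) > len(labels(best)):
                best = origin
    return best


def resolve_a(qname: str, zones: Dict[str, Dict[str, List[str]]] = ZONES) -> Tuple[Optional[str], List[str]]:
    """Return (zone that answered, A addresses).

    (None, []) means the server is not authoritative for the name at all;
    (zone, []) means the authoritative zone has no such record (NXDOMAIN/NODATA).
    """
    zone = closest_enclosing_zone(qname, zones)
    if zone is None:
        return None, []
    q = labels(qname)
    rel = q[: len(q) - len(labels(zone))]        # labels below the zone origin
    owner = "@" if not rel else ".".join(rel)
    return zone, list(zones[zone].get(owner, []))


def shadowed_records(zones: Dict[str, Dict[str, List[str]]] = ZONES) -> List[Tuple[str, str, str]]:
    """Pre-consolidation audit: (zone, owner, child_zone) for records a zone holds
    for names that actually belong to a more specific zone. An authoritative
    server will never serve these, so they are stale or misleading data."""
    out: List[Tuple[str, str, str]] = []
    for origin, rrs in zones.items():
        for owner in rrs:
            if owner == "@":
                continue
            fqdn = f"{owner}.{origin}"
            z = closest_enclosing_zone(fqdn, zones)
            if z != origin:
                out.append((origin, owner, z or ""))
    return out


if __name__ == "__main__":
    for name in ("function.api.example.com", "www.api.example.com",
                 "api.example.com", "other.example.com"):
        print(name, "->", resolve_a(name))
    print("shadowed:", shadowed_records())
```

When validating a real server, point the query at the authoritative server itself (for example `nslookup function.api.example.com <dns-server>`) rather than at a recursive resolver, so a cached answer from before the zone change does not mask what the server is actually serving.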
  • Absolutely perfect answer! Thanks, Travis.
    • Marked as answer by OffColour1972 Friday, June 15, 2018 7:51 AM
    Thursday, June 14, 2018 12:34 PM
