Shammer's Philosophy

My private adversaria

DNS forward and delegate

Introduction

I have a question about the difference between DNS forwarding and DNS delegation, a point I touched on in this article. I then found an article about DNS sub-domains, http://www.atmarkit.co.jp/fwin2k/win2ktips/740dnsdelegate/dnsdelegate.html, which gave me a hint toward answering my question.

My question in detail

My question is based on my understanding of DNS behavior: when a DNS server receives a query for a name it does not manage, it sends the query on to the DNS servers that do manage the queried domain. My assumption is that this action is common to both forwarding and delegation.

DNS delegation

According to the article above, DNS delegation is used for sub-domains. For example, suppose a DNS server is authoritative for mydomain.com (it holds the zone's SOA record), and sub.mydomain.com also exists. It is possible to manage both names in the same zone; in that case one zone file holds the names ending in mydomain.com together with those ending in sub.mydomain.com, like this:

www IN A 1.1.1.1
smtp IN A 1.1.1.2
...
www.sub IN A 2.2.2.2
smtp.sub IN A 2.2.2.3
...

If only a few names end in sub, this is easy. But if, say, more than 1000 names end in sub and more than 1000 do not, managing all the records in one file becomes unclear. In this case it is better to make sub.mydomain.com a zone of its own, with its own SOA record. The new zone can be managed by the same organization or a related one, and the organization managing mydomain.com knows the IP address of the new zone's name server. So the mydomain.com zone file can point at the server for sub.mydomain.com with an NS record and a glue A record. Here is a sample:

sub IN NS dns.sub.mydomain.com.
dns.sub.mydomain.com. IN A X.X.X.X   ; glue record; the trailing dot keeps the name absolute, otherwise the zone origin is appended to it

So delegation is used for the separated domains: the parent zone holds only the NS record at the cut (plus glue for name servers that live inside the child zone), and a resolver asking the parent is referred to the child's servers for everything below sub.mydomain.com.

DNS forwarding

DNS forwarding is generally configured on caching DNS servers that are not authoritative for any zone. Of course a DNS server can act as both cache and authority at the same time, but I feel that is worse for performance and security (an authoritative server that also answers recursive queries for anyone is an open resolver, exposed to cache poisoning and usable for amplification).
A forwarder is not a full resolver itself: it hands every query it cannot answer from its cache to a configured upstream recursive resolver and relays the answer. The upstream full resolver then does the following work.

  1. The full resolver receives a query for www.google.com.
  2. It asks a root DNS server for the IP address of www.google.com.
  3. The root server replies with a referral: ask the server that manages the com domain; its IP address is X.X.X.X.
  4. The resolver asks X.X.X.X for the IP address of www.google.com.
  5. X.X.X.X replies with a referral: ask the server that manages google.com; its IP address is Y.Y.Y.Y.
  6. The resolver asks Y.Y.Y.Y for the IP address of www.google.com.
  7. Y.Y.Y.Y returns the IP address of www.google.com.

A DNS forwarder is a server that does not perform these steps itself but has its upstream resolver perform them on its behalf: it holds no zone data and follows no referrals, it only relays the query and caches the answer.
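As an added example (not code from the original post or from the article it cites), the following Python script models both sides of the zone-file sample above and the seven steps just listed: authoritative servers that either answer or return a referral with glue, a full resolver that follows those referrals from a root hint, and a forwarder that merely relays the whole query to an upstream resolver. Every zone, host name and address in it is constructed (RFC 5737 documentation addresses); nothing is queried on the network. It also reproduces a common delegation mistake, writing the glue owner name without a trailing dot, and shows how a resolver experiences it.

```python
"""Toy DNS model: delegation (NS referral plus glue) versus forwarding. Added example,
not from the original post; all zones, names and addresses are constructed (RFC 5737 ranges)."""
from __future__ import annotations

def fqdn(name: str, origin: str) -> str:
    """Complete a relative zone-file name against the origin; a trailing dot means absolute."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(origin: str, text: str) -> dict[tuple[str, str], list[str]]:
    """Parse 'owner IN TYPE rdata' lines into {(absolute name, type): [rdata, ...]}."""
    records: dict[tuple[str, str], list[str]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, _cls, rtype, rdata = line.split(None, 3)
        if rtype == "NS":  # NS rdata is a name that may be relative; A rdata is an address
            rdata = fqdn(rdata, origin)
        records.setdefault((fqdn(owner, origin), rtype), []).append(rdata)
    return records

class AuthServer:
    """Authoritative server: answers from its own zones or hands out a referral."""
    def __init__(self, zones: dict[str, dict]):
        self.zones = zones  # origin -> parsed records; only queried for names it serves

    def query(self, qname: str, qtype: str) -> tuple[str, list[str], dict[str, list[str]]]:
        origin = max((z for z in self.zones if z == "." or qname == z or qname.endswith("." + z)), key=len)
        recs, suffix = self.zones[origin], ("" if origin == "." else origin)
        labels = qname[: -len(origin)].rstrip(".").split(".") if qname != origin else []
        # An NS set below the apex is a zone cut: refer, with glue A records for in-child NS names.
        for i in range(len(labels)):
            cut = ".".join(labels[i:]) + "." + suffix
            if (cut, "NS") in recs:
                ns_names = recs[(cut, "NS")]
                return "REFERRAL", ns_names, {ns: recs.get((ns, "A"), []) for ns in ns_names}
        return ("ANSWER", recs[(qname, qtype)], {}) if (qname, qtype) in recs else ("NODATA", [], {})

class LameDelegation(Exception):
    """A referral that cannot be followed, e.g. an in-zone NS name without glue."""

class Resolver:
    """Full resolver: starts at the root hints and follows every referral itself."""
    def __init__(self, network: dict[str, AuthServer], root_hints: list[str]):
        self.network, self.root_hints = network, root_hints

    def resolve(self, qname: str, qtype: str = "A", depth: int = 0) -> tuple[list[str], list[str]]:
        """Return (rdata, addresses of the servers asked, in order)."""
        if depth > 8:
            raise LameDelegation(f"referral loop while resolving {qname}")
        servers, trail = list(self.root_hints), []
        while servers:
            ip = servers.pop(0)
            trail.append(ip)
            kind, data, glue = self.network[ip].query(qname, qtype)
            if kind == "ANSWER":
                return data, trail
            if kind != "REFERRAL":
                raise LookupError(f"{kind} for {qname} from {ip}")
            # No glue for an NS name: look it up first. An in-zone NS name without glue is
            # referred straight back to this same cut, so the recursion never ends.
            servers = [a for ns in data for a in (glue[ns] or self.resolve(ns, "A", depth + 1)[0])]
        raise LameDelegation(f"no reachable name servers for {qname}")

def forward(qname: str, upstream: Resolver, upstream_ip: str) -> tuple[list[str], list[str]]:
    """Forwarding server: no iteration of its own; it relays the whole query to one configured
    upstream resolver, so from its own point of view the lookup took a single hop."""
    return upstream.resolve(qname)[0], [upstream_ip]

# Constructed zones; the mydomain.com fragment mirrors the post's sample.
ROOT_ZONE = "com.  IN NS ns1.com.\nns1.com.  IN A 192.0.2.2\n"
COM_ZONE = "mydomain.com.  IN NS ns1.mydomain.com.\nns1.mydomain.com.  IN A 192.0.2.3\n"
MYDOMAIN_ZONE = """www   IN A  192.0.2.10
smtp  IN A  192.0.2.11
sub   IN NS dns.sub.mydomain.com.      ; zone cut: sub.mydomain.com is delegated
dns.sub.mydomain.com.  IN A 192.0.2.4  ; glue: the NS name lives inside the child zone
"""
SUB_ZONE = "www  IN A 198.51.100.2\ndns  IN A 192.0.2.4\n"
# Common mistake: no trailing dot on the glue owner, so the origin is appended
# (dns.sub.mydomain.com.mydomain.com.) and the glue is silently lost.
BROKEN_MYDOMAIN_ZONE = MYDOMAIN_ZONE.replace("dns.sub.mydomain.com.  IN A", "dns.sub.mydomain.com  IN A")

def build_resolver(mydomain_zone: str = MYDOMAIN_ZONE) -> Resolver:
    """Four authoritative servers plus a full resolver seeded with the root hint."""
    network = {
        "192.0.2.1": AuthServer({".": parse_zone(".", ROOT_ZONE)}),
        "192.0.2.2": AuthServer({"com.": parse_zone("com.", COM_ZONE)}),
        "192.0.2.3": AuthServer({"mydomain.com.": parse_zone("mydomain.com.", mydomain_zone)}),
        "192.0.2.4": AuthServer({"sub.mydomain.com.": parse_zone("sub.mydomain.com.", SUB_ZONE)}),
    }
    return Resolver(network, root_hints=["192.0.2.1"])

def delegation_works(resolver: Resolver, qname: str) -> bool:
    """True if qname resolves, False if the delegation chain cannot be followed."""
    try:
        return bool(resolver.resolve(qname)[0])
    except LameDelegation:
        return False
```

build_resolver().resolve("www.sub.mydomain.com.") returns the answer together with the trail root, com, mydomain.com, sub.mydomain.com, which is the delegation chain made visible; forward(...) on the same name reports a single hop, because the forwarder never sees a referral. With BROKEN_MYDOMAIN_ZONE the parent's referral still names dns.sub.mydomain.com., a host inside the delegated zone, but its address ended up under dns.sub.mydomain.com.mydomain.com., so a resolver trying to look that name server up is referred back to the same cut and gives up with LameDelegation. That is what a lame delegation caused by missing glue looks like from the outside, and why the trailing dot in the sample matters.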

Conclusion

DNS forwarding is resolver-side behaviour: a forwarding server passes the queries it cannot answer to another recursive resolver, and that full resolver walks the tree from the root. DNS delegation is authoritative-side behaviour: it is the answer (a referral) that tells a full resolver which server to ask next. I think I can say that, in the example above, the root DNS servers delegate management of com to X.X.X.X, and X.X.X.X delegates the google.com records to Y.Y.Y.Y.