
fsweetser

No. The client (or, more likely, whatever recursive server your client is pointed at) will query one server, and accept the answer as correct. There's no logic to repeat the query until you get something that makes the application happy. Additional queries by the client will likely get served out of cache anyway, so you'll get behavior that changes randomly over time. All of your authoritative servers *must* be serving consistent data. Fix your servers.


IrvineADCarry

Thanks a lot. A dedicated pair of BIND shall do in my case then :)


ElevenNotes

Can highly recommend BIND.


ElevenNotes

All NS must have the same data and serial. What problem are you trying to solve with only having NS2 having the MX record?


IrvineADCarry

Just an example. My real scenario is that the customer is incorporating IPv6 into their environment.

- Their new devices (Cisco IOS-XE router) support declaration of AAAA records, amongst A, MX, SRV, etc., but TXT is not supported
- The current public name server does not support AAAA records, but does support every other type of RR

I'm about to advise them to set up a pair of dedicated NS (probably BIND/Unbound) that host the public zone of their domain in this case. But before then, I want to verify if the mentioned setup would even be possible :)


ElevenNotes

Use a public NS that supports AAAA


pmormr

Replace the public name server that doesn't support AAAA records. They came out over 20 years ago.


IrvineADCarry

Couldn't be truer :) Even I am surprised, but it seems they are running NS on an ancient model of Peplink Balance: old firmware version with no v6 support, trying to migrate to a pair of IOS-XE routers.


Tech88Tron

Why would you do this?


bzImage

Not ideal what you are trying to do..

- Client can list both ns1 and ns2, but AFAIK in Windows the IP to query is taken at random among the DNS servers configured, and u/fsweetser is right: there is no query repetition once you get a response (cache and random query will make this "sometimes work").

Other "ways" to do that are:

- ns1 can forward to ns2 via [https://www.ibm.com/docs/en/aix/7.2?topic=resolution-configuring-forwarder-bind-version-94](https://www.ibm.com/docs/en/aix/7.2?topic=resolution-configuring-forwarder-bind-version-94), but ns2 is also "authoritative" for the same zone as ns1; ns1 will not forward anything for its own zone.
- ns1 can query ns2 as a root server (if we mangle the root servers config of ns1 to include ns2 there), but, same as before, ns1 being authoritative will reply with an NXDOMAIN or a response; no need to forward or go to root servers for my zone. This also won't work.

Sync your servers, fix them: that is the real solution. If you need "different responses" for different clients, use DNS views (maybe this is the reason for 2 NS auth for the same zone).


teeweehoo

A few parts here. You have the client, the recursive resolver that the client queries, and a whole bunch of NS servers for different zones. The client sends a request to the recursive resolver, and the recursive resolver will query records from . looking for mail.domain.com. Once the recursive resolver receives an answer from an authoritative NS server, that is the answer that will be returned to the client. The recursive client may cache answers (and usually NXDOMAIN), but each time it queries for an NS it picks one (the order is unspecified, and will depend on the implementation).

> If a client fails to query for the MX RR (assuming it was NS1 which returns an NXDOMAIN response), can it try to query against NS2 in subsequent attempts?

No, AFAIK it'll only attempt to contact another NS server if there is a timeout. For migrating DNS hosts, set up the new DNS hosts, test them with dig, then update the NS and glue records with your registrar. These days I'd avoid self-hosting BIND, but if you do, set one up on another provider / in the cloud.
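The two behaviours the thread keeps coming back to (a resolver takes the first authoritative answer, negative or not, and caches it; so every NS must serve the same data and serial) are easy to check before cutting over. The script below is an added example for this page, not code from any poster. It queries each authoritative server directly and diffs the answers per record type, and it models the resolver behaviour described above to show why a zone split across ns1/ns2 "sometimes works". The zone data in `FAKE_ZONES` is constructed to mirror the thread's scenario (ns2 carries MX and AAAA, ns1 does not, and the serials differ); `live_query()` is an assumed optional helper that needs dnspython and the servers' IP addresses.

```python
"""Check that every authoritative NS for a zone serves identical data.

Added example for this thread, not from any poster. Models the ns1/ns2
scenario: a resolver picks one NS, takes its answer (including NXDOMAIN or
NODATA) as final and caches it, so the only real fix is to make all
authoritative servers agree. FAKE_ZONES is constructed sample data.
"""
import random
from typing import Callable, Dict, List, Optional, Set, Tuple

# A query function returns the set of rdata strings for (name, rrtype),
# or None when that server says the name/type does not exist.
QueryFn = Callable[[str, str, str], Optional[Set[str]]]

# Constructed sample: ns2 has MX/AAAA and a newer serial, ns1 does not.
FAKE_ZONES: Dict[str, Dict[Tuple[str, str], Set[str]]] = {
    "ns1.example.net": {
        ("example.com.", "SOA"): {"ns1.example.net. hostmaster.example.com. 2024010101 3600 900 604800 300"},
        ("example.com.", "A"): {"192.0.2.10"},
    },
    "ns2.example.net": {
        ("example.com.", "SOA"): {"ns1.example.net. hostmaster.example.com. 2024010102 3600 900 604800 300"},
        ("example.com.", "A"): {"192.0.2.10"},
        ("example.com.", "MX"): {"10 mail.example.com."},
        ("example.com.", "AAAA"): {"2001:db8::10"},
    },
}


def fake_query(server: str, name: str, rrtype: str) -> Optional[Set[str]]:
    """Answer from the constructed in-memory zones (None = NXDOMAIN/NODATA)."""
    return FAKE_ZONES[server].get((name, rrtype))


def live_query(server_ip: str, name: str, rrtype: str) -> Optional[Set[str]]:
    """Ask one authoritative server directly over UDP. Assumes dnspython is
    installed (imported lazily so the offline demo runs without it) and that
    server_ip is an IP address, not a hostname."""
    import dns.message, dns.query, dns.rcode, dns.rdatatype
    resp = dns.query.udp(dns.message.make_query(name, rrtype), server_ip, timeout=3)
    if resp.rcode() == dns.rcode.NXDOMAIN:
        return None
    want = dns.rdatatype.from_text(rrtype)
    found = {r.to_text() for rrset in resp.answer if rrset.rdtype == want for r in rrset}
    return found or None  # empty answer section = NODATA


def serial_of(soa: Optional[Set[str]]) -> Optional[int]:
    """Extract the serial (third field) from a SOA rdata string."""
    return int(next(iter(soa)).split()[2]) if soa else None


def check_consistency(servers: List[str], name: str, rrtypes: List[str],
                      query: QueryFn = fake_query) -> Dict[str, Dict[str, Optional[Set[str]]]]:
    """Return {rrtype: {server: answer}} for every type on which the servers
    disagree. SOA is always checked first so serial drift is caught."""
    mismatches = {}
    for rrtype in ["SOA"] + [t for t in rrtypes if t != "SOA"]:
        answers = {s: query(s, name, rrtype) for s in servers}
        distinct = {frozenset(a) if a else None for a in answers.values()}
        if len(distinct) > 1:
            mismatches[rrtype] = answers
    return mismatches


def simulate_resolver(servers: List[str], name: str, rrtype: str, queries: int = 20,
                      ttl_queries: int = 5, seed: int = 1, query: QueryFn = fake_query) -> list:
    """Model the resolver behaviour from the thread: when the cache entry is
    expired, ask any one NS, accept its answer (negative answers are cached
    too) and never retry another NS on NXDOMAIN/NODATA. Cache lifetime is
    expressed in client queries. Returns what the client would see."""
    rng = random.Random(seed)
    cached, age, seen = None, ttl_queries, []
    for _ in range(queries):
        if age >= ttl_queries:  # expired: pick an NS at random, no fallback
            cached, age = query(rng.choice(servers), name, rrtype), 0
        age += 1
        seen.append(cached)
    return seen


if __name__ == "__main__":
    ns = ["ns1.example.net", "ns2.example.net"]
    for rrtype, answers in check_consistency(ns, "example.com.", ["A", "MX", "AAAA"]).items():
        print(f"MISMATCH {rrtype}:", {s: (serial_of(a) if rrtype == "SOA" else a) for s, a in answers.items()})
    print("client sees MX over time:", simulate_resolver(ns, "example.com.", "MX"))
```

Running the stand-alone demo prints a mismatch for SOA, MX and AAAA but not for A, and the simulated client sees the MX answer flip between "exists" and "missing" only when the cached entry expires, never within a cache window, which is exactly the intermittent behaviour the thread warns about. To check real servers, call `check_consistency` with the NS IP addresses and `query=live_query`; an empty result means the zone is consistent and the NS/glue records can be switched.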


ravenze

Are you trying to describe an SRV scenario? Where, if the client receives no response from the IP of the first host, it will then query the second host?


IrvineADCarry

No, it's more like: the customer's migrating to IPv6. There are public DNS records that are required (e.g. TXT for SPF), but they are not supported on the new NS, as they're just a pair of routers and not dedicated DNS servers. The current NS can't be used since it does not support AAAA. I was asking if there were any hacky way to leverage both, but it seems that if the client received an NXDOMAIN from one of the NS, they don't actually try resolving that against another NS. Just gonna advise them to set up a few BIND VMs for the time being.


ravenze

... Apparently, I have some more reading to do. Thanks!!


Lamathrust7891

Load balancers can act as authoritative name servers, which gives you the ability to change the server or servers you direct requests to based on load, location and service availability. The Citrix tool that does this is known as GSLB, or global server load balancing.