Does every device check other nameservers if one is down?
I couldn't find any documentation for this question. I guess I might be searching for the wrong thing. Maybe someone here knows the answer....
Obviously, the point of pointing a domain to more than one nameserver is to provide some redundancy (in addition to any redundancy in place on that nameserver entry - anycast etc.). However, do all devices necessarily check the additional nameservers if they can't get a response from one (if the query is refused or if it times out)? Are there some situations where they don't?
I am not concerned about inconsistencies - just timeouts/zone doesn't exist.
Comments
Most devices ask a public nameserver like Google or Cloudflare, and yeah, they do.
Maybe it's hardcoded or something.
... No. Just no.
Yeah, I missed the magical pony in between.
Obviously, I am not going to write down the whole path from your computer's cache, to the router, to your ISP, to the domain registration, to the actual nameservers.
If one nameserver is offline at your side, the public nameserver that gets your requests asks the other one.
I am guessing that you are asking this - what will a recursive DNS server do if there are multiple authoritative DNS servers for a zone and one of the authoritative DNS servers is non-responsive.
You may have to check the relevant RFCs for what the official behavior is for recursive and iterative DNS queries but as I recall - if there is a timeout condition, the querying DNS server will make a request to another authoritative server. But if an NXDOMAIN response (domain doesn't exist) is returned, I think that that response will be returned to the downstream DNS servers.
This is maintained and configured from the registrar or a service, like Cloudflare.
Yes. In addition to 'nxdomain' an authoritative nameserver might return 'refused' for a zone it is not authoritative for. 'nxdomain' and 'refused' are valid replies, so an alternate nameserver won't be queried.
Make sure your nameservers are in sync
I had an issue that people resolving through 8.8.8.8 couldn't get my domain when my primary NS was down. Apparently Google's backend resolvers did NOT check other NSes. So the OP's concern is a valid one. Still not much you can do, it's not an excuse to not have backup NSes, and in any case just try ensuring everything is up at all times.
And in fact that's easy to recheck, when I'm stopping my primary NS, indeed my domain stops resolving via 8.8.8.8 most of the time (seems to depend on their caching) with a SERVFAIL error. Tried 1.1.1.1, and it is also affected in the same way. Seems like these services have sacrificed reliability in favor of speed.
Interesting - what happens if you reduce the TTL on the NS record?
Could it be something like DNSSEC misconfigurations, lame delegation, or an incorrect SOA? I don't know enough about DNS to know how those issues could result in a SERVFAIL. I'm just surprised to hear that Google DNS recursive servers would behave that way.
That sounds terrible. This defeats the whole requirement of requiring multiple hosts for authoritative DNS. (AFAIK)
Have you checked what happens when you query 8.8.8.8 from another geography VPS to see if Google fetches from the secondary authoritative DNS? Maybe it's a Google regional-dnscache that's configured to be lazy.
Interesting, I could not reproduce this with 1.1.1.1 or 8.8.8.8. And I have only a TTL of 600, so they must have asked the secondary.
Yeah - same here. I couldn't repro the issue either, which is why I was curious how other people experience the issue.
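Added example, not part of the thread: since public resolvers may differ in how they fall back, one way to take the guesswork out is to query each authoritative nameserver directly and flag any that time out, answer REFUSED/NXDOMAIN/SERVFAIL, answer without the AA bit, or serve a different SOA serial. The function names (`ask`, `classify`, `audit`) are hypothetical, and the sketch assumes IPv4 over UDP with the Python standard library only.

```python
import secrets, socket, struct

def skip_name(msg, pos):                             # offset just past a DNS name
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:      # walk plain labels
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)              # 2-byte pointer or root label

def classify(reply):
    """Return (status, SOA serial or None) for one raw reply; None = no reply."""
    if reply is None:
        return "timeout", None
    try:
        _, flags, qd, an, _, _ = struct.unpack("!6H", reply[:12])
        if flags & 0xF:                              # non-zero RCODE
            return {2: "servfail", 3: "nxdomain", 5: "refused"}.get(flags & 0xF, "error"), None
        if not flags & 0x0400 or an == 0:            # AA bit clear: lame for this zone
            return "lame", None
        pos = 12
        for _ in range(qd):                          # skip the echoed question
            pos = skip_name(reply, pos) + 4
        pos = skip_name(reply, pos)                  # owner name of first answer
        rtype, _, _, rdlen = struct.unpack("!HHIH", reply[pos:pos + 10])
        rdata = reply[pos + 10:pos + 10 + rdlen]
        if rtype != 6 or len(rdata) < 22:            # first answer is not an SOA record
            return "lame", None
        return "ok", struct.unpack("!I", rdata[-20:-16])[0]   # serial, then 4 timers
    except (IndexError, struct.error):
        return "malformed", None

def ask(server_ip, zone, timeout=3.0):
    """Send a non-recursive SOA query straight to one nameserver (IPv4, UDP)."""
    qname = b"".join(bytes([len(l)]) + l for l in zone.rstrip(".").encode().split(b".")) + b"\0"
    query = struct.pack("!6H", secrets.randbelow(1 << 16), 0, 1, 0, 0, 0) + qname + struct.pack("!2H", 6, 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server_ip, 53))
            reply = s.recv(4096)
            return reply if reply[:2] == query[:2] else None   # drop mismatched IDs
        except OSError:                              # timeout or ICMP unreachable
            return None

def audit(replies):
    """replies: {nameserver: raw reply or None} -> {nameserver: problem found}."""
    seen = {ns: classify(r) for ns, r in replies.items()}
    bad = {ns: st for ns, (st, _) in seen.items() if st != "ok"}
    if len({ser for st, ser in seen.values() if st == "ok"}) > 1:
        bad.update({ns: "serial %d differs" % ser for ns, (st, ser) in seen.items() if st == "ok"})
    return bad
```

Against real servers, `audit({ip: ask(ip, "example.com") for ip in ns_ips})` returns an empty dict when every nameserver answers authoritatively with the same serial; `ns_ips` and `example.com` are placeholders for your own nameserver addresses and zone.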