domain-name-system interview questions

Top 15 domain-name-system interview questions


Are IP addresses "trivial to forge"?

I was reading through some of the notes on Google's new public DNS service:

I noticed under the security section this paragraph:

Until a standard system-wide solution to DNS vulnerabilities is universally implemented, such as the DNSSEC protocol, open DNS resolvers need to independently take some measures to mitigate against known threats. Many techniques have been proposed; see IETF RFC 4542: Measures for making DNS more resilient against forged answers for an overview of most of them. In Google Public DNS, we have implemented, and we recommend, the following approaches:

  • Overprovisioning machine resources to protect against direct DoS attacks on the resolvers themselves. Since IP addresses are trivial for attackers to forge, it's impossible to block queries based on IP address or subnet; the only effective way to handle such attacks is to simply absorb the load.

That is a depressing realization; even on Stack Overflow / Server Fault / Super User, we frequently use IP addresses as the basis for bans and blocks of all kinds.

To think that a "talented" attacker could trivially use whatever IP address they want, and synthesize as many unique fake IP addresses as they want, is really scary!

So my question(s):

  • Is it really that easy for an attacker to forge an IP address in the wild?
  • If so, what mitigations are possible?

Source: (StackOverflow)
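The quoted paragraph turns on one fact: the source address in an IPv4 header is four bytes the sender writes, with nothing in the packet that authenticates them. The following is an added example (not from the question or from Google's documentation) that builds such a packet in memory and parses it back, and then sketches the kind of mitigation that does work: instead of trusting or blocking by source address, the server withholds large answers until the client proves it receives traffic sent to the address it claims, in the spirit of DNS Cookies (RFC 7873). Addresses, ports and the payload are constructed; nothing is sent on the wire (that would need a raw socket and an upstream that does not do BCP 38 ingress filtering).

```python
import hmac
import hashlib
import os
import socket
import struct
from typing import Optional


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words,
    computed with the checksum field itself set to zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build an IPv4 packet carrying a UDP datagram. Nothing in the header
    authenticates `src`; it is simply four bytes the sender fills in."""
    udp_len = 8 + len(payload)
    # UDP checksum 0 means "not computed", which IPv4 permits.
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ver_ihl = (4 << 4) | 5           # IPv4, 5 x 32-bit words = 20-byte header
    hdr = struct.pack("!BBHHHBBH4s4s",
                      ver_ihl, 0, 20 + udp_len, 0x1234, 0,
                      64, socket.IPPROTO_UDP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed 20-byte header and verify its checksum. A valid
    checksum only shows the header was not corrupted; it says nothing
    about whether `src` is genuine."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    zeroed = pkt[:10] + b"\x00\x00" + pkt[12:20]
    return {
        "version": ver_ihl >> 4,
        "total_len": total_len,
        "ttl": ttl,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "checksum_ok": ipv4_checksum(zeroed) == csum,
    }


# --- mitigation sketch: tie the full answer to proof of a return path -------
SERVER_SECRET = os.urandom(16)   # per-server secret; rotated periodically in practice


def server_cookie(client_ip: str) -> bytes:
    """Stateless 8-byte cookie bound to the claimed source address (assumed
    construction modelled on RFC 7873 server cookies). Only a host that really
    receives traffic addressed to `client_ip` ever learns its cookie."""
    mac = hmac.new(SERVER_SECRET, socket.inet_aton(client_ip), hashlib.sha256)
    return mac.digest()[:8]


def handle_query(claimed_src: str, cookie: Optional[bytes]) -> str:
    """Blocking by source address is pointless against spoofing, but the server
    can refuse to *amplify* for sources that have not proven they receive its
    replies: no valid cookie -> short reply carrying a fresh cookie."""
    if cookie is not None and hmac.compare_digest(cookie, server_cookie(claimed_src)):
        return "full answer"
    return "small reply with fresh cookie"


if __name__ == "__main__":
    pkt = build_ipv4_udp("203.0.113.7", "192.0.2.53", 40000, 53, b"constructed DNS query")
    print(parse_ipv4(pkt))       # src is 203.0.113.7 because we said so
    print(handle_query("203.0.113.7", None))
    print(handle_query("203.0.113.7", server_cookie("203.0.113.7")))
```

The same asymmetry is why IP bans still work for ordinary web traffic: a TCP session cannot be completed from a forged address, because the SYN-ACK goes to the real owner of that address, so anyone you see posting or logging in over HTTP really does control the address you ban. The resolver problem is specific to single-packet UDP.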

List all DNS records in a domain using dig?

My company runs an internal DNS for mycompany.com

There is a machine on the network that I need to find, but I’ve forgotten its name. If I could see a list, it would probably jog my memory.

How can I list all of the domain records for mycompany.com?

Source: (StackOverflow)

Why is DNS failover not recommended?

From reading, it seems like DNS failover is not recommended just because DNS wasn't designed for it. But if you have two webservers on different subnets hosting redundant content, what other methods are there to ensure that all traffic gets routed to the live server if one server goes down?

To me it seems like DNS failover is the only failover option here, but the consensus is it's not a good option. Yet services like DNSmadeeasy.com provide it, so there must be merit to it. Any comments?

Source: (StackOverflow)

Is a CNAME to CNAME chain allowed?

Is it allowed in DNS to have a CNAME record that points to another CNAME record?

The reason we need this is that we have a hostname that we want to be looked up to the IP address of our web server computer. We also have another standby web server computer that could be activated in case the first one dies. In such a case we would quickly need to point the hostname to the IP address of the standby web server computer.

Unfortunately the hostname resides in a DNS domain where any change would take a long time due to manual operation dependent on other sysadmins. But we have another DNS domain where we can perform the changes ourselves quickly. Having a CNAME-to-CNAME chain seems like a possible solution. But is it allowed? Will web browsers understand it?

Source: (StackOverflow)
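Browsers never see the chain; the recursive resolver follows it and hands the browser the final A record. What matters in practice is that resolvers cap the number of CNAME hops and abort on loops. The added example below (not part of the question) models that with constructed zone data: a hostname in the slow-moving domain points to an alias in the fast-moving domain, which points to whichever web server is live, so the failover the question describes is a single edit in the fast domain. All names and addresses are placeholders, and the hop limit of 8 is an assumption rather than any particular resolver's value.

```python
from typing import Dict, List, Tuple

# Constructed zone data across two domains: (owner, type) -> rdata list.
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("www.slow-domain.example.", "CNAME"): ["web.fast-domain.example."],   # the slow-to-change record
    ("web.fast-domain.example.", "CNAME"): ["web1.fast-domain.example."],  # the one we can edit quickly
    ("web1.fast-domain.example.", "A"): ["192.0.2.10"],                    # primary web server
    ("web2.fast-domain.example.", "A"): ["192.0.2.20"],                    # standby web server
    ("loop-a.example.", "CNAME"): ["loop-b.example."],                     # a misconfiguration
    ("loop-b.example.", "CNAME"): ["loop-a.example."],
}

MAX_CHAIN = 8   # assumed hop limit; real resolvers enforce their own


def resolve(zone, name: str, rtype: str, max_chain: int = MAX_CHAIN):
    """Follow CNAMEs the way a resolver does. Returns (chain_of_names, answers);
    an empty answer list stands for NXDOMAIN/NODATA. Raises ValueError on a
    loop or when the chain exceeds max_chain hops."""
    chain = [name]
    seen = {name}
    while True:
        if (name, rtype) in zone:
            return chain, list(zone[(name, rtype)])
        targets = zone.get((name, "CNAME"))
        if not targets:
            return chain, []
        name = targets[0]
        if name in seen:
            raise ValueError("CNAME loop: " + " -> ".join(chain + [name]))
        if len(chain) >= max_chain:
            raise ValueError("CNAME chain longer than %d hops" % max_chain)
        seen.add(name)
        chain.append(name)


def failover(zone, alias: str, new_target: str):
    """The switch-over from the question: repoint one alias in the fast domain.
    Returns a new zone so the original stays usable for comparison."""
    updated = dict(zone)
    updated[(alias, "CNAME")] = [new_target]
    return updated


if __name__ == "__main__":
    print(resolve(ZONE, "www.slow-domain.example.", "A"))
    moved = failover(ZONE, "web.fast-domain.example.", "web2.fast-domain.example.")
    print(resolve(moved, "www.slow-domain.example.", "A"))
    try:
        resolve(ZONE, "loop-a.example.", "A")
    except ValueError as err:
        print(err)
```

Two caveats the model makes visible: every extra hop is another lookup (and another TTL) before the client gets an address, and clients keep using the old target until the cached CNAME and A records expire, so the TTL on the alias you will be flipping should be short before you need it.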

Windows 7: "localhost name resolution is handled within DNS itself". Why?

After 18 years of hosts files on Windows, I was surprised to see this in Windows 7 build 7100:

# localhost name resolution is handled within DNS itself.
# localhost
#   ::1 localhost

Does anyone know why this change was introduced? I'm sure there has to be some kind of reasoning.

And, perhaps more relevantly, are there any other important DNS-related changes in Windows 7? It scares me a little bit to think that something as fundamental as localhost name resolution has changed... makes me think there are other subtle but important changes to the DNS stack in Win7.

Source: (StackOverflow)

Phishing site uses subdomain that I never registered

I recently received the following message from Google Webmaster Tools:

Dear site owner or webmaster of http://gotgenes.com/,

Below are one or more example URLs on your site which may be part of a phishing attack:

What I don't understand is that I never had a subdomain repair.gotgenes.com, but visiting it in the web browser gives an actual My DNS is FreeDNS, which does not list a repair subdomain. My domain name is registered with GoDaddy, and the nameservers are correctly set to NS1.AFRAID.ORG, NS2.AFRAID.ORG, NS3.AFRAID.ORG, and NS4.AFRAID.ORG.

I have the following questions:

  1. Where is repair.gotgenes.com actually registered?
  2. How was it registered?
  3. What action can I take to have it removed from DNSs?
  4. How can I prevent this from happening in the future?

This is pretty disconcerting; I feel like my domain has been hijacked. Any help would be much appreciated.

Source: (StackOverflow)

Why can't a CNAME record be used at the apex (aka root) of a domain?

This is a Canonical Question about CNAMEs at the apices (or roots) of zones

It's relatively common knowledge that CNAME records at the apex of a domain are a taboo practice.

Example: example.com. IN CNAME ithurts.example.net.

In a best case scenario nameserver software might refuse to load the configuration, and in the worst case it might accept this configuration and invalidate the configuration for example.com.

Recently I had a webhosting company pass instructions to a business unit that we needed to CNAME the apex of our domain to a new record. Knowing that this would be a suicide config when fed to BIND, I advised them that we would not be able to comply and that this was bunk advice in general. The webhosting company took the stance that it is not outright forbidden by standard defining RFCs and that their software supports it. If we could not CNAME the apex, their advice was to have no apex record at all and they would not provide a redirecting webserver. ...What?

Most of us know that RFC1912 insists that "A CNAME record is not allowed to coexist with any other data", but let's be honest with ourselves here, that RFC is only Informational. The closest I know to verbiage that forbids the practice is from RFC1034:

If a CNAME RR is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different.

Unfortunately I've been in the industry long enough to know that "should not" is not the same as "must not", and that's enough rope for most software designers to hang themselves with. Knowing that anything short of a concise link to a slam dunk would be a waste of my time, I ended up letting the company get away with a scolding for recommending configurations that could break commonly used software without proper disclosure.

This brings us to the Q&A. For once I'd like us to get really technical about the insanity of apex CNAMEs, and not skirt around the issue like we usually do when someone posts on the subject. RFC1912 is off limits, as are any other Informational RFC applicable here that I didn't think of. Let's shut this baby down.

Source: (StackOverflow)
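The technical core is the rule the question quotes from RFC 1034: an owner name that has a CNAME may have no other data. The apex of a zone always owns at least an SOA and NS RRset, so an apex CNAME violates that rule by construction; the same conflict is what makes nameserver software refuse to load the zone. RFC 2181 (Standards Track), section 10.1, restates the rule in stronger terms. The added example below (not from the question) is a minimal master-file parser plus the coexistence check a loader applies; the zone text is constructed, the `$`-directive handling is omitted, and the parser assumes one record per line.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed zone in master-file format: the apex CNAME from the question,
# sitting next to the SOA and NS the apex must have.
APEX_CNAME_ZONE = """
example.com.      3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
example.com.      3600 IN NS    ns1.example.com.
example.com.      3600 IN CNAME ithurts.example.net.   ; the taboo record
www.example.com.  3600 IN CNAME example.com.
ns1.example.com.  3600 IN A     192.0.2.1
"""

# The same zone with the apex pointing at an address instead.
FIXED_ZONE = """
example.com.      3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010102 7200 900 1209600 3600
example.com.      3600 IN NS    ns1.example.com.
example.com.      3600 IN A     192.0.2.80
www.example.com.  3600 IN CNAME example.com.
ns1.example.com.  3600 IN A     192.0.2.1
"""


def parse_zone(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse 'owner [ttl] [class] type rdata' lines into owner -> type -> rdata.
    Comments after ';' are dropped; $ directives and multi-line records are not handled."""
    records: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        owner, rest = parts[0], parts[1:]
        if rest and rest[0].isdigit():                  # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):  # optional class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        records[owner][rtype].append(rdata)
    return records


def cname_conflicts(records) -> List[Tuple[str, List[str]]]:
    """Owners that hold a CNAME together with any other RRset: the RFC 1034
    section 3.6.2 / RFC 2181 section 10.1 violation a strict loader rejects."""
    out = []
    for owner, rrsets in records.items():
        if "CNAME" in rrsets and len(rrsets) > 1:
            out.append((owner, sorted(t for t in rrsets if t != "CNAME")))
    return out


def zone_loads(text: str) -> bool:
    """What a strict nameserver decides: refuse the whole zone on any conflict."""
    return not cname_conflicts(parse_zone(text))


if __name__ == "__main__":
    print(cname_conflicts(parse_zone(APEX_CNAME_ZONE)))   # the apex, with NS and SOA beside the CNAME
    print(zone_loads(APEX_CNAME_ZONE), zone_loads(FIXED_ZONE))
```

The check also explains why `www.example.com. CNAME example.com.` is fine in both zones: `www` owns nothing but the CNAME, so the alias has exactly one meaning. The apex can never be in that position, which is why the only standards-conformant way to get CNAME-like behaviour there is an A/AAAA record that the hosting provider keeps current, or a provider-side "alias" feature that synthesises A records at query time.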

I changed my TTL from 24 hours to 5 minutes. Do I need to wait 24 hours before changing the records?

I am migrating our app from a cloud server at Rackspace to a dedicated server.

I want to bring the application down for ~5 minutes to copy the data from the cloud server to the dedicated server, so I don't want requests going to the old server after I have copied the data.

I want to point our DNS record at the new server, but the TTL was set to 24 hours. I have changed it to 300 seconds. Do I need to wait the 24 hours before updating the IP that the domain points to / copying the data?

Source: (StackOverflow)

Force dig to resolve without using cache

I'm wondering if there is a way to query a DNS server and bypass caching (with dig). Often I change a zone on the DNS server and I want to check if it resolves correctly from my workstation. But since the server caches resolved requests, I often get the old ones. Restarting or reloading the server is not really something nice.

Source: (StackOverflow)

Is Round-Robin DNS "good enough" for load balancing static content?

We have a set of shared, static content that we serve up between our websites at http://sstatic.net. Unfortunately, this content is not currently load balanced at all -- it's served from a single server. If that server has problems, all the sites that rely on it are effectively down because the shared resources are essential shared javascript libraries and images.

We are looking at ways to load balance the static content on this server, to avoid the single server dependency.

I realize that round-robin DNS is, at best, a low end (some might even say ghetto) solution, but I can't help wondering -- is round robin DNS a "good enough" solution for basic load balancing of static content?

There is some discussion of this in the [dns] [load-balancing] tags, and I've read through some great posts on the topic.

I am aware of the common downsides of DNS load balancing through multiple round-robin A records:

  • there are typically no heartbeats or failure detection with DNS records, so if a given server in the rotation goes down, its A record must manually be removed from the DNS entries
  • the time to live (TTL) must necessarily be set quite low for this to work at all, since DNS entries are cached aggressively throughout the internet
  • the client computers are responsible for seeing that there are multiple A records and picking the correct one

But, is round robin DNS good enough as a starter, better than nothing, "while we research and implement better alternatives" form of load balancing for our static content? Or is DNS round robin pretty much worthless under any circumstances?

Source: (StackOverflow)
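The TTL-change question, the DNS-failover question and this round-robin question all come down to the same mechanism: a cache that fetched a record keeps it for the TTL it was given at fetch time, and no later change on the authoritative server reaches it sooner. The added example below (not from any of the posts) models a caching resolver and uses it twice: first to show that lowering a 24-hour TTL and cutting over straight away still leaves some resolvers on the old address for up to 24 hours, and second to measure what round-robin A records do for you when one member is down. Names, addresses, TTLs and the trial count are constructed.

```python
import random
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class Authoritative:
    """Zone data as the operator edits it: name -> (ttl, addresses)."""
    records: Dict[str, Tuple[int, List[str]]]


@dataclass
class CachingResolver:
    """A recursive resolver that honours the TTL it was given when it fetched."""
    auth: Authoritative
    cache: Dict[str, Tuple[int, List[str]]] = field(default_factory=dict)  # name -> (expires_at, addrs)

    def lookup(self, name: str, now: int) -> List[str]:
        hit = self.cache.get(name)
        if hit is not None and now < hit[0]:
            return list(hit[1])                    # served from cache, no matter what changed upstream
        ttl, addrs = self.auth.records[name]
        self.cache[name] = (now + ttl, list(addrs))
        return list(addrs)


def migration_timeline(old_ttl: int = 86400, new_ttl: int = 300) -> Dict[int, str]:
    """A resolver caches the record at t=0 under the old TTL; the operator then
    lowers the TTL and immediately repoints the name. Report which address that
    resolver hands out at several later times (seconds)."""
    name = "app.example.com."
    auth = Authoritative({name: (old_ttl, ["192.0.2.1"])})
    resolver = CachingResolver(auth)
    resolver.lookup(name, now=0)                       # cached until t = old_ttl
    auth.records[name] = (new_ttl, ["192.0.2.1"])       # t=1: TTL lowered
    auth.records[name] = (new_ttl, ["198.51.100.9"])    # t=2: cut over without waiting
    return {t: resolver.lookup(name, now=t)[0]
            for t in (2, 600, old_ttl - 1, old_ttl, old_ttl + new_ttl)}


def failure_rate(addrs: Iterable[str], dead: Set[str], attempts: int,
                 trials: int = 20000, seed: int = 7) -> float:
    """Round-robin with one member down: fraction of clients that never reach a
    live server. `attempts` is how many of the returned A records the client
    tries before giving up (1 = no retry, len(addrs) = tries them all)."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(trials):
        order = list(addrs)
        rng.shuffle(order)                            # resolver/client rotates the RRset
        if not any(a not in dead for a in order[:attempts]):
            failures += 1
    return failures / trials


if __name__ == "__main__":
    print(migration_timeline())          # old address until t=86400, new one from then on
    pool = ["192.0.2.10", "192.0.2.20", "192.0.2.30"]
    print(failure_rate(pool, {"192.0.2.30"}, attempts=1))   # about one third fail
    print(failure_rate(pool, {"192.0.2.30"}, attempts=3))   # 0.0: retrying clients mask the outage
```

So the answer to the TTL question is yes: lower the TTL, wait out the old TTL so every cache has refetched under the new one, and only then cut over; after that, changes propagate within the new TTL. For round robin, the model shows the two things the lists above describe: clients that retry the next A record hide a dead member almost completely, while clients that try only one address fail about 1/N of the time until the record is pulled and, again, the TTL has run out everywhere.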

Why does Heroku warn against "naked" domain names?

I ran across this page in the Heroku docs...

Naked domains, also called bare or apex domains, are configured in DNS via A-records and have serious availability implications when used in highly available environments such as massive on-premise datacenters, cloud infrastructure services, and platforms like Heroku.

For maximum scalability and resiliency applications should avoid naked domains and instead rely solely on subdomain-based hostnames.

Does anyone here speak Enterprise? What are the "availability implications" they're warning about?

(I notice that http://stackoverflow.com works no problem, so evidently there are viable alternate philosophies on this issue.)

Source: (StackOverflow)

Vagrant / VirtualBox DNS not working

I am running a fresh install of Linux Mint Nadia (14). I am following the instructions on Vagrant Getting Started but have gotten stuck on the Provisioning. It seems the Vagrant box cannot connect outside and so I can't install anything using either Chef or Puppet.

In the basic Vagrant resolv.conf contains nameserver But with that set I can't ping us.archive.ubuntu.com.

If I change it to then I can ping us.archive.ubuntu.com but it does not stay set, and after a reboot it changes back to - so provisioning fails again.

Ideally I would like for to work on my setup. Failing that I would like a way to permanently change resolv.conf so that I can do provisioning.

Source: (StackOverflow)

DNS - NSLOOKUP what is the meaning of the non-authoritative answer?

When I do an NS lookup, for some domains I get the reply saying Non-authoritative answer:. I want to know what it means?

Got answer:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional =

        www.ssss.com.SME, type = AAAA, class = IN
    ->  (root)
        ttl = 1787 (29 mins 47 secs)
        primary name server = a.root-servers.net
        responsible mail addr = nstld.verisign-grs.com

Non-authoritative answer:

Name:    xxx.com
Address:  199.1xx.xx.1xx
Aliases:  www.xxx.com

Source: (StackOverflow)
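The nslookup output above, the "bypass the cache" question and the "list all records" question are all answered by bits in the 12-byte DNS message header. "Non-authoritative answer" means the AA (Authoritative Answer) flag is clear: the reply came from a recursive resolver's cache rather than from a server for the zone. A cache can only be bypassed by asking the authoritative server directly (`dig @ns1.mycompany.com mycompany.com A`, assuming that is one of the zone's NS names), or inspected without triggering recursion by clearing the RD flag (`dig +norecurse`). Listing a whole zone is a query of type AXFR (252) over TCP, which the server will answer only if its transfer ACL permits your address. The added example below (not from any of the posts) builds such queries and classifies constructed responses from their header flags; it handles headers only, not answer sections.

```python
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "AXFR": 252, "ANY": 255}

# Header flag bits, RFC 1035 section 4.1.1
FLAG_QR = 0x8000   # response (vs query)
FLAG_AA = 0x0400   # Authoritative Answer
FLAG_TC = 0x0200   # TrunCated
FLAG_RD = 0x0100   # Recursion Desired (what dig +norecurse clears)
FLAG_RA = 0x0080   # Recursion Available
RCODE_NXDOMAIN = 3


def encode_name(name: str) -> bytes:
    """Wire-format owner name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: str, ident: int = 0x1234, recursion_desired: bool = True) -> bytes:
    """A single-question DNS query. recursion_desired=False asks a cache to
    answer only from what it already holds, like dig +norecurse."""
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN


def tcp_framed(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its 2-byte length; AXFR requires TCP."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg: bytes) -> dict:
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA), "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def describe(msg: bytes) -> str:
    """Label a message the way nslookup does."""
    h = parse_header(msg)
    if not h["qr"]:
        return "query"
    if h["rcode"] == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    return "authoritative answer" if h["aa"] else "Non-authoritative answer"


# Constructed response headers (no question/answer sections attached).
CACHED_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)  # from a resolver cache
AUTH_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_AA | FLAG_RD, 1, 1, 0, 0)    # from the zone's server
NXDOMAIN_REPLY = struct.pack("!HHHHHH", 3, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_NXDOMAIN, 1, 0, 1, 0)

if __name__ == "__main__":
    q = build_query("mycompany.com", "AXFR", recursion_desired=False)
    print(tcp_framed(q).hex())
    for m in (CACHED_REPLY, AUTH_REPLY, NXDOMAIN_REPLY):
        print(describe(m), parse_header(m))
```

The NXDOMAIN header mirrors the first block of the nslookup output above (id 3, rcode NXDOMAIN, one authority record, no answers). Exposing AXFR to arbitrary clients hands an attacker your complete internal host list, so on the authoritative side restrict transfers to your secondaries (in BIND, `allow-transfer`), and treat an open transfer found during a pentest as a finding.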

Should CNAME Be Used For Subdomains?

I manage multiple websites that currently have the following DNS configuration:

example.com      - A Record - Production Server IP
test.example.com - A Record - Test Server IP
www.example.com  - CNAME    - example.com
beta.example.com - CNAME    - test.example.com
dev.example.com  - CNAME    - test.example.com

Is this an appropriate use of CNAME records? I've looked online and have not found a clear answer. Some people claim that CNAME records are bad (they are not, however, clear on why this is) and propose the following setup:

example.com      - A Record - Production Server IP
test.example.com - A Record - Test Server IP
www.example.com  - A Record - Production Server IP
beta.example.com - A Record - Test Server IP
dev.example.com  - A Record - Test Server IP

Which one of these is the better approach (and why)?

Note: The subdomains do not require their own MX records, so that is not an issue here.

Source: (StackOverflow)

DNS failing to propagate worldwide

I haven't changed anything related to the DNS entry for serverfault.com, but some users were reporting today that the serverfault.com DNS fails to resolve for them.

I ran a justping query and I can sort of confirm this -- serverfault.com dns appears to be failing to resolve in a handful of countries, for no particular reason that I can discern. (also confirmed via What's My DNS which does some worldwide pings in a similar fashion, so it's confirmed as an issue by two different sources.)

  • Why would this be happening, if I haven't touched the DNS for serverfault.com ?

  • our registrar is (gag) GoDaddy, and I use default DNS settings for the most part without incident. Am I doing something wrong? Have the gods of DNS forsaken me?

  • is there anything I can do to fix this? Any way to goose the DNS along, or force the DNS to propagate correctly worldwide?

Update: as of Monday at 3:30 am PST, everything looks correct.. JustPing reports site is reachable from all locations. Thank you for the many very informative responses, I learned a lot and will refer to this Q the next time this happens..

Source: (StackOverflow)