Wednesday, April 21, 2010

Checking Authoritative DNS Serial Numbers

Did you know that the authoritative DNS servers for a domain consist of a primary and one or more backup (secondary) servers? Did you also know that they are supposed to be in sync?

It is important that the servers be in sync. Why? A record in the primary may be very different from the same record in the secondary, especially if it was just changed. A query might get the wrong information (like an IP address) if the secondary returns the record instead of the primary. That's why it is important to sync them fairly quickly.

The DNS servers are listed when you do a 'whois' query for a domain. Most domains have only two, a primary and a secondary. When changes are made to the primary, they are migrated to the secondary so that if for some reason the primary does not respond to DNS queries, the secondary can continue to answer them.

It is important to know whether those primary and secondary servers are in sync. You can look at the SOA serial field to find out. Normally it is identical on all DNS servers for the domain. If it is not, that indicates a problem. You can use NSLOOKUP to retrieve the SOA record from each DNS server (primary and secondary), but this is a tedious process if there are more than two servers to look at.

We have a tool in NetScanTools Pro that simplifies this process by doing the queries for you very quickly, so you can see a quick snapshot of the DNS update situation. It is part of the DNS Tools - Advanced and it is called "Auth Serial Check".

Here is an example for our domain showing matching serials. Note that the program compares them to make sure they are OK:

[Start Query]
Authoritative DNS Serial Check
Starting Timestamp: 04/21/10 17:00:28
Query: netscantools.com

NS: ns2.webnethost.net -- Serial: 2010020400
NS: ns1.webnethost.net -- Serial: 2010020400

Analysis: All serial numbers are identical, no problems detected.

[End Query]

And now here is a query showing microsoft.com's DNS serials. Note that certain DNS servers are out of date compared with the others. "ns1" is the primary and the others are backups.

[Start Query]
Authoritative DNS Serial Check
Starting Timestamp: 04/21/10 16:44:23
Query: microsoft.com

NS: ns3.msft.net -- Serial: 2010042102
NS: ns5.msft.net -- Serial: 2010042101
NS: ns1.msft.net -- Serial: 2010042102
NS: ns4.msft.net -- Serial: 2010042102
NS: ns2.msft.net -- Serial: 2010042101

Analysis: One or more serial numbers are out of sync with the other serial numbers.

[End Query]

I checked again 15 minutes later and found that all DNS serials in the microsoft.com listing were the same. This is probably normal for a domain of this size, because it may take a while to transfer the zone updates from the primary to the secondaries. I checked the SOA record and could see that the refresh interval is 5 minutes and the retry interval is 10 minutes, so their DNS should not be out of sync for long. It's unusual to see this, so I thought it would make a good example.

A note about the serial field formatting. Both of these conform to what is now the recommended convention, where the serial is human readable (YYYYMMDDnn: the date of the change followed by a two-digit revision number for that day). In the case of microsoft.com, you can see that it is April 21 2010, update numbers 1 and 2. In the case of netscantools.com, you can see that the serial has not changed since February 4, 2010. Not all serials conform to this method. Some are just straight incremental numbers.
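The same check done by hand, as an added example that is not NetScanTools Pro code: each authoritative server is asked directly for the zone's SOA (for instance with `dig +short SOA <zone> @<server>`), the serials are compared the way the listings above are, and YYYYMMDDnn serials are decoded into a date and revision. The sample answers, the server-side hostnames and the timer values in them are constructed; only the serials mirror the microsoft.com listing.

```python
import re
from datetime import date

# Constructed sample: what `dig +short SOA microsoft.com @<server>` prints when
# each authoritative server is asked directly (a recursive resolver would hide
# whose copy of the zone answered). Fields: mname rname serial refresh retry
# expire minimum. Serials mirror the blog's listing; other fields are placeholders.
SAMPLE_SOA = {
    "ns1.msft.net": "primary.example. hostmaster.example. 2010042102 300 600 2419200 3600",
    "ns2.msft.net": "primary.example. hostmaster.example. 2010042101 300 600 2419200 3600",
    "ns3.msft.net": "primary.example. hostmaster.example. 2010042102 300 600 2419200 3600",
    "ns4.msft.net": "primary.example. hostmaster.example. 2010042102 300 600 2419200 3600",
    "ns5.msft.net": "primary.example. hostmaster.example. 2010042101 300 600 2419200 3600",
}

def parse_soa_serial(short_answer: str) -> int:
    """Pull the serial (third field) out of a `dig +short SOA` answer line."""
    fields = short_answer.split()
    if len(fields) != 7:
        raise ValueError(f"unexpected SOA answer: {short_answer!r}")
    return int(fields[2])

def check_zone(answers: dict) -> dict:
    """Compare the serial each server returned and list the ones still behind.
    max() suffices here; serials near the 32-bit wrap would need RFC 1982
    serial arithmetic instead."""
    serials = {ns: parse_soa_serial(a) for ns, a in answers.items()}
    newest = max(serials.values())
    lagging = sorted(ns for ns, s in serials.items() if s != newest)
    return {"serials": serials, "newest": newest,
            "lagging": lagging, "in_sync": not lagging}

def decode_serial(serial: int):
    """Return (date, revision) if the serial follows YYYYMMDDnn, else None."""
    m = re.fullmatch(r"(\d{4})(\d{2})(\d{2})(\d{2})", str(serial))
    if not m:
        return None
    year, month, day, rev = map(int, m.groups())
    try:
        return date(year, month, day), rev
    except ValueError:  # ten digits, but not a real calendar date
        return None

if __name__ == "__main__":
    result = check_zone(SAMPLE_SOA)
    for ns, serial in sorted(result["serials"].items()):
        print(f"NS: {ns} -- Serial: {serial}  decoded: {decode_serial(serial)}")
    print("in sync" if result["in_sync"] else f"out of sync, lagging: {result['lagging']}")
```

To run it against a live zone, replace the values in SAMPLE_SOA with the actual `dig +short SOA` output from each server named in the zone's NS records.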

You can try out the Auth Serial Check tool in the NetScanTools Pro Demo at our website.
