Why aren’t our DNS records propagating out into the internet

binddomain-name-system

We run the name servers for our domain on our network. We use bind/named. Lets call the domain example.com. One thing I've noticed recently, when I goto a website like http://network-tools.com and run queries on URLs defined on our name servers, I see changes instantly.

For example, if I add an entry to our DNS server for the url funny.example.com and then look up that url on http://network-tools.com, I see the proper external static IP listed for it immediately.

That is telling me that any DNS requests related to example.com are coming straight to our DNS servers every time.

My suspicions were confirmed earlier in the week when our DNS servers went down for a very short period. And during that time period, if I used http://network-tools.com to query example.com or any of its subdomains, I would get zero results. Obviously its because the DNS servers were down and couldn't be reached.

So this brings me to my question. I thought changes to our DNS servers should be propogating out onto the internet to other DNS servers. That way, if our DNS goes down temporarily, other servers on the internet still know what IP address example.com points to.

Am I misunderstanding this DNS stuff? Are 3rd party-controlled DNS servers like ours not allowed to propagate DNS information to other servers on the net?

Where should I start investigating as to why the changes aren't making it out there? I can see on our firewall that port 53 traffic is making it to our DNS servers properly.

UPDATE

I know you guys are saying that its impossible to publish your DNS settings instantaneously, but all I know is this: If I make a DNS change on our DNS server(s) and then immediately check it on http://network-tools.com, I see the changes immediately.
If I turn off our DNS servers and then I try to check any of the URLs using http://network-tools.com, the site cannot find any of the URLs. But if I bring the DNS servers back online, all of the sudden http://network-tools.com can find the URLs again… This tells me that servers are NOT caching our DNS settings. Am I wrong? Also, our TTL settings are set to 900 (15 minutes) at the moment and our DNS servers have been running for over a year. So its not like DNS servers out on the internet haven't had a chance to cache it yet. Is the reason servers are not caching the settings because the TTL is so low at the moment? That kinda makes sense if that is the reason.

Best Answer

Yes, you are misunderstanding how DNS works. I'm going to use some emphasis here, but please don't be offended as none is intended.

DNS RECORDS ARE NOT PROPAGATED. THEY ARE CACHED.

That being said, here's a simplified explanation of what happens:

You create a new DNS record (A, CNAME, etc)
A remote user (more specifically a process\application launched by the user) tries to access a service accessed via that DNS record (a web browser trying to access the web site running on funny.example.com for instance)
The users DNS client sends a DNS query to it's DNS server, the DNS server then finds your name servers (usually through a series of recursive DNS queries) and asks them for the information regarding funny.example.com
Your name servers respond with the answers
The users DNS server then sends this information to the user (more specifically to the users DNS client resolver), which in turn returns the information to the process\application. This information comes with what is called a TTL (Time To Live) that tells the DNS client resolver how long this information may be kept in it's DNS cache (in memory) and how long the information can be considered current and accurate
The user's DNS client resolver then flushes this information when the TTL expires. Any new requests for the DNS record(s) in question requires a new DNS lookup and the above process repeats.

So the long and short of it is this:

Your DNS records do not propagate. No other DNS server has a copy of your DNS records or zones. A DNS client or server may cache information about your DNS records or zones (based on their DNS queries of your DNS records and zones) into their DNS cache. This information is temporarily cached and will be removed from their DNS cache when the TTL expires.

If your name servers are down, only those DNS clients that have any of your DNS records in their cache will be able to resolve those DNS records and only until the TTL expires. Also, when the TTL expires (neccessitating a new DNS lokkup) those DNS clients will no longer be able to resolve your DNS records.

Related Solutions

Overriding some DNS entries in BIND for internal networks

The best method is via the response policy zone in Bind 9.8.1 or newer. It allows you to override single records in arbitrary zones (and there's no need to create a whole subdomain for that, only the single record you want to change), it allows you to override CNAMEs, etc. Other solutions such as Unbound cannot override CNAMEs.

https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html

EDIT: Let's do this properly then. I will document what I've done based on the tutorial linked above.

My OS is Raspbian 4.4 for Raspberry Pi, but the technique should work without any changes on Debian and Ubuntu, or with minimal changes on other platforms.

Go to where your Bind config files are kept on your system - here it's in /etc/bind. Create in there a file called db.rpz with the following contents:

$TTL 60
@            IN    SOA  localhost. root.localhost.  (
                          2015112501   ; serial
                          1h           ; refresh
                          30m          ; retry
                          1w           ; expiry
                          30m)         ; minimum
                   IN     NS    localhost.

localhost       A   127.0.0.1

www.some-website.com    A        127.0.0.1

www.other-website.com   CNAME    fake-hostname.com.

What does it do?

it overrides the IP address for www.some-website.com with the fake address 127.0.0.1, effectively sending all traffic for that site to the loopback address
it sends traffic for www.other-website.com to another site called fake-hostname.com

Anything that could go in a Bind zone file you can use here.

To activate these changes there are a few more steps:

Edit named.conf.local and add this section:

zone "rpz" {
  type master;
  file "/etc/bind/db.rpz";
};

The tutorial linked above tells you to add more stuff to zone "rpz" { } but that's not necessary in simple setups - what I've shown here is the minimum to make it work on your local resolver.

Edit named.conf.options and somewhere in the options { } section add the response-policy option:

options {
  // bunch
  // of
  // stuff
  // please
  // ignore

  response-policy { zone "rpz"; };
}

Now restart Bind:

service bind9 restart

That's it. The nameserver should begin overriding those records now.

If you need to make changes, just edit db.rpz, then restart Bind again.

Bonus: if you want to log DNS queries to syslog, so you can keep an eye on the proceedings, edit named.conf.local and make sure there's a logging section that includes these statements:

logging {
    // stuff
    // already
    // there

    channel my_syslog {
        syslog daemon;
        severity info;
    };
    category queries { my_syslog; };
};

Restart Bind again and that's it.

Test it on the machine running Bind:

dig @127.0.0.1 www.other-website.com. any

If you run dig on a different machine just use @the-ip-address-of-Bind-server instead of @127.0.0.1

I've used this technique with great success to override the CNAME for a website I was working on, sending it to a new AWS load balancer that I was just testing. A Raspberry Pi was used to run Bind, and the RPi was also configured to function as a WiFi router - so by connecting devices to the SSID running on the RPi I would get the DNS overrides I needed for testing.

Why is it called DNS “Propagation”

Myth? Kind of.

There are 2 aspects that people often confuse. If you make a change to your domain name with your domain name registrar, for example changing the name servers, that is pushed to the name servers for your TLD (.com, .ca, .fr, etc). That's where the propagation comes into play. In years past, that could take hours or even days waiting for the registrar to take the information you provided, push that to their deployment servers which would update the TLD root servers twice per day. That's improved rapidly over the years and often times changes made to your domain name take take effect nearly immediately.

On the other hand, if you make a change to your DNS zone, like adding an A record or an MX change, that should take 'up to' as long as the TTL setting to be updated everywhere. That's not really propagation though, it's caching. Microsoft DNS, for example, defaults to 1 hour TTL.

With the caching, if you happen to use the domain name just before making a change, and the TTL is 1 hour, then it will take an hour for it to be updated. However, if you haven't tested anything with the domain name just prior to the change, then your change will be immediate for you. (i.e. add a new A record that you haven't tested with yet, and it will take effect immediately).

So, nowadays almost all changes will take affect within an hour (or whatever your DNS TTL is set for). The only exceptions are if a DNS server doesn't honor the TTL (spammers often don't), or if your domain name registrar's servers aren't updating properly to the internet and you make a registrar level change. That isn't often though.

Best Answer

Related Solutions

Overriding some DNS entries in BIND for internal networks

Why is it called DNS “Propagation”

Related Topic