I am implementing a middleware DNS server (I know, I know, I probably shouldn't) to create a DNS-based service discovery (like Kubernetes) for my infrastructure.
I am currently using a Go-based DNS library and it has been running smoothly so far. I am running this server on localhost:53 of all my machines (by overwriting the nameserver in /etc/resolv.conf).
All DNS questions in my infrastructure go through this custom DNS server I wrote.
I want this middleware DNS server to handle:
- local domains (e.g. *.foo.local.): No problem here.
- external domains (e.g. example.com.): Forward (NOT proxy or recursion) the clients to the original nameserver of the machine (i.e. the original value that I save from /etc/resolv.conf).
In order to implement the last point above, I have to answer DNS queries as follows: "I don't know the answer to this message, query this other name server". Is there something like this that clients recognize?
So far I have tried to answer with rcode: NOERROR and send NS RRs with the IP address of the original name server in the answer section. That didn't work (clients don't understand it).
(I can implement recursion in my DNS server, but I prefer not to.)
Aside: I have found that some public DNS servers (not all, like 188.8.131.52 or 184.108.40.206) actually respond with an "authority section" pointing to other name servers.
For example, here is Comcast's DNS server (220.127.116.11) responding to a query for a .dev domain by pointing it to Google Domains' name servers:
dig +norecurse @18.104.22.168 ahmet.dev.

; <<>> DiG 9.10.6 <<>> +norecurse @22.214.171.124 ahmet.dev.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21419
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 11

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ahmet.dev.                     IN      A

;; AUTHORITY SECTION:
dev.                    72560   IN      NS      ns-tld4.charlestonroadregistry.com.
dev.                    72560   IN      NS      ns-tld2.charlestonroadregistry.com.
dev.                    72560   IN      NS      ns-tld5.charlestonroadregistry.com.
dev.                    72560   IN      NS      ns-tld3.charlestonroadregistry.com.
dev.                    72560   IN      NS      ns-tld1.charlestonroadregistry.com.

;; ADDITIONAL SECTION:
ns-tld4.charlestonroadregistry.com. 158960 IN A    126.96.36.199
ns-tld4.charlestonroadregistry.com. 158960 IN AAAA 2001:4860:4802:38::69
ns-tld2.charlestonroadregistry.com. 158960 IN A    188.8.131.52
ns-tld2.charlestonroadregistry.com. 158960 IN AAAA 2001:4860:4802:34::69
ns-tld5.charlestonroadregistry.com. 158960 IN A    184.108.40.206
ns-tld5.charlestonroadregistry.com. 158960 IN AAAA 2001:4860:4805::69
ns-tld3.charlestonroadregistry.com. 158960 IN A    220.127.116.11
ns-tld3.charlestonroadregistry.com. 158960 IN AAAA 2001:4860:4802:36::69
ns-tld1.charlestonroadregistry.com. 158960 IN A    18.104.22.168
ns-tld1.charlestonroadregistry.com. 158960 IN AAAA 2001:4860:4802:32::69

;; Query time: 56 msec
;; SERVER: 22.214.171.124#53(126.96.36.199)
;; WHEN: Sat Feb 29 15:56:32 PST 2020
;; MSG SIZE  rcvd: 394
I don't quite understand how one adds an authority section to a message (is that just an "answer section" with NS records?).
So it seems that a name server can actually answer queries by sending the client to another name server? How do I implement this kind of answer myself?
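The response shape in the dig output above (NOERROR, empty ANSWER, NS records in AUTHORITY, glue in ADDITIONAL), built on the wire by hand as an added example. This is not code from the question and it does not use the Go DNS library the poster mentions; it uses only the standard library, so the message layout is visible byte by byte. The Authority section is nothing special in the format: after the Answer records come NSCOUNT more resource records, then ARCOUNT more, and a referral is simply a reply whose Answer count is zero, whose Authority records are NS RRs for the delegated zone, and whose AA and RA flags are clear. The function names (`BuildReferral`, `encodeName`, `skipName`, `appendRR`), the zone `dev.`, the nameserver names and the 192.0.2.0/24 glue addresses are all assumptions made up for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// RFC 1035 TYPE/CLASS codes, header flag bits (section 4.1.1) and the opcode field mask.
const typeA, typeNS, classIN uint16 = 1, 2, 1
const flagQR, flagAA, flagRD, flagRA, opcodeMask uint16 = 0x8000, 0x0400, 0x0100, 0x0080, 0x7800

func be16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }
func rd16(b []byte, off int) uint16 { return uint16(b[off])<<8 | uint16(b[off+1]) }

// encodeName turns "ns1.example.com." into uncompressed wire-format labels.
func encodeName(name string) ([]byte, error) {
	var out []byte
	if name = strings.TrimSuffix(name, "."); name != "" {
		for _, label := range strings.Split(name, ".") {
			if len(label) == 0 || len(label) > 63 {
				return nil, fmt.Errorf("bad label %q in %q", label, name)
			}
			out = append(append(out, byte(len(label))), label...)
		}
	}
	return append(out, 0), nil
}

// skipName returns the offset just past the name that starts at off.
func skipName(msg []byte, off int) (int, error) {
	for off < len(msg) {
		l := int(msg[off])
		if l == 0 || l&0xC0 == 0xC0 { // terminating zero label (1 byte) or compression pointer (2 bytes)
			return off + 1 + l>>7, nil
		}
		off += 1 + l
	}
	return 0, errors.New("truncated name")
}

// appendRR appends one resource record (NAME TYPE CLASS TTL RDLENGTH RDATA); name is already encoded.
func appendRR(buf, name []byte, rrtype uint16, ttl uint32, rdata []byte) []byte {
	buf = be16(be16(append(buf, name...), rrtype), classIN)
	buf = be16(be16(be16(buf, uint16(ttl>>16)), uint16(ttl)), uint16(len(rdata)))
	return append(buf, rdata...)
}

// BuildReferral answers query with a referral: rcode NOERROR, empty ANSWER, one NS RR per
// nameserver for zone in AUTHORITY, in-bailiwick A glue in ADDITIONAL, AA and RA clear.
func BuildReferral(query []byte, zone string, nameservers []string, glue map[string]net.IP, ttl uint32) ([]byte, error) {
	qend, err := skipName(query, 12)
	if err != nil || rd16(query, 2)&flagQR != 0 || rd16(query, 4) != 1 || qend+4 > len(query) {
		return nil, errors.New("expected a query with exactly one question")
	}
	zone = strings.ToLower(strings.TrimSuffix(zone, ".")) + "."
	zoneWire, err := encodeName(zone)
	if err != nil {
		return nil, err
	}
	var auth, add []byte
	var nadd uint16
	for _, ns := range nameservers {
		nsWire, err := encodeName(ns)
		if err != nil {
			return nil, err
		}
		auth = appendRR(auth, zoneWire, typeNS, ttl, nsWire)
		// Glue only for in-bailiwick nameservers with an IPv4 address: resolvers discard the rest,
		// and out-of-bailiwick ADDITIONAL data is the classic cache-poisoning vector.
		if ip4 := glue[ns].To4(); ip4 != nil && (zone == "." || strings.HasSuffix(strings.ToLower(ns), "."+zone)) {
			add = appendRR(add, nsWire, typeA, ttl, ip4)
			nadd++
		}
	}
	// Header: same ID; keep opcode and RD; set QR; AA, TC, RA, Z and RCODE are all zero.
	resp := be16(append([]byte{}, query[:2]...), rd16(query, 2)&(opcodeMask|flagRD)|flagQR)
	resp = be16(be16(be16(be16(resp, 1), 0), uint16(len(nameservers))), nadd) // QD AN NS AR
	return append(append(append(resp, query[12:qend+4]...), auth...), add...), nil // question, then the two sections
}

func main() {
	// Constructed sample: a stub-style A query for ahmet.dev. (ID 0x1234, RD set) answered with a
	// delegation of "dev." to an in-zone nameserver (gets glue) and an out-of-zone one (no glue);
	// 192.0.2.0/24 is documentation address space.
	qname, _ := encodeName("ahmet.dev.")
	query := append(be16(be16(be16(nil, 0x1234), flagRD), 1), 0, 0, 0, 0, 0, 0) // ID, flags, QD=1, AN=NS=AR=0
	query = be16(be16(append(query, qname...), typeA), classIN)
	glue := map[string]net.IP{"ns1.dev.": net.ParseIP("192.0.2.1"), "ns.example.": net.ParseIP("192.0.2.2")}
	resp, err := BuildReferral(query, "dev.", []string{"ns1.dev.", "ns.example."}, glue, 3600)
	if err != nil {
		panic(err)
	}
	fmt.Printf("flags=%#04x qd=%d an=%d ns=%d ar=%d (%d bytes)\n",
		rd16(resp, 2), rd16(resp, 4), rd16(resp, 6), rd16(resp, 8), rd16(resp, 10), len(resp))
}
```

Two caveats before relying on this. A referral is only meaningful to a resolver that is itself iterating: `dig +norecurse`, or a recursive resolver that queried you as if you were authoritative. The stub resolvers that read /etc/resolv.conf (glibc, musl, Go's built-in resolver, systemd-resolved's stub) send RD=1 and expect a final answer; they do not follow NS records, wherever those are placed, so a server listed in resolv.conf has to either forward the query upstream itself or recurse. And if you do forward, treat the upstream reply as untrusted input: match transaction ID, source port and question to an outstanding query before accepting it, and keep the same in-bailiwick rule for any Additional records you relay.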