With DNS, what is the difference between Delegation, Forwarding, Conditional Forwarding, and Stub zones?


Watki02,

That is quite an ask. I tried to answer your question, but I think some more research on your part might be in order ;)

You are asking less of a question and more for a class on how DNS works.

I did not provide pictures, but if you read my answer they should be easy for you to make.

Delegation

Take domain.com. For the purpose of this discussion you registered domain.com with GoDaddy. You have a website hosted by another company. Your website is www.domain.com.

You have decided that you want your zone file to be hosted by the same company that hosts your website content.

By default, your zone file is hosted where your domain is registered. For you to have the server that hosts your website content host your zone file you would login to GoDaddy and configure DNS delegation. That would require you to enter the Fully Qualified Domain Name (FQDN) of the name servers provided by the company that is hosting your website content.

When someone queries www.domain.com the request goes to GoDaddy who says you need to contact the name servers of the company that hosts the website content. GoDaddy provides the records for the name servers.

The query then obtains the information from the name servers that were specified.

Forwarding

DNS forwarding is something that a DNS server with forwarding configured does.

For our discussion we will say your internal domain name is network.com. If a computer in your network asks for server.network.com, your DNS server in your office that is the authoritative server for network.com will resolve the request. If a computer in your network asks for www.example.com, the request will first go to your DNS server in your office and the DNS server will say, I do not have any information for example.com, so you need to go to an external DNS server. The external DNS server is the forwarder.

So your DNS server in your office (ns.network.com) manages the zone file for network.com. If a request is made for something in the domain network.com, ns.network.com is going to do the resolution. If a request is made for a zone that ns.network.com does not manage, then ns.network.com says, I don't know anything about the domain you need records for, but here is the DNS forwarder that you need to get the records from. So if Google is your DNS forwarder, then the request would be forwarded to Google. Google would then process the resolution request and provide a response.

Conditional Forwarding

Conditional forwarding is similar to forwarding except instead of forwarding all DNS requests that the DNS server cannot resolve to an external DNS server it only forwards DNS requests for specific domains.

So let's say you have a DNS server in your office (ns.network.com) and it has a DNS forwarder 8.8.8.8 (this is the public IP address for a Google public DNS server), but you want DNS requests for client.com to go to ns.client.com. Then you would create a conditional forwarder that says DNS requests for client.com go to ns.client.com. If you do that, even though ns.network.com cannot resolve desktop.client.com, it will not be forwarded to Google but it will be forwarded to ns.client.com.

Stub Zone

A Stub Zone is a DNS zone file that contains the bare minimum DNS records so it can respond to queries. Usually a Stub Zone has a Start of Authority (SOA) record and Name Server (NS) records. This is useful if you have two different DNS servers each managing a zone and the two DNS servers need to talk with each other so each network can communicate with the other using internal DNS.

You can read more about DNS on the following pages:

How DNS Query Works: Domain Name System (DNS)

Using forwarders: Domain Name System (DNS)

Understanding stub zones: Domain Name System (DNS)
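As an added illustration (not code from the answer above, and not modelled on any particular DNS server product), here is a toy Python model of how a server such as ns.network.com decides where a query goes: its own zones and delegations first, then stub zones, then conditional forwarders, then the default forwarder, with the two failure cases a misconfiguration produces (no default forwarder, a stub zone with no NS records). All zone contents, hosts and the 10.0.0.5 address are constructed for the example; the 8.8.8.8 forwarder and the network.com / client.com names come from the answer.

```python
# Added example, not code from the answer or from any real DNS server: a toy
# model of how ns.network.com picks the next hop for a query. Zones, hosts
# and addresses below are constructed from the answer's own examples.

def _longest_match(name, zones):
    """Return the longest zone in `zones` that `name` falls inside, or None."""
    labels = name.lower().strip(".").split(".")
    for i in range(len(labels)):          # full name first, then shorter suffixes
        zone = ".".join(labels[i:])
        if zone in zones:
            return zone
    return None

def route_query(cfg, name):
    """Return (action, target) for a query of `name` against this config.
    cfg keys (all optional):
      authoritative: {zone: {fqdn: ip}}  zones this server hosts
      delegations:   {subzone: [ns...]}  NS records handed out as a referral
      stub:          {zone: [ns...]}     only SOA/NS kept locally
      conditional:   {zone: [host...]}   forwarders for specific zones
      forwarders:    [host...]           default forwarders for everything else
    """
    table = {}                            # zone -> which mechanism owns it
    for kind in ("authoritative", "delegations", "stub", "conditional"):
        for zone in cfg.get(kind, {}):
            table[zone] = kind
    zone = _longest_match(name, table)    # a delegated child beats its parent
    if zone is None:                      # nothing local: default forwarder
        if cfg.get("forwarders"):
            return ("forward", cfg["forwarders"])
        return ("servfail", "no forwarder configured and recursion is off")
    kind = table[zone]
    if kind == "authoritative":           # answer from the zone file itself
        ip = cfg["authoritative"][zone].get(name.lower().strip("."))
        return ("answer", ip) if ip else ("nxdomain", zone)
    if kind == "delegations":             # refer the client to the child's NS
        return ("referral", cfg["delegations"][zone])
    if kind == "stub":                    # ask the NS hosts the stub zone lists
        targets = cfg["stub"][zone]
        return ("query_stub_ns", targets) if targets else ("servfail", "stub zone has no NS records")
    return ("conditional_forward", cfg["conditional"][zone])

CONFIG = {                                # constructed to mirror the answer
    "authoritative": {"network.com": {"server.network.com": "10.0.0.5"}},
    "delegations": {"lab.network.com": ["ns1.lab.network.com"]},
    "stub": {"partner.com": ["ns.partner.com"]},
    "conditional": {"client.com": ["ns.client.com"]},
    "forwarders": ["8.8.8.8"],
}
```

Calling `route_query(CONFIG, "desktop.client.com")` gives the conditional forwarder, while `route_query(CONFIG, "www.example.com")` falls through to 8.8.8.8, which is the distinction the answer draws between the two kinds of forwarding.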


Updated on September 18, 2022

Comments

  • Watki02
    Watki02 almost 2 years

    I am surprised at how many different ways I have read answers to this question and I still don't know the fine differences of the answer.

    For each of these similar DNS concepts:

    • Delegation
    • Forwarding
    • Conditional Forwarding
    • Stub Zones

    I would like a step-by-step layout of the life of a typical query, preferably "happy path" (query succeeds) and "sad path" (query fails due to a relevant misconfiguration).

    In each step:

    • "Who" (or what) is participating? (e.g. authoritative servers? caching servers? dual-purpose servers? clients? example domains/IPs preferred)
    • What is the raw information being sent in the query? (i.e. a domain? an IP? whose is it? Where FROM and TO is it being sent in this step?)
    • What and where is information being stored? (e.g. server only stores certain records)

    I prefer pictures with important details embedded.

    Lastly, a summary of why you would use each concept/method over the others would be nice.

    • Andrew B
      Andrew B about 8 years
      You're mixing terms that are associated with recursive and authoritative DNS. Unless you feel confident that you understand the difference, answers that you get here aren't going to be very helpful: you're in need of a book.
  • Watki02
    Watki02 about 8 years
    The ironic thing is that I am taking a training on DNS and that is how I thought to ask the question. I'll answer it for myself (and everyone else) the way I was thinking once I know the answer(s).
  • user5870571
    user5870571 about 8 years
    If you read my answer, I suspect you will find that a number of your questions are answered.
  • krad
    krad about 6 years
    Some inaccuracies. Delegation: GoDaddy would never be involved in the lookup. For a full recursive lookup you would first go to the root name servers, then the .com ones, then finally the authoritative one for domain.com. Delegation is where you say, if you want anything in this subdomain, go get it from these name servers. So the resolution path is . -> com -> domain.com. The only place where GoDaddy will be mentioned is as the registrar in the whois information.
  • krad
    krad about 6 years
    Forwarding: This is where all requests that the office server is not authoritative for are pushed to another DNS server to fully resolve. This can be external, and usually is, but doesn't have to be. You would usually do this to benefit from large-scale caching and other services which are better catered for upstream. The forwarding DNS is the office one, not the remote one; that is the recursive DNS server.
  • krad
    krad about 6 years
    You can also configure the office DNS server to do fully recursive lookups as well and not use the upstream recursive server. This will add load and you won't benefit from having caches warmed. However, if you want secure validated DNS lookups using DNSSEC you need to do this to verify the validity of the lookups, at least at this point in time.