Re: NSLOOKUP SRV Record Output - IP address necessary?
- From: "Steve Duff [MVP]" <ergodic@xxxxxxxxxxxxxxxxxxx>
- Date: Thu, 14 Jul 2005 14:07:58 -0700
The output at the bottom of nslookup is just giving you the "additional records" section of the response to your DNS query. This
contains other information that the responder believes might be useful - in other words answers to other lookups you're likely to
need to make. In your case it is giving you IPs for dc1&dc2.example.microsoft.com because these names appear in the SRV records.
There is only one set of "additional records" per query -- not per host or answer, if that is your question, and there can be no
additional records at all. The section and its contents are pretty much arbitrary on the part of the responder.
To say it is "optional" isn't quite the whole story: The problem is that this information may be unreliable, it may even be entirely
unrelated to the original query. So if it is used or cached it can lead to misdirected names (intentional or otherwise: the
so-called 'cache poisoning' and related types of DNS namespace attacks.)
So a properly secured DNS server just ignores an answer that isn't verifiably authoritative from the responder -- which often pretty
much takes out the entire "additional records" section's answers. So your DNS server may have to make several queries to fully
resolve, say, an MX record for a domain, this even though the first response might answer everything via its authority and
additional records sections. Such is the cost of security.
You can nonetheless see this section's data in an nslookup -- which uses its own query/resolution engine and is not impacting
resolution in your running system.
None of this is normally a problem for a local DNS serving SRV records for its own Active Directory domain, since it is
authoritative for it. In the case of SRV records, you can use netdiag /fix to ensure and verify that all the correct DNS records
have been installed in Active Directory.
Steve Duff, MCSE, MVP
Ergodic Systems, Inc.
"bmack500" <brett.mack@xxxxxxxxx> wrote in message news:1121365869.844829.228290@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> We have a Non-MS DNS implementation. We supposedly have DDNS enabled &
> functioning, however I've discovered things which I am not sure have an
> effect. Suppose we do the following query, with its associated output:
> ***************************************************************************
> C:\nslookup
> Default Server: dc1.example.microsoft.com
> Address: 10.0.0.14
> set type=srv
> _ldap._tcp.dc._msdcs.example.microsoft.com
> Server: dc1.example.microsoft.com
> Address: 10.0.0.14
> _ldap._tcp.dc._msdcs.example.microsoft.com SRV service location:
> priority = 0
> weight = 0
> port = 389
> svr hostname = dc1.example.microsoft.com
> _ldap._tcp.dc._msdcs.example.microsoft.com SRV service location:
> priority = 0
> weight = 0
> port = 389
> svr hostname = dc2.example.microsoft.com
> dc1.example.microsoft.com internet address = 10.0.0.14
> dc2.example.microsoft.com internet address = 10.0.0.15
> ***************************************************************************
> Many of our SRV records are missing the last part - the Host name
> followed by the internet address. For the same record, some of them are
> there and some aren't.
> Reading the RFC, it looks as though this is optional. However, what is
> Microsoft's view on this? Does it break things if the target record is
> present, the A record for the target exists in DNS, but an SRV query
> does not return the address?
>
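The filtering described in the reply above, as an added example that is not part of the original thread: a simplified check that uses an additional-section A record only when its owner name is an SRV target from the answer section and lies inside the zone the responder is authoritative for. The function names, the policy itself and the sample records (the missing dc2 address and the unrelated name) are assumptions constructed for illustration; real DNS servers apply more elaborate rules.

```python
# Added illustration; the record tuples below are constructed sample data.
QNAME = "_ldap._tcp.dc._msdcs.example.microsoft.com"
ZONE = "example.microsoft.com"  # zone the responder is authoritative for (assumed)

ANSWERS = [
    (QNAME, "SRV", (0, 0, 389, "dc1.example.microsoft.com")),
    (QNAME, "SRV", (0, 0, 389, "dc2.example.microsoft.com")),
]
# Constructed: dc2's address is absent and an unrelated name has been added.
ADDITIONAL = [
    ("dc1.example.microsoft.com", "A", "10.0.0.14"),
    ("www.unrelated.example", "A", "192.0.2.66"),
]

def norm(name):
    """DNS names compare case-insensitively, ignoring a trailing dot."""
    return name.rstrip(".").lower()

def in_zone(name, zone):
    """True if name is the zone apex or a label-aligned descendant of it."""
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)

def triage_additional(zone, answers, additional):
    """Return (trusted, requery).

    trusted -- {target: [addresses]} taken from the additional section
    requery -- SRV targets that still need their own A lookup
    """
    targets = {norm(rdata[3]) for _, rtype, rdata in answers if rtype == "SRV"}
    trusted = {}
    for owner, rtype, rdata in additional:
        owner = norm(owner)
        # Ignore anything the query did not ask about or the zone does not cover.
        if rtype == "A" and owner in targets and in_zone(owner, zone):
            trusted.setdefault(owner, []).append(rdata)
    requery = sorted(targets - set(trusted))
    return trusted, requery

if __name__ == "__main__":
    trusted, requery = triage_additional(ZONE, ANSWERS, ADDITIONAL)
    print("usable from additional section:", trusted)
    print("needs its own A query:", requery)
```

A target that lands in `requery` is the case the original question asks about: the SRV answer is still complete, and the address simply costs one more lookup.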