"content" and "proxy" DNS servers

You've come to this page because you've asked a question similar to the following:

People keep talking about "content DNS servers" and "proxy DNS servers". What are these ?

This is the Frequently Given Answer to that question.

The RFCs make the unfortunate unstated assumption that all DNS servers are fundamentally the same. This is an entirely unwarranted assumption. There are in fact several distinct rôles that a DNS server can perform.

DNS is in fact very much like HTTP. (This isn't surprising, if one thinks about it.) Like HTTP servers, DNS servers are categorized into two classes: content servers and proxy servers. Modern DNS softwares have separate programs that perform each rôle. (In comparison, old DNS softwares, such as BIND and Microsoft's DNS server, have one big program that vainly attempts to wear all of the hats at once.)

The RFC terminology is idiosyncratic and arcane, and suffers from widespread egregious mis-use, with people ending up using the terminology quite wrongly and then reasoning from that quite badly. Fortunately, the HTTP terminology is clearer, more widely understood, and indeed more usefully describes the architectures that systems in practice actually implement.

Content Servers

Content servers publish DNS content to the world. The data that they publish are taken from a database, or are generated internally by the servers themselves. (Content servers don't need caches, therefore.) If one owns one's own domain, one uses a content server to publish the DNS information about that domain.

The IP addresses on which content servers listen

Public content servers, which serve up the portion of the overall DNS database for one or more particular domains, receive incoming queries from the rest of Internet, so they have to listen on an IP address that can be reached by the rest of Internet.

Private content servers, in contrast, serve up an "internal" view of the DNS for a domain to a restricted set of clients (usually just one or more resolving proxy servers, because they are the second of the two content DNS servers in a "split-horizon" DNS service employing two content servers), and so do not need to listen on an IP address that can be reached by the rest of Internet.

Delegations always point to content servers

Delegations in the DNS database always point to the IP addresses of content servers.

For the public DNS database, these must be public content servers, in order that everyone's resolving proxy servers are able to follow them and contact the content servers being delegated to. (Usually, resolving proxy servers are directed to private content servers by explicitly overriding the content of the DNS database, rather than by publishing delegations.)

Arranging delegations involves talking to human beings

How one tells the whole world where to look for one's content servers is not a matter that involves software. It involves human beings. If one owns the domain something.person., one contacts the people who own the person. servers, and pays them to have their content servers publish a referral pointing to one's own content servers. This referral will be the partial answer sent to anyone who asks them about something.person..

Commonly, the superdomain is a top-level domain, and the process of talking to the human beings who own its content servers is a formalized one involving middle-men.

DNS clients don't talk directly to content servers

DNS clients are never configured to talk directly to content servers. The IP address of a content server should not be listed in the /etc/resolv.conf file on Unix or Linux systems, for example.

DNS clients expect to receive complete answers, which content servers do not necessarily provide. Content servers may provide partial answers ending in referrals.

Content servers don't talk to other servers

Content servers never talk to each other (unless they are using BIND's zone transfer mechanism for their database replication) or initiate communication with any other sorts of DNS servers.

The programs that perform content service

Modern DNS packages have many programs that provide both general-purpose and specialised forms of content service.

Proxy servers

Proxy servers act as intermediaries between DNS clients (such as an application calling the gethostbyname() library function) and other DNS servers. They handle outgoing queries. They answer those queries from data that are obtained by sending one or more queries to other DNS servers. Usually they cache those data, reducing traffic and latency in the case that the data are frequently requested.

Proxy servers are further categorised into two subcategories: resolving proxy servers and forwarding proxy servers.

Resolving proxy servers

Resolving proxy servers talk directly to content servers. They perform the grunt work of query resolution.

Resolving proxy servers need to be able to talk to arbitrary content servers on the rest of Internet, as they follow the chain of referrals from content server to content server, working down from the root content servers, and thus must run on machines with direct connections to Internet.

Forwarding proxy servers

Forwarding proxy servers talk only to other proxy servers, not directly to content servers. They don't perform resolution. They pass that work on to other proxy servers. They concentrate multiple streams of DNS traffic into a single stream.

Essentially there is a chain of (zero or more) forwarding proxy servers between the DNS clients and the resolving proxy server.

Forwarding proxy servers only need to be able to talk to the proxy servers that they have been configured to forward queries to. They do not need to be able to access the whole of Internet.

Choosing whether and where to deploy forwarding and resolving proxy servers

The choices of whether and where to deploy forwarding and resolving proxy DNS servers involve various decision criteria:

ISPs often provide proxy DNS services to their customers. However, as with all such caching proxy services, the benefit is generally to the ISP, not to the customer. The main purpose of an ISP providing a caching proxy service, be it a caching proxy DNS service or a caching proxy HTTP service, is to reduce the traffic over its links with the rest of Internet (by collapsing identical transactions from multiple customers into one), and thus what it has to pay for. The main purpose is not access speed as far as the customer is concerned, contrary to common belief. (Indeed, as explained earlier, using one's own resolving proxy DNS server can in various situations actually be faster than having a forwarding proxy DNS server forwarding queries to the proxy DNS server provided by an ISP.) ISPs encourage their customers to use their caching proxy servers primarily for their own benefits.

DNS clients talk only to proxy servers

Proxy servers handle all outgoing DNS queries originating from processes running on one's machines (or on the machines of one's paying customers). DNS clients are always configured to talk to proxy servers. The IP address of a proxy server will be what is used in the /etc/resolv.conf file on Unix or Linux systems, for example.

DNS clients expect complete answers, which only proxy servers provide.

The IP addresses on which proxy servers listen

Proxy servers do not need to be, and shouldn't be, accessible from the outside world. They must be configured to listen on IP addresses that are, quite simply, not reachable from the rest of Internet, and not reachable from outside of the machine, site, or organization whose clients they are providing service to.

Delegations never point to proxy servers

Delegations in the DNS database never list the IP addresses of proxy servers.

The programs that perform proxy service

Modern DNS packages have programs that provide proxy service.

© Copyright 2000–2004,2007 Jonathan de Boyne Pollard. "Moral" rights asserted.
Permission is hereby granted to copy and to distribute this web page in its original, unmodified form as long as its last modification datestamp is preserved.