Help Required to understand DNS WorkFlow with Source and Destination IP

Joomla 81 Reputation points
2019-11-06T11:31:22.153+00:00

Hi,

I need to understand the recursive DNS flow, specifically which source and destination IP addresses actually travel over the internet when DNS queries are sent and responses come back.

Let's say a small topology is:

Client(192.168.10.10)---Primary DNS Server(192.168.20.2)----FW NAT Address (20.20.20.20)----Internet---Root Server (30.30.30.30)

Now the client wants to know the IP address of example.com and sends a query to the primary DNS server. The primary DNS server does not know the answer and forwards that query onward to the internet via the firewall's NAT address. So what would the traffic flow be? The very first flow I know is as below:

Client IP      Port          DNS IP         Port
192.168.10.10  32456  --->   192.168.20.2   53

What would happen thereafter?

Is it like:

192.168.20.2--53----->20.20.20.20--34567


2 answers

  1. Philippe Levesque 5,816 Reputation points
    2019-11-06T17:53:49.013+00:00

    Hi

    For your question:

    what actually source and destination IP addresses travel over the internet while sending DNS queries to know the response

    In your case, as you have a firewall that does NAT:

    The only IPs that get on the internet are 20.20.20.20 <---> 30.30.30.30. The NAT hides the sender.

    Your router will remember the communication in its NAT cache, and will answer 192.168.20.2 after it receives an answer from 30.30.30.30.

    So in your flow there are actually 3 distinct conversations:

    192.168.10.10 <--> 192.168.20.2
    192.168.20.2 <--> (Internal IP of your router)
    20.20.20.20 <--> 30.30.30.30

    Thanks


  2. Dany shoe 0 Reputation points
    2025-02-07T19:45:52.9966667+00:00

    I'll break down the complete recursive DNS query flow for resolving example.com, showing the source and destination IP addresses and ports at each step:

    1. Initial Client Query:
       Source: 192.168.10.10:32456 -> Destination: 192.168.20.2:53
       Query: "What is the IP address of example.com?"

    2. Primary DNS to Root Server:
       Source: 20.20.20.20:34567 -> Destination: 30.30.30.30:53
       (NAT translates 192.168.20.2 to 20.20.20.20)
       Query: "What is the IP address of example.com?"

    3. Root Server Response:
       Source: 30.30.30.30:53 -> Destination: 20.20.20.20:34567
       Response: "Ask the .com TLD server at 40.40.40.40"

    4. Primary DNS to TLD Server:
       Source: 20.20.20.20:34567 -> Destination: 40.40.40.40:53
       Query: "What is the IP address of example?"

    5. TLD Server Response:
       Source: 40.40.40.40:53 -> Destination: 20.20.20.20:34567
       Response: "Ask authoritative server at 50.50.50.50"

    6. Primary DNS to Authoritative Server:
       Source: 20.20.20.20:34567 -> Destination: 50.50.50.50:53
       Query: "What is the IP address of example.com?"

    7. Authoritative Server Response:
       Source: 50.50.50.50:53 -> Destination: 20.20.20.20:34567
       Response: "example.com's IP address is 60.60.60.60"

    8. Final Response to Client:
       Source: 192.168.20.2:53 -> Destination: 192.168.10.10:32456
       Response: "example.com's IP address is 60.60.60.60"


    Key points:

    • The primary DNS server maintains the original client's query while making its own recursive queries
    • The firewall NAT address (20.20.20.20) is used for all external queries
    • Each server in the chain responds with either an answer or a referral to the next server
    • The source port (34567) used by the primary DNS server typically remains the same throughout its queries
    • Port 53 is the standard DNS port used by all DNS servers
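A small simulation of the flow described in the answer above, added here as an example and not part of the thread. It records every source/destination pair on both sides of the firewall for the thread's addresses, and shows why the NAT forwards only replies that match an entry it created, which is what keeps 192.168.20.2 off the wire. The `Nat` class, the referral data in `SERVERS` and the resolver's internal port are assumptions.

```python
# Constructed topology using the thread's example addresses: the resolver sits
# behind a NAT firewall; root, .com TLD and authoritative servers are on the internet.
ROOT, TLD, AUTH = "30.30.30.30", "40.40.40.40", "50.50.50.50"
SERVERS = {  # constructed referral/answer data each server hands back
    ROOT: {"com.": ("referral", TLD)},
    TLD: {"example.com.": ("referral", AUTH)},
    AUTH: {"example.com.": ("answer", "60.60.60.60")},
}

class Nat:
    """Port-preserving source NAT: inside (ip, port) <-> (public_ip, port)."""
    def __init__(self, public_ip):
        self.public_ip, self.table = public_ip, {}

    def outbound(self, src):
        return self.table.setdefault(src, (self.public_ip, src[1]))

    def inbound(self, dst):
        # Only replies matching an existing entry are forwarded inside;
        # anything else (unsolicited traffic to the public IP) is dropped.
        for inside, outside in self.table.items():
            if outside == dst:
                return inside
        raise KeyError(f"dropped: no NAT entry for {dst}")

def server_reply(server, qname):
    zone = SERVERS[server]
    for suffix in sorted(zone, key=len, reverse=True):  # longest suffix wins
        if qname == suffix or qname.endswith("." + suffix):
            return zone[suffix]
    raise LookupError(f"{server} has no data for {qname}")

def resolve(qname, client=("192.168.10.10", 32456), resolver_ip="192.168.20.2",
            resolver_port=34567, nat=None):
    """Return (answer, flows); each flow is (src_ip, src_port, dst_ip, dst_port, note)."""
    nat = nat or Nat("20.20.20.20")
    flows = [(*client, resolver_ip, 53, f"query {qname}")]
    inside, server = (resolver_ip, resolver_port), ROOT
    while True:
        outside = nat.outbound(inside)  # 192.168.20.2:34567 leaves as 20.20.20.20:34567
        flows.append((*outside, server, 53, f"query {qname}"))
        kind, value = server_reply(server, qname)
        flows.append((server, 53, *outside, f"{kind} {value}"))
        nat.inbound(outside)  # firewall maps the reply back to 192.168.20.2:34567
        if kind == "answer":
            break
        server = value  # follow the referral to the next server
    flows.append((resolver_ip, 53, *client, f"answer {value}"))
    return value, flows
```

Real resolvers randomise the source port of each outbound query (RFC 5452) rather than reusing one port; the fixed 34567 here only mirrors the numbering in the answer.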
