Why send authoritative nameserver in DNS?
Out of curiosity, I'm checking the Wireshark DNS packets. I can see that there's a DNS query from the host, and then DNS response from the DNS server. Everything is just as expected.
However, if you look further into the query, you can see that the server also sends the NS (authoritative name server). My question is: why?
As a host, I only care about the IP. That's the main point of DNS, to resolve a name into an IP address.
Why, as a host, would I need the NS info?
Solution 1:
Traditionally name servers don't send a short response to a query but an RFC 1034-1035 compliant full response which includes the authority section that contains Resource Records that point toward the authoritative name server(s).
The why is probably because with the distributed and delegated nature of DNS it seemed a good idea at the time to include the "source of truth" in responses.
Edit: By the way: sending the authority section is RFC compliant but not mandatory for all query responses.
In BIND this behaviour can be tuned with the minimal-responses yes | no; directive, where the default is no and the Authority and Additional sections of the query response will always be fully populated.
Other name servers (CloudFlare, AWS Route 53, Infoblox and probably others) will already always send such minimal responses by default. Google's public resolvers will return an Authority section when available, Cloudflare.
I think the origin of that tradition to include the authority section as well as the actual query response finds its root in the (pseudo) code from the now obsolete RFC 882, pages 15-16:
If the name server is not authoritative, the code copies the RRs for a closer name server into the response.
The last section of the code copies all relevant RRs into the response.
Solution 2:
The server doesn't know whether the request is coming from an end client, or is a recursive request from another nameserver. If it's another nameserver, it can cache the Authority Section and query those nameservers directly in the future.
I believe that was the original justification in the protocol, but it has security implications. A response can include an Authority Section that lists bogus nameservers, and this has been used in cache poisoning attacks. So nameservers will generally not cache NS records unless they're delegation records for a subdomain of the domain you're querying.
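To make both answers concrete, here is an added example (not code from either answerer or from any name server project) that parses a DNS response into its Question, Answer, Authority and Additional sections and then applies the kind of in-bailiwick filter the second answer describes: an NS record from the Authority section is only considered cacheable when the queried name sits at or below that record's owner name. The wire-format message, the names (www.example.com, other-zone.example) and the addresses are constructed for the example; real resolvers apply stricter and more varied bailiwick rules than this simplified check, which is an assumption about their behaviour, not a specification.

```python
import struct

# Record type codes used below (RFC 1035).
TYPE_A, TYPE_NS, TYPE_CNAME = 1, 2, 5


def read_name(msg, off):
    """Decode a possibly-compressed domain name at msg[off:]; return (name, next_offset)."""
    labels, jumped, end = [], False, None
    for _ in range(128):  # hard cap guards against compression-pointer loops
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2      # the caller resumes after the first pointer
            jumped, off = True, ptr
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii").lower())
        off += 1 + length
    else:
        raise ValueError("name too long or compression loop")
    return (".".join(labels) + "." if labels else "."), (end if jumped else off)


def read_rr(msg, off):
    """Decode one resource record; A and NS/CNAME RDATA are rendered, others kept as hex."""
    name, off = read_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rdata_off, off = off, off + rdlen
    if rtype == TYPE_A and rdlen == 4:
        rdata = ".".join(str(b) for b in msg[rdata_off:off])
    elif rtype in (TYPE_NS, TYPE_CNAME):  # RDATA is a name and may itself be compressed
        rdata, _ = read_name(msg, rdata_off)
    else:
        rdata = msg[rdata_off:off].hex()
    return {"name": name, "type": rtype, "ttl": ttl, "rdata": rdata}, off


def parse_response(msg):
    """Split a DNS message into its question list and the three RR sections."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype))
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, off = read_rr(msg, off)
            rrs.append(rr)
        sections[key] = rrs
    return {"questions": questions, **sections}


def in_bailiwick(owner, qname):
    """Simplified bailiwick test (assumption): the queried name is at or below the owner."""
    return owner == "." or qname == owner or qname.endswith("." + owner)


def cacheable_ns(resp):
    """Authority-section NS records a cautious resolver would keep, per the rule above."""
    qname = resp["questions"][0][0]
    return [rr for rr in resp["authority"]
            if rr["type"] == TYPE_NS and in_bailiwick(rr["name"], qname)]


def _labels(name):
    """Uncompressed wire encoding of a dotted name, with the terminating zero label."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def _rr(name_wire, rtype, ttl, rdata):
    return name_wire + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Constructed sample response (not captured from any real server). Offsets 12 and 16
# hold the labels "www" and "example", so 0xC00C and 0xC010 are compression pointers.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 2, 0)                 # QR|RD|RA, 1 Q, 1 AN, 2 NS
    + _labels("www.example.com") + struct.pack("!HH", TYPE_A, 1)       # question at offset 12
    + _rr(b"\xc0\x0c", TYPE_A, 300, bytes([192, 0, 2, 10]))           # www.example.com A
    + _rr(b"\xc0\x10", TYPE_NS, 3600, _labels("ns1")[:-1] + b"\xc0\x10")   # example.com NS ns1.example.com
    + _rr(_labels("other-zone.example"), TYPE_NS, 3600, _labels("ns.other-zone.example"))  # unrelated zone
)

if __name__ == "__main__":
    resp = parse_response(SAMPLE_RESPONSE)
    for section in ("answer", "authority", "additional"):
        for rr in resp[section]:
            print(f"{section:10} {rr['name']:24} type={rr['type']} ttl={rr['ttl']} {rr['rdata']}")
    print("cacheable NS:", [rr["rdata"] for rr in cacheable_ns(resp)])
```

Running the script shows both NS records arriving in the Authority section of a single response, exactly as the question observed in Wireshark, while only the record whose owner (example.com) actually covers the queried name survives the filter; the record for an unrelated zone is parsed but discarded, which is the behaviour the second answer attributes to modern resolvers.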