7

How shall I understand the output of dig?

A DNS server stores a database of resource records.

Does dig return the resource records in the database of some DNS server? If yes, which DNS server's database's resource records does dig return?

For example, dig doesn't seem to return the resource records in the database of DNS server a.edu-servers.net. 

$ dig @a.edu-servers.net robot.cs.washington.edu

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> @a.edu-servers.net robot.cs.washington.edu
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2401
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 7
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;robot.cs.washington.edu.   IN  A

;; AUTHORITY SECTION:
washington.edu.     172800  IN  NS  marge.cac.washington.edu.
washington.edu.     172800  IN  NS  hanna.cac.washington.edu.
washington.edu.     172800  IN  NS  holly.s.uw.edu.

;; ADDITIONAL SECTION:
marge.cac.washington.edu. 172800 IN A   140.142.5.13
marge.cac.washington.edu. 172800 IN AAAA    2607:4000:200:43::13
hanna.cac.washington.edu. 172800 IN A   140.142.5.5
hanna.cac.washington.edu. 172800 IN AAAA    2607:4000:200:42::5
holly.s.uw.edu.     172800  IN  A   173.250.227.69
holly.s.uw.edu.     172800  IN  AAAA    2607:4000:301:1::69

;; Query time: 46 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Mon Feb 11 16:27:09 EST 2019
;; MSG SIZE  rcvd: 253
炸鱼薯条德里克
  • 1,337
  • 1
  • 12
  • 31
Tim
  • 98,580
  • 191
  • 570
  • 977
  • BTW, you can also query specific record types, try `dig @a.edu-servers.net robot.cs.washington.edu MX` which would query mailserver MX record for the domain – Sergiy Kolodyazhnyy Feb 11 '19 at 22:45
  • Simply said, it send a DNS query request to a specific server and print out the response. The data might com from the requested Server itself or another DNS server. Because requested server might do a further request to other servers to get you the answer you want – 炸鱼薯条德里克 Feb 13 '19 at 12:28

2 Answers2

3
$ dig @a.edu-servers.net robot.cs.washington.edu

You asked a.edu-servers.net to find the A records for robot.cs.washington.edu for you.

;; WARNING: recursion requested but not available

But it basically said "I'm not going to do all your work for you. However, I can tell you this much..."

;; AUTHORITY SECTION:
washington.edu.     172800  IN  NS  marge.cac.washington.edu.
washington.edu.     172800  IN  NS  hanna.cac.washington.edu.
washington.edu.     172800  IN  NS  holly.s.uw.edu.

"... As far as I know, Marge, Hanna and Holly have the official word for the washington.edu domain. If they don't know about something in that domain, it does not exist. If there are sub-domains they won't directly control, they'll point you onwards."

;; ADDITIONAL SECTION:
marge.cac.washington.edu. 172800 IN A   140.142.5.13
marge.cac.washington.edu. 172800 IN AAAA    2607:4000:200:43::13
hanna.cac.washington.edu. 172800 IN A   140.142.5.5
hanna.cac.washington.edu. 172800 IN AAAA    2607:4000:200:42::5
holly.s.uw.edu.     172800  IN  A   173.250.227.69
holly.s.uw.edu.     172800  IN  AAAA    2607:4000:301:1::69

"Here's how you can contact them, both in IPv4 and IPv6."

telcoM
  • 87,318
  • 3
  • 112
  • 232
  • Thanks. "You asked a.edu-servers.net to find the A records for robot.cs.washington.edu". Do you mean the output of `dig @a.edu-servers.net robot.cs.washington.edu` are the resource records stored in the database of DNS server `a.edu-servers.net` about `robot.cs.washington.edu`? – Tim Feb 11 '19 at 23:01
  • Yes - `a.edu-servers.net` is not an official authority for anything `washington.edu`, but it happened to have this information at hand in its cache. Since you did not explicitly specify the record type, `dig` requested the `IN A` records. – telcoM Feb 11 '19 at 23:20
  • How can I specify all kinds of record types to `dig`? – Tim Feb 11 '19 at 23:24
  • Specify the record type as `ANY`. – telcoM Feb 11 '19 at 23:36
  • Does the output of `dig @a.edu-servers.net robot.cs.washington.edu` come from **the DNS database** stored in DNS server a.edu-servers.net, or from **the cache** in DNS server a.edu-servers.net? – Tim Feb 11 '19 at 23:43
  • If the admin of `a.edu-servers.net` has a reason to mirror the domain's dataset from `washington.edu` and had arranged with `washington.edu`'s admin to make it so, then the information might be from the DNS database. However, since `a.edu-servers.net` did not display a SOA record (= did not claim to have authoritative information on the domain), it was probably from cache. – telcoM Feb 11 '19 at 23:52
  • @Tim You can also use `dig +trace` option to see how exactly the queries are resolved, btw – Sergiy Kolodyazhnyy Feb 12 '19 at 00:50
1

In this command you're using @a.edu-servers.net server to resolve robot.cs.washington.edu sub-domain of washington.edu domain, however that doesn't mean a.edu-servers.net is the authority to resolve queries about that. In the world of recursive nameservers, the way it works is that if your system has no cached records and a.edu-servers.net has none, first root server is queried . to find out who is responsible for answering about .edu domain, which then responds with who is responsible for answering who answers for washington.edu domain.

And that leads to the answer of

washington.edu.     172800  IN  NS  marge.cac.washington.edu.
washington.edu.     172800  IN  NS  hanna.cac.washington.edu.
washington.edu.     172800  IN  NS  holly.s.uw.edu.

where you have 3 nameservers that answer about washington.edu. domain. That's where this becomes important - it depends on the nameserver to supply resource records, such as SOA, TXT, etc. To quote a related answer:

It is up to individual nameserver implementations whether or not they wish to supply an AUTHORITY section in scenarios where they are not strictly required by RFC. BIND is one of the server implementations that does display this information by default, but it also provides a minimal-responses option for disabling the behavior.

Now, in my minimal experience, I've got extra information with a nameserver supplied by a VPS provider than with public nameserver such as OpenDNS, so my guess is that it also depends on where queries come from (residential IP addresses or other), but so far I couldn't find a confirmation to that idea.

Sergiy Kolodyazhnyy
  • 16,187
  • 11
  • 53
  • 104
  • 2
    The recommended practice, AFAIK, is to split the DNS server roles to some servers being **authority** servers (i.e. answering anyone's queries, but only if they're about the domains the servers are authoritative for), and others being **resolving** servers (= querying other nameservers on behalf of their clients, building up big DNS caches in the process). You generally don't want random outsiders to make queries all over the place on your resolver DNS servers, as this might open up the possibility of DNS cache pollution attacks and other nastiness. – telcoM Feb 11 '19 at 23:28
  • @telcoM How do you know if a DNS server is authority or resolving? Can a DNS server be both authority and resolving at the same time? – Tim Feb 12 '19 at 01:44
  • See also https://serverfault.com/q/422288/363611 – Sergiy Kolodyazhnyy Feb 12 '19 at 01:51
  • what 'IN NS' stand for ? – Guillaume Paris Feb 06 '23 at 17:04