Topics
- Temporarily switching domain name servers (NS from now).
- Tracing domain name resolutions.
- Finding a way to interrogate NS directly, bypassing the DNS hierarchy.
First Use case
You change your name server settings at your domain name registrar, but you do not see the effect immediately. Let's say the problem comes from the ability of your resolving NS of choice to cache domain name <--> IP (or other raw record) mappings [1].
Solution
Instead of temporarily changing the name server settings on your whole system, you can use the dig command to override the name server for one request. The superpower of dig is that it sends the same kind of query a resolver would, to whichever name server you point it at.
synopsis:
dig [@address of the NS] [domain name]
example:
$ dig @208.67.222.222 wikipedia.org
output:
; <<>> DiG 9.10.6 <<>> @208.67.222.222 wikipedia.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4381
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;wikipedia.org. IN A
;; ANSWER SECTION:
wikipedia.org. 600 IN A 91.198.174.192
;; Query time: 75 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Thu Jan 11 11:43:32 CET 2018
;; MSG SIZE rcvd: 58
If you are interested only in the resulting IPs and raw data:
$ dig +noall +answer @208.67.222.222 github.io | rev | cut -f 1 | rev
output:
151.101.1.147
151.101.65.147
151.101.129.147
151.101.193.147
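The first use case is really a comparison: does the resolver you normally use still hand out the old answer while others already see the new one? As an added example (my code, not the original post's), the POSIX shell script below wraps that check. The parsing functions work on `dig +noall +answer` output and are exercised here against constructed samples copied from the outputs above, so they run without network access; `compare_resolvers` is the live part and needs dig installed and network reachable. Resolver addresses other than 208.67.222.222 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): ask several resolvers for the
# same record and flag any resolver whose answer differs from the others,
# which after an NS change at the registrar usually means a stale cache.

# Constructed samples of `dig +noall +answer` output (values copied from the
# post's outputs), so the parsing functions can be tested offline.
SAMPLE_SINGLE='wikipedia.org.		600	IN	A	91.198.174.192'
SAMPLE_MULTI='github.io.		3600	IN	A	151.101.1.147
github.io.		3600	IN	A	151.101.65.147
github.io.		3600	IN	A	151.101.129.147
github.io.		3600	IN	A	151.101.193.147'

# Print only the rdata column (the last field) of answer lines of the given
# type. Same result as the rev|cut|rev trick, but it does not depend on dig
# separating columns with tabs, and it ignores records of other types.
rdata_of_type() {
    awk -v type="$1" '$3 == "IN" && $4 == type { print $NF }'
}

# Print the TTL of the first answer line. A resolver that is caching shows a
# TTL counting down from the zone's value; an authoritative server shows the
# full value every time.
ttl_of_first_answer() {
    awk '$3 == "IN" { print $2; exit }'
}

# Normalise a record set into one sorted, space-separated line so that two
# resolvers returning the same addresses in a different order still compare equal.
rrset_key() {
    LC_ALL=C sort | tr '\n' ' '
}

# Live query of one resolver (needs dig and network access).
# $1 = resolver address, $2 = name, $3 = record type
answer_from() {
    dig +noall +answer +time=3 +tries=1 "@$1" "$2" "$3" | rdata_of_type "$3" | rrset_key
}

# Compare the answer for NAME/TYPE across the listed resolvers. The first
# resolver is the reference; returns 1 if any resolver disagrees with it.
compare_resolvers() {
    name=$1; type=$2; shift 2
    reference=""; status=0
    for r in "$@"; do
        ans=$(answer_from "$r" "$name" "$type")
        [ -z "$reference" ] && reference=$ans
        if [ "$ans" != "$reference" ]; then
            printf 'MISMATCH %-16s -> %s (reference: %s)\n' "$r" "$ans" "$reference"
            status=1
        else
            printf 'OK       %-16s -> %s\n' "$r" "$ans"
        fi
    done
    return $status
}

# Usage (live, needs network); the two extra resolver addresses are assumptions:
#   compare_resolvers wikipedia.org A 208.67.222.222 8.8.8.8 1.1.1.1
```

Note that `dig +short` prints the rdata column directly and is the simplest replacement for the rev|cut|rev pipeline when you only want the values; the awk version above is there so the type filter and the TTL can be read from the same output.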
Second Use case
As in the first case, the domain name <--> IP mapping is cached, but not by the resolving NS; rather by some other NS in its delegation chain.
Solution
We will use some other neat features of dig: first we will trace how our query is delegated through the NS hierarchy, then bypass that hierarchy.
Usual hierarchy:
resolving NS --> Root NS --> TLD NS --> registry operator NS --> NS of a company.
$ dig +trace @208.67.222.222 en.wikipedia.org
; <<>> DiG 9.10.6 <<>> +trace @208.67.222.222 en.wikipedia.org
; (1 server found)
;; global options: +cmd
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
;; Received 239 bytes from 208.67.222.222#53(208.67.222.222) in 63 ms
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 172800 IN NS a0.org.afilias-nst.info.
org. 86400 IN DS 9795 7 2 3922B31B6F3A4EA92B19EB7B52120F031FD8E05FF0B03BAFCF9F891B FE7FF8E5
org. 86400 IN DS 9795 7 1 364DFAB3DAF254CAB477B5675B10766DDAA24982
org. 86400 IN RRSIG DS 8 1 86400 20180124050000 20180111040000 41824 . BCA4iv0QFRRxn9WDpnUvHcuI7AnIMMuq/RhfnkyaSEA+XnYrcxHx2Tom UJDobnWucc5pDI/wLzdNFGP37VYUIfHKlnY8Fv9yFDWA5/nP2Wtdi591 SNrNFSmS+XXCwWIOMl7r6coouzGY1MRkmVXnbLjwN5FqvLqquAwFBWpa a5flfMnO7K5M2trNhYXUTo2BVB/ZnWNox+ynPjJB1xspkfS/K4Fv0BXx S6i6LMQk/rYEo4RIB/2JzPj+GWLTTSqD/LtQSA6f6kFFnDkywBSWSuBq hBGAxyrP0LWYbNuUBn8gP9H1kiWgcn8sgaHbcQlk4uKs9snB55myTQYw 7KLIUg==
;; Received 818 bytes from 192.33.4.12#53(c.root-servers.net) in 36 ms
wikipedia.org. 86400 IN NS ns0.wikimedia.org.
wikipedia.org. 86400 IN NS ns2.wikimedia.org.
wikipedia.org. 86400 IN NS ns1.wikimedia.org.
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN NSEC3 1 1 1 D399EAAB H9PARR669T6U8O1GSG9E1LMITK4DEM0T NS SOA RRSIG DNSKEY NSEC3PARAM
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN RRSIG NSEC3 7 2 86400 20180201111010 20180111101010 1862 org. A3vUwzoJIFJbiWgQK1/ACwB6ZyvIK99ulaAJAoalHwrKn1JnecZ7Sina rEhvKs4vL+FWLvwLNfDWthfaFsO0++eaVFFQ3A6tWvx8PQk2nSKsGdEI Ri6Nld7lJIkL3DCo0PY+0+WwJFnhUGXTtr+B0uPSGA+jSBsQWYTmJnQI 2dM=
hhdfcaa81hb1nfs0h6sd0pq6ctib1781.org. 86400 IN NSEC3 1 1 1 D399EAAB HHE2JLM2DDBRLOQF1RVBUAGVETJ6EPFD
hhdfcaa81hb1nfs0h6sd0pq6ctib1781.org. 86400 IN RRSIG NSEC3 7 2 86400 20180130153401 20180109143401 1862 org. YK0/K+mWIph03k8zsmD90XnmsxU2bdm60usXSMR8QnbsS4aJpmzGvGOQ FZOnOuUAv58++rtlXU5SI0cQ5vZ0L/iTGW3iXlD9WBQoa/e45E7vtzbK Kn2fhMSLVLWzn377i8AWOgpC4LNHPKIyA1o1NRtdvxkhASNbY5PQWaQI oN8=
;; Received 642 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 299 ms
en.wikipedia.org. 600 IN A 91.198.174.192
;; Received 89 bytes from 91.198.174.239#53(ns2.wikimedia.org) in 52 ms
Every table is a response from a different NS. The columns are:
- The domain name to look up.
- The time-to-live value [seconds]: how long the requester should cache this result.
- The class of the network where the domain name is mapped, which is almost always the internet, IN. If you see something like CH, then you will meet history itself.
- The type of the record.
- The raw data of the record, like the IP address.
The most important lines for us have this form:
;; Received [number] bytes from [address]#[port](domain name) in [milliseconds] ms
like:
;; Received 89 bytes from 91.198.174.239#53(ns2.wikimedia.org) in 52 ms
They expose the address and port of each name server that answered along the way. Querying one of those servers directly bypasses the name resolution hierarchy, which is useful for pinning down where a stale answer comes from.
Applying this:
$ dig -p 53 @208.80.154.238 en.wikipedia.org
; <<>> DiG 9.10.6 <<>> -p 53 @208.80.154.238 en.wikipedia.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31772
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;en.wikipedia.org. IN A
;; ANSWER SECTION:
en.wikipedia.org. 600 IN A 91.198.174.192
;; ADDITIONAL SECTION:
en.wikipedia.org. 600 IN AAAA 2620:0:862:ed1a::1
;; Query time: 135 msec
;; SERVER: 208.80.154.238#53(208.80.154.238)
;; WHEN: Thu Jan 11 13:55:53 CET 2018
;; MSG SIZE rcvd: 89
I used the -p switch to set the port explicitly; since 53 is the default port for domain name requests, it can be omitted.
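Two things in the trace and the direct query above are worth automating: pulling the server list out of the `;; Received ... from` lines, and checking the response flags. Compare `flags: qr rd ra` from the resolver in the first use case with `flags: qr aa rd` from the direct query here: the `aa` (authoritative answer) flag tells you the bypass actually reached an authoritative server rather than another cache, and the "recursion requested but not available" warning says the same thing from the other side. As an added example (my code, not the original post's), the POSIX shell script below does both. The parsing functions are tested against constructed samples taken from the outputs above and run offline; `ask_final_server` is the live part and assumes dig and network access.

```shell
#!/bin/sh
# Added example (not from the original post): extract the delegation chain
# from `dig +trace` output, query the final server directly, and confirm
# that its answer is authoritative.

# Constructed sample: the ";; Received" lines of the trace shown in the post.
SAMPLE_TRACE=';; Received 239 bytes from 208.67.222.222#53(208.67.222.222) in 63 ms
;; Received 818 bytes from 192.33.4.12#53(c.root-servers.net) in 36 ms
;; Received 642 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 299 ms
;; Received 89 bytes from 91.198.174.239#53(ns2.wikimedia.org) in 52 ms'

# From trace output on stdin, print one "address port name" line per level
# of the hierarchy, in the order the servers were consulted.
delegation_chain() {
    sed -n 's/^;; Received [0-9]* bytes from \([^#]*\)#\([0-9]*\)(\([^)]*\)).*/\1 \2 \3/p'
}

# Address of the last server in the chain: the one that returned the answer.
final_server() {
    delegation_chain | tail -n 1 | cut -d' ' -f1
}

# Given full dig output on stdin, succeed only if the header's flags include
# 'aa'. Without it, the server you asked is relaying a cached or forwarded
# answer, and you have not really bypassed the hierarchy.
is_authoritative() {
    awk '/^;; flags:/ { for (i = 3; i <= NF; i++) if ($i == "aa" || $i == "aa;") found = 1 }
         END { exit !found }'
}

# Live version (needs dig and network): trace NAME, ask the final server
# directly, report whether the answer is authoritative, then print the A records.
ask_final_server() {
    name=$1
    server=$(dig +trace +time=3 +tries=1 "$name" | final_server)
    [ -n "$server" ] || { echo "trace produced no server list" >&2; return 2; }
    reply=$(dig -p 53 "@$server" "$name" A)
    if printf '%s\n' "$reply" | is_authoritative; then
        echo "authoritative answer from $server"
    else
        echo "NON-authoritative answer from $server (cached or forwarded)"
    fi
    printf '%s\n' "$reply" | awk '$3 == "IN" && $4 == "A" { print $NF }'
}

# Usage (live, needs network):
#   ask_final_server en.wikipedia.org
```

Running `delegation_chain` on the trace above yields four lines, one per hop (resolver, root, .org, wikimedia), which is the "usual hierarchy" the post describes made concrete for this one name.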
Installation
Linux
It is almost always available from your default package manager; alternatively, use Nix.
MacOS
You can use MacPorts, Homebrew or Nix.
Windows
As Jack Fletcher pointed out in the discussion you can use Chocolatey.
Online
@nslookuptool shared a link to a nice web interface for dig.
Further reading
Conceptual introduction for DNS
What's in a DNS response?
I hope this post gives others a new perspective on how the Domain Name System works.
Notes:
1. Your browser also caches domain names, as does your OS. Windows and MacOS do this by default; on Linux you can install and configure dnsmasq, but you shouldn't, since your browser is already caching domain names for you. I would even disable OS-level DNS caching if I had it running.
Top comments (3)
Dig is fantastic and I use it every day.
If you're on Windows and have Chocolatey, you can install it with:
choco install bind-toolsonly
Thank you, I forgot about the installation part. I'll update the post.
You can also use Cygwin or Windows Subsystem for Linux on Windows 10; still, your suggestion would be the most convenient for the majority of Windows users.
DiG GUI - dig command web interface
diggui.com/