DEV Community

Attila Molnar

Bypassing the DNS hierarchy with the dig command

Topics

  1. Temporarily switching domain name servers (NS from now).
  2. Tracing domain name resolutions.
  3. Finding a way to interrogate NS directly, bypassing the DNS hierarchy.

First Use case

You change your name server settings at your domain name registrar, but you do not see the effect immediately. Let's say this problem comes from the ability of your resolving NS of choice to cache domain name <--> IP (or other raw record) mappings.[1]

Solution

Instead of temporarily changing the name server settings on your whole system, you can use the dig command to override the name server for a single request. The superpower of dig is that it sends the same kind of query a resolving NS would, to whichever server you name.

synopsis:

dig [@address of the NS] [domain name] 

example:

$ dig @208.67.222.222 wikipedia.org

output:

; <<>> DiG 9.10.6 <<>> @208.67.222.222 wikipedia.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4381
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;wikipedia.org.                 IN      A

;; ANSWER SECTION:
wikipedia.org.          600     IN      A       91.198.174.192

;; Query time: 75 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Thu Jan 11 11:43:32 CET 2018
;; MSG SIZE  rcvd: 58


If you are interested only in the resulting IPs and raw record data:

$ dig +noall +answer @208.67.222.222 github.io | rev | cut -f 1 | rev

output:

151.101.1.147
151.101.65.147
151.101.129.147
151.101.193.147

Second Use case

Similarly to the first case, the domain name <--> IP mapping is cached, but not by the resolving NS; rather, by some other NS in its delegation chain.

Solution

We will use two other neat features of dig: first we trace how our query is delegated through the NS hierarchy, then we bypass that hierarchy.

Usual hierarchy:
resolving NS --> Root NS --> TLD NS --> registry operator NS --> NS of a company.

$ dig +trace @208.67.222.222 en.wikipedia.org
; <<>> DiG 9.10.6 <<>> +trace @208.67.222.222 en.wikipedia.org
; (1 server found)
;; global options: +cmd
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
;; Received 239 bytes from 208.67.222.222#53(208.67.222.222) in 63 ms

org.                    172800  IN      NS      a2.org.afilias-nst.info.
org.                    172800  IN      NS      b0.org.afilias-nst.org.
org.                    172800  IN      NS      b2.org.afilias-nst.org.
org.                    172800  IN      NS      c0.org.afilias-nst.info.
org.                    172800  IN      NS      d0.org.afilias-nst.org.
org.                    172800  IN      NS      a0.org.afilias-nst.info.
org.                    86400   IN      DS      9795 7 2 3922B31B6F3A4EA92B19EB7B52120F031FD8E05FF0B03BAFCF9F891B FE7FF8E5
org.                    86400   IN      DS      9795 7 1 364DFAB3DAF254CAB477B5675B10766DDAA24982
org.                    86400   IN      RRSIG   DS 8 1 86400 20180124050000 20180111040000 41824 . BCA4iv0QFRRxn9WDpnUvHcuI7AnIMMuq/RhfnkyaSEA+XnYrcxHx2Tom UJDobnWucc5pDI/wLzdNFGP37VYUIfHKlnY8Fv9yFDWA5/nP2Wtdi591 SNrNFSmS+XXCwWIOMl7r6coouzGY1MRkmVXnbLjwN5FqvLqquAwFBWpa a5flfMnO7K5M2trNhYXUTo2BVB/ZnWNox+ynPjJB1xspkfS/K4Fv0BXx S6i6LMQk/rYEo4RIB/2JzPj+GWLTTSqD/LtQSA6f6kFFnDkywBSWSuBq hBGAxyrP0LWYbNuUBn8gP9H1kiWgcn8sgaHbcQlk4uKs9snB55myTQYw 7KLIUg==
;; Received 818 bytes from 192.33.4.12#53(c.root-servers.net) in 36 ms

wikipedia.org.          86400   IN      NS      ns0.wikimedia.org.
wikipedia.org.          86400   IN      NS      ns2.wikimedia.org.
wikipedia.org.          86400   IN      NS      ns1.wikimedia.org.
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN NSEC3 1 1 1 D399EAAB H9PARR669T6U8O1GSG9E1LMITK4DEM0T  NS SOA RRSIG DNSKEY NSEC3PARAM
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN RRSIG NSEC3 7 2 86400 20180201111010 20180111101010 1862 org. A3vUwzoJIFJbiWgQK1/ACwB6ZyvIK99ulaAJAoalHwrKn1JnecZ7Sina rEhvKs4vL+FWLvwLNfDWthfaFsO0++eaVFFQ3A6tWvx8PQk2nSKsGdEI Ri6Nld7lJIkL3DCo0PY+0+WwJFnhUGXTtr+B0uPSGA+jSBsQWYTmJnQI 2dM=
hhdfcaa81hb1nfs0h6sd0pq6ctib1781.org. 86400 IN NSEC3 1 1 1 D399EAAB HHE2JLM2DDBRLOQF1RVBUAGVETJ6EPFD 
hhdfcaa81hb1nfs0h6sd0pq6ctib1781.org. 86400 IN RRSIG NSEC3 7 2 86400 20180130153401 20180109143401 1862 org. YK0/K+mWIph03k8zsmD90XnmsxU2bdm60usXSMR8QnbsS4aJpmzGvGOQ FZOnOuUAv58++rtlXU5SI0cQ5vZ0L/iTGW3iXlD9WBQoa/e45E7vtzbK Kn2fhMSLVLWzn377i8AWOgpC4LNHPKIyA1o1NRtdvxkhASNbY5PQWaQI oN8=
;; Received 642 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 299 ms

en.wikipedia.org.       600     IN      A       91.198.174.192
;; Received 89 bytes from 91.198.174.239#53(ns2.wikimedia.org) in 52 ms


Each block of records is the response from a different NS. The columns are:

  1. The domain name to look up
  2. The time-to-live value [ seconds ]: how long the requester should cache this result.
  3. The class of the network where the domain name is mapped, which is almost always the internet, IN. If you see something like CH, you are meeting history itself.
  4. Type of the record.
  5. The raw data of the record, like the IP address.

The most important lines for us have this form:

;; Received [number] bytes from [address]#[port](domain name) in [milliseconds] ms

like:

;; Received 89 bytes from 91.198.174.239#53(ns2.wikimedia.org) in 52 ms

They expose the address and port of each name server in the chain. Querying one of them directly bypasses the name resolution hierarchy, which is useful for identifying caching issues: if the authoritative server already returns the new record while your resolver still returns the old one, the stale answer is a cache somewhere in between.

Applying this:

$ dig -p 53 @208.80.154.238 en.wikipedia.org
; <<>> DiG 9.10.6 <<>> -p 53 @208.80.154.238 en.wikipedia.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31772
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;en.wikipedia.org.              IN      A

;; ANSWER SECTION:
en.wikipedia.org.       600     IN      A       91.198.174.192

;; ADDITIONAL SECTION:
en.wikipedia.org.       600     IN      AAAA    2620:0:862:ed1a::1

;; Query time: 135 msec
;; SERVER: 208.80.154.238#53(208.80.154.238)
;; WHEN: Thu Jan 11 13:55:53 CET 2018
;; MSG SIZE  rcvd: 89


I used the -p switch to set the port explicitly; however, 53 is the default port for domain name requests, so it can be omitted. Note the "aa" flag and the "recursion requested but not available" warning in this response: they confirm the answer came straight from an authoritative server rather than from a cache.
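As an added example (not code from the post), here is a small POSIX shell helper that works on saved dig output: it extracts the delegation hops from the ";; Received ... from" lines, pulls records of one type out of the five-column record lines described above, and flags the caching issue from the two use cases by comparing the A records a resolver returned with those the authoritative server returned. The sample outputs are constructed from the post's own captures; 192.0.2.10 is a made-up stale answer.

```shell
#!/bin/sh
# Added example (not from the post): parse saved `dig` / `dig +trace` output
# offline, so the delegation chain and the answers from the resolver and the
# authoritative server can be compared without re-querying anything.

# One line per hop of a +trace run, "<address> <port> <server name>", pulled
# from the ";; Received N bytes from ADDR#PORT(NAME) in T ms" lines.
delegation_chain() {
    sed -n 's/^;; Received [0-9]* bytes from \([^#]*\)#\([0-9]*\)(\([^)]*\)).*/\1 \2 \3/p'
}

# "<name> <ttl> <type> <rdata>" for each record of the requested type, using
# the five columns described above (name, ttl, class, type, rdata) and
# skipping dig's ";" comment lines.
records_of_type() {
    awk -v want="$1" '$1 !~ /^;/ && NF >= 5 && $4 == want { print $1, $2, $4, $5 }'
}

# Compare the A rdata sets in two dig outputs (resolver first, authoritative
# second). Prints "stale" when they differ, i.e. the resolver still serves an
# old cached answer; "no-answer" when the resolver returned no A record at all.
compare_answers() {
    r=$(printf '%s\n' "$1" | records_of_type A | awk '{print $4}' | sort)
    a=$(printf '%s\n' "$2" | records_of_type A | awk '{print $4}' | sort)
    if [ -z "$r" ]; then echo no-answer
    elif [ "$r" = "$a" ]; then echo consistent
    else echo stale; fi
}

# Constructed samples, trimmed from the outputs shown in the post.
TRACE_SAMPLE=';; Received 239 bytes from 208.67.222.222#53(208.67.222.222) in 63 ms
;; Received 818 bytes from 192.33.4.12#53(c.root-servers.net) in 36 ms
en.wikipedia.org.       600     IN      A       91.198.174.192
;; Received 89 bytes from 91.198.174.239#53(ns2.wikimedia.org) in 52 ms'
AUTH_SAMPLE=';; ANSWER SECTION:
en.wikipedia.org.       600     IN      A       91.198.174.192
;; ADDITIONAL SECTION:
en.wikipedia.org.       600     IN      AAAA    2620:0:862:ed1a::1'
# A constructed stale resolver answer (192.0.2.10 is a documentation address).
STALE_SAMPLE='en.wikipedia.org.       42      IN      A       192.0.2.10'

printf '%s\n' "$TRACE_SAMPLE" | delegation_chain
compare_answers "$AUTH_SAMPLE" "$AUTH_SAMPLE"   # consistent
compare_answers "$STALE_SAMPLE" "$AUTH_SAMPLE"  # stale
```

In practice you would feed it real captures, e.g. `dig +trace en.wikipedia.org > trace.txt` and `dig @<authoritative address> en.wikipedia.org > auth.txt`, then `delegation_chain < trace.txt`.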

Installation

Linux

It is almost always available from your distribution's default package manager; alternatively, use Nix.

MacOS

You can use MacPorts, Homebrew or Nix.

Windows

As Jack Fletcher pointed out in the discussion you can use Chocolatey.

Online

@nslookuptool shared a link to a nice web interface for dig.

Further reading

Conceptual introduction for DNS
What's in a DNS response?

I hope this post gives others a new perspective on how the Domain Name System works.

Notes:

1. Your browser is also capable of caching domain names, as is your OS. Windows and MacOS do this by default; on Linux you can install and configure dnsmasq, but you shouldn't, since your browser is already caching domain names for you. I would even disable OS-level DNS caching if I had it running.

Top comments (3)

Jack Fletcher

Dig is fantastic and I use it every day.

If you're on Windows and have Chocolatey, you can install it with: choco install bind-toolsonly

Attila Molnar

Thank you, I forgot about the installation part. I'll update the post.

You can also use cygwin or Windows Subsystem for Linux on Windows 10, still your suggestion would be most convenient for the majority of Windows users.

NslookupTool

DiG GUI - dig command web interface
diggui.com/