Decoding dig output: +norecurse @nameserver MX to domain - dig

From the output I can understand there were no errors, yet there isn't any answer section for the query. Just to be sure the right question was even asked:
"dig +norecurse @s.nic.dk MX www.dtu.dk"
parsing this to:
"without recursion, query dtu mail exchange servers through the nameserver s.nic.dk"
Is the query not supposed to return nameservers of dtu MX?

No, it isn't supposed to, because you are asking the authoritative name server of the TLD (s.nic.dk) for the answer. It does not have this answer, but gives you the details of the name servers that do: that is why you receive the authority section (and additional section).
However, even if you do query the authoritative name servers (for example: @dns1.dtu.dk) there is no MX record for the domain name www.dtu.dk, but rather for dtu.dk. Which means your query should be: dig @dns1.dtu.dk MX dtu.dk.
For note, the addition of +norecurse shouldn't make a difference when you're querying an authoritative name server directly.
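The distinction drawn in this answer (a referral from the TLD server versus an empty but authoritative reply) can be read off the dig header line and the AUTHORITY section. The following is an added example, not part of the original answer; the two dig outputs are constructed, with illustrative TTLs and a documentation-range address.

```python
import re

# Constructed dig output for the two cases above; TTLs and addresses are illustrative.
REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
dtu.dk.        86400  IN  NS  dns1.dtu.dk.

;; ADDITIONAL SECTION:
dns1.dtu.dk.   86400  IN  A   192.0.2.53
"""
NODATA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
dtu.dk.        3600   IN  SOA dns1.dtu.dk. hostmaster.dtu.dk. 1 7200 3600 604800 3600
"""


def section(dig_output, name):
    """Return (owner, ttl, rtype, rdata) tuples from one section of dig output."""
    m = re.search(rf";; {name} SECTION:\n(.*?)(?:\n\n|\Z)", dig_output, re.S)
    rows = []
    for line in (m.group(1).splitlines() if m else []):
        if line.startswith(";"):
            continue                         # skip comment lines inside a section
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        rows.append((owner, int(ttl), rtype, rdata))
    return rows


def classify(dig_output):
    """Return (kind, next_servers) for one dig response."""
    status = re.search(r"status: (\w+)", dig_output).group(1)
    flags = re.search(r"flags:([^;]*);", dig_output).group(1).split()
    answers = int(re.search(r"ANSWER: (\d+)", dig_output).group(1))
    if status != "NOERROR":
        return status.lower(), []            # e.g. nxdomain, refused, servfail
    if answers:
        return ("authoritative-answer" if "aa" in flags else "cached-answer"), []
    ns = [r for r in section(dig_output, "AUTHORITY") if r[2] == "NS"]
    if ns and "aa" not in flags:
        # Referral: the server is not authoritative and points one level down.
        glue = {o: d for o, _t, t, d in section(dig_output, "ADDITIONAL")
                if t in ("A", "AAAA")}
        return "referral", [(r[3], glue.get(r[3])) for r in ns]
    return "nodata", []                      # name exists, no record of this type
```

A "referral" result lists the servers to ask next together with any glue address; "nodata" means the server is authoritative and the name simply has no record of the requested type.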

Related

When should I answer NS queries in the ANSWER vs AUTHORITY section?

Context: I'm writing an authoritative DNS name server.
When I receive an NS query, should I answer in the ANSWER section or the AUTHORITY section?
This is the behavior I have observed:
queries to a recursive server always answer in ANSWER
queries to an authoritative server for a zone that server serves, answer in ANSWER
ex: I query ns1.example.com for example.com
queries to an authoritative server for a zone delegated to another server, answer in AUTHORITY
ex: I query ns1.example.com for delegated.example.com
Setting aside the behavior of recursive resolvers, it seems like the rule is "If you are not authoritative for the zone in the query (i.e., you have delegated it to another server), never put anything in the ANSWER section".
Do I have this correct?

Can the authoritative NS be the same as the domain served?

Let's say I have a server (DNS and other), myserver.com. Now I register a domain, mydomain.com, and set its NS at the registrar to myserver.com - it is therefore the authoritative server, if there is any such thing.
In the authoritative records for mydomain.com, can I set the NS to ns.mydomain.com?
I have two domains set up like that, one works, the other one seems reluctant to propagate. So I'm wondering if there is something wrong with that - I mean how can you resolve the name of the NS when you need to resolve the name of the NS to resolve the name of the NS...
And, if yes, how come Parallels Plesk sets them automatically in this way?
PS: there is an A record for ns.mydomain.com on that same server, pointing to the proper IP
There's a solution for this problem - it's called "glue records", i.e. A records hosted in the parent zone that contain the IP addresses of the name servers.
See http://en.wikipedia.org/wiki/Domain_Name_System#Circular_dependencies_and_glue_records
Why would you want to set the NS record for the "mydomain.com":
to "myserver.com" in the delegation record that goes into the parent zone (com.), but
to "ns.mydomain.com" at the zone apex (inside the mydomain.com. zone)
? This creates an inconsistency (two different DNS servers answer the same question with two different answers) without any apparent benefit. You should try to help the DNS system as a whole issue consistent answers.
Unless you have a good reason to make the DNS inconsistent, you should decide what the correct, canonical name for your nameserver is, and publish that name in the NS record both in the delegation and at the zone apex for "mydomain.com".
That being said, it will still work:
If a recursive resolver which does not yet know anything about "mydomain.com" asks about it, it will be told by the gTLD servers to go look at "myserver.com". The gTLD will also issue A and AAAA glue records to help find "myserver.com", but even if they don't, you have A and AAAA records for "myserver.com" in the "myserver.com" zone file (right?).
If a recursive resolver wants to refresh its cache for the "mydomain.com" NS record, it may query the authoritative server it already knows about. This server will answer that the nameserver is "ns.mydomain.com", with a glue record. This is different from what it had in its cache before, but ultimately it will map to a server with the same IP address.
As for "parallels plesk", I know nothing about that.

BIND config error in ip/nameserver

I set up a couple of nameservers and updated my domain to use them, and as far as I can tell everything went fine and the nameservers have been updated, or so says every whois and dnstools type site I've used (intodns, who.is etc. are all saying the same thing: the new nameservers are in effect, and the site points to the new IP just fine). Problem is that the site is not showing up, and dig tells me that the old IP/nameservers are still effective.
In my DNS Records I have:
domain. A IN NS ns1.newnameserver
domain. A IN NS ns2.newnameserver
ns1 IN A newipaddress
ns2 IN A newipaddress
domain. IN A newipaddress
I'm very short on time and haven't found anything on the interweb, so any help would be much appreciated
The old IP address is probably being cached by the server you queried. First of all, check that BOTH your new authoritative nameservers are publishing the correct address by querying them directly with dig:
dig @ns1.newnameserver domain. a
dig @ns2.newnameserver domain. a
Assuming those queries give correct answers, dig some other servers that aren't:
dig domain. a # Use the system's default resolvers
dig @8.8.8.8 domain. a # Use Google's public resolver
dig @some.other.ip.address domain. a
If it gives the old answer, look at the TTL. That's the numeric field listed in the answer just after the name and before "IN". That's how many seconds you have to wait until the server you queried discards its cached data and will query the authoritative servers again.
Ask those same nameservers where they think "domain." is delegated:
dig domain. ns # Use the system's default resolvers
dig @8.8.8.8 domain. ns # Use Google's public resolver
dig @some.other.ip.address domain. ns
You want to see 2 NS records for "domain.", one pointing to "ns1.newnameserver" and the other one to "ns2.newnameserver", but the resolvers likewise cache that information so they might still have the old nameservers. If so, look at the TTL on those NS records too. If the TTL on those records is longer than the TTL on the A records, those resolvers may still go to the old nameservers to get "domain."'s A records even when their currently cached copy expires... so you may need to wait for that TTL to expire first, and then for the TTL on the actual A record to expire again!
Another thing you can do is query some of the authoritative nameservers for the PARENT domain of your domain to see if they are indeed delegating it to "ns1.newnameserver" and "ns2.newnameserver". This will verify that the delegation in DNS matches what's in WHOIS.
dig com. ns # If your domain's parent domain is "com."
dig @<one-of-the-servers-that-resulted-from-that-query> domain. ns
Again, you want to see 2 NS records for "domain.", one pointing to "ns1.newnameserver" and the other one to "ns2.newnameserver".
If the old nameservers are still running, either:
make sure they aren't, or
make sure they've also got the new zone data
Some people will still be talking to the old nameservers, and until they either stop answering or give the right answer, they won't learn the new nameservers from the parent zone.

How can (say) ns1.example.com be a name server of example.com?

Clearly I don't know much about DNS, so bear with me on this issue, which has been puzzling me for a while.
Some WHOIS records show (say) ns1.example.com and ns2.example.com as name servers for example.com. Then how is the actual IP address found? Isn't this circular?
This question probably belongs on Serverfault rather than Stackoverflow, but for the explanation you should read about glue records.
Name servers in delegations are identified by name, rather than by IP address. This means that a resolving name server must issue another DNS request to find out the IP address of the server to which it has been referred. If the name given in the delegation is a subdomain of the domain for which the delegation is being provided, there is a circular dependency. In this case the nameserver providing the delegation must also provide one or more IP addresses for the authoritative nameserver mentioned in the delegation. This information is called glue. The delegating name server provides this glue in the form of records in the additional section of the DNS response, and provides the delegation in the answer section of the response.
There is also a nice explanation in this FAQ.
I hope this is taken the right way, but have a good read at this, particularly the section on "Domain Name Space" (even more specifically, "Domain name formulation").
http://en.wikipedia.org/wiki/Domain_Name_System
It explains the way in which a name is resolved and way, way more.

How can I query Spamhaus's SBL with a domain name?

I want to query Spamhaus's SBL using a domain name. I know this is possible to do because this form (Find SBL Listings by ISP Domain Name) does it and SpamAssassin does it, but I can only seem to get it to work with IP addresses. I took a quick look at the SpamAssassin code, but it has been so generalized that I could probably spend a couple hours tracking down the code that actually does something. Right now I can successfully query SBL for IP addresses like this:
#returns 127.0.0.2, so 208.73.210.0 is on the blacklist
dig +short 0.210.73.208.sbl.spamhaus.org
#returns nothing, so 72.14.225.72 isn't on the blacklist
dig +short 72.225.14.72.sbl.spamhaus.org
Querying with domain names seems to have something to do with DNS TXT records, but I don't know the right hostname to look up. When I try something like
dig oversee.net.sbl.spamhaus.org TXT
I don't get any useful information back, but if you search with the form you find that oversee.net is associated with 208.73.210.0 which was reported as spamming on 30-Jul-2009 21:17 GMT.
Domains are in the "Domain Block List", not the SBL. Use dbl.spamhaus.org as the domain suffix.
The particular search you linked to is based on the ISP's domain name, and I don't believe it uses the same DNSBL interface.
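The difference between the two lookups, as an added example that is not part of the original posts: an IP address is reversed and queried under sbl.spamhaus.org, while a domain is prepended unreversed to dbl.spamhaus.org. It goes beyond the thread by also handling IPv6 in the RFC 5782 nibble form and by treating the 127.255.255.x range, which Spamhaus uses for error replies, separately from a listing; the function names and the injectable resolver are assumptions of this example.

```python
import ipaddress
import socket


def dnsbl_name(value, ip_zone="sbl.spamhaus.org", domain_zone="dbl.spamhaus.org"):
    """Build the DNSBL query name for an IP address or a domain name."""
    value = value.strip().rstrip(".").lower()
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        # Not an IP: a domain is prepended as-is (labels are NOT reversed)
        # and goes to the domain list, not the IP list.
        labels = value.split(".")
        if len(labels) < 2 or not all(labels):
            raise ValueError(f"not a usable domain name: {value!r}")
        return f"{value}.{domain_zone}"
    # IP: reversed octets for IPv4, reversed nibbles for IPv6 (RFC 5782),
    # i.e. the reverse-DNS name without its in-addr.arpa / ip6.arpa suffix.
    return f"{addr.reverse_pointer.rsplit('.', 2)[0]}.{ip_zone}"


def system_resolve(name):
    """A records via the system resolver. NXDOMAIN and other resolver
    failures both come back as []; use a DNS library to tell them apart."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check(value, resolve=system_resolve):
    """Return (query_name, verdict) for an IP address or domain."""
    name = dnsbl_name(value)
    answers = resolve(name)
    if not answers:
        return name, "not listed"
    if any(a.startswith("127.255.255.") for a in answers):
        # Spamhaus error range (e.g. query sent through a public resolver).
        return name, "query error"
    return name, "listed"
```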
