I want to find all the name servers that serve a DNS zone (suppose it's google.com). Using $dig, I tried two different queries:
$dig +trace google.com <type>
The result looks like below:
dig +trace
I notice there are four NS records, grouped together, near the bottom of the query answers.
$dig google.com ANY
The result looks like below:
dig ANY
There are four NS records in total, which are exactly the same as in the first answer.
Are there any other ways to get all the name servers?
I want to find all the name servers that serve a DNS zone (suppose it's google.com).
Ask any of the parent nameservers for details on delegation:
$ dig com. NS +short|head -1
j.gtld-servers.net.
$ dig @j.gtld-servers.net. google.com. NS +noall +auth
google.com. 2d IN NS ns2.google.com.
google.com. 2d IN NS ns1.google.com.
google.com. 2d IN NS ns3.google.com.
google.com. 2d IN NS ns4.google.com.
This is how the DNS works and is designed: it uses delegations with the NS record type.
But do note two things:
lame delegation can happen: you can/should ask any of the delegated nameservers for what they think are the relevant nameservers and handle differences (there shouldn't be any, but surprisingly there are in many zones)
results are sets, not lists, so do not expect any stable order
dig google.com ANY
Absolutely DO NOT use ANY. It does not have the meaning of ALL despite what people think, and is mostly to be considered deprecated and obsolete (see https://www.rfc-editor.org/rfc/rfc8482)
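The check the answer recommends (ask the parent for the delegation, then ask each delegated server what it thinks the NS RRset is, and treat both as sets) can be scripted. The following is an added example, not code from the answer: it parses dig's presentation-format output and compares the RRsets with set operations. The dig output embedded below is constructed for the example; in practice you would substitute the real output of `dig @<parent-server> <zone> NS +noall +authority` and `dig @<child-server> <zone> NS +noall +answer`.

```python
import re
from typing import Dict, FrozenSet, Tuple

# One RR in dig's presentation format: owner TTL class type rdata. The TTL is
# plain seconds, or carries a unit suffix such as "2d" when dig runs with +ttlunits.
RR_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+[smhdw]?)\s+IN\s+(?P<type>\S+)\s+(?P<rdata>.+?)\s*$"
)


def ns_set(dig_output: str, zone: str) -> FrozenSet[str]:
    """Extract the NS RRset for `zone` from dig output as a normalised set.

    An RRset is a set: order and case are meaningless, so every owner and
    target is lower-cased and made fully qualified before comparison.
    """
    zone = zone.lower().rstrip(".") + "."
    targets = set()
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                        # blank line or dig comment
        m = RR_LINE.match(line)
        if not m or m.group("type") != "NS":
            continue
        if m.group("owner").lower().rstrip(".") + "." != zone:
            continue
        targets.add(m.group("rdata").lower().rstrip(".") + ".")
    return frozenset(targets)


def check_delegation(zone: str, parent_output: str,
                     child_outputs: Dict[str, str]):
    """Compare the parent's delegation NS RRset with each delegated server's own.

    Returns (delegated, problems) where problems maps a server name to
    (names the parent lists but the server omits, names only the server lists).
    An empty problems dict means every server agrees with the delegation.
    """
    delegated = ns_set(parent_output, zone)
    problems: Dict[str, Tuple[FrozenSet[str], FrozenSet[str]]] = {}
    for server, output in child_outputs.items():
        own = ns_set(output, zone)
        if own != delegated:
            problems[server] = (delegated - own, own - delegated)
    return delegated, problems


# Constructed sample output; zone and server names are placeholders.
ZONE = "example.com."
PARENT_OUTPUT = """\
; <<>> dig @a.gtld-servers.net. example.com. NS +noall +authority
example.com.            2d      IN      NS      ns2.example.com.
example.com.            2d      IN      NS      NS1.example.com.
example.com.            2d      IN      NS      ns3.example.com.
example.com.            2d      IN      NS      ns4.example.com.
"""
CHILD_OUTPUTS = {
    "ns1.example.com.": """\
example.com.            3600    IN      NS      ns1.example.com.
example.com.            3600    IN      NS      ns2.example.com.
example.com.            3600    IN      NS      ns3.example.com.
example.com.            3600    IN      NS      ns4.example.com.
""",
    # ns3 still serves a stale NS RRset: it lists ns5 and has dropped ns4,
    # so its view disagrees with the parent's delegation.
    "ns3.example.com.": """\
example.com.            3600    IN      NS      ns1.example.com.
example.com.            3600    IN      NS      ns2.example.com.
example.com.            3600    IN      NS      ns3.example.com.
example.com.            3600    IN      NS      ns5.example.com.
""",
}

if __name__ == "__main__":
    delegated, problems = check_delegation(ZONE, PARENT_OUTPUT, CHILD_OUTPUTS)
    print("parent delegates to:", sorted(delegated))
    for server, (missing, extra) in problems.items():
        print(f"{server}: missing {sorted(missing)}, extra {sorted(extra)}")
```

Because the comparison is on sets, a server that returns the same four names in a different order, or with different capitalisation, is correctly reported as consistent; only a real difference in membership is flagged.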
Related
Found a domain with MX record ".". What does that mean exactly (e.g., theplug.org)?
IN MX 3402 . 0
Is MX the same as the domain?
Does the dot mean an invalid MX?
Is it a catch-all mail address?
Or totally different?
This is a so-called "Null MX" record, defined by RFC 7505 in 2015. It explains that this was introduced to provide
a simple mechanism by which a domain can indicate that it does not
accept email.
Further discussion on this topic here on serverfault.
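As an added example (not part of the answer above), here is how a script can tell a Null MX apart from the other MX situations it will meet. The dig-style record lines are constructed; the theplug.org line is the question's record rewritten in dig's presentation format, and the other domains are placeholders.

```python
import re
from typing import List, Tuple

# An MX RR as dig prints it: owner TTL IN MX preference exchange
MX_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+MX\s+(?P<pref>\d+)\s+(?P<exch>\S+)\s*$"
)


def parse_mx(dig_output: str) -> List[Tuple[int, str]]:
    """Return (preference, exchange) pairs from the MX lines in dig output."""
    records = []
    for line in dig_output.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            records.append((int(m.group("pref")), m.group("exch").lower()))
    return records


def classify_mx(records: List[Tuple[int, str]]) -> str:
    """Classify an MX RRset.

    "null-mx" : the single record "0 ." from RFC 7505; the domain accepts no mail
    "no-mx"   : no MX at all; RFC 5321 then falls back to the name's A/AAAA
                record, so this is NOT the same as refusing mail
    "mx"      : ordinary exchanges
    "mixed"   : a "." exchange alongside real ones; RFC 7505 defines Null MX as
                a single MX RR, so treat this as a misconfiguration to flag
    """
    if not records:
        return "no-mx"
    if not any(exch == "." for _, exch in records):
        return "mx"
    if len(records) == 1 and records[0] == (0, "."):
        return "null-mx"
    return "mixed"


# Constructed dig output for three cases.
NULL_MX_OUTPUT = "theplug.org.\t3402\tIN\tMX\t0 ."
ORDINARY_OUTPUT = """\
example.net.            300     IN      MX      10 mx1.example.net.
example.net.            300     IN      MX      20 mx2.example.net.
"""
MIXED_OUTPUT = """\
example.org.            300     IN      MX      0 .
example.org.            300     IN      MX      10 mx.example.org.
"""

if __name__ == "__main__":
    for label, output in [("theplug.org", NULL_MX_OUTPUT),
                          ("example.net", ORDINARY_OUTPUT),
                          ("example.org", MIXED_OUTPUT),
                          ("no records", "")]:
        print(f"{label}: {classify_mx(parse_mx(output))}")
```

The distinction between "null-mx" and "no-mx" is the one that matters operationally: a domain with no MX at all still receives mail at its A/AAAA address under the RFC 5321 implicit-MX rule, whereas the Null MX is an explicit statement that nothing should be delivered.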
I am trying to extract all domain names out of the COM and NAME DNS zone files. Those zone files contain all DNS entries and there seems to be a lack of information about the structure of zone files.
Do all registered domains have NS entries? Even those which are not actively used? Which record/records should I use to extract domain names?
Zone files are very large and sorting them would be a stupid idea. So if I can use one DNS record type to extract domain names then it would be easier.
I found this Python script (I don't know Python) on GitHub which uses only NS entries. Is it correct logically?
Someone with experience please comment.
The format of the DNS zone file is defined in RFC 1035 (section 5) and RFC 1034 (section 3.6.1). You can find many details on Wikipedia: https://en.wikipedia.org/wiki/Zone_file
It contains only the published domain names, that is, those having at least one nameserver and not being under clientHold or serverHold statuses (see http://www.icann.org/epp#clientHold and http://www.icann.org/epp#serverHold), which means in short it is NOT all domain names registered.
.COM zone file is huge indeed. In any case, you need to match on NS records lines and deduplicate domain names. There are multiple strategies to do that, depending on your constraints.
Note that many providers online already do this work for you and can provide directly the domain names if this is all you are interested in. Some may also provide differential content, one day from the previous.
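The "match NS lines and deduplicate" strategy from the answer, written out as an added example (not the GitHub script the question refers to, and not code from the answer). It streams the file a line at a time, so it never holds the zone in memory, and it copes with the master-file constructs a TLD zone actually uses: $ORIGIN, $TTL, comments, owner names relative to the origin, omitted owners, and glue records that must not be mistaken for registrations. The zone excerpt below is constructed in the style of the .COM zone file; the names in it are placeholders.

```python
from typing import Iterable, Set

CLASSES = {"IN", "CH", "HS"}


def extract_delegated_names(lines: Iterable[str], zone: str = "com.") -> Set[str]:
    """Return the delegated names (lower-case FQDNs) that own at least one NS
    record in a TLD zone file, streaming the file line by line.

    Handles $ORIGIN, $TTL, ';' comments, owners relative to the origin or
    written as '@', an omitted owner (leading whitespace repeats the previous
    owner), and optional numeric TTL / class fields. Multi-line '( )' records
    and mnemonic TTLs such as 1D are not handled; the .COM zone uses neither.
    """
    apex = zone.lower().rstrip(".") + "."
    origin = apex
    last_owner = None
    names: Set[str] = set()
    for raw in lines:
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower().rstrip(".") + "."
            continue
        if line.startswith("$"):                  # $TTL, $INCLUDE: no RR here
            continue
        if line[0].isspace():                     # owner omitted: reuse previous
            owner, fields = last_owner, line.split()
        else:
            fields = line.split()
            owner, fields = fields[0], fields[1:]
        if owner is None:
            continue
        last_owner = owner
        # Skip the optional TTL (digits) and class; the next token is the type.
        i = 0
        while i < len(fields) and (fields[i].isdigit() or fields[i].upper() in CLASSES):
            i += 1
        if i >= len(fields) or fields[i].upper() != "NS":
            continue                              # glue A/AAAA, SOA, DS, ...
        name = owner.lower()
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = name + "." + origin
        if name != apex:                          # the TLD's own NS RRset is not a registration
            names.add(name)
    return names


# Constructed excerpt in the style of the .COM zone file.
SAMPLE_ZONE = """\
$ORIGIN COM.
$TTL 900
@ IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
COM. 172800 IN NS a.gtld-servers.net.
EXAMPLE NS NS1.EXAMPLE.COM.
EXAMPLE NS NS2.EXAMPLE.COM.
        NS NS3.EXAMPLE.NET.        ; owner omitted: still EXAMPLE
example NS ns1.example.com.        ; same name, different case
NS1.EXAMPLE A 192.0.2.53           ; glue, not a registration
NS1.EXAMPLE AAAA 2001:db8::53
FOO-BAR 172800 IN NS NS.EXAMPLE.NET.
ANOTHER.COM. NS NS.EXAMPLE.ORG.
EXAMPLE 86400 IN DS 12345 8 2 0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    # For the real file: with open("com.zone") as f: extract_delegated_names(f)
    for name in sorted(extract_delegated_names(SAMPLE_ZONE.splitlines())):
        print(name)
```

Deduplication here is a set of lower-cased FQDNs, which is all the memory the job needs: the set of second-level names is far smaller than the file, and nothing is ever sorted.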
I need to find all IP addresses of certain websites (e.g. netflix.com). However, I want to use the Dig command but when I do something like
$ dig TXT +short netflix.com
it gives me the following data. First, what does this mean? I have all of Google's IP addresses, by the way, but I am not sure about amazonses.com. I also think the IP addresses it is giving me are very limited.
"v=spf1 ip4:69.53.224.0/19 ip4:165.193.233.164/30 ip4:205.139.44.20 ip4:66.150.112.120
ip4:205.139.45.20 ip4:209.177.164.2 ip4:54.84.21.177 ip4:54.85.33.189 include:_spf.google.com
include:amazonses.com -all"
Please help, I will really appreciate it.
Thank you in advance!
Short answer: You can't do what it sounds like you want.
Longer answer: Getting all IP addresses for a certain website is simply a question of issuing an A and an AAAA DNS query for its name. That will give you all the published addresses for that site. But, and I'm guessing here, it sounds like that's not what you want. If what you want is to find out which IP ranges are assigned to Netflix the corporation, you can find that by looking it up in the various RIR databases (easiest via whois, as Sami says in a comment up there). Most of those addresses probably aren't being used for their web servers (but for mail, VPN, internal communications and such). Also, it's likely that a lot of their web presence isn't on those IP addresses, but on addresses belonging to some CDN.
You need to ask a better question if you want to get a useful answer.
That big string is Netflix' SPF record. It's an email thing and tells the world what servers it should expect netflix.com email from.
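Since the record in the question is SPF, here is what it actually encodes, as an added example (not code from the answer): a parser that splits the record into the networks it authorises to send mail for the domain, the include: domains whose own SPF records would have to be fetched and evaluated in turn, and the qualifier on the final all term. The record string is the one quoted in the question; the function and parameter names are this example's own.

```python
import ipaddress
from typing import Optional

# The SPF record quoted in the question, joined into one string.
NETFLIX_SPF = (
    "v=spf1 ip4:69.53.224.0/19 ip4:165.193.233.164/30 ip4:205.139.44.20 "
    "ip4:66.150.112.120 ip4:205.139.45.20 ip4:209.177.164.2 ip4:54.84.21.177 "
    "ip4:54.85.33.189 include:_spf.google.com include:amazonses.com -all"
)


def parse_spf(record: str):
    """Split an SPF record into (networks, includes, all_qualifier, other).

    networks      : (qualifier, ip_network) for every ip4:/ip6: term
    includes      : domains whose own SPF record must be fetched and evaluated
    all_qualifier : qualifier on the 'all' term ('-' hard fail, '~' soft fail, ...)
    other         : mechanisms/modifiers that need DNS lookups (a, mx, exists, redirect=, ...)
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version-1 record")
    networks, includes, other = [], [], []
    all_qualifier: Optional[str] = None
    for term in terms[1:]:
        qualifier = "+"                        # the default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:                        # modifier such as redirect= or exp=
            other.append(term)
            continue
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # A bare address is a single host; strict=False tolerates host bits in a prefix.
            networks.append((qualifier, ipaddress.ip_network(arg, strict=False)))
        elif mech == "include":
            includes.append(arg.lower())
        elif mech == "all":
            all_qualifier = qualifier
        else:
            other.append(term)
    return networks, includes, all_qualifier, other


def ip_term_result(record: str, ip: str) -> Optional[str]:
    """Qualifier of the first ip4/ip6 term that matches ip, or None when only an
    include:, another lookup mechanism, or the 'all' term could decide."""
    addr = ipaddress.ip_address(ip)
    networks, _, _, _ = parse_spf(record)
    for qualifier, net in networks:
        if addr.version == net.version and addr in net:
            return qualifier
    return None


if __name__ == "__main__":
    networks, includes, all_q, other = parse_spf(NETFLIX_SPF)
    print("authorised networks:", [str(n) for _, n in networks])
    print("includes to resolve:", includes)
    print("everything else:", all_q + "all")
    print("69.53.236.17 ->", ip_term_result(NETFLIX_SPF, "69.53.236.17"))
```

Two things the output makes concrete. The eight ip4 terms list sending infrastructure, not web servers, and the web address the other answer shows for netflix.com (69.53.236.17) happens to fall inside the 69.53.224.0/19 term, which is the only overlap. And -all means any source not covered by those terms, or by the two included records, should be rejected; the include: names are references, not addresses, so a complete check has to fetch _spf.google.com and amazonses.com and evaluate them the same way.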
Finding all of a website's IP addresses can be a pretty tough thing in the general case. One answer that's often enough is to just trust whatever the DNS server is giving you as the A record for that domain at the time:
% dig netflix.com
netflix.com. 74 IN A 69.53.236.17
Some websites will have several records, and will let you know those up front:
% dig google.com
google.com. 205 IN A 173.194.33.103
google.com. 205 IN A 173.194.33.110
google.com. 205 IN A 173.194.33.96
google.com. 205 IN A 173.194.33.105
google.com. 205 IN A 173.194.33.100
google.com. 205 IN A 173.194.33.97
google.com. 205 IN A 173.194.33.99
google.com. 205 IN A 173.194.33.102
google.com. 205 IN A 173.194.33.98
google.com. 205 IN A 173.194.33.104
google.com. 205 IN A 173.194.33.101
Depending on the site, things can get tricky in a hurry. Many sites, especially larger ones, will give you a different set of records at different times (or for each time you ask):
% dig indeed.com
indeed.com. 19 IN A 50.97.195.27
% dig indeed.com
indeed.com. 30 IN A 50.97.35.152
And some will give you a different address depending on which part of the world you're in. Like wordpress.com from India:
Seattle WA, United States: 192.0.78.9, 192.0.78.17
Montreal QC, Canada: 192.0.78.9, 192.0.78.17
Paris, France: 192.0.78.9, 192.0.78.17
St. Petersburg, Russia: 192.0.78.9, 192.0.78.17
Beijing, China: 192.0.78.9, 192.0.78.17
Mumbai, India: 203.90.66.98
Some sites will even mix and match those types of responses.
IPv6 throws a wrench into this, as does HTTP redirection.
Probably the thing to start with when considering which answer is best for you: what are you trying to accomplish with this information?
Is it possible to (and if so, how would I), given a domain name for a particular website, look up all other domain names that redirect to that same site? I'm thinking not, though if it were possible, I'd break the problem down into two parts:
1) Get the IP address that corresponds to the original domain name (there seem to be a lot of web services that do this - although they provide me with ~4 IP addresses for the one site, any idea what that's about?)
2) Do some kind of reverse DNS lookup on those IP addresses - this yields results of the form any-in-XXXX.1e100.net (where XXXX is a 4-digit number)
So, I'm guessing this doesn't work because of redirects and things, and any-in-XXXX.1e100.net is some sort of intermediate server in between me and the domain name I'm looking up? So the task I've described above should be impossible, then, right? Can someone who knows a bit more about how DNS works confirm (or refute) this and correct any wrong assumptions I've made? Thanks!
It will only work if sites set up their reverse DNS that way. Which, I can pretty much assure you they haven't for whatever site you're considering. However, here's an example of how to do it using bind's dig utility:
Get the original address:
# dig www.google.com a
...
www.google.com. 145 IN A 74.125.239.114
www.google.com. 145 IN A 74.125.239.115
www.google.com. 145 IN A 74.125.239.113
www.google.com. 145 IN A 74.125.239.116
www.google.com. 145 IN A 74.125.239.112
Now that we have the addresses, you can issue a reverse query for it and attempt to see how it's registered:
# dig -x 74.125.239.114
...
114.239.125.74.in-addr.arpa. 656 IN PTR nuq05s01-in-f18.1e100.net.
So in this case, you can see it was at least registered. But certainly that name doesn't match the actual registered URL. So they added a reverse entry for their "service node", but not for the URL itself (ie, they didn't add a PTR record for the www.google.com record).
This will be so common you'll be hard pressed to find something where the reverse name actually matches, at least for the web. For mail servers, on the other hand, it's actually much more common. Though even they don't frequently match exactly (but at least there is almost always a PTR record in the first place).
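The forward-then-reverse procedure above, with the step the answer implies but does not spell out: after obtaining the PTR name, resolve it forward again and check that the original address is among its A/AAAA records (forward-confirmed reverse DNS). A PTR is published by whoever controls the address block and can claim any name at all, so an unconfirmed PTR proves nothing. This is an added example, not code from the answer; the resolver is a pluggable callable so the code runs offline, and the lookup table below is constructed, reusing the www.google.com address and its 1e100.net PTR from the answer purely as illustration.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], List[str]]   # (owner name, RR type) -> rdata strings


def reverse_name(ip: str) -> str:
    """The owner name `dig -x` queries: in-addr.arpa for IPv4, ip6.arpa for IPv6."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip: str, lookup: Lookup) -> Tuple[List[str], List[str]]:
    """Forward-confirmed reverse DNS.

    Returns (ptr_names, confirmed): the PTR names for ip, and the subset whose
    own A/AAAA records contain ip. Only a confirmed name is worth trusting.
    """
    addr = ipaddress.ip_address(ip)
    forward_type = "A" if addr.version == 4 else "AAAA"
    ptr_names = lookup(reverse_name(ip), "PTR")
    confirmed = [
        name for name in ptr_names
        if any(ipaddress.ip_address(a) == addr for a in lookup(name, forward_type))
    ]
    return ptr_names, confirmed


# Constructed resolver data standing in for live DNS.
SAMPLE_RRS: Dict[Tuple[str, str], List[str]] = {
    # The pair shown in the answer: PTR exists and its forward record points back.
    ("114.239.125.74.in-addr.arpa.", "PTR"): ["nuq05s01-in-f18.1e100.net."],
    ("nuq05s01-in-f18.1e100.net.", "A"): ["74.125.239.114"],
    # A PTR claiming to be a mail host whose forward record points elsewhere:
    # the reverse name is not confirmed and should not be relied on.
    ("7.100.51.198.in-addr.arpa.", "PTR"): ["mail.example.com."],
    ("mail.example.com.", "A"): ["203.0.113.25"],
    # IPv6 works the same way through ip6.arpa nibble names.
    (reverse_name("2001:db8::1"), "PTR"): ["v6.example.com."],
    ("v6.example.com.", "AAAA"): ["2001:db8::1"],
}


def sample_lookup(name: str, rtype: str) -> List[str]:
    """Stand-in for a real resolver; returns an empty list where DNS would say NXDOMAIN/NODATA."""
    return SAMPLE_RRS.get((name.lower(), rtype), [])


if __name__ == "__main__":
    for ip in ("74.125.239.114", "198.51.100.7", "2001:db8::1", "192.0.2.1"):
        ptrs, ok = fcrdns(ip, sample_lookup)
        print(f"{ip}: PTR={ptrs} confirmed={ok}")
```

Note what the confirmed name gives you: a hostname the address owner is willing to stand behind, which is the most the reverse tree can offer. It still does not enumerate the other names whose A records point at the same address, which is the question's actual goal; that information is only in the forward zones of whoever owns those names.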
I'm trying to write a script where part of its functionality depends on if a user-provided domain is a zone apex (example.com) or not (www.example.com). What is a robust way to determine if I'm dealing with a zone apex or a subdomain? I'm hoping for a purely pattern-based approach but that seems tricky (example: xx.yy.co is not a root domain but xx.co.uk is).
Are there any tried and true approaches to determine if a zone is a root domain or not?
The Public Suffix List indicates lists of top level and second level domains under which one can register a domain name. If a name has exactly one more level beyond its matching entry on this list, then it's what you are looking for.
(Note that "subdomains" as you call them can be DNS zones in their own right and have independent nameservers from the parent zone. These can generally be detected by the presence of an SOA record for that fully qualified name, and nameservers for that name in the parent zone.)
Yes, I had to write a script that performed this recently.
Run a non-recursive query (i.e. dig +norecurse) against the authoritative nameserver for the entity you're examining. Use a query type of SOA. Do not use a recursive server; the behavior becomes much less predictable. If it's a server that mixes auth and recursive answers, make sure you're checking for the AA (authoritative answer) flag on the reply.
If the response code is NOERROR, examine the leftmost component of the returned ANSWER section (if present). Otherwise, check the AUTHORITY section. One of the two will be present. The upshot of preferring the ANSWER is that this ensures your result is a SOA record instead of a NS record. It keeps the type of your result consistent, which can be useful if you're writing something against a resolver library.
If the response code is NXDOMAIN, examine the leftmost component of the returned AUTHORITY section. Obviously this won't be the apex, but this will tell you what the apex is.
Anything other than those response codes indicates that the server does not consider itself authoritative.
The result will be the apex. Your request is not the apex if your result is less specific, and it is the apex if they're identical.
www.example.com (assuming it isn't a subdomain, e.g., there are no foo.www.example.com entries) will not have a DNS SOA RR. However, example.com may have other subdomains e.g, xyz.example.com which contains foo.xyz.example.com and bar.xyz.example.com so I don't know if this helps you.
Walk the name backwards component by component checking for NS records.
Example: www.example.com
Does www.example.com. have a NS record? No.
Does example.com. have a NS record? Yes.
Does com. have a NS record? Yes.
Make your determination accordingly, based on whatever definition you use for "is a zone apex" (it's not 100% clear to me from your question.)
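Both procedures above, the SOA-response interpretation from the earlier answer and the NS walk from this one, written out as an added example that belongs to neither answer. The replies are constructed to look like what an authoritative server for example.com would send; in practice they would come from `dig +norecurse <name> SOA` against that server, and the NS walk from `dig <name> NS` at each step. The Response type and all names are this example's own.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

RR = Tuple[str, str, str]          # (owner, type, rdata)


@dataclass
class Response:
    """The parts of a DNS reply the apex test needs."""
    rcode: str                     # "NOERROR", "NXDOMAIN", "REFUSED", ...
    aa: bool                       # Authoritative Answer flag
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


def apex_from_soa_query(resp: Response) -> Optional[str]:
    """Apex implied by the reply to a non-recursive SOA query, or None.

    NOERROR with an SOA in ANSWER: the queried name is itself the apex.
    NOERROR with an empty ANSWER: AUTHORITY holds either the zone's SOA (the
    name exists but has no SOA) or NS records (a referral to a child zone);
    its owner name is the apex in both cases.
    NXDOMAIN: the AUTHORITY SOA names the zone the missing name would be in.
    Any other rcode means the server is not authoritative, so no conclusion.
    """
    if resp.rcode == "NOERROR":
        recs = [r for r in resp.answer if r[1] == "SOA"] or list(resp.authority)
    elif resp.rcode == "NXDOMAIN":
        recs = list(resp.authority)
    else:
        return None
    if not recs:
        return None
    # An SOA is only meaningful from an authoritative reply (AA set); a
    # referral (NS in AUTHORITY) legitimately has AA clear.
    if recs[0][1] == "SOA" and not resp.aa:
        return None
    return recs[0][0].lower().rstrip(".") + "."


def is_apex(qname: str, resp: Response) -> Optional[bool]:
    """True/False once the apex is known, None when the reply is inconclusive."""
    apex = apex_from_soa_query(resp)
    if apex is None:
        return None
    return apex == qname.lower().rstrip(".") + "."


def apex_by_ns_walk(name: str, has_ns: Callable[[str], bool]) -> Optional[str]:
    """Walk from the full name towards the root and return the first (longest)
    suffix that owns NS records: the nearest zone cut at or above the name."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if has_ns(candidate):
            return candidate
    return None


# Constructed replies from an authoritative server for example.com.
SOA_RR: RR = ("example.com.", "SOA",
              "ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600")
REPLIES = {
    "example.com.":        Response("NOERROR", True, answer=[SOA_RR]),
    "www.example.com.":    Response("NOERROR", True, authority=[SOA_RR]),
    "nosuch.example.com.": Response("NXDOMAIN", True, authority=[SOA_RR]),
    "sub.example.com.":    Response("NOERROR", False,
                                    authority=[("sub.example.com.", "NS", "ns1.sub.example.com.")]),
    "example.org.":        Response("REFUSED", False),
}
# Names that own NS records, as the walk would discover them query by query.
ZONES_WITH_NS = {".", "com.", "example.com.", "sub.example.com."}

if __name__ == "__main__":
    for qname, resp in REPLIES.items():
        print(f"SOA query {qname}: apex={apex_from_soa_query(resp)} is_apex={is_apex(qname, resp)}")
    for name in ("www.example.com.", "host.sub.example.com.", "example.com."):
        print(f"NS walk {name}: {apex_by_ns_walk(name, lambda n: n in ZONES_WITH_NS)}")
```

The two methods answer slightly different questions. The SOA query tells you the apex of the zone the name lives in, as seen by the server you asked, and refuses to guess when the server is not authoritative. The NS walk finds the nearest zone cut, which is why host.sub.example.com resolves to sub.example.com here: NS records exist both in the parent (the delegation) and at the child's apex, so the first suffix with NS records is the child zone. Neither says anything about registrability, which is the Public Suffix List question from the first answer.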