When I do an nslookup on the net. zone, I get the following output:
nslookup -type=soa net 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
net
origin = a.gtld-servers.net
mail addr = nstld.verisign-grs.com
serial = 1542217316
refresh = 1800
retry = 900
expire = 604800
minimum = 86400
Authoritative answers can be found from:
This means that in order to get DNS records for the net. zone, one should query the DNS Server a.gtld-servers.net. However, the IP Address of a.gtld-servers.net is not given. This results in a catch-22, because in order to get the IP address of any subzone in the net. zone, one should query a.gtld-servers.net.
So my question is, how to get out of this catch-22? How can I get the IP address of a.gtld-servers.net without having to do another DNS request?
The root server addresses can be found in a file downloaded from iana
This means that in order to get DNS records for the net. zone, one should query the DNS Server a.gtld-servers.net
You could, and at least initially, probably would, but the root servers don't move around frequently, so once you got the ip address for .net server, for example, you would use the cached value.
Related
I am working on Backup server (failover) for my websites.
example.com is my domain, Host on IP 1.1.1.1
Copy of example.com, Host on IP 2.2.2.2
I want to use IP2 as backup only when IP 1 is down,
so i set both IPS in my DNS A record.
As per rule of DNS: if i set 2 IPs in A record, then it will work like round robin.
First visitor redirect on IP 1.1.1.1
Second Visitor redirect on IP 2.2.2.2
But i set "A record" Priority in DNS, So its always redirect all users to IP 1.1.1.1, and no users redirect on IP2 hosting.
Now, When IP 1.1.1.1 is down, then its browser or DNS nature, it will try again to other A record if IP2 available. (Its working perfect, and i want this thing)
Problem is that,
DNS keep trying to IP 1 for 30-60 seconds, after its fail, then DNS try on IP 2.
I want to reduce that DNS lookup time to 5 Seconds. I have Centos VPS with WHM.
Round-robin DNS does not work like you appear to think it works.
Most DNS nameservers will indeed rotate a list of multiple A RRs for a given name with each response, but remember the requestor will be an intermediate recursive resolver, often shared by many end clients, and those intermediate resolvers will cache each record for a minimum of 300 seconds or the maximum of the TTL given in the record. The intermediate resolver may or may not rotate the A RRs in the responses it sends to its individual clients. However ultimately the choice of address to try first between multiple A RRs for the same name is up to the client and some clients work differently.
The timeout for trying another address when multiple A RRs are given is mandated by the client through it's TCP connection attempt, not by anything supplied in a DNS response.
first of all I should mention that I'm fairly new to the world of DNS. I've purchased a VPS plan and I'm trying to run a web server and also a custom mail server (postfix and dovecot combination), which turns out to be a real pain. I'm aware of the fact that I can make my life easier by using Google App services but nonetheless I want to be able to do it myself.
I'm stuck with so called DNS records and as far as my understanding goes I should first of all create an A record for my mail.mydomain.com and afterwards a MX record, am I right? I checked every option my hosting provider provides, but unfortunately I couldn't find anything.
If I run:
nslookup -q=mx mydomain.com
it gives me:
Non-authoritative answer:
mydomain.com mail exchanger = 10 mail.mydomain.com
and for "Authoritative answers" I get nothing.
So first question: "'Authoritative answers' are answers from mydomain.com itself and to be able to give such answers I should run my own DNS Name Server and have so called 'zones file' in which I have these records setup, am I right?".
And following question would be: "to be able to do it I should have 'bind' software package installed, right?".
Another question: "if haven't done any of it how come I get 'Non-authoritative answer' for my MX query? Does it mean I already have one MX record from my service provider?".
And the last question would be, since it is for a custom mail server and if you are familiar with it: "could you tell me why do I have to have a reversed domain record (I think it is called PTR) in order to avoid my mail get landed in spam folder?"
You got Non-authoritative answer because you did not query records from name servers of the domain, and the results may contain IPs.
This result is similar as yours.
$ nslookup -q=mx google.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
google.com mail exchanger = 30 alt2.aspmx.l.google.com.
google.com mail exchanger = 20 alt1.aspmx.l.google.com.
google.com mail exchanger = 40 alt3.aspmx.l.google.com.
google.com mail exchanger = 50 alt4.aspmx.l.google.com.
google.com mail exchanger = 10 aspmx.l.google.com.
Authoritative answers can be found from:
alt3.aspmx.l.google.com internet address = 173.194.204.26
alt4.aspmx.l.google.com internet address = 74.125.141.26
alt2.aspmx.l.google.com internet address = 173.194.219.27
aspmx.l.google.com internet address = 74.125.25.26
alt1.aspmx.l.google.com internet address = 74.125.193.27
So we can find name servers of the targeted domain.
$ nslookup -q=ns google.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
google.com nameserver = ns3.google.com.
google.com nameserver = ns1.google.com.
google.com nameserver = ns2.google.com.
google.com nameserver = ns4.google.com.
Authoritative answers can be found from:
ns3.google.com internet address = 216.239.36.10
ns2.google.com internet address = 216.239.34.10
ns1.google.com internet address = 216.239.32.10
ns4.google.com internet address = 216.239.38.10
Then we can get authoritative answer.
$ nslookup -q=mx google.com ns1.google.com
Server: ns1.google.com
Address: 216.239.32.10#53
google.com mail exchanger = 40 alt3.aspmx.l.google.com.
google.com mail exchanger = 10 aspmx.l.google.com.
google.com mail exchanger = 30 alt2.aspmx.l.google.com.
google.com mail exchanger = 50 alt4.aspmx.l.google.com.
google.com mail exchanger = 20 alt1.aspmx.l.google.com.
As the sample you posted, you can confirm if mail.mydomain.com has pointed to a IP ( so called A record ), and mail related services maight be OK if there are correct MX & A records.
You should find out name servers of your domain before you maintain the DNS records.
I guess your service provider ( or someone else ) have set up MX record of your domain, you may get more answers from your service provider.
I am new to BIND, and thought I had a grip on DNS, but obviously I was mistaken.
BIND is installed on Windows Server 2008 Web
I created a zone (example.com) with Dyn.
I registered the domain for that zone successfully, using the Dyn nameservers
I created two subdomains (A records) on the Dyn zone: ns1.example.com and ns2.example.com
Each subdomain points to a unique IP, bound to my server where BIND is listening
When I query ns1.example.com with nslookup, for the a new domain I created on that webserver, it returns ns1 with its ip, but gives the following error:
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to ns1.example.com timed-out
If I run nslookup on the webserver itself, with the same query, I get:
> example.com
Server: ns1.example.com (which is the slected nameserver)
Address: xx.xx.xx.xx
Name: example.com
Address: xx.xx.xx.xx
It might be worth mentioning, that the Webserver is located in the UK, and I am located in South Africa.
My registrar, in South Africa, returns the following when I try to register domainxyz.example:
The SOA record for domainxyz.example at xxx.xxx.xxx.xxx can not be retreived.
The most common reasons for this is that the Nameserver is not currently
reachable or the Nameserver has not been configured for this domain.
I can ping and resolve ns1 and ns2 from my pc, where the nslookup fails.
After a long discussion with myself, and curiously reviewing my post... I decided I must be really burnt out.. and I opened UDP port 53 on my windows firewall on the server.
Tadaaa.....works!
Sometimes it helps bouncing something off someone, even if its a lonely sunday night web page /forum.
Maybe this helps someone else in the future. This whole new web server commisioning has so many aspects to configure, and I lost site of the basics.
Cheers, and thanks..!
I installed Virtualmin GPL on CentOS 6.2. The hostname of the machine is srv01.[mydomain.tld] (where [mydomain.td] is an actual registered domain). On the server I have only 1 IP, so I assigned it to both ns1.[mydomain.tld] and ns2.[mydomain.tld]. After this I updated the nameserver details for my domain on the domain registrar and pointed both ns1 and ns2 to the IP of the server.
The first issue I received was BIND-chroot issue, and after searching on the net, I removed BIND from chroot and BIND started. At this stage I was sure that everything will work normal, so I created a virtual server for [mydomain.tld]. At this point, I was sure that I can now access my site using the domain name.
So I opened network-tools.com and tried to perform a tracert for [mydomain.tld] but it failed to resolve the domain name and following are the details from the page:
Retrieving DNS records for [mydomain.tld]...
DNS servers
ns1.[mydomain.tld] [1.2.3.4]
Query for DNS records for [mydomain.tld] failed: Timed out
Whois query for [mydomain.tld]...
I tried to ping srv01.[mydomain.tld] and failed. Then I tried to ping ns1.[mydomain.tld] and it worked. My first guess was that maybe the NS on my server isn’t working, so I SSHed and performed nslookup google.com:
$ nslookup google.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: google.com
Address: 173.194.33.39
I think that the NS is working properly on my server. After this, I performed:
$ nslookup [mydomain.tld]
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: [mydomain.tld]
Address: IP
It looks like the server is resolving the name properly locally, but not working on the Internet. I also checked all the Zone records for [mydomain.tld] and it contains the following records:
[mydomain.tld]. -- NS -- ns1.[mydomain.tld].
[mydomain.tld]. -- NS -- ns2.[mydomain.tld].
[mydomain.tld]. -- A -- IP
www.[mydomain.tld]. -- A -- IP
ns1.[mydomain.tld]. -- A -- IP
ns2.[mydomain.tld]. -- A -- IP
plus A records for subdomains ftp.[mydomain.tld], m.[mydomain.tld], localhost.[mydomain.tld], webmail.[mydomain.tld], admin.[mydomain.tld] and mail.[mydomain.tld] pointing to the server’s IP, plus MX and SPF records.
To troubleshoot it from the beginning to the end, do the following
Find address of your TLD nameservers: dig TLD NS
Find how your domain authoritative nameservers configured in the TLD: dig #[one-of-tld-nameservers] [mydomain.tld] NS. You expect to get your authoritative servers: ns1.[mydomain.tld] and ns2.[mydomain.tld] and their IP addresses (which are both pointing to your single IP). If this is NOT what you get, your problem is that you did not register your authoritative servers with your registrar.
Query your server: dig #[your IP] www.[mydomain.tld] if you request times-out, port 53 on your server is unreachable for some reason. Since it IS reachable locally, it could be firewall or NAT issue.
Now to various specifics of your question:
I tried to ping srv01.[mydomain.tld] and failed...
In the zone records in your post I don't see a record for srv01. Ping will not be able to resolve srv01 without appropriate DNS record.
Timed out Whois query for [mydomain.tld]...
Whois have nothing to do with DNS resolution, I presume it's DNS and not Whois. It seems that the nameserver defined as authoritative for mydomain.tld is not accessible.
I tried to ping ns1.[mydomain.tld] and VOLA it worked
I'm not sure, but possibly your DNS resolver knows the address ns1.[mydomain.tld] from TLD nameservers, and NOT from authoritative nameserver (also I'm not sure whether it's correct behavior or not).
Conlusion: my best guess is that port 53 of your server is not accessible from the internet.
I'm using nslookup to find the DNS name that has the a given IP address as one of its associated addresses. So, I use nslookup interactively...
command line > nslookup -
set query=ptr
24.248.56.68
Non-authoritative answer:
68.56.248.24.in-addr.arpa name = wsip-24-248-56-68.ri.ri.cox.net.
Authoritative answers can be found from:
24.in-addr.arpa nameserver = x.arin.net.
24.in-addr.arpa nameserver = u.arin.net.
24.in-addr.arpa nameserver = t.arin.net.
24.in-addr.arpa nameserver = v.arin.net.
24.in-addr.arpa nameserver = dill.arin.net.
24.in-addr.arpa nameserver = y.arin.net.
24.in-addr.arpa nameserver = z.arin.net.
24.in-addr.arpa nameserver = w.arin.net.
t.arin.net internet address = 199.253.249.63
u.arin.net internet address = 204.61.216.50
u.arin.net has AAAA address 2001:500:14:6050:ad::1
v.arin.net internet address = 63.243.194.2
v.arin.net has AAAA address 2001:5a0:10::2
w.arin.net internet address = 72.52.71.2
w.arin.net has AAAA address 2001:470:1a::2
x.arin.net internet address = 199.71.0.63
x.arin.net has AAAA address 2001:500:31::63
y.arin.net internet address = 192.42.93.32
z.arin.net internet address = 199.212.0.63
z.arin.net has AAAA address 2001:500:13::63
dill.arin.net internet address = 192.35.51.32
Now I want to find what name servers were contacted to do that lookup. I think I'm supposed to set query=ns but that returns the same answer. How can I find what name servers were contacted?
The server that processed your query should be displayed along with the result, e.g.
Server: 192.168.1.253
Address: 192.168.1.253#53
Non-authoritative answer:
68.56.248.24.in-addr.arpa name = wsip-24-248-56-68.ri.ri.cox.net.
Typically this is the default nameserver configured for your workstation. To select a different nameserver use the nslookup "server" command.
Since your query returned a non-authoritative answer that means your nameserver is not authoritative for that pointer. It had to query other nameserver(s) in order to respond. As far as I know, there is no nslookup option to show the lookup sequence performed by your nameserver.
If your objective is to determine the authoritative nameserver for the pointer then you need to do one or more additional nslookup queries based on the authoritative 'hints'. In your example, the first hint is "x.arin.net" (one of the internet root servers). Using this hint, your next step would be send the same query to that server, e.g.
> server x.arin.net
Default server: x.arin.net
Address: 199.71.0.63#53
> 24.248.56.68
Server: x.arin.net
Address: 199.71.0.63#53
Non-authoritative answer:
*** Can't find 68.56.248.24.in-addr.arpa.: No answer
Authoritative answers can be found from:
248.24.in-addr.arpa nameserver = ns.cox.net.
248.24.in-addr.arpa nameserver = ns.west.cox.net.
248.24.in-addr.arpa nameserver = ns.east.cox.net.
This response shows x.arin.net isn't authoritative either but the new hint indicates the next server to query is "ns.cox.net" (or "ns.west.cox.net" or "ns.east.cox.net"). Set your server to the new hint, execute the query again and repeat the process until you get an authoritative answer, e.g.
> server ns.cox.net
Default server: ns.cox.net
Address: 68.1.16.107#53
> 24.248.56.68
Server: ns.cox.net
Address: 68.1.16.107#53
Non-authoritative answer:
*** Can't find 68.56.248.24.in-addr.arpa.: No answer
Authoritative answers can be found from:
56.248.24.in-addr.arpa nameserver = ns2.coxmail.com.
56.248.24.in-addr.arpa nameserver = ns1.coxmail.com.
> server ns2.coxmail.com
Default server: ns2.coxmail.com
Address: 68.111.106.70#53
> 24.248.56.68
Server: ns2.coxmail.com
Address: 68.111.106.70#53
68.56.248.24.in-addr.arpa name = wsip-24-248-56-68.ri.ri.cox.net.
This result shows the authoritative nameserver for the pointer is "ns2.coxmail.com". Depending on how your nameserver is configured, it may have gone through the same series of queries you did. However if your nameserver is set up for caching, the next time you make the same query it may answer from its cache rather than go through the same process.
I hope this helps. Keep in mind this may not be exactly how it works for you because a lot depends on the configuration of your workstation, the configuration of your nameserver as well as the configuration of the additional nameservers that are queried.
Other tools more sophisticated than nslookup may make this process easier for you.