Are SRV records being stripped by DNS resolvers? - dns

I'm building a custom DNS Server that, among other things, serves SRV records and associated A and AAAA records. I can verify that querying the server directly returns the expected answer:
$ dig lseed.bitcoinstats.com SRV #139.59.143.87 +short
10 10 9735 2c932136c294204bc65c73266300b30fe8ccb99c24fb2261d2e9980a7e8ffe9.80.lseed.bitcoinstats.com.
10 10 6331 31ce6a2b947fdbc97f10405c4062848393cf8140f33cc492aa044fe47d18f59.c6.lseed.bitcoinstats.com.
10 10 8334 283a918ae4609473c01f2e19491e9202788150dbe8d4361a3a04f3a879e9f0a.45.lseed.bitcoinstats.com.
10 10 53258 2673073e3751681b0c55aa88e5af17522c6d6b32d7d210bf4d65439d063c1ba.91.lseed.bitcoinstats.com.
However when querying through my ISPs resolver (or any of the public resolvers, like Google's 8.8.8.8) I get an empty answer back:
$ dig lseed.bitcoinstats.com SRV #8.8.8.8
; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> lseed.bitcoinstats.com SRV #8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10994
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;lseed.bitcoinstats.com. IN SRV
;; Query time: 86 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Nov 29 12:32:15 CET 2016
;; MSG SIZE rcvd: 51
The query returns immediately and I can see that my server receives an incoming query, however it is empty. Is it known behavior that the resolver strips SRV and additional answers? If this were the case, why is the query being forwarded at all to my server? Or is the error on my side, and the server simply replies with an incorrect answer?

Turns out that the answers were stripped due to non-matching names in the answer. The query was asking for lseed.bitcoinstats.com while the answers were replying with another domain (_lightning._tcp.lseed.bitcoinstats.com) hence the resolvers were stripping the non-matching answers, leaving just an empty reply with no answers. Setting the domain in the answers equal to the domain in the question results in resolvers passing the answers through.

Related

Consul dns round robin and ping

I setup test cluster which contains 3 servers. Consul, dnsmask and NetworkManager are installed on all machines under CentOS 7.
I'd like to test simple round robin procedure:
Expected: ping consul.service.consul must send icmp requests to one of three servers.
Actual: ping always send requests to one IP address (10.82.5.6)
However ip order is changed in answer section of dig command:
[vagrant#localhost ~]$ dig consul.service.consul
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> consul.service.consul
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23466
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;consul.service.consul. IN A
;; ANSWER SECTION:
consul.service.consul. 0 IN A 10.82.5.5
consul.service.consul. 0 IN A 10.82.5.4
consul.service.consul. 0 IN A 10.82.5.6
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 13 13:40:20 UTC 2017
;; MSG SIZE rcvd: 98
If I reboot 10.82.5.6 node, dig returns 2 nodes and ping begins properly work - with round robin. But when I have my node 10.82.5.6 rebooted, only this node again responds to ping commands
according to https://www.consul.io/docs/agent/dns.html the DNS interface randomizes the returned nodes so it'll never be round robin.
there's also DNS caching https://www.consul.io/docs/guides/dns-cache.html the default TTL is 0, but you may have something different and/or results are cached somewhere else..

Mismatch in the number of ADDITIONAL RECORDS in dig query

While doing the DNS query through dig utility, sometimes i got Additional records in the results while sometimes not. This is very much normal.
But today i saw something interesting in the output of the dig. While querying for fb.com domain, i got some additional records in the response.
Interesting part is the information displayed along with flags.
There dig utility informs that there are ADDITIONAL: 5 (five additional records) while in the actual output section, it displays only 4 additional responses.
This is not specific to fb.com domain only but i am also getting similar things (mismatch in Additional Section) in other domains too.
`[root#Kansal~]# dig fb.com
; <<>> DiG 9.10.3-P3 <<>> fb.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34411
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;fb.com. IN A
;; ANSWER SECTION:
fb.com. 221 IN A 31.13.74.36
;; AUTHORITY SECTION:
fb.com. 735 IN NS b.ns.facebook.com.
fb.com. 735 IN NS a.ns.facebook.com.
;; ADDITIONAL SECTION:
a.ns.facebook.com. 3485 IN A 69.171.239.12
a.ns.facebook.com. 3485 IN AAAA 2a03:2880:fffe:c:face:b00c:0:35
b.ns.facebook.com. 3485 IN A 69.171.255.12
b.ns.facebook.com. 3485 IN AAAA 2a03:2880:ffff:c:face:b00c:0:35
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 20 15:24:59 IST 2016
;; MSG SIZE rcvd: 183
[root#Kansal~]# `
Bind version is 9.10.3
Please explain what i am missing here ?
The fifth RR in the Additional section is the OPT pseudo-RR. Its information is displayed under the OPT PSEUDOSECTION header in your example, rather than among the other RRs, since it's special. You can read all about it in RFC 2671.

Why are multiple queries being made to my DNS Server?

As part of a project I've written a very simplistic DNS server whose only purpose is to resolve queries for the zone it serves, and to store the IP addresses of the server that made the query.
I've noticed that if I use dig, my DNS server gets queried multiple times - sometimes from the same IP address. Why does this happen? Is it due to the unreliable nature of UDP?
For example, here's a dig reply I made:
C:\Data>dig xyz.dns.example.com
; <<>> DiG 9.10.4-P2 <<>> xyz.dns.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2539
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xyz.dns.example.com. IN A
;; ANSWER SECTION:
xyz.dns.example.com. 12321 IN A 50.16.166.175
;; Query time: 224 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Aug 11 15:07:42 Eastern Daylight Time 2016
;; MSG SIZE rcvd: 77
In this example, the zone file for example.com has an NS record for dns.example.com which is where my simplistic DNS server runs. Fror this one query, my server was called 4 times from 2 different IP addresses.
I also noticed that I'm supposedly returning an "Additional" record, but the data I return in bytes 10 and 11 are clearly 0. Could this be causing a problem?
Try dig's +trace option:
dig example.com +trace

What does it mean when a "dig" command with "+nssearch" option returns nothing?

When I run the following dig command on www.google.com with the +nssearch option I get no results:
mac$ dig www.google.com +nssearch
mac$
Can someone explain why no data is returned here? The +nssearch option reads the SOA of all the authoritative name servers I believe. Does this mean there are no authoritative name servers? How is that possible? The domain www.google.com obviously works so I was expecting some sort of result.
; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40522
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 20 IN A 74.125.196.106
www.google.com. 20 IN A 74.125.196.104
www.google.com. 20 IN A 74.125.196.99
www.google.com. 20 IN A 74.125.196.147
www.google.com. 20 IN A 74.125.196.105
www.google.com. 20 IN A 74.125.196.103
;; Query time: 2 msec
;; SERVER: 192.168.186.1#53(192.168.186.1)
;; WHEN: Wed Jun 17 17:17:37 CDT 2015
;; MSG SIZE rcvd: 139
From "man dig":
+[no]nssearch
When this option is set, dig attempts to find the authoritative name servers for the zone containing the name being
looked up and display
the SOA record that each name server has for the zone.
Since there's no authority section in the response, +nssearch is going to return nothing.
www.google.com is not a zone, but a name in a zone. Therefore it doesn't have any NS records (or SOA records) for dig to display. Try dropping the www. bit and you'll get more output.

Why I get a SOA dig response?

Some time ago I setup a site with some subdomains (example.com, test.example.com...)
Last week I added a new subdomain new.example.com and today I've realize that when I dig to the secondary server I get the SOA record as a response, not the answer itself:
root#Nigeria:~$ dig new.example.com #ns.kimsufi.com
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> new.example.com #ns.kimsufi.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11559
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;new.example.com. IN A
;; AUTHORITY SECTION:
example.com. 86400 IN SOA ns345678.ip-93-122-113.eu. info.test.com. 2015021005 28800 7200 604800 86400
;; Query time: 36 msec
;; SERVER: 213.186.33.199#53(213.186.33.199)
;; WHEN: Mon Feb 16 11:14:35 2015
;; MSG SIZE rcvd: 108
I'm wondering why I'm getting an authority response instead of the right response. If I dig into 'ns345678.ip-93-122-113.eu' which is the right server where my website and my DNS server is hosted, I get the expected response:
;; ANSWER SECTION:
new.example.com. 86400 IN A 93.122.113.255
Why the secondary DNS is not giving an answer to the new subdomain? It is giving an answer to old subdomains like 'test.example.com'. And how I must interpret the SOA response? What does it mean?
A SOA record in the Authority segment together with having the AA flag set is an indication that the reply is authoritative. So what the response you pasted means is that ns.kimsufi.com says that it knows with certainty that the name you asked for (new.example.com) does not exist.
And if you hadn't hidden the actual domain name, someone might have been able to tell you the reason you're not getting the response you expect. But as it is, this is about all you will get.

Resources