Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 2 years ago.
I haven't found the answer to this question anywhere and I'm a bit confused. I want to know if the root DNS servers are queried iteratively or recursively?
As far as my understanding of the subject goes, they can be queried recursively, as they are the 'last option' to resolve a name, so they must answer with the IP address/error message. Am I correct? Please make this clear for me. Thanks.
Queries to any DNS server, regardless of whether they're the root server or not, get answered with information that the server is allowed to give out about names they know something about. What that means is that if you query a server for a name it doesn't know about, but it does know who owns part of it, it'll refer you to the next place to ask.
Let's say you need to find out where www.example.com is. If you use the dig utility from the bind package, you can query the root for the answer and see what it will tell you:
# dig @b.root-servers.net. www.example.com a
;; QUESTION SECTION:
;www.example.com. IN A
;; AUTHORITY SECTION:
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
; [...11 more authority servers for .com not shown...]
;; ADDITIONAL SECTION:
h.gtld-servers.net. 172800 IN A 192.54.112.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
; [...11 more IP addresses for .com not shown...]
The effect of the above response is the root server telling you "I don't know where www.example.com is. You'll need to go ask .com next, which is at the following list of addresses."
And so off you'd march to ask the .com servers the same question:
# dig @h.gtld-servers.net. www.example.com a
;; QUESTION SECTION:
;www.example.com. IN A
;; AUTHORITY SECTION:
example.com. 172800 IN NS a.iana-servers.net.
example.com. 172800 IN NS b.iana-servers.net.
;; ADDITIONAL SECTION:
a.iana-servers.net. 172800 IN A 199.43.132.53
a.iana-servers.net. 172800 IN AAAA 2001:500:8c::53
b.iana-servers.net. 172800 IN A 193.0.0.236
b.iana-servers.net. 172800 IN AAAA 2001:610:240:2::c100:ec
This answer helps you further by saying "I don't know either, but go ask the owners of example.com". Asking them will finally get you the real answer you were looking for:
# dig @a.iana-servers.net. www.example.com a
;; ANSWER SECTION:
www.example.com. 172800 IN A 192.0.32.10
And finally we have a server that is willing to give us the real answer.
Note, however, we asked each server in turn, starting from the root and going down. At each step someone either said "I have the answer" or "I don't have the answer, but I know who you should talk to next".
Recursive servers (i.e. the ones serving end-user clients) perform iterative queries to authoritative servers.
In response to those iterative queries, each authoritative server in the chain down from the root will either return the answer if it's authoritative for that domain, or a referral to the next servers down the chain that might have the answer.
The root name servers do not offer fully recursive service, only referrals to the name servers run by each TLD.
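The walk the two answers above describe (root refers you to .com, .com refers you to example.com's servers, example.com answers) is exactly what a recursive resolver does on a client's behalf. The following is an added example, not code from the original answers or from any DNS implementation: a toy iterative resolver over in-memory "servers" constructed from the dig output above. It sends no packets. It also shows the check a real resolver has to make at every referral: only records whose owner lies under a zone the queried server is authoritative for are kept (the "bailiwick" rule), which is what stops a server from padding its reply with records for other people's names and having them cached. The padded www.example.net. record on the example.com server is a constructed illustration of that, not something the real servers return.

```python
# Added example: a toy iterative resolver. All zone data is constructed for
# this example (modelled on the dig output in the answer above); the "servers"
# are dicts, no network traffic is involved. Not the page's or any project's code.

MAX_REFERRALS = 8  # a longer chain is a misconfiguration or a loop, not a lookup

# Constructed authoritative servers: the zones each one serves and the records
# it hands out, keyed by (owner name, record type). The example.com server also
# carries a record outside its zone, the kind of out-of-bailiwick data a hostile
# or sloppy server might append, hoping a careless resolver caches it.
SERVERS = {
    "b.root-servers.net.": {
        "zones": ["."],
        "records": {
            ("com.", "NS"): ["h.gtld-servers.net.", "d.gtld-servers.net."],
            ("net.", "NS"): ["h.gtld-servers.net.", "d.gtld-servers.net."],
            ("h.gtld-servers.net.", "A"): ["192.54.112.30"],
            ("d.gtld-servers.net.", "A"): ["192.31.80.30"],
        },
        "padding": [],
    },
    "h.gtld-servers.net.": {
        "zones": ["com.", "net."],
        "records": {
            ("example.com.", "NS"): ["a.iana-servers.net.", "b.iana-servers.net."],
            ("a.iana-servers.net.", "A"): ["199.43.132.53"],
            ("b.iana-servers.net.", "A"): ["193.0.0.236"],
        },
        "padding": [],
    },
    "a.iana-servers.net.": {
        "zones": ["example.com."],
        "records": {("www.example.com.", "A"): ["192.0.32.10"]},
        # constructed poison attempt: not under example.com., must be ignored
        "padding": [("www.example.net.", "A", "203.0.113.66")],
    },
}


def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def query(server_name, qname, qtype):
    """Reply the way an authoritative server does: the record if it has it,
    otherwise a referral to the closest delegation it knows, otherwise nothing."""
    srv = SERVERS[server_name]
    recs = srv["records"]
    resp = {"answer": [], "authority": [], "additional": list(srv["padding"])}
    if (qname, qtype) in recs:
        resp["answer"] = [(qname, qtype, r) for r in recs[(qname, qtype)]]
        return resp
    labels = qname.split(".")
    for i in range(len(labels)):  # walk up: www.example.com. -> example.com. -> com. -> .
        zone = ".".join(labels[i:]) or "."
        if (zone, "NS") in recs:
            resp["authority"] = [(zone, "NS", ns) for ns in recs[(zone, "NS")]]
            for ns in recs[(zone, "NS")]:  # glue, if this server has it
                for addr in recs.get((ns, "A"), []):
                    resp["additional"].append((ns, "A", addr))
            return resp
    return resp


def resolve(qname, qtype, start="b.root-servers.net."):
    """Walk referrals from `start`. Returns (rdata list, cache, servers asked in order).
    The cache only ever holds records the asked server is authoritative for."""
    cache, trace, server = {}, [], start
    for _ in range(MAX_REFERRALS):
        trace.append(server)
        resp = query(server, qname, qtype)
        zones = SERVERS[server]["zones"]
        # Bailiwick rule: trust a record only if its owner is under a zone the
        # server we asked serves. This keeps padded records out of the cache.
        for owner, rtype, rdata in resp["answer"] + resp["authority"] + resp["additional"]:
            if any(in_zone(owner, z) for z in zones):
                cache.setdefault((owner, rtype), []).append(rdata)
        if resp["answer"]:
            return [r for _, _, r in resp["answer"]], cache, trace
        if not resp["authority"]:
            raise LookupError(f"{server}: no answer and no referral for {qname}")
        # Follow the referral to the first nameserver we hold trusted glue for.
        # (A real resolver would otherwise resolve the NS name itself, from the root.)
        glued = [ns for _, _, ns in resp["authority"] if (ns, "A") in cache]
        if not glued:
            raise LookupError(f"{server}: referral without usable glue for {qname}")
        server = glued[0]
    raise LookupError(f"{qname}: more than {MAX_REFERRALS} referrals, giving up")


if __name__ == "__main__":
    addrs, cache, trace = resolve("www.example.com.", "A")
    print(" -> ".join(trace), "=>", addrs)
    print("poison cached?", ("www.example.net.", "A") in cache)
```

Running it prints the same three-server path the dig session above walks by hand, and confirms the out-of-zone record never reached the cache. The referral counter is the other guard a real resolver needs: a delegation that points back at itself would otherwise spin forever.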
Related
When setting up Google Adsense or Gmail as a site owner, you are required to modify a CNAME record for verification. Microsoft does the same thing.
I am building a website where I would like an owner of a group to verify ownership of a domain in the same way. How do I accomplish this?
There are lots of ways to do this. Listed in order of preference:
microid
whois (check email address and/or name)
OpenID w/ delegation
DNS TXT (or CNAME if you must)
Insert HTML comment <!-- verify code --> into main page
I would recommend implementing some combination of these. The last one should be a measure of last resort for people who can't insert things into the <head> section of their sites. Done well, many users might be able to claim ownership of their domain without having to take any action at all, provided they've supplied you with an email address already.
For the specific issue of getting DNS information, try this:
$ dig TXT google.com
; <<>> DiG 9.4.3-P3 <<>> TXT google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4045
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;google.com. IN TXT
;; ANSWER SECTION:
google.com. 3600 IN TXT "v=spf1 include:_netblocks.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
;; Query time: 131 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sat Oct 24 16:50:56 2009
;; MSG SIZE rcvd: 122
This particular query gives you the SPF entries for google.com. You could just as easily do:
dig TXT verify.example.com
Then check the confirmation code in the answer section.
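Checking "the confirmation code in the answer section" is where most of the security of this scheme lives, so here is the server side of the DNS TXT option as an added example (not the page's code and not any provider's implementation). Two things matter: the token must be bound to the claiming account and to the domain being claimed, so a token copied out of somebody else's zone proves nothing, and the comparison must be constant-time. `SERVER_SECRET`, the `site-verify=` label and the hypothetical `verify.<domain>` query name are assumptions made for this example. The TXT data is passed in already looked up, in the quoted-string form dig prints, because that is what a script scraping `dig TXT verify.example.com` actually has in hand.

```python
# Added example: issuing and checking a domain-ownership token published as a
# TXT record. Not the page's or any provider's code; SERVER_SECRET and the
# "site-verify=" label are assumptions for this example.
import hashlib
import hmac
import re

SERVER_SECRET = b"constructed-example-secret-rotate-me"  # load from a secret store in practice
LABEL = "site-verify="


def issue_token(account_id, domain):
    """Token an account must publish to claim `domain`. Deterministic, so it
    needs no database row, and distinct for every (account, domain) pair."""
    name = domain.lower().rstrip(".")
    mac = hmac.new(SERVER_SECRET, f"{account_id}\0{name}".encode(), hashlib.sha256)
    return LABEL + mac.hexdigest()[:32]  # 128 bits is plenty to stop guessing


def _unescape(s):
    """Undo the backslash escapes of dig's text form: \\" , \\\\ and \\DDD."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            digits = s[i + 1:i + 4]
            if len(digits) == 3 and digits.isdigit():
                out.append(chr(int(digits)))
                i += 4
                continue
            out.append(s[i + 1])
            i += 2
            continue
        out.append(s[i])
        i += 1
    return "".join(out)


def parse_txt_rdata(rdata):
    """Join the <character-string>s of one TXT RR as dig prints it:
    '"site-" "verify=abc"' -> 'site-verify=abc'. Data longer than 255 bytes
    is split into several strings on the wire and must be re-joined."""
    return "".join(_unescape(p) for p in re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))


def verify_domain(account_id, domain, txt_rrset):
    """True if any TXT record in the looked-up RRset carries this account's token
    for this domain. Other records at the name (SPF, DMARC, other users' tokens)
    are simply ignored."""
    expected = issue_token(account_id, domain).encode()
    found = False
    for rdata in txt_rrset:
        # constant-time compare on every candidate; no early exit on the first match
        if hmac.compare_digest(parse_txt_rdata(rdata).encode(), expected):
            found = True
    return found


if __name__ == "__main__":
    token = issue_token("acct-42", "example.com")
    # constructed RRset as dig would print it for the hypothetical verify.example.com
    rrset = ['"v=spf1 -all"', f'"{token[:20]}" "{token[20:]}"']
    print(token, verify_domain("acct-42", "example.com", rrset))
```

The HMAC construction means the service never stores tokens and cannot be tricked into accepting a token issued for a different account or a different domain; the one secret to protect is `SERVER_SECRET`. Treat a positive result as proof of control over the DNS zone at that moment, nothing more: re-check periodically, since zones change hands.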
You need to query the DNS server for the CNAME record of that domain. It can be as simple as using dig/nslookup/etc. and scraping data from it, or using the name-resolving capabilities of your platform/language.
You might also be aware of this technique and already dismissed it (since this really shows who has control over a site rather than a domain as you specify), but you could ask the person to place a file of a specific name and content on the root level of the domain.
For example:
http://www.blahdeblah.net/verify.txt
The one advantage is that once they do this you don't have to wait for changes to propagate; it's immediate.
From the output I can understand there were no errors, yet there isn't any answer section to the query. Just to be sure the right question was even asked:
dig +norecurse @s.nic.dk MX www.dtu.dk
parsing this as:
"without recursion, query dtu mail exchange servers through the nameserver s.nic.dk"
Is the query not supposed to return nameservers of dtu MX?
No, it isn't supposed to, because you are asking the authoritative name server of the TLD (s.nic.dk) for the answer. It does not have this answer, but gives you the details of the name servers that do: that is why you receive the authority section (and additional section).
However, even if you do query the authoritative name servers (for example: @dns1.dtu.dk) there is no MX record for the domain name www.dtu.dk, but rather for dtu.dk. Which means your query should be: dig @dns1.dtu.dk MX dtu.dk.
Note that the addition of +norecurse shouldn't make a difference when you're querying an authoritative name server directly.
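The confusion in this question (an AUTHORITY section but no ANSWER section) and the earlier suggestion to script verification by "scraping data" from dig both come down to reading dig's output mechanically. Here is an added example, not from the page or from any project, that parses dig's text output into sections and labels the reply the way a resolver would: an answer, a referral ("not mine, ask these servers", which is what a TLD server such as s.nic.dk returns), or NODATA (the name exists but has no record of that type, which is what the authoritative server returns for MX at a www name). The first sample is the TXT lookup printed further up the page; the other two are constructed here: a .com referral built from the example.com delegation shown in the first answer with a made-up header, and a NODATA reply from an invented example.com server.

```python
# Added example: classify dig's text output. Not the page's code; SPF_OUTPUT is
# the dig session shown on the page, REFERRAL_OUTPUT and NODATA_OUTPUT are
# constructed samples (headers invented) in the same format.
import re

SPF_OUTPUT = """\
; <<>> DiG 9.4.3-P3 <<>> TXT google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4045
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;google.com. IN TXT
;; ANSWER SECTION:
google.com. 3600 IN TXT "v=spf1 include:_netblocks.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
;; Query time: 131 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
"""

# constructed: what a .com server says when asked for www.example.com (no aa flag, NS in AUTHORITY)
REFERRAL_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.example.com. IN A
;; AUTHORITY SECTION:
example.com. 172800 IN NS a.iana-servers.net.
example.com. 172800 IN NS b.iana-servers.net.
;; ADDITIONAL SECTION:
a.iana-servers.net. 172800 IN A 199.43.132.53
b.iana-servers.net. 172800 IN A 193.0.0.236
"""

# constructed: an authoritative server asked for MX at a name that only has an A record
NODATA_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.example.com. IN MX
;; AUTHORITY SECTION:
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
"""


def parse_dig(text):
    """Parse dig output into {"status", "flags", "sections"}; each record in a
    section is (owner, ttl, class, type, rdata). Question lines start with ';'
    in dig's format, so they are skipped like every other comment line."""
    result = {"status": None, "flags": [], "sections": {}}
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith(";; ->>HEADER<<-"):
            result["status"] = re.search(r"status: (\w+)", line).group(1)
            continue
        if line.startswith(";; flags:"):
            result["flags"] = re.search(r"flags: ([^;]*);", line).group(1).split()
            continue
        m = re.match(r";; (\w+) SECTION", line)
        if m:
            section = m.group(1)
            result["sections"][section] = []
            continue
        if not line or line.startswith(";") or section is None:
            continue
        parts = line.split(None, 4)
        if len(parts) == 5:
            owner, ttl, cls, rtype, rdata = parts
            result["sections"][section].append((owner, int(ttl), cls, rtype, rdata))
    return result


def classify(parsed):
    """Say what the server told us, the way a resolver would read it."""
    status, flags, s = parsed["status"], parsed["flags"], parsed["sections"]
    auth_types = {r[3] for r in s.get("AUTHORITY", [])}
    if status == "NXDOMAIN":
        return "NXDOMAIN"        # the name does not exist at all
    if status not in (None, "NOERROR"):
        return status            # SERVFAIL, REFUSED, ...: nothing to interpret
    if s.get("ANSWER"):
        return "ANSWER"
    if "NS" in auth_types and "aa" not in flags:
        return "REFERRAL"        # "not mine, ask these servers": what a TLD server says
    if "SOA" in auth_types:
        return "NODATA"          # name exists, no record of the asked type
    return "EMPTY"               # nothing usable; treat as a lookup failure


if __name__ == "__main__":
    for label, text in (("spf", SPF_OUTPUT), ("referral", REFERRAL_OUTPUT), ("nodata", NODATA_OUTPUT)):
        print(label, classify(parse_dig(text)))
```

A REFERRAL is not an error: it is the TLD server doing its job, and the next query goes to the names in the AUTHORITY section. NODATA from a server with the aa flag set is the definitive "no MX here" of the second answer.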
Closed 12 months ago.
I read a document which says that a host with a complicated hostname can have one or more alias names. For example, relay1.west-coast.media.com is a canonical hostname whereas media.com is an alias. They both are related with each other by 'A' record and 'CNAME' record in DNS system follows:
media.com CNAME relay1.west-coast.media.com
relay1.west-coast.media.com A 210.23.25.32
What makes us use the complicated canonical hostname? Can't we simply associate alias with the ip address by adding record 'A' in the DNS system as follows:
media.com A 210.23.25.32
CNAME entries are useful when running multiple services on a single server. For example you could point www.media.com, ftp.media.com, and mud.media.com all to relay1.west-coast.media.com.
That way if the IP address of relay1... ever needed to change, it would be a single update to the A record instead of multiple.
Yes, you can.
First, as Lanexbg explained your specific example is wrong since you can not have a CNAME at apex (root) of the zone because by definition a CNAME record can not coexist with anything else (we will forget about the exceptions here) and at apex you need to have SOA and NS records for your zone to work correctly.
So let us just instead use the appropriate names for configuration/documentation needs and discuss about the difference between www.example.com A and www.example.com CNAME www.example.net + www.example.net A
The end result of the www.example.com A resolution would be the same for an end user, besides various points that can be neglected on a first approach (like performance issues).
If you are maintaining both the authoritative nameservers for example.com and example.net you are free to choose between the two cases. As Chris Meueur noted, the big difference is when you need to change the data (IPv4 address) of the A record. In the first case you will need to change it as many times as you have records for it where in the second case you will need to change it only once, and all other records having a CNAME pointing to www.example.net will get automatically updated.
CNAME have their drawbacks too: they can influence performance, you need to avoid chains of them and even more loops, they can not be used everywhere in the same way as a name in an A record, etc.
So it is a compromise.
But there is another case to take into account: if you are the administrator of example.com but not of example.net. ExampleNET Inc. could be a big hosting company, or a CDN. You want to use their services for your www.example.com website. If they give you an A record to put in your zone they have the problem that they will basically never be able to change it if they need because all their clients will have its current value hardcoded in all their zonefiles, so that is a big problem against agility, and sometimes you need to be able to renumber in a hurry, like during a DDoS attack.
Instead if they advise you to do a CNAME, they would be free to change their A record without anything else having anything to do and with the results "immediately" applied to everyone.
This is a very common case, specifically for CDN.
Among many others see this live example when asking for www.microsoft.com:
;; ANSWER SECTION:
www.microsoft.com. 3600 IN CNAME www.microsoft.com-c-3.edgekey.net.
www.microsoft.com-c-3.edgekey.net. 20499 IN CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net.
www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net. 3600 IN CNAME e13678.dspb.akamaiedge.net.
e13678.dspb.akamaiedge.net. 3600 IN A 23.67.120.106
(of course advanced setups can also be enabled for load-balancing and/or fail-over and/or varying the result based on the geography of the source).
This is not the only way to do it (for example, instead, they could have asked you to change the authoritative nameservers for your example.com zone so that they could control it), and it has limits too (the most important one being the one outlined at the beginning: you could not put a CNAME at apex so if you wanted also a website on http://example.com/ (note the lack of www) you would need other solutions).
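The rules this answer lays out (no CNAME at the apex, a CNAME cannot share its owner name with other data, avoid chains, never loops) are easy to state and easy to break in a zone file that has grown for years. The following is an added example, not the page's or any project's code: a small lint that checks those rules over the records of one zone. The zone text is constructed for the example, in a reduced "owner TTL IN TYPE rdata" form with fully qualified names, and is arranged so that each problem the lint knows about appears once. The hop limit `MAX_CHAIN` is a choice made here, not a protocol constant.

```python
# Added example: CNAME lint for one zone. Not the page's code; ZONE_TEXT is a
# constructed zone and MAX_CHAIN is an arbitrary policy setting for the example.

MAX_CHAIN = 2  # hops allowed before the chain is flagged as worth flattening

# constructed example zone; every problem the lint knows about appears once
ZONE_TEXT = """
example.com.       3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com.       3600 IN NS    ns1.example.com.
example.com.       3600 IN CNAME www.example.net.     ; apex CNAME: collides with SOA/NS
ns1.example.com.   3600 IN A     192.0.2.53
www.example.com.   3600 IN CNAME www.example.net.     ; external target: fine
ftp.example.com.   3600 IN CNAME www.example.com.     ; 2 hops to an address: allowed
mud.example.com.   3600 IN CNAME ftp.example.com.     ; 3 hops: too long
mail.example.com.  3600 IN CNAME ftp.example.com.
mail.example.com.  3600 IN MX    10 mx.example.com.   ; CNAME and MX at one owner
a.example.com.     3600 IN CNAME b.example.com.
b.example.com.     3600 IN CNAME a.example.com.       ; loop
old.example.com.   3600 IN CNAME gone.example.com.    ; in-zone target that does not exist
mx.example.com.    3600 IN A     192.0.2.25
"""


def parse_zone(text):
    """Return [(owner, ttl, type, rdata)] from the reduced zone text; comments stripped."""
    out = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        out.append((owner.lower(), int(ttl), rtype.upper(), rdata.strip()))
    return out


def check_cnames(records, origin):
    """Return a sorted list of (owner, problem-code) pairs for the zone `origin`."""
    origin = origin.lower()
    by_owner = {}
    for owner, _ttl, rtype, rdata in records:
        by_owner.setdefault(owner, []).append((rtype, rdata))
    problems, cname_of = set(), {}
    for owner, rrs in by_owner.items():
        cnames = [rdata.lower() for rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            continue
        cname_of[owner] = cnames[0]
        if owner == origin:
            problems.add((owner, "cname-at-apex"))
        if any(rtype != "CNAME" for rtype, _ in rrs):
            # DNSSEC records (RRSIG/NSEC) are the exception a real lint would allow
            problems.add((owner, "cname-with-other-data"))
        if len(cnames) > 1:
            problems.add((owner, "multiple-cnames"))

    def in_zone(name):
        return name == origin or name.endswith("." + origin)

    for start in cname_of:
        seen, name, hops = {start}, cname_of[start], 1
        while name in cname_of:          # keep following while the target is itself a CNAME
            if name in seen:
                problems.add((start, "cname-loop"))
                break
            seen.add(name)
            name, hops = cname_of[name], hops + 1
        else:                            # chain ended at a non-CNAME name
            if in_zone(name) and name not in by_owner:
                problems.add((start, "dangling-cname"))
            if hops > MAX_CHAIN:
                problems.add((start, "cname-chain-too-long"))
    return sorted(problems)


if __name__ == "__main__":
    for owner, code in check_cnames(parse_zone(ZONE_TEXT), "example.com."):
        print(f"{owner:20} {code}")
```

Targets outside the zone (www.example.net. above) are deliberately not checked for existence: that is the CDN case the answer describes, and whether the other side's name resolves is their responsibility, not a property of your zone file.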
I think media.com could have different sub-domains under the actual domain, for example - www.media.com, ftp.media.com, mud.media.com these are some of the sub-domains under media.com. Each and every sub-domain will have a different IP address also, so if we just point it to media.com A 210.23.25.32, it won't be able to resolve the full query that the user needs.
This morning I tried to visit a website I run, only to see that the DNS lookup failed; this problem is visible on multiple devices and browsers. This was surprising to me - things were running fine yesterday. What are some possible causes for why a website's DNS can just stop resolving?
The specific domain I'm working with is candocomputing.com. [Warning: commercial link]
Answer from 192.5.6.30 (a.gtld-servers.net):
;; QUESTION SECTION (1 record)
;; candocomputing.com. IN A
;; AUTHORITY SECTION (2 records)
candocomputing.com. 172800 IN NS ns2.verification-hold.suspended-domain.com.
candocomputing.com. 172800 IN NS ns1.verification-hold.suspended-domain.com.
According to this, looks like you did not respond to verification email within 15 days after registration and now your domain is suspended.
Two questions from a dns newb:
Is it possible for a subdomain to use a different set of nameservers than its parent domain?
Eg: abc.ca uses ns.whatever.com and ns2.whatever.com, while sub.abc.ca uses ns.anything.com and ns2.anything.com
If this is possible, what is the command to look this up? Would something as simple as this work?
dig ns sub.abc.ca
To be on the safe side you should directly ask the authoritative servers at the parent domain about any NS records for the sub-domain.
% dig +norec @parent sub.example.com. ns
This ensures you'll get the current answer straight from the horse's mouth, rather than whatever happens to be in your local recursive resolver's cache.
Yes, you're spot on. Other options include: host -t NS sub.abc.ca