When I do an nslookup on the net. zone, I get the following output:
nslookup -type=soa net 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
net
origin = a.gtld-servers.net
mail addr = nstld.verisign-grs.com
serial = 1542217316
refresh = 1800
retry = 900
expire = 604800
minimum = 86400
Authoritative answers can be found from:
This means that in order to get DNS records for the net. zone, one should query the DNS Server a.gtld-servers.net. However, the IP Address of a.gtld-servers.net is not given. This results in a catch-22, because in order to get the IP address of any subzone in the net. zone, one should query a.gtld-servers.net.
So my question is, how to get out of this catch-22? How can I get the IP address of a.gtld-servers.net without having to do another DNS request?
The root server addresses can be found in a file downloaded from iana
This means that in order to get DNS records for the net. zone, one should query the DNS Server a.gtld-servers.net
You could, and at least initially, probably would, but the root servers don't move around frequently, so once you got the ip address for .net server, for example, you would use the cached value.
first of all I should mention that I'm fairly new to the world of DNS. I've purchased a VPS plan and I'm trying to run a web server and also a custom mail server (postfix and dovecot combination), which turns out to be a real pain. I'm aware of the fact that I can make my life easier by using Google App services but nonetheless I want to be able to do it myself.
I'm stuck with so called DNS records and as far as my understanding goes I should first of all create an A record for my mail.mydomain.com and afterwards a MX record, am I right? I checked every option my hosting provider provides, but unfortunately I couldn't find anything.
If I run:
nslookup -q=mx mydomain.com
it gives me:
Non-authoritative answer:
mydomain.com mail exchanger = 10 mail.mydomain.com
and for "Authoritative answers" I get nothing.
So first question: "'Authoritative answers' are answers from mydomain.com itself and to be able to give such answers I should run my own DNS Name Server and have so called 'zones file' in which I have these records setup, am I right?".
And following question would be: "to be able to do it I should have 'bind' software package installed, right?".
Another question: "if haven't done any of it how come I get 'Non-authoritative answer' for my MX query? Does it mean I already have one MX record from my service provider?".
And the last question would be, since it is for a custom mail server and if you are familiar with it: "could you tell me why do I have to have a reversed domain record (I think it is called PTR) in order to avoid my mail get landed in spam folder?"
You got Non-authoritative answer because you did not query records from name servers of the domain, and the results may contain IPs.
This result is similar as yours.
$ nslookup -q=mx google.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
google.com mail exchanger = 30 alt2.aspmx.l.google.com.
google.com mail exchanger = 20 alt1.aspmx.l.google.com.
google.com mail exchanger = 40 alt3.aspmx.l.google.com.
google.com mail exchanger = 50 alt4.aspmx.l.google.com.
google.com mail exchanger = 10 aspmx.l.google.com.
Authoritative answers can be found from:
alt3.aspmx.l.google.com internet address = 173.194.204.26
alt4.aspmx.l.google.com internet address = 74.125.141.26
alt2.aspmx.l.google.com internet address = 173.194.219.27
aspmx.l.google.com internet address = 74.125.25.26
alt1.aspmx.l.google.com internet address = 74.125.193.27
So we can find name servers of the targeted domain.
$ nslookup -q=ns google.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
google.com nameserver = ns3.google.com.
google.com nameserver = ns1.google.com.
google.com nameserver = ns2.google.com.
google.com nameserver = ns4.google.com.
Authoritative answers can be found from:
ns3.google.com internet address = 216.239.36.10
ns2.google.com internet address = 216.239.34.10
ns1.google.com internet address = 216.239.32.10
ns4.google.com internet address = 216.239.38.10
Then we can get authoritative answer.
$ nslookup -q=mx google.com ns1.google.com
Server: ns1.google.com
Address: 216.239.32.10#53
google.com mail exchanger = 40 alt3.aspmx.l.google.com.
google.com mail exchanger = 10 aspmx.l.google.com.
google.com mail exchanger = 30 alt2.aspmx.l.google.com.
google.com mail exchanger = 50 alt4.aspmx.l.google.com.
google.com mail exchanger = 20 alt1.aspmx.l.google.com.
As the sample you posted, you can confirm if mail.mydomain.com has pointed to a IP ( so called A record ), and mail related services maight be OK if there are correct MX & A records.
You should find out name servers of your domain before you maintain the DNS records.
I guess your service provider ( or someone else ) have set up MX record of your domain, you may get more answers from your service provider.
I perform nslookup on a non-local address, say Google. On my machine (running Ubuntu 12.10), I get this as a result:
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: www.google.com
Address: 173.194.37.52
Name: www.google.com
Address: 173.194.37.48
Name: www.google.com
Address: 173.194.37.49
Name: www.google.com
Address: 173.194.37.50
Name: www.google.com
Address: 173.194.37.51
I'm trying to understand this. I assume the list of addresses under "Non-authoritative answer" are all of the possible addresses that google.com is using, but why is it listing my local host information at the top? Also, is nslookup querying a local machine, or only the DNS server?
I was looking at this link to explain nslookup, but it's for Windows and I'm not sure that I understand what they're doing there.
I've also consulted the man pages, but those just tell me how to use nslookup, not any of the "theory" behind it. Would somebody mind explaining exactly where nslookup queries, preferably using an example, in order?
I'd appreciate it.
It queries wherever the appropriate values in /etc/resolv.conf tell it to. In this case it is pointing to the local machine, which is most likely acting as a caching or proxy DNS server. Use netstat to find out which program is listening on port 53.
I installed Virtualmin GPL on CentOS 6.2. The hostname of the machine is srv01.[mydomain.tld] (where [mydomain.td] is an actual registered domain). On the server I have only 1 IP, so I assigned it to both ns1.[mydomain.tld] and ns2.[mydomain.tld]. After this I updated the nameserver details for my domain on the domain registrar and pointed both ns1 and ns2 to the IP of the server.
The first issue I received was BIND-chroot issue, and after searching on the net, I removed BIND from chroot and BIND started. At this stage I was sure that everything will work normal, so I created a virtual server for [mydomain.tld]. At this point, I was sure that I can now access my site using the domain name.
So I opened network-tools.com and tried to perform a tracert for [mydomain.tld] but it failed to resolve the domain name and following are the details from the page:
Retrieving DNS records for [mydomain.tld]...
DNS servers
ns1.[mydomain.tld] [1.2.3.4]
Query for DNS records for [mydomain.tld] failed: Timed out
Whois query for [mydomain.tld]...
I tried to ping srv01.[mydomain.tld] and failed. Then I tried to ping ns1.[mydomain.tld] and it worked. My first guess was that maybe the NS on my server isn’t working, so I SSHed and performed nslookup google.com:
$ nslookup google.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: google.com
Address: 173.194.33.39
I think that the NS is working properly on my server. After this, I performed:
$ nslookup [mydomain.tld]
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: [mydomain.tld]
Address: IP
It looks like the server is resolving the name properly locally, but not working on the Internet. I also checked all the Zone records for [mydomain.tld] and it contains the following records:
[mydomain.tld]. -- NS -- ns1.[mydomain.tld].
[mydomain.tld]. -- NS -- ns2.[mydomain.tld].
[mydomain.tld]. -- A -- IP
www.[mydomain.tld]. -- A -- IP
ns1.[mydomain.tld]. -- A -- IP
ns2.[mydomain.tld]. -- A -- IP
plus A records for subdomains ftp.[mydomain.tld], m.[mydomain.tld], localhost.[mydomain.tld], webmail.[mydomain.tld], admin.[mydomain.tld] and mail.[mydomain.tld] pointing to the server’s IP, plus MX and SPF records.
To troubleshoot it from the beginning to the end, do the following
Find address of your TLD nameservers: dig TLD NS
Find how your domain authoritative nameservers configured in the TLD: dig #[one-of-tld-nameservers] [mydomain.tld] NS. You expect to get your authoritative servers: ns1.[mydomain.tld] and ns2.[mydomain.tld] and their IP addresses (which are both pointing to your single IP). If this is NOT what you get, your problem is that you did not register your authoritative servers with your registrar.
Query your server: dig #[your IP] www.[mydomain.tld] if you request times-out, port 53 on your server is unreachable for some reason. Since it IS reachable locally, it could be firewall or NAT issue.
Now to various specifics of your question:
I tried to ping srv01.[mydomain.tld] and failed...
In the zone records in your post I don't see a record for srv01. Ping will not be able to resolve srv01 without appropriate DNS record.
Timed out Whois query for [mydomain.tld]...
Whois have nothing to do with DNS resolution, I presume it's DNS and not Whois. It seems that the nameserver defined as authoritative for mydomain.tld is not accessible.
I tried to ping ns1.[mydomain.tld] and VOLA it worked
I'm not sure, but possibly your DNS resolver knows the address ns1.[mydomain.tld] from TLD nameservers, and NOT from authoritative nameserver (also I'm not sure whether it's correct behavior or not).
Conlusion: my best guess is that port 53 of your server is not accessible from the internet.
How can I find the origins of conflicting DNS records?
You'll want the SOA (Start of Authority) record for a given domain name, and this is how you accomplish it using the universally available nslookup command line tool:
command line> nslookup
> set querytype=soa
> stackoverflow.com
Server: 217.30.180.230
Address: 217.30.180.230#53
Non-authoritative answer:
stackoverflow.com
origin = ns51.domaincontrol.com # ("primary name server" on Windows)
mail addr = dns.jomax.net # ("responsible mail addr" on Windows)
serial = 2008041300
refresh = 28800
retry = 7200
expire = 604800
minimum = 86400
Authoritative answers can be found from:
stackoverflow.com nameserver = ns52.domaincontrol.com.
stackoverflow.com nameserver = ns51.domaincontrol.com.
The origin (or primary name server on Windows) line tells you that ns51.domaincontrol is the main name server for stackoverflow.com.
At the end of output all authoritative servers, including backup servers for the given domain, are listed.
You used the singular in your question but there are typically several authoritative name servers, the RFC 1034 recommends at least two.
Unless you mean "primary name server" and not "authoritative name server". The secondary name servers are authoritative.
To find out the name servers of a domain on Unix:
% dig +short NS stackoverflow.com
ns52.domaincontrol.com.
ns51.domaincontrol.com.
To find out the server listed as primary (the notion of "primary" is quite fuzzy these days and typically has no good answer):
% dig +short SOA stackoverflow.com | cut -d' ' -f1
ns51.domaincontrol.com.
To check discrepencies between name servers, my preference goes to the old check_soa tool, described in Liu & Albitz "DNS & BIND" book (O'Reilly editor). The source code is available in http://examples.oreilly.com/dns5/
% check_soa stackoverflow.com
ns51.domaincontrol.com has serial number 2008041300
ns52.domaincontrol.com has serial number 2008041300
Here, the two authoritative name servers have the same serial number. Good.
On *nix:
$ dig -t ns <domain name>
You could find out the nameservers for a domain with the "host" command:
[davidp#supernova:~]$ host -t ns stackoverflow.com
stackoverflow.com name server ns51.domaincontrol.com.
stackoverflow.com name server ns52.domaincontrol.com.
I found that the best way it to add always the +trace option:
dig SOA +trace stackoverflow.com
It works also with recursive CNAME hosted in different provider. +trace trace imply +norecurse so the result is just for the domain you specify.
The term you should be googling is "authoritative," not "definitive".
On Linux or Mac you can use the commands whois, dig, host, nslookup or several others. nslookup might also work on Windows.
An example:
$ whois stackoverflow.com
[...]
Domain servers in listed order:
NS51.DOMAINCONTROL.COM
NS52.DOMAINCONTROL.COM
As for the extra credit: Yes, it is possible.
aryeh is definitely wrong, as his suggestion usually will only give you the IP address for the hostname. If you use dig, you have to look for NS records, like so:
dig ns stackoverflow.com
Keep in mind that this may ask your local DNS server and thus may give wrong or out-of-date answers that it has in its cache.
We've built a dns lookup tool that gives you the domain's authoritative nameservers and its common dns records in one request.
Example: https://www.misk.com/tools/#dns/stackoverflow.com
Our tool finds the authoritative nameservers by performing a realtime (uncached) dns lookup at the root nameservers and then following the nameserver referrals until we reach the authoritative nameservers. This is the same logic that dns resolvers use to obtain authoritative answers. A random authoritative nameserver is selected (and identified) on each query allowing you to find conflicting dns records by performing multiple requests.
You can also view the nameserver delegation path by clicking on "Authoritative Nameservers" at the bottom of the dns lookup results from the example above.
Example: https://www.misk.com/tools/#dns/stackoverflow.com#f.root-servers.net
You can use the whois service. On a UNIX like operating system you would execute the following command. Alternatively you can do it on the web at http://www.internic.net/whois.html.
whois stackoverflow.com
You would get the following response.
...text removed here...
Domain servers in listed order:
NS51.DOMAINCONTROL.COM
NS52.DOMAINCONTROL.COM
You can use nslookup or dig to find out more information about records for a given domain. This might help you resolve the conflicts you have described.
I have found that for some domains, the above answers do not work. The quickest way I have found is to first check for an NS record. If that doesn't exist, check for an SOA record. If that doesn't exist, recursively resolve the name using dig and take the last NS record returned. An example that fits this is analyticsdcs.ccs.mcafee.com.
Check for an NS record
host -t NS analyticsdcs.ccs.mcafee.com.
If no NS found, check for an SOA record
host -t SOA analyticsdcs.ccs.mcafee.com.
If neither NS or SOA, do full recursive and take the last NS returned
dig +trace analyticsdcs.ccs.mcafee.com. | grep -w 'IN[[:space:]]*NS' | tail -1
Test that the name server returned works
host analyticsdcs.ccs.mcafee.com. gtm2.mcafee.com.
An easy way is to use an online domain tool. My favorite is Domain Tools (formerly whois.sc). I'm not sure if they can resolve conflicting DNS records though. As an example, the DNS servers for stackoverflow.com are
NS51.DOMAINCONTROL.COM
NS52.DOMAINCONTROL.COM
SOA records are present on all servers further up the hierarchy, over which the domain owner has NO control, and they all in effect point to the one authoritative name server under control of the domain owner.
The SOA record on the authoritative server itself is, on the other hand, not strictly needed for resolving that domain, and can contain bogus info (or hidden primary, or otherwise restricted servers) and should not be relied on to determine the authoritative name server for a given domain.
You need to query the server that is authoritative for the top level domain to obtain reliable SOA information for a given child domain.
(The information about which server is authoritative for which TLD can be queried from the root name servers).
When you have reliable information about the SOA from the TLD authoritative server, you can then query the primary name server itself authoritative (the one thats in the SOA record on the gTLD nameserver!) for any other NS records, and then proceed with checking all those name servers you've got from querying the NS records, to see if there is any inconsistency for any other particular record, on any of those servers.
This all works much better/reliable with linux and dig than with nslookup/windows.
Unfortunately, most of these tools only return the NS record as provided by the actual name server itself. To be more accurate in determining which name servers are actually responsible for a domain, you'd have to either use "whois" and check the domains listed there OR use "dig [domain] NS #[root name server]" and run that recursively until you get the name server listings...
I wish there were a simple command line that you could run to get THAT result dependably and in a consistent format, not just the result that is given from the name server itself. The purpose of this for me is to be able to query about 330 domain names that I manage so I can determine exactly which name server each domain is pointing to (as per their registrar settings).
Anyone know of a command using "dig" or "host" or something else on *nix?