DNS: dns2-exercise1.txt

File dns2-exercise1.txt, 11.9 KB (added by admin, 9 years ago)
DNS2 Exercise 1

Line
1	Exercise 2.1: Debugging nameservers using dig +norec
2	====================================================
3
4	You do NOT need to be root to run this exercise. NOTE: it is very good
5	practice to put a trailing dot after every hostname - this prevents the
6	default domain from `/etc/resolv.conf` being appended.
7
8	This example: testing __www.tiscali.co.uk.__
9
10	1. Make a query starting at a root nameserver
11	---------------------------------------------
12
13	The root servers are called `[a-m].root-servers.net.` - pick any one to
14	start.
15
16	$ dig +norec @a.root-servers.net. www.tiscali.co.uk. a
17
18	; <<>> DiG 9.3.1 <<>> +norec @a.root-servers.net. www.tiscali.co.uk. a
19	; (1 server found)
20	;; global options: printcmd
21	;; Got answer:
22	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5252
23	;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 10
24
25	;; QUESTION SECTION:
26	;www.tiscali.co.uk. IN A
27
28	;; AUTHORITY SECTION:
29	uk. 172800 IN NS NS1.NIC.uk.
30	uk. 172800 IN NS NS2.NIC.uk.
31	uk. 172800 IN NS NS4.NIC.uk.
32	uk. 172800 IN NS NS3.NIC.uk.
33	uk. 172800 IN NS NS5.NIC.uk.
34	uk. 172800 IN NS NSA.NIC.uk.
35	uk. 172800 IN NS NSB.NIC.uk.
36	uk. 172800 IN NS NS6.NIC.uk.
37	uk. 172800 IN NS NS7.NIC.uk.
38
39	;; ADDITIONAL SECTION:
40	NS1.NIC.uk. 172800 IN A 195.66.240.130
41	NS2.NIC.uk. 172800 IN A 217.79.164.131
42	NS4.NIC.uk. 172800 IN AAAA 2001:630:181:35::83
43	NS4.NIC.uk. 172800 IN A 194.83.244.131
44	NS3.NIC.uk. 172800 IN A 213.219.13.131
45	NS5.NIC.uk. 172800 IN A 213.246.167.131
46	NSA.NIC.uk. 172800 IN A 204.74.112.44
47	NSB.NIC.uk. 172800 IN A 204.74.113.44
48	NS6.NIC.uk. 172800 IN A 213.248.254.130
49	NS7.NIC.uk. 172800 IN A 212.121.40.130
50
51	;; Query time: 98 msec
52	;; SERVER: 198.41.0.4#53(198.41.0.4)
53	;; WHEN: Mon May 16 12:34:06 2005
54	;; MSG SIZE rcvd: 373
55
56	Note: We only got back NS records (plus some related information - the A
57	records which correspond to those nameservers). This is a REFERRAL.
58
59	In theory we should repeat this query for `b.root-servers.net`,
60	`c.root-servers.net` ... and check we get the same answers. Occasionally
61	you _might_ find inconsistencies between root servers, but it's rare.
62
63	2. Note the nine nameservers we saw in the response
64	---------------------------------------------------
65
66	(Remember that DNS names are not case sensitive. We also get them back in a
67	random order; this doesn't matter because we are going to try every one
68	anyway)
69
70	> ns1.nic.uk.
71	> ns2.nic.uk.
72	> ns3.nic.uk.
73	> ns4.nic.uk.
74	> ns5.nic.uk.
75	> ns6.nic.uk.
76	> ns7.nic.uk.
77	> nsA.nic.uk.
78	> nsB.nic.uk.
79
80	3. Repeat the query for all NS records in turn
81	----------------------------------------------
82
83	$ dig +norec @ns1.nic.uk. www.tiscali.co.uk. a
84
85	; <<>> DiG 9.3.1 <<>> +norec @ns1.nic.uk. www.tiscali.co.uk. a
86	; (1 server found)
87	;; global options: printcmd
88	;; Got answer:
89	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28452
90	;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
91
92	;; QUESTION SECTION:
93	;www.tiscali.co.uk. IN A
94
95	;; AUTHORITY SECTION:
96	tiscali.co.uk. 172800 IN NS ns0.as9105.com.
97	tiscali.co.uk. 172800 IN NS ns0.tiscali.co.uk.
98
99	;; ADDITIONAL SECTION:
100	ns0.tiscali.co.uk. 172800 IN A 212.74.114.132
101
102	;; Query time: 20 msec
103	;; SERVER: 195.66.240.130#53(195.66.240.130)
104	;; WHEN: Mon May 16 12:37:23 2005
105	;; MSG SIZE rcvd: 97
106
107
108	$ dig +norec @ns2.nic.uk. www.tiscali.co.uk. a
109	... results snipped to save paper
110
111	$ dig +norec @ns3.nic.uk. www.tiscali.co.uk. a
112	... results snipped to save paper
113	... etc
114
115	Check the results are consistent!
116
117	Note: if a server is authoritative for both a domain and a subdomain, it
118	will immediately return the result for the subdomain. This is OK. In this
119	example, the same servers are authoritative for both `.uk` and `.co.uk`,
120	so they can delegate us immediately to the servers for `tiscali.co.uk`, taking
121	us down two levels of the DNS hierarchy in one go.
122
123	You can see here that we are getting another delegation, this time to two
124	other nameservers:
125
126	> ns0.as9105.com
127	> ns0.tiscali.co.uk
128
129	4. Continue to repeat the query for all NS records found in step 3
130	------------------------------------------------------------------
131
132	$ dig +norec @ns0.tiscali.co.uk. www.tiscali.co.uk. a
133
134	; <<>> DiG 9.3.1 <<>> +norec @ns0.tiscali.co.uk. www.tiscali.co.uk. a
135	; (1 server found)
136	;; global options: printcmd
137	;; Got answer:
138	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35827
139	;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
140
141	;; QUESTION SECTION:
142	;www.tiscali.co.uk. IN A
143
144	;; ANSWER SECTION:
145	www.tiscali.co.uk. 3600 IN A 212.74.101.10
146
147	;; AUTHORITY SECTION:
148	tiscali.co.uk. 3600 IN NS ns0.as9105.com.
149	tiscali.co.uk. 3600 IN NS ns0.tiscali.co.uk.
150
151	;; ADDITIONAL SECTION:
152	ns0.as9105.com. 2419200 IN A 212.139.129.130
153	ns0.tiscali.co.uk. 2419200 IN A 212.74.114.132
154
155	;; Query time: 21 msec
156	;; SERVER: 212.74.114.132#53(212.74.114.132)
157	;; WHEN: Mon May 16 12:40:00 2005
158	;; MSG SIZE rcvd: 129
159
160
161	$ dig +norec @ns0.as9105.com. www.tiscali.co.uk. a
162	...
163	;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
164	...
165	;; ANSWER SECTION:
166	www.tiscali.co.uk. 3600 IN A 212.74.101.10
167
168	This time, instead of getting another delegation, we have found the answer
169	we are looking for. Note that the nameservers are both giving authoritative
170	answers (`flags: aa`), and the results are the same. Also note that the
171	'AUTHORITY SECTION' in the response has the same list of nameservers as we
172	used to perform the query. (This second set of NS records are contained
173	within the authoritative server itself, as opposed to the delegation from
174	above)
175
176	5. Checklist
177	------------
178
179	* Were all the nameservers reachable?
180	* Were there at least two nameservers on two different subnets?
181	* Did they all give either a referral or an AA (Authoritative Answer)?
182	* Were all the answers the same?
183	* Were the TTL values reasonable?
184	* Does the final list of nameservers in the AUTHORITY SECTION match the
185	list of nameservers in the referral?
186
187	6. Now check the NS records themselves!
188	---------------------------------------
189
190	Notice that every NS record points to the NAME of a host, not an IP
191	address. (It is illegal for an NS record to point at an IP address, it will
192	not work at all)
193
194	However, when we issued a command like `dig @ns0.as9105.com ...`, we were
195	relying on dig converting this name to the correct IP address. It performs a
196	recursive lookup to find the IP address of this server, so that it can send
197	the query there.
198
199	Therefore, you need to start again and check every NS record you found,
200	starting from the root again, in exactly the same way! This is tedious, and
201	usually the top-level servers are right. But it's worth checking your
202	country-level NS records and your own NS records.
203
204	Example: check ns0.as9105.com
205
206	$ dig +norec @a.root-servers.net. ns0.as9105.com. a
207	... referral to [a-m].gtld-servers.net.
208
209	$ dig +norec @a.gtld-servers.net. ns0.as9105.com. a
210	;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
211	;; ANSWER SECTION:
212	ns0.as9105.com. 172800 IN A 212.139.129.130 <====
213
214	;; AUTHORITY SECTION:
215	as9105.com. 172800 IN NS ns0.as9105.com.
216	as9105.com. 172800 IN NS ns0.tiscali.co.uk.
217
218	Notice that here we got an answer - but it is not an authoritative answer!
219	(As well as 'aa' missing, notice that the machine we queried is not one of
220	the machines listed in the 'authority section')
221
222	This is not an error as long as the answer is correct - it's called a "glue
223	record" which we'll discuss later - but we need to continue downwards to
224	find the true authoritative source:
225
226	$ dig +norec @ns0.as9105.com. ns0.as9105.com. a
227	;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
228
229	;; ANSWER SECTION:
230	ns0.as9105.com. 2419200 IN A 212.139.129.130 <====
231
232	;; AUTHORITY SECTION:
233	as9105.com. 600 IN NS ns0.tiscali.co.uk.
234	as9105.com. 600 IN NS ns0.as9105.com.
235
236	;; ADDITIONAL SECTION:
237	ns0.tiscali.co.uk. 2419200 IN A 212.74.114.132
238
239
240	$ dig +norec @ns0.tiscali.co.uk. ns0.as9105.com. a
241	;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
242
243	;; ANSWER SECTION:
244	ns0.as9105.com. 2419200 IN A 212.139.129.130 <====
245
246	;; AUTHORITY SECTION:
247	as9105.com. 600 IN NS ns0.tiscali.co.uk.
248	as9105.com. 600 IN NS ns0.as9105.com.
249
250	;; ADDITIONAL SECTION:
251	ns0.tiscali.co.uk. 2419200 IN A 212.74.114.132
252
253	Now we check:
254
255	* Were all the answers the same? (Yes: 212.139.129.130 from both
256	`a.gtld-servers.net` and the authoritative nameservers)
257	* Did the delegation match the NS records in the authoritative
258	nameservers? (Yes: delegation to `ns0.as9105.com` and
259	`ns0.tiscali.co.uk`, and these records were also given in the
260	'authority section' of the final response)
261
262	Negative answers
263	----------------
264
265	The non-existence of a RR is an important piece of information too. The
266	response you get should look like this:
267
268	$ dig +norec @ns0.tiscali.co.uk. wibble.tiscali.co.uk. a
269	;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51165
270	;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
271
272	;; AUTHORITY SECTION:
273	tiscali.co.uk. 3600 IN SOA ns0.tiscali.co.uk.
274	hostmaster.uk.tiscali.com. 2005051301 10800 3600 604800 3600
275
276	AA is set, but there is nothing in the answer apart from the SOA. The
277	parameters in the SOA are used to work out how much negative caching is
278	allowed. (Old caches use the TTL of the SOA itself; new caches uses the SOA
279	'minimum' value. It's best to set both to the same value. We'll look at the
280	exact format of the SOA record shortly.)
281
282	Meaning of flags (from RFC 1034/RFC 1035)
283	-----------------------------------------
284
285	QR A one bit field that specifies whether this message is a
286	query (0), or a response (1).
287
288	AA Authoritative Answer - this bit is valid in responses,
289	and specifies that the responding name server is an
290	authority for the domain name in question section.
291
292	RD Recursion Desired - this bit may be set in a query and
293	is copied into the response. If RD is set, it directs
294	the name server to pursue the query recursively.
295	Recursive query support is optional.
296
297	RA Recursion Available - this be is set or cleared in a
298	response, and denotes whether recursive query support is
299	available in the name server.
300
301	As well as the lack of 'AA' flag, a good way to spot cached answers
302	is to repeat the query a few times and watch the TTL counting downwards.
303
304	$ dig psg.com.
305	;; ANSWER SECTION:
306	psg.com. 14397 IN A 147.28.0.62
307	^^^^^
308	$ dig psg.com.
309	;; ANSWER SECTION:
310	psg.com. 14384 IN A 147.28.0.62
311	^^^^^