File dns2-exercise1.txt, 11.9 KB (added by admin, 9 years ago)

DNS2 Exercise 1

Exercise 2.1: Debugging nameservers using dig +norec
====================================================

You do NOT need to be root to run this exercise. NOTE: it is very good
practice to put a trailing dot after every hostname - this prevents the
default domain from `/etc/resolv.conf` being appended.

This example: testing __www.tiscali.co.uk.__

1. Make a query starting at a root nameserver
---------------------------------------------

The root servers are called `[a-m].root-servers.net.` - pick any one to
start.

    $ dig +norec @a.root-servers.net. www.tiscali.co.uk. a

    ; <<>> DiG 9.3.1 <<>> +norec @a.root-servers.net. www.tiscali.co.uk. a
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5252
    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 10

    ;; QUESTION SECTION:
    ;www.tiscali.co.uk.             IN      A

    ;; AUTHORITY SECTION:
    uk.                     172800  IN      NS      NS1.NIC.uk.
    uk.                     172800  IN      NS      NS2.NIC.uk.
    uk.                     172800  IN      NS      NS4.NIC.uk.
    uk.                     172800  IN      NS      NS3.NIC.uk.
    uk.                     172800  IN      NS      NS5.NIC.uk.
    uk.                     172800  IN      NS      NSA.NIC.uk.
    uk.                     172800  IN      NS      NSB.NIC.uk.
    uk.                     172800  IN      NS      NS6.NIC.uk.
    uk.                     172800  IN      NS      NS7.NIC.uk.

    ;; ADDITIONAL SECTION:
    NS1.NIC.uk.             172800  IN      A       195.66.240.130
    NS2.NIC.uk.             172800  IN      A       217.79.164.131
    NS4.NIC.uk.             172800  IN      AAAA    2001:630:181:35::83
    NS4.NIC.uk.             172800  IN      A       194.83.244.131
    NS3.NIC.uk.             172800  IN      A       213.219.13.131
    NS5.NIC.uk.             172800  IN      A       213.246.167.131
    NSA.NIC.uk.             172800  IN      A       204.74.112.44
    NSB.NIC.uk.             172800  IN      A       204.74.113.44
    NS6.NIC.uk.             172800  IN      A       213.248.254.130
    NS7.NIC.uk.             172800  IN      A       212.121.40.130

    ;; Query time: 98 msec
    ;; SERVER: 198.41.0.4#53(198.41.0.4)
    ;; WHEN: Mon May 16 12:34:06 2005
    ;; MSG SIZE  rcvd: 373

Note: We only got back NS records (plus some related information - the A
and AAAA records which correspond to those nameservers). The `aa` flag is
not set and the ANSWER count is 0. This is a REFERRAL.

In theory we should repeat this query for `b.root-servers.net`,
`c.root-servers.net` ... and check we get the same answers. Occasionally
you _might_ find inconsistencies between root servers, but it's rare.

2. Note the nine nameservers we saw in the response
---------------------------------------------------

(Remember that DNS names are not case sensitive. We also get them back in a
random order; this doesn't matter because we are going to try every one
anyway)

>     ns1.nic.uk.
>     ns2.nic.uk.
>     ns3.nic.uk.
>     ns4.nic.uk.
>     ns5.nic.uk.
>     ns6.nic.uk.
>     ns7.nic.uk.
>     nsA.nic.uk.
>     nsB.nic.uk.

3. Repeat the query for all NS records in turn
----------------------------------------------

    $ dig +norec @ns1.nic.uk. www.tiscali.co.uk. a

    ; <<>> DiG 9.3.1 <<>> +norec @ns1.nic.uk. www.tiscali.co.uk. a
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28452
    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;www.tiscali.co.uk.             IN      A

    ;; AUTHORITY SECTION:
    tiscali.co.uk.          172800  IN      NS      ns0.as9105.com.
    tiscali.co.uk.          172800  IN      NS      ns0.tiscali.co.uk.

    ;; ADDITIONAL SECTION:
    ns0.tiscali.co.uk.      172800  IN      A       212.74.114.132

    ;; Query time: 20 msec
    ;; SERVER: 195.66.240.130#53(195.66.240.130)
    ;; WHEN: Mon May 16 12:37:23 2005
    ;; MSG SIZE  rcvd: 97


    $ dig +norec @ns2.nic.uk. www.tiscali.co.uk. a
    ... results snipped to save paper

    $ dig +norec @ns3.nic.uk. www.tiscali.co.uk. a
    ... results snipped to save paper
    ... etc

*Check the results are consistent!*

Note: if a server is authoritative for both a domain and a subdomain, it
will answer for the subdomain straight away. This is OK. In this
example, the same servers are authoritative for both `uk.` and `co.uk.`,
so they can delegate us immediately to the servers for `tiscali.co.uk.`,
taking us down two levels of the DNS hierarchy in one go.

You can see here that we are getting another delegation, this time to two
other nameservers:

>     ns0.as9105.com
>     ns0.tiscali.co.uk

Notice that the ADDITIONAL section carries an A record for
`ns0.tiscali.co.uk.` only. That name lies inside the zone being delegated,
so the parent has to supply its address (glue) or nobody could ever reach
the zone. `ns0.as9105.com.` is outside the `.uk` servers' bailiwick, so no
address is offered for it and it has to be looked up separately (see
section 6).

4. Continue to repeat the query for all NS records found in step 3
------------------------------------------------------------------

    $ dig +norec @ns0.tiscali.co.uk. www.tiscali.co.uk. a

    ; <<>> DiG 9.3.1 <<>> +norec @ns0.tiscali.co.uk. www.tiscali.co.uk. a
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35827
    ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.tiscali.co.uk.             IN      A

    ;; ANSWER SECTION:
    www.tiscali.co.uk.      3600    IN      A       212.74.101.10

    ;; AUTHORITY SECTION:
    tiscali.co.uk.          3600    IN      NS      ns0.as9105.com.
    tiscali.co.uk.          3600    IN      NS      ns0.tiscali.co.uk.

    ;; ADDITIONAL SECTION:
    ns0.as9105.com.         2419200 IN      A       212.139.129.130
    ns0.tiscali.co.uk.      2419200 IN      A       212.74.114.132

    ;; Query time: 21 msec
    ;; SERVER: 212.74.114.132#53(212.74.114.132)
    ;; WHEN: Mon May 16 12:40:00 2005
    ;; MSG SIZE  rcvd: 129


    $ dig +norec @ns0.as9105.com. www.tiscali.co.uk. a
    ...
    ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
    ...
    ;; ANSWER SECTION:
    www.tiscali.co.uk.      3600    IN      A       212.74.101.10

This time, instead of getting another delegation, we have found the answer
we are looking for. Note that the nameservers are both giving authoritative
answers (`flags: qr aa`), and the results are the same. Also note that the
'AUTHORITY SECTION' in the response has the *same* list of nameservers as we
used to perform the query. (This second set of NS records comes from the
zone data on the authoritative server itself, the NS records at the zone
apex, as opposed to the delegation NS records held by the parent zone above.)

5. Checklist
------------

*   Were all the nameservers reachable?
*   Were there at least two nameservers on two different subnets?
*   Did they all give either a referral or an AA (Authoritative Answer)?
*   Were all the answers the same?
*   Were the TTL values reasonable?
*   Does the final list of nameservers in the AUTHORITY SECTION match the
    list of nameservers in the referral?

6. Now check the NS records themselves!
---------------------------------------

Notice that every NS record points to the NAME of a host, not an IP
address. (An NS record whose target is written as an IP address is
invalid, and it will not work at all: the target is treated as a domain
name and looked up as one.)

However, when we issued a command like `dig @ns0.as9105.com ...`, we were
relying on dig converting this name to the correct IP address. dig hands
the name to the system's stub resolver (the one configured in
`/etc/resolv.conf`), which performs a recursive lookup to find the IP
address of this server, so that dig can send the query there.

Therefore, you need to start again and check every NS record you found,
starting from the root again, in exactly the same way! This is tedious, and
usually the top-level servers are right. But it's worth checking your
country-level NS records and your own NS records.

Example: check ns0.as9105.com

    $ dig +norec @a.root-servers.net. ns0.as9105.com. a
    ... referral to [a-m].gtld-servers.net.

    $ dig +norec @a.gtld-servers.net. ns0.as9105.com. a
    ;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
    ;; ANSWER SECTION:
    ns0.as9105.com.         172800  IN      A       212.139.129.130     <====

    ;; AUTHORITY SECTION:
    as9105.com.             172800  IN      NS      ns0.as9105.com.
    as9105.com.             172800  IN      NS      ns0.tiscali.co.uk.

Notice that here we got an answer - but it is not an authoritative answer!
(As well as 'aa' missing, notice that the machine we queried is not one of
the machines listed in the 'authority section')

This is not an error as long as the answer is correct - it's called a "glue
record" (an address record the parent zone carries for a nameserver that
lives inside the child zone) which we'll discuss later - but we need to
continue downwards to find the true authoritative source:

    $ dig +norec @ns0.as9105.com. ns0.as9105.com. a
    ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

    ;; ANSWER SECTION:
    ns0.as9105.com.         2419200 IN      A       212.139.129.130     <====

    ;; AUTHORITY SECTION:
    as9105.com.             600     IN      NS      ns0.tiscali.co.uk.
    as9105.com.             600     IN      NS      ns0.as9105.com.

    ;; ADDITIONAL SECTION:
    ns0.tiscali.co.uk.      2419200 IN      A       212.74.114.132


    $ dig +norec @ns0.tiscali.co.uk. ns0.as9105.com. a
    ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

    ;; ANSWER SECTION:
    ns0.as9105.com.         2419200 IN      A       212.139.129.130     <====

    ;; AUTHORITY SECTION:
    as9105.com.             600     IN      NS      ns0.tiscali.co.uk.
    as9105.com.             600     IN      NS      ns0.as9105.com.

    ;; ADDITIONAL SECTION:
    ns0.tiscali.co.uk.      2419200 IN      A       212.74.114.132

Now we check:

*   Were all the answers the same? (Yes: 212.139.129.130 from both
    `a.gtld-servers.net` and the authoritative nameservers)
*   Did the delegation match the NS records in the authoritative
    nameservers? (Yes: delegation to `ns0.as9105.com` and
    `ns0.tiscali.co.uk`, and these records were also given in the
    'authority section' of the final response)

If the glue address held by the parent and the A record served by the
zone itself disagree, the glue is stale: resolvers that trust it will send
queries for the zone to the wrong host. Stale glue is a common
misconfiguration and has to be corrected at the registrar (or whoever
maintains the parent zone), not just in your own zone file.
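
The checks in step 5 and the glue comparison in step 6 can be applied to
captured dig output without repeating the queries by hand. The Python below
is an added example for this exercise, not part of the original text: it
parses the text that dig prints (so it runs offline on saved output) and
classifies each response as a referral, an authoritative answer, a
non-authoritative answer or a negative answer, then runs the checklist over
a set of them. The function names are mine; the sample responses are
constructed from the outputs shown above, trimmed to the lines the parser
reads, and the stale-glue sample with the documentation address 192.0.2.1
is hypothetical, added only to show the failure mode.

```python
"""Parse `dig +norec` output and apply this exercise's checks to it offline."""
import re

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def parse(text):
    """Return status, flags and RR sections of one dig response.
    RRs are (name, ttl, type, rdata), lower-cased: DNS names are not case sensitive."""
    resp = {"status": None, "flags": set(), "answer": [], "authority": [], "additional": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; ->>HEADER<<-"):
            resp["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            resp["flags"] = set(re.search(r"flags: ([^;]*);", line).group(1).split())
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line.split()[1].lower()  # question/answer/authority/additional
        elif line and not line.startswith(";") and section in resp:
            m = RR_RE.match(line)
            if m:
                name, ttl, rtype, rdata = m.groups()
                resp[section].append((name.lower(), int(ttl), rtype, rdata.lower()))
    return resp

def classify(resp):
    """Name the response the way the exercise does."""
    aa = "aa" in resp["flags"]
    if resp["status"] == "NXDOMAIN":
        return "negative" if aa else "cached negative"
    if resp["answer"]:
        return "authoritative" if aa else "non-authoritative"  # glue, or a cache
    if not aa and any(rr[2] == "NS" for rr in resp["authority"]):
        return "referral"
    return "other"

def ns_names(resp):
    """NS targets in AUTHORITY: the delegation (referral) or the zone's own NS set."""
    return sorted(rr[3] for rr in resp["authority"] if rr[2] == "NS")

def addresses(resp):
    return sorted(rr[3] for rr in resp["answer"] if rr[2] in ("A", "AAAA"))

def checklist(referral, finals):
    """Step 5: every final server answers with AA, all agree, and the NS set
    served by the zone matches the delegation we followed to reach it."""
    return {
        "all_authoritative": all(classify(r) == "authoritative" for r in finals),
        "answers_agree": len({tuple(addresses(r)) for r in finals}) == 1,
        "apex_ns_matches_delegation": all(ns_names(r) == ns_names(referral) for r in finals),
    }

def glue_ok(parent, child):
    """Step 6: the parent's non-AA answer for a nameserver is glue; it must
    match the AA answer the child zone gives for the same name."""
    return (classify(parent) == "non-authoritative" and classify(child) == "authoritative"
            and addresses(parent) == addresses(child))

# Sample responses, constructed from the outputs shown in this exercise and
# trimmed to the lines the parser reads.
REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28452
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; AUTHORITY SECTION:
tiscali.co.uk.          172800  IN      NS      ns0.as9105.com.
tiscali.co.uk.          172800  IN      NS      ns0.tiscali.co.uk.
"""
AUTH = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35827
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; ANSWER SECTION:
www.tiscali.co.uk.      3600    IN      A       212.74.101.10
;; AUTHORITY SECTION:
tiscali.co.uk.          3600    IN      NS      ns0.as9105.com.
tiscali.co.uk.          3600    IN      NS      ns0.tiscali.co.uk.
"""
GLUE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; ANSWER SECTION:
ns0.as9105.com.         172800  IN      A       212.139.129.130
;; AUTHORITY SECTION:
as9105.com.             172800  IN      NS      ns0.as9105.com.
as9105.com.             172800  IN      NS      ns0.tiscali.co.uk.
"""
GLUE_AUTH = GLUE.replace("flags: qr;", "flags: qr aa;")  # the same data from the child itself
# Hypothetical stale glue (constructed; 192.0.2.1 is a documentation address):
# the parent hands out an address the child zone does not serve.
STALE_GLUE = GLUE.replace("212.139.129.130", "192.0.2.1")

if __name__ == "__main__":
    for label, text in [("referral", REFERRAL), ("auth", AUTH), ("glue", GLUE)]:
        print(f"{label:9s} -> {classify(parse(text))}")
    print(checklist(parse(REFERRAL), [parse(AUTH), parse(AUTH)]))
    print("glue ok:", glue_ok(parse(GLUE), parse(GLUE_AUTH)), "stale:", glue_ok(parse(STALE_GLUE), parse(GLUE_AUTH)))
```

Run it as a script to see each sample classified and the checks evaluated;
to apply it to a live trace, save each `dig +norec` response and pass the
text to `parse`. The checks are deliberately strict: a non-authoritative
answer from a server that is supposed to be authoritative, or an apex NS set
that differs from the delegation, is exactly the inconsistency the checklist
is hunting for.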

Negative answers
----------------

The non-existence of a RR is an important piece of information too. The
response you get should look like this:

    $ dig +norec @ns0.tiscali.co.uk. wibble.tiscali.co.uk. a
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51165
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; AUTHORITY SECTION:
    tiscali.co.uk.          3600    IN      SOA     ns0.tiscali.co.uk. hostmaster.uk.tiscali.com. 2005051301 10800 3600 604800 3600

AA is set, but there is nothing in the answer apart from the SOA. The
parameters in the SOA are used to work out how much negative caching is
allowed. (Old caches use the TTL of the SOA itself; caches that follow
RFC 2308 use the SOA 'minimum' field, and the authoritative server also
limits the SOA's TTL in a negative answer to that value. It's best to set
both to the same value, as they are here: 3600. We'll look at the exact
format of the SOA record shortly.)

Meaning of flags (from RFC 1034/RFC 1035)
-----------------------------------------

    QR              A one bit field that specifies whether this message is a
                    query (0), or a response (1).

    AA              Authoritative Answer - this bit is valid in responses,
                    and specifies that the responding name server is an
                    authority for the domain name in question section.

    RD              Recursion Desired - this bit may be set in a query and
                    is copied into the response.  If RD is set, it directs
                    the name server to pursue the query recursively.
                    Recursive query support is optional.

    RA              Recursion Available - this bit is set or cleared in a
                    response, and denotes whether recursive query support is
                    available in the name server.

`+norec` clears RD, which is why `rd` never appears in the flags above. An
authoritative server that answers with `ra` set is also offering recursion
(at least to you), which is a configuration worth questioning.

As well as the lack of 'AA' flag, a good way to spot cached answers
is to repeat the query a few times and watch the TTL counting downwards.

    $ dig psg.com.
    ;; ANSWER SECTION:
    psg.com.                14397   IN      A       147.28.0.62
                            ^^^^^
    $ dig psg.com.
    ;; ANSWER SECTION:
    psg.com.                14384   IN      A       147.28.0.62
                            ^^^^^