Agenda: dns2-exercise1.txt

File dns2-exercise1.txt, 11.7 KB (added by regnauld, 8 years ago)
Exercise 2.1: Debugging nameservers using dig +norec
====================================================

You do NOT need to be root to run this exercise. NOTE: it is very good
practice to put a trailing dot after every hostname - this prevents the
default domain from `/etc/resolv.conf` being appended.

This example: testing __www.tiscali.co.uk.__

0. Temporarily point your /etc/resolv.conf to 10.10.0.254, like so:
------------------------------------------------------------------

    # ee /etc/resolv.conf

    ... and replace 127.0.0.1 with 10.10.0.254:

    nameserver 10.10.0.254

    Save the file and exit the editor.

1. Make a query starting at a root nameserver
---------------------------------------------

The root servers are called `[a-m].root-servers.net.` - pick any one to
start.

    $ dig +norec @a.root-servers.net. www.tiscali.co.uk. a

29; <<>> DiG 9.7.2-P3 <<>> +norec @a.root-servers.net. www.tiscali.co.uk. a
30; (2 servers found)
31;; global options: +cmd
32;; Got answer:
33;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8712
34;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 11, ADDITIONAL: 14
35
36;; QUESTION SECTION:
37;www.tiscali.co.uk.     IN  A
38
39;; AUTHORITY SECTION:
40uk.         172800  IN  NS  ns1.nic.uk.
41uk.         172800  IN  NS  ns2.nic.uk.
42uk.         172800  IN  NS  ns3.nic.uk.
43uk.         172800  IN  NS  ns4.nic.uk.
44uk.         172800  IN  NS  ns5.nic.uk.
45uk.         172800  IN  NS  ns6.nic.uk.
46uk.         172800  IN  NS  ns7.nic.uk.
47uk.         172800  IN  NS  nsa.nic.uk.
48uk.         172800  IN  NS  nsb.nic.uk.
49uk.         172800  IN  NS  nsc.nic.uk.
50uk.         172800  IN  NS  nsd.nic.uk.
51
52;; ADDITIONAL SECTION:
53ns1.nic.uk.     172800  IN  AAAA    2a01:40:1001:35::2
54ns1.nic.uk.     172800  IN  A   195.66.240.130
55ns2.nic.uk.     172800  IN  A   217.79.164.131
56ns3.nic.uk.     172800  IN  A   213.219.13.131
57ns4.nic.uk.     172800  IN  AAAA    2001:630:181:35::83
58ns4.nic.uk.     172800  IN  A   194.83.244.131
59ns5.nic.uk.     172800  IN  A   213.246.167.131
60ns6.nic.uk.     172800  IN  A   213.248.254.130
61ns7.nic.uk.     172800  IN  A   212.121.40.130
62nsa.nic.uk.     172800  IN  AAAA    2001:502:ad09::3
63nsa.nic.uk.     172800  IN  A   156.154.100.3
64nsb.nic.uk.     172800  IN  A   156.154.101.3
65nsc.nic.uk.     172800  IN  A   156.154.102.3
66nsd.nic.uk.     172800  IN  A   156.154.103.3
67
68;; Query time: 8 msec
69;; SERVER: 198.41.0.4#53(198.41.0.4)
70;; WHEN: Tue Feb 15 15:53:13 2011
71;; MSG SIZE  rcvd: 497


Note: We only got back NS records (plus some related information - the A
and AAAA records which correspond to those nameservers). This is a REFERRAL.

In theory we should repeat this query for `b.root-servers.net`,
`c.root-servers.net` ... and check we get the same answers. Occasionally
you _might_ find inconsistencies between root servers, but it's rare.

2. Note the eleven nameservers we saw in the response
-----------------------------------------------------

(Remember that DNS names are not case sensitive. We also get them back in a
random order; this doesn't matter because we are going to try every one
anyway)

  ns1.nic.uk.
  ns2.nic.uk.
  ns3.nic.uk.
  ns4.nic.uk.
  ns5.nic.uk.
  ns6.nic.uk.
  ns7.nic.uk.
  nsa.nic.uk.
  nsb.nic.uk.
  nsc.nic.uk.
  nsd.nic.uk.

3. Repeat the query for all NS records in turn
----------------------------------------------

    $ dig +norec @ns1.nic.uk. www.tiscali.co.uk. a

    ; <<>> DiG 9.7.2-P3 <<>> +norec @ns1.nic.uk. www.tiscali.co.uk. a
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28452
    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;www.tiscali.co.uk.             IN      A

    ;; AUTHORITY SECTION:
    tiscali.co.uk.          172800  IN      NS      ns0.as9105.com.
    tiscali.co.uk.          172800  IN      NS      ns0.tiscali.co.uk.

    ;; ADDITIONAL SECTION:
    ns0.tiscali.co.uk.      172800  IN      A       212.74.114.132

    ;; Query time: 20 msec
    ;; SERVER: 195.66.240.130#53(195.66.240.130)
    ;; WHEN: Mon May 16 12:37:23 2005
    ;; MSG SIZE  rcvd: 97


    $ dig +norec @ns2.nic.uk. www.tiscali.co.uk. a
    ... results snipped to save paper

    $ dig +norec @ns3.nic.uk. www.tiscali.co.uk. a
    ... results snipped to save paper
    ... etc

*Check the results are consistent!*

Note: if a server is authoritative for both a domain and a subdomain, it
will immediately return the result for the subdomain. This is OK. In this
example, the same servers are authoritative for both `.uk` and `.co.uk`,
so they can delegate us immediately to the servers for `tiscali.co.uk`, taking
us down two levels of the DNS hierarchy in one go.

You can see here that we are getting another delegation, this time to two
other nameservers:

>     ns0.as9105.com
>     ns0.tiscali.co.uk

4. Continue to repeat the query for all NS records found in step 3
------------------------------------------------------------------

    $ dig +norec @ns0.tiscali.co.uk. www.tiscali.co.uk. a

    ; <<>> DiG 9.7.2-P3 <<>> +norec @ns0.tiscali.co.uk. www.tiscali.co.uk. a
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52841
    ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.tiscali.co.uk.     IN  A

    ;; ANSWER SECTION:
    www.tiscali.co.uk.  300 IN  A   212.74.99.30

    ;; AUTHORITY SECTION:
    tiscali.co.uk.      3600    IN  NS  ns0.tiscali.co.uk.
    tiscali.co.uk.      3600    IN  NS  ns0.as9105.com.

    ;; ADDITIONAL SECTION:
    ns0.as9105.com.     604800  IN  A   212.139.129.130
    ns0.tiscali.co.uk.  604800  IN  A   212.74.114.132

    ;; Query time: 322 msec
    ;; SERVER: 212.74.114.132#53(212.74.114.132)
    ;; WHEN: Tue Feb 15 16:01:04 2011
    ;; MSG SIZE  rcvd: 129


    $ dig +norec @ns0.as9105.com. www.tiscali.co.uk. a
    ...
    ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
    ...
    ;; ANSWER SECTION:
    www.tiscali.co.uk.  300 IN  A   212.74.99.30


This time, instead of getting another delegation, we have found the answer
we are looking for. Note that the nameservers are both giving authoritative
answers (`flags: aa`), and the results are the same. Also note that the
'AUTHORITY SECTION' in the response has the *same* list of nameservers as we
used to perform the query. (This second set of NS records comes from the
authoritative server's own zone, as opposed to the delegation from the parent
above)

5. Checklist
------------

*   Were all the nameservers reachable?
*   Were there at least two nameservers on two different subnets?
*   Did they all give either a referral or an AA (Authoritative Answer)?
*   Were all the answers the same?
*   Were the TTL values reasonable?
*   Does the final list of nameservers in the AUTHORITY SECTION match the
    list of nameservers in the referral?

6. Now check the NS records themselves!
---------------------------------------

Notice that every NS record points to the NAME of a host, not an IP
address. (It is illegal for an NS record to point at an IP address; it will
not work at all)

However, when we issued a command like `dig @ns0.as9105.com ...`, we were
relying on dig converting this name to the correct IP address. It performs a
recursive lookup to find the IP address of this server, so that it can send
the query there.

Therefore, you need to start again and check every NS record you found,
starting from the root again, in exactly the same way! This is tedious, and
usually the top-level servers are right. But it's worth checking your
country-level NS records and your own NS records.

Example: check ns0.as9105.com

    $ dig +norec @a.root-servers.net. ns0.as9105.com. a
    ... referral to [a-m].gtld-servers.net.

    $ dig +norec @a.gtld-servers.net. ns0.as9105.com. a
    ;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
    ;; ANSWER SECTION:
    ns0.as9105.com.         172800  IN      A       212.139.129.130     <====

    ;; AUTHORITY SECTION:
    as9105.com.             172800  IN      NS      ns0.as9105.com.
    as9105.com.             172800  IN      NS      ns0.tiscali.co.uk.

Notice that here we got an answer - but it is not an authoritative answer!
(As well as 'aa' missing, notice that the machine we queried is not one of
the machines listed in the 'authority section')

This is not an error as long as the answer is correct - it's called a "glue
record" which we'll discuss later - but we need to continue downwards to
find the true authoritative source:

    $ dig +norec @ns0.as9105.com. ns0.as9105.com. a
    ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

    ;; ANSWER SECTION:
    ns0.as9105.com.         2419200 IN      A       212.139.129.130     <====

    ;; AUTHORITY SECTION:
    as9105.com.             600     IN      NS      ns0.tiscali.co.uk.
    as9105.com.             600     IN      NS      ns0.as9105.com.

    ;; ADDITIONAL SECTION:
    ns0.tiscali.co.uk.      2419200 IN      A       212.74.114.132


    $ dig +norec @ns0.tiscali.co.uk. ns0.as9105.com. a
    ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

    ;; ANSWER SECTION:
    ns0.as9105.com.         2419200 IN      A       212.139.129.130     <====

    ;; AUTHORITY SECTION:
    as9105.com.             600     IN      NS      ns0.tiscali.co.uk.
    as9105.com.             600     IN      NS      ns0.as9105.com.

    ;; ADDITIONAL SECTION:
    ns0.tiscali.co.uk.      2419200 IN      A       212.74.114.132

Now we check:

*   Were all the answers the same? (Yes: 212.139.129.130 from both
    `a.gtld-servers.net` and the authoritative nameservers)
*   Did the delegation match the NS records in the authoritative
    nameservers? (Yes: delegation to `ns0.as9105.com` and
    `ns0.tiscali.co.uk`, and these records were also given in the
    'authority section' of the final response)

Negative answers
----------------

The non-existence of an RR is an important piece of information too. The
response you get should look like this:

    $ dig +norec @ns0.tiscali.co.uk. wibble.tiscali.co.uk. a
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51165
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; AUTHORITY SECTION:
    tiscali.co.uk. 3600 IN  SOA ns0.tiscali.co.uk. hostmaster.talktalkplc.com. 2011012703 10800 3600 604800 3600


AA is set, but there is nothing in the answer apart from the SOA in the
AUTHORITY section. The parameters in the SOA are used to work out how long
this negative answer may be cached (RFC 2308: the lesser of the SOA record's
own TTL and its MINIMUM field, both 3600 here).

Meaning of flags (from RFC 1034/RFC 1035)
-----------------------------------------

    QR              A one bit field that specifies whether this message is a
                    query (0), or a response (1).

    AA              Authoritative Answer - this bit is valid in responses,
                    and specifies that the responding name server is an
                    authority for the domain name in question section.

    RD              Recursion Desired - this bit may be set in a query and
                    is copied into the response.  If RD is set, it directs
                    the name server to pursue the query recursively.
                    Recursive query support is optional.

    RA              Recursion Available - this bit is set or cleared in a
                    response, and denotes whether recursive query support is
                    available in the name server.

As well as the lack of the 'AA' flag, a good way to spot cached answers
is to repeat the query a few times and watch the TTL counting downwards.

    $ dig psg.com.
    ;; ANSWER SECTION:
    psg.com.                14397   IN      A       147.28.0.62
                            ^^^^^
    $ dig psg.com.
    ;; ANSWER SECTION:
    psg.com.                14384   IN      A       147.28.0.62
                            ^^^^^