Wednesday, September 26, 2018

linux - Why is it unable to make query directly from the country level DNS?



I tried to make a DNS trace request (taking Oxford's website www.ox.ac.uk as an example) starting from Google's DNS 8.8.8.8. I can successfully get the result and the route was via the country level DNS nsa.nic.uk.




However, when I tried to ask nsa.nic.uk directly, there is no route shown. Is that normal and why didn't it show the result?



Thanks in advance!



Command 1 (asking Google DNS):-



$ dig +trace www.ox.ac.uk @8.8.8.8



Command 1 Result (get route successfully):-




8.8.8.8 (Google DNS)



-> 192.203.230.10 (e.root-servers.net)



-> 156.154.100.3 (nsa.nic.uk)



-> 193.62.157.66 (ns4.ja.net)



-> 193.63.105.17 (ns2.ja.net)




-> 129.67.242.155 (www.ox.ac.uk)



Command 2 (asking nsa.nic.uk directly):-



$ dig +trace www.ox.ac.uk @156.154.100.3



Command 2 Result (get no route):-



Received 28 bytes from 156.154.100.3#53(156.154.100.3) in 79 ms



Answer



Yes, this is normal.



Google DNS 8.8.8.8 is a "recursive" DNS, which means it will resolve any domains for you (by querying the consecutive authoritative DNS servers for each of the components of the domain, starting with the root and going all the way to the "www" component.)



The country DNS nsa.nic.uk is an authoritative DNS for "uk." but it does not accept recursive queries.



If you run the "dig" command without +trace, you'll see it will reply with something, but it's only the next level of the tree:



$ dig www.ox.ac.uk @156.154.100.3

;; AUTHORITY SECTION:
ac.uk. 172800 IN NS ns3.ja.net.
ac.uk. 172800 IN NS ns4.ja.net.
ac.uk. 172800 IN NS ns2.ja.net.
ac.uk. 172800 IN NS ns1.surfnet.nl.
ac.uk. 172800 IN NS dns-3.dfn.de.
ac.uk. 172800 IN NS ns0.ja.net.
ac.uk. 172800 IN NS auth03.ns.uu.net.



If then you go to the next step and ask one of those for the domain, you'll get the next step:



$ dig www.ox.ac.uk @ns0.ja.net
;; AUTHORITY SECTION:
ox.ac.uk. 86400 IN NS dns1.ox.ac.uk.
ox.ac.uk. 86400 IN NS dns2.ox.ac.uk.
ox.ac.uk. 86400 IN NS dns0.ox.ac.uk.
ox.ac.uk. 86400 IN NS ns2.ja.net.



When you query 8.8.8.8, it does all the steps of the resolution for you... And when you do +trace, it will show you the individual steps too...

