I l@ve RuBoard |
10.13 Tracing Name Resolution Using dig10.13.1 ProblemYou want to trace the process of name resolution using dig. 10.13.2 SolutionStarting with a root name server, send nonrecursive queries (with the +norec command-line option) for the records you're looking for. (The root name servers are named [a-m].root-servers.net.) For example: $ dig @a.root-servers.net www.oreilly.com +norec ; <<>> DiG 9.2.1 <<>> @a.root-servers.net www.oreilly.com +norec ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44699 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13 ;; QUESTION SECTION: ;www.oreilly.com. IN A ;; AUTHORITY SECTION: com. 172800 IN NS A.GTLD-SERVERS.NET. com. 172800 IN NS G.GTLD-SERVERS.NET. com. 172800 IN NS H.GTLD-SERVERS.NET. com. 172800 IN NS C.GTLD-SERVERS.NET. com. 172800 IN NS I.GTLD-SERVERS.NET. com. 172800 IN NS B.GTLD-SERVERS.NET. com. 172800 IN NS D.GTLD-SERVERS.NET. com. 172800 IN NS L.GTLD-SERVERS.NET. com. 172800 IN NS F.GTLD-SERVERS.NET. com. 172800 IN NS J.GTLD-SERVERS.NET. com. 172800 IN NS K.GTLD-SERVERS.NET. com. 172800 IN NS E.GTLD-SERVERS.NET. com. 172800 IN NS M.GTLD-SERVERS.NET. ;; ADDITIONAL SECTION: A.GTLD-SERVERS.NET. 172800 IN A 192.5.6.30 G.GTLD-SERVERS.NET. 172800 IN A 192.42.93.30 H.GTLD-SERVERS.NET. 172800 IN A 192.54.112.30 C.GTLD-SERVERS.NET. 172800 IN A 192.26.92.30 I.GTLD-SERVERS.NET. 172800 IN A 192.43.172.30 B.GTLD-SERVERS.NET. 172800 IN A 192.33.14.30 D.GTLD-SERVERS.NET. 172800 IN A 192.31.80.30 L.GTLD-SERVERS.NET. 172800 IN A 192.41.162.30 F.GTLD-SERVERS.NET. 172800 IN A 192.35.51.30 J.GTLD-SERVERS.NET. 172800 IN A 210.132.100.101 K.GTLD-SERVERS.NET. 172800 IN A 192.52.178.30 E.GTLD-SERVERS.NET. 172800 IN A 192.12.94.30 M.GTLD-SERVERS.NET. 172800 IN A 192.55.83.30 ;; Query time: 84 msec ;; SERVER: 198.41.0.4#53(a.root-servers.net) ;; WHEN: Fri Jun 28 11:53:41 2002 ;; MSG SIZE rcvd: 465 When you receive a referral (a response with a NOERROR status, no answer section, and NS records in the authority section), send your next query to one of the name servers in the authority section. We'll query m.gtld-servers.net next: $ dig @m.gtld-servers.net www.oreilly.com +norec ; <<>> DiG 9.2.1 <<>> @m.gtld-servers.net www.oreilly.com +norec ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53652 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2 ;; QUESTION SECTION: ;www.oreilly.com. IN A ;; AUTHORITY SECTION: oreilly.com. 172800 IN NS NS.oreilly.com. oreilly.com. 172800 IN NS NS1.SONIC.NET. ;; ADDITIONAL SECTION: NS.oreilly.com. 172800 IN A 209.204.146.21 NS1.SONIC.NET. 172800 IN A 208.201.224.11 ;; Query time: 251 msec ;; SERVER: 192.55.83.30#53(m.gtld-servers.net) ;; WHEN: Fri Jun 28 12:06:26 2002 ;; MSG SIZE rcvd: 109 Now we'll query ns.oreilly.com: $ dig @ns.oreilly.com www.oreilly.com +norec ; <<>> DiG 9.2.1 <<>> @ns.oreilly.com www.oreilly.com +norec ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36079 ;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2 ;; QUESTION SECTION: ;www.oreilly.com. IN A ;; ANSWER SECTION: www.oreilly.com. 7200 IN A 209.204.146.22 ;; AUTHORITY SECTION: oreilly.com. 7200 IN NS ns2.sonic.net. oreilly.com. 7200 IN NS ns.oreilly.com. oreilly.com. 7200 IN NS ns1.sonic.net. ;; ADDITIONAL SECTION: ns.oreilly.com. 7200 IN A 209.204.146.21 ns2.sonic.net. 80335 IN A 208.201.224.33 ;; Query time: 254 msec ;; SERVER: 209.204.146.21#53(ns.oreilly.com) ;; WHEN: Fri Jun 28 12:07:01 2002 ;; MSG SIZE rcvd: 143 This response has the record we were after in the answer section, so we're done. 10.13.3 DiscussionNotice that the query doesn't change: in this example, we look up A records for www.oreilly.com each time. By following the referrals, we get closer and closer to the name servers authoritative for the zone that contains the answer. BIND 9's version of dig has a command-line option to trace name resolution automatically -- very slick! To reproduce the output above, you only need to run: $ dig +trace www.oreilly.com dig starts by looking up the list of root name servers on your default name server, then sends a nonrecursive query to one of them for the records you specified on the command line. Then it follows referrals, as we did, until it finds an answer. If you're trying to track down a problem, not just reenacting name resolution for personal or pedagogical reasons, pay careful attention to dig's output. Look for responses that indicate that the domain name doesn't exist (NXDOMAIN in the status field of the header) or that refer you to name servers authoritative for a zone higher up in the namespace (for example, an oreilly.com name server referring you to a com name server), which is a symptom of a lame delegation. 10.13.4 See Alsodig(1); and Section 6.6, for using dig's +trace option to check delegation. |
I l@ve RuBoard |