Using Dig tool for DNS lookups and Nameserver query
Dig tool in linux has become so important tool for querying dns servers and
fixing many dns related issues. I will show the easy way to use dig tool for
complex dns queries.
Lookup DNS Nameservers
Let us see what nameservers (NS records) are availale for the domain google.com.
The additional section automatically maps the corresponding NS records to their
IP address.
dig google.com NS
; <<>> DiG 9.2.4 <<>> google.com NS
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31521
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4;; QUESTION SECTION:
;google.com. IN NS;; ANSWER SECTION:
google.com. 33347 IN NS ns3.google.com.
google.com. 33347 IN NS ns4.google.com.
google.com. 33347 IN NS ns2.google.com.
google.com. 33347 IN NS ns1.google.com.;; ADDITIONAL SECTION:
ns1.google.com. 287232 IN A 216.239.32.10
ns2.google.com. 287232 IN A 216.239.34.10
ns3.google.com. 287232 IN A 216.239.36.10
ns4.google.com. 287232 IN A 216.239.38.10;; Query time: 3 msec
;; SERVER: xxx
;; WHEN: Wed Sep 23 07:39:23 2009
;; MSG SIZE rcvd: 164
Check DNS Recursion (Open DNS Server)
Any nameserver which answers to recursive queries are normally called open
dns server. Answering to recursive queries is a big SECURITY RISK if you are
running your own dns server and can cause lot of load on your dns.. The only
exception are ISPs who are required to run their DNS servers respond to recursive
queries to their clients.
To explain this easily, suppose you are in a host running your dns server hosted
locally to resolve google.com and it does resolving. What if an outside r sends
a dns query to resolve facebook.com and other domains? This is why it is called
‘open’ which means anybody can use your server to perform lookups.
This dig command will check the ns1.google.com whether it performs any recursive
query for outside domains.
dig @ns1.google.com example.com
; <<>> DiG 9.3.4-P1 <<>> @ns1.google.com example.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 29850
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0;; QUESTION SECTION:
;example.com. IN A;; Query time: 89 msec
;; SERVER: xxxxx
;; WHEN: Wed Sep 23 13:52:05 2009
;; MSG SIZE rcvd: 29
If you carefully observe the output, there is NO answer section showing the
IP address of example.com. This means the nameserver we asked is not open dns
server. You should also check all of your NS servers to see whether it responds
to recursive queries. Refer to this article on securing
dns server
Checking Authoritative Nameservers
Any nameserver of a domain must give Authoritative answer (means zone information)
for the domain. If you do not get authoritative answer, this means the name
server does not have zone information for the domain (called lame delegation).
A simpleway to put non-authoritative answer is…you are asking the name server of ns1.google.com for NS records of domain example.com, instead of asking ns1.example.com. There
is no way you can get this.
dig @ns1.google.com google.com NS
; <<>> DiG 9.3.4-P1 <<>> @ns1.google.com google.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23404
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0;; QUESTION SECTION:
;google.com. IN A;; ANSWER SECTION:
google.com. 300 IN A 74.125.45.100
google.com. 300 IN A 74.125.127.100
google.com. 300 IN A 74.125.67.100;; Query time: 90 msec
;; SERVER: xxxx
;; WHEN: Wed Sep 23 14:02:34 2009
;; MSG SIZE rcvd: 76
To check for authoritative answer, all you have to do is check the AA flag
in header,
flags: qr aa rd
which means the nameserver has answered authoritatively for the domain google.com.
Lookup Parent Nameservers
The whole dns lookup would never make sense if your nameservers doesnt show
up on parent nameservers (or root servers). When a person types your domain
in browser, the resolver of ISP looks for IP address (A record) in its cache
and if not there it would ask the root servers and through process of recursion
and referring to other dns servers the domain is resolved and IP address returned
to users browser. So if your nameservers doesnt show up on root servers (through
whois update from your domain registrar), no one would be able to find your
site. Refer to a list of root servers and their IPs
Here is how you check it using dig tool.
dig @a.root-servers.net google.com NS
; <<>> DiG 9.3.4-P1 <<>> +trace @a.root-servers.net
google.com NS
; (2 servers found)
;; global options: printcmd
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
;; Received 500 bytes from 198.41.0.4#53(198.41.0.4) in 26 mscom. 172800 IN NS K.GTLD-SERVERS.NET.
com. 172800 IN NS H.GTLD-SERVERS.NET.
com. 172800 IN NS C.GTLD-SERVERS.NET.
com. 172800 IN NS G.GTLD-SERVERS.NET.
com. 172800 IN NS A.GTLD-SERVERS.NET.
com. 172800 IN NS F.GTLD-SERVERS.NET.
com. 172800 IN NS J.GTLD-SERVERS.NET.
com. 172800 IN NS B.GTLD-SERVERS.NET.
com. 172800 IN NS E.GTLD-SERVERS.NET.
com. 172800 IN NS I.GTLD-SERVERS.NET.
com. 172800 IN NS L.GTLD-SERVERS.NET.
com. 172800 IN NS D.GTLD-SERVERS.NET.
com. 172800 IN NS M.GTLD-SERVERS.NET.
;; Received 500 bytes from 192.203.230.10#53(E.ROOT-SERVERS.NET) in 28 msgoogle.com. 172800 IN NS ns1.google.com.
google.com. 172800 IN NS ns2.google.com.
google.com. 172800 IN NS ns3.google.com.
google.com. 172800 IN NS ns4.google.com.
;; Received 164 bytes from 192.52.178.30#53(K.GTLD-SERVERS.NET) in 159 ms
Look carefully the above output and see how the answer has arrived. First i
started asking A.ROOT-SERVERS.NET, then it referred to E.ROOT-SERVERS.NET then
K.GLTD-SERVERS.NET gave the answer. This how the whole DNS system works. If
one dont know the answer it refers to the next authoritative root server and
so on. With each referral we are getting closer and closer to the answer.
Remember the DOT always placed in the ending of domain name in DNS zone file!
example.com.
IN A 11.22.33.44
What this means, start from the root server, then query COM root servers to
get the corresponding name server NS records. Writing a dns zone file without
DOT means nobody would find your nameservers, which means it wont resolve.
Checking ZONE Transfers (AXFR)
Zone transfers are used mainly by secondary slave nameservers to keep up to
date information about the zone information from the master name server. The
slave nameservers transfer the entire Zone file from the master server through
a process called Zone Transfer upon REFRESH interval set in SOA record. This
uses TCP of port 53.
Enabling a Zone Transfer can be a big SECURITY RISK and it should only be limited
to your local servers and do not let anyone from outside to retrieve your zone
information. If they were to do so, it would expose your zone information which
may lead to attacks.
To check if the nameserver can perform a zone transfer of domain, ask the nameserver
of the domain.
> dig @ns1.example.com example.com AXFR
; <<>> DiG 9.3.4-P1 <<>> @ns1.example.com example.com
AXFR
; (1 server found)
;; global options: printcmd
; Transfer failed.
which means the zone transfer is disabled and restriced to local hosts. If it is enabled it would show the entire zone file of the domain. Refer this tutorial on disabling zone transfer
How to find DNS server version?
Dont expose the version of dns server running on your host. If you do it may expose the vulnerabilities to attacker in case you havent updated the latest version.
The following dig command will print the version of bind running on the dns server.
# dig @ns1.domain.com version.bind txt chaos
<<>> DiG 9.3.4-P1 <<>> @ns1.domain.com version.bind txt chaos
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11526 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;version.bind. CH TXT ;; ANSWER SECTION: version.bind. 0 CH TXT "9.2.4" ;; AUTHORITY SECTION: version.bind. 0 CH NS version.bind.
To disable/hide the bind version place version within options line
[code lang=’python’]
options {
….
version “Undisclosed”;
}
[/code]