
Tuesday, 24 June 2014

Powerful DNS query tool - DIG

When we talk about the DNS query tool, we usually refer to nslookup. Now in this blog, we are going to talk about a more powerful tool called dig.

1. dig command without any parameters (it asks the configured resolver for the NS records of the root zone ".")

root@ip-172-31-7-84:~# dig

; <<>> DiG 9.9.5-3-Ubuntu <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25338
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       19664   IN      NS      d.root-servers.net.
.                       19664   IN      NS      e.root-servers.net.
.                       19664   IN      NS      f.root-servers.net.
.                       19664   IN      NS      g.root-servers.net.
.                       19664   IN      NS      h.root-servers.net.
.                       19664   IN      NS      i.root-servers.net.
.                       19664   IN      NS      j.root-servers.net.
.                       19664   IN      NS      k.root-servers.net.
.                       19664   IN      NS      l.root-servers.net.
.                       19664   IN      NS      m.root-servers.net.
.                       19664   IN      NS      a.root-servers.net.
.                       19664   IN      NS      b.root-servers.net.
.                       19664   IN      NS      c.root-servers.net.

;; Query time: 6 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Wed Jun 25 15:27:35 EST 2014
;; MSG SIZE  rcvd: 239

2. Basic command: dig @DNS-server domain-name record-type

root@ip-172-31-7-84:~# dig @8.8.8.8 rms.nsw.gov.au AAAA

; <<>> DiG 9.9.5-3-Ubuntu <<>> @8.8.8.8 rms.nsw.gov.au AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23205
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;rms.nsw.gov.au.                        IN      AAAA

;; AUTHORITY SECTION:
rms.nsw.gov.au.         1799    IN      SOA     dns2.rta.nsw.gov.au. root.dns2.rta.nsw.gov.au. 2013120601 7200 3600 3600000 7200

;; Query time: 289 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jun 25 15:29:14 EST 2014
;; MSG SIZE  rcvd: 93

3. Common options: here are the most common options we will need to keep in mind.
-t [type]: by default it queries the A (address) record, but you can set another type, e.g. MX, for the query

root@ip-172-31-7-84:~# dig -t MX rms.nsw.gov.au

; <<>> DiG 9.9.5-3-Ubuntu <<>> -t MX rms.nsw.gov.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41964
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;rms.nsw.gov.au.                        IN      MX

;; ANSWER SECTION:
rms.nsw.gov.au.         7200    IN      MX      30 mx22out.rta.nsw.gov.au.
rms.nsw.gov.au.         7200    IN      MX      40 waterways-b1.maritime.nsw.gov.au.
rms.nsw.gov.au.         7200    IN      MX      10 cluster4.us.messagelabs.com.
rms.nsw.gov.au.         7200    IN      MX      20 cluster4a.us.messagelabs.com.
rms.nsw.gov.au.         7200    IN      MX      30 mx11out.rta.nsw.gov.au.
rms.nsw.gov.au.         7200    IN      MX      30 mx12out.rta.nsw.gov.au.
rms.nsw.gov.au.         7200    IN      MX      30 mx21out.rta.nsw.gov.au.

;; Query time: 14 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Wed Jun 25 15:31:10 EST 2014
;; MSG SIZE  rcvd: 250

-q [domain]: -q can be omitted, but the command is clearer if you add the -q option.

root@ip-172-31-7-84:~# dig -q www.google.com

; <<>> DiG 9.9.5-3-Ubuntu <<>> -q www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60498
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         166     IN      A       74.125.237.180
www.google.com.         166     IN      A       74.125.237.176
www.google.com.         166     IN      A       74.125.237.177
www.google.com.         166     IN      A       74.125.237.178
www.google.com.         166     IN      A       74.125.237.179

;; Query time: 6 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Wed Jun 25 15:33:07 EST 2014
;; MSG SIZE  rcvd: 123

-x [IP]: reverse lookup. Get the hostname (PTR record) for the IP.

root@ip-172-31-7-84:~# dig -x 193.0.14.129

; <<>> DiG 9.9.5-3-Ubuntu <<>> -x 193.0.14.129
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19459
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;129.14.0.193.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
129.14.0.193.in-addr.arpa. 21600 IN     PTR     k.root-servers.net.

;; Query time: 21 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Wed Jun 25 15:34:54 EST 2014
;; MSG SIZE  rcvd: 86

+tcp: use TCP instead of UDP for the query.

root@ip-172-31-7-84:~# dig +tcp www.myrta.com

; <<>> DiG 9.9.5-3-Ubuntu <<>> +tcp www.myrta.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27172
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.myrta.com.                 IN      A

;; ANSWER SECTION:
www.myrta.com.          30      IN      A       163.189.7.175

;; Query time: 43 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Wed Jun 25 15:38:26 EST 2014
;; MSG SIZE  rcvd: 58

+trace: follows the delegation path of a recursive lookup from the root servers down to the authoritative server, showing each referral. The DS, RRSIG and NSEC3 records in the output are the DNSSEC records of the com. zone.

root@ip-172-31-7-84:~# dig +trace www.myetoll.com
; <<>> DiG 9.9.5-3-Ubuntu <<>> +trace www.myetoll.com
;; global options: +cmd
.                       18934   IN      NS      l.root-servers.net.
.                       18934   IN      NS      m.root-servers.net.
.                       18934   IN      NS      a.root-servers.net.
.                       18934   IN      NS      b.root-servers.net.
.                       18934   IN      NS      c.root-servers.net.
.                       18934   IN      NS      d.root-servers.net.
.                       18934   IN      NS      e.root-servers.net.
.                       18934   IN      NS      f.root-servers.net.
.                       18934   IN      NS      g.root-servers.net.
.                       18934   IN      NS      h.root-servers.net.
.                       18934   IN      NS      i.root-servers.net.
.                       18934   IN      NS      j.root-servers.net.
.                       18934   IN      NS      k.root-servers.net.
;; Received 239 bytes from 172.31.0.2#53(172.31.0.2) in 14 ms

com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20140701000000 20140623230000 40926 . lDy4cb2Mb6tyMYXfCNX1bcEwE2Rg6OkcsuSv+R81yFHEG5/luQvypHHr nt6apJYVf30t748Dtu5X3H56IXXlgftqgY93AbuAjugAz3gf8YiQtRW5 wQcKjtzq2luW1YIVYtujntwfC4om+sVxtCJbKT88cqQUwyTvKr8D6SxS QtA=
;; Received 739 bytes from 192.36.148.17#53(i.root-servers.net) in 237 ms

myetoll.com.            172800  IN      NS      dns1.rta.nsw.gov.au.
myetoll.com.            172800  IN      NS      dns2.rta.nsw.gov.au.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0QFMDQRCSRU0651QLVA1JQB21IF7UR NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20140630044832 20140623033832 56657 com. Co2ZGs6Fo2h2zlCv4wQS4E28nhjNxNQ/InfoiMq52MUH4/IJ9rh1Ot4C vuEmO3J1U4VVYUedu1EyFtBe6hGpajEfsntCYFA2EFbi2PgzAHAw8Ljr NCC24OnMBfcpbM6ew5UFd/157h6Tv/a+ilystE7+goWZi7q6Y6VNPWle B60=
RFJREQ8DI8OGS8V03LLBHDLV4J3EIPHK.com. 86400 IN NSEC3 1 1 0 - RFJVBCOQJUN2E7A6HEMG5MM79DAEKVMV NS DS RRSIG
RFJREQ8DI8OGS8V03LLBHDLV4J3EIPHK.com. 86400 IN RRSIG NSEC3 8 2 86400 20140701043512 20140624032512 56657 com. McX9ZVW1HVTK4ZkKSOOAj9pkHb8VzqKIbRNdcMWN8OJ75GaL/9II1bNx pXodneZpd+qtRe3TVhweJlv30zXEritWsN507cQDDsDoIgu+aNpgCzO7 louvilFNU88pOPPx4Wk1oTS9BNpNV/rcw0GWF/Yb/Y2Q/XTiyNl5NLe0 LiM=
;; Received 581 bytes from 192.12.94.30#53(e.gtld-servers.net) in 376 ms

www.myetoll.com.        7200    IN      NS      dns22.rta.nsw.gov.au.
www.myetoll.com.        7200    IN      NS      dns11.rta.nsw.gov.au.
;; Received 98 bytes from 163.189.23.22#53(dns2.rta.nsw.gov.au) in 26 ms

;; Received 12 bytes from 163.189.217.1#53(dns22.rta.nsw.gov.au) in 9 ms

+short: only show the result of the query.

root@ip-172-31-7-84:~# dig +short www.rms.nsw.gov.au
163.189.7.150
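As an added example (not part of the original post), a small parser for the dig output layout shown above, followed by the checks a defender applies to the status and flags before trusting an answer. The sample response is constructed; the parser assumes the fixed section layout dig prints.

```python
import re

# Constructed sample in the layout dig prints (values made up for this example).
SAMPLE = """\
; <<>> DiG 9.9.5-3-Ubuntu <<>> www.example.net
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.example.net.               IN      A

;; ANSWER SECTION:
www.example.net.        300     IN      A       192.0.2.10
www.example.net.        300     IN      A       192.0.2.11

;; Query time: 6 msec
"""

def parse_dig(text):
    """Return the status, the header flags and the records of each section."""
    result = {"status": None, "flags": [], "sections": {}}
    section = None
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            result["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            result["flags"] = re.search(r"flags: ([^;]*);", line).group(1).split()
        elif line.endswith(" SECTION:"):
            section = line.strip("; ").split()[0]  # e.g. "ANSWER"
            result["sections"][section] = []
        elif section and line and not line.startswith(";"):
            name, ttl, _klass, rtype, rdata = line.split(None, 4)
            result["sections"][section].append(
                {"name": name, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return result

def check_answer(parsed):
    """Sanity checks a defender applies before trusting a dig answer."""
    findings = []
    if parsed["status"] != "NOERROR":
        findings.append("status %s: no usable answer" % parsed["status"])
    elif not parsed["sections"].get("ANSWER"):
        # Like the AAAA query above: NOERROR, ANSWER 0, SOA in AUTHORITY.
        findings.append("NOERROR with empty ANSWER: name exists, no record of that type")
    if "tc" in parsed["flags"]:
        findings.append("response truncated: repeat the query with +tcp")
    if "ad" not in parsed["flags"]:
        findings.append("ad flag missing: resolver did not DNSSEC-validate this answer")
    return findings
```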

Tuesday, 27 May 2014

Bind configuration verification

DNS/BIND is critical Internet infrastructure, and it has a strict syntax for its configuration and zone files: a missing character or a typo can leave the service unable to start. Before we restart or reload the configuration, we need to test it.

1. named-checkconf:
This tool is used to check the BIND main configuration file (named.conf).
Basic usage is:
named-checkconf [path of named.conf]
This is a bad example (line 27 is missing a ';'):
[root@ns tmp]# named-checkconf  /etc/named.conf
/etc/named.conf:27: missing ';' before end of file

This is a good example (no output means the syntax is valid):
[root@ns tmp]# named-checkconf  /etc/named.conf
[root@ns tmp]#

The tool checks the syntax of named.conf, but it won't catch logic mistakes such as missing zone files.

2. named-checkzone
This tool is used to check a zone file.
Basic usage is:
named-checkzone [zone-name] [zone file]
Good examples:
[root@ns tmp]# named-checkzone "localhost"  /var/named/named.localhost
zone localhost/IN: loaded serial 0
OK
[root@ns tmp]# named-checkzone "rafa.com" /var/named/rafa.com
zone rafa.com/IN: loaded serial 2014052401
OK
[root@ns tmp]# named-checkzone "56.168.192.in-addr.arpa" /var/named/192.168.56.zone
zone 56.168.192.in-addr.arpa/IN: loaded serial 2014052401
OK
[root@ns tmp]#

Bad example (the zone name passed does not match the origin in the zone file, so its records are out of zone and the required SOA and NS records are not found):
[root@ns tmp]# named-checkzone "www.rafa.com" /var/named/rafa.com
/var/named/rafa.com:2: ignoring out-of-zone data (rafa.com)
zone www.rafa.com/IN: has 0 SOA records
zone www.rafa.com/IN: has no NS records
zone www.rafa.com/IN: not loaded due to errors.


3. service named configtest
This runs the whole configuration check in one go (named.conf and every zone). The umount message at the end concerns the chroot bind mount, not the zone data.

[root@ns tmp]# service named configtest
zone localhost/IN: loaded serial 0
zone 0.0.127.in-addr.arpa/IN: loaded serial 0
zone rafa.com/IN: loaded serial 2014052401
zone 56.168.192.in-addr.arpa/IN: loaded serial 2014052401
umount: /var/named/chroot/var/named: device is busy.
        (In some cases useful info about processes that use
         the device is found by lsof(8) or fuser(1))
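An added example, not part of the original post, that closes the gap described in step 1: it reads the zone statements out of a named.conf fragment (constructed here) and reports master zones whose file is missing before named is reloaded. The brace tracking and regexes are a simplification that assumes no braces inside comments.

```python
import os
import re
import tempfile

# Constructed named.conf fragment in the style of the zones checked above.
CONF = """
options { directory "/var/named"; };
zone "localhost" IN { type master; file "named.localhost"; };
zone "rafa.com" IN {
    type master;
    allow-transfer { 192.168.56.2; };
    file "rafa.com";
};
zone "example.net" IN { type slave; masters { 192.168.56.1; }; file "slaves/example.net"; };
"""

def zone_blocks(conf_text):
    """Yield (zone name, block body), tracking brace depth so nested blocks stay whole."""
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf_text):
        depth, i = 1, m.end()
        while depth and i < len(conf_text):
            depth += {"{": 1, "}": -1}.get(conf_text[i], 0)
            i += 1
        yield m.group(1), conf_text[m.end():i - 1]

def missing_zone_files(conf_text, directory):
    """Zones whose declared file is absent: the gap named-checkconf leaves open.

    Slave zones are skipped because their file only appears after the first transfer.
    """
    missing = []
    for name, body in zone_blocks(conf_text):
        ztype = re.search(r'\btype\s+(\w+)', body)
        zfile = re.search(r'\bfile\s+"([^"]+)"', body)
        if not zfile or (ztype and ztype.group(1) == "slave"):
            continue
        path = os.path.join(directory, zfile.group(1))  # relative paths resolve under options.directory
        if not os.path.isfile(path):
            missing.append(name)
    return missing

def demo():
    """Constructed fixture: only named.localhost exists, so rafa.com is reported."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "named.localhost"), "w").close()
        return missing_zone_files(CONF, d)
```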

Wednesday, 21 May 2014

DNS Technology Introduction

DNS

DNS (Domain Name Service) is one of the most important Internet infrastructures. It provides human-readable names for Internet users and translates them to IP addresses or other machine-readable identifiers.

In the DNS world we usually use the terms domain name or hostname, such as www.google.com or mail.gmail.com. The standard form is the FQDN (Fully Qualified Domain Name), which ends with a '.', e.g. www.google.com.

In most cases DNS provides the translation between FQDN and IP, but that is not all it does.


NSSWITCH

The hosts line in /etc/nsswitch.conf decides the lookup order:
hosts: files dns
files: /etc/hosts
dns: DNS

In the OS, the C library uses libnss_files.so or libnss_dns.so for these sources.


Stub Resolver

The stub resolver is the resolver client program on the host. It handles DNS requests for applications, but it only understands a full answer to a request; it cannot deal with a referral.
If it does not find an answer to the query in its cache, it asks the recursive resolver that is configured.
It accepts the first valid answer that arrives, ignoring any answers that come later.


Domain types:

organizational domains: .com, .org, .net, .cc
country domains: .cn, .tw, .hk, .iq, .ir, .jp
reverse domains: IP --> FQDN

Query types:

Recursive Query: the DNS client requires that the DNS server respond to the client with either the requested resource record or an error message stating that the record or domain name does not exist. The DNS server cannot just refer the DNS client to a different DNS server.

Iterative Query: is one in which a DNS client allows the DNS server to return the best answer it can give based on its cache or zone data. If the queried DNS server does not have an exact match for the queried name, the best possible information it can return is a referral (that is, a pointer to a DNS server authoritative for a lower level of the domain namespace). The DNS client can then query the DNS server for which it obtained a referral. It continues this process until it locates a DNS server that is authoritative for the queried name, or until an error or time-out condition is met.

The DNS database is a globally distributed database:
    the parent knows where its directly attached children are;
    the child does not know where its parent node is, but it usually knows the ROOT.


DNS Server functions:

accept requests for:
    local clients querying non-authoritative data (recursive queries)
    outside clients querying authoritative data (iterative queries)
whether positive or negative, the DNS server should give the answer with a TTL
outside clients querying non-authoritative data (recursion for outsiders) should usually be denied

DNS server types:

master DNS server: the SOA (authoritative source) of the domain; it maintains the zone database.
slave DNS server: also authoritative for the domain, but it synchronizes the database from the master.
caching DNS server: only caches results; not authoritative (non-SOA).
forwarding server: only forwards queries to some other DNS server.
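The recursive/iterative distinction and the stub resolver's full-answer requirement above, as an added example that is not part of the original post: it builds a DNS query header with the RD bit set or cleared, decodes a header into the status and flags that dig prints, and applies a header-level test of whether a stub resolver can use a response. The server-side responses here are constructed headers only (no resource records), so the referral test is a header-level approximation.

```python
import struct

# Header flag bits (RFC 1035 section 4.1.1) under the names dig prints in its flags line.
FLAG_BITS = {"qr": 1 << 15, "aa": 1 << 10, "tc": 1 << 9, "rd": 1 << 8, "ra": 1 << 7, "ad": 1 << 5}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(fqdn):
    """'www.google.com.' -> length-prefixed labels, terminated by the empty root label."""
    labels = fqdn.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(fqdn, qtype=1, recursive=True, txid=0x1234):
    """RD set = recursive query (what a stub resolver sends); RD clear = iterative query."""
    flags = FLAG_BITS["rd"] if recursive else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT = 1
    return header + encode_name(fqdn) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN

def response_header(query, rcode=0, counts=(0, 0, 0), aa=False, ra=False):
    """Constructed server-side header: echo id and RD, set QR, and AA/RA as the server's role allows."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = FLAG_BITS["qr"] | (qflags & FLAG_BITS["rd"]) | rcode
    flags |= FLAG_BITS["aa"] if aa else 0
    flags |= FLAG_BITS["ra"] if ra else 0
    an, ns, ar = counts
    return struct.pack("!HHHHHH", txid, flags, 1, an, ns, ar)

def parse_header(msg):
    """Decode a header into the 'status' and 'flags' summary that dig prints."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid,
            "flags": [n for n, bit in FLAG_BITS.items() if flags & bit],
            "status": RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
            "counts": (qd, an, ns, ar)}

def stub_can_use(query, response):
    """A stub resolver needs a full answer: matching id, QR set, NOERROR and not a referral."""
    h = parse_header(response)
    if h["id"] != parse_header(query)["id"] or "qr" not in h["flags"]:
        return False
    qd, an, ns, ar = h["counts"]
    # Header-level view of a referral: no answer, only AUTHORITY records, neither aa nor ra.
    referral = an == 0 and ns > 0 and not {"aa", "ra"} & set(h["flags"])
    return h["status"] == "NOERROR" and not referral
```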