228 lines
5.7 KiB
Markdown
228 lines
5.7 KiB
Markdown
DNS Delegation
|
|
==============
|
|
|
|
Tracing NS records trying to understand DNS delegation better.
|
|
|
|
Root Servers
|
|
------------
|
|
|
|
The root servers will return the TLD records for any domain
|
|
|
|
```bash
|
|
dig A @m.root-servers.net www.example.daplie.me
|
|
```
|
|
|
|
```
|
|
; <<>> DiG 9.8.3-P1 <<>> A @m.root-servers.net www.aj.daplie.me
|
|
; (1 server found)
|
|
;; global options: +cmd
|
|
;; Got answer:
|
|
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34843
|
|
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 10
|
|
;; WARNING: recursion requested but not available
|
|
|
|
;; QUESTION SECTION:
|
|
;www.aj.daplie.me. IN A
|
|
|
|
;; AUTHORITY SECTION:
|
|
me. 172800 IN NS c0.nic.me.
|
|
me. 172800 IN NS b0.nic.me.
|
|
me. 172800 IN NS a0.nic.me.
|
|
me. 172800 IN NS b2.nic.me.
|
|
me. 172800 IN NS a2.nic.me.
|
|
|
|
;; ADDITIONAL SECTION:
|
|
a0.nic.me. 172800 IN A 199.253.59.1
|
|
a2.nic.me. 172800 IN A 199.249.119.1
|
|
b0.nic.me. 172800 IN A 199.253.60.1
|
|
b2.nic.me. 172800 IN A 199.249.127.1
|
|
c0.nic.me. 172800 IN A 199.253.61.1
|
|
a0.nic.me. 172800 IN AAAA 2001:500:53::1
|
|
a2.nic.me. 172800 IN AAAA 2001:500:47::1
|
|
b0.nic.me. 172800 IN AAAA 2001:500:54::1
|
|
b2.nic.me. 172800 IN AAAA 2001:500:4f::1
|
|
c0.nic.me. 172800 IN AAAA 2001:500:55::1
|
|
|
|
;; Query time: 141 msec
|
|
;; SERVER: 202.12.27.33#53(202.12.27.33)
|
|
;; WHEN: Tue Oct 3 15:47:25 2017
|
|
;; MSG SIZE rcvd: 343
|
|
```
|
|
|
|
GTLD Servers
|
|
------------
|
|
|
|
The GTLD Servers will return the glue records for the nameserver which hosts the SLD in question
|
|
|
|
```bash
|
|
dig A @b0.nic.me www.aj.daplie.me
|
|
```
|
|
|
|
```
|
|
; <<>> DiG 9.8.3-P1 <<>> A @b0.nic.me www.aj.daplie.me
|
|
; (1 server found)
|
|
;; global options: +cmd
|
|
;; Got answer:
|
|
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52062
|
|
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
|
|
;; WARNING: recursion requested but not available
|
|
|
|
;; QUESTION SECTION:
|
|
;www.aj.daplie.me. IN A
|
|
|
|
;; AUTHORITY SECTION:
|
|
daplie.me. 86400 IN NS ns2.redirect-www.org.
|
|
daplie.me. 86400 IN NS ns1.redirect-www.org.
|
|
|
|
;; Query time: 29 msec
|
|
;; SERVER: 199.253.60.1#53(199.253.60.1)
|
|
;; WHEN: Tue Oct 3 15:48:41 2017
|
|
;; MSG SIZE rcvd: 86
|
|
```
|
|
|
|
If the nameserver were "in bailiwick" then it's A/AAAA records would be returned in an additional section.
|
|
|
|
SLD Nameservers
|
|
---------------
|
|
|
|
There are three main conditions:
|
|
|
|
* Exists
|
|
* Doesn't exist (but lives here)
|
|
* Delegated
|
|
|
|
There's also the condition of *"doesn't exist (and doesn't live here)"*, but we'll save that for another day
|
|
(or try `dig @ns1.google.com A yahoo.com`).
|
|
|
|
### Exists
|
|
|
|
```bash
|
|
dig A @ns2.redirect-www.org www.aj.daplie.me
|
|
```
|
|
|
|
```
|
|
; <<>> DiG 9.8.3-P1 <<>> A @ns2.redirect-www.org www.aj.daplie.me
|
|
; (1 server found)
|
|
;; global options: +cmd
|
|
;; Got answer:
|
|
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52373
|
|
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
|
|
;; WARNING: recursion requested but not available
|
|
|
|
;; QUESTION SECTION:
|
|
;www.aj.daplie.me. IN A
|
|
|
|
;; ANSWER SECTION:
|
|
www.aj.daplie.me. 300 IN A 45.56.59.142
|
|
|
|
;; Query time: 83 msec
|
|
;; SERVER: 66.172.33.29#53(66.172.33.29)
|
|
;; WHEN: Tue Oct 3 15:57:14 2017
|
|
;; MSG SIZE rcvd: 50
|
|
```
|
|
|
|
### Doesn't Exist (but would)
|
|
|
|
```bash
|
|
dig A @ns2.redirect-www.org doesntexist.aj.daplie.me
|
|
```
|
|
|
|
```
|
|
; <<>> DiG 9.8.3-P1 <<>> A @ns2.redirect-www.org doesntexist.aj.daplie.me
|
|
; (1 server found)
|
|
;; global options: +cmd
|
|
;; Got answer:
|
|
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19993
|
|
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
|
|
;; WARNING: recursion requested but not available
|
|
|
|
;; QUESTION SECTION:
|
|
;doesntexist.aj.daplie.me. IN A
|
|
|
|
;; AUTHORITY SECTION:
|
|
daplie.me. 1 IN SOA ns1.redirect-www.org. hostmaster.daplie.me. 2017020100 10800 3600 1209600 1800
|
|
|
|
;; Query time: 68 msec
|
|
;; SERVER: 66.172.33.29#53(66.172.33.29)
|
|
;; WHEN: Tue Oct 3 15:59:25 2017
|
|
;; MSG SIZE rcvd: 109
|
|
```
|
|
|
|
### Delegated Subdomain
|
|
|
|
Should look something like this, I'm pretty sure:
|
|
|
|
```
|
|
;; QUESTION SECTION:
|
|
;john.daplie.me. IN A
|
|
|
|
;; AUTHORITY SECTION:
|
|
john.daplie.me. 86400 IN NS ns2.dns-host.org.
|
|
john.daplie.me. 86400 IN NS ns1.dns-host.org.
|
|
```
|
|
|
|
I think that in practice anything matching `*.john.daplie.me` would be delegated,
|
|
but I but you could do something weird like host `whatever.john.daplie.me` on the original
|
|
nameserver by A) answering to it directly on the main nameserver and B) delegating
|
|
from `whatever.john.daplie.me` back to the original nameserver in case the resolving
|
|
client makes intelligent assumptions and caching.
|
|
|
|
When a domain doesn't exist
|
|
---------------------------
|
|
|
|
### NXDOMAIN
|
|
|
|
This nameserver can respond for that domain, but no record exists
|
|
|
|
```
|
|
dig @ns1.google.com doesntexist.google.com
|
|
```
|
|
|
|
```
|
|
; <<>> DiG 9.8.3-P1 <<>> @ns1.google.com doesntexist.google.com
|
|
; (1 server found)
|
|
;; global options: +cmd
|
|
;; Got answer:
|
|
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45549
|
|
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
|
|
;; WARNING: recursion requested but not available
|
|
|
|
;; QUESTION SECTION:
|
|
;doesntexist.google.com. IN A
|
|
|
|
;; AUTHORITY SECTION:
|
|
google.com. 60 IN SOA ns2.google.com. dns-admin.google.com. 170961396 900 900 1800 60
|
|
|
|
;; Query time: 50 msec
|
|
;; SERVER: 216.239.32.10#53(216.239.32.10)
|
|
;; WHEN: Wed Oct 4 01:14:09 2017
|
|
;; MSG SIZE rcvd: 90
|
|
```
|
|
|
|
### REFUSED
|
|
|
|
This nameserver does not store records for that domain
|
|
(and would appreciated it if you didn't ask)
|
|
|
|
```bash
|
|
dig @ns1.google.com daplie.com
|
|
```
|
|
|
|
```
|
|
; <<>> DiG 9.8.3-P1 <<>> @ns1.google.com daplie.com
|
|
; (1 server found)
|
|
;; global options: +cmd
|
|
;; Got answer:
|
|
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 47317
|
|
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
|
|
;; WARNING: recursion requested but not available
|
|
|
|
;; QUESTION SECTION:
|
|
;daplie.com. IN A
|
|
|
|
;; Query time: 52 msec
|
|
;; SERVER: 216.239.32.10#53(216.239.32.10)
|
|
;; WHEN: Wed Oct 4 01:14:20 2017
|
|
;; MSG SIZE rcvd: 28
|
|
```
|