Thursday, 9 May 2013

dig a little deeper into root servers with dig

Here's an interesting thing I figured out today while looking into some inconsistencies in a company's DNS records, where my expertise had been requested. The data differed between the authoritative TLD servers and the company's own NS records. The glue records, i.e. the IP addresses of the domain's name servers, are provided by the TLD servers in the ADDITIONAL SECTION, and they carry a TTL of 172800 seconds, which is two days. So when the zone's NS records (and the glue that goes with them) are updated, some resolvers may keep the old IP addresses of the name servers cached until that TTL expires. That is what happened here: our local DNS servers still had a remaining TTL of 61476 seconds on the secondary name server's record and were returning its outdated IP address, the same value the TLD servers were still handing out.

[miklos.quartus@miklos-mac: ~]$ dig +norec @b.gtld-servers.net sdgtl.net NS

; <<>> DiG 9.8.3-P1 <<>> +norec @b.gtld-servers.net sdgtl.net NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17165
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;sdgtl.net. IN NS

;; AUTHORITY SECTION:
sdgtl.net. 172800 IN NS ns1.sdgtl.net.
sdgtl.net. 172800 IN NS ns4.sdgtl.net.

;; ADDITIONAL SECTION:
ns1.sdgtl.net. 172800 IN A 87.83.19.215
ns4.sdgtl.net. 172800 IN A 38.106.13.119

;; Query time: 37 msec
;; SERVER: 192.33.14.30#53(192.33.14.30)
;; WHEN: Thu May 9 17:51:22 2013
;; MSG SIZE rcvd: 95

[miklos.quartus@miklos-mac: ~]$

As you see above, the TLD server responds with a TTL of 172800, which is exactly two days. Our own DNS servers, however, lag behind because the TTL of their cached copy is still running and has not yet expired. See below the query result from our servers.

[miklos.quartus@miklos-mac: ~]$ host -v ns4.sdgtl.net 10.Z.X.Y
Trying "ns4.sdgtl.net"

Using domain server:
Name: 10.Z.X.Y
Address: 10.Z.X.Y#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32901
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ns4.sdgtl.net. IN A

;; ANSWER SECTION:
ns4.sdgtl.net. 61476 IN A 38.106.13.119

Received 47 bytes from 10.Z.X.Y#53 in 38 ms


Look above: the remaining TTL is 61476 seconds! Our DNS servers still hold the old IP address (38.106.13.119 is the old value; the correct one is 199.249.231.119) and need about 17 hours for that TTL to expire. In the meantime, I found out how to list the authoritative NS servers of any TLD. Let's take the .net domain as an example.


[miklos.quartus@miklos-mac: ~]$ dig +short net. NS
b.gtld-servers.net.
j.gtld-servers.net.
h.gtld-servers.net.
d.gtld-servers.net.
a.gtld-servers.net.
f.gtld-servers.net.
e.gtld-servers.net.
i.gtld-servers.net.
l.gtld-servers.net.
m.gtld-servers.net.
k.gtld-servers.net.
g.gtld-servers.net.
c.gtld-servers.net.


Voila! The list above shows the authoritative name servers for the .net TLD. Now, if the name server IP addresses configured at the domain registrar are wrong, the TLD servers keep handing out the wrong, outdated glue records, even though the correct values are inside the authoritative zone. Solution: fix the values at the domain registrar so that the correct IP addresses are registered for the NS servers.
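To catch this kind of drift without waiting for TTLs to run out, here is a small script (an added example, not part of the original post) that fetches the glue from a TLD server the way the dig commands above do, then asks each name server at its glue address what it serves for its own name, and reports any mismatch; the sample answer from the authoritative server, including its 3600 TTL, is constructed.

```python
import subprocess
import sys
from typing import Dict, List, Set, Tuple

# Constructed sample: the glue the .net server returned in this post, plus an
# assumed answer from the authoritative server that already has the new ns4 address.
TLD_GLUE = "ns1.sdgtl.net.\t172800\tIN\tA\t87.83.19.215\nns4.sdgtl.net.\t172800\tIN\tA\t38.106.13.119\n"
AUTH_ANSWER = "ns1.sdgtl.net.\t3600\tIN\tA\t87.83.19.215\nns4.sdgtl.net.\t3600\tIN\tA\t199.249.231.119\n"

Records = Dict[str, Set[str]]

def parse_a_records(text: str) -> Records:
    """Map owner name -> IPv4 addresses from dig's 'name TTL IN A addr' lines (AAAA ignored)."""
    recs: Records = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[2] == "IN" and f[3] == "A":
            recs.setdefault(f[0].rstrip(".").lower(), set()).add(f[4])
    return recs

def compare_glue(glue: Records, auth: Records) -> List[Tuple[str, Set[str], Set[str]]]:
    """Every NS whose TLD glue differs from what the zone itself says; empty set = no answer."""
    return [(ns, glue[ns], auth.get(ns, set()))
            for ns in sorted(glue) if glue[ns] != auth.get(ns, set())]

def dig(*args: str) -> str:
    """Run dig with a short timeout; a failed or timed-out query yields '' instead of raising."""
    res = subprocess.run(["dig", "+time=3", "+tries=1", *args], capture_output=True, text=True)
    return res.stdout if res.returncode == 0 else ""

def check_domain(domain: str) -> List[Tuple[str, Set[str], Set[str]]]:
    """Glue from a TLD server vs. the A records served by the zone's own name servers."""
    tld = domain.rstrip(".").rsplit(".", 1)[-1]
    tld_servers = dig("+short", tld + ".", "NS").split()          # e.g. b.gtld-servers.net.
    if not tld_servers:
        raise RuntimeError(f"could not list name servers for .{tld}")
    glue = parse_a_records(dig("+noall", "+additional", "+norec", "@" + tld_servers[0], domain, "NS"))
    auth: Records = {}
    for ns, addrs in glue.items():
        for addr in addrs:  # ask the host at the glue address what it serves for its own name
            auth.update(parse_a_records(dig("+noall", "+answer", "+norec", "@" + addr, ns, "A")))
    return compare_glue(glue, auth)

def demo() -> List[Tuple[str, Set[str], Set[str]]]:
    """Offline run on the constructed sample; flags ns4 as stale."""
    return compare_glue(parse_a_records(TLD_GLUE), parse_a_records(AUTH_ANSWER))

if __name__ == "__main__":
    for ns, g, a in (check_domain(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(f"{ns}: glue {sorted(g)} != authoritative {sorted(a)}")
```

Run it with a domain as the only argument to query the live TLD servers; with no argument it runs on the embedded sample. A name server whose old glue address no longer answers shows up with an empty authoritative set.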
