Things about DNS

Published: January 7, 2025, updated: January 14, 2025

This article contains interesting things that I’ve come across while learning more about DNS.

Anatomy of a DNS request

Here’s how you can run a full DNS request for the domain zombo.com using dig:

dig +trace +all zombo.com

When you run a full DNS request, dig retrieves the A DNS record for a domain by querying the whole chain of the fully qualified domain name (FQDN) zombo.com.. When a DNS client queries a FQDN, it starts at the root ., and recursively work its way down to query .com., and then .zombo.com. The precise sequence of queries that dig performs depends on each response.

With a full DNS request, you can query DNS records for domains from scratch without needing any DNS resolver or DNS cache.

This is the transcript, split by individual query.

Startup information

First, dig prints some general information, like the command that received, or its version:

; <<>> DiG 9.18.28 <<>> +trace +all zombo.com
;; global options: +cmd

Root name server

Next, dig queries the DNS resolver configured for the network this computer runs in. The DNS resolver has the IP address 10.0.48.1 and runs on a Ubiquiti Dream Router.

dig asks for the NS record for the name .. It receives a long list of NS records in the answer section. Each of these records starts with a single lowercase letter and ends on .root-servers.net.. Each of these names represent a root name server that dig can then ask for zombo.com.

Furthermore, the querying the name . also gives us back a few A and AAAA records for each of these root name servers. This tells dig what the IPv4 and IPv6 addresses of each of these root name servers are.

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38385
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			190794	IN	NS	b.root-servers.net.
.			190794	IN	NS	m.root-servers.net.
.			190794	IN	NS	h.root-servers.net.
.			190794	IN	NS	i.root-servers.net.
.			190794	IN	NS	j.root-servers.net.
.			190794	IN	NS	d.root-servers.net.
.			190794	IN	NS	a.root-servers.net.
.			190794	IN	NS	g.root-servers.net.
.			190794	IN	NS	f.root-servers.net.
.			190794	IN	NS	c.root-servers.net.
.			190794	IN	NS	e.root-servers.net.
.			190794	IN	NS	k.root-servers.net.
.			190794	IN	NS	l.root-servers.net.
.			445435	IN	RRSIG	NS 8 0 518400 20250118170000 20250105160000 26470 . m7C4icJMnOILA5mlMR9oDLoQBWE0Y9sPoqbXSoVUVrTKgWDbZNOrlMig xBubsOExXwQ4XZg3jwmh6FckcIMly1ZMIfZycMxWvyIvOrgxnBAt4Gu1 sMC4bn45v2BIaMHCaSLwW1jUB+MvrCPhBeYQJsfeLkRBi3W2VPwFIV60 BmPt2/i8jCJrkxx8bOaDGuTGFdwm1L62Ri2+QrewsbRGOcWpJHptJI/h Di61Q/C043YHHhc9w037cKYFeP8dupWS8RLcW/jIELTXhW2FrgETv285 3RndOgaFb9RBoTUo16i3lge1KIMZoS2eksoGQEt8kfgfYVrIKTrwQpf6 Z5NvCQ==

;; ADDITIONAL SECTION:
a.root-servers.net.	104582	IN	A	198.41.0.4
b.root-servers.net.	276147	IN	A	170.247.170.2
c.root-servers.net.	368518	IN	A	192.33.4.12
d.root-servers.net.	187359	IN	A	199.7.91.13
e.root-servers.net.	187359	IN	A	192.203.230.10
f.root-servers.net.	199714	IN	A	192.5.5.241
g.root-servers.net.	216475	IN	A	192.112.36.4
h.root-servers.net.	240623	IN	A	198.97.190.53
i.root-servers.net.	532693	IN	A	192.36.148.17
j.root-servers.net.	320888	IN	A	192.58.128.30
k.root-servers.net.	271911	IN	A	193.0.14.129
l.root-servers.net.	357258	IN	A	199.7.83.42
m.root-servers.net.	104622	IN	A	202.12.27.33
a.root-servers.net.	113505	IN	AAAA	2001:503:ba3e::2:30
b.root-servers.net.	294399	IN	AAAA	2801:1b8:10::b
c.root-servers.net.	331660	IN	AAAA	2001:500:2::c
d.root-servers.net.	32858	IN	AAAA	2001:500:2d::d
e.root-servers.net.	307198	IN	AAAA	2001:500:a8::e
f.root-servers.net.	408208	IN	AAAA	2001:500:2f::f
g.root-servers.net.	353355	IN	AAAA	2001:500:12::d0d
h.root-servers.net.	234104	IN	AAAA	2001:500:1::53
i.root-servers.net.	390219	IN	AAAA	2001:7fe::53
j.root-servers.net.	463450	IN	AAAA	2001:503:c27::2:30
k.root-servers.net.	37861	IN	AAAA	2001:7fd::1
l.root-servers.net.	225301	IN	AAAA	2001:500:9f::42
m.root-servers.net.	118907	IN	AAAA	2001:dc3::35

;; Query time: 18 msec
;; SERVER: 10.0.48.1#53(10.0.48.1) (UDP)
;; WHEN: Tue Jan 07 10:26:18 JST 2025
;; MSG SIZE  rcvd: 1109

Some other noteworthy things about the first DNS response:

Finding the top-level domain name server

Proceeding with the next query, dig asks the root name server j.root-servers.net for the FQDN zombo.com.. The root name server returns 13 AUTHORITY records that dig can query next to continue resolving zombo.com.. Furthermore, the AUTHORITY section contains the DNSSEC records DS and RRSIG. A recent version of dig is able to check DNSSEC signatures using the +dnssec flag. See this Stack Exchange answer for more information.

root-servers.net doesn’t hold records for .com domains itself, so it points dig to ask gtld-servers.net. next instead. gtld-servers.net is responsible for resolving .com domains.

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1157
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;zombo.com.			IN	A

;; AUTHORITY SECTION:
com.			172800	IN	NS	a.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.
com.			86400	IN	DS	19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
com.			86400	IN	RRSIG	DS 8 1 86400 20250119210000 20250106200000 26470 . DQQ9SqKUcniHKVr6zFNzs6wHLVZ6CdfSFMr3q8tCwh+mLPrKCTRlbnpS TmJy1M8YDEDvrrBO0EFx1rr+cGwcB2RiIfOnLl8c2942n5aOpR+3tZB0 sCP1KFv1+BhiD1RL8dff+rMNJ8+0BWNgsID8/MmI+y8UB/70YERAz/W0 AmOhbN/pHkfgvZfbtrOs6Msz+wcUR17wRCOLazyFnBE19EWnek9SYhj9 Jw440nEZ1Kopi+KqWXG0K+kt1HqZS3J2kkO/TmHyU780F/fOtRP/dWmX 06gSiBe4cCSe3Hs7aHlIe2LwH/ICioNdJj0WjzFJ8IDoC+vmLdRkXh4b NVJHoQ==

;; ADDITIONAL SECTION:
a.gtld-servers.net.	172800	IN	A	192.5.6.30
b.gtld-servers.net.	172800	IN	A	192.33.14.30
c.gtld-servers.net.	172800	IN	A	192.26.92.30
d.gtld-servers.net.	172800	IN	A	192.31.80.30
e.gtld-servers.net.	172800	IN	A	192.12.94.30
f.gtld-servers.net.	172800	IN	A	192.35.51.30
g.gtld-servers.net.	172800	IN	A	192.42.93.30
h.gtld-servers.net.	172800	IN	A	192.54.112.30
i.gtld-servers.net.	172800	IN	A	192.43.172.30
j.gtld-servers.net.	172800	IN	A	192.48.79.30
k.gtld-servers.net.	172800	IN	A	192.52.178.30
l.gtld-servers.net.	172800	IN	A	192.41.162.30
m.gtld-servers.net.	172800	IN	A	192.55.83.30
a.gtld-servers.net.	172800	IN	AAAA	2001:503:a83e::2:30
b.gtld-servers.net.	172800	IN	AAAA	2001:503:231d::2:30
c.gtld-servers.net.	172800	IN	AAAA	2001:503:83eb::30
d.gtld-servers.net.	172800	IN	AAAA	2001:500:856e::30
e.gtld-servers.net.	172800	IN	AAAA	2001:502:1ca1::30
f.gtld-servers.net.	172800	IN	AAAA	2001:503:d414::30
g.gtld-servers.net.	172800	IN	AAAA	2001:503:eea3::30
h.gtld-servers.net.	172800	IN	AAAA	2001:502:8cc::30
i.gtld-servers.net.	172800	IN	AAAA	2001:503:39c1::30
j.gtld-servers.net.	172800	IN	AAAA	2001:502:7094::30
k.gtld-servers.net.	172800	IN	AAAA	2001:503:d2d::30
l.gtld-servers.net.	172800	IN	AAAA	2001:500:d937::30
m.gtld-servers.net.	172800	IN	AAAA	2001:501:b1f9::30

;; Query time: 11 msec
;; SERVER: 192.58.128.30#53(j.root-servers.net) (UDP)
;; WHEN: Tue Jan 07 10:26:18 JST 2025
;; MSG SIZE  rcvd: 1169

Top-level domain name server

Here’s what happens when dig asks the TLD name server d.gtld-servers.net for zombo.com.. Verisign operates the servers at gtld-servers.net. Here are some noteworthy things about the reply that d.gtld-servers.net gives back to dig:

Here’s the DNS query response that dig prints out:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29896
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zombo.com.			IN	A

;; AUTHORITY SECTION:
zombo.com.		172800	IN	NS	ns.liquidweb.com.
zombo.com.		172800	IN	NS	ns1.liquidweb.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN NSEC3 1 1 0 - CK0Q3UDG8CEKKAE7RUKPGCT1DVSSH8LL NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN RRSIG NSEC3 13 2 900 20250111002631 20250103231631 29942 com. HiG6TuJBV47MnPmttWN98zHscsehwlRhgzemiswIdlmKh993eKxhdUbB d4hhuK7piTIFoZ4Gi/THENgJJKuCmg==
E5F0ON130HM3M2JQH41BK2763KA5559S.com. 900 IN NSEC3 1 1 0 - E5F126VHCT3KQ620F4OFQ11HB5BJBFRT NS DS RRSIG
E5F0ON130HM3M2JQH41BK2763KA5559S.com. 900 IN RRSIG NSEC3 13 2 900 20250113013526 20250106002526 29942 com. 0SoW/r4xPtu4bnmOTSLtkwb9ezAyCHkI1XLAQPRWvu0x7xCBVwguEw8j eR+ZHeLU4x5n5q7d/3/1n/uH2x6kig==

;; ADDITIONAL SECTION:
ns.liquidweb.com.	172800	IN	A	69.16.222.254
ns1.liquidweb.com.	172800	IN	A	69.16.223.254

;; Query time: 10 msec
;; SERVER: 192.31.80.30#53(d.gtld-servers.net) (UDP)
;; WHEN: Tue Jan 07 10:26:18 JST 2025
;; MSG SIZE  rcvd: 472

Registrar name server

d.gtld-servers.net told dig that it should ask ns.liquidweb.com for zombo.com.. Here’s the response dig receives after querying zombo.com’s authoritative name server. The response contains a single A record for zombo.com’s IPv4 address.

Note that the previous DNS queries had no ANSWER section, not counting the query for . in the beginning. Every DNS query response before dig asks ns.liquidweb.com contained AUTHORITY and ADDITIONAL records.

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37369
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1680
;; QUESTION SECTION:
;zombo.com.			IN	A

;; ANSWER SECTION:
zombo.com.		300	IN	A	50.28.52.163

;; Query time: 9 msec
;; SERVER: 69.16.222.254#53(ns.liquidweb.com) (UDP)
;; WHEN: Tue Jan 07 10:26:18 JST 2025
;; MSG SIZE  rcvd: 54

This illustrates the recursive nature of DNS name resolution. dig is able to query any DNS record from scratch. It can do so without needing to know each individual name server responsible for a single domain. Instead, dig figures out which name servers it has to ask on the way to reach the final authoritative name server.

In this example, the authoritative name server is with liquidweb.com. An authoritative name server for a domain name can change in the future. Being able to perform recursive queries and always retrieving accurate information is important for inter-networking.

The DNS security extensions (DNSSEC) further increase the reliability of this system. dig can verify the whole chain of DNS responses. You can see for yourself how dig utilizes DNSSEC by starting dig using the +dnssec flag.

Reference

This Stack Exchange answer has more information on how to query a domain name and receive a complete trace.

The section DNS message format in the Wikipedia article on the Domain Name System explains all the header flags in detail.

DNS zone transfer protocol

The IETF published RFC 5936 in June 2010. This document specifies the DNS zone transfer protocol, also called AXFR. AXFR stands for Authoritative Transfer.

The RFC says that there SHOULD be means to restrict sessions to specific clients, but doesn’t specify them further. Access controls are only RECOMMENDED. See section 5 of RFC 5936:

[...]
A DNS implementation SHOULD provide means to restrict AXFR sessions
to specific clients.
[...]
A general-purpose implementation is RECOMMENDED to implement access
controls based upon "Secret Key Transaction Authentication for DNS
(TSIG)" [RFC2845] and/or "DNS Request and Transaction Signatures
( SIG(0)s )" [RFC2931].

A CVE missing critical details

Check out CVE-1999-0532. It lists the following vulnerability:

A DNS server allows zone transfers.

The CVE doesn’t contain any other description, such as affected software or version. Judging by this Red Hat Solution, this affects BIND 9 on Red Hat Enterprise Linux (RHEL) 6 and 7. RHEL 6 was first released in 2010, and RHEL 7 is from 2013. The timelines don’t add up, since the CVE is from 1999.

This CVE reads like a CWE, since it describes an abstract vulnerability. Compare for example CWE-276: incorrect default permissions.

Tags

I would be thrilled to hear from you! Please share your thoughts and ideas with me via email.

Back to Index