Friday, November 14, 2008

dig +trace

If you are curious about how DNS works, you probably should have a look at dig +trace. Dig +trace gives you a hierarchical listing of the DNS servers responsible for each level of a domain name.

The tool starts at the top level name servers (you know, the 13 root servers that make DNS work) and asks one of them for the name servers of the top level domain: .com or .net or .uk or .whatever. It then picks one of those top level servers and asks it for the servers responsible for the next label, like microsoft.com, and so on down the tree. It does this until it reaches the servers that are authoritative for the hostname or domain name you entered (for an IP address, the matching in-addr.arpa name).

It's great for getting a top-down view of how the DNS system works. You can also see if there are problems finding the authoritative servers: a level that returns no referral, a server that is not in the parent's delegation, or a server that just hands you back the same NS records instead of an answer. One caveat worth knowing: only the very first step (the list of root servers) comes from your local recursive resolver. Every step after that goes directly to the authoritative servers and bypasses the resolver's cache, so a trace shows what the authoritative servers actually say right now, not what your resolver has cached. You can do this from the unix/linux command line (dig hostname +trace) or from our software.

Here is an example using www.microsoft.com as an input to NetScanTools Pro's Name Server Lookup tool:

[Start Query]
DiG Starting Timestamp: 11/14/08 21:03:54

; <<>> DiG 9.x <<>> www.microsoft.com +trace
. 65326 IN NS a.root-servers.net
. 65326 IN NS b.root-servers.net
{snip}
;; Received 228 bytes from 208.200.248.8 (208.200.248.8) in 63 ms

com. 172800 IN NS H.GTLD-SERVERS.NET
com. 172800 IN NS I.GTLD-SERVERS.NET
{snip}
;; Received 509 bytes from a.root-servers.net (198.41.0.4) in 140 ms

(note: these are the authoritative domain servers for handling the queries for hostnames in the microsoft.com domain)
microsoft.com. 172800 IN NS ns1.msft.net
microsoft.com. 172800 IN NS ns2.msft.net
microsoft.com. 172800 IN NS ns3.msft.net
microsoft.com. 172800 IN NS ns4.msft.net
microsoft.com. 172800 IN NS ns5.msft.net
;; Received 209 bytes from H.GTLD-SERVERS.NET (192.54.112.30) in 234 ms

www.microsoft.com. 3600 IN CNAME toggle.www.ms.akadns.net
;; Received 73 bytes from ns1.msft.net (207.68.160.190) in 62 ms

[End Query]

With each level, you can see that a number was returned. This is the TTL (time-to-live) for the DNS record in seconds. Notice the difference between the first level and the rest: the root server list came from our local recursive resolver (208.200.248.8), so its TTL is whatever is left in that resolver's cache (65326 seconds). If you do the dig +trace query again, that number will be smaller, reflecting the time you took between queries. The later levels were answered by authoritative servers, so they show the full configured TTL every time (172800 seconds, or 48 hours, for the delegations; 3600 seconds for the CNAME).

You can see that ns1 told us that www.microsoft.com is aliased to a server handled by Akamai. It did not tell us the IP address. We did an 'ANY' query and the CNAME record was all that was returned to us, which is correct behaviour: a name that is a CNAME has no other records of its own, and ns1.msft.net is not authoritative for akadns.net, so it cannot supply the A record. Note that dig +trace stops at the alias and does not follow it; to get to an address you run a second trace on toggle.www.ms.akadns.net.
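To make the checks described above repeatable, here is an added example (not NetScanTools code, and not part of the original post) that parses dig +trace output in the format printed above into one record per hop and then walks the chain: it confirms each hop was answered by a server the previous hop delegated to, flags a server that refers back to the same zone (a lame delegation), and flags a final CNAME that the trace did not follow. The sample input is the www.microsoft.com trace from this post; the hop class, the field names and the `check_trace` findings are my own.

```python
"""Parse dig +trace output into per-hop referrals and sanity-check the chain.

Added example, not NetScanTools code. It understands the two line shapes dig
+trace prints in the output above: resource records ("name ttl IN type rdata")
and the ";; Received N bytes from server (ip) in N ms" footer closing each hop.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Sample input: the www.microsoft.com trace shown in the post above. The {snip}
# and ";" lines are kept on purpose so the parser demonstrably ignores them.
SAMPLE = """\
; <<>> DiG 9.x <<>> www.microsoft.com +trace
. 65326 IN NS a.root-servers.net
. 65326 IN NS b.root-servers.net
{snip}
;; Received 228 bytes from 208.200.248.8 (208.200.248.8) in 63 ms

com. 172800 IN NS H.GTLD-SERVERS.NET
com. 172800 IN NS I.GTLD-SERVERS.NET
{snip}
;; Received 509 bytes from a.root-servers.net (198.41.0.4) in 140 ms

microsoft.com. 172800 IN NS ns1.msft.net
microsoft.com. 172800 IN NS ns2.msft.net
microsoft.com. 172800 IN NS ns3.msft.net
microsoft.com. 172800 IN NS ns4.msft.net
microsoft.com. 172800 IN NS ns5.msft.net
;; Received 209 bytes from H.GTLD-SERVERS.NET (192.54.112.30) in 234 ms

www.microsoft.com. 3600 IN CNAME toggle.www.ms.akadns.net
;; Received 73 bytes from ns1.msft.net (207.68.160.190) in 62 ms
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(.+)$")
FROM_RE = re.compile(r"^;; Received (\d+) bytes from (\S+) \(([^)]+)\) in (\d+) ms$")

Record = Tuple[str, int, str, str]  # (owner name, ttl, type, rdata)


@dataclass
class Hop:
    records: List[Record] = field(default_factory=list)
    server: str = ""      # server that answered this hop, as dig prints it
    server_ip: str = ""
    rtt_ms: int = 0

    def zone(self) -> str:
        return self.records[0][0] if self.records else ""

    def is_referral(self) -> bool:
        return bool(self.records) and all(r[2] == "NS" for r in self.records)


def parse_trace(text: str) -> List[Hop]:
    """One Hop per ';; Received ...' footer; records before it belong to that hop."""
    hops: List[Hop] = []
    current = Hop()
    for raw in text.splitlines():
        line = raw.strip()
        m = RR_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            current.records.append((name, int(ttl), rtype, rdata.strip()))
            continue
        m = FROM_RE.match(line)
        if m:  # footer closes the hop; a trailing hop without a footer is dropped
            _, current.server, current.server_ip, rtt = m.groups()
            current.rtt_ms = int(rtt)
            hops.append(current)
            current = Hop()
        # comments, {snip} markers and blank lines fall through and are ignored
    return hops


def delegation_path(hops: List[Hop]) -> List[str]:
    """Zones walked from the root down, one per referral hop."""
    return [h.zone() for h in hops if h.is_referral()]


def check_trace(hops: List[Hop], qname: str) -> List[str]:
    """Findings a practitioner looks for: a server outside the parent's
    delegation, a lame referral, or a trace that ends without an address."""
    findings: List[str] = []
    if not hops:
        return ["no hops parsed"]
    for prev, cur in zip(hops, hops[1:]):
        delegated = {r[3].rstrip(".").lower() for r in prev.records if r[2] == "NS"}
        if cur.server.rstrip(".").lower() not in delegated:
            findings.append(f"{cur.server} answered for {cur.zone()} but was not delegated by {prev.server}")
        if prev.is_referral() and cur.is_referral() and prev.zone() == cur.zone():
            findings.append(f"{cur.server} referred back to {cur.zone()}: lame delegation")
    last = hops[-1]
    if last.is_referral():
        findings.append(f"trace ended at a referral for {last.zone()} with no answer for {qname}")
    cnames = [r for r in last.records if r[2] == "CNAME"]
    if cnames and not any(r[2] in ("A", "AAAA") for r in last.records):
        findings.append(f"{qname} is a CNAME to {cnames[0][3]}; dig +trace does not follow it, trace that name separately")
    return findings


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE)
    print("delegation path:", " -> ".join(delegation_path(parsed)))
    for finding in check_trace(parsed, "www.microsoft.com."):
        print("finding:", finding)
```

Feed it the saved output of `dig hostname +trace` and read the findings before the records themselves; on the sample above the only finding is the unfollowed CNAME, which is exactly the point where the trace stopped.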
