Posted on 2003-04-01 21:10:55, modified on 2006-01-09 16:29:20
Tags: Networking, DNS, dnstracer
This article regarding dnstracer was published in the SAGE-AU Advice Volume 9 Number 1 (March 2003) and The Journal of AUUG Inc. Volume 24 number 1 (March 2003)
The Domain Name Server system is a globally replicated and distributed database which primary translate hostnames (www.sage-au.org.au) into IP addresses (66.216.68.159), route mail (@sage-au.org.au) to mailhubs (sagemx.sage-au.org.au) and converts IP addresses (66.216.68.159) into hostnames (platypus.instaweb.com.au). Without it, we would have to use remember the IP addresses of the servers we want to connect to (telnet 131.155.132.36 4000) and it would be very hard to send emails as easy as it goes today (mcvax!moskvax!kremvax!chernenko).
Normally you don't have to worry about DNS, you just get the settings for the nameserver you have to use via PPP when dialing into an ISP or via DHCP when connecting to a LAN at a company. They make sure that their nameservers know where to get the rest of their data, which are initially the root-nameservers.
The root-nameservers are the 13 (13 logical, but physical more) most important nameservers on the internet. They know where the rest of the DNS servers can be found.
Furthermore you have master and slave servers for a domain: the data for a domain is only manually changed at the master, the slaves transfer the data via the internal DNS mechanics.
If you're requesting the IP address of www.sage-au.org.au your nameserver will ask one of the root-servers for it. It will reply that it doesn't know it, but that the answer can be found at the DNS servers for .au and supplies a list with them and their IP addresses (The list is known as Authority Data, the IP addresses are known as Additional Data). Your server will ask the question again at one of the servers responsible for .au and get a similair answer: it doesn't know it, but it hands you a list of servers for .org.au and their IP addresses. This goes on until you're at the servers which are responsible for sage-au.org.au, in which case you get the IP address of www.sage-au.org.au (Answer Data).
If you're requesting the IP address of www.sage-au.org.au your Your server now caches the data for .au, .org.au, .sage-au.org.au and www.sage-au.org.au for a short time (the Time To Live) so that following requests for that data doesn't need to explore so much, it just can do a quick lookup of in it's own cache and returns the answer.
The DNS system is not really a SPOF, it is designed as a globally replicated and distributed database which means that if you can't reach one of the servers, you can try it at a different one. As there are 13 root-servers which know where to find the rest, there are 6 servers for the .au domain (6 logical with a total of at least 8 IP addresses), there are 9 servers for the .org.au domain and two servers for the sage-au.org.au domain. The location of the servers on the internet and replication is used to overcome connectivity problems. Regarding the network, there isn't much which can go wrong. Regarding the administrative side of it, that's where things go wrong.
When you register a new domain, you are asked what the nameservers are and if necessary also the IP addresses. Furthermore, these nameservers have to be configured to answer requests for that new domain and to exchange information between them. And actually data has to be served on that domain. Five places for things to go wrong!
At the time of writing, one of the domains of a nameserver for .org.au has expired (for people interested: optus.net has expired at December 16th 2002 and after half a month it still hasn't been re-registrered). That means that the IP address of the nameserver audns01.syd.optus.net can't be found and that this server will never be queried (after all, if you don't know an IP address you can't connect to it)
Changing the IP address of a nameserver is a pain and often it will be forgotten on one or two machines (Remember that switch in the cupboard which got installed a long time ago? Yes, that one too has the IP address of the DNS server hardcoded). Or that the registrar makes it impossible to change the IP address of the nameserver via their website because of all kind of internal checks.
Lame servers are servers which are mentioned in the NS records for a domain but are not authoritative for that domain. This can happen because of a typo in the IP address or a change which has never been fully finished (new server added while it wasn't ready or old server data removed but never from the NS records).
Stealth servers are servers which are not mentioned in the NS records but are authoritative for that domains. For example servers which have been removed from the NS records but the configuration of the server never updated.
When data is changed on the master server, the slaves will have to transfer it from there. But sometimes they can't because the master has disabled it for some reason. In that case the data on the slaves will get more and more obsolete.
DNS server software has strange habbits and one of them is often that if you end a name without a dot, it will add the current domainname to it. So if you see a zonefile with www.sage-au.org.au.sage-au.org.au, you know that they forgot to end it with a dot at the end.
Remember the traceroute(8) utility? It shows the path an IP packet takes when you send it to its destination IP address. Remember ntptrace(8)? It shows the path of NTP servers which your NTP client is syncing on. Dnstracer is something similair, it shows you where a DNS server will go for its information. So if you want to know the path to www.sage-au.org.au:
[~] edwin@k7>dnstracer -s . -o www.sage-au.org.au Tracing to www.sage-au.org.au via A.ROOT-SERVERS.NET, timeout 15 seconds A.ROOT-SERVERS.NET [.] (198.41.0.4) |\___ SEC3.APNIC.NET [au] (202.12.28.140) | |\___ ns3.melbourneit.com [org.au] (203.27.227.10) | | |\___ ns2.sage-au.org.au [sage-au.org.au] (130.102.171.100) Got authoritative answer | | \___ ns1.sage-au.org.au [sage-au.org.au] (203.27.221.52) Got authoritative answer | |\___ ns3.ausregistry.net [org.au] (203.18.56.43) | | |\___ ns1.sage-au.org.au [sage-au.org.au] (203.27.221.52) (cached) | | \___ ns2.sage-au.org.au [sage-au.org.au] (130.102.171.100) (cached) | |\___ ns2.ausregistry.net [org.au] (203.18.56.42) | | |\___ ns2.sage-au.org.au [sage-au.org.au] (130.102.171.100) (cached) | | \___ ns1.sage-au.org.au [sage-au.org.au] (203.27.221.52) (cached) | |\___ ns1.ausregistry.net [org.au] (203.18.56.41) | | |\___ ns1.sage-au.org.au [sage-au.org.au] (203.27.221.52) (cached) | | \___ ns2.sage-au.org.au [sage-au.org.au] (130.102.171.100) (cached) | |\___ audns01.syd.optus.net [org.au] (No IP address) | |\___ au2ld.csiro.au [org.au] (130.116.2.21) | | |\___ ns2.sage-au.org.au [sage-au.org.au] (130.102.171.100) (cached) | | \___ ns1.sage-au.org.au [sage-au.org.au] (203.27.221.52) (cached) | |\___ dns1.telstra.net [org.au] (203.50.5.200) | | |\___ ns1.sage-au.org.au [sage-au.org.au] (203.27.221.52) (cached) | | \___ ns2.sage-au.org.au [sage-au.org.au] (130.102.171.100) (cached) | |\___ box2.aunic.net [org.au] (203.202.150.20) | | |\___ ns2.sage-au.org.au [sage-au.org.au] (130.102.171.100) (cached) | | \___ ns1.sage-au.org.au [sage-au.org.au] (203.27.221.52) (cached) | \___ ns4.ausregistry.net [org.au] (210.8.15.253) | |\___ ns2.sage-au.org.au [sage-au.org.au] (130.102.171.100) (cached) | \___ ns1.sage-au.org.au [sage-au.org.au] (203.27.221.52) (cached) |\___ SEC1.APNIC.NET [au] (202.12.29.59) | |\___ au2ld.csiro.au [org.au] (130.116.2.21) (cached) | |\___ dns1.telstra.net [org.au] (203.50.5.200) (cached) | |\___ box2.aunic.net [org.au] (203.202.150.20) (cached) [...] ns1.sage-au.org.au (203.27.221.52) www.sage-au.org.au -> 66.216.68.159 ns2.sage-au.org.au (130.102.171.100) www.sage-au.org.au -> 66.216.68.159
Just like expected: the server goes to a root-server, the servers for the .au domain, the servers for the .org.au domain and the servers of the .sage-au.org.au domains. The answers received are printed at the end and they agree on it.
Sometimes it will go wrong, for example when a lame server is detected:
[~] edwin@k7>dnstracer -o -s RELAY-1.FTEL.CO.UK fataldimensions.nl.eu.org Tracing to fataldimensions.nl.eu.org via RELAY-1.FTEL.CO.UK, timeout 15 seconds RELAY-1.FTEL.CO.UK (192.65.220.24) |\___ ns.cistron.nl [nl.eu.org] (62.216.31.55) Got answer |\___ ns.lf.net [nl.eu.org] (212.9.160.1) Got answer |\___ ns.eu.org [nl.eu.org] (137.194.2.218) Lame server |\___ ns2.ispi.net [nl.eu.org] (206.131.193.15) Got authoritative answer |\___ ns.patriots.net [nl.eu.org] (206.131.200.40) Got authoritative answer \___ auth1.dns.elm.net [nl.eu.org] (81.17.34.251) Got authoritative answer [...]
The difference between "Got answer" and "Got authoritative answer" is that the first one can be a cached answer, while the second one is one from a server which admits that its responsible for that domain.
See http://www.mavetju.org/unix/dnstracer.php for more information about the dnstracer utility and how to obtain it. For FreeBSD and OpenBSD, it is in the ports-collection. For Linux, there is an RPM for it. Otherwise, just grab the tarball and compile it.
| Share on Facebook | Share on Twitter