Tools such as DiG or NSLookup are used to verify DNS records are being resolved correctly. First, query an external DNS server (such as Google public DNS at 8.8.8.8) to confirm the appropriate server is acting as the authority. If queries are being resolved incorrectly by a server other than the Ecessa appliance, the DNS records on the server will need to be updated. Below are examples for tracing a DNS query, determining authority, and testing records configured on the Ecessa appliance using the DiG and NSLookup utilities.
DiG command syntax (the form used in the examples below): dig @<server> <name> [-t <type>] [+<option> ...]
The server can be identified by IP address or Fully Qualified Domain Name (FQDN).
Using DiG to trace lines of authority for a DNS query:
C:\>dig @8.8.8.8 www.google.com +trace +nodnssec
; <<>> DiG 9.9.1-P3 <<>> @8.8.8.8 www.google.com +trace +nodnssec
; (1 server found)
;; global options: +cmd
. 3890 IN NS j.root-servers.net.
. 3890 IN NS a.root-servers.net.
. 3890 IN NS m.root-servers.net.
. 3890 IN NS f.root-servers.net.
. 3890 IN NS i.root-servers.net.
. 3890 IN NS c.root-servers.net.
. 3890 IN NS k.root-servers.net.
. 3890 IN NS e.root-servers.net.
. 3890 IN NS h.root-servers.net.
. 3890 IN NS d.root-servers.net.
. 3890 IN NS l.root-servers.net.
. 3890 IN NS b.root-servers.net.
. 3890 IN NS g.root-servers.net.
;; Received 239 bytes from 8.8.8.8#53(8.8.8.8) in 84 ms
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
;; Received 531 bytes from 128.63.2.53#53(128.63.2.53) in 105 ms
google.com. 172800 IN NS ns2.google.com.
google.com. 172800 IN NS ns1.google.com.
google.com. 172800 IN NS ns3.google.com.
google.com. 172800 IN NS ns4.google.com.
;; Received 179 bytes from 192.33.14.30#53(192.33.14.30) in 59 ms
www.google.com. 300 IN A 74.125.225.210
www.google.com. 300 IN A 74.125.225.212
www.google.com. 300 IN A 74.125.225.211
www.google.com. 300 IN A 74.125.225.209
www.google.com. 300 IN A 74.125.225.208
;; Received 112 bytes from 216.239.32.10#53(216.239.32.10) in 69 ms
Examining the trace, we see that the authoritative name servers for "google.com" are ns2.google.com, ns1.google.com, ns3.google.com, and ns4.google.com. Finally, one of those authorities is queried to resolve "www.google.com", and the A records are listed at the end of the trace. The very last line notes which server responded with the answer.
A reverse lookup (dig -x) on that address, 216.239.32.10, confirms the answer came from ns1.google.com:
C:\>dig -x 216.239.32.10
; <<>> DiG 9.9.1-P3 <<>> -x 216.239.32.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2672
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;10.32.239.216.in-addr.arpa. IN PTR
;; ANSWER SECTION:
10.32.239.216.in-addr.arpa. 73804 IN PTR ns1.google.com.
;; Query time: 4 msec
;; SERVER: 192.168.1.50#53(192.168.1.50)
;; WHEN: Thu Jan 10 12:52:08 2013
;; MSG SIZE rcvd: 83
The previous example shows the lines of authority. The Ecessa appliance should be the authority for the domain and resolving DNS queries. The following examples will show different ways to test DNS resolution from the Ecessa appliance to confirm DNS queries are being resolved correctly. For the following examples, the WAN IP address for the Ecessa appliance is 12.34.56.78 and the domain is example.com.
Using DiG to test DNS resolution from the Ecessa appliance:
C:\>dig @198.51.100.2 example.com
; <<>> DiG 9.9.1-P3 <<>> @198.51.100.2 example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61715
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 30 IN A 198.51.100.20
;; AUTHORITY SECTION:
example.com. 360 IN NS ns1.example.com.
example.com. 360 IN NS ns2.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 360 IN A 198.51.100.2
ns2.example.com. 360 IN A 203.0.113.66
;; Query time: 5 msec
;; SERVER: 198.51.100.2#53(198.51.100.2)
;; WHEN: Wed Jan 16 11:54:00 2013
;; MSG SIZE rcvd: 135
Testing a Load-Balanced Host Record (Round-Robin):
C:\>dig @198.51.100.2 www.example.com
; <<>> DiG 9.9.1-P3 <<>> @198.51.100.2 www.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55767
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.com. IN A
;; ANSWER SECTION:
www.example.com. 30 IN A 203.0.113.46
www.example.com. 30 IN A 198.51.100.20
;; AUTHORITY SECTION:
example.com. 360 IN NS ns1.example.com.
example.com. 360 IN NS ns2.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 360 IN A 198.51.100.2
ns2.example.com. 360 IN A 203.0.113.66
;; Query time: 35 msec
;; SERVER: 198.51.100.2#53(198.51.100.2)
;; WHEN: Wed Jan 16 11:55:56 2013
;; MSG SIZE rcvd: 159
With load-balanced host records, the Ecessa appliance will answer a query with the configured addresses, in this case 198.51.100.20 and 203.0.113.46, which will be sent to clients in a round-robin fashion.
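The check described above (the appliance answers with the aa flag set and returns exactly the configured addresses) can be automated by parsing dig's output. This is an added example, not part of the original article or an Ecessa tool; the sample output is copied from the round-robin query above with the prompt, banner and timing lines omitted.

```python
import re
# Constructed sample: the appliance's round-robin answer for www.example.com (from the dig output above).
SAMPLE_RR = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55767
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; QUESTION SECTION:
;www.example.com. IN A
;; ANSWER SECTION:
www.example.com. 30 IN A 203.0.113.46
www.example.com. 30 IN A 198.51.100.20
;; AUTHORITY SECTION:
example.com. 360 IN NS ns1.example.com.
example.com. 360 IN NS ns2.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 360 IN A 198.51.100.2
ns2.example.com. 360 IN A 203.0.113.66
"""

def parse_dig(text):
    """Parse dig's text output into status, header flags and records per section."""
    out = {"status": None, "flags": set(), "sections": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; ->>HEADER<<-"):
            out["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            out["flags"] = set(line[len(";; flags:"):].split(";")[0].split())
        elif re.match(r"^;; \w+ SECTION:$", line):
            section = line.split()[1]
            out["sections"][section] = []
        elif section and line and not line.startswith(";"):
            name, ttl, _cls, rtype, *rdata = line.split()  # name ttl class type rdata
            out["sections"][section].append((name.rstrip("."), int(ttl), rtype, " ".join(rdata)))
    return out

def check_authoritative_answer(text, qname, expected_addrs):
    """Return a list of problems; empty means an authoritative NOERROR answer with exactly the expected A records."""
    r = parse_dig(text)
    problems = []
    if r["status"] != "NOERROR":
        problems.append("status is %s, not NOERROR" % r["status"])
    if "aa" not in r["flags"]:
        # No aa flag means a cache or forwarder answered, not the zone's authority.
        problems.append("no aa flag: answer did not come from an authoritative server")
    got = {rd for n, _, t, rd in r["sections"].get("ANSWER", []) if n == qname.rstrip(".") and t == "A"}
    if got != set(expected_addrs):
        problems.append("A records %s differ from expected %s" % (sorted(got), sorted(expected_addrs)))
    return problems
```

Feed it the output of dig @<appliance> <host> captured to a file; a non-empty result means either the wrong server answered or the host record is not configured as expected.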
Testing a Load-Balanced Host Record (Redundancy Only):
C:\>dig @198.51.100.2 www.example.com
; <<>> DiG 9.9.1-P3 <<>> @198.51.100.2 www.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50065
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.com. IN A
;; ANSWER SECTION:
www.example.com. 30 IN A 198.51.100.20
;; AUTHORITY SECTION:
example.com. 360 IN NS ns1.example.com.
example.com. 360 IN NS ns2.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 360 IN A 198.51.100.2
ns2.example.com. 360 IN A 203.0.113.66
;; Query time: 38 msec
;; SERVER: 198.51.100.2#53(198.51.100.2)
;; WHEN: Wed Jan 16 11:55:29 2013
;; MSG SIZE rcvd: 143
When a load-balanced host record is configured for Redundancy Only, the Ecessa appliance will answer a query with the first configured IP address. If the first IP address belongs to a WAN that is currently down, the Ecessa will answer the query with a different configured IP address from an operational WAN line if possible. If there are no IP addresses from operational WAN lines, the query will resolve with a blank for the IP address.
Testing for specific record types (NS Records):
C:\>dig @198.51.100.2 example.com -t ns
; <<>> DiG 9.9.1-P3 <<>> @198.51.100.2 example.com -t ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15595
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com. IN NS
;; ANSWER SECTION:
example.com. 360 IN NS ns1.example.com.
example.com. 360 IN NS ns2.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 360 IN A 198.51.100.2
ns2.example.com. 360 IN A 203.0.113.66
;; Query time: 29 msec
;; SERVER: 198.51.100.2#53(198.51.100.2)
;; WHEN: Wed Jan 16 11:56:21 2013
;; MSG SIZE rcvd: 119
Testing for specific record types (MX Records):
C:\>dig @198.51.100.2 example.com -t mx
; <<>> DiG 9.9.1-P3 <<>> @198.51.100.2 example.com -t mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21888
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com. IN MX
;; ANSWER SECTION:
example.com. 30 IN MX 10 mail.example.com.
;; AUTHORITY SECTION:
example.com. 360 IN NS ns1.example.com.
example.com. 360 IN NS ns2.example.com.
;; ADDITIONAL SECTION:
mail.example.com. 30 IN A 198.51.100.88
ns1.example.com. 360 IN A 198.51.100.2
ns2.example.com. 360 IN A 203.0.113.66
;; Query time: 35 msec
;; SERVER: 198.51.100.2#53(198.51.100.2)
;; WHEN: Wed Jan 16 11:56:37 2013
;; MSG SIZE rcvd: 156
In this example domain, the MX record points to mail.example.com, and mx.example.com is a CNAME alias for that host, so querying the alias returns both the CNAME and the A record:
C:\>dig @198.51.100.2 mx.example.com
; <<>> DiG 9.9.1-P3 <<>> @198.51.100.2 mx.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46595
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mx.example.com. IN A
;; ANSWER SECTION:
mx.example.com. 30 IN CNAME mail.example.com.
mail.example.com. 30 IN A 198.51.100.88
;; AUTHORITY SECTION:
example.com. 360 IN NS ns1.example.com.
example.com. 360 IN NS ns2.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 360 IN A 198.51.100.2
ns2.example.com. 360 IN A 203.0.113.66
;; Query time: 4 msec
;; SERVER: 198.51.100.2#53(198.51.100.2)
;; WHEN: Wed Jan 16 12:04:32 2013
;; MSG SIZE rcvd: 160
NSLookup command syntax (the form used in the examples below): nslookup [-type=<type>] <name> [<server>]
The server can be identified by IP address or Fully Qualified Domain Name (FQDN).
Using NSLookup to determine the authoritative name servers for the domain from the SOA record:
C:\>nslookup -type=SOA google.com. 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
google.com
primary name server = ns1.google.com
responsible mail addr = dns-admin.google.com
serial = 2013010300
refresh = 7200 (2 hours)
retry = 1800 (30 mins)
expire = 1209600 (14 days)
default TTL = 300 (5 mins)
C:\>nslookup www.google.com ns1.google.com
Server: ns1.google.com
Address: 216.239.32.10
Name: www.google.com
Addresses: 2607:f8b0:400f:801::1012
74.125.225.210
74.125.225.212
74.125.225.211
74.125.225.209
74.125.225.208
Using NSLookup with the “debug” option:
C:\>nslookup -debug www.google.com. ns1.google.com
------------
Got answer:
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, auth. answer, want recursion
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
10.32.239.216.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 10.32.239.216.in-addr.arpa
name = ns1.google.com
ttl = 86400 (1 day)
------------
Server: ns1.google.com
Address: 216.239.32.10
------------
Got answer:
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: response, auth. answer, want recursion
questions = 1, answers = 5, authority records = 0, additional = 0
QUESTIONS:
www.google.com, type = A, class = IN
ANSWERS:
-> www.google.com
internet address = 74.125.225.212
ttl = 300 (5 mins)
-> www.google.com
internet address = 74.125.225.210
ttl = 300 (5 mins)
-> www.google.com
internet address = 74.125.225.209
ttl = 300 (5 mins)
-> www.google.com
internet address = 74.125.225.208
ttl = 300 (5 mins)
-> www.google.com
internet address = 74.125.225.211
ttl = 300 (5 mins)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: response, auth. answer, want recursion
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
www.google.com, type = AAAA, class = IN
ANSWERS:
-> www.google.com
AAAA IPv6 address = 2607:f8b0:400f:801::1013
ttl = 300 (5 mins)
------------
Name: www.google.com
Addresses: 2607:f8b0:400f:801::1013
74.125.225.212
74.125.225.210
74.125.225.209
74.125.225.208
74.125.225.211
Using NSLookup to test DNS resolution from the Ecessa appliance:
C:\>nslookup -type=SOA example.com. 198.51.100.2
Server: ns1.example.com
Address: 198.51.100.2
example.com
primary name server = ns1.example.com
responsible mail addr = hostmaster@example.com
serial = 2013011604
refresh = 360 (6 mins)
retry = 60 (1 min)
expire = 86400 (1 day)
default TTL = 30 (30 secs)
example.com nameserver = ns1.example.com
example.com nameserver = ns2.example.com
ns1.example.com internet address = 198.51.100.2
ns2.example.com internet address = 203.0.113.66
C:\>nslookup example.com. 198.51.100.2
Server: ns1.example.com
Address: 198.51.100.2
Name: example.com
Addresses: 198.51.100.20
203.0.113.46
Testing a Load-Balanced Host Record (Round-Robin):
C:\>nslookup www.example.com. 198.51.100.2
Server: ns1.example.com
Address: 198.51.100.2
Name: www.example.com
Addresses: 198.51.100.20
203.0.113.46
Testing a Load-Balanced Host Record (Redundancy Only):
C:\>nslookup www.example.com. 198.51.100.2
Server: ns1.example.com
Address: 198.51.100.2
Name: www.example.com
Address: 198.51.100.20
Testing for specific record types (NS Records):
C:\>nslookup -type=ns example.com. 198.51.100.2
Server: ns1.example.com
Address: 198.51.100.2
example.com nameserver = ns1.example.com
example.com nameserver = ns2.example.com
ns1.example.com internet address = 198.51.100.2
ns2.example.com internet address = 203.0.113.66
Testing for specific record types (MX Records):
C:\>nslookup -type=mx example.com. 198.51.100.2
Server: ns1.example.com
Address: 198.51.100.2
example.com MX preference = 10, mail exchanger = mail.example.com
example.com nameserver = ns1.example.com
example.com nameserver = ns2.example.com
mail.example.com internet address = 198.51.100.88
ns1.example.com internet address = 198.51.100.2
ns2.example.com internet address = 203.0.113.66
In this example domain, the MX record points to mail.example.com, and mx.example.com is a CNAME alias for that host, so NSLookup reports mail.example.com with mx.example.com listed under Aliases:
C:\>nslookup mx.example.com. 198.51.100.2
Server: ns1.example.com
Address: 198.51.100.2
Name: mail.example.com
Address: 198.51.100.88
Aliases: mx.example.com