DNS Always Getting Non-Authoritative Answer

domain-name-system

I'm trying to get an authoritative answer on a DNS query. I've used nslookup using "set querytype=ns" to get the primary name server, which returned the following:

yesecommerce.com
        primary name server = ns.123-reg.co.uk
        responsible mail addr = hostmaster.yesecommerce.com
        serial  = 2011091001
        refresh = 86400 (1 day)
        retry   = 3600 (1 hour)
        expire  = 1209600 (14 days)
        default TTL = 14400 (4 hours)

However when I then try "nslookup www.yesecommerce.com ns.123-reg.co.uk" I get the following:

Server:  ns.123-reg.co.uk
Address:  212.67.202.2

Non-authoritative answer:
Name:    www.yesecommerce.com
Address:  95.154.207.68

I though that when querying the primary nameserver I would receive an authoritative answer and i'm confused as to why not – any ideas?

Thanks!

Best Answer

I don't:

[me@risby me]$ nslookup www.yesecommerce.com ns.123-reg.co.uk
Server:         ns.123-reg.co.uk
Address:        212.67.202.2#53

Name:   www.yesecommerce.com
Address: 92.19.219.18

Some ISPs do transparent proxying of DNS requests; it may be that your ISP is amongst them. The fact that we get consistently different A records returned points in that direction, too.

Related Solutions

Debian – Setting up a DNS name server for a mass virtual host with Bind9

Looking at the IP addresses in your resolv.conf I get the feeling that your BIND server is on 192.168.1.52. As far as I can tell, you can't specify in resolv.conf something like "for these domains, use this name server". Basically, your BIND server will never be queried. As you can see in your dig lookup (which is incorrect, it is asking for a reverse DNS entry), it tries 80.58.0.33, which I assume is your provider's DNS server.

You already set up BIND as caching nameserver by using the 'forwarders' option, so what you need to do is have only 192.168.1.52 in the client PCs as nameserver.

To see if your BIND is configured correctly, try this:

dig example.test @192.168.1.52

DNS – Understanding Non-Authoritative Answers in NSLOOKUP

Basically, it's what the name says it is. An authoritative answer comes from a nameserver that is considered authoritative for the domain which it's returning a record for (one of the nameservers in the list for the domain you did a lookup on), and a non-authoritative answer comes from anywhere else (a nameserver not in the list for the domain you did a lookup on).

It's basically a distinction between a nameserver that's an official nameserver for the domain you're querying, and a nameserver that isn't. Nameservers that aren't authoritative are getting their answers second (or third or fourth...) hand - just relaying the information along from somewhere else.

So, for example, If I did an nslookup of maps.google.com right now, I would get a response from one of my configured nameservers. (Either from my ISP, or my domain.) It would come back as non-authoritative because neither my ISP's nameservers, nor my own are in the list of nameservers for google.com. They aren't Google's nameservers, so they're not the authoritative source that creates the NS records.

The list of authoritative nameservers for Google is below (from whois.internic.net).

Domain Name: GOOGLE.COM

Registrar: MARKMONITOR INC.

Whois Server: whois.markmonitor.com

Name Server: NS1.GOOGLE.COM

Name Server: NS2.GOOGLE.COM

Name Server: NS3.GOOGLE.COM

Name Server: NS4.GOOGLE.COM

Updated Date: 20-jul-2011

Creation Date: 15-sep-1997

Expiration Date: 14-sep-2020

If I changed my configured DNS server to one of the ones in that list, and then did an nslookup against maps.google.com, I'd get an authoritative answer back. Those servers are the authority, (or source) for what are valid names in Google's domains, and what aren't. All other nameservers, non-authoritative nameservers, get their NS records from the authoritative servers somewhere down the line.

Best Answer

Related Solutions

Debian – Setting up a DNS name server for a mass virtual host with Bind9

DNS – Understanding Non-Authoritative Answers in NSLOOKUP

Related Topic