DNS Root-Server: Is there one Central Root-Server to query the Rootservers itself

domain-name-system

if I want to querey the DNS delegation "manually", I normally start using one of the "DNS-Root-Servers", like b.root-servers.net.

dig @b.root-servers.net test.com

But what if the root servers would change? My question is, is there any possibility to query a "central Server" even being "above" the root servers that returns me the list of Root servers?

Best Answer

You can 'dig @b.root-servers.net . ns' to get updated root hints (which you should do periodically). Every root DNS server can return the root hints, so as long as all the root servers don't change at once you can always get updates re: those that have changed from those that have not.

Related Solutions

Bind is not resolving specific host

In your dig output, the name servers for that domain appear to be ns.agasoft.co.il and ns3.agasoft.co.il.

However, as of right now, their name servers are webserver1.agasoft.co.il and webserver2.agasoft.co.il.

It appears they changed their name servers.

In addition, mailhost.agasoft.co.il does not exist, according to those servers. Instead, their mail server (as identified by their MX record) is mailserver1.agasoft.co.il. This host does exist, and both name servers return the same address for it: 82.80.246.156.

Also note that in your dig output above, you requested a trace for mailhost.agasoft.co.il but the output shows for mailserver1.agasoft.co.il. Was that a typo in your question?

Summary: the agasoft.co.il domain appears to have recently changed their name servers and possibly also their mail server. If you are trying to find out why mail couldn’t be delivered to them, that’s why. The old name servers (according to your dig output) have a TTL of 1 day, so the problem should clear up in a day or so.

Why don’t DNS root servers answer

Sounds like your internet provider must blocking access to the root name servers. They obviously don't block access to their own resolvers, and they probably exempt a couple of other popular external resolvers like Google Public DNS, but might block all domain-port access otherwise.

Is this common? It depends. I think it's relatively common for such blocks to be present on university and corporate networks, but I would say it's not supposed to be a particularly common occurrence with regular residential providers. (Most providers do block outgoing smtp-port, however.)

Why would anyone block external nameservers? This has probably to do with various man-in-the-middle attacks that are possible if legitimate nameservers are substituted for compromised ones. To avoid any such attacks and to reduce user complaints, most providers usually redirect all domain-port requests to their own servers: when they do so, you can't run your own recursive server anymore or do dig +trace troubleshooting, but at least you wouldn't have to change your DNS settings otherwise.

Anyhow, indeed there is nothing wrong with your command itself: you're supposed to receive a reply as below, which would make it possible for you to make another request on the manual recursive path to the resolution of the given name.

# dig @b.root-servers.net www.ubuntu.com

; <<>> DiG 9.7.3 <<>> @b.root-servers.net www.ubuntu.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20828
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.ubuntu.com.                        IN      A

;; AUTHORITY SECTION:
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net.     172800  IN      A       192.5.6.30
b.gtld-servers.net.     172800  IN      A       192.33.14.30
c.gtld-servers.net.     172800  IN      A       192.26.92.30
d.gtld-servers.net.     172800  IN      A       192.31.80.30
e.gtld-servers.net.     172800  IN      A       192.12.94.30
f.gtld-servers.net.     172800  IN      A       192.35.51.30
g.gtld-servers.net.     172800  IN      A       192.42.93.30
h.gtld-servers.net.     172800  IN      A       192.54.112.30
i.gtld-servers.net.     172800  IN      A       192.43.172.30
j.gtld-servers.net.     172800  IN      A       192.48.79.30
k.gtld-servers.net.     172800  IN      A       192.52.178.30
l.gtld-servers.net.     172800  IN      A       192.41.162.30
m.gtld-servers.net.     172800  IN      A       192.55.83.30
a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30

;; Query time: 12 msec
;; SERVER: 192.228.79.201#53(192.228.79.201)
;; WHEN: Sat Jan 12 22:52:12 2013
;; MSG SIZE  rcvd: 492

Best Answer

Related Solutions

Bind is not resolving specific host

Why don’t DNS root servers answer

Related Topic