What are all the flags in a dig response

digdomain-name-system

dig responses return flags in the comments section:

$ dig example.com +noall +comments

; <<>> DiG 9.8.3-P1 <<>> example.com +noall +comments
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29045
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

On the last line here, there are flags:

flags: qr rd ra;

What are all the possible flags that dig has?

Here's a list of the ones I've found so far:

rd – Recursion Desired
ra – Recursion Available
aa – Authoritative Answer
qr – Query?
cd – Checking Disabled (not sure what this means)
others?

Best Answer

I am using RFC 1035 as source, keeping to the sequence from there, regardless if you already mentioned it in your question.

QR specifies whether this message is a query (0), or a response (1)
OPCODE A four bit field, only valid values: 0,1,2
AA Authoritative Answer
TC TrunCation (truncated due to length greater than that permitted on the transmission channel)
RD Recursion Desired
RA Recursion Available
Z Reserved for future use. Must be zero

There were two more DNSSEC-related flags introduced in RFC 4035:

CD (Checking Disabled): indicates a security-aware resolver should disable signature validation (that is, not check DNSSEC records)
AD (Authentic Data): indicates the resolver believes the responses to be authentic - that is, validated by DNSSEC

Related Solutions

CNAME to another domain fails on some office networks, why

Looking at your log, it doesn't seem to be a problem with the Volusion nameservers, it's more likely to be a problems with the caching resolvers used by the misbehaving private office networks.

The first resolution intent is by appending what I suppose is their own domain name, so when you look up find.aspenfasteners.com the resolvers first asks for find.aspenfasteners.com.fastenerwholesale.com. Then the resolver asks for the actual domain without appending anything. It asks for the IP associated with the domain by specifying the resource record type A. The Volusion name server correctly sets the return code to NXDOMAIN (=non-existing domain), because it has no A record for the domain you asked for. However, it does return the CNAME resource record in the aswer section, so it is now the job of the resolver to look up the hostname specified in the CNAME resource record.

I would look for problems on the resolver side.

Global Reverse DNS look-ups not working

You've set it up correctly on your server, but your server is not marked as authoritative for 123.5.253.159.in-addr.arpa. Your reverse DNS is managed by your ISP (the whole 5.253.159.in-addr.arpa zone):

; <<>> DiG 9.7.3-P3 <<>> ns 5.253.159.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43579
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;5.253.159.in-addr.arpa.        IN  NS

;; ANSWER SECTION:
5.253.159.in-addr.arpa. 86010   IN  NS  ns3.uxw.nl.
5.253.159.in-addr.arpa. 86010   IN  NS  ns4.uxw.nl.

You have 2 solutions to solve that:

ask your ISP to define the 123.5.253.159.in-addr.arpa record for you on their DNS (ns3.uxw.nl and ns4.uxw.nl),
ask your ISP to delegate the 123.5.253.159.in-addr.arpa record to your server, as per the RFC 2317, this is just a matter of defining a CNAME pointing to a new record on a new zone on your DNS (you then have to define this special zone on your DNS, your ISP will tell you how to name this new zone).

First solution is probably the quickest, but if you change your server's name in the future, you've got to ask them to change it again. Second solution is the most flexible, if your ISP is willing to support RFC 2317. If your ISP is providing you with more than a single address, reverse DNS can be delegated for all of them (the whole range) so you can be in charge. I'd recommend you to ask for that.

This similar question is worth reading.

Trivia: a few years ago (5, or 10 years back), some people were advocating against RFC-2317, because some DNS clients couldn't handle the reverse queries well. However, I don't think that is relevant anymore, RFC-2317 exists for about 15 years now.

Best Answer

Related Solutions

CNAME to another domain fails on some office networks, why

Global Reverse DNS look-ups not working

Related Topic