Linux – Why Does dig Not Show the Authority Section and How to Make It Show Authoritative Name Servers

authoritativedigdomain-name-systemlinuxnetworking

I started recently to learn about DNS, and I got stuck when using dig command in Linux. More exactly, I'd like to see the authoritative name servers (their names or IP addresses) that hold the answers to my DNS queries and I don't know how. As you probably already know, the dig's command output has 5 sections: HEADER, QUERY, ANSWER, AUTHORITY and ADDITIONAL. The last 3 include resource records found in the reply to the DNS request send by dig. The one that interests me is the AUTHORITY section which normally should show resource records of type NS (name server) that provide information about the authoritative name servers from which the answer to the initial query is retrieved. The authoritative servers are of course different from the cache servers that can improve efficiency.

Now, my problem is that every time I call dig the answer doesn't contain any AUTHORITY records. It is possible I don't know the proper options or some other issue which I'm not aware of may occur. What could be the reasons for not getting any authority answer and what should be done in order to get it? I would put an image of the terminal but I don`t have yet 10 reputation, but the question remains.

Best Answer

More exactly, I'd like to see the authoritative name servers (their names or IP addresses) that hold the answers to my DNS queries and I don't know how.

It all depends on which nameserver you query. If you don't specify any with the @ flag it uses the local recursive one to give you the final answer. This answer may have been computed by the recursive nameserver querying many different authoritative nameservers before coming to the answer, so there is not "one" authoritative nameserver in this scenario.

If you can dig with +trace it will behave itself like a recursive nameserver and will show you each step of the resolution, with each authoritative nameserver being queried and its answer.

The one that interests me is the AUTHORITY section which normally should show resource records of type NS (name server) that provide information about the authoritative name servers from which the answer to the initial query is retrieved.

It is more complicated than that. It depends which nameserver you are querying, and what query you do.

Let us use serverfault.com as example (and remember dig does an A record type query by default), and compare between recursive nameserver, authoritative on name, authoritative on parent.

Asking a recursive nameserver

$ dig serverfault.com  @9.9.9.9 +noall +auth +nottlunits
$

No data in AUTHORITY section, as expected. A recursive nameserver is not authoritative on the data, so it just gives you the answer you request.

Asking the zone authoritative nameservers

$ dig serverfault.com NS +short
ns-cloud-c1.googledomains.com.
ns-cloud-c2.googledomains.com.
ns-1135.awsdns-13.org.
ns-860.awsdns-43.net.
$ dig serverfault.com @ns-cloud-c1.googledomains.com. +noall +auth +nottlunits
$

No AUTHORITY either because you just do not need it, it is an optimization. Note that if you query the AWSDNS nameservers, you will get an AUTHORITY section, but it is not useful.

Asking the parent authoritative nameservers

$ dig com. NS +short
b.gtld-servers.net.
k.gtld-servers.net.
d.gtld-servers.net.
i.gtld-servers.net.
j.gtld-servers.net.
f.gtld-servers.net.
h.gtld-servers.net.
c.gtld-servers.net.
e.gtld-servers.net.
g.gtld-servers.net.
m.gtld-servers.net.
a.gtld-servers.net.
l.gtld-servers.net.
$ dig serverfault.com @g.gtld-servers.net. +noall +auth +nottlunits
serverfault.com.    172800 IN NS ns-860.awsdns-43.net.
serverfault.com.    172800 IN NS ns-1135.awsdns-13.org.
serverfault.com.    172800 IN NS ns-cloud-c1.googledomains.com.
serverfault.com.    172800 IN NS ns-cloud-c2.googledomains.com.

Here you will always (no matter which of the above nameservers you query) get an AUTHORITY section (and no ANSWER section in fact) because these nameservers do not have the answer to your query as they are not authoritative on the name but they do know a delegation exists so they give you back in AUTHORITY the list of nameservers you should query instead.

This is all normal DNS delegation workflow.

PS:

I would put an image of the terminal but I don`t have yet 10 reputation

No, don't put an image no matter what. A terminal is lines of text. Copy and paste relevant ones, AS TEXT, in any question. Absolutely do not attach a screenshot, this is bad on all aspects.

Related Solutions

DNS BIND – Why Does dig +trace Sometimes Reply with a List of Authoritative Nameservers?

The difference is that yahoo.com and bbc.com are returning an AUTHORITY section, but stackoverflow.com and google.com are not.

$ dig @ns1.yahoo.com +noall +question +authority yahoo.com
;yahoo.com.                     IN      A
yahoo.com.              172800  IN      NS      ns2.yahoo.com.
yahoo.com.              172800  IN      NS      ns6.yahoo.com.
yahoo.com.              172800  IN      NS      ns5.yahoo.com.
yahoo.com.              172800  IN      NS      ns4.yahoo.com.
yahoo.com.              172800  IN      NS      ns3.yahoo.com.
yahoo.com.              172800  IN      NS      ns1.yahoo.com.
$ dig @ns1.google.com +noall +question +authority google.com
;google.com.                    IN      A

You could hide this from your trace with the +noauthority option, but it would also make the output largely useless as you would be hiding the AUTHORITY section from the intermediate nameservers as well. (which, being delegations, is pretty much all there is to be seen unless you've set +additional)

It is up to individual nameserver implementations whether or not they wish to supply an AUTHORITY section in scenarios where they are not strictly required by RFC. BIND is one of the server implementations that does display this information by default, but it also provides a minimal-responses option for disabling the behavior. I strongly recommend this option in customer facing recursion scenarios as it reduces the overhead of amplification attacks against spoofed source IPs. (sadly, BCP 38 is not as widely implemented as it needs to be)

From the BIND ARM:

minimal-responses
If yes, then when generating responses the server will only add records to the authority and additional data sections when they are required (e.g. delegations, negative responses). This may improve the performance of the server. The default is no.

Why does dig +trace seem to ignore the DNS glue records

The official documentation says that dig can use glue records for subsequent queries but may revert to recursive queries if glue records are not provided [1]:

dig may still send queries to the servers listed in /etc/resolv.conf when using +trace When following delegation iteratively as specified with the +trace option, dig will begin by requesting the NS records for the servers authoritative for root ("."). These may or may not be supplied with glue - that is A and AAAA records that can be used for the next queries dig has to send. When there is no glue provided, either on the initial query for the root nameservers, or later on when following delegation, dig will revert to recursively querying the servers listed in /etc/resolv.conf to obtain the needed A/AAAA RRsets.

Specifying @server does not change this behaviour - the server specified in this way will only be queried for the NS records for the servers authoritative for root (".").

It might be wrong documentation or a bug in dig.

[1] https://kb.isc.org/docs/aa-00208