If I try to query a root server with dig, I never receive an answer.
For example the output for dig @b.root-servers.net www.ubuntu.com is
; <<>> DiG 9.8.1-P1 <<>> @b.root-servers.net www.ubuntu.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
But if I query other servers (the one of my ISP, or 8.8.8.8), they answer correctly.
Why?
P.S. Using Wireshark I can see the outgoing queries to the right IP address of the root-server, but there aren't incoming packets from the same IP.
Best Answer
Sounds like your internet provider must be blocking access to the root name servers. They obviously don't block access to their own resolvers, and they probably exempt a couple of other popular external resolvers like Google Public DNS, but might block all domain-port access otherwise.

Is this common? It depends. I think it's relatively common for such blocks to be present on university and corporate networks, but I would say it's not supposed to be a particularly common occurrence with regular residential providers. (Most providers do block the outgoing smtp port, however.)

Why would anyone block external nameservers? This probably has to do with various man-in-the-middle attacks that are possible if legitimate nameservers are substituted for compromised ones. To avoid any such attacks and to reduce user complaints, most providers usually redirect all domain-port requests to their own servers: when they do so, you can't run your own recursive server anymore or do dig +trace troubleshooting, but at least you wouldn't have to change your DNS settings otherwise.

Anyhow, indeed there is nothing wrong with your command itself: you're supposed to receive a reply as below, which would make it possible for you to make another request on the manual recursive path to the resolution of the given name.
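The "manual recursive path" the answer refers to, as an added example that is not part of the original question or answer: a small Python client that sends an iterative (RD=0) query to a root server, parses the referral it gets back (NS records in the authority section plus glue A records in the additional section), and follows the chain down to an answer, which is what dig +trace automates. A server that never replies is reported as the filtered-port case described in the question. The live run uses 198.41.0.4 (a.root-servers.net); the referral and answer messages used by the stand-alone check are constructed by hand from the RFC 1035 wire format, not captured from real servers, and all function names here are my own.

```python
import socket
import struct

# Added example: a minimal iterative DNS client (RFC 1035 wire format), not dig's code.
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1
DNS_PORT = 53


def encode_name(name):
    """Encode 'www.ubuntu.com.' as length-prefixed labels; the root '.' is just b'\\x00'."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name at `off`; returns (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(name, qtype, txid=0x1234):
    """Standard query with RD=0: we walk the referrals ourselves, as a root server expects."""
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN))


def _rr(name, rtype, rdata, ttl=3600):
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_referral(qname, zone, ns_name, ns_ip, txid=0x1234):
    """Constructed reply of the kind a root/TLD server sends: NS in authority, glue A in additional."""
    hdr = struct.pack("!HHHHHH", txid, 0x8000, 1, 0, 1, 1)  # QR=1, no answer records
    return (hdr + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
            + _rr(zone, TYPE_NS, encode_name(ns_name))
            + _rr(ns_name, TYPE_A, socket.inet_aton(ns_ip)))


def build_answer(qname, ip, txid=0x1234):
    """Constructed authoritative reply: one A record in the answer section."""
    hdr = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)  # QR=1, AA=1
    return (hdr + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
            + _rr(qname, TYPE_A, socket.inet_aton(ip)))


def parse_response(msg):
    """Split a reply into answer/authority/additional lists of (name, type, value)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4  # skip QNAME, then QTYPE and QCLASS
    out = {"id": txid, "flags": flags, "answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata_off = off + 10
            off = rdata_off + rdlen
            if rtype == TYPE_NS:
                value = decode_name(msg, rdata_off)[0]
            elif rtype == TYPE_A and rdlen == 4:
                value = socket.inet_ntoa(msg[rdata_off:off])
            else:
                value = msg[rdata_off:off].hex()
            out[section].append((name, rtype, value))
    return out


def udp_send(server_ip, packet, timeout=3.0):
    """Real transport; returns None on silence, which is what the Wireshark capture shows."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (server_ip, DNS_PORT))
            return s.recv(4096)
        except socket.timeout:
            return None


def resolve_iteratively(name, start_server, send=udp_send, max_hops=10):
    """Follow referrals from `start_server` until an A answer; returns (ips, servers_asked).
    A server that stays silent raises TimeoutError: with a correct query, that is port-53 filtering."""
    server, path = start_server, []
    for _ in range(max_hops):
        reply = send(server, build_query(name, TYPE_A))
        if reply is None:
            raise TimeoutError("no reply from %s: outbound port 53 to it is likely filtered" % server)
        path.append(server)
        resp = parse_response(reply)
        ips = [v for _, t, v in resp["answer"] if t == TYPE_A]
        if ips:
            return ips, path
        glue = {n: v for n, t, v in resp["additional"] if t == TYPE_A}  # NS name -> address
        nxt = [glue[v] for _, t, v in resp["authority"] if t == TYPE_NS and v in glue]
        if not nxt:
            raise RuntimeError("referral without glue for any NS; resolve the NS name first")
        server = nxt[0]
    raise RuntimeError("too many referrals")


if __name__ == "__main__":
    print(resolve_iteratively("www.ubuntu.com", "198.41.0.4"))  # live: start at a.root-servers.net
```

Run on the network in the question, the live call raises TimeoutError at the very first hop while the same function pointed at the ISP resolver or 8.8.8.8 returns an answer directly, which is the asymmetry the Wireshark capture shows: the query leaves, nothing comes back. On an unfiltered network the first reply is a referral for com. with glue, and the path printed ends at an authoritative server for ubuntu.com.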