
Is there a way I can trace a DNS request to see where the answer is coming from?

Our network has internal DNS servers that provide internal IP address resolution, and we use EasyDNS to host our public-facing DNS.

The situation is that EasyDNS is set up correctly for a certain address with its external IP, but when I do a dig from within our network, I get the (correct) internal IP - but the domain does not appear to be set up on any of our internal DNS servers. Our primary DNS server (Active Directory) lists the domain as cached, but doesn't say from where.

How can I trace where dig is getting its results from?

Brent
    Are you using NAT routing? Some NAT routers will inspect DNS packets and translate known external IPs that it handles and convert them to the internal IP addresses in the response before forwarding the packet along the network. – Justin Scott May 01 '09 at 21:14
  • Thank you - I think this is EXACTLY what was happening. Unfortunately I can't ACCEPT a comment as the answer (write it again as an answer and I'll accept it) – Brent May 01 '09 at 21:42

2 Answers


If using dig:

dig +trace ....

otherwise, run Wireshark to capture the packets.

Alnitak
  • As soon as I add +trace, dig resolves the EXTERNAL ip address instead of the internal - remove +trace and I get INTERNAL ip address again! – Brent May 01 '09 at 16:44
  • that's, umm, odd... is that dig running on Windows or UNIX? – Alnitak May 01 '09 at 16:48
  • linux - tried from a couple linux machines. – Brent May 01 '09 at 16:52
  • ok, that's really odd, then. adding +trace to the query only enables local debugging, it doesn't change the query sent to the server. – Alnitak May 01 '09 at 17:09
  • @Alnitak +trace tells dig to resolve the query from first principles. From the man page: "When tracing is enabled, dig makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup." – Dave Cheney May 05 '09 at 16:48
  • Yes, you're right (doh!). I should have checked - I thought it just enabled libresolv's debugging output. – Alnitak May 05 '09 at 16:52
  • The DNS packet coming through the NAT router isn't any different when you run with or without +trace. This would then contradict Justin Scott's answer. Brent do you want to do a packet trace on your caching DNS while you use a client to do a dig with and without +trace? – nearora Jun 05 '12 at 06:09

I'm quoting Justin Scott's answer, because I'm pretty sure he was right:

Are you using NAT routing? Some NAT routers will inspect DNS packets and translate known external IPs that it handles and convert them to the internal IP addresses in the response before forwarding the packet along the network.

Brent
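The two answers above boil down to one check: ask the configured resolver and ask the authoritative server directly (which is what dig +trace does), then compare the replies. The script below is an added example, not code from either answer or from dig itself; it builds and parses raw DNS packets so the comparison can be done without dig, and reads the two provenance hints a reply carries (the AA flag, which says the answer came from an authoritative server rather than a cache, and the TTL, which counts down on cached copies). The sample replies, the name www.example.com and the addresses 192.168.10.5 and 203.0.113.10 are constructed test data; the query() function is for live use against a real server and is not exercised by the samples.

```python
"""Compare the A records one name resolves to via two DNS sources and show
the provenance hints (AA flag, TTL) each reply carries.  The packets at the
bottom are constructed test data, not captures from the thread's network."""
import socket
import struct

AA_FLAG = 0x0400   # Authoritative Answer bit in the DNS header flags
RA_FLAG = 0x0080   # Recursion Available bit


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, name, rd=True):
    """Standard A/IN query in wire format; RD set asks the server to recurse."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, ip, ttl, aa):
    """Constructed reply with a single A record (test data only)."""
    flags = 0x8180 | (AA_FLAG if aa else 0)          # QR + RD + RA (+ AA)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # 0xc00c is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | pkt[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(pkt):
    """Return header flags of interest and the A records in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                               # skip the question section
        _, off = read_name(pkt, off)
        off += 4                                      # qtype + qclass
    records = []
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1:                # A record, class IN
            records.append((name, socket.inet_ntoa(rdata), ttl))
    return {"id": txid, "aa": bool(flags & AA_FLAG),
            "ra": bool(flags & RA_FLAG), "a_records": records}


def compare(local_pkt, authoritative_pkt):
    """Diagnose the local reply against what the authoritative server said."""
    local, auth = parse_response(local_pkt), parse_response(authoritative_pkt)
    local_ips = {ip for _, ip, _ in local["a_records"]}
    auth_ips = {ip for _, ip, _ in auth["a_records"]}
    return {"local_ips": sorted(local_ips),
            "authoritative_ips": sorted(auth_ips),
            "local_answer_authoritative": local["aa"],
            # differing addresses mean a cache, a split-horizon zone or a
            # device in the path (e.g. a NAT router) produced the local answer
            "rewritten_in_path": local_ips != auth_ips}


def query(server, name, timeout=3.0):
    """Live helper: send the query over UDP to `server` and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(0x1234, name), (server, 53))
        return s.recv(4096)


# Constructed samples: a non-authoritative local reply with a private address
# and a short TTL, and an authoritative reply with the public address.
LOCAL_REPLY = build_response(0x1234, "www.example.com", "192.168.10.5", 300, aa=False)
AUTH_REPLY = build_response(0x1234, "www.example.com", "203.0.113.10", 3600, aa=True)

if __name__ == "__main__":
    print(compare(LOCAL_REPLY, AUTH_REPLY))
```

For a live check, call query("<local resolver IP>", "host.example.com") and query("<authoritative server IP>", "host.example.com") and hand both replies to compare(). If the local reply lacks the AA bit and its TTL keeps shrinking on repeated queries, it is a cached copy; if the addresses differ from the authoritative reply even when the local resolver is bypassed, the rewrite is happening on the wire, which is the NAT-router case described in the accepted answer.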