18

I am just curious if you could use dig to check if a certain nameserver responds to recursive queries.

Thanks!

Mikko

3 Answers

22

Use dig and check the status of the RD and RA bits in the response.

By default `dig` will send a recursive query (RD set in the query header) unless you set the `+norecurse` command line flag.

If the server supports recursive queries the response will have the "recursion available" RA bit set in the response headers.

The RA bit is the diagnostic test for recursive query support.

Alnitak
14

See if you can query it for a DNS entry for which it is not authoritative, e.g., try: `host www.cnn.com ns.example.com`, where `ns.example.com` is the name server you're testing. If it doesn't respond to recursive queries, you will get a REFUSED.

```
$ host www.cnn.com. ns1.example.com
Using domain server:
Name: ns1.example.com
Address: 192.168.183.130#53
Aliases:

Host www.cnn.com not found: 5(REFUSED)
```

whereas a DNS server that does recursive queries:

```
$ host www.cnn.com. 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

www.cnn.com has address 157.166.255.18
www.cnn.com has address 157.166.255.19
www.cnn.com has address 157.166.226.25
www.cnn.com has address 157.166.226.26
```
cjc
  • Thanks a lot @cjc. I also figured out another method but using dig. Try to look up a domain on a nameserver that is non-authoritative for the domain. If it doesn't return anything, then it's not responding to recursive queries. – Mikko Mar 20 '12 at 23:28
  • @Mikko, yes, both `dig` and `host` (and the now deprecated `nslookup`) are DNS query tools. All of them are sufficient for determining whether a DNS server is allowing recursive queries from your IP address. – cjc Mar 21 '12 at 00:42
  • this is wrong - `REFUSED` is also the response code you get if you ask an authoritative name server for information about a domain for which it doesn't have a zone file. – Alnitak Nov 07 '13 at 20:41
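
Added example, not part of any answer or comment on this page: a bash helper that applies the RA-bit test from the first answer to the header lines `dig` prints, and reports the status code separately because, as the comment above points out, `REFUSED` alone does not settle the question. The function names and the sample header lines are constructed for illustration; `check_server` assumes `dig` is installed and is defined but not called here.

```shell
#!/usr/bin/env bash
# Decide recursion support from the RA flag in dig output, not from the status code.

# Reads dig output on stdin, prints "<verdict> status=<RCODE>".
classify_dig() {
    awk '
        # ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1"
        /^;; ->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        # ";; flags: qr rd ra; QUERY: 1, ANSWER: 4, ..."
        /^;; flags:/ {
            seen = 1
            flags = $0
            sub(/^;; flags:/, "", flags)   # drop the label
            sub(/;.*/, "", flags)          # drop the section counters
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ra") ra = 1
        }
        END {
            if (!seen)   verdict = "no-response"
            else if (ra) verdict = "recursion-available"
            else         verdict = "recursion-not-available"
            print verdict " status=" (status == "" ? "NONE" : status)
        }'
}

# Live check (needs network): check_server <server> [name outside its zones]
check_server() {
    dig +noall +comments +time=3 +tries=1 "@$1" "${2:-example.com}" A | classify_dig
}

# Constructed header lines in dig format, not captured from real servers.
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1001
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available'
SAMPLE_AUTH_ONLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available'
SAMPLE_RESOLVER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

for s in "$SAMPLE_REFUSED" "$SAMPLE_AUTH_ONLY" "$SAMPLE_RESOLVER" "$SAMPLE_TIMEOUT"; do
    printf '%s\n' "$s" | classify_dig
done
```

The second sample is the case a status-only check misses: an authoritative-only server answering for its own zone returns `NOERROR` while still leaving RA clear.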
4

Another option, use an online checker such as:

http://www.intodns.com/

Joao Costa