Find out which DNS server answered your query

Question

I have a seemingly simple question but couldn't find the answer to precisely that question after some search:
I know that, if I want to look up the IP address of some domain name, I type, for example:

nslookup google.de

and get

Server:     127.0.1.1
Address:    127.0.1.1#53

Non-authoritative answer:
Name:   google.de
Address: 172.217.18.3

However, I don't know where I got this answer from. As far as I know at first my resolver tries to ask my local DNS server (which is on Ubuntu dnsmasq) and if that one doesn't have the answer it asks the next server and so on. But I want to know what exact server in the end had the answer. Is that possible?
I also tried

dig +trace www.google.com

which provides all information about the issued servers but performs a fully iterative lookup. I'd basically like an answer like that but with a normal look-up.

`But I want to know what exact server in the end had the answer` - The authoritatve name servers for the domain being queried are the ones that ultimately "answer" the query. — joeqwerty, Jun 25 '17 at 19:54
But I did not get an authoritative answer. I want to know the server that gave me the non-authoritative answer. — Staki42, Jun 25 '17 at 19:55
The name server that you're configured to use gave you a non-authoritative answer as does every other non-authoritative server in the query "chain". Only the authoritative name servers can give an authoritative answer. — joeqwerty, Jun 25 '17 at 20:05
The one that gave you the answer is the one you asked the question to. Non authoritative means it didn't go back out and check again, it answered from its cache from the last time it asked. — , Jun 25 '17 at 20:05
The problem I have is that I read that my dns server on Ubuntu is dnsmasq and by default it does not cache any entries. So how can it answer my query from its cache when it doesn't cache anything? — Staki42, Jun 25 '17 at 20:07
Just to elaborate, you are looking for the first server in the query chain that returns the result from its cache? — Tero Kilkanen, Jun 26 '17 at 02:40
Yes, exactly. Sorry if I was not able to state precisely that. — Staki42, Jun 26 '17 at 14:58

Phillip Williams · Answer 1 · 2017-06-26T21:38:40.820

9

See this https://stackoverflow.com/questions/38021/how-do-i-find-the-authoritative-name-server-for-a-domain-name

in short, nslookup set the query type to SOA

single line:

 nslookup -querytype=soa google.de
 nslookup -d2 -type=ANY google.de
 nslookup -d2 -type=ANY google.de 8.8.8.8

look for: primary name server

command line> nslookup
> set querytype=soa
> google.de
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
google.de
    primary name server = ns2.google.com 
    responsible mail addr = dns-admin.google.com
    serial  = 160093636
    refresh = 900 (15 mins)
    retry   = 900 (15 mins)
    expire  = 1800 (30 mins)
    default TTL = 60 (1 min)

>

EDIT:

I'm told that the SOA record may not be the best method. That it may not even be set correctly. So, the NS record would have been a better choice:

Where is the nameserver server for the domain...

  nslookup  -type=NS google.de

Or with a lot of debug info to find the nameserver

  nslookup -d2 -type=NS google.de

edited Jun 26 '17 at 21:38

answered Jun 26 '17 at 03:54

Phillip Williams

224
1
5

This is incorrect. The "primary name server" listed here comes from the `MNAME` field of the SOA record, which is not actually *used* anywhere in public facing DNS outside of dynamic DNS. (RFC 2136) It is not uncommon to see it set to bogus values in the wild. – Andrew B Jun 26 '17 at 20:45
Can you then give me a correct answer to my question Andrew? (see comments of my post for further elaboration) – Staki42 Jun 26 '17 at 21:04
@Andrew So in your view a better choice would have been `nslookup -d2 -type=NS google.de` ? – Phillip Williams Jun 26 '17 at 21:07
That's closer, but as it returns the list of *all* authoritative servers it still doesn't fulfill the conditions of the question. (there are also some caveats that I've named in my answer) – Andrew B Jun 26 '17 at 21:29
Do not use `nslookup` for DNS diagnostics. Use `dig`. – Patrick Mevzek Jun 26 '17 at 22:42

Andrew B · Accepted Answer · 2017-06-26T21:28:04.440

I want to know what exact server in the end had the answer. Is that possible?

This is not achievable. You will not find the specific authoritative server that was consulted named anywhere in the payload of a DNS reply. There are CHAOS queries that exist for the purpose of identifying the specific recursive server that replied to you, but no such equivalent for extracting the name of the exact authoritative server that a recursor obtained the data from.

The StackOverflow Q&A that Phillip linked to provides instructions for how to identify the list of NS records that were present in the authority section of a recursive DNS response. This is the full list of servers though, not the specific server. Even were that sufficient for your uses, this information is considered optional by the DNS standards and it is increasingly rare to see it in recursive responses in order to reduce the payload size of internally sourced reflection attacks.

If you know the name of the zone, you can request the full list of NS records via an explicit request for them. This requires knowing that you are at the apex of the zone; a request for example.com NS records will return the desired response but www.example.com will not, unless www was delegated to another set of servers. In this case, you have no choice but to work backwards iteratively until you discover the apex of the zone.

Long story short, there is no reliable short path (i.e. single query) to getting information about all upstream authority from a recursive server, and there is no way to learn the specific authoritative server that responded to a query without also controlling the authoritative server and creating unique data on each server. (if you do this, please create a unique zone for that purpose so that it does not interfere with your more sensitive production zone transfers)

So, as I see it, only getting the end point, the NS record, where the domain is being maintained and DNS being served from, but not getting all the places between you and it. no trick like PING method using an ever longer and longer TTL to discover where it stops at and doing lookups. That works mostly (Iknow there are some hidden proxies that will not report) — Phillip Williams, Jun 26 '17 at 21:32
@Phillip Not quite true, as you can do iterative lookups every step along the way. (see: `dig +trace`) lappen68 already ruled out that approach, and is looking for the specific authoritative server that answered besides. — Andrew B, Jun 26 '17 at 21:51
Alright. But if the answer is non-authoritative does it look any different? — Staki42, Jun 26 '17 at 22:08
`There are CHAOS queries that exist for the purpose of identifying the specific recursive server that replied to you` do you have any resources on how to do this? Some searches involving "CHAOS", "DNS" and "query" has brought up buzzword database-related software. — Ashley, Aug 02 '21 at 13:41
@Ashley Try searching for `id.server` and `hostname.bind`. Keep in mind that the server that you're querying may have hostname reporting disabled even if the feature is supported within the software. `id.server` is preferred when it is supported as the name is software agnostic. — Andrew B, Aug 03 '21 at 01:09

score 2 · Answer 3 · answered Jun 26 '17 at 22:45

2

When you use dig in the default reply you will have the IP of the answering nameserver, which should be the recursive nameserver configured in your system (/etc/resolv.conf typically).

answered Jun 26 '17 at 22:45

Patrick Mevzek

9,273
7
29
42

Find out which DNS server answered your query

3 Answers3