TL;DR: Where, in the output of nslookup www.somedomain.com -debug, will I find the name/IP of the server(s) which reply to the chain of queries?
Details:
I have a setup (Windows 10 machine)
- which is connected to a corporate LAN (example.corp) and has an outbound OpenVPN connection in place (to example.customer)
- where the DNS requests are delegated to a local (127.0.0.1) server (namely Unbound)

This DNS server is set up to forward DNS queries:
- example.corp to a corporate DNS
- example.customer to a customer DNS behind the VPN
- Internet hosts (google.com, ...) to the customer DNS behind the VPN (there are several reasons for that, instead of using the corporate DNS or providers such as 1.1.1.1)
I now would like to make sure that the right server resolves the right queries. This is easy for the corporate- and customer-related ones (nobody else can resolve them correctly, so if they are resolved it means the right DNS was hit), but I had doubts about the Internet ones (which could ultimately be correctly resolved by either of them).
The solution I used was to monitor the traffic of the VPN and see whether there would be relevant DNS packets going through. There were, so I know that the setup is OK.
This approach is not the best one; I would prefer to use the capabilities of nslookup to find that out. I tried to set debug in the tool and see what would come out for a query of an Internet machine (yahoo.fr).
The resolving first went through yahoo.fr.somesubdomain.example.corp, yahoo.fr.someothersubdomain.example.corp - everything which is in the list of domain suffixes. Obviously none of the queries went through and the next one was tried. An example:
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 99, rcode = NXDOMAIN
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            yahoo.fr.somesubdomain.example.corp, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  (root)
            ttl = 3440 (57 mins 20 secs)
            primary name server = thecorpnsserver.example.corp
            responsible mail addr = root.thecorpnsserver.example.corp
            serial  = 2018113000
            refresh = 1800 (30 mins)
            retry   = 900 (15 mins)
            expire  = 604800 (7 days)
            default TTL = 86400 (1 day)
This is a failed query, but I do not see anywhere the server which responded (this is not thecorpnsserver.example.corp, which is just part of the SOA of example.corp). In other words, the one which provided the SOA (AUTHORITY RECORDS).
I finally get my answer with
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 100, rcode = NOERROR
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 5,  authority records = 0,  additional = 0

        QUESTIONS:
            yahoo.fr, type = A, class = IN
        ANSWERS:
        ->  yahoo.fr
            internet address = 106.10.248.151
            ttl = 17 (17 secs)
        ->  yahoo.fr
            internet address = 98.136.103.24
            ttl = 17 (17 secs)
        ->  yahoo.fr
            internet address = 124.108.115.101
            ttl = 17 (17 secs)
        ->  yahoo.fr
            internet address = 74.6.136.151
            ttl = 17 (17 secs)
        ->  yahoo.fr
            internet address = 212.82.100.151
            ttl = 17 (17 secs)

    ------------
    Non-authoritative answer:
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 101, rcode = NOERROR
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            yahoo.fr, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  yahoo.fr
            ttl = 595 (9 mins 55 secs)
            primary name server = hidden-master.yahoo.com
            responsible mail addr = hostmaster.yahoo-inc.com
            serial  = 2018112700
            refresh = 3600 (1 hour)
            retry   = 900 (15 mins)
            expire  = 604800 (7 days)
            default TTL = 600 (10 mins)

    ------------
    Name:    yahoo.fr
    Addresses:  106.10.248.151
              98.136.103.24
              124.108.115.101
              74.6.136.151
              212.82.100.151
but it still does not say which DNS server processed the request.
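The question above is where the responding server shows up in nslookup -debug output. As an added example (not the original poster's code, and not an answer pulled from anywhere on this page), the script below takes the route a practitioner uses to settle this kind of doubt: it builds the DNS question itself, sends it straight to each candidate resolver over UDP (no stub resolver, no search-suffix chain), and records the socket peer that replied, so the responder is known from the transport rather than inferred from the answer contents. The three resolver addresses in the main block and the two constructed sample replies (one shaped like the NOERROR A answer for yahoo.fr above, one like the NXDOMAIN-with-SOA answer) are assumptions for illustration; only the Python standard library is used.

```python
"""Ask each candidate resolver directly and record who actually answered.

Added example for the question above; not the original poster's code.
Standard library only. The resolver addresses in the main block and the two
constructed sample replies below are placeholders (assumptions).
"""
import socket
import struct
import sys

QTYPE_A, QTYPE_SOA, QTYPE_AAAA = 1, 6, 28
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, terminated by 0."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """One question, recursion desired (RD=1), no EDNS, as nslookup sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(data, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:          # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | data[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", end


def parse_response(data):
    """Return id, rcode, AA flag and the ANSWER / AUTHORITY sections."""
    txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                     # skip the echoed question(s)
        _, off = read_name(data, off)
        off += 4
    answers, authority = [], []
    for section, count in ((answers, an), (authority, ns)):
        for _ in range(count):
            owner, off = read_name(data, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            rdata = data[off:off + rdlen]
            if rtype == QTYPE_A:
                value = socket.inet_ntoa(rdata)
            elif rtype == QTYPE_AAAA:
                value = socket.inet_ntop(socket.AF_INET6, rdata)
            elif rtype == QTYPE_SOA:        # report only the primary NS (MNAME)
                value = "SOA " + read_name(data, off)[0]
            else:
                value = rdata.hex()
            section.append((owner, rtype, ttl, value))
            off += rdlen
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "aa": bool(flags & 0x0400), "answers": answers, "authority": authority}


def ask(server, name, qtype=QTYPE_A, timeout=3.0):
    """Send the query to `server` itself and record the UDP peer that replied:
    that peer address, not anything inside the answer, is the responder."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, peer = s.recvfrom(4096)
    result = parse_response(data)
    result["responder"] = peer[0]
    return result


# Constructed sample replies (not captured traffic), shaped like the two
# nslookup answers in the question: a NOERROR A answer and an NXDOMAIN with SOA.
SAMPLE_NOERROR = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("yahoo.fr") + struct.pack("!HH", QTYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 17, 4) + bytes([106, 10, 248, 151])
)
_SOA = (encode_name("thecorpnsserver.example.corp") + encode_name("root.thecorpnsserver.example.corp")
        + struct.pack("!IIIII", 2018113000, 1800, 900, 604800, 86400))
SAMPLE_NXDOMAIN = (
    struct.pack("!HHHHHH", 99, 0x8183, 1, 0, 1, 0)
    + encode_name("yahoo.fr.somesubdomain.example.corp") + struct.pack("!HH", QTYPE_AAAA, 1)
    + encode_name(".") + struct.pack("!HHIH", QTYPE_SOA, 1, 3440, len(_SOA)) + _SOA
)

if __name__ == "__main__":
    # Placeholder resolvers: local Unbound, then a corporate and a customer DNS.
    qname = sys.argv[1] if len(sys.argv) > 1 else "yahoo.fr"
    for srv in sys.argv[2:] or ["127.0.0.1", "10.0.0.53", "10.8.0.53"]:
        try:
            r = ask(srv, qname)
            print(srv, "->", r["responder"], r["rcode"], [a[3] for a in r["answers"]])
        except OSError as exc:
            print(srv, "-> no reply:", exc)
```

Run as `python dnsask.py yahoo.fr 127.0.0.1 <corp-dns> <customer-dns>`. Note the limit of this check: it tells you what each server answers when asked directly, but a client can never see which upstream the local Unbound forwarded to, because the reply always comes back from 127.0.0.1. For that second question the forwarder's own logs (Unbound's `log-queries: yes` with a raised `verbosity`) or a capture on the VPN interface, as done in the question, remain the evidence.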