The dig
program now needs some additional options for useful DNS server testing
I've been using the venerable dig
program for a long time as my
primary tool to diagnose odd name server behavior. Recently,
I've discovered that I need to start using some additional options
in order for it to make useful tests, where by 'useful tests' I
mean that dig
's results correspond to results I would get through
a real DNS server such as Unbound.
(Generally my first test with DNS issues is just to query my local Unbound server, but if I want to figure out why that failed I need some tool that will let me find out specific details about what didn't work.)
For some time now I've known that some nameservers reject your
queries if you ask for recursive lookups, so I
try to use +norecurs
. In exploring an issue today, I discovered
that some nameservers also don't respond if you ask for some EDNS options,
which it turns out that dig
apparently now sets by default.
Specifically they don't respond to DNS queries that include an EDNS
COOKIE option, although they will respond to queries that are merely
EDNS ones without the COOKIE option or any other options.
(Some experimentation with dig
suggests that including any EDNS
option causes these DNS servers to not respond. I tried both
+nocookie +nsid
and +nocookie +expire
, and neither got a
response.)
This means that for testing I now want to use 'dig +norecurs
+nocookie
', at least. It's possible that I want to go all the way
to 'dig +norecurs +noedns
', although that may be sufficiently
different from what modern DNS servers send that I'll get failures
when a real DNS server would succeed. I expect that I'm going to
want to wrap all of this in a script, because otherwise I'll never
remember to set all of the switches all of the time and I'll sometimes
get mysterious failures.
(Some experimentation suggests that my Unbound setup sends EDNS0
queries with the 'DNSSEC Okay' bit set and no EDNS options, which
would be 'dig +norecurs +nocookie +dnssec
' if I'm understanding
the dig
manpage correctly. These options appear to produce DNS
queries that the balky DNS server will respond to. With three
options, I definitely want to wrap this in a script.)
What this suggests to me in general is that dig
is not going to be
the best tool for this sort of thing in the future. The Dig people
clearly feel free to change its default behavior, and in ways that don't
necessarily match what DNS servers do; future versions may include more
such changes, causing more silent failures or behavior differences until
I notice and carefully read the manpage to find what to turn off in this
new version.
(A casual search turns up drill
,
which is another thing from NLNet Labs,
the authors of Unbound and NSD. Like dig
, it defaults to 'recursion
allowed' queries, but that's probably going to be a common behavior.
Drill does have an interesting -T
option to do a full trace from
the root nameservers on down, bypassing whatever your local DNS
resolver may have cached. Unfortunately it doesn't have an option
to report the IP address of the DNS server it gets each set of
answers from; you have to go all the way to dumping the full queries
with -V 5
.)
Comments on this page:
|
|