@tebba-von-mathenstein
Last active January 18, 2021 19:29
Answer key for the explore DNS part 1 exercise

Explore DNS With Dig

In this exercise you'll learn about DNS by using dig to make DNS queries. These are the primary objectives of this exercise:

  • Expose the different responsibilities of different members of the DNS hierarchy.
  • Explore how different DNS servers respond differently to different DNS queries.
  • Familiarize yourself with the different kinds of DNS record types, and distinguish between them.

dig is a command line tool that comes installed on most Unix and Linux systems, or can be installed with your favorite package manager. If not, you can use this web interface -- but the user experience is much worse, so I strongly suggest you use the command line instead.

IP Addresses and Name Servers

There are many different kinds of DNS records. The two most important types of record are:

  • A and AAAA -- A and quad A records map domain names to IP addresses. A records are for IPv4 addresses and AAAA records are for IPv6 addresses.
  • NS -- NS records map domain names to other domain names. Specifically, they map a domain name to the name of its authoritative DNS server.

Let's use dig to explore the differences between these record types. Try the following in your terminal:

dig A google.com

My response looks like this, yours ought to look similar:

; <<>> DiG 9.10.6 <<>> A google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39086
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		68	IN	A	172.217.2.238

;; Query time: 13 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Jun 22 15:05:03 PDT 2018
;; MSG SIZE  rcvd: 55

What IP address did your DNS resolver tell you to use for google.com?

For me, the IP address was 172.217.2.238. You should have an IP address in the answer section as well, but it might not match mine. Google has many IP addresses, but there are two ways to confirm your answer. One way is to type whois 172.217.2.238 into your terminal and confirm that Google is the owner of that IP address in the whois database. The second way is to copy the IP address into your browser's URL bar -- this second option will not work for all websites, but it does for Google.

You may have a different IP address than I received. Is this expected behavior for DNS? Why or why not?

Yes, it is. Google is a global organization with many different servers world wide. DNS supports having a single domain name map to multiple IP addresses for this reason (and others).

If you did get a different IP address, how different is it? Can you spot any similarities to my result?

IP addresses are assigned to organizations in large contiguous blocks. It's likely (especially if you are in a location geographically close to my own) that your IP address partially overlaps with mine -- for example, does your IP address start with 172?

What happens if you paste the IP address you received into your web browser's URL bar?

Google's servers respond to HTTP messages, so you should be routed to the Google homepage. Not all web servers behave this way, but Google's do.

This line (found near the bottom of the output from dig) is probably different for you:

;; SERVER: 1.1.1.1#53(1.1.1.1).

1.1.1.1 is the IP address of the DNS resolver I am using -- a service provided by CloudFlare.

Use the whois terminal command to determine who is operating your DNS resolver. For example, whois 1.1.1.1 will tell you that 1.1.1.1 is an "APNIC and Cloudflare DNS Resolver project".

For most people, the IP address of your default DNS resolver will be associated with your Internet Service Provider (ISP). There are a lot of DNS resolvers to choose from. Each is provided by different organizations and offers different levels of service.

Now try this:

dig AAAA google.com

What is the difference between the answer to this query, and the last query?

Because we made an AAAA request, the response contains IPv6 addresses instead of the IPv4 addresses returned for an A request. IPv6 addresses are 4 times longer (128 bits instead of 32 bits), hence the 4 A's.

Now try this:

dig NS google.com

My results look like this, and yours should look similar:

; <<>> DiG 9.10.6 <<>> ns google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59422
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;google.com.			IN	NS

;; ANSWER SECTION:
google.com.		6259	IN	NS	ns1.google.com.
google.com.		6259	IN	NS	ns2.google.com.
google.com.		6259	IN	NS	ns3.google.com.
google.com.		6259	IN	NS	ns4.google.com.

;; Query time: 15 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Jun 22 15:15:27 PDT 2018
;; MSG SIZE  rcvd: 111

Four servers are identified by name: ns1.google.com, ns2.google.com, ns3.google.com and ns4.google.com.

What are these servers?

These are Google's authoritative name servers.

How can you use dig to determine an IP address for each of these servers?

The following command will work: dig A ns1.google.com. The domain name of the name server is still just a domain name, so we can query it as we would with any other domain name.

Use whois to determine who owns those IP addresses.

Doing so reveals that Google owns these servers. This will not be true of all DNS name servers; in particular many small companies use services like GoDaddy or Namecheap for their authoritative DNS servers.
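To make the structure of dig's output explicit, here is an added example (not part of the original exercise) that parses the two dig responses shown above into records and pulls out the pieces the questions ask about: the status, the SERVER line, and the answer section, where each line is name, TTL, class, record type and record data. It also includes a small helper for the "does your IP start with 172?" question that counts how many leading bits two IPv4 addresses share. The sample outputs are copied from the runs above; the second address used in the prefix comparison is a constructed value, and all function and class names are this example's own.

```python
"""Parse dig output into structured DNS records (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# Output of `dig A google.com`, copied from the exercise above.
DIG_A_OUTPUT = """\
; <<>> DiG 9.10.6 <<>> A google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39086
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;google.com.\t\t\tIN\tA

;; ANSWER SECTION:
google.com.\t\t68\tIN\tA\t172.217.2.238

;; Query time: 13 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Jun 22 15:05:03 PDT 2018
;; MSG SIZE  rcvd: 55
"""

# Output of `dig NS google.com`, copied from the exercise above.
DIG_NS_OUTPUT = """\
; <<>> DiG 9.10.6 <<>> ns google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59422
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;google.com.\t\t\tIN\tNS

;; ANSWER SECTION:
google.com.\t\t6259\tIN\tNS\tns1.google.com.
google.com.\t\t6259\tIN\tNS\tns2.google.com.
google.com.\t\t6259\tIN\tNS\tns3.google.com.
google.com.\t\t6259\tIN\tNS\tns4.google.com.

;; Query time: 15 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Jun 22 15:15:27 PDT 2018
;; MSG SIZE  rcvd: 111
"""


@dataclass(frozen=True)
class Record:
    """One line of the ANSWER SECTION: name, TTL (seconds), class, type, data."""
    name: str
    ttl: int
    rclass: str
    rtype: str
    rdata: str


@dataclass
class DigResult:
    status: str            # rcode from the HEADER line, e.g. NOERROR
    server: str            # the resolver that answered (SERVER line)
    answer_count: int      # ANSWER: N from the flags line
    answers: list          # parsed Record objects


def parse_dig(output: str) -> DigResult:
    """Walk dig's text output line by line and collect the answer section."""
    status, server, answer_count, answers = "", "", 0, []
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            status = m.group(1) if m else ""
        elif line.startswith(";; flags:"):
            m = re.search(r"ANSWER: (\d+)", line)
            answer_count = int(m.group(1)) if m else 0
        elif line.startswith(";; SERVER:"):
            server = line.split(":", 1)[1].strip()
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";") or not line.strip():
            in_answer = False  # any other comment or blank line ends the section
        elif in_answer:
            name, ttl, rclass, rtype, *rdata = line.split()
            answers.append(Record(name, int(ttl), rclass, rtype, " ".join(rdata)))
    return DigResult(status, server, answer_count, answers)


def records_of_type(answers, rtype):
    """Record data for every answer of the given type (A, AAAA, NS, ...)."""
    return [r.rdata for r in answers if r.rtype == rtype]


def shared_prefix_bits(addr_a: str, addr_b: str) -> int:
    """Leading bits two IPv4 addresses have in common (32 means identical)."""
    a = int(ipaddress.IPv4Address(addr_a))
    b = int(ipaddress.IPv4Address(addr_b))
    return 32 - (a ^ b).bit_length()


if __name__ == "__main__":
    for label, text in (("A", DIG_A_OUTPUT), ("NS", DIG_NS_OUTPUT)):
        res = parse_dig(text)
        print(f"{label}: status={res.status} server={res.server} "
              f"answers={len(res.answers)}/{res.answer_count}")
        for rec in res.answers:
            print(f"  {rec.name} {rec.rtype} ttl={rec.ttl} -> {rec.rdata}")
    # 172.217.14.46 is a constructed address for the comparison.
    print("shared bits:", shared_prefix_bits("172.217.2.238", "172.217.14.46"))
```

Checking that the number of parsed answers matches the ANSWER count in the flags line is a cheap sanity test when you script around dig; a mismatch usually means the section detection broke on an unexpected line.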

In this exercise, we have been relying exclusively on your "default DNS resolver" to answer questions for us. In the next exercise we will use dig to explore the DNS hierarchy by sending DNS queries directly to root, TLD, and authoritative servers.
