https://www.justus.pw/mediawiki/index.php?action=history&feed=atom&title=DNS_things DNS things - Revision history 2026-05-25T02:29:07Z Revision history for this page on the wiki MediaWiki 1.44.3 https://www.justus.pw/mediawiki/index.php?title=DNS_things&diff=82&oldid=prev Justus: Created page with "This article contains interesting things that I’ve come across while learning more about DNS. <!--more--> <span id="anatomy-of-a-dns-request"></span> = Anatomy of a DNS request = Here’s how you can run a '''full DNS request''' for the domain <code>zombo.com</code> using <code>dig</code>: <syntaxhighlight lang="bash">dig +trace +all zombo.com</syntaxhighlight> When you run a full DNS request, <code>dig</code> retrieves the <code>A</code> DNS record for a domain by..." 2026-01-30T04:54:21Z <p>Created page with &quot;This article contains interesting things that I’ve come across while learning more about DNS. &lt;!--more--&gt; &lt;span id=&quot;anatomy-of-a-dns-request&quot;&gt;&lt;/span&gt; = Anatomy of a DNS request = Here’s how you can run a &#039;&#039;&#039;full DNS request&#039;&#039;&#039; for the domain &lt;code&gt;zombo.com&lt;/code&gt; using &lt;code&gt;dig&lt;/code&gt;: &lt;syntaxhighlight lang=&quot;bash&quot;&gt;dig +trace +all zombo.com&lt;/syntaxhighlight&gt; When you run a full DNS request, &lt;code&gt;dig&lt;/code&gt; retrieves the &lt;code&gt;A&lt;/code&gt; DNS record for a domain by...&quot;</p> <p><b>New page</b></p><div>This article contains interesting things that I’ve come across while learning more about DNS.<br /> <br /> &lt;!--more--&gt;<br /> &lt;span id=&quot;anatomy-of-a-dns-request&quot;&gt;&lt;/span&gt;<br /> = Anatomy of a DNS request =<br /> <br /> Here’s how you can run a &#039;&#039;&#039;full DNS request&#039;&#039;&#039; for the domain &lt;code&gt;zombo.com&lt;/code&gt; using &lt;code&gt;dig&lt;/code&gt;:<br /> <br /> &lt;syntaxhighlight lang=&quot;bash&quot;&gt;dig +trace +all zombo.com&lt;/syntaxhighlight&gt;<br /> When you run a full DNS request, &lt;code&gt;dig&lt;/code&gt; retrieves the &lt;code&gt;A&lt;/code&gt; DNS record for a domain by querying the whole chain of the &#039;&#039;&#039;Fully Qualified Domain Name&#039;&#039;&#039; (FQDN) &lt;code&gt;zombo.com.&lt;/code&gt;. When a DNS client queries a FQDN, it starts at the root &lt;code&gt;.&lt;/code&gt;, and recursively work its way down to query &lt;code&gt;.com.&lt;/code&gt;, and then &lt;code&gt;.zombo.com&lt;/code&gt;. The precise sequence of queries that &lt;code&gt;dig&lt;/code&gt; performs depends on each response.<br /> <br /> With a full DNS request, you can query DNS records for domains &#039;&#039;&#039;from scratch&#039;&#039;&#039; without needing any DNS resolver or DNS cache.<br /> <br /> This is the transcript, split by individual query.<br /> <br /> &lt;span id=&quot;startup-information&quot;&gt;&lt;/span&gt;<br /> == Startup information ==<br /> <br /> First, &lt;code&gt;dig&lt;/code&gt; prints some general information, like the command that received, or its version:<br /> <br /> &lt;pre&gt;; &amp;lt;&amp;lt;&amp;gt;&amp;gt; DiG 9.18.28 &amp;lt;&amp;lt;&amp;gt;&amp;gt; +trace +all zombo.com<br /> ;; global options: +cmd&lt;/pre&gt;<br /> &lt;span id=&quot;root-name-server&quot;&gt;&lt;/span&gt;<br /> == Root name server ==<br /> <br /> Next, &lt;code&gt;dig&lt;/code&gt; queries the &#039;&#039;&#039;DNS resolver&#039;&#039;&#039; configured for the network this computer runs in. The DNS resolver has the IP address &lt;code&gt;10.0.48.1&lt;/code&gt; and runs on a Ubiquiti Dream Router.<br /> <br /> &lt;code&gt;dig&lt;/code&gt; asks for the &lt;code&gt;NS&lt;/code&gt; record for the name &lt;code&gt;.&lt;/code&gt;. It receives a long list of &lt;code&gt;NS&lt;/code&gt; records in the answer section. Each of these records starts with a single lowercase letter and ends on &lt;code&gt;.root-servers.net.&lt;/code&gt;. Each of these names represent a &#039;&#039;&#039;root name server&#039;&#039;&#039; that &lt;code&gt;dig&lt;/code&gt; can then ask for &lt;code&gt;zombo.com&lt;/code&gt;.<br /> <br /> Furthermore, the querying the name &lt;code&gt;.&lt;/code&gt; also gives us back a few &lt;code&gt;A&lt;/code&gt; and &lt;code&gt;AAAA&lt;/code&gt; records for each of these root name servers. This tells &lt;code&gt;dig&lt;/code&gt; what the IPv4 and IPv6 addresses of each of these root name servers are.<br /> <br /> &lt;pre&gt;;; Got answer:<br /> ;; -&amp;gt;&amp;gt;HEADER&amp;lt;&amp;lt;- opcode: QUERY, status: NOERROR, id: 38385<br /> ;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27<br /> <br /> ;; OPT PSEUDOSECTION:<br /> ; EDNS: version: 0, flags: do; udp: 1232<br /> ;; QUESTION SECTION:<br /> ;. IN NS<br /> <br /> ;; ANSWER SECTION:<br /> . 190794 IN NS b.root-servers.net.<br /> . 190794 IN NS m.root-servers.net.<br /> . 190794 IN NS h.root-servers.net.<br /> . 190794 IN NS i.root-servers.net.<br /> . 190794 IN NS j.root-servers.net.<br /> . 190794 IN NS d.root-servers.net.<br /> . 190794 IN NS a.root-servers.net.<br /> . 190794 IN NS g.root-servers.net.<br /> . 190794 IN NS f.root-servers.net.<br /> . 190794 IN NS c.root-servers.net.<br /> . 190794 IN NS e.root-servers.net.<br /> . 190794 IN NS k.root-servers.net.<br /> . 190794 IN NS l.root-servers.net.<br /> . 445435 IN RRSIG NS 8 0 518400 20250118170000 20250105160000 26470 . m7C4icJMnOILA5mlMR9oDLoQBWE0Y9sPoqbXSoVUVrTKgWDbZNOrlMig xBubsOExXwQ4XZg3jwmh6FckcIMly1ZMIfZycMxWvyIvOrgxnBAt4Gu1 sMC4bn45v2BIaMHCaSLwW1jUB+MvrCPhBeYQJsfeLkRBi3W2VPwFIV60 BmPt2/i8jCJrkxx8bOaDGuTGFdwm1L62Ri2+QrewsbRGOcWpJHptJI/h Di61Q/C043YHHhc9w037cKYFeP8dupWS8RLcW/jIELTXhW2FrgETv285 3RndOgaFb9RBoTUo16i3lge1KIMZoS2eksoGQEt8kfgfYVrIKTrwQpf6 Z5NvCQ==<br /> <br /> ;; ADDITIONAL SECTION:<br /> a.root-servers.net. 104582 IN A 198.41.0.4<br /> b.root-servers.net. 276147 IN A 170.247.170.2<br /> c.root-servers.net. 368518 IN A 192.33.4.12<br /> d.root-servers.net. 187359 IN A 199.7.91.13<br /> e.root-servers.net. 187359 IN A 192.203.230.10<br /> f.root-servers.net. 199714 IN A 192.5.5.241<br /> g.root-servers.net. 216475 IN A 192.112.36.4<br /> h.root-servers.net. 240623 IN A 198.97.190.53<br /> i.root-servers.net. 532693 IN A 192.36.148.17<br /> j.root-servers.net. 320888 IN A 192.58.128.30<br /> k.root-servers.net. 271911 IN A 193.0.14.129<br /> l.root-servers.net. 357258 IN A 199.7.83.42<br /> m.root-servers.net. 104622 IN A 202.12.27.33<br /> a.root-servers.net. 113505 IN AAAA 2001:503:ba3e::2:30<br /> b.root-servers.net. 294399 IN AAAA 2801:1b8:10::b<br /> c.root-servers.net. 331660 IN AAAA 2001:500:2::c<br /> d.root-servers.net. 32858 IN AAAA 2001:500:2d::d<br /> e.root-servers.net. 307198 IN AAAA 2001:500:a8::e<br /> f.root-servers.net. 408208 IN AAAA 2001:500:2f::f<br /> g.root-servers.net. 353355 IN AAAA 2001:500:12::d0d<br /> h.root-servers.net. 234104 IN AAAA 2001:500:1::53<br /> i.root-servers.net. 390219 IN AAAA 2001:7fe::53<br /> j.root-servers.net. 463450 IN AAAA 2001:503:c27::2:30<br /> k.root-servers.net. 37861 IN AAAA 2001:7fd::1<br /> l.root-servers.net. 225301 IN AAAA 2001:500:9f::42<br /> m.root-servers.net. 118907 IN AAAA 2001:dc3::35<br /> <br /> ;; Query time: 18 msec<br /> ;; SERVER: 10.0.48.1#53(10.0.48.1) (UDP)<br /> ;; WHEN: Tue Jan 07 10:26:18 JST 2025<br /> ;; MSG SIZE rcvd: 1109&lt;/pre&gt;<br /> Some other noteworthy things about the first DNS response:<br /> <br /> * The &#039;&#039;&#039;opcode&#039;&#039;&#039; in the answer is &lt;code&gt;QUERY&lt;/code&gt;. The sender of the DNS query sets this value, in this case &lt;code&gt;dig&lt;/code&gt;. See &lt;code&gt;opcode: QUERY&lt;/code&gt; in line 2.<br /> * The DNS resolver set the &lt;code&gt;QUERY&lt;/code&gt; flag to &lt;code&gt;1&lt;/code&gt;, which means that this an &#039;&#039;&#039;answer&#039;&#039;&#039; to a DNS query. You can see this in the second line in &lt;code&gt;QUERY: 1&lt;/code&gt;. In the DNS protocol Request For Comments (RFC), [https://datatracker.ietf.org/doc/html/rfc1035#section-4.1.1 RFC 1035] the &lt;code&gt;QUERY&lt;/code&gt; field is instead called &lt;code&gt;QR&lt;/code&gt;.<br /> * The resolver tells &lt;code&gt;dig&lt;/code&gt; that it includes 14 &#039;&#039;&#039;answer records&#039;&#039;&#039; in this response. You can see this in the second line in &lt;code&gt;ANSWER: 14&lt;/code&gt;. The DNS protocol specification calls this header value &lt;code&gt;ANCOUNT&lt;/code&gt;.<br /> * The answer contains 27 &#039;&#039;&#039;additional records&#039;&#039;&#039;. The DNS protocol specification calls this value &lt;code&gt;ARCOUNT&lt;/code&gt;. These are values that &lt;code&gt;dig&lt;/code&gt; hasn’t requested directly. Instead, the resolver still wants &lt;code&gt;dig&lt;/code&gt; to know about these.<br /> * If you manually count the records in the &lt;code&gt;ADDITIONAL&lt;/code&gt; section, you may only see 26 records. I don’t know why that’s the case.<br /> * The query response contains no &#039;&#039;&#039;authority records&#039;&#039;&#039;.<br /> <br /> &lt;span id=&quot;finding-the-top-level-domain-name-server&quot;&gt;&lt;/span&gt;<br /> == Finding the top-level domain name server ==<br /> <br /> Proceeding with the next query, &lt;code&gt;dig&lt;/code&gt; asks the root name server &lt;code&gt;j.root-servers.net&lt;/code&gt; for the FQDN &lt;code&gt;zombo.com.&lt;/code&gt;. The root name server returns 13 &lt;code&gt;AUTHORITY&lt;/code&gt; records that &lt;code&gt;dig&lt;/code&gt; can query next to continue resolving &lt;code&gt;zombo.com.&lt;/code&gt;. Furthermore, the &lt;code&gt;AUTHORITY&lt;/code&gt; section contains the DNSSEC records &lt;code&gt;DS&lt;/code&gt; and &lt;code&gt;RRSIG&lt;/code&gt;. A recent version of &lt;code&gt;dig&lt;/code&gt; is able to check DNSSEC signatures using the &lt;code&gt;+dnssec&lt;/code&gt; flag. See [https://serverfault.com/a/154075 this Stack Exchange answer] for more information.<br /> <br /> &lt;code&gt;root-servers.net&lt;/code&gt; doesn’t hold records for &lt;code&gt;.com&lt;/code&gt; domains itself, so it points &lt;code&gt;dig&lt;/code&gt; to ask &lt;code&gt;gtld-servers.net.&lt;/code&gt; next instead. &lt;code&gt;gtld-servers.net&lt;/code&gt; is responsible for &#039;&#039;&#039;resolving .com domains&#039;&#039;&#039;.<br /> <br /> &lt;pre&gt;;; Got answer:<br /> ;; -&amp;gt;&amp;gt;HEADER&amp;lt;&amp;lt;- opcode: QUERY, status: NOERROR, id: 1157<br /> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 27<br /> <br /> ;; OPT PSEUDOSECTION:<br /> ; EDNS: version: 0, flags: do; udp: 1472<br /> ;; QUESTION SECTION:<br /> ;zombo.com. IN A<br /> <br /> ;; AUTHORITY SECTION:<br /> com. 172800 IN NS a.gtld-servers.net.<br /> com. 172800 IN NS b.gtld-servers.net.<br /> com. 172800 IN NS c.gtld-servers.net.<br /> com. 172800 IN NS d.gtld-servers.net.<br /> com. 172800 IN NS e.gtld-servers.net.<br /> com. 172800 IN NS f.gtld-servers.net.<br /> com. 172800 IN NS g.gtld-servers.net.<br /> com. 172800 IN NS h.gtld-servers.net.<br /> com. 172800 IN NS i.gtld-servers.net.<br /> com. 172800 IN NS j.gtld-servers.net.<br /> com. 172800 IN NS k.gtld-servers.net.<br /> com. 172800 IN NS l.gtld-servers.net.<br /> com. 172800 IN NS m.gtld-servers.net.<br /> com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A<br /> com. 86400 IN RRSIG DS 8 1 86400 20250119210000 20250106200000 26470 . DQQ9SqKUcniHKVr6zFNzs6wHLVZ6CdfSFMr3q8tCwh+mLPrKCTRlbnpS TmJy1M8YDEDvrrBO0EFx1rr+cGwcB2RiIfOnLl8c2942n5aOpR+3tZB0 sCP1KFv1+BhiD1RL8dff+rMNJ8+0BWNgsID8/MmI+y8UB/70YERAz/W0 AmOhbN/pHkfgvZfbtrOs6Msz+wcUR17wRCOLazyFnBE19EWnek9SYhj9 Jw440nEZ1Kopi+KqWXG0K+kt1HqZS3J2kkO/TmHyU780F/fOtRP/dWmX 06gSiBe4cCSe3Hs7aHlIe2LwH/ICioNdJj0WjzFJ8IDoC+vmLdRkXh4b NVJHoQ==<br /> <br /> ;; ADDITIONAL SECTION:<br /> a.gtld-servers.net. 172800 IN A 192.5.6.30<br /> b.gtld-servers.net. 172800 IN A 192.33.14.30<br /> c.gtld-servers.net. 172800 IN A 192.26.92.30<br /> d.gtld-servers.net. 172800 IN A 192.31.80.30<br /> e.gtld-servers.net. 172800 IN A 192.12.94.30<br /> f.gtld-servers.net. 172800 IN A 192.35.51.30<br /> g.gtld-servers.net. 172800 IN A 192.42.93.30<br /> h.gtld-servers.net. 172800 IN A 192.54.112.30<br /> i.gtld-servers.net. 172800 IN A 192.43.172.30<br /> j.gtld-servers.net. 172800 IN A 192.48.79.30<br /> k.gtld-servers.net. 172800 IN A 192.52.178.30<br /> l.gtld-servers.net. 172800 IN A 192.41.162.30<br /> m.gtld-servers.net. 172800 IN A 192.55.83.30<br /> a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30<br /> b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30<br /> c.gtld-servers.net. 172800 IN AAAA 2001:503:83eb::30<br /> d.gtld-servers.net. 172800 IN AAAA 2001:500:856e::30<br /> e.gtld-servers.net. 172800 IN AAAA 2001:502:1ca1::30<br /> f.gtld-servers.net. 172800 IN AAAA 2001:503:d414::30<br /> g.gtld-servers.net. 172800 IN AAAA 2001:503:eea3::30<br /> h.gtld-servers.net. 172800 IN AAAA 2001:502:8cc::30<br /> i.gtld-servers.net. 172800 IN AAAA 2001:503:39c1::30<br /> j.gtld-servers.net. 172800 IN AAAA 2001:502:7094::30<br /> k.gtld-servers.net. 172800 IN AAAA 2001:503:d2d::30<br /> l.gtld-servers.net. 172800 IN AAAA 2001:500:d937::30<br /> m.gtld-servers.net. 172800 IN AAAA 2001:501:b1f9::30<br /> <br /> ;; Query time: 11 msec<br /> ;; SERVER: 192.58.128.30#53(j.root-servers.net) (UDP)<br /> ;; WHEN: Tue Jan 07 10:26:18 JST 2025<br /> ;; MSG SIZE rcvd: 1169&lt;/pre&gt;<br /> &lt;span id=&quot;top-level-domain-name-server&quot;&gt;&lt;/span&gt;<br /> == Top-level domain name server ==<br /> <br /> Here’s what happens when &lt;code&gt;dig&lt;/code&gt; asks the &#039;&#039;&#039;Top Level Domain (TLD) name server&#039;&#039;&#039; &lt;code&gt;d.gtld-servers.net&lt;/code&gt; for &lt;code&gt;zombo.com.&lt;/code&gt;. Verisign operates the servers at &lt;code&gt;gtld-servers.net&lt;/code&gt;. Here are some noteworthy things about the reply that &lt;code&gt;d.gtld-servers.net&lt;/code&gt; gives back to &lt;code&gt;dig&lt;/code&gt;:<br /> <br /> * The response contains signed NSEC3 records. [https://dnsinstitute.com/documentation/dnssec-guide/ch06s02.html NSEC3 records are complex], and I don’t understand them well right now.<br /> * Verisign tells &lt;code&gt;dig&lt;/code&gt; that the authoritative name servers are with &lt;code&gt;liquidweb.com&lt;/code&gt;, specifically: &lt;code&gt;ns.liquidweb.com&lt;/code&gt; and &lt;code&gt;ns1.liquidweb.com&lt;/code&gt;.<br /> * &lt;code&gt;dig&lt;/code&gt; also receives the &lt;code&gt;A&lt;/code&gt; records for the two &lt;code&gt;liquidweb.com&lt;/code&gt; name server<br /> <br /> Here’s the DNS query response that &lt;code&gt;dig&lt;/code&gt; prints out:<br /> <br /> &lt;pre&gt;;; Got answer:<br /> ;; -&amp;gt;&amp;gt;HEADER&amp;lt;&amp;lt;- opcode: QUERY, status: NOERROR, id: 29896<br /> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 3<br /> <br /> ;; OPT PSEUDOSECTION:<br /> ; EDNS: version: 0, flags: do; udp: 4096<br /> ;; QUESTION SECTION:<br /> ;zombo.com. IN A<br /> <br /> ;; AUTHORITY SECTION:<br /> zombo.com. 172800 IN NS ns.liquidweb.com.<br /> zombo.com. 172800 IN NS ns1.liquidweb.com.<br /> CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN NSEC3 1 1 0 - CK0Q3UDG8CEKKAE7RUKPGCT1DVSSH8LL NS SOA RRSIG DNSKEY NSEC3PARAM<br /> CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN RRSIG NSEC3 13 2 900 20250111002631 20250103231631 29942 com. HiG6TuJBV47MnPmttWN98zHscsehwlRhgzemiswIdlmKh993eKxhdUbB d4hhuK7piTIFoZ4Gi/THENgJJKuCmg==<br /> E5F0ON130HM3M2JQH41BK2763KA5559S.com. 900 IN NSEC3 1 1 0 - E5F126VHCT3KQ620F4OFQ11HB5BJBFRT NS DS RRSIG<br /> E5F0ON130HM3M2JQH41BK2763KA5559S.com. 900 IN RRSIG NSEC3 13 2 900 20250113013526 20250106002526 29942 com. 0SoW/r4xPtu4bnmOTSLtkwb9ezAyCHkI1XLAQPRWvu0x7xCBVwguEw8j eR+ZHeLU4x5n5q7d/3/1n/uH2x6kig==<br /> <br /> ;; ADDITIONAL SECTION:<br /> ns.liquidweb.com. 172800 IN A 69.16.222.254<br /> ns1.liquidweb.com. 172800 IN A 69.16.223.254<br /> <br /> ;; Query time: 10 msec<br /> ;; SERVER: 192.31.80.30#53(d.gtld-servers.net) (UDP)<br /> ;; WHEN: Tue Jan 07 10:26:18 JST 2025<br /> ;; MSG SIZE rcvd: 472&lt;/pre&gt;<br /> &lt;span id=&quot;registrar-name-server&quot;&gt;&lt;/span&gt;<br /> == Registrar name server ==<br /> <br /> &lt;code&gt;d.gtld-servers.net&lt;/code&gt; told &lt;code&gt;dig&lt;/code&gt; that it should ask &lt;code&gt;ns.liquidweb.com&lt;/code&gt; for &lt;code&gt;zombo.com.&lt;/code&gt;. Here’s the response &lt;code&gt;dig&lt;/code&gt; receives after querying &lt;code&gt;zombo.com&lt;/code&gt;’s &#039;&#039;&#039;authoritative name&#039;&#039;&#039; server. The response contains a single &lt;code&gt;A&lt;/code&gt; record for &lt;code&gt;zombo.com&lt;/code&gt;’s IPv4 address.<br /> <br /> Note that the previous DNS queries had no &lt;code&gt;ANSWER&lt;/code&gt; section, not counting the query for &lt;code&gt;.&lt;/code&gt; in the beginning. Every DNS query response before &lt;code&gt;dig&lt;/code&gt; asks &lt;code&gt;ns.liquidweb.com&lt;/code&gt; contained &lt;code&gt;AUTHORITY&lt;/code&gt; and &lt;code&gt;ADDITIONAL&lt;/code&gt; records.<br /> <br /> &lt;pre&gt;;; Got answer:<br /> ;; -&amp;gt;&amp;gt;HEADER&amp;lt;&amp;lt;- opcode: QUERY, status: NOERROR, id: 37369<br /> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1<br /> <br /> ;; OPT PSEUDOSECTION:<br /> ; EDNS: version: 0, flags: do; udp: 1680<br /> ;; QUESTION SECTION:<br /> ;zombo.com. IN A<br /> <br /> ;; ANSWER SECTION:<br /> zombo.com. 300 IN A 50.28.52.163<br /> <br /> ;; Query time: 9 msec<br /> ;; SERVER: 69.16.222.254#53(ns.liquidweb.com) (UDP)<br /> ;; WHEN: Tue Jan 07 10:26:18 JST 2025<br /> ;; MSG SIZE rcvd: 54&lt;/pre&gt;<br /> This illustrates the recursive nature of DNS name resolution. &lt;code&gt;dig&lt;/code&gt; is able to query any DNS record &#039;&#039;from scratch&#039;&#039;. It can do so without needing to know each individual name server responsible for a single domain. Instead, &lt;code&gt;dig&lt;/code&gt; figures out which name servers it has to ask on the way to reach the final authoritative name server.<br /> <br /> In this example, the authoritative name server is with &lt;code&gt;liquidweb.com&lt;/code&gt;. An authoritative name server for a domain name can change in the future. Being able to perform recursive queries and always retrieving accurate information is important for inter-networking.<br /> <br /> The DNS security extensions (DNSSEC) further increase the reliability of this system. &lt;code&gt;dig&lt;/code&gt; can verify the whole chain of DNS responses. You can see for yourself how &lt;code&gt;dig&lt;/code&gt; utilizes DNSSEC by starting &lt;code&gt;dig&lt;/code&gt; using the &lt;code&gt;+dnssec&lt;/code&gt; flag.<br /> <br /> &lt;span id=&quot;reference&quot;&gt;&lt;/span&gt;<br /> == Reference ==<br /> <br /> This [https://serverfault.com/a/1045018 Stack Exchange answer] has more information on how to query a domain name and receive a complete trace.<br /> <br /> The section [https://en.wikipedia.org/wiki/Domain_Name_System#DNS_message_format DNS message format] in the Wikipedia article on the Domain Name System explains all the header flags in detail.<br /> <br /> &lt;span id=&quot;dns-zone-transfer-protocol&quot;&gt;&lt;/span&gt;<br /> = DNS zone transfer protocol =<br /> <br /> The Internet Engineering Task Force (IETF) published [https://datatracker.ietf.org/doc/html/rfc5936 RFC 5936] in June 2010. This document specifies the DNS zone transfer protocol, also called Authoritative Transfer (AXFR).<br /> <br /> The RFC says that there &#039;&#039;SHOULD&#039;&#039; be means to restrict sessions to specific clients, but doesn’t specify them further. Access controls are only &#039;&#039;RECOMMENDED&#039;&#039;. See [https://datatracker.ietf.org/doc/html/rfc5936#section-5 section 5] of RFC 5936:<br /> <br /> &lt;pre&gt;[...]<br /> A DNS implementation SHOULD provide means to restrict AXFR sessions<br /> to specific clients.<br /> [...]<br /> A general-purpose implementation is RECOMMENDED to implement access<br /> controls based upon &amp;quot;Secret Key Transaction Authentication for DNS<br /> (TSIG)&amp;quot; [RFC2845] and/or &amp;quot;DNS Request and Transaction Signatures<br /> ( SIG(0)s )&amp;quot; [RFC2931].&lt;/pre&gt;<br /> &lt;span id=&quot;a-cve-missing-critical-details&quot;&gt;&lt;/span&gt;<br /> == A CVE missing critical details ==<br /> <br /> Check out [https://nvd.nist.gov/vuln/detail/CVE-1999-0532 CVE-1999-0532]. It lists the following vulnerability:<br /> <br /> &lt;blockquote&gt;A DNS server allows zone transfers.<br /> &lt;/blockquote&gt;<br /> <br /> The CVE doesn’t contain any other description, such as affected software or version. Judging by this [https://access.redhat.com/solutions/3173331 Red Hat Solution], this affects the Berkeley Internet Name Domain (BIND) version 9 server on Red Hat Enterprise Linux (RHEL) 6 and 7. RHEL 6 was first released in 2010, and RHEL 7 is from 2013. The timelines don’t add up, since the CVE is from 1999.<br /> <br /> This CVE reads like a CWE, since it describes an abstract vulnerability. Compare for example [https://cwe.mitre.org/data/definitions/276.html CWE-276: incorrect default permissions].</div> Justus