TranslateProject/sources/tech/20220111 How to find a domain-s authoritative nameservers.md
DarkSun fa2d7dd32e 选题[tech]: 20220111 How to find a domain's authoritative nameservers
sources/tech/20220111 How to find a domain-s authoritative nameservers.md
2022-01-12 05:03:01 +08:00

8.9 KiB
Raw Permalink Blame History

How to find a domain's authoritative nameservers

Heres a very quick “how to” post on how to find your domains authoritative nameserver.

Im writing this because if you made a DNS update and it didnt work, there are 2 options:

  1. Your authoritative nameserver doesnt have the correct record
  2. Your authoritative nameserver does have the correct record, but an old record is cached and you need to wait for the cache to expire

To be able to tell which one is happening (do you need to make a change, or do you just need to wait?), you need to be able to find your domains authoritative nameserver and query it to see what records it has.

But when I looked up “how to find a domains authoritative nameserver” to see what advice was out there, I found a lot of different methods being mentioned, some of which can give you the wrong answer.

So lets walk through a way to find your domains authoritative nameservers thats guaranteed to always give you the correct answer. Ill also explain why some of the other methods arent always accurate.

first, an easy but less accurate way

If you definitely havent updated your authoritative DNS server in the last week or so, a very easy way to find it is to run dig +short ns DOMAIN


    $ dig +short ns jvns.ca
    art.ns.cloudflare.com.
    roxy.ns.cloudflare.com.

In this case, we get the correct answer. Great!

But if you have updated your authoritative DNS server in the last few days (maybe because you just registered the domain!), that can give you an inaccurate answer. So heres the slightly more complicated way thats guaranteed to always give you the correct answer.

step 1: query a root nameserver

Were going to look up the authoritative nameserver for jvns.ca in this example.

No matter what domain were looking up, we need to start with the root nameservers. h.root-servers.net is one of the 13 DNS root nameservers, and dig @h.root-servers.net means “send the query to h.root-servers.net”.


    $ dig @h.root-servers.net jvns.ca
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42165
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;jvns.ca.           IN  A

    ;; AUTHORITY SECTION: <------------ this is the section we're interested in
    ca.         172800  IN  NS  c.ca-servers.ca. <------- we'll use this record
    ca.         172800  IN  NS  j.ca-servers.ca.
    ca.         172800  IN  NS  x.ca-servers.ca.
    ca.         172800  IN  NS  any.ca-servers.ca.

    ;; ADDITIONAL SECTION:
    c.ca-servers.ca.    172800  IN  A   185.159.196.2
    j.ca-servers.ca.    172800  IN  A   198.182.167.1
    x.ca-servers.ca.    172800  IN  A   199.253.250.68
    any.ca-servers.ca.  172800  IN  A   199.4.144.2
    c.ca-servers.ca.    172800  IN  AAAA    2620:10a:8053::2
    j.ca-servers.ca.    172800  IN  AAAA    2001:500:83::1
    x.ca-servers.ca.    172800  IN  AAAA    2620:10a:80ba::68
    any.ca-servers.ca.  172800  IN  AAAA    2001:500:a7::2

    ;; Query time: 96 msec
    ;; SERVER: 198.97.190.53#53(198.97.190.53)
    ;; WHEN: Tue Jan 11 08:30:57 EST 2022
    ;; MSG SIZE  rcvd: 289

The answer were looking for is this line in the “AUTHORITY SECTION”:


    ca.          172800  IN  NS  c.ca-servers.ca.

It doesnt matter which line in this section you pick, you can use any of them. I just picked the first one.

This tells us the server we need to talk to in step 2: c.ca-servers.ca.

step 2: query the .ca nameservers

Now we run dig @c.ca-servers.ca jvns.ca


    $ dig @c.ca-servers.ca jvns.ca
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24920
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;jvns.ca.           IN  A

    ;; AUTHORITY SECTION: <------------ this is the section we're interested in
    jvns.ca.        86400   IN  NS  art.ns.cloudflare.com. <---- we'll use this record
    jvns.ca.        86400   IN  NS  roxy.ns.cloudflare.com.

    ;; Query time: 26 msec
    ;; SERVER: 185.159.196.2#53(185.159.196.2)
    ;; WHEN: Tue Jan 11 08:32:44 EST 2022
    ;; MSG SIZE  rcvd: 90

Same as last time: the answer were looking for is this line in the “AUTHORITY SECTION”:


    jvns.ca.     86400   IN  NS  art.ns.cloudflare.com.

Again, it doesnt matter which line in this section you pick, you can use any of them. I just picked the first one.

success! we know the authoritative nameserver!

The authoritative nameserver for jvns.ca is art.ns.cloudflare.com.. Now you can now query art.ns.cloudflare.com. directly to see what DNS records it has for jvns.ca.


    $ dig @art.ns.cloudflare.com. jvns.ca
    jvns.ca.        292 IN  A   172.64.80.1

Nice, it worked.

this is exactly whats happening behind the scenes when you make a DNS query

The reason I like this method is that it mimics whats happening behind the scenes when you make a DNS query. When Googles DNS resolver 8.8.8.8. looks up jvns.ca, the server it queries to to get jvns.cas authoritative nameserver is c.ca-servers.net (or one of the other options, like j.ca-servers.ca. or x.ca-servers.ca.)

Because this method uses the exact same information source as a real DNS query, youre guaranteed to get a correct answer every time.

Often in practice I skip step 1 because I remember that the answer for .ca domains is c.ca-servers.net, so I can skip straight to step 2.

this is useful to do when youre updating your nameservers

When I update my nameservers with my domain registrar, they dont actually update the authoritative nameserver right away. It takes a while, maybe an hour. So I like to go through these steps to check if my registrar has actually updated my authoritative nameserver yet.

other ways to get a domains authoritative nameserver

Here are a few other ways you can get the authoritative nameserver for a domain and why I didnt recommend them as the main method.

dig +trace jvns.ca

This does the exact same thing so it will always give you the right answer, but the output is a bit confusing to read so Im a bit more hesitant to recommend it.

dig ns jvns.ca

This will usually give you the right answer, but there are 2 reasons it might be wrong:

  1. You might get an old cached record
  2. The NS record you get doesnt come from the same place as it does when we do the method described in this post. In this example, instead of getting a NS record from c.ca-servers.net, dig ns jvns.ca will give you an NS record from art.ns.cloudflare.com. In practice usually these are the exact same thing, but in some weird edge cases they might not be.

dig soa jvns.ca

You can also find nameservers in the SOA record!


    $ dig SOA jvns.ca
    jvns.ca.   3600    IN    SOA    art.ns.cloudflare.com. dns.cloudflare.com. 2267173366 10000 2400 604800 3600
                                    ^^^^^^^^^^^^^^^^^^^^^
                                        here it is

This will usually give the right answer, there are 2 reasons it might be wrong, similarly to the NS record:

  1. This response comes from your authoritative nameserver. So if youre in the middle of updating your nameserver, you might get the wrong answer because your DNS resolver sent the request to the old nameserver.
  2. Your authoritative nameserver could be returning a SOA record which doesnt have the correct nameserver for some reason

whois jvns.ca

This will usually give you the right answer, but it might be an old cached version.

Heres what this looks like on my machine for this example: (it gives us the right answer)


    $ whois jvns.ca | grep 'Name Server'
    Name Server: art.ns.cloudflare.com
    Name Server: roxy.ns.cloudflare.com

thats all!

I hope this helps some of you debug your DNS issues!


via: https://jvns.ca/blog/2022/01/11/how-to-find-a-domain-s-authoritative-nameserver/

作者:Julia Evans 选题:lujun9972 译者:译者ID 校对:校对者ID

本文由 LCTT 原创编译,Linux中国 荣誉推出