I have this setup where I'm using a droplet to resolve some DNS requests so it acts as a nameserver for a subdomain: check.farm.test.com

The server works ok and receives traffic so, somehow, the NS record seems to be effective. The problem is that I cannot query it in dig or any other tool.

Here's my setup:

```
test.com. NS ns-312.awsdns-43.com.
check.test.com. NS ns.test.com
ns.test.com. A 123.132.231.312
```

My custom DNS server is sitting at 123.132.231.312 and receives traffic when anything.check.test.com is accessed but `dig check.test.com NS` shows nothing. With `+trace` I get `connection timed out; no servers could be reached`. The G-suite toolbox dig tool shows:

```
opcode QUERY
rcode SERVFAIL
flags QR RD RA
;QUESTION
check.dnsleak.dnsadblock.com. IN NS
;ANSWER
;AUTHORITY
;ADDITIONAL
```
The delegation `NS` and glue `A` records look to be ok:

Your custom DNS server (no small undertaking!), however, is not responding to queries properly. Do not expect it to work in any reliable fashion until it responds in a standards compliant manner, and at least serves the minimal data that must exist in any zone (in addition to whatever data you actually want).

Bare minimum zone: `SOA` + `NS` at the zone apex.

Look at this response for example:

Some things are immediately apparent:

- This server does not actually serve responses that are relevant to the questions it receives. Instead, it seems to always respond with an `A` record for the name the client sent!? This misbehavior both leads to very strange situations where the answer is entirely irrelevant, and also causes side-effects like complete failure when looking up things that must exist like `check.dnsleak.dnsadblock.com NS`.
- You have delegated the `check.dnsleak.dnsadblock.com` zone to this server, so it ought to be authoritative. But for whatever reason it doesn't set the `aa` flag as expected.

I would guess that there are many more issues remaining to be found, these are just the glaring issues that I noticed looking at the response to my first queries.

Overall, do consider the amount of work it will take to actually construct a working nameserver, also whether you could instead build your service on top of an already proven implementation.
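Added example, not from the answer's author or the asker's server: a stdlib-only Python check that applies the two observations above to a raw DNS response, i.e. is `aa` set, is the rcode NOERROR, and do the answer RR types actually match the question type. The sample response bytes are constructed to mimic the described misbehaviour (NS question, A answer, `aa` clear); `build_response`, `audit_response` and the 192.0.2.1 address are assumptions made for the demo.

```python
import struct
TYPE_NAME = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA"}

def encode_name(name):  # dotted name -> uncompressed DNS wire format
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end  # resume after the first pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def build_response(flags, qname, qtype, answers):  # constructed test helper, not a real server
    msg = struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in answers:                   # every RR owned by the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return msg

def audit_response(msg):
    """Apply the checks from the answer: aa set, rcode NOERROR, answers relevant to the question."""
    _, flags, _, ancount, _, _ = struct.unpack_from("!6H", msg, 0)
    aa, rcode = bool(flags & 0x0400), flags & 0x000F
    qname, off = read_name(msg, 12)
    qtype, off = struct.unpack_from("!H", msg, off)[0], off + 4   # skip qtype + qclass
    answers = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        answers.append(TYPE_NAME.get(rtype, str(rtype)))
    qt = TYPE_NAME.get(qtype, str(qtype))
    checks = [(aa, "aa flag not set: server does not claim authority for the zone"),
              (rcode == 0, "rcode %d instead of NOERROR" % rcode),
              (not answers or qt in answers or "CNAME" in answers,
               "answer types %s do not match question type %s" % (answers, qt))]
    return {"qname": qname, "qtype": qt, "aa": aa, "answers": answers,
            "problems": [text for ok, text in checks if not ok]}

# Constructed sample of the misbehaviour described above: NS question, A answer, aa clear (0x8180 = QR RD RA).
BAD = build_response(0x8180, "check.dnsleak.dnsadblock.com", 2, [(1, bytes([192, 0, 2, 1]))])
```

To check a live server, pass `audit_response` the raw bytes received back from a UDP query to its port 53.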