I started recently to learn about DNS, and I got stuck when using dig command in Linux. More exactly, I'd like to see the authoritative name servers (their names or IP addresses) that hold the answers to my DNS queries and I don't know how. As you probably already know, the dig's command output has 5 sections: HEADER, QUERY, ANSWER, AUTHORITY and ADDITIONAL. The last 3 include resource records found in the reply to the DNS request send by dig. The one that interests me is the AUTHORITY section which normally should show resource records of type NS (name server) that provide information about the authoritative name servers from which the answer to the initial query is retrieved. The authoritative servers are of course different from the cache servers that can improve efficiency.
Now, my problem is that every time I call dig the answer doesn't contain any AUTHORITY records. It is possible I don't know the proper options or some other issue which I'm not aware of may occur. What could be the reasons for not getting any authority answer and what should be done in order to get it? I would put an image of the terminal but I don`t have yet 10 reputation, but the question remains.
It all depends on which nameserver you query. If you don't specify any with the
@
flag it uses the local recursive one to give you the final answer. This answer may have been computed by the recursive nameserver querying many different authoritative nameservers before coming to the answer, so there is not "one" authoritative nameserver in this scenario.If you can dig with
+trace
it will behave itself like a recursive nameserver and will show you each step of the resolution, with each authoritative nameserver being queried and its answer.It is more complicated than that. It depends which nameserver you are querying, and what query you do.
Let us use
serverfault.com
as example (and rememberdig
does anA
record type query by default), and compare between recursive nameserver, authoritative on name, authoritative on parent.Asking a recursive nameserver
No data in AUTHORITY section, as expected. A recursive nameserver is not authoritative on the data, so it just gives you the answer you request.
Asking the zone authoritative nameservers
No AUTHORITY either because you just do not need it, it is an optimization. Note that if you query the AWSDNS nameservers, you will get an AUTHORITY section, but it is not useful.
Asking the parent authoritative nameservers
Here you will always (no matter which of the above nameservers you query) get an AUTHORITY section (and no ANSWER section in fact) because these nameservers do not have the answer to your query as they are not authoritative on the name but they do know a delegation exists so they give you back in AUTHORITY the list of nameservers you should query instead.
This is all normal DNS delegation workflow.
PS:
No, don't put an image no matter what. A terminal is lines of text. Copy and paste relevant ones, AS TEXT, in any question. Absolutely do not attach a screenshot, this is bad on all aspects.
I just realized, "dig" uses implicitly the name servers found in /etc/resolv.conf. These are the ones to which "dig" sends by default any DNS query. Thus, if I type for instance "dig google.com" I don't get any authority records in the output, but if I specify a certain name server to query by its IP address, like "dig @byte.byte.byte.byte google.com", it might happen to get an answer that contains a non-zero authority section. So, as far as I can understand till now, the output of "dig" command can vary widely depending on which name server you query and if the database of that server is defined to contain an authoritative record as answer to your query then you get authority records in the reply. Hope I`m not far from truth. If you spot any mistakes or information that might be added please add a comment.