Why do the DNS records authoritative name servers frequently give different results than cached name servers if "ANY" records are requested?
The authoritative name servers seem to consistently provide more records than the cache--for example returning MX or TXT records when the caching name server will only return these records if they are explicitly requested.
For example, on my home (OS X) system, the difference between the following two commands
$ dig -t ANY +noall +nottl +answer microsoft.com
$ dig -t ANY +noall +nottl +answer microsoft.com @ns1.msft.net
is that the first only returns the NS records; the second adds in MX, SOA and TXT. However on a separate Linux system, with a completely different DNS setup, the only records "missing" are MX and SOA.
You're hiding the answer from yourself with the
digoptions that remove information from the output, specifically TTL in this case.If we look at the full answer section:
We can see that not all records have the same TTL, which in turn means they will be evicted from the cache of the caching resolver server at different times.
This in combination with how the
ANYquery type was defined means that it's quite possible (and valid) to get only what is currently left in the cache as the response.As a result of this behavior, QTYPE
*akaANYisn't to be relied on for an accurate listing of all records if there are caching servers involved. It's mostly useful in troubleshooting (and, I would only consider it useful even then if you have a good understanding of whatANYmeans).