Troubleshooting nameservers(DNS) using dig

In order to find out where the domain resolving fails here are some tricks using the command dig to trace the recursion step by step till the DNS that fails to deliver the IP of the requested [sub]domain.
Reference site:
https://nsrc.org/workshops/2005/pre-SANOG-VI/bc/dns/dns2-02-dig-debug.html

Tracing a well resolving domain:

So first we start by asking one of the 13 ROOT DNS who is the authority of this requested zone: www.google.de

Command:
dig +norec @a.root-servers.net. www.google.de a

Response extract:
............... ............... ;; QUESTION SECTION: ;google.de. IN A ;; AUTHORITY SECTION: de. 172800 IN NS a.nic.de. de. 172800 IN NS f.nic.de. de. 172800 IN NS l.de.net. de. 172800 IN NS n.de.net. de. 172800 IN NS s.de.net. de. 172800 IN NS z.nic.de.

We get a list of DNS servers that are Authoritative on the ‘.de’ zone
Now we ask one of them (lets take the first one)which DNS is authoritative for ‘www.google.de’ domain.

Command:
dig +norec @a.nic.de. www.google.de a

Response extract:
...................... ...................... ;; QUESTION SECTION: ;google.de. IN A ;; AUTHORITY SECTION: google.de. 86400 IN NS ns3.google.com. google.de. 86400 IN NS ns4.google.com. google.de. 86400 IN NS ns2.google.com. google.de. 86400 IN NS ns1.google.com.

Now we ask one of them (lets take the first one)what is the IP of www.google.de domain.

dig +norec @ns3.google.com. www.google.de a

Response extract:
...................... ...................... ;; QUESTION SECTION: ;www.google.de. IN A ;; ANSWER SECTION: www.google.de. 300 IN A 173.194.35.184 www.google.de. 300 IN A 173.194.35.183 www.google.de. 300 IN A 173.194.35.191

Note that this domain has 3 IPs which will be used to do some load balancing.

Now Tracing a badly resolving domain:

Command:
dig +norec @a.root-servers.net. www.googlet.de a

Response extract:
............... ............... ;; QUESTION SECTION: ;www.googlet.de. IN A ;; AUTHORITY SECTION: de. 172800 IN NS a.nic.de. de. 172800 IN NS f.nic.de. de. 172800 IN NS l.de.net. de. 172800 IN NS n.de.net. de. 172800 IN NS s.de.net. de. 172800 IN NS z.nic.de.

We get a list of DNS servers that are Authoritative on the ‘.de’ zone
Now we ask one of them (lets take the first one)which DNS is authoritative for ‘www.googlet.de’ domain.

Command:
dig +norec @a.nic.de. www.googlet.de a

Response extract:
............... ............... ;; QUESTION SECTION: ;www.googlet.de. IN A ;; AUTHORITY SECTION: de. 7200 IN SOA f.nic.de. its.denic.de. 2012092061 7200 7200 3600000 7200

This is a typical response of a DNS that is NOT Authoritative for a domain. In a normal resolving request this is (in an normal automatic recursive search) where it would fail and not deliver an IP.

For example using the host command:

Command:
host www.googlet.de
Response:
Host www.googlet.de not found: 3(NXDOMAIN)

IT Tips and Tricks

Tracing a well resolving domain:

Now Tracing a badly resolving domain:

Like this:

Tracing a well resolving domain:

Now Tracing a badly resolving domain:

Share this:

Like this: