- Recursive query
- Iterative query
In a recursive query, the DNS resolver will respond with the final result, the best answer it has, or an error message. How it responds depends on what kind of DNS server it is. A recursive resolver will respond with the final IP address (or set of IPs). A non-recursive DNS server (Root or GTLD) will respond with the best answer it has.
In an iterative query, the DNS resolver is required to provide the best answer it has. Assuming the queried record is not in the server’s cache, the DNS client will receive a referral to the next DNS server in the resolution path.
Recursive query
DNS resolvers that are used by the DNS clients are referred to as “recursive resolvers”. Their purpose is to handle the queries, return the final resolution result and cache the response.
When a DNS client queries a recursive DNS resolver, it receives the IP address (or an error). A recursive query is the default for dig, so we don't need any flags to simulate it.
dig www.securesenses.net @8.8.8.8
; <<>> DiG 9.10.6 <<>> www.securesenses.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63739
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.securesenses.net. IN A
;; ANSWER SECTION:
www.securesenses.net. 1800 IN CNAME ghs.google.com.
ghs.google.com. 300 IN A 142.250.75.19
The response shows that the DNS resolver is recursive: the "Recursion available" bit is set, which dig prints as the ra flag. The response contains the intermediary CNAME and the final A record.
Iterative query
We can use dig with the +norecurse flag to issue an iterative query. An iterative query will have the "Recursion desired" bit disabled, as shown below:
Most public DNS resolvers will reject iterative queries. In the examples below we query two different DNS resolvers and receive two different error messages. The first resolver returns a "Refused" error, and the second one responds with a "Server failure" error. For a detailed explanation of the error responses, see DNS response and error types.
; <<>> DiG 9.10.6 <<>> www.securesenses.net @88.156.64.21 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 22875
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; <<>> DiG 9.10.6 <<>> www.securesenses.net @8.8.8.8 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33028
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
Root server (l.root-servers.net.)
; <<>> DiG 9.10.6 <<>> www.securesenses.net @199.7.83.42 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26582
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.securesenses.net. IN A
;; AUTHORITY SECTION:
net. 172800 IN NS a.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
net. 172800 IN NS c.gtld-servers.net.
net. 172800 IN NS d.gtld-servers.net.
net. 172800 IN NS e.gtld-servers.net.
net. 172800 IN NS f.gtld-servers.net.
net. 172800 IN NS g.gtld-servers.net.
net. 172800 IN NS h.gtld-servers.net.
net. 172800 IN NS i.gtld-servers.net.
net. 172800 IN NS j.gtld-servers.net.
net. 172800 IN NS k.gtld-servers.net.
net. 172800 IN NS l.gtld-servers.net.
net. 172800 IN NS m.gtld-servers.net.
GTLD server (l.gtld-servers.net.)
; <<>> DiG 9.10.6 <<>> www.securesenses.net @192.41.162.30 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4978
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.securesenses.net. IN A
;; AUTHORITY SECTION:
securesenses.net. 172800 IN NS ns-cloud-e1.googledomains.com.
securesenses.net. 172800 IN NS ns-cloud-e2.googledomains.com.
securesenses.net. 172800 IN NS ns-cloud-e3.googledomains.com.
securesenses.net. 172800 IN NS ns-cloud-e4.googledomains.com.
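The header fields that dig prints in the outputs above can be decoded directly from the 12-byte DNS header. The following is an added example, not part of the original post: it builds a query with the "Recursion desired" bit set or cleared and classifies responses from their header alone. The function names and the sample headers (rebuilt from the dig header lines quoted on this page, not captured packets) are assumptions made for illustration.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # bits in the 16-bit flags word

def build_query(name, qid, recurse=True):
    """Encode an A/IN query. recurse=False clears RD, as dig +norecurse does."""
    header = struct.pack("!HHHHHH", qid, RD if recurse else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(msg):
    """Decode the fixed 12-byte DNS header into the fields dig prints."""
    if len(msg) < 12:
        raise ValueError("DNS header is 12 bytes")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "answer": an, "authority": ns, "additional": ar}

def classify(h):
    """Header-only heuristic; telling a referral from an empty (NODATA)
    reply with certainty needs the authority records themselves."""
    if h["rcode"] != "NOERROR":
        return "error:" + h["rcode"]
    if h["answer"] > 0:
        return "answer"
    if h["authority"] > 0 and not h["aa"]:
        return "referral"
    return "empty"

def header(qid, flags, an, ns, ar):
    """Constructed sample: header bytes rebuilt from a dig header line."""
    return struct.pack("!HHHHHH", qid, flags, 1, an, ns, ar)

# Constructed from the dig outputs quoted on this page (not captured packets).
SAMPLES = {
    "8.8.8.8 recursive":       header(63739, QR | RD | RA, 2, 0, 1),
    "88.156.64.21 +norecurse": header(22875, QR | 5, 0, 0, 1),
    "8.8.8.8 +norecurse":      header(33028, QR | RA | 2, 0, 0, 1),
    "root +norecurse":         header(26582, QR, 0, 13, 27),
    "gtld +norecurse":         header(4978, QR, 0, 4, 1),
}

def classify_samples():
    return {who: classify(parse_header(raw)) for who, raw in SAMPLES.items()}

if __name__ == "__main__":
    for who, verdict in classify_samples().items():
        print(f"{who:26} {verdict}")
```

Run over resolver logs or packet captures, the same header check separates servers that answer recursively from those that only refer or refuse.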
Recursive query against a non-recursive server
See the full resolution path using dig +trace
;; global options: +cmd
. 23937 IN NS m.root-servers.net.
. 23937 IN NS b.root-servers.net.
net. 172800 IN NS e.gtld-servers.net.
securesenses.net. 172800 IN NS ns-cloud-e2.googledomains.com.
securesenses.net. 172800 IN NS ns-cloud-e3.googledomains.com.
securesenses.net. 172800 IN NS ns-cloud-e4.googledomains.com.