Skip to main content

DNS response and error types

In this post we explore common DNS response codes.

We will cover the following responses:

  • NOERROR
  • SERVFAIL
  • NXDOMAIN
  • NODATA
  • REFUSED

Throughout article we’ll refer to the following RFCs:

Response Codes - RCODEs

The DNS RCODES are best defined in RFC2316.  They signify what type of response was sent by the server.

“RCODE   Response code - this four bit field is undefined in requests and set in responses.”  

The table below shows the summary of the currently defined RCODEs.

Mnemonic Val Description
NOERROR 0 No error condition.
FORMERR 1 The name server was unable to interpret the request due to a format error.
SERVFAIL 2 The name server encountered an internal failure while processing this request, for example an operating system error or a forwarding timeout.
NXDOMAIN 3 Some name that ought to exist, does not exist.
NOTIMP 4 The name server does not support the specified Opcode.
REFUSED 5 The name server refuses to perform the specified operation for policy or security reasons.
YXDOMAIN 6 Some name that ought not to exist, does exist.
YXRRSET 7 Some RRset that ought not to exist, does exist.
NXRRSET 8 Some RRset that ought to exist, does not exist.
NOTAUTH 9 The server is not authoritative for the zone named in the Zone Section.
NOTZONE 10 A name used in the Prerequisite or Update Section is not within the zone denoted by the Zone Section.


Extended DNS Errors

RFC8914 proposes to implement more specific error codes. The existing SERVFAIL and REFUSED error responses are vague and in many cases don’t indicate what is the actual reason for the error.

NOERROR - RCODE 0

No error simply means that the handling DNS server did not encounter any errors and that the requested domain name exists. This however doesn’t mean that the requested resource record exists as we will see in the section on NODATA responses.

As we can see in the sample dig output below, the status is NOERROR , the ANSWER is 4 and the response in fact contains 4 A records.

dig A securesenses.net @8.8.8.8
; <<>> DiG 9.10.6 <<>> A securesenses.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46189
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;securesenses.net.        IN    A
;; ANSWER SECTION:
securesenses.net.    1800    IN    A    216.239.36.21
securesenses.net.    1800    IN    A    216.239.38.21
securesenses.net.    1800    IN    A    216.239.34.21
securesenses.net.    1800    IN    A    216.239.32.21


Examining the response packet we can see that the RCODE - in Wireshark called Reply Code - is 0.

DNS Error types noerror

SERVFAIL - RCODE 2

This response type indicates some unidentified error on the server side. For example some recursive resolvers (potentially incorrectly) return SERVFAIL response when handling an iterative query. We can easily simulate it using dig with the +norecurse flag.

dig www.securesenses.net @8.8.8.8  +norecurse     
; <<>> DiG 9.10.6 <<>> www.securesenses.net @8.8.8.8 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33028
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1


As seen above the status is SERVFAIL. We can confirm the same in the response packet.

DNS Error types Servfail

NXDOMAIN - RCODE 3

This response code is very common. It signifies that the requested domain name does not exist in the zone. In the example dig output below, we can see that the status is NXDOMAIN and the ANSWER is 0.

dig A nonexistent.securesenses.net @8.8.8.8
; <<>> DiG 9.10.6 <<>> A nonexistent.securesenses.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4073
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;nonexistent.securesenses.net.    IN    A
;; AUTHORITY SECTION:
securesenses.net.    300    IN    SOA    ns-cloud-e1.googledomains.com. cloud-dns-hostmaster.google.com. 6 21600 3600 259200 300


By examining the received response packet we confirm the reply code is 3 and the resource record count is 0.

DNS Error types nxdomain

NODATA

Server returns NODATA response when a DNS client requests a domain name that exists but is of a different type than the requested one.  NODATA is not a real response type. It does not have its own RCODE. The RCODE in NODATA responses is set to NOERROR. This type of response it best defined in RFC2308. The RFC defines it as follows:

"NODATA" - a pseudo RCODE which indicates that the name is valid, for the given class, but are no records of the given type.  A NODATA response has to be inferred from the answer.

In the example below, we use dig to explicitly request A record for nodata-test.securesenses.net record. The nodata-test.securesenses.net record exists but the record type is AAAA and not A as requested.  

dig A nodata-test.securesenses.net @8.8.8.8
; <<>> DiG 9.10.6 <<>> A nodata-test.securesenses.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32128
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;nodata-test.securesenses.net.    IN    A
;; AUTHORITY SECTION:
securesenses.net.    300    IN    SOA    ns-cloud-e1.googledomains.com. cloud-dns-hostmaster.google.com. 6 21600 3600 259200 300


As seen above the status is NOERROR and ANSWER is 0. Reviewing the response packet we can confirm the answer doesn’t contain any resource records.

DNS Error types nodata

There is nothing in dig or Wireshark to explicitly tell us this is a NODATA response. We infer it based on the status being 0 and answers being 0 .

Difference between NXDOMAIN and NODATA DNS responses

To summarise these two response types:

  • NXDOMAIN means the requested name does not exists
  • NODATA means the requested domain exists but is of a different RTYPE

REFUSED - RCODE 5

DNS servers use REFUSED response code to indicate that they are not allowed to perform the requested operation based on policy. The examples include:

  • Query received from a network range that is not allowed
  • Query received from a blacklisted IP address
  • Query for a blacklisted DNS record
  • Recursive query sent to a non-recursive server

We can again simulate it by issuing an iteraritve query to a deifferent recursive resolver.

dig www.securesenses.net @88.156.64.21  +norecurse
; <<>> DiG 9.10.6 <<>> www.securesenses.net @88.156.64.21 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 22875
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 

DNS Error types refused

As we can see different servers return different responses for the same type of queries. In the above example the server returned REFUSED - as it should. In the example in the SERVFAIL section, the server returned the failure response for the same type of condition (iterative query against a recursive resolver).

Comments

Popular posts from this blog

x.509 Certificates - Critical vs non-critical extensions

Extensions are used to associate additional information with the user or the key.  Each certificate extension has three attributes - extnID, critical, extnValue extnID - Extension ID - an OID that specifies the format and definitions of the extension critical - Critical flag - Boolean value extnValue - Extension value  Criticality flag specifies whether the information in an extension is important. If an application doesn't recognize the extension marked as critical, the certificate cannot be accepted. If an extension is not marked as critical (critical value False) it can be ignored by an application. In Windows, critical extensions are marked with a yellow exclamation mark,  View certificate extensions using OpenSSL: # openssl x509 -inform pem -in cert.pem -text -noout (output abbreviated)         X509v3 extensions:             X509v3 Key Usage: critical                 Digital Signature, Key Encipherment             X509v3 Subject Key Identifier

Cisco ASA Certificate Revocation Checking

ASA supports status verification using CRLs and OCSP. CRL can be retrieved using HTTP, LDAP or SCEP. Revocation checking using CRL: Over HTTP: ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint2 ciscoasa(config-ca-trustpoint)# revocation-check crl ciscoasa(config-ca-crl)# protocol http By default ASA will use address listed in CDP extension of the certificate that is being validated.  To override default behaviour we need to add the following in the CRL configuration context. ciscoasa(config-ca-crl)# policy static ciscoasa(config-ca-crl)# url 1 http://cdpurl.kp.local/crl.crl Over LDAP: Certificate I'm using for this lab, doesn't have LDAP address in its CDP extension. Therefore I'm using "policy static"  to specify LDAP URL where CRL can be retrieved.  ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint2 ciscoasa(config-ca-trustpoint)# revocation-check crl ciscoasa(config-ca-trustpoint)# crl configure ciscoasa

Count number of lines - 'findstr'

How do I count number of lines in a command output? findstr /r/n "^" | find /c ":" Above commands will display number of lines output by whatever command (well, nearly whatever) you specify in the front.  For example:  C:\>ping localhost | findstr /r/n "^" | find /c ":" FINDSTR: // ignored 12 This comes handy if you want to find out how many OUs you have in Active Directory: dsquery ou  -limit 0 | findstr /r/n "^" | find /c ":" How many user accounts there are: dsquery user -limit 0 | findstr /r/n "^" | find /c ":" Computers: dsquery computer -limit | findstr /r/n "^" | find /c ":"