In this post we explore common DNS response codes.
We will cover the following responses:
- NOERROR
- SERVFAIL
- NXDOMAIN
- NODATA
- REFUSED
Throughout article we’ll refer to the following RFCs:
- RFC 1034 - DOMAIN NAMES - CONCEPTS AND FACILITIES
- RFC 2308 - Negative Caching of DNS Queries (DNS NCACHE)
- RFC 2136 - Dynamic Updates in the Domain Name System (DNS UPDATE)
- RFC 8914 - Extended DNS Errors
Response Codes - RCODEs
The DNS RCODES are best defined in RFC2316. They signify what type of response was sent by the server.
“RCODE Response code - this four bit field is undefined in requests and set in responses.”
The table below shows the summary of the currently defined RCODEs.
Mnemonic | Val | Description |
---|---|---|
NOERROR | 0 | No error condition. |
FORMERR | 1 | The name server was unable to interpret the request due to a format error. |
SERVFAIL | 2 | The name server encountered an internal failure while processing this request, for example an operating system error or a forwarding timeout. |
NXDOMAIN | 3 | Some name that ought to exist, does not exist. |
NOTIMP | 4 | The name server does not support the specified Opcode. |
REFUSED | 5 | The name server refuses to perform the specified operation for policy or security reasons. |
YXDOMAIN | 6 | Some name that ought not to exist, does exist. |
YXRRSET | 7 | Some RRset that ought not to exist, does exist. |
NXRRSET | 8 | Some RRset that ought to exist, does not exist. |
NOTAUTH | 9 | The server is not authoritative for the zone named in the Zone Section. |
NOTZONE | 10 | A name used in the Prerequisite or Update Section is not within the zone denoted by the Zone Section. |
Extended DNS Errors
RFC8914 proposes to implement more specific error codes. The existing SERVFAIL and REFUSED error responses are vague and in many cases don’t indicate what is the actual reason for the error.
NOERROR - RCODE 0
No error simply means that the handling DNS server did not encounter any errors and that the requested domain name
exists. This however doesn’t mean that the requested resource record exists as we will see in the section on NODATA
responses.
As we can see in the sample dig output below, the status is NOERROR , the ANSWER is 4 and the
response in fact contains 4 A records.
dig A securesenses.net @8.8.8.8
; <<>> DiG 9.10.6
<<>> A securesenses.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;;
->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46189
;;
flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL:
1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION
SECTION:
;securesenses.net. IN A
;;
ANSWER SECTION:
securesenses.net. 1800 IN
A 216.239.36.21
securesenses.net. 1800
IN A 216.239.38.21
securesenses.net.
1800 IN A
216.239.34.21
securesenses.net. 1800 IN
A 216.239.32.21
Examining the response packet we can see that the
RCODE - in Wireshark called Reply Code - is 0.
SERVFAIL - RCODE 2
This response type indicates some unidentified error on the server side. For example some recursive resolvers
(potentially incorrectly) return SERVFAIL response when handling an iterative query. We can easily simulate it using
dig with the +norecurse flag.
dig
www.securesenses.net @8.8.8.8 +norecurse
; <<>> DiG 9.10.6
<<>> www.securesenses.net @8.8.8.8 +norecurse
;; global options: +cmd
;; Got
answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL,
id: 33028
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
As
seen above the status is SERVFAIL. We can confirm the same in the response packet.
NXDOMAIN - RCODE 3
This response code is very common. It signifies that the requested domain name does not exist in the zone. In the
example dig output below, we can see that the status is NXDOMAIN and the ANSWER is 0.
dig A nonexistent.securesenses.net
@8.8.8.8
; <<>> DiG 9.10.6 <<>> A nonexistent.securesenses.net @8.8.8.8
;;
global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4073
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
;
EDNS: version: 0, flags:; udp: 512
;; QUESTION
SECTION:
;nonexistent.securesenses.net. IN A
;; AUTHORITY
SECTION:
securesenses.net. 300 IN
SOA ns-cloud-e1.googledomains.com. cloud-dns-hostmaster.google.com. 6 21600 3600 259200
300
By examining the received response packet we confirm the reply code is 3 and
the resource record count is 0.
Server returns NODATA response when a DNS client requests a domain name that exists but is of a different type than
the requested one. NODATA is not a real response type. It does not have its own RCODE. The RCODE in NODATA
responses is set to NOERROR. This type of response it best defined in RFC2308. The RFC defines it as
follows:
"NODATA" - a pseudo RCODE which indicates that the name is valid, for the given class, but
are no records of the given type. A NODATA response has to be inferred from the answer.
In
the example below, we use dig to explicitly request A record for nodata-test.securesenses.net record. The
nodata-test.securesenses.net record exists but the record type is AAAA and not A as requested.
dig A
nodata-test.securesenses.net @8.8.8.8
; <<>> DiG 9.10.6 <<>> A
nodata-test.securesenses.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;;
->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32128
;;
flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL:
1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION
SECTION:
;nodata-test.securesenses.net. IN A
;; AUTHORITY
SECTION:
securesenses.net. 300 IN
SOA ns-cloud-e1.googledomains.com. cloud-dns-hostmaster.google.com. 6 21600 3600 259200
300
As seen above the status is NOERROR and ANSWER is 0. Reviewing the response
packet we can confirm the answer doesn’t contain any resource records.
There is nothing in dig or Wireshark to explicitly tell us this is a NODATA response. We infer it based on the status
being 0 and answers being 0 .
Difference between NXDOMAIN and NODATA DNS responses
To summarise these two response types:
- NXDOMAIN means the requested name does not exists
- NODATA means the requested domain exists but is of a different RTYPE
REFUSED - RCODE 5
DNS servers use REFUSED response code to indicate that they are not allowed to perform the requested operation based
on policy. The examples include:
- Query received from a network range that is not allowed
- Query received from a blacklisted IP address
- Query for a blacklisted DNS record
- Recursive query sent to a non-recursive server
We can again simulate it by issuing an iteraritve query to a deifferent recursive resolver.
dig www.securesenses.net @88.156.64.21
+norecurse
; <<>> DiG 9.10.6 <<>> www.securesenses.net @88.156.64.21
+norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY,
status: REFUSED, id: 22875
;; flags: qr; QUERY: 1, ANSWER: 0,
AUTHORITY: 0, ADDITIONAL: 1
As we can see different servers return different responses for the same type of queries. In the above example the
server returned REFUSED - as it should. In the example in the SERVFAIL section, the server returned the failure
response for the same type of condition (iterative query against a recursive resolver).
Comments
Post a Comment