Interrogating DNS Records

30th November 2015

DNS records, as many of you will already know, are commonly used to translate a human-readable address into an IP address. This means that instead of visiting a website by typing in its IP address you can just type in the easy-to-remember DNS address. I won't talk too much about how DNS records work here, but if you want to know more then you can read the awesome and easy to understand how DNS works comic.

In this post I will be looking at different tools that can be used to find out more about a DNS record, and what kinds of results they return. I won't be looking at the tools in great detail, but enough to get you started when looking up DNS records.

whois

For a while now I have mostly relied on using the whois tool to find out more about a DNS address, so I thought I would talk about it first. This has mostly worked and produced valid results, but when I actually sat down and found the right tools for the job I found that whois really isn't suited for that sort of task. The whois command has its place in the DNS tool suite, but it is really suited for finding out more information about the organisation behind the address and not about the DNS record itself. The tool is usually installed on most platforms as a default (even Windows), but you might have to install it separately on some Linux systems ('sudo apt-get install whois' should be enough for Debian builds). There are also a great number of online whois tools available so finding one to run isn't difficult.

The process of running a whois query is pretty simple but there are one or two things to watch out for. On the command line you can type this to get information about a domain name.

whois domain.tld

This will return loads of output about the owner of the address, but usually not much else. This largely depends on the organisation running the top level domain (TLD), which in the case of .co.uk domains is Nominet. You might notice that although we now know the IP addresses of the DNS name servers we still aren't clear where the website is hosted. Where whois starts to fail is when you are looking for information about the DNS record itself and not the registrant. Here is an example of running whois against the domain bbc.co.uk.

    $ whois bbc.co.uk

    Domain name:
    bbc.co.uk

    Registrant:
    British Broadcasting Corporation

    Registrant type:
    UK Corporation by Royal Charter

    Registrant's address:
    British Broadcasting Corporation
    Broadcasting House
    Portland Place
    London
    W1A 1AA
    United Kingdom

    Data validation:
    Nominet was able to match the registrant's name and address against a 3rd party data source on 12-Jun-2014

    Registrar:
    British Broadcasting Corporation [Tag = BBC]
    URL: http://www.bbc.co.uk

    Relevant dates:
    Registered on: before Aug-1996
    Expiry date: 13-Dec-2016
    Last updated: 12-Nov-2015

    Registration status:
    Registered until expiry date.

    Name servers:
    ns3.bbc.co.uk 156.154.66.17 2610:a1:1015::17
    ns3.bbc.net.uk
    ns4.bbc.co.uk 156.154.67.17 2001:502:4612::17
    ns4.bbc.net.uk

    WHOIS lookup made at 21:14:50 16-Nov-2015

    --
    This WHOIS information is provided for free by Nominet UK the central registry
    for .uk domain names. This information and the .uk WHOIS are:

    Copyright Nominet UK 1996 - 2015.

    You may not access the .uk WHOIS or use any data from it except as permitted
    by the terms of use available in full at http://www.nominet.uk/whoisterms,
    which includes restrictions on: (A) use of the data for advertising, or its
    repackaging, recompilation, redistribution or reuse (B) obscuring, removing
    or hiding any or all of this notice and (C) exceeding query rate or volume
    limits. The data is provided on an 'as-is' basis and may lag behind the
    register. Access may be withdrawn or restricted at any time.

When starting out with DNS lookups using whois you will probably have entered the whole address (i.e. including the www at the start) and encountered an error. This is because the address is not converted into just the domain name and as a result the domain "www.bbc" is queried against the Nominet .co.uk database. If you've used whois in the past then you've probably seen an error message like this at least once.

    $ whois www.bbc.co.uk

    Error for "www.bbc.co.uk".

    This domain cannot be registered because it contravenes the Nominet UK
    naming rules. The reason is:
    the domain name contains too many parts.

    WHOIS lookup made at 21:15:16 16-Nov-2015

    --
    This WHOIS information is provided for free by Nominet UK the central registry
    for .uk domain names. This information and the .uk WHOIS are:

    Copyright Nominet UK 1996 - 2015.

    You may not access the .uk WHOIS or use any data from it except as permitted
    by the terms of use available in full at http://www.nominet.uk/whoisterms,
    which includes restrictions on: (A) use of the data for advertising, or its
    repackaging, recompilation, redistribution or reuse (B) obscuring, removing
    or hiding any or all of this notice and (C) exceeding query rate or volume
    limits. The data is provided on an 'as-is' basis and may lag behind the
    register. Access may be withdrawn or restricted at any time.

For that reason it is important to enter the correct domain name address, without any subdomain string present.

host

As the name suggests, host is a simple utility for performing DNS lookups and is normally used to convert domain names into IP addresses, and vice versa. By default, the host command will return a top line breakdown of the DNS records found for a particular address, which normally translates as the web host. When I first started looking for other tools beside the usual whois query I quickly found out about host and haven't looked back. The tool is perhaps the simplest of the DNS lookup tools in that by default it just prints out the addresses for the DNS entry and little else. The tool is available on most Linux platforms (including OSX), but it is simple enough to install if it isn't there. host is used in the following way.

host domain.tld

Here is an example of using host to find out more about the DNS address www.bbc.co.uk.

    $ host www.bbc.co.uk
    www.bbc.co.uk is an alias for www.bbc.net.uk.
    www.bbc.net.uk has address 212.58.244.71
    www.bbc.net.uk has address 212.58.244.70

You can also get host to return the entire result of the DNS query by using the -a flag.

    $ host -a www.bbc.co.uk
    Trying "www.bbc.co.uk"
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39383
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.bbc.co.uk. IN ANY

    ;; ANSWER SECTION:
    www.bbc.co.uk. 211 IN CNAME www.bbc.net.uk.

    Received 57 bytes from 192.168.1.254#53 in 34 ms

The above response shows the query that was sent to the DNS server, followed by the answer to the query (under the ANSWER SECTION text). This shows that the address www.bbc.co.uk is actually a CNAME for the address www.bbc.net.uk and that by doing another DNS lookup we can find the root IP address. The basic host command also probes this address to find the root IP address of the host. The number (211 in this case) after the address is the time to live (or TTL) of the address.

As I mentioned above, you can also use host to find out more about an IP address by simply replacing the DNS address with an IP address. Here we convert one of the above web servers into a DNS address.

    $ host 212.58.244.71
    71.244.58.212.in-addr.arpa domain name pointer bbc-vip116.telhc.bbc.co.uk.

dig

dig (or domain information groper) is another utility that can be used to interrogate DNS name servers. This is more of a network administration tool that can be used to directly query DNS servers and doesn't really have much in the way of niceties. The default dig command works in much the same way as the host command with the -a flag. The tool is part of the dnsutils package on Debian builds and part of the bind-utils package on Redhat platforms. dig can be used in the following way.

dig domain.tld

Here is a normal dig query run against the address www.bbc.co.uk.

    $ dig www.bbc.co.uk

    ; <<>> DiG 9.8.3-P1 <<>> www.bbc.co.uk
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64114
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.bbc.co.uk. IN A

    ;; ANSWER SECTION:
    www.bbc.co.uk. 44 IN CNAME www.bbc.net.uk.
    www.bbc.net.uk. 56 IN A 212.58.244.70
    www.bbc.net.uk. 56 IN A 212.58.244.71

    ;; Query time: 110 msec
    ;; SERVER: 192.168.1.254#53(192.168.1.254)
    ;; WHEN: Sun Nov 22 18:56:03 2015
    ;; MSG SIZE rcvd: 89

The output of the dig command can look initially complex, but it is really just a picture of the query to the DNS server, the answer received, and some additional query statistics. As can be seen above the tool also follows any CNAME records to their ultimate IP addresses, which means we don't need to further investigate the DNS records to find that information. This tool is therefore a good alternative to host but produces complex output as a default.

nslookup

nslookup is a program that can be used to query Internet domain name servers. The good thing about this tool is that it is commonly available on almost all operating systems and as such it is commonly used by Windows administrators. The tool is part of the dnsutils package on Debian builds and part of the bind-utils package on Redhat platforms. nslookup can be used in the following way.

nslookup domain.tld

Here is an example of running nslookup on the DNS address www.bbc.co.uk.

    $ nslookup www.bbc.co.uk
    Server: 192.168.1.254
    Address: 192.168.1.254#53

    Non-authoritative answer:
    www.bbc.co.uk canonical name = www.bbc.net.uk.
    Name: www.bbc.net.uk
    Address: 212.58.244.26
    Name: www.bbc.net.uk
    Address: 212.58.244.27

The first thing in this response is the address of my wireless router (192.168.1.254), which is where the request is routed through (hence the name). The rest of the output here describes the fact that the www.bbc.co.uk address is a CNAME, which points to the two www.bbc.net.uk hosts. Be careful when running nslookup that you also include some arguments, as otherwise it will drop you into an interactive mode. This isn't a bad thing in general, but for people not used to the tool it can be a bit of a surprise.

From all of these tools we can see that the BBC run some form of load balanced solution for their website, which makes sense as I'm sure it deals with lots of traffic.

Global DNS Propagation

All of these tools are good for inspecting DNS records from a single place, but DNS addresses have a habit of being cached all over the world. This effectively means that when you update a DNS record it might be up to a day before everyone in the world sees that change. This is called global propagation. There are ways around this, like lowering the Time To Live (TTL) value for the DNS entry so that it is cached for less time, which allows the DNS records to be updated more quickly.

One way to test for this global propagation is to run your DNS queries from different parts of the world. For most of us this isn't feasible, but sites like whatsmydns allow you to view the DNS records from multiple name servers around the world. The whatsmydns site has enabled me to check the global DNS propagation on a DNS change and manage client expectations.
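A rough command-line version of the same check, as an added example rather than anything from the original post: ask several resolvers for the record with dig and flag the ones that do not yet return the value you expect. The names RESOLVERS, DIG, answers_from and check_propagation are hypothetical, and the default resolver list is an assumption (Google, Cloudflare and Quad9 public DNS); substitute resolvers you are permitted to query.

```sh
# Resolvers to compare (assumed defaults) and the dig binary to use.
# DIG is overridable so the logic can be exercised without network access.
RESOLVERS="${RESOLVERS:-8.8.8.8 1.1.1.1 9.9.9.9}"
DIG="${DIG:-dig}"

# answers_from RESOLVER NAME TYPE: record data as a sorted, comma-joined list,
# so that round-robin ordering does not look like a difference.
answers_from() {
  "$DIG" +short "@$1" "$2" "$3" 2>/dev/null | sort | paste -sd, -
}

# check_propagation NAME TYPE EXPECTED
# EXPECTED is the sorted, comma-joined value the record should now have.
# Prints one line per resolver; the return status is the number of resolvers
# that still serve something else (0 means the change is visible everywhere).
check_propagation() {
  name=$1 type=$2 expected=$3 stale=0
  for r in $RESOLVERS; do
    got=$(answers_from "$r" "$name" "$type")
    if [ "$got" = "$expected" ]; then
      echo "OK    $r $got"
    else
      echo "STALE $r ${got:-<no answer>}"
      stale=$((stale + 1))
    fi
  done
  return "$stale"
}
```

A resolver reported as STALE is normally just serving a cached copy until the old TTL runs out, which is why lowering the TTL ahead of a planned change shortens the wait.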

Finding Other Sub-Domains

We know that the BBC have a www sub-domain as we have been testing this above, but how do we go about finding all sub-domains for a DNS entry? The short answer here is that you can't, unless you are authorised to do so. If you own a DNS server then you can craft DNS queries that will return all sub-domains, but without this authorisation it isn't possible.

There is an alternative though. By asking Wolfram Alpha about domains we can find out if any other sub-domains exist. These subdomains are public domain, but that's all we are looking for really. To search for subdomains on Wolfram Alpha, do the following.

  • Visit Wolfram Alpha and run a search for the domain in question. In our example we search for www.bbc.co.uk.
  • Under the title of Web statistics for all of bbc.co.uk: click on the link Subdomains
  • You will now be presented with a list of subdomains for the bbc.co.uk domain. This includes news.bbc.co.uk and play.bbc.co.uk

DNS Monitoring

For some reason I have seen an increase in DNS issues that have caused downtime to sites that I manage. This might be something simple like a misconfigured DNS entry, but I have also seen DNS services be completely unavailable. Either way, the fact that the DNS record is so important to the site being available means that spotting problems quickly is crucial. The tools I've talked about above are important when troubleshooting and investigating DNS records but you'll want to employ some form of monitoring tool as well as these. The pingdom tool will not only monitor your web hosts, but will also monitor your DNS records. This way, you can easily spot problems and move in the right direction to correct them. With pingdom in place it is easy to see where the problem lies straight away and start fixing it, rather than getting a message that the site is down and then having to investigate the problem first before deciding on an action.
