Help Parse Response to "Drill" Command?


  • Could someone help me parse the result of the drill command I used in pfSense's Diagnostics / Command Prompt page?  I'm just curious.  It's nothing vital.  I just can't figure out the flow and I'm trying to see how this Resolver "top-down" thing does its thing.

    EDIT:  Oops.  In case it helps, I'm using DNS Resolver in its default NON-Forwarding mode with DNSSEC and Harden DNSSEC turned on.

    Shell Output - drill -V5 -T www.oshkosh.com
    
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; .	IN	NS
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Sat Apr 29 19:45:06 2017
    ;; MSG SIZE  rcvd: 0
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; 201.79.228.192.in-addr.arpa.	IN	PTR
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Sat Apr 29 19:45:06 2017
    ;; MSG SIZE  rcvd: 0
    .	518400	IN	NS	i.root-servers.net.
    .	518400	IN	NS	b.root-servers.net.
    .	518400	IN	NS	f.root-servers.net.
    .	518400	IN	NS	h.root-servers.net.
    .	518400	IN	NS	l.root-servers.net.
    .	518400	IN	NS	j.root-servers.net.
    .	518400	IN	NS	e.root-servers.net.
    .	518400	IN	NS	a.root-servers.net.
    .	518400	IN	NS	c.root-servers.net.
    .	518400	IN	NS	d.root-servers.net.
    .	518400	IN	NS	k.root-servers.net.
    .	518400	IN	NS	m.root-servers.net.
    .	518400	IN	NS	g.root-servers.net.
    ;; Received 492 bytes from 192.228.79.201#53(b.root-servers.net.) in 29 ms
    
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; www.oshkosh.com.	IN	A
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Sat Apr 29 19:45:07 2017
    ;; MSG SIZE  rcvd: 0
    com.	172800	IN	NS	j.gtld-servers.net.
    com.	172800	IN	NS	b.gtld-servers.net.
    com.	172800	IN	NS	i.gtld-servers.net.
    com.	172800	IN	NS	e.gtld-servers.net.
    com.	172800	IN	NS	g.gtld-servers.net.
    com.	172800	IN	NS	c.gtld-servers.net.
    com.	172800	IN	NS	h.gtld-servers.net.
    com.	172800	IN	NS	f.gtld-servers.net.
    com.	172800	IN	NS	a.gtld-servers.net.
    com.	172800	IN	NS	k.gtld-servers.net.
    com.	172800	IN	NS	d.gtld-servers.net.
    com.	172800	IN	NS	m.gtld-servers.net.
    com.	172800	IN	NS	l.gtld-servers.net.
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; 4.36.112.192.in-addr.arpa.	IN	PTR
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Sat Apr 29 19:45:07 2017
    ;; MSG SIZE  rcvd: 0
    ;; Received 493 bytes from 192.112.36.4#53(G.ROOT-SERVERS.NET.) in 71 ms
    
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; www.oshkosh.com.	IN	A
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Sat Apr 29 19:45:07 2017
    ;; MSG SIZE  rcvd: 0
    oshkosh.com.	172800	IN	NS	dns1.idp365.net.
    oshkosh.com.	172800	IN	NS	dns2.idp365.net.
    oshkosh.com.	172800	IN	NS	dns3.idp365.net.
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; 30.178.52.192.in-addr.arpa.	IN	PTR
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Sat Apr 29 19:45:07 2017
    ;; MSG SIZE  rcvd: 0
    ;; Received 148 bytes from 192.52.178.30#53(k.gtld-servers.net.) in 168 ms
    
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; www.oshkosh.com.	IN	A
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Sat Apr 29 19:45:07 2017
    ;; MSG SIZE  rcvd: 0
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; www.oshkosh.com.	IN	A
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Sat Apr 29 19:45:17 2017
    ;; MSG SIZE  rcvd: 0
    www.oshkosh.com.	5	IN	CNAME	www.oshkosh.com.cdn.cloudflare.net.
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; 80.239.228.207.in-addr.arpa.	IN	PTR
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Sat Apr 29 19:45:18 2017
    ;; MSG SIZE  rcvd: 0
    ;; Received 81 bytes from 207.228.239.80#53(dns3.idp365.net.) in 72 ms
    
  • LAYER 8 Global Moderator

    What exactly are you expecting?

    Yes, www.oshkosh.com points to a CNAME.

    ;; ANSWER SECTION:
    www.oshkosh.com.        5      IN      CNAME  www.oshkosh.com.cdn.cloudflare.net.
    www.oshkosh.com.cdn.cloudflare.net. 300 IN A    104.16.45.4
    www.oshkosh.com.cdn.cloudflare.net. 300 IN A    104.16.44.4

    That it is a 5 second TTL seems nuts ;)  But yeah, that is what it resolves to.  If you didn't do the -V5 you would get an easier to read result.

    [2.4.0-BETA][root@pfsense.local.lan]/root: drill www.oshkosh.com
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 45478
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; www.oshkosh.com.    IN      A

    ;; ANSWER SECTION:
    www.oshkosh.com.        5      IN      CNAME  www.oshkosh.com.cdn.cloudflare.net.
    www.oshkosh.com.cdn.cloudflare.net.    103    IN      A      104.16.45.4
    www.oshkosh.com.cdn.cloudflare.net.    103    IN      A      104.16.44.4

    ;; AUTHORITY SECTION:

    ;; ADDITIONAL SECTION:

    ;; Query time: 104 msec
    ;; SERVER: 127.0.0.1
    ;; WHEN: Sun Apr 30 17:17:08 2017
    ;; MSG SIZE  rcvd: 113
    [2.4.0-BETA][root@pfsense.local.lan]/root:


  • I was just trying to see the flow from the root DNS server to wherever it got the final answer.  Something like:  asked Server A which pointed to Server B which pointed to … and then Server X provided the address.  Pure curiosity in trying to see how it worked.

  • LAYER 8 Global Moderator

    Yup, a dig trace is easier to read..

    dig www.oshkosh.com +trace

    ; <<>> DiG 9.11.1 <<>> www.oshkosh.com +trace
    ;; global options: +cmd
    .                      509374  IN      NS      m.root-servers.net.
    .                      509374  IN      NS      b.root-servers.net.
    .                      509374  IN      NS      c.root-servers.net.
    .                      509374  IN      NS      d.root-servers.net.
    .                      509374  IN      NS      e.root-servers.net.
    .                      509374  IN      NS      f.root-servers.net.
    .                      509374  IN      NS      g.root-servers.net.
    .                      509374  IN      NS      h.root-servers.net.
    .                      509374  IN      NS      a.root-servers.net.
    .                      509374  IN      NS      i.root-servers.net.
    .                      509374  IN      NS      j.root-servers.net.
    .                      509374  IN      NS      k.root-servers.net.
    .                      509374  IN      NS      l.root-servers.net.
    ;; Received 525 bytes from 192.168.3.10#53(192.168.3.10) in 38 ms

    com.                    172800  IN      NS      a.gtld-servers.net.
    com.                    172800  IN      NS      b.gtld-servers.net.
    com.                    172800  IN      NS      c.gtld-servers.net.
    com.                    172800  IN      NS      d.gtld-servers.net.
    com.                    172800  IN      NS      e.gtld-servers.net.
    com.                    172800  IN      NS      f.gtld-servers.net.
    com.                    172800  IN      NS      g.gtld-servers.net.
    com.                    172800  IN      NS      h.gtld-servers.net.
    com.                    172800  IN      NS      i.gtld-servers.net.
    com.                    172800  IN      NS      j.gtld-servers.net.
    com.                    172800  IN      NS      k.gtld-servers.net.
    com.                    172800  IN      NS      l.gtld-servers.net.
    com.                    172800  IN      NS      m.gtld-servers.net.
    ;; Received 867 bytes from 192.203.230.10#53(e.root-servers.net) in 15 ms

    oshkosh.com.            172800  IN      NS      dns1.idp365.net.
    oshkosh.com.            172800  IN      NS      dns2.idp365.net.
    oshkosh.com.            172800  IN      NS      dns3.idp365.net.
    ;; Received 644 bytes from 192.31.80.30#53(d.gtld-servers.net) in 16 ms

    www.oshkosh.com.        5      IN      CNAME  www.oshkosh.com.cdn.cloudflare.net.
    ;; Received 92 bytes from 207.228.239.80#53(dns3.idp365.net) in 83 ms

    I snipped out all the DNSSEC stuff, which makes it harder to read..


  • OK.  That looks more readable.  So, the first clump is querying the root server, the second clump handles the .com suffix, and the final clump actually resolves the address.  Thanks.
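The "asked Server A, which pointed to Server B, ... and Server X gave the address" view the thread is after can be produced mechanically from the trace. The following is an added example, not code from the thread or from pfSense, drill or dig: it parses the `;; Received N bytes from IP#port(name) in N ms` separator lines that both `dig +trace` and `drill -T` print, groups the resource records that precede each one into a hop, labels each hop as a referral (NS records for a zone) or an answer, and checks that every server queried was actually named in the previous hop's referral. The embedded transcript is a constructed, trimmed-down copy in the shape of the dig output above (a few NS records per step), not the full output; the `Hop` class and all function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample (trimmed to a few records per step) in the shape of the
# `dig +trace` transcript from the thread. `drill -T` uses the same
# ";; Received ... from IP#port(name) in N ms" separator lines, so it parses too.
SAMPLE_TRACE = """\
; <<>> DiG 9.11.1 <<>> www.oshkosh.com +trace
;; global options: +cmd
.                      509374  IN      NS      m.root-servers.net.
.                      509374  IN      NS      b.root-servers.net.
.                      509374  IN      NS      e.root-servers.net.
;; Received 525 bytes from 192.168.3.10#53(192.168.3.10) in 38 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
;; Received 867 bytes from 192.203.230.10#53(e.root-servers.net) in 15 ms

oshkosh.com.            172800  IN      NS      dns1.idp365.net.
oshkosh.com.            172800  IN      NS      dns3.idp365.net.
;; Received 644 bytes from 192.31.80.30#53(d.gtld-servers.net) in 16 ms

www.oshkosh.com.        5      IN      CNAME  www.oshkosh.com.cdn.cloudflare.net.
;; Received 92 bytes from 207.228.239.80#53(dns3.idp365.net) in 83 ms
"""

RECEIVED_RE = re.compile(
    r"^;; Received (?P<size>\d+) bytes from (?P<ip>[^#\s]+)#(?P<port>\d+)"
    r"\((?P<name>[^)]*)\) in (?P<ms>\d+) ms"
)
# owner  ttl  IN  type  rdata  (tabs in drill output, spaces in dig output)
RR_RE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+?)\s*$")

# Record types that describe delegation or DNSSEC proof rather than the asked-for data.
NON_ANSWER_TYPES = {"NS", "RRSIG", "DS", "NSEC", "NSEC3"}


def _norm(name: str) -> str:
    """Case-fold and drop the trailing dot so drill's 'G.ROOT-SERVERS.NET.' equals dig's 'g.root-servers.net'."""
    return name.rstrip(".").lower()


@dataclass
class Hop:
    server_ip: str
    server_name: str
    size: int
    ms: int
    records: List[Tuple[str, int, str, str]] = field(default_factory=list)  # (owner, ttl, type, rdata)

    def referral_to(self) -> str:
        """Zone this hop's NS records delegate, or '' if the hop is not a single referral."""
        zones = {owner for owner, _, rtype, _ in self.records if rtype == "NS"}
        return zones.pop() if len(zones) == 1 else ""

    def answers(self) -> List[Tuple[str, int, str, str]]:
        """Records that are neither delegation nor DNSSEC proof: the data the client asked for."""
        return [r for r in self.records if r[2] not in NON_ANSWER_TYPES]


def parse_trace(text: str) -> List[Hop]:
    """Group the RR lines before each ';; Received' separator into one Hop, in query order."""
    hops: List[Hop] = []
    pending: List[Tuple[str, int, str, str]] = []
    for line in text.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            hops.append(Hop(m["ip"], m["name"], int(m["size"]), int(m["ms"]), pending))
            pending = []
            continue
        if not line or line.startswith(";"):
            continue  # comment, header and blank lines carry no records
        r = RR_RE.match(line)
        if r:
            pending.append((r["owner"], int(r["ttl"]), r["type"], r["rdata"]))
    return hops


def describe_chain(hops: List[Hop]) -> List[str]:
    """One line per hop in the 'asked A, which pointed to B' form."""
    out = []
    for hop in hops:
        who = f"{hop.server_name or hop.server_ip} ({hop.server_ip})"
        zone = hop.referral_to()
        if zone and not hop.answers():
            names = sorted(rd for _, _, t, rd in hop.records if t == "NS")
            out.append(f"asked {who}: referred to {len(names)} name server(s) for '{zone}', e.g. {names[0]}")
        else:
            ans = ", ".join(f"{t} {rd} (ttl {ttl})" for _, ttl, t, rd in hop.answers())
            out.append(f"asked {who}: answered {ans}")
    return out


def unexpected_servers(hops: List[Hop]) -> List[str]:
    """Servers queried that the previous hop's referral did not name; a clean trace yields []."""
    bad = []
    for prev, cur in zip(hops, hops[1:]):
        allowed = {_norm(rd) for _, _, t, rd in prev.records if t == "NS"}
        if _norm(cur.server_name) not in allowed:
            bad.append(cur.server_name)
    return bad


if __name__ == "__main__":
    chain = parse_trace(SAMPLE_TRACE)
    for line in describe_chain(chain):
        print(line)
    print("servers outside the prior referral:", unexpected_servers(chain) or "none")
```

Run against a real `dig +trace` or `drill -T` capture by reading the file into `parse_trace`; the first hop is the local resolver handing back its cached root NS set (the 192.168.3.10 line above), and the DNSSEC records the moderator snipped are ignored by `answers()` rather than breaking the parse. The `unexpected_servers` check is a consistency test on the trace itself: every server after the first should be one the previous hop delegated to.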