Help Parse Response to "Drill" Command?
-
Could someone help me parse the result of the drill command I used in pfSense's Diagnostics / Command Prompt page? I'm just curious. It's nothing vital. I just can't figure out the flow and I'm trying to see how this Resolver "top-down" thing does its thing.
EDIT: Oops. In case it helps, I'm using DNS Resolver in its default NON-Forwarding mode with DNSSEC and Harden DNSSEC turned on.
Shell Output - drill -V5 -T www.oshkosh.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; . IN NS
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Sat Apr 29 19:45:06 2017
;; MSG SIZE rcvd: 0
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; 201.79.228.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Sat Apr 29 19:45:06 2017
;; MSG SIZE rcvd: 0
. 518400 IN NS i.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN NS g.root-servers.net.
;; Received 492 bytes from 192.228.79.201#53(b.root-servers.net.) in 29 ms
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.oshkosh.com. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Sat Apr 29 19:45:07 2017
;; MSG SIZE rcvd: 0
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; 4.36.112.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Sat Apr 29 19:45:07 2017
;; MSG SIZE rcvd: 0
;; Received 493 bytes from 192.112.36.4#53(G.ROOT-SERVERS.NET.) in 71 ms
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.oshkosh.com. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Sat Apr 29 19:45:07 2017
;; MSG SIZE rcvd: 0
oshkosh.com. 172800 IN NS dns1.idp365.net.
oshkosh.com. 172800 IN NS dns2.idp365.net.
oshkosh.com. 172800 IN NS dns3.idp365.net.
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; 30.178.52.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Sat Apr 29 19:45:07 2017
;; MSG SIZE rcvd: 0
;; Received 148 bytes from 192.52.178.30#53(k.gtld-servers.net.) in 168 ms
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.oshkosh.com. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Sat Apr 29 19:45:07 2017
;; MSG SIZE rcvd: 0
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.oshkosh.com. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Sat Apr 29 19:45:17 2017
;; MSG SIZE rcvd: 0
www.oshkosh.com. 5 IN CNAME www.oshkosh.com.cdn.cloudflare.net.
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; 80.239.228.207.in-addr.arpa. IN PTR
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Sat Apr 29 19:45:18 2017
;; MSG SIZE rcvd: 0
;; Received 81 bytes from 207.228.239.80#53(dns3.idp365.net.) in 72 ms
-
What exactly are you expecting?
Yes, www.oshkosh.com points to a CNAME..
;; ANSWER SECTION:
www.oshkosh.com. 5 IN CNAME www.oshkosh.com.cdn.cloudflare.net.
www.oshkosh.com.cdn.cloudflare.net. 300 IN A 104.16.45.4
www.oshkosh.com.cdn.cloudflare.net. 300 IN A 104.16.44.4
That it is a 5 second TTL seems nuts ;) But yeah, that is what it resolves to. If you didn't do the -V5 you would get an easier to read result.
[2.4.0-BETA][root@pfsense.local.lan]/root: drill www.oshkosh.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 45478
;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.oshkosh.com. IN A
;; ANSWER SECTION:
www.oshkosh.com. 5 IN CNAME www.oshkosh.com.cdn.cloudflare.net.
www.oshkosh.com.cdn.cloudflare.net. 103 IN A 104.16.45.4
www.oshkosh.com.cdn.cloudflare.net. 103 IN A 104.16.44.4
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 104 msec
;; SERVER: 127.0.0.1
;; WHEN: Sun Apr 30 17:17:08 2017
;; MSG SIZE rcvd: 113
[2.4.0-BETA][root@pfsense.local.lan]/root:
-
I was just trying to see the flow from the root DNS server to wherever it got the final answer. Something like: asked Server A which pointed to Server B which pointed to … and then Server X provided the address. Pure curiosity in trying to see how it worked.
-
Yup, a dig trace is easier to read..
dig www.oshkosh.com +trace
; <<>> DiG 9.11.1 <<>> www.oshkosh.com +trace
;; global options: +cmd
. 509374 IN NS m.root-servers.net.
. 509374 IN NS b.root-servers.net.
. 509374 IN NS c.root-servers.net.
. 509374 IN NS d.root-servers.net.
. 509374 IN NS e.root-servers.net.
. 509374 IN NS f.root-servers.net.
. 509374 IN NS g.root-servers.net.
. 509374 IN NS h.root-servers.net.
. 509374 IN NS a.root-servers.net.
. 509374 IN NS i.root-servers.net.
. 509374 IN NS j.root-servers.net.
. 509374 IN NS k.root-servers.net.
. 509374 IN NS l.root-servers.net.
;; Received 525 bytes from 192.168.3.10#53(192.168.3.10) in 38 ms
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
;; Received 867 bytes from 192.203.230.10#53(e.root-servers.net) in 15 ms
oshkosh.com. 172800 IN NS dns1.idp365.net.
oshkosh.com. 172800 IN NS dns2.idp365.net.
oshkosh.com. 172800 IN NS dns3.idp365.net.
;; Received 644 bytes from 192.31.80.30#53(d.gtld-servers.net) in 16 ms
www.oshkosh.com. 5 IN CNAME www.oshkosh.com.cdn.cloudflare.net.
;; Received 92 bytes from 207.228.239.80#53(dns3.idp365.net) in 83 ms
I snipped out all the DNSSEC stuff which makes it harder to read..
-
OK. That looks more readable. So, the first clump is querying the root server, the second clump handles the .com suffix, and the final clump actually resolves the address. Thanks.
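As an added example (not posted by anyone in this thread), the script below turns a dig +trace transcript into the "asked A, which referred to B, ... which answered" chain discussed above, and flags any hop answered by a server that the previous hop's NS referral did not name, which is a useful sanity check on the delegation path. The sample transcript is constructed from the records shown in the thread, with the DNSSEC records left out as the poster did.

```python
import re
from collections import namedtuple

# Constructed sample, cut down from the dig +trace output posted in the thread.
SAMPLE_TRACE = """\
. 509374 IN NS m.root-servers.net.
. 509374 IN NS e.root-servers.net.
;; Received 525 bytes from 192.168.3.10#53(192.168.3.10) in 38 ms
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
;; Received 867 bytes from 192.203.230.10#53(e.root-servers.net) in 15 ms
oshkosh.com. 172800 IN NS dns1.idp365.net.
oshkosh.com. 172800 IN NS dns3.idp365.net.
;; Received 644 bytes from 192.31.80.30#53(d.gtld-servers.net) in 16 ms
www.oshkosh.com. 5 IN CNAME www.oshkosh.com.cdn.cloudflare.net.
;; Received 92 bytes from 207.228.239.80#53(dns3.idp365.net) in 83 ms
"""
# A resource record line "<owner> <ttl> IN <type> <rdata>", and the dig footer
# that closes one hop and names the server (and IP) that answered.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")
HOP_RE = re.compile(r"^;; Received \d+ bytes from (\S+)#\d+\((\S+)\) in \d+ ms$")
Hop = namedtuple("Hop", "server ip records")  # records: [(owner, type, rdata)]

def parse_trace(text):
    """Group the records of a dig +trace transcript by the server that returned them."""
    hops, pending = [], []
    for line in text.splitlines():
        rr = RR_RE.match(line)
        if rr:
            pending.append((rr.group(1), rr.group(3), rr.group(4)))
            continue
        foot = HOP_RE.match(line)
        if foot:
            hops.append(Hop(foot.group(2), foot.group(1), pending))
            pending = []
    return hops

def delegation_chain(hops):
    """One line per hop: who was asked and which zone it referred to (or answered for).
    A hop whose server was not named in the previous hop's NS referral is flagged."""
    chain, referred = [], None
    for hop in hops:
        if referred and hop.server.rstrip(".").lower() not in referred:
            chain.append(f"WARNING: {hop.server} was not in the previous referral")
        owners = sorted({owner for owner, _, _ in hop.records})
        ns = {rdata.rstrip(".").lower() for _, rtype, rdata in hop.records if rtype == "NS"}
        kind = "referral to NS for" if ns else "answer for"
        chain.append(f"asked {hop.server} ({hop.ip}) -> {kind} {', '.join(owners)}")
        referred = ns
    return chain
```

Run it as `for line in delegation_chain(parse_trace(SAMPLE_TRACE)): print(line)`; on a real trace, feed it the output of `dig <name> +trace`.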