Help Parse Response to "Drill" Command?



  • Could someone help me parse the result of the drill command I used in pfSense's Diagnostics / Command Prompt page?  I'm just curious.  It's nothing vital.  I just can't figure out the flow and I'm trying to see how this Resolver "top-down" thing does its thing.

    EDIT:  Oops.  In case it helps, I'm using DNS Resolver in its default NON-Forwarding mode with DNSSEC and Harden DNSSEC turned on.

    Shell Output - drill -V5 -T www.oshkosh.com
    
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; .	IN	NS
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Sat Apr 29 19:45:06 2017
    ;; MSG SIZE  rcvd: 0
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; 201.79.228.192.in-addr.arpa.	IN	PTR
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Sat Apr 29 19:45:06 2017
    ;; MSG SIZE  rcvd: 0
    .	518400	IN	NS	i.root-servers.net.
    .	518400	IN	NS	b.root-servers.net.
    .	518400	IN	NS	f.root-servers.net.
    .	518400	IN	NS	h.root-servers.net.
    .	518400	IN	NS	l.root-servers.net.
    .	518400	IN	NS	j.root-servers.net.
    .	518400	IN	NS	e.root-servers.net.
    .	518400	IN	NS	a.root-servers.net.
    .	518400	IN	NS	c.root-servers.net.
    .	518400	IN	NS	d.root-servers.net.
    .	518400	IN	NS	k.root-servers.net.
    .	518400	IN	NS	m.root-servers.net.
    .	518400	IN	NS	g.root-servers.net.
    ;; Received 492 bytes from 192.228.79.201#53(b.root-servers.net.) in 29 ms
    
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; www.oshkosh.com.	IN	A
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Sat Apr 29 19:45:07 2017
    ;; MSG SIZE  rcvd: 0
    com.	172800	IN	NS	j.gtld-servers.net.
    com.	172800	IN	NS	b.gtld-servers.net.
    com.	172800	IN	NS	i.gtld-servers.net.
    com.	172800	IN	NS	e.gtld-servers.net.
    com.	172800	IN	NS	g.gtld-servers.net.
    com.	172800	IN	NS	c.gtld-servers.net.
    com.	172800	IN	NS	h.gtld-servers.net.
    com.	172800	IN	NS	f.gtld-servers.net.
    com.	172800	IN	NS	a.gtld-servers.net.
    com.	172800	IN	NS	k.gtld-servers.net.
    com.	172800	IN	NS	d.gtld-servers.net.
    com.	172800	IN	NS	m.gtld-servers.net.
    com.	172800	IN	NS	l.gtld-servers.net.
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; 4.36.112.192.in-addr.arpa.	IN	PTR
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Sat Apr 29 19:45:07 2017
    ;; MSG SIZE  rcvd: 0
    ;; Received 493 bytes from 192.112.36.4#53(G.ROOT-SERVERS.NET.) in 71 ms
    
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; www.oshkosh.com.	IN	A
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Sat Apr 29 19:45:07 2017
    ;; MSG SIZE  rcvd: 0
    oshkosh.com.	172800	IN	NS	dns1.idp365.net.
    oshkosh.com.	172800	IN	NS	dns2.idp365.net.
    oshkosh.com.	172800	IN	NS	dns3.idp365.net.
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; 30.178.52.192.in-addr.arpa.	IN	PTR
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Sat Apr 29 19:45:07 2017
    ;; MSG SIZE  rcvd: 0
    ;; Received 148 bytes from 192.52.178.30#53(k.gtld-servers.net.) in 168 ms
    
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; www.oshkosh.com.	IN	A
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Sat Apr 29 19:45:07 2017
    ;; MSG SIZE  rcvd: 0
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; www.oshkosh.com.	IN	A
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Sat Apr 29 19:45:17 2017
    ;; MSG SIZE  rcvd: 0
    www.oshkosh.com.	5	IN	CNAME	www.oshkosh.com.cdn.cloudflare.net.
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
    ;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; 80.239.228.207.in-addr.arpa.	IN	PTR
    
    ;; ANSWER SECTION:
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; WHEN: Sat Apr 29 19:45:18 2017
    ;; MSG SIZE  rcvd: 0
    ;; Received 81 bytes from 207.228.239.80#53(dns3.idp365.net.) in 72 ms
    

  • LAYER 8 Global Moderator

    What exactly are you expecting?

    Yes, www.oshkosh.com points to a CNAME.

    ;; ANSWER SECTION:
    www.oshkosh.com.        5      IN      CNAME  www.oshkosh.com.cdn.cloudflare.net.
    www.oshkosh.com.cdn.cloudflare.net. 300 IN A    104.16.45.4
    www.oshkosh.com.cdn.cloudflare.net. 300 IN A    104.16.44.4

    That it is a 5 second TTL seems nuts ;)  But yeah, that is what it resolves to.  If you didn't do the -V5 you would get an easier to read result.

    [2.4.0-BETA][root@pfsense.local.lan]/root: drill www.oshkosh.com
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 45478
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; www.oshkosh.com.    IN      A

    ;; ANSWER SECTION:
    www.oshkosh.com.        5      IN      CNAME  www.oshkosh.com.cdn.cloudflare.net.
    www.oshkosh.com.cdn.cloudflare.net.    103    IN      A      104.16.45.4
    www.oshkosh.com.cdn.cloudflare.net.    103    IN      A      104.16.44.4

    ;; AUTHORITY SECTION:

    ;; ADDITIONAL SECTION:

    ;; Query time: 104 msec
    ;; SERVER: 127.0.0.1
    ;; WHEN: Sun Apr 30 17:17:08 2017
    ;; MSG SIZE  rcvd: 113
    [2.4.0-BETA][root@pfsense.local.lan]/root:



  • I was just trying to see the flow from the root DNS server to wherever it got the final answer.  Something like:  asked Server A which pointed to Server B which pointed to … and then Server X provided the address.  Pure curiosity in trying to see how it worked.


  • LAYER 8 Global Moderator

    Yup, a dig trace is easier to read.

    dig www.oshkosh.com +trace

    ; <<>> DiG 9.11.1 <<>> www.oshkosh.com +trace
    ;; global options: +cmd
    .                      509374  IN      NS      m.root-servers.net.
    .                      509374  IN      NS      b.root-servers.net.
    .                      509374  IN      NS      c.root-servers.net.
    .                      509374  IN      NS      d.root-servers.net.
    .                      509374  IN      NS      e.root-servers.net.
    .                      509374  IN      NS      f.root-servers.net.
    .                      509374  IN      NS      g.root-servers.net.
    .                      509374  IN      NS      h.root-servers.net.
    .                      509374  IN      NS      a.root-servers.net.
    .                      509374  IN      NS      i.root-servers.net.
    .                      509374  IN      NS      j.root-servers.net.
    .                      509374  IN      NS      k.root-servers.net.
    .                      509374  IN      NS      l.root-servers.net.
    ;; Received 525 bytes from 192.168.3.10#53(192.168.3.10) in 38 ms

    com.                    172800  IN      NS      a.gtld-servers.net.
    com.                    172800  IN      NS      b.gtld-servers.net.
    com.                    172800  IN      NS      c.gtld-servers.net.
    com.                    172800  IN      NS      d.gtld-servers.net.
    com.                    172800  IN      NS      e.gtld-servers.net.
    com.                    172800  IN      NS      f.gtld-servers.net.
    com.                    172800  IN      NS      g.gtld-servers.net.
    com.                    172800  IN      NS      h.gtld-servers.net.
    com.                    172800  IN      NS      i.gtld-servers.net.
    com.                    172800  IN      NS      j.gtld-servers.net.
    com.                    172800  IN      NS      k.gtld-servers.net.
    com.                    172800  IN      NS      l.gtld-servers.net.
    com.                    172800  IN      NS      m.gtld-servers.net.
    ;; Received 867 bytes from 192.203.230.10#53(e.root-servers.net) in 15 ms

    oshkosh.com.            172800  IN      NS      dns1.idp365.net.
    oshkosh.com.            172800  IN      NS      dns2.idp365.net.
    oshkosh.com.            172800  IN      NS      dns3.idp365.net.
    ;; Received 644 bytes from 192.31.80.30#53(d.gtld-servers.net) in 16 ms

    www.oshkosh.com.        5      IN      CNAME  www.oshkosh.com.cdn.cloudflare.net.
    ;; Received 92 bytes from 207.228.239.80#53(dns3.idp365.net) in 83 ms

    I snipped out all the DNSSEC stuff, which makes it harder to read.



  • OK.  That looks more readable.  So, the first clump is querying the root server, the second clump handles the .com suffix, and the final clump actually resolves the address.  Thanks.
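
Added example, not part of the thread: a small Python parser that turns dig +trace output into the "server A pointed to server B" chain discussed above. It also accepts drill -T output, since it keys only on the record lines and the ";; Received ... from" lines. The sample input is abridged from the dig output quoted in the thread; the names Hop, parse_trace and describe are this example's own.

```python
import re
from collections import namedtuple

# Abridged from the dig +trace output quoted in the thread (NS sets shortened).
SAMPLE_TRACE = """\
.                      509374  IN      NS      m.root-servers.net.
.                      509374  IN      NS      b.root-servers.net.
;; Received 525 bytes from 192.168.3.10#53(192.168.3.10) in 38 ms
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
;; Received 867 bytes from 192.203.230.10#53(e.root-servers.net) in 15 ms
oshkosh.com.            172800  IN      NS      dns1.idp365.net.
oshkosh.com.            172800  IN      NS      dns2.idp365.net.
;; Received 644 bytes from 192.31.80.30#53(d.gtld-servers.net) in 16 ms
www.oshkosh.com.        5      IN      CNAME  www.oshkosh.com.cdn.cloudflare.net.
;; Received 92 bytes from 207.228.239.80#53(dns3.idp365.net) in 83 ms
"""

Hop = namedtuple("Hop", "server ip owner rtype targets kind")
# Resource record line: owner, TTL, class IN, type, rdata. Comment lines (";") never match.
RECORD = re.compile(r"^([^;\s]\S*)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")
# Trailer naming the server that sent the records printed before it.
RECEIVED = re.compile(r"^;; Received \d+ bytes from ([^#\s]+)#\d+\(([^)]+)\)")

def parse_trace(text):
    """Return one Hop per ';; Received' trailer, in the order the servers were asked."""
    hops, pending = [], []
    for line in text.splitlines():
        line = line.strip()
        m = RECORD.match(line)
        if m:
            pending.append((m.group(1), m.group(3), m.group(4)))
            continue
        m = RECEIVED.match(line)
        if m and pending:
            owner, rtype = pending[0][0], pending[0][1]
            # Keep the first RRset only; DNSSEC records that follow it are ignored.
            targets = [t for o, r, t in pending if (o, r) == (owner, rtype)]
            kind = "referral" if rtype == "NS" else "answer"
            hops.append(Hop(m.group(2).rstrip(".").lower(), m.group(1), owner, rtype, targets, kind))
            pending = []
    return hops

def describe(hops):
    """One readable line per hop, plus a note when the trace stops at a CNAME."""
    lines = [f"{h.server} ({h.ip}) -> {h.kind}: {h.owner} {h.rtype} {', '.join(h.targets)}" for h in hops]
    if hops and hops[-1].rtype == "CNAME":  # the A records live in the alias target's zone
        lines.append(f"trace ends on an alias; {hops[-1].targets[0]} needs its own lookup")
    return lines

if __name__ == "__main__":
    print("\n".join(describe(parse_trace(SAMPLE_TRACE))))
```

In the dig output the first hop is the local resolver (192.168.3.10) handing back the root NS set; each later hop is the server that issued the next referral or the final answer.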

