*i am getting a notauth on my axfr attempt. what i am not seeing is an A ip# for the secondary dns server.*
*is this missing A record a problem i need to fix for following host cli???*
*dig @ws.linuxlighthouse.com axfr linuxlighthouse.com*
; <<>> DiG 9.11.28-RedHat-9.11.28-1.fc32 <<>> @ws.linuxlighthouse.com axfr linuxlighthouse.com
; (1 server found)
;; global options: +cmd
linuxlighthouse.com. 259200 IN SOA ws.linuxlighthouse.com. root.linuxlighthouse.com. 2021051603 86400 7200 3600000 172800
linuxlighthouse.com. 259200 IN A 108.220.213.121
linuxlighthouse.com. 259200 IN CAA 0 issue "letsencrypt.org"
linuxlighthouse.com. 259200 IN NS ws.linuxlighthouse.com.
*linuxlighthouse.com. 259200 IN NS ns2.swbell.net.*
ws.linuxlighthouse.com. 259200 IN A 108.220.213.121
www.linuxlighthouse.com. 259200 IN A 108.220.213.121
linuxlighthouse.com. 259200 IN SOA ws.linuxlighthouse.com. root.linuxlighthouse.com. 2021051603 86400 7200 3600000 172800
;; Query time: 1 msec
;; SERVER: 108.220.213.121#53(108.220.213.121)
;; WHEN: Mon May 17 12:43:43 PDT 2021
;; XFR size: 8 records (messages 1, bytes 284)
*[jackc@ws ~ $ host -t axfr ns2.swbell.net ws.linuxlighthouse.com*
Trying "ns2.swbell.net"
Using domain server:
Name: ws.linuxlighthouse.com
Address: 108.220.213.121#53
Aliases:
Host ns2.swbell.net not found: 9(NOTAUTH)
; Transfer failed.
[jackc@ws ~ $
On 18/05/2021 03:50, Jack Craig wrote:
*i am getting a notauth on my axfr attempt. what i am not seeing is an A ip# for the secondary dns server.*
*is this missing A record a problem i need to fix for following host cli???*
*dig @ws.linuxlighthouse.com axfr linuxlighthouse.com*
; <<>> DiG 9.11.28-RedHat-9.11.28-1.fc32 <<>> @ws.linuxlighthouse.com axfr linuxlighthouse.com
; (1 server found)
;; global options: +cmd
linuxlighthouse.com. 259200 IN SOA ws.linuxlighthouse.com. root.linuxlighthouse.com. 2021051603 86400 7200 3600000 172800
linuxlighthouse.com. 259200 IN A 108.220.213.121
linuxlighthouse.com. 259200 IN CAA 0 issue "letsencrypt.org"
linuxlighthouse.com. 259200 IN NS ws.linuxlighthouse.com.
*linuxlighthouse.com. 259200 IN NS ns2.swbell.net.*
ws.linuxlighthouse.com. 259200 IN A 108.220.213.121
www.linuxlighthouse.com. 259200 IN A 108.220.213.121
linuxlighthouse.com. 259200 IN SOA ws.linuxlighthouse.com. root.linuxlighthouse.com. 2021051603 86400 7200 3600000 172800
;; Query time: 1 msec
;; SERVER: 108.220.213.121#53(108.220.213.121)
;; WHEN: Mon May 17 12:43:43 PDT 2021
;; XFR size: 8 records (messages 1, bytes 284)
*[jackc@ws ~ $ host -t axfr ns2.swbell.net ws.linuxlighthouse.com*
Trying "ns2.swbell.net"
Using domain server:
Name: ws.linuxlighthouse.com
Address: 108.220.213.121#53
Aliases:
Host ns2.swbell.net not found: 9(NOTAUTH)
; Transfer failed.
[jackc@ws ~ $
See "man host". The server to query is the last entry on the line. So, the command should be....
host -t axfr linuxlighthouse.com ns2.swbell.net
But I don't know why you'd want/need to do that.
First off, it would seem to me (and others) that AT&T or SW-Bell or whoever is responsible for making your secondary DNS server hasn't completed the task.
[egreshko@acer ~]$ host ws.linuxlighthouse.com ns2.swbell.net
Using domain server:
Name: ns2.swbell.net
Address: 151.164.11.218#53
Aliases:
Host ws.linuxlighthouse.com not found: 5(REFUSED)
Says as much. It doesn't have the info to complete the request without recursion and that server is set for "no recursion".
Next, even if that server were set up as secondary server it would normally have "allow-transfer { none; };" for secondary zones. As there should be no need by anyone to request download of whole zones. Especially secondary zones.
It still puzzles me as to why you need to rely on AT&T or SW-Bell to be your secondary. Why don't you just use your registrar as your secondary? You should be able to set that up on your own without help from the outside world. I know my registrar allows this. If I wanted to, I could host the master DNS and let them be slaves. It would make your life so much easier as *everything* would be under your control.
On 18/05/2021 03:50, Jack Craig wrote:
*i am getting a notauth on my axfr attempt. what i am not seeing is an A ip# for the secondary dns server.*
Oh, FWIW, I have previously mentioned that since your system is quite "open" I configured a system here as a slave to your domain. My named.conf contains....
zone "greshko.com" {
    type master;
    file "greshko.com.zone";
    allow-update { none; };
    allow-transfer { 2001:470:66:cce::2; 192.168.0.0/16; 2001:b030:112f:0000::/56; };
};
zone "linuxlighthouse.com" {
    type slave;
    file "light.zone";
    masters { 108.220.213.121; };
};
So, transfers of greshko.com are limited to the listed IPs. While linuxlighthouse.com is wide open.
So, try these to see the results.
host -t axfr linuxlighthouse.com 211.75.128.214
host -t axfr greshko.com 211.75.128.214
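Added example, not part of the original message: a small Python audit that reads the two zone statements quoted above and reports which zones would answer AXFR from any client. It assumes BIND 9.11 semantics (a zone with no allow-transfer, and none in options, allows transfers to all hosts); the function names are illustrative.

```python
import re

# Constructed input: the two zone statements quoted in the message above.
NAMED_CONF = """
zone "greshko.com" {
    type master;
    file "greshko.com.zone";
    allow-update { none; };
    allow-transfer { 2001:470:66:cce::2; 192.168.0.0/16; 2001:b030:112f:0000::/56; };
};
zone "linuxlighthouse.com" {
    type slave;
    file "light.zone";
    masters { 108.220.213.121; };
};
"""

# Zone types that hold a full copy of the zone and can therefore answer AXFR.
TRANSFERABLE = {"master", "primary", "slave", "secondary"}


def strip_comments(text):
    """Remove /* */, // and # comments (simplification: ignores quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def block_after(text, start):
    """Return the body of the first balanced { ... } block at or after start."""
    open_at = text.index("{", start)
    depth = 0
    for i in range(open_at, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_at + 1:i]
    raise ValueError("unbalanced braces in configuration")


def transfer_acl(body):
    """Return the allow-transfer elements found in body, or None if absent."""
    m = re.search(r"(?<![\w-])allow-transfer\s*\{", body)
    if m is None:
        return None
    return [e.strip() for e in block_after(body, m.start()).split(";") if e.strip()]


def audit_transfers(conf):
    """Map each zone that can serve AXFR to 'open' or 'restricted'."""
    conf = strip_comments(conf)
    default = None
    opts = re.search(r"(?<![\w-])options\s*\{", conf)
    if opts:
        default = transfer_acl(block_after(conf, opts.start()))
    result = {}
    for m in re.finditer(r'(?<![\w-])zone\s+"([^"]+)"[^{;]*\{', conf):
        body = block_after(conf, m.start())
        ztype = re.search(r"(?<![\w-])type\s+([\w-]+)\s*;", body)
        if ztype is None or ztype.group(1) not in TRANSFERABLE:
            continue
        acl = transfer_acl(body)
        if acl is None:
            acl = default  # fall back to the options-level setting
        # Assumption: BIND 9.11 behaviour, where no ACL anywhere means "any".
        is_open = acl is None or "any" in acl
        result[m.group(1)] = "open" if is_open else "restricted"
    return result


if __name__ == "__main__":
    for zone, status in audit_transfers(NAMED_CONF).items():
        print(f"{zone}: AXFR {status}")
```

The slave copy is flagged because a secondary serves transfers too unless told otherwise; an options-level `allow-transfer { none; };` changes its status to restricted.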
*whois linuxlighthouse.com | grep ^Name*
Name Server: NS21.WORLDNIC.COM
Name Server: NS22.WORLDNIC.COM
*[jackc@ws ~ $ whois linuxlighost -t axfr linuxlighthouse.com ns21.worldnic.com*
Trying "linuxlighthouse.com"
Using domain server:
Name: ns21.worldnic.com
Address: 162.159.26.132#53
Aliases:
Host linuxlighthouse.com not found: 4(NOTIMP)
; Transfer failed.
*[jackc@ws ~ $ host -t axfr linuxlighthouse.com ns22.worldnic.com*
Trying "linuxlighthouse.com"
Using domain server:
Name: ns22.worldnic.com
Address: 162.159.27.77#53
Aliases:
Host linuxlighthouse.com not found: 4(NOTIMP)
; Transfer failed.
*something i dont get, if my registrar provides glue references for primary & secondary domain dns servers, what purpose is served by anything in my host's named.conf (et al) having any reference to my domain if it's not accessible/useful?*
*i had thought that i should provide the primary server and my hosting service provided secondary, but that leaves only the secondary so i have only 1 responding*
*Thx, jackc...*
On Mon, May 17, 2021 at 5:31 PM Ed Greshko ed.greshko@greshko.com wrote:
On 18/05/2021 03:50, Jack Craig wrote:
*i am getting a notauth on my axfr attempt. what i am not seeing is an A ip# for the secondary dns server.*
Oh, FWIW, I have previously mentioned that since your system is quite "open" I configured a system here as a slave to your domain. My named.conf contains....
zone "greshko.com" {
    type master;
    file "greshko.com.zone";
    allow-update { none; };
    allow-transfer { 2001:470:66:cce::2; 192.168.0.0/16; 2001:b030:112f:0000::/56; };
};
zone "linuxlighthouse.com" {
    type slave;
    file "light.zone";
    masters { 108.220.213.121; };
};
So, transfers of greshko.com are limited to the listed IPs. While linuxlighthouse.com is wide open.
So, try these to see the results.
host -t axfr linuxlighthouse.com 211.75.128.214
host -t axfr greshko.com 211.75.128.214
-- Remind me to ignore comments which aren't germane to the thread. _______________________________________________ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
On Sun, 2021-06-06 at 11:54 -0700, Jack Craig wrote:
something i dont get, if my registrar provides glue references for primary & secondary domain dns servers, what purpose is served by anything in my host's named.conf (et al) having any reference to my domain if it's not accessible/useful?
i had thought that i should provide the primary server and my hosting service provided secondary, but that leaves only the secondary so i have only 1 responding
The internet, at large, will always use your primary server. If it can't, it'll try your secondary server. Both of those servers are accessed by name, not numerical IP address, and those names have to be in some public DNS records, so people can find the IP addresses for them to connect to them.
A glue record is a helping hand to find your primary server, when nothing else gives information about it.
e.g. I try to look up linuxlighthouse.com. My system will find the root server for .com, then it will ask it who holds the records for linuxlighthouse.com, get told ns.linuxlighthouse.com and then query whoever that was, for its IP address.
The big gotcha is that .com will say linuxlighthouse.com is handled by a particular nameserver by that nameserver's *name* not its IP.
So the person trying to find linuxlighthouse.com first has to find the IP for ns.linuxlighthouse.com. If the only server that knows that IP is ns.linuxlighthouse.com, itself, outsiders have no way to find out the IP of the nameserver to connect to it.
Having your primary server as yourself, answering queries for itself, and nobody outside knowing its IP to be able to query it, is the quandary you find yourself in.
How do you spell dictionary? Dunno, go look it up in the dictionary...
Hence, the glue record. Querying .com will say ns.linuxlighthouse.com is handled by the holder of that glue record, we'll call it example.com (your registrar or other service provider). Your registrar will have records that everyone else can look up, so they can find example.com's IP address. Now people can connect to your example.com registrar, your registrar's DNS server's glue record will give them the numerical IP of your ns.linuxlighthouse.com DNS server that they couldn't look up directly. And, then, after all that, they can find your DNS server and query it about linuxlighthouse.com.
This is like borrowing $5 from someone who wants a favour from a third party before they'll give you it, and that third party wants a favour from a fourth party before they'll do the third party's favour, rinse, lather, repeat...
In all seriousness, you're really doing this the hardest way possible. I would let your registrar be your primary and secondary DNS servers (they'll have more than one server), and have your IP addresses programmed into them. The public can query them. And just run your own name server for your own internal addresses, and for learning how things work.
Your registrar does not require you to run a DNS server to give them the information. The DNS records will be programmed directly into their DNS server. Either by them, manually, or automatically when you registered the domain name, or you'll have some webpage interface to enter and edit details.
On 6/7/21 7:49 AM, Tim via users wrote:
The internet, at large, will always use your primary server. If it can't, it'll try your secondary server. Both of those servers are accessed by name, not numerical IP address, and those names have to be in some public DNS records, so people can find the IP addresses for them to connect to them.
No. DNS servers are always accessed by IP address, never by name. Trying to access a DNS server by name would just create an endless loop of trying to resolve addresses as you can't get the server's address without using DNS to get the IP address. To quote Professor Harold Hill, "Now think, boys, think!"
On 6/7/21 6:49 AM, Tim via users wrote:
On Sun, 2021-06-06 at 11:54 -0700, Jack Craig wrote:
something i dont get, if my registrar provides glue references for primary & secondary domain dns servers, what purpose is served by anything in my host's named.conf (et al) having any reference to my domain if it's not accessible/useful?
i had thought that i should provide the primary server and my hosting service provided secondary, but that leaves only the secondary so i have only 1 responding
The internet, at large, will always use your primary server.
<snip/>
Hi Tim,
Are you sure about that? If I query the gtld-servers.net. for my domains I always receive my two nameservers but they are in random order. Typically the first record received is used for a search followed by the second record received. In that sense, the first record received is primary in the search order, the next, secondary, and so on. Since they arrive in a random order there is no such thing as a fixed primary or secondary. A dnsadmin may refer to the server they manage as primary, but that is primary only to the dnsadmin for referential purposes.
To the best of my knowledge the SOA contains the name of the AXFR server (the master or primary source for zone data) and recipients of the zone data are referred to as clients or secondaries.
Perhaps a lot of the confusion comes from the dual uses of the term:
primary in search order (which is random)
primary source for zone data (which is fixed by an SOA)
To make matters more confusing there are more complex setups where the zone masters are also clients making them both primary and secondary.
On 07/06/2021 02:54, Jack Craig wrote:
[jackc@ws ~ $ host -t axfr linuxlighthouse.com ns22.worldnic.com
Trying "linuxlighthouse.com"
Using domain server:
Name: ns22.worldnic.com
Address: 162.159.27.77#53
Aliases:
Host linuxlighthouse.com not found: 4(NOTIMP)
; Transfer failed.
*something i dont get, if my registrar provides glue references for primary & secondary domain dns servers, what purpose is served by anything in my host's named.conf (et al) having any reference to my domain if it's not accessible/useful?*
*i had thought that i should provide the primary server and my hosting service provided secondary, but that leaves only the secondary so i have only 1 responding*
I feel you are making your life more complex/difficult than it need be. This is especially the case when your network is comprised of minimal IP addresses and public facing hosts.
It seems you want to have your DNS server as the master (using more specific terms now) while having your registrar's servers be slaves. This is generally not what people do. They let the registrar deal with having both master and slaves and don't run a DNS server. On some occasions they have the registrar as the master, plus slaves, and they run a slave copy locally for internal use. It is not often that people run a master DNS server with their registrar running slaves. That is what I think you're attempting to do.
I frankly don't see any value in that.
However, if that is what you're wanting to do then your discussions should be with your registrar on how to configure their side to accommodate your wishes. My registrar allows for this and actually covers the topic in various articles in the "Knowledge Base". They also include caveats about this configuration as it renders some of the services they provide customers unusable by them.
Another reason for consulting your registrar is to be certain of their configuration. An example would be what I found out with my registrar when I wanted to have a slave copy locally. I assumed that I could do a zone transfer from any of their public DNS servers. That was not the case. They have a specific server for customers to use from which to request the transfers.
On 08/06/2021 02:10, Mike Wright wrote:
Perhaps a lot of the confusion comes from the dual uses of the term:
primary in search order (which is random)
primary source for zone data (which is fixed by an SOA)
To make matters more confusing there are more complex setups where the zone masters are also clients making them both primary and secondary.
I would state that somewhat differently. (And while, yes, violating my goal of not introducing tangents in threads seeking answers.)
I would say that confusion arises when terms are used interchangeably when they shouldn't be. This often happens when the meaning of the terms is understood based on context. The confusion can be worse when individuals with different subject matter knowledge are involved in the conversation.
Anyway, I feel it would be helpful to use terms in a more consistent and "proper" manner.
primary/secondary should be used when discussing name resolution. The "old school" way of thinking about this would be the order in which DNS servers are listed in /etc/resolv.conf. The first entry being primary with subsequent entries being secondary.
master/slave should be used when speaking of the data held in DNS servers. That would coincide with the terms used in, for example, the "zone type" declaration within the named.conf file of bind.
Thanks Tim,
If you aren't a teacher, you are missing an academic calling!
Thanks again!
On Mon, Jun 7, 2021 at 6:49 AM Tim via users users@lists.fedoraproject.org wrote:
On Sun, 2021-06-06 at 11:54 -0700, Jack Craig wrote:
something i dont get, if my registrar provides glue references for primary & secondary domain dns servers, what purpose is served by anything in my host's named.conf (et al) having any reference to my domain if it's not accessible/useful?
i had thought that i should provide the primary server and my hosting service provided secondary, but that leaves only the secondary so i have only 1 responding
The internet, at large, will always use your primary server. If it can't, it'll try your secondary server. Both of those servers are accessed by name, not numerical IP address, and those names have to be in some public DNS records, so people can find the IP addresses for them to connect to them.
A glue record is a helping hand to find your primary server, when nothing else gives information about it.
e.g. I try to look up linuxlighthouse.com. My system will find the root server for .com, then it will ask it who holds the records for linuxlighthouse.com, get told ns.linuxlighthouse.com and then query whoever that was, for its IP address.
The big gotcha is that .com will say linuxlighthouse.com is handled by a particular nameserver by that nameserver's *name* not its IP.
So the person trying to find linuxlighthouse.com first has to find the IP for ns.linuxlighthouse.com. If the only server that knows that IP is ns.linuxlighthouse.com, itself, outsiders have no way to find out the IP of the nameserver to connect to it.
Having your primary server as yourself, answering queries for itself, and nobody outside knowing its IP to be able to query it, is the quandary you find yourself in.
How do you spell dictionary? Dunno, go look it up in the dictionary...
Hence, the glue record. Querying .com will say ns.linuxlighthouse.com is handled by the holder of that glue record, we'll call it example.com (your registrar or other service provider). Your registrar will have records that everyone else can look up, so they can find example.com's IP address. Now people can connect to your example.com registrar, your registrar's DNS server's glue record will give them the numerical IP of your ns.linuxlighthouse.com DNS server that they couldn't look up directly. And, then, after all that, they can find your DNS server and query it about linuxlighthouse.com.
This is like borrowing $5 from someone who wants a favour from a third party before they'll give you it, and that third party wants a favour from a fourth party before they'll do the third party's favour, rinse, lather, repeat...
In all seriousness, you're really doing this the hardest way possible. I would let your registrar be your primary and secondary DNS servers (they'll have more than one server), and have your IP addresses programmed into them. The public can query them. And just run your own name server for your own internal addresses, and for learning how things work.
Your registrar does not require you to run a DNS server to give them the information. The DNS records will be programmed directly into their DNS server. Either by them, manually, or automatically when you registered the domain name, or you'll have some webpage interface to enter and edit details.
--
uname -rsvp Linux 3.10.0-1160.25.1.el7.x86_64 #1 SMP Wed Apr 28 21:49:45 UTC 2021 x86_64
Boilerplate: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the mailing list.
Thanks for all your advice; you are right!
I'll let the registrar do what they are already being paid to do.
I really appreciate your guidance, jackc...
On Mon, Jun 7, 2021 at 2:28 PM Ed Greshko ed.greshko@greshko.com wrote:
On 08/06/2021 02:10, Mike Wright wrote:
Perhaps a lot of the confusion comes from the dual uses of the term:
primary in search order (which is random)
primary source for zone data (which is fixed by an SOA)
To make matters more confusing there are more complex setups where the zone masters are also clients making them both primary and secondary.
I would state that somewhat differently. (And while, yes, violating my goal of not introducing tangents in threads seeking answers.)
I would say that confusion arises when terms are used interchangeably when they shouldn't be. This often happens when the meaning of the terms is understood based on context. The confusion can be worse when individuals with different subject matter knowledge are involved in the conversation.
Anyway, I feel it would be helpful to use terms in a more consistent and "proper" manner.
primary/secondary should be used when discussing name resolution. The "old school" way of thinking about this would be the order in which DNS servers are listed in /etc/resolv.conf. The first entry being primary with subsequent entries being secondary.
master/slave should be used when speaking of the data held in DNS servers. That would coincide with the terms used in, for example, the "zone type" declaration within the named.conf file of bind.
-- Remind me to ignore comments which aren't germane to the thread.
On 07/06/2021 21:49, Tim via users wrote:
On Sun, 2021-06-06 at 11:54 -0700, Jack Craig wrote:
something i dont get, if my registrar provides glue references for primary & secondary domain dns servers, what purpose is served by anything in my host's named.conf (et al) having any reference to my domain if it's not accessible/useful?
i had thought that i should provide the primary server and my hosting service provided secondary, but that leaves only the secondary so i have only 1 responding
The internet, at large, will always use your primary server. If it can't, it'll try your secondary server.
I'm not certain what you mean by the use of "primary" in that statement. But I don't think it is actually accurate in any event.
On 2 different systems that have been recently rebooted, haven't done a lookup on a given host, so they have no cached entry I get the following results.
System A
linuxlighthouse.com. 7200 IN A 208.91.197.27
;; Received 64 bytes from 162.159.27.77#53(ns22.worldnic.com) in 222 ms
System B
linuxlighthouse.com. 7200 IN A 208.91.197.27
;; Received 64 bytes from 162.159.26.132#53(ns21.worldnic.com) in 201 ms
And, actually, if you run the same dig multiple times on each system you'll get either one of the 2. (Not 100% sure what option in my dig command causes TTL to be ignored, probably +trace)
Tim:
The internet, at large, will always use your primary server. If it can't, it'll try your secondary server.
Ed Greshko:
I'm not certain what you mean by the use of "primary" in that statement. But I don't think it is actually accurate in any event.
It's probably an out-of-date concept, now. When I registered my domain, years ago, they referred to their name servers as primary and secondary.
Most services will have several DNS servers. They may consider one of theirs the best, since for some reason it's faster, or bigger, or runs on better hardware if they didn't build identical systems, or they configure their network to favour it. ISPs were like that. They'd tell you to use /this/ one preferentially.
Or, it could be that what they call their "primary" one is the one that you're allowed to enter your data into, and the other(s) will extract your data from their main one.
In any case, the message really is that you should have multiple DNS servers, ones that you don't have to run yourself.
It was always recommended that you have at least two. But you often see some major sites will have at least four name servers. Though I've seen a few comments that there's little point in having massive redundancy in answering DNS queries about you, but only one webserver hosting your site.
Tim:
Both of those servers are accessed by name, not numerical IP address, and those names have to be in some public DNS records, so people can find the IP addresses for them to connect to them.
Joe Zeff:
No. DNS servers are always accessed by IP address, never by name. Trying to access a DNS server by name would just create an endless loop of trying to resolve addresses as you can't get the server's address without using DNS to get the IP address.
That was the point I was making about glue records. I did say it was chicken and egg. But let's go through that with a real world example:
I want the numerical IP for google:
$ dig google.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30708
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 142.250.70.238
And I get told it's 142.250.70.238 (for me, right now). Further down in the results of that query we find out who was holding the data:
;; AUTHORITY SECTION:
google.com. 1176 IN NS ns3.google.com.
google.com. 1176 IN NS ns1.google.com.
google.com. 1176 IN NS ns2.google.com.
google.com. 1176 IN NS ns4.google.com.
Any one of four name servers, and ... they're identified by name. If we want to connect to them, we have to do something else to find out their IP. That info's provided in the next set of data from the same query:
;; ADDITIONAL SECTION:
ns2.google.com. 1176 IN A 216.239.34.10
ns1.google.com. 1176 IN A 216.239.32.10
ns3.google.com. 1176 IN A 216.239.36.10
ns4.google.com. 1176 IN A 216.239.38.10
;; Query time: 109 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 08 23:11:16 ACST 2021
;; MSG SIZE rcvd: 191
A bit surprisingly, it's four name servers in the same network. But with google being that big, they probably have enough capacity that they don't need to spread their records far and wide.
It's the same in BIND zone files, the first line of the record lists the start-of-authority, and it lists the name server by name. A bit further down there's a NS record, that lists the name server by name. Much further down in all the records for the zone there'll be the A record for the name server.
It was why the original poster couldn't answer any external queries some time last year, I think was when the thread started. The thing that identified their authoritative name server was itself, isolated from the rest of the world.
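Added example, not part of the original thread: a Python model of the referral-and-glue lookup discussed in the messages above. It shows a self-hosted nameserver failing without glue, resolving once the parent supplies glue, and resolving with no glue when the nameserver name lives in another zone. All addresses are constructed documentation values, ns.linuxlighthouse.com is the hypothetical nameserver name used in the thread, and the worldnic.com delegation data is invented for the illustration.

```python
class DelegationLoop(Exception):
    """A nameserver's address can only be learned by asking that nameserver."""


def zone_for(name, delegations):
    """Return the closest delegated zone that contains name."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in delegations:
            return candidate
    raise LookupError("no delegation covers " + name)


def resolve(name, delegations, auth_data, in_progress=()):
    """Follow the parent's referral for name and return its address.

    delegations: what the parent zone (.com) hands out, per delegated zone:
                 {"ns": [nameserver names], "glue": {nameserver name: address}}
    auth_data:   what each authoritative server answers, keyed by its address.
    """
    if name in in_progress:
        raise DelegationLoop(" -> ".join(in_progress + (name,)))
    referral = delegations[zone_for(name, delegations)]
    error = LookupError("no nameserver answered for " + name)
    for ns_name in referral["ns"]:
        ns_addr = referral["glue"].get(ns_name)
        if ns_addr is None:
            # No glue: the nameserver's own name must be resolved first.
            try:
                ns_addr = resolve(ns_name, delegations, auth_data,
                                  in_progress + (name,))
            except (DelegationLoop, LookupError) as exc:
                error = exc
                continue
        # Servers are always contacted by address, never by name.
        answer = auth_data.get(ns_addr, {}).get(name)
        if answer is not None:
            return answer
    raise error


# Constructed data; addresses come from the RFC 5737 documentation ranges.
SELF_HOSTED = {"192.0.2.53": {"linuxlighthouse.com": "192.0.2.80",
                              "ns.linuxlighthouse.com": "192.0.2.53"}}
NO_GLUE = {"linuxlighthouse.com": {"ns": ["ns.linuxlighthouse.com"], "glue": {}}}
WITH_GLUE = {"linuxlighthouse.com": {
    "ns": ["ns.linuxlighthouse.com"],
    "glue": {"ns.linuxlighthouse.com": "192.0.2.53"}}}
# Registrar-hosted: the NS name sits in another zone that has its own glue.
REGISTRAR = {
    "linuxlighthouse.com": {"ns": ["ns21.worldnic.com"], "glue": {}},
    "worldnic.com": {"ns": ["ns21.worldnic.com"],
                     "glue": {"ns21.worldnic.com": "198.51.100.21"}},
}
REGISTRAR_DATA = {"198.51.100.21": {"ns21.worldnic.com": "198.51.100.21",
                                    "linuxlighthouse.com": "192.0.2.80"}}


def outcome(delegations, auth_data, name="linuxlighthouse.com"):
    """Return the resolved address, or a description of the loop."""
    try:
        return resolve(name, delegations, auth_data)
    except DelegationLoop as loop:
        return "loop: " + str(loop)


if __name__ == "__main__":
    print("self-hosted, no glue :", outcome(NO_GLUE, SELF_HOSTED))
    print("self-hosted, glue    :", outcome(WITH_GLUE, SELF_HOSTED))
    print("registrar-hosted     :", outcome(REGISTRAR, REGISTRAR_DATA))
```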