Can a non-authoritative name server give any response it likes to?

Our domain registrar allows us to either make use of our own DNS servers or to use theirs (configuring DNS entries in their web interface); I suppose this is a common situation.

We have opted to set up our own DNS servers. Now, the registrar’s DNS servers (which are no longer authoritative) return a response containing, among other entries, an A record pointing to a “getting started” webpage for the web hosting service they offer. So in fact their DNS server returns incorrect information.

Example DNS lookups and answers

To hopefully make this easier to follow, assume:

  • I’ve registered example.com at MyRegistrar.com
  • I’ve set up ns1.mydomain.com as the (authoritative) name server for example.com
  • ns1.myregistrar.com is one of MyRegistrar.com’s name servers
  • I’m hosting the site for example.com on a server with address 1.2.3.4
  • A “getting started” landing page for MyRegistrar.com is served from 9.8.7.6

The expected, valid response for dig -t any example.com is then (abridged):

;; ANSWER SECTION:
example.com. 99999  IN  A   1.2.3.4.

;; AUTHORITY SECTION:
example.com. 9999   IN  NS  ns1.mydomain.com.

;; ADDITIONAL SECTION:
ns1.mydomain.com.   99999   IN  A   1.2.3.1.

However, when querying MyRegistrar.com using dig -t any @ns1.myregistrar.com example.com, I’m getting the following invalid response:

;; ANSWER SECTION:
example.com. 99999  IN  SOA ns1.myregistrar.com. 1 14400 3600 604800 3600
example.com. 9999   IN  A   9.8.7.6.
example.com. 99999  IN  NS  ns1.myregistrar.com.

;; ADDITIONAL SECTION:
ns1.myregistrar.com.    600 IN  A   9.8.7.1.

When querying specifically for MX records with dig -t mx @ns1.myregistrar.com example.com, I even get an authority section in the response (the answer section is empty as there are no MX records):

;; QUESTION SECTION:
;example.com.   IN  MX

;; AUTHORITY SECTION:
example.com. 3600   IN  SOA ns1.myregistrar.com. 1 14400 3600 604800 3600

Wrapping up…

This is of course no problem in practice, because normal DNS queries won’t be directed at ns1.myregistrar.com. But just as a matter of interest, is MyRegistrar.com’s name server operating in accordance with RFCs?

I’ve browsed documentation and RFCs for what information DNS servers are required / allowed to include in their responses (and in particular if they are allowed to completely deviate from the authoritative response), but haven’t been able to find anything relevant. Any pointers would be greatly appreciated.

Answer

Unless DNSSEC is implemented, there is no proof that any DNS response contains accurate data.

‘Authority’ is a combination of:

  • The server believing it has a full copy of the DNS zone (i.e. it is a master or slave for that zone, not just a recursive cache)
  • The parent DNS zone delegating authority for your DNS zone/domain to your servers (this is what your registrar’s web interface controls)
  • The zone itself containing an SOA record referring to that server
  • The zone containing NS entries for master and slaves that host a full copy of the zone

If the server believes it has authority, but the DNS infrastructure doesn’t have any record of that server for this zone, then nothing should query it – thus incorrect records don’t matter — so long as you don’t use any hosting within that provider which may be hard-configured to use their own DNS servers.
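
The four criteria listed in the answer, evaluated for one server at a time. This is an added example, not part of the original answer: the response texts are constructed from the question's placeholder names, the "aa" flag lines are assumed (the question does not show them), and the names parse, assess, ZONE and PARENT_NS are hypothetical.

```python
import re

ZONE = "example.com."
# Constructed: NS set the parent zone publishes for example.com (question's placeholder names).
PARENT_NS = {"ns1.mydomain.com."}

# Constructed dig-style responses; the "aa" flag lines are assumed, the page does not show them.
REGISTRAR = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
example.com. 99999 IN SOA ns1.myregistrar.com. 1 14400 3600 604800 3600
example.com. 9999 IN A 9.8.7.6
example.com. 99999 IN NS ns1.myregistrar.com.
"""
OWN = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
example.com. 99999 IN SOA ns1.mydomain.com. 1 14400 3600 604800 3600
example.com. 99999 IN A 1.2.3.4
example.com. 9999 IN NS ns1.mydomain.com.
"""

def parse(text):
    """Return (header flags, [(owner, type, rdata fields)]) from dig-style text."""
    flags, records = set(), []
    for line in text.splitlines():
        m = re.match(r";; flags:([^;]*);", line)
        if m:
            flags = set(m.group(1).split())
        elif line.strip() and not line.startswith(";"):
            owner, _ttl, _cls, rtype, *rdata = line.split()
            records.append((owner.lower(), rtype.upper(), [f.lower() for f in rdata]))
    return flags, records

def assess(server, response, zone=ZONE, parent_ns=PARENT_NS):
    """Evaluate the answer's four authority criteria for one server."""
    flags, records = parse(response)
    first = lambda t: {rd[0] for o, ty, rd in records if o == zone and ty == t}
    checks = {
        "server_claims_zone": "aa" in flags,       # server believes it holds the zone
        "parent_delegates": server in parent_ns,   # what the registrar interface controls
        "soa_names_server": server in first("SOA"),
        "zone_ns_lists_server": server in first("NS"),
    }
    if all(checks.values()):
        verdict = "delegated authority"
    elif checks["server_claims_zone"] and not checks["parent_delegates"]:
        verdict = "self-claimed only: resolvers following the delegation never query it"
    elif checks["parent_delegates"] and not checks["server_claims_zone"]:
        verdict = "lame delegation"
    else:
        verdict = "not authoritative"
    return verdict, checks
```

The third verdict covers the reverse mismatch: the parent delegates to a server that does not answer authoritatively for the zone.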

Attribution
Source: Link, Question Author: Oliphaunt, Answer Author: CGretski
