Problem NS Record with PHP DNS API

Support forum for the PHP DNS Query API
alex
Posts: 2
Joined: Wed Apr 13, 2011 3:59 pm

Problem NS Record with PHP DNS API

Post by alex » Wed Apr 13, 2011 4:19 pm

Hi,

Sorry for my bad English, because I'm French and you know that French people don't like to speak other languages. :D

I downloaded and tested this API. When the server parameter is "localhost" or a name server of any domain it works well.

I want to send an NS query to a root DNS server to get the TLD DNS, but when I set the server parameter to "m.root-servers.net" (or any root DNS server) it returns 0 answers. With a TLD DNS server (like "l.gtld-servers.net") it doesn't work either.

I can see name servers in debug mode:

"DNSQuery Class Initialised
Querying: google.com -t NS @m.root-servers.net
Question: google.com (type=NS/2)
Header Length: 28 Bytes
Read Buffer Size 488
Query Returned 0 Answers
Found 1 Questions
Label Offset: 19
Label com len 2
Record Type 2 Class 1 TTL 172800 Length 20
Label l.gtld-servers.net len 20
[.........] Length 4
Label Offset: 200
Label Offset: 42
Label j.gtld-servers.net len 2
Record Type 1 Class 1 TTL 172800 Length 4
Label Offset: 232
Label Offset: 42
Label k.gtld-servers.net len 2
Record Type 1 Class 1 TTL 172800 Length 4
Label Offset: 40
Label l.gtld-servers.net len 2
Record Type 1 Class 1 TTL 172800 Length 4
Label Offset: 120
Label Offset: 42
Label m.gtld-servers.net len 2
Record Type 1 Class 1 TTL 172800 Length 4
Label Offset: 216
Label Offset: 42
Label a.gtld-servers.net len 2
Record Type 28 Class 1 TTL 172800 Length 16
Returned 0 Answers"

So I think readrecord() doesn't work correctly, but I don't know where the problem is.

Can you help me please? :oops: :oops:

Thank you ;)

dave
Site Admin
Posts: 260
Joined: Fri May 30, 2008 9:09 pm
Location: UK

Re: Problem NS Record with PHP DNS API

Post by dave » Wed Apr 13, 2011 6:20 pm

Hi,

Your English is a million times better than my French so please don't worry!

The lack of an answer from the root servers is correct. The root servers will rarely ever actually hold the NS records for a domain; they will point you to the relevant authority for that TLD and you will then need to look the NS up from there.

This is called recursive resolution - recursive because it keeps going down the DNS tree until it finds an answer. Your localhost DNS server will do this for you which is why you get an answer from it.

When you ask the root servers for the NS records for purplepixie.org they will return a blank answer section but they will return the next nameservers to try in the AUTHORITY section (probably also with the A records for these nameservers in the ADDITIONAL section).

You can see this using a tool such as dig; for example, dig -t ns purplepixie.org @i.root-servers.net gives the following:

; <<>> DiG 9.3.3rc2 <<>> -t ns purplepixie.org @i.root-servers.net
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58595
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 12

;; QUESTION SECTION:
;purplepixie.org. IN NS

;; AUTHORITY SECTION:
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.

;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800 IN A 199.19.56.1
a0.org.afilias-nst.info. 172800 IN AAAA 2001:500:e::1
a2.org.afilias-nst.info. 172800 IN A 199.249.112.1
a2.org.afilias-nst.info. 172800 IN AAAA 2001:500:40::1
b0.org.afilias-nst.org. 172800 IN A 199.19.54.1
b0.org.afilias-nst.org. 172800 IN AAAA 2001:500:c::1
b2.org.afilias-nst.org. 172800 IN A 199.249.120.1
b2.org.afilias-nst.org. 172800 IN AAAA 2001:500:48::1
c0.org.afilias-nst.info. 172800 IN A 199.19.53.1
c0.org.afilias-nst.info. 172800 IN AAAA 2001:500:b::1
d0.org.afilias-nst.org. 172800 IN A 199.19.57.1
d0.org.afilias-nst.org. 172800 IN AAAA 2001:500:f::1

;; Query time: 387 msec
;; SERVER: 192.36.148.17#53(192.36.148.17)
;; WHEN: Wed Apr 13 18:07:11 2011
;; MSG SIZE rcvd: 435

So this is saying they do not have the answer but the AUTHORITY section contains servers to try the next step.

If we then do a dig -t ns purplepixie.org @a2.org.afilias-nst.info we do get the answer but once again in the AUTHORITY section (this is because the server is not authoritative for the domain; we should in theory then do another step of asking the domain's own nameserver):

; <<>> DiG 9.3.3rc2 <<>> -t ns purplepixie.org @a2.org.afilias-nst.info
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46119
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;purplepixie.org. IN NS

;; AUTHORITY SECTION:
purplepixie.org. 86400 IN NS dns0.verrotech.com.
purplepixie.org. 86400 IN NS dns1.verrotech.com.

;; Query time: 241 msec
;; SERVER: 199.249.112.1#53(199.249.112.1)
;; WHEN: Wed Apr 13 18:09:24 2011
;; MSG SIZE rcvd: 84

If we then repeat once more and do a dig -t ns purplepixie.org @dns0.verrotech.com we do this time get a response in the answer section:

; <<>> DiG 9.3.3rc2 <<>> -t ns purplepixie.org @dns0.verrotech.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21648
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;purplepixie.org. IN NS

;; ANSWER SECTION:
purplepixie.org. 43200 IN NS dns1.verrotech.com.
purplepixie.org. 43200 IN NS dns0.verrotech.com.

;; ADDITIONAL SECTION:
dns0.verrotech.com. 43200 IN A 77.240.11.186
dns1.verrotech.com. 43200 IN A 77.240.11.187

;; Query time: 318 msec
;; SERVER: 77.240.11.186#53(77.240.11.186)
;; WHEN: Wed Apr 13 18:17:27 2011
;; MSG SIZE rcvd: 116

In simple terms we need to think what question we are asking. In this case it is "what are the nameservers for purplepixie.org".

The root servers will not know this hence return no answer but they will offer us the authoritative nameservers for .org in the AUTHORITY section of their response.

When we then ask the same question of these servers we get another AUTHORITY answer and then when we ask the actual DNS servers for the domain we get a response in the ANSWER section.

It just happens that a month or so back I was doing some work testing recursive DNS to try and resolve a problem with a domain and so wrote a script that does a fully-recursive lookup (for A records but can be modified) using PHPDNS.

If you would like to have a look I have uploaded it to www.purplepixie.org/davestuff/dns/dnsrr.zip.

When I run this to find the address of http://www.purplepixie.org (using php dnsrr.php http://www.purplepixie.org) the output is:

Resolving http://www.purplepixie.org
i.root-servers.net (192.36.148.17): Response with nameservers
. a0.org.afilias-nst.info (199.19.56.1): Response with nameservers
.. dns0.verrotech.com (77.240.11.186): Result: 77.240.11.188

Which shows the recursive resolution cycle with the extra step where it then asks the purplepixie.org nameserver for the address of http://www.purplepixie.org.

In your debug output you can see the GTLD servers which are responsible for .com which is correct. They can then be asked for the NS servers for google.com and should give an answer.

I hope that explains the situation clearly and I apologise for the length of my reply.

Please let me know if I can provide any further help.

Cheers,

Dave.
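
The referral handling described in the reply above, as an added example that is not part of the original posts, not the dnsrr.php script and not PHPDNS code: a stand-alone PHP parser that reports ANCOUNT and reads the NS records from the AUTHORITY section of a response. The function names and the hand-built packet are assumptions constructed for illustration; compression pointers are hop-limited so a malformed response cannot loop the parser.

```php
<?php
// Added example, not PHPDNS code; function names are hypothetical.
// Decode a (possibly compressed) name at $off; returns [name, offset after it].
function read_name(string $msg, int $off): array {
    $labels = []; $next = null; $hops = 0;
    while (true) {
        if ($off >= strlen($msg)) throw new RuntimeException('truncated name');
        $len = ord($msg[$off]);
        if ($len === 0) { $off++; break; }
        if (($len & 0xC0) === 0xC0) {                 // compression pointer
            if ($off + 1 >= strlen($msg) || ++$hops > 16) throw new RuntimeException('bad pointer');
            $next ??= $off + 2;                       // resume after the first pointer
            $off = (($len & 0x3F) << 8) | ord($msg[$off + 1]);
            continue;
        }
        if ($len > 63) throw new RuntimeException('bad label length');
        $labels[] = substr($msg, $off + 1, $len);
        $off += 1 + $len;
    }
    return [implode('.', $labels) . '.', $next ?? $off];
}

// Report ANCOUNT and the NS targets found in the AUTHORITY section.
function referral_nameservers(string $msg): array {
    if (strlen($msg) < 12) throw new RuntimeException('short header');
    $h = unpack('nid/nflags/nqd/nan/nns/nar', $msg); $off = 12;
    for ($i = 0; $i < $h['qd']; $i++) {               // skip the question section
        [, $off] = read_name($msg, $off);
        $off += 4;                                    // QTYPE + QCLASS
    }
    $ns = [];
    for ($i = 0; $i < $h['an'] + $h['ns']; $i++) {    // answers come first, then authority
        [$owner, $off] = read_name($msg, $off);
        if ($off + 10 > strlen($msg)) throw new RuntimeException('truncated record');
        $rr = unpack('ntype/nclass/Nttl/nlen', $msg, $off);
        $off += 10;
        if ($i >= $h['an'] && $rr['type'] === 2)      // NS record inside AUTHORITY
            $ns[] = ['zone' => $owner, 'ns' => read_name($msg, $off)[0]];
        $off += $rr['len'];
    }
    return ['answers' => $h['an'], 'referral' => $ns];
}
// Constructed referral for "purplepixie.org NS": ANCOUNT=0, NSCOUNT=2.
$q   = "\x0bpurplepixie\x03org\x00" . pack('nn', 2, 1);  // "org" label at offset 24
$rd1 = "\x02a2\x03org\x0bafilias-nst\x04info\x00";        // its "org" label at offset 48
$rd2 = "\x02a0\xC0\x30";                                  // "a0" + pointer to offset 48
$msg = pack('n6', 0x1234, 0x8000, 1, 0, 2, 0) . $q
     . "\xC0\x18" . pack('nnNn', 2, 1, 172800, strlen($rd1)) . $rd1
     . "\xC0\x18" . pack('nnNn', 2, 1, 172800, strlen($rd2)) . $rd2;
print_r(referral_nameservers($msg));
```

A resolver loop built on this would send the same question to one of the returned nameservers whenever `answers` is 0 and `referral` is non-empty.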

alex
Posts: 2
Joined: Wed Apr 13, 2011 3:59 pm

Re: Problem NS Record with PHP DNS API

Post by alex » Thu Apr 14, 2011 11:24 am

Thank you for your answer. ;)

In fact that is exactly what I want my script to do. I want to make a dig command in PHP but I didn't watch the authority section to get nameservers.

Thank you for your script because it helps me very much.
