
2560 - Tracing DNS Delegation with Dig

Scenario

In this lab, you will trace DNS delegation for the domain name shopping.ddi.ninja using the dig +trace command. You will observe the delegation path and interpret the responses returned by each name server along the way.

Estimated Completion Time

  • 15 to 20 minutes

Requirements

  • Access to the online tool Dig Web Interface or a system with the dig command-line tool installed and internet access

Course References

  • 1306: How does DNS Lookup Work?

Tasks

We suggest using the Dig Web Interface for this lab, as the Dig tool may not be installed on all machines. If you already have Dig installed on your system, you may use Command Prompt or Terminal to complete this lab.

Task 1: Perform a DNS Trace

Use the Dig Web Interface to trace the DNS delegation for shopping.ddi.ninja.

Task 2: Interpretation of DNS Delegation Output

Interpret the DNS delegation output to understand how DNS queries are processed at various levels, from root servers to authoritative name servers.


Solutions

Task 1 Solution: Perform a DNS Trace

You can trace DNS delegation using one of the following methods:

Using Dig Web Interface:

  1. Access Dig Web Interface using a web browser.

  2. Enter shopping.ddi.ninja in the "Hostnames or IP addresses" field.

  3. Select A in the "Type" dropdown.

  4. Under the "Nameservers" field, select the Resolver option. From the dropdown, select Default to use the default resolver.

  5. Enable the Colorize output, Stats, and Trace options.

  6. Click Dig.


Using Terminal (Linux and macOS):

  1. Open the terminal on your system.

    • Linux: Press Ctrl + Alt + T to open the terminal.

    • macOS: Press Command + Space, type Terminal, and press Enter.

  2. Run the following command: dig shopping.ddi.ninja. A +trace +multi +nocrypto

Using Command Prompt (Windows):

  1. Open the Command Prompt by pressing Win + R, typing cmd, and pressing Enter.

  2. If you have dig installed, run the following command: dig shopping.ddi.ninja. A +trace +multi +nocrypto

When dig is run from the command line, this command outputs the trace, showing each step in the DNS delegation process. Below is an example of the trace output:

CODE
% dig shopping.ddi.ninja. A +trace +multi +nocrypto 

; <<>> DiG 9.10.6 <<>> shopping.ddi.ninja. A +trace +multi +nocrypto
;; global options: +cmd
.			3091 IN	NS e.root-servers.net.
.			3091 IN	NS f.root-servers.net.
.			3091 IN	NS g.root-servers.net.
.			3091 IN	NS h.root-servers.net.
.			3091 IN	NS i.root-servers.net.
.			3091 IN	NS j.root-servers.net.
.			3091 IN	NS k.root-servers.net.
.			3091 IN	NS l.root-servers.net.
.			3091 IN	NS m.root-servers.net.
.			3091 IN	NS a.root-servers.net.
.			3091 IN	NS b.root-servers.net.
.			3091 IN	NS c.root-servers.net.
.			3091 IN	NS d.root-servers.net.
.			3091 IN	RRSIG NS 8 0 518400 (
				20240818170000 20240805160000 20038 .
				[omitted] )
;; Received 717 bytes from 127.0.0.2#53(127.0.0.2) in 44 ms

ninja.			172800 IN NS v0n0.nic.ninja.
ninja.			172800 IN NS v0n1.nic.ninja.
ninja.			172800 IN NS v0n2.nic.ninja.
ninja.			172800 IN NS v0n3.nic.ninja.
ninja.			172800 IN NS v2n0.nic.ninja.
ninja.			172800 IN NS v2n1.nic.ninja.
ninja.			86400 IN DS 46082 8 2 (
				[omitted] )
ninja.			86400 IN RRSIG DS 8 1 86400 (
				20240819050000 20240806040000 20038 .
				[omitted] )
;; Received 764 bytes from 170.247.170.2#53(b.root-servers.net) in 28 ms

ddi.ninja.		3600 IN	NS kochab.techblue.io.
ddi.ninja.		3600 IN	NS mimosa.techblue.io.
ddi.ninja.		3600 IN	NS pollux.techblue.io.
ddi.ninja.		3600 IN	NS castor.techblue.io.
5tp114rg535tp80r8qpe7mhes2orqd7s.ninja.	3600 IN	NSEC3 1 1 0 73 (
				5TSFHCSCD4S5N3HFOFDMSUD5GS59NHTE
				NS SOA RRSIG DNSKEY NSEC3PARAM )
5tp114rg535tp80r8qpe7mhes2orqd7s.ninja.	3600 IN	RRSIG NSEC3 8 2 3600 (
				20240827135656 20240806125656 58014 ninja.
				[omitted] )
ln2ucok3mhagn588s087hp4s54ja1n9l.ninja.	3600 IN	NSEC3 1 1 0 73 (
				LNT48S8A1QIEHT5F5UL76MJ6N5KPH6FL
				NS DS RRSIG )
ln2ucok3mhagn588s087hp4s54ja1n9l.ninja.	3600 IN	RRSIG NSEC3 8 2 3600 (
				20240822154146 20240801144146 58014 ninja.
				[omitted] )
;; Received 633 bytes from 65.22.21.4#53(v0n1.nic.ninja) in 35 ms

shopping.ddi.ninja.	3600 IN	A 172.31.53.28
shopping.ddi.ninja.	3600 IN	A 172.31.53.30
shopping.ddi.ninja.	3600 IN	A 172.31.53.31
;; Received 95 bytes from 45.120.106.133#53(mimosa.techblue.io) in 255 ms

When using the Dig Web Interface, the tool directs the query by default to one of the Quad9 DNS servers (9.9.9.9 or 9.9.9.10), from which the root server list is retrieved.

CODE
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16.tuxcare.els1 <<>> +additional +trace shopping.ddi.ninja. @9.9.9.10
;; global options: +cmd
.			1597	IN	NS	g.root-servers.net.
.			1597	IN	NS	i.root-servers.net.
.			1597	IN	NS	e.root-servers.net.
.			1597	IN	NS	f.root-servers.net.
.			1597	IN	NS	l.root-servers.net.
.			1597	IN	NS	m.root-servers.net.
.			1597	IN	NS	h.root-servers.net.
.			1597	IN	NS	j.root-servers.net.
.			1597	IN	NS	d.root-servers.net.
.			1597	IN	NS	a.root-servers.net.
.			1597	IN	NS	c.root-servers.net.
.			1597	IN	NS	b.root-servers.net.
.			1597	IN	NS	k.root-servers.net.
.			1597	IN	RRSIG	NS 8 0 518400 20240907170000 20240825160000 20038 . yYmN/Amos7GAQxGjiZGDwoAOcNOVPVGgBRqFwkwDKxxM/gjQJHYUBOOi s/cZcfb2CbBtjkYZq4YMGcUADWuA7TLGzHignWtIS6rm3dSK26VxRzou 0Uc9zlLM4GNLtFx6B0kOU/mbvM5T0rx3Hmu1b0eatQllVJj61835yAES 50/nirbe7mbCGUTPTP0mSxO0GdJ7Kxr70l7rsVHbP9RXjjmYxdWtACz2 E0g58GDspRLmfOf43st9sMEv1p/lFJt3X39tgFBjY9HvHUgIvz1jOcmR RLuh7l48V+0qkJyNZ9mBRZuzVMHTlkh8v249Vq/wg/mzbHjE9LsmcUYp SCxDRQ==
;; Received 525 bytes from 9.9.9.10#53(9.9.9.10) in 1 ms

ninja.			172800	IN	NS	v0n0.nic.ninja.
ninja.			172800	IN	NS	v0n1.nic.ninja.
ninja.			172800	IN	NS	v0n2.nic.ninja.
ninja.			172800	IN	NS	v0n3.nic.ninja.
ninja.			172800	IN	NS	v2n0.nic.ninja.
ninja.			172800	IN	NS	v2n1.nic.ninja.
ninja.			86400	IN	DS	46082 8 2 C8F816A7A575BDB2F997F682AAB2653BA2CB5EDDB69B036A30742A33 BEFAF141
ninja.			86400	IN	RRSIG	DS 8 1 86400 20240908050000 20240826040000 20038 . CrBaN5Pqrl0z1PAaUjvr2oX0LPY68FOZP//UFivHXzALcAZdovbtbf0j 6CwdAoskp0/WdEw2tdQujFgtFlui18fjzkAjkGmPmlzQi2plRagE9S7I +p+5rr0q2pOHzkmVVBY7PWQXEtZ54kQrubFQ6yeZrY/QnWIX1RJb91ck b2kEqaN7Fb7LGJszpEVvtohnD5YNcwCT9XvalwW+qji3seiUvDU0QAYG 9pmnCExd5u9klAYVAiKDFozRAKPfA5e0yN/JkCGxORFnMAexsOOW7zC9 ymG2lHws9SwOwcpgv/txTThBV0F7IOo6o0uvrWaUGWW6LZoFT7ImUbwt ZSBYwg==
;; Received 764 bytes from 199.7.91.13#53(d.root-servers.net) in 1 ms

ddi.ninja.		3600	IN	NS	mimosa.techblue.io.
ddi.ninja.		3600	IN	NS	pollux.techblue.io.
ddi.ninja.		3600	IN	NS	kochab.techblue.io.
ddi.ninja.		3600	IN	NS	castor.techblue.io.
5tp114rg535tp80r8qpe7mhes2orqd7s.ninja.	3600 IN	NSEC3 1 1 0 73 5TSFHCSCD4S5N3HFOFDMSUD5GS59NHTE NS SOA RRSIG DNSKEY NSEC3PARAM
5tp114rg535tp80r8qpe7mhes2orqd7s.ninja.	3600 IN	RRSIG NSEC3 8 2 3600 20240916154738 20240826144738 58014 ninja. W1wCSf0TIZmT93loZvqTb7o2EjA4nMiNb8bqbek+pX3dvsQd4Svr8Jsc 3MsR7l6DXQV63axe9Uq2sFN1gnr/QNOiFGgJZtGnSltJ4UgDyE0qfhlO dAjQebx3iOIoh+KB1NV7qO/1wxwrA+t6RYTLuT7RBRKtdUvwR3FG0ARc 01E=
ln2ucok3mhagn588s087hp4s54ja1n9l.ninja.	3600 IN	NSEC3 1 1 0 73 LNT48S8A1QIEHT5F5UL76MJ6N5KPH6FL NS DS RRSIG
ln2ucok3mhagn588s087hp4s54ja1n9l.ninja.	3600 IN	RRSIG NSEC3 8 2 3600 20240915155245 20240825145245 58014 ninja. Y882Ga9Mgo+7trFqS+bNE3j6eZ1y/Z4jpJHsDG/9OTHBIJur9tT9J9bA oH4qSl77o1+utf7rT7Cjb+wTH4j83TzN86qedhut+8qJPY0BkePtRTVz E8KNyoR53f5UmIAggo2vTDIu3A4uXP8JL/jP898j1M2B427iAA9BSQAN JOw=
;; Received 633 bytes from 65.22.21.4#53(v0n1.nic.ninja) in 253 ms

shopping.ddi.ninja.	3600	IN	A	172.31.53.31
shopping.ddi.ninja.	3600	IN	A	172.31.53.28
shopping.ddi.ninja.	3600	IN	A	172.31.53.30
;; Received 95 bytes from 45.120.106.133#53(mimosa.techblue.io) in 230 ms


Task 2 Solution: Interpreting the DNS Delegation Output

When performing the dig +trace query, the DNS query is sent to multiple servers in sequence as the resolver traces the path of delegation from the root to the authoritative name servers for the requested domain. Let's break down the output and explain each section:

Section A: Root Servers

CODE
.			3091 IN	NS e.root-servers.net.
.			3091 IN	NS f.root-servers.net.
.			3091 IN	NS g.root-servers.net.
.			3091 IN	NS h.root-servers.net.
.			3091 IN	NS i.root-servers.net.
.			3091 IN	NS j.root-servers.net.
.			3091 IN	NS k.root-servers.net.
.			3091 IN	NS l.root-servers.net.
.			3091 IN	NS m.root-servers.net.
.			3091 IN	NS a.root-servers.net.
.			3091 IN	NS b.root-servers.net.
.			3091 IN	NS c.root-servers.net.
.			3091 IN	NS d.root-servers.net.
...
;; Received 717 bytes from 127.0.0.2#53(127.0.0.2) in 44 ms

The query starts by contacting the root DNS servers. In this case, the root server list is retrieved from the localhost’s root hints file. The response lists 13 NS records, each representing a root name server (for example, a.root-servers.net, b.root-servers.net, and m.root-servers.net).

Section B: TLD (ninja.) Servers

CODE
ninja.			172800 IN NS v0n0.nic.ninja.
ninja.			172800 IN NS v0n1.nic.ninja.
ninja.			172800 IN NS v0n2.nic.ninja.
ninja.			172800 IN NS v0n3.nic.ninja.
ninja.			172800 IN NS v2n0.nic.ninja.
ninja.			172800 IN NS v2n1.nic.ninja.
...
;; Received 764 bytes from 170.247.170.2#53(b.root-servers.net) in 28 ms

Now the trace continues by querying one of the root name servers from the list (in this case, b.root-servers.net). The root server returns a referral to the authoritative name servers for the ninja. TLD. The response contains NS records for authoritative servers (for example, v0n2.nic.ninja and v0n0.nic.ninja), which are responsible for handling domains under the ninja. top-level domain (TLD).

Section C: Second-Level Domain (ddi.ninja.) Servers

CODE
ddi.ninja.		3600 IN	NS kochab.techblue.io.
ddi.ninja.		3600 IN	NS mimosa.techblue.io.
ddi.ninja.		3600 IN	NS pollux.techblue.io.
ddi.ninja.		3600 IN	NS castor.techblue.io.
...
;; Received 633 bytes from 65.22.21.4#53(v0n1.nic.ninja) in 35 ms

The trace now queries one of the authoritative name servers for the ninja. TLD (in this case, v0n1.nic.ninja). This name server returns another referral, this time providing the authoritative name servers for the second-level domain ddi.ninja. The listed NS records (for example, pollux.techblue.io and mimosa.techblue.io) are authoritative for all DNS queries for the ddi.ninja. domain.

Section D: Final Resolution for shopping.ddi.ninja.

CODE
shopping.ddi.ninja.	3600 IN	A 172.31.53.28
shopping.ddi.ninja.	3600 IN	A 172.31.53.30
shopping.ddi.ninja.	3600 IN	A 172.31.53.31
;; Received 95 bytes from 45.120.106.133#53(mimosa.techblue.io) in 255 ms

The final iterative query is sent to one of the authoritative name servers for the ddi.ninja domain, specifically mimosa.techblue.io. The server responds with the A records for shopping.ddi.ninja., returning the corresponding IP addresses (172.31.53.31, 172.31.53.28, and 172.31.53.30). This response is an authoritative answer, meaning this server holds the final resolution for the domain query, and no further referrals are needed.
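The interpretation in Sections A to D can be automated. The script below is an added example, not part of the lab: it splits dig +trace output into hops and checks that each hop was answered by a server named in the previous referral and that each referred zone encloses the query name. It goes slightly beyond the walkthrough by also recording whether a referral carried a DS record. The names parse_trace, check_chain and SAMPLE are hypothetical, and SAMPLE is constructed from the lab's trace with most records trimmed.

```python
import re

RR = re.compile(r"^(\S+)[ \t]+\d+[ \t]+IN[ \t]+(NS|DS|A|AAAA)[ \t]+(\S+)", re.M)
RECEIVED = re.compile(r"^;; Received \d+ bytes from \S+#\d+\((\S+)\).*$", re.M)

def norm(name):
    return name.rstrip(".").lower()

def parse_trace(text):
    """One dict per ';; Received' line: responder, zone, NS set, DS seen, answers."""
    parts = RECEIVED.split(text)  # [records, responder, records, responder, ..., tail]
    hops = []
    for records, server in zip(parts[0::2], parts[1::2]):
        rrs = RR.findall(records)
        hops.append({
            "server": norm(server),
            "zone": next((norm(o) for o, t, _ in rrs if t == "NS"), None),
            "ns": {norm(d) for _, t, d in rrs if t == "NS"},
            "ds": any(t == "DS" for _, t, _ in rrs),
            "answers": [d for _, t, d in rrs if t in ("A", "AAAA")],
        })
    return hops

def check_chain(hops, qname):
    """Return problems where a hop leaves the path root -> TLD -> zone -> answer."""
    problems, q = [], norm(qname)
    for prev, hop in zip(hops, hops[1:]):
        if hop["server"] not in prev["ns"]:
            problems.append(f"{hop['server']} is not in the NS set for '{prev['zone']}.'")
        if hop["zone"] is not None and not ("." + q).endswith("." + hop["zone"]):
            problems.append(f"referral for '{hop['zone']}.' does not enclose {q}")
    return problems

# Constructed sample: the lab's trace with most NS records and all RRSIG/NSEC3 removed.
SAMPLE = """\
. 3091 IN NS a.root-servers.net.
. 3091 IN NS b.root-servers.net.
;; Received 717 bytes from 127.0.0.2#53(127.0.0.2) in 44 ms
ninja. 172800 IN NS v0n0.nic.ninja.
ninja. 172800 IN NS v0n1.nic.ninja.
ninja. 86400 IN DS 46082 8 2 ( [omitted] )
;; Received 764 bytes from 170.247.170.2#53(b.root-servers.net) in 28 ms
ddi.ninja. 3600 IN NS mimosa.techblue.io.
ddi.ninja. 3600 IN NS pollux.techblue.io.
;; Received 633 bytes from 65.22.21.4#53(v0n1.nic.ninja) in 35 ms
shopping.ddi.ninja. 3600 IN A 172.31.53.28
shopping.ddi.ninja. 3600 IN A 172.31.53.30
;; Received 95 bytes from 45.120.106.133#53(mimosa.techblue.io) in 255 ms
"""
```

The first hop is not checked against an NS set because it is answered by the local resolver. On the sample, the ninja. referral is recorded with a DS record and the ddi.ninja. referral without one, matching the lab's trace.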

Subscribers can access advanced labs like 3521 and 3531 to deepen their understanding of DNS troubleshooting. These labs provide hands-on experience with real-world DNS issues, such as diagnosing delegation failures and addressing server response errors. Students can work on problems like misconfigured DNS records, unreachable name servers, and other common DNS errors.
