dig +trace to find all the forwarders?
Kevin Darcy
kcd at chrysler.com
Mon Apr 26 20:13:50 UTC 2010
On 4/25/2010 12:01 AM, Josh Kuo wrote:
>
> You need administrative access to see the overrides to the normal
> resolution process.
>
> Just so I understand this completely, by administrative access you
> mean I need to be able to log in to each of the resolvers (not
> administrative access on my local workstation to do a 'sudo dig
> example.net a +trace'), correct?

+trace only shows the workings of the standard iterative-resolution
algorithm, as if your local resolver, starting with only hardcoded
information about the root zone, were doing all of the work necessary to
obtain the requested information using *non-recursive* queries to trace
the delegation chain(s).

However, if you send *recursive* queries, essentially giving some other
resolver _carte_blanche_ to resolve the name any way it feels fit, then
+trace isn't going to tell you diddly about whatever
algorithm/configuration the other resolver might be using to get the
information for you. It's basically a "black box" as far as you're
concerned -- queries in, responses out. You don't know how or where it
got the information.
>
> A follow up question to that... is it even possible to perform such a
> trace (revealing all resolvers) with the DNS protocol? Or is this
> purely a designed limitation of dig?
>
Feel free to propose an equivalent layer to the DNS protocol as ICMP is
to IP/TCP/UDP and get all of the DNS implementations out there to
support the new protocol extension.

Then it might be possible to write a program analogous to "traceroute"
for DNS.
- Kevin
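
The distinction drawn in the reply above, as an added example that is not part of the original post: it builds the non-recursive query that `+trace` sends (RD bit clear) next to an ordinary recursive one, and classifies response headers to show that a referral exposes the next hop while a recursive answer does not. The function names `build_query` and `classify` and the sample response headers are constructed for illustration.

```python
import struct

QR = 0x8000  # message is a response
AA = 0x0400  # Authoritative Answer
RD = 0x0100  # Recursion Desired (set by the client)
RA = 0x0080  # Recursion Available (set by the server)

def build_query(name, qtype=1, recursive=True, qid=0x1234):
    """Wire-format DNS query. recursive=False is the kind dig +trace sends."""
    flags = RD if recursive else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify(msg):
    """Report what the 12-byte header reveals about how a name was resolved."""
    _, flags, _, ancount, nscount, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & QR:
        return "query, RD=%d" % bool(flags & RD)
    if ancount == 0 and nscount > 0 and not flags & AA:
        # Delegation: the NS records name the servers to ask next, so each
        # step of the chain is visible to the client doing the iteration.
        return "referral"
    if ancount > 0 and flags & AA:
        return "authoritative answer"
    if ancount > 0 and flags & RA:
        # The resolver did the work itself; forwarders, caches and local
        # overrides it used are not represented anywhere in the message.
        return "recursive answer (path hidden)"
    return "other"

# Constructed sample headers (id, flags, qdcount, ancount, nscount, arcount).
REFERRAL = struct.pack("!HHHHHH", 0x1234, QR, 1, 0, 13, 14)
AUTHORITATIVE = struct.pack("!HHHHHH", 0x1234, QR | AA, 1, 1, 2, 0)
RECURSIVE = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)

if __name__ == "__main__":
    for label, msg in [("+trace query", build_query("example.net", recursive=False)),
                       ("default query", build_query("example.net")),
                       ("from a parent zone", REFERRAL),
                       ("from the zone's server", AUTHORITATIVE),
                       ("from a recursive resolver", RECURSIVE)]:
        print("%-26s %s" % (label, classify(msg)))
```
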