-1

Our domain registrar allows us to either make use of our own DNS servers or to use theirs (configuring DNS entries in their web interface); I suppose this is a common situation.

We have opted to set up our own DNS servers. Now, the registrar's DNS servers (which are no longer authoritative) return a response containing, among other entries, an A record pointing to a "getting started" webpage for the web hosting service they offer. So in fact their DNS server returns incorrect information.

Example DNS lookups and answers

To hopefully make this easier to follow, assume:

  • I've registered example.com at MyRegistrar.com
  • I've set up ns1.mydomain.com as the (authoritative) name server for example.com
  • ns1.myregistrar.com is one of MyRegistrar.com's name servers
  • I'm hosting the site for example.com on a server with address 1.2.3.4
  • A "getting started" landing page for MyRegistrar.com is served from 9.8.7.6

The expected, valid response for dig -t any example.com is then (abridged):

;; ANSWER SECTION:
example.com. 99999  IN  A   1.2.3.4.

;; AUTHORITY SECTION:
example.com. 9999   IN  NS  ns1.mydomain.com.

;; ADDITIONAL SECTION:
ns1.mydomain.com.   99999   IN  A   1.2.3.1.

However, when querying MyRegistrar.com using dig -t any @ns1.myregistrar.com example.com, I'm getting the following invalid response:

;; ANSWER SECTION:
example.com. 99999  IN  SOA ns1.myregistrar.com. 1 14400 3600 604800 3600
example.com. 9999   IN  A   9.8.7.6.
example.com. 99999  IN  NS  ns1.myregistrar.com.

;; ADDITIONAL SECTION:
ns1.myregistrar.com.    600 IN  A   9.8.7.1.

When querying specifically for MX records with dig -t mx @ns1.myregistrar.com example.com, I even get an authority section in the response (the answer section is empty as there are no MX records):

;; QUESTION SECTION:
;example.com.   IN  MX

;; AUTHORITY SECTION:
example.com. 3600   IN  SOA ns1.myregistrar.com. 1 14400 3600 604800 3600

Wrapping up...

This is of course no problem in practice, because normal DNS queries won't be directed at ns1.myregistrar.com. But just as a matter of interest, is MyRegistrar.com's name server operating in accordance with RFCs?

I've browsed documentation and RFCs for what information DNS servers are required / allowed to include in their responses (and in particular if they are allowed to completely deviate from the authoritative response), but haven't been able to find anything relevant. Any pointers would be greatly appreciated.

Oliphaunt
  • 119
  • 4
  • 2
    'Authoritative' means that the DNS server has been configured with a zone containing records for a domain. It doesn't necessarily mean that the DNS server is the _correct_ one. – Michael Hampton Jan 03 '18 at 16:22

1 Answers1

1

Unless DNSSEC is implemented, there is no proof that any DNS response contains accurate data.

'Authority' is a combination of:

  • The server believing it has a full copy of the DNS zone (ie. it is a master or slave for that zone, not just a recursive cache)
  • The parent DNS zone delegating authority for your DNS zone/domain to your servers (this is what your registrar's web interface controls)
  • The zone itself containing an SOA record referring to that server
  • The zone containing NS entries for master and slaves that host a full copy of the zone

If the server believes it has authority, but the DNS infrastructure doesn't have any record of that server for this zone, then nothing should query it - thus incorrect records don't matter -- so long as you don't use any hosting within that provider which may be hard-configured to use their own DNS servers.

CGretski
  • 111
  • 2