Re: Danish TPB DNS Blocks
On Thu, 26 Nov 2009 14:18:11 -0500 Flamsmark <flamsmark@xxxxxxxxx>
wrote:
>2009/11/26 Scott Bennett <bennett@xxxxxxxxxx>
>
>> >Changing the DNS server to DNS rootservers would fix this problem.
>> >
>> Bzzzt!! That would eventually get an exit marked as a bad exit, too.
>> Why? Because the root name servers serve only information in the root
>> domain and the so-called top-level domains (e.g., .com, .edu, .gov, .info,
>> .mil, country domains, and so on). They are much, much too busy to act
>> as forwarders, so if you ask for anything that they don't serve themselves,
>> you will get a "no answers" response.
>
>
>How odd. I use the root servers on my personal machine, and have never

Here's an example of attempting to do what you suggested.

Script started on Fri Nov 27 06:54:46 2009
mp% dig @k.root-servers.net. www.torproject.org. a
; <<>> DiG 9.3.1 <<>> @k.root-servers.net. www.torproject.org. a
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1041
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 12
;; QUESTION SECTION:
;www.torproject.org. IN A
;; AUTHORITY SECTION:
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800 IN A 199.19.56.1
a2.org.afilias-nst.info. 172800 IN A 199.249.112.1
b0.org.afilias-nst.org. 172800 IN A 199.19.54.1
b2.org.afilias-nst.org. 172800 IN A 199.249.120.1
c0.org.afilias-nst.info. 172800 IN A 199.19.53.1
d0.org.afilias-nst.org. 172800 IN A 199.19.57.1
a0.org.afilias-nst.info. 172800 IN AAAA 2001:500:e::1
a2.org.afilias-nst.info. 172800 IN AAAA 2001:500:40::1
b0.org.afilias-nst.org. 172800 IN AAAA 2001:500:c::1
b2.org.afilias-nst.org. 172800 IN AAAA 2001:500:48::1
c0.org.afilias-nst.info. 172800 IN AAAA 2001:500:b::1
d0.org.afilias-nst.org. 172800 IN AAAA 2001:500:f::1
;; Query time: 63 msec
;; SERVER: 193.0.14.129#53(193.0.14.129)
;; WHEN: Fri Nov 27 06:55:07 2009
;; MSG SIZE rcvd: 441
mp% exit
script done on Fri Nov 27 06:55:10 2009

Notice in the example above that the answer count is zero and that no
IP address or any other information is returned in response to the request
for the A RR for www.torproject.org.

>noticed this phenomenon. If you are correct, does DNS work? How does a user
>know which DNS servers are authoritative for other blocks?
>
The resolver library routines on your computer start--at least in
principle, though caching may cause a deviation from this procedure--at the
top. After finding the addresses of one or more root servers from locally
kept data, a root (.) server is queried for the top-level domain's
authoritative name servers. To track down the authoritative name servers for
a university in the U.S., for example, a query is sent to a root server to get
the list of authoritative name servers for the edu. domain:

Script started on Fri Nov 27 06:57:16 2009
mp% dig @k.root-servers.net. edu. ns
; <<>> DiG 9.3.1 <<>> @k.root-servers.net. edu. ns
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 813
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 8
;; QUESTION SECTION:
;edu. IN NS
;; AUTHORITY SECTION:
edu. 172800 IN NS a.gtld-servers.net.
edu. 172800 IN NS c.gtld-servers.net.
edu. 172800 IN NS d.gtld-servers.net.
edu. 172800 IN NS e.gtld-servers.net.
edu. 172800 IN NS f.gtld-servers.net.
edu. 172800 IN NS g.gtld-servers.net.
edu. 172800 IN NS l.gtld-servers.net.
;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800 IN A 192.5.6.30
c.gtld-servers.net. 172800 IN A 192.26.92.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
f.gtld-servers.net. 172800 IN A 192.35.51.30
g.gtld-servers.net. 172800 IN A 192.42.93.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30
;; Query time: 62 msec
;; SERVER: 193.0.14.129#53(193.0.14.129)
;; WHEN: Fri Nov 27 06:57:47 2009
;; MSG SIZE rcvd: 292

Note that the list of NS RRs above comprises only a subset of the list of root
servers. Take a look at the different list of servers authoritative for the
za. domain:

mp% dig @k.root-servers.net. za. ns
; <<>> DiG 9.3.1 <<>> @k.root-servers.net. za. ns
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1737
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 10
;; QUESTION SECTION:
;za. IN NS
;; AUTHORITY SECTION:
za. 172800 IN NS ns1.dns.aq.
za. 172800 IN NS nsza.is.co.za.
za. 172800 IN NS hippo.ru.ac.za.
za. 172800 IN NS ns-za.ripe.net.
za. 172800 IN NS auth00.ns.uu.net.
za. 172800 IN NS ns-ext.isc.org.
za. 172800 IN NS ucthpx.uct.ac.za.
;; ADDITIONAL SECTION:
ns1.dns.aq. 172800 IN A 198.32.71.12
nsza.is.co.za. 172800 IN A 196.4.160.27
hippo.ru.ac.za. 172800 IN A 146.231.128.1
ns-za.ripe.net. 172800 IN A 193.0.12.205
auth00.ns.uu.net. 172800 IN A 198.6.1.65
ns-ext.isc.org. 172800 IN A 204.152.184.64
ucthpx.uct.ac.za. 172800 IN A 137.158.128.1
hippo.ru.ac.za. 172800 IN AAAA 2001:4200:1010::1
ns-za.ripe.net. 172800 IN AAAA 2001:610:240:0:53::193
ns-ext.isc.org. 172800 IN AAAA 2001:4f8:0:2::13
;; Query time: 62 msec
;; SERVER: 193.0.14.129#53(193.0.14.129)
;; WHEN: Fri Nov 27 06:58:16 2009
;; MSG SIZE rcvd: 401
mp% exit
mp%
script done on Fri Nov 27 06:58:36 2009

Now that the list of edu. authorities has been obtained, any one of
those may be queried for the NS RRs for a particular subdomain of edu. Then
any of those servers may be queried for any desired RRs within that domain,
and so on down any further subdomain levels that may exist.

Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet: bennett at cs.niu.edu *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good *
* objection to the introduction of that bane of all free governments *
* -- a standing army." *
* -- Gov. John Hancock, New York Journal, 28 January 1790 *
**********************************************************************
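
The referral walk described in the message above, as an added example that is not part of the original e-mail: a small offline model in which each server knows only its own zone, showing why a single query to a root server yields zero answers while following the referrals reaches the A record. The server addresses, name-server names and the final A record are constructed placeholders from documentation ranges, and `query` and `resolve` are hypothetical helper names.

```python
# Constructed delegation data: each "server" serves only its own zone.
# All addresses are documentation-range placeholders, not real name servers.
ZONES = {
    "198.51.100.1": {  # stands in for a root server: knows TLD delegations only
        "delegations": {"org.": [("a0.org-tld.example.", "198.51.100.2")]},
        "records": {},
    },
    "198.51.100.2": {  # stands in for an org. TLD server
        "delegations": {"torproject.org.": [("ns1.tp.example.", "198.51.100.3")]},
        "records": {},
    },
    "198.51.100.3": {  # stands in for the zone's own authoritative server
        "delegations": {},
        "records": {("www.torproject.org.", "A"): ["192.0.2.80"]},
    },
}
ROOT = "198.51.100.1"


def query(server, name, rtype):
    """One non-recursive query; returns (answers, referral).

    answers  ~ the ANSWER section
    referral ~ NS names from AUTHORITY paired with glue from ADDITIONAL
    """
    zone = ZONES[server]
    answers = zone["records"].get((name, rtype), [])
    if answers:
        return answers, []
    # No data held here: refer to the longest delegated zone enclosing the name.
    enclosing = [z for z in zone["delegations"] if name == z or name.endswith("." + z)]
    best = max(enclosing, key=len, default=None)
    return [], (zone["delegations"][best] if best else [])


def resolve(name, rtype, max_hops=8):
    """Follow referrals from the root downward, as a full resolver does."""
    server, path = ROOT, []
    for _ in range(max_hops):
        answers, referral = query(server, name, rtype)
        path.append((server, len(answers), len(referral)))
        if answers or not referral:
            return answers, path  # got data, or hit a dead end
        server = referral[0][1]  # use the glue address of the first NS
    raise RuntimeError("referral chain exceeded max_hops")
```
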