[BALUG-Talk] test DNS that returns SERVFAIL? ... ! :-)
Michael Paoli
Michael.Paoli@cal.berkeley.edu
Mon Apr 13 10:14:35 UTC 2020
test DNS that returns SERVFAIL? ... ! :-)
For when one may want a target DNS domain to test against that will
generally return SERVFAIL ... I didn't super easily find one out there,
so ... (at least for now) created one.
... on the master (IPs for the MNAME in SOA are on this host)
$ hostname
balug-sf-lug-v2.balug.org
$ dig +noall +answer +multiline balug.org. SOA | awk '{if(NR==1)print $5;}'
ns0.balug.org.
$ dig +short ns0.balug.org. A ns0.balug.org. AAAA
96.86.170.229
2001:470:1f05:19e::2
$ ip a s | egrep 'inet.*(96\.86\.170\.229|2001:470:1f05:19e::2)'
inet 96.86.170.229/29 brd 96.86.170.231 scope global eth0
inet6 2001:470:1f05:19e::2/64 scope global
$
So, add RR:
# nsupdate -l << \.
update add servfail.balug.org. 300 IN NS servfail.balug.org.
send
.
#
Ah yes, I'm quite starting to get used to and like/prefer dynamic DNS
update. Significantly more goof-resistant, and most of the time I don't
even have to think about the zone serial number. Which reminds me,
I do still want to add some version "control" (tracking) ... driven via
cron, so I'll at least have periodic snapshots of changes (since no
longer using ye olde manual method & manual version control). For
more recent changes, and fine-grained history of changes, logs cover
that quite well. But for the longer historical record ... wee bit 'o
gap presently to fill on that.
Automation is generally a good thing. :-)
And with no other (explicit - some DNSSEC automagic bits may be added
but we'll ignore those presently) RRs for that domain.
So, we then typically get, e.g.:
$ dig +noall +answer +comments servfail.balug.org.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26642
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
$
Note that not all flavors of query against servfail.balug.org. will
return SERVFAIL:
$ dig +noall +norecurse +answer +authority +comments @ns0.balug.org.
servfail.balug.org.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20976
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; AUTHORITY SECTION:
servfail.balug.org. 300 IN NS servfail.balug.org.
$
But in general, trying to do a recursive query on the domain for most RR
types, will give SERVFAIL. (Useful for testing, ...)
More information about the BALUG-Talk
mailing list