[dns-operations] How to avoid minimal-responses queries?

Thu Sep 15 17:13:06 UTC 2016

On Wed, 14 Sep 2016, Kaio Rafael wrote:
> I have been monitoring Fast-Flux domains and sometimes I've got DIG
> output missing fields such as Authority and Additional. Additional
> field is very useful under my research.
>
> Is there any way to force DIG to get full DNS response without sending
> additional NS queries?

As others have noted: no.

Dig is a tool. It is reporting, as accurately as possible, what it is
seeing. Is there a way to force dig to get a full response? Dig *is*
showing you the full response.

So by full you are meaning that the Authority and Additional sections are
populated, and you're assuming "complete". Yes: complete. Even if they're
populated, that's not a guarantee of completeness.

If you want completeness, then you need to test that assumption and you
won't be able to do that without issuing additional queries. When you do
so, you may find out that portions of the internet (or at least the DNS)
are broken or at least misconfigured, or simply don't do what you want.

In general, if you want what you want, you need to run your own server.
You can't run the rest of the world's authoritative servers, you have no
control over that.

However you can run your own recursive resolver, and depending on the
nameserver implementation you choose in order to do that, you will have
varying degrees of control over the "completeness" of the responses it
generates (i.e. back to dig). You will also have access to log files with
varying degrees of information about the level of brokenness which is
being seen. You may also have the ability to examine/dump its cache (as
well as issue dig requests to do so).

Before we leave this topic, let's briefly mention RD and ANY.

ANY is a synthetic/wildcard query, and if you follow this mailing list you
will know that some operators block it. In any case the semantics of ANY
are orthogonal to what you desire: ANY will try to get records of any type
to put into the Answer section, it does not address the Additional or
Authority sections. The behavior of ANY when directed at recursive/caching
resolvers rather than authority servers may be surprising: it may only
return what the cache knows about.

Recursion may or may not be supported by an authoritative server (really
it's a separate functionality), although in reality an authoritative
server which supports recursion is an authoritative + recursive server
(two logical functions in one). The whole purpose of recursive servers is
to do recursion (and cache the responses) of course. But interesting
things happen when you play with the RD flag in queries directed to
recursive servers: this is a really convenient way to query for what's
cached, at least against a server which you control.

--

Fred Morris