Outsourced Clue

Providing big company technology recommendations to the masses


Supporting “dig +trace” using an Unbound recursive/caching DNS server


dig +trace example.com is an extremely useful DNS debugging tool. It walks the delegation path, showing the answer each authoritative DNS server along the way handed out, which helps you track down some obscure DNS errors. For example, here is a dig +trace for “outsourcedclue.com”.

; <<>> DiG 9.6.0-P1 <<>> +trace outsourcedclue.com
;; global options: +cmd
.			518073	IN	NS	F.ROOT-SERVERS.NET.
.			518073	IN	NS	M.ROOT-SERVERS.NET.
.			518073	IN	NS	B.ROOT-SERVERS.NET.
.			518073	IN	NS	D.ROOT-SERVERS.NET.
.			518073	IN	NS	K.ROOT-SERVERS.NET.
.			518073	IN	NS	A.ROOT-SERVERS.NET.
.			518073	IN	NS	H.ROOT-SERVERS.NET.
.			518073	IN	NS	J.ROOT-SERVERS.NET.
.			518073	IN	NS	E.ROOT-SERVERS.NET.
.			518073	IN	NS	L.ROOT-SERVERS.NET.
.			518073	IN	NS	C.ROOT-SERVERS.NET.
.			518073	IN	NS	G.ROOT-SERVERS.NET.
.			518073	IN	NS	I.ROOT-SERVERS.NET.
;; Received 512 bytes from 10.1.11.1#53(10.1.11.1) in 1 ms

com.			172800	IN	NS	I.GTLD-SERVERS.NET.
com.			172800	IN	NS	H.GTLD-SERVERS.NET.
com.			172800	IN	NS	J.GTLD-SERVERS.NET.
com.			172800	IN	NS	G.GTLD-SERVERS.NET.
com.			172800	IN	NS	F.GTLD-SERVERS.NET.
com.			172800	IN	NS	B.GTLD-SERVERS.NET.
com.			172800	IN	NS	A.GTLD-SERVERS.NET.
com.			172800	IN	NS	D.GTLD-SERVERS.NET.
com.			172800	IN	NS	L.GTLD-SERVERS.NET.
com.			172800	IN	NS	E.GTLD-SERVERS.NET.
com.			172800	IN	NS	M.GTLD-SERVERS.NET.
com.			172800	IN	NS	C.GTLD-SERVERS.NET.
com.			172800	IN	NS	K.GTLD-SERVERS.NET.
;; Received 496 bytes from 202.12.27.33#53(M.ROOT-SERVERS.NET) in 147 ms

outsourcedclue.com.	172800	IN	NS	ns1.softlayer.com.
outsourcedclue.com.	172800	IN	NS	ns2.softlayer.com.
;; Received 170 bytes from 192.35.51.30#53(F.GTLD-SERVERS.NET) in 45 ms

outsourcedclue.com.	86400	IN	A	208.43.45.4
outsourcedclue.com.	86400	IN	NS	ns2.softlayer.com.
outsourcedclue.com.	86400	IN	NS	ns1.softlayer.com.
;; Received 98 bytes from 67.228.255.5#53(ns2.softlayer.com) in 42 ms

I use Unbound as my recursive/caching DNS server of choice, and one day I noticed it didn’t support “dig +trace”. Distraught, I dug into why. Talking to a buddy, he suggested perhaps Unbound wasn’t allowing non-recursive queries, which +trace relies on. Digging into the documentation, I discovered the allow_snoop option of the access-control directive. So for example, if your config file looks like this:

server:
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.1.11.0/24 allow

just add the following directive to support “dig +trace” from the IPs that need it:

    access-control: 10.1.11.0/24 allow_snoop

Now you can dig +trace to your heart’s content!
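To confirm the change took effect, here is an added Python check (not from the original post) that sends the same kind of non-recursive query dig +trace relies on and reports how the resolver answers; the resolver address and queried name are placeholders taken from the post's examples.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype=2, rd=False, txid=0x1234):
    """Build a minimal DNS query (default type NS). rd=False leaves the
    RD bit clear, which is the non-recursive form that dig +trace sends."""
    flags = 0x0100 if rd else 0x0000          # QR=0, OPCODE=0, RD at bit 8
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_response(resp, txid=0x1234):
    """Return (rcode name, answer+authority record count) from a reply.
    REFUSED means the resolver's ACL permits recursion only ('allow');
    NOERROR means non-recursive queries are accepted ('allow_snoop')."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:      # wrong ID or QR bit not set
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), an + ns


def check_snoop(server, name="outsourcedclue.com", port=53, timeout=2.0):
    """Send one non-recursive query over UDP and classify the answer.
    server is a placeholder for the Unbound host you are checking."""
    query = build_query(name, rd=False)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        resp, _ = sock.recvfrom(4096)
    return parse_response(resp)


if __name__ == "__main__":
    # Placeholder resolver address from the post's example network.
    print(check_snoop("10.1.11.1"))
```

Reload Unbound and run the check from a host in the allow_snoop netblock; if it still reports REFUSED, confirm which access-control line Unbound applies to that netblock (replacing the existing allow line with allow_snoop removes the ambiguity). Unbound's documentation names the option after cache snooping, the use of non-recursive queries to inspect what a resolver has cached, so limit allow_snoop to the administrator hosts that need +trace.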

Written by sleach

April 13th, 2009 at 4:59 pm

Posted in DNS, Troubleshooting
