How to find an IP of web server using nslookup
This is for educational purposes only. I'm currently learning about DNS, and every source I've read says pretty much this:
Assuming no cache hits at all, when asked to resolve a domain name, the DNS resolver will first contact a root name server, which will point him to a TLD name server, which will point him to the name server which is authoritative for the domain he's looking for.
Now, in my home laptop, my OS is pre-configured to use some DNS server, which I guess belongs to my ISP, and when I query something using nslookup, I immediately get the response.
I'm trying to imitate the behavior of a DNS resolver using nslookup. How can I do this?
OK, I know the domain names (and also IP addresses) of the root name servers. How do I go on from there?
My guess is that the DNS resolver, when contacting the root server, is asking for an A record, but when I try to do the same query, I get:
> www.google.com e.root-servers.net
Server: e.root-servers.net
Addresses: 2001:500:a8::e
192.203.230.10
*** e.root-servers.net can't find www.google.com: No response from server
Solution 1:
I'm not sure nslookup is the tool for the job. "dig" is probably better. Indeed, you can see the whole workings of an authoritative lookup and all its steps with dig with a simple command -
dig +trace www.google.com
If you have to use nslookup, we can do it like this -
dig
Returns the names of the TLD servers, i.e. [a-m].root-servers.net. (If you don't want to use dig, or don't know these and need to do it from first principles, these are hard-coded into recursive DNS servers, so you would need to look at their config or find a trusted source.)
We can then query this server and ask for the .com ns record like so -
nslookup -type=ns com. a.root-servers.net
(I think you can leave out the . after com. - that end bit signifies it's an absolute, not relative, query). This returns a list of the .com nameservers -
;; Truncated, retrying in TCP mode.
Server: a.root-servers.net
Address: 198.41.0.4#53
Non-authoritative answer:
*** Can't find com: No answer
Authoritative answers can be found from:
com nameserver = e.gtld-servers.net.
com nameserver = b.gtld-servers.net.
com nameserver = j.gtld-servers.net.
com nameserver = m.gtld-servers.net.
com nameserver = i.gtld-servers.net.
com nameserver = f.gtld-servers.net.
com nameserver = a.gtld-servers.net.
com nameserver = g.gtld-servers.net.
com nameserver = h.gtld-servers.net.
com nameserver = l.gtld-servers.net.
com nameserver = k.gtld-servers.net.
com nameserver = c.gtld-servers.net.
com nameserver = d.gtld-servers.net.
e.gtld-servers.net internet address = 192.12.94.30
e.gtld-servers.net has AAAA address 2001:502:1ca1::30
b.gtld-servers.net internet address = 192.33.14.30
b.gtld-servers.net has AAAA address 2001:503:231d::2:30
j.gtld-servers.net internet address = 192.48.79.30
j.gtld-servers.net has AAAA address 2001:502:7094::30
m.gtld-servers.net internet address = 192.55.83.30
m.gtld-servers.net has AAAA address 2001:501:b1f9::30
i.gtld-servers.net internet address = 192.43.172.30
i.gtld-servers.net has AAAA address 2001:503:39c1::30
f.gtld-servers.net internet address = 192.35.51.30
f.gtld-servers.net has AAAA address 2001:503:d414::30
a.gtld-servers.net internet address = 192.5.6.30
a.gtld-servers.net has AAAA address 2001:503:a83e::2:30
g.gtld-servers.net internet address = 192.42.93.30
g.gtld-servers.net has AAAA address 2001:503:eea3::30
h.gtld-servers.net internet address = 192.54.112.30
h.gtld-servers.net has AAAA address 2001:502:8cc::30
l.gtld-servers.net internet address = 192.41.162.30
l.gtld-servers.net has AAAA address 2001:500:d937::30
k.gtld-servers.net internet address = 192.52.178.30
k.gtld-servers.net has AAAA address 2001:503:d2d::30
c.gtld-servers.net internet address = 192.26.92.30
c.gtld-servers.net has AAAA address 2001:503:83eb::30
d.gtld-servers.net internet address = 192.31.80.30
d.gtld-servers.net has AAAA address 2001:500:856e::30
We can now repeat the same request against one of the "com" TLD nameservers to get Google's servers -
nslookup -type=ns google.com. a.gtld-servers.net
which returns
Server: a.gtld-servers.net
Address: 192.5.6.30#53
Non-authoritative answer:
*** Can't find google.com.: No answer
Authoritative answers can be found from:
google.com nameserver = ns2.google.com.
google.com nameserver = ns1.google.com.
google.com nameserver = ns3.google.com.
google.com nameserver = ns4.google.com.
ns2.google.com has AAAA address 2001:4860:4802:34::a
ns2.google.com internet address = 216.239.34.10
ns1.google.com has AAAA address 2001:4860:4802:32::a
ns1.google.com internet address = 216.239.32.10
ns3.google.com has AAAA address 2001:4860:4802:36::a
ns3.google.com internet address = 216.239.36.10
ns4.google.com has AAAA address 2001:4860:4802:38::a
ns4.google.com internet address = 216.239.38.10
This record is interesting because it specifies the IP addresses for nsX.google.com. (This is called a glue record, and is coded into the .com nameserver in this case, because otherwise there is a problem: you need nsX.google.com to find google.com, but first you need to find google.com to get to nsX.google.com...)
Lastly, we can query one of Google's nameservers and get its address:
nslookup www.google.com. 216.239.32.10
Our answer:
Server: 216.239.32.10
Address: 216.239.32.10#53
Name: www.google.com
Address: 142.250.66.228
Name: www.google.com
Address: 2404:6800:4006:810::2004
Solution 2:
If you are querying the root servers, then it should be for com. You then issue another lookup for google.com against one of the returned IP addresses. Then you can finally look up www.google.com for a server from that final list.
What you are doing is asking the root server to recursively search for www.google.com, something which they are not set up for; they will only return the TLDs.
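The manual steps in the two answers above can be scripted. This is an added example, not code from either answer: it sends each server an A query with recursion disabled (`dig +norecurse`) and follows the glue address from each referral until a server answers. The function names are hypothetical, and it assumes every referral carries IPv4 glue.

```shell
#!/bin/sh
# Added example (not from the original answers): walk the delegation chain
# by hand with non-recursive dig queries, following glue records.
# Starting address: a.root-servers.net, as shown in the output above.
ROOT_SERVER="198.41.0.4"

# Send one A query with recursion disabled; print only the record sections.
ask() {  # usage: ask <fqdn> <server-ip>
  dig +norecurse +noall +answer +authority +additional "$1" A "@$2"
}

# Read dig output on stdin; print the first A record owned by <fqdn>, if any.
answer_a() {  # usage: answer_a <fqdn>
  awk -v n="$1" 'tolower($1) == tolower(n) && $4 == "A" { print $5; exit }'
}

# Read a referral on stdin; print the IPv4 glue address of the first
# delegated name server (NS record) that has an A record in the same reply.
glue_a() {
  awk '$4 == "NS" { ns[tolower($5)] = 1 }
       $4 == "A" && (tolower($1) in ns) { print $5; exit }'
}

# Follow referrals from the root until a server answers for the name.
# Prints each hop on stderr and the final address on stdout.
iter_resolve() {  # usage: iter_resolve <fqdn>
  ir_name="${1%.}."            # make the name absolute (trailing dot)
  ir_server="$ROOT_SERVER"
  for ir_hop in 1 2 3 4 5 6 7 8; do   # bound the walk against referral loops
    echo "hop $ir_hop: asking $ir_server for $ir_name" >&2
    ir_out="$(ask "$ir_name" "$ir_server")" || return 1
    ir_ip="$(printf '%s\n' "$ir_out" | answer_a "$ir_name")"
    if [ -n "$ir_ip" ]; then
      echo "$ir_ip"
      return 0
    fi
    ir_server="$(printf '%s\n' "$ir_out" | glue_a)"
    if [ -z "$ir_server" ]; then
      # Not handled here: glueless delegations and CNAME answers.
      echo "no usable glue in reply for $ir_name" >&2
      return 1
    fi
  done
  echo "gave up after 8 referrals" >&2
  return 1
}

# Run when called with an argument, e.g.: sh iter_resolve.sh www.google.com
if [ -n "${1:-}" ]; then iter_resolve "$1"; fi
```

Walking the chain this way bypasses the local resolver's cache, which is useful when checking whether a delegation or glue record matches what a recursive resolver is returning.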