Forcing the dig tool to return us answers from the root servers
When doing a dig over some site (i.e. www.nasa.gov) from different online dig tool sites (in this case, http://networking.ringofsaturn.com/Tools/dig.php and http://www.kloth.net/services/dig.php), I've noticed their answers are different. I guess this must mean that the answers each one of them is getting are not from root DNS servers but from local ones instead (for example, their ISPs).
What I'd like to know is how to force the dig tool to return the info from the root servers themselves. Is it possible at all?
Thanks
Solution 1:
To get authoritative information using dig you usually use a combination of +trace and @server. For example, if I want authoritative information about www.google.com I would do it like this:
# dig +trace NS google.com
; <<>> DiG 9.4.2-P2 <<>> +trace NS google.com
;; global options: printcmd
. 3600000 IN NS L.ROOT-SERVERS.NET.
. 3600000 IN NS M.ROOT-SERVERS.NET.
. 3600000 IN NS D.ROOT-SERVERS.NET.
. 3600000 IN NS I.ROOT-SERVERS.NET.
. 3600000 IN NS H.ROOT-SERVERS.NET.
. 3600000 IN NS F.ROOT-SERVERS.NET.
. 3600000 IN NS C.ROOT-SERVERS.NET.
. 3600000 IN NS G.ROOT-SERVERS.NET.
. 3600000 IN NS B.ROOT-SERVERS.NET.
. 3600000 IN NS K.ROOT-SERVERS.NET.
. 3600000 IN NS E.ROOT-SERVERS.NET.
. 3600000 IN NS A.ROOT-SERVERS.NET.
. 3600000 IN NS J.ROOT-SERVERS.NET.
;; Received 244 bytes from 192.168.0.42#53(192.168.0.42) in 3 ms
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
;; Received 488 bytes from 128.8.10.90#53(D.ROOT-SERVERS.NET) in 129 ms
google.com. 172800 IN NS ns2.google.com.
google.com. 172800 IN NS ns1.google.com.
google.com. 172800 IN NS ns3.google.com.
google.com. 172800 IN NS ns4.google.com.
;; Received 164 bytes from 192.31.80.30#53(d.gtld-servers.net) in 149 ms
google.com. 345600 IN NS ns4.google.com.
google.com. 345600 IN NS ns3.google.com.
google.com. 345600 IN NS ns2.google.com.
google.com. 345600 IN NS ns1.google.com.
;; Received 164 bytes from 216.239.32.10#53(ns1.google.com) in 32 ms
Now I have the nameservers that are listed for google.com, as well as the IP address of one of them. I can ask this nameserver directly for the records:
# dig www.google.com @216.239.32.10
; <<>> DiG 9.4.2-P2 <<>> www.google.com @216.239.32.10
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24224
;; flags: qr aa rd; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 604800 IN CNAME www.l.google.com.
www.l.google.com. 300 IN A 209.85.148.104
www.l.google.com. 300 IN A 209.85.148.103
www.l.google.com. 300 IN A 209.85.148.99
www.l.google.com. 300 IN A 209.85.148.105
www.l.google.com. 300 IN A 209.85.148.106
www.l.google.com. 300 IN A 209.85.148.147
;; Query time: 34 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Fri Apr 29 15:22:40 2011
;; MSG SIZE rcvd: 148
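An added example, not part of the answer above: a small Python parser that reads dig output like the two listings quoted there, reports which server supplied each delegation in a +trace run, and checks the header for the aa (authoritative answer) flag. The sample text is abbreviated from the quoted output; the CACHED header and all function names are constructed for illustration.

```python
import re

# Constructed sample: abbreviated from the +trace output quoted in the answer above.
TRACE = """\
. 3600000 IN NS D.ROOT-SERVERS.NET.
;; Received 244 bytes from 192.168.0.42#53(192.168.0.42) in 3 ms
com. 172800 IN NS d.gtld-servers.net.
;; Received 488 bytes from 128.8.10.90#53(D.ROOT-SERVERS.NET) in 129 ms
google.com. 172800 IN NS ns1.google.com.
;; Received 164 bytes from 192.31.80.30#53(d.gtld-servers.net) in 149 ms
google.com. 345600 IN NS ns1.google.com.
;; Received 164 bytes from 216.239.32.10#53(ns1.google.com) in 32 ms
"""
# Header line from the direct query quoted above (note the "aa" flag).
DIRECT = ";; flags: qr aa rd; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0\n"
# Constructed: the kind of header a caching resolver returns (no "aa", "ra" set).
CACHED = ";; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0\n"

NS_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)\s*$")
RECEIVED = re.compile(r"^;; Received \d+ bytes from ([^#\s]+)#\d+\(([^)]+)\)")
FLAGS = re.compile(r"^;; flags:([^;]*);", re.MULTILINE)

def trace_hops(text):
    """Split +trace output into hops: which zone was delegated, and who said so."""
    hops, zone, servers = [], None, []
    for line in text.splitlines():
        rec = NS_RECORD.match(line)
        if rec:
            zone = rec.group(1)
            servers.append(rec.group(2))
            continue
        got = RECEIVED.match(line)
        if got and zone is not None:
            hops.append({"zone": zone, "ns": servers,
                         "from_ip": got.group(1), "from_name": got.group(2)})
            zone, servers = None, []
    return hops

def is_authoritative(text):
    """True when the response header carries the AA (authoritative answer) flag."""
    m = FLAGS.search(text)
    return bool(m) and "aa" in m.group(1).split()

if __name__ == "__main__":
    for hop in trace_hops(TRACE):
        print(f'{hop["zone"]:<12} NS set received from {hop["from_name"]} ({hop["from_ip"]})')
    print("direct query authoritative:", is_authoritative(DIRECT))
    print("cached reply authoritative:", is_authoritative(CACHED))
```

In the quoted trace the first hop, the root NS list, was received from the local resolver at 192.168.0.42; the later hops were answered by D.ROOT-SERVERS.NET, d.gtld-servers.net and ns1.google.com in turn.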
Solution 2:
Root servers don't answer queries for second-level domains. gTLD servers don't answer queries for second-level domains (other than returning the name servers for second-level domains). The authoritative name servers for the second-level domain answer queries for that second-level domain. You can query a gTLD to find the name servers for a specific domain and then query those name servers for resource records in that domain.
Root Servers
---------------->gTLD Servers
---------------------------------->Authoritative Name Servers
--------------------------------------------------------------------->Resource Records
Solution 3:
Root servers should never be asked a recursive query (i.e. for a server.example.tld), only about the servers handling the top-level domains (.tld in the example).
However, I think what you mean is that you want an answer from an authoritative server. In order to do that:
1) Ask for NS (i.e. the name server field) instead of A (the IPv4 address) for the domain nasa.gov.
2) Change the server field to one of the servers obtained in point 1).
3) Ask the question about the address of www.nasa.gov.
The same procedure works for any other domain, of course.
The procedure works for a CLI dig and with http://www.kloth.net/services/dig.php interface.