Can I see what happens when I run a DNS query?
























My understanding is that when my computer wants to resolve a host name, it will ask the DHCP-assigned DNS servers first. If those don’t know, it goes and asks the ‘root servers’ who then defer to another server, etc.



Using dig or a similar tool, is it possible to see the string of servers that get asked, in a similar way as traceroute shows how packets travel to a certain destination?










asked Aug 11 at 9:02 by Rob de Jonge




















3 Answers






As others have already answered, most usually a host sends a recursive query to a nominated resolver, often a local server or router, often belonging to an ISP or Google's well-known (distributed) 8.8.8.8 and 8.8.4.4. Typically it will have a couple defined, and if the first doesn't respond, it will move to the next after a timeout.

Name resolvers are free to use whatever algorithm they like, including just asking for NS records (for com., stackexchange.com. right from the top) then an A record. And also caching, within responded time-to-live parameters.

To find out what a particular name resolver does you'll need to monitor packets or have access to the server.

But you can certainly do it manually if you're trying to follow a chain, such as for debugging broken delegations, missing glue records and so on.

To resolve the A record of www.stackexchange.com:

Find a root zone server from the list, which every resolver will have installed:
http://www.internic.net/domain/named.root

We pick the first one, 198.4.10.4

Ask who to ask:

    nslookup -norecurse -query=ns www.stackexchange.com 198.41.0.4

Root server says "Don't ask me, ask com questions at e.gtld-servers.net", and helpfully gives the address:

    Authoritative answers can be found from:
    com nameserver = e.gtld-servers.net.
    e.gtld-servers.net internet address = 192.12.94.30
    (other answers trimmed)

Ask e.gtld-servers.net who to ask:

    nslookup -norecurse -query=ns www.stackexchange.com 192.12.94.30

He says "don't ask me, ask stackexchange.com questions at ns-925", and helpfully gives the address.

    Non-authoritative answer:
    *** Can't find www.stackexchange.com: No answer
    Authoritative answers can be found from:
    stackexchange.com nameserver = ns-925.awsdns-51.net.
    ns-925.awsdns-51.net internet address = 205.251.195.157
    ...

We see that ns-925 is nameserver for the domain we're after (stackexchange.com) so we ask for the A record:

    nslookup -norecurse -query=a www.stackexchange.com 205.251.195.157

He gives a CNAME response:

    www.stackexchange.com canonical name = stackexchange.com.

But as it's a nameserver for that as well, it (helpfully) gave us the A record of the CNAME record:

    Name: stackexchange.com
    Address: 151.101.129.69














answered Aug 11 at 12:33 by jonathanjo (edited Aug 11 at 18:53)











• Very exhaustive. Thank you so much for writing this down. What I’m trying to do is troubleshoot a connection issue for my DSL. I’m trying to make sure DNS is not the issue, if a delay in the response I get isn’t causing the slow start of connections I’m experiencing despite 20ms ping. I will play around a bit more with dig and see what I find.
  – Rob de Jonge, Aug 11 at 12:38

• Slow startup of TCP connections has many potential causes, but certainly DNS delays are one of them. Timing resolution at different DNS resolvers is a good place to start; also tcpdump -ttt to see where any pauses are.
  – jonathanjo, Aug 11 at 12:41

• That’s my day gone tomorrow! ;-) Thanks so much.
  – Rob de Jonge, Aug 11 at 12:42
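The manual walk in jonathanjo's answer above, as an added Python example that is not part of the original post: it builds the non-recursive query that nslookup -norecurse sends, parses a referral (NS records in the authority section, glue in the additional section), and reports nameservers that lack glue. The response bytes are constructed samples: the root referral reuses the names and address quoted in the answer, while example.com, ns1.example.com, the TTL and all function names are assumptions of this example.

```python
import struct

TYPE_A, TYPE_NS, TYPE_CNAME = 1, 2, 5

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234, recurse=False):
    """Build a query; recurse=False clears the RD bit, like nslookup -norecurse."""
    flags = 0x0100 if recurse else 0x0000
    return (struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    for _ in range(255):                           # bounded: refuses pointer loops
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
        elif length == 0:                          # root label ends the name
            end = off + 1 if end is None else end
            return ".".join(labels).lower() + ".", end
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
            off += 1 + length
    raise ValueError("name too long or compression pointer loop")

def parse_response(msg):
    """Return the header bits and the answer/authority/additional sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    sections = []
    for count in (an, ns, ar):
        records = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype in (TYPE_NS, TYPE_CNAME):
                data, _ = read_name(msg, off)
            elif rtype == TYPE_A and rdlen == 4:
                data = ".".join(str(b) for b in msg[off:off + 4])
            else:
                data = msg[off:off + rdlen]        # other types kept as raw bytes
            records.append((owner, rtype, ttl, data))
            off += rdlen
        sections.append(records)
    return {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0x000F,
            "answer": sections[0], "authority": sections[1], "additional": sections[2]}

def next_step(resp):
    """'answer' with its records, or 'referral' with (zone, nameserver, glue address)."""
    if resp["answer"]:
        return "answer", resp["answer"]
    glue = {owner: data for owner, rtype, _, data in resp["additional"] if rtype == TYPE_A}
    return "referral", [(zone, ns, glue.get(ns))
                        for zone, rtype, _, ns in resp["authority"] if rtype == TYPE_NS]

def missing_glue(hops):
    """Nameservers inside the zone they serve need glue; list those without it."""
    return [ns for zone, ns, addr in hops
            if addr is None and (zone == "." or ns.endswith("." + zone))]

def make_referral(qname, zone, ns_name, glue_ip=None):
    """Constructed sample data: the referral a parent-zone server sends."""
    q = encode_name(qname)
    msg = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 1, 1 if glue_ip else 0)
    msg += q + struct.pack("!HH", TYPE_NS, 1)
    zone_ptr = 0xC000 | (12 + len(q) - len(encode_name(zone)))  # zone is a suffix of qname
    ns_rdata = encode_name(ns_name)
    ns_off = len(msg) + 12                         # pointer (2) + type/class/ttl/rdlen (10)
    msg += struct.pack("!HHHIH", zone_ptr, TYPE_NS, 1, 172800, len(ns_rdata)) + ns_rdata
    if glue_ip:
        msg += struct.pack("!HHHIH", 0xC000 | ns_off, TYPE_A, 1, 172800, 4)
        msg += bytes(int(part) for part in glue_ip.split("."))
    return msg

def demo():
    """Root-server step from the answer, then a constructed broken delegation."""
    good = next_step(parse_response(make_referral(
        "www.stackexchange.com", "com", "e.gtld-servers.net", "192.12.94.30")))
    broken = next_step(parse_response(make_referral(
        "www.example.com", "example.com", "ns1.example.com")))   # no glue supplied
    return good, broken, missing_glue(broken[1])

if __name__ == "__main__":
    print(demo())
```

To run it against a live server, send the bytes from build_query over UDP to port 53 and pass the reply to parse_response; without EDNS, replies larger than 512 bytes arrive truncated.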


























A normal DNS client just queries the (DHCP or statically) assigned DNS servers. Only DNS servers usually query root servers, doing a recursive query.

You can use a packet capture of your choice and filter for UDP (TCP) source or destination port 53 to see the communication with any DNS server.

Which servers and exact method a DNS client uses is up to the OS or the application and off-topic here.

















answered Aug 11 at 9:50 by Zac67




















I think you are looking for dig +trace. The following command

    dig +trace networkengineering.stackexchange.com

will query the root name servers (NS) for the NS of .com, then the .com NS for the NS of stackexchange and finally will get an answer for networkengineering.

















answered Aug 11 at 11:33 by Jens Link



























                               
