DNS Failures

We use DNS a lot in email, particularly for authentication, so diagnosing why DNS isn’t returning what we expect it to is a pretty common challenge. And DNS responses aren’t exactly the clearest thing to understand.

There are two types of DNS server we need to know about. When we publish DNS records for our own domain we add them to a nameserver that is authoritative for our domain. It’s the server that the rest of the Internet asks about DNS records for our domains. But when we ask about a DNS record we usually ask our local recursive resolver – it does all the hard work to find the authoritative server for the domain we asked about, gets the answer and passes it back to us. (It’ll also remember that answer for a while, so if it’s asked the same question again it doesn’t have to do all the work and can just return the answer it got last time).

When we ask a question to DNS we typically ask about a pair of things together. They are a hostname, such as www.aol.com or turscar.ie, and a resource record type, such as MX or A or TXT.

The answer we get consists of a response code, and a list of zero or more resource records in the Answer section that are answers to our question. (There’ll also often be other resource records that aren’t answers to our question; rather, they’re there to help our recursive resolver find the right authoritative server. They’re very useful when diagnosing DNS issues, but we’re not going to talk about them here).

There are four common DNS response codes: NOERROR, NXDOMAIN, SERVFAIL and REFUSED. Or sometimes a DNS server doesn’t respond at all and the query just times out. What do they mean?

NOERROR

NOERROR is the response code you’re usually hoping for. It means that there are resource records of some type that match the hostname we asked for.

But the answer section will only contain answer resource records that match the hostname and the record type we asked for.

If we look up an A record for www.turscar.ie we get a NOERROR response, with one answer in the answer section. Sure enough, that’s the IP address of one of our webservers. There is an A record for www.turscar.ie.

But if we look up a TXT record for www.turscar.ie we get a NOERROR response with zero answers in the answer section. There is no TXT record for www.turscar.ie (but we know there are records with the same hostname and different record types).

What does the hostname and record type matching mean, exactly? It means that the hostname of the question and the hostname of the answer must be identical (but case-insensitively, so TURscar.IE matches turscar.ie) and it means that the record type of the answer must be a sensible answer to the record type of the question. An exact match – an A answer to an A question or an MX answer to an MX question – is always a sensible answer, but a CNAME answer is a sensible match to any question. (A CNAME is the way DNS can say “ask for this other hostname instead” in an answer).

Getting multiple answers to a question is pretty common, for example Gmail’s MX records.

NXDOMAIN

NXDOMAIN means that there is no answer matching our question, and that there’s no answer matching any question with the same hostname.

There’s no such host as gopher.turscar.ie.

NXDOMAIN doesn’t mean “I don’t know” or “I couldn’t find an answer”. It means that the authoritative nameserver for the domain says the hostname doesn’t exist.

REFUSED

REFUSED means that the nameserver understood your question, but declined to answer it for policy reasons. The most common reason for that is that you’re asking an authoritative server for a hostname in a domain it doesn’t believe it’s authoritative for.

SERVFAIL

SERVFAIL means … something went wrong. You’ll sometimes get this for malformed requests, or a nameserver where something’s broken, but the most common reason for it is when you asked your local recursive resolver a question and it failed to get any answer at all from the authoritative server.

So if the authoritative servers for a domain are down, or the domain registration points at nameservers that don’t exist, or at nameservers that aren’t authoritative for the domain, the query will time out. Your recursive resolver eventually returns a SERVFAIL response to you to tell you that “something went wrong with DNS” and you can’t have an answer.
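To make the two rules above concrete (the hostname/record-type matching rule from the NOERROR section, and the meaning of each response code), here is an added example that is not from the original post: a small wire-format parser that pulls the RCODE, the question and the Answer section out of a DNS response, keeps only the records that actually answer the question (same hostname case-insensitively, same type or a CNAME), and reports the same diagnosis the post gives for each code. The sample messages are constructed in the script, not captured from real servers; the example.com/example.net names and the 192.0.2.10 address are documentation placeholders, and the record-type and RCODE constants are the standard RFC 1035 values.

```python
import struct

# RCODE values from RFC 1035
NOERROR, SERVFAIL, NXDOMAIN, REFUSED = 0, 2, 3, 5
RCODE_NAMES = {NOERROR: "NOERROR", SERVFAIL: "SERVFAIL",
               NXDOMAIN: "NXDOMAIN", REFUSED: "REFUSED"}
# Resource record type codes from RFC 1035
TYPE_A, TYPE_CNAME, TYPE_MX, TYPE_TXT = 1, 5, 15, 16


def read_name(msg, offset, hops=0):
    """Decode a (possibly compressed) domain name starting at offset.
    Returns (name, offset just past the name as written in the message)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # compression pointer (top two bits set)
            if hops > 20:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2               # the name occupies just the 2-byte pointer
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            continue
        offset += 1
        if length == 0:                        # root label terminates the name
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Parse header, question and answer sections; authority/additional are skipped."""
    _ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        answers.append((name, rtype, msg[offset:offset + rdlen]))
        offset += rdlen
    return rcode, questions, answers


def is_answer_to(question, record):
    """The post's matching rule: identical hostname (case-insensitively) and
    either the same type as the question or a CNAME."""
    qname, qtype = question
    rname, rtype, _rdata = record
    return rname.lower() == qname.lower() and rtype in (qtype, TYPE_CNAME)


def diagnose(msg):
    """Return (rcode name, number of matching answers, plain-English diagnosis)."""
    rcode, questions, answers = parse_response(msg)
    question = questions[0]
    matching = [r for r in answers if is_answer_to(question, r)]
    name = RCODE_NAMES.get(rcode, "RCODE%d" % rcode)
    if rcode == NOERROR and matching:
        return name, len(matching), "name exists; %d matching answer(s)" % len(matching)
    if rcode == NOERROR:
        return name, 0, "name exists but has no record of the requested type"
    if rcode == NXDOMAIN:
        return name, 0, "authoritative server says the hostname does not exist"
    if rcode == REFUSED:
        return name, 0, "server declined to answer (policy; probably not authoritative)"
    if rcode == SERVFAIL:
        return name, 0, "resolver could not get an answer from the authoritative servers"
    return name, 0, "unexpected response code"


# --- constructed sample messages (built here, not captured from real servers) ---

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(rcode, qname, qtype, answers):
    """answers: (owner, rtype, rdata); owner None means 'compression pointer
    to the question name', which always sits at offset 12."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)  # QR,RD,RA set
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in answers:
        msg += b"\xc0\x0c" if owner is None else encode_name(owner)
        msg += struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


A_RECORD = build_response(NOERROR, "www.turscar.ie", TYPE_A, [(None, TYPE_A, bytes([192, 0, 2, 10]))])
EMPTY_TXT = build_response(NOERROR, "www.turscar.ie", TYPE_TXT, [])
NO_SUCH_HOST = build_response(NXDOMAIN, "gopher.turscar.ie", TYPE_A, [])
# A CNAME is a sensible answer to an A question, and owner-name case is ignored.
CNAME_FOR_A = build_response(NOERROR, "WWW.Example.COM", TYPE_A,
                             [("www.example.com", TYPE_CNAME, encode_name("web.example.net"))])
BROKEN = build_response(SERVFAIL, "www.turscar.ie", TYPE_MX, [])

if __name__ == "__main__":
    for label, msg in [("A", A_RECORD), ("TXT", EMPTY_TXT), ("NXDOMAIN", NO_SUCH_HOST),
                       ("CNAME", CNAME_FOR_A), ("SERVFAIL", BROKEN)]:
        print(label, diagnose(msg))
```

Running the script prints one line per constructed message. Feeding `diagnose()` the raw bytes of a real reply (for example, one read off a socket, or the wire-format output of a query tool) works the same way, since it only relies on the header layout and label compression defined in RFC 1035; records in the authority and additional sections are deliberately not parsed, matching the scope of the post.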

Other neat DNS things

We have some tools that let you query DNS via a web interface, with sharable URLs.

mess with dns is a DNS sandbox that lets you set up DNS on a throwaway domain, query it and see what answers you get. Created by Julia, who also has a great zine about DNS, amongst many other geeky things.


  • Nice summary, I have one niggle — it’s possible to get NOERROR and no records for every query for a name, if there are records at a subname. For example, _domainkey.example.com probably has no records at all, but a subname like selector1._domainkey.example.com has a TXT record.
    We can save the acronym ENT for the advanced seminar.

By steve
