[Mimedefang] Net::DNS referral section for a Domain?

Fri Nov 14 14:54:45 EST 2014

On 2014-11-13 23:44 , Kevin A. McGrail wrote:
> Trying to do some checks on spam by nameservers but I can't figure out how to find the referral nameservers for a domain from the root servers.

You need to figure out what the root name servers for a TLD are, first. It depends a bit on how thorough you want to be.

Something like this would probably work:

  my ($tld) = $fqdn =~ /\.([\w-]+)\.?$/;
  $resolver ||= Net::DNS::Resolver->new();
  my $answer = $resolver->send($tld, "NS");
  if ( $answer and $answer->header->rcode eq 'NOERROR' ) {
     @tld_nameserver = map { $_->nsdname }
                       grep { $_->type eq 'NS' }
                       $answer->answer;
  }
  else {
    # TLD doesn't exist...
  }

That will give you the nameservers of a TLD, given an FQDN. At least, in every case that I'm aware of. There's a slim possibility that a TLD is actually served by the root name servers, in which case you get nothing querying for the name servers of that TLD. If you want to tackle that case, you have to first get the root name servers ( $resolver->send(".", "NS") ), then specifically ask one of those name servers for the FQDN, without the recursion flag. You'd get back a first level nameservers as a reference in the authority section.

If you want to get any further, it's going to be a bit of a hassle. You either have to keep chasing after each NS reference using non-recursive queries, or use something like the publicsuffix.org project to determine the appropriate "top level" domain. But both cases will likely give you another answer as to what "the" nameservers of a domain are, and it depends on what you are looking for, what the "right" answer is.

> This snippet gets the SOA records which don't have to agree with whois, for example:

Err... SOA? I think you mean "NS" records.

> ns3.pccc.com
> ns.2rad.net
> ns.pccc.com
> ns2.pccc.com
> 
> But perhaps it's because our system will check and the servers are authoritative.
> 
> What we want is the equivalent of a dig +trace referral record which would be:
> 
> ;; Received 486 bytes from 198.41.0.4#53(a.root-servers.net) in 9 ms
> 
> pccc.com.               172800  IN      NS      ns.pccc.com.
> pccc.com.               172800  IN      NS      ns2.pccc.com.
> pccc.com.               172800  IN      NS      ns3.pccc.com.

That difference is caused by the fact that your registrar only lists {ns,ns2,ns3}.pccc.com as name servers, while those name servers also list ns.2rad.net. So you'd see that extra name server depending on whether the caching name servers where you're sending the queries, previously queried that domain. Normally, domains wouldn't exhibit this sort of behaviour (and if you want my advice - drop the extra nameserver, it'll only cause confusion).

-- 
Jan-Pieter Cornet <johnpc at xs4all.nl>
"Any sufficiently advanced incompetence is indistinguishable from malice."
    - Grey's Law

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 971 bytes
Desc: OpenPGP digital signature
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20141114/9146bd24/attachment-0003.sig>