UNIX System Administration Handbook - Evi Nemeth [285]
host provides terse-but-friendly output by default, but it can be made more verbose with the -v option (although not as verbose as dig). It expects the domain you are querying to end in a dot. If you look up a relative name, host first tries appending the domains in your resolv.conf file; if none of them work, it simply appends the dot.
% host amazon.com.
amazon.com has address 208.216.182.15
amazon.com mail is handled (pri=10) by service-4.amazon.com
amazon.com mail is handled (pri=10) by service-5.amazon.com
When testing a new configuration, be sure that you look up data for both local and remote hosts. If you can access a host by IP address but not by name, DNS is probably the culprit.
Lame delegations
When you apply for a domain name, you are asking for a part of the DNS naming tree to be delegated to your primary name server and your DNS administrator. If you never use the domain or you change the name servers without updating the parent domain’s glue records, a “lame delegation” results.
The effects of a lame delegation can be very bad. If a user tries to contact a host in your lame domain, your name server will refuse the query. DNS will retry the query several hundred times, pummeling both your master server and the root servers. In one log file that was 3.5MB (at level info) after almost a week, over one-third of the entries were lame delegations. Of those, 16% involved queries to the root servers, presumably for nonexistent domains. One persistent user queried the root servers for tokyotopless.net hundreds of times. Sigh. Here is an example:
Jan 29 05:34:52 ipn.caida.org named[223]: Lame server on 'www.games.net' (in 'GAMES.net'?): [207.82.198.150].53 'NS2.EXODUS.net'
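Counting entries like the one above across a whole log (the one-third share and the repeat offenders mentioned in the text) is tedious by hand. The script below is an added example, not from the book or from BIND itself; it parses the "Lame server on" message in the form shown above, tallies entries by zone and by offending server, and flags hits in zones you are responsible for, since those point at your own delegation or configuration rather than someone else's. The sample log lines are constructed: two reuse the server and address from the excerpt, the rest use RFC 5737 addresses and example.com.

```python
import re
from collections import Counter

# Pattern for the BIND 8 "Lame server" message in the form shown on this page
LAME_RE = re.compile(
    r"Lame server on '(?P<qname>[^']+)' \(in '(?P<zone>[^']+)'\?\): "
    r"\[(?P<ip>[^\]]+)\]\.(?P<port>\d+) '(?P<server>[^']+)'"
)


def parse_lame(line):
    """Return the fields of a lame-delegation log entry, or None for any other message."""
    m = LAME_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # named logs zone and server names in whatever case the remote side used; normalize
    rec["zone"] = rec["zone"].lower().rstrip(".")
    rec["server"] = rec["server"].lower().rstrip(".")
    return rec


def summarize(lines, own_zones=()):
    """Tally lame-delegation entries across a named log.

    own_zones: zones you are responsible for; a hit there means your delegation
    (or your server's configuration) is broken, not someone else's.
    """
    own = {z.lower().rstrip(".") for z in own_zones}
    total = lame = 0
    by_zone, by_server, own_hits = Counter(), Counter(), Counter()
    for line in lines:
        total += 1
        rec = parse_lame(line)
        if rec is None:
            continue
        lame += 1
        by_zone[rec["zone"]] += 1
        by_server[f"{rec['server']} [{rec['ip']}]"] += 1
        if rec["zone"] in own:
            own_hits[rec["zone"]] += 1
    return {
        "total": total,
        "lame": lame,
        "lame_share": lame / total if total else 0.0,
        "by_zone": by_zone,
        "by_server": by_server,
        "own_hits": own_hits,
    }


# Constructed sample log: the first two lines reuse the server and address from the
# excerpt on this page; the others use RFC 5737 addresses and example.com
SAMPLE_LOG = """\
Jan 29 05:34:52 ipn.caida.org named[223]: Lame server on 'www.games.net' (in 'GAMES.net'?): [207.82.198.150].53 'NS2.EXODUS.net'
Jan 29 05:35:10 ipn.caida.org named[223]: Lame server on 'www.games.net' (in 'GAMES.net'?): [207.82.198.150].53 'NS2.EXODUS.net'
Jan 29 05:36:01 ipn.caida.org named[223]: Lame server on 'mail.example.com' (in 'example.com'?): [192.0.2.53].53 'ns1.example.com'
Jan 29 05:37:44 ipn.caida.org named[223]: reloading nameserver
Jan 29 05:38:02 ipn.caida.org named[223]: Lame server on 'www.example.com' (in 'example.com'?): [192.0.2.54].53 'NS2.EXAMPLE.COM'
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, own_zones={"example.com"})
    print(f"{report['lame']} of {report['total']} entries "
          f"({report['lame_share']:.0%}) are lame delegations")
    for server, n in report["by_server"].most_common():
        print(f"  {n:3d}  {server}")
    if report["own_hits"]:
        print("our own zones are affected:", dict(report["own_hits"]))
```

Run it against a real log with `summarize(open("/var/log/messages"), own_zones={"yourdomain.example"})`; the per-server counter tells you whom to contact, and a non-empty `own_hits` means the parent's glue or your named.conf needs fixing first.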
Here’s how we’d track down the problem with dig; we truncated some of dig’s verbose output:
% dig www.games.net.
;; ...
;; QUESTIONS:
;; www.games.net, type = A, class = IN
;; ANSWERS:
www.games.net. 3600 A 209.1.23.92
;; AUTHORITY RECORDS:
games.net. 3600 NS ns.exodus.net.
games.net. 3600 NS ns2.exodus.net.
games.net. 3600 NS ns.pcworld.com.
;; ADDITIONAL RECORDS: ...
The first query at the local server returns the address record for www.games.net and a list of authoritative servers.
The server at ns.exodus.net worked fine when we queried it (not shown), but ns2.exodus.net is another story:
% dig @ns2.exodus.net www.games.net.
;; QUESTIONS:
;; www.games.net, type = A, class = IN
;; AUTHORITY RECORDS:
net. 244362 NS F.GTLD-SERVERS.net.
net. 244362 NS J.GTLD-SERVERS.net.
net. 244362 NS K.GTLD-SERVERS.net.
net. 244362 NS A.GTLD-SERVERS.net.
;; ...
ns2 is listed as an authoritative server for the domain, but it returns no records and refers us to the servers for the net top-level domain. Therefore, we can conclude that ns2.exodus.net is configured incorrectly.
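The conclusion above rests on two things visible in the dig output: whether the server answered authoritatively (dig's `aa` flag), and whether the AUTHORITY section refers the query back to a zone above the one the server is supposed to serve (here `net.` instead of `games.net.`). The code below is an added example, not part of the book or of BIND, that applies the same test to raw DNS responses: it parses the wire format (header flags, question, and RR sections, including compression pointers), then classifies a response from a server that the parent lists as NS for a zone as authoritative, lame (an upward referral), or merely non-authoritative. The two packets are constructed to mirror the two transcripts above; no network access is needed.

```python
import socket
import struct

TYPE_A, TYPE_NS = 1, 2
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name; return (absolute name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                   # the name in the stream ends after the pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(msg):
    """Parse header flags, the question, and the answer/authority/additional sections."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _ = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype))
    resp = {"aa": bool(flags & FLAG_AA), "rcode": flags & 0xF, "questions": questions}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            rrs.append((owner, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
        resp[key] = rrs
    return resp


def is_ancestor(candidate, zone):
    """True if `candidate` is the root or a parent zone of `zone` (absolute, lowercase)."""
    return candidate == "." or zone.endswith("." + candidate)


def check_delegation(resp, zone):
    """Classify a response from a server that the parent lists as NS for `zone`."""
    if resp["aa"]:
        return "authoritative"
    zone = zone.lower()
    referred = {owner.lower() for owner, rtype, _, _ in resp["authority"] if rtype == TYPE_NS}
    if any(is_ancestor(z, zone) for z in referred):
        return "lame"                           # referred us back up the tree, as ns2 did
    return "non-authoritative"


def build_response(qname, aa, answers, authority):
    """Assemble a constructed wire-format response; RRs are (owner, type, ttl, rdata)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AA if aa else 0)
    msg = struct.pack("!6H", 0x1234, flags, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for owner, rtype, ttl, rdata in answers + authority:
        # Like real servers, point a repeated owner name back at the question (offset 12)
        owner_bytes = b"\xc0\x0c" if owner == qname else encode_name(owner)
        msg += owner_bytes + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


# Constructed packets modelled on the two dig transcripts on this page
GOOD = build_response(
    "www.games.net.", True,
    [("www.games.net.", TYPE_A, 3600, socket.inet_aton("209.1.23.92"))],
    [("games.net.", TYPE_NS, 3600, encode_name("ns.exodus.net."))],
)
LAME = build_response(
    "www.games.net.", False, [],
    [("net.", TYPE_NS, 244362, encode_name(s))
     for s in ("F.GTLD-SERVERS.net.", "J.GTLD-SERVERS.net.")],
)


def audit():
    """Classify each constructed response as if it came from the named server."""
    return {server: check_delegation(parse_response(pkt), "games.net.")
            for server, pkt in (("ns.exodus.net", GOOD), ("ns2.exodus.net", LAME))}


if __name__ == "__main__":
    for server, verdict in audit().items():
        print(f"{server}: {verdict}")
```

To run the same check live, send a query for a name in the zone to each server the parent lists (`socket.sendto` on UDP port 53) and feed the reply to `parse_response`; a server that the parent delegates to but that returns `lame` or `non-authoritative` is the one whose configuration, or whose glue record, needs fixing.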
16.15 LOOSE ENDS
This section includes a few loose ends and examples that should have come earlier in the chapter, but for which we just couldn’t find the right place. We collect them here, in no particular order.
The hints file
The hints file primes named’s cache with information about the servers of the root domain. Putting the root servers in the cache bootstraps the lookup process for all other names. If you don’t provide a hints file, BIND 9 uses a list of root servers hardwired into its code and will be able to load the root zone anyway. All earlier versions of BIND require a hints file. (If you supply a hints file for BIND 9, it overrides the hardwired hints.)
The root name servers change from time to time, but it’s easier to track them down than it used to be because they are all assigned hostnames in the root-servers.net domain. Use the sample file below for reference only.
If you already have access to a system with a running name server, you can have dig contact