Photo of Terence Eden. He has a beard and is smiling.

DNS Esoterica - Why you can't dig Switzerland

· 21 comments · 750 words · Viewed ~33,565 times.

As part of my new job, I'm learning a lot more about the mysteries of the Domain Name System than any mortal should know I thought possible.

The humble unix dig command allows you to query all sort of DNS information. For example, to see name server records for the BBC website, you can run:

dig bbc.co.uk NS

Which will get you:

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35614

;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 17



;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 1232

; COOKIE: 097db2ee4c92b84982083ecf62b5b5f2007906e616035113 (good)

;; QUESTION SECTION:

;bbc.co.uk.         IN  NS



;; ANSWER SECTION:

bbc.co.uk.      900 IN  NS  ddns1.bbc.com.

bbc.co.uk.      900 IN  NS  dns0.bbc.co.uk.

bbc.co.uk.      900 IN  NS  ddns1.bbc.co.uk.

...

And a whole lot more. But you can go further down the DNS tree. What are the nameservers for .co.uk?

dig co.uk NS

And you'll get your answer. You can go one further and see the nameservers for the Top Level Domain:

dig uk NS

Which replies with:

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54061

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 17



;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 1232

; COOKIE: 880427eda8ff71de2ab4f43862b5b65f95e317d29cc10a8e (good)

;; QUESTION SECTION:

;uk.                IN  NS



;; ANSWER SECTION:

uk.         159692  IN  NS  nsc.nic.uk.

uk.         159692  IN  NS  dns1.nic.uk.

uk.         159692  IN  NS  nsd.nic.uk.

...

And that works with every TLD. Countries like de, generic names like museum, and internationalised domains like 在线. All of them work!

Except Switzerland.

Switzerland's country code is ch - after the name Confoederatio Helvetica. Let's run the dig on it: dig ch NS

 YAML;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 31910

;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; WARNING: recursion requested but not available

We have been refused and warned. But why does this only happen with Switzerland?

The blame - as with most modern ills - lies in the mid-1970s. The Bee Gees were storming the charts with "Jive Talkin'", the Rocky Horror Picture Show was gathering a cult following, and MIT scientists were causing chaos. Literally.

Chaosnet was an early network protocol designed for local networks. It was technically very clever but, sadly, never really took off.

However, it found its way into DNS records. Let's go back to the answer to dig bbc.co.uk NS:

 YAML;; ANSWER SECTION:

bbc.co.uk.      900 IN  NS  ddns1.bbc.com.

OK, the first part is the domain name. The number is the TTL. The IN is the class. The NS says this is a nameserver record. And, finally, we get the domain of the nameserver.

But, in the class, what does IN stand for?

"Internet", obviously. Wait... Isn't the DNS on the Internet? Why do we need to specify that these DNS records are for Internet?

Well, isn't it obvious? Because you might want records of a different network. Like, for example, Chaosnet.

And if Internet is abbreviated to IN, what is Chaosnet shortened to? That's right! CH.

So, dig sees you enter ch for Switzerland, but thinks you're asking about CH for Chaosnet. And so it fails.

In order to query the records for ch we need to provide an absolutely fully-qualified domain name. It's as simple as sticking a dot at the end of the domain name:

dig ch. NS

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64932

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 11



;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 1232

; COOKIE: e19b9c23cdfa0f7bcf82750462b5c16b47744386c7974ffb (good)

;; QUESTION SECTION:

;ch.                IN  NS



;; ANSWER SECTION:

ch.         164894  IN  NS  e.nic.ch.

ch.         164894  IN  NS  a.nic.ch.

ch.         164894  IN  NS  f.nic.ch.

And there we go. A failed 1970s experiment like bell-bottoms and Betamax videos - but with much longer lasting consequences.

You can see some CH records by running like:

dig ch txt @f.root-servers.net version.bind

That will get you something like:

 YAML;; ANSWER SECTION:

version.bind.       86400   CH  TXT "cloudflare-f-root-20190930"

Of course, DNS doesn't only have IN and CH class records.

There's also Hesiod - HS. But you already knew that, right...?

Share this post on…

  • Mastodon
  • Facebook
  • LinkedIn
  • BlueSky
  • Threads
  • Reddit
  • HackerNews
  • Lobsters
  • WhatsApp
  • Telegram

21 thoughts on “DNS Esoterica - Why you can't dig Switzerland”

  7. G says:

    You have a very enjoyable writing style, thanks for sharing your curious find! I had always (wrongly) assumed "IN" was some kind of DNS set notation and just ignored it. TIL!
    Reply

  9. Zane Thomas says:

    The reason for all this is that the root servers are identified by the character '.' (dot, period) All software I'm aware of (other than really down in the weeds dns code) conveniently implies and/or adds the dot for you. The server hierarchy is actually like this . com org net and others duckduckgo etc A request of the A record for duckduckgo is actually dig duckduckgo.com.
    Reply

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.

Allowed HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">