DNS Esoterica - Why you can't dig Switzerland
As part of my new job, I'm learning a lot more about the mysteries of the Domain Name System than any mortal should know I thought possible.
The humble unix dig command allows you to query all sort of DNS information. For example, to see name server records for the BBC website, you can run:
dig bbc.co.uk NS
Which will get you:
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35614
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 17
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 097db2ee4c92b84982083ecf62b5b5f2007906e616035113 (good)
;; QUESTION SECTION:
;bbc.co.uk. IN NS
;; ANSWER SECTION:
bbc.co.uk. 900 IN NS ddns1.bbc.com.
bbc.co.uk. 900 IN NS dns0.bbc.co.uk.
bbc.co.uk. 900 IN NS ddns1.bbc.co.uk.
...
And a whole lot more. But you can go further down the DNS tree. What are the nameservers for .co.uk?
dig co.uk NS
And you'll get your answer. You can go one further and see the nameservers for the Top Level Domain:
dig uk NS
Which replies with:
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54061
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 17
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 880427eda8ff71de2ab4f43862b5b65f95e317d29cc10a8e (good)
;; QUESTION SECTION:
;uk. IN NS
;; ANSWER SECTION:
uk. 159692 IN NS nsc.nic.uk.
uk. 159692 IN NS dns1.nic.uk.
uk. 159692 IN NS nsd.nic.uk.
...
And that works with every TLD. Countries like de, generic names like museum, and internationalised domains like 在线. All of them work!
Except Switzerland.
Switzerland's country code is ch - after the name Confoederatio Helvetica. Let's run the dig on it: dig ch NS
YAML
;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 31910 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available
We have been refused and warned. But why does this only happen with Switzerland?
The blame - as with most modern ills - lies in the mid-1970s. The Bee Gees were storming the charts with "Jive Talkin'", the Rocky Horror Picture Show was gathering a cult following, and MIT scientists were causing chaos. Literally.
Chaosnet was an early network protocol designed for local networks. It was technically very clever but, sadly, never really took off.
However, it found its way into DNS records. Let's go back to the answer to dig bbc.co.uk NS:
;; ANSWER SECTION: bbc.co.uk. 900 IN NS ddns1.bbc.com.
OK, the first part is the domain name. The number is the TTL. The IN is the class. The NS says this is a nameserver record. And, finally, we get the domain of the nameserver.
But, in the class, what does IN stand for?
"Internet", obviously. Wait... Isn't the DNS on the Internet? Why do we need to specify that these DNS records are for Internet?
Well, isn't it obvious? Because you might want records of a different network. Like, for example, Chaosnet.
And if Internet is abbreviated to IN, what is Chaosnet shortened to? That's right! CH.
So, dig sees you enter ch for Switzerland, but thinks you're asking about CH for Chaosnet. And so it fails.
In order to query the records for ch we need to provide an absolutely fully-qualified domain name. It's as simple as sticking a dot at the end of the domain name:
dig ch. NS
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64932
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 11
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e19b9c23cdfa0f7bcf82750462b5c16b47744386c7974ffb (good)
;; QUESTION SECTION:
;ch. IN NS
;; ANSWER SECTION:
ch. 164894 IN NS e.nic.ch.
ch. 164894 IN NS a.nic.ch.
ch. 164894 IN NS f.nic.ch.
And there we go. A failed 1970s experiment like bell-bottoms and Betamax videos - but with much longer lasting consequences.
You can see some CH records by running like:
dig ch txt @f.root-servers.net version.bind
That will get you something like:
;; ANSWER SECTION: version.bind. 86400 CH TXT "cloudflare-f-root-20190930"
Of course, DNS doesn't only have IN and CH class records.
There's also Hesiod - HS. But you already knew that, right...?
@Edent My immediate thought was "why can you dig India then?" but when I did, the results didn't look like a country NS's results, so I dunno - maybe you can't do India either?
| Reply to original comment on hackers.town
@Edent Ah, yep, confirmed: also fails for India. To get answers for either ".in" or ".ch" you have to append the dot: "in." or "ch."
| Reply to original comment on hackers.town
DNS Esoterica – Why you can't dig SwitzerlandLink: shkspr.mobi/blog/2022/07/d…Comments: news.ycombinator.com/item?id=320946…
| Reply to original comment on twitter.com
Why you can't dig Switzerland. I love internet stuff like this. 🙂
shkspr.mobi/blog/2022/07/d…
| Reply to original comment on twitter.com
I enjoyed this DNS-related post, and more importantly, I want to get onto the chaosnet. Sounds fun.
shkspr.mobi/blog/2022/07/d…
via @edent
| Reply to original comment on twitter.com
CH still in use:
host -c ch -l ch-addr.net. dns.chaosnet.net
G says:
You have a very enjoyable writing style, thanks for sharing your curious find! I had always (wrongly) assumed "IN" was some kind of DNS set notation and just ignored it. TIL!
DNS Esoterica – Why you can't dig Switzerland : programming said on :
This Article was mentioned on reddit.com
| Reply to original comment on
Zane Thomas says:
The reason for all this is that the root servers are identified by the character '.' (dot, period) All software I'm aware of (other than really down in the weeds dns code) conveniently implies and/or adds the dot for you.
The server hierarchy is actually like this
.
com org net and others
duckduckgo etc
A request of the A record for duckduckgo is actually
dig duckduckgo.com.
This just amuses me...
For years I am trying to explain to people why certain usages of HTTP are not meant to be on HTTP, but people don't really look at the internet history to learn, or history in general
So I am left with "Ah, right, that, LOL"
shkspr.mobi/blog/2022/07/d…
| Reply to original comment on twitter.com
在 Hacker News 上看到「DNS Esoterica - Why you can't dig Switzerland」這篇,裡面提到 dig 的 "feature"。拿來查
tw的 NS 會這樣下:$ dig tw ns結果會是列出所有的 NS server:;; ANSWER SECTION:tw. 3600 IN NS h.dns.tw.tw. 3600 IN NS a.dns.tw.tw. 3600 IN NS g.dns.tw.tw. 3600 IN NS d.dns.tw.tw. 3600 IN NS anytld.apnic.net.tw. 3600 IN NS f.dns.tw.tw. 3600 IN NS b.dns.tw.tw. 3600 IN NS e.dns.tw.tw. 3600 IN NS c.dns.tw.tw. 3600 IN NS ns.twnic.net.照著作者說的,uk的dig uk ns可以得到類似的結果:;; ANSWER SECTION:uk. 86400 IN NS dns1.nic.uk.uk. 86400 IN NS dns4.nic.uk.uk. 86400 IN NS nsa.nic.uk.uk. 86400 IN NS nsb.nic.uk.uk. 86400 IN NS nsc.nic.uk.uk. 86400 IN NS nsd.nic.uk.uk. 86400 IN NS dns3.nic.uk.uk. 86400 IN NS dns2.nic.uk.但如果你下dig ch ns就會出現錯誤,像是這樣:; <<>> DiG 9.16.1-Ubuntu <<>> ch ns;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 5019;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4096;; QUESTION SECTION:;. CH NS
;; Query time: 0 msec;; SERVER: 127.0.0.1#53(127.0.0.1);; WHEN: Fri Jul 15 06:54:24 CST 2022;; MSG SIZE rcvd: 28原因是因為
CH這個關鍵字是 Chaosnet 的縮寫,而被特殊解讀:要避開這個解讀需要加上一個 dot (
.),採用 FQDN 的方式列出:dig ch. ns就會得到正確的結果:;; ANSWER SECTION:ch. 86400 IN NS a.nic.ch.ch. 86400 IN NS b.nic.ch.ch. 86400 IN NS f.nic.ch.ch. 86400 IN NS d.nic.ch.ch. 86400 IN NS e.nic.ch.另外的方式是dig -c IN -t NS ch,透過參數的方式讓 dig 不會誤會。<em>Related</em>| Reply to original comment on blog.gslin.org
なぜ "dig jp NS" は日本のネームサーバを返すのに、"dig ch NS" はスイスのネームサーバを返さないのか? digはインターネット(IN)以外のアドレスも受け付ける仕様になっており、"CH" はChaosnetを意味する。終端のピリオドを入れて "dig ch. NS" とやると正常に動く。shkspr.mobi/blog/2022/07/d…
| Reply to original comment on twitter.com
DNS 비사 - 왜 스위스(ch)는 dig 할 수 없을까? | GeekNews said on :
This Article was mentioned on news.hada.io
| Reply to original comment on
@Edent That was really interesting!I use dig a lot. So it was neat to learn a bit more about it too. Next, I’m going to read about Chaosnet! 😄
| Reply to original comment on mastodon.social
This is such a weird thing:
| Reply to original comment on twitter.com
If you read this as "DNS Erotica", you'll be disappointed, even though it's a very interesting post.
If you actually want DNS Erotica, dig the TXT records for neilzone.co.uk.
_
| Reply to original comment on twitter.com
You're probably too young to have attended the Interop conferences & exhibitions at Olympia in the early 80s about connecting the different networks which were around back then?
| Reply to original comment on twitter.com
Further proof that complex systems are not designed so much as grown.shkspr.mobi/blog/2022/07/d…
| Reply to original comment on twitter.com
Chaosnet is normally where the meta records for the DNS server live - usually just the version and authors.
| Reply to original comment on twitter.com
Funny to think that for a quirk of history we could all be talking about how we'd got a bad chaosnet connection etc.
| Reply to original comment on twitter.com
10 IPv4 Companion Protocols — An Introduction to Computer Networks, desktop edition 2.0.10 said on :
This Article was mentioned on intronetworks.cs.luc.edu
| Reply to original comment on
More comments on Mastodon.