
Obtaining SOA servers from a reverse DNS record

 ·  🎃 kr0m

When reverse DNS resolution fails, we need to locate the SOA servers, that is, the authoritative name servers for the reverse zone, so that we can debug the problem and check their configuration.

In this article, we will learn how to do it using some simple dig commands.

We query the reverse resolution of an IP:

dig -x 1.1.1.1

; <<>> DiG 9.16.20 <<>> -x 1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21950
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;1.1.1.1.in-addr.arpa.		IN	PTR

;; ANSWER SECTION:
1.1.1.1.in-addr.arpa.	884	IN	PTR	one.one.one.one.

;; Query time: 17 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Sep 17 14:02:08 CEST 2021
;; MSG SIZE  rcvd: 78

We can see that the response is:

1.1.1.1.in-addr.arpa.	884	IN	PTR	one.one.one.one.

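Now let's do it with the +trace option, which makes dig follow the delegation chain from the root servers down instead of relying on the recursive resolver's answer: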

dig -x 1.1.1.1 +trace

; <<>> DiG 9.16.20 <<>> -x 1.1.1.1 +trace
;; global options: +cmd
.			22039	IN	NS	h.root-servers.net.
.			22039	IN	NS	a.root-servers.net.
.			22039	IN	NS	e.root-servers.net.
.			22039	IN	NS	c.root-servers.net.
.			22039	IN	NS	l.root-servers.net.
.			22039	IN	NS	g.root-servers.net.
.			22039	IN	NS	k.root-servers.net.
.			22039	IN	NS	j.root-servers.net.
.			22039	IN	NS	b.root-servers.net.
.			22039	IN	NS	i.root-servers.net.
.			22039	IN	NS	f.root-servers.net.
.			22039	IN	NS	d.root-servers.net.
.			22039	IN	NS	m.root-servers.net.
.			22039	IN	RRSIG	NS 8 0 518400 20210929170000 20210916160000 26838 . YJg1f+J5EWxuDQ7ymn7qbKdqQ2XyxyYGlSNLuOtH/a9ojiEdFEq/ekoC 6D2uB77L5pJa8XZLA41e6jud6+Jm4mt2KLk9Q0duS1u3uNtXPMUwHPZH jcXVO5Mem9AQxELMlEi6mdy07dN95MiRsqB3SBvpInZaEY+9UO33Lix/ f3YM1xF7w8fKqapo5TvgHPrvSLztrZmcucClpqDPwdhTEhP6P6LLUElZ maw6ZvI8egn+fRC4NXpyWNu4Yut0OaNzmxR1RPuswez/aj+8FTfImXkm 5UX10D+NghntNZh5LB2B81a0ht81Yb2VzVQZp8eLysPdVu/ZHeNkC/7e tklyYw==
;; Received 525 bytes from 8.8.8.8#53(8.8.8.8) in 17 ms

in-addr.arpa.		172800	IN	NS	a.in-addr-servers.arpa.
in-addr.arpa.		172800	IN	NS	b.in-addr-servers.arpa.
in-addr.arpa.		172800	IN	NS	c.in-addr-servers.arpa.
in-addr.arpa.		172800	IN	NS	d.in-addr-servers.arpa.
in-addr.arpa.		172800	IN	NS	e.in-addr-servers.arpa.
in-addr.arpa.		172800	IN	NS	f.in-addr-servers.arpa.
in-addr.arpa.		86400	IN	DS	47054 8 2 5CAFCCEC201D1933B4C9F6A9C8F51E51F3B39979058AC21B8DF1B1F2 81CBC6F2
in-addr.arpa.		86400	IN	DS	53696 8 2 13E5501C56B20394DA921B51412D48B7089C5EB6957A7C58553C4D4D 424F04DF
in-addr.arpa.		86400	IN	DS	63982 8 2 AAF4FB5D213EF25AE44679032EBE3514C487D7ABD99D7F5FEC3383D0 30733C73
in-addr.arpa.		86400	IN	RRSIG	DS 8 2 86400 20210930000000 20210916230000 13711 arpa. nEd68FftaAjBAlDTUhpmZ8C1LsbJVYFsXvuZOjwso6ALwSj0aWT75ewH 0HpQb+qeJIpHMlcWHLt/SFf0S7iyN2Q+SUQ6DWvWWQbygz+8LPEX3GeU bGgiG8qQiK6JG4C01uen6XTynBVzOqDAeiAnFT0Ld02873P7W5fOC4jA 0yAQbP82vf1QcvWWCx2u80kLf1iiZTkD/Wd3Xf4g8t2/qNQ5OAX3c2+r 2uXK8Evr06LoMg6dItb29oUAbymRqYPZPCUj8v+R/1b8QudrMro7CVYX +YnKcWkavQWbnl2BPWoZibf8a0wTMwHnzTZhWrbYmWGf1rSoklPGlkzy u1zjug==
;; Received 861 bytes from 192.58.128.30#53(j.root-servers.net) in 18 ms

1.in-addr.arpa.		86400	IN	NS	apnic.authdns.ripe.net.
1.in-addr.arpa.		86400	IN	NS	apnic1.dnsnode.net.
1.in-addr.arpa.		86400	IN	NS	rirns.arin.net.
1.in-addr.arpa.		86400	IN	NS	ns3.lacnic.net.
1.in-addr.arpa.		86400	IN	NS	ns2.apnic.net.
1.in-addr.arpa.		86400	IN	DS	23004 13 2 3582737862817D55F8F7473BC58E620CFD4A0E1EF88F05C42C963113 3E32E894
1.in-addr.arpa.		86400	IN	RRSIG	DS 8 3 86400 20210923124555 20210902133611 54586 in-addr.arpa. Jm+SgiuYHgYhbNi8zVqaKBd9jzh+GBQ7xzXZTcCZEqH83UWPrs5lg/lQ UDYEvBwFL2tjwhXF47mhFg0A4c/z5rMRK2kXMtPStkQKIrj1D7V+YLHv GvhbGI2/jz44VQ2Eg/5GgPGO1iZ8to89LzSnn0fLfXhk5r6W+rqOSLAG nl4=
;; Received 462 bytes from 200.10.60.53#53(d.in-addr-servers.arpa) in 227 ms

1.1.1.in-addr.arpa.	86400	IN	NS	ns7.cloudflare.com.
1.1.1.in-addr.arpa.	86400	IN	NS	ns3.cloudflare.com.
pe4hvt59qb8a0lcsq5qlhgv2d7f0c6li.1.in-addr.arpa. 3600 IN NSEC3 1 0 5 529FD8D571478867 PECMHRIAVCLDLK0RGCS8TRK1AE2OD2CA NS
pe4hvt59qb8a0lcsq5qlhgv2d7f0c6li.1.in-addr.arpa. 3600 IN RRSIG NSEC3 13 4 3600 20211001181842 20210916164842 44089 1.in-addr.arpa. 2ZIFATvS7bDJk0P3jezYGkZ5sW4nKC0VoxvhH4HhSXvh0VsuR8O7IQYL ZXF6FlfnON4Lbsxxz7M0GLqZRIotbQ==
;; Received 305 bytes from 193.0.9.9#53(apnic.authdns.ripe.net) in 50 ms

1.1.1.1.in-addr.arpa.	1800	IN	PTR	one.one.one.one.
;; Received 78 bytes from 162.159.6.6#53(ns7.cloudflare.com) in 19 ms

We see that the two SOA servers, the name servers to which the 1.1.1.in-addr.arpa zone is delegated, are:

1.1.1.in-addr.arpa.	86400	IN	NS	ns7.cloudflare.com.
1.1.1.in-addr.arpa.	86400	IN	NS	ns3.cloudflare.com.

dig could have sent the final query to either of the two; in this run it chose:

;; Received 78 bytes from 162.159.6.6#53(ns7.cloudflare.com) in 19 ms
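
Reading the last delegation and the answering server out of a +trace by eye can be scripted. The following is an added example, not part of the original article: all function names are illustrative, and `sample_trace` is a constructed sample, a trimmed copy of the trace above with the DNSSEC records and most NS lines omitted.

```shell
#!/bin/sh
# Added example: pull the last delegation out of `dig -x IP +trace` output.
# All function names here are illustrative, not from the original article.

# Print "zone nameserver" for the deepest delegation in a trace read on stdin.
last_delegation() {
    awk '
        $4 == "NS" {                                # delegation record
            if ($1 != zone) { zone = $1; n = 0 }    # deeper zone: start over
            ns[n++] = $5
        }
        END { for (i = 0; i < n; i++) print zone, ns[i] }
    '
}

# Print "name ip" of the server that returned the final answer.
answered_by() {
    sed -n 's/^;; Received [0-9]* bytes from \([^#]*\)#[0-9]*(\([^)]*\)).*/\2 \1/p' |
        tail -n 1
}

# Constructed sample: the trace from this page with DNSSEC records trimmed.
sample_trace() {
    cat <<'EOF'
.                       22039   IN NS  a.root-servers.net.
;; Received 525 bytes from 8.8.8.8#53(8.8.8.8) in 17 ms
in-addr.arpa.           172800  IN NS  d.in-addr-servers.arpa.
;; Received 861 bytes from 192.58.128.30#53(j.root-servers.net) in 18 ms
1.in-addr.arpa.         86400   IN NS  apnic.authdns.ripe.net.
;; Received 462 bytes from 200.10.60.53#53(d.in-addr-servers.arpa) in 227 ms
1.1.1.in-addr.arpa.     86400   IN NS  ns7.cloudflare.com.
1.1.1.in-addr.arpa.     86400   IN NS  ns3.cloudflare.com.
pe4hvt59qb8a0lcsq5qlhgv2d7f0c6li.1.in-addr.arpa. 3600 IN NSEC3 1 0 5 529FD8D571478867 PECMHRIAVCLDLK0RGCS8TRK1AE2OD2CA NS
;; Received 305 bytes from 193.0.9.9#53(apnic.authdns.ripe.net) in 50 ms
1.1.1.1.in-addr.arpa.   1800    IN PTR one.one.one.one.
;; Received 78 bytes from 162.159.6.6#53(ns7.cloudflare.com) in 19 ms
EOF
}

# Live use (needs network): query each of those servers directly, without
# recursion, so a missing or differing PTR on one server stands out.
check_reverse() {
    dig -x "$1" +trace | last_delegation | while read -r zone ns; do
        printf '%s @%s: %s\n' "$zone" "$ns" "$(dig -x "$1" @"$ns" +norecurse +short)"
    done
}

sample_trace | last_delegation    # offline demo on the sample above
```

On a host with network access, `check_reverse 1.1.1.1` runs the same extraction against a live trace and prints each server's own PTR answer.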