Skip to main content
Understanding the DNS resolution path
Updated over a year ago

When troubleshooting an issue with DNS, it is often helpful to understand what DNS servers are involved in resolving a query. Dig allows you to see this using the +trace flag. This will cause Dig to show you all of the servers that were queried, and the answers they gave, while resolving the name. One added benefit to the +trace flag is that it does not use DNS caching, making it ideal for checking minute by minute DNS changes

If you want to know the full resolution path for a DNS name, you can use the below command. Due to the length of the output, the path will be documented in blue below:

dig google._domainkey.valimail.com TXT +trace

Start with the Internet Root Servers

; <<>> DiG 9.10.6 <<>> google._domainkey.valimail.com TXT +trace

;; global options: +cmd

. 518400 IN NS a.root-servers.net.

. 518400 IN NS b.root-servers.net.

<snip>

;; Received 239 bytes from 208.67.222.222#53(208.67.222.222) in 24 ms

Root server responds with names of .com servers

com. 172800 IN NS f.gtld-servers.net.

com. 172800 IN NS h.gtld-servers.net.

<snip>

The .com server responses are signed with DNSSEC. The DNSSEC related data is below:

E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766

com. 86400 IN RRSIG DS 8 1 86400 20190423170000 20190410160000 25266 . bhd3T6pgzXG6P3XMIuO8PQUdu5yGzIs20dt7SLKK7AtpF4SBMNlisANG 69THoYQQUHpzHHiY1+jGuTs//Q0SofzfEFZ1M1+Fb7ME7OJBTXIouffU VIutiT45CdULzkfWjMr352FvVdl4gyzr9MmdDi+jN/GlaCoLD0fxzgNH Axgel4vDq4q4gyJkWNNz+/tim1SAqn/L1vRFSLli32boKlN9ghlUY3Ek W1m/Z3WZF+3DNRPK0HgAeM/HecKE5+yZDc4WstqJiVxusfKekeV1hkb9 iPJnLXrn9SD5Ce5kly0irIo1gTjowFmxMDfzo7op9lAUTu1NMKaCCupj Y2mPrQ==

;; Received 1190 bytes from 192.36.148.17#53(i.root-servers.net) in 271 ms

As part or the response, the .com server returns the names of the Name server records for valimail.com

CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM

CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20190417044557 20190410033557 16883 com. JVHb16O0saKxJmvQzRDnIr6TtXda7SlBMNQX1nxQNrGaIiujeHiYoEaA w+9BH+TYid80XXzyZZ24Gfmz84hP5M5dJ0Sgfe5oCDddzJmXR4uFdflm l69ITKpjVivdhUdffeKEZG6ywxiIAnANYbHPxcaS1jrpG/uQcQWggt6s 1yo=

FCLUPOHNAPA51400RLV4H8H7MHCJJGJC.com. 86400 IN NSEC3 1 1 0 - FCLVANAT57BK9591DHN39D2L0C2GE8F4 NS DS RRSIG

FCLUPOHNAPA51400RLV4H8H7MHCJJGJC.com. 86400 IN RRSIG NSEC3 8 2 86400 20190417042545 20190410031545 16883 com. U3xGc004tZS1Yp/iyTkxGUWDoQLGJ/VbjJDZ8yF2ycGkTVLfQhO5eZzj /pC5BsHlBfTNopCkJtkpHpCXI7LihNYbbK4wPld3e3gM+lCq6yqqEBP7 wwcS4ztU+sebj1NcN9ZM05avmbxXOp911qgD8q5a012YroEoLIS7IQuJ tbU=

;; Received 697 bytes from 192.54.112.30#53(h.gtld-servers.net) in 47 ms

valimail.com servers return a Name Server record for _domainkey.valimail.com

_domainkey.valimail.com. 300 IN NS ns.vali.email.

;; Received 86 bytes from 205.251.192.220#53(ns-220.awsdns-27.com) in 150 ms

ns.vali.email returns the requested TXT record for google._domainkey.valimail.com

google._domainkey.valimail.com. 1800 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCF3d34YC3Mok7+J6KFWOHx0zoTwvnIlxPQLMu2dZ6kOK43g7QZcq0/nMnVKBds7dqgyn7eZ/CafhOHVFhSFOFbtaGOwJB4+eW4g4nz40TeMRYmY9TJMYLwQvbOKaP0Zq7D0eYvGPCgqI5mjZ3IrA6Rt/yA5gsOJ36IQOq79w2++QIDAQAB"

;; Received 336 bytes from 54.191.44.95#53(ns.vali.email) in 29 ms

Did this answer your question?