dig trace fails with Google Public DNS


Liam Hennessy

Feb 23, 2024, 2:49:27 PM
to public-dns-discuss
Hello,

Recently, this command stopped working:
dig @8.8.8.8 +trace example.com

For several years, it would show responses from the root and gtld servers, and the authoritative server for the domain.

Around the start of February 2024, it stopped working.
The full output is now like this:
dig @8.8.8.8 +trace example.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 +trace example.com
; (1 server found)
;; global options: +cmd
;; Received 28 bytes from 8.8.8.8#53(8.8.8.8) in 3 ms


Those tests were run on a server hosted by DigitalOcean.

When I run the same command on Google Cloud Shell, I get the full response:
$ dig @8.8.8.8 +trace example.com

; <<>> DiG 9.16.44-Debian <<>> @8.8.8.8 +trace example.com
; (1 server found)
;; global options: +cmd
.                       87203   IN      NS      a.root-servers.net.
.                       87203   IN      NS      b.root-servers.net.
.                       87203   IN      NS      c.root-servers.net.
.                       87203   IN      NS      d.root-servers.net.
.                       87203   IN      NS      e.root-servers.net.
.                       87203   IN      NS      f.root-servers.net.
.                       87203   IN      NS      g.root-servers.net.
.                       87203   IN      NS      h.root-servers.net.
.                       87203   IN      NS      i.root-servers.net.
.                       87203   IN      NS      j.root-servers.net.
.                       87203   IN      NS      k.root-servers.net.
.                       87203   IN      NS      l.root-servers.net.
.                       87203   IN      NS      m.root-servers.net.
.                       87203   IN      RRSIG   NS 8 0 518400 20240305050000 20240221040000 30903 . 4avQ9VY+GVAyloxcfhz9wPDe1pWMPp1B1W6zDkL/WWP8KKKHpcS6VRsn I37xId9cj6Uvrmrg5aJJZmgVSH7cdLOOoqEvLl3tR+64NLSV3rUQOyoo e0a4/M/qyCXuHaAwsR9vrWOIE6xdlxpCkDJkUXXEslXR66wbbsPyaTmL Dc5K5Bmp/mM9YQ04r4tEIu6/ZDkz38AUo+ASSaW+Q4nuyJvAahw7CIFV Djr+iAoib0qv+D54AsoGnSHgk+PJ1aqJF1zXokVq3TNjOyTKP1+uFvQA 8GMlxTLrE9RFU2/vFt9uOcXTIxenmqPIolXES9HmDXvl0oPmUArhFB6y EB9+Rw==
;; Received 525 bytes from 8.8.8.8#53(8.8.8.8) in 17 ms

com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    86400   IN      DS      19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
com.                    86400   IN      RRSIG   DS 8 1 86400 20240305050000 20240221040000 30903 . UnjmGqRQYd/+aIcJb5CycVMqQTOXre+tHutR9lQ0SEgDMEGn6lKOjBN4 qzf+D4ZeVi2fnokdCic0CrcUtUAq3WqJCMjfzDmJcQClt3VXWo8WVyN9 1jHV+uJSf3sAQ1fD8SAi5sbc5Sm3j8emHqWZiuGq1ONMZk4gktXKLD0M /JZ9PvXTpJ8E4sxPyUAGr8lKd6cJW+rHL/7aaTU5vf/kV6rSx/LCdD1y dkVjPGdBVkYPYhHk5K2s/AOZ6xTb1HwHxGFiBus2xn6JvsnOvr4X0Zh3 gkKxCTbK/fZ2n4s/Nr29yTUP6n24FDv4Zcy5dEDXs1Ksmn4lmSbMF2Wu vI1RJQ==
;; Received 1171 bytes from 192.5.5.241#53(f.root-servers.net) in 7 ms

example.com.            172800  IN      NS      a.iana-servers.net.
example.com.            172800  IN      NS      b.iana-servers.net.
example.com.            86400   IN      DS      370 13 2 BE74359954660069D5C63D200C39F5603827D7DD02B56F120EE9F3A8 6764247C
example.com.            86400   IN      RRSIG   DS 13 2 86400 20240225064122 20240218053122 4534 com. 0QSAVNX+83S3tWMhvf935zkq5Umz6MxdMBuJid4q6fywI8RD3FQikADm zwrCZ7W435/RRyI8HK2mHVvi+xes0A==
;; Received 235 bytes from 192.33.14.30#53(b.gtld-servers.net) in 68 ms

example.com.            86400   IN      A       93.184.216.34
example.com.            86400   IN      RRSIG   A 13 2 86400 20240308033759 20240216101000 2684 example.com. 3nELlO8OMYxQ59CEvy1cA1Yqz9DiyRxywX9ySLIVfLCYoOIF3uVmdvBn 9ZuZU9zY0ghHFN7XbmWrjnwHvHvo/w==
example.com.            86400   IN      NS      a.iana-servers.net.
example.com.            86400   IN      NS      b.iana-servers.net.
example.com.            86400   IN      RRSIG   NS 13 2 86400 20240308214515 20240216101000 2684 example.com. T/extkxwGtIxtWzRrwUCGiPjJ9QS9RAyd6lJu02e36PJQdrwk/qipcfw ZvbUKRLdo6lsoltuG4c7zTMV7ChxUg==
;; Received 318 bytes from 199.43.133.53#53(b.iana-servers.net) in 32 ms

Has Google changed something? As far as I understand, the first step of that command would be to ask 8.8.8.8 for a list of the root servers, and it seems as though that step is not working when requested from my server.

If I change the IP address to Cloudflare's 1.1.1.1, I get the full response.
If I run the command on Google Cloud Shell, I get the full response.
But from other sources, such as my servers and my MacBook, I get an empty response.

Any ideas?

Kind regards,
Liam


Matt Nordhoff

Feb 26, 2024, 8:46:03 PM
to public-dns-discuss
Before version 9.15.1, `dig +trace` did not set the Recursion Desired bit in the root NS query. In other words, it's basically doing `dig +norecurse . ns @dns.google` instead of `dig . ns @dns.google`.

Recursive resolvers will not respond usefully to non-recursive queries if they don't have the response cached; some block them entirely because they're only useful for `dig +trace` and cache snooping.

Google Public DNS seems to be responding inconsistently to non-RD queries now:

$ dig +norecurse . ns @dns.google

; <<>> DiG 9.19.21-1+ubuntu20.04.1+deb.sury.org+2-Ubuntu <<>> +norecurse . ns @dns.google
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 65106
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;.                              IN      NS

;; Query time: 4 msec
;; SERVER: 2001:4860:4860::8844#53(dns.google) (UDP)
;; WHEN: Tue Feb 27 01:37:53 UTC 2024
;; MSG SIZE  rcvd: 28

$ dig +norecurse com ns @dns.google

; <<>> DiG 9.19.21-1+ubuntu20.04.1+deb.sury.org+2-Ubuntu <<>> +norecurse com ns @dns.google
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42622
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;com.                           IN      NS

;; Query time: 4 msec
;; SERVER: 2001:4860:4860::8844#53(dns.google) (UDP)
;; WHEN: Tue Feb 27 01:38:18 UTC 2024
;; MSG SIZE  rcvd: 32

$ dig +norecurse example.com ns @dns.google

; <<>> DiG 9.19.21-1+ubuntu20.04.1+deb.sury.org+2-Ubuntu <<>> +norecurse example.com ns @dns.google
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7483
;; flags: qr ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com.                   IN      NS

;; ANSWER SECTION:
example.com.            15494   IN      NS      a.iana-servers.net.
example.com.            15494   IN      NS      b.iana-servers.net.

;; Query time: 4 msec
;; SERVER: 2001:4860:4860::8844#53(dns.google) (UDP)
;; WHEN: Tue Feb 27 01:38:23 UTC 2024
;; MSG SIZE  rcvd: 88

(That was in ATL, if anyone is curious.)

Your Google Cloud Shell server has dig 9.16.44, so it will work regardless.

[I don't know how to do plain text in Google Groups.]
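Added example, not part of either post and not code from dig or Google Public DNS: the Python below builds the `. NS` query that starts a trace with the Recursion Desired bit cleared (dig before 9.15.1) and set (9.15.1 and later), then decodes a constructed reply shaped like the SERVFAIL output in the thread. All function names are hypothetical, the reply bytes are constructed rather than captured, and the 4096-byte EDNS size in the query is an assumed value.

```python
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # DNS header flag bits (RFC 1035)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Wire-format name; the root '.' is a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_message(name, flags, udp_size, msg_id=0x1234, qtype=2):
    """Header + one question (qtype 2 = NS, class IN) + an empty EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt

def trace_root_query(rd):
    """The '. NS' query that starts a trace: rd=False before dig 9.15.1, rd=True after."""
    return build_message(".", RD if rd else 0, udp_size=4096)  # 4096 is an assumed size

def constructed_servfail(name):
    """Constructed reply shaped like the thread's output: 'qr ra', SERVFAIL, OPT only."""
    return build_message(name, QR | RA | 2, udp_size=512)

def parse_header(msg):
    """Decode the 12-byte header into the fields dig prints on its 'flags:' line."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"qr": bool(flags & QR), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "ancount": an}

def trace_can_start(reply):
    """A trace needs root NS records in the first answer to have anything to follow."""
    h = parse_header(reply)
    return h["rcode"] == "NOERROR" and h["ancount"] > 0

if __name__ == "__main__":
    for rd in (False, True):
        print("RD set in query:", parse_header(trace_root_query(rd))["rd"])
    reply = constructed_servfail(".")
    print(len(reply), "bytes", parse_header(reply), "trace can start:", trace_can_start(reply))
```

A reply carrying only header, question and OPT record comes to 28 bytes for `.` and 32 bytes for `com`, the same sizes as the "Received 28 bytes" line in the first post and the `MSG SIZE rcvd` values in the reply.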