While filtering on Domain Name System (DNS) queries in the Wireshark packet capture tool with a filter of udp.port==53 on a MacBook Pro laptop running OS X El Capitan (10.11.6), I saw a lot of "Standard query response refused" replies in the "Info" field for responses from the DNS server. When I expanded the "flags" section of the DNS response for those replies from the DNS server, I saw "Reply code: Refused (5)" for some IP address lookups, though other DNS queries were being answered with an IP address.
Using the uname command, uname -n, in a Terminal window to view the laptop's node name, I could see that the queries being refused were queries on the host name for the laptop itself.
$ uname -n
GSSLA15122293
$
When I used the host command in a Terminal window to check an IP lookup on a fully qualified domain name (FQDN), I saw an expected response. But when I attempted to look up the IP address using just the host name for the laptop, I could see that the issue was due to the built-in DNS server in use on the Netgear wireless router, to which the laptop was connected by Wi-Fi at that moment, not being authoritative for the domain name associated with the laptop. That explained why it was returning responses to the DNS queries with a reply code of 5, which indicates the query was refused.
$ host -v stackoverflow.com
Trying "stackoverflow.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 763
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;stackoverflow.com.             IN      A

;; ANSWER SECTION:
stackoverflow.com.      52      IN      A       151.101.1.69
stackoverflow.com.      52      IN      A       151.101.193.69
stackoverflow.com.      52      IN      A       151.101.129.69
stackoverflow.com.      52      IN      A       151.101.65.69

;; AUTHORITY SECTION:
stackoverflow.com.      116687  IN      NS      ns-358.awsdns-44.com.
stackoverflow.com.      116687  IN      NS      ns-cloud-e1.googledomains.com.
stackoverflow.com.      116687  IN      NS      ns-cloud-e2.googledomains.com.
stackoverflow.com.      116687  IN      NS      ns-1033.awsdns-01.org.

Received 231 bytes from 192.168.2.1#53 in 31 ms
Trying "stackoverflow.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18850
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;stackoverflow.com.             IN      AAAA

;; AUTHORITY SECTION:
stackoverflow.com.      774     IN      SOA     ns-1033.awsdns-01.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

Received 117 bytes from 192.168.2.1#53 in 20 ms
Trying "stackoverflow.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18213
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;stackoverflow.com.             IN      MX

;; ANSWER SECTION:
stackoverflow.com.      300     IN      MX      5 alt1.aspmx.l.google.com.
stackoverflow.com.      300     IN      MX      5 alt2.aspmx.l.google.com.
stackoverflow.com.      300     IN      MX      1 aspmx.l.google.com.
stackoverflow.com.      300     IN      MX      10 alt3.aspmx.l.google.com.
stackoverflow.com.      300     IN      MX      10 alt4.aspmx.l.google.com.

;; AUTHORITY SECTION:
stackoverflow.com.      116687  IN      NS      ns-cloud-e2.googledomains.com.
stackoverflow.com.      116687  IN      NS      ns-1033.awsdns-01.org.
stackoverflow.com.      116687  IN      NS      ns-358.awsdns-44.com.
stackoverflow.com.      116687  IN      NS      ns-cloud-e1.googledomains.com.

Received 282 bytes from 192.168.2.1#53 in 94 ms
$ host -v GSSLA15122293
Trying "GSSLA15122293.abc.example.com"
Trying "GSSLA15122293.asfc.example.com"
Trying "GSSLA15122293.example.com"
Trying "GSSLA15122293"
Host GSSLA15122293 not found: 3(NXDOMAIN)
Received 106 bytes from 192.168.2.1#53 in 30 ms
$
Once I was back on the wireless network where the laptop usually resides, where it was using the DNS servers for that network, the host -v GSSLA15122293 command returned the IP address for the laptop.
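
The reply codes seen above ("Refused (5)" in the Wireshark flags section, NOERROR and 3(NXDOMAIN) in the host output) all come from the low four bits of the DNS header flags word. The following is an added example, not part of the original post: it decodes that field from raw UDP port 53 payloads and tallies which question names were refused. The function names and the sample payloads (including transaction ids 1001 to 1003) are constructed for illustration.

```python
import struct
from collections import Counter

# RCODE values from RFC 1035 section 4.1.1 (low 4 bits of the flags word).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_response(txid, qname, rcode):
    """Build a constructed, answer-less DNS response carrying one question."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1 ("qr rd ra") plus the RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(payload):
    """Return (txid, is_response, rcode_name, qname) for a DNS message."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    labels, pos = [], 12
    # Walk the length-prefixed labels of the first question until the root label.
    while qdcount and payload[pos:pos + 1] not in (b"", b"\x00"):
        length = payload[pos]
        if length & 0xC0 or pos + 1 + length > len(payload):
            raise ValueError("compressed or truncated question name")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    rcode = flags & 0x000F
    return txid, bool(flags & 0x8000), RCODES.get(rcode, f"RCODE{rcode}"), ".".join(labels)

def refused_names(payloads):
    """Count question names in responses whose reply code is REFUSED (5)."""
    counts = Counter()
    for p in payloads:
        _, is_response, rcode, qname = parse_response(p)
        if is_response and rcode == "REFUSED":
            counts[qname] += 1
    return counts

# Constructed sample payloads, not bytes taken from the capture described above.
SAMPLES = [
    build_response(763, "stackoverflow.com", 0),
    build_response(1001, "GSSLA15122293", 5),
    build_response(1002, "GSSLA15122293", 5),
    build_response(1003, "GSSLA15122293.example.com", 3),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_response(sample))
    print(dict(refused_names(SAMPLES)))
```

In Wireshark itself, the display filter dns.flags.rcode == 5 narrows a capture to the same refused responses.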