dig +trace

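DNS is a distributed database, with many different people controlling various parts of it. When your forward or reverse DNS (rDNS) is having problems and you want to see where the delegation is breaking, dig +trace comes to the rescue: it walks the delegation from the root servers down and shows which server answered at each step.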

This and many other dig examples are at: http://www.madboa.com/geek/dig/


$ dig -x 8.8.8.8 +trace

; <<>> DiG 9.7.0-P1 <<>> -x 8.8.8.8 +trace
;; global options: +cmd
. 518400 IN NS g.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS k.root-servers.net.
;; Received 228 bytes from 127.0.0.1#53(127.0.0.1) in 150 ms

in-addr.arpa. 172800 IN NS c.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS e.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS f.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS d.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS a.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS b.in-addr-servers.arpa.
;; Received 414 bytes from 192.58.128.30#53(j.root-servers.net) in 104 ms

8.in-addr.arpa. 86400 IN NS ns1.level3.net.
8.in-addr.arpa. 86400 IN NS ns2.level3.net.
;; Received 84 bytes from 196.216.169.10#53(c.in-addr-servers.arpa) in 360 ms

8.8.8.in-addr.arpa. 3600 IN NS ns2.google.com.
8.8.8.in-addr.arpa. 3600 IN NS ns4.google.com.
8.8.8.in-addr.arpa. 3600 IN NS ns3.google.com.
8.8.8.in-addr.arpa. 3600 IN NS ns1.google.com.
;; Received 120 bytes from 209.244.0.1#53(ns1.level3.net) in 84 ms

8.8.8.8.in-addr.arpa. 86400 IN PTR google-public-dns-a.google.com.
;; Received 82 bytes from 216.239.32.10#53(ns1.google.com) in 99 ms



$ dig google-public-dns-a.google.com +trace

; <<>> DiG 9.7.0-P1 <<>> google-public-dns-a.google.com +trace
;; global options: +cmd
. 518400 IN NS c.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS m.root-servers.net.
;; Received 228 bytes from 127.0.0.1#53(127.0.0.1) in 170 ms

com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
;; Received 504 bytes from 198.41.0.4#53(a.root-servers.net) in 129 ms

google.com. 172800 IN NS ns2.google.com.
google.com. 172800 IN NS ns1.google.com.
google.com. 172800 IN NS ns3.google.com.
google.com. 172800 IN NS ns4.google.com.
;; Received 184 bytes from 192.43.172.30#53(i.gtld-servers.net) in 202 ms

google-public-dns-a.google.com. 86400 IN A 8.8.8.8
;; Received 64 bytes from 216.239.38.10#53(ns4.google.com) in 84 ms
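
To find the breaking point without reading a trace by eye, the sketch below (an added example, not part of the original post) parses dig +trace output into hops, checks that each answering server was named in the previous referral, and reports where the chain stops. GOOD_TRACE is trimmed from the first trace above; BROKEN_TRACE and the function names are constructed for illustration, and only single-field records (NS, PTR, A) are parsed.

```python
import re

# Trimmed from the first trace above (NS sets shortened to the servers used).
GOOD_TRACE = """\
. 518400 IN NS j.root-servers.net.
;; Received 228 bytes from 127.0.0.1#53(127.0.0.1) in 150 ms
in-addr.arpa. 172800 IN NS c.in-addr-servers.arpa.
;; Received 414 bytes from 192.58.128.30#53(j.root-servers.net) in 104 ms
8.in-addr.arpa. 86400 IN NS ns1.level3.net.
8.in-addr.arpa. 86400 IN NS ns2.level3.net.
;; Received 84 bytes from 196.216.169.10#53(c.in-addr-servers.arpa) in 360 ms
8.8.8.in-addr.arpa. 3600 IN NS ns1.google.com.
;; Received 120 bytes from 209.244.0.1#53(ns1.level3.net) in 84 ms
8.8.8.8.in-addr.arpa. 86400 IN PTR google-public-dns-a.google.com.
;; Received 82 bytes from 216.239.32.10#53(ns1.google.com) in 99 ms
"""
# Constructed failure: the same trace cut off after the 8.in-addr.arpa referral.
BROKEN_TRACE = "\n".join(GOOD_TRACE.splitlines()[:7])

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)$")
FROM = re.compile(r"^;; Received \d+ bytes from [^(\s]+\(([^)]+)\)")

def parse_trace(text):
    """Return one dict per hop: owner name, record type, rdata list, answering server."""
    hops, records = [], []
    for line in text.splitlines():
        rr, got = RR.match(line.strip()), FROM.match(line)
        if rr:
            records.append(rr.groups())
        elif got and records:
            hops.append({"zone": records[0][0], "type": records[0][1],
                         "data": [r[2].rstrip(".").lower() for r in records],
                         "server": got.group(1).rstrip(".").lower()})
            records = []
    return hops

def check_delegation(hops):
    """Return (ok, message) saying where the delegation chain ends."""
    if not hops:
        return False, "no referrals parsed"
    for prev, cur in zip(hops, hops[1:]):
        if cur["server"] not in prev["data"]:
            return False, f"{cur['server']} answered but is not an NS for {prev['zone']}"
    last = hops[-1]
    if last["type"] == "NS":
        return False, f"no answer past {last['zone']} (delegated to {', '.join(last['data'])})"
    return True, f"{last['zone']} {last['type']} -> {last['data'][0]} (from {last['server']})"
```

Feed it saved output, for example check_delegation(parse_trace(open("trace.txt").read())), where trace.txt is a hypothetical file holding the output of dig +trace.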



Reducing spam for other people via SPF, DMARC, DKIM and Google Apps

I own several domains that spammers like to forge, and I do not like that.  Most of them are hosted on Google Apps.  This is the short version of how to get most of the forged spam properly discarded.

http://www.dkim.org/
http://www.openspf.org/
http://dmarc.org/overview.html

1. Generate the domain key for your domain
http://support.google.com/a/bin/answer.py?answer=174126

2. Add the public domain key to the DNS records for your domain, so that recipients can retrieve it to verify the DKIM signature header.
http://support.google.com/a/bin/answer.py?answer=173535
google._domainkey       3600 IN TXT   "v=DKIM1; k=rsa; p=MIGf...Really...Long...AQAB"

3. Turn on authentication to begin adding the DKIM header to outgoing mail messages.
http://support.google.com/a/bin/answer.py?answer=180504

4. Create an SPF record
http://support.google.com/a/bin/answer.py?hl=en&answer=33786
YourDomain.com.     3600 IN TXT   "v=spf1 include:_spf.google.com ~all"

5. Tell receivers that you sign all messages with DKIM and that they should discard anything that does not have a signature.
_adsp._domainkey        3600 IN TXT   "dkim=discardable"

6. Publish your DMARC record.  Depending on how busy your domain is, you will need to adjust your reporting.
http://support.google.com/a/bin/answer.py?hl=en&answer=2466563
_dmarc                  3600 IN TXT   "v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected];"

Check it all out:
dig -t TXT _dmarc.gavinhollinger.com @ns1.5sn.com
dig -t TXT google._domainkey.gavinhollinger.com @ns2.5sn.com
dig -t TXT _adsp._domainkey.gavinhollinger.com
dig -t TXT gavinhollinger.com

http://www.port25.com/support/authentication-center/email-verification/
Send an email to [email protected]
Wait for the response:
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham
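
The TXT records from steps 2, 4 and 6 can also be checked offline once the dig queries above have returned them. The sketch below is an added example, not part of the original post: it parses the SPF, DKIM and DMARC strings and lists settings that would let forged mail through. The "@" key for the domain apex, the report address and WEAK_ZONE are constructed for illustration.

```python
def parse_tags(txt):
    """Split a DKIM/DMARC 'tag=value; tag=value' TXT string into a dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def spf_all_result(txt):
    """Return the result the SPF 'all' mechanism yields, or None if it is absent."""
    names = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in txt.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            return names.get(term[0], "pass")  # a bare 'all' defaults to '+'
    return None

def audit(zone):
    """zone maps owner name -> TXT string; return a list of findings."""
    findings = []
    spf = spf_all_result(zone.get("@", ""))
    if spf in (None, "pass", "neutral"):
        findings.append(f"SPF: 'all' result is {spf}; unlisted senders are not failed")
    if not parse_tags(zone.get("google._domainkey", "")).get("p"):
        findings.append("DKIM: no public key published (an empty p= means revoked)")
    dmarc = parse_tags(zone.get("_dmarc", ""))
    if dmarc.get("v") != "DMARC1":
        return findings + ["DMARC: no valid record"]
    if dmarc.get("p") not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={dmarc.get('p')} asks receivers to take no action")
    pct = dmarc.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct}, policy does not cover all mail")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so no aggregate reports arrive")
    return findings

# Records from the steps above; the report address is a constructed placeholder.
PAGE_ZONE = {
    "@": "v=spf1 include:_spf.google.com ~all",
    "google._domainkey": "v=DKIM1; k=rsa; p=MIGf...Really...Long...AQAB",
    "_dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:reports@example.com;",
}
# Constructed weak zone for contrast.
WEAK_ZONE = {
    "@": "v=spf1 include:_spf.google.com ?all",
    "google._domainkey": "v=DKIM1; k=rsa; p=",
    "_dmarc": "v=DMARC1; p=none; pct=25",
}
```

audit(PAGE_ZONE) returns an empty list, while audit(WEAK_ZONE) returns one finding for each weakened setting.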