DNS and Authoritative Servers

Hey everyone, I've noticed that when I do a dig command, I don't get any authoritative records back. For example a dig to cnn.com just yields:

;; QUESTION SECTION:
;cnn.com.            IN    A

;; ANSWER SECTION:
cnn.com.        300    IN    A    157.166.226.25
cnn.com.        300    IN    A    157.166.226.26

At first I thought it was because my caching server already had it, but I tried a multitude of sites, and none return any authoritative records. How is this?
Even with the +authority switch it doesn't return anything. Is it possible the ISP can block this? That was my first thought, or is there something else at play?

I recall seeing all sorts of records using nslookup, especially with debug 2. You have to do query type SOA for start of authority. (You get details on your default or specified DNS server, too, first.)

$ nslookup -query=SOA -d2 bankofamerica.com

Other nslookup versions use '-qt' for '-query'.

Thanks for the response. I guess I'll use nslookup. I was aware of this tool, but always assumed that dig had more functionality to cover stuff like this. I guess not...

dig command shows authoritative answer

dig cnn.com

; <<>> DiG 9.9.4 <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27430
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cnn.com.            IN    A

;; ANSWER SECTION:
cnn.com.        300    IN    A    157.166.226.26
cnn.com.        300    IN    A    157.166.226.25

;; AUTHORITY SECTION:
cnn.com.        172800    IN    NS    ns1.p42.dynect.net.
cnn.com.        172800    IN    NS    ns2.p42.dynect.net.
cnn.com.        172800    IN    NS    ns3.timewarner.net.
cnn.com.        172800    IN    NS    ns1.timewarner.net.

;; ADDITIONAL SECTION:
ns1.p42.dynect.net.    86400    IN    A    208.78.70.42
ns1.p42.dynect.net.    300    IN    AAAA    2001:500:90:1::42
ns1.timewarner.net.    172800    IN    A    204.74.108.238
ns2.p42.dynect.net.    86400    IN    A    204.13.250.42
ns3.timewarner.net.    172800    IN    A    199.7.68.238

;; Query time: 190 msec
;; SERVER: 10.30.74.3#53(10.30.74.3)
;; WHEN: Sat Nov 30 17:48:21 EET 2013
;; MSG SIZE  rcvd: 257

That's so bizarre... this is my output:

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60915
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cnn.com.            IN    A

;; ANSWER SECTION:
cnn.com.        23    IN    A    157.166.226.25
cnn.com.        23    IN    A    157.166.226.26

;; Query time: 17 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sat Nov 30 13:14:22 2013
;; MSG SIZE  rcvd: 57

I don't know why we get two drastically different outputs.

Probably because the DNS server you are asking isn't recursive.

So how does one know they contact a recursive server? And how would you purposefully contact one instead of a non-recursive DNS server?

Is it luck of the draw? Because you did exactly the same command as I did, but got the DNS results back with the authority, something I've tried multiple times, but I just end up getting the basic return.
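One way to answer "how do I know whether the server I asked is recursive" is to read the header that dig already prints: `rd` is the recursion-desired bit the client set, `ra` means the server offers recursion, and `aa` is only set by a server authoritative for the zone. The script below is an added example, not code from the thread; it parses the two dig outputs quoted above (embedded verbatim, with the authority-section hostnames as they should read), reports the flags and section counts, and lists the NS names from the AUTHORITY section so you can query one of them directly. Only the Python standard library is used.

```python
"""Inspect dig output: did the answering server offer recursion, was the
answer authoritative, and which name servers could be queried directly?"""
import re
from collections import defaultdict

# Sample input: the two dig outputs quoted in the thread above (trimmed to the
# sections the parser needs). Output A includes an AUTHORITY section, B does not.
DIG_A = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27430
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cnn.com.            IN    A

;; ANSWER SECTION:
cnn.com.        300    IN    A    157.166.226.26
cnn.com.        300    IN    A    157.166.226.25

;; AUTHORITY SECTION:
cnn.com.        172800    IN    NS    ns1.p42.dynect.net.
cnn.com.        172800    IN    NS    ns2.p42.dynect.net.
cnn.com.        172800    IN    NS    ns3.timewarner.net.
cnn.com.        172800    IN    NS    ns1.timewarner.net.

;; ADDITIONAL SECTION:
ns1.p42.dynect.net.    86400    IN    A    208.78.70.42
ns1.p42.dynect.net.    300    IN    AAAA    2001:500:90:1::42

;; SERVER: 10.30.74.3#53(10.30.74.3)
"""

DIG_B = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60915
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cnn.com.            IN    A

;; ANSWER SECTION:
cnn.com.        23    IN    A    157.166.226.25
cnn.com.        23    IN    A    157.166.226.26

;; SERVER: 192.168.1.1#53(192.168.1.1)
"""

FLAGS_RE = re.compile(
    r"^;; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), "
    r"AUTHORITY: (\d+), ADDITIONAL: (\d+)", re.M)
SECTION_RE = re.compile(r"^;; (\w+) SECTION:")


def parse_dig(text):
    """Return header flags, section counts, and the records of each section."""
    m = FLAGS_RE.search(text)
    if m is None:
        raise ValueError("no dig header found")
    counts = dict(zip(("question", "answer", "authority", "additional"),
                      (int(x) for x in m.groups()[1:])))
    records = defaultdict(list)
    section = None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1).lower()
            continue
        # Comment lines start with ';'; the question section is not a record.
        if not line or line.startswith(";") or section in (None, "question"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        name, ttl, rclass, rtype = fields[0], int(fields[1]), fields[2], fields[3]
        records[section].append((name, ttl, rclass, rtype, " ".join(fields[4:])))
    return {"flags": set(m.group(1).split()), "counts": counts,
            "records": dict(records)}


def classify(parsed):
    """Summarise what the header and sections say about the answering server."""
    flags, counts = parsed["flags"], parsed["counts"]
    return {
        "recursion_requested": "rd" in flags,   # set by the client
        "recursion_available": "ra" in flags,   # server is a recursive resolver
        "authoritative_answer": "aa" in flags,  # server is authoritative for the zone
        "authority_records": counts["authority"],
        # NS names you could ask directly, e.g. dig @ns1.p42.dynect.net cnn.com
        "nameservers": sorted(r[4] for r in parsed["records"].get("authority", [])
                              if r[3] == "NS"),
    }


if __name__ == "__main__":
    for label, text in (("A", DIG_A), ("B", DIG_B)):
        print(label, classify(parse_dig(text)))
```

Both outputs on this page carry `ra`, so both servers are recursive resolvers and neither answer is authoritative (`aa` is absent); they differ only in whether the resolver chose to include the AUTHORITY section. To get an answer with `aa` set, take one of the NS names this script extracts from output A and query it directly with `dig @<nameserver> cnn.com`.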

There are two types of DNS server responses: authoritative and recursive. An internet root server has all of the known IPs cached and updates them constantly. This is analogous to an NTP Level 0 server, if that helps. These root servers are always considered authoritative. Your ISP's DNS is mostly recursive, i.e., it goes out and queries another DNS server to get an authoritative answer.

Your ISP's DNS is authoritative for nodes in its own domain (domain controller or a forest root). DNS servers that are authoritative for certain domains advertise them to the outside world, i.e. internet root servers.

nslookup -type=SOA

will work in Linux as you require. I would consult the dig docset for whatever options it supports.

Want recursion is a client request attribute. A server can do with 'go ask him', but a basic DNS gethostbyname library routine just wants the final answer. I suppose a DNS server might exist that can be configured to forward requests with recursion wanted. It would have a more meager cache, but if it is sharing a slow connection, it gets a quicker answer from a better connected correspondent DNS server up the chain. An absolute root server (com, net, org) might refuse to do recursion; they are too busy as it is. Google 'DNS Recursion' and lo and behold ("Disable Recursion on the DNS Server", Microsoft Learn), it is an anti-denial-of-service trick to not accept recursive requests. In this case, no simple clients can connect, just other DNS servers, so you need a ring of recursion-enabled DNS servers around your simple clients.

A caching no-domain DNS server is a nice thing to have as locally as possible, so you can keep asking for the same host (or address or other query) and get a local, cached answer quickly. The DNS service to support your domain (or your addresses in their pseudo domain) is really a completely separate function from a DNS server to answer queries about other domains.

Caching is a double-edged sword, though, as it can be poisoned. Hackers send an unsolicited packet with bad information as if responding to a request, and the DNS server accepts and saves it. That seems a worse problem than Denial of Service from queries to domains with infinite loops of redirection.

If there are no cache hits, a query, recursive or not, will eventually go to the authoritative source. However, any DNS server on your query's path may have a non-authoritative answer in cache to any of the multiple queries needed to finally answer your query: a.b.c.d may go to d, c.d, b.c.d to get a.b.c.d in the end.