When managing DNS infrastructure, administrators often need to verify which authoritative nameserver actually provided a specific DNS response. This becomes particularly important when:
- Comparing records between master and slave servers
- Troubleshooting propagation issues
- Validating DNS changes across infrastructure
The typical dig output shows the recursive resolver that answered your query (usually your local caching server), not the authoritative source:
dig example.com +short +identify
93.184.216.34 from server 192.168.1.1 in 1 ms.
Here, 192.168.1.1 is just your local resolver, not the authoritative nameserver.
The most reliable method is using dig +trace, which shows the entire resolution chain:
dig example.com +trace
; <<>> DiG 9.16.1 <<>> example.com +trace
;; global options: +cmd
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
;; Received 525 bytes from 192.168.1.1#53(192.168.1.1) in 4 ms
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
;; Received 1174 bytes from 198.41.0.4#53(a.root-servers.net) in 32 ms
example.com. 172800 IN NS a.iana-servers.net.
example.com. 172800 IN NS b.iana-servers.net.
;; Received 661 bytes from 192.5.6.30#53(a.gtld-servers.net) in 48 ms
example.com. 86400 IN A 93.184.216.34
;; Received 56 bytes from 199.43.135.53#53(a.iana-servers.net) in 40 ms
The last response (from 199.43.135.53) comes from the authoritative nameserver.
For domains with their own zone files, +nssearch shows all authoritative servers:
dig example.com +nssearch
SOA sns.dns.icann.org. noc.dns.icann.org. 2018050821 7200 3600 1209600 3600 from server 199.43.135.53 in 108 ms.
SOA sns.dns.icann.org. noc.dns.icann.org. 2018050821 7200 3600 1209600 3600 from server 199.43.133.53 in 160 ms.
Important caveats to remember:
- +nssearch only works for domains, not subdomains
- Some DNS providers may mask authoritative servers
- IPv6 servers might not respond in all cases
For regular checks between master and slave, use this bash script:
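#!/bin/bash
DOMAIN="example.com"
echo "Checking authoritative servers for $DOMAIN"
echo "========================================"
# +nssearch lines end in "... from server <ip> in <n> ms.", so the
# server address is the fourth field from the end, not the last one.
dig "$DOMAIN" +nssearch | awk '/from server/ {print $(NF-3)}' | while read -r server
do
    echo -n "Records from $server: "
    # Count the records each server returns for the same query
    dig @"$server" "$DOMAIN" ANY +short | wc -l
done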
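For the master/slave comparison itself, the SOA serial in each +nssearch line is the value to compare. The script below is an added example, not part of the original page: the function names soa_serials and check_serial_sync are hypothetical, and the sample input is constructed from the output above with one serial changed to show drift.

```shell
#!/bin/bash
# Added example: flag SOA serial drift between authoritative servers,
# parsing the `dig +nssearch` line format shown above.

# Constructed sample: the second server is one serial behind.
SAMPLE_NSSEARCH='SOA sns.dns.icann.org. noc.dns.icann.org. 2018050821 7200 3600 1209600 3600 from server 199.43.135.53 in 108 ms.
SOA sns.dns.icann.org. noc.dns.icann.org. 2018050820 7200 3600 1209600 3600 from server 199.43.133.53 in 160 ms.'

# Print "server serial" for each SOA line on stdin.
# Field 4 is the serial; the address follows the words "from server".
soa_serials() {
    awk '$1 == "SOA" {
        for (i = 1; i < NF - 1; i++)
            if ($i == "from" && $(i+1) == "server") print $(i+2), $4
    }'
}

# Exit 0 if every server reports the same serial, 1 on drift,
# 2 if no SOA answers could be parsed (e.g. all servers unreachable).
check_serial_sync() {
    soa_serials | awk '
        { seen[$2]++; n++; line[n] = $0 }
        END {
            if (n == 0) { print "no SOA answers parsed"; exit 2 }
            k = 0
            for (s in seen) k++
            for (i = 1; i <= n; i++) print line[i]
            if (k > 1) { print "DRIFT: " k " distinct serials"; exit 1 }
            print "OK: " n " server(s) at the same serial"
        }'
}

# With a domain argument, query live; otherwise use the constructed sample.
if [ -n "${1:-}" ]; then
    dig "$1" +nssearch | check_serial_sync
else
    printf '%s\n' "$SAMPLE_NSSEARCH" | check_serial_sync || true
fi
```

A server that fails to answer produces no SOA line, so compare the number of servers listed against the zone's NS set as well.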
Modern DNS systems may return different answers based on the client's subnet. To test this:
dig example.com +subnet=192.0.2.0/24 +trace
When troubleshooting DNS configurations or verifying changes between master and slave servers, administrators often need to determine exactly which authoritative nameserver provided a particular DNS response. The standard dig output shows the recursive resolver's IP (typically your local caching server) rather than the authoritative source.
The most comprehensive approach uses DNS tracing:
dig example.com +trace +nodnssec
This reveals the complete resolution path:
; <<>> DiG 9.16.1-Ubuntu <<>> example.com +trace +nodnssec
;; global options: +cmd
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
;; Received 525 bytes from 192.168.1.1#53(192.168.1.1) in 4 ms
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
;; Received 1174 bytes from 198.41.0.4#53(a.root-servers.net) in 32 ms
example.com. 172800 IN NS a.iana-servers.net.
example.com. 172800 IN NS b.iana-servers.net.
;; Received 1145 bytes from 192.5.6.30#53(a.gtld-servers.net) in 28 ms
example.com. 86400 IN A 93.184.216.34
;; Received 60 bytes from 199.43.135.53#53(a.iana-servers.net) in 24 ms
For Zone Transfers (When Permitted)
dig @ns1.example.com example.com AXFR
Checking Specific Nameservers Directly
dig @a.iana-servers.net example.com +short
- Many TLDs now implement DNS response rate limiting
- Cloud-based DNS providers may obscure backend infrastructure
- DNSSEC validation adds complexity to trace interpretation
This bash script compares responses from all authoritative servers:
#!/bin/bash
DOMAIN="example.com"
# Ask each NS listed for the zone directly, bypassing the local resolver
for ns in $(dig +short NS "$DOMAIN"); do
    echo "=== Querying $ns ==="
    dig @"$ns" "$DOMAIN" +short
    echo "---------------------"
done