Querying Root Domain

Is this normal?!

Code:
# drill @8.8.8.8 . NS
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 37605
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; .    IN      NS

;; ANSWER SECTION:
.       0       IN      A       192.168.0.1

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 1 msec
;; SERVER: 8.8.8.8
;; WHEN: Thu Jun 18 08:40:44 2026
;; MSG SIZE  rcvd: 33

With tcp:

Code:
# drill -t @8.8.8.8 . NS
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 11673
;; flags: qr rd ra ; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; .    IN      NS

;; ANSWER SECTION:
.       87203   IN      NS      a.root-servers.net.
.       87203   IN      NS      k.root-servers.net.
.       87203   IN      NS      d.root-servers.net.
.       87203   IN      NS      h.root-servers.net.
.       87203   IN      NS      e.root-servers.net.
.       87203   IN      NS      l.root-servers.net.
.       87203   IN      NS      b.root-servers.net.
.       87203   IN      NS      m.root-servers.net.
.       87203   IN      NS      j.root-servers.net.
.       87203   IN      NS      f.root-servers.net.
.       87203   IN      NS      c.root-servers.net.
.       87203   IN      NS      i.root-servers.net.
.       87203   IN      NS      g.root-servers.net.

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 116 msec
;; SERVER: 8.8.8.8
;; WHEN: Thu Jun 18 08:41:24 2026
;; MSG SIZE  rcvd: 228


With host

Code:
# host -t NS . 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

 has address 192.168.0.1

# host -t NS . localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:

 name server c.root-servers.net.
 name server d.root-servers.net.
 name server e.root-servers.net.
 name server f.root-servers.net.
 name server g.root-servers.net.
 name server h.root-servers.net.
 name server i.root-servers.net.
 name server j.root-servers.net.
 name server k.root-servers.net.
 name server l.root-servers.net.
 name server m.root-servers.net.
 name server a.root-servers.net.
 name server b.root-servers.net.
 
Code:
dig @8.8.8.8 . NS

; <<>> DiG 9.20.23 <<>> @8.8.8.8 . NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41981
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       87203   IN      NS      m.root-servers.net.
.                       87203   IN      NS      j.root-servers.net.
.                       87203   IN      NS      c.root-servers.net.
.                       87203   IN      NS      b.root-servers.net.
.                       87203   IN      NS      f.root-servers.net.
.                       87203   IN      NS      h.root-servers.net.
.                       87203   IN      NS      d.root-servers.net.
.                       87203   IN      NS      k.root-servers.net.
.                       87203   IN      NS      a.root-servers.net.
.                       87203   IN      NS      i.root-servers.net.
.                       87203   IN      NS      l.root-servers.net.
.                       87203   IN      NS      e.root-servers.net.
.                       87203   IN      NS      g.root-servers.net.

;; Query time: 206 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Thu Jun 18 21:03:04 CST 2026
;; MSG SIZE  rcvd: 239
 
Code:
game@work2:~ $ drill @8.8.8.8 . NS
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 37370
;; flags: qr rd ra ; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; .    IN      NS

;; ANSWER SECTION:
.       87203   IN      NS      a.root-servers.net.
.       87203   IN      NS      g.root-servers.net.
.       87203   IN      NS      c.root-servers.net.
.       87203   IN      NS      b.root-servers.net.
.       87203   IN      NS      k.root-servers.net.
.       87203   IN      NS      l.root-servers.net.
.       87203   IN      NS      f.root-servers.net.
.       87203   IN      NS      h.root-servers.net.
.       87203   IN      NS      m.root-servers.net.
.       87203   IN      NS      i.root-servers.net.
.       87203   IN      NS      e.root-servers.net.
.       87203   IN      NS      d.root-servers.net.
.       87203   IN      NS      j.root-servers.net.

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 230 msec
;; SERVER: 8.8.8.8
;; WHEN: Fri Jun 19 13:20:22 2026
;; MSG SIZE  rcvd: 228
 
What kind of router is it? One of those all-in-one things supplied by the ISP?
Tenda 4G06 Router 4G VoLTE

I can prove later with another router.

DNS hijacking by the ISP and/or their provided plastic router.
My resolv.conf points to 127.0.0.1 with unbound on it.
In my router I did not put a DNS server.
And look:

Code:
# drill @192.168.0.1 . NS
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 25029
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; .    IN      NS

;; ANSWER SECTION:
.       0       IN      A       192.168.0.1

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 7 msec
;; SERVER: 192.168.0.1
;; WHEN: Fri Jun 19 18:45:03 2026
;; MSG SIZE  rcvd: 33

It clearly has an embedded DNS:

Code:
# drill @192.168.0.1 web.de 
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 42469
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; web.de.      IN      A

;; ANSWER SECTION:
web.de. 37      IN      A       82.165.229.138
web.de. 37      IN      A       82.165.229.83

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 75 msec
;; SERVER: 192.168.0.1
;; WHEN: Fri Jun 19 18:48:53 2026
;; MSG SIZE  rcvd: 56
 
It is an LTE router, it mentions an IP of the provider, is it forwarding it?

And why is unbound (more or less) working if it gives false DNS servers for root?

How do I test if it is hijacking? Who, the router or the mobile internet provider (lycamobile)?

I ask for NS records and it answers with an A record. That is surely not the answer of Google:
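
The following is an added example, not code from any poster in this thread: a small Python check that reads captured `drill` output and lists the signs of a locally forged answer visible in the responses above (authoritative flag from a recursive resolver, record type that does not match the question, private address, TTL 0). The function name `interception_signs` and the choice of checks are assumptions made for illustration; the two sample responses are copied from the thread and trimmed.

```python
import ipaddress
import re

# Two responses to `drill @8.8.8.8 . NS` copied from the thread, trimmed to the
# lines the parser reads: the forged UDP answer and a genuine one.
FORGED = """\
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; .    IN      NS
;; ANSWER SECTION:
.       0       IN      A       192.168.0.1
;; SERVER: 8.8.8.8
"""
GENUINE = """\
;; flags: qr rd ra ; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; .    IN      NS
;; ANSWER SECTION:
.       87203   IN      NS      a.root-servers.net.
.       87203   IN      NS      k.root-servers.net.
;; SERVER: 8.8.8.8
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")  # name ttl IN type rdata

def interception_signs(drill_output, recursive_only=True):
    """List reasons a drill response looks forged on-path (hypothetical helper).

    recursive_only: the queried server is a recursive resolver or forwarder,
    which is not authoritative for anything and should never set 'aa'.
    """
    lines = [l.strip() for l in drill_output.splitlines()]
    flags, qtype, signs = [], None, []
    for i, line in enumerate(lines):
        if line.startswith(";; flags:"):
            flags = line.split("flags:")[1].split(";")[0].split()
        elif line == ";; QUESTION SECTION:" and i + 1 < len(lines):
            qtype = lines[i + 1].split()[-1]
    if recursive_only and "aa" in flags:
        signs.append("aa flag set by a recursive resolver")
    for name, ttl, rtype, rdata in (m.groups() for m in map(RR.match, lines) if m):
        if qtype and rtype not in (qtype, "CNAME", "RRSIG"):
            signs.append(f"asked for {qtype}, answered with {rtype}")
        if rtype in ("A", "AAAA") and ipaddress.ip_address(rdata).is_private:
            signs.append(f"private address {rdata} in answer")
        if ttl == "0":
            signs.append("TTL 0")
    return signs

if __name__ == "__main__":
    for label, text in (("forged", FORGED), ("genuine", GENUINE)):
        print(label, interception_signs(text))
```

Running the same check on UDP and TCP (`drill -t`) captures from the same host shows whether only one transport is being answered locally, which is the difference the first post ran into.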

 