wiki:doc/DnsResolver/TestDnsResolving

Test DNS Resolving

This page is an integral part of the parent page DNS Resolver (doc/DnsResolver); all examples, notes and documents here relate to that parent page and continue it.

To understand this page, you must view the parent page.


DNS Test or Diagnostic Tools

Make sure the folder locations of the DNS testing utilities/tools are included in the 'PATH' system variable, so that the testing utilities can be used from any directory inside a console window such as the 'Command Prompt'.


Note: 'ping', 'nslookup', web browsers, etc. should work when using the Deadwood (from MaraDNS) DNS server/resolver, but the 'dig' tool may not work. All tools should work with the 'Unbound' and 'BIND' DNS servers/resolvers.

Command Prompt / Console / Shell / Terminal

Console or terminal type tools, like "Command Prompt", "Terminal", etc., allow you to run, test or diagnose various functions, devices, objects, connectivity, etc. by typing commands manually using the keyboard. GUI (Graphical User Interface) software (which shows buttons, pictures/graphics and videos) often lacks the detailed customization options that we need, so such needs can be fulfilled by using command-lines, which accept more customized options/choices. In some areas GUI programs are more suitable; in others console programs are more suitable.

ping

By default, 'ping' exists in Windows and is already in your PATH. In the Windows "Command Prompt", type ping /? ⏎ to see how this tool can be used and what its command syntax/format is.


NSLookup

By default, 'nslookup' exists in Windows and is already in your PATH. In the "Command Prompt", type nslookup ⏎, then type help ⏎, to see how this tool can be used and what its command syntax/format is. Then type exit ⏎ to get out of the nslookup shell.


DiG

Windows does not include the 'dig' tool by default. Get dig from the Internet or from a disc (and install it if necessary), then either copy 'dig' into the \WINDOWS\System32 folder or include its folder location in PATH. In the "Command Prompt", type dig -h ⏎ to see how this tool can be used and what its command syntax/format is.


Get DiG and Add DiG in PATH: One simple way to get 'dig' (domain information groper) on Windows is this: go to the site of ISC, the developer of the BIND server (https://www.isc.org/), and get BIND for Windows (the filename may or may not be close to 'BINDn.n.n-Pn.zip', where n is a 0~9 digit). Check the zip file against the provided signature file (using GnuPG) to see whether you have the right zip file or not. Decompress it. Copy all files except 'named.exe' (or copy at least these files: 'dig.exe', 'dig.html', 'bindevt.dll', 'libdns.dll', 'libeay32.dll', 'libisc.dll', 'libisccfg.dll', 'liblwres.dll', 'libbind9.dll') into the C:\dig folder (change C: to the drive where you installed Windows).

Add the path C:\dig at the end of your system PATH environment variable, by adding ";C:\dig" at the end (without the double quote symbols). Press and hold the Windows Flag/Logo button on the keyboard, press R once, and let go of both buttons. In the 'Run' window, type: sysdm.cpl and then go to 'Advanced' > 'Environment variables' > under the 'System variables' box, scroll down and find 'Path' and click on Path once > Edit > inside the 'Variable value:' textbox go to the end (by pressing the right arrow button or the 'End' button) and then type: ;C:\dig and then press the OK button > OK > OK. To see the list of folder locations inside PATH, in the Command Prompt, type: echo %PATH%

  • DiG with Unicode support: The 'dig.exe' tool/binary in the BIND package for Windows (from the isc.org site) cannot use Unicode characters (at the time of my test on Aug 25, 2012); you must use the Punycode form equivalent to the Unicode characters to resolve a domain-name to an IP address. More info: List of TLDs.

    • Another way to get a 'dig' tool capable of resolving domain-names with Unicode character(s) is to install Cygwin (from here). Download their 'setup.exe' into the "C:\Cygwin-Install" folder (or into the "%windir%\..\Cygwin-Install" folder; if the 'Cygwin-Install' folder does not exist, create it. Here the %windir% variable indicates the actual location of your 'Windows' folder, where the 'system32' or 'system' sub-folder exists). Also verify the 'setup.exe' file against their 'setup.exe.asc' file, using the 'GnuPG' software. You must obtain the .asc file at least 2 or 3 times, making sure you have changed to and used a different Tor circuit each time (only use a Tor circuit which has 3 different middle nodes than what was shown last time in the 'Tor Network Map' window), and then compare whether you have the exact same file or not. Run the 'setup.exe' installer -> select 'Install from Internet' -> Root Directory: C:\cygwin -> All Users -> choose 'C:\Cygwin-Install' as Local Package Directory -> Direct Connection -> choose one (http based) Download Site (one that appears close to your location) -> Next -> at the 'Select Packages' stage, find the "Net" category in the category list and click on the [+] symbol on that line/row to expand it -> find the package line which shows bind: DNS utilities suite -> on that line, click once on the word 'skip' and it will change into 'Install' or into the version # of BIND which is available at that moment -> Next -> the Cygwin installer will show you a popup window with a list of other software or tools which are necessary for the 'bind' utility to work, as 'bind' depends on those -> Ok/Next -> when the download and installation process finishes, press the 'Finish' button. To use 'dig' from any folder location, add Cygwin's bin folder to PATH (see next paragraph).

    • See the 'Add DiG in PATH' section for how to edit the Windows PATH variable, and add ;C:\cygwin\bin\;c:\cygwin\usr\sbin at the end. If ;C:\dig already exists inside the value of 'Path', then add ;C:\cygwin\bin\;c:\cygwin\usr\sbin\ to the left of the ;C:\dig location.


Test DNS Resolving Functionality

First, Run or Open the Windows "Command Prompt" (cmd.exe).

  • Here, words like local DNS server, localhost DNS server, local resolver, etc. mean and point to the 3rd party DNS server or resolver software which is installed (using the config files from the parent doc of this page), configured and running on your own computer. By default, it listens for DNS queries made toward your computer's internal IP address, 127.0.0.1, on UDP port 53. This is also often written as 127.0.0.1:53 or 127.0.0.1@53.
  • Before installing a 3rd party DNS resolver, run each of the command-lines below inside the "Command Prompt" window, and write the command and the resulting IP address down on paper, or copy all messages from the "Command Prompt" window into a text/txt file. This will come in handy in the testing phase of a DNS resolver or server installation.
     
    ping  yahoo.com ⏎
    ping  reg.for.free ⏎
    nslookup  yahoo.com ⏎
    dig  yahoo.com.  any ⏎
    dig  any  .  +dnssec  +multiline ⏎
    dig  reg.for.free.  any ⏎
    dig  dot-bit.bit.  any ⏎

  • Make sure you have already done these DNS server network settings steps before running the command-line tests below: after installing your choice of 3rd party DNS resolver, go into the Windows Network Settings, find and open the Network/NIC adapter which is used to connect to the Internet, set the 127.0.0.1 IP address as the primary/preferred DNS server IP address on it, and make sure there is no other IP address inside the DNS settings.
  • Use the 'ping' (or ping.exe) utility to test whether DNS resolving is working or not. Type the command-line below and then press the 'Enter' button:

ping yahoo.com

A similar result like below should be shown and is expected:

  Pinging yahoo.com [98.139.183.24] with 32 bytes of data:

Reply from 98.139.183.24: bytes=32 time=321ms TTL=47
Reply from 98.139.183.24: bytes=32 time=255ms TTL=47
Reply from 98.139.183.24: bytes=32 time=109ms TTL=47
Reply from 98.139.183.24: bytes=32 time=167ms TTL=47

Ping statistics for 98.139.183.24:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 109ms, Maximum = 321ms, Average = 213ms

You can see in the above result that 'ping' has successfully resolved the 'yahoo.com' domain-name into its IP address '98.139.183.24' by sending queries to the local resolver's DNS port 53 (using UDP packets). After getting the IP address, it sends ICMP query packets to that IP address and receives ICMP replies back from it.

If the 'ping' command fails to ping a domain-name, then try again with one of the known IP addresses of that domain-name after 'ping', and you will see it succeed. In that case, it indicates that the local DNS resolver is not working.

  • By default, 'nslookup' tool exists in Windows. Try to test using 'nslookup':
    nslookup yahoo.com

A similar result like below should be shown and is expected:

 
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
Name:    yahoo.com
Addresses: 98.138.253.109, 98.139.183.24, 72.30.38.140

A 'Non-authoritative answer' is an error message which means that your local DNS resolver has queried an external DNS server (one step above or at a higher level in the hierarchy, or the next one in the chain of external servers) in an effort to find the IP address associated with the 'yahoo.com' domain-name, and has received an answer for it from a cache or from non-authoritative nameservers. If 'nslookup' were to query directly the actual NS (nameserver) DNS server which keeps the SOA (statement of authority) authoritative record for the domain-name that you used in the nslookup command-line, then the received answer would be an 'Authoritative answer', and so no other error message (like 'Non-authoritative answer') would be shown above the "Name: domain-name" line. It is possible to query an 'Authoritative' DNS nameserver of a domain-name directly, if its IP address (or hostname) is known in advance, by specifying that IP address (or hostname) after the domain-name in the nslookup command-line. If you specify '-querytype=NS' before a domain-name in the nslookup command-line (without the quote symbols), then it will show the nameservers' hostnames (not the IP addresses). The 'whois' command can also be used to find the actual authoritative NS DNS server hostnames for a domain-name, and the 'dig' tool can be used to find the IP addresses of nameservers.

The NSLookup tool returns the name and IP address of the DNS server that resolved the name. It lists only the DNS server it initially connects to. If the name resolution request is forwarded to other DNS servers (in the chain, or from the hierarchy), then those servers are not listed.

  • If you have installed the Windows edition of 'dig', then you may test with this command-line:
    dig yahoo.com. NS

A similar result like below should be shown and is expected, if you are using Deadwood / Unbound:

 
; <<>> DiG 9.3.2 <<>> yahoo.com. NS
;; global options:  printcmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1084
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yahoo.com.                     IN      NS

;; ANSWER SECTION:
yahoo.com.              91263   IN      NS      ns1.yahoo.com.
yahoo.com.              91263   IN      NS      ns5.yahoo.com.
yahoo.com.              91263   IN      NS      ns2.yahoo.com.
yahoo.com.              91263   IN      NS      ns8.yahoo.com.
yahoo.com.              91263   IN      NS      ns4.yahoo.com.
yahoo.com.              91263   IN      NS      ns3.yahoo.com.
yahoo.com.              91263   IN      NS      ns6.yahoo.com.

;; Query time: 234 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Aug 18 00:24:05 2012
;; MSG SIZE  rcvd: 153

If you run the same command again, you will see the "Query time" value showing a very low or 0 msec time. The first time, it took longer to resolve (the hostname or domain-name to IP address lookup), but the second time the resolver already has the result in its cache, so the answer/result is given instantly.

In the above command-line the last option is "ns", which finds all DNS records which have the NS bit (nameserver). The word "any" can be used in the query instead of 'ns' to view all DNS records. The result may also include an 'ADDITIONAL ANSWER' section, where the IP address of each NS server is listed/shown. The 'Unbound' and 'BIND' resolvers are able to deliver Additional section(s) to DiG.

  • If you now try this command-line:
    dig yahoo.com. any

A similar result like below should be shown and is expected:

 
; <<>> DiG 9.3.2 <<>> yahoo.com. any
;; global options:  printcmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1375
;; flags: qr rd ra; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 0

;yahoo.com.                     IN      ANY

;; ANSWER SECTION:
yahoo.com.              3600    IN      A       98.139.183.24
yahoo.com.              3600    IN      A       72.30.38.140
yahoo.com.              3600    IN      A       98.138.253.109
yahoo.com.              1800    IN      MX      1 mta5.am0.yahoodns.net.
yahoo.com.              1800    IN      MX      1 mta6.am0.yahoodns.net.
yahoo.com.              1800    IN      MX      1 mta7.am0.yahoodns.net.
yahoo.com.              1800    IN      SOA     ns1.yahoo.com. hostmaster.yahoo-inc.com. 2012081900 3600 300 1814400 600
yahoo.com.              113940  IN      NS      ns5.yahoo.com.
yahoo.com.              113940  IN      NS      ns1.yahoo.com.
yahoo.com.              113940  IN      NS      ns2.yahoo.com.
yahoo.com.              113940  IN      NS      ns3.yahoo.com.
yahoo.com.              113940  IN      NS      ns4.yahoo.com.

;; Query time: 406 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Aug 18 22:29:05 2012
;; MSG SIZE  rcvd: 301

  • If you are using 'Unbound' or 'BIND', try the command-line below:
    dig any . +dnssec

A similar result like below should be shown and is expected, (if you are using DNSSEC validation capable DNS resolver):

 
; <<>> DiG 9.3.2 <<>> any . +dnssec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1951
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 19, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.                              IN      ANY

;; ANSWER SECTION:
.                       166172  IN      DNSKEY  
256 3 8 AwEAAbW4qUZUxSRqUntM9u0pvmkqRB9Z+WRPghllsekdgp8ksT5bwRBE 3xwVWJJpJgVYGvFGgLIutrGyZDJVLQX+tu+qe6HJbA8XRZsL2aA6e4MZ eD4TOUlIH/cVlof3y4gFibjwzuuondVku9ia2MSRYnrBl+LMSRftBkVa 4OvS+dij
.                       166172  IN      DNSKEY  
257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
.                       166172  IN      RRSIG   
DNSKEY 8 0 172800 20120903235959 20120820000000 19036 . CDiGE4ceJcXYtYt1V13/eo95sBDROy4YuCX965mIYUxee9UGA5bPGiCW DA8+y4ipJuWVVranhIZ9gKUrmW+hL+aGc3KAr6z+NChrQV5ufRAkDyPU AyUaM7xIMyEMhbFbCGQEPScNPsM4NROQx4J5TkKcQ5093USwH5c8hODu G5BFu54Ig/DEJY/gXeCEBPEVqQkrq4rxQVBMZ/XD2C5ZYweTqS6WR6Si m0NWvdSepwDav/DhwmQDRBVOiBANQp5+FIxUAj9DKxRHNmDBMomwiXMP iDvchtjcji1aJJPt3ZGp6U4bsPO9x2H/ymfZAKYI5K1P28V5d66P3413 T6obxg==
.                       73595   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2012081901 1800 900 604800 86400
.                       73595   IN      RRSIG   
SOA 8 0 86400 20120826000000 20120818230000 50398 . GkX1XoX9xfd4pGIttmtxhyl2J+ucREiMssistqY2B2jJP6/hh608N5/D cqgJK+uRJNt5GzA46PZ66OecgT+hCrZXfyzhrl7H0WaD4PZq/uhp1Cg6 NHklFW5ErgjjBw74dg1mIpEaqeop9txy1bCswr15c6Rv/eLH6DUA0Wh4 U84=
.                       126329  IN      NS      l.root-servers.net.
.                       126329  IN      NS      e.root-servers.net.
.                       126329  IN      NS      b.root-servers.net.
.                       126329  IN      NS      f.root-servers.net.
.                       126329  IN      NS      g.root-servers.net.
.                       126329  IN      NS      i.root-servers.net.
.                       126329  IN      NS      m.root-servers.net.
.                       126329  IN      NS      d.root-servers.net.
.                       126329  IN      NS      j.root-servers.net.
.                       126329  IN      NS      a.root-servers.net.
.                       126329  IN      NS      h.root-servers.net.
.                       126329  IN      NS      k.root-servers.net.
.                       126329  IN      NS      c.root-servers.net.
.                       506249  IN      RRSIG   
NS 8 0 518400 20120826000000 20120818230000 50398 . dTQyTme/OurhlQMZtUXO87DisIc+PlQmznIpyOA9Xmmcog932B/xEgMY Sw39MiQsXEixC3bK6WtO2egZcSTV1UgX/3Ug3ZIuT5y/PN7t9ZSRk4ut rnzIrcrJNkb8UKEyAXT9bTIS5JbMGWvHtgr+ivtZcK2zdjSFpwXUmQ/D ak4=

;; Query time: 4218 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Aug 20 01:01:05 2012
;; MSG SIZE  rcvd: 228

  • While using 'Unbound' or 'BIND', try the command-line below:
    dig torproject.org. any +dnssec

A result similar to the one below is expected:

  ; <<>> DiG 9.9.1-P2 <<>> torproject.org. any +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42762
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 25, AUTHORITY: 0, ADDITIONAL: 19

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;torproject.org.                IN      ANY

;; ANSWER SECTION:
torproject.org.         3600    IN      SOA     fallax.torproject.org. hostmaster.torproject.org. 2012090501 10800 3600 604800 3600
torproject.org.         3600    IN      RRSIG   
SOA 7 2 3600 20121003121048 20120905121048 62399 torproject.org. ZzfbSF95TUhuBo1TFYM3viTX2xC10hpFPUxyT9ivneoIM3iMT3zGZEzb 4JY9i3TG7TTJ95VKPn4kySPI2N5z+enzNGarhByjtkHDGHnftHwIaHbZ kguMt5rnU09nIIV6SePVoAghe/gAMh2/Oq1E4hedB6hMFdJFSQWyWrJa rwtt45ZczVnDn33/OpUM5l20
torproject.org.         0       IN      NSEC3PARAM 1 0 10 235326CF79B918E6
torproject.org.         0       IN      RRSIG   
NSEC3PARAM 7 2 0 20121003121048 20120905121048 62399 torproject.org. iAFxcfcTvINMds9APS7n5QePPfOMEQIEGydH6MVLN1tbc7yZhl1UDmZF VwTtqsd+B4QjIfr0gKeMGpLKoPjZ4pVqVnX+p2whmONQl8dsZJaR4Crc aAKOGlhm2FtVQmRQPBcZTYp5w5GK/FiQZXYmGJheJo4CfwZx4G/vHM5C TK5ScoCy5wcMxIanLlxISCWJ
torproject.org.         43200   IN      DNSKEY  
257 3 7 AwEAAbvj3CcjDtdryB5K0b5JHW1k+emmnmODOOqKkWhsLAZreZL9cBZd eHCuPwFsiGHTp7zTmtABzH59f69XL+L0mJzXUL3jm0029RJveRwvVXn5 T8d7ez8C+Y2f/ASOAYjN6P8iSNl9GLGoPlck7ktxSyBRtJZ8/bWCskUf olh68K1INV1CUkaOSY202UBMFwgdylONqrY3Zm/YHjzN/qhzp0i4NdY5 +uZwkkGQWEhyyhsSPaGQPvVWXxTLNwVzytFaSw==
torproject.org.         43200   IN      DNSKEY  
256 3 7 AwEAAakhmBa9GXHpENu4yRDVQoktaw2CxyCtHwuqx9WwBdg+4tDbTdUl B7QkXBtTs8owdxvp3uODRjdtgcFEz25TIOKsnvuI3kQLpDydqXsuZi6y sGZRgZBl+O5V2wCXiylG9Utr4+J/e5jSh7eSJL+FU1Acja4zxd6tj8FE x9iJNhk9BkM5X0jwQzvlLuXzdycVHw==
torproject.org.         43200   IN      DNSKEY  
256 3 7 AwEAAb8hcjhmEDuLGgSGRs6G/ofgnJjq4iutcKUMc2XMu31rcudyJJKy tgjmjOiiXzjNQDiP3/d8I0mpBYNFpR9YBYi1bbLgbuP7Cq3vL4x0IPeX ACQMUUSsf2SCFmsLFmU5MTHNz/SRZY8mDy6VKl5Fc2AcBQwSk6zsoU/B 8/ddgKuarNb4YQEM7IN+XsaEdsZS6Q==
torproject.org.         43200   IN      RRSIG   
DNSKEY 7 2 43200 20121003121048 20120905121048 27855 torproject.org. feyP+w0k2/wKkSjajbp4ixqF90h8AiEwC/asfHC2YNqD9XtvpdsZvatq b5p+n3XraJujvn0e5IjsjiyGcZ0jkgu+2yJ/zYjxp/ITEYgNPNUWy0Xl msou6Lqgyle0kp4NXvXZFb6CkwFacCcXkn4IKKe5jrV0auoJrUyWW9uf VPTqtkIHNiLHDuVrfCm8392av3+rWgmFuVfOdvth9/FkR8RS7QH5kjg3 RFdNIN1+ciPF6rVcW3y+h7+BXFoOKNS0
torproject.org.         43200   IN      RRSIG   
DNSKEY 7 2 43200 20121003121048 20120905121048 62399 torproject.org. luOGMWIFyM+bMoU7Ebtze3tFYk5d9xUGvauRAukShQFJ1XotsnLPjz5B 8dz+0GrTAxlaYui8VzH1UdCpVv4Q4Z0OUYXxMz3k+0VNfIAinA1SVXVt s4mGGi0Mo50Nwi9glZ3kIoC4K8TPd5pgf3Xi8o9JB/EhV62GSbb4H4Qh hP327qcucz0qVf/+FDqYsafI
torproject.org.         900     IN      AAAA    2620:0:6b0:b:1a1a:0:26e5:480e
torproject.org.         900     IN      AAAA    2620:0:6b0:b:1a1a:0:26e5:4810
torproject.org.         900     IN      AAAA    2001:858:10f:f::1001
torproject.org.         900     IN      RRSIG   
AAAA 7 2 900 20121003121048 20120905121048 62399 torproject.org. aoo2tLT/+eYZN0IO657trLT4gYyorfeSkpCPyopQsgCUCct3gSUx6uCu 33FwUsT87dIMhq2OjZ/VWZuQMJ4IsknY/UDiXPbOwsla6B5K+l/dmYTz t0fC19uZEllIOA9PuoRDx1OnvipJHDa31wVG98X1k0GEPO0qQjFRH0xo PqYgYuVlZuHJfOU5MjkzjCHg
torproject.org.         3600    IN      MX      10 eugeni.torproject.org.
torproject.org.         3600    IN      RRSIG   
MX 7 2 3600 20121003121048 20120905121048 62399 torproject.org. jeRE/TP/10xRiMFNaY0rNhwQ+roxNOMyL00Gj8V7z+NwPeWhEN1flz14 K7v5m/WMGHzT5jCFmeabAlDE9i5j/+pNii4C3GLLnYVQuIgiqWEyrs5K h7NK487wuMaYsPqYLUC693irIeyh4dZPNr3KNH+3pOQCuH3jrOWajDbz 2/h/V5CDqN29dhwlvbEPBzp3
torproject.org.         900     IN      A       86.59.30.36
torproject.org.         900     IN      A       38.229.72.14
torproject.org.         900     IN      A       38.229.72.16
torproject.org.         900     IN      RRSIG   
A 7 2 900 20121003121048 20120905121048 62399 torproject.org. Ekn7IYCUFbnLwcrVmH9hezUH0uUSKQNyvMbmik7VC2hOJupGk0npKFSY CXXqyZfGQMX/nBNJTE3t0C9wB08lVfpybLyEYHh0v0qHg0iO2quWgdbu 1lVpeV1nuzX3TN+crIqbNFRzLxXaOUfffB2s3oiP6QMU0xuHfDade8/o DBl0kCRNozFytmIeGFu8fZKu
torproject.org.         86400   IN      NS      ns5.torproject.org.
torproject.org.         86400   IN      NS      ns1.torproject.org.
torproject.org.         86400   IN      NS      ns4.torproject.org.
torproject.org.         86400   IN      NS      ns2.torproject.org.
torproject.org.         86400   IN      NS      ns3.torproject.org.
torproject.org.         86400   IN      RRSIG   
NS 7 2 86400 20121003121048 20120905121048 62399 torproject.org. b5Z1JZuoEgCtxx/dDX94jy0obAwuDODaGfY1ZgTzezW2nuo7q1+BHBL8 SZGueP9eHXGGJPrI8O28rGdUVLbuxeT3MOCqmvBwn03WzWk2Kz/6VxMS WgZr/ySLVm7Ryv5kd1rC+qwIwOIR83j9AVR1VKVcjvlCxxye7RboLoZ0 7PQan3WqoYs54aVdr7+ajMma

;; ADDITIONAL SECTION:
eugeni.torproject.org.  3600    IN      A       38.229.72.13
eugeni.torproject.org.  3600    IN      AAAA    2620:0:6b0:b:1a1a:0:26e5:480d
ns1.torproject.org.     86400   IN      A       38.229.72.12
ns1.torproject.org.     86400   IN      AAAA    2620:0:6b0:b:1a1a:0:26e5:480c
ns2.torproject.org.     86400   IN      A       86.59.21.37
ns2.torproject.org.     86400   IN      AAAA    2001:858:10f:6::2
ns3.torproject.org.     86400   IN      A       93.95.226.146
ns4.torproject.org.     86400   IN      A       82.195.75.101
ns4.torproject.org.     86400   IN      AAAA    2001:41b8:202:deb:213:21ff:fe20:1426
ns5.torproject.org.     86400   IN      A       46.4.123.73
ns5.torproject.org.     86400   IN      AAAA    2a01:4f8:141:2442:708:708:0:2
eugeni.torproject.org.  3600    IN      RRSIG   
A 7 3 3600 20121003121048 20120905121048 62399 torproject.org. a18Pv4bezTfnvGvspgZEjT5u2agtM2iqT6VIuK36J7q2q+yic3WuoE5F wOlo5gWIAPz7D9C4RwHbvhoyh0u7vkQKnsYcczA5E9xUeru3kfxdtdkW C1fIO8wX3xjAc7uPPn8wkBo8AIdtmDghyq7mR3bAfWhBGQ0zbOR+Sqm2 ckttABwywzHmKrzGRy6dOK/U
eugeni.torproject.org.  3600    IN      RRSIG   
AAAA 7 3 3600 20121003121048 20120905121048 62399 torproject.org. heL5Xmtdmf9V6neBEhwG8zdc1iRFofRTurZFPRuXbWxXBs6WH3rIdceZ 5LKqESFAxTmw8W5cFOLUSZK6JqsgCbn9BK8Pi+V3plbS6ismEvqLKutt Hv7NLfPL7PBiMrqK8lFYOabQDWEYFDhMXDCpjWwhsSXijaH21+kffxK1 DaK/5vy74xIu10FUd5+hMVgz
ns1.torproject.org.     86400   IN      RRSIG   
A 7 3 86400 20121003121048 20120905121048 62399 torproject.org. brVuA1wIwxNcsC9fEOuB/VPKCyUoQ/r63Xy0P6x2gU3nruZVAOU+wmWD Bx1NjcpAs+KLjDMNLMhPOC/kL3aSyVcczG+Oj1ULdrOuU2EdD4WlBZPU p9sH6rMVR9PUp5KeKbvlHZ3hvNklyUyJ9NiJbcVnvfdnWosq6uihEOY+ eKJUKH72tcGBpWs2WEu67HQr
ns1.torproject.org.     86400   IN      RRSIG   
AAAA 7 3 86400 20121003121048 20120905121048 62399 torproject.org. VHcTcRFkqLTbhR6of6eRk/x9sufRXIw5dBHsf2mDUaU7odJ0KmPXyzK3 Dh0ACW6lmpCh5+UAZ+jpW4UgWyROBOgGPuPq3Xsh1zZSe7TXzXMMeT9m 55VIUpaLWYU4rqGlEGJOYbDPWa967OQV2MXN0n5qzLjHvIk/Bx3DJiqb 0sKREg9a7szg4GjGU5vo5cc3
ns2.torproject.org.     86400   IN      RRSIG   
A 7 3 86400 20121003121048 20120905121048 62399 torproject.org. pe58ccXSr096y7QIjLkEtiYzb8seqwp4MYE4kcKa0PeSUevIt173gGKK fu0dqmiXESKO+c5vCK83grAaA4jpVnYH9kgJYTznQ+QJdoPT/ubRKv6D 2fOw1jXAKjUZZvvlzk3UpP3jwEA7OmGseahirZbprb967Qj4MGpCqxCY 8o2n1AqmY043nENHNOqFDsYv
ns2.torproject.org.     86400   IN      RRSIG   
AAAA 7 3 86400 20121003121048 20120905121048 62399 torproject.org. lr20K2LKZu6NuHyCFXgnSvSXFd2l01Urj+KQ0yFFOjadyQGD7hVoyjDX QlLQ9J7ByIpSf1gsldKk9WvGiQheMWpqLRoGQgetziSdHVQZFj4OZUCz iGKw/bTAAwydAQ1TVi+F9YgwMXCxtBy46EOmnp6ocsrKcuCgdenUAu6W emLhvBmPJfeK24lO73Hzk9c7
ns3.torproject.org.     86400   IN      RRSIG   
A 7 3 86400 20121003121048 20120905121048 62399 torproject.org. oCGVoUZW5WZ9wJP5ecjzFEVjrugonS+pGfkf2aI50Bff4CPJOmQuQyIV 1e31nr/k/t19uzks0z8G8B6m+RaFe3zY4VIMz9dHCRa5jhpLMj2R/qWw QElPgn1w8hTVUS2oA7CtUkutrio1JD1qNVmvyHN5C0Sj2Z7f7JY9PNuv IOtt+GNWrWU7xHJHUpCoqPfc

;; Query time: 2281 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Sep  8 04:01:05 2012
;; MSG SIZE  rcvd: 4041

  • Gateway/Wireshark: If you want to be 100% sure that no query for converting a .onion TLD based domain-name or hostname to its IP address is reaching your ISP's DNS or any other DNS (other than the local resolver), instead of going via the Tor network, you will have to use the 'Wireshark' network packet/traffic monitoring software on a 2nd computer which works as a "Gateway" computer for your network and the other computers under it. Alternatively, if the previous test steps and the next test steps are working (or showing messages very similar to the results shown inside the "expected" boxes), then that will also indicate that DNS is not leaking.
    In your network, set up and configure another (a 2nd) computer as your gateway computer which can connect to the Internet (via your physical router network device or your ISP-provided modem network device). For example, let's say it has (or is configured with) the IP address 192.168.0.2. Install 'Wireshark' on this gateway computer and run it. Set it to show 'DNS', or filter with 'DNS', to see any DNS related network traffic packets. On the computer where you just installed your 3rd party DNS server (for example 'Deadwood', 'Unbound', 'BIND', etc.) to block or check DNS leaks, change the "Default Gateway" IP address to the Wireshark gateway computer's IP address, 192.168.0.2. When you try to ping/nslookup/dig any *.onion hostname, Wireshark on the gateway computer will not show anything if your 3rd party DNS server is blocking DNS leaks successfully; otherwise you will see the .onion related DNS query appear in Wireshark, which means DNS is leaking.
  • On "Command Prompt" window, to test/query the onion host 'idnxcnkne4qt76tg.onion' of TorProject.org, type:

ping idnxcnkne4qt76tg.onion

A similar result like below should be shown and is expected:

  Ping request could not find host idnxcnkne4qt76tg.onion. Please check the name and try again.

  • Try to test/query below command-line:
    nslookup idnxcnkne4qt76tg.onion

A similar result like below should be shown and is expected, if you are using 'Deadwood' DNS resolver:

 
Server:  localhost
Address:  127.0.0.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to localhost timed-out

A similar result like below should be shown and is expected, if you are using DNS resolver like 'Unbound', 'BIND':

 
Server:  localhost
Address:  127.0.0.1

*** localhost can't find idnxcnkne4qt76tg.onion: Query refused.

When a DNS name resolver refuses to process the DNS query request made by 'nslookup', then this "Query refused" error message is shown.

  • Now try below 'dig' command-line:
    dig idnxcnkne4qt76tg.onion. any

A similar result like below should be shown and is expected, if you are using 'Deadwood' DNS resolver:

 
; <<>> DiG 9.3.2 <<>> idnxcnkne4qt76tg.onion. any
;; global options:  printcmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 907
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;idnxcnkne4qt76tg.onion.                IN      ANY

;; Query time: 2078 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Aug 18 00:33:05 2012
;; MSG SIZE  rcvd: 40

The 'SERVFAIL' status shown above indicates that the DNS resolving process has failed for the 'idnxcnkne4qt76tg.onion' hostname.

A similar result like below should be shown for above dig command and is expected, if you are using DNS resolver similar to 'Unbound', 'BIND':

 
; <<>> DiG 9.3.2 <<>> idnxcnkne4qt76tg.onion. any
;; global options:  printcmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1808
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;idnxcnkne4qt76tg.onion.                IN      ANY

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Aug 18 21:11:05 2012
;; MSG SIZE  rcvd: 40

When a DNS name server refuses to process the DNS query request made by 'dig', then this "REFUSED" status message is shown by 'dig'.
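The gateway check described under Gateway/Wireshark can also be done by a script over captured packets. The following Python code is an added example, not part of the original page: it decodes the question name from DNS payloads seen on the gateway and reports every .onion query, which should never appear there. The tuple layout, the function names and the addresses 192.168.0.10 and 192.0.2.53 are assumptions, and the sample packets are constructed.

```python
import struct

ONION_SUFFIX = ".onion."


def build_query(qname, txid=0x1A2B):
    """Build a one-question DNS query; used only to construct the sample packets."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 255, 1)  # QTYPE=ANY, IN


def parse_question(payload):
    """Return (is_query, qname) for the first question of a DNS message."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        pos += 1
        if length == 0:          # root label ends the name
            break
        if length > 63 or pos + length > len(payload):
            raise ValueError("bad label length")
        # DNS names are case-insensitive, so compare in lower case.
        labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    return (flags & 0x8000) == 0, ".".join(labels) + "."


def find_onion_leaks(packets):
    """packets: (src_ip, dst_ip, dst_port, udp_payload) tuples seen on the gateway.

    Returns (leaks, malformed): the leaked .onion queries and the number of
    port-53 payloads that could not be parsed.
    """
    leaks, malformed = [], 0
    for src, dst, dport, payload in packets:
        if dport != 53:
            continue
        try:
            is_query, qname = parse_question(payload)
        except ValueError:
            malformed += 1
            continue
        if is_query and qname.endswith(ONION_SUFFIX):
            leaks.append((src, dst, qname))
    return leaks, malformed


# Constructed capture. 192.168.0.10 is a hypothetical address for the computer
# running the local resolver; 192.0.2.53 is a documentation address standing in
# for an external DNS server.
SAMPLE = [
    ("192.168.0.10", "192.0.2.53", 53, build_query("yahoo.com.")),
    ("192.168.0.10", "192.0.2.53", 53, build_query("idnxcnkne4qt76tg.ONION.")),
    ("192.168.0.10", "192.0.2.53", 53, b"\x00\x01\x02"),   # truncated payload
    ("192.168.0.10", "192.0.2.53", 443, b"not dns"),       # not DNS traffic
]

if __name__ == "__main__":
    leaks, malformed = find_onion_leaks(SAMPLE)
    for src, dst, qname in leaks:
        print("DNS LEAK: %s asked %s for %s" % (src, dst, qname))
    print("unparsable port-53 payloads: %d" % malformed)
```
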

  • Results like the one below are NOT expected; they indicate a configuration error or some other external error.

dig google.com. any

If you see a result similar to the one below, then there is an error. Such a result is not expected:

 
; <<>> DiG 9.3.2 <<>> google.com. any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 678
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1

;; QUESTION SECTION:
;google.com.                    IN      ANY

;; AUTHORITY SECTION:
com.                    15566   IN      NS      e.gtld-servers.net.
com.                    15566   IN      NS      l.gtld-servers.net.
com.                    15566   IN      NS      j.gtld-servers.net.
com.                    15566   IN      NS      g.gtld-servers.net.
com.                    15566   IN      NS      h.gtld-servers.net.
com.                    15566   IN      NS      a.gtld-servers.net.
com.                    15566   IN      NS      d.gtld-servers.net.
com.                    15566   IN      NS      m.gtld-servers.net.
com.                    15566   IN      NS      c.gtld-servers.net.
com.                    15566   IN      NS      b.gtld-servers.net.
com.                    15566   IN      NS      f.gtld-servers.net.
com.                    15566   IN      NS      i.gtld-servers.net.
com.                    15566   IN      NS      k.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net.      166748  IN       A        192.5.6.30
a.gtld-servers.net.      166748  IN       AAAA     2001:503:a83e::2:30
b.gtld-servers.net.      166748  IN       A        192.33.14.30
b.gtld-servers.net.      166748  IN       AAAA     2001:503:231d::2:30
c.gtld-servers.net.      166748  IN       A        192.26.92.30
d.gtld-servers.net.      166748  IN       A        192.31.80.30
e.gtld-servers.net.      166748  IN       A        192.12.94.30
f.gtld-servers.net.      166748  IN       A        192.35.51.30
g.gtld-servers.net.      166748  IN       A        192.42.93.30
h.gtld-servers.net.      166748  IN       A        192.54.112.30
i.gtld-servers.net.      166748  IN       A        192.43.172.30
j.gtld-servers.net.      166748  IN       A        192.48.79.30
k.gtld-servers.net.      166748  IN       A        192.52.178.30
l.gtld-servers.net.      166748  IN       A        192.41.162.30

;; Query time: 250 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Aug 18 23:50:05 2012
;; MSG SIZE  rcvd: 500

Note that in the above result, the bold-faced name (com.) under 'AUTHORITY SECTION' is supposed to show google.com., followed by its IP address after the A, or its nameserver hostname after the NS. This type of error usually indicates that the DNS server which was queried did not send back an answer for google.com; instead it sent back the addresses of other root servers where to look for it. So pay attention to the caching, recursive DNS servers which are specified after the name: "." setting (which is next to the forward-zone: setting), and use only one, or a set of, very trustworthy and suitable DNS servers. You will most likely have to test with different DNS servers to get the desired results, because some ISPs and other entities are known to alter and interfere with such DNS traffic.

  • If the above results marked as 'expected' are not shown, then somewhere there is a mistake or mis-configuration in the DNS resolver or related software.
  • Also check with your web-browser software (like Internet Explorer, Firefox, etc) whether you can properly view various webpages whose addresses start with 'http', and also whether you can load/view webpages which start with 'https'. And if you use local Email client software (like Outlook Express, Thunderbird, etc), then check whether you can both send & receive.
  • [Unicode.in.CmdPrmpt], [Unicode.in.ConEmu]. Using Unicode Characters in Command-Lines: You will need a 'DiG' tool which supports Unicode and is capable of processing Unicode characters; follow the #DiG_with_Unicode_Support DiG with Unicode support section. If you want to use non-English Unicode characters in 'Command Prompt', then follow the sections marked or tagged [Unicode.in.CmdPrmpt]. You can alternatively use "ConEmu" for Unicode; then follow the sections tagged or marked [Unicode.in.ConEmu]. Or you can skip these sections and goto the next section (#Type_Unicode Type Unicode).

    • [Unicode.in.CmdPrmpt], [Unicode.in.ConEmu]. There are TLDs, domain-names and hostnames which can be queried by using special characters (other than English) from other writing languages (writing languages are also known as 'scripts'). These special characters use Unicode. You may follow these links for more info: Internationalized Domain Name (IDN), IDN ccTLDs. IDNs & IDN ccTLDs are stored in the DNS servers as ASCII strings using 'Punycode' transcription (which starts with the ".xn--" ASCII codes). Some, but not all, of the applications or tools which can send DNS queries and receive answers are able to convert Unicode characters into 'Punycode' form before sending the query to DNS servers, if a Unicode character is present in a domain-name. The 'Punycode' form can be used by almost all apps/tools, as it is a very simple (alpha-numeric) ASCII form, but it is very hard to memorise. UTF-8 based Percent Encoding can also be used, but it is also hard to remember.

    • [Unicode.in.CmdPrmpt]. Unicode in Command Prompt: To use Unicode characters in a 'Command Prompt' window, the following steps are necessary: Set the font to 'Lucida Console': with the mouse, right click on the 'Command Prompt' window menu bar > click on Properties. In the 'Properties' window, goto the 'Font' tab > click on 'Lucida Console' > click on OK (see below how to add Unicode fonts to the font list). The 'Lucida Console' font may support showing and using only a very limited set of Unicode characters. (See a few paragraphs below how to use Alt+UnicodeHexCodePoint (in the #Type_Unicode Type Unicode section) for typing Unicode characters.) In the 'Command Prompt' window, first type: chcp and press ('Enter'), then write down your default active Code Page number, and then change your Code Page setting or encoding from '437' (en_US) to '65001' (UTF-8): type the command-line below & then press the ('Enter') button:
      chcp 65001
      

    • [Unicode.in.CmdPrmpt]. Unicode Font for Command Prompt: If the 'Lucida Console' font is not enough for your need or your script (writing language), then you will need to add at least one more TrueType monospaced (fixed width, console) font which includes a large set of 'Unicode' glyphs, or at least supports your desired language scripts / character-set.

    • [Unicode.in.CmdPrmpt], [Unicode.in.ConEmu]. Install Unicode Font: Search for, download and install Unicode fonts, for example, 'DejaVu Sans Mono' (from here), 'FreeMono' (included inside 'GNU Freefont', aka Free UCS Outline Fonts, from here), 'Everson Mono Terminal' or 'Everson Mono Unicode' (from here). In 'Windows Explorer', goto the C:\WINDOWS\Fonts folder, or goto the %SystemRoot%\Fonts folder (if you cannot view the 'Fonts' folder then goto 'Folder Options' > View > select 'Show hidden files and folders' > remove the 'tick'/'check' mark from the 'Hide extensions for known file types' option > click on OK). Decompress the downloaded font zip/gz file (by using 7-zip software) to get the TTF, OTF, TTC etc font files. Select & copy all your desired font files *.ttf, *.otf, *.ttc, etc and then paste those files inside the %SystemRoot%\Fonts folder to install those fonts.

    • [Unicode.in.ConEmu]. Alternative Console Software: You can either use other alternative 'Console' or 'Terminal' type of software like ConEmu, to overcome the limitations of Windows default console program "Command Prompt" (cmd.exe), or, you can apply Windows registry hacks and other tricks or other Console software to make the Unicode work.

      • [Unicode.in.ConEmu]. If you will be using 'ConEmu', then you should install 'GNU Unifont' (from here), or load other large Unicode font mentioned in Unicode Font, that is able to show your desired writing language/script. After installing ConEmu, goto 'Settings', change all 'Font' related settings into your desired font name, which you installed. (If you will be using GNU Unifont ('unifont') then use 'Standard' anti-aliasing, unselect 'Monospace', goto 'Features' > 'Colors' > 'Standard colors' > change 'Text:Auto' into 'Text:#15').

    • [Unicode.in.CmdPrmpt]. Add Unicode Font in 'Command Prompt': Press & hold the Windows Logo/Flag key/button on keyboard, press R key/button once, and then release both keys. On 'Run' window, after typing regedit press ('Enter') key once or click on OK button. 'Registry Editor' window will appear. (Warning: It is very very dangerous to use this program, you must be very very careful not to delete/erase or accidentally drag something to somewhere else). In 'Registry Editor' window, browse to this registry location:
        My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont

      • [Unicode.in.CmdPrmpt]. Click on or select the above 'TrueTypeFont' location in the left side pane area (or tree-list) of 'Registry Editor'. Then right click on an empty area of the right side pane/area, and select New > String value. A new entry "New Value #1" will appear under the 'Name' column. If an entry 00 did not exist previously, then rename that "New Value #1" to 00 (two zeroes). Right click on that newly created entry 00, and click on 'Modify'. In the 'Edit String' window, write the desired Unicode font name inside the 'Value data:' textbox/field. The font name you write here must exist in the font list located in the registry location below (from that registry location, copy the font name shown under the 'Name' column, without the (Font Type) portion shown inside parentheses):
          My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Fonts

      • [Unicode.in.CmdPrmpt]. To add more fonts, repeat the previous steps, adding an extra 0 (zero) at the end of the new entry name each time. A 3rd entry should look like 000, a 4th entry should look like 0000 and so on.

      • [Unicode.in.CmdPrmpt]. Now 'Log Off' and re-login back (into your Windows, using your choice of user account/profile), or, restart Windows (and re-login). Start 'Command Prompt' again, and right click on the 'Command Prompt' window's menu bar > select 'Properties'. In 'Properties' window, goto 'Font' tab > select or click on 'DejaVu Sans Mono' > click on OK. Type chcp 65001 and press ('Enter').

      • [Unicode.in.CmdPrmpt], [Unicode.in.ConEmu]. Now you can either copy/paste 'Unicode' characters from webpages, or, copy/paste characters from a "Character Map" (a Font Explorer type of utility), or change Keyboard key/button layout into your desired writing language/script using 'Input Method Editor', and start typing unicode directly.

    • [Unicode.in.CmdPrmpt], [Unicode.in.ConEmu]. Type & Show Unicode Characters: First, goto this Windows registry location and click on 'Input Method' or select it:
      My Computer\HKEY_CURRENT_USER\Control Panel\Input Method\
      
      In the above location, on the right side pane/area, right click on an empty area and select 'New' > 'String value'. A new entry "New Value #1" will appear under the 'Name' column. Rename it to "EnableHexNumpad" and press ('Enter'). Right click on 'EnableHexNumpad' > Modify > type 1 inside the 'Value data:' textbox. Move your (blinking) cursor to where you want to type a Unicode char (or use the mouse pointer arrow and click on the position where you want to type a Unicode char). Press & hold the 'Alt' key/button, press the '+' key once on the numeric keypad area, then type in your desired Unicode character's hex codepoint (using the main letter keys and any of the number keys), then release the 'Alt' key/button; it will then send one Unicode character (based on your hex code) to where your cursor was. But remembering hex codepoints is not easy. Other Alternative Options: You can use or enable an 'Input Method' based language/script utility software to change the keyboard keys/buttons layout and mode into a different language, and type/show Unicode characters on 'Command Prompt' directly; or you can use a font glyph/character viewer/explorer type of software like 'Character Map' (included with Windows) to visually see Unicode characters, then 'click' on or 'copy' your desired Unicode character(s), and then 'paste' inside 'Command Prompt'.

    • [Unicode.in.CmdPrmpt], [Unicode.in.ConEmu]. Example query: query for a domain-name which has Unicode characters in it, and also query using its equivalent Punycode.

      • The IDN TLD ".中国" (an IDN TLD is a non-Latin or non-English character based TLD portion of a domain-name/web-site) is used at the end of a domain-name/web-site-name. This ".中国" portion is shown in Unicode form, which is more understandable and meaningful for users who will visit/use/type it. It means ".china". The actual code which is used by DNS servers is ".xn--fiqs8s" (shown in TLD form), or "xn--fiqs8s." (as a TLD in zone form, for use with test tools, in configuration files, etc); this "xn--fiqs8s" code is known as the Punycode form. A web-browser, DNS/stub resolver, etc which is IDN compliant can convert the ("中国") Unicode portion into its equivalent Punycode form, and then send it to DNS servers as a DNS query/question. If the DNS server has appropriate answer record(s) then it sends an answer back; then the IDN compliant DNS/stub resolver, web-browser, etc can re-convert the Punycode form back into its equivalent Unicode form, and show it to us. To view the Unicode characters (which are non-English / non-Latin) shown on this webpage properly in your web browser software, change its Default Character Encoding setting to "Unicode (UTF-8)". (For example, in Firefox, goto Tools > Content > Fonts & Colors > Advanced > Character Encoding > Default Char Enc: > and change this option's value to "Unicode (UTF-8)" > OK > OK). After the previous steps, press the F5 key/button, or click on refresh (circular arrow), or press Ctrl+R while staying on this webpage. If Unicode characters are still not appearing or not viewable, then your system does not have a font with the required glyph/character, so you need to install a large Unicode font or multiple Unicode fonts.

        If you run the command-line dig 中国. any +dnssec then the result should be similar to the one below, and is expected:
        ; <<>> DiG 9.9.1-P2 <<>> 中国. any +dnssec
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10970
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
        
        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags: do; udp: 4096
        ;; QUESTION SECTION:
        ;中国.                            IN      ANY
        
        ;; ANSWER SECTION:
        中国.                     7200    IN      SOA     h.dns.cn. root.cnnic.cn. 2013026409 3600 900 604800 3600
        中国.                     7200    IN      NS      k.dns.cn.
        中国.                     7200    IN      NS      l.dns.cn.
        中国.                     7200    IN      NS      h.dns.cn.
        中国.                     7200    IN      NS      i.dns.cn.
        中国.                     7200    IN      NS      j.dns.cn.
        
        ;; Query time: 4000 msec
        ;; SERVER: 127.0.0.1#53(127.0.0.1)
        ;; WHEN: Tue Aug 27 00:20:05 2012
        ;; MSG SIZE  rcvd: 172

        The bold-faced TLD 中国. in the above result box will change into xn--fiqs8s. (and the id value will also change) when you try the above command's Punycode equivalent, like this: dig xn--fiqs8s. any +dnssec. If the Punycode form works and the Unicode form does not, then you are not using a 'dig' capable of processing Unicode conversion.
  • Use TLDs, IDNs Which Have Numeric Digits: Windows by default refuses to resolve numeric TLDs (that is, Windows refuses to resolve domain-names which have .N at the end, where N is a numeric digit). If you will be using such a TLD which has numbers/digits, only then follow the step below:

    • Click on the "Start" menu, then in "Run" or "Execute" (of Windows XP) or in "Search" (of Windows Vista/Seven/7/8), type regedit and press ('Enter'). Goto/browse to the registry location below, and click on 'Parameters' in the left side/pane:
        My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

      In the 'Edit' menu, select 'New' and click on 'DWORD' value. Type 'ScreenBadTlds' (without the single quote symbols) and press ('Enter'). Right-click on ScreenBadTlds, and then click on 'Edit'. In the data area, type 0 and click OK. Close the Registry editor. Then either restart your computer (if required), or Log-off from your Windows account and re-login.
  • Test out TLDs supported by other Alternative Root operators: after you finish installing a 3rd party DNS resolver and loading your choice of config file (from the parent webpage of this webpage), type the commands below and press ('Enter'), one by one:
    dig  geek.  any ⏎ (one of the OpenNIC TLDs).
    dig  ita.  any ⏎ (one of the CesidianRoot TLDs).
    dig  42.  any ⏎ (TLD from 42registry.org).
    dig  ti.  any ⏎ (one of the New-Nations.net TLDs).
    dig  ovh.  any ⏎ (TLD from ovh.co.uk).
    dig  bit.  any ⏎ (TLD from dot-bit.org).
    dig  sundial.  any ⏎ (one of the Unifiedroot TLDs).
    dig  xn--e1apq.  any ⏎ (one of the i-DNS.net TLDs).
    dig  нет.  any ⏎ (TLD in Unicode form, same as the above i-DNS Punycode form TLD, the Russian .net TLD).

    In the parent page of this article, inside the DNS resolver's config file, you will find domain-names/hostnames for TLDs from different root operators, which you can use with 'ping', 'nslookup', 'dig', a web-browser, etc for testing.

    If your results do not have "Status: NOERROR" each time, then maybe there are some mis-configurations in the config file, or name servers were changed by the TLD operator, or the servers are currently down/off, etc. The actual reason will depend on what answer you get and on related software configuration and/or hardware connection matters. When you try to resolve a TLD for the 1st time, the resolving process may take a bit longer, so you may receive a "SERVFAIL" or "connection timed out; no servers could be reached" etc error message. Wait & try again a 2nd time; then you should receive a "NOERROR" & the related correct answer/records.
  • Every time you restart the DNS resolver, you may also have to restart your web-browser and email-client software, to be sure those are not using older mis-configured values.
  • Test Using TCP DNS Query: When you have enabled TCP traffic for resolving DNS in the DNS Server/Resolver, and you want to force 'dig' to use TCP DNS (instead of the default UDP DNS), add the +tcp option at the end of the 'dig' command-line. See the next section's example, which uses the +tcp option. For this +tcp option to work successfully, you will have to pre-configure your DNS Server to allow TCP DNS queries, see Unbound Tweak sections: this, and if you want to always connect with the DNS/nameserver using TCP traffic, then configure your DNS Server further like this.
  • Test DNS Query On Specific DNS/Nameserver: If you want to query for DNS info with the 'dig' tool via a very specific DNS/nameserver, you can do so by specifying that DNS/nameserver's IP address or hostname right after the 'dig' word in the command-line, with a leading '@' (at) symbol in front of the nameserver. A few examples:
    # Find info on 'AAAA' DNS records for the www.v6.facebook.com domain, by using the 192.168.40.1 DNS/nameserver:
    dig @192.168.40.1 www.v6.facebook.com. AAAA

    # Do above query using DNSsec validation:
    dig @192.168.40.1 www.v6.facebook.com. AAAA +dnssec

    # Do above query via using TCP enabled DNS traffic:
    dig @192.168.40.1 www.v6.facebook.com. AAAA +dnssec +tcp
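The expected and not-expected 'dig' results described in the test sections above can be told apart mechanically. The following Python script is an added example, not part of the original page: its function names and result labels are this example's own, and its samples are constructed by trimming the outputs shown on this page.

```python
import re

def parse_dig(text):
    """Extract status, ANSWER/AUTHORITY counts, question name and AUTHORITY NS owners."""
    info = {"status": None, "answer": 0, "authority": 0, "qname": None, "ns_owners": set()}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.search(r"->>HEADER<<-.*status:\s*(\w+)", line):
            info["status"] = m.group(1)
        if m := re.search(r"ANSWER:\s*(\d+),\s*AUTHORITY:\s*(\d+)", line):
            info["answer"], info["authority"] = int(m.group(1)), int(m.group(2))
        if m := re.match(r";;\s*(\w+) SECTION:", line):
            section = m.group(1)
            continue
        fields = line.lstrip(";").split()
        if section == "QUESTION" and line.startswith(";") and not line.startswith(";;") and fields:
            info["qname"] = fields[0].lower()
        elif section == "AUTHORITY" and not line.startswith(";") and len(fields) >= 4:
            if fields[3] == "NS":  # record layout: name TTL class type rdata
                info["ns_owners"].add(fields[0].lower())
    return info

def classify(text):
    """Map one dig output to the outcome categories used on this page."""
    info = parse_dig(text)
    status, qname = info["status"], info["qname"] or ""
    if status is None:
        return "no-response"    # e.g. "connection timed out; no servers could be reached"
    if status == "REFUSED":
        return "refused"        # expected for the .onion test query
    if status == "SERVFAIL":
        return "retry"          # first lookup of a TLD may fail; wait and query again
    if status == "NOERROR" and info["answer"] > 0:
        return "answered"
    # NOERROR without an answer, only NS records owned by a parent zone (com. for google.com.)
    parents = [o for o in info["ns_owners"] if o != qname and (o == "." or qname.endswith("." + o))]
    if status == "NOERROR" and parents:
        return "referral-only"  # the NOT expected result: check the forwarders in use
    return "other"

# Constructed samples, trimmed from the outputs shown on this page.
REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1808
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;idnxcnkne4qt76tg.onion.                IN      ANY
"""
REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 678
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
;; QUESTION SECTION:
;google.com.                    IN      ANY
;; AUTHORITY SECTION:
com.                    15566   IN      NS      e.gtld-servers.net.
com.                    15566   IN      NS      l.gtld-servers.net.
"""
ANSWERED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10970
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
xn--fiqs8s.             7200    IN      NS      k.dns.cn.
"""
TIMEOUT = ";; connection timed out; no servers could be reached\n"

if __name__ == "__main__":
    for label, sample in [("onion", REFUSED), ("google.com", REFERRAL), ("IDN", ANSWERED), ("timeout", TIMEOUT)]:
        print(label, "->", classify(sample))
```

To check a live resolver, save the output of a 'dig' command to a file and pass the file's text to classify().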

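The Unicode-to-Punycode conversion described in the IDN sections above (中国. becoming xn--fiqs8s., нет. becoming xn--e1apq.) can be reproduced by hand. This Python script is an added example, not part of the original page: it implements the RFC 3492 encoding step with function names of its own, and it assumes the label is already lower-case and normalised, which a real IDN-aware tool takes care of first.

```python
# Bootstring parameters for Punycode (RFC 3492, section 5)
BASE, TMIN, TMAX, SKEW, DAMP, INITIAL_BIAS, INITIAL_N = 36, 1, 26, 38, 700, 72, 128
DIGITS = "abcdefghijklmnopqrstuvwxyz0123456789"

def _adapt(delta, numpoints, first):
    """Bias adaptation (RFC 3492, section 6.1)."""
    delta = delta // DAMP if first else delta // 2
    delta += delta // numpoints
    k = 0
    while delta > ((BASE - TMIN) * TMAX) // 2:
        delta //= BASE - TMIN
        k += BASE
    return k + (BASE - TMIN + 1) * delta // (delta + SKEW)

def punycode_encode(label):
    """Encode one label (without the 'xn--' prefix), following RFC 3492 section 6.3."""
    basic = [c for c in label if ord(c) < INITIAL_N]
    out = basic + (["-"] if basic else [])
    n, delta, bias = INITIAL_N, 0, INITIAL_BIAS
    h = b = len(basic)
    while h < len(label):
        m = min(ord(c) for c in label if ord(c) >= n)   # next code point to insert
        delta += (m - n) * (h + 1)
        n = m
        for c in label:
            if ord(c) < n:
                delta += 1
            elif ord(c) == n:
                q, k = delta, BASE
                while True:   # emit delta as a variable-length base-36 integer
                    t = TMIN if k <= bias else TMAX if k >= bias + TMAX else k - bias
                    if q < t:
                        break
                    out.append(DIGITS[t + (q - t) % (BASE - t)])
                    q = (q - t) // (BASE - t)
                    k += BASE
                out.append(DIGITS[q])
                bias = _adapt(delta, h + 1, h == b)
                delta = 0
                h += 1
        delta += 1
        n += 1
    return "".join(out)

def to_ascii(name):
    """Convert every non-ASCII label of a domain name to its 'xn--' form."""
    return ".".join(
        label if label.isascii() else "xn--" + punycode_encode(label)
        for label in name.split(".")
    )

if __name__ == "__main__":
    for name in ("中国.", "нет.", "geek."):   # TLDs queried on this page
        print(name, "->", to_ascii(name))
```

If the name printed for a Unicode TLD resolves with 'dig' while the Unicode form does not, the 'dig' build in use is not doing this conversion itself.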

Credits

By Bry8Star. Copyright (c) 2012 Bry8Star (bry8star a.t yahoo d.o.t com).

Disclaimer: If you make a mistake in following any of the "general" steps/guidelines mentioned here in this article, it will NOT be good at all for your system, so be warned: search for each word which you don't understand on Bing / Yahoo / Google search engine sites, and search in documents and books, before actually following any of these steps. Instruction writer(s) has(/have) tested and found these steps to be effective on his/her(/their) computer's OS + software + hardware + internal-network + external-network, etc environment + configuration + settings + features + restrictions, etc combinations. These factors cannot be 100% same on your case. Instruction writers are assuming, users who will follow these steps are familiar with these steps, at least have done such once or twice before and very recently, effectively and correctly. Instruction writer will not be (and cannot be held) responsible in any way for your mistakes, or for your lack of expertise, or for your lack of understanding, or for your lack of not following these general instructions, or for not converting them to a practical level in correct manner for your case, or for not learning effectively more on these, or for not realizing the patterns to suit/modify with/for your case, or for any conflict or for any type of any loss which may or will occur with any current or any future component / event / etc. Everything is changing all the time, so you will need to improve & adopt better solution(s) which suits you, your need(s), that is your responsibility. Adopt such solution(s) which is(/are) (or will be) better for majority, or will meet your goals. Adopt which works, discard which does not.

Last modified on Sep 17, 2012, 1:22:24 PM