Conversation

Notices

1. Embed this notice
   sahilister (sahil@toots.sahilister.in)'s status on Thursday, 02-Jan-2025 19:32:59 JST sahilister

   Okay a DNS question, while checking name server for aws.amazon.com, I get:

   ```
   aws.amazon.com. 4092 IN CNAME tp.8e49140c2-frontier.amazon.com.
   tp.8e49140c2-frontier.amazon.com. 46 IN CNAME dr49lng3n1n2s.cloudfront.net.
   dr49lng3n1n2s.cloudfront.net. 12 IN A 108.158.61.79
   ...

   ```

   If I understand correctly, NS for aws.amazon.com is a chain of CNAME(s) to actual NS domain?

   #dns #amazon #aws

   • Embed this notice
     sahilister (sahil@toots.sahilister.in)'s status on Thursday, 02-Jan-2025 19:33:35 JST sahilister

     in reply to

     The query I ran was `dig ns aws.amazon.com`

   • Embed this notice
     sahilister (sahil@toots.sahilister.in)'s status on Friday, 03-Jan-2025 05:03:20 JST sahilister

     in reply to

     • Jing Luo

     @jing seems to work fine without -t as well.

     IG dig understands it's a query type.

   • Embed this notice
     Jing Luo (jing@mastodon.jing.lgbt)'s status on Friday, 03-Jan-2025 05:03:21 JST Jing Luo

     in reply to

     @sahil shouldnt it be `dig -t ns aws.amazon.com`

   • Embed this notice
     sahilister (sahil@toots.sahilister.in)'s status on Friday, 03-Jan-2025 17:12:41 JST sahilister

     in reply to

     • Patrick Mevzek

     @pmevzek ah! that explains it, thank you!

   • Embed this notice
     Patrick Mevzek (pmevzek@framapiaf.org)'s status on Friday, 03-Jan-2025 17:12:42 JST Patrick Mevzek

     in reply to

     @sahil "If I understand correctly, NS for aws.amazon.com is a chain of CNAME(s) to actual NS domain?". No. It tells you `aws.amazon.com` has NO `NS` records, because it is a CNAME, and CNAME can not coexist with anything else. It then tells you the final destination of the CNAME, as there are 2, aka `dr49lng3n1n2s.cloudfront.net.` and then tells you that this name is delegated because it has `NS` records. So `aws.amazon.com` is not delegated (has no NS records), just pointed out externally.

   • Embed this notice
     John Kristoff (jtk@infosec.exchange)'s status on Friday, 03-Jan-2025 17:59:11 JST John Kristoff

     in reply to

     @sahil No. The NS RRset for aws.amazon.com (at this writing and from my vantage point) is:

     ns-106.awsdns-13.com.
     ns-1402.awsdns-47.org.
     ns-1860.awsdns-40.co.uk.
     ns-905.awsdns-49.net.

     That happens to be the same set for tp.8e49140c2-frontier.amazon.com, which is where your dig ns aws.amazon.com query would have stopped.

     aws.amazon.com and tp.8e49140c2-frontier.amazon.com. both happen to be CNAMEs that ultimately lead to dr49lng3n1n2s.cloudfront.net. Those three strung together make up a chain. All coincidentally have the same authoritative server set at present.

     You say "actual NS domain". It might help to further explain if you say what you think the "domain" is in this case.

   • Embed this notice
     sahilister (sahil@toots.sahilister.in)'s status on Friday, 03-Jan-2025 17:59:41 JST sahilister

     in reply to

     • John Kristoff

     @jtk with "actual NS domain" I meant the authoritative NS in this case, *.awsdns* domains.

     As mentioned https://framapiaf.org/@pmevzek/113759344972541770 (in thread), one can't have NS for a CNAME (which looks right now that I think of it).