An NXDOMAIN response means there are no records, of any DNS type, for the requested domain name. A NODATA response means there are records for the requested domain name, but none of them match the record type in your request.
At OpenDNS we want to help prepare everyone for the coming dual-stacked (meaning hosts will have both IPv4 and IPv6 addresses) world. In my previous post I discussed some of the issues that come from use searching domains with a dual stack host. In this post I’ll be going over exactly what DNS responses of NXDOMAIN vs NODATA mean, and why this it is important for people running dual-stacked machines to understand.
There is a common misconception about what an authoritative server is actually trying to tell you when you receive an NXDOMAIN response. The NXDOMAIN response is meant to imply that there are no records, of any request type, for the requested domain name.
Effectively, it’s the authority’s way of saying: “I have no information about this domain, regardless of what type of information you’re looking for”. The slightly different, but similar response of NODATA is meant to imply, there is no information, of the requested type, for the requested domain name. This is effectively like the authority saying: “I have information about the requested domain, but none of that information matches the specific type of information you’ve asked for”.
A good example of when a NODATA response is used is when requesting the A (IPv4) record for “www.ipv6.awfulhak.org”. The host www.ipv6.awfulhak.org is used for testing IPv6 enabled computers, specifically because it’s authoritative server only contain a AAAA (IPv6) record for that hostname.
# dig a www.ipv6.awfulhak.org ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1888 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION: ;www.ipv6.awfulhak.org.INA
;; AUTHORITY SECTION: ipv6.awfulhak.org.180INSOAns0.ipv6.Awfulhak.org. brian.Awfulhak.org. 2014051800 28800 1800 3600000 180
From the output we can see that our status code is “noerror”, and there is no answer section, this is dig’s way of showing a NODATA response. We’re getting this response because the authority server has some records for the host “www.ipv6.awfulhak.org”, just no records of type “A”. Now compare that output to running a dig for “does-not-exist.awfulhak.org”, a host which doesn’t exist (has no records in the authority at all).
# dig a does-not-exist.awfulhak.org ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59249 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION: ;does-not-exist.awfulhak.org.INA
;; AUTHORITY SECTION: awfulhak.org.1800INSOAns2.knigma.org. brian.Awfulhak.org. 2014052400 28800 1800 3600000 1800
Because the name server has no entires, of any type, for the host “does-not-exist.awfulhak.org”, we get the NXDOMAIN error code.
“So why is this important to dual-stacked machines?”
When working in a dual-stacked network you’ll find many types of network configurations, some hosts with IPv4 addresses only, some with IPv6 only, and some with both. Often when debugging DNS, people will run “dig <hostname>” without considering what type of DNS record matter to their hosts. By default dig sends requests for A (IPv4) records, so if the hostname you’re querying for only has IPv6 records, you won’t see an answer section or an NXDOMAIN error code (because it is actually a NODATA response). This is now your cue to query for other (most likely AAAA) records.
Hopefully now you have a greater understanding of NXDOMAIN vs NODATA, and you can spot the difference when debugging DNS issues in a dual-stacked network.
Click for more information about Cisco DNS security.
