DNS query function that distinguishes between non-existent host and network error

getaddrinfo() returns EAI_NONAME both for a network error when resolving an existing host and for a nonexistent host.

What can you do to distinguish between these two errors?

Because when the host doesn't exist I want to crash, and when there is a network error I want to keep trying to resolve.

+3




2 answers


I found out that http://c-ares.haxx.se/ can distinguish between ARES_ETIMEOUT and ARES_ENOTFOUND, unlike getaddrinfo().



0




With classic DNS, you can't do this. At the resolver end, you really can't tell whether the host doesn't exist or whether a network failure has occurred.

However, with DNSSEC, you really can (assuming the zone was securely signed). You will need a validation library that can do this for you, and it still won't give you accurate results for unsigned zones (of which there are unfortunately many). But for signed zones, you will get different results depending on whether the name existed or whether there was a network failure. DNSSEC contains a series of records that are used to confirm that something does not exist.

As an example, the libval library that comes from the DNSSEC-Tools project has val_getaddrinfo(), which will tell you whether the result has been validated or not. If there was no answer and it has been validated, you can trust that the name really doesn't exist. There is a sample command-line application, getaddr, that you can use to check the results and also to explore the code.

stackoverflow.com is unfortunately unsigned:

# getaddr wwwxxx.stackoverflow.com
Return code = -2
Validator status code = 134 (VAL_NONEXISTENT_NAME_NOCHAIN)
Error in val_getaddrinfo(): -2

And the error code indicates that (the "nochain" part). It could fail either because it didn't exist or because there were problems with the network.

But for signed zones, you get a better answer:

# getaddr wwwxxx.dnssec-tools.org
Return code = -2
Validator status code = 132 (VAL_NONEXISTENT_NAME)
Error in val_getaddrinfo(): -2


Here the status of the validator has changed and we can be sure that the address does not really exist.

Note that .com, .org and .net are all signed, which means that you can always tell if a given something.com exists (but maybe not subname.something.com).



There are other libraries that support DNSSEC, but I am most familiar with libval, so I used it above.

DNS is actually quite complex to fully understand, both how and why it works, and even more so when you add the secure version. There is no simple link to the answer, but you need to read at least RFC 1034 and 1035, understand RCODE #3, which is NXDOMAIN, and realize that it is returned by the resolver you are asking and that there is no other answer the resolver can give you.

If you want starting points for reading, you can check:

RFC1034 Domain Names - Concepts and Facilities. P.V. Mockapetris. November 1987. (Format: TXT=129180 bytes) (Obsoletes RFC0973, RFC0882, RFC0883) (Updated by RFC1101, RFC1183, RFC1348, RFC1876, RFC1982, RFC2065, RFC2181, RFC2308, RFC2535, RFC4033, RFC4034, RFC4035, RFC4343, RFC4035, RFC4592, RFC5936) (Also STD0013) (Status: STANDARD)

RFC1035 Domain Names - Implementation and Specification. P.V. Mockapetris. November 1987. (Format: TXT=125626 bytes) (Obsoletes RFC0973, RFC0882, RFC0883) (Updated by RFC1101, RFC1183, RFC1348, RFC1876, RFC1982, RFC1995, RFC1996, RFC2065, RFC2136, RFC2181, RFC2137, RFC2308, RFC2535, RFC2845, RFC3425, RFC3658, RFC4033, RFC4034, RFC4035, RFC4343, RFC5936, RFC5966) (Also STD0013) (Status: STANDARD)

RFC4033 DNS Security Introduction and Requirements. R. Arends, R. Austein, M. Larson, D. Massey, S. Rose. March 2005. (Format: TXT=52445 bytes) (Obsoletes RFC2535, RFC3008, RFC3090, RFC3445, RFC3655, RFC3658, RFC3755, RFC3757, RFC3845) (Updates RFC1034, RFC1035, RFC2136, RFC2181, RFC2308, RFC3225, RFC3007, RFC3597, RFC3226) (Updated by RFC6014) (Status: PROPOSED STANDARD)

RFC4034 Resource Records for the DNS Security Extensions. R. Arends, R. Austein, M. Larson, D. Massey, S. Rose. March 2005. (Format: TXT=63879 bytes) (Obsoletes RFC2535, RFC3008, RFC3090, RFC3445, RFC3655, RFC3658, RFC3755, RFC3757, RFC3845) (Updates RFC1034, RFC1035, RFC2136, RFC2181, RFC2308, RFC3225, RFC3007, RFC3597, RFC3226) (Updated by RFC4470, RFC6014) (Status: PROPOSED STANDARD)

RFC4035 Protocol Modifications for the DNS Security Extensions. R. Arends, R. Austein, M. Larson, D. Massey, S. Rose. March 2005. (Format: TXT=130589 bytes) (Obsoletes RFC2535, RFC3008, RFC3090, RFC3445, RFC3655, RFC3658, RFC3755, RFC3757, RFC3845) (Updates RFC1034, RFC1035, RFC2136, RFC2181, RFC2308, RFC3225, RFC3007, RFC3597, RFC3226) (Updated by RFC4470, RFC6014) (Status: PROPOSED STANDARD)

RFC5155 DNS Security (DNSSEC) Hashed Authenticated Denial of Existence. B. Laurie, G. Sisson, R. Arends, D. Blacka. March 2008. (Format: TXT=112338 bytes) (Status: PROPOSED STANDARD)

0


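The distinction both answers rely on, a status the resolver reports (c-ares' ARES_ENOTFOUND versus ARES_ETIMEOUT, libval's VAL_NONEXISTENT_NAME versus VAL_NONEXISTENT_NAME_NOCHAIN), ultimately comes from two fields of the DNS response: the RCODE (RFC 1035, RCODE 3 = NXDOMAIN) and, from a validating resolver, the AD (Authenticated Data) bit (RFC 4035). The C program below is an added example, not code from either answer, from libval or from c-ares: it decodes a raw response header, classifies the outcome, and applies the retry policy the question asks for. The packet bytes are constructed by hand (response headers only, no question or answer sections), and the names `classify_response`, `should_retry` and the `resolve_outcome` enum are this example's own. One caveat a practitioner needs: the AD bit can only be believed when the resolver validates DNSSEC and the path to it is trusted (for example a validator on localhost); over an untrusted network it is just another bit an attacker can set, which is why the example takes an explicit `trusted_validator` flag.

```c
/* Added example: classify a raw DNS response the way the answers reason
 * about it, by RCODE (RFC 1035 4.1.1) and the AD bit (RFC 4035 3.2.3).
 * Not code from the original page, libval or c-ares; the sample packets
 * below are constructed by hand and are response headers only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum resolve_outcome {
    RES_OK,                   /* RCODE 0 (NOERROR): use the answer section */
    RES_NXDOMAIN_VALIDATED,   /* RCODE 3 with AD=1: DNSSEC-proven nonexistence */
    RES_NXDOMAIN_UNVALIDATED, /* RCODE 3 with AD=0: the "nochain" case, unproven */
    RES_TRANSIENT,            /* no packet, SERVFAIL or REFUSED: worth retrying */
    RES_MALFORMED             /* too short, not a response, or query rejected */
};

struct dns_header {
    uint16_t id, qdcount, ancount;
    int qr, tc, ad, rcode;
};

/* Decode the fixed 12-byte header. Flags word layout (RFC 1035 / RFC 4035):
 * QR(15) Opcode(14-11) AA(10) TC(9) RD(8) RA(7) Z(6) AD(5) CD(4) RCODE(3-0). */
static int parse_header(const uint8_t *buf, size_t len, struct dns_header *h)
{
    if (buf == NULL || len < 12)
        return -1;
    uint16_t flags = (uint16_t)((buf[2] << 8) | buf[3]);
    h->id      = (uint16_t)((buf[0] << 8) | buf[1]);
    h->qr      = (flags >> 15) & 1;
    h->tc      = (flags >> 9) & 1;
    h->ad      = (flags >> 5) & 1;
    h->rcode   = flags & 0x0F;
    h->qdcount = (uint16_t)((buf[4] << 8) | buf[5]);
    h->ancount = (uint16_t)((buf[6] << 8) | buf[7]);
    return 0;
}

/* len == 0 models a timeout (nothing came back). trusted_validator says
 * whether the AD bit may be believed: only when the resolver validates
 * DNSSEC and the path to it is trusted, e.g. a validator on localhost
 * (RFC 4035 4.9.3). Over an untrusted path AD is just another spoofable bit. */
enum resolve_outcome classify_response(const uint8_t *buf, size_t len,
                                       int trusted_validator)
{
    struct dns_header h;

    if (len == 0)
        return RES_TRANSIENT;
    if (parse_header(buf, len, &h) != 0 || !h.qr)
        return RES_MALFORMED;

    switch (h.rcode) {
    case 0: /* NOERROR */
        return RES_OK;
    case 3: /* NXDOMAIN: only a validated denial proves nonexistence */
        return (trusted_validator && h.ad) ? RES_NXDOMAIN_VALIDATED
                                           : RES_NXDOMAIN_UNVALIDATED;
    case 2: /* SERVFAIL: upstream/network trouble (or a validation failure) */
    case 5: /* REFUSED */
        return RES_TRANSIENT;
    default: /* FORMERR, NOTIMP, ...: the query itself was rejected */
        return RES_MALFORMED;
    }
}

/* The policy the question asks for: keep trying on transient failures, give
 * up on a proven nonexistent name. An unvalidated NXDOMAIN is also treated
 * as final here, on the resolver's word alone; that is exactly the gap the
 * answer describes for unsigned zones, and a policy choice, not a proof. */
int should_retry(enum resolve_outcome o)
{
    return o == RES_TRANSIENT;
}

/* Constructed 12-byte response headers, ID 0x1234, QR=1 RD=1 RA=1. */
static const uint8_t pkt_nxdomain_ad[12]   = {0x12,0x34, 0x81,0xA3, 0,1, 0,0, 0,1, 0,0};
static const uint8_t pkt_nxdomain_noad[12] = {0x12,0x34, 0x81,0x83, 0,1, 0,0, 0,1, 0,0};
static const uint8_t pkt_servfail[12]      = {0x12,0x34, 0x81,0x82, 0,1, 0,0, 0,0, 0,0};
static const uint8_t pkt_noerror[12]       = {0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0};
static const uint8_t pkt_query[12]         = {0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0};

int main(void)
{
    static const char *label[] = {"OK", "NXDOMAIN validated",
                                  "NXDOMAIN unvalidated", "transient", "malformed"};
    struct { const char *name; const uint8_t *p; size_t n; } cases[] = {
        {"timeout (no packet)", NULL, 0},
        {"NXDOMAIN, AD=1",      pkt_nxdomain_ad,   sizeof pkt_nxdomain_ad},
        {"NXDOMAIN, AD=0",      pkt_nxdomain_noad, sizeof pkt_nxdomain_noad},
        {"SERVFAIL",            pkt_servfail,      sizeof pkt_servfail},
        {"NOERROR",             pkt_noerror,       sizeof pkt_noerror},
        {"query, not response", pkt_query,         sizeof pkt_query},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum resolve_outcome o = classify_response(cases[i].p, cases[i].n, 1);
        printf("%-22s -> %-20s retry=%d\n", cases[i].name, label[o], should_retry(o));
    }
    return 0;
}
```

Run with `trusted_validator` set to 1 the NXDOMAIN-with-AD header maps to RES_NXDOMAIN_VALIDATED (the VAL_NONEXISTENT_NAME situation), the same header with AD clear maps to RES_NXDOMAIN_UNVALIDATED (the "nochain" situation), and SERVFAIL or silence maps to RES_TRANSIENT; with `trusted_validator` set to 0 every NXDOMAIN is unvalidated, which is the classic-DNS limit the answer describes.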






