I want to find all the name servers that serve a DNS zone (suppose it's google.com). Using $dig, I tried two different queries:
$dig +trace google.com <type>
The result looks like below:I notice there are four NS records, grouped together, near the bottom of the query answers.
$dig google.com ANY
The result looks like below:There are four NS records in total, which are exactly the same as in the first answer.
Are there any other ways to get all the name servers?
I want to find all the name servers that serve a DNS zone (suppose it's google.com).
Ask any of the parent nameservers for details on delegation:
$ dig com. NS +short|head -1
j.gtld-servers.net.
$ dig @j.gtld-servers.net. google.com. NS +noall +auth
google.com. 2d IN NS ns2.google.com.
google.com. 2d IN NS ns1.google.com.
google.com. 2d IN NS ns3.google.com.
google.com. 2d IN NS ns4.google.com.
This is how the DNS works and is designed: it uses delegations with the NS record type.
But do note two things:
lame delegation can happen: you can/should ask any of the delegated nameservers for what they think are the relevant nameservers and handle differences (there shouldn't be any but suprisingly there is in many zones)
results are sets, not lists, so do not expect any stable order
dig google.com ANY
Absolutely DO NOT use ANY. It does not have the meaning of ALL despite what people thinks, and is mostly to be considered deprecated and obsolete (see https://www.rfc-editor.org/rfc/rfc8482)