NsGlueTest - Name Server Glue Test

This module is designed to test zone delegation and analyze resolver behavior when nameserver glue records differ between the child zone and the parent zone.

The module returns a sample A record with an IPv4 address from the TEST-NET-1 range. The response also includes authoritative data — an NS record in the authority section and a corresponding glue A record in the additional section, pointing to the nameserver’s IP address.

This module allows the client to specify which nameserver glue should be included in the response. The list of available nameservers can be configured in the PolarDNS configuration file polardns.toml.

Category: Cache poisoning

Format

nsgluetest<INDEX>.sub.yourdomain.com

Where:

  • The <INDEX> parameter specifies which nameserver glue to include in the response. The list of nameservers for each zone is configurable in the PolarDNS configuration file.

Examples

In the following examples, we configured the main PolarDNS configuration file to delegate the sub.yourdomain.com zone to an external nameserver. In the child zone’s PolarDNS configuration, we intentionally specified multiple different nameservers managing this zone.

Now, by sending the following query to the parent zone’s nameserver, we observe that the subdomain is delegated and managed by another nameserver:

# dig nsgluetest0.sub.yourdomain.com @127.0.0.1

; <<>> DiG 9.20.7-1-Debian <<>> nsgluetest0.sub.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31722
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;nsgluetest0.sub.yourdomain.com.	IN	A

;; AUTHORITY SECTION:
sub.yourdomain.com.	60	IN	NS	ns.sub.yourdomain.com.

;; ADDITIONAL SECTION:
ns.sub.yourdomain.com.	60	IN	A	10.211.55.2

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Jul 01 10:43:51 +04 2025
;; MSG SIZE  rcvd: 138

We can see that the sub.yourdomain.com zone is managed by ns.sub.yourdomain.com at 10.211.55.2.


When we query the designated nameserver directly, it returns the response and reaffirms its authority over the zone by including authoritative data — namely the NS and A (glue) records:

# dig nsgluetest0.sub.yourdomain.com @10.211.55.2

; <<>> DiG 9.20.7-1-Debian <<>> nsgluetest0.sub.yourdomain.com @10.211.55.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25141
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;nsgluetest0.sub.yourdomain.com.	IN	A

;; ANSWER SECTION:
nsgluetest0.sub.yourdomain.com.	60 IN	A	2.3.4.5

;; AUTHORITY SECTION:
sub.yourdomain.com.	60	IN	NS	ns.sub.yourdomain.com.

;; ADDITIONAL SECTION:
ns.sub.yourdomain.com.	60	IN	A	10.211.55.2

;; Query time: 8 msec
;; SERVER: 10.211.55.2#53(10.211.55.2) (UDP)
;; WHEN: Tue Jul 01 10:47:10 +04 2025
;; MSG SIZE  rcvd: 154

We can see that the authoritative zone information matches that provided by the parent nameserver.


Next, we request the inclusion of the second nameserver — intentionally misconfigured in the child zone's PolarDNS configuration file — as glue. The response still includes the answer but presents conflicting authoritative information for the zone:

# dig nsgluetest1.sub.yourdomain.com @10.211.55.2

; <<>> DiG 9.20.7-1-Debian <<>> nsgluetest1.sub.yourdomain.com @10.211.55.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31351
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;nsgluetest1.sub.yourdomain.com.	IN	A

;; ANSWER SECTION:
nsgluetest1.sub.yourdomain.com.	60 IN	A	2.3.4.5

;; AUTHORITY SECTION:
sub.yourdomain.com.	60	IN	NS	ns.sub.yourdomain.com.

;; ADDITIONAL SECTION:
ns.sub.yourdomain.com.	60	IN	A	6.6.6.6

;; Query time: 8 msec
;; SERVER: 10.211.55.2#53(10.211.55.2) (UDP)
;; WHEN: Tue Jul 01 10:47:12 +04 2025
;; MSG SIZE  rcvd: 154

Here, we observe that the sub.yourdomain.com zone is indicated as being managed by ns.sub.yourdomain.com at 6.6.6.6, which conflicts with the information provided by the parent zone. This inconsistency may confuse the resolver.
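
The parent-versus-child comparison walked through in these examples can be automated when auditing delegations. The following Python sketch is an added example, not part of PolarDNS: it parses dig text output and reports nameservers whose glue differs between the parent's referral and the child's response. The function names are hypothetical, and the sample input is trimmed from the dig outputs on this page.

```python
import re

# Authority/additional sections trimmed from the dig outputs on this page.
PARENT = """\
;; AUTHORITY SECTION:
sub.yourdomain.com.   60  IN  NS  ns.sub.yourdomain.com.

;; ADDITIONAL SECTION:
ns.sub.yourdomain.com.  60  IN  A  10.211.55.2
"""
CHILD_OK = PARENT                                     # nsgluetest0: same NS and glue
CHILD_BAD = PARENT.replace("10.211.55.2", "6.6.6.6")  # nsgluetest1: conflicting glue

def parse_sections(dig_text):
    """Return {section name: [(owner, type, rdata), ...]} from dig text output."""
    sections, current = {}, None
    for line in dig_text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif not line.strip():
            current = None  # a blank line ends the current section
        elif current is not None and not line.startswith(";"):
            fields = line.split()
            if len(fields) >= 5:  # owner, TTL, class, type, rdata
                current.append((fields[0].lower(), fields[3], " ".join(fields[4:])))
    return sections

def glue_map(dig_text):
    """Map each NS target in the authority section to its glue A addresses."""
    s = parse_sections(dig_text)
    glue = {rd.lower(): set() for _, rt, rd in s.get("AUTHORITY", []) if rt == "NS"}
    for owner, rtype, rdata in s.get("ADDITIONAL", []):
        if rtype == "A" and owner in glue:
            glue[owner].add(rdata)
    return glue

def glue_conflicts(parent_text, child_text):
    """Return [(ns, parent_ips, child_ips)] where the two views disagree."""
    parent, child = glue_map(parent_text), glue_map(child_text)
    return [(ns, sorted(parent[ns]), sorted(child[ns]))
            for ns in sorted(parent.keys() & child.keys())
            if parent[ns] != child[ns]]

if __name__ == "__main__":
    for ns, p, c in glue_conflicts(PARENT, CHILD_BAD):
        print(f"glue mismatch for {ns}: parent={p} child={c}")
```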

