RPZ and www.rackspace.com
David A. Evans
Evans_David_A at cat.com
Wed May 7 15:19:37 UTC 2014
I've done some more troubleshooting with info from people that
responded directly to me and not to the list. This can be reproduced
without any RPZ loaded by mimicking the behavior of the RPZ lookups
required to validate NSDNAME lines.
Issue these 'digs' within 30 second of each other.
dig www.wip.rackspace.com
www.wip.rackspace.com. 30 IN A 173.203.44.116
dig www.wip.rackspace.com NS
(NXDOMAIN)
dig www.wip.rackspace.com
(NXDOMAIN)
I think this is another case of miss configured load balancers.
Shouldn't the NS record lookup respond with a NODATA response and not
NXDOMAIN?
That still doesn't really answer why a site as big as
www.rackspace.com isn't getting hit with support issues on their web site.
It only took us about 4 hours into our first production day with
NSDNAME's in our RPZ to get a call about www.rackspace.com not loading.
David A. Evans
Enterprise IP/DNS Management
Network Infrastructure Tools and Services
Evans_David_A at cat.com
From: "David A. Evans" <Evans_David_A at cat.com>
To: bind-users at lists.isc.org
Date: 05/07/2014 09:11 AM
Subject: RPZ and www.rackspace.com
Sent by: bind-users-bounces at lists.isc.org
CATERPILLAR SECURITY ALERT: The email address in the sender line does not
match the account that sent the email. This can be an indication of
phishing. Do not click links or open attachments unless you are certain it
is from a safe source. Learn more at security.cat.com/phishing
We have just enabled RPZ with some NSDNAME checks and are seeing
an issue resolving www.rackspace.com.
The first lookup is successful and returns both the CNAME and the
A record. The second query, within a second of the first, will only
return the CNAME. It will only return the CNAME until the TTL of the A
record times out. The first query, when it actually has to go out and do
recursion will always work. Answering from cache will always fail. When
you inspect the cache during the time that it is only returning the CNAME,
the record in cache is "www.wip.rackspace.com type ANY NXDOMAIN". This
only happens with RPZ's enabled and query hitting a RPZ zone with a
NSDNAME line. Turning off RPZ or whitelisting the lookup via RPZ before
it hits a RPZ with NSDNAME allows the query to be successful 100% of the
time.
Can anyone else verify this behavior? What is going on with
www.rackspace.com? If this is a miss configuration on Rackspace's DNS
servers how are they not getting hit with support calls like crazy?
dig @redacted.cat.com www.rackspace.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @redacted.cat.com
www.rackspace.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30337
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.rackspace.com. IN A
;; ANSWER SECTION:
www.rackspace.com. 300 IN CNAME www.wip.rackspace.com.
www.wip.rackspace.com. 30 IN A 173.203.44.116
;; Query time: 193 msec
;; SERVER: redacted
;; WHEN: Wed May 7 08:53:08 2014
;; MSG SIZE rcvd: 73
dig @redacted.cat.com www.rackspace.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @redacted.cat.com
www.rackspace.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25905
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.rackspace.com. IN A
;; ANSWER SECTION:
www.rackspace.com. 298 IN CNAME www.wip.rackspace.com.
;; AUTHORITY SECTION:
wip.rackspace.com. 58 IN SOA www-gtm-ord1.rackspace.com.
hostmaster.305181-GTM1.rackspace.com. 86 10800 3600 604800 60
;; Query time: 2 msec
;; SERVER: redacted
;; WHEN: Wed May 7 08:53:10 2014
;; MSG SIZE rcvd: 129
David A. Evans
Enterprise IP/DNS Management
Network Infrastructure Tools and Services
Evans_David_A at cat.com _______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140507/bfb60252/attachment-0001.html>
More information about the bind-users
mailing list