Help with unresolvable domain (subdomain, actually)

Warren Kumari warren at kumari.net
Wed Mar 2 19:18:33 UTC 2011


On Mar 2, 2011, at 1:21 PM, Mike Bernhardt wrote:

> What's really strange is that when we attempt a query, be it DIG or an
> attempt to browse tools.cisco.com, they send some sort of query back to us
> from/to UDP 53

Many GSLB solutions attempt to figure out what the best location to  
serve from is by sending a query to the server that just queried  
*them* -- this allows them to figure out latency and decide which  
cluster might be closest....
I'm suspecting (although I avoid Cisco LB like the plague and so am  
not sure) that this is the cause.


The other possibility -- I ran tcpdump to see if I could see what the
query might be, and I found that I was getting a FormErr response to my
initial query, causing me to requery without DNSSEC / EDNS0 -- maybe
you are actually not seeing a query from them, maybe it's a FormErr
response that your FW is noting?

W

wkumari at vimes:~/src/perl/IODEF$ dig +edns=0 tools.cisco.com @128.107.227.197

; <<>> DiG 9.7.2-P3 <<>> +edns=0 tools.cisco.com @128.107.227.197
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 41568
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;tools.cisco.com.		IN	A

;; Query time: 75 msec
;; SERVER: 128.107.227.197#53(128.107.227.197)
;; WHEN: Wed Mar  2 14:17:38 2011
;; MSG SIZE  rcvd: 33

wkumari at vimes:~/src/perl/IODEF$ dig  tools.cisco.com @128.107.227.197

; <<>> DiG 9.7.2-P3 <<>> tools.cisco.com @128.107.227.197
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54960
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;tools.cisco.com.		IN	A

;; ANSWER SECTION:
tools.cisco.com.	20	IN	A	173.37.145.8

;; Query time: 75 msec
;; SERVER: 128.107.227.197#53(128.107.227.197)
;; WHEN: Wed Mar  2 14:17:45 2011
;; MSG SIZE  rcvd: 49





> . We drop it at the firewall due to some sort of "sanity
> check" so I can't see the contents. This is in addition to the SERVFAIL
> message.
>
> Although I get SERVFAIL, Kloth.net does not, even if we DIG the same server:
> cax01-bb14-dcz01n-gss1.cisco.com
> From Kloth
> ; <<>> DiG 9.3.2 <<>> @cax01-bb14-dcz01n-gss1.cisco.com tools.cisco.com A
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41388
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;tools.cisco.com.		IN	A
>
> ;; ANSWER SECTION:
> tools.cisco.com.	20	IN	A	72.163.4.38
>
> ;; Query time: 131 msec
> ;; SERVER: 173.37.144.100#53(173.37.144.100)
> ;; WHEN: Wed Mar  2 19:15:04 2011
> ;; MSG SIZE  rcvd: 49
>
> From Us
> [root at ns1 ~]# dig -b 148.165.3.10 @cax01-bb14-dcz01n-gss1.cisco.com tools.cisco.com
>
> ; <<>> DiG 9.4.3-P3 <<>> -b 148.165.3.10 @cax01-bb14-dcz01n-gss1.cisco.com tools.cisco.com
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26463
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;tools.cisco.com.               IN      A
>
> ;; Query time: 45 msec
> ;; SERVER: 173.37.144.100#53(173.37.144.100)
> ;; WHEN: Wed Mar  2 10:15:31 2011
> ;; MSG SIZE  rcvd: 33
>
>
> So I wonder if the query they make is some kind of authentication attempt?
>
>
> -----Original Message-----
> From: Mark Andrews [mailto:marka at isc.org]
> Sent: Tuesday, March 01, 2011 3:31 PM
> To: Kevin Darcy
> Cc: bind-users at isc.org
> Subject: Re: Help with unresolvable domain (subdomain, actually)
>
>
> In message <4D6D7268.1080305 at chrysler.com>, Kevin Darcy writes:
>> I got a trouble ticket on this too.
>>
>> From the looks of things, Cisco is using GSSes to load-balance this
>> site. GSSes return SERVFAIL if all of the resources behind the
>> load-balancer are down (which it determines via a heartbeat mechanism).
>> So I think this is a "simple" case of a website (or cluster) going down.
>> It was down earlier today, then up again, as of this writing, it is down
>> again.
>>
>> DNS doesn't really have a response code of "requested resource not
>> available", so SERVFAIL is Cisco's closest approximation. It has the
>> drawback, however, of often making other sorts of problems appear to be
>> DNS problems. That's just a cross that we DNS admins have to bear...
>>
>>                                             - Kevin
>
> Then the load balancer should return default records or 0.0.0.0/:: to
> indicate the name is good but doesn't currently have an address.
>
> Mark
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>

-- 
Eagles soar but a weasel will never get sucked into a jet engine
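
Added example, not part of the original message: one way to tell whether a UDP/53 packet dropped at a firewall is a query from the remote server or a FORMERR reply to your own EDNS0 query is to decode the header's QR bit and RCODE. The packets below are constructed to mirror the first dig exchange above (id 41568, 33-byte reply); the function names are hypothetical.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_message(msg_id, flags, qname, edns=False):
    """Build a constructed sample message: one IN/A question, optional OPT RR."""
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    # OPT pseudo-RR: root name, type 41, class = UDP size 4096, ttl 0, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0) if edns else b""
    return header + question + opt

def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if (n & 0xC0) == 0xC0:      # compression pointer is two bytes
            return off + 2
        off += 1 + n

def classify(payload):
    """Report direction (QR bit), RCODE and EDNS0 presence of a UDP/53 payload."""
    try:
        msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
        off, edns = 12, False
        for _ in range(qd):
            off = skip_name(payload, off) + 4            # qtype + qclass
        for _ in range(an + ns + ar):
            off = skip_name(payload, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
            edns = edns or rtype == 41                   # 41 = OPT (EDNS0)
            off += 10 + rdlen
        if off > len(payload):
            raise IndexError("message shorter than its counts claim")
    except (IndexError, struct.error):
        return {"kind": "malformed", "rcode": None, "edns": False}
    kind = "response" if flags & 0x8000 else "query"     # QR is the top flag bit
    return {"kind": kind, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "edns": edns}

# Constructed samples mirroring the dig exchange above (id and flags from its output).
SAMPLE_QUERY = build_message(41568, 0x0100, "tools.cisco.com", edns=True)   # rd + OPT
SAMPLE_FORMERR = build_message(41568, 0x8101, "tools.cisco.com")            # qr rd, rcode 1

if __name__ == "__main__":
    for name, pkt in (("outbound", SAMPLE_QUERY), ("inbound", SAMPLE_FORMERR)):
        print(name, len(pkt), classify(pkt))
```

Feeding the payload of a logged or captured drop to `classify` shows directly whether the firewall saw a `query` or a `response` with `FORMERR`.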




