different answers from google's authoritative servers

Kevin Kretz kevin at rentec.com
Wed Jun 1 11:41:46 UTC 2016 

Sotiris, 

There could be multiple A records for load balancing. 


From: "Sotiris Tsimbonis" <stsimb at forthnet.gr> 
To: bind-users at isc.org 
Sent: Wednesday, June 1, 2016 7:34:00 AM 
Subject: different answers from google's authoritative servers 

Hi all, 

We have 3 recursive resolvers on the same subnet, and one of them is 
getting different answers for the same things from google's 
authoritative dns servers. 

[root at syz3ns01 ~]# RESOLVERS="ns1.google.com. ns2.google.com. 
ns3.google.com. ns4.google.com." 
[root at syz3ns01 ~]# SITES="www.google.com. www.google.gr." 
[root at syz3ns01 ~]# for resolver in ${RESOLVERS} ; do for site in 
${SITES}; do echo "${resolver} ${site} $(dig +short A ${site} 
@${resolver})" ; done ; done 
ns1.google.com. www.google.com. 216.58.211.4 
ns1.google.com. www.google.gr. 216.58.211.3 
ns2.google.com. www.google.com. 216.58.211.4 
ns2.google.com. www.google.gr. 216.58.211.3 
ns3.google.com. www.google.com. 216.58.211.4 
ns3.google.com. www.google.gr. 216.58.211.3 
ns4.google.com. www.google.com. 216.58.211.4 
ns4.google.com. www.google.gr. 216.58.211.3 

[root at syz3ns02 ~]# RESOLVERS="ns1.google.com. ns2.google.com. 
ns3.google.com. ns4.google.com." 
[root at syz3ns02 ~]# SITES="www.google.com. www.google.gr." 
[root at syz3ns02 ~]# for resolver in ${RESOLVERS} ; do for site in 
${SITES}; do echo "${resolver} ${site} $(dig +short A ${site} 
@${resolver})" ; done ; done 
ns1.google.com. www.google.com. 216.58.211.36 
ns1.google.com. www.google.gr. 216.58.211.35 
ns2.google.com. www.google.com. 216.58.211.36 
ns2.google.com. www.google.gr. 216.58.211.35 
ns3.google.com. www.google.com. 216.58.211.36 
ns3.google.com. www.google.gr. 216.58.211.35 
ns4.google.com. www.google.com. 216.58.211.36 
ns4.google.com. www.google.gr. 216.58.211.35 

[root at syz3ns03 ~]# RESOLVERS="ns1.google.com. ns2.google.com. 
ns3.google.com. ns4.google.com." 
[root at syz3ns03 ~]# SITES="www.google.com. www.google.gr." 
[root at syz3ns03 ~]# for resolver in ${RESOLVERS} ; do for site in 
${SITES}; do echo "${resolver} ${site} $(dig +short A ${site} 
@${resolver})" ; done ; done 
ns1.google.com. www.google.com. 172.217.16.36 
ns1.google.com. www.google.gr. 172.217.16.35 
ns2.google.com. www.google.com. 172.217.16.36 
ns2.google.com. www.google.gr. 172.217.16.35 
ns3.google.com. www.google.com. 172.217.16.36 
ns3.google.com. www.google.gr. 172.217.16.35 
ns4.google.com. www.google.com. 172.217.16.36 
ns4.google.com. www.google.gr. 172.217.16.35 

The IP addresses of our servers are 84.205.252.16, 84.205.252.18 and 
84.205.252.20 respectively. 

The problem with the third answer set is on the users' browsers, it 
produces an ssl certificate error and users cannot access google. 

traceroute to google's dns servers are different on the penultimate hop 
(hop 12) 

[root at syz3ns01 ~]# traceroute ns3.google.com. 
traceroute to ns3.google.com (216.239.36.10), 30 hops max, 38 byte packets 
1 syz3fw01-dmz.servers.n3.syzefxis.gov.gr (10.95.1.1) 0.405 ms 0.262 
ms 0.217 ms 
2 84.205.252.6 (84.205.252.6) 0.718 ms 0.504 ms 0.511 ms 
3 193.92.42.169 (193.92.42.169) 0.937 ms 1.024 ms 0.482 ms 
4 194.219.208.29 (194.219.208.29) 1.017 ms 1.004 ms 0.946 ms 
MPLS Label=757472 CoS=5 TTL=1 S=0 
5 xe-0-3-1.core-lsf-08.forthnet.gr (213.16.247.193) 0.950 ms 1.063 
ms 0.982 ms 
6 74.125.48.74 (74.125.48.74) 8.373 ms 8.374 ms 8.341 ms 
7 72.14.237.27 (72.14.237.27) 8.352 ms 72.14.237.189 (72.14.237.189) 
12.085 ms 72.14.237.27 (72.14.237.27) 8.979 ms 
8 209.85.253.114 (209.85.253.114) 26.920 ms 26.114 ms 25.789 ms 
MPLS Label=772454 CoS=5 TTL=1 S=0 
9 216.239.58.8 (216.239.58.8) 50.816 ms 209.85.241.233 
(209.85.241.233) 42.159 ms 43.461 ms 
MPLS Label=756878 CoS=5 TTL=1 S=0 
10 209.85.251.178 (209.85.251.178) 45.549 ms 44.474 ms 45.682 ms 
MPLS Label=720256 CoS=5 TTL=1 S=0 
11 74.125.37.103 (74.125.37.103) 39.998 ms 216.239.49.244 
(216.239.49.244) 48.116 ms 74.125.37.150 (74.125.37.150) 42.865 ms 
MPLS Label=25186 CoS=5 TTL=1 S=0 
12 209.85.251.231 (209.85.251.231) 39.575 ms 72.14.238.43 
(72.14.238.43) 43.933 ms 209.85.242.165 (209.85.242.165) 46.748 ms 
13 * *Icmp checksum is wrong 
* 
14 ns3.google.com (216.239.36.10) 41.453 ms 39.987 ms 47.545 ms 
[root at syz3ns01 ~]# 

[root at syz3ns02 ~]# traceroute ns3.google.com. 
traceroute to ns3.google.com (216.239.36.10), 30 hops max, 38 byte packets 
1 syz3fw01-dmz.servers.n3.syzefxis.gov.gr (10.95.1.1) 0.232 ms 0.283 
ms 0.209 ms 
2 84.205.252.6 (84.205.252.6) 0.688 ms 0.535 ms 0.455 ms 
3 193.92.42.169 (193.92.42.169) 1.715 ms 0.835 ms 0.726 ms 
4 194.219.208.29 (194.219.208.29) 1.248 ms 0.876 ms 0.773 ms 
MPLS Label=757472 CoS=5 TTL=1 S=0 
5 xe-0-3-1.core-lsf-08.forthnet.gr (213.16.247.193) 0.755 ms 1.047 
ms 0.944 ms 
6 74.125.48.74 (74.125.48.74) 8.331 ms 8.546 ms 8.328 ms 
7 72.14.237.189 (72.14.237.189) 12.286 ms 72.14.237.27 (72.14.237.27) 
5.935 ms 72.14.237.189 (72.14.237.189) 13.211 ms 
8 209.85.253.114 (209.85.253.114) 22.488 ms 209.85.240.160 
(209.85.240.160) 25.713 ms 26.401 ms 
MPLS Label=554255 CoS=5 TTL=1 S=0 
9 216.239.57.244 (216.239.57.244) 41.070 ms 209.85.241.233 
(209.85.241.233) 34.822 ms 209.85.242.79 (209.85.242.79) 38.180 ms 
MPLS Label=27780 CoS=5 TTL=1 S=0 
10 209.85.251.178 (209.85.251.178) 36.262 ms 66.249.95.39 
(66.249.95.39) 44.744 ms 209.85.143.25 (209.85.143.25) 43.497 ms 
MPLS Label=25688 CoS=5 TTL=1 S=0 
11 216.239.49.240 (216.239.49.240) 42.459 ms 216.239.49.244 
(216.239.49.244) 42.738 ms 39.587 ms 
MPLS Label=731306 CoS=5 TTL=1 S=0 
12 72.14.238.215 (72.14.238.215) 46.858 ms 216.239.51.147 
(216.239.51.147) 48.715 ms 209.85.246.164 (209.85.246.164) 86.761 ms 
Icmp checksum is wrong 
13 * * * 
14 ns3.google.com (216.239.36.10) 48.178 ms 48.106 ms 48.157 ms 
[root at syz3ns02 ~]# 

[root at syz3ns03 ~]# traceroute ns3.google.com. 
traceroute to ns3.google.com (216.239.36.10), 30 hops max, 38 byte packets 
1 syz3fw01-dmz.servers.n3.syzefxis.gov.gr (10.95.1.1) 0.297 ms 0.393 
ms 0.447 ms 
2 84.205.252.6 (84.205.252.6) 0.454 ms 0.574 ms 0.751 ms 
3 193.92.42.169 (193.92.42.169) 0.938 ms 0.823 ms 0.733 ms 
4 194.219.208.29 (194.219.208.29) 1.260 ms 0.766 ms 1.267 ms 
MPLS Label=757472 CoS=5 TTL=1 S=0 
5 xe-0-3-1.core-lsf-08.forthnet.gr (213.16.247.193) 15.388 ms 1.248 
ms 1.446 ms 
6 74.125.48.74 (74.125.48.74) 5.410 ms 5.378 ms 5.435 ms 
7 72.14.237.27 (72.14.237.27) 12.224 ms 12.309 ms 72.14.237.189 
(72.14.237.189) 5.354 ms 
8 209.85.240.160 (209.85.240.160) 22.422 ms 35.365 ms 22.601 ms 
MPLS Label=536927 CoS=5 TTL=1 S=0 
9 216.239.57.244 (216.239.57.244) 43.196 ms 209.85.242.79 
(209.85.242.79) 40.263 ms 216.239.57.244 (216.239.57.244) 43.387 ms 
MPLS Label=27555 CoS=5 TTL=1 S=0 
10 209.85.251.178 (209.85.251.178) 41.581 ms 209.85.143.25 
(209.85.143.25) 36.869 ms 66.249.95.39 (66.249.95.39) 44.804 ms 
MPLS Label=24801 CoS=5 TTL=1 S=0 
11 216.239.49.244 (216.239.49.244) 44.189 ms 74.125.37.154 
(74.125.37.154) 47.331 ms 216.239.49.244 (216.239.49.244) 48.582 ms 
MPLS Label=549098 CoS=5 TTL=1 S=0 
12 209.85.246.135 (209.85.246.135) 47.964 ms 209.85.251.231 
(209.85.251.231) 42.683 ms 72.14.238.215 (72.14.238.215) 43.525 ms 
13 * * * 
14 ns3.google.com (216.239.36.10) 49.559 ms 48.009 ms 48.148 ms 
[root at syz3ns03 ~]# 

Any ideas please? 
Sot. 
_______________________________________________ 
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list 

bind-users mailing list 
bind-users at lists.isc.org 
https://lists.isc.org/mailman/listinfo/bind-users 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20160601/3bc4b7b3/attachment-0001.html>

More information about the bind-users mailing list