[Pdns-users] CNAME NXDOMAIN problem

Aki Tuomi cmouse at youzen.ext.b2.fi
Thu Nov 21 14:26:05 UTC 2013 

Hi!

Can you please try with trace?

rec_control trace-regex ebay.com

This will generate lots of logs, so remember to turn it off.

Aki

On Thu, Nov 21, 2013 at 02:52:23PM +0100, Francois Claire wrote:
> Hi,
> 
> 
> I'm currently testing PowerDNS recursor to see if it can be used in
> my production environment.
> 
> I've found one problem which is blocking: it's unable to resolve
> thumbs.g.ebay.com. and replies with an NXDOMAIN.
> 
> 
> Here's the overall packet exchange for this resolution (cache is empty):
> 14:13:37.736863 IP A.B.C.D.59962 > W.X.Y.Z.53: 38849+ A?
> thumbs.g.ebay.com. (35)
> 14:13:37.740840 IP W.X.Y.Z.43796 > 192.58.128.30.53: 35832 [1au] A?
> thumbs.g.ebay.com. (54)
> 14:13:37.744086 IP 192.58.128.30.53 > W.X.Y.Z.43796: 35832- 0/13/16 (534)
> 14:13:37.749991 IP W.X.Y.Z.50992 > 192.41.162.30.53: 18765 [1au] A?
> thumbs.g.ebay.com. (54)
> 14:13:37.849736 IP 192.41.162.30.53 > W.X.Y.Z.50992: 18765- 0/6/7 (292)
> 14:13:37.853289 IP W.X.Y.Z.62858 > 66.135.215.5.53: 11952 [1au] A?
> thumbs.g.ebay.com. (54)
> 14:13:38.021033 IP 66.135.215.5.53 > W.X.Y.Z.62858: 11952- 0/3/4 (145)
> 14:13:38.023503 IP W.X.Y.Z.4994 > 66.211.167.40.53: 26515 [1au] A?
> thumbs.g.ebay.com. (54)
> 14:13:38.196462 IP 66.211.167.40.53 > W.X.Y.Z.4994: 26515 NXDomain*-
> 0/1/1 (96)
> 14:13:38.198210 IP W.X.Y.Z.53 > A.B.C.D.59962: 38849 NXDomain 0/1/0 (85)
> 
> Machine A.B.C.D is the client, W.X.Y.Z the powerDNS server.
> 
> So the client asks the powerDNS recursor to resolve thumbs.g.ebay.com.:
> 14:13:37.736863 IP A.B.C.D.59962 > W.X.Y.Z.53: 38849+ A?
> thumbs.g.ebay.com. (35)
> 
> The powerDNS recursor starts recursion and asks a com. authoritative
> DNS server (192.58.128.30) which replies with the NS records for
> .ebay.com. zone:
> 14:13:37.740840 IP W.X.Y.Z.43796 > 192.58.128.30.53: 35832 [1au] A?
> thumbs.g.ebay.com. (54)
> 14:13:37.744086 IP 192.58.128.30.53 > W.X.Y.Z.43796: 35832- 0/13/16 (534)
> 
> The powerDNS recursor asks a ebay.com. DNS server (192.41.162.30):
> 14:13:37.749991 IP W.X.Y.Z.50992 > 192.41.162.30.53: 18765 [1au] A?
> thumbs.g.ebay.com. (54)
> 14:13:37.849736 IP 192.41.162.30.53 > W.X.Y.Z.50992: 18765- 0/6/7 (292)
> 
> Then a g.ebay.com. server (66.135.215.5):
> 14:13:37.853289 IP W.X.Y.Z.62858 > 66.135.215.5.53: 11952 [1au] A?
> thumbs.g.ebay.com. (54)
> 14:13:38.021033 IP 66.135.215.5.53 > W.X.Y.Z.62858: 11952- 0/3/4 (145)
> 
> Then finally it asks the g2.ebay.com. DNS server (66.211.167.40) to
> resolve thumbs.g.ebay.com.:
> 14:13:38.023503 IP W.X.Y.Z.4994 > 66.211.167.40.53: 26515 [1au] A?
> thumbs.g.ebay.com. (54)
> 14:13:38.196462 IP 66.211.167.40.53 > W.X.Y.Z.4994: 26515 NXDomain*-
> 0/1/1 (96)
> 
> This g2.ebay.com. server answers an NXDomain, so the powerDNS
> recursor forwards this answer to the client machine:
> 14:13:38.198210 IP W.X.Y.Z.53 > A.B.C.D.59962: 38849 NXDomain 0/1/0 (85)
> 
> 
> 
> 
> However when using dig, the g2.ebay.com. DNS server answers a CNAME record:
> 
> $ dig @66.211.167.40 thumbs.g.ebay.com
> 
> ; <<>> DiG 9.8.4-P2 <<>> @66.211.167.40 thumbs.g.ebay.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58678
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;thumbs.g.ebay.com.        IN    A
> 
> ;; ANSWER SECTION:
> thumbs.g.ebay.com.    60    IN    CNAME c.ebay.georedirector.akadns.net.
> 
> ;; Query time: 177 msec
> ;; SERVER: 66.211.167.40#53(66.211.167.40)
> ;; WHEN: Thu Nov 21 14:41:08 2013
> ;; MSG SIZE  rcvd: 80
> 
> 
> And when using google's DNS 8.8.8.8, the name thumbs.g.ebay.com.
> resolves well:
> 
> $ dig @8.8.8.8 thumbs.g.ebay.com
> 
> ; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 thumbs.g.ebay.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19911
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;thumbs.g.ebay.com.        IN    A
> 
> ;; ANSWER SECTION:
> thumbs.g.ebay.com.    41    IN    CNAME c.ebay.georedirector.akadns.net.
> c.ebay.georedirector.akadns.net. 1781 IN CNAME a1223.cp.akamai.net.
> a1223.cp.akamai.net.    1    IN    A    46.33.69.218
> a1223.cp.akamai.net.    1    IN    A    46.33.69.186
> a1223.cp.akamai.net.    1    IN    A    46.33.69.201
> 
> ;; Query time: 45 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Thu Nov 21 14:48:37 2013
> ;; MSG SIZE  rcvd: 158
> 
> 
> So why is the powerDNS recursor receiving an NXDomain ? Is its query
> malformed ?
> 
> 
> 
> To reproduce the problem is easy: just use the "dig
> thumbs.g.ebay.com" command on your pdns_recursor server.
> 
> 
> 
> 
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20131121/7ff37246/attachment-0001.sig>

More information about the Pdns-users mailing list