[Pdns-users] pdns-recursor and amazon cloudfront

Mario Caruso caruso at tiscali.com
Tue Dec 11 16:25:55 UTC 2012


Hello everybody,
I'd like to ask your advice on an issue that I'm having with
my pdns-recursor. I administer four x86 servers where I
installed pdns-recursor (standard package from Debian
squeeze 64 bit, so recursor 3.2) and two old servers
(Slackware 13.1 32 bit) where BIND is running (BIND was
installed as the standard Slackware package bind-9.7).

All the servers are used by my company's customers as
DNS resolvers; I received a complaint because some
customers are unable to reach some parts of the website
creativepark.it; the issue seems to be linked to the
resolution of the name static.creativepark.it.

If I use dig on one of the pdns servers everything seems
to work fine, e.g.:

dig  +short @10.39.73.28 static.creativepark.it
d3fshx1vqqth2b.cloudfront.net.

dig  +short @10.39.73.28 d3fshx1vqqth2b.cloudfront.net.
205.251.209.51
205.251.209.149
205.251.209.198
205.251.209.91
205.251.209.171
205.251.209.210
205.251.209.81
205.251.209.6

so the hostname static.creativepark.it is a CNAME for a
CloudFront "object" d3fshx1vqqth2b.cloudfront.net; I
expect that resolution on the clients will follow the CNAME
chain up to the end.

If I try to resolve with a different tool (nslookup or host) I get
an error because of the NXDOMAIN flag that is generated
by the CNAME in an external domain, for example:

(10.39.73.28 is one of the pdns-recursor servers)
-------------------------------------------------------
host static.creativepark.it 10.39.73.28
Using domain server:
Name: 10.39.73.28
Address: 10.39.73.28#53
Aliases:

Host static.creativepark.it not found: 3(NXDOMAIN)
-------------------------------------------------------
 nslookup
> server 10.39.73.28
Default server: 10.39.73.28
Address: 10.39.73.28#53
> set nosearch
> static.creativepark.it
Server:         10.39.73.28
Address:        10.39.73.28#53

** server can't find static.creativepark.it: NXDOMAIN
-------------------------------------------------------

I thought that this was an issue just for the host and nslookup
utilities, because they are fooled by the NXDOMAIN flag, so I
tried a different test:

I logged in to a test server, edited resolv.conf to use one of the
pdns servers and used wget to download http://static.creativepark.it.
What I expected was to be able to download the page; instead
I got another error:

 wget --no-proxy static.creativepark.it
--17:12:50--  http://static.creativepark.it/
           => `index.html'
Resolving static.creativepark.it... failed: Name or service not known.

so I changed resolv.conf in order to use one of the BIND servers, and
nslookup / host / dig and even wget started to work:

(10.39.113.107 is one of the old BIND resolvers)
-------------------------------------------------------
wget --no-proxy static.creativepark.it
--17:17:23--  http://static.creativepark.it/
           => `index.html'
Resolving static.creativepark.it... 205.251.209.103, 205.251.209.134, 205.251.209.148, ...
Connecting to static.creativepark.it|205.251.209.103|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 392 [text/html]
[cut]
17:17:24 (27.88 MB/s) - `index.html' saved [392/392]
-------------------------------------------------------
host static.creativepark.it 10.39.113.107
Using domain server:
Name: 10.39.113.107
Address: 10.39.113.107#53
Aliases:

static.creativepark.it is an alias for d3fshx1vqqth2b.cloudfront.net.
d3fshx1vqqth2b.cloudfront.net has address 205.251.209.58
d3fshx1vqqth2b.cloudfront.net has address 205.251.209.100
d3fshx1vqqth2b.cloudfront.net has address 205.251.209.103
d3fshx1vqqth2b.cloudfront.net has address 205.251.209.134
d3fshx1vqqth2b.cloudfront.net has address 205.251.209.148
d3fshx1vqqth2b.cloudfront.net has address 205.251.209.166
d3fshx1vqqth2b.cloudfront.net has address 205.251.209.208
d3fshx1vqqth2b.cloudfront.net has address 205.251.209.32
-------------------------------------------------------

I'm really puzzled by the situation. Is there anybody that is having
the same behaviour, or that is aware of this weird thing with
CloudFront?

btw, I tried to contact hostmaster@cloudfront.net since it is published
in the SOA record of cloudfront.net... but apparently that address
doesn't exist :-/

Thank you 

M.
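As an added illustration (not part of the original post), the Python below builds a constructed DNS response of the kind described above, a CNAME answer carried in a message whose RCODE is NXDOMAIN, and flags the inconsistency that makes host, nslookup and wget report failure while dig +short still prints the CNAME. The names are taken from the post; the message bytes are constructed here, not captured from the servers mentioned.

```python
import struct

def encode_name(name):
    """Encode a dotted name in DNS wire format (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def decode_name(msg, off):
    """Decode a wire-format name at offset, following compression pointers."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            name, _ = decode_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode())
        off += length

def build_response(qname, cname_target, rcode):
    """Constructed response: 1 question (A/IN), 1 CNAME answer, given RCODE."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, 1, 0, 0)  # QR, RD, RA
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = encode_name(cname_target)
    # owner name is a pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 60, len(rdata)) + rdata
    return hdr + question + answer

def analyse(msg):
    """Return RCODE, CNAME chain found in the answer section, and whether
    the two contradict each other (NXDOMAIN alongside CNAME data)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):                                # skip question section
        _, off = decode_name(msg, off)
        off += 4
    chain = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 5:                                 # CNAME
            target, _ = decode_name(msg, off)
            chain.append((owner, target))
        off += rdlen
    return {"rcode": rcode, "cnames": chain, "inconsistent": rcode == 3 and bool(chain)}
```

Running analyse() on a response captured from the recursor (e.g. with dig's raw output or a packet capture) tells you whether the CNAME is being returned with a failure code, which is what a stub resolver acts on.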


