[Pdns-users] CNAME NXDOMAIN problem

Francois Claire fclaire at free.fr
Thu Nov 21 13:52:23 UTC 2013 

Hi,


I'm currently testing PowerDNS recursor to see if it can be used in my 
production environment.

I've found one problem which is blocking: it's unable to resolve 
thumbs.g.ebay.com. and replies with an NXDOMAIN.


Here's the overall packet exchange for this resolution (cache is empty):
14:13:37.736863 IP A.B.C.D.59962 > W.X.Y.Z.53: 38849+ A? 
thumbs.g.ebay.com. (35)
14:13:37.740840 IP W.X.Y.Z.43796 > 192.58.128.30.53: 35832 [1au] A? 
thumbs.g.ebay.com. (54)
14:13:37.744086 IP 192.58.128.30.53 > W.X.Y.Z.43796: 35832- 0/13/16 (534)
14:13:37.749991 IP W.X.Y.Z.50992 > 192.41.162.30.53: 18765 [1au] A? 
thumbs.g.ebay.com. (54)
14:13:37.849736 IP 192.41.162.30.53 > W.X.Y.Z.50992: 18765- 0/6/7 (292)
14:13:37.853289 IP W.X.Y.Z.62858 > 66.135.215.5.53: 11952 [1au] A? 
thumbs.g.ebay.com. (54)
14:13:38.021033 IP 66.135.215.5.53 > W.X.Y.Z.62858: 11952- 0/3/4 (145)
14:13:38.023503 IP W.X.Y.Z.4994 > 66.211.167.40.53: 26515 [1au] A? 
thumbs.g.ebay.com. (54)
14:13:38.196462 IP 66.211.167.40.53 > W.X.Y.Z.4994: 26515 NXDomain*- 
0/1/1 (96)
14:13:38.198210 IP W.X.Y.Z.53 > A.B.C.D.59962: 38849 NXDomain 0/1/0 (85)

Machine A.B.C.D is the client, W.X.Y.Z the powerDNS server.

So the client asks the powerDNS recursor to resolve thumbs.g.ebay.com.:
14:13:37.736863 IP A.B.C.D.59962 > W.X.Y.Z.53: 38849+ A? 
thumbs.g.ebay.com. (35)

The powerDNS recursor starts recursion and asks a com. authoritative DNS 
server (192.58.128.30) which replies with the NS records for .ebay.com. 
zone:
14:13:37.740840 IP W.X.Y.Z.43796 > 192.58.128.30.53: 35832 [1au] A? 
thumbs.g.ebay.com. (54)
14:13:37.744086 IP 192.58.128.30.53 > W.X.Y.Z.43796: 35832- 0/13/16 (534)

The powerDNS recursor asks a ebay.com. DNS server (192.41.162.30):
14:13:37.749991 IP W.X.Y.Z.50992 > 192.41.162.30.53: 18765 [1au] A? 
thumbs.g.ebay.com. (54)
14:13:37.849736 IP 192.41.162.30.53 > W.X.Y.Z.50992: 18765- 0/6/7 (292)

Then a g.ebay.com. server (66.135.215.5):
14:13:37.853289 IP W.X.Y.Z.62858 > 66.135.215.5.53: 11952 [1au] A? 
thumbs.g.ebay.com. (54)
14:13:38.021033 IP 66.135.215.5.53 > W.X.Y.Z.62858: 11952- 0/3/4 (145)

Then finally it asks the g2.ebay.com. DNS server (66.211.167.40) to 
resolve thumbs.g.ebay.com.:
14:13:38.023503 IP W.X.Y.Z.4994 > 66.211.167.40.53: 26515 [1au] A? 
thumbs.g.ebay.com. (54)
14:13:38.196462 IP 66.211.167.40.53 > W.X.Y.Z.4994: 26515 NXDomain*- 
0/1/1 (96)

This g2.ebay.com. server answers an NXDomain, so the powerDNS recursor 
forwards this answer to the client machine:
14:13:38.198210 IP W.X.Y.Z.53 > A.B.C.D.59962: 38849 NXDomain 0/1/0 (85)




However when using dig, the g2.ebay.com. DNS server answers a CNAME record:

$ dig @66.211.167.40 thumbs.g.ebay.com

; <<>> DiG 9.8.4-P2 <<>> @66.211.167.40 thumbs.g.ebay.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58678
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;thumbs.g.ebay.com.        IN    A

;; ANSWER SECTION:
thumbs.g.ebay.com.    60    IN    CNAME c.ebay.georedirector.akadns.net.

;; Query time: 177 msec
;; SERVER: 66.211.167.40#53(66.211.167.40)
;; WHEN: Thu Nov 21 14:41:08 2013
;; MSG SIZE  rcvd: 80


And when using google's DNS 8.8.8.8, the name thumbs.g.ebay.com. 
resolves well:

$ dig @8.8.8.8 thumbs.g.ebay.com

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 thumbs.g.ebay.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19911
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;thumbs.g.ebay.com.        IN    A

;; ANSWER SECTION:
thumbs.g.ebay.com.    41    IN    CNAME c.ebay.georedirector.akadns.net.
c.ebay.georedirector.akadns.net. 1781 IN CNAME a1223.cp.akamai.net.
a1223.cp.akamai.net.    1    IN    A    46.33.69.218
a1223.cp.akamai.net.    1    IN    A    46.33.69.186
a1223.cp.akamai.net.    1    IN    A    46.33.69.201

;; Query time: 45 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Nov 21 14:48:37 2013
;; MSG SIZE  rcvd: 158


So why is the powerDNS recursor receiving an NXDomain ? Is its query 
malformed ?



To reproduce the problem is easy: just use the "dig thumbs.g.ebay.com" 
command on your pdns_recursor server.

More information about the Pdns-users mailing list