On Mar 2, 2011, at 1:21 PM, Mike Bernhardt wrote:
What's really strange is that when we attempt a query, be it DIG or an
attempt to browse tools.cisco.com, they send some sort of query back
to us from/to UDP 53.
Many GSLB solutions attempt to figure out what the best location to
serve from is by sending a query to the server that just queried
*them* -- this allows them to figure out latency and decide which
cluster might be closest....
I'm suspecting (although I avoid Cisco LB like the plague and so am
not sure) that this is the cause.
The other possibility -- I ran tcpdump to see if I could see what the
query might be, and I found that I was getting a FormErr response to my
initial query, causing me to requery without DNSSEC / EDNS0 -- maybe
you are actually not seeing a query from them; maybe it's a FormErr
response that your FW is noting?
W
wkumari@vimes:~/src/perl/IODEF$ dig +edns=0 tools.cisco.com @128.107.227.197
; <<>> DiG 9.7.2-P3 <<>> +edns=0 tools.cisco.com @128.107.227.197
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 41568
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;tools.cisco.com. IN A
;; Query time: 75 msec
;; SERVER: 128.107.227.197#53(128.107.227.197)
;; WHEN: Wed Mar 2 14:17:38 2011
;; MSG SIZE rcvd: 33
wkumari@vimes:~/src/perl/IODEF$ dig tools.cisco.com @128.107.227.197
; <<>> DiG 9.7.2-P3 <<>> tools.cisco.com @128.107.227.197
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54960
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;tools.cisco.com. IN A
;; ANSWER SECTION:
tools.cisco.com. 20 IN A 173.37.145.8
;; Query time: 75 msec
;; SERVER: 128.107.227.197#53(128.107.227.197)
;; WHEN: Wed Mar 2 14:17:45 2011
;; MSG SIZE rcvd: 49
We drop it at the firewall due to some sort of "sanity check" so I
can't see the contents. This is in addition to the SERVFAIL message.
Although I get SERVFAIL, Kloth.net does not, even if we DIG the same
server:
cax01-bb14-dcz01n-gss1.cisco.com
From Kloth
; <<>> DiG 9.3.2 <<>> @cax01-bb14-dcz01n-gss1.cisco.com tools.cisco.com A
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41388
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;tools.cisco.com. IN A
;; ANSWER SECTION:
tools.cisco.com. 20 IN A 72.163.4.38
;; Query time: 131 msec
;; SERVER: 173.37.144.100#53(173.37.144.100)
;; WHEN: Wed Mar 2 19:15:04 2011
;; MSG SIZE rcvd: 49
From Us
[root@ns1 ~]# dig -b 148.165.3.10 @cax01-bb14-dcz01n-gss1.cisco.com tools.cisco.com
; <<>> DiG 9.4.3-P3 <<>> -b 148.165.3.10 @cax01-bb14-dcz01n-gss1.cisco.com tools.cisco.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26463
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;tools.cisco.com. IN A
;; Query time: 45 msec
;; SERVER: 173.37.144.100#53(173.37.144.100)
;; WHEN: Wed Mar 2 10:15:31 2011
;; MSG SIZE rcvd: 33
So I wonder if the query they make is some kind of authentication
attempt?
-----Original Message-----
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Tuesday, March 01, 2011 3:31 PM
To: Kevin Darcy
Cc: bind-us...@isc.org
Subject: Re: Help with unresolvable domain (subdomain, actually)
In message <4d6d7268.1080...@chrysler.com>, Kevin Darcy writes:
I got a trouble ticket on this too.
From the looks of things, Cisco is using GSSes to load-balance this
site. GSSes return SERVFAIL if all of the resources behind the
load-balancer are down (which it determines via a heartbeat
mechanism).
So I think this is a "simple" case of a website (or cluster) going
down.
It was down earlier today, then up again; as of this writing, it is
down again.
DNS doesn't really have a response code of "requested resource not
available", so SERVFAIL is Cisco's closest approximation. It has the
drawback, however, of often making other sorts of problems appear
to be
DNS problems. That's just a cross that we DNS admins have to bear...
- Kevin
Then the load balancer should return default records or 0.0.0.0/:: to
indicate the name is good but doesn't currently have an address.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
Eagles soar but a weasel will never get sucked into a jet engine
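The two behaviours discussed in this thread, modelled on the wire, as an added example that is not part of any message above and not Cisco's or ISC's code: a hypothetical load balancer (FakeGSS, a constructed stand-in) that answers FORMERR to any query carrying an EDNS0 OPT record, answers from a healthy backend otherwise, and when no backend is healthy either returns SERVFAIL (the GSS behaviour Kevin describes) or a default 0.0.0.0 record (Mark's suggestion); beside it, a resolver-side retry that drops EDNS0 on FORMERR, which is what Warren saw his dig do. The backend IPs are the ones that appear in the dig output above; the health flags and all other inputs are constructed for the example. The message sizes come out as 33 and 49 bytes, the same as the "MSG SIZE rcvd" values in the thread, which is a useful sanity check on the encoder.

```python
import struct

# RCODE values from RFC 1035 section 4.1.1
RCODE_NOERROR, RCODE_FORMERR, RCODE_SERVFAIL = 0, 1, 2
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN"}
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer is 2 bytes
            return off + 2
        off += 1 + ln


def build_query(qname, qid=0x1234, edns=False):
    """A-record query; with edns=True an OPT pseudo-RR (RFC 6891) is appended."""
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set
    msg = hdr + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if edns:
        # OPT: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return msg


def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "arcount": ar}


def parse_question(msg):
    """Returns (qname, qtype, qclass, offset after the question section)."""
    off, labels = 12, []
    while msg[off] != 0:
        ln = msg[off]
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    off += 1
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return ".".join(labels) + ".", qtype, qclass, off + 4


def parse_answers(msg):
    """Collect IPv4 addresses from the answer section."""
    h = parse_header(msg)
    _, _, _, off = parse_question(msg)
    ips = []
    for _ in range(h["ancount"]):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips


class FakeGSS:
    """Hypothetical GSLB (constructed for this example, not a real product).
    backends: list of (ip, healthy). gss_style=True -> SERVFAIL when all are down;
    gss_style=False -> answer with default_ip instead (the alternative Mark suggests)."""

    def __init__(self, backends, gss_style=True, default_ip="0.0.0.0", reject_edns=True):
        self.backends, self.gss_style = backends, gss_style
        self.default_ip, self.reject_edns = default_ip, reject_edns

    def respond(self, query):
        h = parse_header(query)
        _, _, _, off = parse_question(query)
        question = query[12:off]
        has_opt = False
        if h["arcount"]:                     # look at the first additional RR
            o = skip_name(query, off)
            has_opt = struct.unpack("!H", query[o:o + 2])[0] == TYPE_OPT
        if has_opt and self.reject_edns:
            return self._reply(h["id"], RCODE_FORMERR, question, None)
        healthy = [ip for ip, ok in self.backends if ok]
        if healthy:
            return self._reply(h["id"], RCODE_NOERROR, question, healthy[0])
        if self.gss_style:
            return self._reply(h["id"], RCODE_SERVFAIL, question, None)
        return self._reply(h["id"], RCODE_NOERROR, question, self.default_ip)

    @staticmethod
    def _reply(qid, rcode, question, ip):
        flags = 0x8000 | 0x0400 | 0x0100 | rcode      # QR, AA, RD echoed
        msg = struct.pack("!HHHHHH", qid, flags, 1, 0 if ip is None else 1, 0, 0) + question
        if ip is not None:
            rdata = bytes(int(o) for o in ip.split("."))
            # name is a pointer to the question name at offset 12; TTL 20 as in the thread
            msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 20, 4) + rdata
        return msg


def resolve(server, qname):
    """Resolver-side EDNS0 fallback: query with OPT first, retry plain on FORMERR.
    Returns (rcode name, list of A records, list of (attempt, rcode name))."""
    attempts = []
    for edns in (True, False):
        reply = server.respond(build_query(qname, edns=edns))
        rc = RCODE_NAMES.get(parse_header(reply)["rcode"], "?")
        attempts.append(("edns" if edns else "plain", rc))
        if rc != "FORMERR":
            return rc, parse_answers(reply), attempts
    return "FORMERR", [], attempts


if __name__ == "__main__":
    up = FakeGSS([("173.37.145.8", True), ("72.163.4.38", True)])
    print(resolve(up, "tools.cisco.com"))
    print(resolve(FakeGSS([("173.37.145.8", False)]), "tools.cisco.com"))
    print(resolve(FakeGSS([("173.37.145.8", False)], gss_style=False), "tools.cisco.com"))
```

Run as-is to see the three exchanges: the EDNS attempt gets FORMERR and the plain retry succeeds; with every backend marked down the retry gets SERVFAIL, which is indistinguishable from a broken nameserver at the resolver; with gss_style=False the same outage surfaces as a NOERROR answer of 0.0.0.0, so the client learns the name exists and the service is simply unavailable.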