
In the process of setting up DNS for my own website I got curious about looking up a large company's DNS record. I chose facebook.com and used dnschecker.org to view their DNS record. Ignoring AAAA records because the majority of people still use IPv4, I only get back 2 addresses: 31.13.71.36 and 157.240.26.35

Maybe I'm missing some technology here but each static IP can only be assigned to a single NIC at any given time. That would mean facebook is handling all IPv4 ingress and egress from their data centers through only two (very fast) machines. There's no way.

What am I missing here?

Currn Hyde
    Go to https://www.whatsmydns.net/#A/facebook.com and see how the reply depends on where you query from. This is called Geolocation: the DNS reply depends on the "location" of the source to provide an IP "closer" to the requestor. Note that it is in practice not enough and/or not as simple because where the client is and where its recursive DNS server is are two different things. Also there could have been even only one IP and the same one everywhere: in that case it would have most probably been IP anycast (where a single IP is physically in different places at the same time). – Patrick Mevzek Sep 16 '21 at 04:41

2 Answers


When you query a DNS server, especially for something like an A record, you don't get a complete picture of all of the setup of a site. You only get enough to satisfy your request and connect to the intended target.

It used to be possible to do additional queries and get full listings, but for security reasons, this has been disabled and deprecated for a long time.

Even before security measures reduced the amount of information you could scrape out of DNS, sites were using dynamic DNS techniques to implement load balancing. Basically, when your host queries an A record for facebook, it gets one or a few answers out of a large list of unknown size. Your system may cache that result, so subsequent queries give the same answer, although the source DNS server can set a timeout on that (the timeout was around 300 seconds when I checked).

So basically, when you query facebook.com, you get a random answer out of a list, and that answer could change (possibly every 300 seconds). Facebook's DNS servers could easily give a completely different answer to each client that queried them, and could even try to detect your network location to tweak the answer to give a server close to you on the network. As mentioned in the other answer, this is exactly the sort of thing that a CDN is designed to do.

user10489
    "So basically, when you query facebook.com, you get a random answer out of a list, ". It is most probably not random. The server decides which IP address is "best" to give back to client, and most often it is based on geolocation considerations, or which ISP he is using, hence taking into account BGP level peerings and things like that. – Patrick Mevzek Sep 16 '21 at 04:42
  • "It use to be possible to do additional queries and get full listings" If you are thinking there about `AXFR` it was mostly never possible and only a configuration error when it happened. If you think about the fake `ANY` DNS query that everyone thinks means `ALL`, which it does not, this would also absolutely not guarantee to give you back all data but only what was in the cache of some recursive nameserver. It is now anyway deprecated, see RFC 8482 – Patrick Mevzek Sep 16 '21 at 04:44
  • Random: I did say it could be location based. By random, I mean that the selection is not predictable by the requestor. – user10489 Sep 16 '21 at 11:23
  • Yes, at the beginning of internet, you could do a full query of DNS and it was (at least at the start) not considered a configuration error. Thanks for the RFC, I'll consider integrating that into the answer. – user10489 Sep 16 '21 at 11:24
  • "you could do a full query of DNS and it was (at least at the start) not considered a configuration error. " Not clear, you might be thinking about `AXFR` but this was **far** from being available everywhere. Quite the contrary in fact. – Patrick Mevzek Sep 16 '21 at 14:48
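An added example, not part of the answer above or of any code Facebook publishes, showing what the answer describes at the wire level: building an A query, parsing the answer section including the per-record TTL that governs how long a resolver or stub caches the reply, and checking that the reply's transaction ID matches the query before trusting it. The response bytes are constructed here to resemble a resolver reply, not a real capture; the two addresses and the 300-second TTL are simply the numbers quoted in this thread. The `query_resolver` helper is an assumption about how one would send the same query to several public resolvers to see the location-dependent answers mentioned in the comments.

```python
"""Minimal DNS A-record query builder and response parser (RFC 1035 wire format).

Added example for this thread. SAMPLE_RESPONSE is constructed, not captured.
"""
from __future__ import annotations

import socket
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A/IN query for `name`: 12-byte header, QNAME, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, offset after it)."""
    labels: list[str] = []
    end = off
    jumped = False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer into the message
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2  # the name field itself ends after the pointer
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_a_records(data: bytes, expected_txid: int | None = None) -> list[tuple[str, int, str]]:
    """Return (owner, ttl, ipv4) for every A record in the answer section.

    A reply whose transaction ID does not match the query is rejected rather than
    parsed: that is the basic (and weak) spoofing check every stub resolver does.
    """
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch (reply not for our query)")
    if flags & 0x000F:  # RCODE in the low nibble; 0 means NOERROR
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(data, off)
        off += 4  # QTYPE + QCLASS
    records = []
    for _ in range(an):
        owner, off = _read_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, IN class
            records.append((owner, ttl, socket.inet_ntoa(rdata)))
    return records


# Constructed sample reply (not a real capture): QR|RD|RA flags, one question, two A
# answers whose owner name is a compression pointer (0xC00C) back to the question at
# offset 12. TTL 300 and the two addresses are the figures quoted in the thread.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + b"\x08facebook\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("31.13.71.36")
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("157.240.26.35")
)


def query_resolver(name: str, server: str, timeout: float = 2.0) -> list[tuple[str, int, str]]:
    """Send the query over UDP to one resolver and parse its reply (needs network)."""
    txid = 0x4242  # assumption: a fixed ID is fine for a demo; real stubs randomize it
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, expected_txid=txid)


if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE, expected_txid=0x1234))
    # Ask a few public resolvers and compare; the answer sets usually differ by vantage point.
    for resolver in ("8.8.8.8", "1.1.1.1", "9.9.9.9"):
        try:
            print(resolver, query_resolver("facebook.com", resolver))
        except (OSError, ValueError) as exc:
            print(resolver, "failed:", exc)
```

Running the script against live resolvers shows the point of the answer and the comments: each resolver returns a small answer set with a short TTL, and the sets differ depending on where the resolver (not the client) sits, which is why a single lookup never reveals the whole pool of front-end addresses.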

Because those IPs don't belong to a server, they point to Facebook's CDN (Content Delivery Network).

Maybe someone else might have some knowledge on their setup but my DNS servers are reporting different IPs to you, so I dare say there are thousands that are dynamically changing all the time.