
I'm using a DNS issue I've run into to help me understand DNS resolution better. I can't seem to figure out the inconsistency I'm seeing when resolving www.fandompost.com. At the top of my query list is OpenDNS. When queried, they will return an appropriate IP. Next in the list is our internal DNS server. It does return useful information but not a usable IP. Lastly is me querying the authoritative NS. Still, as opposed to OpenDNS, the final result is no usable IP. Is there something I / we have done wrong with our internal DNS server that causes our server to fail where OpenDNS is successful?

> www.fandompost.com.
Server:  [208.67.222.222]
Address:  208.67.222.222

------------
SendRequest(), len 36
    HEADER:
        opcode = QUERY, id = 45, rcode = NOERROR
        header flags:  query
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        www.fandompost.com, type = A, class = IN

------------
------------
Got answer (119 bytes):
    HEADER:
        opcode = QUERY, id = 45, rcode = NOERROR
        header flags:  response, recursion avail.
        questions = 1,  answers = 3,  authority records = 0,  additional = 0

    QUESTIONS:
        www.fandompost.com, type = A, class = IN
    ANSWERS:
    ->  www.fandompost.com
        type = CNAME, class = IN, dlen = 39
        canonical name = www.fandompost.com.cdn.cloudflare.net
        ttl = 0 (0 secs)
    ->  www.fandompost.com.cdn.cloudflare.net
        type = A, class = IN, dlen = 4
        internet address = 108.162.206.239
        ttl = 0 (0 secs)
    ->  www.fandompost.com.cdn.cloudflare.net
        type = A, class = IN, dlen = 4
        internet address = 108.162.205.239
        ttl = 0 (0 secs)

------------
Non-authoritative answer:
------------
SendRequest(), len 36
    HEADER:
        opcode = QUERY, id = 46, rcode = NOERROR
        header flags:  query
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        www.fandompost.com, type = AAAA, class = IN

------------
------------
Got answer (36 bytes):
    HEADER:
        opcode = QUERY, id = 46, rcode = SERVFAIL
        header flags:  response, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        www.fandompost.com, type = AAAA, class = IN

------------
Name:    www.fandompost.com.cdn.cloudflare.net
Addresses:  108.162.206.239
          108.162.205.239
Aliases:  www.fandompost.com

> www.fandompost.com.
Server:  [192.168.1.101]
Address:  192.168.1.101

------------
SendRequest(), len 36
    HEADER:
        opcode = QUERY, id = 48, rcode = NOERROR
        header flags:  query
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        www.fandompost.com, type = A, class = IN

------------
------------
Got answer (162 bytes):
    HEADER:
        opcode = QUERY, id = 48, rcode = NOERROR
        header flags:  response, recursion avail.
        questions = 1,  answers = 0,  authority records = 3,  additional = 3

    QUESTIONS:
        www.fandompost.com, type = A, class = IN
    AUTHORITY RECORDS:
    ->  fandompost.com
        type = NS, class = IN, dlen = 16
        nameserver = ns1.dreamhost.com
        ttl = 84200 (23 hours 23 mins 20 secs)
    ->  fandompost.com
        type = NS, class = IN, dlen = 6
        nameserver = ns2.dreamhost.com
        ttl = 84200 (23 hours 23 mins 20 secs)
    ->  fandompost.com
        type = NS, class = IN, dlen = 6
        nameserver = ns3.dreamhost.com
        ttl = 84200 (23 hours 23 mins 20 secs)
    ADDITIONAL RECORDS:
    ->  ns1.dreamhost.com
        type = A, class = IN, dlen = 4
        internet address = 66.33.206.206
        ttl = 84581 (23 hours 29 mins 41 secs)
    ->  ns2.dreamhost.com
        type = A, class = IN, dlen = 4
        internet address = 208.97.182.10
        ttl = 84581 (23 hours 29 mins 41 secs)
    ->  ns3.dreamhost.com
        type = A, class = IN, dlen = 4
        internet address = 66.33.216.216
        ttl = 84581 (23 hours 29 mins 41 secs)

------------
------------
SendRequest(), len 36
    HEADER:
        opcode = QUERY, id = 49, rcode = NOERROR
        header flags:  query
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        www.fandompost.com, type = AAAA, class = IN

------------
------------
Got answer (162 bytes):
    HEADER:
        opcode = QUERY, id = 49, rcode = NOERROR
        header flags:  response, recursion avail.
        questions = 1,  answers = 0,  authority records = 3,  additional = 3

    QUESTIONS:
        www.fandompost.com, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  fandompost.com
        type = NS, class = IN, dlen = 16
        nameserver = ns2.dreamhost.com
        ttl = 84200 (23 hours 23 mins 20 secs)
    ->  fandompost.com
        type = NS, class = IN, dlen = 6
        nameserver = ns3.dreamhost.com
        ttl = 84200 (23 hours 23 mins 20 secs)
    ->  fandompost.com
        type = NS, class = IN, dlen = 6
        nameserver = ns1.dreamhost.com
        ttl = 84200 (23 hours 23 mins 20 secs)
    ADDITIONAL RECORDS:
    ->  ns2.dreamhost.com
        type = A, class = IN, dlen = 4
        internet address = 208.97.182.10
        ttl = 84581 (23 hours 29 mins 41 secs)
    ->  ns3.dreamhost.com
        type = A, class = IN, dlen = 4
        internet address = 66.33.216.216
        ttl = 84581 (23 hours 29 mins 41 secs)
    ->  ns1.dreamhost.com
        type = A, class = IN, dlen = 4
        internet address = 66.33.206.206
        ttl = 84581 (23 hours 29 mins 41 secs)

------------
Name:    www.fandompost.com
Served by:
- ns1.dreamhost.com
          66.33.206.206
          fandompost.com
- ns2.dreamhost.com
          208.97.182.10
          fandompost.com
- ns3.dreamhost.com
          66.33.216.216
          fandompost.com

> www.fandompost.com.
Server:  [66.33.206.206]
Address:  66.33.206.206

------------
SendRequest(), len 36
    HEADER:
        opcode = QUERY, id = 51, rcode = NOERROR
        header flags:  query
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        www.fandompost.com, type = A, class = IN

------------
------------
Got answer (148 bytes):
    HEADER:
        opcode = QUERY, id = 51, rcode = NXDOMAIN
        header flags:  response, auth. answer
        questions = 1,  answers = 1,  authority records = 1,  additional = 0

    QUESTIONS:
        www.fandompost.com, type = A, class = IN
    ANSWERS:
    ->  www.fandompost.com
        type = CNAME, class = IN, dlen = 39
        canonical name = www.fandompost.com.cdn.cloudflare.net
        ttl = 300 (5 mins)
    AUTHORITY RECORDS:
    ->  cloudflare.net
        type = SOA, class = IN, dlen = 49
        ttl = 14400 (4 hours)
        primary name server = ns1.dreamhost.com
        responsible mail addr = hostmaster.dreamhost.com
        serial  = 2014071000
        refresh = 14908 (4 hours 8 mins 28 secs)
        retry   = 1800 (30 mins)
        expire  = 1814400 (21 days)
        default TTL = 14400 (4 hours)

------------
------------
SendRequest(), len 36
    HEADER:
        opcode = QUERY, id = 52, rcode = NOERROR
        header flags:  query
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        www.fandompost.com, type = AAAA, class = IN

------------
------------
Got answer (148 bytes):
    HEADER:
        opcode = QUERY, id = 52, rcode = NXDOMAIN
        header flags:  response, auth. answer
        questions = 1,  answers = 1,  authority records = 1,  additional = 0

    QUESTIONS:
        www.fandompost.com, type = AAAA, class = IN
    ANSWERS:
    ->  www.fandompost.com
        type = CNAME, class = IN, dlen = 39
        canonical name = www.fandompost.com.cdn.cloudflare.net
        ttl = 300 (5 mins)
    AUTHORITY RECORDS:
    ->  cloudflare.net
        type = SOA, class = IN, dlen = 49
        ttl = 14400 (4 hours)
        primary name server = ns1.dreamhost.com
        responsible mail addr = hostmaster.dreamhost.com
        serial  = 2014071000
        refresh = 14908 (4 hours 8 mins 28 secs)
        retry   = 1800 (30 mins)
        expire  = 1814400 (21 days)
        default TTL = 14400 (4 hours)

------------
*** [66.33.206.206] can't find www.fandompost.com.: Non-existent domain


------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------

> www.fandompost.com.cdn.cloudflare.net.
Server:  [66.33.206.206]
Address:  66.33.206.206

------------
SendRequest(), len 55
    HEADER:
        opcode = QUERY, id = 55, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        www.fandompost.com.cdn.cloudflare.net, type = A, class = IN

------------
------------
Got answer (119 bytes):
    HEADER:
        opcode = QUERY, id = 55, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        www.fandompost.com.cdn.cloudflare.net, type = A, class = IN
    AUTHORITY RECORDS:
    ->  cloudflare.net
        type = SOA, class = IN, dlen = 52
        ttl = 14400 (4 hours)
        primary name server = ns1.dreamhost.com
        responsible mail addr = hostmaster.dreamhost.com
        serial  = 2014071000
        refresh = 14908 (4 hours 8 mins 28 secs)
        retry   = 1800 (30 mins)
        expire  = 1814400 (21 days)
        default TTL = 14400 (4 hours)

------------
------------
SendRequest(), len 55
    HEADER:
        opcode = QUERY, id = 56, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        www.fandompost.com.cdn.cloudflare.net, type = AAAA, class = IN

------------
------------
Got answer (119 bytes):
    HEADER:
        opcode = QUERY, id = 56, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        www.fandompost.com.cdn.cloudflare.net, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  cloudflare.net
        type = SOA, class = IN, dlen = 52
        ttl = 14400 (4 hours)
        primary name server = ns1.dreamhost.com
        responsible mail addr = hostmaster.dreamhost.com
        serial  = 2014071000
        refresh = 14908 (4 hours 8 mins 28 secs)
        retry   = 1800 (30 mins)
        expire  = 1814400 (21 days)
        default TTL = 14400 (4 hours)

------------
*** [66.33.206.206] can't find www.fandompost.com.cdn.cloudflare.net.: Non-existent domain
    Those all look normal and correct. Are you actually having a problem somewhere? – Michael Hampton Apr 14 '15 at 17:40
  • The code block here will collapse long code blocks, so you don't have to worry about a 'wall of text' that much. Ideally questions here should be complete enough to still be useful if any links go away. Pastebin stuff seems to go away relatively quickly. I moved your pastebin content onto this site. – Zoredache Apr 14 '15 at 18:50
  • I've reformatted this slightly to split up the three sets of transactions. It takes up more screen space, but this formatting is much faster for DNS admins to process. – Andrew B Apr 14 '15 at 19:41
  • @MichaelHampton Yes I am. On my workstation that domain does not resolve to a usable IP. I was testing with ping, a browser, and with nslookup. The failure is on our local network using our DNS server. I used OpenDNS as a second source but it's not a part of our normal DNS server set in use here. I'm confused if the logs look normal why my workstation fails to resolve then. – Digital ink Apr 14 '15 at 20:22
  • Also, Is it normal for the two sources I queried to give different results? Or is it that I haven't tested appropriately with dreamhost to get the result that OpenDNS gave? – Digital ink Apr 14 '15 at 20:26
  • I notice the output of `dig @66.33.206.206 www.fandompost.com` contains `;; WARNING: recursion requested but not available`. This means you can't test to the final IP addresses if it requires a lookup to a domain not on those servers like www.fandompost.com.cdn.cloudflare.net. There is nothing wrong with running the name server with recursive queries turned off - it just means end clients should not directly use them when trying to resolve all names. – Brian Apr 14 '15 at 20:12
  • Shoot. That is me not testing correctly then. I thought I "set norecurse" before doing that. I was trying to test as if I was our local server to see what response it would be getting. DNS servers don't ever ask for recursion right? – Digital ink Apr 14 '15 at 20:24
  • If you ask a specific DNS server to do all lookup work and that server is set to not allow recursion (common for public facing DNS servers) it can't serve results for any domains it does not host. That would include anything from cloudflare.net – Brian Apr 14 '15 at 20:27
  • The warning is just a warning in this particular case. Since Donovan is asking for a zone that the server considers itself authoritative for, it's still providing an answer. The NXDOMAIN returned here doesn't change regardless of whether the recursion desired bit is set on the request. If this *were* a problem, I'd expect the response to be REFUSED. – Andrew B Apr 14 '15 at 20:29

1 Answer

First, let's compare the three response cases.

  • First case (resolver1.opendns.com/208.67.222.222): Response code of NOERROR. Looks good: one non-authoritative answer.
  • Second case (192.168.1.101): Response code of NOERROR. Zero answers. Authority section is present, which suggests that there is no problem communicating with the upstream DNS server. (not a firewall issue)
  • Third case (ns1.dreamhost.com/66.33.206.206): Response code of NXDOMAIN. One answer with "auth answer" (AA) flag set: www.fandompost.com.cdn.cloudflare.net.

The third one is interesting. An authoritative answer is returned, one record is in the ANSWER section, but the response code is NXDOMAIN. Normally you'd expect to see a response code of NOERROR in this case: an authoritative nameserver typically isn't going to attempt to recursively resolve the CNAME for you.

Take another look at the authority section for that answer:

ANSWERS:
->  www.fandompost.com
    type = CNAME, class = IN, dlen = 39
    canonical name = www.fandompost.com.cdn.cloudflare.net
    ttl = 300 (5 mins)
AUTHORITY RECORDS:
->  cloudflare.net
    type = SOA, class = IN, dlen = 49
    ttl = 14400 (4 hours)
    primary name server = ns1.dreamhost.com

See the "primary name server"? This cloudflare.net zone was served from ns1.dreamhost.com, apparently. A quick scrape of my own confirms this:

$ dig @ns1.dreamhost.com +norecurse fandompost.com cloudflare.net SOA | grep -E 'HEADER|flags'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11600
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32367
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

The aa flag is present for both SOA queries. The reason why you get a NXDOMAIN response from ns1.dreamhost.com is because that nameserver is trying to resolve www.fandompost.com.cdn.cloudflare.net. for you since it considers itself authoritative for that domain as well, and the record appears to be missing. Why does Dreamhost have a cloudflare.net. zone? Ask Dreamhost. This NXDOMAIN rcode doesn't appear to be presenting a problem for most recursive resolvers; I haven't stared at the RFCs for this in a while, but my best guess is that they're ignoring that response code and working with the answer that was returned.

This finally brings us to your question: is there a problem with your DNS server? It's hard to say without knowing the software that you're using. I can say that BIND and Windows DNS have no problem with this configuration, and it's possible that your software is handling the NXDOMAIN differently than those two implementations.

  • Thank you very much for the explanation. Our DNS server is Microsoft's DNS on a Win2K3 domain controller. Our local DNS is not public. In normal operations ( this being using Chrome on Win8.1 Pro ) would my query to the local DNS server ask for recursion? I seem to remember reading that it would. That would mean our server would try to take the next step of asking dreamhost to resolve www.fandompost.com instead of replying to my workstation correct? – Digital ink Apr 14 '15 at 20:38
  • Yes, you're correct on both counts. Your workstation's resolver library will be sending recursive queries by default, and the Microsoft DNS server will be talking to the upstream DNS servers on your behalf. The problem would be occurring somewhere between the two and your workstation is completely out of the picture. – Andrew B Apr 14 '15 at 20:44
  • I've edited the answer to make it clearer that I'm talking about the NXDOMAIN response coming from Dreamhost, not your DNS server. I still have no explanation for why my company's Windows DNS servers can resolve this with no problem compared to yours. – Andrew B Apr 14 '15 at 20:52
  • If you think that part is odd I don't feel so bad about being stumped by this then. Thanks much. – Digital ink Apr 14 '15 at 22:29
  • I took things one step further and performed a non-recursive query to Cloudflare's DNS servers. They do return the expected IP address. I wonder if this is a failure of my DNS server to somehow use the response from Dreamhost to then ask Cloudflare for an answer. – Digital ink Apr 15 '15 at 00:25
  • Just a quick update to this issue. We were able to install Microsoft's DNS server on a Server 2012 VM and test it. That server does return a usable IP, whereas both of the Microsoft DNS servers running on our Win2K3 production servers do not. Not sure if it's a config issue still, but in 6 months it won't matter as we have a pending migration anyway. – Digital ink Apr 22 '15 at 16:45
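Added example, not code from the question, the answer, or any of the commenters: a stdlib-only Python parser for DNS wire-format responses with a `diagnose()` helper that classifies a response the way the answer walks through the three cases (NOERROR with answers, NOERROR with only a referral in AUTHORITY, and an authoritative NXDOMAIN following a CNAME). The message it parses is constructed by hand to mirror the third case from ns1.dreamhost.com (CNAME in ANSWER, SOA for cloudflare.net in AUTHORITY, rcode NXDOMAIN, AA set); it was not captured on the wire, so its name compression and record lengths differ from the real packet. The flag masks and pointer handling follow RFC 1035; everything else (function names, the verdict strings) is this example's own.

```python
"""Parse a DNS response from wire format and say who is claiming 'no such name'.

Added example; the message returned by build_sample() is constructed by hand to
mirror the third case above (CNAME answer, SOA for cloudflare.net in AUTHORITY,
rcode NXDOMAIN, AA flag set). It was not captured from ns1.dreamhost.com.
"""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 28: "AAAA"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [lab for lab in name.strip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels), (end if end is not None else off)


def parse_rr(msg, off):
    """Parse one resource record; NS/CNAME/SOA/A rdata is decoded, others kept raw."""
    name, off = decode_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype in (2, 5):                           # NS, CNAME: a single name
        data = decode_name(msg, off)[0]
    elif rtype == 6:                              # SOA: mname, rname, serial, ...
        mname, o = decode_name(msg, off)
        rname, o = decode_name(msg, o)
        data = {"mname": mname, "rname": rname, "serial": struct.unpack("!I", msg[o:o + 4])[0]}
    elif rtype == 1:
        data = ".".join(str(b) for b in msg[off:off + rdlen])
    else:
        data = msg[off:off + rdlen]
    return {"name": name, "type": TYPES.get(rtype, rtype), "ttl": ttl, "data": data}, off + rdlen


def parse_response(msg):
    """Return header fields, the question(s) and the three RR sections."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype = struct.unpack("!H", msg[off:off + 2])[0]
        off += 4                                  # skip qtype and qclass
        questions.append((qname, TYPES.get(qtype, qtype)))
    out = {"id": ident, "rcode": RCODES.get(flags & 0xF, flags & 0xF),
           "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080), "questions": questions}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        out[key] = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            out[key].append(rr)
    return out


def diagnose(msg):
    """One-line verdict matching the three cases compared in the answer above."""
    r = parse_response(msg)
    cnames = [rr for rr in r["answer"] if rr["type"] == "CNAME"]
    soas = [rr for rr in r["authority"] if rr["type"] == "SOA"]
    nss = [rr["data"] for rr in r["authority"] if rr["type"] == "NS"]
    if r["rcode"] == "NOERROR" and r["answer"]:
        return "NOERROR with %d answer(s): usable" % len(r["answer"])
    if r["rcode"] == "NOERROR" and nss:
        return "NOERROR, no answers: referral to %s" % ", ".join(sorted(nss))
    if r["rcode"] == "NXDOMAIN" and cnames and soas:
        return ("%sNXDOMAIN: %s is a CNAME for %s, and the responder claims zone %s "
                "(SOA mname %s) but has no record for that target"
                % ("authoritative " if r["aa"] else "", cnames[0]["name"], cnames[-1]["data"],
                   soas[0]["name"], soas[0]["data"]["mname"]))
    return "%s with %d answer(s)" % (r["rcode"], len(r["answer"]))


def build_sample():
    """Constructed (not captured) response mirroring the third case above."""
    header = struct.pack("!HHHHHH", 51, 0x8403, 1, 1, 1, 0)   # QR|AA set, rcode 3
    question = encode_name("www.fandompost.com") + struct.pack("!HH", 1, 1)
    cname = encode_name("www.fandompost.com.cdn.cloudflare.net")
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 5, 1, 300, len(cname)) + cname  # name = ptr to offset 12
    soa = (encode_name("ns1.dreamhost.com") + encode_name("hostmaster.dreamhost.com")
           + struct.pack("!IIIII", 2014071000, 14908, 1800, 1814400, 14400))
    authority = encode_name("cloudflare.net") + struct.pack("!HHIH", 6, 1, 14400, len(soa)) + soa
    return header + question + answer + authority


if __name__ == "__main__":
    print(diagnose(build_sample()))
```

Feeding a real packet (for example the payload of a UDP datagram captured from a query to 66.33.206.206) to `parse_response()` works the same way, since the parser handles compression pointers. The verdict for the constructed message states exactly what the answer observed: the CNAME is present and usable, but the rcode is an authoritative NXDOMAIN from a server that also claims cloudflare.net, so a resolver only gets the addresses if it disregards that rcode and chases the CNAME target elsewhere.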