Strange behavior of ping response

Question

So we have an AWS Account with our DNS Servers running in it which resolve our on-prem instances.

When i ping an on-prem server, this is the response i get back:

ping myServer.example.com
PING myServer.example.com (xx.xx.xx.xx) 56(84) bytes of data.
64 bytes from ip-xx.xx.xx.xx.ec2.internal (xx.xx.xx.xx): icmp_seq=1 ttl=123 time=10.4 ms
64 bytes from ip-xx.xx.xx.xx.ec2.internal (xx.xx.xx.xx): icmp_seq=2 ttl=123 time=10.3 ms
64 bytes from ip-xx.xx.xx.xx.ec2.internal (xx.xx.xx.xx): icmp_seq=3 ttl=123 time=10.5 ms

This server resides within our data center but for some reason the response comes back as reply from ec2.internal (AWS DNS Name)

This is what I was expecting it to return:

ping myServer.example.com
PING myServer.example.com (xx.xx.xx.xx) 56(84) bytes of data.
64 bytes from xx.xx.xx.xx (xx.xx.xx.xx): icmp_seq=1 ttl=123 time=10.4 ms
64 bytes from xx.xx.xx.xx (xx.xx.xx.xx): icmp_seq=2 ttl=123 time=10.3 ms
64 bytes from xx.xx.xx.xx (xx.xx.xx.xx): icmp_seq=3 ttl=123 time=10.5 ms

Did I miss some kind of setting on my DNS server that is causing this behavior or this is normal?

Firstly, you have [wrongly obfuscated your FQDNs](http://meta.serverfault.com/questions/963/what-information-should-i-include-or-obfuscate-in-my-posts). Secondly, this question will be difficult to answer without the actual information being left untouched. — MadHatter, Dec 20 '16 at 22:32
I'm voting to close this question as off-topic because it is unanswerable in it's present form. — joeqwerty, Dec 20 '16 at 22:41
Actually, the information here is almost sufficient in this case: `ip-x-x-x-x.ec2.internal` tells most of the story quite predictably. The clarification that is needed is this: what precisely does "*with our DNS Servers running in it*" mean? — Michael - sqlbot, Dec 21 '16 at 01:15
_"with our DNS Servers running in it"_ means I have 2 Windows Server 2012 R2 EC2 instances with _DNS Server_ role installed in them. — Asdfg, Dec 21 '16 at 02:04

score 1 · Answer 1 · answered Dec 21 '16 at 02:09

Although it isn't clear exactly what you mean by "with our DNS Servers running in it" (they could be "running" but we don't know what services they actually provide) -- but based on the observed behavior, I suspect you are not using them as DNS resolvers and thus they are not a factor here... or if you are, they're handing off upstream queries to the VPC resolver.

If enableDnsHostnames and enableDnsSupport are enabled in the VPC, the AWS-provided DNS resolver will automatically resolve any RFC-1918 address into this format:

A private (internal) DNS hostname resolves to the private IPv4 address of the instance, and takes the form ip-private-ipv4-address.ec2.internal for the us-east-1 region, and ip-private-ipv4-address.region.compute.internal for other regions (where private.ipv4.address is the reverse lookup IP address).

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-dns.html

The documentation refers to "the private IPv4 address of the instance," but in fact any private IP address resolves similarly -- it need not be related to an EC2 instance. It doesn't matter where that private IP address is, or whether it "is" anywhere at all, as long as the DNS query originates inside the VPC, uses the AWS resolver, and is for private (RFC-1918) IP address.

$ dig -x 192.168.1.1 # -x tells dig we want a reverse-DNS lookup

;; ANSWER SECTION:
1.1.168.192.in-addr.arpa. 40    IN      PTR     ip-192-168-1-1.ec2.internal.

$ dig ip-192-168-1-1.ec2.internal

;; ANSWER SECTION:
ip-192-168-1-1.ec2.internal. 19 IN      A       192.168.1.1

Note that the VPC where I ran these is actually in the 10.x.x.x space. There is no 192.168.x.x anywhere in my route tables or network, yet this is an RFC-1918 address, so it works.

But why don't you see the "real" hostname?

Reverse DNS ("the name of an address") is not, by necessity of design, correlated to forward DNS ("the address of a name").

If database.example.com resolves to the A record 10.1.2.3, it is not necessarily true that 10.1.1.10 also resolves to the PTR record database.example.com. That requires two different entries, in two different DNS zones (or a DNS server that does this for you).

The forward entry is, of course, database.example.com..

The reverse entry formed from the IPv4 address with the octets reversed, 3.2.1.10.in-addr.arpa., where in-addr.arpa. is the special domain globally reserved for this purpose. The -x option to dig, above, does this rewriting for you so you don't have to say dig 1.1.168.192.in-addr.arpa PTR.

Unless the instances in your VPC are using your own DNS resolvers -- not the VPC-provided resolver -- this is standard, expected behavior. While it would be possible to "correct" it (by deploying your own DNS resolvers with authoritative data for portions of in-addr.arpa then making a change to the DHCP Option Set of the VPC so that the instances use them instead of the internal mechanism), this is ill-advised, since it introduces new points of failure -- specifically, your DNS resolvers -- into the picture, unnecessarily, making all of your EC2 instances dependent on those machines for all their DNS lookups. Of course, if you already have this, it may simply be the case that you need an x.x.in-addr-arpa zone, there, to handle the reverse resolution of the VPC address space.

But this divide between forward and reverse DNS is the explanation of what you see. ping is, deliberately, not showing you the name it used to find the address it is pinging. It's showing you the name it receives when it looks up the pointer record for the responding IP address, in order to identify that IP address.

The server that I am pinging resides in our data center and is not an EC2 instance but the ping response makes it look like it is an EC2 instance. DNS servers that I have as an EC2 instance has conditional forwarders for RFC1918 IP ranges that send the query to our On-Prem DNS Server. — Asdfg, Dec 21 '16 at 02:20
*"DNS servers that I have as an EC2 instance has conditional forwarders for RFC1918 IP ranges that send the query to our On-Prem DNS Server."* This implies that they are not working correctly, or that your instances are not actually using them for DNS resolution. "*The server that I am pinging resides in our data center and is not an EC2 instance*" Understood. The VPC resolver will answer any RFC-1918 query it receives, as shown in my example, 192.168.1.1 resolves this way for me yet I have absolutely no 192.168.x.x anywhere at all, VPC or on-premise. — Michael - sqlbot, Dec 21 '16 at 02:32
Well, they are working as nslookup gives me correct answer and resolves to the right IP address. It probably is some kind of tweak I need to do to get this working as I am expecting it to work. — Asdfg, Dec 21 '16 at 02:37
`nslookup` gives you the correct *reverse* address when run from an EC2 instance against the address of an on-premise machine's IP address? `nslookup 10.1.2.3` for example? — Michael - sqlbot, Dec 21 '16 at 02:45
As I mentioned, this is not a name → number issue, it is a number → name issue. Unrelated to lookups on the hostname giving you the correct IP address. — Michael - sqlbot, Dec 21 '16 at 02:47
Can you add an example of that nslookup response into the question, using the same target that exhibits the ping behavior above? — Michael - sqlbot, Dec 21 '16 at 07:53

Strange behavior of ping response

1 Answers1