Verizon Users Can't See Site

cyberseal at comcast.net cyberseal at comcast.net
Tue Sep 14 17:32:05 UTC 2010


----- "Torsten" <toto at the-damian.de> wrote:

> On Tue, 14 Sep 2010 08:23:03 +0200
> Torsten <toto at the-damian.de> wrote:
> 
> > On Tue, 14 Sep 2010 05:15:16 +0000 (UTC)
> > cyberseal at comcast.net wrote:
> > 
> > > Hello List,
> > > 
> > > I've run into an issue that has me stumped for the time being. I'm
> > > working on a website that is hosted on a delegated subdomain. The
> > > site is www-mbclive.mbc.irides.com. The mbc.irides.com subdomain is
> > > delegated to two Barracuda load balancers known as
> > > dns1.mbc.irides.com and dns2.mbc.irides.com.
> > > 
> > > DNS seems to work fine for the majority of our users, however, in
> > > the past week we've heard from many Verizon FIOS users that they are
> > > unable to visit the site due to resolution issues. One sent in a dig
> > > from his home computer and I was wondering why he doesn't receive an
> > > answer:
> > > 
> > > scott$ dig @71.252.0.12 www-mbclive.mbc.irides.com
> > > 
> > > ; <<>> DiG 9.6.0-APPLE-P2 <<>> @71.252.0.12 www-mbclive.mbc.irides.com
> > > ; (1 server found)
> > > ;; global options: +cmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62184
> > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> > > 
> > > ;; QUESTION SECTION:
> > > ;www-mbclive.mbc.irides.com.    IN      A
> > > 
> > > ;; AUTHORITY SECTION:
> > > www-mbclive.mbc.irides.com. 10  IN      SOA     dns1.mbc.irides.com. 1. 3600 3600 3600 3600 3600
> > > 
> > > ;; Query time: 20 msec
> > > ;; SERVER: 71.252.0.12#53(71.252.0.12)
> > > ;; WHEN: Mon Sep 13 21:31:08 2010
> > > ;; MSG SIZE  rcvd: 86
> > > 
> > > Can anyone tell if there is a DNS issue on our end that may cause us
> > > to not play nice w/ Verizon? This issue just popped up in the last
> > > two weeks. Prior to that time visitors were not complaining. Any
> > > assistance is greatly appreciated.
> > > 
> > 
> > I'm having trouble getting an answer from both dns1.mbc.irides.com
> > and dns2.mbc.irides.com for www-mbclive.mbc.irides.com.
> > 
> > A dig query freezes for about 12 seconds before returning an answer.
> > Maybe there's a problem with a misconfigured firewall.
> > 
> > [ts at localhost ~]$ traceroute -q 1 dns2.mbc.irides.com
> > traceroute to dns2.mbc.irides.com (209.252.251.240), 30 hops max, 60 byte packets
> >  1  10.43.64.254 (10.43.64.254)  0.336 ms
> >  2  vl67.cr30.isham.de.easynet.net (194.64.6.252)  0.927 ms
> >  3  ge1-5.br2.isham.de.easynet.net (194.64.4.126)  0.695 ms
> >  4  ge3-0-2.gr10.isham.de.easynet.net (87.86.71.244)  0.632 ms
> >  5  te2-0-0.gr10.ixfra.de.easynet.net (87.86.77.95)  9.862 ms
> >  6  ge-5-1-4.edge3.frankfurt1.level3.net (212.162.40.77)  9.964 ms
> >  7  vlan79.csw2.Frankfurt1.Level3.net (4.68.23.126)  18.392 ms
> >  8  ae-72-72.ebr2.Frankfurt1.Level3.net (4.69.140.21)  10.387 ms
> >  9  ae-41-41.ebr2.washington1.level3.net (4.69.137.50)  98.620 ms
> > 10  ae-5-5.ebr2.washington12.level3.net (4.69.143.222)  101.159 ms
> > 11  ae-6-6.ebr2.chicago2.level3.net (4.69.148.146)  113.618 ms
> > 12  ae-22-52.car2.chicago2.level3.net (4.69.138.165)  115.322 ms
> > 13  paetec-comm.car2.chicago2.level3.net (4.71.250.34)  115.955 ms
> > 14  gi-3-1-0.core01.chcgil01.paetec.net (66.155.191.97)  139.525 ms
> > 15  po-4-0-0.core02.rochny01.paetec.net (64.80.253.217)  137.915 ms
> > 16  gi-6-0-0.edge02.rochny01.paetec.net (66.155.216.183)  140.368 ms
> > 17  *
> > 18  *
> > 19  *
> > 20  *
> > 21  *
> > 22  *
> > 23  *
> > 24  *
> > 25  *
> > 26  *
> > 27  *
> > 28  *
> > 29  *
> > 30  *
> > 
> 
> 
> I just noticed that the problem might as well be the very short TTL of
> the NS A Records of 10 seconds.

Thanks Torsten, the low TTLs have to do with us using the LBs in a failover environment between two locations. Today I was given access to a Linux box on the Verizon network that is using their DNS server 71.252.0.12, which is affected by this problem. Digs and pings to www-mbclive.mbc.irides.com from this device fail. What can I do to better test and pinpoint the cause of the failure?
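
Added example (not part of the original thread or any poster's code): a Python parser for dig text output that labels the response kind and, for negative answers, computes the RFC 2308 negative-cache time. Run over the reply from 71.252.0.12 quoted above (wrapped lines rejoined), it reports a non-authoritative NOERROR/NODATA answer cacheable for 10 seconds. The function names parse_dig and classify are hypothetical.

```python
import re

# dig output from the thread above, with the mail client's line wraps rejoined.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62184
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www-mbclive.mbc.irides.com.    IN      A

;; AUTHORITY SECTION:
www-mbclive.mbc.irides.com. 10  IN      SOA     dns1.mbc.irides.com. 1. 3600 3600 3600 3600 3600
"""

def parse_dig(text):
    """Extract status, header flags and answer/authority records from dig text."""
    resp = {"status": None, "flags": [], "answer": [], "authority": []}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(";; ->>HEADER<<-"):
            resp["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            resp["flags"] = line.split(":", 1)[1].split(";")[0].split()
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0].lower()
        elif line and not line.startswith(";") and section in ("answer", "authority"):
            name, ttl, _cls, rtype, *rdata = line.split()
            resp[section].append({"name": name, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return resp

def classify(resp):
    """Label a response; for negative ones report how long a resolver may cache it."""
    status = resp["status"]
    if status not in ("NOERROR", "NXDOMAIN"):
        return {"kind": status}            # SERVFAIL, REFUSED, ...
    if status == "NOERROR" and resp["answer"]:
        return {"kind": "ANSWER"}
    soa = next((r for r in resp["authority"] if r["type"] == "SOA"), None)
    if soa is None:                        # no SOA: referral or bare empty reply
        return {"kind": "NXDOMAIN" if status == "NXDOMAIN" else "REFERRAL_OR_EMPTY"}
    return {
        "kind": "NXDOMAIN" if status == "NXDOMAIN" else "NODATA",
        # RFC 2308: negative cache time is min(SOA record TTL, SOA MINIMUM field).
        "negative_ttl": min(soa["ttl"], int(soa["rdata"][-1])),
        "soa_owner": soa["name"],          # zone the negative answer is attributed to
        "authoritative": "aa" in resp["flags"],
    }

if __name__ == "__main__":
    print(classify(parse_dig(SAMPLE)))
```

Feeding it the output of the same query sent directly to each delegated name server and to the affected resolver lets the responses be compared field by field.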




