Help with unresolvable domain (subdomain, actually)

Mike Bernhardt bernhardt at bart.gov
Wed Mar 2 18:21:41 UTC 2011


What's really strange is that when we attempt a query, be it DIG or an
attempt to browse tools.cisco.com, they send some sort of query back to us
from/to UDP 53. We drop it at the firewall due to some sort of "sanity
check" so I can't see the contents. This is in addition to the SERVFAIL
message.

Although I get SERVFAIL, Kloth.net does not, even if we DIG the same server:
cax01-bb14-dcz01n-gss1.cisco.com
From Kloth
; <<>> DiG 9.3.2 <<>> @cax01-bb14-dcz01n-gss1.cisco.com tools.cisco.com A
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41388
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;tools.cisco.com.		IN	A

;; ANSWER SECTION:
tools.cisco.com.	20	IN	A	72.163.4.38

;; Query time: 131 msec
;; SERVER: 173.37.144.100#53(173.37.144.100)
;; WHEN: Wed Mar  2 19:15:04 2011
;; MSG SIZE  rcvd: 49

From Us
[root at ns1 ~]# dig -b 148.165.3.10 @cax01-bb14-dcz01n-gss1.cisco.com tools.cisco.com

; <<>> DiG 9.4.3-P3 <<>> -b 148.165.3.10 @cax01-bb14-dcz01n-gss1.cisco.com tools.cisco.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26463
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;tools.cisco.com.               IN      A

;; Query time: 45 msec
;; SERVER: 173.37.144.100#53(173.37.144.100)
;; WHEN: Wed Mar  2 10:15:31 2011
;; MSG SIZE  rcvd: 33


So I wonder if the query they make is some kind of authentication attempt?


-----Original Message-----
From: Mark Andrews [mailto:marka at isc.org] 
Sent: Tuesday, March 01, 2011 3:31 PM
To: Kevin Darcy
Cc: bind-users at isc.org
Subject: Re: Help with unresolvable domain (subdomain, actually)


In message <4D6D7268.1080305 at chrysler.com>, Kevin Darcy writes:
> I got a trouble ticket on this too.
> 
>  From the looks of things, Cisco is using GSSes to load-balance this 
> site. GSSes return SERVFAIL if all of the resources behind the 
> load-balancer are down (which it determines via a heartbeat mechanism). 
> So I think this is a "simple" case of a website (or cluster) going down. 
> It was down earlier today, then up again, as of this writing, it is down 
> again.
> 
> DNS doesn't really have a response code of "requested resource not 
> available", so SERVFAIL is Cisco's closest approximation. It has the 
> drawback, however, of often making other sorts of problems appear to be 
> DNS problems. That's just a cross that we DNS admins have to bear...
>
>                                              - Kevin

Then the load balancer should return default records or 0.0.0.0/:: to
indicate the name is good but doesn't currently have an address.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
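The two dig outputs above differ only in the header bits and the answer section, and that difference is exactly what the thread turns on: the GSS answers SERVFAIL (a server-side failure code) when the pool is down, where Mark suggests a NOERROR answer with 0.0.0.0/:: (name exists, no usable address right now). The following is an added example, not code from the thread or from ISC or Cisco. It builds both responses from the dig output shown (same ID, flags, TTL, address, and question), checks that the wire sizes come out at 33 and 49 bytes as dig reported, decodes them back, and classifies each the way a monitoring script would need to in order to tell "DNS is broken" from "DNS says the service is down". The `classify` rules are this example's own, not a BIND or GSS convention.

```python
import struct
import ipaddress

# DNS header flag bits (RFC 1035 section 4.1.1); rcode is the low 4 bits.
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus a root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_response(qname, msg_id, rcode, flags, answers):
    """Build a minimal A-record response.

    answers is a list of (ttl, dotted IPv4).  Each answer RR owner name is a
    compression pointer (0xC00C) back to the question name at offset 12,
    which is what a real resolver/dig sees on the wire.
    """
    header = struct.pack("!HHHHHH", msg_id, QR | flags | rcode, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    rrs = b""
    for ttl, ip in answers:
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + rrs


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Decode header flags, rcode, question and A answers, like dig's summary."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = str(ipaddress.IPv4Address(rdata))
        answers.append((name, rtype, ttl, rdata))
    set_flags = [n for n, bit in (("qr", QR), ("aa", AA), ("tc", TC), ("rd", RD), ("ra", RA))
                 if flags & bit]
    return {
        "id": msg_id,
        "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
        "flags": set_flags,
        # dig's "recursion requested but not available" is just RD set, RA clear
        "recursion_requested_not_available": bool(flags & RD) and not (flags & RA),
        "questions": questions,
        "answers": answers,
        "size": len(msg),
    }


def classify(parsed):
    """Separate a DNS failure from a 'name is fine, service is down' signal.

    These categories are this example's own convention, not a protocol rule.
    """
    if parsed["rcode"] != "NOERROR":
        return "server-side failure (rcode %s)" % parsed["rcode"]
    a_records = [a for a in parsed["answers"] if a[1] == 1]
    if not a_records:
        return "name exists but no A record"
    if all(a[3] == "0.0.0.0" for a in a_records):
        return "name exists, service signalled down (0.0.0.0)"
    return "answer"


# Constructed from the two dig outputs in the thread: Kloth's NOERROR reply
# (id 41388, flags qr aa rd, A 72.163.4.38 ttl 20) and ours (id 26463,
# flags qr rd, SERVFAIL, no answer).
KLOTH_REPLY = build_a_response("tools.cisco.com", 41388, 0, AA | RD, [(20, "72.163.4.38")])
OUR_REPLY = build_a_response("tools.cisco.com", 26463, 2, RD, [])

if __name__ == "__main__":
    for label, wire in (("Kloth", KLOTH_REPLY), ("Us", OUR_REPLY)):
        p = parse_response(wire)
        print(label, p["size"], "bytes", p["rcode"], p["flags"], p["answers"], "->", classify(p))
```

The reconstructed sizes (49 and 33 bytes) match the `MSG SIZE rcvd` lines dig printed, which is a cheap way to confirm a capture or a replayed packet really is the message you think it is. Note that both replies carry RD without RA, so the "recursion requested but not available" condition holds for both; it is unrelated to the SERVFAIL.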