different answers from google's authoritative servers

Sotiris Tsimbonis stsimb at forthnet.gr
Wed Jun 1 11:34:00 UTC 2016


Hi all,

We have 3 recursive resolvers on the same subnet, and one of them is
getting different answers for the same things from google's
authoritative dns servers.

[root at syz3ns01 ~]# RESOLVERS="ns1.google.com. ns2.google.com.
ns3.google.com. ns4.google.com."
[root at syz3ns01 ~]# SITES="www.google.com. www.google.gr."
[root at syz3ns01 ~]# for resolver in ${RESOLVERS} ; do for site in
${SITES}; do echo "${resolver} ${site} $(dig +short A ${site}
@${resolver})" ; done ; done
ns1.google.com. www.google.com. 216.58.211.4
ns1.google.com. www.google.gr. 216.58.211.3
ns2.google.com. www.google.com. 216.58.211.4
ns2.google.com. www.google.gr. 216.58.211.3
ns3.google.com. www.google.com. 216.58.211.4
ns3.google.com. www.google.gr. 216.58.211.3
ns4.google.com. www.google.com. 216.58.211.4
ns4.google.com. www.google.gr. 216.58.211.3

[root at syz3ns02 ~]# RESOLVERS="ns1.google.com. ns2.google.com.
ns3.google.com. ns4.google.com."
[root at syz3ns02 ~]# SITES="www.google.com. www.google.gr."
[root at syz3ns02 ~]# for resolver in ${RESOLVERS} ; do for site in
${SITES}; do echo "${resolver} ${site} $(dig +short A ${site}
@${resolver})" ; done ; done
ns1.google.com. www.google.com. 216.58.211.36
ns1.google.com. www.google.gr. 216.58.211.35
ns2.google.com. www.google.com. 216.58.211.36
ns2.google.com. www.google.gr. 216.58.211.35
ns3.google.com. www.google.com. 216.58.211.36
ns3.google.com. www.google.gr. 216.58.211.35
ns4.google.com. www.google.com. 216.58.211.36
ns4.google.com. www.google.gr. 216.58.211.35

[root at syz3ns03 ~]# RESOLVERS="ns1.google.com. ns2.google.com.
ns3.google.com. ns4.google.com."
[root at syz3ns03 ~]# SITES="www.google.com. www.google.gr."
[root at syz3ns03 ~]# for resolver in ${RESOLVERS} ; do for site in
${SITES}; do echo "${resolver} ${site} $(dig +short A ${site}
@${resolver})" ; done ; done
ns1.google.com. www.google.com. 172.217.16.36
ns1.google.com. www.google.gr. 172.217.16.35
ns2.google.com. www.google.com. 172.217.16.36
ns2.google.com. www.google.gr. 172.217.16.35
ns3.google.com. www.google.com. 172.217.16.36
ns3.google.com. www.google.gr. 172.217.16.35
ns4.google.com. www.google.com. 172.217.16.36
ns4.google.com. www.google.gr. 172.217.16.35

The IP addresses of our servers are 84.205.252.16, 84.205.252.18 and
84.205.252.20 respectively.

The problem with the third answer set is on the users' browsers, it
produces an ssl certificate error and users cannot access google.

traceroute to google's dns servers are different on the penultimate hop
(hop 12)

[root at syz3ns01 ~]# traceroute ns3.google.com.
traceroute to ns3.google.com (216.239.36.10), 30 hops max, 38 byte packets
 1  syz3fw01-dmz.servers.n3.syzefxis.gov.gr (10.95.1.1)  0.405 ms  0.262
ms  0.217 ms
 2  84.205.252.6 (84.205.252.6)  0.718 ms  0.504 ms  0.511 ms
 3  193.92.42.169 (193.92.42.169)  0.937 ms  1.024 ms  0.482 ms
 4  194.219.208.29 (194.219.208.29)  1.017 ms  1.004 ms  0.946 ms
     MPLS Label=757472 CoS=5 TTL=1 S=0
 5  xe-0-3-1.core-lsf-08.forthnet.gr (213.16.247.193)  0.950 ms  1.063
ms  0.982 ms
 6  74.125.48.74 (74.125.48.74)  8.373 ms  8.374 ms  8.341 ms
 7  72.14.237.27 (72.14.237.27)  8.352 ms 72.14.237.189 (72.14.237.189)
12.085 ms 72.14.237.27 (72.14.237.27)  8.979 ms
 8  209.85.253.114 (209.85.253.114)  26.920 ms  26.114 ms  25.789 ms
     MPLS Label=772454 CoS=5 TTL=1 S=0
 9  216.239.58.8 (216.239.58.8)  50.816 ms 209.85.241.233
(209.85.241.233)  42.159 ms  43.461 ms
     MPLS Label=756878 CoS=5 TTL=1 S=0
10  209.85.251.178 (209.85.251.178)  45.549 ms  44.474 ms  45.682 ms
     MPLS Label=720256 CoS=5 TTL=1 S=0
11  74.125.37.103 (74.125.37.103)  39.998 ms 216.239.49.244
(216.239.49.244)  48.116 ms 74.125.37.150 (74.125.37.150)  42.865 ms
     MPLS Label=25186 CoS=5 TTL=1 S=0
12  209.85.251.231 (209.85.251.231)  39.575 ms 72.14.238.43
(72.14.238.43)  43.933 ms 209.85.242.165 (209.85.242.165)  46.748 ms
13  * *Icmp checksum is wrong
 *
14  ns3.google.com (216.239.36.10)  41.453 ms  39.987 ms  47.545 ms
[root at syz3ns01 ~]#

[root at syz3ns02 ~]# traceroute ns3.google.com.
traceroute to ns3.google.com (216.239.36.10), 30 hops max, 38 byte packets
 1  syz3fw01-dmz.servers.n3.syzefxis.gov.gr (10.95.1.1)  0.232 ms  0.283
ms  0.209 ms
 2  84.205.252.6 (84.205.252.6)  0.688 ms  0.535 ms  0.455 ms
 3  193.92.42.169 (193.92.42.169)  1.715 ms  0.835 ms  0.726 ms
 4  194.219.208.29 (194.219.208.29)  1.248 ms  0.876 ms  0.773 ms
     MPLS Label=757472 CoS=5 TTL=1 S=0
 5  xe-0-3-1.core-lsf-08.forthnet.gr (213.16.247.193)  0.755 ms  1.047
ms  0.944 ms
 6  74.125.48.74 (74.125.48.74)  8.331 ms  8.546 ms  8.328 ms
 7  72.14.237.189 (72.14.237.189)  12.286 ms 72.14.237.27 (72.14.237.27)
 5.935 ms 72.14.237.189 (72.14.237.189)  13.211 ms
 8  209.85.253.114 (209.85.253.114)  22.488 ms 209.85.240.160
(209.85.240.160)  25.713 ms  26.401 ms
     MPLS Label=554255 CoS=5 TTL=1 S=0
 9  216.239.57.244 (216.239.57.244)  41.070 ms 209.85.241.233
(209.85.241.233)  34.822 ms 209.85.242.79 (209.85.242.79)  38.180 ms
     MPLS Label=27780 CoS=5 TTL=1 S=0
10  209.85.251.178 (209.85.251.178)  36.262 ms 66.249.95.39
(66.249.95.39)  44.744 ms 209.85.143.25 (209.85.143.25)  43.497 ms
     MPLS Label=25688 CoS=5 TTL=1 S=0
11  216.239.49.240 (216.239.49.240)  42.459 ms 216.239.49.244
(216.239.49.244)  42.738 ms  39.587 ms
     MPLS Label=731306 CoS=5 TTL=1 S=0
12  72.14.238.215 (72.14.238.215)  46.858 ms 216.239.51.147
(216.239.51.147)  48.715 ms 209.85.246.164 (209.85.246.164)  86.761 ms
Icmp checksum is wrong
13  * * *
14  ns3.google.com (216.239.36.10)  48.178 ms  48.106 ms  48.157 ms
[root at syz3ns02 ~]#

[root at syz3ns03 ~]# traceroute ns3.google.com.
traceroute to ns3.google.com (216.239.36.10), 30 hops max, 38 byte packets
 1  syz3fw01-dmz.servers.n3.syzefxis.gov.gr (10.95.1.1)  0.297 ms  0.393
ms  0.447 ms
 2  84.205.252.6 (84.205.252.6)  0.454 ms  0.574 ms  0.751 ms
 3  193.92.42.169 (193.92.42.169)  0.938 ms  0.823 ms  0.733 ms
 4  194.219.208.29 (194.219.208.29)  1.260 ms  0.766 ms  1.267 ms
     MPLS Label=757472 CoS=5 TTL=1 S=0
 5  xe-0-3-1.core-lsf-08.forthnet.gr (213.16.247.193)  15.388 ms  1.248
ms  1.446 ms
 6  74.125.48.74 (74.125.48.74)  5.410 ms  5.378 ms  5.435 ms
 7  72.14.237.27 (72.14.237.27)  12.224 ms  12.309 ms 72.14.237.189
(72.14.237.189)  5.354 ms
 8  209.85.240.160 (209.85.240.160)  22.422 ms  35.365 ms  22.601 ms
     MPLS Label=536927 CoS=5 TTL=1 S=0
 9  216.239.57.244 (216.239.57.244)  43.196 ms 209.85.242.79
(209.85.242.79)  40.263 ms 216.239.57.244 (216.239.57.244)  43.387 ms
     MPLS Label=27555 CoS=5 TTL=1 S=0
10  209.85.251.178 (209.85.251.178)  41.581 ms 209.85.143.25
(209.85.143.25)  36.869 ms 66.249.95.39 (66.249.95.39)  44.804 ms
     MPLS Label=24801 CoS=5 TTL=1 S=0
11  216.239.49.244 (216.239.49.244)  44.189 ms 74.125.37.154
(74.125.37.154)  47.331 ms 216.239.49.244 (216.239.49.244)  48.582 ms
     MPLS Label=549098 CoS=5 TTL=1 S=0
12  209.85.246.135 (209.85.246.135)  47.964 ms 209.85.251.231
(209.85.251.231)  42.683 ms 72.14.238.215 (72.14.238.215)  43.525 ms
13  * * *
14  ns3.google.com (216.239.36.10)  49.559 ms  48.009 ms  48.148 ms
[root at syz3ns03 ~]#

Any ideas please?
Sot.


More information about the bind-users mailing list