different answers from google's authoritative servers

Kevin Kretz kevin at rentec.com
Wed Jun 1 12:30:19 UTC 2016


There's also no reason to assume that the different responses have anything to do with the client network. They could, of course (with views), but that you get different responses from the same/similar IP is, again, not anything wrong. 


From: "Sotiris Tsimbonis" <stsimb at forthnet.gr> 
To: "Kevin Kretz" <kevin at rentec.com> 
Cc: bind-users at isc.org 
Sent: Wednesday, June 1, 2016 8:20:54 AM 
Subject: Re: different answers from google's authoritative servers 

On 1/6/16 15:08, Kevin Kretz wrote: 
> Whether the responses to the query work properly in the browsers is a 
> different issue. There's nothing inherently wrong with multiple and 
> different responses to queries in different subnets or regions. 
> 

True. But I'm trying to figure out why do the answers differ so much, 
when from my side everything is on the same subnet, announced as 
84.205.252.0/23 on our BGP. I would expect all of them to end up on the 
same google anycast cluster and receive the same answer (or nearly the 
same). 

Sot. 

> ------------------------------------------------------------------------ 
> *From: *"Sotiris Tsimbonis" <stsimb at forthnet.gr> 
> *To: *"Kevin Kretz" <kevin at rentec.com> 
> *Cc: *bind-users at isc.org 
> *Sent: *Wednesday, June 1, 2016 7:46:38 AM 
> *Subject: *Re: different answers from google's authoritative servers 
> 
> On 1/6/16 14:41, Kevin Kretz wrote: 
>> Sotiris, 
>> 
>> There could be multiple A records for load balancing. 
>> 
> 
> Of course, but answers of the first and second servers are on the same 
> subnet, and more importantly, work on the users' browsers. 
> 
> The third set of answers is on a completely different subnet and 
> produces ssl errors in the browsers.. Like if it's a cluster for another 
> service, region or whatever.. 
> 
> Sot. 
> 
>> ------------------------------------------------------------------------ 
>> *From: *"Sotiris Tsimbonis" <stsimb at forthnet.gr> 
>> *To: *bind-users at isc.org 
>> *Sent: *Wednesday, June 1, 2016 7:34:00 AM 
>> *Subject: *different answers from google's authoritative servers 
>> 
>> Hi all, 
>> 
>> We have 3 recursive resolvers on the same subnet, and one of them is 
>> getting different answers for the same things from google's 
>> authoritative dns servers. 
>> 
>> [root at syz3ns01 ~]# RESOLVERS="ns1.google.com. ns2.google.com. 
>> ns3.google.com. ns4.google.com." 
>> [root at syz3ns01 ~]# SITES="www.google.com. www.google.gr." 
>> [root at syz3ns01 ~]# for resolver in ${RESOLVERS} ; do for site in 
>> ${SITES}; do echo "${resolver} ${site} $(dig +short A ${site} 
>> @${resolver})" ; done ; done 
>> ns1.google.com. www.google.com. 216.58.211.4 
>> ns1.google.com. www.google.gr. 216.58.211.3 
>> ns2.google.com. www.google.com. 216.58.211.4 
>> ns2.google.com. www.google.gr. 216.58.211.3 
>> ns3.google.com. www.google.com. 216.58.211.4 
>> ns3.google.com. www.google.gr. 216.58.211.3 
>> ns4.google.com. www.google.com. 216.58.211.4 
>> ns4.google.com. www.google.gr. 216.58.211.3 
>> 
>> [root at syz3ns02 ~]# RESOLVERS="ns1.google.com. ns2.google.com. 
>> ns3.google.com. ns4.google.com." 
>> [root at syz3ns02 ~]# SITES="www.google.com. www.google.gr." 
>> [root at syz3ns02 ~]# for resolver in ${RESOLVERS} ; do for site in 
>> ${SITES}; do echo "${resolver} ${site} $(dig +short A ${site} 
>> @${resolver})" ; done ; done 
>> ns1.google.com. www.google.com. 216.58.211.36 
>> ns1.google.com. www.google.gr. 216.58.211.35 
>> ns2.google.com. www.google.com. 216.58.211.36 
>> ns2.google.com. www.google.gr. 216.58.211.35 
>> ns3.google.com. www.google.com. 216.58.211.36 
>> ns3.google.com. www.google.gr. 216.58.211.35 
>> ns4.google.com. www.google.com. 216.58.211.36 
>> ns4.google.com. www.google.gr. 216.58.211.35 
>> 
>> [root at syz3ns03 ~]# RESOLVERS="ns1.google.com. ns2.google.com. 
>> ns3.google.com. ns4.google.com." 
>> [root at syz3ns03 ~]# SITES="www.google.com. www.google.gr." 
>> [root at syz3ns03 ~]# for resolver in ${RESOLVERS} ; do for site in 
>> ${SITES}; do echo "${resolver} ${site} $(dig +short A ${site} 
>> @${resolver})" ; done ; done 
>> ns1.google.com. www.google.com. 172.217.16.36 
>> ns1.google.com. www.google.gr. 172.217.16.35 
>> ns2.google.com. www.google.com. 172.217.16.36 
>> ns2.google.com. www.google.gr. 172.217.16.35 
>> ns3.google.com. www.google.com. 172.217.16.36 
>> ns3.google.com. www.google.gr. 172.217.16.35 
>> ns4.google.com. www.google.com. 172.217.16.36 
>> ns4.google.com. www.google.gr. 172.217.16.35 
>> 
>> The IP addresses of our servers are 84.205.252.16, 84.205.252.18 and 
>> 84.205.252.20 respectively. 
>> 
>> The problem with the third answer set is on the users' browsers, it 
>> produces an ssl certificate error and users cannot access google. 
>> 
>> traceroute to google's dns servers are different on the penultimate hop 
>> (hop 12) 
>> 
>> [root at syz3ns01 ~]# traceroute ns3.google.com. 
>> traceroute to ns3.google.com (216.239.36.10), 30 hops max, 38 byte packets 
>> 1 syz3fw01-dmz.servers.n3.syzefxis.gov.gr (10.95.1.1) 0.405 ms 0.262 
>> ms 0.217 ms 
>> 2 84.205.252.6 (84.205.252.6) 0.718 ms 0.504 ms 0.511 ms 
>> 3 193.92.42.169 (193.92.42.169) 0.937 ms 1.024 ms 0.482 ms 
>> 4 194.219.208.29 (194.219.208.29) 1.017 ms 1.004 ms 0.946 ms 
>> MPLS Label=757472 CoS=5 TTL=1 S=0 
>> 5 xe-0-3-1.core-lsf-08.forthnet.gr (213.16.247.193) 0.950 ms 1.063 
>> ms 0.982 ms 
>> 6 74.125.48.74 (74.125.48.74) 8.373 ms 8.374 ms 8.341 ms 
>> 7 72.14.237.27 (72.14.237.27) 8.352 ms 72.14.237.189 (72.14.237.189) 
>> 12.085 ms 72.14.237.27 (72.14.237.27) 8.979 ms 
>> 8 209.85.253.114 (209.85.253.114) 26.920 ms 26.114 ms 25.789 ms 
>> MPLS Label=772454 CoS=5 TTL=1 S=0 
>> 9 216.239.58.8 (216.239.58.8) 50.816 ms 209.85.241.233 
>> (209.85.241.233) 42.159 ms 43.461 ms 
>> MPLS Label=756878 CoS=5 TTL=1 S=0 
>> 10 209.85.251.178 (209.85.251.178) 45.549 ms 44.474 ms 45.682 ms 
>> MPLS Label=720256 CoS=5 TTL=1 S=0 
>> 11 74.125.37.103 (74.125.37.103) 39.998 ms 216.239.49.244 
>> (216.239.49.244) 48.116 ms 74.125.37.150 (74.125.37.150) 42.865 ms 
>> MPLS Label=25186 CoS=5 TTL=1 S=0 
>> 12 209.85.251.231 (209.85.251.231) 39.575 ms 72.14.238.43 
>> (72.14.238.43) 43.933 ms 209.85.242.165 (209.85.242.165) 46.748 ms 
>> 13 * *Icmp checksum is wrong 
>> * 
>> 14 ns3.google.com (216.239.36.10) 41.453 ms 39.987 ms 47.545 ms 
>> [root at syz3ns01 ~]# 
>> 
>> [root at syz3ns02 ~]# traceroute ns3.google.com. 
>> traceroute to ns3.google.com (216.239.36.10), 30 hops max, 38 byte packets 
>> 1 syz3fw01-dmz.servers.n3.syzefxis.gov.gr (10.95.1.1) 0.232 ms 0.283 
>> ms 0.209 ms 
>> 2 84.205.252.6 (84.205.252.6) 0.688 ms 0.535 ms 0.455 ms 
>> 3 193.92.42.169 (193.92.42.169) 1.715 ms 0.835 ms 0.726 ms 
>> 4 194.219.208.29 (194.219.208.29) 1.248 ms 0.876 ms 0.773 ms 
>> MPLS Label=757472 CoS=5 TTL=1 S=0 
>> 5 xe-0-3-1.core-lsf-08.forthnet.gr (213.16.247.193) 0.755 ms 1.047 
>> ms 0.944 ms 
>> 6 74.125.48.74 (74.125.48.74) 8.331 ms 8.546 ms 8.328 ms 
>> 7 72.14.237.189 (72.14.237.189) 12.286 ms 72.14.237.27 (72.14.237.27) 
>> 5.935 ms 72.14.237.189 (72.14.237.189) 13.211 ms 
>> 8 209.85.253.114 (209.85.253.114) 22.488 ms 209.85.240.160 
>> (209.85.240.160) 25.713 ms 26.401 ms 
>> MPLS Label=554255 CoS=5 TTL=1 S=0 
>> 9 216.239.57.244 (216.239.57.244) 41.070 ms 209.85.241.233 
>> (209.85.241.233) 34.822 ms 209.85.242.79 (209.85.242.79) 38.180 ms 
>> MPLS Label=27780 CoS=5 TTL=1 S=0 
>> 10 209.85.251.178 (209.85.251.178) 36.262 ms 66.249.95.39 
>> (66.249.95.39) 44.744 ms 209.85.143.25 (209.85.143.25) 43.497 ms 
>> MPLS Label=25688 CoS=5 TTL=1 S=0 
>> 11 216.239.49.240 (216.239.49.240) 42.459 ms 216.239.49.244 
>> (216.239.49.244) 42.738 ms 39.587 ms 
>> MPLS Label=731306 CoS=5 TTL=1 S=0 
>> 12 72.14.238.215 (72.14.238.215) 46.858 ms 216.239.51.147 
>> (216.239.51.147) 48.715 ms 209.85.246.164 (209.85.246.164) 86.761 ms 
>> Icmp checksum is wrong 
>> 13 * * * 
>> 14 ns3.google.com (216.239.36.10) 48.178 ms 48.106 ms 48.157 ms 
>> [root at syz3ns02 ~]# 
>> 
>> [root at syz3ns03 ~]# traceroute ns3.google.com. 
>> traceroute to ns3.google.com (216.239.36.10), 30 hops max, 38 byte packets 
>> 1 syz3fw01-dmz.servers.n3.syzefxis.gov.gr (10.95.1.1) 0.297 ms 0.393 
>> ms 0.447 ms 
>> 2 84.205.252.6 (84.205.252.6) 0.454 ms 0.574 ms 0.751 ms 
>> 3 193.92.42.169 (193.92.42.169) 0.938 ms 0.823 ms 0.733 ms 
>> 4 194.219.208.29 (194.219.208.29) 1.260 ms 0.766 ms 1.267 ms 
>> MPLS Label=757472 CoS=5 TTL=1 S=0 
>> 5 xe-0-3-1.core-lsf-08.forthnet.gr (213.16.247.193) 15.388 ms 1.248 
>> ms 1.446 ms 
>> 6 74.125.48.74 (74.125.48.74) 5.410 ms 5.378 ms 5.435 ms 
>> 7 72.14.237.27 (72.14.237.27) 12.224 ms 12.309 ms 72.14.237.189 
>> (72.14.237.189) 5.354 ms 
>> 8 209.85.240.160 (209.85.240.160) 22.422 ms 35.365 ms 22.601 ms 
>> MPLS Label=536927 CoS=5 TTL=1 S=0 
>> 9 216.239.57.244 (216.239.57.244) 43.196 ms 209.85.242.79 
>> (209.85.242.79) 40.263 ms 216.239.57.244 (216.239.57.244) 43.387 ms 
>> MPLS Label=27555 CoS=5 TTL=1 S=0 
>> 10 209.85.251.178 (209.85.251.178) 41.581 ms 209.85.143.25 
>> (209.85.143.25) 36.869 ms 66.249.95.39 (66.249.95.39) 44.804 ms 
>> MPLS Label=24801 CoS=5 TTL=1 S=0 
>> 11 216.239.49.244 (216.239.49.244) 44.189 ms 74.125.37.154 
>> (74.125.37.154) 47.331 ms 216.239.49.244 (216.239.49.244) 48.582 ms 
>> MPLS Label=549098 CoS=5 TTL=1 S=0 
>> 12 209.85.246.135 (209.85.246.135) 47.964 ms 209.85.251.231 
>> (209.85.251.231) 42.683 ms 72.14.238.215 (72.14.238.215) 43.525 ms 
>> 13 * * * 
>> 14 ns3.google.com (216.239.36.10) 49.559 ms 48.009 ms 48.148 ms 
>> [root at syz3ns03 ~]# 
>> 
>> Any ideas please? 
>> Sot. 
>> _______________________________________________ 
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>> unsubscribe from this list 
>> 
>> bind-users mailing list 
>> bind-users at lists.isc.org 
>> https://lists.isc.org/mailman/listinfo/bind-users 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20160601/1b4d1afb/attachment.html>


More information about the bind-users mailing list