different answers from google's authoritative servers
Kevin Kretz
kevin at rentec.com
Wed Jun 1 13:00:30 UTC 2016
I don't know what you mean by "the wrong logical answer".
I get a different set of changing IPs when querying ns3.google.com than you, so the set you're getting likely is dependent on your IP/location.
74.125.141.99
74.125.141.106
74.125.141.103
74.125.141.105
74.125.141.147
74.125.141.104
74.125.141.99
74.125.141.103
74.125.141.147
74.125.141.105
74.125.141.104
74.125.141.106
From: "Sotiris Tsimbonis" <stsimb at forthnet.gr>
To: "Kevin Kretz" <kevin at rentec.com>
Cc: bind-users at isc.org
Sent: Wednesday, June 1, 2016 8:47:13 AM
Subject: Re: different answers from google's authoritative servers
On 1/6/16 15:30, Kevin Kretz wrote:
> There's also no reason to assume that the different responses have
> anything to do with the client network. They could, of course (with
> views), but that you get different responses from the same/similar IP
> is, again, not anything wrong.
>
True, so below is probably the visualisation of load balancing ... which
most of the times gives me "the wrong logical answer".
[root at syz3ns03 ~]# while true ; do sleep 0.1 ; echo "$(date) $(dig
+short A www.google.com. @ns3.google.com.)" ; done
...
Wed Jun 1 15:42:31 EEST 2016 172.217.16.36
Wed Jun 1 15:42:32 EEST 2016 172.217.16.36
Wed Jun 1 15:42:32 EEST 2016 172.217.16.36
Wed Jun 1 15:42:32 EEST 2016 216.58.208.100
Wed Jun 1 15:42:32 EEST 2016 172.217.16.36
Wed Jun 1 15:42:32 EEST 2016 172.217.16.36
Wed Jun 1 15:42:32 EEST 2016 172.217.16.36
Wed Jun 1 15:42:33 EEST 2016 172.217.16.36
Wed Jun 1 15:42:33 EEST 2016 216.58.208.100
Wed Jun 1 15:42:33 EEST 2016 172.217.16.36
Wed Jun 1 15:42:33 EEST 2016 172.217.16.36
Wed Jun 1 15:42:33 EEST 2016 172.217.16.36
Wed Jun 1 15:42:33 EEST 2016 172.217.16.36
Wed Jun 1 15:42:34 EEST 2016 172.217.16.36
Wed Jun 1 15:42:34 EEST 2016 172.217.16.36
Wed Jun 1 15:42:34 EEST 2016 172.217.16.36
Wed Jun 1 15:42:34 EEST 2016 216.58.208.100
Wed Jun 1 15:42:34 EEST 2016 172.217.16.36
Wed Jun 1 15:42:34 EEST 2016 172.217.16.36
Wed Jun 1 15:42:35 EEST 2016 172.217.16.36
...
So what I'm really trying to find out is if there's anything from my
side to influence the load balancer's decision..
Sot.
> ------------------------------------------------------------------------
> *From: *"Sotiris Tsimbonis" <stsimb at forthnet.gr>
> *To: *"Kevin Kretz" <kevin at rentec.com>
> *Cc: *bind-users at isc.org
> *Sent: *Wednesday, June 1, 2016 8:20:54 AM
> *Subject: *Re: different answers from google's authoritative servers
>
> On 1/6/16 15:08, Kevin Kretz wrote:
>> Whether the responses to the query work properly in the browsers is a
>> different issue. There's nothing inherently wrong with multiple and
>> different responses to queries in different subnets or regions.
>>
>
> True. But I'm trying to figure out why do the answers differ so much,
> when from my side everything is on the same subnet, announced as
> 84.205.252.0/23 on our BGP. I would expect all of them to end up on the
> same google anycast cluster and receive the same answer (or nearly the
> same).
>
> Sot.
>
>> ------------------------------------------------------------------------
>> *From: *"Sotiris Tsimbonis" <stsimb at forthnet.gr>
>> *To: *"Kevin Kretz" <kevin at rentec.com>
>> *Cc: *bind-users at isc.org
>> *Sent: *Wednesday, June 1, 2016 7:46:38 AM
>> *Subject: *Re: different answers from google's authoritative servers
>>
>> On 1/6/16 14:41, Kevin Kretz wrote:
>>> Sotiris,
>>>
>>> There could be multiple A records for load balancing.
>>>
>>
>> Of course, but answers of the first and second servers are on the same
>> subnet, and more importantly, work on the users' browsers.
>>
>> The third set of answers is on a completely different subnet and
>> produces ssl errors in the browsers.. Like if it's a cluster for another
>> service, region or whatever..
>>
>> Sot.
>>
>>> ------------------------------------------------------------------------
>>> *From: *"Sotiris Tsimbonis" <stsimb at forthnet.gr>
>>> *To: *bind-users at isc.org
>>> *Sent: *Wednesday, June 1, 2016 7:34:00 AM
>>> *Subject: *different answers from google's authoritative servers
>>>
>>> Hi all,
>>>
>>> We have 3 recursive resolvers on the same subnet, and one of them is
>>> getting different answers for the same things from google's
>>> authoritative dns servers.
>>>
>>> [root at syz3ns01 ~]# RESOLVERS="ns1.google.com. ns2.google.com.
>>> ns3.google.com. ns4.google.com."
>>> [root at syz3ns01 ~]# SITES="www.google.com. www.google.gr."
>>> [root at syz3ns01 ~]# for resolver in ${RESOLVERS} ; do for site in
>>> ${SITES}; do echo "${resolver} ${site} $(dig +short A ${site}
>>> @${resolver})" ; done ; done
>>> ns1.google.com. www.google.com. 216.58.211.4
>>> ns1.google.com. www.google.gr. 216.58.211.3
>>> ns2.google.com. www.google.com. 216.58.211.4
>>> ns2.google.com. www.google.gr. 216.58.211.3
>>> ns3.google.com. www.google.com. 216.58.211.4
>>> ns3.google.com. www.google.gr. 216.58.211.3
>>> ns4.google.com. www.google.com. 216.58.211.4
>>> ns4.google.com. www.google.gr. 216.58.211.3
>>>
>>> [root at syz3ns02 ~]# RESOLVERS="ns1.google.com. ns2.google.com.
>>> ns3.google.com. ns4.google.com."
>>> [root at syz3ns02 ~]# SITES="www.google.com. www.google.gr."
>>> [root at syz3ns02 ~]# for resolver in ${RESOLVERS} ; do for site in
>>> ${SITES}; do echo "${resolver} ${site} $(dig +short A ${site}
>>> @${resolver})" ; done ; done
>>> ns1.google.com. www.google.com. 216.58.211.36
>>> ns1.google.com. www.google.gr. 216.58.211.35
>>> ns2.google.com. www.google.com. 216.58.211.36
>>> ns2.google.com. www.google.gr. 216.58.211.35
>>> ns3.google.com. www.google.com. 216.58.211.36
>>> ns3.google.com. www.google.gr. 216.58.211.35
>>> ns4.google.com. www.google.com. 216.58.211.36
>>> ns4.google.com. www.google.gr. 216.58.211.35
>>>
>>> [root at syz3ns03 ~]# RESOLVERS="ns1.google.com. ns2.google.com.
>>> ns3.google.com. ns4.google.com."
>>> [root at syz3ns03 ~]# SITES="www.google.com. www.google.gr."
>>> [root at syz3ns03 ~]# for resolver in ${RESOLVERS} ; do for site in
>>> ${SITES}; do echo "${resolver} ${site} $(dig +short A ${site}
>>> @${resolver})" ; done ; done
>>> ns1.google.com. www.google.com. 172.217.16.36
>>> ns1.google.com. www.google.gr. 172.217.16.35
>>> ns2.google.com. www.google.com. 172.217.16.36
>>> ns2.google.com. www.google.gr. 172.217.16.35
>>> ns3.google.com. www.google.com. 172.217.16.36
>>> ns3.google.com. www.google.gr. 172.217.16.35
>>> ns4.google.com. www.google.com. 172.217.16.36
>>> ns4.google.com. www.google.gr. 172.217.16.35
>>>
>>> The IP addresses of our servers are 84.205.252.16, 84.205.252.18 and
>>> 84.205.252.20 respectively.
>>>
>>> The problem with the third answer set is on the users' browsers, it
>>> produces an ssl certificate error and users cannot access google.
>>>
>>> traceroute to google's dns servers are different on the penultimate hop
>>> (hop 12)
>>>
>>> [root at syz3ns01 ~]# traceroute ns3.google.com.
>>> traceroute to ns3.google.com (216.239.36.10), 30 hops max, 38 byte
> packets
>>> 1 syz3fw01-dmz.servers.n3.syzefxis.gov.gr (10.95.1.1) 0.405 ms 0.262
>>> ms 0.217 ms
>>> 2 84.205.252.6 (84.205.252.6) 0.718 ms 0.504 ms 0.511 ms
>>> 3 193.92.42.169 (193.92.42.169) 0.937 ms 1.024 ms 0.482 ms
>>> 4 194.219.208.29 (194.219.208.29) 1.017 ms 1.004 ms 0.946 ms
>>> MPLS Label=757472 CoS=5 TTL=1 S=0
>>> 5 xe-0-3-1.core-lsf-08.forthnet.gr (213.16.247.193) 0.950 ms 1.063
>>> ms 0.982 ms
>>> 6 74.125.48.74 (74.125.48.74) 8.373 ms 8.374 ms 8.341 ms
>>> 7 72.14.237.27 (72.14.237.27) 8.352 ms 72.14.237.189 (72.14.237.189)
>>> 12.085 ms 72.14.237.27 (72.14.237.27) 8.979 ms
>>> 8 209.85.253.114 (209.85.253.114) 26.920 ms 26.114 ms 25.789 ms
>>> MPLS Label=772454 CoS=5 TTL=1 S=0
>>> 9 216.239.58.8 (216.239.58.8) 50.816 ms 209.85.241.233
>>> (209.85.241.233) 42.159 ms 43.461 ms
>>> MPLS Label=756878 CoS=5 TTL=1 S=0
>>> 10 209.85.251.178 (209.85.251.178) 45.549 ms 44.474 ms 45.682 ms
>>> MPLS Label=720256 CoS=5 TTL=1 S=0
>>> 11 74.125.37.103 (74.125.37.103) 39.998 ms 216.239.49.244
>>> (216.239.49.244) 48.116 ms 74.125.37.150 (74.125.37.150) 42.865 ms
>>> MPLS Label=25186 CoS=5 TTL=1 S=0
>>> 12 209.85.251.231 (209.85.251.231) 39.575 ms 72.14.238.43
>>> (72.14.238.43) 43.933 ms 209.85.242.165 (209.85.242.165) 46.748 ms
>>> 13 * *Icmp checksum is wrong
>>> *
>>> 14 ns3.google.com (216.239.36.10) 41.453 ms 39.987 ms 47.545 ms
>>> [root at syz3ns01 ~]#
>>>
>>> [root at syz3ns02 ~]# traceroute ns3.google.com.
>>> traceroute to ns3.google.com (216.239.36.10), 30 hops max, 38 byte
> packets
>>> 1 syz3fw01-dmz.servers.n3.syzefxis.gov.gr (10.95.1.1) 0.232 ms 0.283
>>> ms 0.209 ms
>>> 2 84.205.252.6 (84.205.252.6) 0.688 ms 0.535 ms 0.455 ms
>>> 3 193.92.42.169 (193.92.42.169) 1.715 ms 0.835 ms 0.726 ms
>>> 4 194.219.208.29 (194.219.208.29) 1.248 ms 0.876 ms 0.773 ms
>>> MPLS Label=757472 CoS=5 TTL=1 S=0
>>> 5 xe-0-3-1.core-lsf-08.forthnet.gr (213.16.247.193) 0.755 ms 1.047
>>> ms 0.944 ms
>>> 6 74.125.48.74 (74.125.48.74) 8.331 ms 8.546 ms 8.328 ms
>>> 7 72.14.237.189 (72.14.237.189) 12.286 ms 72.14.237.27 (72.14.237.27)
>>> 5.935 ms 72.14.237.189 (72.14.237.189) 13.211 ms
>>> 8 209.85.253.114 (209.85.253.114) 22.488 ms 209.85.240.160
>>> (209.85.240.160) 25.713 ms 26.401 ms
>>> MPLS Label=554255 CoS=5 TTL=1 S=0
>>> 9 216.239.57.244 (216.239.57.244) 41.070 ms 209.85.241.233
>>> (209.85.241.233) 34.822 ms 209.85.242.79 (209.85.242.79) 38.180 ms
>>> MPLS Label=27780 CoS=5 TTL=1 S=0
>>> 10 209.85.251.178 (209.85.251.178) 36.262 ms 66.249.95.39
>>> (66.249.95.39) 44.744 ms 209.85.143.25 (209.85.143.25) 43.497 ms
>>> MPLS Label=25688 CoS=5 TTL=1 S=0
>>> 11 216.239.49.240 (216.239.49.240) 42.459 ms 216.239.49.244
>>> (216.239.49.244) 42.738 ms 39.587 ms
>>> MPLS Label=731306 CoS=5 TTL=1 S=0
>>> 12 72.14.238.215 (72.14.238.215) 46.858 ms 216.239.51.147
>>> (216.239.51.147) 48.715 ms 209.85.246.164 (209.85.246.164) 86.761 ms
>>> Icmp checksum is wrong
>>> 13 * * *
>>> 14 ns3.google.com (216.239.36.10) 48.178 ms 48.106 ms 48.157 ms
>>> [root at syz3ns02 ~]#
>>>
>>> [root at syz3ns03 ~]# traceroute ns3.google.com.
>>> traceroute to ns3.google.com (216.239.36.10), 30 hops max, 38 byte
> packets
>>> 1 syz3fw01-dmz.servers.n3.syzefxis.gov.gr (10.95.1.1) 0.297 ms 0.393
>>> ms 0.447 ms
>>> 2 84.205.252.6 (84.205.252.6) 0.454 ms 0.574 ms 0.751 ms
>>> 3 193.92.42.169 (193.92.42.169) 0.938 ms 0.823 ms 0.733 ms
>>> 4 194.219.208.29 (194.219.208.29) 1.260 ms 0.766 ms 1.267 ms
>>> MPLS Label=757472 CoS=5 TTL=1 S=0
>>> 5 xe-0-3-1.core-lsf-08.forthnet.gr (213.16.247.193) 15.388 ms 1.248
>>> ms 1.446 ms
>>> 6 74.125.48.74 (74.125.48.74) 5.410 ms 5.378 ms 5.435 ms
>>> 7 72.14.237.27 (72.14.237.27) 12.224 ms 12.309 ms 72.14.237.189
>>> (72.14.237.189) 5.354 ms
>>> 8 209.85.240.160 (209.85.240.160) 22.422 ms 35.365 ms 22.601 ms
>>> MPLS Label=536927 CoS=5 TTL=1 S=0
>>> 9 216.239.57.244 (216.239.57.244) 43.196 ms 209.85.242.79
>>> (209.85.242.79) 40.263 ms 216.239.57.244 (216.239.57.244) 43.387 ms
>>> MPLS Label=27555 CoS=5 TTL=1 S=0
>>> 10 209.85.251.178 (209.85.251.178) 41.581 ms 209.85.143.25
>>> (209.85.143.25) 36.869 ms 66.249.95.39 (66.249.95.39) 44.804 ms
>>> MPLS Label=24801 CoS=5 TTL=1 S=0
>>> 11 216.239.49.244 (216.239.49.244) 44.189 ms 74.125.37.154
>>> (74.125.37.154) 47.331 ms 216.239.49.244 (216.239.49.244) 48.582 ms
>>> MPLS Label=549098 CoS=5 TTL=1 S=0
>>> 12 209.85.246.135 (209.85.246.135) 47.964 ms 209.85.251.231
>>> (209.85.251.231) 42.683 ms 72.14.238.215 (72.14.238.215) 43.525 ms
>>> 13 * * *
>>> 14 ns3.google.com (216.239.36.10) 49.559 ms 48.009 ms 48.148 ms
>>> [root at syz3ns03 ~]#
>>>
>>> Any ideas please?
>>> Sot.
>>> _______________________________________________
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>> unsubscribe from this list
>>>
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20160601/ee57082d/attachment-0001.html>
More information about the bind-users
mailing list