different answers from google's authoritative servers

Kevin Kretz kevin at rentec.com
Wed Jun 1 13:00:30 UTC 2016


I don't know what you mean by "the wrong logical answer". 

I get a different set of changing IPs when querying ns3.google.com than you, so the set you're getting likely is dependent on your IP/location. 


74.125.141.99 
74.125.141.106 
74.125.141.103 
74.125.141.105 
74.125.141.147 
74.125.141.104 

74.125.141.99 
74.125.141.103 
74.125.141.147 
74.125.141.105 
74.125.141.104 
74.125.141.106 

From: "Sotiris Tsimbonis" <stsimb at forthnet.gr> 
To: "Kevin Kretz" <kevin at rentec.com> 
Cc: bind-users at isc.org 
Sent: Wednesday, June 1, 2016 8:47:13 AM 
Subject: Re: different answers from google's authoritative servers 

On 1/6/16 15:30, Kevin Kretz wrote: 
> There's also no reason to assume that the different responses have 
> anything to do with the client network. They could, of course (with 
> views), but that you get different responses from the same/similar IP 
> is, again, not anything wrong. 
> 

True, so below is probably the visualisation of load balancing ... which 
most of the times gives me "the wrong logical answer". 

[root at syz3ns03 ~]# while true ; do sleep 0.1 ; echo "$(date) $(dig 
+short A www.google.com. @ns3.google.com.)" ; done 
... 
Wed Jun 1 15:42:31 EEST 2016 172.217.16.36 
Wed Jun 1 15:42:32 EEST 2016 172.217.16.36 
Wed Jun 1 15:42:32 EEST 2016 172.217.16.36 
Wed Jun 1 15:42:32 EEST 2016 216.58.208.100 
Wed Jun 1 15:42:32 EEST 2016 172.217.16.36 
Wed Jun 1 15:42:32 EEST 2016 172.217.16.36 
Wed Jun 1 15:42:32 EEST 2016 172.217.16.36 
Wed Jun 1 15:42:33 EEST 2016 172.217.16.36 
Wed Jun 1 15:42:33 EEST 2016 216.58.208.100 
Wed Jun 1 15:42:33 EEST 2016 172.217.16.36 
Wed Jun 1 15:42:33 EEST 2016 172.217.16.36 
Wed Jun 1 15:42:33 EEST 2016 172.217.16.36 
Wed Jun 1 15:42:33 EEST 2016 172.217.16.36 
Wed Jun 1 15:42:34 EEST 2016 172.217.16.36 
Wed Jun 1 15:42:34 EEST 2016 172.217.16.36 
Wed Jun 1 15:42:34 EEST 2016 172.217.16.36 
Wed Jun 1 15:42:34 EEST 2016 216.58.208.100 
Wed Jun 1 15:42:34 EEST 2016 172.217.16.36 
Wed Jun 1 15:42:34 EEST 2016 172.217.16.36 
Wed Jun 1 15:42:35 EEST 2016 172.217.16.36 
... 

So what I'm really trying to find out is if there's anything from my 
side to influence the load balancer's decision.. 

Sot. 

> ------------------------------------------------------------------------ 
> *From: *"Sotiris Tsimbonis" <stsimb at forthnet.gr> 
> *To: *"Kevin Kretz" <kevin at rentec.com> 
> *Cc: *bind-users at isc.org 
> *Sent: *Wednesday, June 1, 2016 8:20:54 AM 
> *Subject: *Re: different answers from google's authoritative servers 
> 
> On 1/6/16 15:08, Kevin Kretz wrote: 
>> Whether the responses to the query work properly in the browsers is a 
>> different issue. There's nothing inherently wrong with multiple and 
>> different responses to queries in different subnets or regions. 
>> 
> 
> True. But I'm trying to figure out why do the answers differ so much, 
> when from my side everything is on the same subnet, announced as 
> 84.205.252.0/23 on our BGP. I would expect all of them to end up on the 
> same google anycast cluster and receive the same answer (or nearly the 
> same). 
> 
> Sot. 
> 
>> ------------------------------------------------------------------------ 
>> *From: *"Sotiris Tsimbonis" <stsimb at forthnet.gr> 
>> *To: *"Kevin Kretz" <kevin at rentec.com> 
>> *Cc: *bind-users at isc.org 
>> *Sent: *Wednesday, June 1, 2016 7:46:38 AM 
>> *Subject: *Re: different answers from google's authoritative servers 
>> 
>> On 1/6/16 14:41, Kevin Kretz wrote: 
>>> Sotiris, 
>>> 
>>> There could be multiple A records for load balancing. 
>>> 
>> 
>> Of course, but answers of the first and second servers are on the same 
>> subnet, and more importantly, work on the users' browsers. 
>> 
>> The third set of answers is on a completely different subnet and 
>> produces ssl errors in the browsers.. Like if it's a cluster for another 
>> service, region or whatever.. 
>> 
>> Sot. 
>> 
>>> ------------------------------------------------------------------------ 
>>> *From: *"Sotiris Tsimbonis" <stsimb at forthnet.gr> 
>>> *To: *bind-users at isc.org 
>>> *Sent: *Wednesday, June 1, 2016 7:34:00 AM 
>>> *Subject: *different answers from google's authoritative servers 
>>> 
>>> Hi all, 
>>> 
>>> We have 3 recursive resolvers on the same subnet, and one of them is 
>>> getting different answers for the same things from google's 
>>> authoritative dns servers. 
>>> 
>>> [root at syz3ns01 ~]# RESOLVERS="ns1.google.com. ns2.google.com. 
>>> ns3.google.com. ns4.google.com." 
>>> [root at syz3ns01 ~]# SITES="www.google.com. www.google.gr." 
>>> [root at syz3ns01 ~]# for resolver in ${RESOLVERS} ; do for site in 
>>> ${SITES}; do echo "${resolver} ${site} $(dig +short A ${site} 
>>> @${resolver})" ; done ; done 
>>> ns1.google.com. www.google.com. 216.58.211.4 
>>> ns1.google.com. www.google.gr. 216.58.211.3 
>>> ns2.google.com. www.google.com. 216.58.211.4 
>>> ns2.google.com. www.google.gr. 216.58.211.3 
>>> ns3.google.com. www.google.com. 216.58.211.4 
>>> ns3.google.com. www.google.gr. 216.58.211.3 
>>> ns4.google.com. www.google.com. 216.58.211.4 
>>> ns4.google.com. www.google.gr. 216.58.211.3 
>>> 
>>> [root at syz3ns02 ~]# RESOLVERS="ns1.google.com. ns2.google.com. 
>>> ns3.google.com. ns4.google.com." 
>>> [root at syz3ns02 ~]# SITES="www.google.com. www.google.gr." 
>>> [root at syz3ns02 ~]# for resolver in ${RESOLVERS} ; do for site in 
>>> ${SITES}; do echo "${resolver} ${site} $(dig +short A ${site} 
>>> @${resolver})" ; done ; done 
>>> ns1.google.com. www.google.com. 216.58.211.36 
>>> ns1.google.com. www.google.gr. 216.58.211.35 
>>> ns2.google.com. www.google.com. 216.58.211.36 
>>> ns2.google.com. www.google.gr. 216.58.211.35 
>>> ns3.google.com. www.google.com. 216.58.211.36 
>>> ns3.google.com. www.google.gr. 216.58.211.35 
>>> ns4.google.com. www.google.com. 216.58.211.36 
>>> ns4.google.com. www.google.gr. 216.58.211.35 
>>> 
>>> [root at syz3ns03 ~]# RESOLVERS="ns1.google.com. ns2.google.com. 
>>> ns3.google.com. ns4.google.com." 
>>> [root at syz3ns03 ~]# SITES="www.google.com. www.google.gr." 
>>> [root at syz3ns03 ~]# for resolver in ${RESOLVERS} ; do for site in 
>>> ${SITES}; do echo "${resolver} ${site} $(dig +short A ${site} 
>>> @${resolver})" ; done ; done 
>>> ns1.google.com. www.google.com. 172.217.16.36 
>>> ns1.google.com. www.google.gr. 172.217.16.35 
>>> ns2.google.com. www.google.com. 172.217.16.36 
>>> ns2.google.com. www.google.gr. 172.217.16.35 
>>> ns3.google.com. www.google.com. 172.217.16.36 
>>> ns3.google.com. www.google.gr. 172.217.16.35 
>>> ns4.google.com. www.google.com. 172.217.16.36 
>>> ns4.google.com. www.google.gr. 172.217.16.35 
>>> 
>>> The IP addresses of our servers are 84.205.252.16, 84.205.252.18 and 
>>> 84.205.252.20 respectively. 
>>> 
>>> The problem with the third answer set is on the users' browsers, it 
>>> produces an ssl certificate error and users cannot access google. 
>>> 
>>> traceroute to google's dns servers are different on the penultimate hop 
>>> (hop 12) 
>>> 
>>> [root at syz3ns01 ~]# traceroute ns3.google.com. 
>>> traceroute to ns3.google.com (216.239.36.10), 30 hops max, 38 byte 
> packets 
>>> 1 syz3fw01-dmz.servers.n3.syzefxis.gov.gr (10.95.1.1) 0.405 ms 0.262 
>>> ms 0.217 ms 
>>> 2 84.205.252.6 (84.205.252.6) 0.718 ms 0.504 ms 0.511 ms 
>>> 3 193.92.42.169 (193.92.42.169) 0.937 ms 1.024 ms 0.482 ms 
>>> 4 194.219.208.29 (194.219.208.29) 1.017 ms 1.004 ms 0.946 ms 
>>> MPLS Label=757472 CoS=5 TTL=1 S=0 
>>> 5 xe-0-3-1.core-lsf-08.forthnet.gr (213.16.247.193) 0.950 ms 1.063 
>>> ms 0.982 ms 
>>> 6 74.125.48.74 (74.125.48.74) 8.373 ms 8.374 ms 8.341 ms 
>>> 7 72.14.237.27 (72.14.237.27) 8.352 ms 72.14.237.189 (72.14.237.189) 
>>> 12.085 ms 72.14.237.27 (72.14.237.27) 8.979 ms 
>>> 8 209.85.253.114 (209.85.253.114) 26.920 ms 26.114 ms 25.789 ms 
>>> MPLS Label=772454 CoS=5 TTL=1 S=0 
>>> 9 216.239.58.8 (216.239.58.8) 50.816 ms 209.85.241.233 
>>> (209.85.241.233) 42.159 ms 43.461 ms 
>>> MPLS Label=756878 CoS=5 TTL=1 S=0 
>>> 10 209.85.251.178 (209.85.251.178) 45.549 ms 44.474 ms 45.682 ms 
>>> MPLS Label=720256 CoS=5 TTL=1 S=0 
>>> 11 74.125.37.103 (74.125.37.103) 39.998 ms 216.239.49.244 
>>> (216.239.49.244) 48.116 ms 74.125.37.150 (74.125.37.150) 42.865 ms 
>>> MPLS Label=25186 CoS=5 TTL=1 S=0 
>>> 12 209.85.251.231 (209.85.251.231) 39.575 ms 72.14.238.43 
>>> (72.14.238.43) 43.933 ms 209.85.242.165 (209.85.242.165) 46.748 ms 
>>> 13 * *Icmp checksum is wrong 
>>> * 
>>> 14 ns3.google.com (216.239.36.10) 41.453 ms 39.987 ms 47.545 ms 
>>> [root at syz3ns01 ~]# 
>>> 
>>> [root at syz3ns02 ~]# traceroute ns3.google.com. 
>>> traceroute to ns3.google.com (216.239.36.10), 30 hops max, 38 byte 
> packets 
>>> 1 syz3fw01-dmz.servers.n3.syzefxis.gov.gr (10.95.1.1) 0.232 ms 0.283 
>>> ms 0.209 ms 
>>> 2 84.205.252.6 (84.205.252.6) 0.688 ms 0.535 ms 0.455 ms 
>>> 3 193.92.42.169 (193.92.42.169) 1.715 ms 0.835 ms 0.726 ms 
>>> 4 194.219.208.29 (194.219.208.29) 1.248 ms 0.876 ms 0.773 ms 
>>> MPLS Label=757472 CoS=5 TTL=1 S=0 
>>> 5 xe-0-3-1.core-lsf-08.forthnet.gr (213.16.247.193) 0.755 ms 1.047 
>>> ms 0.944 ms 
>>> 6 74.125.48.74 (74.125.48.74) 8.331 ms 8.546 ms 8.328 ms 
>>> 7 72.14.237.189 (72.14.237.189) 12.286 ms 72.14.237.27 (72.14.237.27) 
>>> 5.935 ms 72.14.237.189 (72.14.237.189) 13.211 ms 
>>> 8 209.85.253.114 (209.85.253.114) 22.488 ms 209.85.240.160 
>>> (209.85.240.160) 25.713 ms 26.401 ms 
>>> MPLS Label=554255 CoS=5 TTL=1 S=0 
>>> 9 216.239.57.244 (216.239.57.244) 41.070 ms 209.85.241.233 
>>> (209.85.241.233) 34.822 ms 209.85.242.79 (209.85.242.79) 38.180 ms 
>>> MPLS Label=27780 CoS=5 TTL=1 S=0 
>>> 10 209.85.251.178 (209.85.251.178) 36.262 ms 66.249.95.39 
>>> (66.249.95.39) 44.744 ms 209.85.143.25 (209.85.143.25) 43.497 ms 
>>> MPLS Label=25688 CoS=5 TTL=1 S=0 
>>> 11 216.239.49.240 (216.239.49.240) 42.459 ms 216.239.49.244 
>>> (216.239.49.244) 42.738 ms 39.587 ms 
>>> MPLS Label=731306 CoS=5 TTL=1 S=0 
>>> 12 72.14.238.215 (72.14.238.215) 46.858 ms 216.239.51.147 
>>> (216.239.51.147) 48.715 ms 209.85.246.164 (209.85.246.164) 86.761 ms 
>>> Icmp checksum is wrong 
>>> 13 * * * 
>>> 14 ns3.google.com (216.239.36.10) 48.178 ms 48.106 ms 48.157 ms 
>>> [root at syz3ns02 ~]# 
>>> 
>>> [root at syz3ns03 ~]# traceroute ns3.google.com. 
>>> traceroute to ns3.google.com (216.239.36.10), 30 hops max, 38 byte 
> packets 
>>> 1 syz3fw01-dmz.servers.n3.syzefxis.gov.gr (10.95.1.1) 0.297 ms 0.393 
>>> ms 0.447 ms 
>>> 2 84.205.252.6 (84.205.252.6) 0.454 ms 0.574 ms 0.751 ms 
>>> 3 193.92.42.169 (193.92.42.169) 0.938 ms 0.823 ms 0.733 ms 
>>> 4 194.219.208.29 (194.219.208.29) 1.260 ms 0.766 ms 1.267 ms 
>>> MPLS Label=757472 CoS=5 TTL=1 S=0 
>>> 5 xe-0-3-1.core-lsf-08.forthnet.gr (213.16.247.193) 15.388 ms 1.248 
>>> ms 1.446 ms 
>>> 6 74.125.48.74 (74.125.48.74) 5.410 ms 5.378 ms 5.435 ms 
>>> 7 72.14.237.27 (72.14.237.27) 12.224 ms 12.309 ms 72.14.237.189 
>>> (72.14.237.189) 5.354 ms 
>>> 8 209.85.240.160 (209.85.240.160) 22.422 ms 35.365 ms 22.601 ms 
>>> MPLS Label=536927 CoS=5 TTL=1 S=0 
>>> 9 216.239.57.244 (216.239.57.244) 43.196 ms 209.85.242.79 
>>> (209.85.242.79) 40.263 ms 216.239.57.244 (216.239.57.244) 43.387 ms 
>>> MPLS Label=27555 CoS=5 TTL=1 S=0 
>>> 10 209.85.251.178 (209.85.251.178) 41.581 ms 209.85.143.25 
>>> (209.85.143.25) 36.869 ms 66.249.95.39 (66.249.95.39) 44.804 ms 
>>> MPLS Label=24801 CoS=5 TTL=1 S=0 
>>> 11 216.239.49.244 (216.239.49.244) 44.189 ms 74.125.37.154 
>>> (74.125.37.154) 47.331 ms 216.239.49.244 (216.239.49.244) 48.582 ms 
>>> MPLS Label=549098 CoS=5 TTL=1 S=0 
>>> 12 209.85.246.135 (209.85.246.135) 47.964 ms 209.85.251.231 
>>> (209.85.251.231) 42.683 ms 72.14.238.215 (72.14.238.215) 43.525 ms 
>>> 13 * * * 
>>> 14 ns3.google.com (216.239.36.10) 49.559 ms 48.009 ms 48.148 ms 
>>> [root at syz3ns03 ~]# 
>>> 
>>> Any ideas please? 
>>> Sot. 
>>> _______________________________________________ 
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>>> unsubscribe from this list 
>>> 
>>> bind-users mailing list 
>>> bind-users at lists.isc.org 
>>> https://lists.isc.org/mailman/listinfo/bind-users 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20160601/ee57082d/attachment-0001.html>


More information about the bind-users mailing list