different answers from google's authoritative servers

Sotiris Tsimbonis stsimb at forthnet.gr
Wed Jun 1 13:57:10 UTC 2016


On 1/6/16 16:10, Sotiris Tsimbonis wrote:
> On 1/6/16 15:50, Nico CARTRON wrote:
>> Hi Sotiris,
>>
>> On 1 June 2016 at 14:47:31, Sotiris Tsimbonis (stsimb at forthnet.gr
>> <mailto:stsimb at forthnet.gr>) wrote:
>>
>>> On 1/6/16 15:30, Kevin Kretz wrote: 
>>>> There's also no reason to assume that the different responses have 
>>>> anything to do with the client network. They could, of course (with 
>>>> views), but that you get different responses from the same/similar IP 
>>>> is, again, not anything wrong. 
>>>>
>>>
>>> True, so below is probably the visualisation of load balancing ... which 
>>> most of the time gives me "the wrong logical answer". 
>>>
>>> [root at syz3ns03 ~]# while true ; do sleep 0.1 ; echo "$(date) $(dig 
>>> +short A www.google.com. @ns3.google.com.)" ; done 
>>> ... 
>>> Wed Jun 1 15:42:31 EEST 2016 172.217.16.36 
>>> Wed Jun 1 15:42:32 EEST 2016 172.217.16.36 
>>> Wed Jun 1 15:42:32 EEST 2016 172.217.16.36 
>>> Wed Jun 1 15:42:32 EEST 2016 216.58.208.100 
>>> Wed Jun 1 15:42:32 EEST 2016 172.217.16.36 
>>> Wed Jun 1 15:42:32 EEST 2016 172.217.16.36 
>>> Wed Jun 1 15:42:32 EEST 2016 172.217.16.36 
>>> Wed Jun 1 15:42:33 EEST 2016 172.217.16.36 
>>> Wed Jun 1 15:42:33 EEST 2016 216.58.208.100 
>>> Wed Jun 1 15:42:33 EEST 2016 172.217.16.36 
>>> Wed Jun 1 15:42:33 EEST 2016 172.217.16.36 
>>> Wed Jun 1 15:42:33 EEST 2016 172.217.16.36 
>>> Wed Jun 1 15:42:33 EEST 2016 172.217.16.36 
>>> Wed Jun 1 15:42:34 EEST 2016 172.217.16.36 
>>> Wed Jun 1 15:42:34 EEST 2016 172.217.16.36 
>>> Wed Jun 1 15:42:34 EEST 2016 172.217.16.36 
>>> Wed Jun 1 15:42:34 EEST 2016 216.58.208.100 
>>> Wed Jun 1 15:42:34 EEST 2016 172.217.16.36 
>>> Wed Jun 1 15:42:34 EEST 2016 172.217.16.36 
>>> Wed Jun 1 15:42:35 EEST 2016 172.217.16.36 
>>> ... 
>>>
>>> So what I'm really trying to find out is if there's anything from my 
>>> side to influence the load balancer's decision.. 
>>
>>
>> Why would you want to influence the LB decision?
>> Is there any difference between the different IP addresses you have as
>> answers?
>>
>> You mentioned SSL errors in the browser, could you give more details?
>> I don’t think you should have to fix that on your side, but rather find
>> out what is happening.
> 
> Because when google resolves to 172.217.16.*, browsers report an HSTS
> violation and SEC_ERROR_UNKNOWN_ISSUER in Firefox or
> NET::ERR_CERT_AUTHORITY_INVALID in Chrome.
> 
> When google resolves to 216.58.208.* they work as intended (no error).
> 

We just found out that the router in front of our servers had a static
route for 172.0.0.0/255.0.0.0 to some other interface.

This has now been changed to 172.16.0.0/255.240.0.0 and routing to
google subnet has been restored, browsers work as expected etc.

Thanks for your help to pinpoint this :)
Sot.
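
Added example, not part of the original message: a small route-table audit that flags static routes which overlap an RFC 1918 block but also swallow public address space, and shows by longest-prefix match which route is picked for the addresses in the thread. The interface names (wan0, lan1) and both sample tables are constructed; the message only says "some other interface".

```python
import ipaddress

# RFC 1918 private blocks; a route meant for internal traffic should fit inside one.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample tables: (destination, netmask, interface). Interface names are assumptions.
ROUTES_BEFORE = [("0.0.0.0", "0.0.0.0", "wan0"), ("172.0.0.0", "255.0.0.0", "lan1")]
ROUTES_AFTER = [("0.0.0.0", "0.0.0.0", "wan0"), ("172.16.0.0", "255.240.0.0", "lan1")]

def parse(routes):
    """Turn (destination, netmask, interface) tuples into (network, interface)."""
    return [(ipaddress.ip_network(f"{d}/{m}"), i) for d, m, i in routes]

def overbroad_private_routes(routes):
    """Routes that overlap an RFC 1918 block but also cover public addresses."""
    findings = []
    for net, iface in parse(routes):
        if net.prefixlen == 0:      # default route is expected to cover everything
            continue
        for block in RFC1918:
            if net.overlaps(block) and not net.subnet_of(block):
                findings.append((str(net), iface, str(block)))
    return findings

def selected_route(routes, address):
    """Longest-prefix match: the route a router would pick for this address."""
    addr = ipaddress.ip_address(address)
    matches = [(net, iface) for net, iface in parse(routes) if addr in net]
    if not matches:
        return None
    net, iface = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), iface

if __name__ == "__main__":
    for name, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(name, "findings:", overbroad_private_routes(table))
        for ip in ("172.217.16.36", "216.58.208.100"):
            print(" ", ip, "->", selected_route(table, ip))
```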


More information about the bind-users mailing list