<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 14pt; color: #000000"><div>I don't know what you mean by "the wrong logical answer". <br></div><div><br data-mce-bogus="1"></div><div>I get a different set of changing IPs when querying ns3.google.com than you, so the set you're getting likely is dependent on your IP/location.<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>74.125.141.99<br>74.125.141.106<br>74.125.141.103<br>74.125.141.105<br>74.125.141.147<br>74.125.141.104<br><br>74.125.141.99<br>74.125.141.103<br>74.125.141.147<br>74.125.141.105<br>74.125.141.104<br>74.125.141.106<br></div><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><b>From: </b>"Sotiris Tsimbonis" <stsimb@forthnet.gr><br><b>To: </b>"Kevin Kretz" <kevin@rentec.com><br><b>Cc: </b>bind-users@isc.org<br><b>Sent: </b>Wednesday, June 1, 2016 8:47:13 AM<br><b>Subject: </b>Re: different answers from google's authoritative servers<br></div><div><br></div><div data-marker="__QUOTED_TEXT__">On 1/6/16 15:30, Kevin Kretz wrote:<br>> There's also no reason to assume that the different responses have<br>> anything to do with the client network. They could, of course (with<br>> views), but that you get different responses from the same/similar IP<br>> is, again, not anything wrong.<br>> <br><br>True, so below is probably the visualisation of load balancing ... which<br>most of the times gives me "the wrong logical answer".<br><br>[root@syz3ns03 ~]# while true ; do sleep 0.1 ; echo "$(date) $(dig<br>+short A www.google.com. @ns3.google.com.)" ; done<br>...<br>Wed Jun 1 15:42:31 EEST 2016 172.217.16.36<br>Wed Jun 1 15:42:32 EEST 2016 172.217.16.36<br>Wed Jun 1 15:42:32 EEST 2016 172.217.16.36<br>Wed Jun 1 15:42:32 EEST 2016 216.58.208.100<br>Wed Jun 1 15:42:32 EEST 2016 172.217.16.36<br>Wed Jun 1 15:42:32 EEST 2016 172.217.16.36<br>Wed Jun 1 15:42:32 EEST 2016 172.217.16.36<br>Wed Jun 1 15:42:33 EEST 2016 172.217.16.36<br>Wed Jun 1 15:42:33 EEST 2016 216.58.208.100<br>Wed Jun 1 15:42:33 EEST 2016 172.217.16.36<br>Wed Jun 1 15:42:33 EEST 2016 172.217.16.36<br>Wed Jun 1 15:42:33 EEST 2016 172.217.16.36<br>Wed Jun 1 15:42:33 EEST 2016 172.217.16.36<br>Wed Jun 1 15:42:34 EEST 2016 172.217.16.36<br>Wed Jun 1 15:42:34 EEST 2016 172.217.16.36<br>Wed Jun 1 15:42:34 EEST 2016 172.217.16.36<br>Wed Jun 1 15:42:34 EEST 2016 216.58.208.100<br>Wed Jun 1 15:42:34 EEST 2016 172.217.16.36<br>Wed Jun 1 15:42:34 EEST 2016 172.217.16.36<br>Wed Jun 1 15:42:35 EEST 2016 172.217.16.36<br>...<br><br>So what I'm really trying to find out is if there's anything from my<br>side to influence the load balancer's decision..<br><br>Sot.<br><br>> ------------------------------------------------------------------------<br>> *From: *"Sotiris Tsimbonis" <stsimb@forthnet.gr><br>> *To: *"Kevin Kretz" <kevin@rentec.com><br>> *Cc: *bind-users@isc.org<br>> *Sent: *Wednesday, June 1, 2016 8:20:54 AM<br>> *Subject: *Re: different answers from google's authoritative servers<br>> <br>> On 1/6/16 15:08, Kevin Kretz wrote:<br>>> Whether the responses to the query work properly in the browsers is a<br>>> different issue. There's nothing inherently wrong with multiple and<br>>> different responses to queries in different subnets or regions.<br>>><br>> <br>> True. But I'm trying to figure out why do the answers differ so much,<br>> when from my side everything is on the same subnet, announced as<br>> 84.205.252.0/23 on our BGP. I would expect all of them to end up on the<br>> same google anycast cluster and receive the same answer (or nearly the<br>> same).<br>> <br>> Sot.<br>> <br>>> ------------------------------------------------------------------------<br>>> *From: *"Sotiris Tsimbonis" <stsimb@forthnet.gr><br>>> *To: *"Kevin Kretz" <kevin@rentec.com><br>>> *Cc: *bind-users@isc.org<br>>> *Sent: *Wednesday, June 1, 2016 7:46:38 AM<br>>> *Subject: *Re: different answers from google's authoritative servers<br>>><br>>> On 1/6/16 14:41, Kevin Kretz wrote:<br>>>> Sotiris,<br>>>><br>>>> There could be multiple A records for load balancing.<br>>>><br>>><br>>> Of course, but answers of the first and second servers are on the same<br>>> subnet, and more importantly, work on the users' browsers.<br>>><br>>> The third set of answers is on a completely different subnet and<br>>> produces ssl errors in the browsers.. Like if it's a cluster for another<br>>> service, region or whatever..<br>>><br>>> Sot.<br>>><br>>>> ------------------------------------------------------------------------<br>>>> *From: *"Sotiris Tsimbonis" <stsimb@forthnet.gr><br>>>> *To: *bind-users@isc.org<br>>>> *Sent: *Wednesday, June 1, 2016 7:34:00 AM<br>>>> *Subject: *different answers from google's authoritative servers<br>>>><br>>>> Hi all,<br>>>><br>>>> We have 3 recursive resolvers on the same subnet, and one of them is<br>>>> getting different answers for the same things from google's<br>>>> authoritative dns servers.<br>>>><br>>>> [root@syz3ns01 ~]# RESOLVERS="ns1.google.com. ns2.google.com.<br>>>> ns3.google.com. ns4.google.com."<br>>>> [root@syz3ns01 ~]# SITES="www.google.com. www.google.gr."<br>>>> [root@syz3ns01 ~]# for resolver in ${RESOLVERS} ; do for site in<br>>>> ${SITES}; do echo "${resolver} ${site} $(dig +short A ${site}<br>>>> @${resolver})" ; done ; done<br>>>> ns1.google.com. www.google.com. 216.58.211.4<br>>>> ns1.google.com. www.google.gr. 216.58.211.3<br>>>> ns2.google.com. www.google.com. 216.58.211.4<br>>>> ns2.google.com. www.google.gr. 216.58.211.3<br>>>> ns3.google.com. www.google.com. 216.58.211.4<br>>>> ns3.google.com. www.google.gr. 216.58.211.3<br>>>> ns4.google.com. www.google.com. 216.58.211.4<br>>>> ns4.google.com. www.google.gr. 216.58.211.3<br>>>><br>>>> [root@syz3ns02 ~]# RESOLVERS="ns1.google.com. ns2.google.com.<br>>>> ns3.google.com. ns4.google.com."<br>>>> [root@syz3ns02 ~]# SITES="www.google.com. www.google.gr."<br>>>> [root@syz3ns02 ~]# for resolver in ${RESOLVERS} ; do for site in<br>>>> ${SITES}; do echo "${resolver} ${site} $(dig +short A ${site}<br>>>> @${resolver})" ; done ; done<br>>>> ns1.google.com. www.google.com. 216.58.211.36<br>>>> ns1.google.com. www.google.gr. 216.58.211.35<br>>>> ns2.google.com. www.google.com. 216.58.211.36<br>>>> ns2.google.com. www.google.gr. 216.58.211.35<br>>>> ns3.google.com. www.google.com. 216.58.211.36<br>>>> ns3.google.com. www.google.gr. 216.58.211.35<br>>>> ns4.google.com. www.google.com. 216.58.211.36<br>>>> ns4.google.com. www.google.gr. 216.58.211.35<br>>>><br>>>> [root@syz3ns03 ~]# RESOLVERS="ns1.google.com. ns2.google.com.<br>>>> ns3.google.com. ns4.google.com."<br>>>> [root@syz3ns03 ~]# SITES="www.google.com. www.google.gr."<br>>>> [root@syz3ns03 ~]# for resolver in ${RESOLVERS} ; do for site in<br>>>> ${SITES}; do echo "${resolver} ${site} $(dig +short A ${site}<br>>>> @${resolver})" ; done ; done<br>>>> ns1.google.com. www.google.com. 172.217.16.36<br>>>> ns1.google.com. www.google.gr. 172.217.16.35<br>>>> ns2.google.com. www.google.com. 172.217.16.36<br>>>> ns2.google.com. www.google.gr. 172.217.16.35<br>>>> ns3.google.com. www.google.com. 172.217.16.36<br>>>> ns3.google.com. www.google.gr. 172.217.16.35<br>>>> ns4.google.com. www.google.com. 172.217.16.36<br>>>> ns4.google.com. www.google.gr. 172.217.16.35<br>>>><br>>>> The IP addresses of our servers are 84.205.252.16, 84.205.252.18 and<br>>>> 84.205.252.20 respectively.<br>>>><br>>>> The problem with the third answer set is on the users' browsers, it<br>>>> produces an ssl certificate error and users cannot access google.<br>>>><br>>>> traceroute to google's dns servers are different on the penultimate hop<br>>>> (hop 12)<br>>>><br>>>> [root@syz3ns01 ~]# traceroute ns3.google.com.<br>>>> traceroute to ns3.google.com (216.239.36.10), 30 hops max, 38 byte<br>> packets<br>>>> 1 syz3fw01-dmz.servers.n3.syzefxis.gov.gr (10.95.1.1) 0.405 ms 0.262<br>>>> ms 0.217 ms<br>>>> 2 84.205.252.6 (84.205.252.6) 0.718 ms 0.504 ms 0.511 ms<br>>>> 3 193.92.42.169 (193.92.42.169) 0.937 ms 1.024 ms 0.482 ms<br>>>> 4 194.219.208.29 (194.219.208.29) 1.017 ms 1.004 ms 0.946 ms<br>>>> MPLS Label=757472 CoS=5 TTL=1 S=0<br>>>> 5 xe-0-3-1.core-lsf-08.forthnet.gr (213.16.247.193) 0.950 ms 1.063<br>>>> ms 0.982 ms<br>>>> 6 74.125.48.74 (74.125.48.74) 8.373 ms 8.374 ms 8.341 ms<br>>>> 7 72.14.237.27 (72.14.237.27) 8.352 ms 72.14.237.189 (72.14.237.189)<br>>>> 12.085 ms 72.14.237.27 (72.14.237.27) 8.979 ms<br>>>> 8 209.85.253.114 (209.85.253.114) 26.920 ms 26.114 ms 25.789 ms<br>>>> MPLS Label=772454 CoS=5 TTL=1 S=0<br>>>> 9 216.239.58.8 (216.239.58.8) 50.816 ms 209.85.241.233<br>>>> (209.85.241.233) 42.159 ms 43.461 ms<br>>>> MPLS Label=756878 CoS=5 TTL=1 S=0<br>>>> 10 209.85.251.178 (209.85.251.178) 45.549 ms 44.474 ms 45.682 ms<br>>>> MPLS Label=720256 CoS=5 TTL=1 S=0<br>>>> 11 74.125.37.103 (74.125.37.103) 39.998 ms 216.239.49.244<br>>>> (216.239.49.244) 48.116 ms 74.125.37.150 (74.125.37.150) 42.865 ms<br>>>> MPLS Label=25186 CoS=5 TTL=1 S=0<br>>>> 12 209.85.251.231 (209.85.251.231) 39.575 ms 72.14.238.43<br>>>> (72.14.238.43) 43.933 ms 209.85.242.165 (209.85.242.165) 46.748 ms<br>>>> 13 * *Icmp checksum is wrong<br>>>> *<br>>>> 14 ns3.google.com (216.239.36.10) 41.453 ms 39.987 ms 47.545 ms<br>>>> [root@syz3ns01 ~]#<br>>>><br>>>> [root@syz3ns02 ~]# traceroute ns3.google.com.<br>>>> traceroute to ns3.google.com (216.239.36.10), 30 hops max, 38 byte<br>> packets<br>>>> 1 syz3fw01-dmz.servers.n3.syzefxis.gov.gr (10.95.1.1) 0.232 ms 0.283<br>>>> ms 0.209 ms<br>>>> 2 84.205.252.6 (84.205.252.6) 0.688 ms 0.535 ms 0.455 ms<br>>>> 3 193.92.42.169 (193.92.42.169) 1.715 ms 0.835 ms 0.726 ms<br>>>> 4 194.219.208.29 (194.219.208.29) 1.248 ms 0.876 ms 0.773 ms<br>>>> MPLS Label=757472 CoS=5 TTL=1 S=0<br>>>> 5 xe-0-3-1.core-lsf-08.forthnet.gr (213.16.247.193) 0.755 ms 1.047<br>>>> ms 0.944 ms<br>>>> 6 74.125.48.74 (74.125.48.74) 8.331 ms 8.546 ms 8.328 ms<br>>>> 7 72.14.237.189 (72.14.237.189) 12.286 ms 72.14.237.27 (72.14.237.27)<br>>>> 5.935 ms 72.14.237.189 (72.14.237.189) 13.211 ms<br>>>> 8 209.85.253.114 (209.85.253.114) 22.488 ms 209.85.240.160<br>>>> (209.85.240.160) 25.713 ms 26.401 ms<br>>>> MPLS Label=554255 CoS=5 TTL=1 S=0<br>>>> 9 216.239.57.244 (216.239.57.244) 41.070 ms 209.85.241.233<br>>>> (209.85.241.233) 34.822 ms 209.85.242.79 (209.85.242.79) 38.180 ms<br>>>> MPLS Label=27780 CoS=5 TTL=1 S=0<br>>>> 10 209.85.251.178 (209.85.251.178) 36.262 ms 66.249.95.39<br>>>> (66.249.95.39) 44.744 ms 209.85.143.25 (209.85.143.25) 43.497 ms<br>>>> MPLS Label=25688 CoS=5 TTL=1 S=0<br>>>> 11 216.239.49.240 (216.239.49.240) 42.459 ms 216.239.49.244<br>>>> (216.239.49.244) 42.738 ms 39.587 ms<br>>>> MPLS Label=731306 CoS=5 TTL=1 S=0<br>>>> 12 72.14.238.215 (72.14.238.215) 46.858 ms 216.239.51.147<br>>>> (216.239.51.147) 48.715 ms 209.85.246.164 (209.85.246.164) 86.761 ms<br>>>> Icmp checksum is wrong<br>>>> 13 * * *<br>>>> 14 ns3.google.com (216.239.36.10) 48.178 ms 48.106 ms 48.157 ms<br>>>> [root@syz3ns02 ~]#<br>>>><br>>>> [root@syz3ns03 ~]# traceroute ns3.google.com.<br>>>> traceroute to ns3.google.com (216.239.36.10), 30 hops max, 38 byte<br>> packets<br>>>> 1 syz3fw01-dmz.servers.n3.syzefxis.gov.gr (10.95.1.1) 0.297 ms 0.393<br>>>> ms 0.447 ms<br>>>> 2 84.205.252.6 (84.205.252.6) 0.454 ms 0.574 ms 0.751 ms<br>>>> 3 193.92.42.169 (193.92.42.169) 0.938 ms 0.823 ms 0.733 ms<br>>>> 4 194.219.208.29 (194.219.208.29) 1.260 ms 0.766 ms 1.267 ms<br>>>> MPLS Label=757472 CoS=5 TTL=1 S=0<br>>>> 5 xe-0-3-1.core-lsf-08.forthnet.gr (213.16.247.193) 15.388 ms 1.248<br>>>> ms 1.446 ms<br>>>> 6 74.125.48.74 (74.125.48.74) 5.410 ms 5.378 ms 5.435 ms<br>>>> 7 72.14.237.27 (72.14.237.27) 12.224 ms 12.309 ms 72.14.237.189<br>>>> (72.14.237.189) 5.354 ms<br>>>> 8 209.85.240.160 (209.85.240.160) 22.422 ms 35.365 ms 22.601 ms<br>>>> MPLS Label=536927 CoS=5 TTL=1 S=0<br>>>> 9 216.239.57.244 (216.239.57.244) 43.196 ms 209.85.242.79<br>>>> (209.85.242.79) 40.263 ms 216.239.57.244 (216.239.57.244) 43.387 ms<br>>>> MPLS Label=27555 CoS=5 TTL=1 S=0<br>>>> 10 209.85.251.178 (209.85.251.178) 41.581 ms 209.85.143.25<br>>>> (209.85.143.25) 36.869 ms 66.249.95.39 (66.249.95.39) 44.804 ms<br>>>> MPLS Label=24801 CoS=5 TTL=1 S=0<br>>>> 11 216.239.49.244 (216.239.49.244) 44.189 ms 74.125.37.154<br>>>> (74.125.37.154) 47.331 ms 216.239.49.244 (216.239.49.244) 48.582 ms<br>>>> MPLS Label=549098 CoS=5 TTL=1 S=0<br>>>> 12 209.85.246.135 (209.85.246.135) 47.964 ms 209.85.251.231<br>>>> (209.85.251.231) 42.683 ms 72.14.238.215 (72.14.238.215) 43.525 ms<br>>>> 13 * * *<br>>>> 14 ns3.google.com (216.239.36.10) 49.559 ms 48.009 ms 48.148 ms<br>>>> [root@syz3ns03 ~]#<br>>>><br>>>> Any ideas please?<br>>>> Sot.<br>>>> _______________________________________________<br>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to<br>>>> unsubscribe from this list<br>>>><br>>>> bind-users mailing list<br>>>> bind-users@lists.isc.org<br>>>> https://lists.isc.org/mailman/listinfo/bind-users<br></div></div></body></html>