
[public-dns-discuss] Re: Incorrect DNS Resolution for krk.kargo.com with 8.8.8.8



One quick clarification based on an offline concern of Alex's - we use multiple levels of blocking (DNS/CDN/service) to prevent traffic from the EU.

On Thursday, January 17, 2019 at 4:52:15 PM UTC-5, Jeremy Sadwith wrote:
Following up here with our solution in case anyone is experiencing the same issue.

Dyn thinks that this is due to: "Google Public DNS does some really weird routing, sometimes shipping requests from one POP to another for responses. If they are shipping a US-based request to a EU POP, this could explain this behavior." Since we're blocking traffic in the EU, this could cause the weird resolution we're seeing in the US.

The solution for now is to use ECS: https://help.dyn.com/edns-client-subnet-faq-info/
Per Dyn, "Google will receive a DNS query, append the originating /24 prefix in the edns-client-subnet (ECS) data, and send that information to our nameservers. If we see that ECS information in the query, we will take advantage of it in our traffic director response."

Hope this helps someone else someday.

Jeremy

On Tuesday, January 15, 2019 at 5:50:06 PM UTC-5, Jeremy Sadwith wrote:
Hey guys,

When using Google's DNS Server (8.8.8.8), we periodically see DNS resolution issues, but none of the other DNS servers have the same issue. You can reproduce by running `dig @8.8.8.8 krk.kargo.com` a bunch of times in a row in comparison to `dig @1.1.1.1 krk.kargo.com`.

1.1.1.1 always returns the following answer section...
;; ANSWER SECTION:
krk.kargo.com. 227 IN CNAME kraken.production.us-east-1.kops.kargo.com.
kraken.production.us-east-1.kops.kargo.com. 8 IN A 52.72.14.87
kraken.production.us-east-1.kops.kargo.com. 8 IN A 52.204.49.101
kraken.production.us-east-1.kops.kargo.com. 8 IN A 204.236.242.253


Whereas 8.8.8.8 sometimes returns an authority section instead...
;; AUTHORITY SECTION:
krk.kargo.com. 1080 IN SOA ns1.p24.dynect.net. email.kargo.com. 2019011111 3600 600 604800 1800


There is one error, but we don't think it applies. Is that an incorrect assumption? 
kargo.com/DNSKEY: The response had an invalid RCODE (SERVFAIL). (204.13.250.24, 204.13.251.24, 208.78.70.24, 208.78.71.24, 2001:500:90:1::24, 2001:500:94:1::24, UDP_0_EDNS0_32768_512, UDP_0_NOEDNS)



We talked to our DNS provider and were told that this is an issue within Google's DNS server. Any clue how to best handle this?

Thanks,
Jeremy
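
The ECS behavior Dyn describes in the thread above, as an added example that is not part of the original messages and is not Google's or Dyn's code: it encodes the EDNS Client Subnet option (RFC 7871, option code 8) the way a resolver would and decodes it the way a geo-aware authoritative server would. The addresses are constructed documentation-range values, and `geo_lookup_key` is a hypothetical helper standing in for a traffic director's choice of which network to geolocate.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)

def build_ecs_option(client_ip, prefix_len=24):
    """Resolver side: encode only the client's network prefix, never the host bits."""
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    family = 1 if net.version == 4 else 2            # 1 = IPv4, 2 = IPv6
    addr = net.network_address.packed[:(prefix_len + 7) // 8]  # truncated address
    body = struct.pack("!HBB", family, prefix_len, 0) + addr   # scope is 0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body

def parse_ecs_option(option):
    """Authoritative side: decode and validate an ECS option, return the subnet."""
    if len(option) < 8:
        raise ValueError("ECS option too short")
    code, length = struct.unpack("!HH", option[:4])
    family, source_len, _scope = struct.unpack("!HBB", option[4:8])
    if code != ECS_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed ECS option")
    if family not in (1, 2):
        raise ValueError("unknown address family")
    full_len = 4 if family == 1 else 16
    addr = option[8:]
    if source_len > full_len * 8 or len(addr) != (source_len + 7) // 8:
        raise ValueError("address length does not match prefix length")
    ip = ipaddress.ip_address(addr + bytes(full_len - len(addr)))
    # Strict parsing rejects options with non-zero bits past the prefix.
    return ipaddress.ip_network(f"{ip}/{source_len}")

def geo_lookup_key(resolver_ip, ecs_option=None):
    """Hypothetical helper: network a geo-aware server bases its answer on."""
    if ecs_option is not None:
        return parse_ecs_option(ecs_option)           # the client's subnet
    return ipaddress.ip_network(resolver_ip)          # fall back to the resolver POP

if __name__ == "__main__":
    opt = build_ecs_option("203.0.113.77")            # constructed client address
    print(opt.hex(), geo_lookup_key("198.51.100.10", opt))
    print(geo_lookup_key("198.51.100.10"))            # constructed resolver address
```

Without the option, the only address available for a geo decision is the resolver's own egress address, which is how a US client routed through an EU POP can receive the EU-blocked answer.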
