www.eielson.af.mil


Brian Webster

Jan 21, 2010, 2:04:12 PM
to public-dns-discuss
Not resolving with google DNS. Works with other DNS servers.

$nslookup www.eielson.af.mil
Server: 209.165.131.12
Address: 209.165.131.12#53

Non-authoritative answer:
www.eielson.af.mil canonical name = www.eielson.af.mil.edgesuite.net.
www.eielson.af.mil.edgesuite.net canonical name = a1528.g.akamai.net.
Name: a1528.g.akamai.net
Address: 96.17.8.40
Name: a1528.g.akamai.net
Address: 96.17.8.11

$nslookup www.eielson.af.mil - 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

** server can't find www.eielson.af.mil: NXDOMAIN

Paul S. R. Chisholm

Jan 21, 2010, 3:02:05 PM
to public-dn...@googlegroups.com
Thanks for the report, Brian.

Short answer: The nameservers that provide complete or partial answers
for this hostname are returning inconsistent results. I see the same
results from some other open resolvers.

Long answer:

There are six .mil nameservers:

con1.nipr.mil
con2.nipr.mil
eur1.nipr.mil
eur2.nipr.mil
pac1.nipr.mil
pac2.nipr.mil

The first two are returning the same answer you mentioned (including
the CNAME and addresses of names they have no authority for, so
they're probably recursing, inappropriately):

; <<>> DiG 9.4.3-P3 <<>> @con1.nipr.mil www.eielson.af.mil
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52101
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.eielson.af.mil. IN A

;; ANSWER SECTION:
www.eielson.af.mil. 20586 IN CNAME www.eielson.af.mil.edgesuite.net.
www.eielson.af.mil.edgesuite.net. 5586 IN CNAME a1528.g.akamai.net.
a1528.g.akamai.net. 20 IN A 64.208.249.43
a1528.g.akamai.net. 20 IN A 64.208.249.1

;; Query time: 142 msec
;; SERVER: 199.252.157.234#53(199.252.157.234)
;; WHEN: Thu Jan 21 14:24:48 2010
;; MSG SIZE rcvd: 143

The others delegate to five nameservers for the af.mil. zone:

NS.USAFE.af.mil. 86400 IN A 132.25.88.211
NS3.ACC.af.mil. 86400 IN A 131.7.52.10
ARES.AFNOC.af.mil. 86400 IN A 131.63.50.2
MARS.AFNOC.af.mil. 86400 IN A 131.63.50.1
MUHJ-NS-001.ACC.af.mil. 86400 IN A 132.54.1.17

Of those five, one is returning a CNAME:

; <<>> DiG 9.4.3-P3 <<>> @131.63.50.2 www.eielson.af.mil
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24187
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.eielson.af.mil. IN A

;; ANSWER SECTION:
www.eielson.af.mil. 36600 IN CNAME www.eielson.af.mil.edgesuite.net.

and the other four are delegating to other nameservers for the
eielson.af.mil. zone:

icebox.eielson.af.mil. 86400 IN A 131.39.248.6
paf-dns1.pacaf.af.mil. 86400 IN A 131.49.50.24
paf-dns2.pacaf.af.mil. 86400 IN A 131.49.50.25

Of those (in order), one definitively says the name doesn't exist:

; <<>> DiG 9.4.3-P3 <<>> @131.39.248.6 www.eielson.af.mil.
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29176
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.eielson.af.mil. IN A

;; AUTHORITY SECTION:
eielson.af.mil. 36600 IN SOA icebox.eielson.af.mil.
354cs.scbbp.eielson.af.mil. 2009082648 3600 900 604800 36600

one sends REFUSED, and one never responds. That NXDOMAIN is cacheable
for over ten hours.

I'm glad your ISP (GCI) happened to get one of the CNAME responses, so
you could visit the site. Once your ISP's cached value expires, what
you'll get is based on the luck of the draw. (Unless the nameservers
are fixed by then.)

Hope this informs. --PSRC
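
Added example, not part of the original posts: a Python sketch of the comparison walked through in the reply above. It parses the header flags of each dig response, flags servers that answer non-authoritatively with recursion available, reports disagreement among authoritative answers, and works out how long the NXDOMAIN may be cached (RFC 2308: the smaller of the SOA record's TTL and its MINIMUM field). The function names `parse` and `audit` are assumptions of this example; the sample responses are abbreviated from the output quoted in the post.

```python
import re

# Responses abbreviated from the dig output quoted in the post above; the
# wrapped SOA record is rejoined onto one line, as dig prints it.
RESPONSES = {
    "con1.nipr.mil": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52101
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
www.eielson.af.mil. 20586 IN CNAME www.eielson.af.mil.edgesuite.net.
""",
    "131.63.50.2": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24187
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
;; ANSWER SECTION:
www.eielson.af.mil. 36600 IN CNAME www.eielson.af.mil.edgesuite.net.
""",
    "131.39.248.6": """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29176
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
eielson.af.mil. 36600 IN SOA icebox.eielson.af.mil. 354cs.scbbp.eielson.af.mil. 2009082648 3600 900 604800 36600
""",
}

def parse(text):
    """Pull status, header flags and (if present) the SOA negative TTL."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = set(re.search(r"flags: ([a-z ]+);", text).group(1).split())
    neg_ttl = None
    soa = re.search(r"^\S+\s+(\d+)\s+IN\s+SOA\s+\S+\s+\S+\s+\d+\s+\d+\s+\d+\s+\d+\s+(\d+)", text, re.M)
    if soa:  # RFC 2308: cache a negative answer for min(SOA TTL, SOA MINIMUM)
        neg_ttl = min(int(soa.group(1)), int(soa.group(2)))
    return {"status": status, "aa": "aa" in flags, "ra": "ra" in flags, "neg_ttl": neg_ttl}

def audit(responses):
    """Flag recursing servers and disagreement among authoritative answers."""
    parsed = {srv: parse(txt) for srv, txt in responses.items()}
    findings = []
    for srv, r in parsed.items():
        if r["ra"] and not r["aa"]:
            findings.append(f"{srv}: non-authoritative answer with recursion available")
        if r["status"] == "NXDOMAIN" and r["neg_ttl"] is not None:
            findings.append(f"{srv}: NXDOMAIN cacheable for {r['neg_ttl']} s")
    auth = {r["status"] for r in parsed.values() if r["aa"]}
    if len(auth) > 1:
        findings.append("authoritative servers disagree: " + ", ".join(sorted(auth)))
    return parsed, findings

print("\n".join(audit(RESPONSES)[1]))
```

The 36600-second result is the "over ten hours" mentioned in the reply (10 h 10 min).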

Brian Webster

Jan 21, 2010, 4:19:33 PM
to public-dns-discuss
Thanks. That does help.


-brian

