Inconsistent results querying Public DNS for fly-test.net domain
319 views
Skip to first unread message
Lillian Berry
Feb 23, 2023, 12:25:58 PM2/23/23
to public-dn...@googlegroups.com, d...@fly.io, jer...@fly.io, o...@fly.io
Hello,
We (Fly.io) host DNS servers for the domain 'fly-test.net', and have
been seeing inconsistent responses from Google Public DNS for this
domain. Some regions are able to resolve the domain correctly; others
can sometimes resolve the domain and sometimes return NXDOMAIN; one
region in particular (nrt) always returns NXDOMAIN.
The same results appear when using the Public DNS debugging API (`curl
https://dns.google/resolve?name=fly-test.net&type=A`)
We have attempted to reproduce the issue using Cloudflare, Quad9 and
OpenDNS public nameservers, but those always return the correct
responses.
Our nameservers are hosted on an Anycast subnet. They do not support
DNSSEC. Zone transfers are handled internally, not via the DNS
protocol.
I have attached a text file with DNS response information, queried
from our servers hosted globally. If a source IP address is needed to
debug this, the Google Cloud VM hosted at 35.243.111.107 exhibits the
same behaviour. It's worth noting that the default resolver for that
Google Cloud VM (169.254.169.254) is able to resolve the domain
correctly.
Any help with this would be much appreciated.
Lillian
We (Fly.io) host DNS servers for the domain 'fly-test.net', and have
been seeing inconsistent responses from Google Public DNS for this
domain. Some regions are able to resolve the domain correctly; others
can sometimes resolve the domain and sometimes return NXDOMAIN; one
region in particular (nrt) always returns NXDOMAIN.
The same results appear when using the Public DNS debugging API (`curl
https://dns.google/resolve?name=fly-test.net&type=A`)
We have attempted to reproduce the issue using Cloudflare, Quad9 and
OpenDNS public nameservers, but those always return the correct
responses.
Our nameservers are hosted on an Anycast subnet. They do not support
DNSSEC. Zone transfers are handled internally, not via the DNS
protocol.
I have attached a text file with DNS response information, queried
from our servers hosted globally. If a source IP address is needed to
debug this, the Google Cloud VM hosted at 35.243.111.107 exhibits the
same behaviour. It's worth noting that the default resolver for that
Google Cloud VM (169.254.169.254) is able to resolve the domain
correctly.
Any help with this would be much appreciated.
Lillian
Viktor Dukhovni
Feb 24, 2023, 2:25:58 PM2/24/23
to public-dns-discuss
You might want to address the issues reported by DNSViz: https://dnsviz.net/d/fly-test.net/Y_gFqQ/dnssec/
Tianhao Chi
Feb 24, 2023, 2:31:48 PM2/24/23
to public-dns-discuss
We are enabling case randomization for cache poisoning protection in many locations by default. See https://developers.google.com/speed/public-dns/docs/security#randomize_case and https://groups.google.com/g/public-dns-announce/c/MLsrx8dI2n4. We have fallbacks for case mismatched responses. However, for fly-test.net queries with upper case letter, we are getting NXDOMAIN from you. Please fix this issue if you can. Meanwhile, we can add your authoritative servers to our exception list temporarily.
> dig fLy-Test.nEt
; <<>> DiG 9.10.6 <<>> fLy-Test.nEt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62658
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;fLy-Test.nEt. IN A
;; Query time: 41 msec
;; SERVER: 192.168.86.1#53(192.168.86.1)
;; WHEN: Fri Feb 24 14:29:48 EST 2023
;; MSG SIZE rcvd: 41
; <<>> DiG 9.10.6 <<>> fLy-Test.nEt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62658
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;fLy-Test.nEt. IN A
;; Query time: 41 msec
;; SERVER: 192.168.86.1#53(192.168.86.1)
;; WHEN: Fri Feb 24 14:29:48 EST 2023
;; MSG SIZE rcvd: 41
Lillian Berry
Mar 13, 2023, 3:46:17 PM3/13/23
to public-dns-discuss
Thanks for your reply. Apologies, I didn't see it earlier because it was not sent directly to my email address.
I believe we have fixed the issue - our nameservers now reply to queries case insensitively.
Would you be able to check again and remove us from your exception list if it is not needed anymore?
Tianhao Chi
Mar 16, 2023, 5:29:26 PM3/16/23
to public-dns-discuss
It looks like NXDOMAIN is still replied:
> dig Fly-tEst.net.
; <<>> DiG 9.18.8-1-Debian <<>> Fly-tEst.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46178
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;Fly-tEst.net. IN A
;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Mar 16 21:28:22 UTC 2023
;; MSG SIZE rcvd: 41
Alice Whim
Mar 17, 2023, 2:48:16 PM3/17/23
to Tianhao Chi, public-dns-discuss
Mark you need to ale sure the servers are accessible via dns servers
--
You received this message because you are subscribed to the Google Groups "public-dns-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public-dns-disc...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/public-dns-discuss/396b1bf7-3695-40e7-b712-e187100f087an%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages