Weird DNS behaviour

Thu Oct 25 09:55:43 UTC 2007

Edgars,

On Tue, 2007-10-23 at 17:47 +0300, Edgars Šmits wrote:
> This isn't specific to Feisty or Gutsy, the problem occurs with both
> (I was hoping it would go away with a clean install of Gutsy), and may
> not be Ubuntu specific, but since I only see it in Ubuntu I'm hoping
> someone on the list can point me in the right direction.
> 
> For some reason I can't resolve subsets of domains as well as some
> normal domains. For instance, I can resolve and get to www.amazon.com,
> www.amazon.co.uk, but all images at those sites are on
> g-ecx.images-amazon.com which I can't resolve, so I can't see any
> images on amazon.
This is a problem with amazon's DNS.  They have a mix of CNAME and other
data for g-ecx.images-amazon.com, which is prohibited.  I suspect that
the Windows resolver is accepting an invalid mix of answer data while
the Linux resolver is  choking on an invalid combination of records. A
query for an IP address (A record) returns a CNAME record, while a query
for TYPE=ANY returns an SOA record:

tim at marvin:~$ dig g-ecx.images-amazon.com any @ns-912.amazon.com.

; <<>> DiG 9.4.1-P1 <<>> g-ecx.images-amazon.com any @ns-912.amazon.com.
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44740
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;g-ecx.images-amazon.com.       IN      ANY

;; ANSWER SECTION:
g-ecx.images-amazon.com. 1      IN      SOA     ns-912.amazon.com.
dns.amazon.com. 1193226075 3600 900 7776000 1
g-ecx.images-amazon.com. 600    IN      NS      ns-912.amazon.com.

;; Query time: 252 msec
;; SERVER: 207.171.191.123#53(207.171.191.123)
;; WHEN: Thu Oct 25 22:43:10 2007
;; MSG SIZE  rcvd: 109

tim at marvin:~$ dig g-ecx.images-amazon.com a @ns-912.amazon.com.

; <<>> DiG 9.4.1-P1 <<>> g-ecx.images-amazon.com a @ns-912.amazon.com.
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24226
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;g-ecx.images-amazon.com.       IN      A

;; ANSWER SECTION:
g-ecx.images-amazon.com. 60     IN      CNAME
ant.mii.instacontent.net.

;; Query time: 265 msec
;; SERVER: 207.171.191.123#53(207.171.191.123)
;; WHEN: Thu Oct 25 22:43:18 2007
;; MSG SIZE  rcvd: 79

tim at marvin:~$ 

>  Other sites that I know are fine are also not
> resolving - www.vmware.com for instance. Investigating this further -
> I have VMWare running with a bridged network, when I open an XP image
> and run IE to amazon, vmware etc, all resolve fine, no issues what so
> ever. I also have an emergency XP dual-boot option, when booted into
> full XP there are no issues.

Vmware appears to have a chain of CNAME records: 
tim at marvin:~$ host www.vmware.com
www.vmware.com is an alias for www.vmware.com.edgekey.net.
www.vmware.com.edgekey.net is an alias for e508.g.akamaiedge.net.
e508.g.akamaiedge.net has address 122.252.42.52

Some software expects a CNAME to point directly to an A record, and
complains at the second CNAME record.  

I wonder if there is an issue with your upstream nameservers not coping
with bad DNS setup for these sites
> 
> I'm running DHCP, and other machines with Ubuntu that have been
> connected to the same DHCP server have no problems. The problem seems
> to be almost transient in nature, a few nights ago I couldn't resolve
> www.cbc.ca, today I can, although vmware etc are still not resolving.
> 
> Any ideas where I should start looking? I have managed to work around
> the problem using the XP image, but would prefer to figure out what is
> causing it and fix it.
> 
> Totally stymied
> 
> ED
> 

Tim