www.cnn.com

Jeroen Massar jeroen at unfix.org
Thu Apr 26 10:56:16 UTC 2007


Stefan Schmidt wrote:
> On Thu, Apr 26, 2007 at 10:06:32AM +0100, Randy Bush wrote:
>> roam.psg.com:/usr/home/randy> doc -p -w www.cnn.com.
>> Doc-2.2.3: doc -p -w www.cnn.com.
>> Doc-2.2.3: Starting test of www.cnn.com.   parent is cnn.com.
>> Doc-2.2.3: Test date - Thu Apr 26 09:04:52 GMT 2007
>> DIGERR (NOT_AUTHORIZED): dig @dmtns01.turner.com. for SOA of www.cnn.com. failed
>> DIGERR (NOT_AUTHORIZED): dig @dmtns02.turner.com. for SOA of www.cnn.com. failed
> 
> I think your debugging tool is faulty, as a dig ns cnn.com
[..]

> All of the above answer to me and have the same serial for cnn.com.

Randy is looking at www.cnn.com (note the www portion) and if you would
do a 'dig +trace www.cnn.com' you would see:

www.cnn.com.            3600    IN      NS      dmtns01.turner.com.
www.cnn.com.            3600    IN      NS      dmtns02.turner.com.
;; Received 112 bytes from 207.200.73.85#53(twdns-03.ns.aol.com) in 176 ms

www.cnn.com.            600     IN      A       64.236.16.20
[..9 ip's..]
;; Received 157 bytes from 64.236.22.150#53(dmtns02.turner.com) in 100 ms

And dmtns0{1|2}.turner.com. don't have a SOA for www.cnn.com although
they are authoritative. They only respond to queries for "A". Fortunately
they do respond for "AAAA" queries, 0 records result, but it doesn't
break. They do simply drop queries asking for SOA, MX, TXT and prolly others.

Aka just another peeped up "DNS loadbalancer" for which the implementers
didn't read the RFCs or where the configurators decided that they can
ignore other stuff for "anti-ddos" or other reasons.

Greets,
 Jeroen
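
Added example, not part of the original post: a small Python probe that asks one authoritative server for several record types and labels each result as an answer, an empty NOERROR reply, an error rcode, or a silent drop, which is the per-type behaviour the message describes. The function names, the result labels and the 3-second timeout are assumptions made for this sketch.

```python
import socket
import struct
import sys

QTYPES = {"A": 1, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28}
RCODES = {1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qtype, qid=0x1234):
    """Wire-format query with RD clear (we ask the authoritative server)."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)

def classify(reply, qid=0x1234):
    """Label one reply; None means nothing arrived before the timeout."""
    if reply is None:
        return "DROPPED"
    if len(reply) < 12:
        return "MALFORMED"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != qid or not flags & 0x8000:   # wrong ID or QR bit not set
        return "MALFORMED"
    rcode = flags & 0x000F
    if rcode:
        return RCODES.get(rcode, "RCODE%d" % rcode)
    # NOERROR: records present, or the empty answer the post saw for AAAA
    return "ANSWER" if ancount else "NODATA"

def probe(server, name, qtype, timeout=3.0):
    """Send one UDP query to server:53 and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify(reply)

def survey(server, name, probe_fn=probe):
    """Map each query type to the behaviour observed for it."""
    return {qt: probe_fn(server, name, qt) for qt in QTYPES}

if __name__ == "__main__" and len(sys.argv) == 3:
    # usage: script.py <server-ip> <name>
    for qt, result in survey(sys.argv[1], sys.argv[2]).items():
        print("%-5s %s" % (qt, result))
```

A server that returns ANSWER for A but DROPPED for SOA, MX and TXT matches the pattern reported in this thread; monitoring that only checks A records will not notice it.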

