Incorrect resolution for my domain


#1

Hi All,
1.1.1.1 is not resolving my domain properly. I know of two specific URLs:
legacy.glb.growfinancial.org
and
hb3.glb.growfinancial.org

It resolves properly on every other resolver I’ve tried, except for CloudFlare.

I found this last week; I incremented the serial number on my zone and tested it again, and hb3 updated properly, however legacy is still incorrect. There seem to still be some lingering issues with the hb3 URL, because I have a few members reporting an SSL cert error.
The IP that’s being returned happens to be my www IP address; it’s also a * record in my glb DNS zone. This zone sits behind my load-balancer and is used for global load balancing between my datacenters. I’ve had monitors running on the load-balancer and it’s never returned any record other than the one it’s supposed to.

Any thoughts on how to fix this once and for all?

Here are the requested troubleshooting outputs:
C:\WINDOWS\system32>nslookup legacy.glb.growfinancial.org 1.1.1.1
Server: 1dot1dot1dot1.cloudflare-dns.com
Address: 1.1.1.1

Non-authoritative answer:
Name:    legacy.glb.growfinancial.org
Address:  198.49.46.55


C:\WINDOWS\system32>nslookup legacy.glb.growfinancial.org  1.0.0.1
Server:  1dot1dot1dot1.cloudflare-dns.com
Address:  1.0.0.1

Non-authoritative answer:
Name:    legacy.glb.growfinancial.org
Address:  198.49.46.55


C:\WINDOWS\system32>nslookup legacy.glb.growfinancial.org  8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    legacy.glb.growfinancial.org
Address:  198.49.46.52


C:\WINDOWS\system32>nslookup -class=chaos -type=txt id.server 1.1.1.1
Server:  1dot1dot1dot1.cloudflare-dns.com
Address:  1.1.1.1

Non-authoritative answer:
id.server       text =

        "mia01"

C:\WINDOWS\system32>nslookup -class=chaos -type=txt id.server 1.0.0.1
Server:  1dot1dot1dot1.cloudflare-dns.com
Address:  1.0.0.1

Non-authoritative answer:
id.server       text =

        "mia01"

C:\WINDOWS\system32>nslookup hb3.glb.growfinancial.org  1.1.1.1
Server:  1dot1dot1dot1.cloudflare-dns.com
Address:  1.1.1.1

Non-authoritative answer:
Name:    hb3.glb.growfinancial.org
Address:  198.49.46.49


C:\WINDOWS\system32>nslookup hb3.glb.growfinancial.org  1.0.0.1
Server:  1dot1dot1dot1.cloudflare-dns.com
Address:  1.0.0.1

Non-authoritative answer:
Name:    hb3.glb.growfinancial.org
Address:  198.49.46.49


C:\WINDOWS\system32>nslookup hb3.glb.growfinancial.org  8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    hb3.glb.growfinancial.org
Address:  198.49.46.49


C:\WINDOWS\system32>

#2

It appears your DNS server doesn’t support 0x20-bit encoding (https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00), so when querying for

dig legacY.glb.growfinancial.org @glbdns1.growfinancial.org
dig legacy.glb.growfinancial.org @glbdns1.growfinancial.org

You’ll see you get two different answers.

I’ve put in a request to our resolver team to see if we can make a change specific to this domain, but ideally your DNS server should support this as other resolvers use this behavior as well.
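As an added illustration (not code from the thread, from Cloudflare, or from the load-balancer vendor), the script below models the behaviour described in #2: an authoritative server that compares owner names case-sensitively answers a 0x20 mixed-case query from the `*` wildcard record, while a server that compares names case-insensitively, as RFC 1035 requires, gives the same answer for every casing. The zone contents are constructed from the addresses in the nslookup output above; the lookup logic is a simplification, not the real server's code.

```python
import random

# Constructed zone modelled on the thread's glb zone (addresses taken from the
# nslookup output above): two explicit names plus the '*' wildcard.
ZONE = {
    "legacy.glb.growfinancial.org.": "198.49.46.52",
    "hb3.glb.growfinancial.org.": "198.49.46.49",
    "*.glb.growfinancial.org.": "198.49.46.55",  # the www / wildcard address
}

def randomize_case(qname: str, rng: random.Random) -> str:
    """0x20 encoding: a resolver flips the case of each letter at random so a
    forged reply that does not echo the exact casing can be rejected."""
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in qname)

def lookup(zone: dict, qname: str, case_insensitive: bool):
    """Authoritative lookup: exact owner name first, then the '*' wildcard of the
    parent. RFC 1035 requires case-insensitive owner-name comparison; with
    case_insensitive=False this models the load-balancer DNS from the thread."""
    key = qname.lower() if case_insensitive else qname
    if key in zone:
        return zone[key]
    parent = key.split(".", 1)[1]
    return zone.get("*." + parent)  # None when even the wildcard fails to match

def answers_consistent(zone, name, case_insensitive, trials=20, seed=1):
    """Probe like a 0x20-aware resolver: does every randomized-case variant of
    `name` get the same answer as the plain lowercase query?"""
    rng = random.Random(seed)  # seeded so the run is reproducible
    expected = lookup(zone, name.lower(), case_insensitive)
    return all(lookup(zone, randomize_case(name, rng), case_insensitive) == expected
               for _ in range(trials))

if __name__ == "__main__":
    q = "legacy.glb.growfinancial.org."
    print("legacy ->", lookup(ZONE, q, False))                                  # 198.49.46.52
    print("legacY ->", lookup(ZONE, "legacY.glb.growfinancial.org.", False))  # 198.49.46.55 (wildcard)
    print("case-sensitive server consistent under 0x20:", answers_consistent(ZONE, q, False))
    print("RFC 1035 server consistent under 0x20:", answers_consistent(ZONE, q, True))
```

Removing the wildcard, as done later in the thread, turns the wrong answer into no answer for a mixed-case query; only case-insensitive matching on the authoritative side makes the server correct for 0x20-using resolvers.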


#3

Ok, thanks for the info. I’m using the DNS server built into my load-balancer; it may be time for an upgrade! I don’t think I can change many, if any, settings for the DNS server itself.

Ryan Jensen

network services manager, CCIE #51211


#4

Hello!

Were you able to make a change on the Cloudflare side?

I removed the * record from the zone this morning and tested, it seems to resolve properly. I’m not sure if it’s a result of removing the * record or if a change was made specific to this domain.

H:>nslookup hb3.glb.growfinancial.org 1.1.1.1
Server: 1dot1dot1dot1.cloudflare-dns.com
Address: 1.1.1.1

Non-authoritative answer:
Name: hb3.glb.growfinancial.org
Address: 198.49.46.49

H:>nslookup Hb3.glb.growfinancial.org 1.1.1.1
Server: 1dot1dot1dot1.cloudflare-dns.com
Address: 1.1.1.1

Non-authoritative answer:
Name: Hb3.glb.growfinancial.org
Address: 198.49.46.49

H:>nslookup hb3.Glb.growfinancial.org 1.1.1.1
Server: 1dot1dot1dot1.cloudflare-dns.com
Address: 1.1.1.1

Non-authoritative answer:
Name: hb3.Glb.growfinancial.org
Address: 198.49.46.49

H:>nslookup legacy.Glb.growfinancial.org 1.1.1.1
Server: 1dot1dot1dot1.cloudflare-dns.com
Address: 1.1.1.1

Non-authoritative answer:
Name: legacy.Glb.growfinancial.org
Address: 198.49.46.52

H:>nslookup legacy.glb.growfinancial.org 1.1.1.1
Server: 1dot1dot1dot1.cloudflare-dns.com
Address: 1.1.1.1

Non-authoritative answer:
Name: legacy.glb.growfinancial.org
Address: 198.49.46.52



#5

No change on our side yet… it was late enough Friday that the team is just now triaging their queue. Are you OK with the current situation or would you like us to continue to investigate a change on our end?


#6

Yeah I’m fine with it.