Lightsail.aws.amazon.com is not returning A record

#1

Query for lightsail.aws.amazon.com is not returning any A record.

This issue is also reported by other users at https://news.ycombinator.com/item?id=21699362.

$ dig lightsail.aws.amazon.com @1.1.1.1

; <<>> DiG 9.10.6 <<>> lightsail.aws.amazon.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33184
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;lightsail.aws.amazon.com.	IN	A

;; ANSWER SECTION:
lightsail.aws.amazon.com. 60	IN	CNAME	lbr.lightsail-lbr.com.
lbr.lightsail-lbr.com.	60	IN	CNAME	ap-southeast-1.lightsail.aws.amazon.com.

;; Query time: 521 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Dec 04 23:45:08 +08 2019
;; MSG SIZE  rcvd: 138

While the same query with 8.8.8.8 is working correctly.

$ dig lightsail.aws.amazon.com @8.8.8.8

; <<>> DiG 9.10.6 <<>> lightsail.aws.amazon.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16212
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;lightsail.aws.amazon.com.	IN	A

;; ANSWER SECTION:
lightsail.aws.amazon.com. 59	IN	CNAME	lbr.lightsail-lbr.com.
lbr.lightsail-lbr.com.	59	IN	CNAME	ap-southeast-1.lightsail.aws.amazon.com.
ap-southeast-1.lightsail.aws.amazon.com. 59 IN CNAME ap-southeast-1.console.aws.amazon.com.
ap-southeast-1.console.aws.amazon.com. 59 IN A	54.240.226.142

;; Query time: 412 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Dec 04 23:47:48 +08 2019
;; MSG SIZE  rcvd: 167
#3

ap-southeast-1.lightsail.aws.amazon.com would return lbr.lightsail-lbr.com
and
lbr.lightsail-lbr.com would return ap-southeast-1.lightsail.aws.amazon.com

It’s funny.

$ dig ap-southeast-1.lightsail.aws.amazon.com @1.1.1.1

; <<>> DiG 9.10.6 <<>> ap-southeast-1.lightsail.aws.amazon.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30010
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;ap-southeast-1.lightsail.aws.amazon.com. IN A

;; ANSWER SECTION:
lightsail.aws.amazon.com. 60	IN	CNAME	lbr.lightsail-lbr.com.

;; Query time: 176 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Dec 04 23:54:02 +08 2019
;; MSG SIZE  rcvd: 124

$ dig lbr.lightsail-lbr.com @1.1.1.1

; <<>> DiG 9.10.6 <<>> lbr.lightsail-lbr.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63643
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;lbr.lightsail-lbr.com.		IN	A

;; ANSWER SECTION:
lbr.lightsail-lbr.com.	60	IN	CNAME	ap-southeast-1.lightsail.aws.amazon.com.

;; Query time: 531 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Dec 04 23:55:02 +08 2019
;; MSG SIZE  rcvd: 121
#4

Query with console.aws.amazon.com is having the same issue.

$ dig console.aws.amazon.com @1.1.1.1

; <<>> DiG 9.10.6 <<>> console.aws.amazon.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16467
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;console.aws.amazon.com.		IN	A

;; ANSWER SECTION:
console.aws.amazon.com.	7	IN	CNAME	lbr-optimized.console-l.amazonaws.com.
lbr-optimized.console-l.amazonaws.com. 7 IN CNAME us-east-1.console.aws.amazon.com.

;; Query time: 3 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Dec 04 23:58:22 +08 2019
;; MSG SIZE  rcvd: 145

$ dig us-east-1.console.aws.amazon.com @1.1.1.1

; <<>> DiG 9.10.6 <<>> us-east-1.console.aws.amazon.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13595
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;us-east-1.console.aws.amazon.com. IN	A

;; ANSWER SECTION:
console.aws.amazon.com.	16	IN	CNAME	lbr-optimized.console-l.amazonaws.com.

;; Query time: 5 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Dec 04 23:59:15 +08 2019
;; MSG SIZE  rcvd: 131
#6

I am in Malaysia.

$ dig +short CHAOS TXT id.server @1.1.1.1
"KUL"
#8

I believe other AWS console related hosts are having the same issue and this is happening in some other regions too, as reported by a guy from Toronto, Ontario, Canada at https://news.ycombinator.com/item?id=21703192.

#10

THis may be the ugliest report I’ve ever seen for a hostname…

36
361104×620 81 KB

3 Likes
#11

Encountered another host with the same issue.

$ dig g.alicdn.com @1.1.1.1

; <<>> DiG 9.10.6 <<>> g.alicdn.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11399
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;g.alicdn.com.			IN	A

;; ANSWER SECTION:
g.alicdn.com.		77697	IN	CNAME	g.alicdn.com.danuoyi.alicdn.com.

;; Query time: 3 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Dec 05 15:36:54 +08 2019
;; MSG SIZE  rcvd: 88

But the query with 8.8.8.8 is very fine.

$ dig g.alicdn.com @8.8.8.8

; <<>> DiG 9.10.6 <<>> g.alicdn.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8383
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;g.alicdn.com.			IN	A

;; ANSWER SECTION:
g.alicdn.com.		21599	IN	CNAME	g.alicdn.com.danuoyi.alicdn.com.
g.alicdn.com.danuoyi.alicdn.com. 59 IN	A	47.246.12.254
g.alicdn.com.danuoyi.alicdn.com. 59 IN	A	47.246.12.253

;; Query time: 16 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Dec 05 15:36:57 +08 2019
;; MSG SIZE  rcvd: 108
#12

After some research, I believe this issue is relating to edns-client-subnet.

Some load balancers or CDN require public resolvers like 1.1.1.1 to pass along the EDNS subnet information in order to return the geolocated responses.

Related information: https://webapps.stackexchange.com/questions/135222/why-does-1-1-1-1-not-resolve-archive-is

#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.