M.dm530.net unresolvable


#1

1.1.1.1 can’t resolve m.dm530.net:

# dig @1.1.1.1 m.dm530.net

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.4 <<>> @1.1.1.1 m.dm530.net
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31253
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;m.dm530.net.                   IN      A

;; ANSWER SECTION:
m.dm530.net.            600     IN      CNAME   m.dm530.net.fbicdn.com.

;; Query time: 505 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Apr 23 14:15:46 2018
;; MSG SIZE  rcvd: 65

while Google DNS can resolve it:

# dig @8.8.8.8 m.dm530.net

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.4 <<>> @8.8.8.8 m.dm530.net
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48294
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;m.dm530.net.                   IN      A

;; ANSWER SECTION:
m.dm530.net.            399     IN      CNAME   m.dm530.net.fbicdn.com.
m.dm530.net.fbicdn.com. 9       IN      A       209.58.184.226

;; Query time: 15 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Apr 23 14:15:53 2018
;; MSG SIZE  rcvd: 81

#2

1.1.1.1 is behaving correctly. The authoritative DNS servers for m.dm530.net.fbicdn.com. are buggy.

1.1.1.1 sends queries with random capitalization. The zone’s authoritative DNS servers respond to non-lowercase queries by saying the name has no IP addresses.

$ dig +dnssec +norecurse m.dm530.net.fbicdn.com. @106.186.118.142

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +dnssec +norecurse m.dm530.net.fbicdn.com. @106.186.118.142
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39446
;; flags: qr aa ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0258 , udp: 4096
;; QUESTION SECTION:
;m.dm530.net.fbicdn.com.                IN      A

;; ANSWER SECTION:
m.dm530.net.fbicdn.com. 10      IN      A       162.221.6.218

;; Query time: 212 msec
;; SERVER: 106.186.118.142#53(106.186.118.142)
;; WHEN: Mon Apr 23 06:47:07 UTC 2018
;; MSG SIZE  rcvd: 89

$ dig +dnssec +norecurse M.dm530.net.fbicdn.com. @106.186.118.142

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +dnssec +norecurse M.dm530.net.fbicdn.com. @106.186.118.142
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56387
;; flags: qr aa ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0258 , udp: 4096
;; QUESTION SECTION:
;M.dm530.net.fbicdn.com.                IN      A

;; Query time: 206 msec
;; SERVER: 106.186.118.142#53(106.186.118.142)
;; WHEN: Mon Apr 23 06:47:13 UTC 2018
;; MSG SIZE  rcvd: 51

You can mimic similar behavior by sending Google Public DNS a partly capitalized query.

$ dig @publicdns.goog m.dm530.net.fbicdn.COM

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @publicdns.goog m.dm530.net.fbicdn.COM
; (4 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46770
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;m.dm530.net.fbicdn.COM.                IN      A

;; Query time: 83 msec
;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888)
;; WHEN: Mon Apr 23 06:53:20 UTC 2018
;; MSG SIZE  rcvd: 51

At least, that’s one issue. I’m not certain there aren’t others.

Cloudflare can add a manual override to the DNS server, but it’s not really possible to automatically detect an issue like this, since it’s not visibly invalid on the wire.


#3

Thanks for the report @roytam and for the debugging @mnordhoff!

I’ve passed along to our resolver team.


#4

We’ve added a workaround for this (broken) domain. It should resolve now.