Not Resolving AWS CNAME


#1

I’m not able to resolve a few AWS CNAMEs via 1.1.1.1; here’s an example:

[~/Code] dig @8.8.8.8 clover-01.east.us.prod.bq-s.com

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 clover-01.east.us.prod.bq-s.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25163
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;clover-01.east.us.prod.bq-s.com. IN	A

;; ANSWER SECTION:
clover-01.east.us.prod.bq-s.com. 29 IN	CNAME	internal-prod-clover-elb-92218522.us-east-1.elb.amazonaws.com.
internal-prod-clover-elb-92218522.us-east-1.elb.amazonaws.com. 59 IN A 10.1.7.28
internal-prod-clover-elb-92218522.us-east-1.elb.amazonaws.com. 59 IN A 10.1.2.33

;; Query time: 92 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Apr  2 18:13:19 2018
;; MSG SIZE  rcvd: 153

[~/Code]

#2

Derp, didn’t paste the full output; here’s 1.1.1.1:

[~/Code] dig @1.1.1.1 clover-01.east.us.prod.bq-s.com

; <<>> DiG 9.8.3-P1 <<>> @1.1.1.1 clover-01.east.us.prod.bq-s.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56120
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;clover-01.east.us.prod.bq-s.com. IN	A

;; Query time: 1500 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Apr  2 18:13:11 2018
;; MSG SIZE  rcvd: 49

#3

The bq-s.com zone isn’t correct. Any DNS resolver that does QNAME minimisation, or that by chance receives queries in prod.bq-s.com that aren’t in east.us.prod.bq-s.com, will receive a lame delegation.

$ dig +norecurse @ns-73.awsdns-09.com prod.bq-s.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse @ns-73.awsdns-09.com prod.bq-s.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13981
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;prod.bq-s.com.                 IN      A

;; AUTHORITY SECTION:
prod.bq-s.com.          3600    IN      NS      ns-1062.awsdns-04.org.
prod.bq-s.com.          3600    IN      NS      ns-1599.awsdns-07.co.uk.
prod.bq-s.com.          3600    IN      NS      ns-509.awsdns-63.com.
prod.bq-s.com.          3600    IN      NS      ns-615.awsdns-12.net.

;; Query time: 15 msec
;; SERVER: 2600:9000:5300:4900::1#53(2600:9000:5300:4900::1)
;; WHEN: Mon Apr 02 22:20:29 UTC 2018
;; MSG SIZE  rcvd: 179

Those nameservers refuse queries for that zone.

$ dig +norecurse @ns-73.awsdns-09.com east.us.prod.bq-s.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse @ns-73.awsdns-09.com east.us.prod.bq-s.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15374
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;east.us.prod.bq-s.com.         IN      A

;; AUTHORITY SECTION:
east.us.prod.bq-s.com.  3600    IN      NS      ns-1072.awsdns-06.org.
east.us.prod.bq-s.com.  3600    IN      NS      ns-197.awsdns-24.com.
east.us.prod.bq-s.com.  3600    IN      NS      ns-2035.awsdns-62.co.uk.
east.us.prod.bq-s.com.  3600    IN      NS      ns-868.awsdns-44.net.

;; Query time: 15 msec
;; SERVER: 2600:9000:5300:4900::1#53(2600:9000:5300:4900::1)
;; WHEN: Mon Apr 02 22:21:31 UTC 2018
;; MSG SIZE  rcvd: 187

That’s a working delegation.

http://dnsviz.net/d/east.us.prod.bq-s.com/WsKuFw/dnssec/

You need to add the missing zone, or remove the faulty NS records. Or a combination of the two.
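To make the diagnosis in #3 reproducible without network access, here is an added example (not code from the thread or from any resolver): a small delegation walker that follows referrals either one label at a time, as a QNAME-minimising resolver does, or with the full query name, plus the explicit lame-delegation check behind the argument above (fetch the child's NS set from the parent, then ask each listed server for the child apex without recursion and look at the AA flag). The authoritative data is a constructed fixture transcribed from the dig output in posts #1 to #3; `query()` simulates the servers and is the only function to replace with a real lookup (for example dnspython's `dns.query.udp`) to run the same walk against live DNS. Modelling the bq-s.com server as handing out the longest matching NS set is an assumption drawn from the two referrals shown in #3.

```python
"""Delegation walk that reproduces the 8.8.8.8 vs 1.1.1.1 difference in the
thread.  All DNS data below is a constructed fixture transcribed from the dig
output in the thread; nothing here talks to the network."""
from dataclasses import dataclass, field


@dataclass
class Reply:
    rcode: str                                     # NOERROR, REFUSED, SERVFAIL
    aa: bool = False                               # Authoritative Answer flag
    answer: list = field(default_factory=list)     # (name, type, rdata)
    authority: list = field(default_factory=list)  # NS records of a referral


PROD_NS = ["ns-1062.awsdns-04.org", "ns-1599.awsdns-07.co.uk",
           "ns-509.awsdns-63.com", "ns-615.awsdns-12.net"]
EAST_NS = ["ns-1072.awsdns-06.org", "ns-197.awsdns-24.com",
           "ns-2035.awsdns-62.co.uk", "ns-868.awsdns-44.net"]
EAST_ZONE = {"delegations": {}, "records": {
    "clover-01.east.us.prod.bq-s.com":
        [("CNAME", "internal-prod-clover-elb-92218522.us-east-1.elb.amazonaws.com")]}}

# server -> {zone it serves -> zone data}.  The bq-s.com server carries NS sets
# for both prod.bq-s.com and east.us.prod.bq-s.com and hands out the longest
# match (assumption based on the two referrals in the thread).  The
# prod.bq-s.com servers host no such zone, so they refuse, as observed.
SERVERS = {"ns-73.awsdns-09.com": {"bq-s.com": {
    "delegations": {"prod.bq-s.com": PROD_NS, "east.us.prod.bq-s.com": EAST_NS},
    "records": {}}}}
SERVERS.update({ns: {} for ns in PROD_NS})
SERVERS.update({ns: {"east.us.prod.bq-s.com": EAST_ZONE} for ns in EAST_NS})


def _under(name, zone):
    return name == zone or name.endswith("." + zone)


def query(server, qname):
    """Non-recursive query to one authoritative server (simulated)."""
    zones = SERVERS.get(server)
    if zones is None:
        return Reply("SERVFAIL")               # unreachable server
    serving = [z for z in zones if _under(qname, z)]
    if not serving:
        return Reply("REFUSED")                # not authoritative above qname
    zone = max(serving, key=len)
    cuts = [d for d in zones[zone]["delegations"] if _under(qname, d)]
    if cuts:                                   # at/below a zone cut: referral
        cut = max(cuts, key=len)
        return Reply("NOERROR", aa=False,
                     authority=[(cut, "NS", ns) for ns in zones[zone]["delegations"][cut]])
    rrs = zones[zone]["records"].get(qname, [])
    return Reply("NOERROR", aa=True, answer=[(qname, t, r) for t, r in rrs])


def resolve(qname, zone, servers, minimise, max_steps=20):
    """Walk from `zone`'s servers down to qname.  Returns (status, answer, trace)."""
    labels = qname.split(".")
    depth = len(labels) - len(zone.split("."))
    # query names in order: one extra label per step, or only the full name
    names = [".".join(labels[depth - i:]) for i in range(1, depth + 1)] if minimise else [qname]
    current, idx, trace = list(servers), 0, []
    for _ in range(max_steps):
        name, reply = names[idx], None
        for ns in current:
            reply = query(ns, name)
            trace.append((ns, name, reply.rcode, reply.aa))
            if reply.rcode == "NOERROR":
                break
        if reply is None or reply.rcode != "NOERROR":
            return "SERVFAIL", [], trace       # the whole NS set failed: lame delegation
        if not reply.aa and reply.authority:   # referral: continue at the child's servers
            current = [rd for _, _, rd in reply.authority]
            idx = min(idx + 1, len(names) - 1)
            continue
        if name == qname:
            return "NOERROR", reply.answer, trace
        idx += 1                               # NODATA for an intermediate name
    return "SERVFAIL", [], trace


def lame_servers(child, parent_servers):
    """Servers in the child's NS set (as published by the parent) that do not
    answer authoritatively for the child apex.  Non-empty means lame."""
    ns_set = []
    for ps in parent_servers:
        ref = query(ps, child)
        if ref.rcode == "NOERROR" and ref.authority:
            ns_set = [rd for _, _, rd in ref.authority]
            break
    lame = []
    for ns in ns_set:
        r = query(ns, child)
        if r.rcode != "NOERROR" or not r.aa:
            lame.append(ns)
    return lame


if __name__ == "__main__":
    q, parent = "clover-01.east.us.prod.bq-s.com", ["ns-73.awsdns-09.com"]
    for mode in (False, True):
        status, ans, trace = resolve(q, "bq-s.com", parent, minimise=mode)
        print(f"minimise={mode}: {status} {ans}")
        for step in trace:
            print("   ", step)
    for z in ("prod.bq-s.com", "east.us.prod.bq-s.com"):
        print(f"lame NS for {z}:", lame_servers(z, parent))
```

Running it shows the two outcomes from posts #1 and #2: with the full name the bq-s.com server refers straight to the east.us.prod.bq-s.com servers and the CNAME comes back, while the minimising walk is referred to the prod.bq-s.com servers for the next label and every one of them refuses, which is the SERVFAIL. `lame_servers` reports all four prod.bq-s.com servers as lame and none for east.us.prod.bq-s.com; after the fix suggested above (host the prod.bq-s.com zone on those servers, or delete its NS records from bq-s.com) the first list should be empty.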