Odd DNS responses for www.neopets.com
Maybe it's just me, but isn't there something odd about a DNS query coming back with 78 entries for the same host? It sends back an UDP packet that gets truncated and the DNS resolver reverts to TCP to get the full list. It seems to cause problems with Windows clients and/or Windows DNS servers. Seems like overkill. Here is a dig on www.neopets.com: ;; Truncated, retrying in TCP mode. ; <<>> DiG 9.2.1 <<>> www.neopets.com @ns2.neopets.com ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34814 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 78, AUTHORITY: 2, ADDITIONAL: 2 ;; QUESTION SECTION: ;www.neopets.com. IN A ;; ANSWER SECTION: www.neopets.com. 1582 IN A 198.172.122.97 www.neopets.com. 1582 IN A 198.172.122.98 www.neopets.com. 1582 IN A 198.172.122.101 ... many lines deleted ... www.neopets.com. 1582 IN A 198.172.122.194 www.neopets.com. 1582 IN A 198.172.122.196 www.neopets.com. 1582 IN A 198.172.122.197 ;; AUTHORITY SECTION: neopets.com. 2434 IN NS ns1.neopets.com. neopets.com. 2434 IN NS ns2.neopets.com. ;; Query time: 53 msec ;; SERVER: 198.172.121.14#53(ns2.neopets.com) ;; WHEN: Wed Feb 5 16:42:45 2003 ;; MSG SIZE rcvd: 1349 -- Stephen Milton - Vice President (425) 881-8769 x102 ISOMEDIA.COM - Premium Internet Services (425) 869-9437 Fax milton@isomedia.com http://www.isomedia.com
Maybe it's just me, but isn't there something odd about a DNS query coming back with 78 entries for the same host? It sends back an UDP packet that gets truncated and the DNS resolver reverts to TCP to get the full list.
This is often used for server pools (as I'm guessing you know).
It seems to cause problems with Windows clients and/or Windows DNS servers. Seems like overkill.
The 78 addresses listed here are all in one bit of a /24. In the cases I've seen, there are a few servers listed in several different locations, network- (and location-) wise. I agree that this looks really weird. Perhaps they use it as a cheap load balancer? Cheers, Alex Lambert alambert@quickfire.org ----- Original Message ----- From: "Stephen Milton" <milton@isomedia.com> To: <nanog@merit.edu> Sent: Wednesday, February 05, 2003 6:47 PM Subject: Odd DNS responses for www.neopets.com
Maybe it's just me, but isn't there something odd about a DNS query coming back with 78 entries for the same host? It sends back an UDP packet that gets truncated and the DNS resolver reverts to TCP to get the full list.
This is often used for server pools (as I'm guessing you know).
It seems to cause problems with Windows clients and/or Windows DNS servers. Seems like overkill.
The 78 addresses listed here are all in one bit of a /24. In the cases I've seen, there are a few servers listed in several different locations, network- (and location-) wise. I agree that this looks really weird. Perhaps they use it as a cheap load balancer?
Perhaps they use it to pad their IP allocations?? DJ
When I worked for NeoPets in the summer of 2000 they had a server farm about that size. It was behind a NetFoundry (I think) Load Balancer at the time. Perhaps their load balancer died and they had to get back up in a hurry. Thanks, Adam "Tauvix" Debus Linux Certified Professional, Linux Certified Administrator #447641 Network Administrator, ReachONE Internet adam@reachone.com ----- Original Message ----- From: "Deepak Jain" <deepak@ai.net> To: "Alex Lambert" <alambert@quickfire.org>; "Stephen Milton" <milton@isomedia.com>; <nanog@merit.edu> Sent: Wednesday, February 05, 2003 7:40 PM Subject: RE: Odd DNS responses for www.neopets.com
Maybe it's just me, but isn't there something odd about a DNS query coming back with 78 entries for the same host? It sends back an UDP packet that gets truncated and the DNS resolver reverts to TCP to get the full list.
This is often used for server pools (as I'm guessing you know).
It seems to cause problems with Windows clients and/or Windows DNS servers. Seems like overkill.
The 78 addresses listed here are all in one bit of a /24. In the cases I've seen, there are a few servers listed in several different locations, network- (and location-) wise. I agree that this looks really weird. Perhaps they use it as a cheap load balancer?
Perhaps they use it to pad their IP allocations??
DJ
On Wed, 5 Feb 2003, Alex Lambert wrote: The 78 addresses listed here are all in one bit of a /24. In the cases I've seen, there are a few servers listed in several different locations, network- (and location-) wise. I agree that this looks really weird. Perhaps they use it as a cheap load balancer? For your routing convenience: matt@pants:~$ mysql -e 'select network, mask, owner from routes where owner="NeoPets";' spam +---------------+------+---------+ | network | mask | owner | +---------------+------+---------+ | 198.172.121.0 | 24 | NeoPets | +---------------+------+---------+ Thank you verio, for returning useful information for "NETBLK-A019-198-172-121-0", including "NeoPets" as the owner name, but returning "No match" for a query on "NeoPets". I am absolutely positive Verio would never aid and conceal customers of theirs that are guilty of such abusive and criminal behavior. matto --mghali@snark.net------------------------------------------<darwin>< Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in. #include <disclaim.h>
Maybe it's just me, but isn't there something odd about a DNS query coming back with 78 entries for the same host? It sends back an UDP packet that gets truncated and the DNS resolver reverts to TCP to get the full list.
It is not necessarily odd. Network management applications such as OpenView work best if the DNS lookup for a router returns all the addresses configured on the router. The UDP packet can overflow and be truncated with 22 entries.
It seems to cause problems with Windows clients and/or Windows DNS servers. Seems like overkill.
I feel your pain because I use a DNS module in my scripts that craps out when it sees one of these truncated packets, but then the problem is with the client and not DNS. It is too bad that the DNS packet size can't be increased to 1500B. David Russell ThruPoint, Inc
On Wed, 5 Feb 2003, Stephen Milton wrote: Maybe it's just me, but isn't there something odd about a DNS query coming back with 78 entries for the same host? It sends back an UDP packet that gets truncated and the DNS resolver reverts to TCP to get the full list. It seems to cause problems with Windows clients and/or Windows DNS servers. Seems like overkill. neopets.com has been blatantly and furiously attempting to spam me for several months: http://mrtg.snark.net/nullstats.cgi If they lack the sense to stop trying to relay to a host that does not even ACK their SYNs after several thousand tries, I suspect their proficiency at configuring rfc-compliant DNS might be lacking as well. Shockingly, emails to abuse@verio have been incredibly useless. matto --mghali@snark.net------------------------------------------<darwin>< Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in. #include <disclaim.h>
On Thursday, Feb 6, 2003, at 19:19 Canada/Eastern, just me wrote:
If they lack the sense to stop trying to relay to a host that does not even ACK their SYNs after several thousand tries, I suspect their proficiency at configuring rfc-compliant DNS might be lacking as well.
Just out of interest, what RFC do you think has been violated in this case?
On Thu, 6 Feb 2003, Joe Abley wrote: On Thursday, Feb 6, 2003, at 19:19 Canada/Eastern, just me wrote:
If they lack the sense to stop trying to relay to a host that does not even ACK their SYNs after several thousand tries, I suspect their proficiency at configuring rfc-compliant DNS might be lacking as well.
Just out of interest, what RFC do you think has been violated in this case? I haven't chosen to delve into debugging the "Odd DNS responses for www.neopets.com" myself- I have no personal interest in any sort of connectivity with them. I was simply operating off the information in the Subject line of the original email. matto --mghali@snark.net------------------------------------------<darwin>< Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in. #include <disclaim.h>
participants (7)
-
Adam "Tauvix" Debus
-
Alex Lambert
-
David Russell
-
Deepak Jain
-
Joe Abley
-
just me
-
Stephen Milton