Problem with Comcast DNS Servers?

February 20th, 2012, 07:02 PM
Registered User
Hi - I have about 50 domains that last week were suddenly impacted by a strange problem. I started getting calls that users of my websites (it turned out to only be people using Comcast as their ISP) were unable to access the sites unless they specified the "www." in the address. For example "bacbookingsDOTcom" didn't work (as it had for a year or so), but if the "www" is added then it did!
When I use NSlookup to query the comcast DNS server, with
NSlookup bacbookingsDOTcom [dns server ip goes here]
then usually (~6 times out of 7) it fails with "server failed". Approx one time out of 7 it will succeed!
If I use NSlookup with any other DNS (e.g. using Google's) it always succeeds.
Does anybody have ANY ideas/suggestions?
Thanks.

February 20th, 2012, 10:51 PM
Contributing User
You should see if they can contact Comcast. I used to work for an ISP and most ISPs have a special DNS setup (like a walled garden running on the DTS). It may run BIND on the backside but most of them have additional software running for various purposes that have the potential to cause weird problems. I'm not on Comcast so I can't do any testing, but something with their system may not like your DNS setup any more. Or someone hosting your DNS made a change that doesn't go well with Comcast. Either way, at a glance the setup for the domain provided should work.

February 21st, 2012, 08:01 AM
Registered User
Thanks for the input. I've contacted my hosting company, but have no idea how I'd contact Comcast.
FYI, the Comcast DNS is at 75.75.75.75.

February 21st, 2012, 10:49 AM
Contributing User
You would probably need someone on Comcast to contact their support. Good luck with that. Your hosting company might be able to do it for you. They deny queries to their DNS that don't originate from their network, so that's why I couldn't test it. Most ISPs do that.

February 21st, 2012, 02:07 PM
Registered User
dig shows this:

;; QUESTION SECTION:
;bacbookings.com. IN ANY

;; ANSWER SECTION:
bacbookings.com. 86400 IN CNAME tennisreservations.com.
bacbookings.com. 162612 IN NS ns52.1and1.com.
bacbookings.com. 162612 IN NS ns51.1and1.com.

Is this the source of the problem? Since it points to a CNAME should there NOT be NS records also? I'm no expert on this but I found section 2.4 "CName Records" in RFC1912. This says:

    Especially do not try to combine CNAMEs and NS
    records like this!:

        podunk.xx.      IN      NS      ns1
                        IN      NS      ns2
                        IN      CNAME   mary
        mary            IN      A       1.2.3.4

    This is often attempted by inexperienced administrators as an obvious
    way to allow your domain name to also be a host. However, DNS
    servers like BIND will see the CNAME and refuse to add any other
    resources for that name. Since no other records are allowed to
    coexist with a CNAME, the NS entries are ignored. Therefore all the
    hosts in the podunk.xx domain are ignored as well!

Thanks.

February 21st, 2012, 09:30 PM
Contributing User
A zone wouldn't load like that anyways. Rather, whatever software you might be using shouldn't let that configuration load. You can't have multiple entries alongside a CNAME.
I'm pretty sure 1and1 uses PowerDNS but I don't know what backends they're running. I know their setup isn't really a common one (I've dealt with weird problems with them before), but I'm not sure if it may be some quirky thing there.
Like setting up bacbookings.com as an alias for tennisreservations.com is considered abnormal for a DNS server. If you were to create a normal zone for bacbookings.com and try to create that CNAME record, it wouldn't load under a normal configuration. This is because the existence of the SOA violates the policy of having no other records for a CNAME. Logically this would need to be set up as a CNAME on the .com servers. My guess is that 1and1 probably has some mimicked setup of the .com servers and a sideways referral, or they are running something a little unique as far as how it can answer queries. The NS records in the answer are a little odd from what I've had experience with, normally you would just see them in the auth and addl sections. Just a guess though about what they are running, I'm probably wrong.
Anyways, none of that probably matters about your issue. To other DNS servers, it doesn't really matter where the CNAME happens. The servers should follow normal lookup procedures and resolve it. Assuming Comcast is following normal procedures as well. It could just be a weird temporary issue too.

February 21st, 2012, 10:02 PM
Registered User
So if I understand you correctly, the NS records should NOT be there for "bacbookings.com"?
The DNS 'control panel' at 1and1 is extremely simple:
When creating a CNAME you enter the alias name and that's it!
I checked out "bacbookings.com" using the tools at dnssy.com and intodns.com and they flagged multiple errors with the setup of this name. My thoughts now are that:
a) 1and1 has misconfigured the name,
b) Comcast's DNS system is less tolerant of this misconfiguration than are others (such as Google's at 8.8.8.8). Does that seem plausible?
Thanks for your input.
Paul.

February 22nd, 2012, 02:34 PM
Registered User
I've done more digging and I think there's an even more fundamental problem with the 1and1 configuration:

; <<>> DiG 9.3.2 <<>> @localhost bacbookings.com ANY
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46060
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bacbookings.com. IN ANY

;; ANSWER SECTION:
bacbookings.com. 86400 IN CNAME tennisreservations.com.
bacbookings.com. 75053 IN NS ns51.1and1.com.
bacbookings.com. 75053 IN NS ns52.1and1.com.

The way I read this there exists a CNAME record for the 'main' domain name "bacbookings.com" (i.e. NOT a sub-domain). As I understand it, this should NEVER be allowed. Can anyone comment? Thanks.

February 22nd, 2012, 09:05 PM
Contributing User
Yes. Those NS records shouldn't be there in the answer. As for the CNAME, that shouldn't be doable normally but theoretically that shouldn't be the problem. A server doing a lookup won't care where the CNAME happens in the DNS tree since bacbookings can be viewed as a subdomain of .com. I have BIND 9.7.3 and 9.8.1 running on some servers and they have no problems with that domain. Since only Comcast is having the issue, it's probably something on their side. The 1and1 people may not be playing by normal DNS rules but technically it should still work. I have no way of testing Comcast so I'm not sure what's unique about their servers. Or if they even run BIND. They could have some advanced software that sees that 1and1 is manipulating DNS in ways that are slightly abnormal and it's pushing back SERVFAIL responses. Could be some obscure caching issue somewhere. If it's intermittent that even throws more uncertainty as to what's happening. Do you know what queries return from Comcast for ns lookups for that domain or anything for the domain it's an alias for?
Personally I'm not a fan of people not following accepted DNS procedures because it makes this stuff almost impossible to narrow down unless those companies can provide you hard information as to what their servers are seeing. You could ask for a dbdump from Comcast if you could get a hold of them. When I worked at an ISP we would do that if someone was saying we were at fault. Either way you'll probably have to have someone get a hold of Comcast. You can ask 1and1 but since it works everywhere else, they'll probably point you to Comcast as well.
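
Added example, not part of the original thread: a small Python check for the condition raised in the posts that quote RFC 1912 section 2.4 and the dig ANY output, namely a CNAME sharing its owner name with other record types. The function names and the allowed-types set are assumptions of this example; the sample input is the answer section posted in the thread.

```python
from collections import defaultdict

# Constructed sample: the ANSWER section lines from the dig output in the thread.
SAMPLE_ANSWER = """\
bacbookings.com. 86400 IN CNAME tennisreservations.com.
bacbookings.com. 75053 IN NS ns51.1and1.com.
bacbookings.com. 75053 IN NS ns52.1and1.com.
"""

# Assumption of this example: only DNSSEC metadata may share an owner name
# with a CNAME (RFC 4035 section 2.5); every other type is a conflict.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}


def parse_records(text):
    """Yield (owner, rtype) from dig-style 'name ttl class type rdata' lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig comment/section lines
        fields = line.split(None, 4)
        if len(fields) < 5 or not fields[1].isdigit():
            continue  # not a resource record line
        yield fields[0].lower().rstrip(".") + ".", fields[3].upper()


def cname_conflicts(text):
    """Map each CNAME owner to the record types that wrongly coexist with it."""
    types_by_owner = defaultdict(set)
    for owner, rtype in parse_records(text):
        types_by_owner[owner].add(rtype)
    findings = {}
    for owner, types in types_by_owner.items():
        extra = sorted(types - ALLOWED_WITH_CNAME)
        if "CNAME" in types and extra:
            findings[owner] = {
                "conflicts": extra,
                # NS or SOA at the name means it is a zone apex or delegation
                "at_zone_cut": bool(types & {"NS", "SOA"}),
            }
    return findings


if __name__ == "__main__":
    for owner, info in cname_conflicts(SAMPLE_ANSWER).items():
        print(owner, info)
```

Feeding it the answer section saved from a resolver that fails and from one that succeeds shows whether both were handed the same conflicting record set.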