Odd DNS behavior

I’m seeing some odd DNS behavior (or maybe I’ve misunderstood something). This started happening recently. I’ve set up DNS to forward to “Quad9 (Filtered)”. If I dig for www.linkedin.com against kresd, I get this (NXDOMAIN):

# dig www.linkedin.com +dnssec +multi

; <<>> DiG 9.14.12 <<>> www.linkedin.com +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3331
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.linkedin.com.	IN A

;; ANSWER SECTION:
www.linkedin.com.	13 IN CNAME 2-01-2c3e-005a.cdx.cedexis.net.
2-01-2c3e-005a.cdx.cedexis.net.	176 IN CNAME www-linkedin-com.l-0005.l-msedge.net.

;; Query time: 41 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jun 13 09:45:09 PDT 2020
;; MSG SIZE  rcvd: 136

However, if I query against the Quad9 servers directly (9.9.9.9), I get this (correct result). Shouldn’t kresd have returned this as well?

# dig www.linkedin.com +dnssec +multi @9.9.9.9

; <<>> DiG 9.14.12 <<>> www.linkedin.com +dnssec +multi @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47003
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.linkedin.com.	IN A

;; ANSWER SECTION:
www.linkedin.com.	66 IN CNAME 2-01-2c3e-005a.cdx.cedexis.net.
2-01-2c3e-005a.cdx.cedexis.net.	42 IN CNAME www-linkedin-com.l-0005.l-msedge.net.
www-linkedin-com.l-0005.l-msedge.net. 204 IN CNAME l-0005.l-msedge.net.
l-0005.l-msedge.net.	204 IN A 13.107.42.14

;; Query time: 13 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sat Jun 13 09:46:29 PDT 2020
;; MSG SIZE  rcvd: 166

I get the latter response locally. Do you use DNS forwarding?

@fantomas yes, as I mentioned above, I set up forwarding to “Quad9 (Filtered)”. This problem doesn’t seem to happen if I set up forwarding to Cloudflare though.

OK, I think I see the issue:

dig www-linkedin-com.l-0005.l-msedge.net +dnssec +multi @9.9.9.9

returns NXDOMAIN. I’ll need to ask Quad9 why they are doing this.
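
Added example, not part of any post in this thread: a small Python helper that follows the CNAME chain in a dig answer section and reports the last name reached and whether it carries an address record, which is the name to query on its own when a reply is NXDOMAIN with a non-empty answer. The function names are hypothetical, and the two inputs are the answer sections quoted above with whitespace normalized.

```python
import re

# Constructed inputs: header, question and answer lines copied from the two
# dig replies quoted in the thread (tabs replaced by spaces).
KRESD_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3331
;www.linkedin.com. IN A
www.linkedin.com. 13 IN CNAME 2-01-2c3e-005a.cdx.cedexis.net.
2-01-2c3e-005a.cdx.cedexis.net. 176 IN CNAME www-linkedin-com.l-0005.l-msedge.net.
"""
QUAD9_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47003
;www.linkedin.com. IN A
www.linkedin.com. 66 IN CNAME 2-01-2c3e-005a.cdx.cedexis.net.
2-01-2c3e-005a.cdx.cedexis.net. 42 IN CNAME www-linkedin-com.l-0005.l-msedge.net.
www-linkedin-com.l-0005.l-msedge.net. 204 IN CNAME l-0005.l-msedge.net.
l-0005.l-msedge.net. 204 IN A 13.107.42.14
"""

# owner, TTL, class IN, type, rdata (single-token rdata is enough for CNAME/A/AAAA)
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)\s*$")

def parse(dig_text):
    """Return (status, question name, {owner: [(type, rdata), ...]})."""
    status = re.search(r"status: (\w+)", dig_text).group(1)
    qname = re.search(r"^;(\S+)\s+IN\s+\S+", dig_text, re.M).group(1).lower()
    records = {}
    for line in dig_text.splitlines():
        m = RR.match(line)
        if m and not line.startswith(";"):
            records.setdefault(m.group(1).lower(), []).append((m.group(2), m.group(3)))
    return status, qname, records

def chain_end(dig_text):
    """Follow CNAMEs from the question name; return (status, last name, has address)."""
    status, name, records = parse(dig_text)
    seen = set()
    while name not in seen:          # guard against CNAME loops
        seen.add(name)
        targets = [v for t, v in records.get(name, []) if t == "CNAME"]
        if not targets:
            break
        name = targets[0].lower()
    has_addr = any(t in ("A", "AAAA") for t, _ in records.get(name, []))
    return status, name, has_addr

if __name__ == "__main__":
    for label, text in (("kresd", KRESD_REPLY), ("9.9.9.9", QUAD9_REPLY)):
        print(label, chain_end(text))
```

For the kresd reply the chain stops at www-linkedin-com.l-0005.l-msedge.net. with no address record, which is the name the last post queries directly.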