[dns-operations] console.aws.amazon.com - breakage & confusing output from DNSViz?

Matthew Richardson matthew-l at itconsult.co.uk
Mon Feb 7 18:27:37 UTC 2022


Having tried to access AWS's console today (for the first time in a while),
an NXDOMAIN (using Knot Resolver) was returned for
eu-west-1.console.aws.amazon.com (to which AWS had redirected the browser).

Trying a lab of 4 validating caching resolvers, PowerDNS returned the
answer:-

>; <<>> DiG 9.11.29 <<>> @dt05 -p 534 eu-west-1.console.aws.amazon.com
>; (1 server found)
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51057
>;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags:; udp: 512
>;; QUESTION SECTION:
>;eu-west-1.console.aws.amazon.com. IN   A
>
>;; ANSWER SECTION:
>eu-west-1.console.aws.amazon.com. 60 IN CNAME   gr.console-geo.eu-west-1.amazonaws.com.
>gr.console-geo.eu-west-1.amazonaws.com. 60 IN CNAME a1b62e4959fcbcf72.awsglobalaccelerator.com.
>a1b62e4959fcbcf72.awsglobalaccelerator.com. 300 IN A 75.2.73.50
>a1b62e4959fcbcf72.awsglobalaccelerator.com. 300 IN A 99.83.251.236
>
>;; Query time: 1166 msec
>;; SERVER: 193.201.42.59#534(193.201.42.59)
>;; WHEN: Mon Feb 07 17:24:27 GMT Standard Time 2022
>;; MSG SIZE  rcvd: 195

but BIND & Unbound returned SERVFAIL and Knot Resolver returned NXDOMAIN.

https://dnsviz.net/d/console.aws.amazon.com/YgEn7g/dnssec/

suggests a DNSSEC issue showing some things being BOGUS.  However (unless I
am missing something obvious), there is no DNSSEC involved!

Can anyone more knowledgeable shed any light on what might be going wrong
here?  I wonder whether this is relevant:-

>; <<>> DiG 9.11.29 <<>> @ns-912.amazon.com +norec -t ns aws.amazon.com
>; (1 server found)
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34133
>;; flags: qr; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;aws.amazon.com.                        IN      NS
>
>;; ANSWER SECTION:
>aws.amazon.com.         600     IN      NS      ns-912.amazon.com.
>aws.amazon.com.         60      IN      CNAME   tp.8e49140c2-frontier.amazon.com.
>
>;; Query time: 156 msec
>;; SERVER: 52.9.146.37#53(52.9.146.37)
>;; WHEN: Mon Feb 07 14:17:31 GMT Standard Time 2022
>;; MSG SIZE  rcvd: 89

but it is something of a stab in the dark.

Also, is there anyone from AWS around these parts who might have an
insight?

--
Best wishes,
Matthew
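
The second dig output above shows aws.amazon.com. answered with both an NS and a CNAME record at the same owner name, a combination RFC 1034 section 3.6.2 says should not exist. As an added example (not part of the original post), this Python code parses dig answer lines and flags that condition; the function names are assumptions, and it does not establish that this is what caused the resolvers to disagree.

```python
import re
from collections import defaultdict

# Answer lines copied from the two dig outputs quoted in the post ('>' kept).
CONSOLE_ANSWER = """\
>eu-west-1.console.aws.amazon.com. 60 IN CNAME   gr.console-geo.eu-west-1.amazonaws.com.
>gr.console-geo.eu-west-1.amazonaws.com. 60 IN CNAME a1b62e4959fcbcf72.awsglobalaccelerator.com.
>a1b62e4959fcbcf72.awsglobalaccelerator.com. 300 IN A 75.2.73.50
>a1b62e4959fcbcf72.awsglobalaccelerator.com. 300 IN A 99.83.251.236
"""
APEX_ANSWER = """\
>;; ANSWER SECTION:
>aws.amazon.com.         600     IN      NS      ns-912.amazon.com.
>aws.amazon.com.         60      IN      CNAME   tp.8e49140c2-frontier.amazon.com.
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")
# Only DNSSEC RRSIG/NSEC may share an owner name with a CNAME (RFC 4035, 2.5).
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}


def parse_rrs(dig_text):
    """Return (owner, ttl, type, rdata) tuples, skipping ';' comment lines."""
    rrs = []
    for raw in dig_text.splitlines():
        line = raw.lstrip(">").strip()          # tolerate mail quote markers
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            rrs.append((owner.lower(), int(ttl), rtype.upper(), rdata))
    return rrs


def cname_conflicts(rrs):
    """Map each owner that has a CNAME to the other types found beside it."""
    types = defaultdict(set)
    for owner, _ttl, rtype, _rdata in rrs:
        types[owner].add(rtype)
    return {owner: sorted(seen - ALLOWED_WITH_CNAME)
            for owner, seen in types.items()
            if "CNAME" in seen and seen - ALLOWED_WITH_CNAME}


if __name__ == "__main__":
    for name, text in (("console", CONSOLE_ANSWER), ("apex", APEX_ANSWER)):
        print(name, cname_conflicts(parse_rrs(text)))
```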


