-3

DNS lookup of www.duckdns.org takes 10 plus seconds. Is this my internet provider's DNS issue? Here is the output of the host command using my provider DNS and Google DNS:

```
$ time host  www.duckdns.org
www.duckdns.org has address 50.112.156.11
;; connection timed out; no servers could be reached
www.duckdns.org mail is handled by 50 www.duckdns.org.

real    0m10.767s
user    0m0.016s
sys     0m0.012s
$ time host  www.duckdns.org 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

www.duckdns.org has address 54.148.234.172
Host www.duckdns.org not found: 2(SERVFAIL)
www.duckdns.org mail is handled by 50 www.duckdns.org.

real    0m0.546s
user    0m0.020s
sys     0m0.008s
$ time host www.google.com
www.google.com has address 62.168.125.25
www.google.com has address 62.168.125.29
www.google.com has address 62.168.125.30
www.google.com has address 62.168.125.34
www.google.com has address 62.168.125.35
www.google.com has address 62.168.125.39
www.google.com has address 62.168.125.40
www.google.com has address 62.168.125.44
www.google.com has address 62.168.125.45
www.google.com has address 62.168.125.49
www.google.com has address 62.168.125.50
www.google.com has address 62.168.125.54
www.google.com has address 62.168.125.55
www.google.com has address 62.168.125.59
www.google.com has address 62.168.125.20
www.google.com has address 62.168.125.24
www.google.com has IPv6 address 2a00:1450:4014:80b::1011

real    0m0.073s
user    0m0.032s
sys     0m0.012s
```

Update provided by DuckDNS:

Hi, I am pleased to let the community know that we believe that we have rectified the reported defects.

It is always good to have feedback from public communities, we also appreciate any bugs being raised directly with us via our G+ community. This allows us to deal with defects as efficiently as possible.

We don't have enough reputation points to allow us to comment directly.

The correct AAAA response for non-IPv6 implementers is a NOERROR with zero answers as now implemented.

Could you please check to ensure this now behaves as expected?

We have also fixed two additional defects around DNS Glue records, and minimum DNS TTL times (now 60 seconds).

QUACK!

xofer
mehturt
  • RE: the edit last month, I can confirm that things look better on those points. I don't have a G+ account and will reply here. Please hire a DNS consultant or amend your [about](http://www.duckdns.org/about.jsp) page to be less misleading. I do not question that you have 15 years of experience with software development, but the same cannot be said about the technology you are implementing. We should not have been able to go this far down the rabbit hole during the Q&A. – Andrew B May 17 '16 at 19:42

1 Answer

5

Edit:

In the interest of fairness and full disclosure, it appears that the owners of DuckDNS were directed to this Q&A and have addressed the list of defects that were identified. While this is good, I stand by my opinions. These defects were quite grievous and it was irresponsible of the owners to make their service publicly available without the appropriate disclosures regarding its maturity.

Considering that the owners have only publicly addressed that the defects were corrected, and have provided no statement in regards to how they intend to prevent similar problems in the future, I would still not place much confidence in the maturity of this service.


You're being downvoted because you didn't invest much in the way of your own troubleshooting (i.e. you made no queries of your own against the duckdns.org DNS servers), but this is almost certainly not the fault of the DNS servers you're querying.

  • Your first hint is the fact that both of your host lookups include a timeout in their output. Something strange is going on here.
  • It turns out the timing out query is an IPv6 (AAAA) lookup for www.duckdns.org. A little research on my end suggests that your ISP and Google's DNS servers are barfing on it because the reply from the duckdns.org nameservers is completely broken:

```
# dig @ns1.duckdns.org www.duckdns.org AAAA +noall +question +answer

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @ns1.duckdns.org www.duckdns.org AAAA +noall +question +answer
; (1 server found)
;; global options: +cmd
;www.duckdns.org.               IN      AAAA
www.duckdns.org.        20      IN      A       50.112.156.11
```

Note how this request was for a AAAA record but we instead got a reply back for an A record. WTF?

Further research gives me more indicators that the DNS configuration for this domain and the software running it are very flaky:

  • Glue inconsistency. The glue for duckdns.org lists three NS records but the authoritative zone only lists one. (`dig +trace +additional duckdns.org` to see this in action) It looks like the individual DNS servers are returning only themselves when queried for the NS record. The other two NS records are probably being lost by DNS servers on refresh, which will lead to some interesting availability issues.
  • The TTL is 20 seconds for their www record which is likely to be ignored by most self-respecting DNS software.
  • If I ask Comcast for duckdns.org NS, I get SERVFAIL. This stuff is really, really broken.

In short, I don't think these people know what they're doing and I would hesitate to blame any intermediate DNS servers for whatever weird things encountered from interacting with this domain. The operators are novices and the software is clearly broken in some cases. I have zero confidence that this service is consistently RFC compliant in its software implementation, and whenever that's in question there's no telling how other servers are going to react to the broken behavior.

I would say that I would not trust the operators with my money but they're not asking for it. Instead, I'll go one step beyond "you're getting what you're paying for" and say that you could not pay me to use this service. There is no DNS professional involved in this.

Andrew B
  • Their website also looks utterly and completely unprofessional... – Massimo Aug 12 '15 at 21:46
  • 2
    @Massimo Eh, I can deal with minimalist if the function is there. I know many smart people who do their web design that way. Making the service publicly available in this state without significant disclaimers and [claiming 15 years of experience in "the industry"](http://www.duckdns.org/about.jsp) is a totally different ballgame. I'll feel slightly bad if the owners stumble across this and get their feelings hurt, but I have very strong opinions when it comes to irresponsible DNS configurations. – Andrew B Aug 12 '15 at 21:51
  • 2
    @Massimo I think Andrew's point is that no matter the reason why their website looks the way it does (and whether it's minimalist or something less flattering) the bigger problem is that the actual DNS service appears to be broken as of right now. – Håkan Lindqvist Aug 12 '15 at 22:01
  • @Håkan On that note, just now I was exploring whether this was the result of a broken implementation of wildcard records and discovered that they return a status code of `?51` (so says dig, haven't looked at the raw bytes) when queried for a non-existent record of 4 characters or longer. This is a trainwreck. – Andrew B Aug 12 '15 at 22:14
  • 1
    @AndrewB Their regular `RCODE` value is 3 (`0011`) which would be `NXDOMAIN` in itself, which would have been fine but they've also set the EDNS0 `OPT` `EXTENDED-RCODE` field to 3 (`00000011`), which gives a combined RCODE of 51 (`000000110011`) as indicated by dig. (Displayed as a numerical value as it is unknown to dig, and unknown to everyone else for that matter.) – Håkan Lindqvist Aug 12 '15 at 22:35
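
The two malformed replies discussed in this thread (an A record returned for an AAAA question, and header RCODE 3 combined with EXTENDED-RCODE 3 to give 51), checked over DNS wire format in Python. This is an added example, not part of the original posts: `audit`, `build` and the sample messages are constructed for illustration, and the check assumes one question per message and a plain (non-ANY, non-DNSSEC) query.

```python
import struct

TYPE_A, TYPE_CNAME, TYPE_AAAA, TYPE_OPT = 1, 5, 28, 41
ASSIGNED_RCODES = set(range(12)) | set(range(16, 24))  # IANA DNS RCODE registry
QNAME = b"\x03www\x07duckdns\x03org\x00"

def skip_name(msg, off):
    """Return the offset just past the domain name that starts at off."""
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n
        if n == 0:  # root label ends the name
            return off

def audit(msg):
    """Return (combined_rcode, findings) for a response with one question."""
    _id, flags, _qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = skip_name(msg, 12) + 4  # QNAME, then QTYPE and QCLASS
    (qtype,) = struct.unpack_from("!H", msg, off - 4)
    rcode, findings = flags & 0x0F, []
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if i < an and rtype not in (qtype, TYPE_CNAME):
            findings.append(f"answer type {rtype} does not match question type {qtype}")
        if rtype == TYPE_OPT:  # top 8 bits of the OPT TTL are EXTENDED-RCODE
            rcode |= (ttl >> 24) << 4
    if rcode not in ASSIGNED_RCODES:
        findings.append(f"RCODE {rcode} is unassigned")
    return rcode, findings

def build(qtype, rcode=0, answers=(), ext_rcode=None):  # constructed sample response
    msg = struct.pack("!6H", 0x1234, 0x8400 | rcode, 1, len(answers), 0, int(ext_rcode is not None))
    msg += QNAME + struct.pack("!HH", qtype, 1)
    for rtype, ttl, rdata in answers:  # owner name is a pointer back to QNAME
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    if ext_rcode is not None:  # OPT pseudo-RR: root name, class = UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ext_rcode << 24, 0)
    return msg

A_FOR_AAAA = build(TYPE_AAAA, answers=[(TYPE_A, 20, bytes([50, 112, 156, 11]))])
NODATA = build(TYPE_AAAA)                       # NOERROR with zero answers
RCODE_51 = build(TYPE_A, rcode=3, ext_rcode=3)  # header 0011, OPT 00000011

if __name__ == "__main__":
    print(audit(A_FOR_AAAA), audit(NODATA), audit(RCODE_51))
```

A well-formed NXDOMAIN sent with EDNS0 keeps EXTENDED-RCODE at 0, so `audit(build(TYPE_A, rcode=3, ext_rcode=0))` reports RCODE 3 with no findings.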