“Intelligently designed” DNS?

The Uncommon Descent blog (hostname www.uncommondescent.com) is one of the showcase sites of the Intelligent Design movement.  In this post, I shall discuss their DNS setup, which does not look to me like an example of intelligent design.

Step 1:  I look up “www.uncommondescent.com” at the “.COM” servers.  Their response is a delegation to “ns1.mediatemple.net” and “ns2.mediatemple.net”.

Step 2: I look up the name at the mediatemple nameservers.  They respond with a CNAME record, showing that “www.uncommondescent.com” is an alias for “www.uncommondescent.com.cdn.cloudflare.net”.  The TTL for this record is 43200 seconds (or 12 hours).

Step 3: I look up “www.uncommondescent.com.cdn.cloudflare.net” at the “.NET” servers.  They respond with a delegation to “fred.ns.cloudflare.com” and “jean.ns.cloudflare.com”.

Step 4: I repeat the lookup at those cloudflare.com DNS servers.  Their response is a CNAME record showing that “www.uncommondescent.com.cdn.cloudflare.net” is an alias for “cf-protected-www.uncommondescent.com.cdn.cloudflare.net”.  This record has a TTL (time to live) of 30 seconds.

Step 5: I look up “cf-protected-www.uncommondescent.com.cdn.cloudflare.net” at the cloudflare.com servers.  The response is two A records, giving the IP addresses 173.245.60.32 and 173.245.61.98.  Those A records have a TTL of 30 seconds.

So what’s wrong here?  The first problem is the use of a CNAME pointing to another CNAME.  That’s bad practice, even though it usually works.

The second (and main) problem is the use of 30 second TTLs at two levels in the lookup chain.  A 30 second TTL makes caching almost useless, with the result that the DNS lookup has to be repeated nearly every time.  Doing that at two levels compounds the problem.  If I point my browser to “www.uncommondescent.com”, there is a long delay before the page shows, and the browser status shows that it is looking up the hostname.

That does not look like intelligent design to me, unless the intention is to deliberately discourage use of the site.
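The chain above, walked the way a caching resolver would walk it. This is an added example, not code from the original post: the record table is a constructed snapshot of the answers in the dig output below (steps 2, 4 and 5), and a live check would replace it with real queries. The functions report the two problems described, a CNAME pointing to a CNAME and a chain whose effective cache lifetime is only 30 seconds, and refuse to follow a CNAME loop.

```python
# Added example, not from the original post: follow a CNAME chain and flag
# chained CNAMEs and short TTLs.  ZONE_SNAPSHOT is constructed from the dig output.
from dataclasses import dataclass

# name -> list of (rrtype, ttl, rdata), mirroring steps 2, 4 and 5 of the post
ZONE_SNAPSHOT = {
    "www.uncommondescent.com.": [
        ("CNAME", 43200, "www.uncommondescent.com.cdn.cloudflare.net.")],
    "www.uncommondescent.com.cdn.cloudflare.net.": [
        ("CNAME", 30, "cf-protected-www.uncommondescent.com.cdn.cloudflare.net.")],
    "cf-protected-www.uncommondescent.com.cdn.cloudflare.net.": [
        ("A", 30, "173.245.61.98"), ("A", 30, "173.245.60.32")],
}

@dataclass
class Hop:
    name: str
    rrtype: str
    ttl: int
    rdata: str

def follow_chain(records, name, max_hops=8):
    """Return every record a resolver must fetch to turn `name` into addresses."""
    hops, seen = [], set()
    while True:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rrs = records.get(name)
        if not rrs:
            raise LookupError(f"no records for {name}")
        cname = next((r for r in rrs if r[0] == "CNAME"), None)
        if cname is None:                     # end of chain: collect the A records
            hops.extend(Hop(name, t, ttl, rd) for t, ttl, rd in rrs if t == "A")
            return hops
        if len(hops) >= max_hops:
            raise ValueError("CNAME chain too long")
        hops.append(Hop(name, "CNAME", cname[1], cname[2]))
        name = cname[2]                       # follow the alias

def assess(hops, min_ttl=300):
    """Summarise the two problems the post describes for a resolved chain."""
    cnames = [h for h in hops if h.rrtype == "CNAME"]
    return {
        "cname_depth": len(cnames),                   # >1 means CNAME -> CNAME
        "effective_ttl": min(h.ttl for h in hops),    # cache life before a re-lookup
        "short_ttl_names": sorted({h.name for h in hops if h.ttl < min_ttl}),
    }
```

The 300 second threshold in `assess` is an assumed choice, matching the 5 minute TTL the site later moved to (see the first comment below).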

Details

Step 1:

% dig @a.gtld-servers.net www.uncommondescent.com any +norec

; <<>> DiG 9.7.3-P3 <<>> @a.gtld-servers.net www.uncommondescent.com any +norec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER< ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.uncommondescent.com. IN ANY

;; AUTHORITY SECTION:
uncommondescent.com. 172800 IN NS ns1.mediatemple.net.
uncommondescent.com. 172800 IN NS ns2.mediatemple.net.

;; ADDITIONAL SECTION:
ns1.mediatemple.net. 172800 IN A 64.207.128.246
ns2.mediatemple.net. 172800 IN A 70.32.65.137

;; Query time: 80 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Mon Oct 17 08:24:40 2011
;; MSG SIZE rcvd: 124

Step 2:

% dig @ns2.mediatemple.net. www.uncommondescent.com. any +norec
;; Warning: Message parser reports malformed message packet.
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.7.3-P3 <<>> @ns2.mediatemple.net. www.uncommondescent.com. any +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER< ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13

;; QUESTION SECTION:
;www.uncommondescent.com. IN ANY

;; ANSWER SECTION:
www.uncommondescent.com. 43200 IN CNAME www.uncommondescent.com.cdn.cloudflare.net.

;; AUTHORITY SECTION:
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net. 3600000 IN A 198.41.0.4
b.root-servers.net. 3600000 IN A 192.228.79.201
c.root-servers.net. 3600000 IN A 192.33.4.12
d.root-servers.net. 3600000 IN A 128.8.10.90
e.root-servers.net. 3600000 IN A 192.203.230.10
f.root-servers.net. 3600000 IN A 192.5.5.241
g.root-servers.net. 3600000 IN A 192.112.36.4
h.root-servers.net. 3600000 IN A 128.63.2.53
i.root-servers.net. 3600000 IN A 192.36.148.17
j.root-servers.net. 3600000 IN A 192.58.128.30
k.root-servers.net. 3600000 IN A 193.0.14.129
l.root-servers.net. 3600000 IN A 198.32.64.12
m.root-servers.net. 3600000 IN A 202.12.27.33

;; Query time: 103 msec
;; SERVER: 70.32.65.137#53(70.32.65.137)
;; WHEN: Mon Oct 17 08:25:56 2011
;; MSG SIZE rcvd: 513

Step 3:

% dig @a.gtld-servers.net www.uncommondescent.com.cdn.cloudflare.net any +norec

; <<>> DiG 9.7.3-P3 <<>> @a.gtld-servers.net www.uncommondescent.com.cdn.cloudflare.net any +norec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER< ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.uncommondescent.com.cdn.cloudflare.net. IN ANY

;; AUTHORITY SECTION:
cloudflare.net. 172800 IN NS fred.ns.cloudflare.com.
cloudflare.net. 172800 IN NS jean.ns.cloudflare.com.

;; ADDITIONAL SECTION:
fred.ns.cloudflare.com. 172800 IN A 173.245.59.113
jean.ns.cloudflare.com. 172800 IN A 173.245.58.121

;; Query time: 80 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Mon Oct 17 08:26:34 2011
;; MSG SIZE rcvd: 147

Step 4:

% dig @173.245.59.113 www.uncommondescent.com.cdn.cloudflare.net. any +norec

; <<>> DiG 9.7.3-P3 <<>> @173.245.59.113 www.uncommondescent.com.cdn.cloudflare.net. any +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER< ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.uncommondescent.com.cdn.cloudflare.net. IN ANY

;; ANSWER SECTION:
www.uncommondescent.com.cdn.cloudflare.net. 30 IN CNAME cf-protected-www.uncommondescent.com.cdn.cloudflare.net.

;; Query time: 29 msec
;; SERVER: 173.245.59.113#53(173.245.59.113)
;; WHEN: Mon Oct 17 08:27:12 2011
;; MSG SIZE rcvd: 91

Step 5:

% dig @173.245.59.113 cf-protected-www.uncommondescent.com.cdn.cloudflare.net. any +norec

; <<>> DiG 9.7.3-P3 <<>> @173.245.59.113 cf-protected-www.uncommondescent.com.cdn.cloudflare.net. any +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER< ;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cf-protected-www.uncommondescent.com.cdn.cloudflare.net. IN ANY

;; ANSWER SECTION:
cf-protected-www.uncommondescent.com.cdn.cloudflare.net. 30 IN A 173.245.61.98
cf-protected-www.uncommondescent.com.cdn.cloudflare.net. 30 IN A 173.245.60.32
cf-protected-www.uncommondescent.com.cdn.cloudflare.net. 86400 IN SOA ns.cloudflare.com. dns.cloudflare.com. 2011100203 10000 1600 604800 3600

;; Query time: 30 msec
;; SERVER: 173.245.59.113#53(173.245.59.113)
;; WHEN: Mon Oct 17 08:29:01 2011
;; MSG SIZE rcvd: 162

About Neil Rickert

Retired mathematician and computer scientist who dabbles in cognitive science.

5 responses to ““Intelligently designed” DNS?”

  1. Neil Rickert says :

    An update. Rechecking today, I see that they have increased the TTL of the A-records from 30 to 300 (or 5 minutes), and the TTL of the second CNAME from 30 to 600 (10 minutes). Those changes should reduce DNS lookup delays for the site.

  2. James Sutherland says :

    It’s much, much worse than that: they mis-handle wildcard records, with the result my CloudFlared domain now has both A *and* CNAME records for the www entry – the CNAME being an error on their part. (The RFC states the wildcard should only be served if NO RRs are present regardless of type, but CloudFlare’s “special” DNS server fails to implement the logic properly.)

    • Neil Rickert says :

      Interesting. Thanks.

      I get that they are wanting to be able to dynamically move hostnames around. But they should be able to do that without causing DNS lookup problems for end users. They seem to have not planned this well.

      • jas88 says :

        It’s a complete fiasco, and their “support” is faulty at best. I investigated a little further; in fact the problem was that they add a CNAME pointing “www” to “cf-protected-www” – which *should* presumably in turn point to their own servers, but is instead caught by the wildcard.

        When I reported the issue, the ticket was closed with “don’t use wildcards”. My preferred resolution is, of course, “don’t use Cloudflare”! It’s probably no coincidence that all three tickets I have opened, over several months, have been ignored by “Lyn”: tiny operation without real support?

        With hindsight, their insistence on taking over DNS hosting for the domain should have been a deal-breaker (it seems uncommondescent.org was set up before they made this change, but the resulting setup is no more intelligent now than it was then).

Trackbacks / Pingbacks

  1. The trouble with DNS redirection « Thoughts on computing - 2011/12/14
