<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div><span>Yeah, I think my result was a red herring. a.ns.facebook.com and b.ns.facebook.com still can't resolve the A record for star.facebook.com, despite things seemingly being back to normal now. The NS record is what's key and by the time I looked at it, it was fixed.</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal;"><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal;"><span>Why some people feel the need to get so clever with DNS is beyond me. How about just resolving the A records directly from the facebook.com NS servers, instead of via a CNAME to another group of DNS
servers? Would that be so difficult? Then you're shocked when there's an outage.</span></div><div><br></div> <div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"> <div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"> <div dir="ltr"> <font size="2" face="Arial"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Jeremy Chadwick <jdc@koitsu.org><br> <b><span style="font-weight: bold;">To:</span></b> Terry <t0psecret@yahoo.com> <br><b><span style="font-weight: bold;">Cc:</span></b> Richard Mahoney <richard.mahoney@tracesmart.co.uk>; Corey Quinn <corey@sequestered.net>; "outages@outages.org" <outages@outages.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Monday, December 10, 2012 6:40 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [outages] Facebook<br> </font> </div> <br>
I could have provided dig +trace output but this is shorter and reads<br>easier.<br><br>It looks like records get looked up as follows (and I'm excluding the<br>root server lookups, i.e. . --> .com --> <a target="_blank" href="http://facebook.com/">facebook.com</a>):<br><br>facebook.com. 147814 IN NS <a target="_blank" href="http://b.ns.facebook.com/">b.ns.facebook.com</a>.<br>facebook.com. 147814 IN NS <a target="_blank" href="http://a.ns.facebook.com/">a.ns.facebook.com</a>.<br><br>And the A records:<br><br>a.ns.facebook.com. 172573 IN A 69.171.239.12<br>b.ns.facebook.com. 172573 IN A 69.171.255.12<br><br>The SOA for facebook.com (domain itself) hasn't
been changed since<br>2012/12/07 (if SOA serial is truly kept in lines with the YYYYMMDD<br>model).<br><br>69.171.239.12 when queried for any records for <a target="_blank" href="http://www.facebook.com/">www.facebook.com</a><br>results in a CNAME response to <a target="_blank" href="http://star.facebook.com/">star.facebook.com</a>. It's probably named<br>"star" to indicate asterisk (*):<br><br>www.facebook.com. 338 IN CNAME star.facebook.com.<br>star.facebook.com. 1238 IN NS <a target="_blank" href="http://glb2.facebook.com/">glb2.facebook.com</a>.<br>star.facebook.com. 1238 IN NS <a target="_blank" href="http://glb1.facebook.com/">glb1.facebook.com</a>.<br><br>And the A records:<br><br>glb1.facebook.com. 3038
IN A 69.171.239.10<br>glb2.facebook.com. 3038 IN A 69.171.255.10<br><br>glb obviously stands for "global load balancer", though I have no idea<br>what device they use (F5s, Citrix Netscalers, Alteons (god forbid), or<br>something home-grown).<br><br>Given the below analysis from Terry, it looks to me like:<br><br>a) one or both of their load balancers may have been overloaded briefly<br> and did not respond to DNS queries (or possibly something at layer 2<br> or layer 3 was affecting this)<br>b) one or more of the nameservers *behind* glb[12].facebook.com were<br> overloaded or broken in some way, or layer 2/3 was responsible for<br> breakage (between glbs and nameservers)<br><br>The only people who know for certain are -- yup -- the Facebook folks.<br><br>And naturally this is me doing my testing from a single
source, so its<br>possible they use anycast to distribute some of their load, in which<br>case the above analysis (despite speculative) is still correct, except<br>what actual devices/networks are involved would be different.<br><br>You're welcome. :-)<br><br>-- <br>| Jeremy Chadwick <a ymailto="mailto:jdc@koitsu.org" href="mailto:jdc@koitsu.org">jdc@koitsu.org</a> |<br>| UNIX Systems Administrator http://jdc.koitsu.org/ |<br>| Mountain View, CA, US |<br>| Making life hard for others since 1977. PGP 4BD6C0CB |<br><br>On Mon, Dec 10, 2012 at 03:24:28PM -0800, Terry wrote:<br>> Still
broke here. Silly CNAMEs.<br>> <br>> ~ > nslookup<br>> > server a.ns.facebook.com<br>> Default server: a.ns.facebook.com<br>> Address: 69.171.239.12#53<br>> <br>> > www.facebook.com<br>> Server: ? ? ? ? a.ns.facebook.com<br>> Address: ? ? ? ?69.171.239.12#53<br>> www.facebook.com ? ? ? ?canonical name = star.facebook.com.<br>> <br>> <br>> > star.facebook.com<br>> Server: ? ? ? ? a.ns.facebook.com<br>> Address: ? ? ? ?69.171.239.12#53<br>> <br>> Non-authoritative answer:<br>> *** Can't find star.facebook.com: No answer<br>> <br>> <br>> ________________________________<br>> From: Richard Mahoney <<a ymailto="mailto:richard.mahoney@tracesmart.co.uk" href="mailto:richard.mahoney@tracesmart.co.uk">richard.mahoney@tracesmart.co.uk</a>><br>> To: Corey Quinn <<a ymailto="mailto:corey@sequestered.net" href="mailto:corey@sequestered.net">corey@sequestered.net</a>>;
"<a ymailto="mailto:outages@outages.org" href="mailto:outages@outages.org">outages@outages.org</a>" <<a ymailto="mailto:outages@outages.org" href="mailto:outages@outages.org">outages@outages.org</a>> <br>> Sent: Monday, December 10, 2012 6:21 PM<br>> Subject: Re: [outages] Facebook<br>> <br>> <br>> <br>> Seems to be resolving again now on Virgin Media (UK). Guess it was just a hiccup.<br>> ?<br>> PS C:\Windows\system32> nslookup www.facebook.com<br>> Server:? (removed)<br>> Address:? (removed)<br>> ?<br>> Non-authoritative answer:<br>> Name:??? star.facebook.com<br>> Addresses:? 2a03:2880:2110:9f02:face:b00c:0:4<br>> ????????? 69.171.247.20<br>> Aliases:? www.facebook.com<br>> ?<br>> Kind regards<br>> ?<br>> Richard Mahoney, CEH?<br>> Systems Administrator<br>> Tracesmart<br>> T?029 2067 8534????M?07714 486543????E?<a
ymailto="mailto:richard.mahoney@tracesmart.co.uk" href="mailto:richard.mahoney@tracesmart.co.uk">richard.mahoney@tracesmart.co.uk</a><br>> www.tracesmartcorporate.co.uk????www.traceiq.co.uk<br>> Global Reach ?Dunleavy Drive ?Cardiff ?CF11 0SN<br>> Follow us on?Twitter<br>> ISO/IEC 27001?CERTIFICATE: GB 10/81945<br>> We are proud to sponsor?missingpeople.org.uk<br>> This email and any attachments are confidential to Tracesmart Ltd and are solely for use by the intended recipient. If you are not the intended recipient you must not disclose, copy or distribute its contents to any other person nor make use of its contents in any way. If you have received this email in error please forward a copy to?<a ymailto="mailto:info@tracesmart.co.uk" href="mailto:info@tracesmart.co.uk">info@tracesmart.co.uk</a>?and remove it from your system.This email and any attachments have been scanned for the presence of computer viruses. Neither Tracesmart Ltd
nor the sender accepts any responsibility for computer viruses once this email has been transmitted. The content of this message may contain personal views, which are not the views of Tracesmart Ltd, unless specifically stated. Tracesmart may monitor email traffic data and also the content of email for the purposes of security and staff training.Tracesmart Ltd is a company registered in England & Wales with company registration number 3827062 whose registered<br>> office is at Global Reach, Dunleavy Drive, Cardiff CF11 0SN. ?Our Data Protection Number is Z708281X and our Consumer Credit Licence Number is 565961.<br>> ?<br>> From:<a ymailto="mailto:outages-bounces@outages.org" href="mailto:outages-bounces@outages.org">outages-bounces@outages.org</a> [mailto:<a ymailto="mailto:outages-bounces@outages.org" href="mailto:outages-bounces@outages.org">outages-bounces@outages.org</a>] On Behalf Of Corey Quinn<br>> Sent: 10 December 2012
23:15<br>> To: <a ymailto="mailto:outages@outages.org" href="mailto:outages@outages.org">outages@outages.org</a><br>> Subject: Re: [outages] Facebook<br>> ?<br>> Can you be a bit more specific? ?"Works for me."<br>> ?<br>> cquinn@quinntel ~ % dig facebook.com ? ? ? ? ? ? ? 5344 15:14:37 Mon 12-10-2012<br>> ?<br>> ; <<>> DiG 9.9.1-P2 <<>> facebook.com<br>> ;; global options: +cmd<br>> ;; Got answer:<br>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63691<br>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 2, ADDITIONAL: 3<br>> ?<br>> ;; OPT PSEUDOSECTION:<br>> ; EDNS: version: 0, flags:; udp: 4096<br>> ;; QUESTION SECTION:<br>> ;facebook.com.??????????????????????????????????? IN??????? A<br>> ?<br>> ;; ANSWER SECTION:<br>> facebook.com.???????????? 7200??? IN??????? A???????? 66.220.152.16<br>> facebook.com.???????????? 7200??? IN???????
A???????? 69.171.224.32<br>> facebook.com.???????????? 7200??? IN??????? A???????? 173.252.100.16<br>> facebook.com.???????????? 7200??? IN??????? A???????? 69.171.229.16<br>> facebook.com.???????????? 7200??? IN??????? A???????? 173.252.101.16<br>> facebook.com.???????????? 7200??? IN??????? A???????? 66.220.158.16<br>> ?<br>> ;; AUTHORITY SECTION:<br>> facebook.com.???????????? 139086??????????? IN??????? NS?????? a.ns.facebook.com.<br>> facebook.com.???????????? 139086??????????? IN??????? NS?????? b.ns.facebook.com.<br>> ?<br>> ;; ADDITIONAL SECTION:<br>> a.ns.facebook.com.????? 139086??????????? IN??????? A???????? 69.171.239.12<br>> b.ns.facebook.com.????? 139086??????????? IN??????? A???????? 69.171.255.12<br>> ?<br>> ;; Query time: 50 msec<br>> ;; SERVER: 10.201.1.103#53(10.201.1.103)<br>> ;; WHEN: Mon Dec 10 15:14:40 2012<br>> ;; MSG SIZE ?rcvd: 204<br>> ?<br>> ?<br>> On Dec 10, 2012,
at 3:12 PM, Richard Mahoney <<a ymailto="mailto:richard.mahoney@tracesmart.co.uk" href="mailto:richard.mahoney@tracesmart.co.uk">richard.mahoney@tracesmart.co.uk</a>> wrote:<br>> <br>> <br>> Seeing DNS issues for Facebook here.<br>> Anyone else?<br>> ?<br>> Kind regards<br>> ?<br>> Richard Mahoney, CEH?<br>> Systems Administrator<br>> Tracesmart<br>> T?029 2067 8534????M?07714 486543????E?<a ymailto="mailto:richard.mahoney@tracesmart.co.uk" href="mailto:richard.mahoney@tracesmart.co.uk">richard.mahoney@tracesmart.co.uk</a><br>> www.tracesmartcorporate.co.uk????www.traceiq.co.uk<br>> Global Reach ?Dunleavy Drive ?Cardiff ?CF11 0SN<br>> Follow us on?Twitter<br>> ISO/IEC 27001?CERTIFICATE: GB 10/81945<br>> We are proud to sponsor?missingpeople.org.uk<br>> This email and any attachments are confidential to Tracesmart Ltd and are solely for use by the intended recipient. If you are not the intended
recipient you must not disclose, copy or distribute its contents to any other person nor make use of its contents in any way. If you have received this email in error please forward a copy to?<a ymailto="mailto:info@tracesmart.co.uk" href="mailto:info@tracesmart.co.uk">info@tracesmart.co.uk</a>?and remove it from your system.This email and any attachments have been scanned for the presence of computer viruses. Neither Tracesmart Ltd nor the sender accepts any responsibility for computer viruses once this email has been transmitted. The content of this message may contain personal views, which are not the views of Tracesmart Ltd, unless specifically stated. Tracesmart may monitor email traffic data and also the content of email for the purposes of security and staff training.Tracesmart Ltd is a company registered in England & Wales with company registration number 3827062 whose registered<br>> office is at Global Reach, Dunleavy Drive,
Cardiff CF11 0SN. ?Our Data Protection Number is Z708281X and our Consumer Credit Licence Number is 565961.<br>> ?<br>> _______________________________________________<br>> Outages mailing list<br>> <a ymailto="mailto:Outages@outages.org" href="mailto:Outages@outages.org">Outages@outages.org</a><br>> <a href="https://puck.nether.net/mailman/listinfo/outages" target="_blank">https://puck.nether.net/mailman/listinfo/outages</a><br>> ?<br>> _______________________________________________<br>> Outages mailing list<br>> <a ymailto="mailto:Outages@outages.org" href="mailto:Outages@outages.org">Outages@outages.org</a><br>> <a href="https://puck.nether.net/mailman/listinfo/outages" target="_blank">https://puck.nether.net/mailman/listinfo/outages</a><br><br>> _______________________________________________<br>> Outages mailing list<br>> <a ymailto="mailto:Outages@outages.org"
href="mailto:Outages@outages.org">Outages@outages.org</a><br>> <a href="https://puck.nether.net/mailman/listinfo/outages" target="_blank">https://puck.nether.net/mailman/listinfo/outages</a><br><br><br><br> </div> </div> </div></body></html>