Potential DNS misconfiguration

دعم الموقع

الدعم → دعم الموقع

نشر بواسطة agneev
STAFFMOD
في أكتوبر 11, 2021 عند الساعة 2:21 مساءا

Hello,

It seems that the DNS for image.tmdb.org is misconfigured.

Usually host names pointing to CDNs have CNAMEs associated with it, but there's no CNAME with this domain. As a result, I get directed to a CDN that has a RTT of 134ms instead of 2ms to a local Cloudfront edge location.

I further tested this theory by manually setting the IPs to 65.8.0.30, which is a common ECS anycast IP returned for many lookups concerning Cloudfront. Sure enough all images were being loaded from the nearest PoP.

I can't seem to upload screenshots here but I can explain this in more detail if needed.

7 ردود (على هذه الصفحة 1 من 1)

• Jump to last post

رد بواسطة Travis Bell

STAFFMOD

بتاريخ أكتوبر 12, 2021 في 12:40 مساءا

Hi @agneev,

I can't speak to anything other than how CloudFront has you setup DNS records through the Route 53 UI. When you choose a DNS hostname with a CloudFront distribution, it's Route 53 that creates the alias record. It's all an integrated set of services you use their UI to create.

$ dig image.tmdb.org

; <<>> DiG 9.10.6 <<>> image.tmdb.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16223
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;image.tmdb.org.            IN  A

;; ANSWER SECTION:
image.tmdb.org.     45  IN  A   13.224.7.124
image.tmdb.org.     45  IN  A   13.224.7.29
image.tmdb.org.     45  IN  A   13.224.7.37
image.tmdb.org.     45  IN  A   13.224.7.92

;; Query time: 50 msec
;; SERVER: 192.168.4.1#53(192.168.4.1)
;; WHEN: Tue Oct 12 10:31:01 MDT 2021
;; MSG SIZE  rcvd: 163

Is my current set of replied IPs, which seem to be my closest POP. CloudFront is returning the SEA19-C2 edge for my requests, which is in Seattle. 50ms is about as good as I can expect given that I'm on Starlink and latency doesn't ever get a whole lot better than ~35ms.

رد بواسطة agneev

STAFFMOD

بتاريخ أكتوبر 13, 2021 في 2:24 صباحا

Hey Travis 👋

Cloudfront relies on ECS to steer clients to a closer PoP. Cloudflare doesn't support that. Google, OpenDNS are among a handful that do. Here's a site that shows this.

To give you an example of a Cloudfront image-serving domain that hits the local cache:

# Using Google DNS
❯ kdig +short +tls @8.8.8.8 images.kitchenstories.io
dcj15sbom9jgt.cloudfront.net.
54.192.181.57
54.192.181.116
54.192.181.99
54.192.181.104
❯ ping 54.192.181.57
PING 54.192.181.57 (54.192.181.57) 56(84) bytes of data.
64 bytes from 54.192.181.57: icmp_seq=1 ttl=245 time=2.15 ms

# Using Cloudflare DNS
❯ kdig +short +tls @1.1.1.1 images.kitchenstories.io
dcj15sbom9jgt.cloudfront.net.
13.227.214.128
13.227.214.12
13.227.214.125
13.227.214.123
❯ ping 13.227.214.128
PING 13.227.214.128 (13.227.214.128) 56(84) bytes of data.
64 bytes from 13.227.214.128: icmp_seq=1 ttl=246 time=34.1 ms

Comparatively, image.tmdb.org doesn't return any Cloudfront CNAMEs and seems to return the same set of IPs regardless of the DNS.

❯ kdig +short +tls @1.1.1.1 image.tmdb.org
52.84.45.103
52.84.45.112
52.84.45.124
52.84.45.125
❯ kdig +short +tls @8.8.8.8 image.tmdb.org
52.84.45.125
52.84.45.103
52.84.45.112
52.84.45.124

❯ curl -v "http://image.tmdb.org/t/p/original/dzJtsLspH5Bf8Tvw7OQC47ETNfJ.jpg"
*   Trying 52.84.45.103:80...
...
< X-Cache: Hit from cloudfront
< Via: 1.1 d1807b809d16999d513cc543f4da6952.cloudfront.net (CloudFront)
< X-Amz-Cf-Pop: MRS52-P1
< X-Amz-Cf-Id: _v8G5heWamdUKdwx6aYza7FJ_0gx_IUZPIYDoYfH3wybUVtVCbzPDg==
# Connected to a data center in Marseille in France
# Ping latency: ~130ms

# Using a DNS rewrite
❯ dig +short image.tmdb.org
65.8.0.30
❯ curl -v "http://image.tmdb.org/t/p/original/dzJtsLspH5Bf8Tvw7OQC47ETNfJ.jpg"
*   Trying 65.8.0.30:80...
...
< X-Cache: Miss from cloudfront
< Via: 1.1 c6cf11c9a6d40f18c613fe75ae07110b.cloudfront.net (CloudFront)
< X-Amz-Cf-Pop: CCU50-C2
< X-Amz-Cf-Id: HgChPSfNEUFdgXE6WeWZFwnTf_k-d_7q0OKI9j9zwLFlUhK8hHWXxQ==
# Using a local data center

Since the DNS isn't returning IPs from this PoP, there's misses from the PoP cache, so there's no point of creating a DNS rewrite as of now.

All other domains that use Cloudfront hit the local PoP. I'm not familiar with Route 53, but maybe there's a way you could enable ECS, if there's such an option?

رد بواسطة agneev

STAFFMOD

بتاريخ أكتوبر 13, 2021 في 2:39 صباحا

I found a support article that might be helpful.

رد بواسطة agneev

STAFFMOD

بتاريخ أكتوبر 30, 2021 في 2:09 صباحا

Hey @travisbell, don't mean to rush you but is there an update on this?

رد بواسطة Travis Bell

STAFFMOD

بتاريخ أكتوبر 30, 2021 في 11:33 صباحا

Hi @agneev,

I suspect the reason you're not being forwarded to the POP you are expecting is the closest pop is because we are only paying for the "100" price class. The details on that are located here. We pay for POP's in North America, Europe and Israel.

If you run the same tests on www.themoviedb.org, are the results what you expect? We pay for the top price class on www.themoviedb.org, so it should perform differently than image.tmdb.org.

This hadn't occurred to me until I was reminded when I read through this support article.

رد بواسطة agneev

STAFFMOD

بتاريخ أكتوبر 31, 2021 في 1:40 صباحا

Indeed Google DNS returns IPs for the local edge for www.themoviedb.org. I wasn't aware of Cloudfront pricing tbh.

رد بواسطة Travis Bell

STAFFMOD

بتاريخ أكتوبر 31, 2021 في 11:03 صباحا

Ok, perfect, happy to have been able to help figure this out.

المستخدمين في هذه المحادثة

الفئات

دعم الموقع