Search code examples
amazon-web-servicesamazon-route53dig

Amazon Route53: `dig +tcp` gets current data, dig (UDP) lags behind

I had a typo in my DNS zone on Amazon Route53. I had an IP starting in 53 when it should have been 52. I have now changed it on Route53, but I'm still getting old data from dig and from other resolver mechanisms that use UDP. If I force TCP, I get the correct data.

Here is the actual DNS record on Route53 as of this instant, expressed in BIND syntax:

$ORIGIN templatolio.com.
@       3600    IN      A       52.32.48.83

Here is the result using UDP. Note that the ANSWER starts with 53 and Authority is 0:

C:\>dig templatolio.com @ns1.aleyant.net

; <<>> DiG 9.10.3-P4 <<>> templatolio.com @ns1.aleyant.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34565
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;templatolio.com.               IN      A

;; ANSWER SECTION:
templatolio.com.        2289    IN      A       53.32.48.83

;; Query time: 19 msec
;; SERVER: 205.251.199.16#53(205.251.199.16)
;; WHEN: Thu Sep 29 11:58:33 EDT 2016
;; MSG SIZE  rcvd: 60

Here is the result using TCP. Note that the ANSWER starts with 52, as it should:

C:\>dig +tcp templatolio.com @ns1.aleyant.net

; <<>> DiG 9.10.3-P4 <<>> +tcp templatolio.com @ns1.aleyant.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59721
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 8, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;templatolio.com.               IN      A

;; ANSWER SECTION: 
templatolio.com.        3600    IN      A       52.32.48.83

;; AUTHORITY SECTION:
templatolio.com.        3600    IN      NS      ns-1437.awsdns-51.org.
templatolio.com.        3600    IN      NS      ns-1808.awsdns-34.co.uk.
templatolio.com.        3600    IN      NS      ns-670.awsdns-19.net.
templatolio.com.        3600    IN      NS      ns-88.awsdns-11.com.
templatolio.com.        3600    IN      NS      ns1.aleyant.net.
templatolio.com.        3600    IN      NS      ns2.aleyant.net.
templatolio.com.        3600    IN      NS      ns3.aleyant.net.
templatolio.com.        3600    IN      NS      ns4.aleyant.net.

;; ADDITIONAL SECTION:
ns1.aleyant.net.        3600    IN      A       205.251.199.16
ns2.aleyant.net.        3600    IN      A       205.251.194.158
ns3.aleyant.net.        3600    IN      A       205.251.197.157
ns4.aleyant.net.        300     IN      A       205.251.192.88

;; Query time: 23 msec
;; SERVER: 205.251.199.16#53(205.251.199.16)
;; WHEN: Thu Sep 29 11:59:00 EDT 2016
;; MSG SIZE  rcvd: 340

Just had a thought: could this be my ISP bogarting the UDP DNS packet?

Solution

  • Duh. I was connected to a VPN using my Array Networks VPN for Desktop client, and it was that VPN client that was trapping UDP 53. Not a Route53 problem at all.