08 September 2012

Commonwealth Bank DNS Weirdness

Whenever I try to log in to netbank, I get this error after submitting my authentication details:
https://www2.my.commbank.com.au/netbank/Portfolio/Home/Home.aspx
...
Error 7 (net::ERR_TIMED_OUT): The operation timed out.

Looking at the NS records for my.commbank.com.au shows us 2 IPv4 DNS servers:
tank ~ # dig ns my.commbank.com.au
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>> ns my.commbank.com.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24674
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;my.commbank.com.au. IN NS
;; ANSWER SECTION:
my.commbank.com.au. 177 IN NS bl1ca-pr-cclb01.my.commbank.com.au.
my.commbank.com.au. 177 IN NS NW2CA-PR-CCLB01.my.commbank.com.au.

;; ADDITIONAL SECTION:
NW2CA-PR-CCLB01.my.commbank.com.au. 19 IN A 140.168.131.10
bl1ca-pr-cclb01.my.commbank.com.au. 19 IN A 140.168.70.10
;; Query time: 22 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Sep  8 09:47:29 2012
;; MSG SIZE  rcvd: 128

These 2 servers appear to be misbehaving and the cause of my problems. They are very happy to promptly provide A records for www2.my.commbank.com.au:
tank ~ # dig www2.my.commbank.com.au a @140.168.70.10
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>> www2.my.commbank.com.au a @140.168.70.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5702
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www2.my.commbank.com.au. IN A
;; ANSWER SECTION:
www2.my.commbank.com.au. 20 IN A 140.168.131.23

;; Query time: 40 msec
;; SERVER: 140.168.70.10#53(140.168.70.10)
;; WHEN: Sat Sep  8 09:56:38 2012
;; MSG SIZE  rcvd: 57
tank ~ # dig www2.my.commbank.com.au a @140.168.131.10
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>> www2.my.commbank.com.au a @140.168.131.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47090
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www2.my.commbank.com.au. IN A
;; ANSWER SECTION:
www2.my.commbank.com.au. 20 IN A 140.168.131.23

;; Query time: 38 msec
;; SERVER: 140.168.131.10#53(140.168.131.10)
;; WHEN: Sat Sep  8 09:56:42 2012
;; MSG SIZE  rcvd: 57

But when queried for AAAA records, they zip their lips and refuse to provide any information:
tank ~ # dig www2.my.commbank.com.au aaaa @140.168.70.10
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>> www2.my.commbank.com.au aaaa @140.168.70.10
;; global options: +cmd
;; connection timed out; no servers could be reached
tank ~ # dig www2.my.commbank.com.au aaaa @140.168.131.10
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>> www2.my.commbank.com.au aaaa @140.168.131.10
;; global options: +cmd
;; connection timed out; no servers could be reached

All these tests were performed on my firewall (dual stack enabled), and are repeatable on other dual-stack and single-stack IPv4 hosts in various geographic locations and on various connectivity providers.

Dear Commonwealth Bank IT; you can't just ignore IPv6. Either serve up some AAAA records, or at least RESPOND when I ask for them please so I can fail back to IPv4.
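
One way to check every authoritative server of a zone for this failure mode, as an added example that is not part of the original post: it classifies dig's output per query type and flags servers that answer A but never reply to AAAA. The function names classify_dig and probe_zone are made up for illustration, and dig and awk are assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Function names are hypothetical.

# classify_dig: read dig output on stdin and print one of
#   ANSWER   NOERROR with at least one answer record
#   NODATA   NOERROR with zero answers (name exists, no record of that type);
#            this is the reply that lets a client fall back to IPv4 quickly
#   TIMEOUT  no reply at all (the query was dropped somewhere on the path)
#   <rcode>  any other status, verbatim (NXDOMAIN, SERVFAIL, REFUSED, ...)
classify_dig() {
    awk '
        /connection timed out/ { print "TIMEOUT"; done = 1; exit }
        /opcode:/ {             # ";; ->>HEADER<<- opcode: ..., status: X, id: N"
            for (i = 1; i < NF; i++)
                if ($i == "status:") { rcode = $(i + 1); sub(/,/, "", rcode) }
        }
        /^;; flags:/ {          # ";; flags: ...; QUERY: 1, ANSWER: N, ..."
            for (i = 1; i < NF; i++)
                if ($i == "ANSWER:") { n = $(i + 1); sub(/,/, "", n) }
        }
        END {
            if (done) exit
            if (rcode == "") print "UNKNOWN"
            else if (rcode != "NOERROR") print rcode
            else if (n + 0 > 0) print "ANSWER"
            else print "NODATA"
        }'
}

# probe_zone ZONE NAME: ask each authoritative server of ZONE directly for
# NAME's A and AAAA records and report how each query type is treated.
probe_zone() {
    zone=$1
    name=$2
    for ns in $(dig +short NS "$zone"); do
        a=$(dig +norecurse +tries=2 +time=3 "$name" A "@$ns" | classify_dig)
        aaaa=$(dig +norecurse +tries=2 +time=3 "$name" AAAA "@$ns" | classify_dig)
        verdict="ok"
        if [ "$a" != "TIMEOUT" ] && [ "$aaaa" = "TIMEOUT" ]; then
            verdict="AAAA silently dropped"
        fi
        printf '%s A=%s AAAA=%s %s\n' "$ns" "$a" "$aaaa" "$verdict"
    done
}

# Run a probe only when both arguments are given on the command line.
if [ $# -eq 2 ]; then probe_zone "$1" "$2"; fi
```

Saved as a script and run with the zone and the host name as its two arguments (for the case above, my.commbank.com.au and www2.my.commbank.com.au), it prints one line per name server.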

1 comment:

  1. The same thing happens with ids.rr.com when logging into Time Warner Cable's Web site in the US for account management. They appear to be so paranoid when it comes to handing out AAAA records, as if their firewall has DPI and simply drops queries which aren't NS, A, PTR, etc.
