It seems that antivirus company AVG can’t get their DNS setup right.
Today I spotted the following in syslog:
DNS format error from 204.193.144.47#53 resolving crashportal.avg.com/AAAA for client 127.0.0.1#34590: Name avg.com (SOA) not subdomain of zone crashportal.avg.com -- invalid response
So the AVG updater tried to contact, via IPv6 (a record of type AAAA was requested), a host called crashportal.avg.com. To do so it had to resolve that hostname to an IP address in order to submit a crash dump for a recent crash of their virus scanner (very trustworthy!), and the DNS resolver failed to resolve it. So why is this?
Let’s see:
# dig -t AAAA crashportal.avg.com

; <<>> DiG 9.9.5-9-Debian <<>> -t AAAA crashportal.avg.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21322
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
Huh? We can’t resolve this because our own server failed (SERVFAIL)? Let’s see what’s going on…
# dig -t SOA avg.com

; <<>> DiG 9.9.5-9-Debian <<>> -t SOA avg.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42124
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;avg.com.                       IN      SOA

;; ANSWER SECTION:
avg.com.                1160    IN      SOA     ns.grisoft.cz. domainadministration.avg.com. 2015061601 86400 3600 1209600 10800

;; AUTHORITY SECTION:
avg.com.                172607  IN      NS      a11-66.akam.net.
avg.com.                172607  IN      NS      a20-66.akam.net.
avg.com.                172607  IN      NS      a13-65.akam.net.
avg.com.                172607  IN      NS      a26-67.akam.net.
avg.com.                172607  IN      NS      a1-182.akam.net.
avg.com.                172607  IN      NS      a6-67.akam.net.
Ok, so the Akamai nameservers listed above should be able to help… Let’s see:
# dig -t AAAA crashportal.avg.com @a11-66.akam.net.

; <<>> DiG 9.9.5-9-Debian <<>> -t AAAA crashportal.avg.com @a11-66.akam.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63788
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;crashportal.avg.com.           IN      AAAA

;; AUTHORITY SECTION:
crashportal.avg.com.    300     IN      NS      gtm-atl.avg.com.
crashportal.avg.com.    300     IN      NS      gtm-self.avg.com.
crashportal.avg.com.    300     IN      NS      gtm-tnt.avg.com.

;; ADDITIONAL SECTION:
gtm-atl.avg.com.        3000    IN      A       204.193.144.47
gtm-tnt.avg.com.        3000    IN      A       173.245.115.70
gtm-self.avg.com.       3000    IN      A       212.96.161.252
So the Akamai server was not authoritative for this name and referred us (NS records for crashportal.avg.com in the AUTHORITY section, no aa flag) to a different set of servers.
Note that the IP address from my error message (204.193.144.47) belongs to one of the nameservers in that referral, gtm-atl.avg.com!
Ok, let’s ask that server:
# dig -t AAAA crashportal.avg.com @204.193.144.47

; <<>> DiG 9.9.5-9-Debian <<>> -t AAAA crashportal.avg.com @204.193.144.47
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47390
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;crashportal.avg.com.           IN      AAAA

;; AUTHORITY SECTION:
avg.com.                60      IN      SOA     gtm-tnt.avg.com. hostmaster.gtm-tnt.avg.com. 2015052909 10800 3600 604800 60
Why does this nameserver, which claims to be authoritative (aa flag set) and was asked for AAAA, answer with nothing but an SOA record for avg.com? It is not a delegation either, because (and this is exactly what the error message says) avg.com is not a subdomain of the zone crashportal.avg.com that we were just referred to; the SOA belongs to the zone above the cut, so the resolver rightly discards the reply as invalid. Duh!
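To make the resolver’s complaint concrete, here is a small, added example (written for this post, not BIND’s own code) that re-implements the sanity check a resolver applies to an empty NOERROR reply: the SOA in the AUTHORITY section has to sit inside the zone the parent delegated to the server being asked. The Response type and field names are my own simplification of a DNS reply.

```python
# Added example: a simplified version of the check a recursive resolver runs on a
# NODATA reply (NOERROR, zero answers, SOA in AUTHORITY). Not BIND's code.
from dataclasses import dataclass
from typing import Optional


def labels(name: str) -> tuple:
    """Split a DNS name into lowercase labels, root label first; trailing dot ignored."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def is_subdomain(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it. Compares whole labels, so
    'notavg.com' is NOT treated as a subdomain of 'avg.com'."""
    n, z = labels(name), labels(zone)
    return n[: len(z)] == z


@dataclass
class Response:
    """Hypothetical, minimal view of a DNS reply (constructed for this example)."""
    qname: str                    # name that was queried
    rcode: str                    # e.g. "NOERROR"
    answer_count: int             # records in the ANSWER section
    authority_soa: Optional[str]  # owner name of an SOA in AUTHORITY, if any
    aa: bool                      # authoritative-answer flag


def check_negative_response(resp: Response, delegated_zone: str) -> str:
    """Classify an empty reply. delegated_zone is the zone cut learned from the
    parent's NS referral (here: crashportal.avg.com from the Akamai servers)."""
    if resp.rcode != "NOERROR" or resp.answer_count > 0:
        return "not a negative response"
    if resp.authority_soa is None:
        return "no SOA: cannot prove NODATA"
    if not resp.aa:
        return "SOA ignored: reply not authoritative"
    if not is_subdomain(resp.qname, resp.authority_soa):
        return "invalid: qname not inside the SOA's zone"
    if not is_subdomain(resp.authority_soa, delegated_zone):
        # This is the case the syslog line reports: SOA owner above the zone cut.
        return (f"invalid: SOA owner {resp.authority_soa} not subdomain of "
                f"zone {delegated_zone}")
    return "valid NODATA"


# The reply gtm-atl.avg.com actually gave (values copied from the dig output above).
AVG_REPLY = Response("crashportal.avg.com", "NOERROR", 0, "avg.com", aa=True)
```

Calling `check_negative_response(AVG_REPLY, "crashportal.avg.com")` yields the same verdict as the resolver; with an SOA for crashportal.avg.com itself the same reply would be accepted as a valid NODATA answer.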
In my humble opinion it is very disappointing if an IT security company cannot even get the basics right, such as DNS.
This issue reminded me of another similar issue I observed a while ago: Avira can’t get their DNS Setup right. And guess what? This was an antivirus company, too…