idmsa.apple.com problematic, Sign-in to Apple discussions

Comments

13 comments

  • rotblitz

    This doesn't look like a DNS problem, but like a connectivity problem.  Btw, I do not face this problem when using OpenDNS, neither on iOS nor on Windows.

    -1
  • hcsitas (Edited)

    It could be location-dependent, both for origin and destination. Nonetheless, the problem instantly changes when DNS is changed, and goes away permanently with Q9. So I do believe Q9 is doing something better than Open.

    Thanks anyway.

    0
  • rotblitz (Edited)

    The fact that you have the same problem with Google Public DNS contradicts your theory.  I rather treat the Q9 case as coincidental.

    If it were a DNS problem, you would have to analyze the DNS query results, like:

    nslookup domain_name.

    Btw, Apple almost always uses CNAMEs, and they seem to use the CDN service of Akamai.

    nslookup idmsa.apple.com.
    Server: fritz.box
    Address: fd00::ca0e:14ff:fee9:8373

    Nicht autorisierende Antwort:
    Name: idmsa.apple.com.akadns.net
    Address: 17.179.252.96
    Aliases: idmsa.apple.com

    -1
  • hcsitas

    I treat the case with Q9 as completely related. And what *seems* frequently isn't. I did check the DNS results for idms.apple.com at Open, and it returned the same address for Europe and the US, although it split them up by country. That seems to point the problem towards DNS@Open.

    This must be related to higher security awareness both at Apple and Q9 and possible upgrades on their side, so let's hope experts at Open can figure it out and get Open up to date too. Not holding my breath, however; my account here is a free one.

    0
  • rotblitz (Edited)

    I have found something in the Q9 FAQ which could be related: they do not send the EDNS Client Subnet to authoritative nameservers.  If you get better DNS results than when sending the EDNS Client Subnet, then it is likely that your IP address is associated with the wrong location, i.e. some geo-location issue, as you mentioned.  You can test this here:
    https://www.iplocation.net/

    "let’s hope experts at Open can figure it out"

    In this case you must raise a support ticket, "Submit a request" above.  Staff do not strictly monitor contributions in the community forum...

    1
  • rotblitz (Edited)

    And indeed, I tested with a few domains' DNS queries, and typically Q9 returns IP addresses different from OpenDNS and Google.  Just an example:

    nslookup idmsa.apple.com. 8.8.8.8
    Server: google-public-dns-a.google.com
    Address: 8.8.8.8

    Nicht autorisierende Antwort:
    Name: idmsa.apple.com.akadns.net
    Address: 17.179.252.96
    Aliases: idmsa.apple.com


    nslookup idmsa.apple.com. 9.9.9.9
    Server: dns.quad9.net
    Address: 9.9.9.9

    Nicht autorisierende Antwort:
    Name: idmsa.apple.com.akadns.net
    Address: 17.32.194.38
    Aliases: idmsa.apple.com


    nslookup idmsa.apple.com. 208.67.220.220
    Server: resolver2.opendns.com
    Address: 208.67.220.220

    Nicht autorisierende Antwort:
    Name: idmsa.apple.com.akadns.net
    Address: 17.179.252.96
    Aliases: idmsa.apple.com

    That explains a lot...
    You should be aware that not sending the EDNS Client Subnet is suboptimal in many cases, especially in conjunction with CDNs.  In your individual case it is coincidentally the contrary, which can happen as well, but rather seldom.

    And this is what "experts at Open can figure it out" as well.  There is probably nothing that they could improve except to introduce different resolver addresses where the EDNS Client Subnet is not being used, so that you have the option to choose between the one and the other.

    1
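The EDNS Client Subnet mechanism discussed in this comment, as an added example that is not part of the thread or of any resolver's code: it builds a query for idmsa.apple.com that carries an ECS option (RFC 7871) for a constructed subnet, and decodes the option back out of a DNS message, which is the piece of the query a resolver forwards so a CDN's authoritative server can pick an address near the client. The function names are my own, and the subnets in the test are constructed documentation prefixes.

```python
# Added example (not from the thread): build and decode the EDNS Client Subnet option, RFC 7871.
import ipaddress
import struct

ECS_CODE, OPT_TYPE = 8, 41  # ECS option code (RFC 7871); OPT pseudo-RR type (RFC 6891)

def encode_name(name: str) -> bytes:
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ecs_option(subnet: str) -> bytes:
    # FAMILY, SOURCE PREFIX-LENGTH, SCOPE (0 in a query), then only the octets the prefix covers.
    net = ipaddress.ip_network(subnet, strict=False)
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    data = struct.pack("!HBB", 1 if net.version == 4 else 2, net.prefixlen, 0) + addr
    return struct.pack("!HH", ECS_CODE, len(data)) + data

def build_query(qname: str, subnet: str = "", txid: int = 0x1234) -> bytes:
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 if OPT attached.
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if subnet else 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if subnet:
        rdata = ecs_option(subnet)
        # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/flags.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return msg

def _skip_name(msg: bytes, pos: int) -> int:
    # Advance past a wire-format name; a compression pointer (top bits 11) ends the name.
    while msg[pos] != 0 and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] & 0xC0 == 0xC0 else 1)

def decode_ecs(msg: bytes) -> "str | None":
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4
    for _ in range(an + ns + ar):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        opt = pos = pos + 10
        while rtype == OPT_TYPE and opt + 4 <= pos + rdlen:
            code, olen = struct.unpack("!HH", msg[opt:opt + 4])
            body, opt = msg[opt + 4:opt + 4 + olen], opt + 4 + olen
            if code == ECS_CODE:
                family, prefix, _ = struct.unpack("!HBB", body[:4])
                raw = body[4:].ljust(4 if family == 1 else 16, b"\x00")
                return f"{ipaddress.ip_address(raw)}/{prefix}"
        pos += rdlen
    return None
```

A resolver that strips ECS, as the Q9 FAQ quoted above says, sends the same query without the OPT option, so the authoritative server sees only the resolver's own address.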
  • hcsitas (Edited)

    My geolocation maps correctly using the link you have provided.

    So it is confirmed, Q9 sends different addresses than Google and Open, which in my case also happens to be better addresses. It smells really bad to me. Why does the biggest kid in the cyber-security neighborhood Q9 send different addresses for super-secure Apple than Open or Google? Especially addresses that work anytime, every time? Because they’re ahead of the cyber security curve, simple as that. 

    Something not right, that’s my ticket. If Open are not listening, phooey to them. I’m outta here. You should be too.

    Anyway, thanks for the splendid analysis! Open needs to get in touch with you pronto.

    0
  • rotblitz

    No, I will not raise a ticket because of this, because as I said, I do not face any related problem.

    "Why does the biggest kid in the cyber-security neighborhood Q9 send different addresses for super-secure Apple than Open or Google?"

    This is most likely the answer: https://support.opendns.com/hc/en-us/articles/227987647 
    But because you're "outta here", it is of minor relevance now.

    -1
  • hcsitas

    I didn't ask you to raise a ticket. I said Open needs to fix this proactively. Your link is 10 months old and wants an email with as much information as possible. It'll bring good cheer to hackers worldwide. Everybody happy? Yes. Bye.

    0
  • rotblitz

    "Your link is 10 months old"  ...and proves when they joined the project.  I do not see that this article has to expire.

    "It’ll bring good cheer to hackers worldwide."

    What?  Sorry, I don't understand what hacking has to do with this context.  You do not need to answer.

    -1
  • hcsitas (Edited)

    But I will. A page that hangs mysteriously under defined circumstances that can be easily replicated is an opportunity. Especially a page used by millions worldwide. You do not need to answer because you won't be able to come up with one. Thanks anyway, I do appreciate your analysis.

    0
  • rotblitz

    I do have an answer, or better an explanation, already posted above.

    "Especially a page used by millions worldwide."

    Well, OpenDNS has more than 80 million users, and I find only one report about the issue with the Apple discussions site's login or others here?  Weird.  Are all other users blindly accepting the issue?  Hard to believe.

    0
  • hcsitas (Edited)

    Ha ha. Most happily accept the default DNS supplied by their ISP. People who use custom DNS services are by definition a super minority compared to the public at large. How many are Apple users? A minority within a minority within a minority. With no patience for glaring imperfections. And definitely not posting on Open's sleepy "send me a mail, open me a ticket" forum. Onwards to Q9! Cheers!

    0