Tag: india

The curious case of esic.in DNS

A couple of weeks ago, at my $dayjob, we implemented a recursive resolver with RPZ in an enterprise network.

After a few days, the customer got back to us with an issue – the DNS resolution of the domain esic.in failed with an NXDOMAIN response. After a cursory look at the problem, it became evident that esic.in resolved correctly but www.esic.in did not.

The customer also reported that if they switched the resolver to 8.8.8.8, the DNS resolution of www.esic.in was without any problems, and the website was accessible in the network.

So, what is causing the DNS issue with www.esic.in with the on-prem resolver?

Let’s find out. To start with the basics, here are the authoritative name servers of the domain esic.in, 

$ whois esic.in | grep "Name Server:"
Name Server: ns-1089.awsdns-08.org
Name Server: ns-52.awsdns-06.com
Name Server: ns-1978.awsdns-55.co.uk
Name Server: ns-882.awsdns-46.net

If we traverse the DNS delegation from the root to esic.in, we get valuable insights,

.	518400	IN	NS	k.root-servers.net.
.	518400	IN	NS	l.root-servers.net.
.	518400	IN	NS	d.root-servers.net.
.	518400	IN	NS	e.root-servers.net.
.	518400	IN	NS	j.root-servers.net.
.	518400	IN	NS	b.root-servers.net.
.	518400	IN	NS	g.root-servers.net.
.	518400	IN	NS	a.root-servers.net.
.	518400	IN	NS	h.root-servers.net.
.	518400	IN	NS	m.root-servers.net.
.	518400	IN	NS	i.root-servers.net.
.	518400	IN	NS	c.root-servers.net.
.	518400	IN	NS	f.root-servers.net.
in.	172800	IN	NS	ns1.registry.in.
in.	172800	IN	NS	ns2.registry.in.
in.	172800	IN	NS	ns3.registry.in.
in.	172800	IN	NS	ns4.registry.in.
in.	172800	IN	NS	ns5.registry.in.
in.	172800	IN	NS	ns6.registry.in.
esic.in.	3600	IN	NS	ns-882.awsdns-46.net.
esic.in.	3600	IN	NS	ns-1978.awsdns-55.co.uk.
esic.in.	3600	IN	NS	ns-52.awsdns-06.com.
esic.in.	3600	IN	NS	ns-1089.awsdns-08.org.
esic.in.	300	IN	A	115.113.201.36
esic.in.	300	IN	A	218.248.15.136
esic.in.	172800	IN	NS	ns-1089.awsdns-08.org.
esic.in.	172800	IN	NS	ns-1978.awsdns-55.co.uk.
esic.in.	172800	IN	NS	ns-52.awsdns-06.com.
esic.in.	172800	IN	NS	ns-882.awsdns-46.net.

And, here is the delegation trace from the root to www.esic.in,

.	518400	IN	NS	a.root-servers.net.
.	518400	IN	NS	e.root-servers.net.
.	518400	IN	NS	c.root-servers.net.
.	518400	IN	NS	b.root-servers.net.
.	518400	IN	NS	m.root-servers.net.
.	518400	IN	NS	l.root-servers.net.
.	518400	IN	NS	h.root-servers.net.
.	518400	IN	NS	j.root-servers.net.
.	518400	IN	NS	d.root-servers.net.
.	518400	IN	NS	g.root-servers.net.
.	518400	IN	NS	i.root-servers.net.
.	518400	IN	NS	k.root-servers.net.
.	518400	IN	NS	f.root-servers.net.
in.	172800	IN	NS	ns1.registry.in.
in.	172800	IN	NS	ns4.registry.in.
in.	172800	IN	NS	ns5.registry.in.
in.	172800	IN	NS	ns6.registry.in.
in.	172800	IN	NS	ns3.registry.in.
in.	172800	IN	NS	ns2.registry.in.
esic.in.	3600	IN	NS	ns-882.awsdns-46.net.
esic.in.	3600	IN	NS	ns-1089.awsdns-08.org.
esic.in.	3600	IN	NS	ns-1978.awsdns-55.co.uk.
esic.in.	3600	IN	NS	ns-52.awsdns-06.com.
www.esic.in.	3600	IN	NS	lbr1.esic.in.
www.esic.in.	3600	IN	NS	lbr2.esic.in.
www.esic.in.	0	IN	A	218.248.15.136

If you compare the two outputs and look closely, the authoritative nameservers have delegated www.esic.in to the name servers lbr1.esic.in and lbr2.esic.in

And at the time of the issue, the nameservers lbr1.esic.in and lbr2.esic.in did not respond to Do53(UDP) resulting in an NXDOMAIN!

DNSViz also reported the non-responsive nameservers as well as OpenDNS cachecheck,

At the time of writing this blog post, the name servers lbr1.esic.in. and lbr2.esic.in. were responding and www.esic.in was resolving correctly. But for more than 24+ hours, they were unresponsive resulting in some random people on the Internet in India being unable to access the website.

Jio VoWiFi issue – It’s always DNS!

tl;dr If Jio VoWiFi isn’t working for you, set a different DNS resolver on the phone. While I am a big proponent of running your own resolver in the network, ( runyourownresolver.in ) , you could test by using open resolvers. The issue doesn’t seem to be impacting everyone and only a subset of users.

To begin with, there are multiple things broken in the authoritative name servers ns1.vowifi.jio.com. and ns2.vowifi.jio.com. of vowifi.jio.com which I’ll cover a bit later.

I came across reports ( See here & here ) of Jio VoWiFi not working for many and while the reports were sketchy, I decided to test this myself.

Below is a snippet from a log file of a dns query to vowifi.jio.com from my phone(192.168.1.137) to a recursive resolver(Unbound) which I run in my network,

May 28 15:54:35 root unbound: [1300:0] info: 192.168.1.137 vowifi.jio.com. A IN

Ideally, the domain is standardised & is made up of Mobile Network Code(MNC) and Mobile Country Code(MCC). For example – in the case of Airtel VoWiFi, the domain name that I see hitting my Unbound resolver is epdg.epc.mnc045.mcc404.pub.3gppnetwork.org. where MNC – 045 and MCC – 404 which signifies Airtel – Karnataka region.

However, oddly enough, Reliance Jio seems to be using vowifi.jio.com. Having said that, the standardised domain name works as well. For example – epdg.epc.mnc861.mcc405.pub.3gppnetwork.org. resolves to 49.44.59.36 and 49.44.59.38

Below is the dns resolution entire delegation chain. From my home network, I can see that the vowifi.jio.com resolves to 49.44.59.38 and 49.44.59.36

.	518400	IN	NS	a.root-servers.net.
.	518400	IN	NS	b.root-servers.net.
.	518400	IN	NS	c.root-servers.net.
.	518400	IN	NS	d.root-servers.net.
.	518400	IN	NS	e.root-servers.net.
.	518400	IN	NS	f.root-servers.net.
.	518400	IN	NS	g.root-servers.net.
.	518400	IN	NS	h.root-servers.net.
.	518400	IN	NS	i.root-servers.net.
.	518400	IN	NS	j.root-servers.net.
.	518400	IN	NS	k.root-servers.net.
.	518400	IN	NS	l.root-servers.net.
.	518400	IN	NS	m.root-servers.net.
com.	172800	IN	NS	a.gtld-servers.net.
com.	172800	IN	NS	l.gtld-servers.net.
com.	172800	IN	NS	c.gtld-servers.net.
com.	172800	IN	NS	h.gtld-servers.net.
com.	172800	IN	NS	e.gtld-servers.net.
com.	172800	IN	NS	d.gtld-servers.net.
com.	172800	IN	NS	i.gtld-servers.net.
com.	172800	IN	NS	f.gtld-servers.net.
com.	172800	IN	NS	m.gtld-servers.net.
com.	172800	IN	NS	j.gtld-servers.net.
com.	172800	IN	NS	g.gtld-servers.net.
com.	172800	IN	NS	k.gtld-servers.net.
com.	172800	IN	NS	b.gtld-servers.net.
jio.com.	172800	IN	NS	ns1.jio.com.
jio.com.	172800	IN	NS	ns2.jio.com.
jio.com.	172800	IN	NS	ns3.jio.com.
jio.com.	172800	IN	NS	ns4.jio.com.
vowifi.jio.com.	3600	IN	NS	ns1.vowifi.jio.com.
vowifi.jio.com.	3600	IN	NS	ns2.vowifi.jio.com.
vowifi.jio.com.	5	IN	A	49.44.59.38
vowifi.jio.com.	5	IN	A	49.44.59.36

At this point, I confirmed that VoWiFi on Jio works by putting the phone on Airplane mode while remain connected to WiFi. A ~22 minute call worked flawlessly.

To confirm that vowifi.jio.com was indeed the domain name that needs to resolve for VoWiFi to work on Jio, I configured an entry for vowifi.jio.com to return a NXDOMAIN answer in my DNS RPZ aka DNS Firewall in Unbound.

With that configured, any DNS query for vowifi.jio.com from any device in the network will be meted out with a NXDOMAIN answer. Below is a snippet from the Unbound log confirming the RPZ rule applied.

May 28 17:31:50 root unbound: [1191:0] info: 192.168.0.137 vowifi.jio.com. A IN
May 28 17:31:50 root unbound: [1191:0] info: RPZ applied [custom block to test vowifi] vowifi.jio.com. nxdomain 192.168.0.137@64521 vowifi.jio.com. A IN
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 14747
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; vowifi.jio.com.	IN	A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 136 msec
;; SERVER: 192.168.0.250
;; WHEN: Thu May 28 18:03:42 2020
;; MSG SIZE  rcvd: 32

And VoWiFi(Jio) stops working.

You can refer to the MNC and MCC codes list on Wikipedia – Mobile Network Codes in ITU region 4xx (Asia)

In the context of VoWiFi, the other noticeable problems with DNS infrastructure of Jio –

  1. A/AAAA records for ns1.vowifi.jio.com, ns2.vowifi.jio.com are missing
  2. ns1.vowifi.jio.com(49.44.59.6), ns2.vowifi.jio.com(49.44.59.7) don’t respond to queries over TCP

The other interesting thing that is worth observing is that when you try resolving vowifi.jio.com from outside India or use a DNS resolver which is perhaps not geographically located within India, the authoritative name servers ns1.vowifi.jio.com(49.44.59.6), ns2.vowifi.jio.com(49.44.59.7) give out a different set of IP addresses – 49.45.63.1, 49.45.63.2

; <<>> DiG 9.16.3 <<>> @127.0.0.1 vowifi.jio.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13728
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;vowifi.jio.com.			IN	A

;; ANSWER SECTION:
vowifi.jio.com.		4	IN	A	49.45.63.1
vowifi.jio.com.		4	IN	A	49.45.63.2

;; Query time: 352 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat May 30 06:23:23 IST 2020
;; MSG SIZE  rcvd: 75

@varkey at IBF pointed out the OpenDNS Cache Check website which also seems to confirm it.

To confirm this hypothesis, I decided to utilise the RIPE Atlas probes to run a measurement. If you’re unaware of the RIPE Atlas project, check an earlier post – Host a RIPE Atlas software probe in your network.

And the results of the measurement are interesting. Out of the 75 probes which participated in the measurement, there were many probes which received the response 49.45.63.1 & 49.45.63.2 to the DNS query to vowifi.jio.com

ASNAS NameDNS Response 1DNS Response 2Resolver IP address
4758NICNET-VSNL-BOARDER-AP National Informatics Centre, IN’49.45.63.249.45.63.1164.100.3.1
4758NICNET-VSNL-BOARDER-AP National Informatics Centre, IN’49.45.63.149.45.63.2164.100.3.1
24186RAILTEL-AS-IN RailTel Corporation of India Ltd., Internet Service Provider, New Delhi, IN’49.44.59.3649.44.59.38127.0.0.1
14061DIGITALOCEAN-ASN, US’49.44.59.3649.44.59.38127.0.0.1
18209BEAMTELE-AS-AP Atria Convergence Technologies pvt ltd, IN’49.44.59.3849.44.59.36202.53.8.8
18209BEAMTELE-AS-AP Atria Convergence Technologies pvt ltd, IN’49.44.59.3849.44.59.3649.207.46.6
135190UBERCORE-AS Ubercore Data Labs Private Limited, IN’49.45.63.149.45.63.2192.168.1.200
135817ESTOB-AS-AP Esto Broadband Private Limited, IN’49.45.63.149.45.63.28.8.8.8
18207YOU-INDIA-AP YOU Broadband & Cable India Ltd., IN’49.45.63.149.45.63.28.8.8.8
134316WORLD-AS World Star Communication, IN’49.44.59.3849.44.59.361.1.1.1
24560AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services, IN’49.44.59.3849.44.59.36192.168.0.1
24309CABLELITE-AS-AP Atria Convergence Technologies Pvt. Ltd. Broadband Internet Service Provider INDIA, IN’49.44.59.3649.44.59.3810.98.0.1
24560AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services, IN’49.44.59.3849.44.59.36192.168.1.1
17625BLAZENET-IN-AP BlazeNet_s Network, IN’49.44.59.3849.44.59.36202.131.104.2
133661NETPLUS-AS Netplus Broadband Services Private Limited, IN’49.45.63.149.45.63.2192.168.1.2
133982EXCITEL-AS-IN Excitel Broadband Private Limited, IN’49.44.59.3649.44.59.38192.168.1.1
133318MAXTECHA-AS Maxtech, IN’None49.44.59.38192.168.1.1
24560AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services, IN’49.44.59.3649.44.59.381.1.1.1
24309CABLELITE-AS-AP Atria Convergence Technologies Pvt. Ltd. Broadband Internet Service Provider INDIA, IN’49.45.63.249.45.63.1fd00:1:2:3::1
131442DIGITALNETWORK-IN Digital Network Associates Pvt Ltd, IN’49.45.63.249.45.63.1192.168.10.1
135260FOURTY2COMM-AS 42 Communications Pvt. Ltd., IN’None49.45.63.1192.168.10.1
9430STPI-NOIDA Software Technology Parks of India,Block-IV, IN’49.44.59.3649.44.59.38192.168.1.1
132933CTPLAND-AS CharotarTelelink Pvt Ltd, IN’49.45.63.149.45.63.2192.168.1.1
24560AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services, IN’49.44.59.3849.44.59.3645.90.28.112
17488HATHWAY-NET-AP Hathway IP Over Cable Internet, IN’49.44.59.3649.44.59.38202.88.152.8
55824NKN-CORE-NW NKN Core Network, IN’49.45.63.149.45.63.2200.200.200.7
24560AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services, IN’None49.45.63.2200.200.200.7
18196SEVENSTAR-AS Seven Star Internet Service Provider, IN’49.45.63.149.45.63.28.8.8.8
9829BSNL-NIB National Internet Backbone, IN’49.45.63.149.45.63.22001:4860:4860::8888
134053EXPL-AS-IN ETHERNET XPRESS PVT. LTD., IN’49.44.59.3849.44.59.36fda9:ded9:2bc5::1
24309CABLELITE-AS-AP Atria Convergence Technologies Pvt. Ltd. Broadband Internet Service Provider INDIA, IN’49.45.63.249.45.63.1192.168.1.1
9829BSNL-NIB National Internet Backbone, IN’49.44.59.3649.44.59.38192.168.1.1
24309CABLELITE-AS-AP Atria Convergence Technologies Pvt. Ltd. Broadband Internet Service Provider INDIA, IN’49.45.63.149.45.63.210.0.0.1
24560AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services, IN’49.44.59.3849.44.59.36202.56.215.55
55824NKN-CORE-NW NKN Core Network, IN’49.44.59.3849.44.59.36192.168.1.7
17747SITINETWORS-IN-AP SITI NETWORKS LIMITED, IN’49.45.63.149.45.63.2172.22.146.1
134053EXPL-AS-IN ETHERNET XPRESS PVT. LTD., IN’49.44.59.3649.44.59.3845.116.0.238
24186RAILTEL-AS-IN RailTel Corporation of India Ltd., Internet Service Provider, New Delhi, IN’49.44.59.3649.44.59.3810.0.7.253
23860ALLIANCE-GATEWAY-AS-AP Alliance Broadband Services Pvt. Ltd., IN’49.44.59.3649.44.59.38203.171.240.10
132215POWERGRID-IN Power Grid Corporation of India Limited, IN’49.45.63.149.45.63.210.0.0.1
9498BBIL-AP BHARTI Airtel Ltd., IN’49.45.63.249.45.63.1192.168.0.44
24309CABLELITE-AS-AP Atria Convergence Technologies Pvt. Ltd. Broadband Internet Service Provider INDIA, IN’49.44.59.3849.44.59.36192.168.1.1
17813MTNL-AP Mahanagar Telephone Nigam Limited, IN’49.44.59.3649.44.59.3859.185.3.10
45528TIKONAIN-AS Tikona Infinet Ltd., IN’49.44.59.3849.44.59.36192.168.1.1
134325JETSPOTNETWORKSPVTLTD-AS JETSPOTNETWORKS PVT LTD, IN’49.44.59.3649.44.59.38192.168.1.1
24560AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services, IN’49.44.59.3649.44.59.38192.168.1.1
24309CABLELITE-AS-AP Atria Convergence Technologies Pvt. Ltd. Broadband Internet Service Provider INDIA, IN’49.44.59.3849.44.59.36202.83.21.43
17747SITINETWORS-IN-AP SITI NETWORKS LIMITED, IN’49.44.59.3649.44.59.381.1.1.1
9829BSNL-NIB National Internet Backbone, IN’49.44.59.3849.44.59.36192.168.1.1
134249MARGONW-AS Margo Networks Pvt Ltd, IN’49.44.59.3649.44.59.38172.28.242.252
12222AKAMAI, US’49.45.63.249.45.63.123.216.52.9
55836RELIANCEJIO-IN Reliance Jio Infocomm Limited, IN’49.44.59.3849.44.59.36192.168.29.1
24560AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services, IN’49.44.59.3649.44.59.38192.168.1.1
136336TICFIBER-AS Thamizhaga Internet Communications Private Limited, IN’49.44.59.3849.44.59.36192.168.0.1
9829BSNL-NIB National Internet Backbone, IN’None49.44.59.36192.168.0.1
55824NKN-CORE-NW NKN Core Network, IN’None49.44.59.36192.168.0.1
24560AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services, IN’49.44.59.3649.44.59.38125.22.47.125
55577BEAMTELE-AS-AP Atria Convergence Technologies pvt ltd, IN’49.44.59.3849.44.59.36192.168.1.254
134326AIRDESIGNBROADCAST-AS Airdesign Broadcast Media Pvt Ltd, IN’49.45.63.149.45.63.2208.67.222.222
138786CCBSPL-AS-IN Crystal Clear Broadband Services Pvt. Ltd., IN’49.45.63.149.45.63.28.8.8.8
56166IISERBNET-IN IISER Bhopal Campus, IN’49.44.59.3849.44.59.36172.30.1.2
24560AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services, IN’49.44.59.3849.44.59.36192.168.1.1
9829BSNL-NIB National Internet Backbone, IN’49.44.59.3649.44.59.38fdf6:a86d:4264::1
55836RELIANCEJIO-IN Reliance Jio Infocomm Limited, IN’49.44.59.3649.44.59.38192.168.31.1
139331DCORP-AS-AP DevelentCorp., IN’49.45.63.149.45.63.28.8.8.8
23860ALLIANCE-GATEWAY-AS-AP Alliance Broadband Services Pvt. Ltd., IN’49.44.59.3849.44.59.361.1.1.1
55836RELIANCEJIO-IN Reliance Jio Infocomm Limited, IN’49.45.63.149.45.63.28.8.4.4
17488HATHWAY-NET-AP Hathway IP Over Cable Internet, IN’49.44.59.3849.44.59.361.1.1.1
135718DISHAWAVESINFONET-AS DISHAWAVES INFONET PVT. LTD, IN’None49.44.59.361.1.1.1
4755TATACOMM-AS TATA Communications formerly VSNL is Leading ISP, IN’49.45.63.149.45.63.28.8.8.8
16509AMAZON-02, US’49.44.59.3849.44.59.36::1
15169GOOGLE, US’49.45.63.149.45.63.2::1
139331DCORP-AS-AP DevelentCorp., IN’49.44.59.3649.44.59.38::1
24309CABLELITE-AS-AP Atria Convergence Technologies Pvt. Ltd. Broadband Internet Service Provider INDIA, IN’49.45.63.249.45.63.1192.168.1.10
9498BBIL-AP BHARTI Airtel Ltd., IN’49.45.63.149.45.63.2192.168.139.245

internationalvowifi.jio.com also seems to indicate VoWiFi International calling, which resolves to 49.44.59.36 and 49.44.59.38 from my vantage point. The same resolves to 49.45.63.1 and 49.45.63.2 from every location that I’ve managed to check from outside India.

Looking at the results, most likely the issue is with how ns1.vowifi.jio.com & ns2.vowifi.jio.com are responding to  client subnet (EDNS0) in DNS queries.

Host a RIPE Atlas software probe in your network

RIPE Atlas is a global network of devices, called probes and anchors, that actively measure Internet connectivity. RIPE Atlas users can also perform customised measurements to gain valuable data about their own networks. 

At the time of writing, there were 11,009 probes connected, the total number of probes connected is maybe higher than this as probes go offline due to Internet disconnections, power issues especially in under developed/developing countries.

All this while, the probes have been hardware devices.

That changed sometime in February 2020, the RIPE NCC released a software version of the RIPE Atlas probe. This is super useful (apart from the fact that the hardware probe costs money to manufacture and ship it and most importantly Indian customs 😢 ) as you can run the software probe on RaspberryPi along with many other supported operating systems(CentOS7,CentOS8, Debian 9, Debian 10 and Docker). 

For more information about installing the software probe and registration, please click the following link

If anyone needs any help in installing/registering the probe, feel free to ping 🙂