topic Re: idmsa.apple.com problematic, Sign-in to Apple discussions in OpenDNS

idmsa.apple.com problematic, Sign-in to Apple discussions

hcsitas — Sat, 24 Mar 2018 11:25:44 GMT

If I click “Sign-in” on discussions.apple.com, the idmsa.apple.com page hangs without serving the user id and password prompt. If I switch DNS to 8.8.8.8, it works but after about 30 minutes Google DNS has the same issue. Switching back to OpenDNS will get it to work temporarily but stop after idling for about 30 minutes.

However, with Quad 9, the page works perfectly even after idle periods. I’d like to stay with OpenDNS because Q9 does not provided custom filtering. However I’m concerned that this “bug” might exist for other pages. Could you resolve kindly? The usual stuff - clearing caches and rebooting router has no effect. Happens even if I remove all filtering, and problem is unchanged even after moving platforms from iOS to PC Chrome.

Thank you.

Re: idmsa.apple.com problematic, Sign-in to Apple discussions

rotblitz — Sat, 24 Mar 2018 14:32:58 GMT

This doesn't look like a DNS problem, but like a connectivity problem. Btw, I do not face this problem when using OpenDNS, neither on iOS nor on Windows.

Re: idmsa.apple.com problematic, Sign-in to Apple discussions

hcsitas — Sat, 24 Mar 2018 14:38:14 GMT

It could be location-dependent, both for origin and destination. Nonetheless, the problem instantly changes when DNS is changed, and goes away permanently with Q9. So I do believe Q9 is doing something better than Open.

Thanks anyways.

Re: idmsa.apple.com problematic, Sign-in to Apple discussions

rotblitz — Sat, 24 Mar 2018 14:55:49 GMT

The fact that you have the same problem with Google Public DNS contradicts your theory. I treat the Q9 case rather for coincidental.

If it would be a DNS problem, you had to analyze the DNS query results, like:

nslookup domain_name.

Btw, Apple uses nearly almost CNAMEs, and they seem to use the CDN service of Akamai.

nslookup idmsa.apple.com.
Server: fritz.box
Address: fd00::ca0e:14ff:fee9:8373

Nicht autorisierende Antwort:
Name: idmsa.apple.com.akadns.net
Address: 17.179.252.96
Aliases: idmsa.apple.com

Re: idmsa.apple.com problematic, Sign-in to Apple discussions

hcsitas — Sat, 24 Mar 2018 15:20:04 GMT

I treat the case with Q9 as completely related. And what *seems* frequently isn’t. I did check the DNS results for idms.apple.com at Open, and it returned the same address for Europe and the US, although it split them up by country. That seems to point the problem towards DNS@Open.

This must be related to higher security awareness both at Apple also Q9 and possible upgrades on their side, so let’s hope experts at Open can figure it out and get Open up to date too. Not holding breath however, my account here is a free one.

Re: idmsa.apple.com problematic, Sign-in to Apple discussions

rotblitz — Sat, 24 Mar 2018 15:25:18 GMT

I have found something in the Q9 FAQ which could be related, that they do not send the EDNS Client Subnet to authoritative nameservers. If you get better DNS results as when sending the EDNS Client Subnet, then it is likely that your IP address is associated with the wrong location, i.e. some geo-location issue, as you mentioned. You can test this here:
https://www.iplocation.net/

"let’s hope experts at Open can figure it out"

In this case you must raise a support ticket, "Submit a request" above. Staff do not strictly monitor contributions in the community forum...

Re: idmsa.apple.com problematic, Sign-in to Apple discussions

rotblitz — Sat, 24 Mar 2018 15:41:07 GMT

And indeed, I tested with a few domains' DNS queries, and typically Q9 returns IP addresses different from OpenDNS and Google. Just an example:

nslookup idmsa.apple.com. 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Nicht autorisierende Antwort:
Name: idmsa.apple.com.akadns.net
Address: 17.179.252.96
Aliases: idmsa.apple.com


nslookup idmsa.apple.com. 9.9.9.9
Server: dns.quad9.net
Address: 9.9.9.9

Nicht autorisierende Antwort:
Name: idmsa.apple.com.akadns.net
Address: 17.32.194.38
Aliases: idmsa.apple.com


nslookup idmsa.apple.com. 208.67.220.220
Server: resolver2.opendns.com
Address: 208.67.220.220

Nicht autorisierende Antwort:
Name: idmsa.apple.com.akadns.net
Address: 17.179.252.96
Aliases: idmsa.apple.com

That explains a lot...
You should be aware that not sending the EDNS Client Subnet is suboptimal in many cases especially in conjunction with CDNs. In your individual case it is coincidental to the contrary which can happen as well, but rather seldom.

And this is what "experts at Open can figure it out" as well. There is probably nothing what they could improve except to introduce different resolver addresses where the EDNS Client Subnet is not being used, so that you have the option to choose from the one or the other.

Re: idmsa.apple.com problematic, Sign-in to Apple discussions

hcsitas — Sat, 24 Mar 2018 16:11:46 GMT

My geolocation maps correctly using the link you have provided.

So it is confirmed, Q9 sends different addresses than Google and Open, which in my case also happens to be better addresses. It smells really bad to me. Why does the biggest kid in the cyber-security neighborhood Q9 send different addresses for super-secure Apple than Open or Google? Especially addresses that work anytime, every time? Because they’re ahead of the cyber security curve, simple as that.

Something not right, that’s my ticket. If Open are not listening, phooey to them. I’m outta here. You should be too.

Anyway, thanks for the splendid analysis! Open needs to get in touch with you pronto.

Re: idmsa.apple.com problematic, Sign-in to Apple discussions

rotblitz — Sat, 24 Mar 2018 16:33:02 GMT

No, I will not raise a ticket because of this, because as I said, I do not face any related problem.

"Why does the biggest kid in the cyber-security neighborhood Q9 send different addresses for super-secure Apple than Open or Google?"

This is most likely the answer: https://support.opendns.com/hc/en-us/articles/227987647
But because you're "outta here", it is of minor relevance now.

Re: idmsa.apple.com problematic, Sign-in to Apple discussions

hcsitas — Sat, 24 Mar 2018 16:41:27 GMT

I didn’t ask you to raise a ticket. I said Open needs to proactively fix. Your link is 10 months old and wants an email with as much information as possible. It’ll bring good cheer to hackers worldwide. Everybody happy? Yes. Bye.

Re: idmsa.apple.com problematic, Sign-in to Apple discussions

rotblitz — Sat, 24 Mar 2018 16:46:58 GMT

"Your link is 10 months old" ...and proves when they joined the project. I do not see that this article has to expire.

"It’ll bring good cheer to hackers worldwide."

What? Sorry, I don't understand what hacking had to do in this context. You do not need to answer.

Re: idmsa.apple.com problematic, Sign-in to Apple discussions

hcsitas — Sat, 24 Mar 2018 16:52:04 GMT

But I will. A page that hangs mysteriously under defined circumstances that can be easily replicated is opportunity. Especially a page used by millions worldwide. You do not need to answer because you won’t be able to come up with one. Thanks anyways, I do appreciate your analysis.

Re: idmsa.apple.com problematic, Sign-in to Apple discussions

rotblitz — Sat, 24 Mar 2018 17:01:49 GMT

I do have an answer, or better an explanation, already posted above.

"Especially a page used by millions worldwide."

Well, OpenDNS has more than 80 Millions of users, and I find only one report about the issue with the Apple discussions site's login or others here? Weird. Are all other users blindly accepting the issue? Hard to believe.

Re: idmsa.apple.com problematic, Sign-in to Apple discussions

hcsitas — Sat, 24 Mar 2018 17:10:45 GMT

Ha ha. Most happily accept the default DNS supplied by their ISP. People who use custom DNS services are by definition a super minority compared to the public at large. How many are Apple users? A minority within a minority within a minority. With no patience for glaring imperfections. And definitely not posting on Open’s sleepy “send me a mail open me a ticket” forum. Onwards to Q9! Zum Wohl!