Starbucks and DNS

I was testing DNS responses at Starbuck's and I got really confused. First I'll show the answers going through my tethered iPhone to show how things are supposed to work.

Non-Authoritative Name Resolution

Here's a DNS resolution for the www.ccsf.edu server, performed at Google's DNS server 8.8.8.8:

Notice the "flags: qr rd ra" line near the top. The absence of an "aa" flag indicates that this is not an authoritative response, which is correct since Google is not CCSF's authoritative server.

Finding an Authoritative Server

This command asks Google who is authorititative over CCSF:

The answer is that "rudra3.ccsf.cc.ca.us" is authoritative for CCSF.

Authoritative Name Resolution

If I query rudra3, I get this answer:

Notice the "flags: qr aa rd" section. The "aa" correctly indicates that this is an authoritative response.

Starbucks Strangeness

Now try the same thing using Starbucks Wi-Fi:

The reply has "flags: qr rd ra" -- it is not authoritative!

I tried several domains and I was unable to get any authoritative responses at all at Starbuck's.

I don't know what is causing this, but I suspect that Starbuck's is lying to clients, and redirecting all DNS queries to some sort of caching server no matter who I try to ask.

But the end of the reply says I really used the CCSF server, with address 147.144.3.238.

So it seems that Starbuck's passes responses through a proxy that removes the aa flag. Very strange.

Posted 10:49 am 9-9-13 by Sam Bowne