Cannot resolve anildash.com

I’m having issues resolving anildash.com through the 1.1.1.1 DNS (set in pfSense). As soon as I remove the DNS servers I can connect. Pinging it results in the following message:

ping: cannot resolve anildash.com: Unknown host

I resolved the issues by disabling DNSSEC on my router. I suppose these sites have an improper configuration? I was getting problems with 512pixels.net as well (as seen below), but disabling the setting fixed both issues.

> nslookup anildash.com 1.1.1.1
Server:  one.one.one.one
Address:  1.1.1.1

Non-authoritative answer:
Name:    3orqkkgru966qy9v.shw.io
Address:  206.51.242.1
Aliases:  anildash.com


> nslookup 3orqkkgru966qy9v.shw.io 1.1.1.1
Server:  one.one.one.one
Address:  1.1.1.1

Non-authoritative answer:
Name:    3orqkkgru966qy9v.shw.io
Address:  206.51.242.1


> nslookup -class=chaos -type=txt id.server 1.1.1.1
Server:  one.one.one.one
Address:  1.1.1.1

Non-authoritative answer:
id.server       text =

        "EWR"

> nslookup 512pixels.net
Server:  pfSense.localdomain
Address:  192.168.1.1

*** pfSense.localdomain can't find 512pixels.net: Server failed

It’s illegal to have a CNAME record at the zone apex. Those domains can’t be expected to resolve reliably, or ever.

One possible specific path to SERVFAIL is if your resolver on 192.168.1.1 is forwarding to 1.1.1.1 and doing DNSSEC validation. Because 1.1.1.1 has good cache hit rates, the domains are broken, and Knot Resolver doesn’t cover up the issue, if you send a DS query for a broken domain, you’re likely to get a response that a validating resolver will reject.

$ dig @one.one.one.one anildash.com

; <<>> DiG 9.15.0-Ubuntu <<>> @one.one.one.one anildash.com
; (4 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 179
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;anildash.com.                  IN      A

;; ANSWER SECTION:
anildash.com.           3600    IN      CNAME   3orqkkgru966qy9v.shw.io.
3orqkkgru966qy9v.shw.io. 300    IN      A       206.51.242.1

;; Query time: 44 msec
;; SERVER: 2606:4700:4700::1111#53(2606:4700:4700::1111)
;; WHEN: Wed Jun 05 23:33:42 UTC 2019
;; MSG SIZE  rcvd: 94

$ dig @one.one.one.one anildash.com ds

; <<>> DiG 9.15.0-Ubuntu <<>> @one.one.one.one anildash.com ds
; (4 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63044
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;anildash.com.                  IN      DS

;; ANSWER SECTION:
anildash.com.           3599    IN      CNAME   3orqkkgru966qy9v.shw.io.

;; AUTHORITY SECTION:
shw.io.                 300     IN      SOA     ns1.dnsimple.com. admin.dnsimple.com. 1539631279 86400 7200 604800 300

;; Query time: 18 msec
;; SERVER: 2606:4700:4700::1001#53(2606:4700:4700::1001)
;; WHEN: Wed Jun 05 23:33:43 UTC 2019
;; MSG SIZE  rcvd: 142

Edit: For comparison, the response a resolver wants is something like:

$ dig +dnssec anildash.com ds

; <<>> DiG 9.15.0-Ubuntu <<>> +dnssec anildash.com ds
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60329
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;anildash.com.                  IN      DS

;; AUTHORITY SECTION:
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20190612044518 20190605033518 3800 com. kK+DBXFO++94SBlrVrUiVcRHsgFXS3D2cyHXxwRMSxcLGVriUL9aRk/j gAqDPO0w8p40ZZGHBBODE7Mjd+W712VTgxzOqOnbnnzz6PDyDDosTy+e 8pSkZjFDNK9nhkl4VzsSVeB40iR8jMt0FT+vbtKJoINyPVsNk0zTpqYT b+8=
com.                    900     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1559778540 1800 900 604800 86400
com.                    900     IN      RRSIG   SOA 8 1 900 20190612234900 20190605223900 3800 com. ZSthE/x5ZhNcb6FQzBIE+VuGgd1jzsmVH0kPr4wzVaVx8EQ0MHvQZe1W OkxWxkKOrlcJ2FybxRPMy8GV6NhJVcvxWIAD3auP2n6sfLjwNoCNpxFO 3RnRSDExMV9/4HexCY78/cwghs6+qOAv2tOf00Qht710PFKJRQtnIDvz ByM=
N8OP54MPEHOFBC694C3THM4CC96RDN8M.com. 85317 IN NSEC3 1 1 0 - N8OPF1RMSLUHDRE2CJ34TKC9OKM1N376 NS DS RRSIG
N8OP54MPEHOFBC694C3THM4CC96RDN8M.com. 85317 IN RRSIG NSEC3 8 2 86400 20190609052624 20190602041624 3800 com. EPlOy2/R/E6l9K1ZUJsRPjJ1uWyUDbo9ZhnLQwaMCBfOZdv2c+DbFJYF CchEdKwJXDuoDLU4BI44UQcsM+GA7LO1XkljeqGY8QtaKgLNWnrhIdGb hhyYDDgyx+i7h+BUwd9fdK0gS3uxkLef9E7V4dFtFGx4mD1/H3l6WAcZ En8=

;; Query time: 132 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Jun 05 23:49:22 UTC 2019
;; MSG SIZE  rcvd: 762
2 Likes
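The difference between the two DS responses in the answer above, as an added example that is not part of the original thread: a small classifier over dig's text output that separates a DS response carrying the apex CNAME from one carrying a signed NSEC3 denial. The function names and result labels are hypothetical, and the two samples are abridged from the dig output quoted above.

```python
import re

SECTION = re.compile(r"^;; (\w+) SECTION:")

# Samples abridged from the dig output in the answer above (signature data elided).
BROKEN_DS = """\
;; ANSWER SECTION:
anildash.com.           3599    IN      CNAME   3orqkkgru966qy9v.shw.io.

;; AUTHORITY SECTION:
shw.io.   300  IN  SOA  ns1.dnsimple.com. admin.dnsimple.com. 1539631279 86400 7200 604800 300
"""
EXPECTED_DS = """\
;; AUTHORITY SECTION:
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 (elided)
com.      900  IN  SOA  a.gtld-servers.net. nstld.verisign-grs.com. 1559778540 1800 900 604800 86400
"""

def parse_sections(dig_text):
    """Return {section name: [(owner, rrtype), ...]} from dig's text output."""
    sections, current = {}, None
    for line in dig_text.splitlines():
        header = SECTION.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif not line.strip():
            current = None                      # a blank line ends the section
        elif current and not line.startswith(";"):
            fields = line.split()               # owner TTL class type rdata...
            if len(fields) >= 4:
                sections[current].append((fields[0].lower(), fields[3].upper()))
    return sections

def classify_ds_response(qname, dig_text):
    """Classify a DS query response by shape only; no signature is verified."""
    sections = parse_sections(dig_text)
    answer = sections.get("ANSWER", [])
    authority = {rrtype for _, rrtype in sections.get("AUTHORITY", [])}
    qname = qname.lower().rstrip(".") + "."
    if any(owner == qname and rrtype == "CNAME" for owner, rrtype in answer):
        return "cname-at-apex"      # CNAME answered a DS query: validators reject this
    if any(rrtype == "DS" for _, rrtype in answer):
        return "ds-present"         # signed delegation
    if authority & {"NSEC", "NSEC3"} and "RRSIG" in authority:
        return "signed-denial"      # parent's signed statement that no DS exists
    return "unproven"               # neither a DS nor a signed denial was returned
```

Feeding it the output of `dig <name> ds` for each domain that returns SERVFAIL through a validating forwarder shows which ones fail for the reason described above.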

Resolved over here, https://www.reddit.com/r/CloudFlare/comments/bwvfc2/issues_resolving_a_couple_domains_with_1111/

1 Like

Haha good find! My resolution is also posted here as a reply to my first post (for reference).

1 Like