Can't resolve an URL

Hello to all,
Yesterday evening the management called me about not being able to access the URL for the Bank they use for the Payments.
After some troubleshooting over the phone and analyzing the firewall I couldn’t find the RC for this issue, as everything seems to be working fine.
Later at night, I could finally find the RC for the issue and it seems that CF is not resolving the DNS record for one of Bank’s subdomains:

ISP Network Vodafone PT

Troubleshooting DNS:

C:\>nslookup ind.millenniumbcp.pt 1.1.1.1
Server:  one.one.one.one
Address:  1.1.1.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to one.one.one.one timed-out

C:\>nslookup ind.millenniumbcp.pt 1.0.0.1
Server:  one.one.one.one
Address:  1.0.0.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to one.one.one.one timed-out

C:\>nslookup ind.millenniumbcp.pt 8.8.8.8
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    ind.wip.millenniumbcp.pt
Address:  193.53.22.59
Aliases:  ind.millenniumbcp.pt

C:\>nslookup -class=chaos -type=txt id.server 1.1.1.1
Server:  one.one.one.one
Address:  1.1.1.1

Non-authoritative answer:
id.server       text =

        "LIS"

C:\>nslookup -class=chaos -type=txt id.server 1.0.0.1
Server:  one.one.one.one
Address:  1.0.0.1

Non-authoritative answer:
id.server       text =

        "LIS"

Our requests go thru the DC -> FW - > World
Cleared all caches, but seems not affecting this issue at all.
I would like to go back to CF DNS resolver but until this issue is figured out I have to use the Google ones.

Any thoughts available?
Regards.
JG


Can you post the results of one of the commands in this article? It should show your the datacenter code for your query:

@sdayman, seems to be Lisbon.

@jasggomes, I am afraid I cant reproduce it either. It resolves fine for me as well. Can you resolve ind.wip.millenniumbcp.pt via 1.1.1.1?

Also, the domain appears to have some configuration issues -> http://dnsviz.net/d/millenniumbcp.pt/dnssec/

1 Like

Hi, sorry for the long delay in getting back to you, since I’m the part it needs help.

I’m going to try to send an email to DNS admins of Millennium, but in the meantime, I was able to solve the issue using Google DNS, temporarily.

I did use the article mentioned above for the troubleshooting, here it is the link from ‘help’.:

If I remove the Google DNS from the upstream FW, and using only the CF’s I stilll get the same results as above.

CF Dc is ‘LIS’ and ISP is Vodafone.
Does the issue from the records of Millennium cause this problem? Since you can resolve the address in the US.

Thanks for the support.
JG

You did not address my question.

Hi and sorry if I misunderstood your question.

But I still can resolve the address using either 1.1.1.1 or 1.0.0.1

C:>nslookup ind.wip.millenniumbcp.pt 1.1.1.1
Server: one.one.one.one
Address: 1.1.1.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to one.one.one.one timed-out

C:>nslookup ind.wip.millenniumbcp.pt 1.0.0.1
Server: one.one.one.one
Address: 1.0.0.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to one.one.one.one timed-out

If I go to the CF-DNS Help page all seems ok …

Does this answer the question?
Thank for your support.
JG

It does.

So it is not necessarily an issue with the host you mentioned, but it seems the entire millenniumbcp.pt domain does not resolve via Cloudflare.

Try opening a support ticket with Cloudflare and ask why exactly it fails. At the same time try to contact the domain owner, so they can fix aforementioned DNS issues.

Thank you, I’ll try to reach the CF support Team and also the Millennium one too.

Regards.
JG

@sandro, as o said on the other ticket, CF support told me to use the community forum to solve the issue with the DNS Resolver.

I still couldn’t reach the DNS Admins for the domain. Still trying to.

Thank you for your support.
[email protected]

Other ticket? That was quite an unreasonable response and they should know better. They need to fix that if the issue is on Cloudflare’s side, the forum here cant do anything I am afraid.

Can you post the ticket number so @cloonan can check out what went wrong?

1 Like

@sandro I m outside, but please see if this snapshot can help you.

image

That appears to have been just an auto response, send a follow up and you should hopefully get a proper response.

@cloonan, for the record, ticket 1726661

2 Likes

@sandro, I just replied to the support email.
Thank you for your support.
JG

merging threads with additional domains. (Can't resolve m.activobank.pt)

i can’t resolve m.activobank either, via Lisbon. ISP MEO

$ dig @1.1.1.1 m.activobank.pt

; <<>> DiG 9.10.3-P4-Raspbian <<>> @1.1.1.1 m.activobank.pt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44450
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;m.activobank.pt. IN A

;; ANSWER SECTION:
m.activobank.pt. 1717 IN CNAME m.wip.activobank.pt.

;; Query time: 2224 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Jul 30 12:49:44 WEST 2019
;; MSG SIZE rcvd: 64

dig m.activobank.pt 8.8.8.8

; <<>> DiG 9.10.3-P4-Raspbian <<>> m.activobank.pt 8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39299
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;m.activobank.pt. IN A

;; ANSWER SECTION:
m.activobank.pt. 1861 IN CNAME m.wip.activobank.pt.

;; Query time: 154 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Jul 30 12:47:07 WEST 2019
;; MSG SIZE rcvd: 64

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33203
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;8.8.8.8. IN A

;; AUTHORITY SECTION:
. 8634 IN SOA a.root-servers.net . nstld.verisign-grs.com. 2019073001 1800 900 604800 86400

;; Query time: 3 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Jul 30 12:47:07 WEST 2019
;; MSG SIZE rcvd: 111

dig @1.1.1.1 m.wip.activobank.pt

; <<>> DiG 9.10.3-P4-Raspbian <<>> @1.1.1.1 m.wip.activobank.pt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29490
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;m.wip.activobank.pt. IN A

;; Query time: 600 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Jul 30 12:51:13 WEST 2019
;; MSG SIZE rcvd: 48

dig @8.8.8.8 m.wip.activobank.pt

; <<>> DiG 9.10.3-P4-Raspbian <<>> @8.8.8.8 m.wip.activobank.pt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24024
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;m.wip.activobank.pt. IN A

;; ANSWER SECTION:
m.wip.activobank.pt. 86 IN A 193.53.22.46

;; Query time: 34 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 30 12:50:45 WEST 2019
;; MSG SIZE rcvd: 64

Both domains use the same nameservers and both domains seem to have some configuration issues. I am afraid only Cloudflare could shed some light here.

@sandro
I just called to Millennium support center, and they told me that they are now aware of the problem in the DNS Records and they are trying to solve the issue.
Regarding CF not resolving and Google does, well that I cannot answer.
Thank you for the support.
JG

Well, there appears to be some issue with the domain’s nameservers but whether that is also the reason why Cloudflare cant resolve it is something only Cloudflare can clarify.

I can only recommend to push the ticket and I’ll spam-tag @cloonan once more :wink:

1 Like

@sandro thank you.
I have no response from support yet.
Regards
JG

i also had this issue with ISP MEO and i can say that it’s resolved now on my end.

i can finally access both millenium & activobank. this issue lasted a couple of days so i’m glad it’s finally fixed

@softexia when did you noticed as solved?
During this morning wasn’t and as I m away from my home and office networks and haven’t CF configured on my mobile I cannot say it is fixed on my end too.
Thanks for the info though
Btw support as replied with a ‘bs’ of an answer. Not really a reply expected from a CF tech eng. but …

Regards.
JG

1 Like