Problem: My fairly new domain (6 months old), https://gishotspot.com is not accessible inside the majority of the US through most ISPs. I am located within the US. 9 days continuous downtime increasing.
More Information: All external accessibility tests so far on major US ISP networks like Verizon, T-Mobile, Consolidated Communications, Comcast etc. result in no public access to the WordPress website nor admin access to the WP Admin dashboard. We have tested with VPN, friends, engineers, different US and global ISP networks, internally and externally. For unknown reasons my domain is only accessible in numerous places outside the US, such as Europe.
The DNSSEC, DNS records, SSL etc. are correctly configured for the domain on the server/host side, otherwise there would be zero access globally. This is not a simple ‘wait for DNS records to resolve’ kind of fix. Please see attached images showing parts of my discussions with Cloudways Engineers as well as cleaned up and simplified DNS records. The IP in the A records point to the Cloudways WordPress application for the domain/website.
Possible Solution: Cloudflare (my registrar) must assist. This appears to be an issue connected directly to Cloudflare requiring advanced support. The problem cannot be fixed from the host’s end. The nuclear option would be domain abandonment which is unacceptable.
After your change of registrar to Cloudflare, everything seems to be working correctly now.
Your DNSSEC is valid, and the domain seems to resolve just fine worldwide: DNS Checker - DNS Check Propagation Tool
All the previous problems seem to be gone now.
Can you elaborate what problems you are facing exactly? What error are you seeing?
I can see your website now, but I’m from Europe, so that probably doesn’t count.
Also, as you have only transferred your domain to Cloudflare today, you might just have to wait some time to let caches expire.
We are happy to give it a bit of time but we are convinced it is not a resolution issue because even the US servers are resolved for the A and CNAME records. I am happy for the complete switch away from Bluehost because Cloudways are guiding me and looked into the issue properly. They cannot solve the problem because it is not a host issue. We very strongly think the DNS has resolved itself and is no longer a factor. Something is blocking all traffic in the US including myself.
This is definitely an edge case scenario, no doubt. I turn the VPN on to locate myself in London and the website is accessible. I turn it off, am back in the US, and it is not accessible again. We tried different ISPs, including resolves ISPs across the US map (green ticks). There appears to be some deep-rooted settings blocking access to domain/website in the US. I can show you with 1 picture below.
Inside the US on most internet service providers → the website is not accessible (left image)
Outside the US → the website is accessible (right image)
We have ruled out cache, host, propagation errors etc., as you can see with your checks everything is better. It is not realistic to call every single ISP across the US about the problem to grant access by creating a rule which allows the website to resolve across their network, hence it is likely a registrar issue. It is mysterious. Short of domain abandonment, which means the problem is not solved, help from the registrar is needed to see if they can figure out what is causing the permanent block of US traffic.
Your nameservers still point to Bluehost and you have DNSSEC enabled but not properly configured. Disable DNSSEC at your registrar. Don’t reenable it until your zone has been successfully moved to whatever nameservers you intend to use and the old DNSSEC records have fully been cleared from caching resolvers.
dig +trace +nodnssec gishotspot.com
; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> +trace +nodnssec gishotspot.com
;; global options: +cmd
. 2459 IN NS k.root-servers.net.
. 2459 IN NS a.root-servers.net.
. 2459 IN NS h.root-servers.net.
. 2459 IN NS e.root-servers.net.
. 2459 IN NS i.root-servers.net.
. 2459 IN NS l.root-servers.net.
. 2459 IN NS m.root-servers.net.
. 2459 IN NS b.root-servers.net.
. 2459 IN NS j.root-servers.net.
. 2459 IN NS d.root-servers.net.
. 2459 IN NS f.root-servers.net.
. 2459 IN NS g.root-servers.net.
. 2459 IN NS c.root-servers.net.
;; Received 239 bytes from 127.0.0.53#53(127.0.0.53) in 0 ms
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
;; Received 867 bytes from 2001:7fe::53#53(i.root-servers.net) in 0 ms
gishotspot.com. 172800 IN NS noel.ns.cloudflare.com.
gishotspot.com. 172800 IN NS jillian.ns.cloudflare.com.
;; Received 362 bytes from 2001:503:d414::30#53(f.gtld-servers.net) in 20 ms
gishotspot.com. 300 IN A 104.21.4.118
gishotspot.com. 300 IN A 172.67.132.11
;; Received 75 bytes from 2606:4700:50::a29f:262c#53(jillian.ns.cloudflare.com) in 20 ms
I see the correct nameservers and a correct DNSSEC configuration. Do you really see Bluehost nameservers?
Either way, with what was likely a long TTL of DNSSEC records and an already fubar condition, immediately enabling DNSSEC after the zone transfer is likely exacerbating any (pre)existing issues.
Yeah, I just had a look at the TTL in your screenshot. One day is a rather long TTL, so I assume DNS Viz used some cached DNS results, seeing as the registry is already reporting the correct values.
I guess there’s nothing to do but wait until most caches have expired.
Thank you for taking a look. So if I understand correctly, it’s fouled up beyond all repair (fubar) squared… and this is a waiting game. Correct?
My friend does not have access to the website in the UK, but I have access through my Nord VPN account when I pretend that I am in London. I am not going to touch any settings at all because as declared earlier, and seen, all that stuff is correct.
Is there a maximum timeframe for the waiting game before reaching back out here if it does not update?
The DNS VIZ results you posted are showing records last updated 4 days ago, which may explain the Bluehost information still shown, so the test used old data. I refreshed and got current results shown in the image, supporting the digging by @Laudian.
I still have no access to my website in the US. I am mentally burned out by this after 9 days. Hence I simply wish to know from you more experienced experts here at Cloudflare (my registrar and responsible party) what estimated timeframe (I am aware no guarantees) I must wait before revisiting the problem, to consider further action (which I am aware may require domain abandonment).
You’ll just have to wait a day or two, as the TTL on the old entries was set to one day by Bluehost. That’s how long DNS resolvers will cache the old entries, per level of DNS-Cache.
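An added example, not part of the original thread: the check a validating resolver makes between the DS record it holds from the parent zone and the DNSKEY the zone's current nameservers serve, which is why a resolver still caching the old DS fails the lookup while one with fresh data (or no validation) succeeds. The zone name `example.com.` and both keys are constructed placeholders, not the real keys of the domain discussed above.

```python
import base64, hashlib, struct

def name_to_wire(name):
    """Canonical lowercase wire form of an owner name (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, algorithm):
    """DS fields (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)

def chain_ok(owner, cached_ds, served_dnskeys):
    """True if at least one served DNSKEY hashes to the DS the resolver holds."""
    return any(
        make_ds(owner, dnskey_rdata(flags, proto, alg, pub), alg) == cached_ds
        for flags, proto, alg, pub in served_dnskeys
    )

# Constructed sample data: two unrelated 64-byte "public keys" (algorithm 13).
ZONE = "example.com."  # placeholder zone name
OLD_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())       # previous DNS host
NEW_KEY = (257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())  # current DNS host
STALE_DS = make_ds(ZONE, dnskey_rdata(*OLD_KEY), OLD_KEY[2])  # still cached by some resolvers
FRESH_DS = make_ds(ZONE, dnskey_rdata(*NEW_KEY), NEW_KEY[2])  # what the registry publishes now

if __name__ == "__main__":
    for label, ds in (("stale DS in cache", STALE_DS), ("fresh DS", FRESH_DS)):
        ok = chain_ok(ZONE, ds, [NEW_KEY])  # the zone now serves only the new key
        print(f"{label}: key tag {ds[0]} ->", "validates" if ok else "bogus (SERVFAIL)")
```

A resolver in the first state keeps answering SERVFAIL until the cached DS reaches its TTL, which matches the advice in the thread to wait out the one-day TTL.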