Dns_probe_finished_nxdomain


#1

Hi,

since I use 1.1.1.1 I often get DNS_PROBE_FINISHED_NXDOMAIN in Chrome. When switching back to 8.8.8.8 everything works fine.

Any idea why? An example site is https://www.corsicaferries.biz


#2

Usually it’s the case that the authoritative DNS servers are broken in some ways, e.g. http://dnsviz.net/d/www.corsicaferries.biz/WtTHBQ/dnssec/

Knot-resolver is apparently a little more sensitive to some issues than some other implementations.


#3

Neither of the nameservers for corsicaferries.com (or corsica-ferries.fr) supports EDNS properly (and half of the nameservers are broken completely). We’ll add overrides to disable most DNS protocol features for their nameservers to make it work at least.


#4

Thanks, When will this be live?


#5

Hi, I just pushed the overrides out, so the website should be resolving.


#6

I believe this problem is bigger. There are too many sites not reachable. Even CNN Philippines: http://www.cnnphilippines.com


#7

Works for me in my browser and dig:


#8

Yes now it is working for me, too. But I get these NX error messages often. I don’t get them with the Google DNS…


#9

I’m getting this with a different domain, ISP’s DNS returns the correct DNS but 1.1.1.1 is returning null values:

1.1.1.1 =
; <<>> DiG 9.10.6 <<>> ns muirfieldtravel.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57056
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;muirfieldtravel.com.		IN	NS

;; Query time: 47 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed May 09 08:53:15 BST 2018
;; MSG SIZE  rcvd: 37

ISPs DNS =

; <<>> DiG 9.10.6 <<>> ns muirfieldtravel.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33113
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;muirfieldtravel.com.		IN	NS

;; ANSWER SECTION:
muirfieldtravel.com.	172489	IN	NS	ns-208.awsdns-26.com.
muirfieldtravel.com.	172489	IN	NS	ns-526.awsdns-01.net.
muirfieldtravel.com.	172489	IN	NS	ns-1305.awsdns-35.org.
muirfieldtravel.com.	172489	IN	NS	ns-1994.awsdns-57.co.uk.

;; ADDITIONAL SECTION:
ns-1305.awsdns-35.org.	151397	IN	A	205.251.197.25
ns-1305.awsdns-35.org.	156869	IN	AAAA	2600:9000:5305:1900::1
ns-1994.awsdns-57.co.uk. 146038	IN	A	205.251.199.202
ns-1994.awsdns-57.co.uk. 161919	IN	AAAA	2600:9000:5307:ca00::1
ns-208.awsdns-26.com.	150592	IN	A	205.251.192.208
ns-208.awsdns-26.com.	154979	IN	AAAA	2600:9000:5300:d000::1
ns-526.awsdns-01.net.	147008	IN	A	205.251.194.14
ns-526.awsdns-01.net.	156077	IN	AAAA	2600:9000:5302:e00::1

;; Query time: 61 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Wed May 09 08:57:41 BST 2018
;; MSG SIZE  rcvd: 361

#10

I have the same error message withmy website www.viosarp.gr where I have setup cloudflare. I have check it from various pc/mobiles and on some of them the problem exists. When I try to change to the dns of google it works.

But I think that this is not a solution. To inform all the clients to do this.

Any help on this please or if I can check anything to my setup on cloudflare or to my server please.


#11

It seems to be resolving. Do you still see any problems?


#12

I still have problem yes.
I dont know how to fix it as the problem exist to some of our clients visits.
I see the site fine but I have calls that some clients does not access the site.


#13

I have this problem as well. The DNS for the site is using Cloudflare and when I use the cloudflare DNS servers on my device, the error occurs. bellinghamadvertising.com is the domain.


#14

That domain has a DS record set at the registrar, but doesn’t have DNSSEC enabled at Cloudflare. 1.1.1.1 and other validating resolvers can’t consider it valid. You have to delete the DS record at your registrar. If you want, you can enable DNSSEC on Cloudflare and set the DS record Cloudflare gives you.

bellinghamadvertising.com. 86400 IN     DS      12737 13 2 0E8EEF7C384249AAD82BEBCED36AD622768E17601E192DE2B1F205FA 120DA8D1

#15

Thanks mnordhoff! You really nailed it.