Family DNS (1.1.1.3) returns IP and NXDOMAIN for clientHold domain simultaneously

Hello, I noticed that 1.1.1.3 returns a wrong answer for a clientHold domain, which must not be resolved at all.

> root@ssh:~$ nslookup yandex.ua 1.1.1.3
> Server:         1.1.1.3
> Address:        1.1.1.3#53
> 
> Non-authoritative answer:
> Name:   yandex.ua
> Address: 213.180.193.56
> ** server can't find yandex.ua: NXDOMAIN

All other tested servers return the right answer, without an IP address:

> root@ssh:~$ nslookup yandex.ua 1.1.1.1
> Server:         1.1.1.1
> Address:        1.1.1.1#53
> 
> Non-authoritative answer:
> *** Can't find yandex.ua: No answer
> 
> root@ssh:~$ nslookup yandex.ua 8.8.8.8
> Server:         8.8.8.8
> Address:        8.8.8.8#53
> 
> Non-authoritative answer:
> *** Can't find yandex.ua: No answer

WHOIS:

> |domain:|yandex.ua|
> |---|---|
> |dom-public:|NO|
> |license:|48116|
> |mnt-by:|ua.imena|
> |nserver:|ns7.yandex.ru|
> |nserver:|ns8.yandex.ru|
> |status:|clientHold|
> |created:|2005-04-27 02:54:19+03|
> |modified:|2022-03-01 11:16:56+02|
> |expires:|2025-04-27 02:54:19+03|
> |source:|UAEPP|

Can you explain that behaviour and fix it?

Whois does appear to confirm a ClientHold in place at the moment.

Hmmm… slightly more interesting.

dig yandex.ua @1.1.1.1

; <<>> DiG 9.10.6 <<>> yandex.ua @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 723
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;yandex.ua.			IN	A

;; AUTHORITY SECTION:
ua.			3535	IN	SOA	in1.ns.ua. domain-master.cctld.ua. 2023060804 3636 1212 3024000 3535

;; Query time: 51 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Jun 08 06:55:59 EDT 2023
;; MSG SIZE  rcvd: 101

dig yandex.ua @1.1.1.3

; <<>> DiG 9.10.6 <<>> yandex.ua @1.1.1.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 137
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;yandex.ua.			IN	A

;; ANSWER SECTION:
yandex.ua.		60	IN	A	213.180.193.56

;; Query time: 62 msec
;; SERVER: 1.1.1.3#53(1.1.1.3)
;; WHEN: Thu Jun 08 06:57:24 EDT 2023
;; MSG SIZE  rcvd: 54

Maybe if @mvavrusa happens to be around they could take a peek as this seems a bit odd.

Just to clarify, NXDOMAIN is the AAAA answer from 1.1.1.3:

dig -t AAAA yandex.ua @1.1.1.3

; <<>> DiG 9.11.5 <<>> -t AAAA yandex.ua @1.1.1.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65467
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;yandex.ua.                     IN      AAAA

;; Query time: 2 msec
;; SERVER: 1.1.1.3#53(1.1.1.3)
;; WHEN: Thu Jun 08 13:56:43 CEST 2023
;; MSG SIZE  rcvd: 38

It seems like 1.1.1.3 redirects to the “safe search” version, let me take a look at what’s going on.

Hi! Just following up - 1.1.1.3 had a forced safesearch redirect that didn’t check whether the domain exists correctly. This has been corrected; sorry for the issues.

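The symptom diagnosed in this thread (an A record returned alongside NXDOMAIN for AAAA on the same name) can be checked mechanically. The following is an added example, not code from the thread's participants or from Cloudflare: it parses dig output abridged from the posts above and flags any resolver that answers NXDOMAIN for one query type while returning records for another. The function names `parse_dig` and `nxdomain_conflicts` are hypothetical.

```python
import re
from collections import defaultdict

# Abridged from the dig output quoted in the thread (whitespace normalised).
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 723
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;yandex.ua.   IN  A
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 137
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;yandex.ua.   IN  A
;; SERVER: 1.1.1.3#53(1.1.1.3)
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65467
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;yandex.ua.   IN  AAAA
;; SERVER: 1.1.1.3#53(1.1.1.3)
"""
HEADER = re.compile(r"status: (\w+),")
COUNTS = re.compile(r"ANSWER: (\d+),")
QUESTION = re.compile(r"^;(\S+)\s+IN\s+(\S+)\s*$")
SERVER = re.compile(r"^;; SERVER: ([^#\s]+)#")

def parse_dig(text):
    """Yield one dict per response found in concatenated dig output."""
    cur = {}
    for line in text.splitlines():
        if m := HEADER.search(line):
            cur = {"status": m.group(1)}      # a header line starts a new response
        elif m := COUNTS.search(line):
            cur["answers"] = int(m.group(1))
        elif m := QUESTION.match(line):
            cur["name"], cur["qtype"] = m.group(1).lower(), m.group(2)
        elif m := SERVER.match(line):
            cur["server"] = m.group(1)
            yield cur                         # SERVER is the last field we need

def nxdomain_conflicts(responses):
    """NXDOMAIN covers the whole name (RFC 8020); flag names that also got records."""
    seen = defaultdict(dict)
    for r in responses:
        seen[(r["server"], r["name"])][r["qtype"]] = (r["status"], r["answers"])
    bad = []
    for key, by_type in seen.items():
        nx = sorted(t for t, (s, _) in by_type.items() if s == "NXDOMAIN")
        ok = sorted(t for t, (s, n) in by_type.items() if s == "NOERROR" and n > 0)
        if nx and ok:
            bad.append((*key, nx, ok))
    return bad
```

On the sample, only 1.1.1.3 is flagged; the 1.1.1.1 response (NOERROR with an empty answer section) is consistent on its own and is not reported.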