Nac-cna.ca failing to resolve

I’m using 1.1.1.1 as my DNS and am having issues resolving nac-cna.ca

Reddit post pointed me to making a post here and others on reddit said it worked for them. Here is the output from dig:

dig nac-cna.ca @1.1.1.1

; <<>> DiG 9.9.5-9+deb8u19-Debian <<>> nac-cna.ca @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11787
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 00 49 74 65 72 61 74 69 6f 6e 20 6c 69 6d 69 74 20 72 65 61 63 68 65 64 (.) (.) (I) (t) (e) (r) (a) (t) (i) (o) (n) ( ) (l) (i) (m) (i) (t) ( ) (r) (e) (a) (c) (h) (e) (d)
;; QUESTION SECTION:
;nac-cna.ca. IN A

;; Query time: 4843 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Mar 23 22:44:35 EDT 2021
;; MSG SIZE rcvd: 68

[email protected]:~# dig nac-cna.ca @1.1.1.1

; <<>> DiG 9.9.5-9+deb8u19-Debian <<>> nac-cna.ca @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12736
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 16 (.) (.)
;; QUESTION SECTION:
;nac-cna.ca. IN A

;; Query time: 2020 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Mar 24 09:21:26 EDT 2021
;; MSG SIZE rcvd: 45

1 Like

Going by this field in your dig response:

; OPT=15: 00 16 (.) (.)

It suggests that your query is being “censored”. The draft of extended DNS errors at draft-ietf-dnsop-extended-error-16 - Extended DNS Errors states:

The server is unable to respond to the request because the domain is
blacklisted due to an external requirement imposed by an entity other
than the operator of the server resolving or forwarding the query.
Note that how the imposed policy is applied is irrelevant (in-band
DNS filtering, court order, etc).

I’m not sure why 1.1.1.1 would be returning this code though, I can verify that 1.1.1.1 works locally on this domain.

I really don’t want to ditch these DNS servers, but this url is still failing in the same way for me… no idea what else I can do.

Have problems with 1.1.1.1? Read Me First - DNS & Network / 1.1.1.1 - Cloudflare Community

Thanks for the reply.

Here are the outputs of the commands:

`# dig nac-cna.ca @1.1.1.1`

; <<>> DiG 9.9.5-9+deb8u19-Debian <<>> nac-cna.ca @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3219
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 16  (.) (.)
;; QUESTION SECTION:
;nac-cna.ca.                    IN      A

;; Query time: 2966 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Mar 26 03:16:59 EDT 2021
;; MSG SIZE  rcvd: 45

# dig nac-cna.ca @1.0.0.1

; <<>> DiG 9.9.5-9+deb8u19-Debian <<>> nac-cna.ca @1.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52843
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 00  (.) (.)
;; QUESTION SECTION:
;nac-cna.ca.                    IN      A

;; Query time: 19 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Fri Mar 26 03:17:08 EDT 2021
;; MSG SIZE  rcvd: 45

# dig nac-cna.ca @8.8.8.8

; <<>> DiG 9.9.5-9+deb8u19-Debian <<>> nac-cna.ca @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24033
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;nac-cna.ca.                    IN      A

;; ANSWER SECTION:
nac-cna.ca.             3599    IN      A       69.20.251.251

;; Query time: 114 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Mar 26 03:17:16 EDT 2021
;; MSG SIZE  rcvd: 55

# dig +short CHAOS TXT id.server @1.1.1.1
"YYZ"
# dig +short CHAOS TXT id.server @1.0.0.1
"YYZ"

And a link to the visualization: https://dnsviz.net/d/nac-cna.ca/dnssec/

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.