NS records available at Domain NS but not public 1.1.1.1

Hi - we are trying to route vpn.example.com to an A record at different CSPs and running into some errors, unsure if it’s configured incorrectly or we just are misunderstanding DNS concepts.

In Cloudflare:

vpn.example.com has 6 NS records:

  • NS1: vpn.aws.account.example.com (ns-111.awsdns-11.net)
  • NS2: vpn.aws.account.example.com (ns-222.awsdns-22.com)
  • NS3: vpn.azure.account.example.com (ns-111.azuredns-11.net)
  • NS4: vpn.azure.account.example.com (ns-222.azuredns-22.com)
  • NS5: vpn.gcp.account.example.com (ns-111.gcpdns-11.net)
  • NS6: vpn.gcp.account.example.com (ns-222.gcpdns-22.com)

At each of these NSs, we have A records on the root @ (configured using ALIAS/ANAME, which the CSPs support, e.g. AWS Route 53), and they route to Load Balancers. For example:

  • dig vpn.aws.account.example.com returns the following:
; <<>> DiG 9.10.6 <<>> vpn.aws.account.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29377
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;vpn.aws.account.example.com. IN A
;; ANSWER SECTION:
vpn.aws.account.example.com. 60 IN A 1.2.3.4
vpn.aws.account.example.com. 60 IN A 2.3.4.5
vpn.aws.account.example.com. 60 IN A 3.5.6.7
;; Query time: 76 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Apr 11 17:45:55 CDT 2023
;; MSG SIZE rcvd: 104

This works great and has no issue. The IPs returned are what we are expecting. Where the problem lies is trying to get the A records returned by hitting vpn.example.com directly:

  • dig vpn.example.com returns the following:
; <<>> DiG 9.10.6 <<>> vpn.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57632
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 16 61 74 20 64 65 6c 65 67 61 74 69 6f 6e 20 76 70 6e 2e 61 76 69 61 74 72 69 78 2e 63 6f 6d 2e ("..at delegation vpn.example.com.")
; OPT=15: 00 17 32 30 35 2e 32 35 31 2e 31 39 33 2e 34 39 3a 35 33 20 72 63 6f 64 65 3d 52 45 46 55 53 45 44 20 66 6f 72 20 76 70 6e 2e 61 76 69 61 74 72 69 78 2e 63 6f 6d 20 41 ("..205.251.193.49:53 rcode=REFUSED for vpn.example.com A")
;; QUESTION SECTION:
;vpn.example.com. IN A
;; Query time: 69 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Apr 11 17:52:56 CDT 2023
;; MSG SIZE rcvd: 142

Same error when trying dig vpn.example.com NS.

What is weird is that if we do not use public Cloudflare DNS (1.1.1.1, or even 8.8.8.8 or any other), but instead our domain's actual nameservers (brad.ns.cloudflare.com), it works!

  • dig vpn.example.com @brad.ns.cloudflare.com returns the following:
; <<>> DiG 9.10.6 <<>> vpn.example.com @brad.ns.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7069
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;vpn.example.com. IN A
;; AUTHORITY SECTION:
vpn.example.com. 300 IN NS ns-111.awsdns-11.net.
vpn.example.com. 300 IN NS ns-222.awsdns-22.net.
;; Query time: 19 msec
;; SERVER: 108.162.193.105#53(108.162.193.105)
;; WHEN: Tue Apr 11 17:54:21 CDT 2023
;; MSG SIZE rcvd: 110

What may be the problem here? We are expecting the following to happen:

  1. Request to vpn.example.com
  2. Routes the request to one of the nameservers
  3. At the nameserver root @, sees the (Alias/ANAME) A record and sends back the 3 IPs for that record, as shown with dig vpn.aws.account.example.com

It looks like your problem is that you’re creating zones within other DNS providers whose names do not match the one you’re trying to use.
If you go to any DNS provider and set up a zone with the DNS name “vpn.aws.account.example.com”, it will only answer queries for that zone.
All the nameserver sees is a request trying to resolve a specific zone (e.g. vpn.example.com); it has no idea of the relation to vpn.aws.account.example.com, regardless of any NS records you set up. Thus, it has no records for vpn.example.com and does not think it is the authority for it, causing the SERVFAIL.
The “DNS Name” or “Domain Name” of the zones you are trying to create in other providers should be “vpn.example.com”. Then you can use NS records to delegate that subdomain from CF to those providers.

PS: You failed to hide your real domain in the hex of the OPT pseudosection of the failed query.

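The behaviour described in the question and the reply above can be modelled without any network access. The following is an added example (not code from the thread or from any of the providers named in it): a toy authoritative server that only answers for names inside a zone it actually hosts, and a minimal resolver that follows the NS delegation from the parent. The `build_misconfigured()` setup mirrors the original post (the delegated servers host a zone named `vpn.aws.account.example.com`), while `build_corrected()` mirrors the fix in the reply (the same servers host a zone named `vpn.example.com`). All IPs, hostnames and the record layout are constructed for illustration, and the REFUSED-to-SERVFAIL mapping is a simplification of what a real recursive resolver does when every delegated server refuses.

```python
from dataclasses import dataclass, field

# Constructed sample data: three load-balancer IPs behind the "AWS" zone.
LB_IPS = ["1.2.3.4", "2.3.4.5", "3.5.6.7"]
AWS_NS = ["ns-111.awsdns-11.net", "ns-222.awsdns-22.net"]


@dataclass
class AuthServer:
    """Authoritative server hosting zones keyed by apex (zone) name."""
    name: str
    zones: dict = field(default_factory=dict)  # apex -> {owner: [(type, rdata)]}

    def query(self, qname, qtype):
        """Return (rcode, answers). Only names inside a hosted zone get an answer;
        anything else is REFUSED, exactly like the 'rcode=REFUSED' in the OPT data."""
        qname = qname.rstrip(".").lower()
        for apex, records in self.zones.items():
            if qname == apex or qname.endswith("." + apex):
                rrs = [rd for (t, rd) in records.get(qname, []) if t == qtype]
                return ("NOERROR", rrs)
        return ("REFUSED", [])


class Resolver:
    """Minimal recursive resolver: parent data first, then one NS delegation."""

    def __init__(self, parent_records, servers):
        self.parent = parent_records   # owner -> [(type, rdata)] held by the parent (Cloudflare)
        self.servers = servers         # nameserver hostname -> AuthServer

    def resolve(self, qname, qtype="A"):
        qname = qname.rstrip(".").lower()
        # The parent answers directly if it holds data of that type for the name.
        direct = [rd for (t, rd) in self.parent.get(qname, []) if t == qtype]
        if direct:
            return ("NOERROR", direct)
        # Otherwise find the closest enclosing delegation (longest matching NS set).
        labels = qname.split(".")
        ns = []
        for i in range(len(labels)):
            cut = ".".join(labels[i:])
            ns = [rd for (t, rd) in self.parent.get(cut, []) if t == "NS"]
            if ns:
                break
        if not ns:
            return ("NXDOMAIN", [])
        # Ask the delegated servers; any authoritative answer wins.
        for host in ns:
            rcode, rrs = self.servers[host].query(qname, qtype)
            if rcode == "NOERROR":
                return (rcode, rrs)
        # Every delegated server refused the name: the resolver cannot finish.
        return ("SERVFAIL", [])


def _parent():
    """Cloudflare-side records: both names are delegated to the same AWS servers."""
    return {
        "vpn.example.com": [("NS", h) for h in AWS_NS],
        "vpn.aws.account.example.com": [("NS", h) for h in AWS_NS],
    }


def build_misconfigured():
    """Original post: the AWS zone is named vpn.aws.account.example.com."""
    aws = AuthServer("aws", {
        "vpn.aws.account.example.com": {
            "vpn.aws.account.example.com": [("A", ip) for ip in LB_IPS],
        },
    })
    return Resolver(_parent(), {h: aws for h in AWS_NS})


def build_corrected():
    """Reply's fix: the AWS zone is named vpn.example.com, matching the delegation."""
    aws = AuthServer("aws", {
        "vpn.example.com": {
            "vpn.example.com": [("A", ip) for ip in LB_IPS],
        },
    })
    return Resolver(_parent(), {h: aws for h in AWS_NS})


if __name__ == "__main__":
    for label, r in (("misconfigured", build_misconfigured()), ("corrected", build_corrected())):
        print(label, "vpn.aws.account.example.com ->", r.resolve("vpn.aws.account.example.com"))
        print(label, "vpn.example.com ->", r.resolve("vpn.example.com"))
```

Running it shows the two outcomes from the thread side by side: in the misconfigured setup `vpn.aws.account.example.com` resolves to the three IPs while `vpn.example.com` ends in SERVFAIL, and after renaming the hosted zone to `vpn.example.com` the delegated name resolves to the same IPs. A real resolver also caches the delegation and retries over TCP and other servers, which this model omits; the zone-name matching rule is the part that matters here.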

I see - I was under the assumption:

  • NS record > go here to get authoritative answers

But it’s actually:

  • NS record > go here to get authoritative answers (and check if FQDN matches)

That does make sense though, thanks for your help!

And I figured so but was too lazy to check :stuck_out_tongue:
