NS sub-domain request failure

Hi all, we have an issue related to hosting our own nameserver for a sub-domain. We have configured a nameserver on dns.dev.mydomain.com, but we are seeing an A record lookup that we did not expect. We are using CoreDNS, so I have included the config files.

Here is our setup:


;; Cloudflare records
ns1.eu.mydomain.com.            240	IN	A	12.34.56.78
dns.dev.mydomain.com.     120	IN	NS	ns1.eu.mydomain.com.


;; Records on our DNS server

$ORIGIN dns.dev.mydomain.com.
@                               3600  IN    SOA     ns1.eu.mydomain.com. admin.mydomain.com. 123456789 60 60 60 60
                                3600  IN    NS      ns1.eu.mydomain.com.

v1                              60    IN    A       1.2.3.4
123.v1                          60    IN    A       1.2.3.4


;; Corefile configuration

. {
    ready
    log
    
    forward . 1.1.1.1
}

dns.dev.mydomain.com {
    ready
    log

    file /conf/db.dns.dev.mydomain.com dns.dev.mydomain.com
    grpc . 12.34.56.78:5006 {
        tls /conf/mydomain-dev-ca.crt
        tls_servername dns.dev.mydomain.com
    }
}


;; CoreDNS log files
coredns | [INFO] 141.101.75.46:38300 - 3582 "A IN v1.dns.dev.mydomain.com. udp 61 true 1452" NOERROR qr,aa 158 0.00013892s
coredns | [INFO] 141.101.75.46:19842 - 23833 "A IN 123.v1.dns.dev.mydomain.com. udp 65 true 1452" NOERROR qr,aa 171 0.000087297s

These logs are the result of the lookup with dig A 123.v1.dns.dev.mydomain.com.

What I was not expecting was the A record lookup of A IN v1.dns.dev.mydomain.com.. Can somebody explain why this record is received? We are getting this record from 141.101.75.46 which is an CloudFlare IP.

You need to change the IP 141.101.75.46, you cannot proxy a Cloudflare IP, otherwise, it will return Error 1000: DNS points to prohibited IP, Error 1002: DNS points to prohibited IP, Error 1002: Restricted , Error 1004: Host not configured to serve web traffic, and others. Change it to the IP given to you by your hosting provider

1.1.1.1 is a privacy focused resolver. We practice query minimization RFC 7816 - DNS Query Name minimization to Improve Privacy (ietf.org) for records.

Ah, thanks for that info.

Another question, not really related to the extra A request, but we sometimes get an empty response when resolving a domain. When we directly target CloudFlare DNS it resolves always correctly, but when not we sometimes get the empty response and see multiple requests at our DNS server.

This always give the correct result:

dig 1234.v1.dns.dev.mydomain.com @1.1.1.1

This gives an empty result on the first request (when TTL has expired). When we try it again we get the correct result.

~ dig 1234.v1.dns.dev.mydomain.com

; <<>> DiG 9.10.6 <<>> 1234.v1.dns.dev.mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42489
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;1234.v1.dns.dev.mydomain.com. IN A

;; Query time: 79 msec
;; SERVER: 172.16.1.1#53(172.16.1.1)
;; WHEN: Fri Apr 02 08:10:15 CEST 2021
;; MSG SIZE  rcvd: 106

Here are the CoreDNS results when this happens. We see the request for the records coming in multiple times and respond to it with no errors in our logs.

coredns | [INFO] 141.101.75.46:23148 - 53338 "A IN v1.dns.dev.mydomain.com. udp 61 true 1452" NOERROR qr 50 0.037577977s
coredns | [INFO] 212.142.48.81:45537 - 62020 "A IN 1234.v1.dns.dev.mydomain.com. udp 106 true 1232" NOERROR qr 188 0.043347121s
coredns | [INFO] 173.194.169.109:54959 - 35457 "A IN 1234.v1.dns.dev.mydomain.com. udp 106 true 1400" NOERROR qr 188 0.064021872s
coredns | [INFO] 212.54.39.70:46542 - 53510 "A IN 1234.v1.dns.dev.mydomain.com. udp 106 true 1232" NOERROR qr 188 0.059053472s
coredns | [INFO] 141.101.75.46:60802 - 52471 "A IN 1234.v1.dns.dev.mydomain.com. udp 106 true 1452" NOERROR qr 188 0.041572223s

Do you have any idea on why this first DNS request fails?

Hi William,

You mean we should forward to 141.101.75.46? Our current setup works and we see this setup mentioned in the CoreDNS docs: forward

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.