Unable to reach a sub site from Chamberlain.edu


#1

I’m having difficulty resolving https://portal.chamberlain.edu using the 1.1.1.1/1.0.0.1 DNS servers. I’m a FIOS customer in NYC.


#2

Have you tried the instructions in this post? And post the results of this:
dig +short CHAOS TXT id.server @1.1.1.1


#3

What instructions? Sorry, I’m the greenest person around here and also I’m not sure how to do the dig command. If you can instruct me, I’ll try.


#4

Sorry, I forgot to paste it:


#5

Okay, here are the nslookups and traces from Windows. Hope it helps.

PS C:\Users> nslookup portal.chamberlain.edu 1.1.1.1
Server: 1dot1dot1dot1.cloudflare-dns.com
Address: 1.1.1.1

Non-authoritative answer:
Name: chamberlain-mobile-prod.herokuapp.com
Addresses: 52.4.88.104
52.87.102.242
Aliases: portal.chamberlain.edu

PS C:\Users> nslookup portal.chamberlain.edu 1.0.0.1
Server: 1dot1dot1dot1.cloudflare-dns.com
Address: 1.0.0.1

Non-authoritative answer:
Name: chamberlain-mobile-prod.herokuapp.com
Addresses: 52.87.102.242
52.4.88.104
Aliases: portal.chamberlain.edu

PS C:\Users> nslookup portal.chamberlain.edu 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
Name: chamberlain-mobile-prod.herokuapp.com
Addresses: 52.4.88.104
52.87.102.242
Aliases: portal.chamberlain.edu

PS C:\Users> nslookup -class=chaos -type=txt id.server 1.1.1.1
Server: 1dot1dot1dot1.cloudflare-dns.com
Address: 1.1.1.1

Non-authoritative answer:
id.server text =

    "ewr01"

PS C:\Users> nslookup -class=chaos -type=txt id.server 1.0.0.1
Server: 1dot1dot1dot1.cloudflare-dns.com
Address: 1.0.0.1

Non-authoritative answer:
id.server text =

    "ewr01"

PS C:\Users> tracert 1.1.1.1

Tracing route to 1dot1dot1dot1.cloudflare-dns.com [1.1.1.1]
over a maximum of 30 hops:

1 1 ms 2 ms 1 ms router
2 4 ms 6 ms 2 ms ISP Gateway
3 8 ms 9 ms 10 ms B3386.NYCMNY-LCR-22.verizon-gni.net [100.41.218.204]
4 * * * Request timed out.
5 6 ms 6 ms 7 ms 0.ae5.br1.nyc1.alter.net [140.222.228.107]
6 9 ms 5 ms 5 ms ae13.cr0-nyc2.ip4.gtt.net [173.205.47.145]
7 8 ms 11 ms 7 ms xe-0-0-0.cr0-nyc4.ip4.gtt.net [89.149.184.98]
8 5 ms 6 ms 8 ms cloudflare-gw.cr0-nyc4.ip4.gtt.net [69.174.23.54]
9 8 ms 5 ms 6 ms 1dot1dot1dot1.cloudflare-dns.com [1.1.1.1]

Trace complete.
PS C:\Users> tracert 1.0.0.1

Tracing route to 1dot1dot1dot1.cloudflare-dns.com [1.0.0.1]
over a maximum of 30 hops:

1 2 ms 2 ms 2 ms router
2 5 ms 7 ms 5 ms ISP Gateway
3 6 ms 5 ms 6 ms b3386.nycmny-lcr-21.verizon-gni.net [100.41.218.202]
4 * * * Request timed out.
5 8 ms 9 ms 7 ms 0.ae6.br1.nyc1.alter.net [140.222.228.131]
6 5 ms 7 ms 7 ms ae13.cr0-nyc2.ip4.gtt.net [173.205.47.145]
7 6 ms 6 ms 6 ms xe-8-0-0.cr0-nyc4.ip4.gtt.net [89.149.184.198]
8 5 ms 5 ms 5 ms cloudflare-gw.cr0-nyc4.ip4.gtt.net [69.174.23.54]
9 5 ms 5 ms 4 ms 1dot1dot1dot1.cloudflare-dns.com [1.0.0.1]

Trace complete.


#6

It looks to me that every nslookup got you the same responses. What’s not working for you? Is a web browser not showing you the site? What error is it showing?


#7

The site is just blank, but now I just tried the portal and it came up. It seems that site is hit or miss. Don’t know what the problem is, but last night when I changed the DNS server to Quad9 (9.9.9.9) it works all the time. I’ll observe quite a bit and see what it comes out with.


#8

I see it ultimately points to Heroku. I wonder if Heroku gets upset when someone uses DNS that doesn’t forward their home location to help with geo-routing. I can’t remember the name of the feature, but Cloudflare disables it for privacy, whereas most other DNS services leave it enabled.


#9

I think I have found the problem; it has to do with DNSSEC, but I’m not sure why. So, here’s for you experts to analyze. Is it Cloudflare’s DNS or portal.chamberlain.edu DNSSEC implementation?

Scenario 1
a. Set DNS 1.1.1.1/1.0.0.1 - Router
b. Enable DNSSEC support - Router
c. Go to portal.chamberlain.edu
d. The site sometimes works, then it won’t work; it just comes up with a blank page with no errors.
e. Every time I go to the site the router’s log tells me, “dnsmasq[248]: Insecure DS reply received, do upstream DNS servers support DNSSEC?” It seems Cloudflare’s DNS doesn’t recognize the site as secure.

Scenario 2
a. Set DNS 9.9.9.9/149.112.112.112 or OpenDNS’s - Router
b. Enable DNSSEC support - Router
c. Go to portal.chamberlain.edu
d. The site always works.
e. It doesn’t produce a dnsmasq log. It seems the DNS recognizes the site as secure, which renders the site correctly.

Scenario 3
a. Set DNS to Cloudflare, Quad9 or any.
b. Disable DNSSEC support - Router
c. Go to portal.chamberlain.edu
d. The site always works.
e. No log occurs and the site renders correctly.

What do you think is going on?
Here’s Verisign’s report on the site’s DNSSEC.
https://dnssec-debugger.verisignlabs.com/portal.chamberlain.edu
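
A way to compare what each upstream resolver returns for a DS query sent with the DNSSEC OK bit, the kind of reply the dnsmasq message in scenario 1 refers to. This is an added example, not code from the thread; the function names, `example.test` and the sample reply are constructed for illustration.

```python
import socket
import struct

DS, RRSIG, OPT = 43, 46, 41  # RR type codes

def build_query(name, qtype=DS, qid=0x1234):
    """Recursive query carrying an EDNS0 OPT record with the DNSSEC OK (DO) bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0"
    # OPT: root name, class = UDP payload size, TTL field = flags with DO (0x8000)
    opt = b"\0" + struct.pack("!HHIH", OPT, 1232, 0x8000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg, off):
    """Offset just past a name, which may end in a compression pointer."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)

def summarize(msg):
    """Pull out what a validating forwarder needs: rcode, AD flag, DS and RRSIG counts."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    types = []
    for _ in range(an + ns):  # answer + authority sections
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x20),
            "ds": types.count(DS), "rrsig": types.count(RRSIG)}

def ask(resolver, name, qtype=DS, timeout=3.0):
    """Live lookup over UDP (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (resolver, 53))
        return summarize(s.recv(4096))

def sample_reply(signed):
    """Constructed reply for offline checks, not captured traffic."""
    rr = lambda t: b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, 4) + bytes(4)
    question = build_query("example.test")[12:-11]
    flags, count = (0x81A0, 2) if signed else (0x8180, 1)  # AD set only when signed
    head = struct.pack("!HHHHHH", 0x1234, flags, 1, count, 0, 0)
    return head + question + rr(DS) + (rr(RRSIG) if signed else b"")
```

Running `ask()` against 1.1.1.1 and 9.9.9.9 for the same zone name and comparing the `ad` and `rrsig` fields shows whether the two upstreams hand the router the same signed data; a reply with `rrsig` equal to 0 gives a validating forwarder nothing to verify.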